7bf4d76e75
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
ccaches in ccache collections
- KEYRING: ccaches are weird because they have one more optional field: the
"anchor", so rather than just assume a naming convention everywhere, we
add new functions as well
- Add krb5_cc_{resolve,default}_sub() that allows one to specify a
"subsidiary" ccache name in a collection separately from the
collection name
- Add krb5_cc_{resolve,default}_for() which take a principal name,
unparse it, and use it as the subsidiary ccache name (with colons
replaced)
- Make kinit use the new interfaces
- Add missing DIR ccache iteration functionality
- Revamps test_cc
- Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
- Bump the ccops SPI version number
- Add gss_store_cred_into2()
- Make MEMORY:anonymous not linked into the global MEMORY ccache
collection, and uses this for delegated cred handles
TBD:
- Split this up into a krb5 change and gss mech_krb5 change?
- Add krb5_cc_init_and_store() utility, per Greg's suggestion?
201 lines
5.4 KiB
C
201 lines
5.4 KiB
C
/*
|
|
* Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "gsskrb5_locl.h"
|
|
|
|
#if 0
|
|
OM_uint32
|
|
gss_krb5_copy_ccache(OM_uint32 *minor_status,
|
|
krb5_context context,
|
|
gss_cred_id_t cred,
|
|
krb5_ccache out)
|
|
{
|
|
krb5_error_code kret;
|
|
|
|
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
|
|
|
|
if (cred->ccache == NULL) {
|
|
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
|
|
*minor_status = EINVAL;
|
|
return GSS_S_FAILURE;
|
|
}
|
|
|
|
kret = krb5_cc_copy_cache(context, cred->ccache, out);
|
|
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
|
|
if (kret) {
|
|
*minor_status = kret;
|
|
return GSS_S_FAILURE;
|
|
}
|
|
*minor_status = 0;
|
|
return GSS_S_COMPLETE;
|
|
}
|
|
#endif
|
|
|
|
|
|
/*
|
|
* WARNING: Takes ownership of `id'. Because MEMORY:anonymous is now not
|
|
* linked into to the MEMORY ccache namespace, we can't use krb5_cc_resolve()
|
|
* with the cache's name anymore. We need a krb5_cc_clone() or some such, with
|
|
* attendant new method for ccops. Or we could create a new MEMORY:anonymous
|
|
* ccache and copy all the creds from `id' into it. But we know callers of
|
|
* this function don't need `id' after calling it, so for now we'll just take
|
|
* ownershipd of it.
|
|
*/
|
|
OM_uint32
|
|
_gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
|
|
krb5_ccache *id,
|
|
krb5_principal keytab_principal,
|
|
krb5_keytab keytab,
|
|
gss_cred_id_t *cred)
|
|
{
|
|
krb5_context context;
|
|
krb5_error_code kret;
|
|
gsskrb5_cred handle;
|
|
OM_uint32 ret;
|
|
|
|
*cred = NULL;
|
|
|
|
GSSAPI_KRB5_INIT (&context);
|
|
|
|
handle = calloc(1, sizeof(*handle));
|
|
if (handle == NULL) {
|
|
_gsskrb5_clear_status ();
|
|
*minor_status = ENOMEM;
|
|
return (GSS_S_FAILURE);
|
|
}
|
|
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
|
|
|
|
handle->usage = 0;
|
|
|
|
if (*id) {
|
|
time_t now;
|
|
OM_uint32 left;
|
|
|
|
handle->usage |= GSS_C_INITIATE;
|
|
|
|
kret = krb5_cc_get_principal(context, *id,
|
|
&handle->principal);
|
|
if (kret) {
|
|
free(handle);
|
|
*minor_status = kret;
|
|
return GSS_S_FAILURE;
|
|
}
|
|
|
|
if (keytab_principal) {
|
|
krb5_boolean match;
|
|
|
|
match = krb5_principal_compare(context,
|
|
handle->principal,
|
|
keytab_principal);
|
|
if (match == FALSE) {
|
|
krb5_free_principal(context, handle->principal);
|
|
free(handle);
|
|
_gsskrb5_clear_status ();
|
|
*minor_status = EINVAL;
|
|
return GSS_S_FAILURE;
|
|
}
|
|
}
|
|
|
|
krb5_timeofday(context, &now);
|
|
ret = __gsskrb5_ccache_lifetime(minor_status,
|
|
context,
|
|
*id,
|
|
handle->principal,
|
|
&left);
|
|
if (ret != GSS_S_COMPLETE) {
|
|
krb5_free_principal(context, handle->principal);
|
|
free(handle);
|
|
return ret;
|
|
}
|
|
handle->endtime = now + left;
|
|
|
|
handle->ccache = *id;
|
|
*id = NULL;
|
|
if (kret)
|
|
goto out;
|
|
}
|
|
|
|
|
|
if (keytab) {
|
|
char *str;
|
|
|
|
handle->usage |= GSS_C_ACCEPT;
|
|
|
|
if (keytab_principal && handle->principal == NULL) {
|
|
kret = krb5_copy_principal(context,
|
|
keytab_principal,
|
|
&handle->principal);
|
|
if (kret)
|
|
goto out;
|
|
}
|
|
|
|
kret = krb5_kt_get_full_name(context, keytab, &str);
|
|
if (kret)
|
|
goto out;
|
|
|
|
kret = krb5_kt_resolve(context, str, &handle->keytab);
|
|
free(str);
|
|
if (kret)
|
|
goto out;
|
|
}
|
|
|
|
|
|
if (id || keytab) {
|
|
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
|
|
if (ret == GSS_S_COMPLETE)
|
|
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
|
|
&handle->mechanisms);
|
|
if (ret != GSS_S_COMPLETE) {
|
|
kret = *minor_status;
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
*minor_status = 0;
|
|
*cred = (gss_cred_id_t)handle;
|
|
return GSS_S_COMPLETE;
|
|
|
|
out:
|
|
gss_release_oid_set(minor_status, &handle->mechanisms);
|
|
if (handle->ccache)
|
|
krb5_cc_close(context, handle->ccache);
|
|
if (handle->keytab)
|
|
krb5_kt_close(context, handle->keytab);
|
|
if (handle->principal)
|
|
krb5_free_principal(context, handle->principal);
|
|
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
|
|
free(handle);
|
|
*minor_status = kret;
|
|
return GSS_S_FAILURE;
|
|
}
|