oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
993ae3a82fe096079a6395baeb6385b0072633c1
heimdal/lib/krb5/cache.c
Love Hörnquist Åstrand cc7855865c (krb5_cc_cache_match): add function that iterates over all credential 
caches for a user and returns a match.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16187 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-10-19 17:30:40 +00:00

827 lines
19 KiB
C
Raw Blame History

/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5_locl.h"
RCSID("$Id$");
/*
* Add a new ccache type with operations `ops', overwriting any
* existing one if `override'.
* Return an error code or 0.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_register(krb5_context context,
const krb5_cc_ops *ops,
krb5_boolean override)
{
int i;
for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
if(!override) {
krb5_set_error_string(context,
"ccache type %s already exists",
ops->prefix);
return KRB5_CC_TYPE_EXISTS;
}
break;
}
}
if(i == context->num_cc_ops) {
krb5_cc_ops *o = realloc(context->cc_ops,
(context->num_cc_ops + 1) *
sizeof(*context->cc_ops));
if(o == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return KRB5_CC_NOMEM;
}
context->num_cc_ops++;
context->cc_ops = o;
memset(context->cc_ops + i, 0,
(context->num_cc_ops - i) * sizeof(*context->cc_ops));
}
memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
return 0;
}
/*
* Allocate the memory for a `id' and the that function table to
* `ops'. Returns 0 or and error code.
*/
krb5_error_code
_krb5_cc_allocate(krb5_context context,
const krb5_cc_ops *ops,
krb5_ccache *id)
{
krb5_ccache p;
p = malloc (sizeof(*p));
if(p == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return KRB5_CC_NOMEM;
}
p->ops = ops;
*id = p;
return 0;
}
/*
* Allocate memory for a new ccache in `id' with operations `ops'
* and name `residual'.
* Return 0 or an error code.
*/
static krb5_error_code
allocate_ccache (krb5_context context,
const krb5_cc_ops *ops,
const char *residual,
krb5_ccache *id)
{
krb5_error_code ret;
ret = _krb5_cc_allocate(context, ops, id);
if (ret)
return ret;
ret = (*id)->ops->resolve(context, id, residual);
if(ret)
free(*id);
return ret;
}
/*
* Find and allocate a ccache in `id' from the specification in `residual'.
* If the ccache name doesn't contain any colon, interpret it as a file name.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_resolve(krb5_context context,
const char *name,
krb5_ccache *id)
{
int i;
for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
size_t prefix_len = strlen(context->cc_ops[i].prefix);
if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
&& name[prefix_len] == ':') {
return allocate_ccache (context, &context->cc_ops[i],
name + prefix_len + 1,
id);
}
}
if (strchr (name, ':') == NULL)
return allocate_ccache (context, &krb5_fcc_ops, name, id);
else {
krb5_set_error_string(context, "unknown ccache type %s", name);
return KRB5_CC_UNKNOWN_TYPE;
}
}
/*
* Generate a new ccache of type `ops' in `id'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_gen_new(krb5_context context,
const krb5_cc_ops *ops,
krb5_ccache *id)
{
krb5_error_code ret;
ret = _krb5_cc_allocate(context, ops, id);
if (ret)
return ret;
return (*id)->ops->gen_new(context, id);
}
/*
* Generates a new unique ccache of `type` in `id'. If `type' is NULL,
* the library chooses the default credential cache type. The supplied
* `hint' (that can be NULL) is a string that the credential cache
* type can use to base the name of the credential on, this is to make
* its easier for the user to differentiate the credentials.
*
* Returns 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_new_unique(krb5_context context, const char *type,
const char *hint, krb5_ccache *id)
{
const krb5_cc_ops *ops;
if (type == NULL)
type = "FILE";
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL) {
krb5_set_error_string(context, "Credential cache type %s is unknown",
type);
return KRB5_CC_UNKNOWN_TYPE;
}
return krb5_cc_gen_new(context, ops, id);
}
/*
* Return the name of the ccache `id'
*/
const char* KRB5_LIB_FUNCTION
krb5_cc_get_name(krb5_context context,
krb5_ccache id)
{
return id->ops->get_name(context, id);
}
/*
* Return the type of the ccache `id'.
*/
const char* KRB5_LIB_FUNCTION
krb5_cc_get_type(krb5_context context,
krb5_ccache id)
{
return id->ops->prefix;
}
/*
* Return krb5_cc_ops of a the ccache `id'.
*/
const krb5_cc_ops *
krb5_cc_get_ops(krb5_context context, krb5_ccache id)
{
return id->ops;
}
/*
* Expand variables in `str' into `res'
*/
krb5_error_code
_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
{
size_t tlen, len = 0;
char *tmp, *tmp2, *append;
*res = NULL;
while (str && *str) {
tmp = strstr(str, "%{");
if (tmp && tmp != str) {
append = malloc((tmp - str) + 1);
if (append) {
memcpy(append, str, tmp - str);
append[tmp - str] = '\0';
}
str = tmp;
} else if (tmp) {
tmp2 = strchr(tmp, '}');
if (tmp2 == NULL) {
free(*res);
*res = NULL;
krb5_set_error_string(context, "variable missing }");
return KRB5_CONFIG_BADFORMAT;
}
if (strncasecmp(tmp, "%{uid}", 6) == 0)
asprintf(&append, "%u", (unsigned)getuid());
else if (strncasecmp(tmp, "%{null}", 7) == 0)
append = strdup("");
else {
free(*res);
*res = NULL;
krb5_set_error_string(context,
"expand default cache unknown "
"variable \"%.*s\"",
(int)(tmp2 - tmp) - 2, tmp + 2);
return KRB5_CONFIG_BADFORMAT;
}
str = tmp2 + 1;
} else {
append = strdup(str);
str = NULL;
}
if (append == NULL) {
free(*res);
res = NULL;
krb5_set_error_string(context, "malloc - out of memory");
return ENOMEM;
}
tlen = strlen(append);
tmp = realloc(*res, len + tlen + 1);
if (tmp == NULL) {
free(*res);
*res = NULL;
krb5_set_error_string(context, "malloc - out of memory");
return ENOMEM;
}
*res = tmp;
memcpy(*res + len, append, tlen + 1);
len = len + tlen;
free(append);
}
return 0;
}
/*
* Set the default cc name for `context' to `name'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_set_default_name(krb5_context context, const char *name)
{
krb5_error_code ret = 0;
char *p;
if (name == NULL) {
const char *e = NULL;
if(!issuid()) {
e = getenv("KRB5CCNAME");
if (e)
p = strdup(e);
}
if (e == NULL) {
e = krb5_config_get_string(context, NULL, "libdefaults",
"default_cc_name", NULL);
if (e) {
ret = _krb5_expand_default_cc_name(context, e, &p);
if (ret)
return ret;
}
}
if (e == NULL)
asprintf(&p,"FILE:/tmp/krb5cc_%u", (unsigned)getuid());
} else
p = strdup(name);
if (p == NULL) {
krb5_set_error_string(context, "malloc - out of memory");
return ENOMEM;
}
if (context->default_cc_name)
free(context->default_cc_name);
context->default_cc_name = p;
return ret;
}
/*
* Return a pointer to a context static string containing the default
* ccache name.
*/
const char* KRB5_LIB_FUNCTION
krb5_cc_default_name(krb5_context context)
{
if (context->default_cc_name == NULL)
krb5_cc_set_default_name(context, NULL);
return context->default_cc_name;
}
/*
* Open the default ccache in `id'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_default(krb5_context context,
krb5_ccache *id)
{
const char *p = krb5_cc_default_name(context);
if (p == NULL) {
krb5_set_error_string(context, "malloc - out of memory");
return ENOMEM;
}
return krb5_cc_resolve(context, p, id);
}
/*
* Create a new ccache in `id' for `primary_principal'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
{
return id->ops->init(context, id, primary_principal);
}
/*
* Remove the ccache `id'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_destroy(krb5_context context,
krb5_ccache id)
{
krb5_error_code ret;
ret = id->ops->destroy(context, id);
krb5_cc_close (context, id);
return ret;
}
/*
* Stop using the ccache `id' and free the related resources.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_close(krb5_context context,
krb5_ccache id)
{
krb5_error_code ret;
ret = id->ops->close(context, id);
free(id);
return ret;
}
/*
* Store `creds' in the ccache `id'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
{
return id->ops->store(context, id, creds);
}
/*
* Retrieve the credential identified by `mcreds' (and `whichfields')
* from `id' in `creds'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_retrieve_cred(krb5_context context,
krb5_ccache id,
krb5_flags whichfields,
const krb5_creds *mcreds,
krb5_creds *creds)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
if (id->ops->retrieve != NULL) {
return id->ops->retrieve(context, id, whichfields,
mcreds, creds);
}
krb5_cc_start_seq_get(context, id, &cursor);
while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
if(krb5_compare_creds(context, whichfields, mcreds, creds)){
ret = 0;
break;
}
krb5_free_cred_contents (context, creds);
}
krb5_cc_end_seq_get(context, id, &cursor);
return ret;
}
/*
* Return the principal of `id' in `principal'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
{
return id->ops->get_princ(context, id, principal);
}
/*
* Start iterating over `id', `cursor' is initialized to the
* beginning.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_start_seq_get (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor)
{
return id->ops->get_first(context, id, cursor);
}
/*
* Retrieve the next cred pointed to by (`id', `cursor') in `creds'
* and advance `cursor'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_next_cred (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor,
krb5_creds *creds)
{
return id->ops->get_next(context, id, cursor, creds);
}
/* like krb5_cc_next_cred, but allow for selective retrieval */
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_next_cred_match(krb5_context context,
const krb5_ccache id,
krb5_cc_cursor * cursor,
krb5_creds * creds,
krb5_flags whichfields,
const krb5_creds * mcreds)
{
krb5_error_code ret;
while (1) {
ret = krb5_cc_next_cred(context, id, cursor, creds);
if (ret)
return ret;
if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds))
return 0;
krb5_free_cred_contents(context, creds);
}
}
/*
* Destroy the cursor `cursor'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_end_seq_get (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor)
{
return id->ops->end_get(context, id, cursor);
}
/*
* Remove the credential identified by `cred', `which' from `id'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
krb5_creds *cred)
{
if(id->ops->remove_cred == NULL) {
krb5_set_error_string(context,
"ccache %s does not support remove_cred",
id->ops->prefix);
return EACCES; /* XXX */
}
return (*id->ops->remove_cred)(context, id, which, cred);
}
/*
* Set the flags of `id' to `flags'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
{
return id->ops->set_flags(context, id, flags);
}
/*
* Copy the contents of `from' to `to'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_copy_cache_match(krb5_context context,
const krb5_ccache from,
krb5_ccache to,
krb5_flags whichfields,
const krb5_creds * mcreds,
unsigned int *matched)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
krb5_creds cred;
krb5_principal princ;
ret = krb5_cc_get_principal(context, from, &princ);
if (ret)
return ret;
ret = krb5_cc_initialize(context, to, princ);
if (ret) {
krb5_free_principal(context, princ);
return ret;
}
ret = krb5_cc_start_seq_get(context, from, &cursor);
if (ret) {
krb5_free_principal(context, princ);
return ret;
}
if (matched)
*matched = 0;
while (ret == 0 &&
krb5_cc_next_cred_match(context, from, &cursor, &cred,
whichfields, mcreds) == 0) {
if (matched)
(*matched)++;
ret = krb5_cc_store_cred(context, to, &cred);
krb5_free_cred_contents(context, &cred);
}
krb5_cc_end_seq_get(context, from, &cursor);
krb5_free_principal(context, princ);
return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_copy_cache(krb5_context context,
const krb5_ccache from,
krb5_ccache to)
{
return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL);
}
/*
* Return the version of `id'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_get_version(krb5_context context,
const krb5_ccache id)
{
if(id->ops->get_version)
return id->ops->get_version(context, id);
else
return 0;
}
/*
* Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
*/
void KRB5_LIB_FUNCTION
krb5_cc_clear_mcred(krb5_creds *mcred)
{
memset(mcred, 0, sizeof(*mcred));
}
/*
* Get the cc ops that is registered in `context' to handle the
* `prefix'. `prefix' can be a complete credential cache name or a
* prefix, the function will only use part up to the first colon (:)
* if there is one. Returns NULL if ops not found.
*/
const krb5_cc_ops *
krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
{
char *p, *p1;
int i;
p = strdup(prefix);
if (p == NULL) {
krb5_set_error_string(context, "malloc - out of memory");
return NULL;
}
p1 = strchr(p, ':');
if (p1)
*p1 = '\0';
for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
if(strcmp(context->cc_ops[i].prefix, p) == 0) {
free(p);
return &context->cc_ops[i];
}
}
free(p);
return NULL;
}
struct krb5_cc_cache_cursor_data {
const krb5_cc_ops *ops;
krb5_cc_cursor cursor;
};
/*
* Start iterating over all caches of `type'. If `type' is NULL, the
* default type is * used. `cursor' is initialized to the beginning.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_cache_get_first (krb5_context context,
const char *type,
krb5_cc_cache_cursor *cursor)
{
const krb5_cc_ops *ops;
krb5_error_code ret;
if (type == NULL)
type = krb5_cc_default_name(context);
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL) {
krb5_set_error_string(context, "Unknown type \"%s\" when iterating "
"trying to iterate the credential caches", type);
return KRB5_CC_UNKNOWN_TYPE;
}
if (ops->get_cache_first == NULL) {
krb5_set_error_string(context, "Credential cache type %s doesn't support "
"iterations over caches", ops->prefix);
return KRB5_CC_NOSUPP;
}
*cursor = calloc(1, sizeof(**cursor));
if (*cursor == NULL) {
krb5_set_error_string(context, "malloc - out of memory");
return ENOMEM;
}
(*cursor)->ops = ops;
ret = ops->get_cache_first(context, &(*cursor)->cursor);
if (ret) {
free(*cursor);
*cursor = NULL;
}
return ret;
}
/*
* Retrieve the next cache pointed to by (`cursor') in `id'
* and advance `cursor'.
* Return 0 or an error code.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_cache_next (krb5_context context,
krb5_cc_cache_cursor cursor,
krb5_ccache *id)
{
return cursor->ops->get_cache_next(context, cursor->cursor, id);
}
/*
* Destroy the cursor `cursor'.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_cache_end_seq_get (krb5_context context,
krb5_cc_cache_cursor cursor)
{
krb5_error_code ret;
ret = cursor->ops->end_cache_get(context, cursor->cursor);
cursor->ops = NULL;
free(cursor);
return ret;
}
/*
* Search for a matching credential cache of type `type' that have the
* `principal' as the default principal. If NULL is used for `type',
* the default type is used. On success, `id' needs to be freed with
* krb5_cc_close or krb5_cc_destroy. On failure, error code is
* returned and `id' is set to NULL.
*/
krb5_error_code KRB5_LIB_FUNCTION
krb5_cc_cache_match (krb5_context context,
krb5_principal client,
const char *type,
krb5_ccache *id)
{
krb5_cc_cache_cursor cursor;
krb5_error_code ret;
krb5_ccache cache = NULL;
*id = NULL;
ret = krb5_cc_cache_get_first (context, type, &cursor);
if (ret)
return ret;
while ((ret = krb5_cc_cache_next (context, cursor, &cache)) == 0) {
krb5_principal principal;
ret = krb5_cc_get_principal(context, cache, &principal);
if (ret == 0) {
krb5_boolean match;
match = krb5_principal_compare(context, principal, client);
krb5_free_principal(context, principal);
if (match)
break;
}
krb5_cc_close(context, cache);
cache = NULL;
}
krb5_cc_cache_end_seq_get(context, cursor);
if (cache == NULL) {
char *str;
krb5_unparse_name(context, client, &str);
krb5_set_error_string(context, "Principal %s not found in a "
"credential cache", str ? str : "<out of memory>");
if (str)
free(str);
return KRB5_CC_NOTFOUND;
}
*id = cache;
return 0;
}
Reference in New Issue View Git Blame Copy Permalink