Integrate Apple APIs for storing configuration parameters in a ccache

* krb5_cc_get_config: get a config parameter from a ccache * krb5_cc_set_config: set a configuration parameter in a ccache * krb5_is_config_principal: should this principal be skipped during ccache iteration * klist: skip config principals ticket: 6206 git-svn-id: svn://anonsvn.mit.edu/krb5/users/hartmans/fast-negotiate@23316 dc483132-0cff-0310-8789-dd5450dbe970
author: Sam Hartman <hartmans@mit.edu> 2009-11-23 23:10:39 +0000
committer: Sam Hartman <hartmans@mit.edu> 2009-11-23 23:10:39 +0000
commit: a9d974df3c88bfa544b3369a95a00d4254946f72 (patch)
tree: b274704671e2caf21f56071bb9108d97c9b50e6b
parent: 9640262007e071df2762f01e5ce5763e5f492eb6 (diff)
download: krb5-a9d974df3c88bfa544b3369a95a00d4254946f72.zip
krb5-a9d974df3c88bfa544b3369a95a00d4254946f72.tar.gz
krb5-a9d974df3c88bfa544b3369a95a00d4254946f72.tar.bz2
5 files changed, 182 insertions, 2 deletions
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 1a6309e..df306fa 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -382,6 +382,8 @@ void do_ccache(name)
         exit(1);
     }
     while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
+        if (krb5_is_config_principal(kcontext, creds.server))
+            continue;
         if (status_only) {
             if (exit_status && creds.server->length == 2 &&
                 strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 3b86b23..4420716 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1832,6 +1832,20 @@ krb5_cc_default(krb5_context, krb5_ccache *);
 krb5_error_code KRB5_CALLCONV
 krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc);
 
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_config(krb5_context, krb5_ccache,
+                   krb5_const_principal,
+                   const char *, krb5_data *);
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_config(krb5_context, krb5_ccache,
+                   krb5_const_principal,
+                   const char *, krb5_data *);
+
+krb5_boolean KRB5_CALLCONV
+krb5_is_config_principal(krb5_context,
+                         krb5_const_principal);
+
 /* krb5_free.c */
 void KRB5_CALLCONV krb5_free_principal(krb5_context, krb5_principal );
 void KRB5_CALLCONV krb5_free_authenticator(krb5_context,
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
index 33fb97c..de2bc9d 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc.c
@@ -805,7 +805,7 @@ krb5_stdccv3_get_flags (krb5_context context,
 krb5_error_code KRB5_CALLCONV
 krb5_stdccv3_remove (krb5_context context,
                      krb5_ccache id,
-                     krb5_flags flags,
+                     krb5_flags whichfields,
                      krb5_creds *in_creds)
 {
     krb5_error_code err = 0;
@@ -836,7 +836,10 @@ krb5_stdccv3_remove (krb5_context context,
                                                    credentials->data, &creds);
 
             if (!err) {
-                found = krb5_creds_compare (context, in_creds, &creds);
+                found = krb5int_cc_creds_match_request(context,
+                                                       whichfields,
+                                                       in_creds,
+                                                       &creds);
                 krb5_free_cred_contents (context, &creds);
             }
 
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index e12dd56..8d1578a 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -191,3 +191,161 @@ krb5_cc_unlock (krb5_context context, krb5_ccache ccache)
 {
     return ccache->ops->unlock(context, ccache);
 }
+
+static const char conf_realm[] = "X-CACHECONF:";
+static const char conf_name[] = "krb5_ccache_conf_data";
+
+static krb5_error_code
+build_conf_principals (krb5_context context, krb5_ccache id,
+                       krb5_const_principal principal,
+                       const char *name, krb5_creds *cred)
+{
+    krb5_principal client;
+    krb5_error_code ret;
+    char *pname = NULL;
+
+    memset(cred, 0, sizeof(*cred));
+
+    ret = krb5_cc_get_principal(context, id, &client);
+    if (ret)
+        return ret;
+
+    if (principal) {
+        ret = krb5_unparse_name(context, principal, &pname);
+        if (ret)
+            return ret;
+    }
+
+    ret = krb5_build_principal(context, &cred->server,
+                               sizeof(conf_realm) - 1, conf_realm,
+                               conf_name, name, pname, (char *)NULL);
+    free(pname);
+    if (ret) {
+        krb5_free_principal(context, client);
+        return ret;
+    }
+    ret = krb5_copy_principal(context, client, &cred->client);
+    krb5_free_principal(context, client);
+    return ret;
+}
+
+/*!
+ * \param context a Keberos context
+ * \param principal principal to check if it a configuration principal
+ *
+ * \brief Return TRUE (non zero) if the principal is a configuration
+ *        principal (generated part of krb5_cc_set_config()). Returns
+ *        FALSE (zero) if not a configuration principal.
+ *
+ */
+
+krb5_boolean KRB5_CALLCONV
+krb5_is_config_principal (krb5_context context,
+                          krb5_const_principal principal)
+{
+    const krb5_data *realm;
+
+    realm = krb5_princ_realm(context, principal);
+
+    if (realm->length != sizeof(conf_realm) - 1 ||
+        memcmp(realm->data, conf_realm, sizeof(conf_realm) - 1) != 0)
+        return FALSE;
+
+    if (principal->length == 0 ||
+        principal->data[0].length != (sizeof(conf_name) - 1) ||
+        memcmp(principal->data[0].data, conf_name, sizeof(conf_name) - 1) != 0)
+        return FALSE;
+
+    return TRUE;
+}
+
+/*!
+ * \param context a Keberos context
+ * \param id the credential cache to store the data for
+ * \param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * \param key name under which the configuraion is stored.
+ * \param data data to store
+ *
+ * \brief Store some configuration for the credential cache in the
+ *        cache.  Existing configuration under the same key is
+ *        over-written.
+ *
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_config (krb5_context context, krb5_ccache id,
+                    krb5_const_principal principal,
+                    const char *key, krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_creds cred;
+
+    ret = build_conf_principals(context, id, principal, key, &cred);
+    if (ret)
+        goto out;
+
+    ret = krb5_cc_remove_cred(context, id, 0, &cred);
+    if (ret && ret != KRB5_CC_NOTFOUND)
+        goto out;
+
+    cred.ticket.data = malloc(data->length);
+    if (cred.ticket.data == NULL) {
+        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+        return ENOMEM;
+    }
+    cred.ticket.length = data->length;
+    memcpy(cred.ticket.data, data->data, data->length);
+
+    ret = krb5_cc_store_cred(context, id, &cred);
+
+out:
+    krb5_free_cred_contents(context, &cred);
+    return ret;
+}
+
+/*!
+ * \param context a Keberos context
+ * \param id the credential cache to store the data for
+ * \param principal configuration for a specific principal, if
+ *        NULL, global for the whole cache.
+ * \param key name under which the configuraion is stored.
+ * \param data data to fetched, free with krb5_data_free()
+ *
+ * \brief Get some configuration for the credential cache in the cache.
+ */
+
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_config (krb5_context context, krb5_ccache id,
+                    krb5_const_principal principal,
+                    const char *key, krb5_data *data)
+{
+    krb5_creds mcred, cred;
+    krb5_error_code ret;
+
+    memset(&cred, 0, sizeof(cred));
+    memset(data, 0, sizeof(*data));
+
+    ret = build_conf_principals(context, id, principal, key, &mcred);
+    if (ret)
+        goto out;
+
+    ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+    if (ret)
+        goto out;
+
+    data->data = malloc(cred.ticket.length);
+    if (data->data == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+        goto out;
+    }
+    data->length = cred.ticket.length;
+    memcpy(data->data, cred.ticket.data, data->length);
+
+out:
+    krb5_free_cred_contents(context, &cred);
+    krb5_free_cred_contents(context, &mcred);
+    return ret;
+}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 8ef3a9d..8a43818 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -168,6 +168,7 @@ krb5_cc_dfl_ops
 krb5_cc_end_seq_get
 krb5_cc_file_ops
 krb5_cc_gen_new
+krb5_cc_get_config
 krb5_cc_get_name
 krb5_cc_get_principal
 krb5_cc_get_type
@@ -179,6 +180,7 @@ krb5_cc_remove_cred
 krb5_cc_resolve
 krb5_cc_retrieve_cred
 krb5_cc_retrieve_cred_default
+krb5_cc_set_config
 krb5_cc_set_default_name
 krb5_cc_set_flags
 krb5_cc_start_seq_get
@@ -358,6 +360,7 @@ krb5_init_context
 krb5_init_keyblock
 krb5_init_secure_context
 krb5_internalize_opaque
+krb5_is_config_principal
 krb5_is_permitted_enctype
 krb5_is_referral_realm
 krb5_is_thread_safe
author	Sam Hartman <hartmans@mit.edu>	2009-11-23 23:10:39 +0000
committer	Sam Hartman <hartmans@mit.edu>	2009-11-23 23:10:39 +0000
commit	a9d974df3c88bfa544b3369a95a00d4254946f72 (patch)
tree	b274704671e2caf21f56071bb9108d97c9b50e6b
parent	9640262007e071df2762f01e5ce5763e5f492eb6 (diff)
download	krb5-a9d974df3c88bfa544b3369a95a00d4254946f72.zip krb5-a9d974df3c88bfa544b3369a95a00d4254946f72.tar.gz krb5-a9d974df3c88bfa544b3369a95a00d4254946f72.tar.bz2