author | Sam Hartman <hartmans@mit.edu> | 2009-11-23 23:10:39 +0000 |
committer | Sam Hartman <hartmans@mit.edu> | 2009-11-23 23:10:39 +0000 |
commit | a9d974df3c88bfa544b3369a95a00d4254946f72 (patch) | |
tree | b274704671e2caf21f56071bb9108d97c9b50e6b | |
parent | 9640262007e071df2762f01e5ce5763e5f492eb6 (diff) | |
Integrate Apple APIs for storing configuration parameters in a ccache
* krb5_cc_get_config: get a config parameter from a ccache
* krb5_cc_set_config: set a configuration parameter in a ccache
* krb5_is_config_principal: should this principal be skipped during ccache iteration
* klist: skip config principals
ticket: 6206
git-svn-id: svn://anonsvn.mit.edu/krb5/users/hartmans/fast-negotiate@23316 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/clients/klist/klist.c | 2 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 14 | ||||
-rw-r--r-- | src/lib/krb5/ccache/ccapi/stdcc.c | 7 | ||||
-rw-r--r-- | src/lib/krb5/ccache/ccfns.c | 158 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 3 |
5 files changed, 182 insertions, 2 deletions
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index 1a6309e..df306fa 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c @@ -382,6 +382,8 @@ void do_ccache(name) exit(1); } while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) { + if (krb5_is_config_principal(kcontext, creds.server)) + continue; if (status_only) { if (exit_status && creds.server->length == 2 && strcmp(creds.server->realm.data, princ->realm.data) == 0 && diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 3b86b23..4420716 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -1832,6 +1832,20 @@ krb5_cc_default(krb5_context, krb5_ccache *); krb5_error_code KRB5_CALLCONV krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc); +krb5_error_code KRB5_CALLCONV +krb5_cc_get_config(krb5_context, krb5_ccache, + krb5_const_principal, + const char *, krb5_data *); + +krb5_error_code KRB5_CALLCONV +krb5_cc_set_config(krb5_context, krb5_ccache, + krb5_const_principal, + const char *, krb5_data *); + +krb5_boolean KRB5_CALLCONV +krb5_is_config_principal(krb5_context, + krb5_const_principal); + /* krb5_free.c */ void KRB5_CALLCONV krb5_free_principal(krb5_context, krb5_principal ); void KRB5_CALLCONV krb5_free_authenticator(krb5_context, diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c index 33fb97c..de2bc9d 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc.c +++ b/src/lib/krb5/ccache/ccapi/stdcc.c @@ -805,7 +805,7 @@ krb5_stdccv3_get_flags (krb5_context context, krb5_error_code KRB5_CALLCONV krb5_stdccv3_remove (krb5_context context, krb5_ccache id, - krb5_flags flags, + krb5_flags whichfields, krb5_creds *in_creds) { krb5_error_code err = 0; 
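Review bot: The `continue` added after the krb5_is_config_principal() check skips the rest of the loop body for that credential, so if do_ccache() releases `creds` at the end of the body (the body starts and ends outside this hunk), each skipped config entry leaks its contents until the program exits. The skip should release them first: `if (krb5_is_config_principal(kcontext, creds.server)) {` / `krb5_free_cred_contents(kcontext, &creds);` / `continue; }`. Please confirm where krb5_free_cred_contents() is called in this loop before merging.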
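Review bot: The three new public prototypes in krb5.hin carry no documentation, while the implementations in ccfns.c have Doxygen comments describing the contract; this header is what callers see, so those comments should be mirrored here, in particular that krb5_cc_get_config() allocates `data` for the caller to release and that krb5_cc_set_config() overwrites an existing value stored under the same key. krb5_cc_set_config() only reads `data` (its length and bytes are copied into the new credential), so declaring the parameter `const krb5_data *` would state that, and it is cheaper to settle before the prototype is exported. A one-line note on krb5_is_config_principal() saying that config entries are stored as credential-shaped records and must be filtered out by any code that iterates a cache would also help callers other than klist.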
@@ -836,7 +836,10 @@ krb5_stdccv3_remove (krb5_context context, credentials->data, &creds); if (!err) { - found = krb5_creds_compare (context, in_creds, &creds); + found = krb5int_cc_creds_match_request(context, + whichfields, + in_creds, + &creds); krb5_free_cred_contents (context, &creds); } diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c index e12dd56..8d1578a 100644 --- a/src/lib/krb5/ccache/ccfns.c +++ b/src/lib/krb5/ccache/ccfns.c 
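Review bot: Replacing krb5_creds_compare() with krb5int_cc_creds_match_request() changes what krb5_stdccv3_remove() treats as a match, and the only hint is the parameter rename in the previous hunk; neither the commit message nor a comment records that this backend now honours `whichfields`, which is presumably what lets krb5_cc_set_config() remove an entry by client and server principal alone. A short comment on the call, `/* Honour whichfields instead of requiring an exact credential match. */`, would keep that intent visible. The enclosing function starts and ends outside the hunk, so how `found` and `err` are combined afterwards could not be checked here.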
@@ -191,3 +191,161 @@ krb5_cc_unlock (krb5_context context, krb5_ccache ccache)
 {
 return ccache->ops->unlock(context, ccache);
 }
+
+static const char conf_realm[] = "X-CACHECONF:";
+static const char conf_name[] = "krb5_ccache_conf_data";
+
+static krb5_error_code
+build_conf_principals (krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_creds *cred)
+{
+ krb5_principal client;
+ krb5_error_code ret;
+ char *pname = NULL;
+
+ memset(cred, 0, sizeof(*cred));
+
+ ret = krb5_cc_get_principal(context, id, &client);
+ if (ret)
+ return ret;
+
+ if (principal) {
+ ret = krb5_unparse_name(context, principal, &pname);
+ if (ret)
+ return ret;
+ }
+
+ ret = krb5_build_principal(context, &cred->server,
+ sizeof(conf_realm) - 1, conf_realm,
+ conf_name, name, pname, (char *)NULL);
+ free(pname);
+ if (ret) {
+ krb5_free_principal(context, client);
+ return ret;
+ }
+ ret = krb5_copy_principal(context, client, &cred->client);
+ krb5_free_principal(context, client);
+ return ret;
+}
+
+/*!
+ * \param context a Keberos context
+ * \param principal principal to check if it a configuration principal
+ *
+ * \brief Return TRUE (non zero) if the principal is a configuration
+ * principal (generated part of krb5_cc_set_config()). Returns
+ * FALSE (zero) if not a configuration principal.
+ *
+ */
+
+krb5_boolean KRB5_CALLCONV
+krb5_is_config_principal (krb5_context context,
+ krb5_const_principal principal)
+{
+ const krb5_data *realm;
+
+ realm = krb5_princ_realm(context, principal);
+
+ if (realm->length != sizeof(conf_realm) - 1 ||
+ memcmp(realm->data, conf_realm, sizeof(conf_realm) - 1) != 0)
+ return FALSE;
+
+ if (principal->length == 0 ||
+ principal->data[0].length != (sizeof(conf_name) - 1) ||
+ memcmp(principal->data[0].data, conf_name, sizeof(conf_name) - 1) != 0)
+ return FALSE;
+
+ return TRUE;
+}
+
+/*!
+ * \param context a Keberos context
+ * \param id the credential cache to store the data for
+ * \param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * \param key name under which the configuraion is stored.
+ * \param data data to store
+ *
+ * \brief Store some configuration for the credential cache in the
+ * cache. Existing configuration under the same key is
+ * over-written.
+ *
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_config (krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *key, krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_creds cred;
+
+ ret = build_conf_principals(context, id, principal, key, &cred);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_remove_cred(context, id, 0, &cred);
+ if (ret && ret != KRB5_CC_NOTFOUND)
+ goto out;
+
+ cred.ticket.data = malloc(data->length);
+ if (cred.ticket.data == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+ cred.ticket.length = data->length;
+ memcpy(cred.ticket.data, data->data, data->length);
+
+ ret = krb5_cc_store_cred(context, id, &cred);
+
+out:
+ krb5_free_cred_contents(context, &cred);
+ return ret;
+}
+
+/*!
+ * \param context a Keberos context
+ * \param id the credential cache to store the data for
+ * \param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * \param key name under which the configuraion is stored.
+ * \param data data to fetched, free with krb5_data_free()
+ *
+ * \brief Get some configuration for the credential cache in the cache.
+ */
+
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_config (krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *key, krb5_data *data)
+{
+ krb5_creds mcred, cred;
+ krb5_error_code ret;
+
+ memset(&cred, 0, sizeof(cred));
+ memset(data, 0, sizeof(*data));
+
+ ret = build_conf_principals(context, id, principal, key, &mcred);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+ if (ret)
+ goto out;
+
+ data->data = malloc(cred.ticket.length);
+ if (data->data == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ goto out;
+ }
+ data->length = cred.ticket.length;
+ memcpy(data->data, cred.ticket.data, data->length);
+
+out:
+ krb5_free_cred_contents(context, &cred);
+ krb5_free_cred_contents(context, &mcred);
+ return ret;
+}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 8ef3a9d..8a43818 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -168,6 +168,7 @@ krb5_cc_dfl_ops
 krb5_cc_end_seq_get
 krb5_cc_file_ops
 krb5_cc_gen_new
+krb5_cc_get_config
 krb5_cc_get_name
 krb5_cc_get_principal
 krb5_cc_get_type
@@ -179,6 +180,7 @@ krb5_cc_remove_cred
 krb5_cc_resolve
 krb5_cc_retrieve_cred
 krb5_cc_retrieve_cred_default
+krb5_cc_set_config
 krb5_cc_set_default_name
 krb5_cc_set_flags
 krb5_cc_start_seq_get
@@ -358,6 +360,7 @@ krb5_init_context
 krb5_init_keyblock
 krb5_init_secure_context
 krb5_internalize_opaque
+krb5_is_config_principal
 krb5_is_permitted_enctype
 krb5_is_referral_realm
 krb5_is_thread_safe |
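Review bot: In krb5_cc_set_config(), the malloc-failure branch does `return ENOMEM;` instead of going through `out:`, so the client and server principals that build_conf_principals() has already placed in `cred` are leaked; it should read `ret = ENOMEM;` followed by `goto out;`, the shape krb5_cc_get_config() already uses for the same failure. build_conf_principals() has a matching leak: when krb5_unparse_name() fails, the `client` principal obtained from krb5_cc_get_principal() is never released, so that branch needs `krb5_free_principal(context, client);` before its `return ret;`. Both set_config and get_config also call malloc() with a length that may be 0 (`data->length`, `cred.ticket.length`), where a NULL result is indistinguishable from out-of-memory; either reject empty values up front or treat a zero length as a valid empty krb5_data. Since config entries are stored as ordinary credentials under the synthesized server principal `krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF:` (placeholders constructed from the build_principal call), a comment above `conf_realm` stating that any code enumerating a cache must filter with krb5_is_config_principal(), as klist now does, would help other cache consumers avoid treating them as tickets.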