int
heim_dict_add_value(heim_dict_t dict, heim_object_t key, heim_object_t value)
{
struct hashentry **tabptr, *h;
h = _search(dict, key);
if (h) {
heim_release(h->value);
h->value = heim_retain(value);
} else {
unsigned long v;
h = malloc(sizeof(*h));
if (h == NULL)
return ENOMEM;
h->key = heim_retain(key);
h->value = heim_retain(value);
v = heim_get_hash(key);
tabptr = &dict->tab[v % dict->size];
h->next = *tabptr;
*tabptr = h;
h->prev = tabptr;
if (h->next)
h->next->prev = &h->next;
}
return 0;
}
/** heim_db_register
* @brief Registers a DB type for use with heim_db_create().
*
* @param dbtype Name of DB type
* @param data Private data argument to the dbtype's openf method
* @param plugin Structure with DB type methods (function pointers)
*
* Backends that provide begin/commit/rollback methods must provide ACID
* semantics.
*
* The registered DB type will have ACID semantics for backends that do
* not provide begin/commit/rollback methods but do provide lock/unlock
* and rdjournal/wrjournal methods (using a replay log journalling
* scheme).
*
* If the registered DB type does not natively provide read vs. write
* transaction isolation but does provide a lock method then the DB will
* provide read/write transaction isolation.
*
* @return ENOMEM on failure, else 0.
*
* @addtogroup heimbase
*/
int
heim_db_register(const char *dbtype,
void *data,
struct heim_db_type *plugin)
{
heim_dict_t plugins;
heim_string_t s;
db_plugin plug, plug2;
int ret = 0;
if ((plugin->beginf != NULL && plugin->commitf == NULL) ||
(plugin->beginf != NULL && plugin->rollbackf == NULL) ||
(plugin->lockf != NULL && plugin->unlockf == NULL) ||
plugin->copyf == NULL)
heim_abort("Invalid DB plugin; make sure methods are paired");
/* Initialize */
plugins = heim_dict_create(11);
if (plugins == NULL)
return ENOMEM;
heim_base_once_f(&db_plugin_init_once, plugins, db_init_plugins_once);
heim_release(plugins);
heim_assert(db_plugins != NULL, "heim_db plugin table initialized");
s = heim_string_create(dbtype);
if (s == NULL)
return ENOMEM;
plug = heim_alloc(sizeof (*plug), "db_plug", plugin_dealloc);
if (plug == NULL) {
heim_release(s);
return ENOMEM;
}
plug->name = heim_retain(s);
plug->openf = plugin->openf;
plug->clonef = plugin->clonef;
plug->closef = plugin->closef;
plug->lockf = plugin->lockf;
plug->unlockf = plugin->unlockf;
plug->syncf = plugin->syncf;
plug->beginf = plugin->beginf;
plug->commitf = plugin->commitf;
plug->rollbackf = plugin->rollbackf;
plug->copyf = plugin->copyf;
plug->setf = plugin->setf;
plug->delf = plugin->delf;
plug->iterf = plugin->iterf;
plug->data = data;
HEIMDAL_MUTEX_lock(&db_type_mutex);
plug2 = heim_dict_get_value(db_plugins, s);
if (plug2 == NULL)
ret = heim_dict_set_value(db_plugins, s, plug);
HEIMDAL_MUTEX_unlock(&db_type_mutex);
heim_release(plug);
heim_release(s);
return ret;
}
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_sendto_ctx_set_krb5hst(krb5_context context,
krb5_sendto_ctx ctx,
krb5_krbhst_handle handle)
{
heim_release(ctx->krbhst);
ctx->krbhst = heim_retain(handle);
}
heim_error_t
heim_error_append(heim_error_t top, heim_error_t append)
{
if (top->next)
heim_release(top->next);
top->next = heim_retain(append);
return top;
}
heim_object_t
heim_dict_copy_value(heim_dict_t dict, heim_object_t key)
{
struct hashentry *p;
p = _search(dict, key);
if (p == NULL)
return NULL;
return heim_retain(p->value);
}
heim_string_t
heim_error_copy_string(heim_error_t error)
{
if (heim_get_tid(error) != HEIM_TID_ERROR) {
if (heim_get_tid(error) == heim_number_get_type_id())
return __heim_string_constant(strerror(heim_number_get_int((heim_number_t)error)));
heim_abort("invalid heim_error_t");
}
/* XXX concat all strings */
return heim_retain(error->msg);
}
heim_error_t
heim_error_append(heim_error_t top, heim_error_t append)
{
if (heim_get_tid(top) != HEIM_TID_ERROR) {
if (heim_get_tid(top) == heim_number_get_type_id())
return top;
heim_abort("invalid heim_error_t");
}
if (top->next)
heim_release(top->next);
top->next = heim_retain(append);
return top;
}
int
heim_array_append_value(heim_array_t array, heim_object_t object)
{
heim_object_t *ptr;
ptr = realloc(array->val, (array->len + 1) * sizeof(array->val[0]));
if (ptr == NULL)
return ENOMEM;
array->val = ptr;
array->val[array->len++] = heim_retain(object);
return 0;
}
hx509_certs
hx509_certs_ref(hx509_certs certs)
{
return heim_retain(certs);
}
OM_uint32
_gss_iakerb_acquire_cred_ext(OM_uint32 * minor_status,
const gss_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle)
{
krb5_context context;
gsskrb5_cred handle;
krb5_error_code ret;
krb5_creds cred;
gss_buffer_t credential_buffer = NULL;
#ifdef PKINIT
hx509_cert cert = NULL;
#endif
memset(&cred, 0, sizeof(cred));
if (cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH)
return GSS_S_FAILURE;
GSSAPI_KRB5_INIT_STATUS(&context, status);
/* pick up the credential */
if (gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
credential_buffer = (gss_buffer_t)credential_data;
if (credential_buffer->length + 1 < credential_buffer->length)
return GSS_S_FAILURE;
#ifdef PKINIT
} else if (gss_oid_equal(credential_type, GSS_C_CRED_CERTIFICATE)) {
cert = (hx509_cert)credential_data;
} else if (gss_oid_equal(credential_type, GSS_C_CRED_SecIdentity)) {
ret = hx509_cert_init_SecFramework(context->hx509ctx, rk_UNCONST(credential_data), &cert);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
#endif
} else {
*minor_status = KRB5_NOCREDS_SUPPLIED;
return GSS_S_FAILURE;
}
if (desired_name == GSS_C_NO_NAME)
return GSS_S_FAILURE;
handle = calloc(1, sizeof(*handle));
if (handle == NULL)
return (GSS_S_FAILURE);
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
handle->usage = GSS_C_INITIATE;
{
krb5_principal princ = (krb5_principal)desired_name;
ret = krb5_copy_principal(context, princ, &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ret;
return GSS_S_FAILURE;
}
}
if (credential_buffer) {
handle->password = malloc(credential_buffer->length + 1);
if (handle->password == NULL) {
krb5_free_principal(context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
memcpy(handle->password, credential_buffer->value, credential_buffer->length);
handle->password[credential_buffer->length] = '\0';
}
#ifdef PKINIT
if (cert)
handle->cert = heim_retain(cert);
#endif
handle->keytab = NULL;
handle->ccache = NULL;
handle->endtime = INT_MAX;
/*
* Lets overwrite the same credentials if we already have it
*/
ret = krb5_cc_cache_match(context, handle->principal, &handle->ccache);
if (ret) {
ret = krb5_cc_new_unique(context, krb5_cc_type_api, NULL, &handle->ccache);
if (ret)
goto out;
}
ret = krb5_cc_initialize(context, handle->ccache, handle->principal);
if (ret)
goto out;
{
krb5_data data;
krb5_data_zero(&data);
krb5_cc_set_config(context, handle->ccache, NULL, "iakerb", &data);
}
if (handle->password) {
krb5_data pw;
pw.data = handle->password;
pw.length = strlen(handle->password);
ret = krb5_cc_set_config(context, handle->ccache, NULL, "password", &pw);
if (ret)
goto out;
}
#ifdef PKINIT
if (handle->cert) {
krb5_data pd;
ret = hx509_cert_get_persistent(handle->cert, &pd);
if (ret)
goto out;
ret = krb5_cc_set_config(context, handle->ccache, NULL, "certificate-ref", &pd);
der_free_octet_string(&pd);
if (ret)
goto out;
}
#endif
*output_cred_handle = (gss_cred_id_t) handle;
*minor_status = 0;
return GSS_S_COMPLETE;
out:
krb5_free_principal(context, handle->principal);
if (handle->password) {
memset(handle->password, 0, strlen(handle->password));
free(handle->password);
}
#ifdef PKINIT
if (handle->cert)
hx509_cert_free(handle->cert);
#endif
if (handle->ccache)
krb5_cc_destroy(context, handle->ccache);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ret;
return GSS_S_FAILURE;
}
void
krb5_load_plugins(krb5_context context, const char *name, const char **paths)
{
#ifdef HAVE_DLOPEN
heim_string_t s = heim_string_create(name);
heim_dict_t module;
struct dirent *entry;
krb5_error_code ret;
const char **di;
DIR *d;
HEIMDAL_MUTEX_lock(&plugin_mutex);
if (modules == NULL) {
modules = heim_dict_create(11);
if (modules == NULL) {
HEIMDAL_MUTEX_unlock(&plugin_mutex);
return;
}
}
module = heim_dict_copy_value(modules, s);
if (module == NULL) {
module = heim_dict_create(11);
if (module == NULL) {
HEIMDAL_MUTEX_unlock(&plugin_mutex);
heim_release(s);
return;
}
heim_dict_add_value(modules, s, module);
}
heim_release(s);
for (di = paths; *di != NULL; di++) {
d = opendir(*di);
if (d == NULL)
continue;
rk_cloexec_dir(d);
while ((entry = readdir(d)) != NULL) {
char *n = entry->d_name;
char *path = NULL;
heim_string_t spath;
struct plugin2 *p;
/* skip . and .. */
if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
continue;
ret = 0;
#ifdef __APPLE__
{ /* support loading bundles on MacOS */
size_t len = strlen(n);
if (len > 7 && strcmp(&n[len - 7], ".bundle") == 0)
ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", *di, n, (int)(len - 7), n);
}
#endif
if (ret < 0 || path == NULL)
ret = asprintf(&path, "%s/%s", *di, n);
if (ret < 0 || path == NULL)
continue;
spath = heim_string_create(n);
if (spath == NULL) {
free(path);
continue;
}
/* check if already cached */
p = heim_dict_copy_value(module, spath);
if (p == NULL) {
p = heim_uniq_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
if (p)
p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
if (p && p->dsohandle) {
p->path = heim_retain(spath);
p->names = heim_dict_create(11);
heim_dict_add_value(module, spath, p);
}
}
heim_release(spath);
heim_release(p);
free(path);
}
closedir(d);
}
heim_release(module);
HEIMDAL_MUTEX_unlock(&plugin_mutex);
#endif /* HAVE_DLOPEN */
}
/**
* Open a database of the given dbtype.
*
* Database type names can be composed of one or more pseudo-DB types
* and one concrete DB type joined with a '+' between each. For
* example: "transaction+bdb" might be a Berkeley DB with a layer above
* that provides transactions.
*
* Options may be provided via a dict (an associative array). Existing
* options include:
*
* - "create", with any value (create if DB doesn't exist)
* - "exclusive", with any value (exclusive create)
* - "truncate", with any value (truncate the DB)
* - "read-only", with any value (disallow writes)
* - "sync", with any value (make transactions durable)
* - "journal-name", with a string value naming a journal file name
*
* @param dbtype Name of DB type
* @param dbname Name of DB (likely a file path)
* @param options Options dict
* @param db Output open DB handle
* @param error Output error object
*
* @return a DB handle
*
* @addtogroup heimbase
*/
heim_db_t
heim_db_create(const char *dbtype, const char *dbname,
heim_dict_t options, heim_error_t *error)
{
heim_string_t s;
char *p;
db_plugin plug;
heim_db_t db;
int ret = 0;
if (options == NULL) {
options = heim_dict_create(11);
if (options == NULL) {
if (error)
*error = heim_error_create_enomem();
return NULL;
}
} else {
(void) heim_retain(options);
}
if (db_plugins == NULL) {
heim_release(options);
return NULL;
}
if (dbtype == NULL || *dbtype == '\0') {
struct dbtype_iter iter_ctx = { NULL, dbname, options, error};
/* Try all dbtypes */
heim_dict_iterate_f(db_plugins, &iter_ctx, dbtype_iter2create_f);
heim_release(options);
return iter_ctx.db;
} else if (strstr(dbtype, "json")) {
(void) heim_db_register(dbtype, NULL, &json_dbt);
}
/*
* Allow for dbtypes that are composed from pseudo-dbtypes chained
* to a real DB type with '+'. For example a pseudo-dbtype might
* add locking, transactions, transcoding of values, ...
*/
p = strchr(dbtype, '+');
if (p != NULL)
s = heim_string_create_with_bytes(dbtype, p - dbtype);
else
s = heim_string_create(dbtype);
if (s == NULL) {
heim_release(options);
return NULL;
}
HEIMDAL_MUTEX_lock(&db_type_mutex);
plug = heim_dict_get_value(db_plugins, s);
HEIMDAL_MUTEX_unlock(&db_type_mutex);
heim_release(s);
if (plug == NULL) {
if (error)
*error = heim_error_create(ENOENT,
N_("Heimdal DB plugin not found: %s", ""),
dbtype);
heim_release(options);
return NULL;
}
db = _heim_alloc_object(&db_object, sizeof(*db));
if (db == NULL) {
heim_release(options);
return NULL;
}
db->in_transaction = 0;
db->ro_tx = 0;
db->set_keys = NULL;
db->del_keys = NULL;
db->plug = plug;
db->options = options;
ret = plug->openf(plug->data, dbtype, dbname, options, &db->db_data, error);
if (ret) {
heim_release(db);
if (error && *error == NULL)
*error = heim_error_create(ENOENT,
N_("Heimdal DB could not be opened: %s", ""),
dbname);
return NULL;
}
ret = db_replay_log(db, error);
if (ret) {
heim_release(db);
return NULL;
}
if (plug->clonef == NULL) {
db->dbtype = heim_string_create(dbtype);
db->dbname = heim_string_create(dbname);
if (!db->dbtype || ! db->dbname) {
heim_release(db);
if (error)
*error = heim_error_create_enomem();
return NULL;
}
}
return db;
}
static void
db_init_plugins_once(void *arg)
{
db_plugins = heim_retain(arg);
}
heim_string_t
heim_error_copy_string(heim_error_t error)
{
/* XXX concat all strings */
return heim_retain(error->msg);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_context(krb5_context context, krb5_context *out)
{
krb5_error_code ret;
krb5_context p;
*out = NULL;
p = calloc(1, sizeof(*p));
if (p == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
if (p->mutex == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
free(p);
return ENOMEM;
}
HEIMDAL_MUTEX_init(p->mutex);
if (context->default_cc_name)
p->default_cc_name = strdup(context->default_cc_name);
if (context->default_cc_name_env)
p->default_cc_name_env = strdup(context->default_cc_name_env);
if (context->etypes) {
ret = copy_etypes(context, context->etypes, &p->etypes);
if (ret)
goto out;
}
if (context->etypes_des) {
ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
if (ret)
goto out;
}
if (context->default_realms)
p->default_realms = heim_retain(context->default_realms);
ret = _krb5_config_copy(context, context->cf, &p->cf);
if (ret)
goto out;
/* XXX should copy */
krb5_init_ets(p);
cc_ops_copy(p, context);
kt_ops_copy(p, context);
#if 0 /* XXX */
if (context->warn_dest != NULL)
;
if (context->debug_dest != NULL)
;
#endif
ret = krb5_set_extra_addresses(p, context->extra_addresses);
if (ret)
goto out;
ret = krb5_set_extra_addresses(p, context->ignore_addresses);
if (ret)
goto out;
ret = _krb5_copy_send_to_kdc_func(p, context);
if (ret)
goto out;
*out = p;
return 0;
out:
krb5_free_context(p);
return ret;
}
