/*
* remove
*
* - remove the specified credentials from the NC
*/
krb5_error_code KRB5_CALLCONV
krb5_stdccv3_remove (krb5_context context,
krb5_ccache id,
krb5_flags whichfields,
krb5_creds *in_creds)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_iterator_t iterator = NULL;
int found = 0;
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
if (!err) {
err = cc_ccache_new_credentials_iterator(ccapi_data->NamedCache,
&iterator);
}
/* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err && !found) {
cc_credentials_t credentials = NULL;
err = cc_credentials_iterator_next (iterator, &credentials);
if (!err && (credentials->data->version == cc_credentials_v5)) {
krb5_creds creds;
err = copy_cc_cred_union_to_krb5_creds(context,
credentials->data, &creds);
if (!err) {
found = krb5int_cc_creds_match_request(context,
whichfields,
in_creds,
&creds);
krb5_free_cred_contents (context, &creds);
}
if (!err && found) {
err = cc_ccache_remove_credentials (ccapi_data->NamedCache, credentials);
}
}
if (credentials) { cc_credentials_release (credentials); }
}
if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; }
if (iterator) {
err = cc_credentials_iterator_release(iterator);
}
if (!err) {
cache_changed ();
}
return cc_err_xlate (err);
}
/*
* next cred
*
* - get the next credential in the cache as part of an iterator call
* - this maps to call to cc_seq_fetch_creds
*/
krb5_error_code KRB5_CALLCONV
krb5_stdccv3_next_cred (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor,
krb5_creds *creds)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_t credentials = NULL;
cc_credentials_iterator_t iterator = *cursor;
if (!iterator) { err = KRB5_CC_END; }
if (!err) {
err = stdccv3_setup (context, ccapi_data);
}
/* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err) {
err = cc_credentials_iterator_next (iterator, &credentials);
if (!err && (credentials->data->version == cc_credentials_v5)) {
copy_cc_cred_union_to_krb5_creds(context, credentials->data, creds);
break;
}
}
if (credentials) { cc_credentials_release (credentials); }
if (err == ccIteratorEnd) {
cc_credentials_iterator_release (iterator);
*cursor = 0;
}
return cc_err_xlate (err);
}
/*
* Deletion from credentials file
*/
int KRB5_CALLCONV
krb_delete_cred (
char* sname,
char* sinstance,
char* srealm)
{
cc_credentials_t theCreds = NULL;
cc_credentials_iterator_t iterator = NULL;
cc_int32 cc_err = ccNoError;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_ccache_t ccache = NULL;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
}
if (cc_err == ccNoError) {
cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
}
if (cc_err == ccNoError) {
for (;;) {
/* get next creds */
cc_err = cc_credentials_iterator_next (iterator, &theCreds);
if (cc_err != ccNoError) {
break;
}
if ((theCreds -> data -> version == cc_credentials_v4) &&
(strcmp (theCreds -> data -> credentials.credentials_v4 -> service, sname) == 0) &&
(strcmp (theCreds -> data -> credentials.credentials_v4 -> service_instance, sinstance) == 0) &&
(strcmp (theCreds -> data -> credentials.credentials_v4 -> realm, srealm) == 0)) {
cc_ccache_remove_credentials (ccache, theCreds);
cc_credentials_release (theCreds);
break;
}
cc_credentials_release (theCreds);
}
}
if (iterator != NULL)
cc_credentials_iterator_release (iterator);
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (cc_err != ccNoError)
return KFAILURE;
else
return KSUCCESS;
}
/*
* Destroy all credential caches
*
* Implementation in memcache.c
*/
int KRB5_CALLCONV
dest_all_tkts (void)
{
int count = 0;
cc_ccache_iterator_t iterator = NULL;
cc_int32 cc_err = ccNoError;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_ccache_t ccache = NULL;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_new_ccache_iterator (cc_context, &iterator);
}
if (cc_err == ccNoError) {
for (;;) {
/* get next ccache */
cc_err = cc_ccache_iterator_next (iterator, &ccache);
if (cc_err != ccNoError)
break;
cc_ccache_destroy (ccache);
count++;
}
}
if (iterator != NULL)
cc_credentials_iterator_release (iterator);
if (cc_context != NULL)
cc_context_release (cc_context);
if ((cc_err == ccIteratorEnd) && (count == 0)) {
/* first time, nothing to destroy */
return KFAILURE;
} else {
if (cc_err == ccIteratorEnd) {
/* done */
return KSUCCESS;
} else {
/* error */
return KFAILURE;
}
}
}
/*
* Number of credentials in credentials cache
*/
int KRB5_CALLCONV
krb_get_num_cred (void)
{
cc_credentials_t theCreds = NULL;
int count = 0;
cc_credentials_iterator_t iterator = NULL;
cc_int32 cc_err = ccNoError;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_ccache_t ccache = NULL;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
}
if (cc_err == ccNoError) {
cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
}
if (cc_err == ccNoError) {
for (;;) {
/* get next creds */
cc_err = cc_credentials_iterator_next (iterator, &theCreds);
if (cc_err != ccNoError)
break;
if (theCreds -> data -> version == cc_credentials_v4)
count++;
cc_credentials_release (theCreds);
}
}
if (iterator != NULL)
cc_credentials_iterator_release (iterator);
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (cc_err != ccNoError)
return 0;
else
return count;
}
/*
* end seq
*
* just free up the storage assoicated with the cursor (if we can)
*/
krb5_error_code KRB5_CALLCONV
krb5_stdccv3_end_seq_get (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_iterator_t iterator = *cursor;
if (!iterator) { return 0; }
if (!err) {
err = stdccv3_setup (context, ccapi_data);
}
if (!err) {
err = cc_credentials_iterator_release(iterator);
}
return cc_err_xlate(err);
}
int check_cc_credentials_iterator_next(void) {
cc_int32 err = 0;
cc_context_t context = NULL;
cc_ccache_t ccache = NULL;
cc_credentials_union creds_union;
cc_credentials_iterator_t iterator = NULL;
unsigned int i;
BEGIN_TEST("cc_credentials_iterator_next");
err = cc_initialize(&context, ccapi_version_3, NULL, NULL);
if (!err) {
err = destroy_all_ccaches(context);
}
// iterate with no creds
if (!err) {
err = cc_context_create_new_ccache(context, cc_credentials_v5, "*****@*****.**", &ccache);
}
if (!err) {
err = cc_ccache_new_credentials_iterator(ccache, &iterator);
}
check_once_cc_credentials_iterator_next(iterator, 0, ccNoError, "iterating over an empty ccache");
if (iterator) {
cc_ccache_iterator_release(iterator);
iterator = NULL;
}
if (ccache) {
cc_ccache_release(ccache);
ccache = NULL;
}
// iterate with one cred
if (!err) {
destroy_all_ccaches(context);
err = cc_context_create_new_ccache(context, cc_credentials_v5, "*****@*****.**", &ccache);
}
if (!err) {
new_v5_creds_union(&creds_union, "BAR.ORG");
err = cc_ccache_store_credentials(ccache, &creds_union);
release_v5_creds_union(&creds_union);
}
if (!err) {
err = cc_ccache_new_credentials_iterator(ccache, &iterator);
}
check_once_cc_credentials_iterator_next(iterator, 1, ccNoError, "iterating over a ccache with 1 cred");
if (iterator) {
cc_credentials_iterator_release(iterator);
iterator = NULL;
}
if (ccache) {
cc_ccache_release(ccache);
ccache = NULL;
}
// iterate with several creds
if (!err) {
destroy_all_ccaches(context);
err = cc_context_create_new_ccache(context, cc_credentials_v5, "*****@*****.**", &ccache);
}
for(i = 0; !err && (i < 1000); i++) {
if (i%100 == 0) fprintf(stdout, ".");
new_v5_creds_union(&creds_union, "BAR.ORG");
err = cc_ccache_store_credentials(ccache, &creds_union);
release_v5_creds_union(&creds_union);
}
if (!err) {
err = cc_ccache_new_credentials_iterator(ccache, &iterator);
}
check_once_cc_credentials_iterator_next(iterator, 1000, ccNoError, "iterating over a ccache with 1000 creds");
if (ccache) { cc_ccache_release(ccache); }
if (iterator) { cc_credentials_iterator_release(iterator); }
if (context) {
destroy_all_ccaches(context);
cc_context_release(context);
}
END_TEST_AND_RETURN
}
/*
* Retrieval from credentials file
* This function is _not_!! well-defined under CCache API, because
* there is no guarantee about order of credentials remaining the same.
*/
int KRB5_CALLCONV
krb_get_nth_cred (
char* sname,
char* sinstance,
char* srealm,
int n)
{
cc_credentials_t theCreds = NULL;
int count = 0;
cc_credentials_iterator_t iterator = NULL;
cc_int32 cc_err = ccNoError;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_ccache_t ccache = NULL;
if (n < 1)
return KFAILURE;
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
}
if (cc_err == ccNoError) {
cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
}
if (cc_err == ccNoError) {
for (count = 0; count < n;) {
/* get next creds */
cc_err = cc_credentials_iterator_next (iterator, &theCreds);
if (cc_err != ccNoError)
break;
if (theCreds -> data -> version == cc_credentials_v4)
count++;
if (count < n - 1)
cc_credentials_release (theCreds);
}
}
if (cc_err == ccNoError) {
strcpy (sname, theCreds -> data -> credentials.credentials_v4 -> service);
strcpy (sinstance, theCreds -> data -> credentials.credentials_v4 -> service_instance);
strcpy (srealm, theCreds -> data -> credentials.credentials_v4 -> realm);
}
if (theCreds != NULL)
cc_credentials_release (theCreds);
if (iterator != NULL)
cc_credentials_iterator_release (iterator);
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (cc_err != ccNoError)
return KFAILURE;
else
return KSUCCESS;
}
/*
* Retrieval from credentials cache
*/
int KRB5_CALLCONV
krb_get_cred (
char* service,
char* instance,
char* realm,
CREDENTIALS* creds)
{
int kerr = KSUCCESS;
cc_int32 cc_err = ccNoError;
cc_credentials_t theCreds = NULL;
cc_credentials_iterator_t iterator = NULL;
cc_context_t cc_context = NULL;
cc_int32 cc_version;
cc_ccache_t ccache = NULL;
#ifdef USE_LOGIN_LIBRARY
// If we are requesting a tgt, prompt for it
if (strncmp (service, KRB_TICKET_GRANTING_TICKET, ANAME_SZ) == 0) {
OSStatus err;
char *cacheName;
KLPrincipal outPrincipal;
err = __KLInternalAcquireInitialTicketsForCache (TKT_FILE, kerberosVersion_V4, NULL,
&outPrincipal, &cacheName);
if (err == klNoErr) {
krb_set_tkt_string (cacheName); // Tickets for the krb4 principal went here
KLDisposeString (cacheName);
KLDisposePrincipal (outPrincipal);
} else {
return GC_NOTKT;
}
}
#endif /* USE_LOGIN_LIBRARY */
cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
if (cc_err == ccNoError) {
cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
}
if (cc_err == ccNoError) {
cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
}
if (cc_err == ccNoError) {
for (;;) {
/* get next creds */
cc_err = cc_credentials_iterator_next (iterator, &theCreds);
if (cc_err == ccIteratorEnd) {
kerr = GC_NOTKT;
break;
}
if (cc_err != ccNoError) {
kerr = KFAILURE;
break;
}
/* version, service, instance, realm check */
if ((theCreds -> data -> version == cc_credentials_v4) &&
(strcmp (theCreds -> data -> credentials.credentials_v4 -> service, service) == 0) &&
(strcmp (theCreds -> data -> credentials.credentials_v4 -> service_instance, instance) == 0) &&
(strcmp (theCreds -> data -> credentials.credentials_v4 -> realm, realm) == 0)) {
/* Match! */
strcpy (creds -> service, service);
strcpy (creds -> instance, instance);
strcpy (creds -> realm, realm);
memmove (creds -> session, theCreds -> data -> credentials.credentials_v4 -> session_key, sizeof (C_Block));
creds -> lifetime = theCreds -> data -> credentials.credentials_v4 -> lifetime;
creds -> kvno = theCreds -> data -> credentials.credentials_v4 -> kvno;
creds -> ticket_st.length = theCreds -> data -> credentials.credentials_v4 -> ticket_size;
memmove (creds -> ticket_st.dat, theCreds -> data -> credentials.credentials_v4 -> ticket, creds -> ticket_st.length);
creds -> issue_date = theCreds -> data -> credentials.credentials_v4 -> issue_date;
strcpy (creds -> pname, theCreds -> data -> credentials.credentials_v4 -> principal);
strcpy (creds -> pinst, theCreds -> data -> credentials.credentials_v4 -> principal_instance);
creds -> stk_type = theCreds -> data -> credentials.credentials_v4 -> string_to_key_type;
cc_credentials_release (theCreds);
kerr = KSUCCESS;
break;
} else {
cc_credentials_release (theCreds);
}
}
}
if (iterator != NULL)
cc_credentials_iterator_release (iterator);
if (ccache != NULL)
cc_ccache_release (ccache);
if (cc_context != NULL)
cc_context_release (cc_context);
if (kerr != KSUCCESS)
return kerr;
if (cc_err != ccNoError)
return GC_NOTKT;
else
return KSUCCESS;
}