/*
* remove
*
* - remove the specified credentials from the NC
*/
krb5_error_code KRB5_CALLCONV
krb5_stdccv3_remove (krb5_context context,
krb5_ccache id,
krb5_flags whichfields,
krb5_creds *in_creds)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_iterator_t iterator = NULL;
int found = 0;
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
if (!err) {
err = cc_ccache_new_credentials_iterator(ccapi_data->NamedCache,
&iterator);
}
/* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err && !found) {
cc_credentials_t credentials = NULL;
err = cc_credentials_iterator_next (iterator, &credentials);
if (!err && (credentials->data->version == cc_credentials_v5)) {
krb5_creds creds;
err = copy_cc_cred_union_to_krb5_creds(context,
credentials->data, &creds);
if (!err) {
found = krb5int_cc_creds_match_request(context,
whichfields,
in_creds,
&creds);
krb5_free_cred_contents (context, &creds);
}
if (!err && found) {
err = cc_ccache_remove_credentials (ccapi_data->NamedCache, credentials);
}
}
if (credentials) { cc_credentials_release (credentials); }
}
if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; }
if (iterator) {
err = cc_credentials_iterator_release(iterator);
}
if (!err) {
cache_changed ();
}
return cc_err_xlate (err);
}
/*
* Modifies:
* the memory cache
*
* Effects:
* Remove the given creds from the ccache.
*/
static krb5_error_code KRB5_CALLCONV
krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
krb5_creds *creds)
{
krb5_mcc_data *data = (krb5_mcc_data *)cache->data;
krb5_mcc_link *l;
k5_cc_mutex_lock(context, &data->lock);
for (l = data->link; l != NULL; l = l->next) {
if (l->creds != NULL &&
krb5int_cc_creds_match_request(context, flags, creds, l->creds)) {
krb5_free_creds(context, l->creds);
l->creds = NULL;
}
}
k5_cc_mutex_unlock(context, &data->lock);
return 0;
}
static krb5_error_code
krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id,
krb5_flags whichfields, krb5_creds *mcreds,
krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
{
/* This function could be considerably faster if it kept indexing */
/* information.. sounds like a "next version" idea to me. :-) */
krb5_cc_cursor cursor;
krb5_error_code kret;
krb5_error_code nomatch_err = KRB5_CC_NOTFOUND;
struct {
krb5_creds creds;
int pref;
} fetched, best;
int have_creds = 0;
krb5_flags oflags = 0;
#define fetchcreds (fetched.creds)
/* Solaris Kerberos */
memset(&best, 0, sizeof (best));
memset(&fetched, 0, sizeof (fetched));
kret = krb5_cc_get_flags(context, id, &oflags);
if (kret != KRB5_OK)
return kret;
if (oflags & KRB5_TC_OPENCLOSE)
(void) krb5_cc_set_flags(context, id, oflags & ~KRB5_TC_OPENCLOSE);
kret = krb5_cc_start_seq_get(context, id, &cursor);
if (kret != KRB5_OK) {
if (oflags & KRB5_TC_OPENCLOSE)
krb5_cc_set_flags(context, id, oflags);
return kret;
}
while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) {
if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
{
if (ktypes) {
fetched.pref = pref (fetchcreds.keyblock.enctype,
nktypes, ktypes);
if (fetched.pref < 0)
nomatch_err = KRB5_CC_NOT_KTYPE;
else if (!have_creds || fetched.pref < best.pref) {
if (have_creds)
krb5_free_cred_contents (context, &best.creds);
else
have_creds = 1;
best = fetched;
continue;
}
} else {
krb5_cc_end_seq_get(context, id, &cursor);
*creds = fetchcreds;
/* Solaris Kerberos */
creds->keyblock.hKey = CK_INVALID_HANDLE;
if (oflags & KRB5_TC_OPENCLOSE)
krb5_cc_set_flags(context, id, oflags);
return KRB5_OK;
}
}
/* This one doesn't match */
krb5_free_cred_contents(context, &fetchcreds);
}
/* If we get here, a match wasn't found */
krb5_cc_end_seq_get(context, id, &cursor);
if (oflags & KRB5_TC_OPENCLOSE)
krb5_cc_set_flags(context, id, oflags);
if (have_creds) {
*creds = best.creds;
/* Solaris Kerberos */
creds->keyblock.hKey = CK_INVALID_HANDLE;
return KRB5_OK;
} else
return nomatch_err;
}
