krb5_error_code
kcm_zero_ccache_data(krb5_context context,
kcm_ccache cache)
{
krb5_error_code ret;
KCM_ASSERT_VALID(cache);
HEIMDAL_MUTEX_lock(&cache->mutex);
ret = kcm_zero_ccache_data_internal(context, cache);
HEIMDAL_MUTEX_unlock(&cache->mutex);
return ret;
}
krb5_error_code
kcm_ccache_remove_creds(krb5_context context,
kcm_ccache ccache)
{
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
HEIMDAL_MUTEX_lock(&ccache->mutex);
ret = kcm_ccache_remove_creds_internal(context, ccache);
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
static krb5_error_code
kcmss_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
KCM_ASSERT_VALID(c);
ret = kcm_ccache_store_cred_internal(context, c, creds, NULL, 1);
return ret;
}
static krb5_error_code
kcmss_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
KCM_ASSERT_VALID(c);
ret = krb5_copy_principal(context, c->client,
principal);
return ret;
}
static krb5_error_code
kcmss_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
krb5_creds *cred)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
KCM_ASSERT_VALID(c);
ret = kcm_ccache_remove_cred_internal(context, c, which, cred);
return ret;
}
krb5_error_code
kcm_ccache_destroy_if_empty(krb5_context context,
kcm_ccache ccache)
{
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
if (ccache->creds == NULL) {
ret = kcm_ccache_destroy(context, ccache->name);
} else
ret = 0;
return ret;
}
krb5_error_code
kcm_ccache_remove_cred(krb5_context context,
kcm_ccache ccache,
krb5_flags whichfields,
const krb5_creds *mcreds)
{
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
HEIMDAL_MUTEX_lock(&ccache->mutex);
ret = kcm_ccache_remove_cred_internal(context, ccache, whichfields, mcreds);
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
krb5_error_code
kcm_ccache_store_cred(krb5_context context,
kcm_ccache ccache,
krb5_creds *creds,
int copy)
{
krb5_error_code ret;
krb5_creds *tmp;
KCM_ASSERT_VALID(ccache);
HEIMDAL_MUTEX_lock(&ccache->mutex);
ret = kcm_ccache_store_cred_internal(context, ccache, creds, copy, &tmp);
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
krb5_error_code
kcm_release_ccache(krb5_context context, kcm_ccache c)
{
krb5_error_code ret = 0;
KCM_ASSERT_VALID(c);
HEIMDAL_MUTEX_lock(&c->mutex);
if (c->refcnt == 1) {
kcm_free_ccache_data_internal(context, c);
free(c);
} else {
c->refcnt--;
HEIMDAL_MUTEX_unlock(&c->mutex);
}
return ret;
}
static krb5_error_code
kcmss_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
KCM_ASSERT_VALID(c);
ret = kcm_zero_ccache_data_internal(context, c);
if (ret)
return ret;
ret = krb5_copy_principal(context, primary_principal,
&c->client);
return ret;
}
krb5_error_code
kcm_cleanup_events(krb5_context context,
kcm_ccache ccache)
{
kcm_event **e;
KCM_ASSERT_VALID(ccache);
HEIMDAL_MUTEX_lock(&events_mutex);
for (e = &events_head; *e != NULL; e = &(*e)->next) {
if ((*e)->valid && (*e)->ccache == ccache) {
kcm_remove_event_internal(context, e);
}
if (*e == NULL)
break;
}
HEIMDAL_MUTEX_unlock(&events_mutex);
return 0;
}
krb5_error_code kcm_debug_ccache(krb5_context context)
{
kcm_ccache p;
for (p = ccache_head; p != NULL; p = p->next) {
char *cpn = NULL, *spn = NULL;
int ncreds = 0;
struct kcm_creds *k;
if ((p->flags & KCM_FLAGS_VALID) == 0) {
kcm_log(7, "cache %08x: empty slot");
continue;
}
KCM_ASSERT_VALID(p);
for (k = p->creds; k != NULL; k = k->next)
ncreds++;
if (p->client != NULL)
krb5_unparse_name(context, p->client, &cpn);
if (p->server != NULL)
krb5_unparse_name(context, p->server, &spn);
kcm_log(7, "cache %08x: name %s refcnt %d flags %04x mode %04o "
"uid %d gid %d client %s server %s ncreds %d",
p, p->name, p->refcnt, p->flags, p->mode, p->uid, p->gid,
(cpn == NULL) ? "<none>" : cpn,
(spn == NULL) ? "<none>" : spn,
ncreds);
if (cpn != NULL)
free(cpn);
if (spn != NULL)
free(spn);
}
return 0;
}
static krb5_error_code
kcmss_get_next (krb5_context context,
krb5_ccache id,
krb5_cc_cursor *cursor,
krb5_creds *creds)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
KCM_ASSERT_VALID(c);
ret = krb5_copy_creds_contents(context,
&((struct kcm_creds *)cursor)->cred,
creds);
if (ret)
return ret;
*cursor = ((struct kcm_creds *)cursor)->next;
if (*cursor == 0)
ret = KRB5_CC_END;
return ret;
}
static krb5_error_code
kcmss_retrieve(krb5_context context,
krb5_ccache id,
krb5_flags which,
const krb5_creds *mcred,
krb5_creds *creds)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
krb5_creds *credp;
KCM_ASSERT_VALID(c);
ret = kcm_ccache_retrieve_cred_internal(context, c, which,
mcred, &credp);
if (ret)
return ret;
ret = krb5_copy_creds_contents(context, credp, creds);
if (ret)
return ret;
return 0;
}
static void
kcm_free_ccache_data_internal(krb5_context context,
kcm_ccache_data *cache)
{
KCM_ASSERT_VALID(cache);
if (cache->name != NULL) {
free(cache->name);
cache->name = NULL;
}
if (cache->flags & KCM_FLAGS_USE_KEYTAB) {
krb5_kt_close(context, cache->key.keytab);
cache->key.keytab = NULL;
} else if (cache->flags & KCM_FLAGS_USE_CACHED_KEY) {
krb5_free_keyblock_contents(context, &cache->key.keyblock);
krb5_keyblock_zero(&cache->key.keyblock);
}
cache->flags = 0;
cache->mode = 0;
cache->uid = -1;
cache->gid = -1;
cache->session = -1;
kcm_zero_ccache_data_internal(context, cache);
cache->tkt_life = 0;
cache->renew_life = 0;
cache->next = NULL;
cache->refcnt = 0;
HEIMDAL_MUTEX_unlock(&cache->mutex);
HEIMDAL_MUTEX_destroy(&cache->mutex);
}
krb5_error_code
kcm_access(krb5_context context,
kcm_client *client,
kcm_operation opcode,
kcm_ccache ccache)
{
int read_p = 0;
int write_p = 0;
uint16_t mask;
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
switch (opcode) {
case KCM_OP_INITIALIZE:
case KCM_OP_DESTROY:
case KCM_OP_STORE:
case KCM_OP_REMOVE_CRED:
case KCM_OP_SET_FLAGS:
case KCM_OP_CHOWN:
case KCM_OP_CHMOD:
case KCM_OP_GET_INITIAL_TICKET:
case KCM_OP_GET_TICKET:
case KCM_OP_MOVE_CACHE:
case KCM_OP_SET_DEFAULT_CACHE:
case KCM_OP_SET_KDC_OFFSET:
write_p = 1;
read_p = 0;
break;
case KCM_OP_NOOP:
case KCM_OP_GET_NAME:
case KCM_OP_RESOLVE:
case KCM_OP_GEN_NEW:
case KCM_OP_RETRIEVE:
case KCM_OP_GET_PRINCIPAL:
case KCM_OP_GET_CRED_UUID_LIST:
case KCM_OP_GET_CRED_BY_UUID:
case KCM_OP_GET_CACHE_UUID_LIST:
case KCM_OP_GET_CACHE_BY_UUID:
case KCM_OP_GET_DEFAULT_CACHE:
case KCM_OP_GET_KDC_OFFSET:
write_p = 0;
read_p = 1;
break;
default:
ret = KRB5_FCC_PERM;
goto out;
}
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
/* System caches cannot be reinitialized or destroyed by users */
if (opcode == KCM_OP_INITIALIZE ||
opcode == KCM_OP_DESTROY ||
opcode == KCM_OP_REMOVE_CRED ||
opcode == KCM_OP_MOVE_CACHE) {
ret = KRB5_FCC_PERM;
goto out;
}
/* Let root always read system caches */
if (CLIENT_IS_ROOT(client)) {
ret = 0;
goto out;
}
}
/* start out with "other" mask */
mask = S_IROTH|S_IWOTH;
/* root can do anything */
if (CLIENT_IS_ROOT(client)) {
if (read_p)
mask |= S_IRUSR|S_IRGRP|S_IROTH;
if (write_p)
mask |= S_IWUSR|S_IWGRP|S_IWOTH;
}
/* same session same as owner */
if (kcm_is_same_session(client, ccache->uid, ccache->session)) {
if (read_p)
mask |= S_IROTH;
if (write_p)
mask |= S_IWOTH;
}
/* owner */
if (client->uid == ccache->uid) {
if (read_p)
mask |= S_IRUSR;
if (write_p)
mask |= S_IWUSR;
}
/* group */
if (client->gid == ccache->gid) {
if (read_p)
mask |= S_IRGRP;
if (write_p)
mask |= S_IWGRP;
}
ret = (ccache->mode & mask) ? 0 : KRB5_FCC_PERM;
out:
if (ret) {
kcm_log(2, "Process %d is not permitted to call %s on cache %s",
client->pid, kcm_op2string(opcode), ccache->name);
}
return ret;
}
krb5_error_code
kcm_access(krb5_context context,
kcm_client *client,
kcm_operation opcode,
kcm_ccache ccache)
{
int read_p = 0;
int write_p = 0;
uint16_t mask;
krb5_error_code ret;
KCM_ASSERT_VALID(ccache);
switch (opcode) {
case KCM_OP_INITIALIZE:
case KCM_OP_DESTROY:
case KCM_OP_STORE:
case KCM_OP_REMOVE_CRED:
case KCM_OP_SET_FLAGS:
case KCM_OP_CHOWN:
case KCM_OP_CHMOD:
case KCM_OP_GET_INITIAL_TICKET:
case KCM_OP_GET_TICKET:
write_p = 1;
read_p = 0;
break;
case KCM_OP_NOOP:
case KCM_OP_GET_NAME:
case KCM_OP_RESOLVE:
case KCM_OP_GEN_NEW:
case KCM_OP_RETRIEVE:
case KCM_OP_GET_PRINCIPAL:
case KCM_OP_GET_FIRST:
case KCM_OP_GET_NEXT:
case KCM_OP_END_GET:
case KCM_OP_MAX:
write_p = 0;
read_p = 1;
break;
}
if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
/* System caches cannot be reinitialized or destroyed by users */
if (opcode == KCM_OP_INITIALIZE ||
opcode == KCM_OP_DESTROY ||
opcode == KCM_OP_REMOVE_CRED) {
ret = KRB5_FCC_PERM;
goto out;
}
/* Let root always read system caches */
if (client->uid == 0) {
ret = 0;
goto out;
}
}
mask = 0;
/* Root may do whatever they like */
if (client->uid == ccache->uid || CLIENT_IS_ROOT(client)) {
if (read_p)
mask |= S_IRUSR;
if (write_p)
mask |= S_IWUSR;
} else if (client->gid == ccache->gid || CLIENT_IS_ROOT(client)) {
if (read_p)
mask |= S_IRGRP;
if (write_p)
mask |= S_IWGRP;
} else {
if (read_p)
mask |= S_IROTH;
if (write_p)
mask |= S_IWOTH;
}
ret = ((ccache->mode & mask) == mask) ? 0 : KRB5_FCC_PERM;
out:
if (ret) {
kcm_log(2, "Process %d is not permitted to call %s on cache %s",
client->pid, kcm_op2string(opcode), ccache->name);
}
return ret;
}
krb5_error_code
kcm_ccache_acquire(krb5_context context,
kcm_ccache ccache,
krb5_creds **credp)
{
krb5_error_code ret = 0;
krb5_creds cred;
krb5_const_realm realm;
krb5_get_init_creds_opt opt;
krb5_ccache_data ccdata;
char *in_tkt_service = NULL;
int done = 0;
memset(&cred, 0, sizeof(cred));
KCM_ASSERT_VALID(ccache);
/* We need a cached key or keytab to acquire credentials */
if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
if (ccache->key.keyblock.keyvalue.length == 0)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key");
} else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
if (ccache->key.keytab == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
} else {
kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
ccache->name);
return KRB5_FCC_INTERNAL;
}
HEIMDAL_MUTEX_lock(&ccache->mutex);
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Now, actually acquire the creds */
if (ccache->server != NULL) {
ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
if (ret) {
kcm_log(0, "Failed to unparse service principal name for cache %s: %s",
ccache->name, krb5_get_err_text(context, ret));
return ret;
}
}
realm = krb5_principal_get_realm(context, ccache->client);
krb5_get_init_creds_opt_init(&opt);
krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, &opt);
if (ccache->tkt_life != 0)
krb5_get_init_creds_opt_set_tkt_life(&opt, ccache->tkt_life);
if (ccache->renew_life != 0)
krb5_get_init_creds_opt_set_renew_life(&opt, ccache->renew_life);
if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
ret = krb5_get_init_creds_keyblock(context,
&cred,
ccache->client,
&ccache->key.keyblock,
0,
in_tkt_service,
&opt);
} else {
/* loosely based on lib/krb5/init_creds_pw.c */
while (!done) {
ret = krb5_get_init_creds_keytab(context,
&cred,
ccache->client,
ccache->key.keytab,
0,
in_tkt_service,
&opt);
switch (ret) {
case KRB5KDC_ERR_KEY_EXPIRED:
if (in_tkt_service != NULL &&
strcmp(in_tkt_service, "kadmin/changepw") == 0) {
goto out;
}
ret = change_pw_and_update_keytab(context, ccache);
if (ret)
goto out;
break;
case 0:
default:
done = 1;
break;
}
}
}
if (ret) {
kcm_log(0, "Failed to acquire credentials for cache %s: %s",
ccache->name, krb5_get_err_text(context, ret));
if (in_tkt_service != NULL)
free(in_tkt_service);
goto out;
}
if (in_tkt_service != NULL)
free(in_tkt_service);
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, &cred, 0, credp);
if (ret) {
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, krb5_get_err_text(context, ret));
krb5_free_cred_contents(context, &cred);
goto out;
}
out:
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
krb5_error_code
kcm_ccache_acquire(krb5_context context,
kcm_ccache ccache,
time_t *expire)
{
krb5_error_code ret = 0;
krb5_creds cred;
krb5_const_realm realm;
krb5_get_init_creds_opt *opt = NULL;
krb5_ccache_data ccdata;
char *in_tkt_service = NULL;
*expire = 0;
memset(&cred, 0, sizeof(cred));
KCM_ASSERT_VALID(ccache);
/* We need a cached key or keytab to acquire credentials */
if (ccache->flags & KCM_FLAGS_USE_PASSWORD) {
if (ccache->password == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_PASSWORD without password");
} else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
if (ccache->keytab == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
} else {
kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
ccache->name);
return KRB5_FCC_INTERNAL;
}
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Now, actually acquire the creds */
if (ccache->server != NULL) {
ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
if (ret) {
kcm_log(0, "Failed to unparse service name for cache %s",
ccache->name);
return ret;
}
}
realm = krb5_principal_get_realm(context, ccache->client);
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
goto out;
krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, opt);
if (ccache->tkt_life != 0)
krb5_get_init_creds_opt_set_tkt_life(opt, ccache->tkt_life);
if (ccache->renew_life != 0)
krb5_get_init_creds_opt_set_renew_life(opt, ccache->renew_life);
krb5_get_init_creds_opt_set_forwardable(opt, 1);
if (ccache->flags & KCM_FLAGS_USE_PASSWORD) {
ret = krb5_get_init_creds_password(context,
&cred,
ccache->client,
ccache->password,
NULL,
NULL,
0,
in_tkt_service,
opt);
} else {
ret = krb5_get_init_creds_keytab(context,
&cred,
ccache->client,
ccache->keytab,
0,
in_tkt_service,
opt);
}
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to acquire credentials for cache %s: %s",
ccache->name, msg);
krb5_free_error_message(context, msg);
if (in_tkt_service != NULL)
free(in_tkt_service);
goto out;
}
if (in_tkt_service != NULL)
free(in_tkt_service);
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, &cred, NULL, 0);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, msg);
krb5_free_error_message(context, msg);
krb5_free_cred_contents(context, &cred);
goto out;
}
*expire = cred.times.endtime;
out:
if (opt)
krb5_get_init_creds_opt_free(context, opt);
return ret;
}
krb5_error_code
kcm_ccache_refresh(krb5_context context,
kcm_ccache ccache,
krb5_creds **credp)
{
krb5_error_code ret;
krb5_creds in, *out;
krb5_kdc_flags flags;
krb5_const_realm realm;
krb5_ccache_data ccdata;
const char *estr;
memset(&in, 0, sizeof(in));
KCM_ASSERT_VALID(ccache);
if (ccache->client == NULL) {
/* no primary principal */
kcm_log(0, "Refresh credentials requested but no client principal");
return KRB5_CC_NOTFOUND;
}
HEIMDAL_MUTEX_lock(&ccache->mutex);
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Find principal */
in.client = ccache->client;
if (ccache->server != NULL) {
ret = krb5_copy_principal(context, ccache->server, &in.server);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to copy service principal: %s",
estr);
krb5_free_error_message(context, estr);
goto out;
}
} else {
realm = krb5_principal_get_realm(context, in.client);
ret = krb5_make_principal(context, &in.server, realm,
KRB5_TGS_NAME, realm, NULL);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to make TGS principal for realm %s: %s",
realm, estr);
krb5_free_error_message(context, estr);
goto out;
}
}
if (ccache->tkt_life)
in.times.endtime = time(NULL) + ccache->tkt_life;
if (ccache->renew_life)
in.times.renew_till = time(NULL) + ccache->renew_life;
flags.i = 0;
flags.b.renewable = TRUE;
flags.b.renew = TRUE;
ret = krb5_get_kdc_cred(context,
&ccdata,
flags,
NULL,
NULL,
&in,
&out);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to renew credentials for cache %s: %s",
ccache->name, estr);
krb5_free_error_message(context, estr);
goto out;
}
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, out, 0, credp);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, estr);
krb5_free_error_message(context, estr);
krb5_free_creds(context, out);
goto out;
}
free(out); /* but not contents */
out:
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}