s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba)

Also including the supporting changes required to pass make test

A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).

Andrew Bartlett

1 files changed, 232 insertions, 96 deletions

diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 80b755cd27..12097470d5 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,70 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id$");
+/**
+ * @page krb5_ccache_intro The credential cache functions
+ * @section section_krb5_ccache Kerberos credential caches
+ * 
+ * krb5_ccache structure holds a Kerberos credential cache.
+ *
+ * Heimdal support the follow types of credential caches:
+ *
+ * - SCC
+ *   Store the credential in a database
+ * - FILE
+ *   Store the credential in memory
+ * - MEMORY
+ *   Store the credential in memory
+ * - API
+ *   A credential cache server based solution for Mac OS X
+ * - KCM
+ *   A credential cache server based solution for all platforms
+ *
+ * @subsection Example
+ *
+ * This is a minimalistic version of klist:
+@code
+#include <krb5.h>
+
+int
+main (int argc, char **argv)
+{
+    krb5_context context;
+    krb5_cc_cursor cursor;
+    krb5_error_code ret;
+    krb5_ccache id;
+    krb5_creds creds;
+
+    if (krb5_init_context (&context) != 0)
+	errx(1, "krb5_context");
+
+    ret = krb5_cc_default (context, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_default");
+
+    ret = krb5_cc_start_seq_get(context, id, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
+
+    while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
+        char *principal;
+
+	krb5_unparse_name_short(context, creds.server, &principal);
+	printf("principal: %s\\n", principal);
+	free(principal);
+	krb5_free_cred_contents (context, &creds);
+    }
+    ret = krb5_cc_end_seq_get(context, id, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
+
+    krb5_cc_close(context, id);
+
+    krb5_free_context(context);
+    return 0;
+}
+* @endcode
+*/
 
 /**
  * Add a new ccache type with operations `ops', overwriting any
@@ -176,23 +239,6 @@ krb5_cc_resolve(krb5_context context,
 }
 
 /**
- * Generate a new ccache of type `ops' in `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_gen_new(krb5_context context,
-		const krb5_cc_ops *ops,
-		krb5_ccache *id)
-{
-    return krb5_cc_new_unique(context, ops->prefix, NULL, id);
-}
-
-/**
  * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
  * the library chooses the default credential cache type. The supplied
  * `hint' (that can be NULL) is a string that the credential cache
@@ -221,7 +267,12 @@ krb5_cc_new_unique(krb5_context context, const char *type,
     ret = _krb5_cc_allocate(context, ops, id);
     if (ret)
 	return ret;
-    return (*id)->ops->gen_new(context, id);
+    ret = (*id)->ops->gen_new(context, id);
+    if (ret) {
+	free(*id);
+	*id = NULL;
+    }
+    return ret;
 }
 
 /**
@@ -676,7 +727,7 @@ krb5_cc_get_principal(krb5_context context,
 
 /**
  * Start iterating over `id', `cursor' is initialized to the
- * beginning.
+ * beginning.  Caller must free the cursor with krb5_cc_end_seq_get().
  *
  * @return Return an error code or 0, see krb5_get_error_message().
  *
@@ -712,32 +763,6 @@ krb5_cc_next_cred (krb5_context context,
 }
 
 /**
- * Like krb5_cc_next_cred, but allow for selective retrieval
- *
- * @ingroup krb5_ccache
- */
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_next_cred_match(krb5_context context,
-			const krb5_ccache id,
-			krb5_cc_cursor * cursor,
-			krb5_creds * creds,
-			krb5_flags whichfields,
-			const krb5_creds * mcreds)
-{
-    krb5_error_code ret;
-    while (1) {
-	ret = krb5_cc_next_cred(context, id, cursor, creds);
-	if (ret)
-	    return ret;
-	if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds))
-	    return 0;
-	krb5_free_cred_contents(context, creds);
-    }
-}
-
-/**
  * Destroy the cursor `cursor'.
  *
  * @ingroup krb5_ccache
@@ -806,25 +831,37 @@ krb5_cc_get_flags(krb5_context context,
 }
 
 /**
- * Copy the contents of `from' to `to'.
+ * Copy the contents of `from' to `to' if the given match function
+ * return true.
+ *
+ * @param context A Kerberos 5 context.
+ * @param from the cache to copy data from.
+ * @param to the cache to copy data to.
+ * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
+ * @param matchctx context passed to match function.
+ * @param matched set to true if there was a credential that matched, may be NULL.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
  *
  * @ingroup krb5_ccache
  */
 
-
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_copy_cache_match(krb5_context context,
-			 const krb5_ccache from,
-			 krb5_ccache to,
-			 krb5_flags whichfields,
-			 const krb5_creds * mcreds,
-			 unsigned int *matched)
+krb5_cc_copy_match_f(krb5_context context,
+		     const krb5_ccache from,
+		     krb5_ccache to,
+		     krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
+		     void *matchctx,
+		     unsigned int *matched)
 {
     krb5_error_code ret;
     krb5_cc_cursor cursor;
     krb5_creds cred;
     krb5_principal princ;
 
+    if (matched)
+	*matched = 0;
+
     ret = krb5_cc_get_principal(context, from, &princ);
     if (ret)
 	return ret;
@@ -838,24 +875,26 @@ krb5_cc_copy_cache_match(krb5_context context,
 	krb5_free_principal(context, princ);
 	return ret;
     }
-    if (matched)
-	*matched = 0;
-    while (ret == 0 &&
-	   krb5_cc_next_cred_match(context, from, &cursor, &cred,
-				   whichfields, mcreds) == 0) {
-	if (matched)
-	    (*matched)++;
-	ret = krb5_cc_store_cred(context, to, &cred);
-	krb5_free_cred_contents(context, &cred);
+
+    while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
+	   if (match == NULL || (*match)(context, matchctx, &cred) == 0) {
+	       if (matched)
+		   (*matched)++;
+	       ret = krb5_cc_store_cred(context, to, &cred);
+	       if (ret)
+		   break;
+	   }
+	   krb5_free_cred_contents(context, &cred);
     }
     krb5_cc_end_seq_get(context, from, &cursor);
     krb5_free_principal(context, princ);
+    if (ret == KRB5_CC_END)
+	ret = 0;
     return ret;
 }
 
-
 /**
- * Just like krb5_cc_copy_cache_match, but copy everything.
+ * Just like krb5_cc_copy_match_f(), but copy everything.
  *
  * @ingroup @krb5_ccache
  */
@@ -865,21 +904,7 @@ krb5_cc_copy_cache(krb5_context context,
 		   const krb5_ccache from,
 		   krb5_ccache to)
 {
-    return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL);
-}
-
-/**
- * MIT compat glue
- *
- * @ingroup krb5_ccache
- */
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_copy_creds(krb5_context context,
-		   const krb5_ccache from,
-		   krb5_ccache to)
-{
-    return krb5_cc_copy_cache(context, from, to);
+    return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
 }
 
 /**
@@ -1057,10 +1082,14 @@ krb5_cc_cache_end_seq_get (krb5_context context,
 }
 
 /**
- * Search for a matching credential cache of type `type' that have the
+ * Search for a matching credential cache that have the
  * `principal' as the default principal. On success, `id' needs to be
  * freed with krb5_cc_close() or krb5_cc_destroy().
  *
+ * @param context A Kerberos 5 context
+ * @param client The principal to search for
+ * @param id the returned credential cache
+ *
  * @return On failure, error code is returned and `id' is set to NULL.
  *
  * @ingroup krb5_ccache
@@ -1082,7 +1111,7 @@ krb5_cc_cache_match (krb5_context context,
     if (ret)
 	return ret;
 
-    while ((ret = krb5_cccol_cursor_next (context, cursor, &cache)) == 0) {
+    while (krb5_cccol_cursor_next (context, cursor, &cache) == 0 && cache != NULL) {
 	krb5_principal principal;
 
 	ret = krb5_cc_get_principal(context, cache, &principal);
@@ -1107,7 +1136,7 @@ krb5_cc_cache_match (krb5_context context,
 	krb5_unparse_name(context, client, &str);
 
 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
-			       N_("Principal %s not found in a "
+			       N_("Principal %s not found in any "
 				  "credential cache", ""),
 			       str ? str : "<out of memory>");
 	if (str)
@@ -1178,7 +1207,7 @@ build_conf_principals(krb5_context context, krb5_ccache id,
     }
 
     ret = krb5_make_principal(context, &cred->server,
-			      krb5_principal_get_realm(context, client),
+			      KRB5_REALM_NAME,
 			      KRB5_CONF_NAME, name, pname, NULL);
     free(pname);
     if (ret) {
@@ -1224,7 +1253,7 @@ krb5_is_config_principal(krb5_context context,
  * @param principal configuration for a specific principal, if
  * NULL, global for the whole cache.
  * @param name name under which the configuraion is stored.
- * @param data data to store
+ * @param data data to store, if NULL, configure is removed.
  *
  * @ingroup krb5_ccache
  */
@@ -1246,15 +1275,17 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id,
     if (ret && ret != KRB5_CC_NOTFOUND)
         goto out;
 
-    /* not that anyone care when this expire */
-    cred.times.authtime = time(NULL);
-    cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
-
-    ret = krb5_data_copy(&cred.ticket, data->data, data->length);
-    if (ret)
-	goto out;
-
-    ret = krb5_cc_store_cred(context, id, &cred);
+    if (data) {
+	/* not that anyone care when this expire */
+	cred.times.authtime = time(NULL);
+	cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
+	
+	ret = krb5_data_copy(&cred.ticket, data->data, data->length);
+	if (ret)
+	    goto out;
+	
+	ret = krb5_cc_store_cred(context, id, &cred);
+    }
 
 out:
     krb5_free_cred_contents (context, &cred);
@@ -1345,6 +1376,8 @@ krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
  * @param cache the returned cursor, pointer is set to NULL on failure
  *        and a cache on success. The returned cache needs to be freed
  *        with krb5_cc_close() or destroyed with krb5_cc_destroy().
+ *        MIT Kerberos behavies slightly diffrent and sets cache to NULL
+ *        when all caches are iterated over and return 0.
  *
  * @return Return 0 or and error, KRB5_CC_END is returned at the end
  *        of iteration. See krb5_get_error_message().
@@ -1446,7 +1479,7 @@ krb5_cc_last_change_time(krb5_context context,
  * and mtime is 0, there was no credentials in the caches.
  *
  * @param context A Kerberos 5 context
- * @param id The credential cache to probe
+ * @param type The credential cache to probe, if NULL, all type are traversed.
  * @param mtime the last modification time, set to 0 on error.
 
  * @return Return 0 or and error. See krb5_get_error_message().
@@ -1470,7 +1503,7 @@ krb5_cccol_last_change_time(krb5_context context,
     if (ret)
 	return ret;
 
-    while ((ret = krb5_cccol_cursor_next (context, cursor, &id)) == 0) {
+    while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
 
 	if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
 	    continue;
@@ -1487,3 +1520,106 @@ krb5_cccol_last_change_time(krb5_context context,
 
     return 0;
 }
+/**
+ * Return a friendly name on credential cache. Free the result with krb5_xfree().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_get_friendly_name(krb5_context context,
+			  krb5_ccache id,
+			  char **name)
+{
+    krb5_error_code ret;
+    krb5_data data;
+
+    ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
+    if (ret) {
+	krb5_principal principal;
+	ret = krb5_cc_get_principal(context, id, &principal);
+	if (ret)
+	    return ret;
+	ret = krb5_unparse_name(context, principal, name);
+	krb5_free_principal(context, principal);
+    } else {
+	ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
+	krb5_data_free(&data);
+	if (ret <= 0) {
+	    ret = ENOMEM;
+	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+	} else
+	    ret = 0;
+    }
+
+    return ret;
+}
+
+/**
+ * Set the friendly name on credential cache.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_set_friendly_name(krb5_context context,
+			  krb5_ccache id,
+			  const char *name)
+{
+    krb5_data data;
+
+    data.data = rk_UNCONST(name);
+    data.length = strlen(name);
+
+    return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
+}
+
+/**
+ * Get the lifetime of the initial ticket in the cache
+ *
+ * Get the lifetime of the initial ticket in the cache, if the initial
+ * ticket was not found, the error code KRB5_CC_END is returned.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param t the relative lifetime of the initial ticket
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
+{
+    krb5_cc_cursor cursor;
+    krb5_error_code ret;
+    krb5_creds cred;
+    time_t now;
+
+    *t = 0;
+    now = time(NULL);
+    
+    ret = krb5_cc_start_seq_get(context, id, &cursor);
+    if (ret)
+	return ret;
+
+    while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
+	if (cred.flags.b.initial) {
+	    if (now < cred.times.endtime)
+		*t = cred.times.endtime - now;
+	    krb5_free_cred_contents(context, &cred);
+	    goto out;
+	}
+	krb5_free_cred_contents(context, &cred);
+    }
+    
+ out:
+    krb5_cc_end_seq_get(context, id, &cursor);
+
+    return ret;
+}