crypto/krb5/src/lib/krb5/ccache/cc_retr.c

root/crypto/krb5/src/lib/krb5/ccache/cc_retr.c
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/krb5/ccache/cc_retr.c */
/*
 * Copyright 1990,1991,1999,2007,2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */

#include "k5-int.h"
#include "cc-int.h"
#include "../krb/int-proto.h"

#define KRB5_OK 0

static int
times_match_exact(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
{
    return (t1->authtime == t2->authtime &&
            t1->starttime == t2->starttime &&
            t1->endtime == t2->endtime &&
            t1->renew_till == t2->renew_till);
}

static krb5_boolean
times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
{
    if (t1->renew_till) {
        if (ts_after(t1->renew_till, t2->renew_till))
            return FALSE;               /* this one expires too late */
    }
    if (t1->endtime) {
        if (ts_after(t1->endtime, t2->endtime))
            return FALSE;               /* this one expires too late */
    }
    /* only care about expiration on a times_match */
    return TRUE;
}

static krb5_boolean
princs_match(krb5_context context, krb5_flags whichfields,
             const krb5_creds *mcreds, const krb5_creds *creds)
{
    if (mcreds->client != NULL &&
        !krb5_principal_compare(context, mcreds->client, creds->client))
        return FALSE;
    if (mcreds->server == NULL)
        return TRUE;
    if (whichfields & KRB5_TC_MATCH_SRV_NAMEONLY) {
        return krb5_principal_compare_any_realm(context, mcreds->server,
                                                creds->server);
    } else {
        return krb5_principal_compare(context, mcreds->server, creds->server);
    }
}

static krb5_boolean
authdata_match(krb5_authdata *const *mdata, krb5_authdata *const *data)
{
    const krb5_authdata *mdatap, *datap;

    if (mdata == data)
        return TRUE;

    if (mdata == NULL)
        return *data == NULL;

    if (data == NULL)
        return *mdata == NULL;

    while ((mdatap = *mdata) && (datap = *data)) {
        if ((mdatap->ad_type != datap->ad_type) ||
            (mdatap->length != datap->length) ||
            (memcmp ((char *)mdatap->contents,
                     (char *)datap->contents, (unsigned) mdatap->length) != 0))
            return FALSE;
        mdata++;
        data++;
    }
    return (*mdata == NULL) && (*data == NULL);
}

static krb5_boolean
data_match(const krb5_data *data1, const krb5_data *data2)
{
    if (!data1) {
        if (!data2)
            return TRUE;
        else
            return FALSE;
    }
    if (!data2) return FALSE;

    return data_eq(*data1, *data2) ? TRUE : FALSE;
}

static int
pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
{
    int i;
    for (i = 0; i < nktypes; i++)
        if (my_ktype == ktypes[i])
            return i;
    return -1;
}

/*
 * Effects:
 * Searches the credentials cache for a credential matching mcreds,
 * with the fields specified by whichfields.  If one if found, it is
 * returned in creds, which should be freed by the caller with
 * krb5_free_credentials().
 *
 * The fields are interpreted in the following way (all constants are
 * preceded by KRB5_TC_).  MATCH_IS_SKEY requires the is_skey field to
 * match exactly.  MATCH_TIMES requires the requested lifetime to be
 * at least as great as that specified; MATCH_TIMES_EXACT requires the
 * requested lifetime to be exactly that specified.  MATCH_FLAGS
 * requires only the set bits in mcreds be set in creds;
 * MATCH_FLAGS_EXACT requires all bits to match.
 *
 * Flag SUPPORTED_KTYPES means check all matching entries that have
 * any supported enctype (according to tgs_enctypes) and return the one
 * with the enctype listed earliest.  Return CC_NOT_KTYPE if a match
 * is found *except* for having a supported enctype.
 *
 * Errors:
 * system errors
 * permission errors
 * KRB5_CC_NOMEM
 * KRB5_CC_NOT_KTYPE
 */

krb5_boolean
krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields,
                               krb5_creds *mcreds, krb5_creds *creds)
{
    krb5_boolean is_skey;

    if (!princs_match(context, whichfields, mcreds, creds))
        return FALSE;

    /* Only match a user-to-user credential if explicitly asked for, since the
     * ticket won't work as a regular service ticket. */
    is_skey = (whichfields & KRB5_TC_MATCH_IS_SKEY) ? mcreds->is_skey : FALSE;
    if (creds->is_skey != is_skey)
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_FLAGS_EXACT) &&
        mcreds->ticket_flags != creds->ticket_flags)
        return FALSE;
    if ((whichfields & KRB5_TC_MATCH_FLAGS) &&
        (creds->ticket_flags & mcreds->ticket_flags) != mcreds->ticket_flags)
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_TIMES_EXACT) &&
        !times_match_exact(&mcreds->times, &creds->times))
        return FALSE;
    if ((whichfields & KRB5_TC_MATCH_TIMES) &&
        !times_match(&mcreds->times, &creds->times))
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_AUTHDATA) &&
        !authdata_match(mcreds->authdata, creds->authdata))
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_2ND_TKT) &&
        !data_match(&mcreds->second_ticket, &creds->second_ticket))
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_KTYPE) &&
        mcreds->keyblock.enctype != creds->keyblock.enctype)
        return FALSE;

    return TRUE;
}

static krb5_error_code
krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id,
                           krb5_flags whichfields, krb5_creds *mcreds,
                           krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
{
    /* This function could be considerably faster if it kept indexing */
    /* information.. sounds like a "next version" idea to me. :-) */

    krb5_cc_cursor cursor;
    krb5_error_code kret;
    krb5_error_code nomatch_err = KRB5_CC_NOTFOUND;
    struct {
        krb5_creds creds;
        int pref;
    } fetched, best;
    int have_creds = 0;
#define fetchcreds (fetched.creds)

    kret = krb5_cc_start_seq_get(context, id, &cursor);
    if (kret != KRB5_OK)
        return kret;

    while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK) {
        if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
        {
            if (ktypes) {
                fetched.pref = pref (fetchcreds.keyblock.enctype,
                                     nktypes, ktypes);
                if (fetched.pref < 0)
                    nomatch_err = KRB5_CC_NOT_KTYPE;
                else if (!have_creds || fetched.pref < best.pref) {
                    if (have_creds)
                        krb5_free_cred_contents (context, &best.creds);
                    else
                        have_creds = 1;
                    best = fetched;
                    continue;
                }
            } else {
                krb5_cc_end_seq_get(context, id, &cursor);
                *creds = fetchcreds;
                return KRB5_OK;
            }
        }

        /* This one doesn't match */
        krb5_free_cred_contents(context, &fetchcreds);
    }

    /* If we get here, a match wasn't found */
    krb5_cc_end_seq_get(context, id, &cursor);
    if (have_creds) {
        *creds = best.creds;
        return KRB5_OK;
    } else
        return nomatch_err;
}

krb5_error_code
k5_cc_retrieve_cred_default(krb5_context context, krb5_ccache id,
                            krb5_flags flags, krb5_creds *mcreds,
                            krb5_creds *creds)
{
    krb5_enctype *ktypes;
    int nktypes;
    krb5_error_code ret;

    if (flags & KRB5_TC_SUPPORTED_KTYPES) {
        ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes);
        if (ret)
            return ret;
        nktypes = k5_count_etypes (ktypes);

        ret = krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds,
                                         nktypes, ktypes);
        free (ktypes);
        return ret;
    } else {
        return krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds,
                                          0, 0);
    }
}
FreeBSD
