1 1.1 elric /* $NetBSD: events.c,v 1.2 2017/01/28 21:31:44 christos Exp $ */ 2 1.1 elric 3 1.1 elric /* 4 1.1 elric * Copyright (c) 2005, PADL Software Pty Ltd. 5 1.1 elric * All rights reserved. 6 1.1 elric * 7 1.1 elric * Redistribution and use in source and binary forms, with or without 8 1.1 elric * modification, are permitted provided that the following conditions 9 1.1 elric * are met: 10 1.1 elric * 11 1.1 elric * 1. Redistributions of source code must retain the above copyright 12 1.1 elric * notice, this list of conditions and the following disclaimer. 13 1.1 elric * 14 1.1 elric * 2. Redistributions in binary form must reproduce the above copyright 15 1.1 elric * notice, this list of conditions and the following disclaimer in the 16 1.1 elric * documentation and/or other materials provided with the distribution. 17 1.1 elric * 18 1.1 elric * 3. Neither the name of PADL Software nor the names of its contributors 19 1.1 elric * may be used to endorse or promote products derived from this software 20 1.1 elric * without specific prior written permission. 21 1.1 elric * 22 1.1 elric * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND 23 1.1 elric * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 1.1 elric * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 1.1 elric * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE 26 1.1 elric * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 1.1 elric * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 1.1 elric * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 1.1 elric * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 1.1 elric * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 1.1 elric * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 1.1 elric * SUCH DAMAGE. 33 1.1 elric */ 34 1.1 elric 35 1.1 elric #include "kcm_locl.h" 36 1.1 elric 37 1.1 elric __RCSID("$NetBSD: events.c,v 1.2 2017/01/28 21:31:44 christos Exp $"); 38 1.1 elric 39 1.1 elric /* thread-safe in case we multi-thread later */ 40 1.1 elric static HEIMDAL_MUTEX events_mutex = HEIMDAL_MUTEX_INITIALIZER; 41 1.1 elric static kcm_event *events_head = NULL; 42 1.1 elric static time_t last_run = 0; 43 1.1 elric 44 1.1 elric static char *action_strings[] = { 45 1.1 elric "NONE", "ACQUIRE_CREDS", "RENEW_CREDS", 46 1.1 elric "DESTROY_CREDS", "DESTROY_EMPTY_CACHE" }; 47 1.1 elric 48 1.1 elric krb5_error_code 49 1.1 elric kcm_enqueue_event(krb5_context context, 50 1.1 elric kcm_event *event) 51 1.1 elric { 52 1.1 elric krb5_error_code ret; 53 1.1 elric 54 1.1 elric if (event->action == KCM_EVENT_NONE) { 55 1.1 elric return 0; 56 1.1 elric } 57 1.1 elric 58 1.1 elric HEIMDAL_MUTEX_lock(&events_mutex); 59 1.1 elric ret = kcm_enqueue_event_internal(context, event); 60 1.1 elric HEIMDAL_MUTEX_unlock(&events_mutex); 61 1.1 elric 62 1.1 elric return ret; 63 1.1 elric } 64 1.1 elric 65 1.1 elric static void 66 1.2 christos print_times(time_t t, char buf[64]) 67 1.1 elric { 68 1.2 christos if (t) 69 1.2 christos strftime(buf, 64, "%m-%dT%H:%M", gmtime(&t)); 70 1.1 elric else 71 1.1 elric strlcpy(buf, "never", 64); 72 1.1 elric } 73 1.1 elric 74 1.1 elric static void 75 1.1 elric log_event(kcm_event *event, char *msg) 76 1.1 elric { 77 1.1 elric char fire_time[64], expire_time[64]; 78 1.1 elric 79 1.1 elric print_times(event->fire_time, fire_time); 80 1.1 elric print_times(event->expire_time, expire_time); 81 1.1 elric 82 1.1 elric kcm_log(7, "%s event %08x: fire_time %s fire_count %d expire_time %s " 83 1.1 elric "backoff_time %d action %s cache %s", 84 1.1 elric msg, event, fire_time, event->fire_count, expire_time, 85 1.1 elric event->backoff_time, action_strings[event->action], 86 1.1 elric event->ccache->name); 87 1.1 elric } 88 1.1 elric 89 1.1 elric krb5_error_code 90 1.1 elric kcm_enqueue_event_internal(krb5_context context, 91 1.1 elric kcm_event *event) 92 1.1 elric { 93 1.1 elric kcm_event **e; 94 1.1 elric 95 1.1 elric if (event->action == KCM_EVENT_NONE) 96 1.1 elric return 0; 97 1.1 elric 98 1.1 elric for (e = &events_head; *e != NULL; e = &(*e)->next) 99 1.1 elric ; 100 1.1 elric 101 1.1 elric *e = (kcm_event *)malloc(sizeof(kcm_event)); 102 1.1 elric if (*e == NULL) { 103 1.1 elric return KRB5_CC_NOMEM; 104 1.1 elric } 105 1.1 elric 106 1.1 elric (*e)->valid = 1; 107 1.1 elric (*e)->fire_time = event->fire_time; 108 1.1 elric (*e)->fire_count = 0; 109 1.1 elric (*e)->expire_time = event->expire_time; 110 1.1 elric (*e)->backoff_time = event->backoff_time; 111 1.1 elric 112 1.1 elric (*e)->action = event->action; 113 1.1 elric 114 1.1 elric kcm_retain_ccache(context, event->ccache); 115 1.1 elric (*e)->ccache = event->ccache; 116 1.1 elric (*e)->next = NULL; 117 1.1 elric 118 1.1 elric log_event(*e, "enqueuing"); 119 1.1 elric 120 1.1 elric return 0; 121 1.1 elric } 122 1.1 elric 123 1.1 elric /* 124 1.1 elric * Dump events list on SIGUSR2 125 1.1 elric */ 126 1.1 elric krb5_error_code 127 1.1 elric kcm_debug_events(krb5_context context) 128 1.1 elric { 129 1.1 elric kcm_event *e; 130 1.1 elric 131 1.1 elric for (e = events_head; e != NULL; e = e->next) 132 1.1 elric log_event(e, "debug"); 133 1.1 elric 134 1.1 elric return 0; 135 1.1 elric } 136 1.1 elric 137 1.1 elric krb5_error_code 138 1.1 elric kcm_enqueue_event_relative(krb5_context context, 139 1.1 elric kcm_event *event) 140 1.1 elric { 141 1.1 elric krb5_error_code ret; 142 1.1 elric kcm_event e; 143 1.1 elric 144 1.1 elric e = *event; 145 1.1 elric e.backoff_time = e.fire_time; 146 1.1 elric e.fire_time += time(NULL); 147 1.1 elric 148 1.1 elric ret = kcm_enqueue_event(context, &e); 149 1.1 elric 150 1.1 elric return ret; 151 1.1 elric } 152 1.1 elric 153 1.1 elric static krb5_error_code 154 1.1 elric kcm_remove_event_internal(krb5_context context, 155 1.1 elric kcm_event **e) 156 1.1 elric { 157 1.1 elric kcm_event *next; 158 1.1 elric 159 1.1 elric next = (*e)->next; 160 1.1 elric 161 1.1 elric (*e)->valid = 0; 162 1.1 elric (*e)->fire_time = 0; 163 1.1 elric (*e)->fire_count = 0; 164 1.1 elric (*e)->expire_time = 0; 165 1.1 elric (*e)->backoff_time = 0; 166 1.1 elric kcm_release_ccache(context, (*e)->ccache); 167 1.1 elric (*e)->next = NULL; 168 1.1 elric free(*e); 169 1.1 elric 170 1.1 elric *e = next; 171 1.1 elric 172 1.1 elric return 0; 173 1.1 elric } 174 1.1 elric 175 1.1 elric static int 176 1.1 elric is_primary_credential_p(krb5_context context, 177 1.1 elric kcm_ccache ccache, 178 1.1 elric krb5_creds *newcred) 179 1.1 elric { 180 1.1 elric krb5_flags whichfields; 181 1.1 elric 182 1.1 elric if (ccache->client == NULL) 183 1.1 elric return 0; 184 1.1 elric 185 1.1 elric if (newcred->client == NULL || 186 1.1 elric !krb5_principal_compare(context, ccache->client, newcred->client)) 187 1.1 elric return 0; 188 1.1 elric 189 1.1 elric /* XXX just checks whether it's the first credential in the cache */ 190 1.1 elric if (ccache->creds == NULL) 191 1.1 elric return 0; 192 1.1 elric 193 1.1 elric whichfields = KRB5_TC_MATCH_KEYTYPE | KRB5_TC_MATCH_FLAGS_EXACT | 194 1.1 elric KRB5_TC_MATCH_TIMES_EXACT | KRB5_TC_MATCH_AUTHDATA | 195 1.1 elric KRB5_TC_MATCH_2ND_TKT | KRB5_TC_MATCH_IS_SKEY; 196 1.1 elric 197 1.1 elric return krb5_compare_creds(context, whichfields, newcred, &ccache->creds->cred); 198 1.1 elric } 199 1.1 elric 200 1.1 elric /* 201 1.1 elric * Setup default events for a new credential 202 1.1 elric */ 203 1.1 elric static krb5_error_code 204 1.1 elric kcm_ccache_make_default_event(krb5_context context, 205 1.1 elric kcm_event *event, 206 1.1 elric krb5_creds *newcred) 207 1.1 elric { 208 1.1 elric krb5_error_code ret = 0; 209 1.1 elric kcm_ccache ccache = event->ccache; 210 1.1 elric 211 1.1 elric event->fire_time = 0; 212 1.1 elric event->expire_time = 0; 213 1.1 elric event->backoff_time = KCM_EVENT_DEFAULT_BACKOFF_TIME; 214 1.1 elric 215 1.1 elric if (newcred == NULL) { 216 1.1 elric /* no creds, must be acquire creds request */ 217 1.1 elric if ((ccache->flags & KCM_MASK_KEY_PRESENT) == 0) { 218 1.1 elric kcm_log(0, "Cannot acquire credentials without a key"); 219 1.1 elric return KRB5_FCC_INTERNAL; 220 1.1 elric } 221 1.1 elric 222 1.1 elric event->fire_time = time(NULL); /* right away */ 223 1.1 elric event->action = KCM_EVENT_ACQUIRE_CREDS; 224 1.1 elric } else if (is_primary_credential_p(context, ccache, newcred)) { 225 1.1 elric if (newcred->flags.b.renewable) { 226 1.1 elric event->action = KCM_EVENT_RENEW_CREDS; 227 1.1 elric ccache->flags |= KCM_FLAGS_RENEWABLE; 228 1.1 elric } else { 229 1.1 elric if (ccache->flags & KCM_MASK_KEY_PRESENT) 230 1.1 elric event->action = KCM_EVENT_ACQUIRE_CREDS; 231 1.1 elric else 232 1.1 elric event->action = KCM_EVENT_NONE; 233 1.1 elric ccache->flags &= ~(KCM_FLAGS_RENEWABLE); 234 1.1 elric } 235 1.1 elric /* requeue with some slop factor */ 236 1.1 elric event->fire_time = newcred->times.endtime - KCM_EVENT_QUEUE_INTERVAL; 237 1.1 elric } else { 238 1.1 elric event->action = KCM_EVENT_NONE; 239 1.1 elric } 240 1.1 elric 241 1.1 elric return ret; 242 1.1 elric } 243 1.1 elric 244 1.1 elric krb5_error_code 245 1.1 elric kcm_ccache_enqueue_default(krb5_context context, 246 1.1 elric kcm_ccache ccache, 247 1.1 elric krb5_creds *newcred) 248 1.1 elric { 249 1.1 elric kcm_event event; 250 1.1 elric krb5_error_code ret; 251 1.1 elric 252 1.1 elric memset(&event, 0, sizeof(event)); 253 1.1 elric event.ccache = ccache; 254 1.1 elric 255 1.1 elric ret = kcm_ccache_make_default_event(context, &event, newcred); 256 1.1 elric if (ret) 257 1.1 elric return ret; 258 1.1 elric 259 1.1 elric ret = kcm_enqueue_event_internal(context, &event); 260 1.1 elric if (ret) 261 1.1 elric return ret; 262 1.1 elric 263 1.1 elric return 0; 264 1.1 elric } 265 1.1 elric 266 1.1 elric krb5_error_code 267 1.1 elric kcm_remove_event(krb5_context context, 268 1.1 elric kcm_event *event) 269 1.1 elric { 270 1.1 elric krb5_error_code ret; 271 1.1 elric kcm_event **e; 272 1.1 elric int found = 0; 273 1.1 elric 274 1.1 elric log_event(event, "removing"); 275 1.1 elric 276 1.1 elric HEIMDAL_MUTEX_lock(&events_mutex); 277 1.1 elric for (e = &events_head; *e != NULL; e = &(*e)->next) { 278 1.1 elric if (event == *e) { 279 1.1 elric *e = event->next; 280 1.1 elric found++; 281 1.1 elric break; 282 1.1 elric } 283 1.1 elric } 284 1.1 elric 285 1.1 elric if (!found) { 286 1.1 elric ret = KRB5_CC_NOTFOUND; 287 1.1 elric goto out; 288 1.1 elric } 289 1.1 elric 290 1.1 elric ret = kcm_remove_event_internal(context, &event); 291 1.1 elric 292 1.1 elric out: 293 1.1 elric HEIMDAL_MUTEX_unlock(&events_mutex); 294 1.1 elric 295 1.1 elric return ret; 296 1.1 elric } 297 1.1 elric 298 1.1 elric krb5_error_code 299 1.1 elric kcm_cleanup_events(krb5_context context, 300 1.1 elric kcm_ccache ccache) 301 1.1 elric { 302 1.1 elric kcm_event **e; 303 1.1 elric 304 1.1 elric KCM_ASSERT_VALID(ccache); 305 1.1 elric 306 1.1 elric HEIMDAL_MUTEX_lock(&events_mutex); 307 1.1 elric 308 1.1 elric for (e = &events_head; *e != NULL; e = &(*e)->next) { 309 1.1 elric if ((*e)->valid && (*e)->ccache == ccache) { 310 1.1 elric kcm_remove_event_internal(context, e); 311 1.1 elric } 312 1.1 elric if (*e == NULL) 313 1.1 elric break; 314 1.1 elric } 315 1.1 elric 316 1.1 elric HEIMDAL_MUTEX_unlock(&events_mutex); 317 1.1 elric 318 1.1 elric return 0; 319 1.1 elric } 320 1.1 elric 321 1.1 elric static krb5_error_code 322 1.1 elric kcm_fire_event(krb5_context context, 323 1.1 elric kcm_event **e) 324 1.1 elric { 325 1.1 elric kcm_event *event; 326 1.1 elric krb5_error_code ret; 327 1.1 elric krb5_creds *credp = NULL; 328 1.1 elric int oneshot = 1; 329 1.1 elric 330 1.1 elric event = *e; 331 1.1 elric 332 1.1 elric switch (event->action) { 333 1.1 elric case KCM_EVENT_ACQUIRE_CREDS: 334 1.1 elric ret = kcm_ccache_acquire(context, event->ccache, &credp); 335 1.1 elric oneshot = 0; 336 1.1 elric break; 337 1.1 elric case KCM_EVENT_RENEW_CREDS: 338 1.1 elric ret = kcm_ccache_refresh(context, event->ccache, &credp); 339 1.1 elric if (ret == KRB5KRB_AP_ERR_TKT_EXPIRED) { 340 1.1 elric ret = kcm_ccache_acquire(context, event->ccache, &credp); 341 1.1 elric } 342 1.1 elric oneshot = 0; 343 1.1 elric break; 344 1.1 elric case KCM_EVENT_DESTROY_CREDS: 345 1.1 elric ret = kcm_ccache_destroy(context, event->ccache->name); 346 1.1 elric break; 347 1.1 elric case KCM_EVENT_DESTROY_EMPTY_CACHE: 348 1.1 elric ret = kcm_ccache_destroy_if_empty(context, event->ccache); 349 1.1 elric break; 350 1.1 elric default: 351 1.1 elric ret = KRB5_FCC_INTERNAL; 352 1.1 elric break; 353 1.1 elric } 354 1.1 elric 355 1.1 elric event->fire_count++; 356 1.1 elric 357 1.1 elric if (ret) { 358 1.1 elric /* Reschedule failed event for another time */ 359 1.1 elric event->fire_time += event->backoff_time; 360 1.1 elric if (event->backoff_time < KCM_EVENT_MAX_BACKOFF_TIME) 361 1.1 elric event->backoff_time *= 2; 362 1.1 elric 363 1.1 elric /* Remove it if it would never get executed */ 364 1.1 elric if (event->expire_time && 365 1.1 elric event->fire_time > event->expire_time) 366 1.1 elric kcm_remove_event_internal(context, e); 367 1.1 elric } else { 368 1.1 elric if (!oneshot) { 369 1.1 elric char *cpn; 370 1.1 elric 371 1.1 elric if (krb5_unparse_name(context, event->ccache->client, 372 1.1 elric &cpn)) 373 1.1 elric cpn = NULL; 374 1.1 elric 375 1.1 elric kcm_log(0, "%s credentials in cache %s for principal %s", 376 1.1 elric (event->action == KCM_EVENT_ACQUIRE_CREDS) ? 377 1.1 elric "Acquired" : "Renewed", 378 1.1 elric event->ccache->name, 379 1.1 elric (cpn != NULL) ? cpn : "<none>"); 380 1.1 elric 381 1.1 elric if (cpn != NULL) 382 1.1 elric free(cpn); 383 1.1 elric 384 1.1 elric /* Succeeded, but possibly replaced with another event */ 385 1.1 elric ret = kcm_ccache_make_default_event(context, event, credp); 386 1.1 elric if (ret || event->action == KCM_EVENT_NONE) 387 1.1 elric oneshot = 1; 388 1.1 elric else 389 1.1 elric log_event(event, "requeuing"); 390 1.1 elric } 391 1.1 elric if (oneshot) 392 1.1 elric kcm_remove_event_internal(context, e); 393 1.1 elric } 394 1.1 elric 395 1.1 elric return ret; 396 1.1 elric } 397 1.1 elric 398 1.1 elric krb5_error_code 399 1.1 elric kcm_run_events(krb5_context context, time_t now) 400 1.1 elric { 401 1.1 elric krb5_error_code ret; 402 1.1 elric kcm_event **e; 403 1.2 christos const char *estr; 404 1.1 elric 405 1.1 elric HEIMDAL_MUTEX_lock(&events_mutex); 406 1.1 elric 407 1.1 elric /* Only run event queue every N seconds */ 408 1.1 elric if (now < last_run + KCM_EVENT_QUEUE_INTERVAL) { 409 1.1 elric HEIMDAL_MUTEX_unlock(&events_mutex); 410 1.1 elric return 0; 411 1.1 elric } 412 1.1 elric 413 1.1 elric /* go through events list, fire and expire */ 414 1.1 elric for (e = &events_head; *e != NULL; e = &(*e)->next) { 415 1.1 elric if ((*e)->valid == 0) 416 1.1 elric continue; 417 1.1 elric 418 1.1 elric if (now >= (*e)->fire_time) { 419 1.1 elric ret = kcm_fire_event(context, e); 420 1.1 elric if (ret) { 421 1.2 christos estr = krb5_get_error_message(context, ret); 422 1.1 elric kcm_log(1, "Could not fire event for cache %s: %s", 423 1.2 christos (*e)->ccache->name, estr); 424 1.2 christos krb5_free_error_message(context, estr); 425 1.1 elric } 426 1.1 elric } else if ((*e)->expire_time && now >= (*e)->expire_time) { 427 1.1 elric ret = kcm_remove_event_internal(context, e); 428 1.1 elric if (ret) { 429 1.2 christos estr = krb5_get_error_message(context, ret); 430 1.1 elric kcm_log(1, "Could not expire event for cache %s: %s", 431 1.2 christos (*e)->ccache->name, estr); 432 1.2 christos krb5_free_error_message(context, estr); 433 1.1 elric } 434 1.1 elric } 435 1.1 elric 436 1.1 elric if (*e == NULL) 437 1.1 elric break; 438 1.1 elric } 439 1.1 elric 440 1.1 elric last_run = now; 441 1.1 elric 442 1.1 elric HEIMDAL_MUTEX_unlock(&events_mutex); 443 1.1 elric 444 1.1 elric return 0; 445 1.1 elric } 446 1.1 elric 447
Indexes created Tue Apr 28 00:22:25 UTC 2026