search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move kadmin and ktutil to /usr/bin.
[heimdal.git] / lib / krb5 / acache.c
blobaaaf71df1f8a43af09db531e92ce0b65b93d857b
1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <krb5_ccapi.h>
38 #ifdef HAVE_DLFCN_H
39 #include <dlfcn.h>
40 #endif
41
42 #ifndef KCM_IS_API_CACHE
43
44 static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
45 static cc_initialize_func init_func;
46 static void (KRB5_CALLCONV *set_target_uid)(uid_t);
47 static void (KRB5_CALLCONV *clear_target)(void);
48
49 #ifdef HAVE_DLOPEN
50 static void *cc_handle;
51 #endif
52
53 typedef struct krb5_acc {
54 char *cache_name;
55 cc_context_t context;
56 cc_ccache_t ccache;
57 } krb5_acc;
58
59 static krb5_error_code KRB5_CALLCONV acc_close(krb5_context, krb5_ccache);
60
61 #define ACACHE(X) ((krb5_acc *)(X)->data.data)
62
63 static const struct {
64 cc_int32 error;
65 krb5_error_code ret;
66 } cc_errors[] = {
67 { ccErrBadName, KRB5_CC_BADNAME },
68 { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND },
69 { ccErrCCacheNotFound, KRB5_FCC_NOFILE },
70 { ccErrContextNotFound, KRB5_CC_NOTFOUND },
71 { ccIteratorEnd, KRB5_CC_END },
72 { ccErrNoMem, KRB5_CC_NOMEM },
73 { ccErrServerUnavailable, KRB5_CC_NOSUPP },
74 { ccErrInvalidCCache, KRB5_CC_BADNAME },
75 { ccNoError, 0 }
76 };
77
78 static krb5_error_code
79 translate_cc_error(krb5_context context, cc_int32 error)
80 {
81 size_t i;
82 krb5_clear_error_message(context);
83 for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
84 if (cc_errors[i].error == error)
85 return cc_errors[i].ret;
86 return KRB5_FCC_INTERNAL;
87 }
88
89 static krb5_error_code
90 init_ccapi(krb5_context context)
91 {
92 const char *lib = NULL;
93
94 HEIMDAL_MUTEX_lock(&acc_mutex);
95 if (init_func) {
96 HEIMDAL_MUTEX_unlock(&acc_mutex);
97 if (context)
98 krb5_clear_error_message(context);
99 return 0;
100 }
101
102 if (context)
103 lib = krb5_config_get_string(context, NULL,
104 "libdefaults", "ccapi_library",
105 NULL);
106 if (lib == NULL) {
107 #ifdef __APPLE__
108 lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
109 #elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
110 lib = "%{LIBDIR}/libkrb5_cc.dll";
111 #else
112 lib = "/usr/lib/libkrb5_cc.so";
113 #endif
114 }
115
116 #ifdef HAVE_DLOPEN
117
118 #ifndef RTLD_LAZY
119 #define RTLD_LAZY 0
120 #endif
121 #ifndef RTLD_LOCAL
122 #define RTLD_LOCAL 0
123 #endif
124
125 #ifdef KRB5_USE_PATH_TOKENS
126 {
127 char * explib = NULL;
128 if (_krb5_expand_path_tokens(context, lib, &explib) == 0) {
129 cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
130 free(explib);
131 }
132 }
133 #else
134 cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
135 #endif
136
137 if (cc_handle == NULL) {
138 HEIMDAL_MUTEX_unlock(&acc_mutex);
139 if (context)
140 krb5_set_error_message(context, KRB5_CC_NOSUPP,
141 N_("Failed to load API cache module %s", "file"),
142 lib);
143 return KRB5_CC_NOSUPP;
144 }
145
146 init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
147 set_target_uid = (void (KRB5_CALLCONV *)(uid_t))
148 dlsym(cc_handle, "krb5_ipc_client_set_target_uid");
149 clear_target = (void (KRB5_CALLCONV *)(void))
150 dlsym(cc_handle, "krb5_ipc_client_clear_target");
151 HEIMDAL_MUTEX_unlock(&acc_mutex);
152 if (init_func == NULL) {
153 if (context)
154 krb5_set_error_message(context, KRB5_CC_NOSUPP,
155 N_("Failed to find cc_initialize"
156 "in %s: %s", "file, error"), lib, dlerror());
157 dlclose(cc_handle);
158 return KRB5_CC_NOSUPP;
159 }
160
161 return 0;
162 #else
163 HEIMDAL_MUTEX_unlock(&acc_mutex);
164 if (context)
165 krb5_set_error_message(context, KRB5_CC_NOSUPP,
166 N_("no support for shared object", ""));
167 return KRB5_CC_NOSUPP;
168 #endif
169 }
170
171 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
172 _heim_krb5_ipc_client_set_target_uid(uid_t uid)
173 {
174 init_ccapi(NULL);
175 if (set_target_uid != NULL)
176 (*set_target_uid)(uid);
177 }
178
179 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
180 _heim_krb5_ipc_client_clear_target(void)
181 {
182 init_ccapi(NULL);
183 if (clear_target != NULL)
184 (*clear_target)();
185 }
186
187 static krb5_error_code
188 make_cred_from_ccred(krb5_context context,
189 const cc_credentials_v5_t *incred,
190 krb5_creds *cred)
191 {
192 krb5_error_code ret;
193 unsigned int i;
194
195 memset(cred, 0, sizeof(*cred));
196
197 ret = krb5_parse_name(context, incred->client, &cred->client);
198 if (ret)
199 goto fail;
200
201 ret = krb5_parse_name(context, incred->server, &cred->server);
202 if (ret)
203 goto fail;
204
205 cred->session.keytype = incred->keyblock.type;
206 cred->session.keyvalue.length = incred->keyblock.length;
207 cred->session.keyvalue.data = malloc(incred->keyblock.length);
208 if (cred->session.keyvalue.data == NULL)
209 goto nomem;
210 memcpy(cred->session.keyvalue.data, incred->keyblock.data,
211 incred->keyblock.length);
212
213 cred->times.authtime = incred->authtime;
214 cred->times.starttime = incred->starttime;
215 cred->times.endtime = incred->endtime;
216 cred->times.renew_till = incred->renew_till;
217
218 ret = krb5_data_copy(&cred->ticket,
219 incred->ticket.data,
220 incred->ticket.length);
221 if (ret)
222 goto nomem;
223
224 ret = krb5_data_copy(&cred->second_ticket,
225 incred->second_ticket.data,
226 incred->second_ticket.length);
227 if (ret)
228 goto nomem;
229
230 cred->authdata.val = NULL;
231 cred->authdata.len = 0;
232
233 cred->addresses.val = NULL;
234 cred->addresses.len = 0;
235
236 for (i = 0; incred->authdata && incred->authdata[i]; i++)
237 ;
238
239 if (i) {
240 cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
241 if (cred->authdata.val == NULL)
242 goto nomem;
243 cred->authdata.len = i;
244 for (i = 0; i < cred->authdata.len; i++) {
245 cred->authdata.val[i].ad_type = incred->authdata[i]->type;
246 ret = krb5_data_copy(&cred->authdata.val[i].ad_data,
247 incred->authdata[i]->data,
248 incred->authdata[i]->length);
249 if (ret)
250 goto nomem;
251 }
252 }
253
254 for (i = 0; incred->addresses && incred->addresses[i]; i++)
255 ;
256
257 if (i) {
258 cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
259 if (cred->addresses.val == NULL)
260 goto nomem;
261 cred->addresses.len = i;
262
263 for (i = 0; i < cred->addresses.len; i++) {
264 cred->addresses.val[i].addr_type = incred->addresses[i]->type;
265 ret = krb5_data_copy(&cred->addresses.val[i].address,
266 incred->addresses[i]->data,
267 incred->addresses[i]->length);
268 if (ret)
269 goto nomem;
270 }
271 }
272
273 cred->flags.i = 0;
274 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
275 cred->flags.b.forwardable = 1;
276 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
277 cred->flags.b.forwarded = 1;
278 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
279 cred->flags.b.proxiable = 1;
280 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
281 cred->flags.b.proxy = 1;
282 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
283 cred->flags.b.may_postdate = 1;
284 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
285 cred->flags.b.postdated = 1;
286 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
287 cred->flags.b.invalid = 1;
288 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
289 cred->flags.b.renewable = 1;
290 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
291 cred->flags.b.initial = 1;
292 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
293 cred->flags.b.pre_authent = 1;
294 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
295 cred->flags.b.hw_authent = 1;
296 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
297 cred->flags.b.transited_policy_checked = 1;
298 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
299 cred->flags.b.ok_as_delegate = 1;
300 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
301 cred->flags.b.anonymous = 1;
302
303 return 0;
304
305 nomem:
306 ret = krb5_enomem(context);
307
308 fail:
309 krb5_free_cred_contents(context, cred);
310 return ret;
311 }
312
313 static void
314 free_ccred(cc_credentials_v5_t *cred)
315 {
316 int i;
317
318 if (cred->addresses) {
319 for (i = 0; cred->addresses[i] != 0; i++) {
320 if (cred->addresses[i]->data)
321 free(cred->addresses[i]->data);
322 free(cred->addresses[i]);
323 }
324 free(cred->addresses);
325 }
326 if (cred->server)
327 free(cred->server);
328 if (cred->client)
329 free(cred->client);
330 memset(cred, 0, sizeof(*cred));
331 }
332
333 static krb5_error_code
334 make_ccred_from_cred(krb5_context context,
335 const krb5_creds *incred,
336 cc_credentials_v5_t *cred)
337 {
338 krb5_error_code ret;
339 size_t i;
340
341 memset(cred, 0, sizeof(*cred));
342
343 ret = krb5_unparse_name(context, incred->client, &cred->client);
344 if (ret)
345 goto fail;
346
347 ret = krb5_unparse_name(context, incred->server, &cred->server);
348 if (ret)
349 goto fail;
350
351 cred->keyblock.type = incred->session.keytype;
352 cred->keyblock.length = incred->session.keyvalue.length;
353 cred->keyblock.data = incred->session.keyvalue.data;
354
355 cred->authtime = incred->times.authtime;
356 cred->starttime = incred->times.starttime;
357 cred->endtime = incred->times.endtime;
358 cred->renew_till = incred->times.renew_till;
359
360 cred->ticket.length = incred->ticket.length;
361 cred->ticket.data = incred->ticket.data;
362
363 cred->second_ticket.length = incred->second_ticket.length;
364 cred->second_ticket.data = incred->second_ticket.data;
365
366 /* XXX this one should also be filled in */
367 cred->authdata = NULL;
368
369 cred->addresses = calloc(incred->addresses.len + 1,
370 sizeof(cred->addresses[0]));
371 if (cred->addresses == NULL) {
372
373 ret = ENOMEM;
374 goto fail;
375 }
376
377 for (i = 0; i < incred->addresses.len; i++) {
378 cc_data *addr;
379 addr = malloc(sizeof(*addr));
380 if (addr == NULL) {
381 ret = ENOMEM;
382 goto fail;
383 }
384 addr->type = incred->addresses.val[i].addr_type;
385 addr->length = incred->addresses.val[i].address.length;
386 addr->data = malloc(addr->length);
387 if (addr->data == NULL) {
388 free(addr);
389 ret = ENOMEM;
390 goto fail;
391 }
392 memcpy(addr->data, incred->addresses.val[i].address.data,
393 addr->length);
394 cred->addresses[i] = addr;
395 }
396 cred->addresses[i] = NULL;
397
398 cred->ticket_flags = 0;
399 if (incred->flags.b.forwardable)
400 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
401 if (incred->flags.b.forwarded)
402 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
403 if (incred->flags.b.proxiable)
404 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
405 if (incred->flags.b.proxy)
406 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
407 if (incred->flags.b.may_postdate)
408 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
409 if (incred->flags.b.postdated)
410 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
411 if (incred->flags.b.invalid)
412 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
413 if (incred->flags.b.renewable)
414 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
415 if (incred->flags.b.initial)
416 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
417 if (incred->flags.b.pre_authent)
418 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
419 if (incred->flags.b.hw_authent)
420 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
421 if (incred->flags.b.transited_policy_checked)
422 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
423 if (incred->flags.b.ok_as_delegate)
424 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
425 if (incred->flags.b.anonymous)
426 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
427
428 return 0;
429
430 fail:
431 free_ccred(cred);
432
433 krb5_clear_error_message(context);
434 return ret;
435 }
436
437 static cc_int32
438 get_cc_name(krb5_acc *a)
439 {
440 cc_string_t name;
441 cc_int32 error;
442
443 error = (*a->ccache->func->get_name)(a->ccache, &name);
444 if (error)
445 return error;
446
447 a->cache_name = strdup(name->data);
448 (*name->func->release)(name);
449 if (a->cache_name == NULL)
450 return ccErrNoMem;
451 return ccNoError;
452 }
453
454
455 static const char* KRB5_CALLCONV
456 acc_get_name(krb5_context context,
457 krb5_ccache id)
458 {
459 krb5_acc *a = ACACHE(id);
460 int32_t error;
461
462 if (a->cache_name == NULL) {
463 krb5_error_code ret;
464 krb5_principal principal;
465 char *name;
466
467 ret = _krb5_get_default_principal_local(context, &principal);
468 if (ret)
469 return NULL;
470
471 ret = krb5_unparse_name(context, principal, &name);
472 krb5_free_principal(context, principal);
473 if (ret)
474 return NULL;
475
476 error = (*a->context->func->create_new_ccache)(a->context,
477 cc_credentials_v5,
478 name,
479 &a->ccache);
480 krb5_xfree(name);
481 if (error)
482 return NULL;
483
484 error = get_cc_name(a);
485 if (error)
486 return NULL;
487 }
488
489 return a->cache_name;
490 }
491
492 static krb5_error_code KRB5_CALLCONV
493 acc_alloc(krb5_context context, krb5_ccache *id)
494 {
495 krb5_error_code ret;
496 cc_int32 error;
497 krb5_acc *a;
498
499 ret = init_ccapi(context);
500 if (ret)
501 return ret;
502
503 ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
504 if (ret) {
505 krb5_clear_error_message(context);
506 return ret;
507 }
508
509 a = ACACHE(*id);
510
511 error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
512 if (error) {
513 krb5_data_free(&(*id)->data);
514 return translate_cc_error(context, error);
515 }
516
517 a->cache_name = NULL;
518
519 return 0;
520 }
521
522 static krb5_error_code KRB5_CALLCONV
523 acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
524 {
525 krb5_error_code ret;
526 cc_int32 error;
527 krb5_acc *a;
528
529 ret = acc_alloc(context, id);
530 if (ret)
531 return ret;
532
533 a = ACACHE(*id);
534
535 error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
536 if (error == ccNoError) {
537 cc_time_t offset;
538 error = get_cc_name(a);
539 if (error != ccNoError) {
540 acc_close(context, *id);
541 *id = NULL;
542 return translate_cc_error(context, error);
543 }
544
545 error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
546 cc_credentials_v5,
547 &offset);
548 if (error == 0)
549 context->kdc_sec_offset = offset;
550
551 } else if (error == ccErrCCacheNotFound) {
552 a->ccache = NULL;
553 a->cache_name = NULL;
554 } else {
555 *id = NULL;
556 return translate_cc_error(context, error);
557 }
558
559 return 0;
560 }
561
562 static krb5_error_code KRB5_CALLCONV
563 acc_gen_new(krb5_context context, krb5_ccache *id)
564 {
565 krb5_error_code ret;
566 krb5_acc *a;
567
568 ret = acc_alloc(context, id);
569 if (ret)
570 return ret;
571
572 a = ACACHE(*id);
573
574 a->ccache = NULL;
575 a->cache_name = NULL;
576
577 return 0;
578 }
579
580 static krb5_error_code KRB5_CALLCONV
581 acc_initialize(krb5_context context,
582 krb5_ccache id,
583 krb5_principal primary_principal)
584 {
585 krb5_acc *a = ACACHE(id);
586 krb5_error_code ret;
587 int32_t error;
588 char *name;
589
590 ret = krb5_unparse_name(context, primary_principal, &name);
591 if (ret)
592 return ret;
593
594 if (a->cache_name == NULL) {
595 error = (*a->context->func->create_new_ccache)(a->context,
596 cc_credentials_v5,
597 name,
598 &a->ccache);
599 free(name);
600 if (error == ccNoError)
601 error = get_cc_name(a);
602 } else {
603 cc_credentials_iterator_t iter;
604 cc_credentials_t ccred;
605
606 error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
607 if (error) {
608 free(name);
609 return translate_cc_error(context, error);
610 }
611
612 while (1) {
613 error = (*iter->func->next)(iter, &ccred);
614 if (error)
615 break;
616 (*a->ccache->func->remove_credentials)(a->ccache, ccred);
617 (*ccred->func->release)(ccred);
618 }
619 (*iter->func->release)(iter);
620
621 error = (*a->ccache->func->set_principal)(a->ccache,
622 cc_credentials_v5,
623 name);
624 }
625
626 if (error == 0 && context->kdc_sec_offset)
627 error = (*a->ccache->func->set_kdc_time_offset)(a->ccache,
628 cc_credentials_v5,
629 context->kdc_sec_offset);
630
631 return translate_cc_error(context, error);
632 }
633
634 static krb5_error_code KRB5_CALLCONV
635 acc_close(krb5_context context,
636 krb5_ccache id)
637 {
638 krb5_acc *a = ACACHE(id);
639
640 if (a->ccache) {
641 (*a->ccache->func->release)(a->ccache);
642 a->ccache = NULL;
643 }
644 if (a->cache_name) {
645 free(a->cache_name);
646 a->cache_name = NULL;
647 }
648 if (a->context) {
649 (*a->context->func->release)(a->context);
650 a->context = NULL;
651 }
652 krb5_data_free(&id->data);
653 return 0;
654 }
655
656 static krb5_error_code KRB5_CALLCONV
657 acc_destroy(krb5_context context,
658 krb5_ccache id)
659 {
660 krb5_acc *a = ACACHE(id);
661 cc_int32 error = 0;
662
663 if (a->ccache) {
664 error = (*a->ccache->func->destroy)(a->ccache);
665 a->ccache = NULL;
666 }
667 if (a->context) {
668 error = (a->context->func->release)(a->context);
669 a->context = NULL;
670 }
671 return translate_cc_error(context, error);
672 }
673
674 static krb5_error_code KRB5_CALLCONV
675 acc_store_cred(krb5_context context,
676 krb5_ccache id,
677 krb5_creds *creds)
678 {
679 krb5_acc *a = ACACHE(id);
680 cc_credentials_union cred;
681 cc_credentials_v5_t v5cred;
682 krb5_error_code ret;
683 cc_int32 error;
684
685 if (a->ccache == NULL) {
686 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
687 N_("No API credential found", ""));
688 return KRB5_CC_NOTFOUND;
689 }
690
691 cred.version = cc_credentials_v5;
692 cred.credentials.credentials_v5 = &v5cred;
693
694 ret = make_ccred_from_cred(context,
695 creds,
696 &v5cred);
697 if (ret)
698 return ret;
699
700 error = (*a->ccache->func->store_credentials)(a->ccache, &cred);
701 if (error)
702 ret = translate_cc_error(context, error);
703
704 free_ccred(&v5cred);
705
706 return ret;
707 }
708
709 static krb5_error_code KRB5_CALLCONV
710 acc_get_principal(krb5_context context,
711 krb5_ccache id,
712 krb5_principal *principal)
713 {
714 krb5_acc *a = ACACHE(id);
715 krb5_error_code ret;
716 int32_t error;
717 cc_string_t name;
718
719 if (a->ccache == NULL) {
720 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
721 N_("No API credential found", ""));
722 return KRB5_CC_NOTFOUND;
723 }
724
725 error = (*a->ccache->func->get_principal)(a->ccache,
726 cc_credentials_v5,
727 &name);
728 if (error)
729 return translate_cc_error(context, error);
730
731 ret = krb5_parse_name(context, name->data, principal);
732
733 (*name->func->release)(name);
734 return ret;
735 }
736
737 static krb5_error_code KRB5_CALLCONV
738 acc_get_first (krb5_context context,
739 krb5_ccache id,
740 krb5_cc_cursor *cursor)
741 {
742 cc_credentials_iterator_t iter;
743 krb5_acc *a = ACACHE(id);
744 int32_t error;
745
746 if (a->ccache == NULL) {
747 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
748 N_("No API credential found", ""));
749 return KRB5_CC_NOTFOUND;
750 }
751
752 error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
753 if (error) {
754 krb5_clear_error_message(context);
755 return ENOENT;
756 }
757 *cursor = iter;
758 return 0;
759 }
760
761
762 static krb5_error_code KRB5_CALLCONV
763 acc_get_next (krb5_context context,
764 krb5_ccache id,
765 krb5_cc_cursor *cursor,
766 krb5_creds *creds)
767 {
768 cc_credentials_iterator_t iter = *cursor;
769 cc_credentials_t cred;
770 krb5_error_code ret;
771 int32_t error;
772
773 while (1) {
774 error = (*iter->func->next)(iter, &cred);
775 if (error)
776 return translate_cc_error(context, error);
777 if (cred->data->version == cc_credentials_v5)
778 break;
779 (*cred->func->release)(cred);
780 }
781
782 ret = make_cred_from_ccred(context,
783 cred->data->credentials.credentials_v5,
784 creds);
785 (*cred->func->release)(cred);
786 return ret;
787 }
788
789 static krb5_error_code KRB5_CALLCONV
790 acc_end_get (krb5_context context,
791 krb5_ccache id,
792 krb5_cc_cursor *cursor)
793 {
794 cc_credentials_iterator_t iter = *cursor;
795 (*iter->func->release)(iter);
796 return 0;
797 }
798
799 static krb5_error_code KRB5_CALLCONV
800 acc_remove_cred(krb5_context context,
801 krb5_ccache id,
802 krb5_flags which,
803 krb5_creds *cred)
804 {
805 cc_credentials_iterator_t iter;
806 krb5_acc *a = ACACHE(id);
807 cc_credentials_t ccred;
808 krb5_error_code ret;
809 cc_int32 error;
810 char *client, *server;
811
812 if (a->ccache == NULL) {
813 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
814 N_("No API credential found", ""));
815 return KRB5_CC_NOTFOUND;
816 }
817
818 if (cred->client) {
819 ret = krb5_unparse_name(context, cred->client, &client);
820 if (ret)
821 return ret;
822 } else
823 client = NULL;
824
825 ret = krb5_unparse_name(context, cred->server, &server);
826 if (ret) {
827 free(client);
828 return ret;
829 }
830
831 error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
832 if (error) {
833 free(server);
834 free(client);
835 return translate_cc_error(context, error);
836 }
837
838 ret = KRB5_CC_NOTFOUND;
839 while (1) {
840 cc_credentials_v5_t *v5cred;
841
842 error = (*iter->func->next)(iter, &ccred);
843 if (error)
844 break;
845
846 if (ccred->data->version != cc_credentials_v5)
847 goto next;
848
849 v5cred = ccred->data->credentials.credentials_v5;
850
851 if (client && strcmp(v5cred->client, client) != 0)
852 goto next;
853
854 if (strcmp(v5cred->server, server) != 0)
855 goto next;
856
857 (*a->ccache->func->remove_credentials)(a->ccache, ccred);
858 ret = 0;
859 next:
860 (*ccred->func->release)(ccred);
861 }
862
863 (*iter->func->release)(iter);
864
865 if (ret)
866 krb5_set_error_message(context, ret,
867 N_("Can't find credential %s in cache",
868 "principal"), server);
869 free(server);
870 free(client);
871
872 return ret;
873 }
874
875 static krb5_error_code KRB5_CALLCONV
876 acc_set_flags(krb5_context context,
877 krb5_ccache id,
878 krb5_flags flags)
879 {
880 return 0;
881 }
882
883 static int KRB5_CALLCONV
884 acc_get_version(krb5_context context,
885 krb5_ccache id)
886 {
887 return 0;
888 }
889
890 struct cache_iter {
891 cc_context_t context;
892 cc_ccache_iterator_t iter;
893 };
894
895 static krb5_error_code KRB5_CALLCONV
896 acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
897 {
898 struct cache_iter *iter;
899 krb5_error_code ret;
900 cc_int32 error;
901
902 ret = init_ccapi(context);
903 if (ret)
904 return ret;
905
906 iter = calloc(1, sizeof(*iter));
907 if (iter == NULL)
908 return krb5_enomem(context);
909
910 error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL);
911 if (error) {
912 free(iter);
913 return translate_cc_error(context, error);
914 }
915
916 error = (*iter->context->func->new_ccache_iterator)(iter->context,
917 &iter->iter);
918 if (error) {
919 free(iter);
920 krb5_clear_error_message(context);
921 return ENOENT;
922 }
923 *cursor = iter;
924 return 0;
925 }
926
927 static krb5_error_code KRB5_CALLCONV
928 acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
929 {
930 struct cache_iter *iter = cursor;
931 cc_ccache_t cache;
932 krb5_acc *a;
933 krb5_error_code ret;
934 int32_t error;
935
936 error = (*iter->iter->func->next)(iter->iter, &cache);
937 if (error)
938 return translate_cc_error(context, error);
939
940 ret = _krb5_cc_allocate(context, &krb5_acc_ops, id);
941 if (ret) {
942 (*cache->func->release)(cache);
943 return ret;
944 }
945
946 ret = acc_alloc(context, id);
947 if (ret) {
948 (*cache->func->release)(cache);
949 free(*id);
950 return ret;
951 }
952
953 a = ACACHE(*id);
954 a->ccache = cache;
955
956 error = get_cc_name(a);
957 if (error) {
958 acc_close(context, *id);
959 *id = NULL;
960 return translate_cc_error(context, error);
961 }
962 return 0;
963 }
964
965 static krb5_error_code KRB5_CALLCONV
966 acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
967 {
968 struct cache_iter *iter = cursor;
969
970 (*iter->iter->func->release)(iter->iter);
971 iter->iter = NULL;
972 (*iter->context->func->release)(iter->context);
973 iter->context = NULL;
974 free(iter);
975 return 0;
976 }
977
978 static krb5_error_code KRB5_CALLCONV
979 acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
980 {
981 krb5_acc *afrom = ACACHE(from);
982 krb5_acc *ato = ACACHE(to);
983 int32_t error;
984
985 if (ato->ccache == NULL) {
986 cc_string_t name;
987
988 error = (*afrom->ccache->func->get_principal)(afrom->ccache,
989 cc_credentials_v5,
990 &name);
991 if (error)
992 return translate_cc_error(context, error);
993
994 error = (*ato->context->func->create_new_ccache)(ato->context,
995 cc_credentials_v5,
996 name->data,
997 &ato->ccache);
998 (*name->func->release)(name);
999 if (error)
1000 return translate_cc_error(context, error);
1001 }
1002
1003 error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
1004
1005 acc_destroy(context, from);
1006
1007 return translate_cc_error(context, error);
1008 }
1009
1010 static krb5_error_code KRB5_CALLCONV
1011 acc_get_default_name(krb5_context context, char **str)
1012 {
1013 krb5_error_code ret;
1014 cc_context_t cc;
1015 cc_string_t name;
1016 int32_t error;
1017
1018 ret = init_ccapi(context);
1019 if (ret)
1020 return ret;
1021
1022 error = (*init_func)(&cc, ccapi_version_3, NULL, NULL);
1023 if (error)
1024 return translate_cc_error(context, error);
1025
1026 error = (*cc->func->get_default_ccache_name)(cc, &name);
1027 if (error) {
1028 (*cc->func->release)(cc);
1029 return translate_cc_error(context, error);
1030 }
1031
1032 error = asprintf(str, "API:%s", name->data);
1033 (*name->func->release)(name);
1034 (*cc->func->release)(cc);
1035
1036 if (error < 0 || *str == NULL)
1037 return krb5_enomem(context);
1038 return 0;
1039 }
1040
1041 static krb5_error_code KRB5_CALLCONV
1042 acc_set_default(krb5_context context, krb5_ccache id)
1043 {
1044 krb5_acc *a = ACACHE(id);
1045 cc_int32 error;
1046
1047 if (a->ccache == NULL) {
1048 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1049 N_("No API credential found", ""));
1050 return KRB5_CC_NOTFOUND;
1051 }
1052
1053 error = (*a->ccache->func->set_default)(a->ccache);
1054 if (error)
1055 return translate_cc_error(context, error);
1056
1057 return 0;
1058 }
1059
1060 static krb5_error_code KRB5_CALLCONV
1061 acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
1062 {
1063 krb5_acc *a = ACACHE(id);
1064 cc_int32 error;
1065 cc_time_t t;
1066
1067 if (a->ccache == NULL) {
1068 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1069 N_("No API credential found", ""));
1070 return KRB5_CC_NOTFOUND;
1071 }
1072
1073 error = (*a->ccache->func->get_change_time)(a->ccache, &t);
1074 if (error)
1075 return translate_cc_error(context, error);
1076
1077 *mtime = t;
1078
1079 return 0;
1080 }
1081
1082 /**
1083 * Variable containing the API based credential cache implemention.
1084 *
1085 * @ingroup krb5_ccache
1086 */
1087
1088 KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
1089 KRB5_CC_OPS_VERSION,
1090 "API",
1091 acc_get_name,
1092 acc_resolve,
1093 acc_gen_new,
1094 acc_initialize,
1095 acc_destroy,
1096 acc_close,
1097 acc_store_cred,
1098 NULL, /* acc_retrieve */
1099 acc_get_principal,
1100 acc_get_first,
1101 acc_get_next,
1102 acc_end_get,
1103 acc_remove_cred,
1104 acc_set_flags,
1105 acc_get_version,
1106 acc_get_cache_first,
1107 acc_get_cache_next,
1108 acc_end_cache_get,
1109 acc_move,
1110 acc_get_default_name,
1111 acc_set_default,
1112 acc_lastchange,
1113 NULL,
1114 NULL,
1115 };
1116
1117 #endif
Heimdal