search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fixes from Stefan Metzmacher
[heimdal.git] / lib / krb5 / acache.c
blob573f02207eb6099517f52860b161533c7315548a
1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35 #include <krb5_ccapi.h>
36 #ifdef HAVE_DLFCN_H
37 #include <dlfcn.h>
38 #endif
39
40 RCSID("$Id$");
41
42 /* XXX should we fetch these for each open ? */
43 static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
44 static cc_initialize_func init_func;
45
46 #ifdef HAVE_DLOPEN
47 static void *cc_handle;
48 #endif
49
50 typedef struct krb5_acc {
51 char *cache_name;
52 cc_context_t context;
53 cc_ccache_t ccache;
54 } krb5_acc;
55
56 static krb5_error_code acc_close(krb5_context, krb5_ccache);
57
58 #define ACACHE(X) ((krb5_acc *)(X)->data.data)
59
60 static const struct {
61 cc_int32 error;
62 krb5_error_code ret;
63 } cc_errors[] = {
64 { ccErrBadName, KRB5_CC_BADNAME },
65 { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND },
66 { ccErrCCacheNotFound, KRB5_FCC_NOFILE },
67 { ccErrContextNotFound, KRB5_CC_NOTFOUND },
68 { ccIteratorEnd, KRB5_CC_END },
69 { ccErrNoMem, KRB5_CC_NOMEM },
70 { ccErrServerUnavailable, KRB5_CC_NOSUPP },
71 { ccErrInvalidCCache, KRB5_CC_BADNAME },
72 { ccNoError, 0 }
73 };
74
75 static krb5_error_code
76 translate_cc_error(krb5_context context, cc_int32 error)
77 {
78 int i;
79 krb5_clear_error_string(context);
80 for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
81 if (cc_errors[i].error == error)
82 return cc_errors[i].ret;
83 return KRB5_FCC_INTERNAL;
84 }
85
86 static krb5_error_code
87 init_ccapi(krb5_context context)
88 {
89 const char *lib;
90
91 HEIMDAL_MUTEX_lock(&acc_mutex);
92 if (init_func) {
93 HEIMDAL_MUTEX_unlock(&acc_mutex);
94 krb5_clear_error_string(context);
95 return 0;
96 }
97
98 lib = krb5_config_get_string(context, NULL,
99 "libdefaults", "ccapi_library",
100 NULL);
101 if (lib == NULL) {
102 #ifdef __APPLE__
103 lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
104 #else
105 lib = "/usr/lib/libkrb5_cc.so";
106 #endif
107 }
108
109 #ifdef HAVE_DLOPEN
110
111 #ifndef RTLD_LAZY
112 #define RTLD_LAZY 0
113 #endif
114
115 cc_handle = dlopen(lib, RTLD_LAZY);
116 if (cc_handle == NULL) {
117 HEIMDAL_MUTEX_unlock(&acc_mutex);
118 krb5_set_error_string(context, "Failed to load %s", lib);
119 return KRB5_CC_NOSUPP;
120 }
121
122 init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
123 HEIMDAL_MUTEX_unlock(&acc_mutex);
124 if (init_func == NULL) {
125 krb5_set_error_string(context, "Failed to find cc_initialize"
126 "in %s: %s", lib, dlerror());
127 dlclose(cc_handle);
128 return KRB5_CC_NOSUPP;
129 }
130
131 return 0;
132 #else
133 HEIMDAL_MUTEX_unlock(&acc_mutex);
134 krb5_set_error_string(context, "no support for shared object");
135 return KRB5_CC_NOSUPP;
136 #endif
137 }
138
139 static krb5_error_code
140 make_cred_from_ccred(krb5_context context,
141 const cc_credentials_v5_t *incred,
142 krb5_creds *cred)
143 {
144 krb5_error_code ret;
145 unsigned int i;
146
147 memset(cred, 0, sizeof(*cred));
148
149 ret = krb5_parse_name(context, incred->client, &cred->client);
150 if (ret)
151 goto fail;
152
153 ret = krb5_parse_name(context, incred->server, &cred->server);
154 if (ret)
155 goto fail;
156
157 cred->session.keytype = incred->keyblock.type;
158 cred->session.keyvalue.length = incred->keyblock.length;
159 cred->session.keyvalue.data = malloc(incred->keyblock.length);
160 if (cred->session.keyvalue.data == NULL)
161 goto nomem;
162 memcpy(cred->session.keyvalue.data, incred->keyblock.data,
163 incred->keyblock.length);
164
165 cred->times.authtime = incred->authtime;
166 cred->times.starttime = incred->starttime;
167 cred->times.endtime = incred->endtime;
168 cred->times.renew_till = incred->renew_till;
169
170 ret = krb5_data_copy(&cred->ticket,
171 incred->ticket.data,
172 incred->ticket.length);
173 if (ret)
174 goto nomem;
175
176 ret = krb5_data_copy(&cred->second_ticket,
177 incred->second_ticket.data,
178 incred->second_ticket.length);
179 if (ret)
180 goto nomem;
181
182 cred->authdata.val = NULL;
183 cred->authdata.len = 0;
184
185 cred->addresses.val = NULL;
186 cred->addresses.len = 0;
187
188 for (i = 0; incred->authdata && incred->authdata[i]; i++)
189 ;
190
191 if (i) {
192 cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
193 if (cred->authdata.val == NULL)
194 goto nomem;
195 cred->authdata.len = i;
196 for (i = 0; i < cred->authdata.len; i++) {
197 cred->authdata.val[i].ad_type = incred->authdata[i]->type;
198 ret = krb5_data_copy(&cred->authdata.val[i].ad_data,
199 incred->authdata[i]->data,
200 incred->authdata[i]->length);
201 if (ret)
202 goto nomem;
203 }
204 }
205
206 for (i = 0; incred->addresses && incred->addresses[i]; i++)
207 ;
208
209 if (i) {
210 cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
211 if (cred->addresses.val == NULL)
212 goto nomem;
213 cred->addresses.len = i;
214
215 for (i = 0; i < cred->addresses.len; i++) {
216 cred->addresses.val[i].addr_type = incred->addresses[i]->type;
217 ret = krb5_data_copy(&cred->addresses.val[i].address,
218 incred->addresses[i]->data,
219 incred->addresses[i]->length);
220 if (ret)
221 goto nomem;
222 }
223 }
224
225 cred->flags.i = 0;
226 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
227 cred->flags.b.forwardable = 1;
228 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
229 cred->flags.b.forwarded = 1;
230 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
231 cred->flags.b.proxiable = 1;
232 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
233 cred->flags.b.proxy = 1;
234 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
235 cred->flags.b.may_postdate = 1;
236 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
237 cred->flags.b.postdated = 1;
238 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
239 cred->flags.b.invalid = 1;
240 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
241 cred->flags.b.renewable = 1;
242 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
243 cred->flags.b.initial = 1;
244 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
245 cred->flags.b.pre_authent = 1;
246 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
247 cred->flags.b.hw_authent = 1;
248 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
249 cred->flags.b.transited_policy_checked = 1;
250 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
251 cred->flags.b.ok_as_delegate = 1;
252 if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
253 cred->flags.b.anonymous = 1;
254
255 return 0;
256
257 nomem:
258 ret = ENOMEM;
259 krb5_set_error_string(context, "malloc - out of memory");
260
261 fail:
262 krb5_free_cred_contents(context, cred);
263 return ret;
264 }
265
266 static void
267 free_ccred(cc_credentials_v5_t *cred)
268 {
269 int i;
270
271 if (cred->addresses) {
272 for (i = 0; cred->addresses[i] != 0; i++) {
273 if (cred->addresses[i]->data)
274 free(cred->addresses[i]->data);
275 free(cred->addresses[i]);
276 }
277 free(cred->addresses);
278 }
279 if (cred->server)
280 free(cred->server);
281 if (cred->client)
282 free(cred->client);
283 memset(cred, 0, sizeof(*cred));
284 }
285
286 static krb5_error_code
287 make_ccred_from_cred(krb5_context context,
288 const krb5_creds *incred,
289 cc_credentials_v5_t *cred)
290 {
291 krb5_error_code ret;
292 int i;
293
294 memset(cred, 0, sizeof(*cred));
295
296 ret = krb5_unparse_name(context, incred->client, &cred->client);
297 if (ret)
298 goto fail;
299
300 ret = krb5_unparse_name(context, incred->server, &cred->server);
301 if (ret)
302 goto fail;
303
304 cred->keyblock.type = incred->session.keytype;
305 cred->keyblock.length = incred->session.keyvalue.length;
306 cred->keyblock.data = incred->session.keyvalue.data;
307
308 cred->authtime = incred->times.authtime;
309 cred->starttime = incred->times.starttime;
310 cred->endtime = incred->times.endtime;
311 cred->renew_till = incred->times.renew_till;
312
313 cred->ticket.length = incred->ticket.length;
314 cred->ticket.data = incred->ticket.data;
315
316 cred->second_ticket.length = incred->second_ticket.length;
317 cred->second_ticket.data = incred->second_ticket.data;
318
319 /* XXX this one should also be filled in */
320 cred->authdata = NULL;
321
322 cred->addresses = calloc(incred->addresses.len + 1,
323 sizeof(cred->addresses[0]));
324 if (cred->addresses == NULL) {
325
326 ret = ENOMEM;
327 goto fail;
328 }
329
330 for (i = 0; i < incred->addresses.len; i++) {
331 cc_data *addr;
332 addr = malloc(sizeof(*addr));
333 if (addr == NULL) {
334 ret = ENOMEM;
335 goto fail;
336 }
337 addr->type = incred->addresses.val[i].addr_type;
338 addr->length = incred->addresses.val[i].address.length;
339 addr->data = malloc(addr->length);
340 if (addr->data == NULL) {
341 ret = ENOMEM;
342 goto fail;
343 }
344 memcpy(addr->data, incred->addresses.val[i].address.data,
345 addr->length);
346 cred->addresses[i] = addr;
347 }
348 cred->addresses[i] = NULL;
349
350 cred->ticket_flags = 0;
351 if (incred->flags.b.forwardable)
352 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
353 if (incred->flags.b.forwarded)
354 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
355 if (incred->flags.b.proxiable)
356 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
357 if (incred->flags.b.proxy)
358 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
359 if (incred->flags.b.may_postdate)
360 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
361 if (incred->flags.b.postdated)
362 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
363 if (incred->flags.b.invalid)
364 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
365 if (incred->flags.b.renewable)
366 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
367 if (incred->flags.b.initial)
368 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
369 if (incred->flags.b.pre_authent)
370 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
371 if (incred->flags.b.hw_authent)
372 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
373 if (incred->flags.b.transited_policy_checked)
374 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
375 if (incred->flags.b.ok_as_delegate)
376 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
377 if (incred->flags.b.anonymous)
378 cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
379
380 return 0;
381
382 fail:
383 free_ccred(cred);
384
385 krb5_clear_error_string(context);
386 return ret;
387 }
388
389 static cc_int32
390 get_cc_name(krb5_acc *a)
391 {
392 cc_string_t name;
393 cc_int32 error;
394
395 error = (*a->ccache->func->get_name)(a->ccache, &name);
396 if (error)
397 return error;
398
399 a->cache_name = strdup(name->data);
400 (*name->func->release)(name);
401 if (a->cache_name == NULL)
402 return ccErrNoMem;
403 return ccNoError;
404 }
405
406
407 static const char*
408 acc_get_name(krb5_context context,
409 krb5_ccache id)
410 {
411 krb5_acc *a = ACACHE(id);
412 int32_t error;
413
414 if (a->cache_name == NULL) {
415 krb5_error_code ret;
416 krb5_principal principal;
417 char *name;
418
419 ret = _krb5_get_default_principal_local(context, &principal);
420 if (ret)
421 return NULL;
422
423 ret = krb5_unparse_name(context, principal, &name);
424 krb5_free_principal(context, principal);
425 if (ret)
426 return NULL;
427
428 error = (*a->context->func->create_new_ccache)(a->context,
429 cc_credentials_v5,
430 name,
431 &a->ccache);
432 krb5_xfree(name);
433 if (error)
434 return NULL;
435
436 error = get_cc_name(a);
437 if (error)
438 return NULL;
439 }
440
441 return a->cache_name;
442 }
443
444 static krb5_error_code
445 acc_alloc(krb5_context context, krb5_ccache *id)
446 {
447 krb5_error_code ret;
448 cc_int32 error;
449 krb5_acc *a;
450
451 ret = init_ccapi(context);
452 if (ret)
453 return ret;
454
455 ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
456 if (ret) {
457 krb5_clear_error_string(context);
458 return ret;
459 }
460
461 a = ACACHE(*id);
462
463 error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
464 if (error) {
465 krb5_data_free(&(*id)->data);
466 return translate_cc_error(context, error);
467 }
468
469 a->cache_name = NULL;
470
471 return 0;
472 }
473
474 static krb5_error_code
475 acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
476 {
477 krb5_error_code ret;
478 cc_int32 error;
479 krb5_acc *a;
480
481 ret = acc_alloc(context, id);
482 if (ret)
483 return ret;
484
485 a = ACACHE(*id);
486
487 error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
488 if (error == ccNoError) {
489 error = get_cc_name(a);
490 if (error != ccNoError) {
491 acc_close(context, *id);
492 *id = NULL;
493 return translate_cc_error(context, error);
494 }
495 } else if (error == ccErrCCacheNotFound) {
496 a->ccache = NULL;
497 a->cache_name = NULL;
498 error = 0;
499 } else {
500 *id = NULL;
501 return translate_cc_error(context, error);
502 }
503
504 return 0;
505 }
506
507 static krb5_error_code
508 acc_gen_new(krb5_context context, krb5_ccache *id)
509 {
510 krb5_error_code ret;
511 krb5_acc *a;
512
513 ret = acc_alloc(context, id);
514 if (ret)
515 return ret;
516
517 a = ACACHE(*id);
518
519 a->ccache = NULL;
520 a->cache_name = NULL;
521
522 return 0;
523 }
524
525 static krb5_error_code
526 acc_initialize(krb5_context context,
527 krb5_ccache id,
528 krb5_principal primary_principal)
529 {
530 krb5_acc *a = ACACHE(id);
531 krb5_error_code ret;
532 int32_t error;
533 char *name;
534
535 ret = krb5_unparse_name(context, primary_principal, &name);
536 if (ret)
537 return ret;
538
539 if (a->cache_name == NULL) {
540 error = (*a->context->func->create_new_ccache)(a->context,
541 cc_credentials_v5,
542 name,
543 &a->ccache);
544 free(name);
545 if (error == ccNoError)
546 error = get_cc_name(a);
547 } else {
548 cc_credentials_iterator_t iter;
549 cc_credentials_t ccred;
550
551 error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
552 if (error) {
553 free(name);
554 return translate_cc_error(context, error);
555 }
556
557 while (1) {
558 error = (*iter->func->next)(iter, &ccred);
559 if (error)
560 break;
561 (*a->ccache->func->remove_credentials)(a->ccache, ccred);
562 (*ccred->func->release)(ccred);
563 }
564 (*iter->func->release)(iter);
565
566 error = (*a->ccache->func->set_principal)(a->ccache,
567 cc_credentials_v5,
568 name);
569 }
570
571 return translate_cc_error(context, error);
572 }
573
574 static krb5_error_code
575 acc_close(krb5_context context,
576 krb5_ccache id)
577 {
578 krb5_acc *a = ACACHE(id);
579
580 if (a->ccache) {
581 (*a->ccache->func->release)(a->ccache);
582 a->ccache = NULL;
583 }
584 if (a->cache_name) {
585 free(a->cache_name);
586 a->cache_name = NULL;
587 }
588 if (a->context) {
589 (*a->context->func->release)(a->context);
590 a->context = NULL;
591 }
592 krb5_data_free(&id->data);
593 return 0;
594 }
595
596 static krb5_error_code
597 acc_destroy(krb5_context context,
598 krb5_ccache id)
599 {
600 krb5_acc *a = ACACHE(id);
601 cc_int32 error = 0;
602
603 if (a->ccache) {
604 error = (*a->ccache->func->destroy)(a->ccache);
605 a->ccache = NULL;
606 }
607 if (a->context) {
608 error = (a->context->func->release)(a->context);
609 a->context = NULL;
610 }
611 return translate_cc_error(context, error);
612 }
613
614 static krb5_error_code
615 acc_store_cred(krb5_context context,
616 krb5_ccache id,
617 krb5_creds *creds)
618 {
619 krb5_acc *a = ACACHE(id);
620 cc_credentials_union cred;
621 cc_credentials_v5_t v5cred;
622 krb5_error_code ret;
623 cc_int32 error;
624
625 if (a->ccache == NULL) {
626 krb5_set_error_string(context, "No API credential found");
627 return KRB5_CC_NOTFOUND;
628 }
629
630 cred.version = cc_credentials_v5;
631 cred.credentials.credentials_v5 = &v5cred;
632
633 ret = make_ccred_from_cred(context,
634 creds,
635 &v5cred);
636 if (ret)
637 return ret;
638
639 error = (*a->ccache->func->store_credentials)(a->ccache, &cred);
640 if (error)
641 ret = translate_cc_error(context, error);
642
643 free_ccred(&v5cred);
644
645 return ret;
646 }
647
648 static krb5_error_code
649 acc_get_principal(krb5_context context,
650 krb5_ccache id,
651 krb5_principal *principal)
652 {
653 krb5_acc *a = ACACHE(id);
654 krb5_error_code ret;
655 int32_t error;
656 cc_string_t name;
657
658 if (a->ccache == NULL) {
659 krb5_set_error_string(context, "No API credential found");
660 return KRB5_CC_NOTFOUND;
661 }
662
663 error = (*a->ccache->func->get_principal)(a->ccache,
664 cc_credentials_v5,
665 &name);
666 if (error)
667 return translate_cc_error(context, error);
668
669 ret = krb5_parse_name(context, name->data, principal);
670
671 (*name->func->release)(name);
672 return ret;
673 }
674
675 static krb5_error_code
676 acc_get_first (krb5_context context,
677 krb5_ccache id,
678 krb5_cc_cursor *cursor)
679 {
680 cc_credentials_iterator_t iter;
681 krb5_acc *a = ACACHE(id);
682 int32_t error;
683
684 if (a->ccache == NULL) {
685 krb5_set_error_string(context, "No API credential found");
686 return KRB5_CC_NOTFOUND;
687 }
688
689 error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
690 if (error) {
691 krb5_clear_error_string(context);
692 return ENOENT;
693 }
694 *cursor = iter;
695 return 0;
696 }
697
698
699 static krb5_error_code
700 acc_get_next (krb5_context context,
701 krb5_ccache id,
702 krb5_cc_cursor *cursor,
703 krb5_creds *creds)
704 {
705 cc_credentials_iterator_t iter = *cursor;
706 cc_credentials_t cred;
707 krb5_error_code ret;
708 int32_t error;
709
710 while (1) {
711 error = (*iter->func->next)(iter, &cred);
712 if (error)
713 return translate_cc_error(context, error);
714 if (cred->data->version == cc_credentials_v5)
715 break;
716 (*cred->func->release)(cred);
717 }
718
719 ret = make_cred_from_ccred(context,
720 cred->data->credentials.credentials_v5,
721 creds);
722 (*cred->func->release)(cred);
723 return ret;
724 }
725
726 static krb5_error_code
727 acc_end_get (krb5_context context,
728 krb5_ccache id,
729 krb5_cc_cursor *cursor)
730 {
731 cc_credentials_iterator_t iter = *cursor;
732 (*iter->func->release)(iter);
733 return 0;
734 }
735
736 static krb5_error_code
737 acc_remove_cred(krb5_context context,
738 krb5_ccache id,
739 krb5_flags which,
740 krb5_creds *cred)
741 {
742 cc_credentials_iterator_t iter;
743 krb5_acc *a = ACACHE(id);
744 cc_credentials_t ccred;
745 krb5_error_code ret;
746 cc_int32 error;
747 char *client, *server;
748
749 if (a->ccache == NULL) {
750 krb5_set_error_string(context, "No API credential found");
751 return KRB5_CC_NOTFOUND;
752 }
753
754 if (cred->client) {
755 ret = krb5_unparse_name(context, cred->client, &client);
756 if (ret)
757 return ret;
758 } else
759 client = NULL;
760
761 ret = krb5_unparse_name(context, cred->server, &server);
762 if (ret) {
763 free(client);
764 return ret;
765 }
766
767 error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
768 if (error) {
769 free(server);
770 free(client);
771 return translate_cc_error(context, error);
772 }
773
774 ret = KRB5_CC_NOTFOUND;
775 while (1) {
776 cc_credentials_v5_t *v5cred;
777
778 error = (*iter->func->next)(iter, &ccred);
779 if (error)
780 break;
781
782 if (ccred->data->version != cc_credentials_v5)
783 goto next;
784
785 v5cred = ccred->data->credentials.credentials_v5;
786
787 if (client && strcmp(v5cred->client, client) != 0)
788 goto next;
789
790 if (strcmp(v5cred->server, server) != 0)
791 goto next;
792
793 (*a->ccache->func->remove_credentials)(a->ccache, ccred);
794 ret = 0;
795 next:
796 (*ccred->func->release)(ccred);
797 }
798
799 (*iter->func->release)(iter);
800
801 if (ret)
802 krb5_set_error_string(context, "Can't find credential %s in cache",
803 server);
804 free(server);
805 free(client);
806
807 return ret;
808 }
809
810 static krb5_error_code
811 acc_set_flags(krb5_context context,
812 krb5_ccache id,
813 krb5_flags flags)
814 {
815 return 0;
816 }
817
818 static int
819 acc_get_version(krb5_context context,
820 krb5_ccache id)
821 {
822 return 0;
823 }
824
825 struct cache_iter {
826 cc_context_t context;
827 cc_ccache_iterator_t iter;
828 };
829
830 static krb5_error_code
831 acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
832 {
833 struct cache_iter *iter;
834 krb5_error_code ret;
835 cc_int32 error;
836
837 ret = init_ccapi(context);
838 if (ret)
839 return ret;
840
841 iter = calloc(1, sizeof(*iter));
842 if (iter == NULL) {
843 krb5_set_error_string(context, "malloc - out of memory");
844 return ENOMEM;
845 }
846
847 error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL);
848 if (error) {
849 free(iter);
850 return translate_cc_error(context, error);
851 }
852
853 error = (*iter->context->func->new_ccache_iterator)(iter->context,
854 &iter->iter);
855 if (error) {
856 free(iter);
857 krb5_clear_error_string(context);
858 return ENOENT;
859 }
860 *cursor = iter;
861 return 0;
862 }
863
864 static krb5_error_code
865 acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
866 {
867 struct cache_iter *iter = cursor;
868 cc_ccache_t cache;
869 krb5_acc *a;
870 krb5_error_code ret;
871 int32_t error;
872
873 error = (*iter->iter->func->next)(iter->iter, &cache);
874 if (error)
875 return translate_cc_error(context, error);
876
877 ret = _krb5_cc_allocate(context, &krb5_acc_ops, id);
878 if (ret) {
879 (*cache->func->release)(cache);
880 return ret;
881 }
882
883 ret = acc_alloc(context, id);
884 if (ret) {
885 (*cache->func->release)(cache);
886 free(*id);
887 return ret;
888 }
889
890 a = ACACHE(*id);
891 a->ccache = cache;
892
893 error = get_cc_name(a);
894 if (error) {
895 acc_close(context, *id);
896 *id = NULL;
897 return translate_cc_error(context, error);
898 }
899 return 0;
900 }
901
902 static krb5_error_code
903 acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
904 {
905 struct cache_iter *iter = cursor;
906
907 (*iter->iter->func->release)(iter->iter);
908 iter->iter = NULL;
909 (*iter->context->func->release)(iter->context);
910 iter->context = NULL;
911 free(iter);
912 return 0;
913 }
914
915 static krb5_error_code
916 acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
917 {
918 krb5_acc *afrom = ACACHE(from);
919 krb5_acc *ato = ACACHE(to);
920 int32_t error;
921
922 if (ato->ccache == NULL) {
923 cc_string_t name;
924
925 error = (*afrom->ccache->func->get_principal)(afrom->ccache,
926 cc_credentials_v5,
927 &name);
928 if (error)
929 return translate_cc_error(context, error);
930
931 error = (*ato->context->func->create_new_ccache)(ato->context,
932 cc_credentials_v5,
933 name->data,
934 &ato->ccache);
935 (*name->func->release)(name);
936 if (error)
937 return translate_cc_error(context, error);
938 }
939
940
941 error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
942 return translate_cc_error(context, error);
943 }
944
945 static krb5_error_code
946 acc_get_default_name(krb5_context context, char **str)
947 {
948 krb5_error_code ret;
949 cc_context_t cc;
950 cc_string_t name;
951 int32_t error;
952
953 ret = init_ccapi(context);
954 if (ret)
955 return ret;
956
957 error = (*init_func)(&cc, ccapi_version_3, NULL, NULL);
958 if (error)
959 return translate_cc_error(context, error);
960
961 error = (*cc->func->get_default_ccache_name)(cc, &name);
962 if (error) {
963 (*cc->func->release)(cc);
964 return translate_cc_error(context, error);
965 }
966
967 asprintf(str, "API:%s", name->data);
968 (*name->func->release)(name);
969 (*cc->func->release)(cc);
970
971 if (*str == NULL) {
972 krb5_set_error_string(context, "out of memory");
973 return ENOMEM;
974 }
975 return 0;
976 }
977
978 static krb5_error_code
979 acc_set_default(krb5_context context, krb5_ccache id)
980 {
981 krb5_acc *a = ACACHE(id);
982 cc_int32 error;
983
984 if (a->ccache == NULL) {
985 krb5_set_error_string(context, "No API credential found");
986 return KRB5_CC_NOTFOUND;
987 }
988
989 error = (*a->ccache->func->set_default)(a->ccache);
990 if (error)
991 return translate_cc_error(context, error);
992
993 return 0;
994 }
995
996 /**
997 * Variable containing the API based credential cache implemention.
998 *
999 * @ingroup krb5_ccache
1000 */
1001
1002 KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
1003 KRB5_CC_OPS_VERSION,
1004 "API",
1005 acc_get_name,
1006 acc_resolve,
1007 acc_gen_new,
1008 acc_initialize,
1009 acc_destroy,
1010 acc_close,
1011 acc_store_cred,
1012 NULL, /* acc_retrieve */
1013 acc_get_principal,
1014 acc_get_first,
1015 acc_get_next,
1016 acc_end_get,
1017 acc_remove_cred,
1018 acc_set_flags,
1019 acc_get_version,
1020 acc_get_cache_first,
1021 acc_get_cache_next,
1022 acc_end_cache_get,
1023 acc_move,
1024 acc_get_default_name,
1025 acc_set_default
1026 };
Heimdal