]> CyberLeo.Net >> Repos - FreeBSD/releng/10.0.git/blob - crypto/heimdal/lib/krb5/acache.c
projects / FreeBSD / releng / 10.0.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- Copy stable/10 (r259064) to releng/10.0 as part of the
[FreeBSD/releng/10.0.git] / crypto / heimdal / lib / krb5 / acache.c
1 /*
2  * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35
36 #include "krb5_locl.h"
37 #include <krb5_ccapi.h>
38 #ifdef HAVE_DLFCN_H
39 #include <dlfcn.h>
40 #endif
41
42 #ifndef KCM_IS_API_CACHE
43
44 static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
45 static cc_initialize_func init_func;
46 static void (KRB5_CALLCONV *set_target_uid)(uid_t);
47 static void (KRB5_CALLCONV *clear_target)(void);
48
49 #ifdef HAVE_DLOPEN
50 static void *cc_handle;
51 #endif
52
53 typedef struct krb5_acc {
54     char *cache_name;
55     cc_context_t context;
56     cc_ccache_t ccache;
57 } krb5_acc;
58
59 static krb5_error_code KRB5_CALLCONV acc_close(krb5_context, krb5_ccache);
60
61 #define ACACHE(X) ((krb5_acc *)(X)->data.data)
62
63 static const struct {
64     cc_int32 error;
65     krb5_error_code ret;
66 } cc_errors[] = {
67     { ccErrBadName,             KRB5_CC_BADNAME },
68     { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND },
69     { ccErrCCacheNotFound,      KRB5_FCC_NOFILE },
70     { ccErrContextNotFound,     KRB5_CC_NOTFOUND },
71     { ccIteratorEnd,            KRB5_CC_END },
72     { ccErrNoMem,               KRB5_CC_NOMEM },
73     { ccErrServerUnavailable,   KRB5_CC_NOSUPP },
74     { ccErrInvalidCCache,       KRB5_CC_BADNAME },
75     { ccNoError,                0 }
76 };
77
78 static krb5_error_code
79 translate_cc_error(krb5_context context, cc_int32 error)
80 {
81     size_t i;
82     krb5_clear_error_message(context);
83     for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
84         if (cc_errors[i].error == error)
85             return cc_errors[i].ret;
86     return KRB5_FCC_INTERNAL;
87 }
88
89 static krb5_error_code
90 init_ccapi(krb5_context context)
91 {
92     const char *lib = NULL;
93
94     HEIMDAL_MUTEX_lock(&acc_mutex);
95     if (init_func) {
96         HEIMDAL_MUTEX_unlock(&acc_mutex);
97         if (context)
98             krb5_clear_error_message(context);
99         return 0;
100     }
101
102     if (context)
103         lib = krb5_config_get_string(context, NULL,
104                                      "libdefaults", "ccapi_library",
105                                      NULL);
106     if (lib == NULL) {
107 #ifdef __APPLE__
108         lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
109 #elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
110         lib = "%{LIBDIR}/libkrb5_cc.dll";
111 #else
112         lib = "/usr/lib/libkrb5_cc.so";
113 #endif
114     }
115
116 #ifdef HAVE_DLOPEN
117
118 #ifndef RTLD_LAZY
119 #define RTLD_LAZY 0
120 #endif
121 #ifndef RTLD_LOCAL
122 #define RTLD_LOCAL 0
123 #endif
124
125 #ifdef KRB5_USE_PATH_TOKENS
126     {
127       char * explib = NULL;
128       if (_krb5_expand_path_tokens(context, lib, &explib) == 0) {
129         cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
130         free(explib);
131       }
132     }
133 #else
134     cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
135 #endif
136
137     if (cc_handle == NULL) {
138         HEIMDAL_MUTEX_unlock(&acc_mutex);
139         if (context)
140             krb5_set_error_message(context, KRB5_CC_NOSUPP,
141                                    N_("Failed to load API cache module %s", "file"),
142                                    lib);
143         return KRB5_CC_NOSUPP;
144     }
145
146     init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
147     set_target_uid = (void (KRB5_CALLCONV *)(uid_t))
148         dlsym(cc_handle, "krb5_ipc_client_set_target_uid");
149     clear_target = (void (KRB5_CALLCONV *)(void))
150         dlsym(cc_handle, "krb5_ipc_client_clear_target");
151     HEIMDAL_MUTEX_unlock(&acc_mutex);
152     if (init_func == NULL) {
153         if (context)
154             krb5_set_error_message(context, KRB5_CC_NOSUPP,
155                                    N_("Failed to find cc_initialize"
156                                       "in %s: %s", "file, error"), lib, dlerror());
157         dlclose(cc_handle);
158         return KRB5_CC_NOSUPP;
159     }
160
161     return 0;
162 #else
163     HEIMDAL_MUTEX_unlock(&acc_mutex);
164     if (context)
165         krb5_set_error_message(context, KRB5_CC_NOSUPP,
166                                N_("no support for shared object", ""));
167     return KRB5_CC_NOSUPP;
168 #endif
169 }
170
171 void
172 _heim_krb5_ipc_client_set_target_uid(uid_t uid)
173 {
174     init_ccapi(NULL);
175     if (set_target_uid != NULL)
176         (*set_target_uid)(uid);
177 }
178
179 void
180 _heim_krb5_ipc_client_clear_target(void)
181 {
182     init_ccapi(NULL);
183     if (clear_target != NULL)
184         (*clear_target)();
185 }
186
187 static krb5_error_code
188 make_cred_from_ccred(krb5_context context,
189                      const cc_credentials_v5_t *incred,
190                      krb5_creds *cred)
191 {
192     krb5_error_code ret;
193     unsigned int i;
194
195     memset(cred, 0, sizeof(*cred));
196
197     ret = krb5_parse_name(context, incred->client, &cred->client);
198     if (ret)
199         goto fail;
200
201     ret = krb5_parse_name(context, incred->server, &cred->server);
202     if (ret)
203         goto fail;
204
205     cred->session.keytype = incred->keyblock.type;
206     cred->session.keyvalue.length = incred->keyblock.length;
207     cred->session.keyvalue.data = malloc(incred->keyblock.length);
208     if (cred->session.keyvalue.data == NULL)
209         goto nomem;
210     memcpy(cred->session.keyvalue.data, incred->keyblock.data,
211            incred->keyblock.length);
212
213     cred->times.authtime = incred->authtime;
214     cred->times.starttime = incred->starttime;
215     cred->times.endtime = incred->endtime;
216     cred->times.renew_till = incred->renew_till;
217
218     ret = krb5_data_copy(&cred->ticket,
219                          incred->ticket.data,
220                          incred->ticket.length);
221     if (ret)
222         goto nomem;
223
224     ret = krb5_data_copy(&cred->second_ticket,
225                          incred->second_ticket.data,
226                          incred->second_ticket.length);
227     if (ret)
228         goto nomem;
229
230     cred->authdata.val = NULL;
231     cred->authdata.len = 0;
232
233     cred->addresses.val = NULL;
234     cred->addresses.len = 0;
235
236     for (i = 0; incred->authdata && incred->authdata[i]; i++)
237         ;
238
239     if (i) {
240         cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
241         if (cred->authdata.val == NULL)
242             goto nomem;
243         cred->authdata.len = i;
244         for (i = 0; i < cred->authdata.len; i++) {
245             cred->authdata.val[i].ad_type = incred->authdata[i]->type;
246             ret = krb5_data_copy(&cred->authdata.val[i].ad_data,
247                                  incred->authdata[i]->data,
248                                  incred->authdata[i]->length);
249             if (ret)
250                 goto nomem;
251         }
252     }
253
254     for (i = 0; incred->addresses && incred->addresses[i]; i++)
255         ;
256
257     if (i) {
258         cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
259         if (cred->addresses.val == NULL)
260             goto nomem;
261         cred->addresses.len = i;
262
263         for (i = 0; i < cred->addresses.len; i++) {
264             cred->addresses.val[i].addr_type = incred->addresses[i]->type;
265             ret = krb5_data_copy(&cred->addresses.val[i].address,
266                                  incred->addresses[i]->data,
267                                  incred->addresses[i]->length);
268             if (ret)
269                 goto nomem;
270         }
271     }
272
273     cred->flags.i = 0;
274     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
275         cred->flags.b.forwardable = 1;
276     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
277         cred->flags.b.forwarded = 1;
278     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
279         cred->flags.b.proxiable = 1;
280     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
281         cred->flags.b.proxy = 1;
282     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
283         cred->flags.b.may_postdate = 1;
284     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
285         cred->flags.b.postdated = 1;
286     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
287         cred->flags.b.invalid = 1;
288     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
289         cred->flags.b.renewable = 1;
290     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
291         cred->flags.b.initial = 1;
292     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
293         cred->flags.b.pre_authent = 1;
294     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
295         cred->flags.b.hw_authent = 1;
296     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
297         cred->flags.b.transited_policy_checked = 1;
298     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
299         cred->flags.b.ok_as_delegate = 1;
300     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
301         cred->flags.b.anonymous = 1;
302
303     return 0;
304
305 nomem:
306     ret = ENOMEM;
307     krb5_set_error_message(context, ret, N_("malloc: out of memory", "malloc"));
308
309 fail:
310     krb5_free_cred_contents(context, cred);
311     return ret;
312 }
313
314 static void
315 free_ccred(cc_credentials_v5_t *cred)
316 {
317     int i;
318
319     if (cred->addresses) {
320         for (i = 0; cred->addresses[i] != 0; i++) {
321             if (cred->addresses[i]->data)
322                 free(cred->addresses[i]->data);
323             free(cred->addresses[i]);
324         }
325         free(cred->addresses);
326     }
327     if (cred->server)
328         free(cred->server);
329     if (cred->client)
330         free(cred->client);
331     memset(cred, 0, sizeof(*cred));
332 }
333
334 static krb5_error_code
335 make_ccred_from_cred(krb5_context context,
336                      const krb5_creds *incred,
337                      cc_credentials_v5_t *cred)
338 {
339     krb5_error_code ret;
340     size_t i;
341
342     memset(cred, 0, sizeof(*cred));
343
344     ret = krb5_unparse_name(context, incred->client, &cred->client);
345     if (ret)
346         goto fail;
347
348     ret = krb5_unparse_name(context, incred->server, &cred->server);
349     if (ret)
350         goto fail;
351
352     cred->keyblock.type = incred->session.keytype;
353     cred->keyblock.length = incred->session.keyvalue.length;
354     cred->keyblock.data = incred->session.keyvalue.data;
355
356     cred->authtime = incred->times.authtime;
357     cred->starttime = incred->times.starttime;
358     cred->endtime = incred->times.endtime;
359     cred->renew_till = incred->times.renew_till;
360
361     cred->ticket.length = incred->ticket.length;
362     cred->ticket.data = incred->ticket.data;
363
364     cred->second_ticket.length = incred->second_ticket.length;
365     cred->second_ticket.data = incred->second_ticket.data;
366
367     /* XXX this one should also be filled in */
368     cred->authdata = NULL;
369
370     cred->addresses = calloc(incred->addresses.len + 1,
371                              sizeof(cred->addresses[0]));
372     if (cred->addresses == NULL) {
373
374         ret = ENOMEM;
375         goto fail;
376     }
377
378     for (i = 0; i < incred->addresses.len; i++) {
379         cc_data *addr;
380         addr = malloc(sizeof(*addr));
381         if (addr == NULL) {
382             ret = ENOMEM;
383             goto fail;
384         }
385         addr->type = incred->addresses.val[i].addr_type;
386         addr->length = incred->addresses.val[i].address.length;
387         addr->data = malloc(addr->length);
388         if (addr->data == NULL) {
389             free(addr);
390             ret = ENOMEM;
391             goto fail;
392         }
393         memcpy(addr->data, incred->addresses.val[i].address.data,
394                addr->length);
395         cred->addresses[i] = addr;
396     }
397     cred->addresses[i] = NULL;
398
399     cred->ticket_flags = 0;
400     if (incred->flags.b.forwardable)
401         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
402     if (incred->flags.b.forwarded)
403         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
404     if (incred->flags.b.proxiable)
405         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
406     if (incred->flags.b.proxy)
407         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
408     if (incred->flags.b.may_postdate)
409         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
410     if (incred->flags.b.postdated)
411         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
412     if (incred->flags.b.invalid)
413         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
414     if (incred->flags.b.renewable)
415         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
416     if (incred->flags.b.initial)
417         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
418     if (incred->flags.b.pre_authent)
419         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
420     if (incred->flags.b.hw_authent)
421         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
422     if (incred->flags.b.transited_policy_checked)
423         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
424     if (incred->flags.b.ok_as_delegate)
425         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
426     if (incred->flags.b.anonymous)
427         cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
428
429     return 0;
430
431 fail:
432     free_ccred(cred);
433
434     krb5_clear_error_message(context);
435     return ret;
436 }
437
438 static cc_int32
439 get_cc_name(krb5_acc *a)
440 {
441     cc_string_t name;
442     cc_int32 error;
443
444     error = (*a->ccache->func->get_name)(a->ccache, &name);
445     if (error)
446         return error;
447
448     a->cache_name = strdup(name->data);
449     (*name->func->release)(name);
450     if (a->cache_name == NULL)
451         return ccErrNoMem;
452     return ccNoError;
453 }
454
455
456 static const char* KRB5_CALLCONV
457 acc_get_name(krb5_context context,
458              krb5_ccache id)
459 {
460     krb5_acc *a = ACACHE(id);
461     int32_t error;
462
463     if (a->cache_name == NULL) {
464         krb5_error_code ret;
465         krb5_principal principal;
466         char *name;
467
468         ret = _krb5_get_default_principal_local(context, &principal);
469         if (ret)
470             return NULL;
471
472         ret = krb5_unparse_name(context, principal, &name);
473         krb5_free_principal(context, principal);
474         if (ret)
475             return NULL;
476
477         error = (*a->context->func->create_new_ccache)(a->context,
478                                                        cc_credentials_v5,
479                                                        name,
480                                                        &a->ccache);
481         krb5_xfree(name);
482         if (error)
483             return NULL;
484
485         error = get_cc_name(a);
486         if (error)
487             return NULL;
488     }
489
490     return a->cache_name;
491 }
492
493 static krb5_error_code KRB5_CALLCONV
494 acc_alloc(krb5_context context, krb5_ccache *id)
495 {
496     krb5_error_code ret;
497     cc_int32 error;
498     krb5_acc *a;
499
500     ret = init_ccapi(context);
501     if (ret)
502         return ret;
503
504     ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
505     if (ret) {
506         krb5_clear_error_message(context);
507         return ret;
508     }
509
510     a = ACACHE(*id);
511
512     error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
513     if (error) {
514         krb5_data_free(&(*id)->data);
515         return translate_cc_error(context, error);
516     }
517
518     a->cache_name = NULL;
519
520     return 0;
521 }
522
523 static krb5_error_code KRB5_CALLCONV
524 acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
525 {
526     krb5_error_code ret;
527     cc_int32 error;
528     krb5_acc *a;
529
530     ret = acc_alloc(context, id);
531     if (ret)
532         return ret;
533
534     a = ACACHE(*id);
535
536     error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
537     if (error == ccNoError) {
538         cc_time_t offset;
539         error = get_cc_name(a);
540         if (error != ccNoError) {
541             acc_close(context, *id);
542             *id = NULL;
543             return translate_cc_error(context, error);
544         }
545
546         error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
547                                                         cc_credentials_v5,
548                                                         &offset);
549         if (error == 0)
550             context->kdc_sec_offset = offset;
551
552     } else if (error == ccErrCCacheNotFound) {
553         a->ccache = NULL;
554         a->cache_name = NULL;
555     } else {
556         *id = NULL;
557         return translate_cc_error(context, error);
558     }
559
560     return 0;
561 }
562
563 static krb5_error_code KRB5_CALLCONV
564 acc_gen_new(krb5_context context, krb5_ccache *id)
565 {
566     krb5_error_code ret;
567     krb5_acc *a;
568
569     ret = acc_alloc(context, id);
570     if (ret)
571         return ret;
572
573     a = ACACHE(*id);
574
575     a->ccache = NULL;
576     a->cache_name = NULL;
577
578     return 0;
579 }
580
581 static krb5_error_code KRB5_CALLCONV
582 acc_initialize(krb5_context context,
583                krb5_ccache id,
584                krb5_principal primary_principal)
585 {
586     krb5_acc *a = ACACHE(id);
587     krb5_error_code ret;
588     int32_t error;
589     char *name;
590
591     ret = krb5_unparse_name(context, primary_principal, &name);
592     if (ret)
593         return ret;
594
595     if (a->cache_name == NULL) {
596         error = (*a->context->func->create_new_ccache)(a->context,
597                                                        cc_credentials_v5,
598                                                        name,
599                                                        &a->ccache);
600         free(name);
601         if (error == ccNoError)
602             error = get_cc_name(a);
603     } else {
604         cc_credentials_iterator_t iter;
605         cc_credentials_t ccred;
606
607         error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
608         if (error) {
609             free(name);
610             return translate_cc_error(context, error);
611         }
612
613         while (1) {
614             error = (*iter->func->next)(iter, &ccred);
615             if (error)
616                 break;
617             (*a->ccache->func->remove_credentials)(a->ccache, ccred);
618             (*ccred->func->release)(ccred);
619         }
620         (*iter->func->release)(iter);
621
622         error = (*a->ccache->func->set_principal)(a->ccache,
623                                                   cc_credentials_v5,
624                                                   name);
625     }
626
627     if (error == 0 && context->kdc_sec_offset)
628         error = (*a->ccache->func->set_kdc_time_offset)(a->ccache,
629                                                         cc_credentials_v5,
630                                                         context->kdc_sec_offset);
631
632     return translate_cc_error(context, error);
633 }
634
635 static krb5_error_code KRB5_CALLCONV
636 acc_close(krb5_context context,
637           krb5_ccache id)
638 {
639     krb5_acc *a = ACACHE(id);
640
641     if (a->ccache) {
642         (*a->ccache->func->release)(a->ccache);
643         a->ccache = NULL;
644     }
645     if (a->cache_name) {
646         free(a->cache_name);
647         a->cache_name = NULL;
648     }
649     if (a->context) {
650         (*a->context->func->release)(a->context);
651         a->context = NULL;
652     }
653     krb5_data_free(&id->data);
654     return 0;
655 }
656
657 static krb5_error_code KRB5_CALLCONV
658 acc_destroy(krb5_context context,
659             krb5_ccache id)
660 {
661     krb5_acc *a = ACACHE(id);
662     cc_int32 error = 0;
663
664     if (a->ccache) {
665         error = (*a->ccache->func->destroy)(a->ccache);
666         a->ccache = NULL;
667     }
668     if (a->context) {
669         error = (a->context->func->release)(a->context);
670         a->context = NULL;
671     }
672     return translate_cc_error(context, error);
673 }
674
675 static krb5_error_code KRB5_CALLCONV
676 acc_store_cred(krb5_context context,
677                krb5_ccache id,
678                krb5_creds *creds)
679 {
680     krb5_acc *a = ACACHE(id);
681     cc_credentials_union cred;
682     cc_credentials_v5_t v5cred;
683     krb5_error_code ret;
684     cc_int32 error;
685
686     if (a->ccache == NULL) {
687         krb5_set_error_message(context, KRB5_CC_NOTFOUND,
688                                N_("No API credential found", ""));
689         return KRB5_CC_NOTFOUND;
690     }
691
692     cred.version = cc_credentials_v5;
693     cred.credentials.credentials_v5 = &v5cred;
694
695     ret = make_ccred_from_cred(context,
696                                creds,
697                                &v5cred);
698     if (ret)
699         return ret;
700
701     error = (*a->ccache->func->store_credentials)(a->ccache, &cred);
702     if (error)
703         ret = translate_cc_error(context, error);
704
705     free_ccred(&v5cred);
706
707     return ret;
708 }
709
710 static krb5_error_code KRB5_CALLCONV
711 acc_get_principal(krb5_context context,
712                   krb5_ccache id,
713                   krb5_principal *principal)
714 {
715     krb5_acc *a = ACACHE(id);
716     krb5_error_code ret;
717     int32_t error;
718     cc_string_t name;
719
720     if (a->ccache == NULL) {
721         krb5_set_error_message(context, KRB5_CC_NOTFOUND,
722                                N_("No API credential found", ""));
723         return KRB5_CC_NOTFOUND;
724     }
725
726     error = (*a->ccache->func->get_principal)(a->ccache,
727                                               cc_credentials_v5,
728                                               &name);
729     if (error)
730         return translate_cc_error(context, error);
731
732     ret = krb5_parse_name(context, name->data, principal);
733
734     (*name->func->release)(name);
735     return ret;
736 }
737
738 static krb5_error_code KRB5_CALLCONV
739 acc_get_first (krb5_context context,
740                krb5_ccache id,
741                krb5_cc_cursor *cursor)
742 {
743     cc_credentials_iterator_t iter;
744     krb5_acc *a = ACACHE(id);
745     int32_t error;
746
747     if (a->ccache == NULL) {
748         krb5_set_error_message(context, KRB5_CC_NOTFOUND,
749                                N_("No API credential found", ""));
750         return KRB5_CC_NOTFOUND;
751     }
752
753     error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
754     if (error) {
755         krb5_clear_error_message(context);
756         return ENOENT;
757     }
758     *cursor = iter;
759     return 0;
760 }
761
762
763 static krb5_error_code KRB5_CALLCONV
764 acc_get_next (krb5_context context,
765               krb5_ccache id,
766               krb5_cc_cursor *cursor,
767               krb5_creds *creds)
768 {
769     cc_credentials_iterator_t iter = *cursor;
770     cc_credentials_t cred;
771     krb5_error_code ret;
772     int32_t error;
773
774     while (1) {
775         error = (*iter->func->next)(iter, &cred);
776         if (error)
777             return translate_cc_error(context, error);
778         if (cred->data->version == cc_credentials_v5)
779             break;
780         (*cred->func->release)(cred);
781     }
782
783     ret = make_cred_from_ccred(context,
784                                cred->data->credentials.credentials_v5,
785                                creds);
786     (*cred->func->release)(cred);
787     return ret;
788 }
789
790 static krb5_error_code KRB5_CALLCONV
791 acc_end_get (krb5_context context,
792              krb5_ccache id,
793              krb5_cc_cursor *cursor)
794 {
795     cc_credentials_iterator_t iter = *cursor;
796     (*iter->func->release)(iter);
797     return 0;
798 }
799
800 static krb5_error_code KRB5_CALLCONV
801 acc_remove_cred(krb5_context context,
802                 krb5_ccache id,
803                 krb5_flags which,
804                 krb5_creds *cred)
805 {
806     cc_credentials_iterator_t iter;
807     krb5_acc *a = ACACHE(id);
808     cc_credentials_t ccred;
809     krb5_error_code ret;
810     cc_int32 error;
811     char *client, *server;
812
813     if (a->ccache == NULL) {
814         krb5_set_error_message(context, KRB5_CC_NOTFOUND,
815                                N_("No API credential found", ""));
816         return KRB5_CC_NOTFOUND;
817     }
818
819     if (cred->client) {
820         ret = krb5_unparse_name(context, cred->client, &client);
821         if (ret)
822             return ret;
823     } else
824         client = NULL;
825
826     ret = krb5_unparse_name(context, cred->server, &server);
827     if (ret) {
828         free(client);
829         return ret;
830     }
831
832     error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
833     if (error) {
834         free(server);
835         free(client);
836         return translate_cc_error(context, error);
837     }
838
839     ret = KRB5_CC_NOTFOUND;
840     while (1) {
841         cc_credentials_v5_t *v5cred;
842
843         error = (*iter->func->next)(iter, &ccred);
844         if (error)
845             break;
846
847         if (ccred->data->version != cc_credentials_v5)
848             goto next;
849
850         v5cred = ccred->data->credentials.credentials_v5;
851
852         if (client && strcmp(v5cred->client, client) != 0)
853             goto next;
854
855         if (strcmp(v5cred->server, server) != 0)
856             goto next;
857
858         (*a->ccache->func->remove_credentials)(a->ccache, ccred);
859         ret = 0;
860     next:
861         (*ccred->func->release)(ccred);
862     }
863
864     (*iter->func->release)(iter);
865
866     if (ret)
867         krb5_set_error_message(context, ret,
868                                N_("Can't find credential %s in cache",
869                                  "principal"), server);
870     free(server);
871     free(client);
872
873     return ret;
874 }
875
876 static krb5_error_code KRB5_CALLCONV
877 acc_set_flags(krb5_context context,
878               krb5_ccache id,
879               krb5_flags flags)
880 {
881     return 0;
882 }
883
884 static int KRB5_CALLCONV
885 acc_get_version(krb5_context context,
886                 krb5_ccache id)
887 {
888     return 0;
889 }
890
891 struct cache_iter {
892     cc_context_t context;
893     cc_ccache_iterator_t iter;
894 };
895
896 static krb5_error_code KRB5_CALLCONV
897 acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
898 {
899     struct cache_iter *iter;
900     krb5_error_code ret;
901     cc_int32 error;
902
903     ret = init_ccapi(context);
904     if (ret)
905         return ret;
906
907     iter = calloc(1, sizeof(*iter));
908     if (iter == NULL) {
909         krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
910         return ENOMEM;
911     }
912
913     error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL);
914     if (error) {
915         free(iter);
916         return translate_cc_error(context, error);
917     }
918
919     error = (*iter->context->func->new_ccache_iterator)(iter->context,
920                                                         &iter->iter);
921     if (error) {
922         free(iter);
923         krb5_clear_error_message(context);
924         return ENOENT;
925     }
926     *cursor = iter;
927     return 0;
928 }
929
930 static krb5_error_code KRB5_CALLCONV
931 acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
932 {
933     struct cache_iter *iter = cursor;
934     cc_ccache_t cache;
935     krb5_acc *a;
936     krb5_error_code ret;
937     int32_t error;
938
939     error = (*iter->iter->func->next)(iter->iter, &cache);
940     if (error)
941         return translate_cc_error(context, error);
942
943     ret = _krb5_cc_allocate(context, &krb5_acc_ops, id);
944     if (ret) {
945         (*cache->func->release)(cache);
946         return ret;
947     }
948
949     ret = acc_alloc(context, id);
950     if (ret) {
951         (*cache->func->release)(cache);
952         free(*id);
953         return ret;
954     }
955
956     a = ACACHE(*id);
957     a->ccache = cache;
958
959     error = get_cc_name(a);
960     if (error) {
961         acc_close(context, *id);
962         *id = NULL;
963         return translate_cc_error(context, error);
964     }
965     return 0;
966 }
967
968 static krb5_error_code KRB5_CALLCONV
969 acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
970 {
971     struct cache_iter *iter = cursor;
972
973     (*iter->iter->func->release)(iter->iter);
974     iter->iter = NULL;
975     (*iter->context->func->release)(iter->context);
976     iter->context = NULL;
977     free(iter);
978     return 0;
979 }
980
981 static krb5_error_code KRB5_CALLCONV
982 acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
983 {
984     krb5_acc *afrom = ACACHE(from);
985     krb5_acc *ato = ACACHE(to);
986     int32_t error;
987
988     if (ato->ccache == NULL) {
989         cc_string_t name;
990
991         error = (*afrom->ccache->func->get_principal)(afrom->ccache,
992                                                       cc_credentials_v5,
993                                                       &name);
994         if (error)
995             return translate_cc_error(context, error);
996
997         error = (*ato->context->func->create_new_ccache)(ato->context,
998                                                          cc_credentials_v5,
999                                                          name->data,
1000                                                          &ato->ccache);
1001         (*name->func->release)(name);
1002         if (error)
1003             return translate_cc_error(context, error);
1004     }
1005
1006     error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
1007
1008     acc_destroy(context, from);
1009
1010     return translate_cc_error(context, error);
1011 }
1012
1013 static krb5_error_code KRB5_CALLCONV
1014 acc_get_default_name(krb5_context context, char **str)
1015 {
1016     krb5_error_code ret;
1017     cc_context_t cc;
1018     cc_string_t name;
1019     int32_t error;
1020
1021     ret = init_ccapi(context);
1022     if (ret)
1023         return ret;
1024
1025     error = (*init_func)(&cc, ccapi_version_3, NULL, NULL);
1026     if (error)
1027         return translate_cc_error(context, error);
1028
1029     error = (*cc->func->get_default_ccache_name)(cc, &name);
1030     if (error) {
1031         (*cc->func->release)(cc);
1032         return translate_cc_error(context, error);
1033     }
1034
1035     error = asprintf(str, "API:%s", name->data);
1036     (*name->func->release)(name);
1037     (*cc->func->release)(cc);
1038
1039     if (error < 0 || *str == NULL) {
1040         krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1041         return ENOMEM;
1042     }
1043     return 0;
1044 }
1045
1046 static krb5_error_code KRB5_CALLCONV
1047 acc_set_default(krb5_context context, krb5_ccache id)
1048 {
1049     krb5_acc *a = ACACHE(id);
1050     cc_int32 error;
1051
1052     if (a->ccache == NULL) {
1053         krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1054                                N_("No API credential found", ""));
1055         return KRB5_CC_NOTFOUND;
1056     }
1057
1058     error = (*a->ccache->func->set_default)(a->ccache);
1059     if (error)
1060         return translate_cc_error(context, error);
1061
1062     return 0;
1063 }
1064
1065 static krb5_error_code KRB5_CALLCONV
1066 acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
1067 {
1068     krb5_acc *a = ACACHE(id);
1069     cc_int32 error;
1070     cc_time_t t;
1071
1072     if (a->ccache == NULL) {
1073         krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1074                                N_("No API credential found", ""));
1075         return KRB5_CC_NOTFOUND;
1076     }
1077
1078     error = (*a->ccache->func->get_change_time)(a->ccache, &t);
1079     if (error)
1080         return translate_cc_error(context, error);
1081
1082     *mtime = t;
1083
1084     return 0;
1085 }
1086
1087 /**
1088  * Variable containing the API based credential cache implemention.
1089  *
1090  * @ingroup krb5_ccache
1091  */
1092
1093 KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
1094     KRB5_CC_OPS_VERSION,
1095     "API",
1096     acc_get_name,
1097     acc_resolve,
1098     acc_gen_new,
1099     acc_initialize,
1100     acc_destroy,
1101     acc_close,
1102     acc_store_cred,
1103     NULL, /* acc_retrieve */
1104     acc_get_principal,
1105     acc_get_first,
1106     acc_get_next,
1107     acc_end_get,
1108     acc_remove_cred,
1109     acc_set_flags,
1110     acc_get_version,
1111     acc_get_cache_first,
1112     acc_get_cache_next,
1113     acc_end_cache_get,
1114     acc_move,
1115     acc_get_default_name,
1116     acc_set_default,
1117     acc_lastchange,
1118     NULL,
1119     NULL,
1120 };
1121
1122 #endif
10.0-RELEASE