2
* Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3
* (Royal Institute of Technology, Stockholm, Sweden).
6
* Redistribution and use in source and binary forms, with or without
7
* modification, are permitted provided that the following conditions
10
* 1. Redistributions of source code must retain the above copyright
11
* notice, this list of conditions and the following disclaimer.
13
* 2. Redistributions in binary form must reproduce the above copyright
14
* notice, this list of conditions and the following disclaimer in the
15
* documentation and/or other materials provided with the distribution.
17
* 3. Neither the name of the Institute nor the names of its contributors
18
* may be used to endorse or promote products derived from this software
19
* without specific prior written permission.
21
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34
#include "krb5_locl.h"
35
#include <krb5_ccapi.h>
42
/* XXX should we fetch these for each open ? */
43
static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
44
static cc_initialize_func init_func;
47
static void *cc_handle;
50
typedef struct krb5_acc {
56
static krb5_error_code acc_close(krb5_context, krb5_ccache);
58
#define ACACHE(X) ((krb5_acc *)(X)->data.data)
64
{ ccErrBadName, KRB5_CC_BADNAME },
65
{ ccErrCredentialsNotFound, KRB5_CC_NOTFOUND },
66
{ ccErrCCacheNotFound, KRB5_FCC_NOFILE },
67
{ ccErrContextNotFound, KRB5_CC_NOTFOUND },
68
{ ccIteratorEnd, KRB5_CC_END },
69
{ ccErrNoMem, KRB5_CC_NOMEM },
70
{ ccErrServerUnavailable, KRB5_CC_NOSUPP },
71
{ ccErrInvalidCCache, KRB5_CC_BADNAME },
75
static krb5_error_code
76
translate_cc_error(krb5_context context, cc_int32 error)
79
krb5_clear_error_message(context);
80
for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
81
if (cc_errors[i].error == error)
82
return cc_errors[i].ret;
83
return KRB5_FCC_INTERNAL;
86
static krb5_error_code
87
init_ccapi(krb5_context context)
91
HEIMDAL_MUTEX_lock(&acc_mutex);
93
HEIMDAL_MUTEX_unlock(&acc_mutex);
94
krb5_clear_error_message(context);
98
lib = krb5_config_get_string(context, NULL,
99
"libdefaults", "ccapi_library",
103
lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
105
lib = "/usr/lib/libkrb5_cc.so";
115
cc_handle = dlopen(lib, RTLD_LAZY);
116
if (cc_handle == NULL) {
117
HEIMDAL_MUTEX_unlock(&acc_mutex);
118
krb5_set_error_message(context, KRB5_CC_NOSUPP,
119
N_("Failed to load API cache module %s", "file"),
121
return KRB5_CC_NOSUPP;
124
init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
125
HEIMDAL_MUTEX_unlock(&acc_mutex);
126
if (init_func == NULL) {
127
krb5_set_error_message(context, KRB5_CC_NOSUPP,
128
N_("Failed to find cc_initialize"
129
"in %s: %s", "file, error"), lib, dlerror());
131
return KRB5_CC_NOSUPP;
136
HEIMDAL_MUTEX_unlock(&acc_mutex);
137
krb5_set_error_message(context, KRB5_CC_NOSUPP,
138
N_("no support for shared object", "file, error"));
139
return KRB5_CC_NOSUPP;
143
static krb5_error_code
144
make_cred_from_ccred(krb5_context context,
145
const cc_credentials_v5_t *incred,
151
memset(cred, 0, sizeof(*cred));
153
ret = krb5_parse_name(context, incred->client, &cred->client);
157
ret = krb5_parse_name(context, incred->server, &cred->server);
161
cred->session.keytype = incred->keyblock.type;
162
cred->session.keyvalue.length = incred->keyblock.length;
163
cred->session.keyvalue.data = malloc(incred->keyblock.length);
164
if (cred->session.keyvalue.data == NULL)
166
memcpy(cred->session.keyvalue.data, incred->keyblock.data,
167
incred->keyblock.length);
169
cred->times.authtime = incred->authtime;
170
cred->times.starttime = incred->starttime;
171
cred->times.endtime = incred->endtime;
172
cred->times.renew_till = incred->renew_till;
174
ret = krb5_data_copy(&cred->ticket,
176
incred->ticket.length);
180
ret = krb5_data_copy(&cred->second_ticket,
181
incred->second_ticket.data,
182
incred->second_ticket.length);
186
cred->authdata.val = NULL;
187
cred->authdata.len = 0;
189
cred->addresses.val = NULL;
190
cred->addresses.len = 0;
192
for (i = 0; incred->authdata && incred->authdata[i]; i++)
196
cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
197
if (cred->authdata.val == NULL)
199
cred->authdata.len = i;
200
for (i = 0; i < cred->authdata.len; i++) {
201
cred->authdata.val[i].ad_type = incred->authdata[i]->type;
202
ret = krb5_data_copy(&cred->authdata.val[i].ad_data,
203
incred->authdata[i]->data,
204
incred->authdata[i]->length);
210
for (i = 0; incred->addresses && incred->addresses[i]; i++)
214
cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
215
if (cred->addresses.val == NULL)
217
cred->addresses.len = i;
219
for (i = 0; i < cred->addresses.len; i++) {
220
cred->addresses.val[i].addr_type = incred->addresses[i]->type;
221
ret = krb5_data_copy(&cred->addresses.val[i].address,
222
incred->addresses[i]->data,
223
incred->addresses[i]->length);
230
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
231
cred->flags.b.forwardable = 1;
232
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
233
cred->flags.b.forwarded = 1;
234
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
235
cred->flags.b.proxiable = 1;
236
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
237
cred->flags.b.proxy = 1;
238
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
239
cred->flags.b.may_postdate = 1;
240
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
241
cred->flags.b.postdated = 1;
242
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
243
cred->flags.b.invalid = 1;
244
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
245
cred->flags.b.renewable = 1;
246
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
247
cred->flags.b.initial = 1;
248
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
249
cred->flags.b.pre_authent = 1;
250
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
251
cred->flags.b.hw_authent = 1;
252
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
253
cred->flags.b.transited_policy_checked = 1;
254
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
255
cred->flags.b.ok_as_delegate = 1;
256
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
257
cred->flags.b.anonymous = 1;
263
krb5_set_error_message(context, ret, N_("malloc: out of memory", "malloc"));
266
krb5_free_cred_contents(context, cred);
271
free_ccred(cc_credentials_v5_t *cred)
275
if (cred->addresses) {
276
for (i = 0; cred->addresses[i] != 0; i++) {
277
if (cred->addresses[i]->data)
278
free(cred->addresses[i]->data);
279
free(cred->addresses[i]);
281
free(cred->addresses);
287
memset(cred, 0, sizeof(*cred));
290
static krb5_error_code
291
make_ccred_from_cred(krb5_context context,
292
const krb5_creds *incred,
293
cc_credentials_v5_t *cred)
298
memset(cred, 0, sizeof(*cred));
300
ret = krb5_unparse_name(context, incred->client, &cred->client);
304
ret = krb5_unparse_name(context, incred->server, &cred->server);
308
cred->keyblock.type = incred->session.keytype;
309
cred->keyblock.length = incred->session.keyvalue.length;
310
cred->keyblock.data = incred->session.keyvalue.data;
312
cred->authtime = incred->times.authtime;
313
cred->starttime = incred->times.starttime;
314
cred->endtime = incred->times.endtime;
315
cred->renew_till = incred->times.renew_till;
317
cred->ticket.length = incred->ticket.length;
318
cred->ticket.data = incred->ticket.data;
320
cred->second_ticket.length = incred->second_ticket.length;
321
cred->second_ticket.data = incred->second_ticket.data;
323
/* XXX this one should also be filled in */
324
cred->authdata = NULL;
326
cred->addresses = calloc(incred->addresses.len + 1,
327
sizeof(cred->addresses[0]));
328
if (cred->addresses == NULL) {
334
for (i = 0; i < incred->addresses.len; i++) {
336
addr = malloc(sizeof(*addr));
341
addr->type = incred->addresses.val[i].addr_type;
342
addr->length = incred->addresses.val[i].address.length;
343
addr->data = malloc(addr->length);
344
if (addr->data == NULL) {
348
memcpy(addr->data, incred->addresses.val[i].address.data,
350
cred->addresses[i] = addr;
352
cred->addresses[i] = NULL;
354
cred->ticket_flags = 0;
355
if (incred->flags.b.forwardable)
356
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
357
if (incred->flags.b.forwarded)
358
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
359
if (incred->flags.b.proxiable)
360
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
361
if (incred->flags.b.proxy)
362
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
363
if (incred->flags.b.may_postdate)
364
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
365
if (incred->flags.b.postdated)
366
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
367
if (incred->flags.b.invalid)
368
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
369
if (incred->flags.b.renewable)
370
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
371
if (incred->flags.b.initial)
372
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
373
if (incred->flags.b.pre_authent)
374
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
375
if (incred->flags.b.hw_authent)
376
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
377
if (incred->flags.b.transited_policy_checked)
378
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
379
if (incred->flags.b.ok_as_delegate)
380
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
381
if (incred->flags.b.anonymous)
382
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
389
krb5_clear_error_message(context);
394
get_cc_name(krb5_acc *a)
399
error = (*a->ccache->func->get_name)(a->ccache, &name);
403
a->cache_name = strdup(name->data);
404
(*name->func->release)(name);
405
if (a->cache_name == NULL)
412
acc_get_name(krb5_context context,
415
krb5_acc *a = ACACHE(id);
418
if (a->cache_name == NULL) {
420
krb5_principal principal;
423
ret = _krb5_get_default_principal_local(context, &principal);
427
ret = krb5_unparse_name(context, principal, &name);
428
krb5_free_principal(context, principal);
432
error = (*a->context->func->create_new_ccache)(a->context,
440
error = get_cc_name(a);
445
return a->cache_name;
448
static krb5_error_code
449
acc_alloc(krb5_context context, krb5_ccache *id)
455
ret = init_ccapi(context);
459
ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
461
krb5_clear_error_message(context);
467
error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
469
krb5_data_free(&(*id)->data);
470
return translate_cc_error(context, error);
473
a->cache_name = NULL;
478
static krb5_error_code
479
acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
485
ret = acc_alloc(context, id);
491
error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
492
if (error == ccNoError) {
493
error = get_cc_name(a);
494
if (error != ccNoError) {
495
acc_close(context, *id);
497
return translate_cc_error(context, error);
499
} else if (error == ccErrCCacheNotFound) {
501
a->cache_name = NULL;
505
return translate_cc_error(context, error);
511
static krb5_error_code
512
acc_gen_new(krb5_context context, krb5_ccache *id)
517
ret = acc_alloc(context, id);
524
a->cache_name = NULL;
529
static krb5_error_code
530
acc_initialize(krb5_context context,
532
krb5_principal primary_principal)
534
krb5_acc *a = ACACHE(id);
539
ret = krb5_unparse_name(context, primary_principal, &name);
543
if (a->cache_name == NULL) {
544
error = (*a->context->func->create_new_ccache)(a->context,
549
if (error == ccNoError)
550
error = get_cc_name(a);
552
cc_credentials_iterator_t iter;
553
cc_credentials_t ccred;
555
error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
558
return translate_cc_error(context, error);
562
error = (*iter->func->next)(iter, &ccred);
565
(*a->ccache->func->remove_credentials)(a->ccache, ccred);
566
(*ccred->func->release)(ccred);
568
(*iter->func->release)(iter);
570
error = (*a->ccache->func->set_principal)(a->ccache,
575
return translate_cc_error(context, error);
578
static krb5_error_code
579
acc_close(krb5_context context,
582
krb5_acc *a = ACACHE(id);
585
(*a->ccache->func->release)(a->ccache);
590
a->cache_name = NULL;
593
(*a->context->func->release)(a->context);
596
krb5_data_free(&id->data);
600
static krb5_error_code
601
acc_destroy(krb5_context context,
604
krb5_acc *a = ACACHE(id);
608
error = (*a->ccache->func->destroy)(a->ccache);
612
error = (a->context->func->release)(a->context);
615
return translate_cc_error(context, error);
618
static krb5_error_code
619
acc_store_cred(krb5_context context,
623
krb5_acc *a = ACACHE(id);
624
cc_credentials_union cred;
625
cc_credentials_v5_t v5cred;
629
if (a->ccache == NULL) {
630
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
631
N_("No API credential found", ""));
632
return KRB5_CC_NOTFOUND;
635
cred.version = cc_credentials_v5;
636
cred.credentials.credentials_v5 = &v5cred;
638
ret = make_ccred_from_cred(context,
644
error = (*a->ccache->func->store_credentials)(a->ccache, &cred);
646
ret = translate_cc_error(context, error);
653
static krb5_error_code
654
acc_get_principal(krb5_context context,
656
krb5_principal *principal)
658
krb5_acc *a = ACACHE(id);
663
if (a->ccache == NULL) {
664
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
665
N_("No API credential found", ""));
666
return KRB5_CC_NOTFOUND;
669
error = (*a->ccache->func->get_principal)(a->ccache,
673
return translate_cc_error(context, error);
675
ret = krb5_parse_name(context, name->data, principal);
677
(*name->func->release)(name);
681
static krb5_error_code
682
acc_get_first (krb5_context context,
684
krb5_cc_cursor *cursor)
686
cc_credentials_iterator_t iter;
687
krb5_acc *a = ACACHE(id);
690
if (a->ccache == NULL) {
691
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
692
N_("No API credential found", ""));
693
return KRB5_CC_NOTFOUND;
696
error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
698
krb5_clear_error_message(context);
706
static krb5_error_code
707
acc_get_next (krb5_context context,
709
krb5_cc_cursor *cursor,
712
cc_credentials_iterator_t iter = *cursor;
713
cc_credentials_t cred;
718
error = (*iter->func->next)(iter, &cred);
720
return translate_cc_error(context, error);
721
if (cred->data->version == cc_credentials_v5)
723
(*cred->func->release)(cred);
726
ret = make_cred_from_ccred(context,
727
cred->data->credentials.credentials_v5,
729
(*cred->func->release)(cred);
733
static krb5_error_code
734
acc_end_get (krb5_context context,
736
krb5_cc_cursor *cursor)
738
cc_credentials_iterator_t iter = *cursor;
739
(*iter->func->release)(iter);
743
static krb5_error_code
744
acc_remove_cred(krb5_context context,
749
cc_credentials_iterator_t iter;
750
krb5_acc *a = ACACHE(id);
751
cc_credentials_t ccred;
754
char *client, *server;
756
if (a->ccache == NULL) {
757
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
758
N_("No API credential found", ""));
759
return KRB5_CC_NOTFOUND;
763
ret = krb5_unparse_name(context, cred->client, &client);
769
ret = krb5_unparse_name(context, cred->server, &server);
775
error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
779
return translate_cc_error(context, error);
782
ret = KRB5_CC_NOTFOUND;
784
cc_credentials_v5_t *v5cred;
786
error = (*iter->func->next)(iter, &ccred);
790
if (ccred->data->version != cc_credentials_v5)
793
v5cred = ccred->data->credentials.credentials_v5;
795
if (client && strcmp(v5cred->client, client) != 0)
798
if (strcmp(v5cred->server, server) != 0)
801
(*a->ccache->func->remove_credentials)(a->ccache, ccred);
804
(*ccred->func->release)(ccred);
807
(*iter->func->release)(iter);
810
krb5_set_error_message(context, ret,
811
N_("Can't find credential %s in cache",
812
"principal"), server);
819
static krb5_error_code
820
acc_set_flags(krb5_context context,
828
acc_get_version(krb5_context context,
835
cc_context_t context;
836
cc_ccache_iterator_t iter;
839
static krb5_error_code
840
acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
842
struct cache_iter *iter;
846
ret = init_ccapi(context);
850
iter = calloc(1, sizeof(*iter));
852
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
856
error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL);
859
return translate_cc_error(context, error);
862
error = (*iter->context->func->new_ccache_iterator)(iter->context,
866
krb5_clear_error_message(context);
873
static krb5_error_code
874
acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
876
struct cache_iter *iter = cursor;
882
error = (*iter->iter->func->next)(iter->iter, &cache);
884
return translate_cc_error(context, error);
886
ret = _krb5_cc_allocate(context, &krb5_acc_ops, id);
888
(*cache->func->release)(cache);
892
ret = acc_alloc(context, id);
894
(*cache->func->release)(cache);
902
error = get_cc_name(a);
904
acc_close(context, *id);
906
return translate_cc_error(context, error);
911
static krb5_error_code
912
acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
914
struct cache_iter *iter = cursor;
916
(*iter->iter->func->release)(iter->iter);
918
(*iter->context->func->release)(iter->context);
919
iter->context = NULL;
924
static krb5_error_code
925
acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
927
krb5_acc *afrom = ACACHE(from);
928
krb5_acc *ato = ACACHE(to);
931
if (ato->ccache == NULL) {
934
error = (*afrom->ccache->func->get_principal)(afrom->ccache,
938
return translate_cc_error(context, error);
940
error = (*ato->context->func->create_new_ccache)(ato->context,
944
(*name->func->release)(name);
946
return translate_cc_error(context, error);
950
error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
951
return translate_cc_error(context, error);
954
static krb5_error_code
955
acc_get_default_name(krb5_context context, char **str)
962
ret = init_ccapi(context);
966
error = (*init_func)(&cc, ccapi_version_3, NULL, NULL);
968
return translate_cc_error(context, error);
970
error = (*cc->func->get_default_ccache_name)(cc, &name);
972
(*cc->func->release)(cc);
973
return translate_cc_error(context, error);
976
asprintf(str, "API:%s", name->data);
977
(*name->func->release)(name);
978
(*cc->func->release)(cc);
981
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
987
static krb5_error_code
988
acc_set_default(krb5_context context, krb5_ccache id)
990
krb5_acc *a = ACACHE(id);
993
if (a->ccache == NULL) {
994
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
995
N_("No API credential found", ""));
996
return KRB5_CC_NOTFOUND;
999
error = (*a->ccache->func->set_default)(a->ccache);
1001
return translate_cc_error(context, error);
1006
static krb5_error_code
1007
acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
1009
krb5_acc *a = ACACHE(id);
1013
if (a->ccache == NULL) {
1014
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1015
N_("No API credential found", ""));
1016
return KRB5_CC_NOTFOUND;
1019
error = (*a->ccache->func->get_change_time)(a->ccache, &t);
1021
return translate_cc_error(context, error);
1029
* Variable containing the API based credential cache implemention.
1031
* @ingroup krb5_ccache
1034
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
1035
KRB5_CC_OPS_VERSION,
1044
NULL, /* acc_retrieve */
1052
acc_get_cache_first,
1056
acc_get_default_name,