xref: /freebsd/crypto/heimdal/lib/krb5/acache.c (revision 2da066ef6d85d3f7cd8aaec14369d66254836536)
1 /*
2  * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 #include <krb5_ccapi.h>
38 #ifdef HAVE_DLFCN_H
39 #include <dlfcn.h>
40 #endif
41 
42 #ifndef KCM_IS_API_CACHE
43 
44 static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
45 static cc_initialize_func init_func;
46 static void (KRB5_CALLCONV *set_target_uid)(uid_t);
47 static void (KRB5_CALLCONV *clear_target)(void);
48 
49 #ifdef HAVE_DLOPEN
50 static void *cc_handle;
51 #endif
52 
53 typedef struct krb5_acc {
54     char *cache_name;
55     cc_context_t context;
56     cc_ccache_t ccache;
57 } krb5_acc;
58 
59 static krb5_error_code KRB5_CALLCONV acc_close(krb5_context, krb5_ccache);
60 
61 #define ACACHE(X) ((krb5_acc *)(X)->data.data)
62 
63 static const struct {
64     cc_int32 error;
65     krb5_error_code ret;
66 } cc_errors[] = {
67     { ccErrBadName,		KRB5_CC_BADNAME },
68     { ccErrCredentialsNotFound,	KRB5_CC_NOTFOUND },
69     { ccErrCCacheNotFound,	KRB5_FCC_NOFILE },
70     { ccErrContextNotFound,	KRB5_CC_NOTFOUND },
71     { ccIteratorEnd,		KRB5_CC_END },
72     { ccErrNoMem,		KRB5_CC_NOMEM },
73     { ccErrServerUnavailable,	KRB5_CC_NOSUPP },
74     { ccErrInvalidCCache,	KRB5_CC_BADNAME },
75     { ccNoError,		0 }
76 };
77 
78 static krb5_error_code
79 translate_cc_error(krb5_context context, cc_int32 error)
80 {
81     size_t i;
82     krb5_clear_error_message(context);
83     for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
84 	if (cc_errors[i].error == error)
85 	    return cc_errors[i].ret;
86     return KRB5_FCC_INTERNAL;
87 }
88 
89 static krb5_error_code
90 init_ccapi(krb5_context context)
91 {
92     const char *lib = NULL;
93 
94     HEIMDAL_MUTEX_lock(&acc_mutex);
95     if (init_func) {
96 	HEIMDAL_MUTEX_unlock(&acc_mutex);
97 	if (context)
98 	    krb5_clear_error_message(context);
99 	return 0;
100     }
101 
102     if (context)
103 	lib = krb5_config_get_string(context, NULL,
104 				     "libdefaults", "ccapi_library",
105 				     NULL);
106     if (lib == NULL) {
107 #ifdef __APPLE__
108 	lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
109 #elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
110 	lib = "%{LIBDIR}/libkrb5_cc.dll";
111 #else
112 	lib = "/usr/lib/libkrb5_cc.so";
113 #endif
114     }
115 
116 #ifdef HAVE_DLOPEN
117 
118 #ifndef RTLD_LAZY
119 #define RTLD_LAZY 0
120 #endif
121 #ifndef RTLD_LOCAL
122 #define RTLD_LOCAL 0
123 #endif
124 
125 #ifdef KRB5_USE_PATH_TOKENS
126     {
127       char * explib = NULL;
128       if (_krb5_expand_path_tokens(context, lib, &explib) == 0) {
129 	cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
130 	free(explib);
131       }
132     }
133 #else
134     cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
135 #endif
136 
137     if (cc_handle == NULL) {
138 	HEIMDAL_MUTEX_unlock(&acc_mutex);
139 	if (context)
140 	    krb5_set_error_message(context, KRB5_CC_NOSUPP,
141 				   N_("Failed to load API cache module %s", "file"),
142 				   lib);
143 	return KRB5_CC_NOSUPP;
144     }
145 
146     init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
147     set_target_uid = (void (KRB5_CALLCONV *)(uid_t))
148 	dlsym(cc_handle, "krb5_ipc_client_set_target_uid");
149     clear_target = (void (KRB5_CALLCONV *)(void))
150 	dlsym(cc_handle, "krb5_ipc_client_clear_target");
151     HEIMDAL_MUTEX_unlock(&acc_mutex);
152     if (init_func == NULL) {
153 	if (context)
154 	    krb5_set_error_message(context, KRB5_CC_NOSUPP,
155 				   N_("Failed to find cc_initialize"
156 				      "in %s: %s", "file, error"), lib, dlerror());
157 	dlclose(cc_handle);
158 	return KRB5_CC_NOSUPP;
159     }
160 
161     return 0;
162 #else
163     HEIMDAL_MUTEX_unlock(&acc_mutex);
164     if (context)
165 	krb5_set_error_message(context, KRB5_CC_NOSUPP,
166 			       N_("no support for shared object", ""));
167     return KRB5_CC_NOSUPP;
168 #endif
169 }
170 
171 void
172 _heim_krb5_ipc_client_set_target_uid(uid_t uid)
173 {
174     init_ccapi(NULL);
175     if (set_target_uid != NULL)
176         (*set_target_uid)(uid);
177 }
178 
179 void
180 _heim_krb5_ipc_client_clear_target(void)
181 {
182     init_ccapi(NULL);
183     if (clear_target != NULL)
184         (*clear_target)();
185 }
186 
187 static krb5_error_code
188 make_cred_from_ccred(krb5_context context,
189 		     const cc_credentials_v5_t *incred,
190 		     krb5_creds *cred)
191 {
192     krb5_error_code ret;
193     unsigned int i;
194 
195     memset(cred, 0, sizeof(*cred));
196 
197     ret = krb5_parse_name(context, incred->client, &cred->client);
198     if (ret)
199 	goto fail;
200 
201     ret = krb5_parse_name(context, incred->server, &cred->server);
202     if (ret)
203 	goto fail;
204 
205     cred->session.keytype = incred->keyblock.type;
206     cred->session.keyvalue.length = incred->keyblock.length;
207     cred->session.keyvalue.data = malloc(incred->keyblock.length);
208     if (cred->session.keyvalue.data == NULL)
209 	goto nomem;
210     memcpy(cred->session.keyvalue.data, incred->keyblock.data,
211 	   incred->keyblock.length);
212 
213     cred->times.authtime = incred->authtime;
214     cred->times.starttime = incred->starttime;
215     cred->times.endtime = incred->endtime;
216     cred->times.renew_till = incred->renew_till;
217 
218     ret = krb5_data_copy(&cred->ticket,
219 			 incred->ticket.data,
220 			 incred->ticket.length);
221     if (ret)
222 	goto nomem;
223 
224     ret = krb5_data_copy(&cred->second_ticket,
225 			 incred->second_ticket.data,
226 			 incred->second_ticket.length);
227     if (ret)
228 	goto nomem;
229 
230     cred->authdata.val = NULL;
231     cred->authdata.len = 0;
232 
233     cred->addresses.val = NULL;
234     cred->addresses.len = 0;
235 
236     for (i = 0; incred->authdata && incred->authdata[i]; i++)
237 	;
238 
239     if (i) {
240 	cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
241 	if (cred->authdata.val == NULL)
242 	    goto nomem;
243 	cred->authdata.len = i;
244 	for (i = 0; i < cred->authdata.len; i++) {
245 	    cred->authdata.val[i].ad_type = incred->authdata[i]->type;
246 	    ret = krb5_data_copy(&cred->authdata.val[i].ad_data,
247 				 incred->authdata[i]->data,
248 				 incred->authdata[i]->length);
249 	    if (ret)
250 		goto nomem;
251 	}
252     }
253 
254     for (i = 0; incred->addresses && incred->addresses[i]; i++)
255 	;
256 
257     if (i) {
258 	cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
259 	if (cred->addresses.val == NULL)
260 	    goto nomem;
261 	cred->addresses.len = i;
262 
263 	for (i = 0; i < cred->addresses.len; i++) {
264 	    cred->addresses.val[i].addr_type = incred->addresses[i]->type;
265 	    ret = krb5_data_copy(&cred->addresses.val[i].address,
266 				 incred->addresses[i]->data,
267 				 incred->addresses[i]->length);
268 	    if (ret)
269 		goto nomem;
270 	}
271     }
272 
273     cred->flags.i = 0;
274     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
275 	cred->flags.b.forwardable = 1;
276     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
277 	cred->flags.b.forwarded = 1;
278     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
279 	cred->flags.b.proxiable = 1;
280     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
281 	cred->flags.b.proxy = 1;
282     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
283 	cred->flags.b.may_postdate = 1;
284     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
285 	cred->flags.b.postdated = 1;
286     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
287 	cred->flags.b.invalid = 1;
288     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
289 	cred->flags.b.renewable = 1;
290     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
291 	cred->flags.b.initial = 1;
292     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
293 	cred->flags.b.pre_authent = 1;
294     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
295 	cred->flags.b.hw_authent = 1;
296     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
297 	cred->flags.b.transited_policy_checked = 1;
298     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
299 	cred->flags.b.ok_as_delegate = 1;
300     if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
301 	cred->flags.b.anonymous = 1;
302 
303     return 0;
304 
305 nomem:
306     ret = ENOMEM;
307     krb5_set_error_message(context, ret, N_("malloc: out of memory", "malloc"));
308 
309 fail:
310     krb5_free_cred_contents(context, cred);
311     return ret;
312 }
313 
314 static void
315 free_ccred(cc_credentials_v5_t *cred)
316 {
317     int i;
318 
319     if (cred->addresses) {
320 	for (i = 0; cred->addresses[i] != 0; i++) {
321 	    if (cred->addresses[i]->data)
322 		free(cred->addresses[i]->data);
323 	    free(cred->addresses[i]);
324 	}
325 	free(cred->addresses);
326     }
327     if (cred->server)
328 	free(cred->server);
329     if (cred->client)
330 	free(cred->client);
331     memset(cred, 0, sizeof(*cred));
332 }
333 
334 static krb5_error_code
335 make_ccred_from_cred(krb5_context context,
336 		     const krb5_creds *incred,
337 		     cc_credentials_v5_t *cred)
338 {
339     krb5_error_code ret;
340     size_t i;
341 
342     memset(cred, 0, sizeof(*cred));
343 
344     ret = krb5_unparse_name(context, incred->client, &cred->client);
345     if (ret)
346 	goto fail;
347 
348     ret = krb5_unparse_name(context, incred->server, &cred->server);
349     if (ret)
350 	goto fail;
351 
352     cred->keyblock.type = incred->session.keytype;
353     cred->keyblock.length = incred->session.keyvalue.length;
354     cred->keyblock.data = incred->session.keyvalue.data;
355 
356     cred->authtime = incred->times.authtime;
357     cred->starttime = incred->times.starttime;
358     cred->endtime = incred->times.endtime;
359     cred->renew_till = incred->times.renew_till;
360 
361     cred->ticket.length = incred->ticket.length;
362     cred->ticket.data = incred->ticket.data;
363 
364     cred->second_ticket.length = incred->second_ticket.length;
365     cred->second_ticket.data = incred->second_ticket.data;
366 
367     /* XXX this one should also be filled in */
368     cred->authdata = NULL;
369 
370     cred->addresses = calloc(incred->addresses.len + 1,
371 			     sizeof(cred->addresses[0]));
372     if (cred->addresses == NULL) {
373 
374 	ret = ENOMEM;
375 	goto fail;
376     }
377 
378     for (i = 0; i < incred->addresses.len; i++) {
379 	cc_data *addr;
380 	addr = malloc(sizeof(*addr));
381 	if (addr == NULL) {
382 	    ret = ENOMEM;
383 	    goto fail;
384 	}
385 	addr->type = incred->addresses.val[i].addr_type;
386 	addr->length = incred->addresses.val[i].address.length;
387 	addr->data = malloc(addr->length);
388 	if (addr->data == NULL) {
389 	    free(addr);
390 	    ret = ENOMEM;
391 	    goto fail;
392 	}
393 	memcpy(addr->data, incred->addresses.val[i].address.data,
394 	       addr->length);
395 	cred->addresses[i] = addr;
396     }
397     cred->addresses[i] = NULL;
398 
399     cred->ticket_flags = 0;
400     if (incred->flags.b.forwardable)
401 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
402     if (incred->flags.b.forwarded)
403 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
404     if (incred->flags.b.proxiable)
405 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
406     if (incred->flags.b.proxy)
407 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
408     if (incred->flags.b.may_postdate)
409 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
410     if (incred->flags.b.postdated)
411 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
412     if (incred->flags.b.invalid)
413 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
414     if (incred->flags.b.renewable)
415 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
416     if (incred->flags.b.initial)
417 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
418     if (incred->flags.b.pre_authent)
419 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
420     if (incred->flags.b.hw_authent)
421 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
422     if (incred->flags.b.transited_policy_checked)
423 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
424     if (incred->flags.b.ok_as_delegate)
425 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
426     if (incred->flags.b.anonymous)
427 	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
428 
429     return 0;
430 
431 fail:
432     free_ccred(cred);
433 
434     krb5_clear_error_message(context);
435     return ret;
436 }
437 
438 static cc_int32
439 get_cc_name(krb5_acc *a)
440 {
441     cc_string_t name;
442     cc_int32 error;
443 
444     error = (*a->ccache->func->get_name)(a->ccache, &name);
445     if (error)
446 	return error;
447 
448     a->cache_name = strdup(name->data);
449     (*name->func->release)(name);
450     if (a->cache_name == NULL)
451 	return ccErrNoMem;
452     return ccNoError;
453 }
454 
455 
456 static const char* KRB5_CALLCONV
457 acc_get_name(krb5_context context,
458 	     krb5_ccache id)
459 {
460     krb5_acc *a = ACACHE(id);
461     int32_t error;
462 
463     if (a->cache_name == NULL) {
464 	krb5_error_code ret;
465 	krb5_principal principal;
466 	char *name;
467 
468 	ret = _krb5_get_default_principal_local(context, &principal);
469 	if (ret)
470 	    return NULL;
471 
472 	ret = krb5_unparse_name(context, principal, &name);
473 	krb5_free_principal(context, principal);
474 	if (ret)
475 	    return NULL;
476 
477 	error = (*a->context->func->create_new_ccache)(a->context,
478 						       cc_credentials_v5,
479 						       name,
480 						       &a->ccache);
481 	krb5_xfree(name);
482 	if (error)
483 	    return NULL;
484 
485 	error = get_cc_name(a);
486 	if (error)
487 	    return NULL;
488     }
489 
490     return a->cache_name;
491 }
492 
493 static krb5_error_code KRB5_CALLCONV
494 acc_alloc(krb5_context context, krb5_ccache *id)
495 {
496     krb5_error_code ret;
497     cc_int32 error;
498     krb5_acc *a;
499 
500     ret = init_ccapi(context);
501     if (ret)
502 	return ret;
503 
504     ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
505     if (ret) {
506 	krb5_clear_error_message(context);
507 	return ret;
508     }
509 
510     a = ACACHE(*id);
511 
512     error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
513     if (error) {
514 	krb5_data_free(&(*id)->data);
515 	return translate_cc_error(context, error);
516     }
517 
518     a->cache_name = NULL;
519 
520     return 0;
521 }
522 
523 static krb5_error_code KRB5_CALLCONV
524 acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
525 {
526     krb5_error_code ret;
527     cc_int32 error;
528     krb5_acc *a;
529 
530     ret = acc_alloc(context, id);
531     if (ret)
532 	return ret;
533 
534     a = ACACHE(*id);
535 
536     error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
537     if (error == ccNoError) {
538 	cc_time_t offset;
539 	error = get_cc_name(a);
540 	if (error != ccNoError) {
541 	    acc_close(context, *id);
542 	    *id = NULL;
543 	    return translate_cc_error(context, error);
544 	}
545 
546 	error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
547 							cc_credentials_v5,
548 							&offset);
549 	if (error == 0)
550 	    context->kdc_sec_offset = offset;
551 
552     } else if (error == ccErrCCacheNotFound) {
553 	a->ccache = NULL;
554 	a->cache_name = NULL;
555     } else {
556 	*id = NULL;
557 	return translate_cc_error(context, error);
558     }
559 
560     return 0;
561 }
562 
563 static krb5_error_code KRB5_CALLCONV
564 acc_gen_new(krb5_context context, krb5_ccache *id)
565 {
566     krb5_error_code ret;
567     krb5_acc *a;
568 
569     ret = acc_alloc(context, id);
570     if (ret)
571 	return ret;
572 
573     a = ACACHE(*id);
574 
575     a->ccache = NULL;
576     a->cache_name = NULL;
577 
578     return 0;
579 }
580 
581 static krb5_error_code KRB5_CALLCONV
582 acc_initialize(krb5_context context,
583 	       krb5_ccache id,
584 	       krb5_principal primary_principal)
585 {
586     krb5_acc *a = ACACHE(id);
587     krb5_error_code ret;
588     int32_t error;
589     char *name;
590 
591     ret = krb5_unparse_name(context, primary_principal, &name);
592     if (ret)
593 	return ret;
594 
595     if (a->cache_name == NULL) {
596 	error = (*a->context->func->create_new_ccache)(a->context,
597 						       cc_credentials_v5,
598 						       name,
599 						       &a->ccache);
600 	free(name);
601 	if (error == ccNoError)
602 	    error = get_cc_name(a);
603     } else {
604 	cc_credentials_iterator_t iter;
605 	cc_credentials_t ccred;
606 
607 	error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
608 	if (error) {
609 	    free(name);
610 	    return translate_cc_error(context, error);
611 	}
612 
613 	while (1) {
614 	    error = (*iter->func->next)(iter, &ccred);
615 	    if (error)
616 		break;
617 	    (*a->ccache->func->remove_credentials)(a->ccache, ccred);
618 	    (*ccred->func->release)(ccred);
619 	}
620 	(*iter->func->release)(iter);
621 
622 	error = (*a->ccache->func->set_principal)(a->ccache,
623 						  cc_credentials_v5,
624 						  name);
625     }
626 
627     if (error == 0 && context->kdc_sec_offset)
628 	error = (*a->ccache->func->set_kdc_time_offset)(a->ccache,
629 							cc_credentials_v5,
630 							context->kdc_sec_offset);
631 
632     return translate_cc_error(context, error);
633 }
634 
635 static krb5_error_code KRB5_CALLCONV
636 acc_close(krb5_context context,
637 	  krb5_ccache id)
638 {
639     krb5_acc *a = ACACHE(id);
640 
641     if (a->ccache) {
642 	(*a->ccache->func->release)(a->ccache);
643 	a->ccache = NULL;
644     }
645     if (a->cache_name) {
646 	free(a->cache_name);
647 	a->cache_name = NULL;
648     }
649     if (a->context) {
650 	(*a->context->func->release)(a->context);
651 	a->context = NULL;
652     }
653     krb5_data_free(&id->data);
654     return 0;
655 }
656 
657 static krb5_error_code KRB5_CALLCONV
658 acc_destroy(krb5_context context,
659 	    krb5_ccache id)
660 {
661     krb5_acc *a = ACACHE(id);
662     cc_int32 error = 0;
663 
664     if (a->ccache) {
665 	error = (*a->ccache->func->destroy)(a->ccache);
666 	a->ccache = NULL;
667     }
668     if (a->context) {
669 	error = (a->context->func->release)(a->context);
670 	a->context = NULL;
671     }
672     return translate_cc_error(context, error);
673 }
674 
675 static krb5_error_code KRB5_CALLCONV
676 acc_store_cred(krb5_context context,
677 	       krb5_ccache id,
678 	       krb5_creds *creds)
679 {
680     krb5_acc *a = ACACHE(id);
681     cc_credentials_union cred;
682     cc_credentials_v5_t v5cred;
683     krb5_error_code ret;
684     cc_int32 error;
685 
686     if (a->ccache == NULL) {
687 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
688 			       N_("No API credential found", ""));
689 	return KRB5_CC_NOTFOUND;
690     }
691 
692     cred.version = cc_credentials_v5;
693     cred.credentials.credentials_v5 = &v5cred;
694 
695     ret = make_ccred_from_cred(context,
696 			       creds,
697 			       &v5cred);
698     if (ret)
699 	return ret;
700 
701     error = (*a->ccache->func->store_credentials)(a->ccache, &cred);
702     if (error)
703 	ret = translate_cc_error(context, error);
704 
705     free_ccred(&v5cred);
706 
707     return ret;
708 }
709 
710 static krb5_error_code KRB5_CALLCONV
711 acc_get_principal(krb5_context context,
712 		  krb5_ccache id,
713 		  krb5_principal *principal)
714 {
715     krb5_acc *a = ACACHE(id);
716     krb5_error_code ret;
717     int32_t error;
718     cc_string_t name;
719 
720     if (a->ccache == NULL) {
721 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
722 			       N_("No API credential found", ""));
723 	return KRB5_CC_NOTFOUND;
724     }
725 
726     error = (*a->ccache->func->get_principal)(a->ccache,
727 					      cc_credentials_v5,
728 					      &name);
729     if (error)
730 	return translate_cc_error(context, error);
731 
732     ret = krb5_parse_name(context, name->data, principal);
733 
734     (*name->func->release)(name);
735     return ret;
736 }
737 
738 static krb5_error_code KRB5_CALLCONV
739 acc_get_first (krb5_context context,
740 	       krb5_ccache id,
741 	       krb5_cc_cursor *cursor)
742 {
743     cc_credentials_iterator_t iter;
744     krb5_acc *a = ACACHE(id);
745     int32_t error;
746 
747     if (a->ccache == NULL) {
748 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
749 			       N_("No API credential found", ""));
750 	return KRB5_CC_NOTFOUND;
751     }
752 
753     error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
754     if (error) {
755 	krb5_clear_error_message(context);
756 	return ENOENT;
757     }
758     *cursor = iter;
759     return 0;
760 }
761 
762 
763 static krb5_error_code KRB5_CALLCONV
764 acc_get_next (krb5_context context,
765 	      krb5_ccache id,
766 	      krb5_cc_cursor *cursor,
767 	      krb5_creds *creds)
768 {
769     cc_credentials_iterator_t iter = *cursor;
770     cc_credentials_t cred;
771     krb5_error_code ret;
772     int32_t error;
773 
774     while (1) {
775 	error = (*iter->func->next)(iter, &cred);
776 	if (error)
777 	    return translate_cc_error(context, error);
778 	if (cred->data->version == cc_credentials_v5)
779 	    break;
780 	(*cred->func->release)(cred);
781     }
782 
783     ret = make_cred_from_ccred(context,
784 			       cred->data->credentials.credentials_v5,
785 			       creds);
786     (*cred->func->release)(cred);
787     return ret;
788 }
789 
790 static krb5_error_code KRB5_CALLCONV
791 acc_end_get (krb5_context context,
792 	     krb5_ccache id,
793 	     krb5_cc_cursor *cursor)
794 {
795     cc_credentials_iterator_t iter = *cursor;
796     (*iter->func->release)(iter);
797     return 0;
798 }
799 
800 static krb5_error_code KRB5_CALLCONV
801 acc_remove_cred(krb5_context context,
802 		krb5_ccache id,
803 		krb5_flags which,
804 		krb5_creds *cred)
805 {
806     cc_credentials_iterator_t iter;
807     krb5_acc *a = ACACHE(id);
808     cc_credentials_t ccred;
809     krb5_error_code ret;
810     cc_int32 error;
811     char *client, *server;
812 
813     if (a->ccache == NULL) {
814 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
815 			       N_("No API credential found", ""));
816 	return KRB5_CC_NOTFOUND;
817     }
818 
819     if (cred->client) {
820 	ret = krb5_unparse_name(context, cred->client, &client);
821 	if (ret)
822 	    return ret;
823     } else
824 	client = NULL;
825 
826     ret = krb5_unparse_name(context, cred->server, &server);
827     if (ret) {
828 	free(client);
829 	return ret;
830     }
831 
832     error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
833     if (error) {
834 	free(server);
835 	free(client);
836 	return translate_cc_error(context, error);
837     }
838 
839     ret = KRB5_CC_NOTFOUND;
840     while (1) {
841 	cc_credentials_v5_t *v5cred;
842 
843 	error = (*iter->func->next)(iter, &ccred);
844 	if (error)
845 	    break;
846 
847 	if (ccred->data->version != cc_credentials_v5)
848 	    goto next;
849 
850 	v5cred = ccred->data->credentials.credentials_v5;
851 
852 	if (client && strcmp(v5cred->client, client) != 0)
853 	    goto next;
854 
855 	if (strcmp(v5cred->server, server) != 0)
856 	    goto next;
857 
858 	(*a->ccache->func->remove_credentials)(a->ccache, ccred);
859 	ret = 0;
860     next:
861 	(*ccred->func->release)(ccred);
862     }
863 
864     (*iter->func->release)(iter);
865 
866     if (ret)
867 	krb5_set_error_message(context, ret,
868 			       N_("Can't find credential %s in cache",
869 				 "principal"), server);
870     free(server);
871     free(client);
872 
873     return ret;
874 }
875 
876 static krb5_error_code KRB5_CALLCONV
877 acc_set_flags(krb5_context context,
878 	      krb5_ccache id,
879 	      krb5_flags flags)
880 {
881     return 0;
882 }
883 
884 static int KRB5_CALLCONV
885 acc_get_version(krb5_context context,
886 		krb5_ccache id)
887 {
888     return 0;
889 }
890 
891 struct cache_iter {
892     cc_context_t context;
893     cc_ccache_iterator_t iter;
894 };
895 
896 static krb5_error_code KRB5_CALLCONV
897 acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
898 {
899     struct cache_iter *iter;
900     krb5_error_code ret;
901     cc_int32 error;
902 
903     ret = init_ccapi(context);
904     if (ret)
905 	return ret;
906 
907     iter = calloc(1, sizeof(*iter));
908     if (iter == NULL) {
909 	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
910 	return ENOMEM;
911     }
912 
913     error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL);
914     if (error) {
915 	free(iter);
916 	return translate_cc_error(context, error);
917     }
918 
919     error = (*iter->context->func->new_ccache_iterator)(iter->context,
920 							&iter->iter);
921     if (error) {
922 	free(iter);
923 	krb5_clear_error_message(context);
924 	return ENOENT;
925     }
926     *cursor = iter;
927     return 0;
928 }
929 
930 static krb5_error_code KRB5_CALLCONV
931 acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
932 {
933     struct cache_iter *iter = cursor;
934     cc_ccache_t cache;
935     krb5_acc *a;
936     krb5_error_code ret;
937     int32_t error;
938 
939     error = (*iter->iter->func->next)(iter->iter, &cache);
940     if (error)
941 	return translate_cc_error(context, error);
942 
943     ret = _krb5_cc_allocate(context, &krb5_acc_ops, id);
944     if (ret) {
945 	(*cache->func->release)(cache);
946 	return ret;
947     }
948 
949     ret = acc_alloc(context, id);
950     if (ret) {
951 	(*cache->func->release)(cache);
952 	free(*id);
953 	return ret;
954     }
955 
956     a = ACACHE(*id);
957     a->ccache = cache;
958 
959     error = get_cc_name(a);
960     if (error) {
961 	acc_close(context, *id);
962 	*id = NULL;
963 	return translate_cc_error(context, error);
964     }
965     return 0;
966 }
967 
968 static krb5_error_code KRB5_CALLCONV
969 acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
970 {
971     struct cache_iter *iter = cursor;
972 
973     (*iter->iter->func->release)(iter->iter);
974     iter->iter = NULL;
975     (*iter->context->func->release)(iter->context);
976     iter->context = NULL;
977     free(iter);
978     return 0;
979 }
980 
981 static krb5_error_code KRB5_CALLCONV
982 acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
983 {
984     krb5_acc *afrom = ACACHE(from);
985     krb5_acc *ato = ACACHE(to);
986     int32_t error;
987 
988     if (ato->ccache == NULL) {
989 	cc_string_t name;
990 
991 	error = (*afrom->ccache->func->get_principal)(afrom->ccache,
992 						      cc_credentials_v5,
993 						      &name);
994 	if (error)
995 	    return translate_cc_error(context, error);
996 
997 	error = (*ato->context->func->create_new_ccache)(ato->context,
998 							 cc_credentials_v5,
999 							 name->data,
1000 							 &ato->ccache);
1001 	(*name->func->release)(name);
1002 	if (error)
1003 	    return translate_cc_error(context, error);
1004     }
1005 
1006     error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
1007 
1008     acc_destroy(context, from);
1009 
1010     return translate_cc_error(context, error);
1011 }
1012 
1013 static krb5_error_code KRB5_CALLCONV
1014 acc_get_default_name(krb5_context context, char **str)
1015 {
1016     krb5_error_code ret;
1017     cc_context_t cc;
1018     cc_string_t name;
1019     int32_t error;
1020 
1021     ret = init_ccapi(context);
1022     if (ret)
1023 	return ret;
1024 
1025     error = (*init_func)(&cc, ccapi_version_3, NULL, NULL);
1026     if (error)
1027 	return translate_cc_error(context, error);
1028 
1029     error = (*cc->func->get_default_ccache_name)(cc, &name);
1030     if (error) {
1031 	(*cc->func->release)(cc);
1032 	return translate_cc_error(context, error);
1033     }
1034 
1035     error = asprintf(str, "API:%s", name->data);
1036     (*name->func->release)(name);
1037     (*cc->func->release)(cc);
1038 
1039     if (error < 0 || *str == NULL) {
1040 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1041 	return ENOMEM;
1042     }
1043     return 0;
1044 }
1045 
1046 static krb5_error_code KRB5_CALLCONV
1047 acc_set_default(krb5_context context, krb5_ccache id)
1048 {
1049     krb5_acc *a = ACACHE(id);
1050     cc_int32 error;
1051 
1052     if (a->ccache == NULL) {
1053 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1054 			       N_("No API credential found", ""));
1055 	return KRB5_CC_NOTFOUND;
1056     }
1057 
1058     error = (*a->ccache->func->set_default)(a->ccache);
1059     if (error)
1060 	return translate_cc_error(context, error);
1061 
1062     return 0;
1063 }
1064 
1065 static krb5_error_code KRB5_CALLCONV
1066 acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
1067 {
1068     krb5_acc *a = ACACHE(id);
1069     cc_int32 error;
1070     cc_time_t t;
1071 
1072     if (a->ccache == NULL) {
1073 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1074 			       N_("No API credential found", ""));
1075 	return KRB5_CC_NOTFOUND;
1076     }
1077 
1078     error = (*a->ccache->func->get_change_time)(a->ccache, &t);
1079     if (error)
1080 	return translate_cc_error(context, error);
1081 
1082     *mtime = t;
1083 
1084     return 0;
1085 }
1086 
1087 /**
1088  * Variable containing the API based credential cache implemention.
1089  *
1090  * @ingroup krb5_ccache
1091  */
1092 
1093 KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
1094     KRB5_CC_OPS_VERSION,
1095     "API",
1096     acc_get_name,
1097     acc_resolve,
1098     acc_gen_new,
1099     acc_initialize,
1100     acc_destroy,
1101     acc_close,
1102     acc_store_cred,
1103     NULL, /* acc_retrieve */
1104     acc_get_principal,
1105     acc_get_first,
1106     acc_get_next,
1107     acc_end_get,
1108     acc_remove_cred,
1109     acc_set_flags,
1110     acc_get_version,
1111     acc_get_cache_first,
1112     acc_get_cache_next,
1113     acc_end_cache_get,
1114     acc_move,
1115     acc_get_default_name,
1116     acc_set_default,
1117     acc_lastchange,
1118     NULL,
1119     NULL,
1120 };
1121 
1122 #endif
1123