search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Windows: Enable weak crypto by default
[heimdal.git] / lib / krb5 / cache.c
blob09fbe1d9640f96cf0c0cb7419088132f8e3046f2
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
41 *
42 * krb5_ccache structure holds a Kerberos credential cache.
43 *
44 * Heimdal support the follow types of credential caches:
45 *
46 * - SCC
47 * Store the credential in a database
48 * - FILE
49 * Store the credential in memory
50 * - MEMORY
51 * Store the credential in memory
52 * - API
53 * A credential cache server based solution for Mac OS X
54 * - KCM
55 * A credential cache server based solution for all platforms
56 *
57 * @subsection Example
58 *
59 * This is a minimalistic version of klist:
60 @code
61 #include <krb5.h>
62
63 int
64 main (int argc, char **argv)
65 {
66 krb5_context context;
67 krb5_cc_cursor cursor;
68 krb5_error_code ret;
69 krb5_ccache id;
70 krb5_creds creds;
71
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
74
75 ret = krb5_cc_default (context, &id);
76 if (ret)
77 krb5_err(context, 1, ret, "krb5_cc_default");
78
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
80 if (ret)
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
82
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
84 char *principal;
85
86 krb5_unparse_name_short(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
88 free(principal);
89 krb5_free_cred_contents (context, &creds);
90 }
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
92 if (ret)
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
94
95 krb5_cc_close(context, id);
96
97 krb5_free_context(context);
98 return 0;
99 }
100 * @endcode
101 */
102
103 /**
104 * Add a new ccache type with operations `ops', overwriting any
105 * existing one if `override'.
106 *
107 * @param context a Keberos context
108 * @param ops type of plugin symbol
109 * @param override flag to select if the registration is to overide
110 * an existing ops with the same name.
111 *
112 * @return Return an error code or 0, see krb5_get_error_message().
113 *
114 * @ingroup krb5_ccache
115 */
116
117 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
118 krb5_cc_register(krb5_context context,
119 const krb5_cc_ops *ops,
120 krb5_boolean override)
121 {
122 int i;
123
124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
126 if(!override) {
127 krb5_set_error_message(context,
128 KRB5_CC_TYPE_EXISTS,
129 N_("cache type %s already exists", "type"),
130 ops->prefix);
131 return KRB5_CC_TYPE_EXISTS;
132 }
133 break;
134 }
135 }
136 if(i == context->num_cc_ops) {
137 const krb5_cc_ops **o = realloc(context->cc_ops,
138 (context->num_cc_ops + 1) *
139 sizeof(context->cc_ops[0]));
140 if(o == NULL) {
141 krb5_set_error_message(context, KRB5_CC_NOMEM,
142 N_("malloc: out of memory", ""));
143 return KRB5_CC_NOMEM;
144 }
145 context->cc_ops = o;
146 context->cc_ops[context->num_cc_ops] = NULL;
147 context->num_cc_ops++;
148 }
149 context->cc_ops[i] = ops;
150 return 0;
151 }
152
153 /*
154 * Allocate the memory for a `id' and the that function table to
155 * `ops'. Returns 0 or and error code.
156 */
157
158 krb5_error_code
159 _krb5_cc_allocate(krb5_context context,
160 const krb5_cc_ops *ops,
161 krb5_ccache *id)
162 {
163 krb5_ccache p;
164
165 p = malloc (sizeof(*p));
166 if(p == NULL) {
167 krb5_set_error_message(context, KRB5_CC_NOMEM,
168 N_("malloc: out of memory", ""));
169 return KRB5_CC_NOMEM;
170 }
171 p->ops = ops;
172 *id = p;
173
174 return 0;
175 }
176
177 /*
178 * Allocate memory for a new ccache in `id' with operations `ops'
179 * and name `residual'. Return 0 or an error code.
180 */
181
182 static krb5_error_code
183 allocate_ccache (krb5_context context,
184 const krb5_cc_ops *ops,
185 const char *residual,
186 krb5_ccache *id)
187 {
188 krb5_error_code ret;
189 #ifdef KRB5_USE_PATH_TOKENS
190 char * exp_residual = NULL;
191
192 ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
193 if (ret)
194 return ret;
195
196 residual = exp_residual;
197 #endif
198
199 ret = _krb5_cc_allocate(context, ops, id);
200 if (ret) {
201 #ifdef KRB5_USE_PATH_TOKENS
202 if (exp_residual)
203 free(exp_residual);
204 #endif
205 return ret;
206 }
207
208 ret = (*id)->ops->resolve(context, id, residual);
209 if(ret)
210 free(*id);
211
212 #ifdef KRB5_USE_PATH_TOKENS
213 if (exp_residual)
214 free(exp_residual);
215 #endif
216
217 return ret;
218 }
219
220 /**
221 * Find and allocate a ccache in `id' from the specification in `residual'.
222 * If the ccache name doesn't contain any colon, interpret it as a file name.
223 *
224 * @param context a Keberos context.
225 * @param name string name of a credential cache.
226 * @param id return pointer to a found credential cache.
227 *
228 * @return Return 0 or an error code. In case of an error, id is set
229 * to NULL, see krb5_get_error_message().
230 *
231 * @ingroup krb5_ccache
232 */
233
234
235 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
236 krb5_cc_resolve(krb5_context context,
237 const char *name,
238 krb5_ccache *id)
239 {
240 int i;
241
242 *id = NULL;
243
244 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
245 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
246
247 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
248 && name[prefix_len] == ':') {
249 return allocate_ccache (context, context->cc_ops[i],
250 name + prefix_len + 1,
251 id);
252 }
253 }
254 if (strchr (name, ':') == NULL)
255 return allocate_ccache (context, &krb5_fcc_ops, name, id);
256 else {
257 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
258 N_("unknown ccache type %s", "name"), name);
259 return KRB5_CC_UNKNOWN_TYPE;
260 }
261 }
262
263 /**
264 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
265 * the library chooses the default credential cache type. The supplied
266 * `hint' (that can be NULL) is a string that the credential cache
267 * type can use to base the name of the credential on, this is to make
268 * it easier for the user to differentiate the credentials.
269 *
270 * @return Return an error code or 0, see krb5_get_error_message().
271 *
272 * @ingroup krb5_ccache
273 */
274
275 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
276 krb5_cc_new_unique(krb5_context context, const char *type,
277 const char *hint, krb5_ccache *id)
278 {
279 const krb5_cc_ops *ops;
280 krb5_error_code ret;
281
282 ops = krb5_cc_get_prefix_ops(context, type);
283 if (ops == NULL) {
284 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
285 "Credential cache type %s is unknown", type);
286 return KRB5_CC_UNKNOWN_TYPE;
287 }
288
289 ret = _krb5_cc_allocate(context, ops, id);
290 if (ret)
291 return ret;
292 ret = (*id)->ops->gen_new(context, id);
293 if (ret) {
294 free(*id);
295 *id = NULL;
296 }
297 return ret;
298 }
299
300 /**
301 * Return the name of the ccache `id'
302 *
303 * @ingroup krb5_ccache
304 */
305
306
307 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
308 krb5_cc_get_name(krb5_context context,
309 krb5_ccache id)
310 {
311 return id->ops->get_name(context, id);
312 }
313
314 /**
315 * Return the type of the ccache `id'.
316 *
317 * @ingroup krb5_ccache
318 */
319
320
321 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
322 krb5_cc_get_type(krb5_context context,
323 krb5_ccache id)
324 {
325 return id->ops->prefix;
326 }
327
328 /**
329 * Return the complete resolvable name the cache
330
331 * @param context a Keberos context
332 * @param id return pointer to a found credential cache
333 * @param str the returned name of a credential cache, free with krb5_xfree()
334 *
335 * @return Returns 0 or an error (and then *str is set to NULL).
336 *
337 * @ingroup krb5_ccache
338 */
339
340
341 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
342 krb5_cc_get_full_name(krb5_context context,
343 krb5_ccache id,
344 char **str)
345 {
346 const char *type, *name;
347
348 *str = NULL;
349
350 type = krb5_cc_get_type(context, id);
351 if (type == NULL) {
352 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
353 "cache have no name of type");
354 return KRB5_CC_UNKNOWN_TYPE;
355 }
356
357 name = krb5_cc_get_name(context, id);
358 if (name == NULL) {
359 krb5_set_error_message(context, KRB5_CC_BADNAME,
360 "cache of type %s have no name", type);
361 return KRB5_CC_BADNAME;
362 }
363
364 if (asprintf(str, "%s:%s", type, name) == -1) {
365 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
366 *str = NULL;
367 return ENOMEM;
368 }
369 return 0;
370 }
371
372 /**
373 * Return krb5_cc_ops of a the ccache `id'.
374 *
375 * @ingroup krb5_ccache
376 */
377
378
379 const krb5_cc_ops *
380 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
381 {
382 return id->ops;
383 }
384
385 /*
386 * Expand variables in `str' into `res'
387 */
388
389 krb5_error_code
390 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
391 {
392 return _krb5_expand_path_tokens(context, str, res);
393 }
394
395 /*
396 * Return non-zero if envirnoment that will determine default krb5cc
397 * name has changed.
398 */
399
400 static int
401 environment_changed(krb5_context context)
402 {
403 const char *e;
404
405 /* if the cc name was set, don't change it */
406 if (context->default_cc_name_set)
407 return 0;
408
409 /* XXX performance: always ask KCM/API if default name has changed */
410 if (context->default_cc_name &&
411 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
412 strncmp(context->default_cc_name, "API:", 4) == 0))
413 return 1;
414
415 if(issuid())
416 return 0;
417
418 e = getenv("KRB5CCNAME");
419 if (e == NULL) {
420 if (context->default_cc_name_env) {
421 free(context->default_cc_name_env);
422 context->default_cc_name_env = NULL;
423 return 1;
424 }
425 } else {
426 if (context->default_cc_name_env == NULL)
427 return 1;
428 if (strcmp(e, context->default_cc_name_env) != 0)
429 return 1;
430 }
431 return 0;
432 }
433
434 /**
435 * Switch the default default credential cache for a specific
436 * credcache type (and name for some implementations).
437 *
438 * @return Return an error code or 0, see krb5_get_error_message().
439 *
440 * @ingroup krb5_ccache
441 */
442
443 krb5_error_code KRB5_LIB_FUNCTION
444 krb5_cc_switch(krb5_context context, krb5_ccache id)
445 {
446
447 if (id->ops->set_default == NULL)
448 return 0;
449
450 return (*id->ops->set_default)(context, id);
451 }
452
453 /**
454 * Return true if the default credential cache support switch
455 *
456 * @ingroup krb5_ccache
457 */
458
459 krb5_boolean KRB5_LIB_FUNCTION
460 krb5_cc_support_switch(krb5_context context, const char *type)
461 {
462 const krb5_cc_ops *ops;
463
464 ops = krb5_cc_get_prefix_ops(context, type);
465 if (ops && ops->set_default)
466 return 1;
467 return FALSE;
468 }
469
470 /**
471 * Set the default cc name for `context' to `name'.
472 *
473 * @ingroup krb5_ccache
474 */
475
476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
477 krb5_cc_set_default_name(krb5_context context, const char *name)
478 {
479 krb5_error_code ret = 0;
480 char *p = NULL, *exp_p = NULL;
481
482 if (name == NULL) {
483 const char *e = NULL;
484
485 if(!issuid()) {
486 e = getenv("KRB5CCNAME");
487 if (e) {
488 p = strdup(e);
489 if (context->default_cc_name_env)
490 free(context->default_cc_name_env);
491 context->default_cc_name_env = strdup(e);
492 }
493 }
494 if (e == NULL) {
495 e = krb5_config_get_string(context, NULL, "libdefaults",
496 "default_cc_name", NULL);
497 if (e) {
498 ret = _krb5_expand_default_cc_name(context, e, &p);
499 if (ret)
500 return ret;
501 }
502 if (e == NULL) {
503 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
504 e = krb5_config_get_string(context, NULL, "libdefaults",
505 "default_cc_type", NULL);
506 if (e) {
507 ops = krb5_cc_get_prefix_ops(context, e);
508 if (ops == NULL) {
509 krb5_set_error_message(context,
510 KRB5_CC_UNKNOWN_TYPE,
511 "Credential cache type %s "
512 "is unknown", e);
513 return KRB5_CC_UNKNOWN_TYPE;
514 }
515 }
516 ret = (*ops->get_default_name)(context, &p);
517 if (ret)
518 return ret;
519 }
520 }
521 context->default_cc_name_set = 0;
522 } else {
523 p = strdup(name);
524 context->default_cc_name_set = 1;
525 }
526
527 if (p == NULL) {
528 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
529 return ENOMEM;
530 }
531
532 ret = _krb5_expand_path_tokens(context, p, &exp_p);
533 free(p);
534 if (ret)
535 return ret;
536
537 if (context->default_cc_name)
538 free(context->default_cc_name);
539
540 context->default_cc_name = exp_p;
541
542 return 0;
543 }
544
545 /**
546 * Return a pointer to a context static string containing the default
547 * ccache name.
548 *
549 * @return String to the default credential cache name.
550 *
551 * @ingroup krb5_ccache
552 */
553
554
555 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
556 krb5_cc_default_name(krb5_context context)
557 {
558 if (context->default_cc_name == NULL || environment_changed(context))
559 krb5_cc_set_default_name(context, NULL);
560
561 return context->default_cc_name;
562 }
563
564 /**
565 * Open the default ccache in `id'.
566 *
567 * @return Return an error code or 0, see krb5_get_error_message().
568 *
569 * @ingroup krb5_ccache
570 */
571
572
573 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
574 krb5_cc_default(krb5_context context,
575 krb5_ccache *id)
576 {
577 const char *p = krb5_cc_default_name(context);
578
579 if (p == NULL) {
580 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
581 return ENOMEM;
582 }
583 return krb5_cc_resolve(context, p, id);
584 }
585
586 /**
587 * Create a new ccache in `id' for `primary_principal'.
588 *
589 * @return Return an error code or 0, see krb5_get_error_message().
590 *
591 * @ingroup krb5_ccache
592 */
593
594
595 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
596 krb5_cc_initialize(krb5_context context,
597 krb5_ccache id,
598 krb5_principal primary_principal)
599 {
600 return (*id->ops->init)(context, id, primary_principal);
601 }
602
603
604 /**
605 * Remove the ccache `id'.
606 *
607 * @return Return an error code or 0, see krb5_get_error_message().
608 *
609 * @ingroup krb5_ccache
610 */
611
612
613 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
614 krb5_cc_destroy(krb5_context context,
615 krb5_ccache id)
616 {
617 krb5_error_code ret;
618
619 ret = (*id->ops->destroy)(context, id);
620 krb5_cc_close (context, id);
621 return ret;
622 }
623
624 /**
625 * Stop using the ccache `id' and free the related resources.
626 *
627 * @return Return an error code or 0, see krb5_get_error_message().
628 *
629 * @ingroup krb5_ccache
630 */
631
632
633 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
634 krb5_cc_close(krb5_context context,
635 krb5_ccache id)
636 {
637 krb5_error_code ret;
638 ret = (*id->ops->close)(context, id);
639 free(id);
640 return ret;
641 }
642
643 /**
644 * Store `creds' in the ccache `id'.
645 *
646 * @return Return an error code or 0, see krb5_get_error_message().
647 *
648 * @ingroup krb5_ccache
649 */
650
651
652 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
653 krb5_cc_store_cred(krb5_context context,
654 krb5_ccache id,
655 krb5_creds *creds)
656 {
657 return (*id->ops->store)(context, id, creds);
658 }
659
660 /**
661 * Retrieve the credential identified by `mcreds' (and `whichfields')
662 * from `id' in `creds'. 'creds' must be free by the caller using
663 * krb5_free_cred_contents.
664 *
665 * @param context A Kerberos 5 context
666 * @param id a Kerberos 5 credential cache
667 * @param whichfields what fields to use for matching credentials, same
668 * flags as whichfields in krb5_compare_creds()
669 * @param mcreds template credential to use for comparing
670 * @param creds returned credential, free with krb5_free_cred_contents()
671 *
672 * @return Return an error code or 0, see krb5_get_error_message().
673 *
674 * @ingroup krb5_ccache
675 */
676
677
678 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
679 krb5_cc_retrieve_cred(krb5_context context,
680 krb5_ccache id,
681 krb5_flags whichfields,
682 const krb5_creds *mcreds,
683 krb5_creds *creds)
684 {
685 krb5_error_code ret;
686 krb5_cc_cursor cursor;
687
688 if (id->ops->retrieve != NULL) {
689 return (*id->ops->retrieve)(context, id, whichfields,
690 mcreds, creds);
691 }
692
693 ret = krb5_cc_start_seq_get(context, id, &cursor);
694 if (ret)
695 return ret;
696 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
697 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
698 ret = 0;
699 break;
700 }
701 krb5_free_cred_contents (context, creds);
702 }
703 krb5_cc_end_seq_get(context, id, &cursor);
704 return ret;
705 }
706
707 /**
708 * Return the principal of `id' in `principal'.
709 *
710 * @return Return an error code or 0, see krb5_get_error_message().
711 *
712 * @ingroup krb5_ccache
713 */
714
715
716 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
717 krb5_cc_get_principal(krb5_context context,
718 krb5_ccache id,
719 krb5_principal *principal)
720 {
721 return (*id->ops->get_princ)(context, id, principal);
722 }
723
724 /**
725 * Start iterating over `id', `cursor' is initialized to the
726 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
727 *
728 * @return Return an error code or 0, see krb5_get_error_message().
729 *
730 * @ingroup krb5_ccache
731 */
732
733
734 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
735 krb5_cc_start_seq_get (krb5_context context,
736 const krb5_ccache id,
737 krb5_cc_cursor *cursor)
738 {
739 return (*id->ops->get_first)(context, id, cursor);
740 }
741
742 /**
743 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
744 * and advance `cursor'.
745 *
746 * @return Return an error code or 0, see krb5_get_error_message().
747 *
748 * @ingroup krb5_ccache
749 */
750
751
752 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
753 krb5_cc_next_cred (krb5_context context,
754 const krb5_ccache id,
755 krb5_cc_cursor *cursor,
756 krb5_creds *creds)
757 {
758 return (*id->ops->get_next)(context, id, cursor, creds);
759 }
760
761 /**
762 * Destroy the cursor `cursor'.
763 *
764 * @ingroup krb5_ccache
765 */
766
767
768 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
769 krb5_cc_end_seq_get (krb5_context context,
770 const krb5_ccache id,
771 krb5_cc_cursor *cursor)
772 {
773 return (*id->ops->end_get)(context, id, cursor);
774 }
775
776 /**
777 * Remove the credential identified by `cred', `which' from `id'.
778 *
779 * @ingroup krb5_ccache
780 */
781
782
783 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
784 krb5_cc_remove_cred(krb5_context context,
785 krb5_ccache id,
786 krb5_flags which,
787 krb5_creds *cred)
788 {
789 if(id->ops->remove_cred == NULL) {
790 krb5_set_error_message(context,
791 EACCES,
792 "ccache %s does not support remove_cred",
793 id->ops->prefix);
794 return EACCES; /* XXX */
795 }
796 return (*id->ops->remove_cred)(context, id, which, cred);
797 }
798
799 /**
800 * Set the flags of `id' to `flags'.
801 *
802 * @ingroup krb5_ccache
803 */
804
805
806 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
807 krb5_cc_set_flags(krb5_context context,
808 krb5_ccache id,
809 krb5_flags flags)
810 {
811 return (*id->ops->set_flags)(context, id, flags);
812 }
813
814 /**
815 * Get the flags of `id', store them in `flags'.
816 *
817 * @ingroup krb5_ccache
818 */
819
820 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
821 krb5_cc_get_flags(krb5_context context,
822 krb5_ccache id,
823 krb5_flags *flags)
824 {
825 *flags = 0;
826 return 0;
827 }
828
829 /**
830 * Copy the contents of `from' to `to' if the given match function
831 * return true.
832 *
833 * @param context A Kerberos 5 context.
834 * @param from the cache to copy data from.
835 * @param to the cache to copy data to.
836 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
837 * @param matchctx context passed to match function.
838 * @param matched set to true if there was a credential that matched, may be NULL.
839 *
840 * @return Return an error code or 0, see krb5_get_error_message().
841 *
842 * @ingroup krb5_ccache
843 */
844
845 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
846 krb5_cc_copy_match_f(krb5_context context,
847 const krb5_ccache from,
848 krb5_ccache to,
849 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
850 void *matchctx,
851 unsigned int *matched)
852 {
853 krb5_error_code ret;
854 krb5_cc_cursor cursor;
855 krb5_creds cred;
856 krb5_principal princ;
857
858 if (matched)
859 *matched = 0;
860
861 ret = krb5_cc_get_principal(context, from, &princ);
862 if (ret)
863 return ret;
864 ret = krb5_cc_initialize(context, to, princ);
865 if (ret) {
866 krb5_free_principal(context, princ);
867 return ret;
868 }
869 ret = krb5_cc_start_seq_get(context, from, &cursor);
870 if (ret) {
871 krb5_free_principal(context, princ);
872 return ret;
873 }
874
875 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
876 if (match == NULL || (*match)(context, matchctx, &cred) == 0) {
877 if (matched)
878 (*matched)++;
879 ret = krb5_cc_store_cred(context, to, &cred);
880 if (ret)
881 break;
882 }
883 krb5_free_cred_contents(context, &cred);
884 }
885 krb5_cc_end_seq_get(context, from, &cursor);
886 krb5_free_principal(context, princ);
887 if (ret == KRB5_CC_END)
888 ret = 0;
889 return ret;
890 }
891
892 /**
893 * Just like krb5_cc_copy_match_f(), but copy everything.
894 *
895 * @ingroup @krb5_ccache
896 */
897
898 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
899 krb5_cc_copy_cache(krb5_context context,
900 const krb5_ccache from,
901 krb5_ccache to)
902 {
903 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
904 }
905
906 /**
907 * Return the version of `id'.
908 *
909 * @ingroup krb5_ccache
910 */
911
912
913 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
914 krb5_cc_get_version(krb5_context context,
915 const krb5_ccache id)
916 {
917 if(id->ops->get_version)
918 return (*id->ops->get_version)(context, id);
919 else
920 return 0;
921 }
922
923 /**
924 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
925 *
926 * @ingroup krb5_ccache
927 */
928
929
930 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
931 krb5_cc_clear_mcred(krb5_creds *mcred)
932 {
933 memset(mcred, 0, sizeof(*mcred));
934 }
935
936 /**
937 * Get the cc ops that is registered in `context' to handle the
938 * prefix. prefix can be a complete credential cache name or a
939 * prefix, the function will only use part up to the first colon (:)
940 * if there is one. If prefix the argument is NULL, the default ccache
941 * implemtation is returned.
942 *
943 * @return Returns NULL if ops not found.
944 *
945 * @ingroup krb5_ccache
946 */
947
948
949 const krb5_cc_ops *
950 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
951 {
952 char *p, *p1;
953 int i;
954
955 if (prefix == NULL)
956 return KRB5_DEFAULT_CCTYPE;
957 if (prefix[0] == '/')
958 return &krb5_fcc_ops;
959
960 p = strdup(prefix);
961 if (p == NULL) {
962 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
963 return NULL;
964 }
965 p1 = strchr(p, ':');
966 if (p1)
967 *p1 = '\0';
968
969 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
970 if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
971 free(p);
972 return context->cc_ops[i];
973 }
974 }
975 free(p);
976 return NULL;
977 }
978
979 struct krb5_cc_cache_cursor_data {
980 const krb5_cc_ops *ops;
981 krb5_cc_cursor cursor;
982 };
983
984 /**
985 * Start iterating over all caches of specified type. See also
986 * krb5_cccol_cursor_new().
987
988 * @param context A Kerberos 5 context
989 * @param type optional type to iterate over, if NULL, the default cache is used.
990 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
991 *
992 * @return Return an error code or 0, see krb5_get_error_message().
993 *
994 * @ingroup krb5_ccache
995 */
996
997
998 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
999 krb5_cc_cache_get_first (krb5_context context,
1000 const char *type,
1001 krb5_cc_cache_cursor *cursor)
1002 {
1003 const krb5_cc_ops *ops;
1004 krb5_error_code ret;
1005
1006 if (type == NULL)
1007 type = krb5_cc_default_name(context);
1008
1009 ops = krb5_cc_get_prefix_ops(context, type);
1010 if (ops == NULL) {
1011 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1012 "Unknown type \"%s\" when iterating "
1013 "trying to iterate the credential caches", type);
1014 return KRB5_CC_UNKNOWN_TYPE;
1015 }
1016
1017 if (ops->get_cache_first == NULL) {
1018 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1019 N_("Credential cache type %s doesn't support "
1020 "iterations over caches", "type"),
1021 ops->prefix);
1022 return KRB5_CC_NOSUPP;
1023 }
1024
1025 *cursor = calloc(1, sizeof(**cursor));
1026 if (*cursor == NULL) {
1027 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1028 return ENOMEM;
1029 }
1030
1031 (*cursor)->ops = ops;
1032
1033 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1034 if (ret) {
1035 free(*cursor);
1036 *cursor = NULL;
1037 }
1038 return ret;
1039 }
1040
1041 /**
1042 * Retrieve the next cache pointed to by (`cursor') in `id'
1043 * and advance `cursor'.
1044 *
1045 * @param context A Kerberos 5 context
1046 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1047 * @param id next ccache
1048 *
1049 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1050 * of caches is reached, see krb5_get_error_message().
1051 *
1052 * @ingroup krb5_ccache
1053 */
1054
1055
1056 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1057 krb5_cc_cache_next (krb5_context context,
1058 krb5_cc_cache_cursor cursor,
1059 krb5_ccache *id)
1060 {
1061 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1062 }
1063
1064 /**
1065 * Destroy the cursor `cursor'.
1066 *
1067 * @return Return an error code or 0, see krb5_get_error_message().
1068 *
1069 * @ingroup krb5_ccache
1070 */
1071
1072
1073 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1074 krb5_cc_cache_end_seq_get (krb5_context context,
1075 krb5_cc_cache_cursor cursor)
1076 {
1077 krb5_error_code ret;
1078 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1079 cursor->ops = NULL;
1080 free(cursor);
1081 return ret;
1082 }
1083
1084 /**
1085 * Search for a matching credential cache that have the
1086 * `principal' as the default principal. On success, `id' needs to be
1087 * freed with krb5_cc_close() or krb5_cc_destroy().
1088 *
1089 * @param context A Kerberos 5 context
1090 * @param client The principal to search for
1091 * @param id the returned credential cache
1092 *
1093 * @return On failure, error code is returned and `id' is set to NULL.
1094 *
1095 * @ingroup krb5_ccache
1096 */
1097
1098
1099 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1100 krb5_cc_cache_match (krb5_context context,
1101 krb5_principal client,
1102 krb5_ccache *id)
1103 {
1104 krb5_cccol_cursor cursor;
1105 krb5_error_code ret;
1106 krb5_ccache cache = NULL;
1107
1108 *id = NULL;
1109
1110 ret = krb5_cccol_cursor_new (context, &cursor);
1111 if (ret)
1112 return ret;
1113
1114 while (krb5_cccol_cursor_next (context, cursor, &cache) == 0 && cache != NULL) {
1115 krb5_principal principal;
1116
1117 ret = krb5_cc_get_principal(context, cache, &principal);
1118 if (ret == 0) {
1119 krb5_boolean match;
1120
1121 match = krb5_principal_compare(context, principal, client);
1122 krb5_free_principal(context, principal);
1123 if (match)
1124 break;
1125 }
1126
1127 krb5_cc_close(context, cache);
1128 cache = NULL;
1129 }
1130
1131 krb5_cccol_cursor_free(context, &cursor);
1132
1133 if (cache == NULL) {
1134 char *str;
1135
1136 krb5_unparse_name(context, client, &str);
1137
1138 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1139 N_("Principal %s not found in any "
1140 "credential cache", ""),
1141 str ? str : "<out of memory>");
1142 if (str)
1143 free(str);
1144 return KRB5_CC_NOTFOUND;
1145 }
1146 *id = cache;
1147
1148 return 0;
1149 }
1150
1151 /**
1152 * Move the content from one credential cache to another. The
1153 * operation is an atomic switch.
1154 *
1155 * @param context a Keberos context
1156 * @param from the credential cache to move the content from
1157 * @param to the credential cache to move the content to
1158
1159 * @return On sucess, from is freed. On failure, error code is
1160 * returned and from and to are both still allocated, see krb5_get_error_message().
1161 *
1162 * @ingroup krb5_ccache
1163 */
1164
1165 krb5_error_code
1166 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1167 {
1168 krb5_error_code ret;
1169
1170 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1171 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1172 N_("Moving credentials between diffrent "
1173 "types not yet supported", ""));
1174 return KRB5_CC_NOSUPP;
1175 }
1176
1177 ret = (*to->ops->move)(context, from, to);
1178 if (ret == 0) {
1179 memset(from, 0, sizeof(*from));
1180 free(from);
1181 }
1182 return ret;
1183 }
1184
1185 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1186 #define KRB5_REALM_NAME "X-CACHECONF:"
1187
1188 static krb5_error_code
1189 build_conf_principals(krb5_context context, krb5_ccache id,
1190 krb5_const_principal principal,
1191 const char *name, krb5_creds *cred)
1192 {
1193 krb5_principal client;
1194 krb5_error_code ret;
1195 char *pname = NULL;
1196
1197 memset(cred, 0, sizeof(*cred));
1198
1199 ret = krb5_cc_get_principal(context, id, &client);
1200 if (ret)
1201 return ret;
1202
1203 if (principal) {
1204 ret = krb5_unparse_name(context, principal, &pname);
1205 if (ret)
1206 return ret;
1207 }
1208
1209 ret = krb5_make_principal(context, &cred->server,
1210 KRB5_REALM_NAME,
1211 KRB5_CONF_NAME, name, pname, NULL);
1212 free(pname);
1213 if (ret) {
1214 krb5_free_principal(context, client);
1215 return ret;
1216 }
1217 ret = krb5_copy_principal(context, client, &cred->client);
1218 krb5_free_principal(context, client);
1219 return ret;
1220 }
1221
1222 /**
1223 * Return TRUE (non zero) if the principal is a configuration
1224 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1225 * (zero) if not a configuration principal.
1226 *
1227 * @param context a Keberos context
1228 * @param principal principal to check if it a configuration principal
1229 *
1230 * @ingroup krb5_ccache
1231 */
1232
1233 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1234 krb5_is_config_principal(krb5_context context,
1235 krb5_const_principal principal)
1236 {
1237 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1238 return FALSE;
1239
1240 if (principal->name.name_string.len == 0 ||
1241 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1242 return FALSE;
1243
1244 return TRUE;
1245 }
1246
1247 /**
1248 * Store some configuration for the credential cache in the cache.
1249 * Existing configuration under the same name is over-written.
1250 *
1251 * @param context a Keberos context
1252 * @param id the credential cache to store the data for
1253 * @param principal configuration for a specific principal, if
1254 * NULL, global for the whole cache.
1255 * @param name name under which the configuraion is stored.
1256 * @param data data to store, if NULL, configure is removed.
1257 *
1258 * @ingroup krb5_ccache
1259 */
1260
1261 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1262 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1263 krb5_const_principal principal,
1264 const char *name, krb5_data *data)
1265 {
1266 krb5_error_code ret;
1267 krb5_creds cred;
1268
1269 ret = build_conf_principals(context, id, principal, name, &cred);
1270 if (ret)
1271 goto out;
1272
1273 /* Remove old configuration */
1274 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1275 if (ret && ret != KRB5_CC_NOTFOUND)
1276 goto out;
1277
1278 if (data) {
1279 /* not that anyone care when this expire */
1280 cred.times.authtime = time(NULL);
1281 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1282
1283 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1284 if (ret)
1285 goto out;
1286
1287 ret = krb5_cc_store_cred(context, id, &cred);
1288 }
1289
1290 out:
1291 krb5_free_cred_contents (context, &cred);
1292 return ret;
1293 }
1294
1295 /**
1296 * Get some configuration for the credential cache in the cache.
1297 *
1298 * @param context a Keberos context
1299 * @param id the credential cache to store the data for
1300 * @param principal configuration for a specific principal, if
1301 * NULL, global for the whole cache.
1302 * @param name name under which the configuraion is stored.
1303 * @param data data to fetched, free with krb5_data_free()
1304 *
1305 * @ingroup krb5_ccache
1306 */
1307
1308
1309 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1310 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1311 krb5_const_principal principal,
1312 const char *name, krb5_data *data)
1313 {
1314 krb5_creds mcred, cred;
1315 krb5_error_code ret;
1316
1317 memset(&cred, 0, sizeof(cred));
1318 krb5_data_zero(data);
1319
1320 ret = build_conf_principals(context, id, principal, name, &mcred);
1321 if (ret)
1322 goto out;
1323
1324 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1325 if (ret)
1326 goto out;
1327
1328 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1329
1330 out:
1331 krb5_free_cred_contents (context, &cred);
1332 krb5_free_cred_contents (context, &mcred);
1333 return ret;
1334 }
1335
1336 /*
1337 *
1338 */
1339
1340 struct krb5_cccol_cursor_data {
1341 int idx;
1342 krb5_cc_cache_cursor cursor;
1343 };
1344
1345 /**
1346 * Get a new cache interation cursor that will interate over all
1347 * credentials caches independent of type.
1348 *
1349 * @param context a Keberos context
1350 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1351 *
1352 * @return Returns 0 or and error code, see krb5_get_error_message().
1353 *
1354 * @ingroup krb5_ccache
1355 */
1356
1357 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1358 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1359 {
1360 *cursor = calloc(1, sizeof(**cursor));
1361 if (*cursor == NULL) {
1362 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1363 return ENOMEM;
1364 }
1365 (*cursor)->idx = 0;
1366 (*cursor)->cursor = NULL;
1367
1368 return 0;
1369 }
1370
1371 /**
1372 * Get next credential cache from the iteration.
1373 *
1374 * @param context A Kerberos 5 context
1375 * @param cursor the iteration cursor
1376 * @param cache the returned cursor, pointer is set to NULL on failure
1377 * and a cache on success. The returned cache needs to be freed
1378 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1379 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1380 * when all caches are iterated over and return 0.
1381 *
1382 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1383 * of iteration. See krb5_get_error_message().
1384 *
1385 * @ingroup krb5_ccache
1386 */
1387
1388
1389 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1390 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1391 krb5_ccache *cache)
1392 {
1393 krb5_error_code ret;
1394
1395 *cache = NULL;
1396
1397 while (cursor->idx < context->num_cc_ops) {
1398
1399 if (cursor->cursor == NULL) {
1400 ret = krb5_cc_cache_get_first (context,
1401 context->cc_ops[cursor->idx]->prefix,
1402 &cursor->cursor);
1403 if (ret) {
1404 cursor->idx++;
1405 continue;
1406 }
1407 }
1408 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1409 if (ret == 0)
1410 break;
1411
1412 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1413 cursor->cursor = NULL;
1414 if (ret != KRB5_CC_END)
1415 break;
1416
1417 cursor->idx++;
1418 }
1419 if (cursor->idx >= context->num_cc_ops) {
1420 krb5_set_error_message(context, KRB5_CC_END,
1421 N_("Reached end of credential caches", ""));
1422 return KRB5_CC_END;
1423 }
1424
1425 return 0;
1426 }
1427
1428 /**
1429 * End an iteration and free all resources, can be done before end is reached.
1430 *
1431 * @param context A Kerberos 5 context
1432 * @param cursor the iteration cursor to be freed.
1433 *
1434 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1435 * of iteration. See krb5_get_error_message().
1436 *
1437 * @ingroup krb5_ccache
1438 */
1439
1440 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1441 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1442 {
1443 krb5_cccol_cursor c = *cursor;
1444
1445 *cursor = NULL;
1446 if (c) {
1447 if (c->cursor)
1448 krb5_cc_cache_end_seq_get(context, c->cursor);
1449 free(c);
1450 }
1451 return 0;
1452 }
1453
1454 /**
1455 * Return the last time the credential cache was modified.
1456 *
1457 * @param context A Kerberos 5 context
1458 * @param id The credential cache to probe
1459 * @param mtime the last modification time, set to 0 on error.
1460
1461 * @return Return 0 or and error. See krb5_get_error_message().
1462 *
1463 * @ingroup krb5_ccache
1464 */
1465
1466
1467 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1468 krb5_cc_last_change_time(krb5_context context,
1469 krb5_ccache id,
1470 krb5_timestamp *mtime)
1471 {
1472 *mtime = 0;
1473 return (*id->ops->lastchange)(context, id, mtime);
1474 }
1475
1476 /**
1477 * Return the last modfication time for a cache collection. The query
1478 * can be limited to a specific cache type. If the function return 0
1479 * and mtime is 0, there was no credentials in the caches.
1480 *
1481 * @param context A Kerberos 5 context
1482 * @param type The credential cache to probe, if NULL, all type are traversed.
1483 * @param mtime the last modification time, set to 0 on error.
1484
1485 * @return Return 0 or and error. See krb5_get_error_message().
1486 *
1487 * @ingroup krb5_ccache
1488 */
1489
1490 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1491 krb5_cccol_last_change_time(krb5_context context,
1492 const char *type,
1493 krb5_timestamp *mtime)
1494 {
1495 krb5_cccol_cursor cursor;
1496 krb5_error_code ret;
1497 krb5_ccache id;
1498 krb5_timestamp t = 0;
1499
1500 *mtime = 0;
1501
1502 ret = krb5_cccol_cursor_new (context, &cursor);
1503 if (ret)
1504 return ret;
1505
1506 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1507
1508 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1509 continue;
1510
1511 ret = krb5_cc_last_change_time(context, id, &t);
1512 krb5_cc_close(context, id);
1513 if (ret)
1514 continue;
1515 if (t > *mtime)
1516 *mtime = t;
1517 }
1518
1519 krb5_cccol_cursor_free(context, &cursor);
1520
1521 return 0;
1522 }
1523 /**
1524 * Return a friendly name on credential cache. Free the result with krb5_xfree().
1525 *
1526 * @return Return an error code or 0, see krb5_get_error_message().
1527 *
1528 * @ingroup krb5_ccache
1529 */
1530
1531 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1532 krb5_cc_get_friendly_name(krb5_context context,
1533 krb5_ccache id,
1534 char **name)
1535 {
1536 krb5_error_code ret;
1537 krb5_data data;
1538
1539 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1540 if (ret) {
1541 krb5_principal principal;
1542 ret = krb5_cc_get_principal(context, id, &principal);
1543 if (ret)
1544 return ret;
1545 ret = krb5_unparse_name(context, principal, name);
1546 krb5_free_principal(context, principal);
1547 } else {
1548 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1549 krb5_data_free(&data);
1550 if (ret <= 0) {
1551 ret = ENOMEM;
1552 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1553 } else
1554 ret = 0;
1555 }
1556
1557 return ret;
1558 }
1559
1560 /**
1561 * Set the friendly name on credential cache.
1562 *
1563 * @return Return an error code or 0, see krb5_get_error_message().
1564 *
1565 * @ingroup krb5_ccache
1566 */
1567
1568 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1569 krb5_cc_set_friendly_name(krb5_context context,
1570 krb5_ccache id,
1571 const char *name)
1572 {
1573 krb5_data data;
1574
1575 data.data = rk_UNCONST(name);
1576 data.length = strlen(name);
1577
1578 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1579 }
1580
1581 /**
1582 * Get the lifetime of the initial ticket in the cache
1583 *
1584 * Get the lifetime of the initial ticket in the cache, if the initial
1585 * ticket was not found, the error code KRB5_CC_END is returned.
1586 *
1587 * @param context A Kerberos 5 context.
1588 * @param id a credential cache
1589 * @param t the relative lifetime of the initial ticket
1590 *
1591 * @return Return an error code or 0, see krb5_get_error_message().
1592 *
1593 * @ingroup krb5_ccache
1594 */
1595
1596 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1597 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1598 {
1599 krb5_cc_cursor cursor;
1600 krb5_error_code ret;
1601 krb5_creds cred;
1602 time_t now;
1603
1604 *t = 0;
1605 now = time(NULL);
1606
1607 ret = krb5_cc_start_seq_get(context, id, &cursor);
1608 if (ret)
1609 return ret;
1610
1611 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1612 if (cred.flags.b.initial) {
1613 if (now < cred.times.endtime)
1614 *t = cred.times.endtime - now;
1615 krb5_free_cred_contents(context, &cred);
1616 break;
1617 }
1618 krb5_free_cred_contents(context, &cred);
1619 }
1620
1621 krb5_cc_end_seq_get(context, id, &cursor);
1622
1623 return ret;
1624 }
1625
1626 /**
1627 * Set the time offset betwen the client and the KDC
1628 *
1629 * If the backend doesn't support KDC offset, use the context global setting.
1630 *
1631 * @param context A Kerberos 5 context.
1632 * @param id a credential cache
1633 * @param offset the offset in seconds
1634 *
1635 * @return Return an error code or 0, see krb5_get_error_message().
1636 *
1637 * @ingroup krb5_ccache
1638 */
1639
1640 krb5_error_code
1641 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1642 {
1643 if (id->ops->set_kdc_offset == NULL) {
1644 context->kdc_sec_offset = offset;
1645 context->kdc_usec_offset = 0;
1646 return 0;
1647 }
1648 return (*id->ops->set_kdc_offset)(context, id, offset);
1649 }
1650
1651 /**
1652 * Get the time offset betwen the client and the KDC
1653 *
1654 * If the backend doesn't support KDC offset, use the context global setting.
1655 *
1656 * @param context A Kerberos 5 context.
1657 * @param id a credential cache
1658 * @param offset the offset in seconds
1659 *
1660 * @return Return an error code or 0, see krb5_get_error_message().
1661 *
1662 * @ingroup krb5_ccache
1663 */
1664
1665 krb5_error_code
1666 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1667 {
1668 if (id->ops->get_kdc_offset == NULL) {
1669 *offset = context->kdc_sec_offset;
1670 return 0;
1671 }
1672 return (*id->ops->get_kdc_offset)(context, id, offset);
1673 }
Heimdal