search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Use start_realm in cc lifetime
[heimdal.git] / lib / krb5 / cache.c
blob17a179282bd60bdaf25c3c9975985c90430c7d6d
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
41 *
42 * krb5_ccache structure holds a Kerberos credential cache.
43 *
44 * Heimdal support the follow types of credential caches:
45 *
46 * - SCC
47 * Store the credential in a database
48 * - FILE
49 * Store the credential in memory
50 * - MEMORY
51 * Store the credential in memory
52 * - API
53 * A credential cache server based solution for Mac OS X
54 * - KCM
55 * A credential cache server based solution for all platforms
56 *
57 * @subsection Example
58 *
59 * This is a minimalistic version of klist:
60 @code
61 #include <krb5.h>
62
63 int
64 main (int argc, char **argv)
65 {
66 krb5_context context;
67 krb5_cc_cursor cursor;
68 krb5_error_code ret;
69 krb5_ccache id;
70 krb5_creds creds;
71
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
74
75 ret = krb5_cc_default (context, &id);
76 if (ret)
77 krb5_err(context, 1, ret, "krb5_cc_default");
78
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
80 if (ret)
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
82
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
84 char *principal;
85
86 krb5_unparse_name(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
88 free(principal);
89 krb5_free_cred_contents (context, &creds);
90 }
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
92 if (ret)
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
94
95 krb5_cc_close(context, id);
96
97 krb5_free_context(context);
98 return 0;
99 }
100 * @endcode
101 */
102
103 /**
104 * Add a new ccache type with operations `ops', overwriting any
105 * existing one if `override'.
106 *
107 * @param context a Keberos context
108 * @param ops type of plugin symbol
109 * @param override flag to select if the registration is to overide
110 * an existing ops with the same name.
111 *
112 * @return Return an error code or 0, see krb5_get_error_message().
113 *
114 * @ingroup krb5_ccache
115 */
116
117 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
118 krb5_cc_register(krb5_context context,
119 const krb5_cc_ops *ops,
120 krb5_boolean override)
121 {
122 int i;
123
124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
126 if(!override) {
127 krb5_set_error_message(context,
128 KRB5_CC_TYPE_EXISTS,
129 N_("cache type %s already exists", "type"),
130 ops->prefix);
131 return KRB5_CC_TYPE_EXISTS;
132 }
133 break;
134 }
135 }
136 if(i == context->num_cc_ops) {
137 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
138 (context->num_cc_ops + 1) *
139 sizeof(context->cc_ops[0]));
140 if(o == NULL) {
141 krb5_set_error_message(context, KRB5_CC_NOMEM,
142 N_("malloc: out of memory", ""));
143 return KRB5_CC_NOMEM;
144 }
145 context->cc_ops = o;
146 context->cc_ops[context->num_cc_ops] = NULL;
147 context->num_cc_ops++;
148 }
149 context->cc_ops[i] = ops;
150 return 0;
151 }
152
153 /*
154 * Allocate the memory for a `id' and the that function table to
155 * `ops'. Returns 0 or and error code.
156 */
157
158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
159 _krb5_cc_allocate(krb5_context context,
160 const krb5_cc_ops *ops,
161 krb5_ccache *id)
162 {
163 krb5_ccache p;
164
165 p = malloc (sizeof(*p));
166 if(p == NULL) {
167 krb5_set_error_message(context, KRB5_CC_NOMEM,
168 N_("malloc: out of memory", ""));
169 return KRB5_CC_NOMEM;
170 }
171 p->ops = ops;
172 *id = p;
173
174 return 0;
175 }
176
177 /*
178 * Allocate memory for a new ccache in `id' with operations `ops'
179 * and name `residual'. Return 0 or an error code.
180 */
181
182 static krb5_error_code
183 allocate_ccache (krb5_context context,
184 const krb5_cc_ops *ops,
185 const char *residual,
186 krb5_ccache *id)
187 {
188 krb5_error_code ret;
189 #ifdef KRB5_USE_PATH_TOKENS
190 char * exp_residual = NULL;
191 int filepath;
192
193 filepath = (strcmp("FILE", ops->prefix) == 0
194 || strcmp("DIR", ops->prefix) == 0
195 || strcmp("SCC", ops->prefix) == 0);
196
197 ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
198 if (ret)
199 return ret;
200
201 residual = exp_residual;
202 #endif
203
204 ret = _krb5_cc_allocate(context, ops, id);
205 if (ret) {
206 #ifdef KRB5_USE_PATH_TOKENS
207 if (exp_residual)
208 free(exp_residual);
209 #endif
210 return ret;
211 }
212
213 ret = (*id)->ops->resolve(context, id, residual);
214 if(ret) {
215 free(*id);
216 *id = NULL;
217 }
218
219 #ifdef KRB5_USE_PATH_TOKENS
220 if (exp_residual)
221 free(exp_residual);
222 #endif
223
224 return ret;
225 }
226
227 static int
228 is_possible_path_name(const char * name)
229 {
230 const char * colon;
231
232 if ((colon = strchr(name, ':')) == NULL)
233 return TRUE;
234
235 #ifdef _WIN32
236 /* <drive letter>:\path\to\cache ? */
237
238 if (colon == name + 1 &&
239 strchr(colon + 1, ':') == NULL)
240 return TRUE;
241 #endif
242
243 return FALSE;
244 }
245
246 /**
247 * Find and allocate a ccache in `id' from the specification in `residual'.
248 * If the ccache name doesn't contain any colon, interpret it as a file name.
249 *
250 * @param context a Keberos context.
251 * @param name string name of a credential cache.
252 * @param id return pointer to a found credential cache.
253 *
254 * @return Return 0 or an error code. In case of an error, id is set
255 * to NULL, see krb5_get_error_message().
256 *
257 * @ingroup krb5_ccache
258 */
259
260
261 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
262 krb5_cc_resolve(krb5_context context,
263 const char *name,
264 krb5_ccache *id)
265 {
266 int i;
267
268 *id = NULL;
269
270 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
271 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
272
273 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
274 && name[prefix_len] == ':') {
275 return allocate_ccache (context, context->cc_ops[i],
276 name + prefix_len + 1,
277 id);
278 }
279 }
280 if (is_possible_path_name(name))
281 return allocate_ccache (context, &krb5_fcc_ops, name, id);
282 else {
283 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
284 N_("unknown ccache type %s", "name"), name);
285 return KRB5_CC_UNKNOWN_TYPE;
286 }
287 }
288
289 /**
290 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
291 * the library chooses the default credential cache type. The supplied
292 * `hint' (that can be NULL) is a string that the credential cache
293 * type can use to base the name of the credential on, this is to make
294 * it easier for the user to differentiate the credentials.
295 *
296 * @return Return an error code or 0, see krb5_get_error_message().
297 *
298 * @ingroup krb5_ccache
299 */
300
301 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
302 krb5_cc_new_unique(krb5_context context, const char *type,
303 const char *hint, krb5_ccache *id)
304 {
305 const krb5_cc_ops *ops;
306 krb5_error_code ret;
307
308 ops = krb5_cc_get_prefix_ops(context, type);
309 if (ops == NULL) {
310 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
311 "Credential cache type %s is unknown", type);
312 return KRB5_CC_UNKNOWN_TYPE;
313 }
314
315 ret = _krb5_cc_allocate(context, ops, id);
316 if (ret)
317 return ret;
318 ret = (*id)->ops->gen_new(context, id);
319 if (ret) {
320 free(*id);
321 *id = NULL;
322 }
323 return ret;
324 }
325
326 /**
327 * Return the name of the ccache `id'
328 *
329 * @ingroup krb5_ccache
330 */
331
332
333 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
334 krb5_cc_get_name(krb5_context context,
335 krb5_ccache id)
336 {
337 return id->ops->get_name(context, id);
338 }
339
340 /**
341 * Return the type of the ccache `id'.
342 *
343 * @ingroup krb5_ccache
344 */
345
346
347 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
348 krb5_cc_get_type(krb5_context context,
349 krb5_ccache id)
350 {
351 return id->ops->prefix;
352 }
353
354 /**
355 * Return the complete resolvable name the cache
356
357 * @param context a Keberos context
358 * @param id return pointer to a found credential cache
359 * @param str the returned name of a credential cache, free with krb5_xfree()
360 *
361 * @return Returns 0 or an error (and then *str is set to NULL).
362 *
363 * @ingroup krb5_ccache
364 */
365
366
367 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
368 krb5_cc_get_full_name(krb5_context context,
369 krb5_ccache id,
370 char **str)
371 {
372 const char *type, *name;
373
374 *str = NULL;
375
376 type = krb5_cc_get_type(context, id);
377 if (type == NULL) {
378 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
379 "cache have no name of type");
380 return KRB5_CC_UNKNOWN_TYPE;
381 }
382
383 name = krb5_cc_get_name(context, id);
384 if (name == NULL) {
385 krb5_set_error_message(context, KRB5_CC_BADNAME,
386 "cache of type %s have no name", type);
387 return KRB5_CC_BADNAME;
388 }
389
390 if (asprintf(str, "%s:%s", type, name) == -1) {
391 *str = NULL;
392 return krb5_enomem(context);
393 }
394 return 0;
395 }
396
397 /**
398 * Return krb5_cc_ops of a the ccache `id'.
399 *
400 * @ingroup krb5_ccache
401 */
402
403
404 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
405 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
406 {
407 return id->ops;
408 }
409
410 /*
411 * Expand variables in `str' into `res'
412 */
413
414 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
415 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
416 {
417 int filepath;
418
419 filepath = (strncmp("FILE:", str, 5) == 0
420 || strncmp("DIR:", str, 4) == 0
421 || strncmp("SCC:", str, 4) == 0);
422
423 return _krb5_expand_path_tokens(context, str, filepath, res);
424 }
425
426 /*
427 * Return non-zero if envirnoment that will determine default krb5cc
428 * name has changed.
429 */
430
431 static int
432 environment_changed(krb5_context context)
433 {
434 const char *e;
435
436 /* if the cc name was set, don't change it */
437 if (context->default_cc_name_set)
438 return 0;
439
440 /* XXX performance: always ask KCM/API if default name has changed */
441 if (context->default_cc_name &&
442 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
443 strncmp(context->default_cc_name, "API:", 4) == 0))
444 return 1;
445
446 if(issuid())
447 return 0;
448
449 e = getenv("KRB5CCNAME");
450 if (e == NULL) {
451 if (context->default_cc_name_env) {
452 free(context->default_cc_name_env);
453 context->default_cc_name_env = NULL;
454 return 1;
455 }
456 } else {
457 if (context->default_cc_name_env == NULL)
458 return 1;
459 if (strcmp(e, context->default_cc_name_env) != 0)
460 return 1;
461 }
462 return 0;
463 }
464
465 /**
466 * Switch the default default credential cache for a specific
467 * credcache type (and name for some implementations).
468 *
469 * @return Return an error code or 0, see krb5_get_error_message().
470 *
471 * @ingroup krb5_ccache
472 */
473
474 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
475 krb5_cc_switch(krb5_context context, krb5_ccache id)
476 {
477 #ifdef _WIN32
478 _krb5_set_default_cc_name_to_registry(context, id);
479 #endif
480
481 if (id->ops->set_default == NULL)
482 return 0;
483
484 return (*id->ops->set_default)(context, id);
485 }
486
487 /**
488 * Return true if the default credential cache support switch
489 *
490 * @ingroup krb5_ccache
491 */
492
493 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
494 krb5_cc_support_switch(krb5_context context, const char *type)
495 {
496 const krb5_cc_ops *ops;
497
498 ops = krb5_cc_get_prefix_ops(context, type);
499 if (ops && ops->set_default)
500 return 1;
501 return FALSE;
502 }
503
504 /**
505 * Set the default cc name for `context' to `name'.
506 *
507 * @ingroup krb5_ccache
508 */
509
510 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
511 krb5_cc_set_default_name(krb5_context context, const char *name)
512 {
513 krb5_error_code ret = 0;
514 char *p = NULL, *exp_p = NULL;
515 int filepath;
516
517 if (name == NULL) {
518 const char *e = NULL;
519
520 if(!issuid()) {
521 e = getenv("KRB5CCNAME");
522 if (e) {
523 p = strdup(e);
524 if (context->default_cc_name_env)
525 free(context->default_cc_name_env);
526 context->default_cc_name_env = strdup(e);
527 }
528 }
529
530 #ifdef _WIN32
531 if (e == NULL) {
532 e = p = _krb5_get_default_cc_name_from_registry(context);
533 }
534 #endif
535 if (e == NULL) {
536 e = krb5_config_get_string(context, NULL, "libdefaults",
537 "default_cc_name", NULL);
538 if (e) {
539 ret = _krb5_expand_default_cc_name(context, e, &p);
540 if (ret)
541 return ret;
542 }
543 if (e == NULL) {
544 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
545 e = krb5_config_get_string(context, NULL, "libdefaults",
546 "default_cc_type", NULL);
547 if (e) {
548 ops = krb5_cc_get_prefix_ops(context, e);
549 if (ops == NULL) {
550 krb5_set_error_message(context,
551 KRB5_CC_UNKNOWN_TYPE,
552 "Credential cache type %s "
553 "is unknown", e);
554 return KRB5_CC_UNKNOWN_TYPE;
555 }
556 }
557 ret = (*ops->get_default_name)(context, &p);
558 if (ret)
559 return ret;
560 }
561 }
562 context->default_cc_name_set = 0;
563 } else {
564 p = strdup(name);
565 context->default_cc_name_set = 1;
566 }
567
568 if (p == NULL)
569 return krb5_enomem(context);
570
571 filepath = (strncmp("FILE:", p, 5) == 0
572 || strncmp("DIR:", p, 4) == 0
573 || strncmp("SCC:", p, 4) == 0);
574
575 ret = _krb5_expand_path_tokens(context, p, filepath, &exp_p);
576 free(p);
577 p = exp_p;
578 if (ret)
579 return ret;
580
581 if (context->default_cc_name)
582 free(context->default_cc_name);
583
584 context->default_cc_name = p;
585
586 return 0;
587 }
588
589 /**
590 * Return a pointer to a context static string containing the default
591 * ccache name.
592 *
593 * @return String to the default credential cache name.
594 *
595 * @ingroup krb5_ccache
596 */
597
598
599 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
600 krb5_cc_default_name(krb5_context context)
601 {
602 if (context->default_cc_name == NULL || environment_changed(context))
603 krb5_cc_set_default_name(context, NULL);
604
605 return context->default_cc_name;
606 }
607
608 /**
609 * Open the default ccache in `id'.
610 *
611 * @return Return an error code or 0, see krb5_get_error_message().
612 *
613 * @ingroup krb5_ccache
614 */
615
616
617 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
618 krb5_cc_default(krb5_context context,
619 krb5_ccache *id)
620 {
621 const char *p = krb5_cc_default_name(context);
622
623 if (p == NULL)
624 return krb5_enomem(context);
625 return krb5_cc_resolve(context, p, id);
626 }
627
628 /**
629 * Create a new ccache in `id' for `primary_principal'.
630 *
631 * @return Return an error code or 0, see krb5_get_error_message().
632 *
633 * @ingroup krb5_ccache
634 */
635
636
637 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
638 krb5_cc_initialize(krb5_context context,
639 krb5_ccache id,
640 krb5_principal primary_principal)
641 {
642 krb5_error_code ret;
643
644 ret = (*id->ops->init)(context, id, primary_principal);
645 if (ret == 0)
646 id->initialized = 1;
647 return ret;
648 }
649
650
651 /**
652 * Remove the ccache `id'.
653 *
654 * @return Return an error code or 0, see krb5_get_error_message().
655 *
656 * @ingroup krb5_ccache
657 */
658
659
660 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
661 krb5_cc_destroy(krb5_context context,
662 krb5_ccache id)
663 {
664 krb5_error_code ret;
665
666 ret = (*id->ops->destroy)(context, id);
667 krb5_cc_close (context, id);
668 return ret;
669 }
670
671 /**
672 * Stop using the ccache `id' and free the related resources.
673 *
674 * @return Return an error code or 0, see krb5_get_error_message().
675 *
676 * @ingroup krb5_ccache
677 */
678
679
680 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
681 krb5_cc_close(krb5_context context,
682 krb5_ccache id)
683 {
684 krb5_error_code ret;
685 ret = (*id->ops->close)(context, id);
686 free(id);
687 return ret;
688 }
689
690 /**
691 * Store `creds' in the ccache `id'.
692 *
693 * @return Return an error code or 0, see krb5_get_error_message().
694 *
695 * @ingroup krb5_ccache
696 */
697
698
699 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
700 krb5_cc_store_cred(krb5_context context,
701 krb5_ccache id,
702 krb5_creds *creds)
703 {
704 krb5_error_code ret;
705 krb5_data realm;
706
707 ret = (*id->ops->store)(context, id, creds);
708
709 /* Look for and mark the first root TGT's realm as the start realm */
710 if (ret == 0 && id->initialized &&
711 !krb5_is_config_principal(context, creds->server) &&
712 krb5_principal_is_root_krbtgt(context, creds->server)) {
713
714 id->initialized = 1;
715 realm.length = strlen(creds->server->realm) + 1;
716 realm.data = creds->server->realm;
717 (void) krb5_cc_set_config(context, id, NULL, "start_realm", &realm);
718 } else if (ret == 0 && id->initialized &&
719 krb5_is_config_principal(context, creds->server) &&
720 strcmp(creds->server->name.name_string.val[1], "start_realm") == 0) {
721
722 /*
723 * But if the caller is storing a start_realm ccconfig, then
724 * stop looking for root TGTs to mark as the start_realm.
725 *
726 * By honoring any start_realm cc config stored, we interop
727 * both, with ccache implementations that don't preserve
728 * insertion order, and Kerberos implementations that store this
729 * cc config before the TGT.
730 */
731 id->initialized = 1;
732 }
733 return ret;
734 }
735
736 /**
737 * Retrieve the credential identified by `mcreds' (and `whichfields')
738 * from `id' in `creds'. 'creds' must be free by the caller using
739 * krb5_free_cred_contents.
740 *
741 * @param context A Kerberos 5 context
742 * @param id a Kerberos 5 credential cache
743 * @param whichfields what fields to use for matching credentials, same
744 * flags as whichfields in krb5_compare_creds()
745 * @param mcreds template credential to use for comparing
746 * @param creds returned credential, free with krb5_free_cred_contents()
747 *
748 * @return Return an error code or 0, see krb5_get_error_message().
749 *
750 * @ingroup krb5_ccache
751 */
752
753
754 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
755 krb5_cc_retrieve_cred(krb5_context context,
756 krb5_ccache id,
757 krb5_flags whichfields,
758 const krb5_creds *mcreds,
759 krb5_creds *creds)
760 {
761 krb5_error_code ret;
762 krb5_cc_cursor cursor;
763
764 if (id->ops->retrieve != NULL) {
765 return (*id->ops->retrieve)(context, id, whichfields,
766 mcreds, creds);
767 }
768
769 ret = krb5_cc_start_seq_get(context, id, &cursor);
770 if (ret)
771 return ret;
772 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
773 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
774 ret = 0;
775 break;
776 }
777 krb5_free_cred_contents (context, creds);
778 }
779 krb5_cc_end_seq_get(context, id, &cursor);
780 return ret;
781 }
782
783 /**
784 * Return the principal of `id' in `principal'.
785 *
786 * @return Return an error code or 0, see krb5_get_error_message().
787 *
788 * @ingroup krb5_ccache
789 */
790
791
792 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
793 krb5_cc_get_principal(krb5_context context,
794 krb5_ccache id,
795 krb5_principal *principal)
796 {
797 return (*id->ops->get_princ)(context, id, principal);
798 }
799
800 /**
801 * Start iterating over `id', `cursor' is initialized to the
802 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
803 *
804 * @return Return an error code or 0, see krb5_get_error_message().
805 *
806 * @ingroup krb5_ccache
807 */
808
809
810 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
811 krb5_cc_start_seq_get (krb5_context context,
812 const krb5_ccache id,
813 krb5_cc_cursor *cursor)
814 {
815 return (*id->ops->get_first)(context, id, cursor);
816 }
817
818 /**
819 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
820 * and advance `cursor'.
821 *
822 * @return Return an error code or 0, see krb5_get_error_message().
823 *
824 * @ingroup krb5_ccache
825 */
826
827
828 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
829 krb5_cc_next_cred (krb5_context context,
830 const krb5_ccache id,
831 krb5_cc_cursor *cursor,
832 krb5_creds *creds)
833 {
834 return (*id->ops->get_next)(context, id, cursor, creds);
835 }
836
837 /**
838 * Destroy the cursor `cursor'.
839 *
840 * @ingroup krb5_ccache
841 */
842
843
844 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
845 krb5_cc_end_seq_get (krb5_context context,
846 const krb5_ccache id,
847 krb5_cc_cursor *cursor)
848 {
849 return (*id->ops->end_get)(context, id, cursor);
850 }
851
852 /**
853 * Remove the credential identified by `cred', `which' from `id'.
854 *
855 * @ingroup krb5_ccache
856 */
857
858
859 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
860 krb5_cc_remove_cred(krb5_context context,
861 krb5_ccache id,
862 krb5_flags which,
863 krb5_creds *cred)
864 {
865 if(id->ops->remove_cred == NULL) {
866 krb5_set_error_message(context,
867 EACCES,
868 "ccache %s does not support remove_cred",
869 id->ops->prefix);
870 return EACCES; /* XXX */
871 }
872 return (*id->ops->remove_cred)(context, id, which, cred);
873 }
874
875 /**
876 * Set the flags of `id' to `flags'.
877 *
878 * @ingroup krb5_ccache
879 */
880
881
882 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
883 krb5_cc_set_flags(krb5_context context,
884 krb5_ccache id,
885 krb5_flags flags)
886 {
887 return (*id->ops->set_flags)(context, id, flags);
888 }
889
890 /**
891 * Get the flags of `id', store them in `flags'.
892 *
893 * @ingroup krb5_ccache
894 */
895
896 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
897 krb5_cc_get_flags(krb5_context context,
898 krb5_ccache id,
899 krb5_flags *flags)
900 {
901 *flags = 0;
902 return 0;
903 }
904
905 /**
906 * Copy the contents of `from' to `to' if the given match function
907 * return true.
908 *
909 * @param context A Kerberos 5 context.
910 * @param from the cache to copy data from.
911 * @param to the cache to copy data to.
912 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
913 * @param matchctx context passed to match function.
914 * @param matched set to true if there was a credential that matched, may be NULL.
915 *
916 * @return Return an error code or 0, see krb5_get_error_message().
917 *
918 * @ingroup krb5_ccache
919 */
920
921 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
922 krb5_cc_copy_match_f(krb5_context context,
923 const krb5_ccache from,
924 krb5_ccache to,
925 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
926 void *matchctx,
927 unsigned int *matched)
928 {
929 krb5_error_code ret;
930 krb5_cc_cursor cursor;
931 krb5_creds cred;
932 krb5_principal princ;
933
934 if (matched)
935 *matched = 0;
936
937 ret = krb5_cc_get_principal(context, from, &princ);
938 if (ret)
939 return ret;
940 ret = krb5_cc_initialize(context, to, princ);
941 if (ret) {
942 krb5_free_principal(context, princ);
943 return ret;
944 }
945 ret = krb5_cc_start_seq_get(context, from, &cursor);
946 if (ret) {
947 krb5_free_principal(context, princ);
948 return ret;
949 }
950
951 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
952 if (match == NULL || (*match)(context, matchctx, &cred)) {
953 if (matched)
954 (*matched)++;
955 ret = krb5_cc_store_cred(context, to, &cred);
956 if (ret)
957 break;
958 }
959 krb5_free_cred_contents(context, &cred);
960 }
961 krb5_cc_end_seq_get(context, from, &cursor);
962 krb5_free_principal(context, princ);
963 if (ret == KRB5_CC_END)
964 ret = 0;
965 return ret;
966 }
967
968 /**
969 * Just like krb5_cc_copy_match_f(), but copy everything.
970 *
971 * @ingroup @krb5_ccache
972 */
973
974 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
975 krb5_cc_copy_cache(krb5_context context,
976 const krb5_ccache from,
977 krb5_ccache to)
978 {
979 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
980 }
981
982 /**
983 * Return the version of `id'.
984 *
985 * @ingroup krb5_ccache
986 */
987
988
989 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
990 krb5_cc_get_version(krb5_context context,
991 const krb5_ccache id)
992 {
993 if(id->ops->get_version)
994 return (*id->ops->get_version)(context, id);
995 else
996 return 0;
997 }
998
999 /**
1000 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
1001 *
1002 * @ingroup krb5_ccache
1003 */
1004
1005
1006 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1007 krb5_cc_clear_mcred(krb5_creds *mcred)
1008 {
1009 memset(mcred, 0, sizeof(*mcred));
1010 }
1011
1012 /**
1013 * Get the cc ops that is registered in `context' to handle the
1014 * prefix. prefix can be a complete credential cache name or a
1015 * prefix, the function will only use part up to the first colon (:)
1016 * if there is one. If prefix the argument is NULL, the default ccache
1017 * implemtation is returned.
1018 *
1019 * @return Returns NULL if ops not found.
1020 *
1021 * @ingroup krb5_ccache
1022 */
1023
1024
1025 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
1026 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
1027 {
1028 char *p, *p1;
1029 int i;
1030
1031 if (prefix == NULL)
1032 return KRB5_DEFAULT_CCTYPE;
1033
1034 /* Is absolute path? Or UNC path? */
1035 if (ISPATHSEP(prefix[0]))
1036 return &krb5_fcc_ops;
1037
1038 #ifdef _WIN32
1039 /* Is drive letter? */
1040 if (isalpha(prefix[0]) && prefix[1] == ':')
1041 return &krb5_fcc_ops;
1042 #endif
1043
1044 p = strdup(prefix);
1045 if (p == NULL) {
1046 krb5_enomem(context);
1047 return NULL;
1048 }
1049 p1 = strchr(p, ':');
1050 if (p1)
1051 *p1 = '\0';
1052
1053 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
1054 if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
1055 free(p);
1056 return context->cc_ops[i];
1057 }
1058 }
1059 free(p);
1060 return NULL;
1061 }
1062
1063 struct krb5_cc_cache_cursor_data {
1064 const krb5_cc_ops *ops;
1065 krb5_cc_cursor cursor;
1066 };
1067
1068 /**
1069 * Start iterating over all caches of specified type. See also
1070 * krb5_cccol_cursor_new().
1071
1072 * @param context A Kerberos 5 context
1073 * @param type optional type to iterate over, if NULL, the default cache is used.
1074 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1075 *
1076 * @return Return an error code or 0, see krb5_get_error_message().
1077 *
1078 * @ingroup krb5_ccache
1079 */
1080
1081
1082 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1083 krb5_cc_cache_get_first (krb5_context context,
1084 const char *type,
1085 krb5_cc_cache_cursor *cursor)
1086 {
1087 const krb5_cc_ops *ops;
1088 krb5_error_code ret;
1089
1090 if (type == NULL)
1091 type = krb5_cc_default_name(context);
1092
1093 ops = krb5_cc_get_prefix_ops(context, type);
1094 if (ops == NULL) {
1095 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1096 "Unknown type \"%s\" when iterating "
1097 "trying to iterate the credential caches", type);
1098 return KRB5_CC_UNKNOWN_TYPE;
1099 }
1100
1101 if (ops->get_cache_first == NULL) {
1102 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1103 N_("Credential cache type %s doesn't support "
1104 "iterations over caches", "type"),
1105 ops->prefix);
1106 return KRB5_CC_NOSUPP;
1107 }
1108
1109 *cursor = calloc(1, sizeof(**cursor));
1110 if (*cursor == NULL)
1111 return krb5_enomem(context);
1112
1113 (*cursor)->ops = ops;
1114
1115 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1116 if (ret) {
1117 free(*cursor);
1118 *cursor = NULL;
1119 }
1120 return ret;
1121 }
1122
1123 /**
1124 * Retrieve the next cache pointed to by (`cursor') in `id'
1125 * and advance `cursor'.
1126 *
1127 * @param context A Kerberos 5 context
1128 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1129 * @param id next ccache
1130 *
1131 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1132 * of caches is reached, see krb5_get_error_message().
1133 *
1134 * @ingroup krb5_ccache
1135 */
1136
1137
1138 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1139 krb5_cc_cache_next (krb5_context context,
1140 krb5_cc_cache_cursor cursor,
1141 krb5_ccache *id)
1142 {
1143 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1144 }
1145
1146 /**
1147 * Destroy the cursor `cursor'.
1148 *
1149 * @return Return an error code or 0, see krb5_get_error_message().
1150 *
1151 * @ingroup krb5_ccache
1152 */
1153
1154
1155 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1156 krb5_cc_cache_end_seq_get (krb5_context context,
1157 krb5_cc_cache_cursor cursor)
1158 {
1159 krb5_error_code ret;
1160 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1161 cursor->ops = NULL;
1162 free(cursor);
1163 return ret;
1164 }
1165
1166 /**
1167 * Search for a matching credential cache that have the
1168 * `principal' as the default principal. On success, `id' needs to be
1169 * freed with krb5_cc_close() or krb5_cc_destroy().
1170 *
1171 * @param context A Kerberos 5 context
1172 * @param client The principal to search for
1173 * @param id the returned credential cache
1174 *
1175 * @return On failure, error code is returned and `id' is set to NULL.
1176 *
1177 * @ingroup krb5_ccache
1178 */
1179
1180
1181 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1182 krb5_cc_cache_match (krb5_context context,
1183 krb5_principal client,
1184 krb5_ccache *id)
1185 {
1186 krb5_cccol_cursor cursor;
1187 krb5_error_code ret;
1188 krb5_ccache cache = NULL;
1189 krb5_ccache expired_match = NULL;
1190
1191 *id = NULL;
1192
1193 ret = krb5_cccol_cursor_new (context, &cursor);
1194 if (ret)
1195 return ret;
1196
1197 while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) {
1198 krb5_principal principal;
1199 krb5_boolean match;
1200 time_t lifetime;
1201
1202 ret = krb5_cc_get_principal(context, cache, &principal);
1203 if (ret)
1204 goto next;
1205
1206 if (client->name.name_string.len == 0)
1207 match = (strcmp(client->realm, principal->realm) == 0);
1208 else
1209 match = krb5_principal_compare(context, principal, client);
1210 krb5_free_principal(context, principal);
1211
1212 if (!match)
1213 goto next;
1214
1215 if (expired_match == NULL &&
1216 (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) {
1217 expired_match = cache;
1218 cache = NULL;
1219 goto next;
1220 }
1221 break;
1222
1223 next:
1224 if (cache)
1225 krb5_cc_close(context, cache);
1226 cache = NULL;
1227 }
1228
1229 krb5_cccol_cursor_free(context, &cursor);
1230
1231 if (cache == NULL && expired_match) {
1232 cache = expired_match;
1233 expired_match = NULL;
1234 } else if (expired_match) {
1235 krb5_cc_close(context, expired_match);
1236 } else if (cache == NULL) {
1237 char *str;
1238
1239 krb5_unparse_name(context, client, &str);
1240
1241 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1242 N_("Principal %s not found in any "
1243 "credential cache", ""),
1244 str ? str : "<out of memory>");
1245 if (str)
1246 free(str);
1247 return KRB5_CC_NOTFOUND;
1248 }
1249
1250 *id = cache;
1251
1252 return 0;
1253 }
1254
1255 /**
1256 * Move the content from one credential cache to another. The
1257 * operation is an atomic switch.
1258 *
1259 * @param context a Keberos context
1260 * @param from the credential cache to move the content from
1261 * @param to the credential cache to move the content to
1262
1263 * @return On sucess, from is freed. On failure, error code is
1264 * returned and from and to are both still allocated, see krb5_get_error_message().
1265 *
1266 * @ingroup krb5_ccache
1267 */
1268
1269 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1270 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1271 {
1272 krb5_error_code ret;
1273
1274 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1275 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1276 N_("Moving credentials between diffrent "
1277 "types not yet supported", ""));
1278 return KRB5_CC_NOSUPP;
1279 }
1280
1281 ret = (*to->ops->move)(context, from, to);
1282 if (ret == 0) {
1283 memset(from, 0, sizeof(*from));
1284 free(from);
1285 }
1286 return ret;
1287 }
1288
1289 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1290 #define KRB5_REALM_NAME "X-CACHECONF:"
1291
1292 static krb5_error_code
1293 build_conf_principals(krb5_context context, krb5_ccache id,
1294 krb5_const_principal principal,
1295 const char *name, krb5_creds *cred)
1296 {
1297 krb5_principal client;
1298 krb5_error_code ret;
1299 char *pname = NULL;
1300
1301 memset(cred, 0, sizeof(*cred));
1302
1303 ret = krb5_cc_get_principal(context, id, &client);
1304 if (ret)
1305 return ret;
1306
1307 if (principal) {
1308 ret = krb5_unparse_name(context, principal, &pname);
1309 if (ret)
1310 return ret;
1311 }
1312
1313 ret = krb5_make_principal(context, &cred->server,
1314 KRB5_REALM_NAME,
1315 KRB5_CONF_NAME, name, pname, NULL);
1316 free(pname);
1317 if (ret) {
1318 krb5_free_principal(context, client);
1319 return ret;
1320 }
1321 ret = krb5_copy_principal(context, client, &cred->client);
1322 krb5_free_principal(context, client);
1323 return ret;
1324 }
1325
1326 /**
1327 * Return TRUE (non zero) if the principal is a configuration
1328 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1329 * (zero) if not a configuration principal.
1330 *
1331 * @param context a Keberos context
1332 * @param principal principal to check if it a configuration principal
1333 *
1334 * @ingroup krb5_ccache
1335 */
1336
1337 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1338 krb5_is_config_principal(krb5_context context,
1339 krb5_const_principal principal)
1340 {
1341 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1342 return FALSE;
1343
1344 if (principal->name.name_string.len == 0 ||
1345 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1346 return FALSE;
1347
1348 return TRUE;
1349 }
1350
1351 /**
1352 * Store some configuration for the credential cache in the cache.
1353 * Existing configuration under the same name is over-written.
1354 *
1355 * @param context a Keberos context
1356 * @param id the credential cache to store the data for
1357 * @param principal configuration for a specific principal, if
1358 * NULL, global for the whole cache.
1359 * @param name name under which the configuraion is stored.
1360 * @param data data to store, if NULL, configure is removed.
1361 *
1362 * @ingroup krb5_ccache
1363 */
1364
1365 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1366 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1367 krb5_const_principal principal,
1368 const char *name, krb5_data *data)
1369 {
1370 krb5_error_code ret;
1371 krb5_creds cred;
1372
1373 ret = build_conf_principals(context, id, principal, name, &cred);
1374 if (ret)
1375 goto out;
1376
1377 /* Remove old configuration */
1378 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1379 if (ret && ret != KRB5_CC_NOTFOUND)
1380 goto out;
1381
1382 if (data) {
1383 /* not that anyone care when this expire */
1384 cred.times.authtime = time(NULL);
1385 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1386
1387 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1388 if (ret)
1389 goto out;
1390
1391 ret = krb5_cc_store_cred(context, id, &cred);
1392 }
1393
1394 out:
1395 krb5_free_cred_contents (context, &cred);
1396 return ret;
1397 }
1398
1399 /**
1400 * Get some configuration for the credential cache in the cache.
1401 *
1402 * @param context a Keberos context
1403 * @param id the credential cache to store the data for
1404 * @param principal configuration for a specific principal, if
1405 * NULL, global for the whole cache.
1406 * @param name name under which the configuraion is stored.
1407 * @param data data to fetched, free with krb5_data_free()
1408 *
1409 * @ingroup krb5_ccache
1410 */
1411
1412
1413 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1414 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1415 krb5_const_principal principal,
1416 const char *name, krb5_data *data)
1417 {
1418 krb5_creds mcred, cred;
1419 krb5_error_code ret;
1420
1421 memset(&cred, 0, sizeof(cred));
1422 krb5_data_zero(data);
1423
1424 ret = build_conf_principals(context, id, principal, name, &mcred);
1425 if (ret)
1426 goto out;
1427
1428 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1429 if (ret)
1430 goto out;
1431
1432 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1433
1434 out:
1435 krb5_free_cred_contents (context, &cred);
1436 krb5_free_cred_contents (context, &mcred);
1437 return ret;
1438 }
1439
1440 /*
1441 *
1442 */
1443
1444 struct krb5_cccol_cursor_data {
1445 int idx;
1446 krb5_cc_cache_cursor cursor;
1447 };
1448
1449 /**
1450 * Get a new cache interation cursor that will interate over all
1451 * credentials caches independent of type.
1452 *
1453 * @param context a Keberos context
1454 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1455 *
1456 * @return Returns 0 or and error code, see krb5_get_error_message().
1457 *
1458 * @ingroup krb5_ccache
1459 */
1460
1461 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1462 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1463 {
1464 *cursor = calloc(1, sizeof(**cursor));
1465 if (*cursor == NULL)
1466 return krb5_enomem(context);
1467 (*cursor)->idx = 0;
1468 (*cursor)->cursor = NULL;
1469
1470 return 0;
1471 }
1472
1473 /**
1474 * Get next credential cache from the iteration.
1475 *
1476 * @param context A Kerberos 5 context
1477 * @param cursor the iteration cursor
1478 * @param cache the returned cursor, pointer is set to NULL on failure
1479 * and a cache on success. The returned cache needs to be freed
1480 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1481 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1482 * when all caches are iterated over and return 0.
1483 *
1484 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1485 * of iteration. See krb5_get_error_message().
1486 *
1487 * @ingroup krb5_ccache
1488 */
1489
1490
1491 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1492 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1493 krb5_ccache *cache)
1494 {
1495 krb5_error_code ret;
1496
1497 *cache = NULL;
1498
1499 while (cursor->idx < context->num_cc_ops) {
1500
1501 if (cursor->cursor == NULL) {
1502 ret = krb5_cc_cache_get_first (context,
1503 context->cc_ops[cursor->idx]->prefix,
1504 &cursor->cursor);
1505 if (ret) {
1506 cursor->idx++;
1507 continue;
1508 }
1509 }
1510 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1511 if (ret == 0)
1512 break;
1513
1514 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1515 cursor->cursor = NULL;
1516 if (ret != KRB5_CC_END)
1517 break;
1518
1519 cursor->idx++;
1520 }
1521 if (cursor->idx >= context->num_cc_ops) {
1522 krb5_set_error_message(context, KRB5_CC_END,
1523 N_("Reached end of credential caches", ""));
1524 return KRB5_CC_END;
1525 }
1526
1527 return 0;
1528 }
1529
1530 /**
1531 * End an iteration and free all resources, can be done before end is reached.
1532 *
1533 * @param context A Kerberos 5 context
1534 * @param cursor the iteration cursor to be freed.
1535 *
1536 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1537 * of iteration. See krb5_get_error_message().
1538 *
1539 * @ingroup krb5_ccache
1540 */
1541
1542 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1543 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1544 {
1545 krb5_cccol_cursor c = *cursor;
1546
1547 *cursor = NULL;
1548 if (c) {
1549 if (c->cursor)
1550 krb5_cc_cache_end_seq_get(context, c->cursor);
1551 free(c);
1552 }
1553 return 0;
1554 }
1555
1556 /**
1557 * Return the last time the credential cache was modified.
1558 *
1559 * @param context A Kerberos 5 context
1560 * @param id The credential cache to probe
1561 * @param mtime the last modification time, set to 0 on error.
1562
1563 * @return Return 0 or and error. See krb5_get_error_message().
1564 *
1565 * @ingroup krb5_ccache
1566 */
1567
1568
1569 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1570 krb5_cc_last_change_time(krb5_context context,
1571 krb5_ccache id,
1572 krb5_timestamp *mtime)
1573 {
1574 *mtime = 0;
1575 return (*id->ops->lastchange)(context, id, mtime);
1576 }
1577
1578 /**
1579 * Return the last modfication time for a cache collection. The query
1580 * can be limited to a specific cache type. If the function return 0
1581 * and mtime is 0, there was no credentials in the caches.
1582 *
1583 * @param context A Kerberos 5 context
1584 * @param type The credential cache to probe, if NULL, all type are traversed.
1585 * @param mtime the last modification time, set to 0 on error.
1586
1587 * @return Return 0 or and error. See krb5_get_error_message().
1588 *
1589 * @ingroup krb5_ccache
1590 */
1591
1592 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1593 krb5_cccol_last_change_time(krb5_context context,
1594 const char *type,
1595 krb5_timestamp *mtime)
1596 {
1597 krb5_cccol_cursor cursor;
1598 krb5_error_code ret;
1599 krb5_ccache id;
1600 krb5_timestamp t = 0;
1601
1602 *mtime = 0;
1603
1604 ret = krb5_cccol_cursor_new (context, &cursor);
1605 if (ret)
1606 return ret;
1607
1608 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1609
1610 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1611 continue;
1612
1613 ret = krb5_cc_last_change_time(context, id, &t);
1614 krb5_cc_close(context, id);
1615 if (ret)
1616 continue;
1617 if (t > *mtime)
1618 *mtime = t;
1619 }
1620
1621 krb5_cccol_cursor_free(context, &cursor);
1622
1623 return 0;
1624 }
1625 /**
1626 * Return a friendly name on credential cache. Free the result with krb5_xfree().
1627 *
1628 * @return Return an error code or 0, see krb5_get_error_message().
1629 *
1630 * @ingroup krb5_ccache
1631 */
1632
1633 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1634 krb5_cc_get_friendly_name(krb5_context context,
1635 krb5_ccache id,
1636 char **name)
1637 {
1638 krb5_error_code ret;
1639 krb5_data data;
1640
1641 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1642 if (ret) {
1643 krb5_principal principal;
1644 ret = krb5_cc_get_principal(context, id, &principal);
1645 if (ret)
1646 return ret;
1647 ret = krb5_unparse_name(context, principal, name);
1648 krb5_free_principal(context, principal);
1649 } else {
1650 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1651 krb5_data_free(&data);
1652 if (ret <= 0)
1653 ret = krb5_enomem(context);
1654 else
1655 ret = 0;
1656 }
1657
1658 return ret;
1659 }
1660
1661 /**
1662 * Set the friendly name on credential cache.
1663 *
1664 * @return Return an error code or 0, see krb5_get_error_message().
1665 *
1666 * @ingroup krb5_ccache
1667 */
1668
1669 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1670 krb5_cc_set_friendly_name(krb5_context context,
1671 krb5_ccache id,
1672 const char *name)
1673 {
1674 krb5_data data;
1675
1676 data.data = rk_UNCONST(name);
1677 data.length = strlen(name);
1678
1679 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1680 }
1681
1682 /**
1683 * Get the lifetime of the initial ticket in the cache
1684 *
1685 * Get the lifetime of the initial ticket in the cache, if the initial
1686 * ticket was not found, the error code KRB5_CC_END is returned.
1687 *
1688 * @param context A Kerberos 5 context.
1689 * @param id a credential cache
1690 * @param t the relative lifetime of the initial ticket
1691 *
1692 * @return Return an error code or 0, see krb5_get_error_message().
1693 *
1694 * @ingroup krb5_ccache
1695 */
1696
1697 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1698 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1699 {
1700 krb5_data config_start_realm;
1701 char *start_realm;
1702 krb5_cc_cursor cursor;
1703 krb5_error_code ret;
1704 krb5_creds cred;
1705 time_t now, endtime = 0;
1706
1707 *t = 0;
1708 now = time(NULL);
1709
1710 ret = krb5_cc_get_config(context, id, NULL, "start_realm", &config_start_realm);
1711 if (ret == 0) {
1712 start_realm = strndup(config_start_realm.data, config_start_realm.length);
1713 krb5_data_free(&config_start_realm);
1714 } else {
1715 krb5_principal client;
1716
1717 ret = krb5_cc_get_principal(context, id, &client);
1718 if (ret)
1719 return ret;
1720 start_realm = strdup(krb5_principal_get_realm(context, client));
1721 krb5_free_principal(context, client);
1722 }
1723 if (start_realm == NULL)
1724 return krb5_enomem(context);
1725
1726 ret = krb5_cc_start_seq_get(context, id, &cursor);
1727 if (ret)
1728 return ret;
1729
1730 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1731 /**
1732 * If we find the start krbtgt in the cache, use that as the lifespan.
1733 */
1734 if (krb5_principal_is_root_krbtgt(context, cred.server) &&
1735 strcmp(cred.server->realm, start_realm) == 0) {
1736 if (now < cred.times.endtime)
1737 endtime = cred.times.endtime;
1738 krb5_free_cred_contents(context, &cred);
1739 break;
1740 }
1741 /*
1742 * Skip config entries
1743 */
1744 if (krb5_is_config_principal(context, cred.server)) {
1745 krb5_free_cred_contents(context, &cred);
1746 continue;
1747 }
1748 /**
1749 * If there was no krbtgt, use the shortest lifetime of
1750 * service tickets that have yet to expire. If all
1751 * credentials are expired, krb5_cc_get_lifetime() will fail.
1752 */
1753 if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime)
1754 endtime = cred.times.endtime;
1755 krb5_free_cred_contents(context, &cred);
1756 }
1757 free(start_realm);
1758
1759 /* if we found an endtime use that */
1760 if (endtime) {
1761 *t = endtime - now;
1762 ret = 0;
1763 }
1764
1765 krb5_cc_end_seq_get(context, id, &cursor);
1766
1767 return ret;
1768 }
1769
1770 /**
1771 * Set the time offset betwen the client and the KDC
1772 *
1773 * If the backend doesn't support KDC offset, use the context global setting.
1774 *
1775 * @param context A Kerberos 5 context.
1776 * @param id a credential cache
1777 * @param offset the offset in seconds
1778 *
1779 * @return Return an error code or 0, see krb5_get_error_message().
1780 *
1781 * @ingroup krb5_ccache
1782 */
1783
1784 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1785 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1786 {
1787 if (id->ops->set_kdc_offset == NULL) {
1788 context->kdc_sec_offset = offset;
1789 context->kdc_usec_offset = 0;
1790 return 0;
1791 }
1792 return (*id->ops->set_kdc_offset)(context, id, offset);
1793 }
1794
1795 /**
1796 * Get the time offset betwen the client and the KDC
1797 *
1798 * If the backend doesn't support KDC offset, use the context global setting.
1799 *
1800 * @param context A Kerberos 5 context.
1801 * @param id a credential cache
1802 * @param offset the offset in seconds
1803 *
1804 * @return Return an error code or 0, see krb5_get_error_message().
1805 *
1806 * @ingroup krb5_ccache
1807 */
1808
1809 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1810 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1811 {
1812 if (id->ops->get_kdc_offset == NULL) {
1813 *offset = context->kdc_sec_offset;
1814 return 0;
1815 }
1816 return (*id->ops->get_kdc_offset)(context, id, offset);
1817 }
1818
1819
1820 #ifdef _WIN32
1821
1822 #define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5"
1823 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
1824 _krb5_get_default_cc_name_from_registry(krb5_context context)
1825 {
1826 HKEY hk_k5 = 0;
1827 LONG code;
1828 char * ccname = NULL;
1829
1830 code = RegOpenKeyEx(HKEY_CURRENT_USER,
1831 REGPATH_MIT_KRB5,
1832 0, KEY_READ, &hk_k5);
1833
1834 if (code != ERROR_SUCCESS)
1835 return NULL;
1836
1837 ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
1838 REG_NONE, 0);
1839
1840 RegCloseKey(hk_k5);
1841
1842 return ccname;
1843 }
1844
1845 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
1846 _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
1847 {
1848 HKEY hk_k5 = 0;
1849 LONG code;
1850 int ret = -1;
1851 char * ccname = NULL;
1852
1853 code = RegOpenKeyEx(HKEY_CURRENT_USER,
1854 REGPATH_MIT_KRB5,
1855 0, KEY_READ|KEY_WRITE, &hk_k5);
1856
1857 if (code != ERROR_SUCCESS)
1858 return -1;
1859
1860 ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id));
1861 if (ret < 0)
1862 goto cleanup;
1863
1864 ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
1865 REG_SZ, ccname, -1, 0);
1866
1867 cleanup:
1868
1869 if (ccname)
1870 free(ccname);
1871
1872 RegCloseKey(hk_k5);
1873
1874 return ret;
1875 }
1876
1877 #endif
Heimdal