search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
[Samba/vl.git] / source4 / heimdal / lib / krb5 / cache.c
blob616044e67baad8f0af23a40c2aa1c733520ccefa
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
41 *
42 * krb5_ccache structure holds a Kerberos credential cache.
43 *
44 * Heimdal support the follow types of credential caches:
45 *
46 * - SCC
47 * Store the credential in a database
48 * - FILE
49 * Store the credential in memory
50 * - MEMORY
51 * Store the credential in memory
52 * - API
53 * A credential cache server based solution for Mac OS X
54 * - KCM
55 * A credential cache server based solution for all platforms
56 *
57 * @subsection Example
58 *
59 * This is a minimalistic version of klist:
60 @code
61 #include <krb5.h>
62
63 int
64 main (int argc, char **argv)
65 {
66 krb5_context context;
67 krb5_cc_cursor cursor;
68 krb5_error_code ret;
69 krb5_ccache id;
70 krb5_creds creds;
71
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
74
75 ret = krb5_cc_default (context, &id);
76 if (ret)
77 krb5_err(context, 1, ret, "krb5_cc_default");
78
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
80 if (ret)
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
82
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
84 char *principal;
85
86 krb5_unparse_name(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
88 free(principal);
89 krb5_free_cred_contents (context, &creds);
90 }
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
92 if (ret)
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
94
95 krb5_cc_close(context, id);
96
97 krb5_free_context(context);
98 return 0;
99 }
100 * @endcode
101 */
102
103 /**
104 * Add a new ccache type with operations `ops', overwriting any
105 * existing one if `override'.
106 *
107 * @param context a Keberos context
108 * @param ops type of plugin symbol
109 * @param override flag to select if the registration is to overide
110 * an existing ops with the same name.
111 *
112 * @return Return an error code or 0, see krb5_get_error_message().
113 *
114 * @ingroup krb5_ccache
115 */
116
117 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
118 krb5_cc_register(krb5_context context,
119 const krb5_cc_ops *ops,
120 krb5_boolean override)
121 {
122 int i;
123
124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
126 if(!override) {
127 krb5_set_error_message(context,
128 KRB5_CC_TYPE_EXISTS,
129 N_("cache type %s already exists", "type"),
130 ops->prefix);
131 return KRB5_CC_TYPE_EXISTS;
132 }
133 break;
134 }
135 }
136 if(i == context->num_cc_ops) {
137 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
138 (context->num_cc_ops + 1) *
139 sizeof(context->cc_ops[0]));
140 if(o == NULL) {
141 krb5_set_error_message(context, KRB5_CC_NOMEM,
142 N_("malloc: out of memory", ""));
143 return KRB5_CC_NOMEM;
144 }
145 context->cc_ops = o;
146 context->cc_ops[context->num_cc_ops] = NULL;
147 context->num_cc_ops++;
148 }
149 context->cc_ops[i] = ops;
150 return 0;
151 }
152
153 /*
154 * Allocate the memory for a `id' and the that function table to
155 * `ops'. Returns 0 or and error code.
156 */
157
158 krb5_error_code
159 _krb5_cc_allocate(krb5_context context,
160 const krb5_cc_ops *ops,
161 krb5_ccache *id)
162 {
163 krb5_ccache p;
164
165 p = malloc (sizeof(*p));
166 if(p == NULL) {
167 krb5_set_error_message(context, KRB5_CC_NOMEM,
168 N_("malloc: out of memory", ""));
169 return KRB5_CC_NOMEM;
170 }
171 p->ops = ops;
172 *id = p;
173
174 return 0;
175 }
176
177 /*
178 * Allocate memory for a new ccache in `id' with operations `ops'
179 * and name `residual'. Return 0 or an error code.
180 */
181
182 static krb5_error_code
183 allocate_ccache (krb5_context context,
184 const krb5_cc_ops *ops,
185 const char *residual,
186 krb5_ccache *id)
187 {
188 krb5_error_code ret;
189 #ifdef KRB5_USE_PATH_TOKENS
190 char * exp_residual = NULL;
191
192 ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
193 if (ret)
194 return ret;
195
196 residual = exp_residual;
197 #endif
198
199 ret = _krb5_cc_allocate(context, ops, id);
200 if (ret) {
201 #ifdef KRB5_USE_PATH_TOKENS
202 if (exp_residual)
203 free(exp_residual);
204 #endif
205 return ret;
206 }
207
208 ret = (*id)->ops->resolve(context, id, residual);
209 if(ret) {
210 free(*id);
211 *id = NULL;
212 }
213
214 #ifdef KRB5_USE_PATH_TOKENS
215 if (exp_residual)
216 free(exp_residual);
217 #endif
218
219 return ret;
220 }
221
222 static int
223 is_possible_path_name(const char * name)
224 {
225 const char * colon;
226
227 if ((colon = strchr(name, ':')) == NULL)
228 return TRUE;
229
230 #ifdef _WIN32
231 /* <drive letter>:\path\to\cache ? */
232
233 if (colon == name + 1 &&
234 strchr(colon + 1, ':') == NULL)
235 return TRUE;
236 #endif
237
238 return FALSE;
239 }
240
241 /**
242 * Find and allocate a ccache in `id' from the specification in `residual'.
243 * If the ccache name doesn't contain any colon, interpret it as a file name.
244 *
245 * @param context a Keberos context.
246 * @param name string name of a credential cache.
247 * @param id return pointer to a found credential cache.
248 *
249 * @return Return 0 or an error code. In case of an error, id is set
250 * to NULL, see krb5_get_error_message().
251 *
252 * @ingroup krb5_ccache
253 */
254
255
256 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
257 krb5_cc_resolve(krb5_context context,
258 const char *name,
259 krb5_ccache *id)
260 {
261 int i;
262
263 *id = NULL;
264
265 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
266 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
267
268 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
269 && name[prefix_len] == ':') {
270 return allocate_ccache (context, context->cc_ops[i],
271 name + prefix_len + 1,
272 id);
273 }
274 }
275 if (is_possible_path_name(name))
276 return allocate_ccache (context, &krb5_fcc_ops, name, id);
277 else {
278 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
279 N_("unknown ccache type %s", "name"), name);
280 return KRB5_CC_UNKNOWN_TYPE;
281 }
282 }
283
284 /**
285 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
286 * the library chooses the default credential cache type. The supplied
287 * `hint' (that can be NULL) is a string that the credential cache
288 * type can use to base the name of the credential on, this is to make
289 * it easier for the user to differentiate the credentials.
290 *
291 * @return Return an error code or 0, see krb5_get_error_message().
292 *
293 * @ingroup krb5_ccache
294 */
295
296 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
297 krb5_cc_new_unique(krb5_context context, const char *type,
298 const char *hint, krb5_ccache *id)
299 {
300 const krb5_cc_ops *ops;
301 krb5_error_code ret;
302
303 ops = krb5_cc_get_prefix_ops(context, type);
304 if (ops == NULL) {
305 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
306 "Credential cache type %s is unknown", type);
307 return KRB5_CC_UNKNOWN_TYPE;
308 }
309
310 ret = _krb5_cc_allocate(context, ops, id);
311 if (ret)
312 return ret;
313 ret = (*id)->ops->gen_new(context, id);
314 if (ret) {
315 free(*id);
316 *id = NULL;
317 }
318 return ret;
319 }
320
321 /**
322 * Return the name of the ccache `id'
323 *
324 * @ingroup krb5_ccache
325 */
326
327
328 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
329 krb5_cc_get_name(krb5_context context,
330 krb5_ccache id)
331 {
332 return id->ops->get_name(context, id);
333 }
334
335 /**
336 * Return the type of the ccache `id'.
337 *
338 * @ingroup krb5_ccache
339 */
340
341
342 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
343 krb5_cc_get_type(krb5_context context,
344 krb5_ccache id)
345 {
346 return id->ops->prefix;
347 }
348
349 /**
350 * Return the complete resolvable name the cache
351
352 * @param context a Keberos context
353 * @param id return pointer to a found credential cache
354 * @param str the returned name of a credential cache, free with krb5_xfree()
355 *
356 * @return Returns 0 or an error (and then *str is set to NULL).
357 *
358 * @ingroup krb5_ccache
359 */
360
361
362 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
363 krb5_cc_get_full_name(krb5_context context,
364 krb5_ccache id,
365 char **str)
366 {
367 const char *type, *name;
368
369 *str = NULL;
370
371 type = krb5_cc_get_type(context, id);
372 if (type == NULL) {
373 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
374 "cache have no name of type");
375 return KRB5_CC_UNKNOWN_TYPE;
376 }
377
378 name = krb5_cc_get_name(context, id);
379 if (name == NULL) {
380 krb5_set_error_message(context, KRB5_CC_BADNAME,
381 "cache of type %s have no name", type);
382 return KRB5_CC_BADNAME;
383 }
384
385 if (asprintf(str, "%s:%s", type, name) == -1) {
386 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
387 *str = NULL;
388 return ENOMEM;
389 }
390 return 0;
391 }
392
393 /**
394 * Return krb5_cc_ops of a the ccache `id'.
395 *
396 * @ingroup krb5_ccache
397 */
398
399
400 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
401 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
402 {
403 return id->ops;
404 }
405
406 /*
407 * Expand variables in `str' into `res'
408 */
409
410 krb5_error_code
411 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
412 {
413 return _krb5_expand_path_tokens(context, str, res);
414 }
415
416 /*
417 * Return non-zero if envirnoment that will determine default krb5cc
418 * name has changed.
419 */
420
421 static int
422 environment_changed(krb5_context context)
423 {
424 const char *e;
425
426 /* if the cc name was set, don't change it */
427 if (context->default_cc_name_set)
428 return 0;
429
430 /* XXX performance: always ask KCM/API if default name has changed */
431 if (context->default_cc_name &&
432 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
433 strncmp(context->default_cc_name, "API:", 4) == 0))
434 return 1;
435
436 if(issuid())
437 return 0;
438
439 e = getenv("KRB5CCNAME");
440 if (e == NULL) {
441 if (context->default_cc_name_env) {
442 free(context->default_cc_name_env);
443 context->default_cc_name_env = NULL;
444 return 1;
445 }
446 } else {
447 if (context->default_cc_name_env == NULL)
448 return 1;
449 if (strcmp(e, context->default_cc_name_env) != 0)
450 return 1;
451 }
452 return 0;
453 }
454
455 /**
456 * Switch the default default credential cache for a specific
457 * credcache type (and name for some implementations).
458 *
459 * @return Return an error code or 0, see krb5_get_error_message().
460 *
461 * @ingroup krb5_ccache
462 */
463
464 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
465 krb5_cc_switch(krb5_context context, krb5_ccache id)
466 {
467
468 if (id->ops->set_default == NULL)
469 return 0;
470
471 return (*id->ops->set_default)(context, id);
472 }
473
474 /**
475 * Return true if the default credential cache support switch
476 *
477 * @ingroup krb5_ccache
478 */
479
480 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
481 krb5_cc_support_switch(krb5_context context, const char *type)
482 {
483 const krb5_cc_ops *ops;
484
485 ops = krb5_cc_get_prefix_ops(context, type);
486 if (ops && ops->set_default)
487 return 1;
488 return FALSE;
489 }
490
491 /**
492 * Set the default cc name for `context' to `name'.
493 *
494 * @ingroup krb5_ccache
495 */
496
497 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
498 krb5_cc_set_default_name(krb5_context context, const char *name)
499 {
500 krb5_error_code ret = 0;
501 char *p = NULL, *exp_p = NULL;
502
503 if (name == NULL) {
504 const char *e = NULL;
505
506 if(!issuid()) {
507 e = getenv("KRB5CCNAME");
508 if (e) {
509 p = strdup(e);
510 if (context->default_cc_name_env)
511 free(context->default_cc_name_env);
512 context->default_cc_name_env = strdup(e);
513 }
514 }
515
516 #ifdef _WIN32
517 if (e == NULL) {
518 e = p = _krb5_get_default_cc_name_from_registry();
519 }
520 #endif
521 if (e == NULL) {
522 e = krb5_config_get_string(context, NULL, "libdefaults",
523 "default_cc_name", NULL);
524 if (e) {
525 ret = _krb5_expand_default_cc_name(context, e, &p);
526 if (ret)
527 return ret;
528 }
529 if (e == NULL) {
530 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
531 e = krb5_config_get_string(context, NULL, "libdefaults",
532 "default_cc_type", NULL);
533 if (e) {
534 ops = krb5_cc_get_prefix_ops(context, e);
535 if (ops == NULL) {
536 krb5_set_error_message(context,
537 KRB5_CC_UNKNOWN_TYPE,
538 "Credential cache type %s "
539 "is unknown", e);
540 return KRB5_CC_UNKNOWN_TYPE;
541 }
542 }
543 ret = (*ops->get_default_name)(context, &p);
544 if (ret)
545 return ret;
546 }
547 }
548 context->default_cc_name_set = 0;
549 } else {
550 p = strdup(name);
551 context->default_cc_name_set = 1;
552 }
553
554 if (p == NULL) {
555 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
556 return ENOMEM;
557 }
558
559 ret = _krb5_expand_path_tokens(context, p, &exp_p);
560 free(p);
561 if (ret)
562 return ret;
563
564 if (context->default_cc_name)
565 free(context->default_cc_name);
566
567 context->default_cc_name = exp_p;
568
569 return 0;
570 }
571
572 /**
573 * Return a pointer to a context static string containing the default
574 * ccache name.
575 *
576 * @return String to the default credential cache name.
577 *
578 * @ingroup krb5_ccache
579 */
580
581
582 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
583 krb5_cc_default_name(krb5_context context)
584 {
585 if (context->default_cc_name == NULL || environment_changed(context))
586 krb5_cc_set_default_name(context, NULL);
587
588 return context->default_cc_name;
589 }
590
591 /**
592 * Open the default ccache in `id'.
593 *
594 * @return Return an error code or 0, see krb5_get_error_message().
595 *
596 * @ingroup krb5_ccache
597 */
598
599
600 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
601 krb5_cc_default(krb5_context context,
602 krb5_ccache *id)
603 {
604 const char *p = krb5_cc_default_name(context);
605
606 if (p == NULL) {
607 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
608 return ENOMEM;
609 }
610 return krb5_cc_resolve(context, p, id);
611 }
612
613 /**
614 * Create a new ccache in `id' for `primary_principal'.
615 *
616 * @return Return an error code or 0, see krb5_get_error_message().
617 *
618 * @ingroup krb5_ccache
619 */
620
621
622 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
623 krb5_cc_initialize(krb5_context context,
624 krb5_ccache id,
625 krb5_principal primary_principal)
626 {
627 return (*id->ops->init)(context, id, primary_principal);
628 }
629
630
631 /**
632 * Remove the ccache `id'.
633 *
634 * @return Return an error code or 0, see krb5_get_error_message().
635 *
636 * @ingroup krb5_ccache
637 */
638
639
640 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
641 krb5_cc_destroy(krb5_context context,
642 krb5_ccache id)
643 {
644 krb5_error_code ret;
645
646 ret = (*id->ops->destroy)(context, id);
647 krb5_cc_close (context, id);
648 return ret;
649 }
650
651 /**
652 * Stop using the ccache `id' and free the related resources.
653 *
654 * @return Return an error code or 0, see krb5_get_error_message().
655 *
656 * @ingroup krb5_ccache
657 */
658
659
660 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
661 krb5_cc_close(krb5_context context,
662 krb5_ccache id)
663 {
664 krb5_error_code ret;
665 ret = (*id->ops->close)(context, id);
666 free(id);
667 return ret;
668 }
669
670 /**
671 * Store `creds' in the ccache `id'.
672 *
673 * @return Return an error code or 0, see krb5_get_error_message().
674 *
675 * @ingroup krb5_ccache
676 */
677
678
679 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
680 krb5_cc_store_cred(krb5_context context,
681 krb5_ccache id,
682 krb5_creds *creds)
683 {
684 return (*id->ops->store)(context, id, creds);
685 }
686
687 /**
688 * Retrieve the credential identified by `mcreds' (and `whichfields')
689 * from `id' in `creds'. 'creds' must be free by the caller using
690 * krb5_free_cred_contents.
691 *
692 * @param context A Kerberos 5 context
693 * @param id a Kerberos 5 credential cache
694 * @param whichfields what fields to use for matching credentials, same
695 * flags as whichfields in krb5_compare_creds()
696 * @param mcreds template credential to use for comparing
697 * @param creds returned credential, free with krb5_free_cred_contents()
698 *
699 * @return Return an error code or 0, see krb5_get_error_message().
700 *
701 * @ingroup krb5_ccache
702 */
703
704
705 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
706 krb5_cc_retrieve_cred(krb5_context context,
707 krb5_ccache id,
708 krb5_flags whichfields,
709 const krb5_creds *mcreds,
710 krb5_creds *creds)
711 {
712 krb5_error_code ret;
713 krb5_cc_cursor cursor;
714
715 if (id->ops->retrieve != NULL) {
716 return (*id->ops->retrieve)(context, id, whichfields,
717 mcreds, creds);
718 }
719
720 ret = krb5_cc_start_seq_get(context, id, &cursor);
721 if (ret)
722 return ret;
723 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
724 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
725 ret = 0;
726 break;
727 }
728 krb5_free_cred_contents (context, creds);
729 }
730 krb5_cc_end_seq_get(context, id, &cursor);
731 return ret;
732 }
733
734 /**
735 * Return the principal of `id' in `principal'.
736 *
737 * @return Return an error code or 0, see krb5_get_error_message().
738 *
739 * @ingroup krb5_ccache
740 */
741
742
743 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
744 krb5_cc_get_principal(krb5_context context,
745 krb5_ccache id,
746 krb5_principal *principal)
747 {
748 return (*id->ops->get_princ)(context, id, principal);
749 }
750
751 /**
752 * Start iterating over `id', `cursor' is initialized to the
753 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
754 *
755 * @return Return an error code or 0, see krb5_get_error_message().
756 *
757 * @ingroup krb5_ccache
758 */
759
760
761 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
762 krb5_cc_start_seq_get (krb5_context context,
763 const krb5_ccache id,
764 krb5_cc_cursor *cursor)
765 {
766 return (*id->ops->get_first)(context, id, cursor);
767 }
768
769 /**
770 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
771 * and advance `cursor'.
772 *
773 * @return Return an error code or 0, see krb5_get_error_message().
774 *
775 * @ingroup krb5_ccache
776 */
777
778
779 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
780 krb5_cc_next_cred (krb5_context context,
781 const krb5_ccache id,
782 krb5_cc_cursor *cursor,
783 krb5_creds *creds)
784 {
785 return (*id->ops->get_next)(context, id, cursor, creds);
786 }
787
788 /**
789 * Destroy the cursor `cursor'.
790 *
791 * @ingroup krb5_ccache
792 */
793
794
795 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
796 krb5_cc_end_seq_get (krb5_context context,
797 const krb5_ccache id,
798 krb5_cc_cursor *cursor)
799 {
800 return (*id->ops->end_get)(context, id, cursor);
801 }
802
803 /**
804 * Remove the credential identified by `cred', `which' from `id'.
805 *
806 * @ingroup krb5_ccache
807 */
808
809
810 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
811 krb5_cc_remove_cred(krb5_context context,
812 krb5_ccache id,
813 krb5_flags which,
814 krb5_creds *cred)
815 {
816 if(id->ops->remove_cred == NULL) {
817 krb5_set_error_message(context,
818 EACCES,
819 "ccache %s does not support remove_cred",
820 id->ops->prefix);
821 return EACCES; /* XXX */
822 }
823 return (*id->ops->remove_cred)(context, id, which, cred);
824 }
825
826 /**
827 * Set the flags of `id' to `flags'.
828 *
829 * @ingroup krb5_ccache
830 */
831
832
833 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
834 krb5_cc_set_flags(krb5_context context,
835 krb5_ccache id,
836 krb5_flags flags)
837 {
838 return (*id->ops->set_flags)(context, id, flags);
839 }
840
841 /**
842 * Get the flags of `id', store them in `flags'.
843 *
844 * @ingroup krb5_ccache
845 */
846
847 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
848 krb5_cc_get_flags(krb5_context context,
849 krb5_ccache id,
850 krb5_flags *flags)
851 {
852 *flags = 0;
853 return 0;
854 }
855
856 /**
857 * Copy the contents of `from' to `to' if the given match function
858 * return true.
859 *
860 * @param context A Kerberos 5 context.
861 * @param from the cache to copy data from.
862 * @param to the cache to copy data to.
863 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
864 * @param matchctx context passed to match function.
865 * @param matched set to true if there was a credential that matched, may be NULL.
866 *
867 * @return Return an error code or 0, see krb5_get_error_message().
868 *
869 * @ingroup krb5_ccache
870 */
871
872 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
873 krb5_cc_copy_match_f(krb5_context context,
874 const krb5_ccache from,
875 krb5_ccache to,
876 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
877 void *matchctx,
878 unsigned int *matched)
879 {
880 krb5_error_code ret;
881 krb5_cc_cursor cursor;
882 krb5_creds cred;
883 krb5_principal princ;
884
885 if (matched)
886 *matched = 0;
887
888 ret = krb5_cc_get_principal(context, from, &princ);
889 if (ret)
890 return ret;
891 ret = krb5_cc_initialize(context, to, princ);
892 if (ret) {
893 krb5_free_principal(context, princ);
894 return ret;
895 }
896 ret = krb5_cc_start_seq_get(context, from, &cursor);
897 if (ret) {
898 krb5_free_principal(context, princ);
899 return ret;
900 }
901
902 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
903 if (match == NULL || (*match)(context, matchctx, &cred) == 0) {
904 if (matched)
905 (*matched)++;
906 ret = krb5_cc_store_cred(context, to, &cred);
907 if (ret)
908 break;
909 }
910 krb5_free_cred_contents(context, &cred);
911 }
912 krb5_cc_end_seq_get(context, from, &cursor);
913 krb5_free_principal(context, princ);
914 if (ret == KRB5_CC_END)
915 ret = 0;
916 return ret;
917 }
918
919 /**
920 * Just like krb5_cc_copy_match_f(), but copy everything.
921 *
922 * @ingroup @krb5_ccache
923 */
924
925 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
926 krb5_cc_copy_cache(krb5_context context,
927 const krb5_ccache from,
928 krb5_ccache to)
929 {
930 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
931 }
932
933 /**
934 * Return the version of `id'.
935 *
936 * @ingroup krb5_ccache
937 */
938
939
940 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
941 krb5_cc_get_version(krb5_context context,
942 const krb5_ccache id)
943 {
944 if(id->ops->get_version)
945 return (*id->ops->get_version)(context, id);
946 else
947 return 0;
948 }
949
950 /**
951 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
952 *
953 * @ingroup krb5_ccache
954 */
955
956
957 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
958 krb5_cc_clear_mcred(krb5_creds *mcred)
959 {
960 memset(mcred, 0, sizeof(*mcred));
961 }
962
963 /**
964 * Get the cc ops that is registered in `context' to handle the
965 * prefix. prefix can be a complete credential cache name or a
966 * prefix, the function will only use part up to the first colon (:)
967 * if there is one. If prefix the argument is NULL, the default ccache
968 * implemtation is returned.
969 *
970 * @return Returns NULL if ops not found.
971 *
972 * @ingroup krb5_ccache
973 */
974
975
976 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
977 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
978 {
979 char *p, *p1;
980 int i;
981
982 if (prefix == NULL)
983 return KRB5_DEFAULT_CCTYPE;
984 if (prefix[0] == '/')
985 return &krb5_fcc_ops;
986
987 p = strdup(prefix);
988 if (p == NULL) {
989 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
990 return NULL;
991 }
992 p1 = strchr(p, ':');
993 if (p1)
994 *p1 = '\0';
995
996 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
997 if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
998 free(p);
999 return context->cc_ops[i];
1000 }
1001 }
1002 free(p);
1003 return NULL;
1004 }
1005
1006 struct krb5_cc_cache_cursor_data {
1007 const krb5_cc_ops *ops;
1008 krb5_cc_cursor cursor;
1009 };
1010
1011 /**
1012 * Start iterating over all caches of specified type. See also
1013 * krb5_cccol_cursor_new().
1014
1015 * @param context A Kerberos 5 context
1016 * @param type optional type to iterate over, if NULL, the default cache is used.
1017 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1018 *
1019 * @return Return an error code or 0, see krb5_get_error_message().
1020 *
1021 * @ingroup krb5_ccache
1022 */
1023
1024
1025 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1026 krb5_cc_cache_get_first (krb5_context context,
1027 const char *type,
1028 krb5_cc_cache_cursor *cursor)
1029 {
1030 const krb5_cc_ops *ops;
1031 krb5_error_code ret;
1032
1033 if (type == NULL)
1034 type = krb5_cc_default_name(context);
1035
1036 ops = krb5_cc_get_prefix_ops(context, type);
1037 if (ops == NULL) {
1038 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1039 "Unknown type \"%s\" when iterating "
1040 "trying to iterate the credential caches", type);
1041 return KRB5_CC_UNKNOWN_TYPE;
1042 }
1043
1044 if (ops->get_cache_first == NULL) {
1045 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1046 N_("Credential cache type %s doesn't support "
1047 "iterations over caches", "type"),
1048 ops->prefix);
1049 return KRB5_CC_NOSUPP;
1050 }
1051
1052 *cursor = calloc(1, sizeof(**cursor));
1053 if (*cursor == NULL) {
1054 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1055 return ENOMEM;
1056 }
1057
1058 (*cursor)->ops = ops;
1059
1060 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1061 if (ret) {
1062 free(*cursor);
1063 *cursor = NULL;
1064 }
1065 return ret;
1066 }
1067
1068 /**
1069 * Retrieve the next cache pointed to by (`cursor') in `id'
1070 * and advance `cursor'.
1071 *
1072 * @param context A Kerberos 5 context
1073 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1074 * @param id next ccache
1075 *
1076 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1077 * of caches is reached, see krb5_get_error_message().
1078 *
1079 * @ingroup krb5_ccache
1080 */
1081
1082
1083 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1084 krb5_cc_cache_next (krb5_context context,
1085 krb5_cc_cache_cursor cursor,
1086 krb5_ccache *id)
1087 {
1088 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1089 }
1090
1091 /**
1092 * Destroy the cursor `cursor'.
1093 *
1094 * @return Return an error code or 0, see krb5_get_error_message().
1095 *
1096 * @ingroup krb5_ccache
1097 */
1098
1099
1100 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1101 krb5_cc_cache_end_seq_get (krb5_context context,
1102 krb5_cc_cache_cursor cursor)
1103 {
1104 krb5_error_code ret;
1105 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1106 cursor->ops = NULL;
1107 free(cursor);
1108 return ret;
1109 }
1110
1111 /**
1112 * Search for a matching credential cache that have the
1113 * `principal' as the default principal. On success, `id' needs to be
1114 * freed with krb5_cc_close() or krb5_cc_destroy().
1115 *
1116 * @param context A Kerberos 5 context
1117 * @param client The principal to search for
1118 * @param id the returned credential cache
1119 *
1120 * @return On failure, error code is returned and `id' is set to NULL.
1121 *
1122 * @ingroup krb5_ccache
1123 */
1124
1125
1126 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1127 krb5_cc_cache_match (krb5_context context,
1128 krb5_principal client,
1129 krb5_ccache *id)
1130 {
1131 krb5_cccol_cursor cursor;
1132 krb5_error_code ret;
1133 krb5_ccache cache = NULL;
1134
1135 *id = NULL;
1136
1137 ret = krb5_cccol_cursor_new (context, &cursor);
1138 if (ret)
1139 return ret;
1140
1141 while (krb5_cccol_cursor_next (context, cursor, &cache) == 0 && cache != NULL) {
1142 krb5_principal principal;
1143
1144 ret = krb5_cc_get_principal(context, cache, &principal);
1145 if (ret == 0) {
1146 krb5_boolean match;
1147
1148 match = krb5_principal_compare(context, principal, client);
1149 krb5_free_principal(context, principal);
1150 if (match)
1151 break;
1152 }
1153
1154 krb5_cc_close(context, cache);
1155 cache = NULL;
1156 }
1157
1158 krb5_cccol_cursor_free(context, &cursor);
1159
1160 if (cache == NULL) {
1161 char *str;
1162
1163 krb5_unparse_name(context, client, &str);
1164
1165 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1166 N_("Principal %s not found in any "
1167 "credential cache", ""),
1168 str ? str : "<out of memory>");
1169 if (str)
1170 free(str);
1171 return KRB5_CC_NOTFOUND;
1172 }
1173 *id = cache;
1174
1175 return 0;
1176 }
1177
1178 /**
1179 * Move the content from one credential cache to another. The
1180 * operation is an atomic switch.
1181 *
1182 * @param context a Keberos context
1183 * @param from the credential cache to move the content from
1184 * @param to the credential cache to move the content to
1185
1186 * @return On sucess, from is freed. On failure, error code is
1187 * returned and from and to are both still allocated, see krb5_get_error_message().
1188 *
1189 * @ingroup krb5_ccache
1190 */
1191
1192 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1193 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1194 {
1195 krb5_error_code ret;
1196
1197 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1198 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1199 N_("Moving credentials between diffrent "
1200 "types not yet supported", ""));
1201 return KRB5_CC_NOSUPP;
1202 }
1203
1204 ret = (*to->ops->move)(context, from, to);
1205 if (ret == 0) {
1206 memset(from, 0, sizeof(*from));
1207 free(from);
1208 }
1209 return ret;
1210 }
1211
1212 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1213 #define KRB5_REALM_NAME "X-CACHECONF:"
1214
1215 static krb5_error_code
1216 build_conf_principals(krb5_context context, krb5_ccache id,
1217 krb5_const_principal principal,
1218 const char *name, krb5_creds *cred)
1219 {
1220 krb5_principal client;
1221 krb5_error_code ret;
1222 char *pname = NULL;
1223
1224 memset(cred, 0, sizeof(*cred));
1225
1226 ret = krb5_cc_get_principal(context, id, &client);
1227 if (ret)
1228 return ret;
1229
1230 if (principal) {
1231 ret = krb5_unparse_name(context, principal, &pname);
1232 if (ret)
1233 return ret;
1234 }
1235
1236 ret = krb5_make_principal(context, &cred->server,
1237 KRB5_REALM_NAME,
1238 KRB5_CONF_NAME, name, pname, NULL);
1239 free(pname);
1240 if (ret) {
1241 krb5_free_principal(context, client);
1242 return ret;
1243 }
1244 ret = krb5_copy_principal(context, client, &cred->client);
1245 krb5_free_principal(context, client);
1246 return ret;
1247 }
1248
1249 /**
1250 * Return TRUE (non zero) if the principal is a configuration
1251 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1252 * (zero) if not a configuration principal.
1253 *
1254 * @param context a Keberos context
1255 * @param principal principal to check if it a configuration principal
1256 *
1257 * @ingroup krb5_ccache
1258 */
1259
1260 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1261 krb5_is_config_principal(krb5_context context,
1262 krb5_const_principal principal)
1263 {
1264 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1265 return FALSE;
1266
1267 if (principal->name.name_string.len == 0 ||
1268 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1269 return FALSE;
1270
1271 return TRUE;
1272 }
1273
1274 /**
1275 * Store some configuration for the credential cache in the cache.
1276 * Existing configuration under the same name is over-written.
1277 *
1278 * @param context a Keberos context
1279 * @param id the credential cache to store the data for
1280 * @param principal configuration for a specific principal, if
1281 * NULL, global for the whole cache.
1282 * @param name name under which the configuraion is stored.
1283 * @param data data to store, if NULL, configure is removed.
1284 *
1285 * @ingroup krb5_ccache
1286 */
1287
1288 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1289 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1290 krb5_const_principal principal,
1291 const char *name, krb5_data *data)
1292 {
1293 krb5_error_code ret;
1294 krb5_creds cred;
1295
1296 ret = build_conf_principals(context, id, principal, name, &cred);
1297 if (ret)
1298 goto out;
1299
1300 /* Remove old configuration */
1301 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1302 if (ret && ret != KRB5_CC_NOTFOUND)
1303 goto out;
1304
1305 if (data) {
1306 /* not that anyone care when this expire */
1307 cred.times.authtime = time(NULL);
1308 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1309
1310 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1311 if (ret)
1312 goto out;
1313
1314 ret = krb5_cc_store_cred(context, id, &cred);
1315 }
1316
1317 out:
1318 krb5_free_cred_contents (context, &cred);
1319 return ret;
1320 }
1321
1322 /**
1323 * Get some configuration for the credential cache in the cache.
1324 *
1325 * @param context a Keberos context
1326 * @param id the credential cache to store the data for
1327 * @param principal configuration for a specific principal, if
1328 * NULL, global for the whole cache.
1329 * @param name name under which the configuraion is stored.
1330 * @param data data to fetched, free with krb5_data_free()
1331 *
1332 * @ingroup krb5_ccache
1333 */
1334
1335
1336 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1337 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1338 krb5_const_principal principal,
1339 const char *name, krb5_data *data)
1340 {
1341 krb5_creds mcred, cred;
1342 krb5_error_code ret;
1343
1344 memset(&cred, 0, sizeof(cred));
1345 krb5_data_zero(data);
1346
1347 ret = build_conf_principals(context, id, principal, name, &mcred);
1348 if (ret)
1349 goto out;
1350
1351 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1352 if (ret)
1353 goto out;
1354
1355 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1356
1357 out:
1358 krb5_free_cred_contents (context, &cred);
1359 krb5_free_cred_contents (context, &mcred);
1360 return ret;
1361 }
1362
1363 /*
1364 *
1365 */
1366
1367 struct krb5_cccol_cursor_data {
1368 int idx;
1369 krb5_cc_cache_cursor cursor;
1370 };
1371
1372 /**
1373 * Get a new cache interation cursor that will interate over all
1374 * credentials caches independent of type.
1375 *
1376 * @param context a Keberos context
1377 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1378 *
1379 * @return Returns 0 or and error code, see krb5_get_error_message().
1380 *
1381 * @ingroup krb5_ccache
1382 */
1383
1384 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1385 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1386 {
1387 *cursor = calloc(1, sizeof(**cursor));
1388 if (*cursor == NULL) {
1389 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1390 return ENOMEM;
1391 }
1392 (*cursor)->idx = 0;
1393 (*cursor)->cursor = NULL;
1394
1395 return 0;
1396 }
1397
1398 /**
1399 * Get next credential cache from the iteration.
1400 *
1401 * @param context A Kerberos 5 context
1402 * @param cursor the iteration cursor
1403 * @param cache the returned cursor, pointer is set to NULL on failure
1404 * and a cache on success. The returned cache needs to be freed
1405 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1406 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1407 * when all caches are iterated over and return 0.
1408 *
1409 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1410 * of iteration. See krb5_get_error_message().
1411 *
1412 * @ingroup krb5_ccache
1413 */
1414
1415
1416 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1417 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1418 krb5_ccache *cache)
1419 {
1420 krb5_error_code ret;
1421
1422 *cache = NULL;
1423
1424 while (cursor->idx < context->num_cc_ops) {
1425
1426 if (cursor->cursor == NULL) {
1427 ret = krb5_cc_cache_get_first (context,
1428 context->cc_ops[cursor->idx]->prefix,
1429 &cursor->cursor);
1430 if (ret) {
1431 cursor->idx++;
1432 continue;
1433 }
1434 }
1435 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1436 if (ret == 0)
1437 break;
1438
1439 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1440 cursor->cursor = NULL;
1441 if (ret != KRB5_CC_END)
1442 break;
1443
1444 cursor->idx++;
1445 }
1446 if (cursor->idx >= context->num_cc_ops) {
1447 krb5_set_error_message(context, KRB5_CC_END,
1448 N_("Reached end of credential caches", ""));
1449 return KRB5_CC_END;
1450 }
1451
1452 return 0;
1453 }
1454
1455 /**
1456 * End an iteration and free all resources, can be done before end is reached.
1457 *
1458 * @param context A Kerberos 5 context
1459 * @param cursor the iteration cursor to be freed.
1460 *
1461 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1462 * of iteration. See krb5_get_error_message().
1463 *
1464 * @ingroup krb5_ccache
1465 */
1466
1467 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1468 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1469 {
1470 krb5_cccol_cursor c = *cursor;
1471
1472 *cursor = NULL;
1473 if (c) {
1474 if (c->cursor)
1475 krb5_cc_cache_end_seq_get(context, c->cursor);
1476 free(c);
1477 }
1478 return 0;
1479 }
1480
1481 /**
1482 * Return the last time the credential cache was modified.
1483 *
1484 * @param context A Kerberos 5 context
1485 * @param id The credential cache to probe
1486 * @param mtime the last modification time, set to 0 on error.
1487
1488 * @return Return 0 or and error. See krb5_get_error_message().
1489 *
1490 * @ingroup krb5_ccache
1491 */
1492
1493
1494 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1495 krb5_cc_last_change_time(krb5_context context,
1496 krb5_ccache id,
1497 krb5_timestamp *mtime)
1498 {
1499 *mtime = 0;
1500 return (*id->ops->lastchange)(context, id, mtime);
1501 }
1502
1503 /**
1504 * Return the last modfication time for a cache collection. The query
1505 * can be limited to a specific cache type. If the function return 0
1506 * and mtime is 0, there was no credentials in the caches.
1507 *
1508 * @param context A Kerberos 5 context
1509 * @param type The credential cache to probe, if NULL, all type are traversed.
1510 * @param mtime the last modification time, set to 0 on error.
1511
1512 * @return Return 0 or and error. See krb5_get_error_message().
1513 *
1514 * @ingroup krb5_ccache
1515 */
1516
1517 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1518 krb5_cccol_last_change_time(krb5_context context,
1519 const char *type,
1520 krb5_timestamp *mtime)
1521 {
1522 krb5_cccol_cursor cursor;
1523 krb5_error_code ret;
1524 krb5_ccache id;
1525 krb5_timestamp t = 0;
1526
1527 *mtime = 0;
1528
1529 ret = krb5_cccol_cursor_new (context, &cursor);
1530 if (ret)
1531 return ret;
1532
1533 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1534
1535 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1536 continue;
1537
1538 ret = krb5_cc_last_change_time(context, id, &t);
1539 krb5_cc_close(context, id);
1540 if (ret)
1541 continue;
1542 if (t > *mtime)
1543 *mtime = t;
1544 }
1545
1546 krb5_cccol_cursor_free(context, &cursor);
1547
1548 return 0;
1549 }
1550 /**
1551 * Return a friendly name on credential cache. Free the result with krb5_xfree().
1552 *
1553 * @return Return an error code or 0, see krb5_get_error_message().
1554 *
1555 * @ingroup krb5_ccache
1556 */
1557
1558 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1559 krb5_cc_get_friendly_name(krb5_context context,
1560 krb5_ccache id,
1561 char **name)
1562 {
1563 krb5_error_code ret;
1564 krb5_data data;
1565
1566 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1567 if (ret) {
1568 krb5_principal principal;
1569 ret = krb5_cc_get_principal(context, id, &principal);
1570 if (ret)
1571 return ret;
1572 ret = krb5_unparse_name(context, principal, name);
1573 krb5_free_principal(context, principal);
1574 } else {
1575 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1576 krb5_data_free(&data);
1577 if (ret <= 0) {
1578 ret = ENOMEM;
1579 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1580 } else
1581 ret = 0;
1582 }
1583
1584 return ret;
1585 }
1586
1587 /**
1588 * Set the friendly name on credential cache.
1589 *
1590 * @return Return an error code or 0, see krb5_get_error_message().
1591 *
1592 * @ingroup krb5_ccache
1593 */
1594
1595 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1596 krb5_cc_set_friendly_name(krb5_context context,
1597 krb5_ccache id,
1598 const char *name)
1599 {
1600 krb5_data data;
1601
1602 data.data = rk_UNCONST(name);
1603 data.length = strlen(name);
1604
1605 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1606 }
1607
1608 /**
1609 * Get the lifetime of the initial ticket in the cache
1610 *
1611 * Get the lifetime of the initial ticket in the cache, if the initial
1612 * ticket was not found, the error code KRB5_CC_END is returned.
1613 *
1614 * @param context A Kerberos 5 context.
1615 * @param id a credential cache
1616 * @param t the relative lifetime of the initial ticket
1617 *
1618 * @return Return an error code or 0, see krb5_get_error_message().
1619 *
1620 * @ingroup krb5_ccache
1621 */
1622
1623 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1624 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1625 {
1626 krb5_cc_cursor cursor;
1627 krb5_error_code ret;
1628 krb5_creds cred;
1629 time_t now;
1630
1631 *t = 0;
1632 now = time(NULL);
1633
1634 ret = krb5_cc_start_seq_get(context, id, &cursor);
1635 if (ret)
1636 return ret;
1637
1638 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1639 if (cred.flags.b.initial) {
1640 if (now < cred.times.endtime)
1641 *t = cred.times.endtime - now;
1642 krb5_free_cred_contents(context, &cred);
1643 break;
1644 }
1645 krb5_free_cred_contents(context, &cred);
1646 }
1647
1648 krb5_cc_end_seq_get(context, id, &cursor);
1649
1650 return ret;
1651 }
1652
1653 /**
1654 * Set the time offset betwen the client and the KDC
1655 *
1656 * If the backend doesn't support KDC offset, use the context global setting.
1657 *
1658 * @param context A Kerberos 5 context.
1659 * @param id a credential cache
1660 * @param offset the offset in seconds
1661 *
1662 * @return Return an error code or 0, see krb5_get_error_message().
1663 *
1664 * @ingroup krb5_ccache
1665 */
1666
1667 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1668 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1669 {
1670 if (id->ops->set_kdc_offset == NULL) {
1671 context->kdc_sec_offset = offset;
1672 context->kdc_usec_offset = 0;
1673 return 0;
1674 }
1675 return (*id->ops->set_kdc_offset)(context, id, offset);
1676 }
1677
1678 /**
1679 * Get the time offset betwen the client and the KDC
1680 *
1681 * If the backend doesn't support KDC offset, use the context global setting.
1682 *
1683 * @param context A Kerberos 5 context.
1684 * @param id a credential cache
1685 * @param offset the offset in seconds
1686 *
1687 * @return Return an error code or 0, see krb5_get_error_message().
1688 *
1689 * @ingroup krb5_ccache
1690 */
1691
1692 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1693 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1694 {
1695 if (id->ops->get_kdc_offset == NULL) {
1696 *offset = context->kdc_sec_offset;
1697 return 0;
1698 }
1699 return (*id->ops->get_kdc_offset)(context, id, offset);
1700 }
1701
1702
1703 #ifdef _WIN32
1704
1705 char *
1706 _krb5_get_default_cc_name_from_registry()
1707 {
1708 HKEY hk_k5 = 0;
1709 LONG code;
1710 char * ccname = NULL;
1711
1712 code = RegOpenKeyEx(HKEY_CURRENT_USER,
1713 "Software\\MIT\\Kerberos5",
1714 0, KEY_READ, &hk_k5);
1715
1716 if (code != ERROR_SUCCESS)
1717 return NULL;
1718
1719 ccname = _krb5_parse_reg_value_as_string(NULL, hk_k5, "ccname",
1720 REG_NONE, 0);
1721
1722 RegCloseKey(hk_k5);
1723
1724 return ccname;
1725 }
1726
1727 #endif