search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Properly terminate ifdef conditional in krb5-types.h
[heimdal.git] / lib / krb5 / cache.c
blob40682c4ab72ed51bf9e2f053ecb24677a391f2df
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
41 *
42 * krb5_ccache structure holds a Kerberos credential cache.
43 *
44 * Heimdal support the follow types of credential caches:
45 *
46 * - SCC
47 * Store the credential in a database
48 * - FILE
49 * Store the credential in memory
50 * - MEMORY
51 * Store the credential in memory
52 * - API
53 * A credential cache server based solution for Mac OS X
54 * - KCM
55 * A credential cache server based solution for all platforms
56 *
57 * @subsection Example
58 *
59 * This is a minimalistic version of klist:
60 @code
61 #include <krb5.h>
62
63 int
64 main (int argc, char **argv)
65 {
66 krb5_context context;
67 krb5_cc_cursor cursor;
68 krb5_error_code ret;
69 krb5_ccache id;
70 krb5_creds creds;
71
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
74
75 ret = krb5_cc_default (context, &id);
76 if (ret)
77 krb5_err(context, 1, ret, "krb5_cc_default");
78
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
80 if (ret)
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
82
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
84 char *principal;
85
86 krb5_unparse_name(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
88 free(principal);
89 krb5_free_cred_contents (context, &creds);
90 }
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
92 if (ret)
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
94
95 krb5_cc_close(context, id);
96
97 krb5_free_context(context);
98 return 0;
99 }
100 * @endcode
101 */
102
103 /**
104 * Add a new ccache type with operations `ops', overwriting any
105 * existing one if `override'.
106 *
107 * @param context a Keberos context
108 * @param ops type of plugin symbol
109 * @param override flag to select if the registration is to overide
110 * an existing ops with the same name.
111 *
112 * @return Return an error code or 0, see krb5_get_error_message().
113 *
114 * @ingroup krb5_ccache
115 */
116
117 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
118 krb5_cc_register(krb5_context context,
119 const krb5_cc_ops *ops,
120 krb5_boolean override)
121 {
122 int i;
123
124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
126 if(!override) {
127 krb5_set_error_message(context,
128 KRB5_CC_TYPE_EXISTS,
129 N_("cache type %s already exists", "type"),
130 ops->prefix);
131 return KRB5_CC_TYPE_EXISTS;
132 }
133 break;
134 }
135 }
136 if(i == context->num_cc_ops) {
137 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
138 (context->num_cc_ops + 1) *
139 sizeof(context->cc_ops[0]));
140 if(o == NULL) {
141 krb5_set_error_message(context, KRB5_CC_NOMEM,
142 N_("malloc: out of memory", ""));
143 return KRB5_CC_NOMEM;
144 }
145 context->cc_ops = o;
146 context->cc_ops[context->num_cc_ops] = NULL;
147 context->num_cc_ops++;
148 }
149 context->cc_ops[i] = ops;
150 return 0;
151 }
152
153 /*
154 * Allocate the memory for a `id' and the that function table to
155 * `ops'. Returns 0 or and error code.
156 */
157
158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
159 _krb5_cc_allocate(krb5_context context,
160 const krb5_cc_ops *ops,
161 krb5_ccache *id)
162 {
163 krb5_ccache p;
164
165 p = malloc (sizeof(*p));
166 if(p == NULL) {
167 krb5_set_error_message(context, KRB5_CC_NOMEM,
168 N_("malloc: out of memory", ""));
169 return KRB5_CC_NOMEM;
170 }
171 p->ops = ops;
172 *id = p;
173
174 return 0;
175 }
176
177 /*
178 * Allocate memory for a new ccache in `id' with operations `ops'
179 * and name `residual'. Return 0 or an error code.
180 */
181
182 static krb5_error_code
183 allocate_ccache (krb5_context context,
184 const krb5_cc_ops *ops,
185 const char *residual,
186 krb5_ccache *id)
187 {
188 krb5_error_code ret;
189 #ifdef KRB5_USE_PATH_TOKENS
190 char * exp_residual = NULL;
191
192 ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
193 if (ret)
194 return ret;
195
196 residual = exp_residual;
197 #endif
198
199 ret = _krb5_cc_allocate(context, ops, id);
200 if (ret) {
201 #ifdef KRB5_USE_PATH_TOKENS
202 if (exp_residual)
203 free(exp_residual);
204 #endif
205 return ret;
206 }
207
208 ret = (*id)->ops->resolve(context, id, residual);
209 if(ret) {
210 free(*id);
211 *id = NULL;
212 }
213
214 #ifdef KRB5_USE_PATH_TOKENS
215 if (exp_residual)
216 free(exp_residual);
217 #endif
218
219 return ret;
220 }
221
222 static int
223 is_possible_path_name(const char * name)
224 {
225 const char * colon;
226
227 if ((colon = strchr(name, ':')) == NULL)
228 return TRUE;
229
230 #ifdef _WIN32
231 /* <drive letter>:\path\to\cache ? */
232
233 if (colon == name + 1 &&
234 strchr(colon + 1, ':') == NULL)
235 return TRUE;
236 #endif
237
238 return FALSE;
239 }
240
241 /**
242 * Find and allocate a ccache in `id' from the specification in `residual'.
243 * If the ccache name doesn't contain any colon, interpret it as a file name.
244 *
245 * @param context a Keberos context.
246 * @param name string name of a credential cache.
247 * @param id return pointer to a found credential cache.
248 *
249 * @return Return 0 or an error code. In case of an error, id is set
250 * to NULL, see krb5_get_error_message().
251 *
252 * @ingroup krb5_ccache
253 */
254
255
256 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
257 krb5_cc_resolve(krb5_context context,
258 const char *name,
259 krb5_ccache *id)
260 {
261 int i;
262
263 *id = NULL;
264
265 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
266 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
267
268 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
269 && name[prefix_len] == ':') {
270 return allocate_ccache (context, context->cc_ops[i],
271 name + prefix_len + 1,
272 id);
273 }
274 }
275 if (is_possible_path_name(name))
276 return allocate_ccache (context, &krb5_fcc_ops, name, id);
277 else {
278 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
279 N_("unknown ccache type %s", "name"), name);
280 return KRB5_CC_UNKNOWN_TYPE;
281 }
282 }
283
284 /**
285 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
286 * the library chooses the default credential cache type. The supplied
287 * `hint' (that can be NULL) is a string that the credential cache
288 * type can use to base the name of the credential on, this is to make
289 * it easier for the user to differentiate the credentials.
290 *
291 * @return Return an error code or 0, see krb5_get_error_message().
292 *
293 * @ingroup krb5_ccache
294 */
295
296 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
297 krb5_cc_new_unique(krb5_context context, const char *type,
298 const char *hint, krb5_ccache *id)
299 {
300 const krb5_cc_ops *ops;
301 krb5_error_code ret;
302
303 ops = krb5_cc_get_prefix_ops(context, type);
304 if (ops == NULL) {
305 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
306 "Credential cache type %s is unknown", type);
307 return KRB5_CC_UNKNOWN_TYPE;
308 }
309
310 ret = _krb5_cc_allocate(context, ops, id);
311 if (ret)
312 return ret;
313 ret = (*id)->ops->gen_new(context, id);
314 if (ret) {
315 free(*id);
316 *id = NULL;
317 }
318 return ret;
319 }
320
321 /**
322 * Return the name of the ccache `id'
323 *
324 * @ingroup krb5_ccache
325 */
326
327
328 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
329 krb5_cc_get_name(krb5_context context,
330 krb5_ccache id)
331 {
332 return id->ops->get_name(context, id);
333 }
334
335 /**
336 * Return the type of the ccache `id'.
337 *
338 * @ingroup krb5_ccache
339 */
340
341
342 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
343 krb5_cc_get_type(krb5_context context,
344 krb5_ccache id)
345 {
346 return id->ops->prefix;
347 }
348
349 /**
350 * Return the complete resolvable name the cache
351
352 * @param context a Keberos context
353 * @param id return pointer to a found credential cache
354 * @param str the returned name of a credential cache, free with krb5_xfree()
355 *
356 * @return Returns 0 or an error (and then *str is set to NULL).
357 *
358 * @ingroup krb5_ccache
359 */
360
361
362 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
363 krb5_cc_get_full_name(krb5_context context,
364 krb5_ccache id,
365 char **str)
366 {
367 const char *type, *name;
368
369 *str = NULL;
370
371 type = krb5_cc_get_type(context, id);
372 if (type == NULL) {
373 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
374 "cache have no name of type");
375 return KRB5_CC_UNKNOWN_TYPE;
376 }
377
378 name = krb5_cc_get_name(context, id);
379 if (name == NULL) {
380 krb5_set_error_message(context, KRB5_CC_BADNAME,
381 "cache of type %s have no name", type);
382 return KRB5_CC_BADNAME;
383 }
384
385 if (asprintf(str, "%s:%s", type, name) == -1) {
386 *str = NULL;
387 return krb5_enomem(context);
388 }
389 return 0;
390 }
391
392 /**
393 * Return krb5_cc_ops of a the ccache `id'.
394 *
395 * @ingroup krb5_ccache
396 */
397
398
399 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
400 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
401 {
402 return id->ops;
403 }
404
405 /*
406 * Expand variables in `str' into `res'
407 */
408
409 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
410 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
411 {
412 return _krb5_expand_path_tokens(context, str, res);
413 }
414
415 /*
416 * Return non-zero if envirnoment that will determine default krb5cc
417 * name has changed.
418 */
419
420 static int
421 environment_changed(krb5_context context)
422 {
423 const char *e;
424
425 /* if the cc name was set, don't change it */
426 if (context->default_cc_name_set)
427 return 0;
428
429 /* XXX performance: always ask KCM/API if default name has changed */
430 if (context->default_cc_name &&
431 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
432 strncmp(context->default_cc_name, "API:", 4) == 0))
433 return 1;
434
435 if(issuid())
436 return 0;
437
438 e = getenv("KRB5CCNAME");
439 if (e == NULL) {
440 if (context->default_cc_name_env) {
441 free(context->default_cc_name_env);
442 context->default_cc_name_env = NULL;
443 return 1;
444 }
445 } else {
446 if (context->default_cc_name_env == NULL)
447 return 1;
448 if (strcmp(e, context->default_cc_name_env) != 0)
449 return 1;
450 }
451 return 0;
452 }
453
454 /**
455 * Switch the default default credential cache for a specific
456 * credcache type (and name for some implementations).
457 *
458 * @return Return an error code or 0, see krb5_get_error_message().
459 *
460 * @ingroup krb5_ccache
461 */
462
463 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
464 krb5_cc_switch(krb5_context context, krb5_ccache id)
465 {
466 #ifdef _WIN32
467 _krb5_set_default_cc_name_to_registry(context, id);
468 #endif
469
470 if (id->ops->set_default == NULL)
471 return 0;
472
473 return (*id->ops->set_default)(context, id);
474 }
475
476 /**
477 * Return true if the default credential cache support switch
478 *
479 * @ingroup krb5_ccache
480 */
481
482 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
483 krb5_cc_support_switch(krb5_context context, const char *type)
484 {
485 const krb5_cc_ops *ops;
486
487 ops = krb5_cc_get_prefix_ops(context, type);
488 if (ops && ops->set_default)
489 return 1;
490 return FALSE;
491 }
492
493 /**
494 * Set the default cc name for `context' to `name'.
495 *
496 * @ingroup krb5_ccache
497 */
498
499 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
500 krb5_cc_set_default_name(krb5_context context, const char *name)
501 {
502 krb5_error_code ret = 0;
503 char *p = NULL, *exp_p = NULL;
504
505 if (name == NULL) {
506 const char *e = NULL;
507
508 if(!issuid()) {
509 e = getenv("KRB5CCNAME");
510 if (e) {
511 p = strdup(e);
512 if (context->default_cc_name_env)
513 free(context->default_cc_name_env);
514 context->default_cc_name_env = strdup(e);
515 }
516 }
517
518 #ifdef _WIN32
519 if (e == NULL) {
520 e = p = _krb5_get_default_cc_name_from_registry(context);
521 }
522 #endif
523 if (e == NULL) {
524 e = krb5_config_get_string(context, NULL, "libdefaults",
525 "default_cc_name", NULL);
526 if (e) {
527 ret = _krb5_expand_default_cc_name(context, e, &p);
528 if (ret)
529 return ret;
530 }
531 if (e == NULL) {
532 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
533 e = krb5_config_get_string(context, NULL, "libdefaults",
534 "default_cc_type", NULL);
535 if (e) {
536 ops = krb5_cc_get_prefix_ops(context, e);
537 if (ops == NULL) {
538 krb5_set_error_message(context,
539 KRB5_CC_UNKNOWN_TYPE,
540 "Credential cache type %s "
541 "is unknown", e);
542 return KRB5_CC_UNKNOWN_TYPE;
543 }
544 }
545 ret = (*ops->get_default_name)(context, &p);
546 if (ret)
547 return ret;
548 }
549 }
550 context->default_cc_name_set = 0;
551 } else {
552 p = strdup(name);
553 context->default_cc_name_set = 1;
554 }
555
556 if (p == NULL)
557 return krb5_enomem(context);
558
559 ret = _krb5_expand_path_tokens(context, p, &exp_p);
560 free(p);
561 if (ret)
562 return ret;
563
564 if (context->default_cc_name)
565 free(context->default_cc_name);
566
567 context->default_cc_name = exp_p;
568
569 return 0;
570 }
571
572 /**
573 * Return a pointer to a context static string containing the default
574 * ccache name.
575 *
576 * @return String to the default credential cache name.
577 *
578 * @ingroup krb5_ccache
579 */
580
581
582 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
583 krb5_cc_default_name(krb5_context context)
584 {
585 if (context->default_cc_name == NULL || environment_changed(context))
586 krb5_cc_set_default_name(context, NULL);
587
588 return context->default_cc_name;
589 }
590
591 /**
592 * Open the default ccache in `id'.
593 *
594 * @return Return an error code or 0, see krb5_get_error_message().
595 *
596 * @ingroup krb5_ccache
597 */
598
599
600 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
601 krb5_cc_default(krb5_context context,
602 krb5_ccache *id)
603 {
604 const char *p = krb5_cc_default_name(context);
605
606 if (p == NULL)
607 return krb5_enomem(context);
608 return krb5_cc_resolve(context, p, id);
609 }
610
611 /**
612 * Create a new ccache in `id' for `primary_principal'.
613 *
614 * @return Return an error code or 0, see krb5_get_error_message().
615 *
616 * @ingroup krb5_ccache
617 */
618
619
620 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
621 krb5_cc_initialize(krb5_context context,
622 krb5_ccache id,
623 krb5_principal primary_principal)
624 {
625 return (*id->ops->init)(context, id, primary_principal);
626 }
627
628
629 /**
630 * Remove the ccache `id'.
631 *
632 * @return Return an error code or 0, see krb5_get_error_message().
633 *
634 * @ingroup krb5_ccache
635 */
636
637
638 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
639 krb5_cc_destroy(krb5_context context,
640 krb5_ccache id)
641 {
642 krb5_error_code ret;
643
644 ret = (*id->ops->destroy)(context, id);
645 krb5_cc_close (context, id);
646 return ret;
647 }
648
649 /**
650 * Stop using the ccache `id' and free the related resources.
651 *
652 * @return Return an error code or 0, see krb5_get_error_message().
653 *
654 * @ingroup krb5_ccache
655 */
656
657
658 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
659 krb5_cc_close(krb5_context context,
660 krb5_ccache id)
661 {
662 krb5_error_code ret;
663 ret = (*id->ops->close)(context, id);
664 free(id);
665 return ret;
666 }
667
668 /**
669 * Store `creds' in the ccache `id'.
670 *
671 * @return Return an error code or 0, see krb5_get_error_message().
672 *
673 * @ingroup krb5_ccache
674 */
675
676
677 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
678 krb5_cc_store_cred(krb5_context context,
679 krb5_ccache id,
680 krb5_creds *creds)
681 {
682 return (*id->ops->store)(context, id, creds);
683 }
684
685 /**
686 * Retrieve the credential identified by `mcreds' (and `whichfields')
687 * from `id' in `creds'. 'creds' must be free by the caller using
688 * krb5_free_cred_contents.
689 *
690 * @param context A Kerberos 5 context
691 * @param id a Kerberos 5 credential cache
692 * @param whichfields what fields to use for matching credentials, same
693 * flags as whichfields in krb5_compare_creds()
694 * @param mcreds template credential to use for comparing
695 * @param creds returned credential, free with krb5_free_cred_contents()
696 *
697 * @return Return an error code or 0, see krb5_get_error_message().
698 *
699 * @ingroup krb5_ccache
700 */
701
702
703 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
704 krb5_cc_retrieve_cred(krb5_context context,
705 krb5_ccache id,
706 krb5_flags whichfields,
707 const krb5_creds *mcreds,
708 krb5_creds *creds)
709 {
710 krb5_error_code ret;
711 krb5_cc_cursor cursor;
712
713 if (id->ops->retrieve != NULL) {
714 return (*id->ops->retrieve)(context, id, whichfields,
715 mcreds, creds);
716 }
717
718 ret = krb5_cc_start_seq_get(context, id, &cursor);
719 if (ret)
720 return ret;
721 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
722 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
723 ret = 0;
724 break;
725 }
726 krb5_free_cred_contents (context, creds);
727 }
728 krb5_cc_end_seq_get(context, id, &cursor);
729 return ret;
730 }
731
732 /**
733 * Return the principal of `id' in `principal'.
734 *
735 * @return Return an error code or 0, see krb5_get_error_message().
736 *
737 * @ingroup krb5_ccache
738 */
739
740
741 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
742 krb5_cc_get_principal(krb5_context context,
743 krb5_ccache id,
744 krb5_principal *principal)
745 {
746 return (*id->ops->get_princ)(context, id, principal);
747 }
748
749 /**
750 * Start iterating over `id', `cursor' is initialized to the
751 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
752 *
753 * @return Return an error code or 0, see krb5_get_error_message().
754 *
755 * @ingroup krb5_ccache
756 */
757
758
759 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
760 krb5_cc_start_seq_get (krb5_context context,
761 const krb5_ccache id,
762 krb5_cc_cursor *cursor)
763 {
764 return (*id->ops->get_first)(context, id, cursor);
765 }
766
767 /**
768 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
769 * and advance `cursor'.
770 *
771 * @return Return an error code or 0, see krb5_get_error_message().
772 *
773 * @ingroup krb5_ccache
774 */
775
776
777 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
778 krb5_cc_next_cred (krb5_context context,
779 const krb5_ccache id,
780 krb5_cc_cursor *cursor,
781 krb5_creds *creds)
782 {
783 return (*id->ops->get_next)(context, id, cursor, creds);
784 }
785
786 /**
787 * Destroy the cursor `cursor'.
788 *
789 * @ingroup krb5_ccache
790 */
791
792
793 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
794 krb5_cc_end_seq_get (krb5_context context,
795 const krb5_ccache id,
796 krb5_cc_cursor *cursor)
797 {
798 return (*id->ops->end_get)(context, id, cursor);
799 }
800
801 /**
802 * Remove the credential identified by `cred', `which' from `id'.
803 *
804 * @ingroup krb5_ccache
805 */
806
807
808 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
809 krb5_cc_remove_cred(krb5_context context,
810 krb5_ccache id,
811 krb5_flags which,
812 krb5_creds *cred)
813 {
814 if(id->ops->remove_cred == NULL) {
815 krb5_set_error_message(context,
816 EACCES,
817 "ccache %s does not support remove_cred",
818 id->ops->prefix);
819 return EACCES; /* XXX */
820 }
821 return (*id->ops->remove_cred)(context, id, which, cred);
822 }
823
824 /**
825 * Set the flags of `id' to `flags'.
826 *
827 * @ingroup krb5_ccache
828 */
829
830
831 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
832 krb5_cc_set_flags(krb5_context context,
833 krb5_ccache id,
834 krb5_flags flags)
835 {
836 return (*id->ops->set_flags)(context, id, flags);
837 }
838
839 /**
840 * Get the flags of `id', store them in `flags'.
841 *
842 * @ingroup krb5_ccache
843 */
844
845 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
846 krb5_cc_get_flags(krb5_context context,
847 krb5_ccache id,
848 krb5_flags *flags)
849 {
850 *flags = 0;
851 return 0;
852 }
853
854 /**
855 * Copy the contents of `from' to `to' if the given match function
856 * return true.
857 *
858 * @param context A Kerberos 5 context.
859 * @param from the cache to copy data from.
860 * @param to the cache to copy data to.
861 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
862 * @param matchctx context passed to match function.
863 * @param matched set to true if there was a credential that matched, may be NULL.
864 *
865 * @return Return an error code or 0, see krb5_get_error_message().
866 *
867 * @ingroup krb5_ccache
868 */
869
870 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
871 krb5_cc_copy_match_f(krb5_context context,
872 const krb5_ccache from,
873 krb5_ccache to,
874 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
875 void *matchctx,
876 unsigned int *matched)
877 {
878 krb5_error_code ret;
879 krb5_cc_cursor cursor;
880 krb5_creds cred;
881 krb5_principal princ;
882
883 if (matched)
884 *matched = 0;
885
886 ret = krb5_cc_get_principal(context, from, &princ);
887 if (ret)
888 return ret;
889 ret = krb5_cc_initialize(context, to, princ);
890 if (ret) {
891 krb5_free_principal(context, princ);
892 return ret;
893 }
894 ret = krb5_cc_start_seq_get(context, from, &cursor);
895 if (ret) {
896 krb5_free_principal(context, princ);
897 return ret;
898 }
899
900 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
901 if (match == NULL || (*match)(context, matchctx, &cred)) {
902 if (matched)
903 (*matched)++;
904 ret = krb5_cc_store_cred(context, to, &cred);
905 if (ret)
906 break;
907 }
908 krb5_free_cred_contents(context, &cred);
909 }
910 krb5_cc_end_seq_get(context, from, &cursor);
911 krb5_free_principal(context, princ);
912 if (ret == KRB5_CC_END)
913 ret = 0;
914 return ret;
915 }
916
917 /**
918 * Just like krb5_cc_copy_match_f(), but copy everything.
919 *
920 * @ingroup @krb5_ccache
921 */
922
923 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
924 krb5_cc_copy_cache(krb5_context context,
925 const krb5_ccache from,
926 krb5_ccache to)
927 {
928 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
929 }
930
931 /**
932 * Return the version of `id'.
933 *
934 * @ingroup krb5_ccache
935 */
936
937
938 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
939 krb5_cc_get_version(krb5_context context,
940 const krb5_ccache id)
941 {
942 if(id->ops->get_version)
943 return (*id->ops->get_version)(context, id);
944 else
945 return 0;
946 }
947
948 /**
949 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
950 *
951 * @ingroup krb5_ccache
952 */
953
954
955 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
956 krb5_cc_clear_mcred(krb5_creds *mcred)
957 {
958 memset(mcred, 0, sizeof(*mcred));
959 }
960
961 /**
962 * Get the cc ops that is registered in `context' to handle the
963 * prefix. prefix can be a complete credential cache name or a
964 * prefix, the function will only use part up to the first colon (:)
965 * if there is one. If prefix the argument is NULL, the default ccache
966 * implemtation is returned.
967 *
968 * @return Returns NULL if ops not found.
969 *
970 * @ingroup krb5_ccache
971 */
972
973
974 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
975 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
976 {
977 char *p, *p1;
978 int i;
979
980 if (prefix == NULL)
981 return KRB5_DEFAULT_CCTYPE;
982
983 /* Is absolute path? Or UNC path? */
984 if (ISPATHSEP(prefix[0]))
985 return &krb5_fcc_ops;
986
987 #ifdef _WIN32
988 /* Is drive letter? */
989 if (isalpha(prefix[0]) && prefix[1] == ':')
990 return &krb5_fcc_ops;
991 #endif
992
993 p = strdup(prefix);
994 if (p == NULL) {
995 krb5_enomem(context);
996 return NULL;
997 }
998 p1 = strchr(p, ':');
999 if (p1)
1000 *p1 = '\0';
1001
1002 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
1003 if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
1004 free(p);
1005 return context->cc_ops[i];
1006 }
1007 }
1008 free(p);
1009 return NULL;
1010 }
1011
1012 struct krb5_cc_cache_cursor_data {
1013 const krb5_cc_ops *ops;
1014 krb5_cc_cursor cursor;
1015 };
1016
1017 /**
1018 * Start iterating over all caches of specified type. See also
1019 * krb5_cccol_cursor_new().
1020
1021 * @param context A Kerberos 5 context
1022 * @param type optional type to iterate over, if NULL, the default cache is used.
1023 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1024 *
1025 * @return Return an error code or 0, see krb5_get_error_message().
1026 *
1027 * @ingroup krb5_ccache
1028 */
1029
1030
1031 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1032 krb5_cc_cache_get_first (krb5_context context,
1033 const char *type,
1034 krb5_cc_cache_cursor *cursor)
1035 {
1036 const krb5_cc_ops *ops;
1037 krb5_error_code ret;
1038
1039 if (type == NULL)
1040 type = krb5_cc_default_name(context);
1041
1042 ops = krb5_cc_get_prefix_ops(context, type);
1043 if (ops == NULL) {
1044 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1045 "Unknown type \"%s\" when iterating "
1046 "trying to iterate the credential caches", type);
1047 return KRB5_CC_UNKNOWN_TYPE;
1048 }
1049
1050 if (ops->get_cache_first == NULL) {
1051 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1052 N_("Credential cache type %s doesn't support "
1053 "iterations over caches", "type"),
1054 ops->prefix);
1055 return KRB5_CC_NOSUPP;
1056 }
1057
1058 *cursor = calloc(1, sizeof(**cursor));
1059 if (*cursor == NULL)
1060 return krb5_enomem(context);
1061
1062 (*cursor)->ops = ops;
1063
1064 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1065 if (ret) {
1066 free(*cursor);
1067 *cursor = NULL;
1068 }
1069 return ret;
1070 }
1071
1072 /**
1073 * Retrieve the next cache pointed to by (`cursor') in `id'
1074 * and advance `cursor'.
1075 *
1076 * @param context A Kerberos 5 context
1077 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1078 * @param id next ccache
1079 *
1080 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1081 * of caches is reached, see krb5_get_error_message().
1082 *
1083 * @ingroup krb5_ccache
1084 */
1085
1086
1087 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1088 krb5_cc_cache_next (krb5_context context,
1089 krb5_cc_cache_cursor cursor,
1090 krb5_ccache *id)
1091 {
1092 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1093 }
1094
1095 /**
1096 * Destroy the cursor `cursor'.
1097 *
1098 * @return Return an error code or 0, see krb5_get_error_message().
1099 *
1100 * @ingroup krb5_ccache
1101 */
1102
1103
1104 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1105 krb5_cc_cache_end_seq_get (krb5_context context,
1106 krb5_cc_cache_cursor cursor)
1107 {
1108 krb5_error_code ret;
1109 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1110 cursor->ops = NULL;
1111 free(cursor);
1112 return ret;
1113 }
1114
1115 /**
1116 * Search for a matching credential cache that have the
1117 * `principal' as the default principal. On success, `id' needs to be
1118 * freed with krb5_cc_close() or krb5_cc_destroy().
1119 *
1120 * @param context A Kerberos 5 context
1121 * @param client The principal to search for
1122 * @param id the returned credential cache
1123 *
1124 * @return On failure, error code is returned and `id' is set to NULL.
1125 *
1126 * @ingroup krb5_ccache
1127 */
1128
1129
1130 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1131 krb5_cc_cache_match (krb5_context context,
1132 krb5_principal client,
1133 krb5_ccache *id)
1134 {
1135 krb5_cccol_cursor cursor;
1136 krb5_error_code ret;
1137 krb5_ccache cache = NULL;
1138 krb5_ccache expired_match = NULL;
1139
1140 *id = NULL;
1141
1142 ret = krb5_cccol_cursor_new (context, &cursor);
1143 if (ret)
1144 return ret;
1145
1146 while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) {
1147 krb5_principal principal;
1148 krb5_boolean match;
1149 time_t lifetime;
1150
1151 ret = krb5_cc_get_principal(context, cache, &principal);
1152 if (ret)
1153 goto next;
1154
1155 if (client->name.name_string.len == 0)
1156 match = (strcmp(client->realm, principal->realm) == 0);
1157 else
1158 match = krb5_principal_compare(context, principal, client);
1159 krb5_free_principal(context, principal);
1160
1161 if (!match)
1162 goto next;
1163
1164 if (expired_match == NULL &&
1165 (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) {
1166 expired_match = cache;
1167 cache = NULL;
1168 goto next;
1169 }
1170 break;
1171
1172 next:
1173 if (cache)
1174 krb5_cc_close(context, cache);
1175 cache = NULL;
1176 }
1177
1178 krb5_cccol_cursor_free(context, &cursor);
1179
1180 if (cache == NULL && expired_match) {
1181 cache = expired_match;
1182 expired_match = NULL;
1183 } else if (expired_match) {
1184 krb5_cc_close(context, expired_match);
1185 } else if (cache == NULL) {
1186 char *str;
1187
1188 krb5_unparse_name(context, client, &str);
1189
1190 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1191 N_("Principal %s not found in any "
1192 "credential cache", ""),
1193 str ? str : "<out of memory>");
1194 if (str)
1195 free(str);
1196 return KRB5_CC_NOTFOUND;
1197 }
1198
1199 *id = cache;
1200
1201 return 0;
1202 }
1203
1204 /**
1205 * Move the content from one credential cache to another. The
1206 * operation is an atomic switch.
1207 *
1208 * @param context a Keberos context
1209 * @param from the credential cache to move the content from
1210 * @param to the credential cache to move the content to
1211
1212 * @return On sucess, from is freed. On failure, error code is
1213 * returned and from and to are both still allocated, see krb5_get_error_message().
1214 *
1215 * @ingroup krb5_ccache
1216 */
1217
1218 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1219 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1220 {
1221 krb5_error_code ret;
1222
1223 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1224 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1225 N_("Moving credentials between diffrent "
1226 "types not yet supported", ""));
1227 return KRB5_CC_NOSUPP;
1228 }
1229
1230 ret = (*to->ops->move)(context, from, to);
1231 if (ret == 0) {
1232 memset(from, 0, sizeof(*from));
1233 free(from);
1234 }
1235 return ret;
1236 }
1237
1238 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1239 #define KRB5_REALM_NAME "X-CACHECONF:"
1240
1241 static krb5_error_code
1242 build_conf_principals(krb5_context context, krb5_ccache id,
1243 krb5_const_principal principal,
1244 const char *name, krb5_creds *cred)
1245 {
1246 krb5_principal client;
1247 krb5_error_code ret;
1248 char *pname = NULL;
1249
1250 memset(cred, 0, sizeof(*cred));
1251
1252 ret = krb5_cc_get_principal(context, id, &client);
1253 if (ret)
1254 return ret;
1255
1256 if (principal) {
1257 ret = krb5_unparse_name(context, principal, &pname);
1258 if (ret)
1259 return ret;
1260 }
1261
1262 ret = krb5_make_principal(context, &cred->server,
1263 KRB5_REALM_NAME,
1264 KRB5_CONF_NAME, name, pname, NULL);
1265 free(pname);
1266 if (ret) {
1267 krb5_free_principal(context, client);
1268 return ret;
1269 }
1270 ret = krb5_copy_principal(context, client, &cred->client);
1271 krb5_free_principal(context, client);
1272 return ret;
1273 }
1274
1275 /**
1276 * Return TRUE (non zero) if the principal is a configuration
1277 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1278 * (zero) if not a configuration principal.
1279 *
1280 * @param context a Keberos context
1281 * @param principal principal to check if it a configuration principal
1282 *
1283 * @ingroup krb5_ccache
1284 */
1285
1286 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1287 krb5_is_config_principal(krb5_context context,
1288 krb5_const_principal principal)
1289 {
1290 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1291 return FALSE;
1292
1293 if (principal->name.name_string.len == 0 ||
1294 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1295 return FALSE;
1296
1297 return TRUE;
1298 }
1299
1300 /**
1301 * Store some configuration for the credential cache in the cache.
1302 * Existing configuration under the same name is over-written.
1303 *
1304 * @param context a Keberos context
1305 * @param id the credential cache to store the data for
1306 * @param principal configuration for a specific principal, if
1307 * NULL, global for the whole cache.
1308 * @param name name under which the configuraion is stored.
1309 * @param data data to store, if NULL, configure is removed.
1310 *
1311 * @ingroup krb5_ccache
1312 */
1313
1314 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1315 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1316 krb5_const_principal principal,
1317 const char *name, krb5_data *data)
1318 {
1319 krb5_error_code ret;
1320 krb5_creds cred;
1321
1322 ret = build_conf_principals(context, id, principal, name, &cred);
1323 if (ret)
1324 goto out;
1325
1326 /* Remove old configuration */
1327 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1328 if (ret && ret != KRB5_CC_NOTFOUND)
1329 goto out;
1330
1331 if (data) {
1332 /* not that anyone care when this expire */
1333 cred.times.authtime = time(NULL);
1334 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1335
1336 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1337 if (ret)
1338 goto out;
1339
1340 ret = krb5_cc_store_cred(context, id, &cred);
1341 }
1342
1343 out:
1344 krb5_free_cred_contents (context, &cred);
1345 return ret;
1346 }
1347
1348 /**
1349 * Get some configuration for the credential cache in the cache.
1350 *
1351 * @param context a Keberos context
1352 * @param id the credential cache to store the data for
1353 * @param principal configuration for a specific principal, if
1354 * NULL, global for the whole cache.
1355 * @param name name under which the configuraion is stored.
1356 * @param data data to fetched, free with krb5_data_free()
1357 *
1358 * @ingroup krb5_ccache
1359 */
1360
1361
1362 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1363 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1364 krb5_const_principal principal,
1365 const char *name, krb5_data *data)
1366 {
1367 krb5_creds mcred, cred;
1368 krb5_error_code ret;
1369
1370 memset(&cred, 0, sizeof(cred));
1371 krb5_data_zero(data);
1372
1373 ret = build_conf_principals(context, id, principal, name, &mcred);
1374 if (ret)
1375 goto out;
1376
1377 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1378 if (ret)
1379 goto out;
1380
1381 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1382
1383 out:
1384 krb5_free_cred_contents (context, &cred);
1385 krb5_free_cred_contents (context, &mcred);
1386 return ret;
1387 }
1388
1389 /*
1390 *
1391 */
1392
1393 struct krb5_cccol_cursor_data {
1394 int idx;
1395 krb5_cc_cache_cursor cursor;
1396 };
1397
1398 /**
1399 * Get a new cache interation cursor that will interate over all
1400 * credentials caches independent of type.
1401 *
1402 * @param context a Keberos context
1403 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1404 *
1405 * @return Returns 0 or and error code, see krb5_get_error_message().
1406 *
1407 * @ingroup krb5_ccache
1408 */
1409
1410 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1411 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1412 {
1413 *cursor = calloc(1, sizeof(**cursor));
1414 if (*cursor == NULL)
1415 return krb5_enomem(context);
1416 (*cursor)->idx = 0;
1417 (*cursor)->cursor = NULL;
1418
1419 return 0;
1420 }
1421
1422 /**
1423 * Get next credential cache from the iteration.
1424 *
1425 * @param context A Kerberos 5 context
1426 * @param cursor the iteration cursor
1427 * @param cache the returned cursor, pointer is set to NULL on failure
1428 * and a cache on success. The returned cache needs to be freed
1429 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1430 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1431 * when all caches are iterated over and return 0.
1432 *
1433 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1434 * of iteration. See krb5_get_error_message().
1435 *
1436 * @ingroup krb5_ccache
1437 */
1438
1439
1440 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1441 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1442 krb5_ccache *cache)
1443 {
1444 krb5_error_code ret;
1445
1446 *cache = NULL;
1447
1448 while (cursor->idx < context->num_cc_ops) {
1449
1450 if (cursor->cursor == NULL) {
1451 ret = krb5_cc_cache_get_first (context,
1452 context->cc_ops[cursor->idx]->prefix,
1453 &cursor->cursor);
1454 if (ret) {
1455 cursor->idx++;
1456 continue;
1457 }
1458 }
1459 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1460 if (ret == 0)
1461 break;
1462
1463 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1464 cursor->cursor = NULL;
1465 if (ret != KRB5_CC_END)
1466 break;
1467
1468 cursor->idx++;
1469 }
1470 if (cursor->idx >= context->num_cc_ops) {
1471 krb5_set_error_message(context, KRB5_CC_END,
1472 N_("Reached end of credential caches", ""));
1473 return KRB5_CC_END;
1474 }
1475
1476 return 0;
1477 }
1478
1479 /**
1480 * End an iteration and free all resources, can be done before end is reached.
1481 *
1482 * @param context A Kerberos 5 context
1483 * @param cursor the iteration cursor to be freed.
1484 *
1485 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1486 * of iteration. See krb5_get_error_message().
1487 *
1488 * @ingroup krb5_ccache
1489 */
1490
1491 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1492 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1493 {
1494 krb5_cccol_cursor c = *cursor;
1495
1496 *cursor = NULL;
1497 if (c) {
1498 if (c->cursor)
1499 krb5_cc_cache_end_seq_get(context, c->cursor);
1500 free(c);
1501 }
1502 return 0;
1503 }
1504
1505 /**
1506 * Return the last time the credential cache was modified.
1507 *
1508 * @param context A Kerberos 5 context
1509 * @param id The credential cache to probe
1510 * @param mtime the last modification time, set to 0 on error.
1511
1512 * @return Return 0 or and error. See krb5_get_error_message().
1513 *
1514 * @ingroup krb5_ccache
1515 */
1516
1517
1518 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1519 krb5_cc_last_change_time(krb5_context context,
1520 krb5_ccache id,
1521 krb5_timestamp *mtime)
1522 {
1523 *mtime = 0;
1524 return (*id->ops->lastchange)(context, id, mtime);
1525 }
1526
1527 /**
1528 * Return the last modfication time for a cache collection. The query
1529 * can be limited to a specific cache type. If the function return 0
1530 * and mtime is 0, there was no credentials in the caches.
1531 *
1532 * @param context A Kerberos 5 context
1533 * @param type The credential cache to probe, if NULL, all type are traversed.
1534 * @param mtime the last modification time, set to 0 on error.
1535
1536 * @return Return 0 or and error. See krb5_get_error_message().
1537 *
1538 * @ingroup krb5_ccache
1539 */
1540
1541 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1542 krb5_cccol_last_change_time(krb5_context context,
1543 const char *type,
1544 krb5_timestamp *mtime)
1545 {
1546 krb5_cccol_cursor cursor;
1547 krb5_error_code ret;
1548 krb5_ccache id;
1549 krb5_timestamp t = 0;
1550
1551 *mtime = 0;
1552
1553 ret = krb5_cccol_cursor_new (context, &cursor);
1554 if (ret)
1555 return ret;
1556
1557 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1558
1559 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1560 continue;
1561
1562 ret = krb5_cc_last_change_time(context, id, &t);
1563 krb5_cc_close(context, id);
1564 if (ret)
1565 continue;
1566 if (t > *mtime)
1567 *mtime = t;
1568 }
1569
1570 krb5_cccol_cursor_free(context, &cursor);
1571
1572 return 0;
1573 }
1574 /**
1575 * Return a friendly name on credential cache. Free the result with krb5_xfree().
1576 *
1577 * @return Return an error code or 0, see krb5_get_error_message().
1578 *
1579 * @ingroup krb5_ccache
1580 */
1581
1582 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1583 krb5_cc_get_friendly_name(krb5_context context,
1584 krb5_ccache id,
1585 char **name)
1586 {
1587 krb5_error_code ret;
1588 krb5_data data;
1589
1590 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1591 if (ret) {
1592 krb5_principal principal;
1593 ret = krb5_cc_get_principal(context, id, &principal);
1594 if (ret)
1595 return ret;
1596 ret = krb5_unparse_name(context, principal, name);
1597 krb5_free_principal(context, principal);
1598 } else {
1599 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1600 krb5_data_free(&data);
1601 if (ret <= 0)
1602 ret = krb5_enomem(context);
1603 else
1604 ret = 0;
1605 }
1606
1607 return ret;
1608 }
1609
1610 /**
1611 * Set the friendly name on credential cache.
1612 *
1613 * @return Return an error code or 0, see krb5_get_error_message().
1614 *
1615 * @ingroup krb5_ccache
1616 */
1617
1618 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1619 krb5_cc_set_friendly_name(krb5_context context,
1620 krb5_ccache id,
1621 const char *name)
1622 {
1623 krb5_data data;
1624
1625 data.data = rk_UNCONST(name);
1626 data.length = strlen(name);
1627
1628 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1629 }
1630
1631 /**
1632 * Get the lifetime of the initial ticket in the cache
1633 *
1634 * Get the lifetime of the initial ticket in the cache, if the initial
1635 * ticket was not found, the error code KRB5_CC_END is returned.
1636 *
1637 * @param context A Kerberos 5 context.
1638 * @param id a credential cache
1639 * @param t the relative lifetime of the initial ticket
1640 *
1641 * @return Return an error code or 0, see krb5_get_error_message().
1642 *
1643 * @ingroup krb5_ccache
1644 */
1645
1646 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1647 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1648 {
1649 krb5_cc_cursor cursor;
1650 krb5_error_code ret;
1651 krb5_creds cred;
1652 time_t now, endtime = 0;
1653
1654 *t = 0;
1655 now = time(NULL);
1656
1657 ret = krb5_cc_start_seq_get(context, id, &cursor);
1658 if (ret)
1659 return ret;
1660
1661 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1662 /**
1663 * If we find a krbtgt in the cache, use that as the lifespan.
1664 */
1665 if (krb5_principal_is_root_krbtgt(context, cred.client)) {
1666 if (now < cred.times.endtime)
1667 endtime = cred.times.endtime;
1668 krb5_free_cred_contents(context, &cred);
1669 break;
1670 }
1671 /*
1672 * Skip config entries
1673 */
1674 if (krb5_is_config_principal(context, cred.server)) {
1675 krb5_free_cred_contents(context, &cred);
1676 continue;
1677 }
1678 /**
1679 * If there was no krbtgt, use the shortest lifetime of
1680 * service tickets that have yet to expire. If all
1681 * credentials are expired, krb5_cc_get_lifetime() will fail.
1682 */
1683 if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime)
1684 endtime = cred.times.endtime;
1685 krb5_free_cred_contents(context, &cred);
1686 }
1687
1688 /* if we found an endtime use that */
1689 if (endtime) {
1690 *t = endtime - now;
1691 ret = 0;
1692 }
1693
1694 krb5_cc_end_seq_get(context, id, &cursor);
1695
1696 return ret;
1697 }
1698
1699 /**
1700 * Set the time offset betwen the client and the KDC
1701 *
1702 * If the backend doesn't support KDC offset, use the context global setting.
1703 *
1704 * @param context A Kerberos 5 context.
1705 * @param id a credential cache
1706 * @param offset the offset in seconds
1707 *
1708 * @return Return an error code or 0, see krb5_get_error_message().
1709 *
1710 * @ingroup krb5_ccache
1711 */
1712
1713 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1714 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1715 {
1716 if (id->ops->set_kdc_offset == NULL) {
1717 context->kdc_sec_offset = offset;
1718 context->kdc_usec_offset = 0;
1719 return 0;
1720 }
1721 return (*id->ops->set_kdc_offset)(context, id, offset);
1722 }
1723
1724 /**
1725 * Get the time offset betwen the client and the KDC
1726 *
1727 * If the backend doesn't support KDC offset, use the context global setting.
1728 *
1729 * @param context A Kerberos 5 context.
1730 * @param id a credential cache
1731 * @param offset the offset in seconds
1732 *
1733 * @return Return an error code or 0, see krb5_get_error_message().
1734 *
1735 * @ingroup krb5_ccache
1736 */
1737
1738 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1739 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1740 {
1741 if (id->ops->get_kdc_offset == NULL) {
1742 *offset = context->kdc_sec_offset;
1743 return 0;
1744 }
1745 return (*id->ops->get_kdc_offset)(context, id, offset);
1746 }
1747
1748
1749 #ifdef _WIN32
1750
1751 #define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5"
1752 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
1753 _krb5_get_default_cc_name_from_registry(krb5_context context)
1754 {
1755 HKEY hk_k5 = 0;
1756 LONG code;
1757 char * ccname = NULL;
1758
1759 code = RegOpenKeyEx(HKEY_CURRENT_USER,
1760 REGPATH_MIT_KRB5,
1761 0, KEY_READ, &hk_k5);
1762
1763 if (code != ERROR_SUCCESS)
1764 return NULL;
1765
1766 ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
1767 REG_NONE, 0);
1768
1769 RegCloseKey(hk_k5);
1770
1771 return ccname;
1772 }
1773
1774 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
1775 _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
1776 {
1777 HKEY hk_k5 = 0;
1778 LONG code;
1779 int ret = -1;
1780 char * ccname = NULL;
1781
1782 code = RegOpenKeyEx(HKEY_CURRENT_USER,
1783 REGPATH_MIT_KRB5,
1784 0, KEY_READ|KEY_WRITE, &hk_k5);
1785
1786 if (code != ERROR_SUCCESS)
1787 return -1;
1788
1789 ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id));
1790 if (ret < 0)
1791 goto cleanup;
1792
1793 ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
1794 REG_SZ, ccname, -1, 0);
1795
1796 cleanup:
1797
1798 if (ccname)
1799 free(ccname);
1800
1801 RegCloseKey(hk_k5);
1802
1803 return ret;
1804 }
1805
1806 #endif
Heimdal