search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Round #2 of scan-build warnings cleanup
[heimdal.git] / lib / krb5 / cache.c
blobc43cd0ab7096dd149d8a36f8bc26f9c1deb83c53
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
41 *
42 * krb5_ccache structure holds a Kerberos credential cache.
43 *
44 * Heimdal support the follow types of credential caches:
45 *
46 * - SCC
47 * Store the credential in a database
48 * - FILE
49 * Store the credential in memory
50 * - MEMORY
51 * Store the credential in memory
52 * - API
53 * A credential cache server based solution for Mac OS X
54 * - KCM
55 * A credential cache server based solution for all platforms
56 *
57 * @subsection Example
58 *
59 * This is a minimalistic version of klist:
60 @code
61 #include <krb5.h>
62
63 int
64 main (int argc, char **argv)
65 {
66 krb5_context context;
67 krb5_cc_cursor cursor;
68 krb5_error_code ret;
69 krb5_ccache id;
70 krb5_creds creds;
71
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
74
75 ret = krb5_cc_default (context, &id);
76 if (ret)
77 krb5_err(context, 1, ret, "krb5_cc_default");
78
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
80 if (ret)
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
82
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
84 char *principal;
85
86 krb5_unparse_name(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
88 free(principal);
89 krb5_free_cred_contents (context, &creds);
90 }
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
92 if (ret)
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
94
95 krb5_cc_close(context, id);
96
97 krb5_free_context(context);
98 return 0;
99 }
100 * @endcode
101 */
102
103 /**
104 * Add a new ccache type with operations `ops', overwriting any
105 * existing one if `override'.
106 *
107 * @param context a Keberos context
108 * @param ops type of plugin symbol
109 * @param override flag to select if the registration is to overide
110 * an existing ops with the same name.
111 *
112 * @return Return an error code or 0, see krb5_get_error_message().
113 *
114 * @ingroup krb5_ccache
115 */
116
117 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
118 krb5_cc_register(krb5_context context,
119 const krb5_cc_ops *ops,
120 krb5_boolean override)
121 {
122 int i;
123
124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
126 if(!override) {
127 krb5_set_error_message(context,
128 KRB5_CC_TYPE_EXISTS,
129 N_("cache type %s already exists", "type"),
130 ops->prefix);
131 return KRB5_CC_TYPE_EXISTS;
132 }
133 break;
134 }
135 }
136 if(i == context->num_cc_ops) {
137 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
138 (context->num_cc_ops + 1) *
139 sizeof(context->cc_ops[0]));
140 if(o == NULL) {
141 krb5_set_error_message(context, KRB5_CC_NOMEM,
142 N_("malloc: out of memory", ""));
143 return KRB5_CC_NOMEM;
144 }
145 context->cc_ops = o;
146 context->cc_ops[context->num_cc_ops] = NULL;
147 context->num_cc_ops++;
148 }
149 context->cc_ops[i] = ops;
150 return 0;
151 }
152
153 /*
154 * Allocate the memory for a `id' and the that function table to
155 * `ops'. Returns 0 or and error code.
156 */
157
158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
159 _krb5_cc_allocate(krb5_context context,
160 const krb5_cc_ops *ops,
161 krb5_ccache *id)
162 {
163 krb5_ccache p;
164
165 p = calloc(1, sizeof(*p));
166 if (p == NULL) {
167 krb5_set_error_message(context, KRB5_CC_NOMEM,
168 N_("malloc: out of memory", ""));
169 return KRB5_CC_NOMEM;
170 }
171 p->ops = ops;
172 *id = p;
173
174 return 0;
175 }
176
177 /*
178 * Allocate memory for a new ccache in `id' with operations `ops'
179 * and name `residual'. Return 0 or an error code.
180 */
181
182 static krb5_error_code
183 allocate_ccache (krb5_context context,
184 const krb5_cc_ops *ops,
185 const char *residual,
186 krb5_ccache *id)
187 {
188 krb5_error_code ret;
189 #ifdef KRB5_USE_PATH_TOKENS
190 char * exp_residual = NULL;
191 int filepath;
192
193 filepath = (strcmp("FILE", ops->prefix) == 0
194 || strcmp("DIR", ops->prefix) == 0
195 || strcmp("SCC", ops->prefix) == 0);
196
197 ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
198 if (ret)
199 return ret;
200
201 residual = exp_residual;
202 #endif
203
204 ret = _krb5_cc_allocate(context, ops, id);
205 if (ret) {
206 #ifdef KRB5_USE_PATH_TOKENS
207 if (exp_residual)
208 free(exp_residual);
209 #endif
210 return ret;
211 }
212
213 ret = (*id)->ops->resolve(context, id, residual);
214 if(ret) {
215 free(*id);
216 *id = NULL;
217 }
218
219 #ifdef KRB5_USE_PATH_TOKENS
220 if (exp_residual)
221 free(exp_residual);
222 #endif
223
224 return ret;
225 }
226
227 static int
228 is_possible_path_name(const char * name)
229 {
230 const char * colon;
231
232 if ((colon = strchr(name, ':')) == NULL)
233 return TRUE;
234
235 #ifdef _WIN32
236 /* <drive letter>:\path\to\cache ? */
237
238 if (colon == name + 1 &&
239 strchr(colon + 1, ':') == NULL)
240 return TRUE;
241 #endif
242
243 return FALSE;
244 }
245
246 /**
247 * Find and allocate a ccache in `id' from the specification in `residual'.
248 * If the ccache name doesn't contain any colon, interpret it as a file name.
249 *
250 * @param context a Keberos context.
251 * @param name string name of a credential cache.
252 * @param id return pointer to a found credential cache.
253 *
254 * @return Return 0 or an error code. In case of an error, id is set
255 * to NULL, see krb5_get_error_message().
256 *
257 * @ingroup krb5_ccache
258 */
259
260
261 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
262 krb5_cc_resolve(krb5_context context,
263 const char *name,
264 krb5_ccache *id)
265 {
266 int i;
267
268 *id = NULL;
269
270 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
271 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
272
273 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
274 && name[prefix_len] == ':') {
275 return allocate_ccache (context, context->cc_ops[i],
276 name + prefix_len + 1,
277 id);
278 }
279 }
280 if (is_possible_path_name(name))
281 return allocate_ccache (context, &krb5_fcc_ops, name, id);
282 else {
283 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
284 N_("unknown ccache type %s", "name"), name);
285 return KRB5_CC_UNKNOWN_TYPE;
286 }
287 }
288
289 /**
290 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
291 * the library chooses the default credential cache type. The supplied
292 * `hint' (that can be NULL) is a string that the credential cache
293 * type can use to base the name of the credential on, this is to make
294 * it easier for the user to differentiate the credentials.
295 *
296 * @return Return an error code or 0, see krb5_get_error_message().
297 *
298 * @ingroup krb5_ccache
299 */
300
301 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
302 krb5_cc_new_unique(krb5_context context, const char *type,
303 const char *hint, krb5_ccache *id)
304 {
305 const krb5_cc_ops *ops;
306 krb5_error_code ret;
307
308 ops = krb5_cc_get_prefix_ops(context, type);
309 if (ops == NULL) {
310 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
311 "Credential cache type %s is unknown", type);
312 return KRB5_CC_UNKNOWN_TYPE;
313 }
314
315 ret = _krb5_cc_allocate(context, ops, id);
316 if (ret)
317 return ret;
318 ret = (*id)->ops->gen_new(context, id);
319 if (ret) {
320 free(*id);
321 *id = NULL;
322 }
323 return ret;
324 }
325
326 /**
327 * Return the name of the ccache `id'
328 *
329 * @ingroup krb5_ccache
330 */
331
332
333 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
334 krb5_cc_get_name(krb5_context context,
335 krb5_ccache id)
336 {
337 return id->ops->get_name(context, id);
338 }
339
340 /**
341 * Return the type of the ccache `id'.
342 *
343 * @ingroup krb5_ccache
344 */
345
346
347 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
348 krb5_cc_get_type(krb5_context context,
349 krb5_ccache id)
350 {
351 return id->ops->prefix;
352 }
353
354 /**
355 * Return the complete resolvable name the cache
356
357 * @param context a Keberos context
358 * @param id return pointer to a found credential cache
359 * @param str the returned name of a credential cache, free with krb5_xfree()
360 *
361 * @return Returns 0 or an error (and then *str is set to NULL).
362 *
363 * @ingroup krb5_ccache
364 */
365
366
367 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
368 krb5_cc_get_full_name(krb5_context context,
369 krb5_ccache id,
370 char **str)
371 {
372 const char *type, *name;
373
374 *str = NULL;
375
376 type = krb5_cc_get_type(context, id);
377 if (type == NULL) {
378 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
379 "cache have no name of type");
380 return KRB5_CC_UNKNOWN_TYPE;
381 }
382
383 name = krb5_cc_get_name(context, id);
384 if (name == NULL) {
385 krb5_set_error_message(context, KRB5_CC_BADNAME,
386 "cache of type %s have no name", type);
387 return KRB5_CC_BADNAME;
388 }
389
390 if (asprintf(str, "%s:%s", type, name) == -1) {
391 *str = NULL;
392 return krb5_enomem(context);
393 }
394 return 0;
395 }
396
397 /**
398 * Return krb5_cc_ops of a the ccache `id'.
399 *
400 * @ingroup krb5_ccache
401 */
402
403
404 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
405 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
406 {
407 return id->ops;
408 }
409
410 /*
411 * Expand variables in `str' into `res'
412 */
413
414 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
415 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
416 {
417 int filepath;
418
419 filepath = (strncmp("FILE:", str, 5) == 0
420 || strncmp("DIR:", str, 4) == 0
421 || strncmp("SCC:", str, 4) == 0);
422
423 return _krb5_expand_path_tokens(context, str, filepath, res);
424 }
425
426 /*
427 * Return non-zero if envirnoment that will determine default krb5cc
428 * name has changed.
429 */
430
431 static int
432 environment_changed(krb5_context context)
433 {
434 const char *e;
435
436 /* if the cc name was set, don't change it */
437 if (context->default_cc_name_set)
438 return 0;
439
440 /* XXX performance: always ask KCM/API if default name has changed */
441 if (context->default_cc_name &&
442 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
443 strncmp(context->default_cc_name, "API:", 4) == 0))
444 return 1;
445
446 if(issuid())
447 return 0;
448
449 e = getenv("KRB5CCNAME");
450 if (e == NULL) {
451 if (context->default_cc_name_env) {
452 free(context->default_cc_name_env);
453 context->default_cc_name_env = NULL;
454 return 1;
455 }
456 } else {
457 if (context->default_cc_name_env == NULL)
458 return 1;
459 if (strcmp(e, context->default_cc_name_env) != 0)
460 return 1;
461 }
462 return 0;
463 }
464
465 /**
466 * Switch the default default credential cache for a specific
467 * credcache type (and name for some implementations).
468 *
469 * @return Return an error code or 0, see krb5_get_error_message().
470 *
471 * @ingroup krb5_ccache
472 */
473
474 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
475 krb5_cc_switch(krb5_context context, krb5_ccache id)
476 {
477 #ifdef _WIN32
478 _krb5_set_default_cc_name_to_registry(context, id);
479 #endif
480
481 if (id->ops->set_default == NULL)
482 return 0;
483
484 return (*id->ops->set_default)(context, id);
485 }
486
487 /**
488 * Return true if the default credential cache support switch
489 *
490 * @ingroup krb5_ccache
491 */
492
493 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
494 krb5_cc_support_switch(krb5_context context, const char *type)
495 {
496 const krb5_cc_ops *ops;
497
498 ops = krb5_cc_get_prefix_ops(context, type);
499 if (ops && ops->set_default)
500 return 1;
501 return FALSE;
502 }
503
504 /**
505 * Set the default cc name for `context' to `name'.
506 *
507 * @ingroup krb5_ccache
508 */
509
510 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
511 krb5_cc_set_default_name(krb5_context context, const char *name)
512 {
513 krb5_error_code ret = 0;
514 char *p = NULL, *exp_p = NULL;
515 int filepath;
516 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
517
518 if (name == NULL) {
519 const char *e = NULL;
520
521 if (!issuid()) {
522 e = getenv("KRB5CCNAME");
523 if (e) {
524 p = strdup(e);
525 if (context->default_cc_name_env)
526 free(context->default_cc_name_env);
527 context->default_cc_name_env = strdup(e);
528 }
529 }
530
531 #ifdef _WIN32
532 if (p == NULL) {
533 p = _krb5_get_default_cc_name_from_registry(context);
534 }
535 #endif
536 if (p == NULL) {
537 e = krb5_config_get_string(context, NULL, "libdefaults",
538 "default_cc_name", NULL);
539 if (e) {
540 ret = _krb5_expand_default_cc_name(context, e, &p);
541 if (ret)
542 return ret;
543 }
544 }
545 if (p == NULL) {
546 e = krb5_config_get_string(context, NULL, "libdefaults",
547 "default_cc_type", NULL);
548 if (e) {
549 ops = krb5_cc_get_prefix_ops(context, e);
550 if (ops == NULL) {
551 krb5_set_error_message(context,
552 KRB5_CC_UNKNOWN_TYPE,
553 "Credential cache type %s "
554 "is unknown", e);
555 return KRB5_CC_UNKNOWN_TYPE;
556 }
557 }
558 }
559 #ifdef _WIN32
560 if (p == NULL) {
561 /*
562 * If the MSLSA ccache type has a principal name,
563 * use it as the default.
564 */
565 krb5_ccache id;
566 ret = krb5_cc_resolve(context, "MSLSA:", &id);
567 if (ret == 0) {
568 krb5_principal princ;
569 ret = krb5_cc_get_principal(context, id, &princ);
570 if (ret == 0) {
571 krb5_free_principal(context, princ);
572 p = strdup("MSLSA:");
573 }
574 krb5_cc_close(context, id);
575 }
576 }
577 if (p == NULL) {
578 /*
579 * If the API:krb5cc ccache can be resolved,
580 * use it as the default.
581 */
582 krb5_ccache api_id;
583 ret = krb5_cc_resolve(context, "API:krb5cc", &api_id);
584 if (ret == 0)
585 krb5_cc_close(context, api_id);
586 }
587 /* Otherwise, fallback to the FILE ccache */
588 #endif
589 if (p == NULL) {
590 ret = (*ops->get_default_name)(context, &p);
591 if (ret)
592 return ret;
593 }
594 context->default_cc_name_set = 0;
595 } else {
596 p = strdup(name);
597 if (p == NULL)
598 return krb5_enomem(context);
599 context->default_cc_name_set = 1;
600 }
601
602 filepath = (strncmp("FILE:", p, 5) == 0
603 || strncmp("DIR:", p, 4) == 0
604 || strncmp("SCC:", p, 4) == 0);
605
606 ret = _krb5_expand_path_tokens(context, p, filepath, &exp_p);
607 free(p);
608 p = exp_p;
609 if (ret)
610 return ret;
611
612 if (context->default_cc_name)
613 free(context->default_cc_name);
614
615 context->default_cc_name = p;
616
617 return 0;
618 }
619
620 /**
621 * Return a pointer to a context static string containing the default
622 * ccache name.
623 *
624 * @return String to the default credential cache name.
625 *
626 * @ingroup krb5_ccache
627 */
628
629
630 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
631 krb5_cc_default_name(krb5_context context)
632 {
633 if (context->default_cc_name == NULL || environment_changed(context))
634 krb5_cc_set_default_name(context, NULL);
635
636 return context->default_cc_name;
637 }
638
639 /**
640 * Open the default ccache in `id'.
641 *
642 * @return Return an error code or 0, see krb5_get_error_message().
643 *
644 * @ingroup krb5_ccache
645 */
646
647
648 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
649 krb5_cc_default(krb5_context context,
650 krb5_ccache *id)
651 {
652 const char *p = krb5_cc_default_name(context);
653
654 if (p == NULL)
655 return krb5_enomem(context);
656 return krb5_cc_resolve(context, p, id);
657 }
658
659 /**
660 * Create a new ccache in `id' for `primary_principal'.
661 *
662 * @return Return an error code or 0, see krb5_get_error_message().
663 *
664 * @ingroup krb5_ccache
665 */
666
667
668 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
669 krb5_cc_initialize(krb5_context context,
670 krb5_ccache id,
671 krb5_principal primary_principal)
672 {
673 krb5_error_code ret;
674
675 ret = (*id->ops->init)(context, id, primary_principal);
676 if (ret == 0)
677 id->initialized = 1;
678 return ret;
679 }
680
681
682 /**
683 * Remove the ccache `id'.
684 *
685 * @return Return an error code or 0, see krb5_get_error_message().
686 *
687 * @ingroup krb5_ccache
688 */
689
690
691 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
692 krb5_cc_destroy(krb5_context context,
693 krb5_ccache id)
694 {
695 krb5_error_code ret;
696
697 ret = (*id->ops->destroy)(context, id);
698 krb5_cc_close (context, id);
699 return ret;
700 }
701
702 /**
703 * Stop using the ccache `id' and free the related resources.
704 *
705 * @return Return an error code or 0, see krb5_get_error_message().
706 *
707 * @ingroup krb5_ccache
708 */
709
710
711 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
712 krb5_cc_close(krb5_context context,
713 krb5_ccache id)
714 {
715 krb5_error_code ret;
716 ret = (*id->ops->close)(context, id);
717 free(id);
718 return ret;
719 }
720
721 /**
722 * Store `creds' in the ccache `id'.
723 *
724 * @return Return an error code or 0, see krb5_get_error_message().
725 *
726 * @ingroup krb5_ccache
727 */
728
729
730 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
731 krb5_cc_store_cred(krb5_context context,
732 krb5_ccache id,
733 krb5_creds *creds)
734 {
735 krb5_error_code ret;
736 krb5_data realm;
737
738 ret = (*id->ops->store)(context, id, creds);
739
740 /* Look for and mark the first root TGT's realm as the start realm */
741 if (ret == 0 && id->initialized &&
742 krb5_principal_is_root_krbtgt(context, creds->server)) {
743
744 id->initialized = 0;
745 realm.length = strlen(creds->server->realm);
746 realm.data = creds->server->realm;
747 (void) krb5_cc_set_config(context, id, NULL, "start_realm", &realm);
748 } else if (ret == 0 && id->initialized &&
749 krb5_is_config_principal(context, creds->server) &&
750 strcmp(creds->server->name.name_string.val[1], "start_realm") == 0) {
751
752 /*
753 * But if the caller is storing a start_realm ccconfig, then
754 * stop looking for root TGTs to mark as the start_realm.
755 *
756 * By honoring any start_realm cc config stored, we interop
757 * both, with ccache implementations that don't preserve
758 * insertion order, and Kerberos implementations that store this
759 * cc config before the TGT.
760 */
761 id->initialized = 0;
762 }
763 return ret;
764 }
765
766 /**
767 * Retrieve the credential identified by `mcreds' (and `whichfields')
768 * from `id' in `creds'. 'creds' must be free by the caller using
769 * krb5_free_cred_contents.
770 *
771 * @param context A Kerberos 5 context
772 * @param id a Kerberos 5 credential cache
773 * @param whichfields what fields to use for matching credentials, same
774 * flags as whichfields in krb5_compare_creds()
775 * @param mcreds template credential to use for comparing
776 * @param creds returned credential, free with krb5_free_cred_contents()
777 *
778 * @return Return an error code or 0, see krb5_get_error_message().
779 *
780 * @ingroup krb5_ccache
781 */
782
783
784 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
785 krb5_cc_retrieve_cred(krb5_context context,
786 krb5_ccache id,
787 krb5_flags whichfields,
788 const krb5_creds *mcreds,
789 krb5_creds *creds)
790 {
791 krb5_error_code ret;
792 krb5_cc_cursor cursor;
793
794 if (id->ops->retrieve != NULL) {
795 return (*id->ops->retrieve)(context, id, whichfields,
796 mcreds, creds);
797 }
798
799 ret = krb5_cc_start_seq_get(context, id, &cursor);
800 if (ret)
801 return ret;
802 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
803 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
804 ret = 0;
805 break;
806 }
807 krb5_free_cred_contents (context, creds);
808 }
809 krb5_cc_end_seq_get(context, id, &cursor);
810 return ret;
811 }
812
813 /**
814 * Return the principal of `id' in `principal'.
815 *
816 * @return Return an error code or 0, see krb5_get_error_message().
817 *
818 * @ingroup krb5_ccache
819 */
820
821
822 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
823 krb5_cc_get_principal(krb5_context context,
824 krb5_ccache id,
825 krb5_principal *principal)
826 {
827 return (*id->ops->get_princ)(context, id, principal);
828 }
829
830 /**
831 * Start iterating over `id', `cursor' is initialized to the
832 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
833 *
834 * @return Return an error code or 0, see krb5_get_error_message().
835 *
836 * @ingroup krb5_ccache
837 */
838
839
840 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
841 krb5_cc_start_seq_get (krb5_context context,
842 const krb5_ccache id,
843 krb5_cc_cursor *cursor)
844 {
845 return (*id->ops->get_first)(context, id, cursor);
846 }
847
848 /**
849 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
850 * and advance `cursor'.
851 *
852 * @return Return an error code or 0, see krb5_get_error_message().
853 *
854 * @ingroup krb5_ccache
855 */
856
857
858 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
859 krb5_cc_next_cred (krb5_context context,
860 const krb5_ccache id,
861 krb5_cc_cursor *cursor,
862 krb5_creds *creds)
863 {
864 return (*id->ops->get_next)(context, id, cursor, creds);
865 }
866
867 /**
868 * Destroy the cursor `cursor'.
869 *
870 * @ingroup krb5_ccache
871 */
872
873
874 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
875 krb5_cc_end_seq_get (krb5_context context,
876 const krb5_ccache id,
877 krb5_cc_cursor *cursor)
878 {
879 return (*id->ops->end_get)(context, id, cursor);
880 }
881
882 /**
883 * Remove the credential identified by `cred', `which' from `id'.
884 *
885 * @ingroup krb5_ccache
886 */
887
888
889 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
890 krb5_cc_remove_cred(krb5_context context,
891 krb5_ccache id,
892 krb5_flags which,
893 krb5_creds *cred)
894 {
895 if(id->ops->remove_cred == NULL) {
896 krb5_set_error_message(context,
897 EACCES,
898 "ccache %s does not support remove_cred",
899 id->ops->prefix);
900 return EACCES; /* XXX */
901 }
902 return (*id->ops->remove_cred)(context, id, which, cred);
903 }
904
905 /**
906 * Set the flags of `id' to `flags'.
907 *
908 * @ingroup krb5_ccache
909 */
910
911
912 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
913 krb5_cc_set_flags(krb5_context context,
914 krb5_ccache id,
915 krb5_flags flags)
916 {
917 return (*id->ops->set_flags)(context, id, flags);
918 }
919
920 /**
921 * Get the flags of `id', store them in `flags'.
922 *
923 * @ingroup krb5_ccache
924 */
925
926 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
927 krb5_cc_get_flags(krb5_context context,
928 krb5_ccache id,
929 krb5_flags *flags)
930 {
931 *flags = 0;
932 return 0;
933 }
934
935 /**
936 * Copy the contents of `from' to `to' if the given match function
937 * return true.
938 *
939 * @param context A Kerberos 5 context.
940 * @param from the cache to copy data from.
941 * @param to the cache to copy data to.
942 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
943 * @param matchctx context passed to match function.
944 * @param matched set to true if there was a credential that matched, may be NULL.
945 *
946 * @return Return an error code or 0, see krb5_get_error_message().
947 *
948 * @ingroup krb5_ccache
949 */
950
951 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
952 krb5_cc_copy_match_f(krb5_context context,
953 const krb5_ccache from,
954 krb5_ccache to,
955 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
956 void *matchctx,
957 unsigned int *matched)
958 {
959 krb5_error_code ret;
960 krb5_cc_cursor cursor;
961 krb5_creds cred;
962 krb5_principal princ;
963
964 if (matched)
965 *matched = 0;
966
967 ret = krb5_cc_get_principal(context, from, &princ);
968 if (ret)
969 return ret;
970 ret = krb5_cc_initialize(context, to, princ);
971 if (ret) {
972 krb5_free_principal(context, princ);
973 return ret;
974 }
975 ret = krb5_cc_start_seq_get(context, from, &cursor);
976 if (ret) {
977 krb5_free_principal(context, princ);
978 return ret;
979 }
980
981 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
982 if (match == NULL || (*match)(context, matchctx, &cred)) {
983 if (matched)
984 (*matched)++;
985 ret = krb5_cc_store_cred(context, to, &cred);
986 if (ret)
987 break;
988 }
989 krb5_free_cred_contents(context, &cred);
990 }
991 krb5_cc_end_seq_get(context, from, &cursor);
992 krb5_free_principal(context, princ);
993 if (ret == KRB5_CC_END)
994 ret = 0;
995 return ret;
996 }
997
998 /**
999 * Just like krb5_cc_copy_match_f(), but copy everything.
1000 *
1001 * @ingroup @krb5_ccache
1002 */
1003
1004 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1005 krb5_cc_copy_cache(krb5_context context,
1006 const krb5_ccache from,
1007 krb5_ccache to)
1008 {
1009 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
1010 }
1011
1012 /**
1013 * Return the version of `id'.
1014 *
1015 * @ingroup krb5_ccache
1016 */
1017
1018
1019 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1020 krb5_cc_get_version(krb5_context context,
1021 const krb5_ccache id)
1022 {
1023 if(id->ops->get_version)
1024 return (*id->ops->get_version)(context, id);
1025 else
1026 return 0;
1027 }
1028
1029 /**
1030 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
1031 *
1032 * @ingroup krb5_ccache
1033 */
1034
1035
1036 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1037 krb5_cc_clear_mcred(krb5_creds *mcred)
1038 {
1039 memset(mcred, 0, sizeof(*mcred));
1040 }
1041
1042 /**
1043 * Get the cc ops that is registered in `context' to handle the
1044 * prefix. prefix can be a complete credential cache name or a
1045 * prefix, the function will only use part up to the first colon (:)
1046 * if there is one. If prefix the argument is NULL, the default ccache
1047 * implemtation is returned.
1048 *
1049 * @return Returns NULL if ops not found.
1050 *
1051 * @ingroup krb5_ccache
1052 */
1053
1054
1055 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
1056 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
1057 {
1058 char *p, *p1;
1059 int i;
1060
1061 if (prefix == NULL)
1062 return KRB5_DEFAULT_CCTYPE;
1063
1064 /* Is absolute path? Or UNC path? */
1065 if (ISPATHSEP(prefix[0]))
1066 return &krb5_fcc_ops;
1067
1068 #ifdef _WIN32
1069 /* Is drive letter? */
1070 if (isalpha(prefix[0]) && prefix[1] == ':')
1071 return &krb5_fcc_ops;
1072 #endif
1073
1074 p = strdup(prefix);
1075 if (p == NULL) {
1076 krb5_enomem(context);
1077 return NULL;
1078 }
1079 p1 = strchr(p, ':');
1080 if (p1)
1081 *p1 = '\0';
1082
1083 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
1084 if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
1085 free(p);
1086 return context->cc_ops[i];
1087 }
1088 }
1089 free(p);
1090 return NULL;
1091 }
1092
1093 struct krb5_cc_cache_cursor_data {
1094 const krb5_cc_ops *ops;
1095 krb5_cc_cursor cursor;
1096 };
1097
1098 /**
1099 * Start iterating over all caches of specified type. See also
1100 * krb5_cccol_cursor_new().
1101
1102 * @param context A Kerberos 5 context
1103 * @param type optional type to iterate over, if NULL, the default cache is used.
1104 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1105 *
1106 * @return Return an error code or 0, see krb5_get_error_message().
1107 *
1108 * @ingroup krb5_ccache
1109 */
1110
1111
1112 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1113 krb5_cc_cache_get_first (krb5_context context,
1114 const char *type,
1115 krb5_cc_cache_cursor *cursor)
1116 {
1117 const krb5_cc_ops *ops;
1118 krb5_error_code ret;
1119
1120 if (type == NULL)
1121 type = krb5_cc_default_name(context);
1122
1123 ops = krb5_cc_get_prefix_ops(context, type);
1124 if (ops == NULL) {
1125 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1126 "Unknown type \"%s\" when iterating "
1127 "trying to iterate the credential caches", type);
1128 return KRB5_CC_UNKNOWN_TYPE;
1129 }
1130
1131 if (ops->get_cache_first == NULL) {
1132 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1133 N_("Credential cache type %s doesn't support "
1134 "iterations over caches", "type"),
1135 ops->prefix);
1136 return KRB5_CC_NOSUPP;
1137 }
1138
1139 *cursor = calloc(1, sizeof(**cursor));
1140 if (*cursor == NULL)
1141 return krb5_enomem(context);
1142
1143 (*cursor)->ops = ops;
1144
1145 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1146 if (ret) {
1147 free(*cursor);
1148 *cursor = NULL;
1149 }
1150 return ret;
1151 }
1152
1153 /**
1154 * Retrieve the next cache pointed to by (`cursor') in `id'
1155 * and advance `cursor'.
1156 *
1157 * @param context A Kerberos 5 context
1158 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1159 * @param id next ccache
1160 *
1161 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1162 * of caches is reached, see krb5_get_error_message().
1163 *
1164 * @ingroup krb5_ccache
1165 */
1166
1167
1168 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1169 krb5_cc_cache_next (krb5_context context,
1170 krb5_cc_cache_cursor cursor,
1171 krb5_ccache *id)
1172 {
1173 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1174 }
1175
1176 /**
1177 * Destroy the cursor `cursor'.
1178 *
1179 * @return Return an error code or 0, see krb5_get_error_message().
1180 *
1181 * @ingroup krb5_ccache
1182 */
1183
1184
1185 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1186 krb5_cc_cache_end_seq_get (krb5_context context,
1187 krb5_cc_cache_cursor cursor)
1188 {
1189 krb5_error_code ret;
1190 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1191 cursor->ops = NULL;
1192 free(cursor);
1193 return ret;
1194 }
1195
1196 /**
1197 * Search for a matching credential cache that have the
1198 * `principal' as the default principal. On success, `id' needs to be
1199 * freed with krb5_cc_close() or krb5_cc_destroy().
1200 *
1201 * @param context A Kerberos 5 context
1202 * @param client The principal to search for
1203 * @param id the returned credential cache
1204 *
1205 * @return On failure, error code is returned and `id' is set to NULL.
1206 *
1207 * @ingroup krb5_ccache
1208 */
1209
1210
1211 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1212 krb5_cc_cache_match (krb5_context context,
1213 krb5_principal client,
1214 krb5_ccache *id)
1215 {
1216 krb5_cccol_cursor cursor;
1217 krb5_error_code ret;
1218 krb5_ccache cache = NULL;
1219 krb5_ccache expired_match = NULL;
1220
1221 *id = NULL;
1222
1223 ret = krb5_cccol_cursor_new (context, &cursor);
1224 if (ret)
1225 return ret;
1226
1227 while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) {
1228 krb5_principal principal;
1229 krb5_boolean match;
1230 time_t lifetime;
1231
1232 ret = krb5_cc_get_principal(context, cache, &principal);
1233 if (ret)
1234 goto next;
1235
1236 if (client->name.name_string.len == 0)
1237 match = (strcmp(client->realm, principal->realm) == 0);
1238 else
1239 match = krb5_principal_compare(context, principal, client);
1240 krb5_free_principal(context, principal);
1241
1242 if (!match)
1243 goto next;
1244
1245 if (expired_match == NULL &&
1246 (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) {
1247 expired_match = cache;
1248 cache = NULL;
1249 goto next;
1250 }
1251 break;
1252
1253 next:
1254 if (cache)
1255 krb5_cc_close(context, cache);
1256 cache = NULL;
1257 }
1258
1259 krb5_cccol_cursor_free(context, &cursor);
1260
1261 if (cache == NULL && expired_match) {
1262 cache = expired_match;
1263 expired_match = NULL;
1264 } else if (expired_match) {
1265 krb5_cc_close(context, expired_match);
1266 } else if (cache == NULL) {
1267 char *str;
1268
1269 krb5_unparse_name(context, client, &str);
1270
1271 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1272 N_("Principal %s not found in any "
1273 "credential cache", ""),
1274 str ? str : "<out of memory>");
1275 if (str)
1276 free(str);
1277 return KRB5_CC_NOTFOUND;
1278 }
1279
1280 *id = cache;
1281
1282 return 0;
1283 }
1284
1285 /**
1286 * Move the content from one credential cache to another. The
1287 * operation is an atomic switch.
1288 *
1289 * @param context a Keberos context
1290 * @param from the credential cache to move the content from
1291 * @param to the credential cache to move the content to
1292
1293 * @return On sucess, from is freed. On failure, error code is
1294 * returned and from and to are both still allocated, see krb5_get_error_message().
1295 *
1296 * @ingroup krb5_ccache
1297 */
1298
1299 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1300 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1301 {
1302 krb5_error_code ret;
1303
1304 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1305 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1306 N_("Moving credentials between diffrent "
1307 "types not yet supported", ""));
1308 return KRB5_CC_NOSUPP;
1309 }
1310
1311 ret = (*to->ops->move)(context, from, to);
1312 if (ret == 0) {
1313 memset(from, 0, sizeof(*from));
1314 free(from);
1315 }
1316 return ret;
1317 }
1318
1319 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1320 #define KRB5_REALM_NAME "X-CACHECONF:"
1321
1322 static krb5_error_code
1323 build_conf_principals(krb5_context context, krb5_ccache id,
1324 krb5_const_principal principal,
1325 const char *name, krb5_creds *cred)
1326 {
1327 krb5_principal client;
1328 krb5_error_code ret;
1329 char *pname = NULL;
1330
1331 memset(cred, 0, sizeof(*cred));
1332
1333 ret = krb5_cc_get_principal(context, id, &client);
1334 if (ret)
1335 return ret;
1336
1337 if (principal) {
1338 ret = krb5_unparse_name(context, principal, &pname);
1339 if (ret)
1340 return ret;
1341 }
1342
1343 ret = krb5_make_principal(context, &cred->server,
1344 KRB5_REALM_NAME,
1345 KRB5_CONF_NAME, name, pname, NULL);
1346 free(pname);
1347 if (ret) {
1348 krb5_free_principal(context, client);
1349 return ret;
1350 }
1351 ret = krb5_copy_principal(context, client, &cred->client);
1352 krb5_free_principal(context, client);
1353 return ret;
1354 }
1355
1356 /**
1357 * Return TRUE (non zero) if the principal is a configuration
1358 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1359 * (zero) if not a configuration principal.
1360 *
1361 * @param context a Keberos context
1362 * @param principal principal to check if it a configuration principal
1363 *
1364 * @ingroup krb5_ccache
1365 */
1366
1367 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1368 krb5_is_config_principal(krb5_context context,
1369 krb5_const_principal principal)
1370 {
1371 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1372 return FALSE;
1373
1374 if (principal->name.name_string.len == 0 ||
1375 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1376 return FALSE;
1377
1378 return TRUE;
1379 }
1380
1381 /**
1382 * Store some configuration for the credential cache in the cache.
1383 * Existing configuration under the same name is over-written.
1384 *
1385 * @param context a Keberos context
1386 * @param id the credential cache to store the data for
1387 * @param principal configuration for a specific principal, if
1388 * NULL, global for the whole cache.
1389 * @param name name under which the configuraion is stored.
1390 * @param data data to store, if NULL, configure is removed.
1391 *
1392 * @ingroup krb5_ccache
1393 */
1394
1395 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1396 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1397 krb5_const_principal principal,
1398 const char *name, krb5_data *data)
1399 {
1400 krb5_error_code ret;
1401 krb5_creds cred;
1402
1403 ret = build_conf_principals(context, id, principal, name, &cred);
1404 if (ret)
1405 goto out;
1406
1407 /* Remove old configuration */
1408 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1409 if (ret && ret != KRB5_CC_NOTFOUND)
1410 goto out;
1411
1412 if (data) {
1413 /* not that anyone care when this expire */
1414 cred.times.authtime = time(NULL);
1415 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1416
1417 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1418 if (ret)
1419 goto out;
1420
1421 ret = krb5_cc_store_cred(context, id, &cred);
1422 }
1423
1424 out:
1425 krb5_free_cred_contents (context, &cred);
1426 return ret;
1427 }
1428
1429 /**
1430 * Get some configuration for the credential cache in the cache.
1431 *
1432 * @param context a Keberos context
1433 * @param id the credential cache to store the data for
1434 * @param principal configuration for a specific principal, if
1435 * NULL, global for the whole cache.
1436 * @param name name under which the configuraion is stored.
1437 * @param data data to fetched, free with krb5_data_free()
1438 *
1439 * @ingroup krb5_ccache
1440 */
1441
1442
1443 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1444 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1445 krb5_const_principal principal,
1446 const char *name, krb5_data *data)
1447 {
1448 krb5_creds mcred, cred;
1449 krb5_error_code ret;
1450
1451 memset(&cred, 0, sizeof(cred));
1452 krb5_data_zero(data);
1453
1454 ret = build_conf_principals(context, id, principal, name, &mcred);
1455 if (ret)
1456 goto out;
1457
1458 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1459 if (ret)
1460 goto out;
1461
1462 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1463
1464 out:
1465 krb5_free_cred_contents (context, &cred);
1466 krb5_free_cred_contents (context, &mcred);
1467 return ret;
1468 }
1469
1470 /*
1471 *
1472 */
1473
1474 struct krb5_cccol_cursor_data {
1475 int idx;
1476 krb5_cc_cache_cursor cursor;
1477 };
1478
1479 /**
1480 * Get a new cache interation cursor that will interate over all
1481 * credentials caches independent of type.
1482 *
1483 * @param context a Keberos context
1484 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1485 *
1486 * @return Returns 0 or and error code, see krb5_get_error_message().
1487 *
1488 * @ingroup krb5_ccache
1489 */
1490
1491 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1492 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1493 {
1494 *cursor = calloc(1, sizeof(**cursor));
1495 if (*cursor == NULL)
1496 return krb5_enomem(context);
1497 (*cursor)->idx = 0;
1498 (*cursor)->cursor = NULL;
1499
1500 return 0;
1501 }
1502
1503 /**
1504 * Get next credential cache from the iteration.
1505 *
1506 * @param context A Kerberos 5 context
1507 * @param cursor the iteration cursor
1508 * @param cache the returned cursor, pointer is set to NULL on failure
1509 * and a cache on success. The returned cache needs to be freed
1510 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1511 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1512 * when all caches are iterated over and return 0.
1513 *
1514 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1515 * of iteration. See krb5_get_error_message().
1516 *
1517 * @ingroup krb5_ccache
1518 */
1519
1520
1521 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1522 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1523 krb5_ccache *cache)
1524 {
1525 krb5_error_code ret;
1526
1527 *cache = NULL;
1528
1529 while (cursor->idx < context->num_cc_ops) {
1530
1531 if (cursor->cursor == NULL) {
1532 ret = krb5_cc_cache_get_first (context,
1533 context->cc_ops[cursor->idx]->prefix,
1534 &cursor->cursor);
1535 if (ret) {
1536 cursor->idx++;
1537 continue;
1538 }
1539 }
1540 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1541 if (ret == 0)
1542 break;
1543
1544 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1545 cursor->cursor = NULL;
1546 if (ret != KRB5_CC_END)
1547 break;
1548
1549 cursor->idx++;
1550 }
1551 if (cursor->idx >= context->num_cc_ops) {
1552 krb5_set_error_message(context, KRB5_CC_END,
1553 N_("Reached end of credential caches", ""));
1554 return KRB5_CC_END;
1555 }
1556
1557 return 0;
1558 }
1559
1560 /**
1561 * End an iteration and free all resources, can be done before end is reached.
1562 *
1563 * @param context A Kerberos 5 context
1564 * @param cursor the iteration cursor to be freed.
1565 *
1566 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1567 * of iteration. See krb5_get_error_message().
1568 *
1569 * @ingroup krb5_ccache
1570 */
1571
1572 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1573 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1574 {
1575 krb5_cccol_cursor c = *cursor;
1576
1577 *cursor = NULL;
1578 if (c) {
1579 if (c->cursor)
1580 krb5_cc_cache_end_seq_get(context, c->cursor);
1581 free(c);
1582 }
1583 return 0;
1584 }
1585
1586 /**
1587 * Return the last time the credential cache was modified.
1588 *
1589 * @param context A Kerberos 5 context
1590 * @param id The credential cache to probe
1591 * @param mtime the last modification time, set to 0 on error.
1592
1593 * @return Return 0 or and error. See krb5_get_error_message().
1594 *
1595 * @ingroup krb5_ccache
1596 */
1597
1598
1599 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1600 krb5_cc_last_change_time(krb5_context context,
1601 krb5_ccache id,
1602 krb5_timestamp *mtime)
1603 {
1604 *mtime = 0;
1605 return (*id->ops->lastchange)(context, id, mtime);
1606 }
1607
1608 /**
1609 * Return the last modfication time for a cache collection. The query
1610 * can be limited to a specific cache type. If the function return 0
1611 * and mtime is 0, there was no credentials in the caches.
1612 *
1613 * @param context A Kerberos 5 context
1614 * @param type The credential cache to probe, if NULL, all type are traversed.
1615 * @param mtime the last modification time, set to 0 on error.
1616
1617 * @return Return 0 or and error. See krb5_get_error_message().
1618 *
1619 * @ingroup krb5_ccache
1620 */
1621
1622 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1623 krb5_cccol_last_change_time(krb5_context context,
1624 const char *type,
1625 krb5_timestamp *mtime)
1626 {
1627 krb5_cccol_cursor cursor;
1628 krb5_error_code ret;
1629 krb5_ccache id;
1630 krb5_timestamp t = 0;
1631
1632 *mtime = 0;
1633
1634 ret = krb5_cccol_cursor_new (context, &cursor);
1635 if (ret)
1636 return ret;
1637
1638 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1639
1640 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1641 continue;
1642
1643 ret = krb5_cc_last_change_time(context, id, &t);
1644 krb5_cc_close(context, id);
1645 if (ret)
1646 continue;
1647 if (t > *mtime)
1648 *mtime = t;
1649 }
1650
1651 krb5_cccol_cursor_free(context, &cursor);
1652
1653 return 0;
1654 }
1655 /**
1656 * Return a friendly name on credential cache. Free the result with krb5_xfree().
1657 *
1658 * @return Return an error code or 0, see krb5_get_error_message().
1659 *
1660 * @ingroup krb5_ccache
1661 */
1662
1663 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1664 krb5_cc_get_friendly_name(krb5_context context,
1665 krb5_ccache id,
1666 char **name)
1667 {
1668 krb5_error_code ret;
1669 krb5_data data;
1670
1671 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1672 if (ret) {
1673 krb5_principal principal;
1674 ret = krb5_cc_get_principal(context, id, &principal);
1675 if (ret)
1676 return ret;
1677 ret = krb5_unparse_name(context, principal, name);
1678 krb5_free_principal(context, principal);
1679 } else {
1680 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1681 krb5_data_free(&data);
1682 if (ret <= 0)
1683 ret = krb5_enomem(context);
1684 else
1685 ret = 0;
1686 }
1687
1688 return ret;
1689 }
1690
1691 /**
1692 * Set the friendly name on credential cache.
1693 *
1694 * @return Return an error code or 0, see krb5_get_error_message().
1695 *
1696 * @ingroup krb5_ccache
1697 */
1698
1699 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1700 krb5_cc_set_friendly_name(krb5_context context,
1701 krb5_ccache id,
1702 const char *name)
1703 {
1704 krb5_data data;
1705
1706 data.data = rk_UNCONST(name);
1707 data.length = strlen(name);
1708
1709 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1710 }
1711
1712 /**
1713 * Get the lifetime of the initial ticket in the cache
1714 *
1715 * Get the lifetime of the initial ticket in the cache, if the initial
1716 * ticket was not found, the error code KRB5_CC_END is returned.
1717 *
1718 * @param context A Kerberos 5 context.
1719 * @param id a credential cache
1720 * @param t the relative lifetime of the initial ticket
1721 *
1722 * @return Return an error code or 0, see krb5_get_error_message().
1723 *
1724 * @ingroup krb5_ccache
1725 */
1726
1727 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1728 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1729 {
1730 krb5_data config_start_realm;
1731 char *start_realm;
1732 krb5_cc_cursor cursor;
1733 krb5_error_code ret;
1734 krb5_creds cred;
1735 time_t now, endtime = 0;
1736
1737 *t = 0;
1738 krb5_timeofday(context, &now);
1739
1740 ret = krb5_cc_get_config(context, id, NULL, "start_realm", &config_start_realm);
1741 if (ret == 0) {
1742 start_realm = strndup(config_start_realm.data, config_start_realm.length);
1743 krb5_data_free(&config_start_realm);
1744 } else {
1745 krb5_principal client;
1746
1747 ret = krb5_cc_get_principal(context, id, &client);
1748 if (ret)
1749 return ret;
1750 start_realm = strdup(krb5_principal_get_realm(context, client));
1751 krb5_free_principal(context, client);
1752 }
1753 if (start_realm == NULL)
1754 return krb5_enomem(context);
1755
1756 ret = krb5_cc_start_seq_get(context, id, &cursor);
1757 if (ret) {
1758 free(start_realm);
1759 return ret;
1760 }
1761
1762 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1763 /**
1764 * If we find the start krbtgt in the cache, use that as the lifespan.
1765 */
1766 if (krb5_principal_is_root_krbtgt(context, cred.server) &&
1767 strcmp(cred.server->realm, start_realm) == 0) {
1768 if (now < cred.times.endtime)
1769 endtime = cred.times.endtime;
1770 krb5_free_cred_contents(context, &cred);
1771 break;
1772 }
1773 /*
1774 * Skip config entries
1775 */
1776 if (krb5_is_config_principal(context, cred.server)) {
1777 krb5_free_cred_contents(context, &cred);
1778 continue;
1779 }
1780 /**
1781 * If there was no krbtgt, use the shortest lifetime of
1782 * service tickets that have yet to expire. If all
1783 * credentials are expired, krb5_cc_get_lifetime() will fail.
1784 */
1785 if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime)
1786 endtime = cred.times.endtime;
1787 krb5_free_cred_contents(context, &cred);
1788 }
1789 free(start_realm);
1790
1791 /* if we found an endtime use that */
1792 if (endtime) {
1793 *t = endtime - now;
1794 ret = 0;
1795 }
1796
1797 krb5_cc_end_seq_get(context, id, &cursor);
1798
1799 return ret;
1800 }
1801
1802 /**
1803 * Set the time offset betwen the client and the KDC
1804 *
1805 * If the backend doesn't support KDC offset, use the context global setting.
1806 *
1807 * @param context A Kerberos 5 context.
1808 * @param id a credential cache
1809 * @param offset the offset in seconds
1810 *
1811 * @return Return an error code or 0, see krb5_get_error_message().
1812 *
1813 * @ingroup krb5_ccache
1814 */
1815
1816 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1817 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1818 {
1819 if (id->ops->set_kdc_offset == NULL) {
1820 context->kdc_sec_offset = offset;
1821 context->kdc_usec_offset = 0;
1822 return 0;
1823 }
1824 return (*id->ops->set_kdc_offset)(context, id, offset);
1825 }
1826
1827 /**
1828 * Get the time offset betwen the client and the KDC
1829 *
1830 * If the backend doesn't support KDC offset, use the context global setting.
1831 *
1832 * @param context A Kerberos 5 context.
1833 * @param id a credential cache
1834 * @param offset the offset in seconds
1835 *
1836 * @return Return an error code or 0, see krb5_get_error_message().
1837 *
1838 * @ingroup krb5_ccache
1839 */
1840
1841 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1842 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1843 {
1844 if (id->ops->get_kdc_offset == NULL) {
1845 *offset = context->kdc_sec_offset;
1846 return 0;
1847 }
1848 return (*id->ops->get_kdc_offset)(context, id, offset);
1849 }
1850
1851 #ifdef _WIN32
1852 #define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5"
1853
1854 static char *
1855 _get_default_cc_name_from_registry(krb5_context context, HKEY hkBase)
1856 {
1857 HKEY hk_k5 = 0;
1858 LONG code;
1859 char *ccname = NULL;
1860
1861 code = RegOpenKeyEx(hkBase,
1862 REGPATH_MIT_KRB5,
1863 0, KEY_READ, &hk_k5);
1864
1865 if (code != ERROR_SUCCESS)
1866 return NULL;
1867
1868 ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
1869 REG_NONE, 0);
1870
1871 RegCloseKey(hk_k5);
1872
1873 return ccname;
1874 }
1875
1876 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
1877 _krb5_get_default_cc_name_from_registry(krb5_context context)
1878 {
1879 char *ccname;
1880
1881 ccname = _get_default_cc_name_from_registry(context, HKEY_CURRENT_USER);
1882 if (ccname == NULL)
1883 ccname = _get_default_cc_name_from_registry(context,
1884 HKEY_LOCAL_MACHINE);
1885
1886 return ccname;
1887 }
1888
1889 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
1890 _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
1891 {
1892 HKEY hk_k5 = 0;
1893 LONG code;
1894 int ret = -1;
1895 char * ccname = NULL;
1896
1897 code = RegOpenKeyEx(HKEY_CURRENT_USER,
1898 REGPATH_MIT_KRB5,
1899 0, KEY_READ|KEY_WRITE, &hk_k5);
1900
1901 if (code != ERROR_SUCCESS)
1902 return -1;
1903
1904 ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id));
1905 if (ret < 0)
1906 goto cleanup;
1907
1908 ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
1909 REG_SZ, ccname, -1, 0);
1910
1911 cleanup:
1912
1913 if (ccname)
1914 free(ccname);
1915
1916 RegCloseKey(hk_k5);
1917
1918 return ret;
1919 }
1920 #endif
Heimdal