search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cf/largefile.m4: Fix build with autoconf-2.72
[heimdal.git] / lib / krb5 / cache.c
blob3f16d6996e830746736739389f86a1352aceb883
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
41 *
42 * krb5_ccache structure holds a Kerberos credential cache.
43 *
44 * Heimdal support the follow types of credential caches:
45 *
46 * - SCC
47 * Store the credential in a database
48 * - FILE
49 * Store the credential in memory
50 * - MEMORY
51 * Store the credential in memory
52 * - API
53 * A credential cache server based solution for Mac OS X
54 * - KCM
55 * A credential cache server based solution for all platforms
56 *
57 * @subsection Example
58 *
59 * This is a minimalistic version of klist:
60 @code
61 #include <krb5.h>
62
63 int
64 main (int argc, char **argv)
65 {
66 krb5_context context;
67 krb5_cc_cursor cursor;
68 krb5_error_code ret;
69 krb5_ccache id;
70 krb5_creds creds;
71
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
74
75 ret = krb5_cc_default (context, &id);
76 if (ret)
77 krb5_err(context, 1, ret, "krb5_cc_default");
78
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
80 if (ret)
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
82
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
84 char *principal;
85
86 krb5_unparse_name(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
88 free(principal);
89 krb5_free_cred_contents (context, &creds);
90 }
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
92 if (ret)
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
94
95 krb5_cc_close(context, id);
96
97 krb5_free_context(context);
98 return 0;
99 }
100 * @endcode
101 */
102
103 static const krb5_cc_ops *
104 cc_get_prefix_ops(krb5_context context,
105 const char *prefix,
106 const char **residual);
107
108 /**
109 * Add a new ccache type with operations `ops', overwriting any
110 * existing one if `override'.
111 *
112 * @param context a Kerberos context
113 * @param ops type of plugin symbol
114 * @param override flag to select if the registration is to overide
115 * an existing ops with the same name.
116 *
117 * @return Return an error code or 0, see krb5_get_error_message().
118 *
119 * @ingroup krb5_ccache
120 */
121
122 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
123 krb5_cc_register(krb5_context context,
124 const krb5_cc_ops *ops,
125 krb5_boolean override)
126 {
127 int i;
128
129 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
130 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
131 if(!override) {
132 krb5_set_error_message(context,
133 KRB5_CC_TYPE_EXISTS,
134 N_("cache type %s already exists", "type"),
135 ops->prefix);
136 return KRB5_CC_TYPE_EXISTS;
137 }
138 break;
139 }
140 }
141 if(i == context->num_cc_ops) {
142 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
143 (context->num_cc_ops + 1) *
144 sizeof(context->cc_ops[0]));
145 if(o == NULL) {
146 krb5_set_error_message(context, KRB5_CC_NOMEM,
147 N_("malloc: out of memory", ""));
148 return KRB5_CC_NOMEM;
149 }
150 context->cc_ops = o;
151 context->cc_ops[context->num_cc_ops] = NULL;
152 context->num_cc_ops++;
153 }
154 context->cc_ops[i] = ops;
155 return 0;
156 }
157
158 /*
159 * Allocate the memory for a `id' and the that function table to
160 * `ops'. Returns 0 or and error code.
161 */
162
163 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
164 _krb5_cc_allocate(krb5_context context,
165 const krb5_cc_ops *ops,
166 krb5_ccache *id)
167 {
168 krb5_ccache p;
169
170 p = calloc(1, sizeof(*p));
171 if (p == NULL) {
172 krb5_set_error_message(context, KRB5_CC_NOMEM,
173 N_("malloc: out of memory", ""));
174 return KRB5_CC_NOMEM;
175 }
176 p->ops = ops;
177 *id = p;
178
179 return 0;
180 }
181
182 /*
183 * Allocate memory for a new ccache in `id' with operations `ops'
184 * and name `residual'. Return 0 or an error code.
185 */
186
187 static krb5_error_code
188 allocate_ccache(krb5_context context,
189 const krb5_cc_ops *ops,
190 const char *residual,
191 const char *subsidiary,
192 krb5_ccache *id)
193 {
194 krb5_error_code ret = 0;
195 char *exp_residual = NULL;
196 int filepath;
197
198 filepath = (strcmp("FILE", ops->prefix) == 0
199 || strcmp("DIR", ops->prefix) == 0
200 || strcmp("SCC", ops->prefix) == 0);
201
202 if (residual)
203 ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
204 if (ret == 0)
205 ret = _krb5_cc_allocate(context, ops, id);
206
207 if (ret == 0) {
208 if ((*id)->ops->version < KRB5_CC_OPS_VERSION_5
209 || (*id)->ops->resolve_2 == NULL) {
210 ret = (*id)->ops->resolve(context, id, exp_residual);
211 } else {
212 ret = (*id)->ops->resolve_2(context, id, exp_residual, subsidiary);
213 }
214 }
215 if (ret) {
216 free(*id);
217 *id = NULL;
218 }
219 free(exp_residual);
220 return ret;
221 }
222
223
224 /**
225 * Find and allocate a ccache in `id' from the specification in `residual'.
226 * If the ccache name doesn't contain any colon, interpret it as a file name.
227 *
228 * @param context a Kerberos context.
229 * @param name string name of a credential cache.
230 * @param id return pointer to a found credential cache.
231 *
232 * @return Return 0 or an error code. In case of an error, id is set
233 * to NULL, see krb5_get_error_message().
234 *
235 * @ingroup krb5_ccache
236 */
237
238
239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
240 krb5_cc_resolve(krb5_context context,
241 const char *name,
242 krb5_ccache *id)
243 {
244 const krb5_cc_ops *ops;
245 const char *residual = NULL;
246
247 *id = NULL;
248
249 ops = cc_get_prefix_ops(context, name, &residual);
250 if (ops == NULL)
251 ops = &krb5_fcc_ops; /* residual will point to name */
252
253 return allocate_ccache(context, ops, residual, NULL, id);
254 }
255
256 #ifdef _WIN32
257 static const char *
258 get_default_cc_type_win32(krb5_context context)
259 {
260 krb5_error_code ret;
261 krb5_ccache id;
262
263 /*
264 * If the MSLSA ccache type has a principal name,
265 * use it as the default.
266 */
267 ret = krb5_cc_resolve(context, "MSLSA:", &id);
268 if (ret == 0) {
269 krb5_principal princ;
270 ret = krb5_cc_get_principal(context, id, &princ);
271 krb5_cc_close(context, id);
272 if (ret == 0) {
273 krb5_free_principal(context, princ);
274 return "MSLSA";
275 }
276 }
277
278 /*
279 * If the API: ccache can be resolved,
280 * use it as the default.
281 */
282 ret = krb5_cc_resolve(context, "API:", &id);
283 if (ret == 0) {
284 krb5_cc_close(context, id);
285 return "API";
286 }
287
288 return NULL;
289 }
290 #endif /* _WIN32 */
291
292 static const char *
293 get_default_cc_type(krb5_context context, int simple)
294 {
295 const char *def_ccname;
296 const char *def_cctype =
297 krb5_config_get_string_default(context, NULL,
298 secure_getenv("KRB5CCTYPE"),
299 "libdefaults", "default_cc_type", NULL);
300 const char *def_cccol =
301 krb5_config_get_string(context, NULL, "libdefaults",
302 "default_cc_collection", NULL);
303 const krb5_cc_ops *ops;
304
305 if (!simple && (def_ccname = krb5_cc_default_name(context))) {
306 ops = cc_get_prefix_ops(context, def_ccname, NULL);
307 if (ops)
308 return ops->prefix;
309 }
310 if (!def_cctype && def_cccol) {
311 ops = cc_get_prefix_ops(context, def_cccol, NULL);
312 if (ops)
313 return ops->prefix;
314 }
315 #ifdef _WIN32
316 if (def_cctype == NULL)
317 def_cctype = get_default_cc_type_win32(context);
318 #endif
319 if (def_cctype == NULL)
320 def_cctype = KRB5_DEFAULT_CCTYPE->prefix;
321 return def_cctype;
322 }
323
324 /**
325 * Find and allocate a ccache in `id' for the subsidiary cache named by
326 * `subsidiary' in the collection named by `collection'.
327 *
328 * @param context a Kerberos context.
329 * @param cctype string name of a credential cache collection type.
330 * @param collection string name of a credential cache collection.
331 * @param subsidiary string name of a credential cache in a collection.
332 * @param id return pointer to a found credential cache.
333 *
334 * @return Return 0 or an error code. In case of an error, id is set
335 * to NULL, see krb5_get_error_message().
336 *
337 * @ingroup krb5_ccache
338 */
339
340
341 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
342 krb5_cc_resolve_sub(krb5_context context,
343 const char *cctype,
344 const char *collection,
345 const char *subsidiary,
346 krb5_ccache *id)
347 {
348 const krb5_cc_ops *ops = NULL;
349
350 *id = NULL;
351
352 /* Get the cctype from the collection, maybe */
353 if (cctype == NULL && collection)
354 ops = cc_get_prefix_ops(context, collection, &collection);
355
356 if (ops == NULL)
357 ops = cc_get_prefix_ops(context, get_default_cc_type(context, 0), NULL);
358
359 if (ops == NULL) {
360 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
361 N_("unknown ccache type %s", ""), cctype);
362 return KRB5_CC_UNKNOWN_TYPE;
363 }
364
365 return allocate_ccache(context, ops, collection, subsidiary, id);
366 }
367
368
369 /**
370 * Find and allocate a ccache in `id' from the specification in `residual', but
371 * specific to the given principal `principal' by using the principal name as
372 * the name of a "subsidiary" credentials cache in the collection named by
373 * `name'. If the ccache name doesn't contain any colon, interpret it as a
374 * file name.
375 *
376 * @param context a Kerberos context.
377 * @param name string name of a credential cache.
378 * @param principal principal name of desired credentials.
379 * @param id return pointer to a found credential cache.
380 *
381 * @return Return 0 or an error code. In case of an error, id is set
382 * to NULL, see krb5_get_error_message().
383 *
384 * @ingroup krb5_ccache
385 */
386
387 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
388 krb5_cc_resolve_for(krb5_context context,
389 const char *cctype,
390 const char *name,
391 krb5_const_principal principal,
392 krb5_ccache *id)
393 {
394 krb5_error_code ret;
395 char *p, *s;
396
397 *id = NULL;
398
399 ret = krb5_unparse_name(context, principal, &p);
400 if (ret)
401 return ret;
402 /*
403 * Subsidiary components cannot have various chars in them that are used as
404 * separators. ':' is used for subsidiary separators in all ccache types
405 * except FILE, where '+' is used instead because we can't use ':' in file
406 * paths on Windows and because ':' is not in the POSIX safe set.
407 */
408 for (s = p; *s; s++) {
409 switch (s[0]) {
410 case ':':
411 case '+':
412 case '/':
413 case '\\':
414 s[0] = '-';
415 default: break;
416 }
417 }
418 ret = krb5_cc_resolve_sub(context, cctype, name, p, id);
419 free(p);
420 return ret;
421 }
422
423 /**
424 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
425 * the library chooses the default credential cache type. The supplied
426 * `hint' (that can be NULL) is a string that the credential cache
427 * type can use to base the name of the credential on, this is to make
428 * it easier for the user to differentiate the credentials.
429 *
430 * @return Return an error code or 0, see krb5_get_error_message().
431 *
432 * @ingroup krb5_ccache
433 */
434
435 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
436 krb5_cc_new_unique(krb5_context context, const char *type,
437 const char *hint, krb5_ccache *id)
438 {
439 const krb5_cc_ops *ops;
440 krb5_error_code ret;
441
442 if (type == NULL)
443 type = get_default_cc_type(context, 1);
444
445 ops = krb5_cc_get_prefix_ops(context, type);
446 if (ops == NULL) {
447 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
448 "Credential cache type %s is unknown", type);
449 return KRB5_CC_UNKNOWN_TYPE;
450 }
451
452 ret = _krb5_cc_allocate(context, ops, id);
453 if (ret)
454 return ret;
455 ret = (*id)->ops->gen_new(context, id);
456 if (ret) {
457 free(*id);
458 *id = NULL;
459 }
460 return ret;
461 }
462
463 /**
464 * Return the name of the ccache `id'
465 *
466 * @ingroup krb5_ccache
467 */
468
469
470 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
471 krb5_cc_get_name(krb5_context context,
472 krb5_ccache id)
473 {
474 const char *name = NULL;
475
476 if (id->ops->version < KRB5_CC_OPS_VERSION_5
477 || id->ops->get_name_2 == NULL)
478 return id->ops->get_name(context, id);
479
480 (void) id->ops->get_name_2(context, id, &name, NULL, NULL);
481 return name;
482 }
483
484 /**
485 * Return the name of the ccache collection associated with `id'
486 *
487 * @ingroup krb5_ccache
488 */
489
490
491 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
492 krb5_cc_get_collection(krb5_context context, krb5_ccache id)
493 {
494 const char *name = NULL;
495
496 if (id->ops->version < KRB5_CC_OPS_VERSION_5
497 || id->ops->get_name_2 == NULL)
498 return NULL;
499
500 (void) id->ops->get_name_2(context, id, NULL, &name, NULL);
501 return name;
502 }
503
504 /**
505 * Return the name of the subsidiary ccache of `id'
506 *
507 * @ingroup krb5_ccache
508 */
509
510
511 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
512 krb5_cc_get_subsidiary(krb5_context context, krb5_ccache id)
513 {
514 const char *name = NULL;
515
516 if (id->ops->version >= KRB5_CC_OPS_VERSION_5
517 && id->ops->get_name_2 != NULL)
518 (void) id->ops->get_name_2(context, id, NULL, NULL, &name);
519 return name;
520 }
521
522 /**
523 * Return the type of the ccache `id'.
524 *
525 * @ingroup krb5_ccache
526 */
527
528
529 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
530 krb5_cc_get_type(krb5_context context,
531 krb5_ccache id)
532 {
533 return id->ops->prefix;
534 }
535
536 /**
537 * Return the complete resolvable name the cache
538
539 * @param context a Kerberos context
540 * @param id return pointer to a found credential cache
541 * @param str the returned name of a credential cache, free with krb5_xfree()
542 *
543 * @return Returns 0 or an error (and then *str is set to NULL).
544 *
545 * @ingroup krb5_ccache
546 */
547
548
549 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
550 krb5_cc_get_full_name(krb5_context context,
551 krb5_ccache id,
552 char **str)
553 {
554 const char *type, *name;
555
556 *str = NULL;
557
558 type = krb5_cc_get_type(context, id);
559 if (type == NULL) {
560 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
561 "cache has no name of type");
562 return KRB5_CC_UNKNOWN_TYPE;
563 }
564
565 name = krb5_cc_get_name(context, id);
566 if (name == NULL) {
567 krb5_set_error_message(context, KRB5_CC_BADNAME,
568 "cache of type %s has no name", type);
569 return KRB5_CC_BADNAME;
570 }
571
572 if (asprintf(str, "%s:%s", type, name) == -1) {
573 *str = NULL;
574 return krb5_enomem(context);
575 }
576 return 0;
577 }
578
579 /**
580 * Return krb5_cc_ops of a the ccache `id'.
581 *
582 * @ingroup krb5_ccache
583 */
584
585
586 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
587 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
588 {
589 return id->ops;
590 }
591
592 /*
593 * Expand variables in `str' into `res'
594 */
595
596 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
597 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
598 {
599 int filepath;
600
601 filepath = (strncmp("FILE:", str, 5) == 0
602 || strncmp("DIR:", str, 4) == 0
603 || strncmp("SCC:", str, 4) == 0);
604
605 return _krb5_expand_path_tokens(context, str, filepath, res);
606 }
607
608 /*
609 * Return non-zero if envirnoment that will determine default krb5cc
610 * name has changed.
611 */
612
613 static int
614 environment_changed(krb5_context context)
615 {
616 const char *e;
617
618 /* if the cc name was set, don't change it */
619 if (context->default_cc_name_set)
620 return 0;
621
622 /* XXX performance: always ask KCM/API if default name has changed */
623 if (context->default_cc_name &&
624 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
625 strncmp(context->default_cc_name, "API:", 4) == 0))
626 return 1;
627
628 e = secure_getenv("KRB5CCNAME");
629 if (e == NULL) {
630 if (context->default_cc_name_env) {
631 free(context->default_cc_name_env);
632 context->default_cc_name_env = NULL;
633 return 1;
634 }
635 } else {
636 if (context->default_cc_name_env == NULL)
637 return 1;
638 if (strcmp(e, context->default_cc_name_env) != 0)
639 return 1;
640 }
641 return 0;
642 }
643
644 /**
645 * Switch the default default credential cache for a specific
646 * credcache type (and name for some implementations).
647 *
648 * @return Return an error code or 0, see krb5_get_error_message().
649 *
650 * @ingroup krb5_ccache
651 */
652
653 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
654 krb5_cc_switch(krb5_context context, krb5_ccache id)
655 {
656 #ifdef _WIN32
657 _krb5_set_default_cc_name_to_registry(context, id);
658 #endif
659
660 if (id->ops->version == KRB5_CC_OPS_VERSION_0
661 || id->ops->set_default == NULL)
662 return 0;
663
664 return (*id->ops->set_default)(context, id);
665 }
666
667 /**
668 * Return true if the default credential cache support switch
669 *
670 * @ingroup krb5_ccache
671 */
672
673 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
674 krb5_cc_support_switch(krb5_context context, const char *type)
675 {
676 const krb5_cc_ops *ops;
677
678 ops = krb5_cc_get_prefix_ops(context, type);
679 if (ops && ops->version > KRB5_CC_OPS_VERSION_0 && ops->set_default)
680 return 1;
681 return FALSE;
682 }
683
684 /**
685 * Set the default cc name for `context' to `name'.
686 *
687 * @ingroup krb5_ccache
688 */
689
690 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
691 krb5_cc_set_default_name(krb5_context context, const char *name)
692 {
693 krb5_error_code ret = 0;
694 char *p = NULL;
695
696 if (name == NULL) {
697 const char *e;
698
699 if ((e = secure_getenv("KRB5CCNAME"))) {
700 if ((p = strdup(e)) == NULL)
701 return krb5_enomem(context);
702
703 free(context->default_cc_name_env);
704 context->default_cc_name_env = p;
705
706 if ((p = strdup(e)) == NULL)
707 return krb5_enomem(context);
708
709 /*
710 * We're resetting the default ccache name. Recall that we got
711 * this from the environment, which might change.
712 */
713 context->default_cc_name_set = 0;
714 } else if ((e = krb5_cc_configured_default_name(context))) {
715 if ((p = strdup(e)) == NULL)
716 return krb5_enomem(context);
717
718 /*
719 * Since $KRB5CCNAME was not set, and since we got the default
720 * ccache name from configuration, we'll not want
721 * environment_changed() to return true to avoid re-doing the
722 * krb5_cc_configured_default_name() call unnecessarily.
723 *
724 * XXX Perhaps if we got the ccache name from the registry then
725 * we'd want to recheck it? If so we might need an indication
726 * from krb5_cc_configured_default_name() about that!
727 */
728 context->default_cc_name_set = 1;
729 }
730 } else {
731 int filepath = (strncmp("FILE:", name, 5) == 0 ||
732 strncmp("DIR:", name, 4) == 0 ||
733 strncmp("SCC:", name, 4) == 0);
734
735 ret = _krb5_expand_path_tokens(context, name, filepath, &p);
736 if (ret)
737 return ret;
738
739 /*
740 * Since the default ccache name was set explicitly, we won't want
741 * environment_changed() to return true until the default ccache name
742 * is reset.
743 */
744 context->default_cc_name_set = 1;
745 }
746
747 free(context->default_cc_name);
748 context->default_cc_name = p;
749 return 0;
750 }
751
752 /**
753 * Return a pointer to a context static string containing the default
754 * ccache name.
755 *
756 * @return String to the default credential cache name.
757 *
758 * @ingroup krb5_ccache
759 */
760
761
762 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
763 krb5_cc_default_name(krb5_context context)
764 {
765 if (context->default_cc_name == NULL || environment_changed(context))
766 krb5_cc_set_default_name(context, NULL);
767
768 return context->default_cc_name;
769 }
770
771 KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
772 krb5_cc_configured_default_name(krb5_context context)
773 {
774 krb5_error_code ret = 0;
775 #ifdef _WIN32
776 krb5_ccache id;
777 #endif
778 const char *cfg;
779 char *expanded;
780 const krb5_cc_ops *ops;
781
782 if (context->configured_default_cc_name)
783 return context->configured_default_cc_name;
784
785 #ifdef _WIN32
786 if ((expanded = _krb5_get_default_cc_name_from_registry(context)))
787 return context->configured_default_cc_name = expanded;
788 #endif
789
790 /* If there's a configured default, expand the tokens and use it */
791 cfg = krb5_config_get_string(context, NULL, "libdefaults",
792 "default_cc_name", NULL);
793 if (cfg == NULL)
794 cfg = krb5_config_get_string(context, NULL, "libdefaults",
795 "default_ccache_name", NULL);
796 if (cfg) {
797 ret = _krb5_expand_default_cc_name(context, cfg, &expanded);
798 if (ret) {
799 krb5_set_error_message(context, ret,
800 "token expansion failed for %s", cfg);
801 return NULL;
802 }
803 return context->configured_default_cc_name = expanded;
804 }
805
806 /* Else try a configured default ccache type's default */
807 cfg = get_default_cc_type(context, 1);
808 if ((ops = krb5_cc_get_prefix_ops(context, cfg)) == NULL) {
809 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
810 "unknown configured credential cache "
811 "type %s", cfg);
812 return NULL;
813 }
814
815 /* The get_default_name() method expands any tokens */
816 ret = (*ops->get_default_name)(context, &expanded);
817 if (ret) {
818 krb5_set_error_message(context, ret, "failed to find a default "
819 "ccache for default ccache type %s", cfg);
820 return NULL;
821 }
822 return context->configured_default_cc_name = expanded;
823 }
824
825 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
826 krb5_cccol_get_default_ccname(krb5_context context)
827 {
828 const char *cfg = get_default_cc_type(context, 1);
829 char *cccol_default_ccname;
830 const krb5_cc_ops *ops = krb5_cc_get_prefix_ops(context, cfg);
831
832 (void) (*ops->get_default_name)(context, &cccol_default_ccname);
833 return cccol_default_ccname;
834 }
835
836 /**
837 * Open the default ccache in `id'.
838 *
839 * @return Return an error code or 0, see krb5_get_error_message().
840 *
841 * @ingroup krb5_ccache
842 */
843
844 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
845 krb5_cc_default(krb5_context context,
846 krb5_ccache *id)
847 {
848 const char *p = krb5_cc_default_name(context);
849
850 *id = NULL;
851 if (p == NULL)
852 return krb5_enomem(context);
853 return krb5_cc_resolve(context, p, id);
854 }
855
856 /**
857 * Open the named subsidiary cache from the default ccache collection in `id'.
858 *
859 * @return Return an error code or 0, see krb5_get_error_message().
860 *
861 * @ingroup krb5_ccache
862 */
863
864 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
865 krb5_cc_default_sub(krb5_context context,
866 const char *subsidiary,
867 krb5_ccache *id)
868 {
869 return krb5_cc_resolve_sub(context, get_default_cc_type(context, 0), NULL,
870 subsidiary, id);
871 }
872
873 /**
874 * Open the default ccache in `id' that corresponds to the given principal.
875 *
876 * @return Return an error code or 0, see krb5_get_error_message().
877 *
878 * @ingroup krb5_ccache
879 */
880
881 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
882 krb5_cc_default_for(krb5_context context,
883 krb5_const_principal principal,
884 krb5_ccache *id)
885 {
886 return krb5_cc_resolve_for(context, get_default_cc_type(context, 0), NULL,
887 principal, id);
888 }
889
890 /**
891 * Create a new ccache in `id' for `primary_principal'.
892 *
893 * @return Return an error code or 0, see krb5_get_error_message().
894 *
895 * @ingroup krb5_ccache
896 */
897
898
899 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
900 krb5_cc_initialize(krb5_context context,
901 krb5_ccache id,
902 krb5_principal primary_principal)
903 {
904 krb5_error_code ret;
905
906 ret = (*id->ops->init)(context, id, primary_principal);
907 if (ret == 0) {
908 id->cc_kx509_done = 0;
909 id->cc_initialized = 1;
910 id->cc_need_start_realm = 1;
911 id->cc_start_tgt_stored = 0;
912 }
913 return ret;
914 }
915
916
917 /**
918 * Remove the ccache `id'.
919 *
920 * @return Return an error code or 0, see krb5_get_error_message().
921 *
922 * @ingroup krb5_ccache
923 */
924
925
926 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
927 krb5_cc_destroy(krb5_context context,
928 krb5_ccache id)
929 {
930 krb5_error_code ret2 = 0;
931 krb5_error_code ret;
932 krb5_data d;
933
934 /*
935 * Destroy associated hx509 PKIX credential store created by krb5_kx509*().
936 */
937 if (krb5_cc_get_config(context, id, NULL, "kx509store", &d) == 0) {
938 char *name;
939
940 if ((name = strndup(d.data, d.length)) == NULL) {
941 ret2 = krb5_enomem(context);
942 } else {
943 hx509_certs certs;
944 ret = hx509_certs_init(context->hx509ctx, name, 0, NULL, &certs);
945 if (ret == 0)
946 ret2 = hx509_certs_destroy(context->hx509ctx, &certs);
947 else
948 hx509_certs_free(&certs);
949 free(name);
950 }
951 }
952
953 ret = (*id->ops->destroy)(context, id);
954 (void) krb5_cc_close(context, id);
955 return ret ? ret : ret2;
956 }
957
958 /**
959 * Stop using the ccache `id' and free the related resources.
960 *
961 * @return Return an error code or 0, see krb5_get_error_message().
962 *
963 * @ingroup krb5_ccache
964 */
965
966
967 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
968 krb5_cc_close(krb5_context context,
969 krb5_ccache id)
970 {
971 krb5_error_code ret;
972
973 if (!id)
974 return 0;
975
976 /*
977 * We want to automatically acquire a PKIX credential using kx509.
978 *
979 * This can be slow if we're generating an RSA key. Plus it means talking
980 * to the KDC.
981 *
982 * We only want to do this when:
983 *
984 * - krb5_cc_initialize() was called on this ccache handle,
985 * - a start TGT was stored (actually, a cross-realm TGT would do),
986 *
987 * and
988 *
989 * - we aren't creating a gss_cred_id_t for a delegated credential.
990 *
991 * We only have a heuristic for the last condition: that `id' is not a
992 * MEMORY ccache, which is what's used for delegated credentials.
993 *
994 * We really only want to do this when storing a credential in a user's
995 * default ccache, but we leave it to krb5_kx509() to do that check.
996 *
997 * XXX Perhaps we should do what krb5_kx509() does here, and just call
998 * krb5_kx509_ext() (renamed to krb5_kx509()). Then we wouldn't need
999 * the delegated cred handle heuristic.
1000 */
1001 if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done &&
1002 strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
1003 krb5_boolean enabled;
1004
1005 krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
1006 &enabled);
1007 if (enabled) {
1008 _krb5_debug(context, 2, "attempting to fetch a certificate using "
1009 "kx509");
1010 ret = krb5_kx509(context, id, NULL);
1011 if (ret)
1012 _krb5_debug(context, 2, "failed to fetch a certificate");
1013 else
1014 _krb5_debug(context, 2, "fetched a certificate");
1015 }
1016 }
1017
1018 ret = (*id->ops->close)(context, id);
1019 free(id);
1020 return ret;
1021 }
1022
1023 /**
1024 * Store `creds' in the ccache `id'.
1025 *
1026 * @return Return an error code or 0, see krb5_get_error_message().
1027 *
1028 * @ingroup krb5_ccache
1029 */
1030
1031
1032 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1033 krb5_cc_store_cred(krb5_context context,
1034 krb5_ccache id,
1035 krb5_creds *creds)
1036 {
1037 krb5_error_code ret;
1038 krb5_data realm;
1039 const char *cfg = "";
1040
1041 /* Automatic cc_config-setting and other actions */
1042 if (krb5_principal_get_num_comp(context, creds->server) > 1 &&
1043 krb5_is_config_principal(context, creds->server))
1044 cfg = krb5_principal_get_comp_string(context, creds->server, 1);
1045
1046 if (id->cc_initialized && !id->cc_need_start_realm &&
1047 strcmp(cfg, "start_realm") == 0)
1048 return 0;
1049
1050 ret = (*id->ops->store)(context, id, creds);
1051 if (ret)
1052 return ret;
1053
1054 if (id->cc_initialized && !id->cc_start_tgt_stored &&
1055 id->cc_need_start_realm &&
1056 krb5_principal_is_root_krbtgt(context, creds->server)) {
1057 /* Mark the first root TGT's realm as the start realm */
1058 id->cc_start_tgt_stored = 1;
1059 realm.length = strlen(creds->server->realm);
1060 realm.data = creds->server->realm;
1061 (void) krb5_cc_set_config(context, id, NULL, "start_realm", &realm);
1062 id->cc_need_start_realm = 0;
1063 } else if (id->cc_initialized && id->cc_start_tgt_stored &&
1064 !id->cc_kx509_done && strcmp(cfg, "kx509cert") == 0) {
1065 /*
1066 * Do not attempt kx509 at cc close time -- we're copying a ccache and
1067 * we've already got a cert (and private key).
1068 */
1069 id->cc_kx509_done = 1;
1070 } else if (id->cc_initialized && id->cc_start_tgt_stored &&
1071 !id->cc_kx509_done && strcmp(cfg, "kx509_service_status") == 0) {
1072 /*
1073 * Do not attempt kx509 at cc close time -- we're copying a ccache and
1074 * we know the kx509 service is not available.
1075 */
1076 id->cc_kx509_done = 1;
1077 } else if (id->cc_initialized && strcmp(cfg, "start_realm") == 0) {
1078 /*
1079 * If the caller is storing a start_realm ccconfig, then stop looking
1080 * for root TGTs to mark as the start_realm.
1081 *
1082 * By honoring any start_realm cc config stored, we interop both, with
1083 * ccache implementations that don't preserve insertion order, and
1084 * Kerberos implementations that store this cc config before the TGT.
1085 */
1086 id->cc_need_start_realm = 0;
1087 }
1088 return ret;
1089 }
1090
1091 /**
1092 * Retrieve the credential identified by `mcreds' (and `whichfields')
1093 * from `id' in `creds'. 'creds' must be free by the caller using
1094 * krb5_free_cred_contents.
1095 *
1096 * @param context A Kerberos 5 context
1097 * @param id a Kerberos 5 credential cache
1098 * @param whichfields what fields to use for matching credentials, same
1099 * flags as whichfields in krb5_compare_creds()
1100 * @param mcreds template credential to use for comparing
1101 * @param creds returned credential, free with krb5_free_cred_contents()
1102 *
1103 * @return Return an error code or 0, see krb5_get_error_message().
1104 *
1105 * @ingroup krb5_ccache
1106 */
1107
1108
1109 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1110 krb5_cc_retrieve_cred(krb5_context context,
1111 krb5_ccache id,
1112 krb5_flags whichfields,
1113 const krb5_creds *mcreds,
1114 krb5_creds *creds)
1115 {
1116 krb5_error_code ret;
1117 krb5_cc_cursor cursor;
1118
1119 if (id->ops->retrieve != NULL) {
1120 return (*id->ops->retrieve)(context, id, whichfields,
1121 mcreds, creds);
1122 }
1123
1124 ret = krb5_cc_start_seq_get(context, id, &cursor);
1125 if (ret)
1126 return ret;
1127 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
1128 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
1129 ret = 0;
1130 break;
1131 }
1132 krb5_free_cred_contents (context, creds);
1133 }
1134 krb5_cc_end_seq_get(context, id, &cursor);
1135 return ret;
1136 }
1137
1138 /**
1139 * Return the principal of `id' in `principal'.
1140 *
1141 * @return Return an error code or 0, see krb5_get_error_message().
1142 *
1143 * @ingroup krb5_ccache
1144 */
1145
1146
1147 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1148 krb5_cc_get_principal(krb5_context context,
1149 krb5_ccache id,
1150 krb5_principal *principal)
1151 {
1152 return (*id->ops->get_princ)(context, id, principal);
1153 }
1154
1155 /**
1156 * Start iterating over `id', `cursor' is initialized to the
1157 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
1158 *
1159 * @return Return an error code or 0, see krb5_get_error_message().
1160 *
1161 * @ingroup krb5_ccache
1162 */
1163
1164
1165 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1166 krb5_cc_start_seq_get (krb5_context context,
1167 const krb5_ccache id,
1168 krb5_cc_cursor *cursor)
1169 {
1170 return (*id->ops->get_first)(context, id, cursor);
1171 }
1172
1173 /**
1174 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
1175 * and advance `cursor'.
1176 *
1177 * @return Return an error code or 0, see krb5_get_error_message().
1178 *
1179 * @ingroup krb5_ccache
1180 */
1181
1182
1183 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1184 krb5_cc_next_cred (krb5_context context,
1185 const krb5_ccache id,
1186 krb5_cc_cursor *cursor,
1187 krb5_creds *creds)
1188 {
1189 return (*id->ops->get_next)(context, id, cursor, creds);
1190 }
1191
1192 /**
1193 * Destroy the cursor `cursor'.
1194 *
1195 * @ingroup krb5_ccache
1196 */
1197
1198
1199 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1200 krb5_cc_end_seq_get (krb5_context context,
1201 const krb5_ccache id,
1202 krb5_cc_cursor *cursor)
1203 {
1204 return (*id->ops->end_get)(context, id, cursor);
1205 }
1206
1207 /**
1208 * Remove the credential identified by `cred', `which' from `id'.
1209 *
1210 * @ingroup krb5_ccache
1211 */
1212
1213
1214 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1215 krb5_cc_remove_cred(krb5_context context,
1216 krb5_ccache id,
1217 krb5_flags which,
1218 krb5_creds *cred)
1219 {
1220 if(id->ops->remove_cred == NULL) {
1221 krb5_set_error_message(context,
1222 EACCES,
1223 "ccache %s does not support remove_cred",
1224 id->ops->prefix);
1225 return EACCES; /* XXX */
1226 }
1227 return (*id->ops->remove_cred)(context, id, which, cred);
1228 }
1229
1230 /**
1231 * Set the flags of `id' to `flags'.
1232 *
1233 * @ingroup krb5_ccache
1234 */
1235
1236
1237 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1238 krb5_cc_set_flags(krb5_context context,
1239 krb5_ccache id,
1240 krb5_flags flags)
1241 {
1242 return (*id->ops->set_flags)(context, id, flags);
1243 }
1244
1245 /**
1246 * Get the flags of `id', store them in `flags'.
1247 *
1248 * @ingroup krb5_ccache
1249 */
1250
1251 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1252 krb5_cc_get_flags(krb5_context context,
1253 krb5_ccache id,
1254 krb5_flags *flags)
1255 {
1256 *flags = 0;
1257 return 0;
1258 }
1259
1260 /**
1261 * Copy the contents of `from' to `to' if the given match function
1262 * return true.
1263 *
1264 * @param context A Kerberos 5 context.
1265 * @param from the cache to copy data from.
1266 * @param to the cache to copy data to.
1267 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
1268 * @param matchctx context passed to match function.
1269 * @param matched set to true if there was a credential that matched, may be NULL.
1270 *
1271 * @return Return an error code or 0, see krb5_get_error_message().
1272 *
1273 * @ingroup krb5_ccache
1274 */
1275
1276 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1277 krb5_cc_copy_match_f(krb5_context context,
1278 const krb5_ccache from,
1279 krb5_ccache to,
1280 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
1281 void *matchctx,
1282 unsigned int *matched)
1283 {
1284 krb5_error_code ret;
1285 krb5_cc_cursor cursor;
1286 krb5_creds cred;
1287 krb5_principal princ;
1288
1289 if (matched)
1290 *matched = 0;
1291
1292 ret = krb5_cc_get_principal(context, from, &princ);
1293 if (ret)
1294 return ret;
1295 ret = krb5_cc_initialize(context, to, princ);
1296 if (ret) {
1297 krb5_free_principal(context, princ);
1298 return ret;
1299 }
1300 ret = krb5_cc_start_seq_get(context, from, &cursor);
1301 if (ret) {
1302 krb5_free_principal(context, princ);
1303 return ret;
1304 }
1305
1306 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
1307 if (match == NULL || (*match)(context, matchctx, &cred)) {
1308 if (matched)
1309 (*matched)++;
1310 ret = krb5_cc_store_cred(context, to, &cred);
1311 if (ret)
1312 break;
1313 }
1314 krb5_free_cred_contents(context, &cred);
1315 }
1316 krb5_cc_end_seq_get(context, from, &cursor);
1317 krb5_free_principal(context, princ);
1318 if (ret == KRB5_CC_END)
1319 ret = 0;
1320 return ret;
1321 }
1322
1323 /**
1324 * Just like krb5_cc_copy_match_f(), but copy everything.
1325 *
1326 * @ingroup @krb5_ccache
1327 */
1328
1329 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1330 krb5_cc_copy_cache(krb5_context context,
1331 const krb5_ccache from,
1332 krb5_ccache to)
1333 {
1334 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
1335 }
1336
1337 /**
1338 * Return the version of `id'.
1339 *
1340 * @ingroup krb5_ccache
1341 */
1342
1343
1344 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1345 krb5_cc_get_version(krb5_context context,
1346 const krb5_ccache id)
1347 {
1348 if(id->ops->get_version)
1349 return (*id->ops->get_version)(context, id);
1350 else
1351 return 0;
1352 }
1353
1354 /**
1355 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
1356 *
1357 * @ingroup krb5_ccache
1358 */
1359
1360
1361 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1362 krb5_cc_clear_mcred(krb5_creds *mcred)
1363 {
1364 memset(mcred, 0, sizeof(*mcred));
1365 }
1366
1367 /**
1368 * Get the cc ops that is registered in `context' to handle the
1369 * prefix. prefix can be a complete credential cache name or a
1370 * prefix, the function will only use part up to the first colon (:)
1371 * if there is one. If prefix the argument is NULL, the default ccache
1372 * implemtation is returned.
1373 *
1374 * @return Returns NULL if ops not found.
1375 *
1376 * @ingroup krb5_ccache
1377 */
1378
1379
1380 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
1381 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
1382 {
1383 return cc_get_prefix_ops(context, prefix, NULL);
1384 }
1385
1386 /**
1387 * Get the cc ops that is registered in `context' to handle the
1388 * prefix. prefix can be a complete credential cache name or a
1389 * prefix, the function will only use part up to the first colon (:)
1390 * if there is one. If prefix the argument is NULL, the default ccache
1391 * implementation is returned.
1392 *
1393 * If residual is non-NULL, it is set to the residual component of
1394 * prefix (if present) or the prefix itself.
1395 *
1396 * @return Returns NULL if ops not found.
1397 *
1398 * @ingroup krb5_ccache
1399 */
1400
1401
1402 static const krb5_cc_ops *
1403 cc_get_prefix_ops(krb5_context context,
1404 const char *prefix,
1405 const char **residual)
1406 {
1407 int i;
1408
1409 if (residual)
1410 *residual = prefix;
1411
1412 if (prefix == NULL)
1413 return KRB5_DEFAULT_CCTYPE;
1414
1415 /* Is absolute path? Or UNC path? */
1416 if (ISPATHSEP(prefix[0]))
1417 return &krb5_fcc_ops;
1418
1419 #ifdef _WIN32
1420 /* Is drive letter? */
1421 if (isalpha((unsigned char)prefix[0]) && prefix[1] == ':')
1422 return &krb5_fcc_ops;
1423 #endif
1424
1425 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
1426 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
1427
1428 if (strncmp(context->cc_ops[i]->prefix, prefix, prefix_len) == 0 &&
1429 (prefix[prefix_len] == ':' || prefix[prefix_len] == '\0')) {
1430 if (residual) {
1431 if (prefix[prefix_len] == ':' && prefix[prefix_len + 1] != '\0')
1432 *residual = &prefix[prefix_len + 1];
1433 else
1434 *residual = NULL;
1435 }
1436
1437 return context->cc_ops[i];
1438 }
1439 }
1440
1441 return NULL;
1442 }
1443
1444 struct krb5_cc_cache_cursor_data {
1445 const krb5_cc_ops *ops;
1446 krb5_cc_cursor cursor;
1447 };
1448
1449 /**
1450 * Start iterating over all caches of specified type. See also
1451 * krb5_cccol_cursor_new().
1452
1453 * @param context A Kerberos 5 context
1454 * @param type optional type to iterate over, if NULL, the default cache is used.
1455 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1456 *
1457 * @return Return an error code or 0, see krb5_get_error_message().
1458 *
1459 * @ingroup krb5_ccache
1460 */
1461
1462
1463 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1464 krb5_cc_cache_get_first (krb5_context context,
1465 const char *type,
1466 krb5_cc_cache_cursor *cursor)
1467 {
1468 const krb5_cc_ops *ops;
1469 krb5_error_code ret;
1470
1471 if (type == NULL)
1472 type = krb5_cc_default_name(context);
1473
1474 ops = krb5_cc_get_prefix_ops(context, type);
1475 if (ops == NULL) {
1476 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1477 "Unknown type \"%s\" when iterating "
1478 "trying to iterate the credential caches", type);
1479 return KRB5_CC_UNKNOWN_TYPE;
1480 }
1481
1482 if (ops->get_cache_first == NULL) {
1483 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1484 N_("Credential cache type %s doesn't support "
1485 "iterations over caches", "type"),
1486 ops->prefix);
1487 return KRB5_CC_NOSUPP;
1488 }
1489
1490 *cursor = calloc(1, sizeof(**cursor));
1491 if (*cursor == NULL)
1492 return krb5_enomem(context);
1493
1494 (*cursor)->ops = ops;
1495
1496 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1497 if (ret) {
1498 free(*cursor);
1499 *cursor = NULL;
1500 }
1501 return ret;
1502 }
1503
1504 /**
1505 * Retrieve the next cache pointed to by (`cursor') in `id'
1506 * and advance `cursor'.
1507 *
1508 * @param context A Kerberos 5 context
1509 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1510 * @param id next ccache
1511 *
1512 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1513 * of caches is reached, see krb5_get_error_message().
1514 *
1515 * @ingroup krb5_ccache
1516 */
1517
1518
1519 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1520 krb5_cc_cache_next (krb5_context context,
1521 krb5_cc_cache_cursor cursor,
1522 krb5_ccache *id)
1523 {
1524 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1525 }
1526
1527 /**
1528 * Destroy the cursor `cursor'.
1529 *
1530 * @return Return an error code or 0, see krb5_get_error_message().
1531 *
1532 * @ingroup krb5_ccache
1533 */
1534
1535
1536 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1537 krb5_cc_cache_end_seq_get (krb5_context context,
1538 krb5_cc_cache_cursor cursor)
1539 {
1540 krb5_error_code ret;
1541 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1542 cursor->ops = NULL;
1543 free(cursor);
1544 return ret;
1545 }
1546
1547 /**
1548 * Search for a matching credential cache that have the
1549 * `principal' as the default principal. On success, `id' needs to be
1550 * freed with krb5_cc_close() or krb5_cc_destroy().
1551 *
1552 * @param context A Kerberos 5 context
1553 * @param client The principal to search for
1554 * @param id the returned credential cache
1555 *
1556 * @return On failure, error code is returned and `id' is set to NULL.
1557 *
1558 * @ingroup krb5_ccache
1559 */
1560
1561
1562 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1563 krb5_cc_cache_match (krb5_context context,
1564 krb5_principal client,
1565 krb5_ccache *id)
1566 {
1567 krb5_cccol_cursor cursor;
1568 krb5_error_code ret;
1569 krb5_ccache cache = NULL;
1570 krb5_ccache expired_match = NULL;
1571
1572 *id = NULL;
1573
1574 ret = krb5_cccol_cursor_new (context, &cursor);
1575 if (ret)
1576 return ret;
1577
1578 while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) {
1579 krb5_principal principal;
1580 krb5_boolean match;
1581 time_t lifetime;
1582
1583 ret = krb5_cc_get_principal(context, cache, &principal);
1584 if (ret)
1585 goto next;
1586
1587 if (client->name.name_string.len == 0)
1588 match = (strcmp(client->realm, principal->realm) == 0);
1589 else
1590 match = krb5_principal_compare(context, principal, client);
1591 krb5_free_principal(context, principal);
1592
1593 if (!match)
1594 goto next;
1595
1596 if (expired_match == NULL &&
1597 (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) {
1598 expired_match = cache;
1599 cache = NULL;
1600 goto next;
1601 }
1602 break;
1603
1604 next:
1605 if (cache)
1606 krb5_cc_close(context, cache);
1607 cache = NULL;
1608 }
1609
1610 krb5_cccol_cursor_free(context, &cursor);
1611
1612 if (cache == NULL && expired_match) {
1613 cache = expired_match;
1614 expired_match = NULL;
1615 } else if (expired_match) {
1616 krb5_cc_close(context, expired_match);
1617 } else if (cache == NULL) {
1618 char *str;
1619
1620 (void) krb5_unparse_name(context, client, &str);
1621 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1622 N_("Principal %s not found in any "
1623 "credential cache", ""),
1624 str ? str : "<out of memory>");
1625 if (str)
1626 free(str);
1627 return KRB5_CC_NOTFOUND;
1628 }
1629
1630 *id = cache;
1631
1632 return 0;
1633 }
1634
1635 /**
1636 * Move the content from one credential cache to another. The
1637 * operation is an atomic switch.
1638 *
1639 * @param context a Kerberos context
1640 * @param from the credential cache to move the content from
1641 * @param to the credential cache to move the content to
1642
1643 * @return On sucess, from is destroyed and closed. On failure, error code is
1644 * returned and from and to are both still allocated; see
1645 * krb5_get_error_message().
1646 *
1647 * @ingroup krb5_ccache
1648 */
1649
1650 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1651 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1652 {
1653 krb5_error_code ret = ENOTSUP;
1654 krb5_principal princ = NULL;
1655
1656 if (to->ops->move &&
1657 strcmp(from->ops->prefix, to->ops->prefix) == 0) {
1658 /*
1659 * NOTE: to->ops->move() is expected to call
1660 * krb5_cc_destroy(context, from) on success.
1661 */
1662 ret = (*to->ops->move)(context, from, to);
1663 if (ret == 0)
1664 return 0;
1665 if (ret != EXDEV && ret != ENOTSUP && ret != KRB5_CC_NOSUPP &&
1666 ret != KRB5_FCC_INTERNAL)
1667 return ret;
1668 /* Fallback to high-level copy */
1669 } /* Else high-level copy */
1670
1671 /*
1672 * Initialize destination, copy the source's contents to the destination,
1673 * then destroy the source on success.
1674 *
1675 * It'd be nice if we could destroy any half-built destination if the copy
1676 * fails, but the interface is not documented as doing so.
1677 */
1678 ret = krb5_cc_get_principal(context, from, &princ);
1679 if (ret == 0)
1680 ret = krb5_cc_initialize(context, to, princ);
1681 krb5_free_principal(context, princ);
1682 if (ret == 0)
1683 ret = krb5_cc_copy_cache(context, from, to);
1684 if (ret == 0)
1685 krb5_cc_destroy(context, from);
1686 return ret;
1687 }
1688
1689 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1690 #define KRB5_REALM_NAME "X-CACHECONF:"
1691
1692 static krb5_error_code
1693 build_conf_principals(krb5_context context, krb5_ccache id,
1694 krb5_const_principal principal,
1695 const char *name, krb5_creds *cred)
1696 {
1697 krb5_principal client;
1698 krb5_error_code ret;
1699 char *pname = NULL;
1700
1701 memset(cred, 0, sizeof(*cred));
1702
1703 ret = krb5_cc_get_principal(context, id, &client);
1704 if (ret)
1705 return ret;
1706
1707 if (principal) {
1708 ret = krb5_unparse_name(context, principal, &pname);
1709 if (ret)
1710 return ret;
1711 }
1712
1713 ret = krb5_make_principal(context, &cred->server,
1714 KRB5_REALM_NAME,
1715 KRB5_CONF_NAME, name, pname, NULL);
1716 free(pname);
1717 if (ret) {
1718 krb5_free_principal(context, client);
1719 return ret;
1720 }
1721 ret = krb5_copy_principal(context, client, &cred->client);
1722 krb5_free_principal(context, client);
1723 return ret;
1724 }
1725
1726 /**
1727 * Return TRUE (non zero) if the principal is a configuration
1728 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1729 * (zero) if not a configuration principal.
1730 *
1731 * @param context a Kerberos context
1732 * @param principal principal to check if it a configuration principal
1733 *
1734 * @ingroup krb5_ccache
1735 */
1736
1737 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1738 krb5_is_config_principal(krb5_context context,
1739 krb5_const_principal principal)
1740 {
1741 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1742 return FALSE;
1743
1744 if (principal->name.name_string.len == 0 ||
1745 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1746 return FALSE;
1747
1748 return TRUE;
1749 }
1750
1751 /**
1752 * Store some configuration for the credential cache in the cache.
1753 * Existing configuration under the same name is over-written.
1754 *
1755 * @param context a Kerberos context
1756 * @param id the credential cache to store the data for
1757 * @param principal configuration for a specific principal, if
1758 * NULL, global for the whole cache.
1759 * @param name name under which the configuraion is stored.
1760 * @param data data to store, if NULL, configure is removed.
1761 *
1762 * @ingroup krb5_ccache
1763 */
1764
1765 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1766 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1767 krb5_const_principal principal,
1768 const char *name, krb5_data *data)
1769 {
1770 krb5_error_code ret;
1771 krb5_creds cred;
1772
1773 ret = build_conf_principals(context, id, principal, name, &cred);
1774 if (ret)
1775 goto out;
1776
1777 /* Remove old configuration */
1778 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1779 if (ret && ret != KRB5_CC_NOTFOUND && ret != KRB5_CC_NOSUPP &&
1780 ret != KRB5_FCC_INTERNAL)
1781 goto out;
1782
1783 if (data) {
1784 /* not that anyone care when this expire */
1785 cred.times.authtime = time(NULL);
1786 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1787
1788 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1789 if (ret)
1790 goto out;
1791
1792 ret = krb5_cc_store_cred(context, id, &cred);
1793 }
1794
1795 out:
1796 krb5_free_cred_contents (context, &cred);
1797 return ret;
1798 }
1799
1800 /**
1801 * Get some configuration for the credential cache in the cache.
1802 *
1803 * @param context a Kerberos context
1804 * @param id the credential cache to store the data for
1805 * @param principal configuration for a specific principal, if
1806 * NULL, global for the whole cache.
1807 * @param name name under which the configuraion is stored.
1808 * @param data data to fetched, free with krb5_data_free()
1809 * @return 0 on success, KRB5_CC_NOTFOUND or KRB5_CC_END if not found,
1810 * or other system error.
1811 *
1812 * @ingroup krb5_ccache
1813 */
1814
1815
1816 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1817 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1818 krb5_const_principal principal,
1819 const char *name, krb5_data *data)
1820 {
1821 krb5_creds mcred, cred;
1822 krb5_error_code ret;
1823
1824 memset(&cred, 0, sizeof(cred));
1825 krb5_data_zero(data);
1826
1827 ret = build_conf_principals(context, id, principal, name, &mcred);
1828 if (ret)
1829 goto out;
1830
1831 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1832 if (ret)
1833 goto out;
1834
1835 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1836
1837 out:
1838 krb5_free_cred_contents (context, &cred);
1839 krb5_free_cred_contents (context, &mcred);
1840 return ret;
1841 }
1842
1843 /*
1844 *
1845 */
1846
1847 struct krb5_cccol_cursor_data {
1848 int idx;
1849 krb5_cc_cache_cursor cursor;
1850 };
1851
1852 /**
1853 * Get a new cache interation cursor that will interate over all
1854 * credentials caches independent of type.
1855 *
1856 * @param context a Kerberos context
1857 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1858 *
1859 * @return Returns 0 or and error code, see krb5_get_error_message().
1860 *
1861 * @ingroup krb5_ccache
1862 */
1863
1864 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1865 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1866 {
1867 *cursor = calloc(1, sizeof(**cursor));
1868 if (*cursor == NULL)
1869 return krb5_enomem(context);
1870 (*cursor)->idx = 0;
1871 (*cursor)->cursor = NULL;
1872
1873 return 0;
1874 }
1875
1876 /**
1877 * Get next credential cache from the iteration.
1878 *
1879 * @param context A Kerberos 5 context
1880 * @param cursor the iteration cursor
1881 * @param cache the returned cursor, pointer is set to NULL on failure
1882 * and a cache on success. The returned cache needs to be freed
1883 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1884 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1885 * when all caches are iterated over and return 0.
1886 *
1887 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1888 * of iteration. See krb5_get_error_message().
1889 *
1890 * @ingroup krb5_ccache
1891 */
1892
1893
1894 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1895 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1896 krb5_ccache *cache)
1897 {
1898 krb5_error_code ret = 0;
1899
1900 *cache = NULL;
1901
1902 while (cursor->idx < context->num_cc_ops) {
1903
1904 if (cursor->cursor == NULL) {
1905 ret = krb5_cc_cache_get_first (context,
1906 context->cc_ops[cursor->idx]->prefix,
1907 &cursor->cursor);
1908 if (ret) {
1909 cursor->idx++;
1910 continue;
1911 }
1912 }
1913 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1914 if (ret == 0)
1915 break;
1916
1917 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1918 cursor->cursor = NULL;
1919 if (ret != KRB5_CC_END)
1920 break;
1921
1922 cursor->idx++;
1923 }
1924 if (cursor->idx >= context->num_cc_ops) {
1925 krb5_set_error_message(context, KRB5_CC_END,
1926 N_("Reached end of credential caches", ""));
1927 return KRB5_CC_END;
1928 }
1929
1930 return ret;
1931 }
1932
1933 /**
1934 * End an iteration and free all resources, can be done before end is reached.
1935 *
1936 * @param context A Kerberos 5 context
1937 * @param cursor the iteration cursor to be freed.
1938 *
1939 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1940 * of iteration. See krb5_get_error_message().
1941 *
1942 * @ingroup krb5_ccache
1943 */
1944
1945 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1946 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1947 {
1948 krb5_cccol_cursor c = *cursor;
1949
1950 *cursor = NULL;
1951 if (c) {
1952 if (c->cursor)
1953 krb5_cc_cache_end_seq_get(context, c->cursor);
1954 free(c);
1955 }
1956 return 0;
1957 }
1958
1959 /**
1960 * Return the last time the credential cache was modified.
1961 *
1962 * @param context A Kerberos 5 context
1963 * @param id The credential cache to probe
1964 * @param mtime the last modification time, set to 0 on error.
1965
1966 * @return Return 0 or and error. See krb5_get_error_message().
1967 *
1968 * @ingroup krb5_ccache
1969 */
1970
1971
1972 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1973 krb5_cc_last_change_time(krb5_context context,
1974 krb5_ccache id,
1975 krb5_timestamp *mtime)
1976 {
1977 *mtime = 0;
1978
1979 if (id->ops->version < KRB5_CC_OPS_VERSION_2
1980 || id->ops->lastchange == NULL)
1981 return KRB5_CC_NOSUPP;
1982
1983 return (*id->ops->lastchange)(context, id, mtime);
1984 }
1985
1986 /**
1987 * Return the last modfication time for a cache collection. The query
1988 * can be limited to a specific cache type. If the function return 0
1989 * and mtime is 0, there was no credentials in the caches.
1990 *
1991 * @param context A Kerberos 5 context
1992 * @param type The credential cache to probe, if NULL, all type are traversed.
1993 * @param mtime the last modification time, set to 0 on error.
1994
1995 * @return Return 0 or and error. See krb5_get_error_message().
1996 *
1997 * @ingroup krb5_ccache
1998 */
1999
2000 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2001 krb5_cccol_last_change_time(krb5_context context,
2002 const char *type,
2003 krb5_timestamp *mtime)
2004 {
2005 krb5_cccol_cursor cursor;
2006 krb5_error_code ret;
2007 krb5_ccache id;
2008 krb5_timestamp t = 0;
2009
2010 *mtime = 0;
2011
2012 ret = krb5_cccol_cursor_new (context, &cursor);
2013 if (ret)
2014 return ret;
2015
2016 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
2017
2018 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
2019 continue;
2020
2021 ret = krb5_cc_last_change_time(context, id, &t);
2022 krb5_cc_close(context, id);
2023 if (ret)
2024 continue;
2025 if (t > *mtime)
2026 *mtime = t;
2027 }
2028
2029 krb5_cccol_cursor_free(context, &cursor);
2030
2031 return 0;
2032 }
2033 /**
2034 * Return a friendly name on credential cache. Free the result with krb5_xfree().
2035 *
2036 * @return Return an error code or 0, see krb5_get_error_message().
2037 *
2038 * @ingroup krb5_ccache
2039 */
2040
2041 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2042 krb5_cc_get_friendly_name(krb5_context context,
2043 krb5_ccache id,
2044 char **name)
2045 {
2046 krb5_error_code ret;
2047 krb5_data data;
2048
2049 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
2050 if (ret) {
2051 krb5_principal principal;
2052 ret = krb5_cc_get_principal(context, id, &principal);
2053 if (ret)
2054 return ret;
2055 ret = krb5_unparse_name(context, principal, name);
2056 krb5_free_principal(context, principal);
2057 } else {
2058 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
2059 krb5_data_free(&data);
2060 if (ret <= 0)
2061 ret = krb5_enomem(context);
2062 else
2063 ret = 0;
2064 }
2065
2066 return ret;
2067 }
2068
2069 /**
2070 * Set the friendly name on credential cache.
2071 *
2072 * @return Return an error code or 0, see krb5_get_error_message().
2073 *
2074 * @ingroup krb5_ccache
2075 */
2076
2077 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2078 krb5_cc_set_friendly_name(krb5_context context,
2079 krb5_ccache id,
2080 const char *name)
2081 {
2082 krb5_data data;
2083
2084 data.data = rk_UNCONST(name);
2085 data.length = strlen(name);
2086
2087 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
2088 }
2089
2090 /**
2091 * Get the lifetime of the initial ticket in the cache
2092 *
2093 * Get the lifetime of the initial ticket in the cache, if the initial
2094 * ticket was not found, the error code KRB5_CC_END is returned.
2095 *
2096 * @param context A Kerberos 5 context.
2097 * @param id a credential cache
2098 * @param t the relative lifetime of the initial ticket
2099 *
2100 * @return Return an error code or 0, see krb5_get_error_message().
2101 *
2102 * @ingroup krb5_ccache
2103 */
2104
2105 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2106 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
2107 {
2108 krb5_data config_start_realm;
2109 char *start_realm;
2110 krb5_cc_cursor cursor;
2111 krb5_error_code ret;
2112 krb5_creds cred;
2113 time_t now, endtime = 0;
2114
2115 *t = 0;
2116 krb5_timeofday(context, &now);
2117
2118 ret = krb5_cc_get_config(context, id, NULL, "start_realm", &config_start_realm);
2119 if (ret == 0) {
2120 start_realm = strndup(config_start_realm.data, config_start_realm.length);
2121 krb5_data_free(&config_start_realm);
2122 } else {
2123 krb5_principal client;
2124
2125 ret = krb5_cc_get_principal(context, id, &client);
2126 if (ret)
2127 return ret;
2128 start_realm = strdup(krb5_principal_get_realm(context, client));
2129 krb5_free_principal(context, client);
2130 }
2131 if (start_realm == NULL)
2132 return krb5_enomem(context);
2133
2134 ret = krb5_cc_start_seq_get(context, id, &cursor);
2135 if (ret) {
2136 free(start_realm);
2137 return ret;
2138 }
2139
2140 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
2141 /**
2142 * If we find the start krbtgt in the cache, use that as the lifespan.
2143 */
2144 if (krb5_principal_is_root_krbtgt(context, cred.server) &&
2145 strcmp(cred.server->realm, start_realm) == 0) {
2146 if (now < cred.times.endtime)
2147 endtime = cred.times.endtime;
2148 krb5_free_cred_contents(context, &cred);
2149 break;
2150 }
2151 /*
2152 * Skip config entries
2153 */
2154 if (krb5_is_config_principal(context, cred.server)) {
2155 krb5_free_cred_contents(context, &cred);
2156 continue;
2157 }
2158 /**
2159 * If there was no krbtgt, use the shortest lifetime of
2160 * service tickets that have yet to expire. If all
2161 * credentials are expired, krb5_cc_get_lifetime() will fail.
2162 */
2163 if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime)
2164 endtime = cred.times.endtime;
2165 krb5_free_cred_contents(context, &cred);
2166 }
2167 free(start_realm);
2168
2169 /* if we found an endtime use that */
2170 if (endtime) {
2171 *t = endtime - now;
2172 ret = 0;
2173 }
2174
2175 krb5_cc_end_seq_get(context, id, &cursor);
2176
2177 return ret;
2178 }
2179
2180 /**
2181 * Set the time offset betwen the client and the KDC
2182 *
2183 * If the backend doesn't support KDC offset, use the context global setting.
2184 *
2185 * @param context A Kerberos 5 context.
2186 * @param id a credential cache
2187 * @param offset the offset in seconds
2188 *
2189 * @return Return an error code or 0, see krb5_get_error_message().
2190 *
2191 * @ingroup krb5_ccache
2192 */
2193
2194 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2195 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
2196 {
2197 if (id->ops->version < KRB5_CC_OPS_VERSION_3
2198 || id->ops->set_kdc_offset == NULL) {
2199 context->kdc_sec_offset = offset;
2200 context->kdc_usec_offset = 0;
2201 return 0;
2202 }
2203 return (*id->ops->set_kdc_offset)(context, id, offset);
2204 }
2205
2206 /**
2207 * Get the time offset betwen the client and the KDC
2208 *
2209 * If the backend doesn't support KDC offset, use the context global setting.
2210 *
2211 * @param context A Kerberos 5 context.
2212 * @param id a credential cache
2213 * @param offset the offset in seconds
2214 *
2215 * @return Return an error code or 0, see krb5_get_error_message().
2216 *
2217 * @ingroup krb5_ccache
2218 */
2219
2220 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2221 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
2222 {
2223 if (id->ops->version < KRB5_CC_OPS_VERSION_3
2224 || id->ops->get_kdc_offset == NULL) {
2225 *offset = context->kdc_sec_offset;
2226 return 0;
2227 }
2228 return (*id->ops->get_kdc_offset)(context, id, offset);
2229 }
2230
2231 #ifdef _WIN32
2232 #define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5"
2233
2234 static char *
2235 _get_default_cc_name_from_registry(krb5_context context, HKEY hkBase)
2236 {
2237 HKEY hk_k5 = 0;
2238 LONG code;
2239 char *ccname = NULL;
2240
2241 code = RegOpenKeyEx(hkBase,
2242 REGPATH_MIT_KRB5,
2243 0, KEY_READ, &hk_k5);
2244
2245 if (code != ERROR_SUCCESS)
2246 return NULL;
2247
2248 ccname = heim_parse_reg_value_as_string(context->hcontext, hk_k5, "ccname",
2249 REG_NONE, 0);
2250
2251 RegCloseKey(hk_k5);
2252
2253 return ccname;
2254 }
2255
2256 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
2257 _krb5_get_default_cc_name_from_registry(krb5_context context)
2258 {
2259 char *ccname;
2260
2261 ccname = _get_default_cc_name_from_registry(context, HKEY_CURRENT_USER);
2262 if (ccname == NULL)
2263 ccname = _get_default_cc_name_from_registry(context,
2264 HKEY_LOCAL_MACHINE);
2265
2266 return ccname;
2267 }
2268
2269 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
2270 _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
2271 {
2272 HKEY hk_k5 = 0;
2273 LONG code;
2274 int ret = -1;
2275 char * ccname = NULL;
2276
2277 code = RegOpenKeyEx(HKEY_CURRENT_USER,
2278 REGPATH_MIT_KRB5,
2279 0, KEY_READ|KEY_WRITE, &hk_k5);
2280
2281 if (code != ERROR_SUCCESS)
2282 return -1;
2283
2284 ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id));
2285 if (ret < 0)
2286 goto cleanup;
2287
2288 ret = heim_store_string_to_reg_value(context->hcontext, hk_k5, "ccname",
2289 REG_SZ, ccname, -1, 0);
2290
2291 cleanup:
2292
2293 if (ccname)
2294 free(ccname);
2295
2296 RegCloseKey(hk_k5);
2297
2298 return ret;
2299 }
2300 #endif
Heimdal