summaryrefslogtreecommitdiffstats
path: root/lib/krb5/cache.c
diff options
context:
space:
mode:
authorstas <stas@FreeBSD.org>2011-10-05 07:23:29 +0000
committerstas <stas@FreeBSD.org>2011-10-05 07:23:29 +0000
commit33f661cecdad3182ee66b47805fa4bb212e0da6c (patch)
tree57a48e7e9b592f2d5b713e80a4455820625c2b7b /lib/krb5/cache.c
parent100a21d381c0fe86cfacf55ea7b18ec0bd2322bf (diff)
downloadFreeBSD-src-33f661cecdad3182ee66b47805fa4bb212e0da6c.zip
FreeBSD-src-33f661cecdad3182ee66b47805fa4bb212e0da6c.tar.gz
- Import Heimdal 1.5 distribution.
Diffstat (limited to 'lib/krb5/cache.c')
-rw-r--r--lib/krb5/cache.c1228
1 files changed, 941 insertions, 287 deletions
diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c
index 5db6d2b..616044e 100644
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -1,39 +1,104 @@
/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
-RCSID("$Id: cache.c 22127 2007-12-04 00:54:37Z lha $");
+/**
+ * @page krb5_ccache_intro The credential cache functions
+ * @section section_krb5_ccache Kerberos credential caches
+ *
+ * krb5_ccache structure holds a Kerberos credential cache.
+ *
+ * Heimdal support the follow types of credential caches:
+ *
+ * - SCC
+ * Store the credential in a database
+ * - FILE
+ * Store the credential in memory
+ * - MEMORY
+ * Store the credential in memory
+ * - API
+ * A credential cache server based solution for Mac OS X
+ * - KCM
+ * A credential cache server based solution for all platforms
+ *
+ * @subsection Example
+ *
+ * This is a minimalistic version of klist:
+@code
+#include <krb5.h>
+
+int
+main (int argc, char **argv)
+{
+ krb5_context context;
+ krb5_cc_cursor cursor;
+ krb5_error_code ret;
+ krb5_ccache id;
+ krb5_creds creds;
+
+ if (krb5_init_context (&context) != 0)
+ errx(1, "krb5_context");
+
+ ret = krb5_cc_default (context, &id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_default");
+
+ ret = krb5_cc_start_seq_get(context, id, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
+
+ while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
+ char *principal;
+
+ krb5_unparse_name(context, creds.server, &principal);
+ printf("principal: %s\\n", principal);
+ free(principal);
+ krb5_free_cred_contents (context, &creds);
+ }
+ ret = krb5_cc_end_seq_get(context, id, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
+
+ krb5_cc_close(context, id);
+
+ krb5_free_context(context);
+ return 0;
+}
+* @endcode
+*/
/**
* Add a new ccache type with operations `ops', overwriting any
@@ -44,43 +109,44 @@ RCSID("$Id: cache.c 22127 2007-12-04 00:54:37Z lha $");
* @param override flag to select if the registration is to overide
* an existing ops with the same name.
*
- * @return Return an error code or 0.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_register(krb5_context context,
- const krb5_cc_ops *ops,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_register(krb5_context context,
+ const krb5_cc_ops *ops,
krb5_boolean override)
{
int i;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
if(!override) {
- krb5_set_error_string(context,
- "ccache type %s already exists",
- ops->prefix);
+ krb5_set_error_message(context,
+ KRB5_CC_TYPE_EXISTS,
+ N_("cache type %s already exists", "type"),
+ ops->prefix);
return KRB5_CC_TYPE_EXISTS;
}
break;
}
}
if(i == context->num_cc_ops) {
- krb5_cc_ops *o = realloc(context->cc_ops,
- (context->num_cc_ops + 1) *
- sizeof(*context->cc_ops));
+ const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
+ (context->num_cc_ops + 1) *
+ sizeof(context->cc_ops[0]));
if(o == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
- context->num_cc_ops++;
context->cc_ops = o;
- memset(context->cc_ops + i, 0,
- (context->num_cc_ops - i) * sizeof(*context->cc_ops));
+ context->cc_ops[context->num_cc_ops] = NULL;
+ context->num_cc_ops++;
}
- memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
+ context->cc_ops[i] = ops;
return 0;
}
@@ -90,7 +156,7 @@ krb5_cc_register(krb5_context context,
*/
krb5_error_code
-_krb5_cc_allocate(krb5_context context,
+_krb5_cc_allocate(krb5_context context,
const krb5_cc_ops *ops,
krb5_ccache *id)
{
@@ -98,7 +164,8 @@ _krb5_cc_allocate(krb5_context context,
p = malloc (sizeof(*p));
if(p == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
+ krb5_set_error_message(context, KRB5_CC_NOMEM,
+ N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
p->ops = ops;
@@ -119,16 +186,58 @@ allocate_ccache (krb5_context context,
krb5_ccache *id)
{
krb5_error_code ret;
+#ifdef KRB5_USE_PATH_TOKENS
+ char * exp_residual = NULL;
- ret = _krb5_cc_allocate(context, ops, id);
+ ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
if (ret)
return ret;
+
+ residual = exp_residual;
+#endif
+
+ ret = _krb5_cc_allocate(context, ops, id);
+ if (ret) {
+#ifdef KRB5_USE_PATH_TOKENS
+ if (exp_residual)
+ free(exp_residual);
+#endif
+ return ret;
+ }
+
ret = (*id)->ops->resolve(context, id, residual);
- if(ret)
+ if(ret) {
free(*id);
+ *id = NULL;
+ }
+
+#ifdef KRB5_USE_PATH_TOKENS
+ if (exp_residual)
+ free(exp_residual);
+#endif
+
return ret;
}
+static int
+is_possible_path_name(const char * name)
+{
+ const char * colon;
+
+ if ((colon = strchr(name, ':')) == NULL)
+ return TRUE;
+
+#ifdef _WIN32
+ /* <drive letter>:\path\to\cache ? */
+
+ if (colon == name + 1 &&
+ strchr(colon + 1, ':') == NULL)
+ return TRUE;
+#endif
+
+ return FALSE;
+}
+
/**
* Find and allocate a ccache in `id' from the specification in `residual'.
* If the ccache name doesn't contain any colon, interpret it as a file name.
@@ -138,13 +247,13 @@ allocate_ccache (krb5_context context,
* @param id return pointer to a found credential cache.
*
* @return Return 0 or an error code. In case of an error, id is set
- * to NULL.
+ * to NULL, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_resolve(krb5_context context,
const char *name,
krb5_ccache *id)
@@ -153,73 +262,60 @@ krb5_cc_resolve(krb5_context context,
*id = NULL;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- size_t prefix_len = strlen(context->cc_ops[i].prefix);
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ size_t prefix_len = strlen(context->cc_ops[i]->prefix);
- if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
+ if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
&& name[prefix_len] == ':') {
- return allocate_ccache (context, &context->cc_ops[i],
+ return allocate_ccache (context, context->cc_ops[i],
name + prefix_len + 1,
id);
}
}
- if (strchr (name, ':') == NULL)
+ if (is_possible_path_name(name))
return allocate_ccache (context, &krb5_fcc_ops, name, id);
else {
- krb5_set_error_string(context, "unknown ccache type %s", name);
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ N_("unknown ccache type %s", "name"), name);
return KRB5_CC_UNKNOWN_TYPE;
}
}
/**
- * Generate a new ccache of type `ops' in `id'.
- *
- * @return Return 0 or an error code.
- *
- * @ingroup krb5_ccache
- */
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_gen_new(krb5_context context,
- const krb5_cc_ops *ops,
- krb5_ccache *id)
-{
- return krb5_cc_new_unique(context, ops->prefix, NULL, id);
-}
-
-/**
* Generates a new unique ccache of `type` in `id'. If `type' is NULL,
* the library chooses the default credential cache type. The supplied
* `hint' (that can be NULL) is a string that the credential cache
* type can use to base the name of the credential on, this is to make
* it easier for the user to differentiate the credentials.
*
- * @return Returns 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_new_unique(krb5_context context, const char *type,
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_new_unique(krb5_context context, const char *type,
const char *hint, krb5_ccache *id)
{
- const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
+ const krb5_cc_ops *ops;
krb5_error_code ret;
- if (type) {
- ops = krb5_cc_get_prefix_ops(context, type);
- if (ops == NULL) {
- krb5_set_error_string(context,
- "Credential cache type %s is unknown", type);
- return KRB5_CC_UNKNOWN_TYPE;
- }
+ ops = krb5_cc_get_prefix_ops(context, type);
+ if (ops == NULL) {
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "Credential cache type %s is unknown", type);
+ return KRB5_CC_UNKNOWN_TYPE;
}
ret = _krb5_cc_allocate(context, ops, id);
if (ret)
return ret;
- return (*id)->ops->gen_new(context, id);
+ ret = (*id)->ops->gen_new(context, id);
+ if (ret) {
+ free(*id);
+ *id = NULL;
+ }
+ return ret;
}
/**
@@ -229,7 +325,7 @@ krb5_cc_new_unique(krb5_context context, const char *type,
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_name(krb5_context context,
krb5_ccache id)
{
@@ -243,7 +339,7 @@ krb5_cc_get_name(krb5_context context,
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_type(krb5_context context,
krb5_ccache id)
{
@@ -251,15 +347,19 @@ krb5_cc_get_type(krb5_context context,
}
/**
- * Return the complete resolvable name the ccache `id' in `str´.
- * `str` should be freed with free(3).
- * Returns 0 or an error (and then *str is set to NULL).
+ * Return the complete resolvable name the cache
+
+ * @param context a Keberos context
+ * @param id return pointer to a found credential cache
+ * @param str the returned name of a credential cache, free with krb5_xfree()
+ *
+ * @return Returns 0 or an error (and then *str is set to NULL).
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_full_name(krb5_context context,
krb5_ccache id,
char **str)
@@ -270,18 +370,20 @@ krb5_cc_get_full_name(krb5_context context,
type = krb5_cc_get_type(context, id);
if (type == NULL) {
- krb5_set_error_string(context, "cache have no name of type");
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "cache have no name of type");
return KRB5_CC_UNKNOWN_TYPE;
}
name = krb5_cc_get_name(context, id);
if (name == NULL) {
- krb5_set_error_string(context, "cache of type %s have no name", type);
+ krb5_set_error_message(context, KRB5_CC_BADNAME,
+ "cache of type %s have no name", type);
return KRB5_CC_BADNAME;
}
-
+
if (asprintf(str, "%s:%s", type, name) == -1) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
*str = NULL;
return ENOMEM;
}
@@ -295,7 +397,7 @@ krb5_cc_get_full_name(krb5_context context,
*/
-const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_ops(krb5_context context, krb5_ccache id)
{
return id->ops;
@@ -308,68 +410,7 @@ krb5_cc_get_ops(krb5_context context, krb5_ccache id)
krb5_error_code
_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
{
- size_t tlen, len = 0;
- char *tmp, *tmp2, *append;
-
- *res = NULL;
-
- while (str && *str) {
- tmp = strstr(str, "%{");
- if (tmp && tmp != str) {
- append = malloc((tmp - str) + 1);
- if (append) {
- memcpy(append, str, tmp - str);
- append[tmp - str] = '\0';
- }
- str = tmp;
- } else if (tmp) {
- tmp2 = strchr(tmp, '}');
- if (tmp2 == NULL) {
- free(*res);
- *res = NULL;
- krb5_set_error_string(context, "variable missing }");
- return KRB5_CONFIG_BADFORMAT;
- }
- if (strncasecmp(tmp, "%{uid}", 6) == 0)
- asprintf(&append, "%u", (unsigned)getuid());
- else if (strncasecmp(tmp, "%{null}", 7) == 0)
- append = strdup("");
- else {
- free(*res);
- *res = NULL;
- krb5_set_error_string(context,
- "expand default cache unknown "
- "variable \"%.*s\"",
- (int)(tmp2 - tmp) - 2, tmp + 2);
- return KRB5_CONFIG_BADFORMAT;
- }
- str = tmp2 + 1;
- } else {
- append = strdup(str);
- str = NULL;
- }
- if (append == NULL) {
- free(*res);
- *res = NULL;
- krb5_set_error_string(context, "malloc - out of memory");
- return ENOMEM;
- }
-
- tlen = strlen(append);
- tmp = realloc(*res, len + tlen + 1);
- if (tmp == NULL) {
- free(append);
- free(*res);
- *res = NULL;
- krb5_set_error_string(context, "malloc - out of memory");
- return ENOMEM;
- }
- *res = tmp;
- memcpy(*res + len, append, tlen + 1);
- len = len + tlen;
- free(append);
- }
- return 0;
+ return _krb5_expand_path_tokens(context, str, res);
}
/*
@@ -386,6 +427,12 @@ environment_changed(krb5_context context)
if (context->default_cc_name_set)
return 0;
+ /* XXX performance: always ask KCM/API if default name has changed */
+ if (context->default_cc_name &&
+ (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
+ strncmp(context->default_cc_name, "API:", 4) == 0))
+ return 1;
+
if(issuid())
return 0;
@@ -406,17 +453,52 @@ environment_changed(krb5_context context)
}
/**
- * Set the default cc name for `context' to `name'.
+ * Switch the default default credential cache for a specific
+ * credcache type (and name for some implementations).
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_switch(krb5_context context, krb5_ccache id)
+{
+
+ if (id->ops->set_default == NULL)
+ return 0;
+
+ return (*id->ops->set_default)(context, id);
+}
+
+/**
+ * Return true if the default credential cache support switch
*
* @ingroup krb5_ccache
*/
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_cc_support_switch(krb5_context context, const char *type)
+{
+ const krb5_cc_ops *ops;
-krb5_error_code KRB5_LIB_FUNCTION
+ ops = krb5_cc_get_prefix_ops(context, type);
+ if (ops && ops->set_default)
+ return 1;
+ return FALSE;
+}
+
+/**
+ * Set the default cc name for `context' to `name'.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_default_name(krb5_context context, const char *name)
{
krb5_error_code ret = 0;
- char *p;
+ char *p = NULL, *exp_p = NULL;
if (name == NULL) {
const char *e = NULL;
@@ -430,6 +512,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
context->default_cc_name_env = strdup(e);
}
}
+
+#ifdef _WIN32
+ if (e == NULL) {
+ e = p = _krb5_get_default_cc_name_from_registry();
+ }
+#endif
if (e == NULL) {
e = krb5_config_get_string(context, NULL, "libdefaults",
"default_cc_name", NULL);
@@ -440,7 +528,19 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
}
if (e == NULL) {
const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
- ret = (*ops->default_name)(context, &p);
+ e = krb5_config_get_string(context, NULL, "libdefaults",
+ "default_cc_type", NULL);
+ if (e) {
+ ops = krb5_cc_get_prefix_ops(context, e);
+ if (ops == NULL) {
+ krb5_set_error_message(context,
+ KRB5_CC_UNKNOWN_TYPE,
+ "Credential cache type %s "
+ "is unknown", e);
+ return KRB5_CC_UNKNOWN_TYPE;
+ }
+ }
+ ret = (*ops->get_default_name)(context, &p);
if (ret)
return ret;
}
@@ -452,16 +552,21 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
}
if (p == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
+ ret = _krb5_expand_path_tokens(context, p, &exp_p);
+ free(p);
+ if (ret)
+ return ret;
+
if (context->default_cc_name)
free(context->default_cc_name);
- context->default_cc_name = p;
+ context->default_cc_name = exp_p;
- return ret;
+ return 0;
}
/**
@@ -474,7 +579,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
*/
-const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_default_name(krb5_context context)
{
if (context->default_cc_name == NULL || environment_changed(context))
@@ -486,20 +591,20 @@ krb5_cc_default_name(krb5_context context)
/**
* Open the default ccache in `id'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_default(krb5_context context,
krb5_ccache *id)
{
const char *p = krb5_cc_default_name(context);
if (p == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
return krb5_cc_resolve(context, p, id);
@@ -508,13 +613,13 @@ krb5_cc_default(krb5_context context,
/**
* Create a new ccache in `id' for `primary_principal'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
@@ -526,13 +631,13 @@ krb5_cc_initialize(krb5_context context,
/**
* Remove the ccache `id'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_destroy(krb5_context context,
krb5_ccache id)
{
@@ -546,13 +651,13 @@ krb5_cc_destroy(krb5_context context,
/**
* Stop using the ccache `id' and free the related resources.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_close(krb5_context context,
krb5_ccache id)
{
@@ -565,13 +670,13 @@ krb5_cc_close(krb5_context context,
/**
* Store `creds' in the ccache `id'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
@@ -584,13 +689,20 @@ krb5_cc_store_cred(krb5_context context,
* from `id' in `creds'. 'creds' must be free by the caller using
* krb5_free_cred_contents.
*
- * @return Return 0 or an error code.
+ * @param context A Kerberos 5 context
+ * @param id a Kerberos 5 credential cache
+ * @param whichfields what fields to use for matching credentials, same
+ * flags as whichfields in krb5_compare_creds()
+ * @param mcreds template credential to use for comparing
+ * @param creds returned credential, free with krb5_free_cred_contents()
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_retrieve_cred(krb5_context context,
krb5_ccache id,
krb5_flags whichfields,
@@ -622,13 +734,13 @@ krb5_cc_retrieve_cred(krb5_context context,
/**
* Return the principal of `id' in `principal'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_principal(krb5_context context,
krb5_ccache id,
krb5_principal *principal)
@@ -638,15 +750,15 @@ krb5_cc_get_principal(krb5_context context,
/**
* Start iterating over `id', `cursor' is initialized to the
- * beginning.
+ * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_start_seq_get (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -658,13 +770,13 @@ krb5_cc_start_seq_get (krb5_context context,
* Retrieve the next cred pointed to by (`id', `cursor') in `creds'
* and advance `cursor'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_next_cred (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor,
@@ -674,39 +786,13 @@ krb5_cc_next_cred (krb5_context context,
}
/**
- * Like krb5_cc_next_cred, but allow for selective retrieval
- *
- * @ingroup krb5_ccache
- */
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_next_cred_match(krb5_context context,
- const krb5_ccache id,
- krb5_cc_cursor * cursor,
- krb5_creds * creds,
- krb5_flags whichfields,
- const krb5_creds * mcreds)
-{
- krb5_error_code ret;
- while (1) {
- ret = krb5_cc_next_cred(context, id, cursor, creds);
- if (ret)
- return ret;
- if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds))
- return 0;
- krb5_free_cred_contents(context, creds);
- }
-}
-
-/**
* Destroy the cursor `cursor'.
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_end_seq_get (krb5_context context,
const krb5_ccache id,
krb5_cc_cursor *cursor)
@@ -721,16 +807,17 @@ krb5_cc_end_seq_get (krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_remove_cred(krb5_context context,
krb5_ccache id,
krb5_flags which,
krb5_creds *cred)
{
if(id->ops->remove_cred == NULL) {
- krb5_set_error_string(context,
- "ccache %s does not support remove_cred",
- id->ops->prefix);
+ krb5_set_error_message(context,
+ EACCES,
+ "ccache %s does not support remove_cred",
+ id->ops->prefix);
return EACCES; /* XXX */
}
return (*id->ops->remove_cred)(context, id, which, cred);
@@ -743,34 +830,61 @@ krb5_cc_remove_cred(krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_flags(krb5_context context,
krb5_ccache id,
krb5_flags flags)
{
return (*id->ops->set_flags)(context, id, flags);
}
-
+
/**
- * Copy the contents of `from' to `to'.
+ * Get the flags of `id', store them in `flags'.
*
* @ingroup krb5_ccache
*/
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_flags(krb5_context context,
+ krb5_ccache id,
+ krb5_flags *flags)
+{
+ *flags = 0;
+ return 0;
+}
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_cc_copy_cache_match(krb5_context context,
- const krb5_ccache from,
- krb5_ccache to,
- krb5_flags whichfields,
- const krb5_creds * mcreds,
- unsigned int *matched)
+/**
+ * Copy the contents of `from' to `to' if the given match function
+ * return true.
+ *
+ * @param context A Kerberos 5 context.
+ * @param from the cache to copy data from.
+ * @param to the cache to copy data to.
+ * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
+ * @param matchctx context passed to match function.
+ * @param matched set to true if there was a credential that matched, may be NULL.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_copy_match_f(krb5_context context,
+ const krb5_ccache from,
+ krb5_ccache to,
+ krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
+ void *matchctx,
+ unsigned int *matched)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
krb5_creds cred;
krb5_principal princ;
+ if (matched)
+ *matched = 0;
+
ret = krb5_cc_get_principal(context, from, &princ);
if (ret)
return ret;
@@ -784,34 +898,36 @@ krb5_cc_copy_cache_match(krb5_context context,
krb5_free_principal(context, princ);
return ret;
}
- if (matched)
- *matched = 0;
- while (ret == 0 &&
- krb5_cc_next_cred_match(context, from, &cursor, &cred,
- whichfields, mcreds) == 0) {
- if (matched)
- (*matched)++;
- ret = krb5_cc_store_cred(context, to, &cred);
- krb5_free_cred_contents(context, &cred);
+
+ while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
+ if (match == NULL || (*match)(context, matchctx, &cred) == 0) {
+ if (matched)
+ (*matched)++;
+ ret = krb5_cc_store_cred(context, to, &cred);
+ if (ret)
+ break;
+ }
+ krb5_free_cred_contents(context, &cred);
}
krb5_cc_end_seq_get(context, from, &cursor);
krb5_free_principal(context, princ);
+ if (ret == KRB5_CC_END)
+ ret = 0;
return ret;
}
/**
- * Just like krb5_cc_copy_cache_match, but copy everything.
+ * Just like krb5_cc_copy_match_f(), but copy everything.
*
- * @ingroup krb5_ccache
+ * @ingroup @krb5_ccache
*/
-
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_copy_cache(krb5_context context,
const krb5_ccache from,
krb5_ccache to)
{
- return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL);
+ return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
}
/**
@@ -821,7 +937,7 @@ krb5_cc_copy_cache(krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_version(krb5_context context,
const krb5_ccache id)
{
@@ -838,7 +954,7 @@ krb5_cc_get_version(krb5_context context,
*/
-void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_cc_clear_mcred(krb5_creds *mcred)
{
memset(mcred, 0, sizeof(*mcred));
@@ -846,37 +962,41 @@ krb5_cc_clear_mcred(krb5_creds *mcred)
/**
* Get the cc ops that is registered in `context' to handle the
- * `prefix'. `prefix' can be a complete credential cache name or a
+ * prefix. prefix can be a complete credential cache name or a
* prefix, the function will only use part up to the first colon (:)
- * if there is one.
- * Returns NULL if ops not found.
+ * if there is one. If prefix the argument is NULL, the default ccache
+ * implemtation is returned.
+ *
+ * @return Returns NULL if ops not found.
*
* @ingroup krb5_ccache
*/
-const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
{
char *p, *p1;
int i;
-
+
+ if (prefix == NULL)
+ return KRB5_DEFAULT_CCTYPE;
if (prefix[0] == '/')
return &krb5_fcc_ops;
p = strdup(prefix);
if (p == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return NULL;
}
p1 = strchr(p, ':');
if (p1)
*p1 = '\0';
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
- if(strcmp(context->cc_ops[i].prefix, p) == 0) {
+ for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+ if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
free(p);
- return &context->cc_ops[i];
+ return context->cc_ops[i];
}
}
free(p);
@@ -889,16 +1009,20 @@ struct krb5_cc_cache_cursor_data {
};
/**
- * Start iterating over all caches of `type'. If `type' is NULL, the
- * default type is * used. `cursor' is initialized to the beginning.
+ * Start iterating over all caches of specified type. See also
+ * krb5_cccol_cursor_new().
+
+ * @param context A Kerberos 5 context
+ * @param type optional type to iterate over, if NULL, the default cache is used.
+ * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_get_first (krb5_context context,
const char *type,
krb5_cc_cache_cursor *cursor)
@@ -911,20 +1035,23 @@ krb5_cc_cache_get_first (krb5_context context,
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL) {
- krb5_set_error_string(context, "Unknown type \"%s\" when iterating "
- "trying to iterate the credential caches", type);
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "Unknown type \"%s\" when iterating "
+ "trying to iterate the credential caches", type);
return KRB5_CC_UNKNOWN_TYPE;
}
if (ops->get_cache_first == NULL) {
- krb5_set_error_string(context, "Credential cache type %s doesn't support "
- "iterations over caches", ops->prefix);
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Credential cache type %s doesn't support "
+ "iterations over caches", "type"),
+ ops->prefix);
return KRB5_CC_NOSUPP;
}
*cursor = calloc(1, sizeof(**cursor));
if (*cursor == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
@@ -942,13 +1069,18 @@ krb5_cc_cache_get_first (krb5_context context,
* Retrieve the next cache pointed to by (`cursor') in `id'
* and advance `cursor'.
*
- * @return Return 0 or an error code.
+ * @param context A Kerberos 5 context
+ * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
+ * @param id next ccache
+ *
+ * @return Return 0 or an error code. Returns KRB5_CC_END when the end
+ * of caches is reached, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_next (krb5_context context,
krb5_cc_cache_cursor cursor,
krb5_ccache *id)
@@ -959,13 +1091,13 @@ krb5_cc_cache_next (krb5_context context,
/**
* Destroy the cursor `cursor'.
*
- * @return Return 0 or an error code.
+ * @return Return an error code or 0, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_end_seq_get (krb5_context context,
krb5_cc_cache_cursor cursor)
{
@@ -977,10 +1109,13 @@ krb5_cc_cache_end_seq_get (krb5_context context,
}
/**
- * Search for a matching credential cache of type `type' that have the
- * `principal' as the default principal. If NULL is used for `type',
- * the default type is used. On success, `id' needs to be freed with
- * krb5_cc_close or krb5_cc_destroy.
+ * Search for a matching credential cache that have the
+ * `principal' as the default principal. On success, `id' needs to be
+ * freed with krb5_cc_close() or krb5_cc_destroy().
+ *
+ * @param context A Kerberos 5 context
+ * @param client The principal to search for
+ * @param id the returned credential cache
*
* @return On failure, error code is returned and `id' is set to NULL.
*
@@ -988,29 +1123,28 @@ krb5_cc_cache_end_seq_get (krb5_context context,
*/
-krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_match (krb5_context context,
krb5_principal client,
- const char *type,
krb5_ccache *id)
{
- krb5_cc_cache_cursor cursor;
+ krb5_cccol_cursor cursor;
krb5_error_code ret;
krb5_ccache cache = NULL;
*id = NULL;
- ret = krb5_cc_cache_get_first (context, type, &cursor);
+ ret = krb5_cccol_cursor_new (context, &cursor);
if (ret)
return ret;
- while ((ret = krb5_cc_cache_next (context, cursor, &cache)) == 0) {
+ while (krb5_cccol_cursor_next (context, cursor, &cache) == 0 && cache != NULL) {
krb5_principal principal;
ret = krb5_cc_get_principal(context, cache, &principal);
if (ret == 0) {
krb5_boolean match;
-
+
match = krb5_principal_compare(context, principal, client);
krb5_free_principal(context, principal);
if (match)
@@ -1021,15 +1155,17 @@ krb5_cc_cache_match (krb5_context context,
cache = NULL;
}
- krb5_cc_cache_end_seq_get(context, cursor);
+ krb5_cccol_cursor_free(context, &cursor);
if (cache == NULL) {
char *str;
krb5_unparse_name(context, client, &str);
- krb5_set_error_string(context, "Principal %s not found in a "
- "credential cache", str ? str : "<out of memory>");
+ krb5_set_error_message(context, KRB5_CC_NOTFOUND,
+ N_("Principal %s not found in any "
+ "credential cache", ""),
+ str ? str : "<out of memory>");
if (str)
free(str);
return KRB5_CC_NOTFOUND;
@@ -1041,26 +1177,27 @@ krb5_cc_cache_match (krb5_context context,
/**
* Move the content from one credential cache to another. The
- * operation is an atomic switch.
+ * operation is an atomic switch.
*
* @param context a Keberos context
* @param from the credential cache to move the content from
* @param to the credential cache to move the content to
* @return On sucess, from is freed. On failure, error code is
- * returned and from and to are both still allocated.
+ * returned and from and to are both still allocated, see krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_error_code ret;
if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
- krb5_set_error_string(context, "Moving credentials between diffrent "
- "types not yet supported");
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Moving credentials between diffrent "
+ "types not yet supported", ""));
return KRB5_CC_NOSUPP;
}
@@ -1071,3 +1208,520 @@ krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
return ret;
}
+
+#define KRB5_CONF_NAME "krb5_ccache_conf_data"
+#define KRB5_REALM_NAME "X-CACHECONF:"
+
+static krb5_error_code
+build_conf_principals(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_creds *cred)
+{
+ krb5_principal client;
+ krb5_error_code ret;
+ char *pname = NULL;
+
+ memset(cred, 0, sizeof(*cred));
+
+ ret = krb5_cc_get_principal(context, id, &client);
+ if (ret)
+ return ret;
+
+ if (principal) {
+ ret = krb5_unparse_name(context, principal, &pname);
+ if (ret)
+ return ret;
+ }
+
+ ret = krb5_make_principal(context, &cred->server,
+ KRB5_REALM_NAME,
+ KRB5_CONF_NAME, name, pname, NULL);
+ free(pname);
+ if (ret) {
+ krb5_free_principal(context, client);
+ return ret;
+ }
+ ret = krb5_copy_principal(context, client, &cred->client);
+ krb5_free_principal(context, client);
+ return ret;
+}
+
+/**
+ * Return TRUE (non zero) if the principal is a configuration
+ * principal (generated part of krb5_cc_set_config()). Returns FALSE
+ * (zero) if not a configuration principal.
+ *
+ * @param context a Keberos context
+ * @param principal principal to check if it a configuration principal
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_config_principal(krb5_context context,
+ krb5_const_principal principal)
+{
+ if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
+ return FALSE;
+
+ if (principal->name.name_string.len == 0 ||
+ strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
+ return FALSE;
+
+ return TRUE;
+}
+
+/**
+ * Store some configuration for the credential cache in the cache.
+ * Existing configuration under the same name is over-written.
+ *
+ * @param context a Keberos context
+ * @param id the credential cache to store the data for
+ * @param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * @param name name under which the configuraion is stored.
+ * @param data data to store, if NULL, configure is removed.
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_config(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_creds cred;
+
+ ret = build_conf_principals(context, id, principal, name, &cred);
+ if (ret)
+ goto out;
+
+ /* Remove old configuration */
+ ret = krb5_cc_remove_cred(context, id, 0, &cred);
+ if (ret && ret != KRB5_CC_NOTFOUND)
+ goto out;
+
+ if (data) {
+ /* not that anyone care when this expire */
+ cred.times.authtime = time(NULL);
+ cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
+
+ ret = krb5_data_copy(&cred.ticket, data->data, data->length);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_store_cred(context, id, &cred);
+ }
+
+out:
+ krb5_free_cred_contents (context, &cred);
+ return ret;
+}
+
+/**
+ * Get some configuration for the credential cache in the cache.
+ *
+ * @param context a Keberos context
+ * @param id the credential cache to store the data for
+ * @param principal configuration for a specific principal, if
+ * NULL, global for the whole cache.
+ * @param name name under which the configuraion is stored.
+ * @param data data to fetched, free with krb5_data_free()
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_config(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *name, krb5_data *data)
+{
+ krb5_creds mcred, cred;
+ krb5_error_code ret;
+
+ memset(&cred, 0, sizeof(cred));
+ krb5_data_zero(data);
+
+ ret = build_conf_principals(context, id, principal, name, &mcred);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+ if (ret)
+ goto out;
+
+ ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
+
+out:
+ krb5_free_cred_contents (context, &cred);
+ krb5_free_cred_contents (context, &mcred);
+ return ret;
+}
+
+/*
+ *
+ */
+
+struct krb5_cccol_cursor_data {
+ int idx;
+ krb5_cc_cache_cursor cursor;
+};
+
+/**
+ * Get a new cache interation cursor that will interate over all
+ * credentials caches independent of type.
+ *
+ * @param context a Keberos context
+ * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
+ *
+ * @return Returns 0 or and error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
+{
+ *cursor = calloc(1, sizeof(**cursor));
+ if (*cursor == NULL) {
+ krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+ return ENOMEM;
+ }
+ (*cursor)->idx = 0;
+ (*cursor)->cursor = NULL;
+
+ return 0;
+}
+
+/**
+ * Get next credential cache from the iteration.
+ *
+ * @param context A Kerberos 5 context
+ * @param cursor the iteration cursor
+ * @param cache the returned cursor, pointer is set to NULL on failure
+ * and a cache on success. The returned cache needs to be freed
+ * with krb5_cc_close() or destroyed with krb5_cc_destroy().
+ * MIT Kerberos behavies slightly diffrent and sets cache to NULL
+ * when all caches are iterated over and return 0.
+ *
+ * @return Return 0 or and error, KRB5_CC_END is returned at the end
+ * of iteration. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
+ krb5_ccache *cache)
+{
+ krb5_error_code ret;
+
+ *cache = NULL;
+
+ while (cursor->idx < context->num_cc_ops) {
+
+ if (cursor->cursor == NULL) {
+ ret = krb5_cc_cache_get_first (context,
+ context->cc_ops[cursor->idx]->prefix,
+ &cursor->cursor);
+ if (ret) {
+ cursor->idx++;
+ continue;
+ }
+ }
+ ret = krb5_cc_cache_next(context, cursor->cursor, cache);
+ if (ret == 0)
+ break;
+
+ krb5_cc_cache_end_seq_get(context, cursor->cursor);
+ cursor->cursor = NULL;
+ if (ret != KRB5_CC_END)
+ break;
+
+ cursor->idx++;
+ }
+ if (cursor->idx >= context->num_cc_ops) {
+ krb5_set_error_message(context, KRB5_CC_END,
+ N_("Reached end of credential caches", ""));
+ return KRB5_CC_END;
+ }
+
+ return 0;
+}
+
+/**
+ * End an iteration and free all resources, can be done before end is reached.
+ *
+ * @param context A Kerberos 5 context
+ * @param cursor the iteration cursor to be freed.
+ *
+ * @return Return 0 or and error, KRB5_CC_END is returned at the end
+ * of iteration. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
+{
+ krb5_cccol_cursor c = *cursor;
+
+ *cursor = NULL;
+ if (c) {
+ if (c->cursor)
+ krb5_cc_cache_end_seq_get(context, c->cursor);
+ free(c);
+ }
+ return 0;
+}
+
+/**
+ * Return the last time the credential cache was modified.
+ *
+ * @param context A Kerberos 5 context
+ * @param id The credential cache to probe
+ * @param mtime the last modification time, set to 0 on error.
+
+ * @return Return 0 or and error. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_last_change_time(krb5_context context,
+ krb5_ccache id,
+ krb5_timestamp *mtime)
+{
+ *mtime = 0;
+ return (*id->ops->lastchange)(context, id, mtime);
+}
+
+/**
+ * Return the last modfication time for a cache collection. The query
+ * can be limited to a specific cache type. If the function return 0
+ * and mtime is 0, there was no credentials in the caches.
+ *
+ * @param context A Kerberos 5 context
+ * @param type The credential cache to probe, if NULL, all type are traversed.
+ * @param mtime the last modification time, set to 0 on error.
+
+ * @return Return 0 or and error. See krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cccol_last_change_time(krb5_context context,
+ const char *type,
+ krb5_timestamp *mtime)
+{
+ krb5_cccol_cursor cursor;
+ krb5_error_code ret;
+ krb5_ccache id;
+ krb5_timestamp t = 0;
+
+ *mtime = 0;
+
+ ret = krb5_cccol_cursor_new (context, &cursor);
+ if (ret)
+ return ret;
+
+ while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
+
+ if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
+ continue;
+
+ ret = krb5_cc_last_change_time(context, id, &t);
+ krb5_cc_close(context, id);
+ if (ret)
+ continue;
+ if (t > *mtime)
+ *mtime = t;
+ }
+
+ krb5_cccol_cursor_free(context, &cursor);
+
+ return 0;
+}
+/**
+ * Return a friendly name on credential cache. Free the result with krb5_xfree().
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_friendly_name(krb5_context context,
+ krb5_ccache id,
+ char **name)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
+ if (ret) {
+ krb5_principal principal;
+ ret = krb5_cc_get_principal(context, id, &principal);
+ if (ret)
+ return ret;
+ ret = krb5_unparse_name(context, principal, name);
+ krb5_free_principal(context, principal);
+ } else {
+ ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
+ krb5_data_free(&data);
+ if (ret <= 0) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ } else
+ ret = 0;
+ }
+
+ return ret;
+}
+
+/**
+ * Set the friendly name on credential cache.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_friendly_name(krb5_context context,
+ krb5_ccache id,
+ const char *name)
+{
+ krb5_data data;
+
+ data.data = rk_UNCONST(name);
+ data.length = strlen(name);
+
+ return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
+}
+
+/**
+ * Get the lifetime of the initial ticket in the cache
+ *
+ * Get the lifetime of the initial ticket in the cache, if the initial
+ * ticket was not found, the error code KRB5_CC_END is returned.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param t the relative lifetime of the initial ticket
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
+{
+ krb5_cc_cursor cursor;
+ krb5_error_code ret;
+ krb5_creds cred;
+ time_t now;
+
+ *t = 0;
+ now = time(NULL);
+
+ ret = krb5_cc_start_seq_get(context, id, &cursor);
+ if (ret)
+ return ret;
+
+ while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
+ if (cred.flags.b.initial) {
+ if (now < cred.times.endtime)
+ *t = cred.times.endtime - now;
+ krb5_free_cred_contents(context, &cred);
+ break;
+ }
+ krb5_free_cred_contents(context, &cred);
+ }
+
+ krb5_cc_end_seq_get(context, id, &cursor);
+
+ return ret;
+}
+
+/**
+ * Set the time offset betwen the client and the KDC
+ *
+ * If the backend doesn't support KDC offset, use the context global setting.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param offset the offset in seconds
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
+{
+ if (id->ops->set_kdc_offset == NULL) {
+ context->kdc_sec_offset = offset;
+ context->kdc_usec_offset = 0;
+ return 0;
+ }
+ return (*id->ops->set_kdc_offset)(context, id, offset);
+}
+
+/**
+ * Get the time offset betwen the client and the KDC
+ *
+ * If the backend doesn't support KDC offset, use the context global setting.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param offset the offset in seconds
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
+{
+ if (id->ops->get_kdc_offset == NULL) {
+ *offset = context->kdc_sec_offset;
+ return 0;
+ }
+ return (*id->ops->get_kdc_offset)(context, id, offset);
+}
+
+
+#ifdef _WIN32
+
+char *
+_krb5_get_default_cc_name_from_registry()
+{
+ HKEY hk_k5 = 0;
+ LONG code;
+ char * ccname = NULL;
+
+ code = RegOpenKeyEx(HKEY_CURRENT_USER,
+ "Software\\MIT\\Kerberos5",
+ 0, KEY_READ, &hk_k5);
+
+ if (code != ERROR_SUCCESS)
+ return NULL;
+
+ ccname = _krb5_parse_reg_value_as_string(NULL, hk_k5, "ccname",
+ REG_NONE, 0);
+
+ RegCloseKey(hk_k5);
+
+ return ccname;
+}
+
+#endif
OpenPOWER on IntegriCloud