2 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
39 * Add a new ccache type with operations `ops', overwriting any
40 * existing one if `override'.
42 * @param context a Keberos context
43 * @param ops type of plugin symbol
44 * @param override flag to select if the registration is to overide
45 * an existing ops with the same name.
47 * @return Return an error code or 0.
49 * @ingroup krb5_ccache
52 krb5_error_code KRB5_LIB_FUNCTION
53 krb5_cc_register(krb5_context context,
54 const krb5_cc_ops *ops,
55 krb5_boolean override)
59 for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
60 if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
62 krb5_set_error_string(context,
63 "ccache type %s already exists",
65 return KRB5_CC_TYPE_EXISTS;
70 if(i == context->num_cc_ops) {
71 krb5_cc_ops *o = realloc(context->cc_ops,
72 (context->num_cc_ops + 1) *
73 sizeof(*context->cc_ops));
75 krb5_set_error_string(context, "malloc: out of memory");
78 context->num_cc_ops++;
80 memset(context->cc_ops + i, 0,
81 (context->num_cc_ops - i) * sizeof(*context->cc_ops));
83 memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
88 * Allocate the memory for a `id' and the that function table to
89 * `ops'. Returns 0 or and error code.
93 _krb5_cc_allocate(krb5_context context,
94 const krb5_cc_ops *ops,
99 p = malloc (sizeof(*p));
101 krb5_set_error_string(context, "malloc: out of memory");
102 return KRB5_CC_NOMEM;
111 * Allocate memory for a new ccache in `id' with operations `ops'
112 * and name `residual'. Return 0 or an error code.
115 static krb5_error_code
116 allocate_ccache (krb5_context context,
117 const krb5_cc_ops *ops,
118 const char *residual,
123 ret = _krb5_cc_allocate(context, ops, id);
126 ret = (*id)->ops->resolve(context, id, residual);
133 * Find and allocate a ccache in `id' from the specification in `residual'.
134 * If the ccache name doesn't contain any colon, interpret it as a file name.
136 * @param context a Keberos context.
137 * @param name string name of a credential cache.
138 * @param id return pointer to a found credential cache.
140 * @return Return 0 or an error code. In case of an error, id is set
143 * @ingroup krb5_ccache
147 krb5_error_code KRB5_LIB_FUNCTION
148 krb5_cc_resolve(krb5_context context,
156 for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
157 size_t prefix_len = strlen(context->cc_ops[i].prefix);
159 if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
160 && name[prefix_len] == ':') {
161 return allocate_ccache (context, &context->cc_ops[i],
162 name + prefix_len + 1,
166 if (strchr (name, ':') == NULL)
167 return allocate_ccache (context, &krb5_fcc_ops, name, id);
169 krb5_set_error_string(context, "unknown ccache type %s", name);
170 return KRB5_CC_UNKNOWN_TYPE;
175 * Generate a new ccache of type `ops' in `id'.
177 * @return Return 0 or an error code.
179 * @ingroup krb5_ccache
183 krb5_error_code KRB5_LIB_FUNCTION
184 krb5_cc_gen_new(krb5_context context,
185 const krb5_cc_ops *ops,
188 return krb5_cc_new_unique(context, ops->prefix, NULL, id);
192 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
193 * the library chooses the default credential cache type. The supplied
194 * `hint' (that can be NULL) is a string that the credential cache
195 * type can use to base the name of the credential on, this is to make
196 * it easier for the user to differentiate the credentials.
198 * @return Returns 0 or an error code.
200 * @ingroup krb5_ccache
203 krb5_error_code KRB5_LIB_FUNCTION
204 krb5_cc_new_unique(krb5_context context, const char *type,
205 const char *hint, krb5_ccache *id)
207 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
211 ops = krb5_cc_get_prefix_ops(context, type);
213 krb5_set_error_string(context,
214 "Credential cache type %s is unknown", type);
215 return KRB5_CC_UNKNOWN_TYPE;
219 ret = _krb5_cc_allocate(context, ops, id);
222 return (*id)->ops->gen_new(context, id);
226 * Return the name of the ccache `id'
228 * @ingroup krb5_ccache
232 const char* KRB5_LIB_FUNCTION
233 krb5_cc_get_name(krb5_context context,
236 return id->ops->get_name(context, id);
240 * Return the type of the ccache `id'.
242 * @ingroup krb5_ccache
246 const char* KRB5_LIB_FUNCTION
247 krb5_cc_get_type(krb5_context context,
250 return id->ops->prefix;
254 * Return the complete resolvable name the ccache `id' in `str´.
255 * `str` should be freed with free(3).
256 * Returns 0 or an error (and then *str is set to NULL).
258 * @ingroup krb5_ccache
262 krb5_error_code KRB5_LIB_FUNCTION
263 krb5_cc_get_full_name(krb5_context context,
267 const char *type, *name;
271 type = krb5_cc_get_type(context, id);
273 krb5_set_error_string(context, "cache have no name of type");
274 return KRB5_CC_UNKNOWN_TYPE;
277 name = krb5_cc_get_name(context, id);
279 krb5_set_error_string(context, "cache of type %s have no name", type);
280 return KRB5_CC_BADNAME;
283 if (asprintf(str, "%s:%s", type, name) == -1) {
284 krb5_set_error_string(context, "malloc - out of memory");
292 * Return krb5_cc_ops of a the ccache `id'.
294 * @ingroup krb5_ccache
299 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
305 * Expand variables in `str' into `res'
309 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
311 size_t tlen, len = 0;
312 char *tmp, *tmp2, *append;
316 while (str && *str) {
317 tmp = strstr(str, "%{");
318 if (tmp && tmp != str) {
319 append = malloc((tmp - str) + 1);
321 memcpy(append, str, tmp - str);
322 append[tmp - str] = '\0';
326 tmp2 = strchr(tmp, '}');
330 krb5_set_error_string(context, "variable missing }");
331 return KRB5_CONFIG_BADFORMAT;
333 if (strncasecmp(tmp, "%{uid}", 6) == 0)
334 asprintf(&append, "%u", (unsigned)getuid());
335 else if (strncasecmp(tmp, "%{null}", 7) == 0)
340 krb5_set_error_string(context,
341 "expand default cache unknown "
343 (int)(tmp2 - tmp) - 2, tmp + 2);
344 return KRB5_CONFIG_BADFORMAT;
348 append = strdup(str);
351 if (append == NULL) {
354 krb5_set_error_string(context, "malloc - out of memory");
358 tlen = strlen(append);
359 tmp = realloc(*res, len + tlen + 1);
364 krb5_set_error_string(context, "malloc - out of memory");
368 memcpy(*res + len, append, tlen + 1);
376 * Return non-zero if envirnoment that will determine default krb5cc
381 environment_changed(krb5_context context)
385 /* if the cc name was set, don't change it */
386 if (context->default_cc_name_set)
392 e = getenv("KRB5CCNAME");
394 if (context->default_cc_name_env) {
395 free(context->default_cc_name_env);
396 context->default_cc_name_env = NULL;
400 if (context->default_cc_name_env == NULL)
402 if (strcmp(e, context->default_cc_name_env) != 0)
409 * Switch the default default credential cache for a specific
410 * credcache type (and name for some implementations).
412 * @return Returns 0 or an error code.
414 * @ingroup krb5_ccache
418 krb5_cc_switch(krb5_context context, krb5_ccache id)
421 if (id->ops->set_default == NULL)
424 return (*id->ops->set_default)(context, id);
428 * Set the default cc name for `context' to `name'.
430 * @ingroup krb5_ccache
433 krb5_error_code KRB5_LIB_FUNCTION
434 krb5_cc_set_default_name(krb5_context context, const char *name)
436 krb5_error_code ret = 0;
440 const char *e = NULL;
443 e = getenv("KRB5CCNAME");
446 if (context->default_cc_name_env)
447 free(context->default_cc_name_env);
448 context->default_cc_name_env = strdup(e);
452 e = krb5_config_get_string(context, NULL, "libdefaults",
453 "default_cc_name", NULL);
455 ret = _krb5_expand_default_cc_name(context, e, &p);
460 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
461 ret = (*ops->get_default_name)(context, &p);
466 context->default_cc_name_set = 0;
469 context->default_cc_name_set = 1;
473 krb5_set_error_string(context, "malloc - out of memory");
477 if (context->default_cc_name)
478 free(context->default_cc_name);
480 context->default_cc_name = p;
486 * Return a pointer to a context static string containing the default
489 * @return String to the default credential cache name.
491 * @ingroup krb5_ccache
495 const char* KRB5_LIB_FUNCTION
496 krb5_cc_default_name(krb5_context context)
498 if (context->default_cc_name == NULL || environment_changed(context))
499 krb5_cc_set_default_name(context, NULL);
501 return context->default_cc_name;
505 * Open the default ccache in `id'.
507 * @return Return 0 or an error code.
509 * @ingroup krb5_ccache
513 krb5_error_code KRB5_LIB_FUNCTION
514 krb5_cc_default(krb5_context context,
517 const char *p = krb5_cc_default_name(context);
520 krb5_set_error_string(context, "malloc - out of memory");
523 return krb5_cc_resolve(context, p, id);
527 * Create a new ccache in `id' for `primary_principal'.
529 * @return Return 0 or an error code.
531 * @ingroup krb5_ccache
535 krb5_error_code KRB5_LIB_FUNCTION
536 krb5_cc_initialize(krb5_context context,
538 krb5_principal primary_principal)
540 return (*id->ops->init)(context, id, primary_principal);
545 * Remove the ccache `id'.
547 * @return Return 0 or an error code.
549 * @ingroup krb5_ccache
553 krb5_error_code KRB5_LIB_FUNCTION
554 krb5_cc_destroy(krb5_context context,
559 ret = (*id->ops->destroy)(context, id);
560 krb5_cc_close (context, id);
565 * Stop using the ccache `id' and free the related resources.
567 * @return Return 0 or an error code.
569 * @ingroup krb5_ccache
573 krb5_error_code KRB5_LIB_FUNCTION
574 krb5_cc_close(krb5_context context,
578 ret = (*id->ops->close)(context, id);
584 * Store `creds' in the ccache `id'.
586 * @return Return 0 or an error code.
588 * @ingroup krb5_ccache
592 krb5_error_code KRB5_LIB_FUNCTION
593 krb5_cc_store_cred(krb5_context context,
597 return (*id->ops->store)(context, id, creds);
601 * Retrieve the credential identified by `mcreds' (and `whichfields')
602 * from `id' in `creds'. 'creds' must be free by the caller using
603 * krb5_free_cred_contents.
605 * @return Return 0 or an error code.
607 * @ingroup krb5_ccache
611 krb5_error_code KRB5_LIB_FUNCTION
612 krb5_cc_retrieve_cred(krb5_context context,
614 krb5_flags whichfields,
615 const krb5_creds *mcreds,
619 krb5_cc_cursor cursor;
621 if (id->ops->retrieve != NULL) {
622 return (*id->ops->retrieve)(context, id, whichfields,
626 ret = krb5_cc_start_seq_get(context, id, &cursor);
629 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
630 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
634 krb5_free_cred_contents (context, creds);
636 krb5_cc_end_seq_get(context, id, &cursor);
641 * Return the principal of `id' in `principal'.
643 * @return Return 0 or an error code.
645 * @ingroup krb5_ccache
649 krb5_error_code KRB5_LIB_FUNCTION
650 krb5_cc_get_principal(krb5_context context,
652 krb5_principal *principal)
654 return (*id->ops->get_princ)(context, id, principal);
658 * Start iterating over `id', `cursor' is initialized to the
661 * @return Return 0 or an error code.
663 * @ingroup krb5_ccache
667 krb5_error_code KRB5_LIB_FUNCTION
668 krb5_cc_start_seq_get (krb5_context context,
669 const krb5_ccache id,
670 krb5_cc_cursor *cursor)
672 return (*id->ops->get_first)(context, id, cursor);
676 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
677 * and advance `cursor'.
679 * @return Return 0 or an error code.
681 * @ingroup krb5_ccache
685 krb5_error_code KRB5_LIB_FUNCTION
686 krb5_cc_next_cred (krb5_context context,
687 const krb5_ccache id,
688 krb5_cc_cursor *cursor,
691 return (*id->ops->get_next)(context, id, cursor, creds);
695 * Like krb5_cc_next_cred, but allow for selective retrieval
697 * @ingroup krb5_ccache
701 krb5_error_code KRB5_LIB_FUNCTION
702 krb5_cc_next_cred_match(krb5_context context,
703 const krb5_ccache id,
704 krb5_cc_cursor * cursor,
706 krb5_flags whichfields,
707 const krb5_creds * mcreds)
711 ret = krb5_cc_next_cred(context, id, cursor, creds);
714 if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds))
716 krb5_free_cred_contents(context, creds);
721 * Destroy the cursor `cursor'.
723 * @ingroup krb5_ccache
727 krb5_error_code KRB5_LIB_FUNCTION
728 krb5_cc_end_seq_get (krb5_context context,
729 const krb5_ccache id,
730 krb5_cc_cursor *cursor)
732 return (*id->ops->end_get)(context, id, cursor);
736 * Remove the credential identified by `cred', `which' from `id'.
738 * @ingroup krb5_ccache
742 krb5_error_code KRB5_LIB_FUNCTION
743 krb5_cc_remove_cred(krb5_context context,
748 if(id->ops->remove_cred == NULL) {
749 krb5_set_error_string(context,
750 "ccache %s does not support remove_cred",
752 return EACCES; /* XXX */
754 return (*id->ops->remove_cred)(context, id, which, cred);
758 * Set the flags of `id' to `flags'.
760 * @ingroup krb5_ccache
764 krb5_error_code KRB5_LIB_FUNCTION
765 krb5_cc_set_flags(krb5_context context,
769 return (*id->ops->set_flags)(context, id, flags);
773 * Copy the contents of `from' to `to'.
775 * @ingroup krb5_ccache
779 krb5_error_code KRB5_LIB_FUNCTION
780 krb5_cc_copy_cache_match(krb5_context context,
781 const krb5_ccache from,
783 krb5_flags whichfields,
784 const krb5_creds * mcreds,
785 unsigned int *matched)
788 krb5_cc_cursor cursor;
790 krb5_principal princ;
792 ret = krb5_cc_get_principal(context, from, &princ);
795 ret = krb5_cc_initialize(context, to, princ);
797 krb5_free_principal(context, princ);
800 ret = krb5_cc_start_seq_get(context, from, &cursor);
802 krb5_free_principal(context, princ);
808 krb5_cc_next_cred_match(context, from, &cursor, &cred,
809 whichfields, mcreds) == 0) {
812 ret = krb5_cc_store_cred(context, to, &cred);
813 krb5_free_cred_contents(context, &cred);
815 krb5_cc_end_seq_get(context, from, &cursor);
816 krb5_free_principal(context, princ);
821 * Just like krb5_cc_copy_cache_match, but copy everything.
823 * @ingroup krb5_ccache
827 krb5_error_code KRB5_LIB_FUNCTION
828 krb5_cc_copy_cache(krb5_context context,
829 const krb5_ccache from,
832 return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL);
836 * Return the version of `id'.
838 * @ingroup krb5_ccache
842 krb5_error_code KRB5_LIB_FUNCTION
843 krb5_cc_get_version(krb5_context context,
844 const krb5_ccache id)
846 if(id->ops->get_version)
847 return (*id->ops->get_version)(context, id);
853 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
855 * @ingroup krb5_ccache
859 void KRB5_LIB_FUNCTION
860 krb5_cc_clear_mcred(krb5_creds *mcred)
862 memset(mcred, 0, sizeof(*mcred));
866 * Get the cc ops that is registered in `context' to handle the
867 * `prefix'. `prefix' can be a complete credential cache name or a
868 * prefix, the function will only use part up to the first colon (:)
870 * Returns NULL if ops not found.
872 * @ingroup krb5_ccache
877 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
882 if (prefix[0] == '/')
883 return &krb5_fcc_ops;
887 krb5_set_error_string(context, "malloc - out of memory");
894 for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
895 if(strcmp(context->cc_ops[i].prefix, p) == 0) {
897 return &context->cc_ops[i];
904 struct krb5_cc_cache_cursor_data {
905 const krb5_cc_ops *ops;
906 krb5_cc_cursor cursor;
910 * Start iterating over all caches of `type'. If `type' is NULL, the
911 * default type is * used. `cursor' is initialized to the beginning.
913 * @return Return 0 or an error code.
915 * @ingroup krb5_ccache
919 krb5_error_code KRB5_LIB_FUNCTION
920 krb5_cc_cache_get_first (krb5_context context,
922 krb5_cc_cache_cursor *cursor)
924 const krb5_cc_ops *ops;
928 type = krb5_cc_default_name(context);
930 ops = krb5_cc_get_prefix_ops(context, type);
932 krb5_set_error_string(context, "Unknown type \"%s\" when iterating "
933 "trying to iterate the credential caches", type);
934 return KRB5_CC_UNKNOWN_TYPE;
937 if (ops->get_cache_first == NULL) {
938 krb5_set_error_string(context, "Credential cache type %s doesn't support "
939 "iterations over caches", ops->prefix);
940 return KRB5_CC_NOSUPP;
943 *cursor = calloc(1, sizeof(**cursor));
944 if (*cursor == NULL) {
945 krb5_set_error_string(context, "malloc - out of memory");
949 (*cursor)->ops = ops;
951 ret = ops->get_cache_first(context, &(*cursor)->cursor);
960 * Retrieve the next cache pointed to by (`cursor') in `id'
961 * and advance `cursor'.
963 * @return Return 0 or an error code.
965 * @ingroup krb5_ccache
969 krb5_error_code KRB5_LIB_FUNCTION
970 krb5_cc_cache_next (krb5_context context,
971 krb5_cc_cache_cursor cursor,
974 return cursor->ops->get_cache_next(context, cursor->cursor, id);
978 * Destroy the cursor `cursor'.
980 * @return Return 0 or an error code.
982 * @ingroup krb5_ccache
986 krb5_error_code KRB5_LIB_FUNCTION
987 krb5_cc_cache_end_seq_get (krb5_context context,
988 krb5_cc_cache_cursor cursor)
991 ret = cursor->ops->end_cache_get(context, cursor->cursor);
998 * Search for a matching credential cache of type `type' that have the
999 * `principal' as the default principal. If NULL is used for `type',
1000 * the default type is used. On success, `id' needs to be freed with
1001 * krb5_cc_close or krb5_cc_destroy.
1003 * @return On failure, error code is returned and `id' is set to NULL.
1005 * @ingroup krb5_ccache
1009 krb5_error_code KRB5_LIB_FUNCTION
1010 krb5_cc_cache_match (krb5_context context,
1011 krb5_principal client,
1015 krb5_cc_cache_cursor cursor;
1016 krb5_error_code ret;
1017 krb5_ccache cache = NULL;
1021 ret = krb5_cc_cache_get_first (context, type, &cursor);
1025 while ((ret = krb5_cc_cache_next (context, cursor, &cache)) == 0) {
1026 krb5_principal principal;
1028 ret = krb5_cc_get_principal(context, cache, &principal);
1032 match = krb5_principal_compare(context, principal, client);
1033 krb5_free_principal(context, principal);
1038 krb5_cc_close(context, cache);
1042 krb5_cc_cache_end_seq_get(context, cursor);
1044 if (cache == NULL) {
1047 krb5_unparse_name(context, client, &str);
1049 krb5_set_error_string(context, "Principal %s not found in a "
1050 "credential cache", str ? str : "<out of memory>");
1053 return KRB5_CC_NOTFOUND;
1061 * Move the content from one credential cache to another. The
1062 * operation is an atomic switch.
1064 * @param context a Keberos context
1065 * @param from the credential cache to move the content from
1066 * @param to the credential cache to move the content to
1068 * @return On sucess, from is freed. On failure, error code is
1069 * returned and from and to are both still allocated.
1071 * @ingroup krb5_ccache
1075 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1077 krb5_error_code ret;
1079 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1080 krb5_set_error_string(context, "Moving credentials between diffrent "
1081 "types not yet supported");
1082 return KRB5_CC_NOSUPP;
1085 ret = (*to->ops->move)(context, from, to);
1087 memset(from, 0, sizeof(*from));
git.samba.org / metze / heimdal / wip.git / blob