2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
39 * @page krb5_ccache_intro The credential cache functions
40 * @section section_krb5_ccache Kerberos credential caches
42 * krb5_ccache structure holds a Kerberos credential cache.
44 * Heimdal support the follow types of credential caches:
47 * Store the credential in a database
49 * Store the credential in memory
51 * Store the credential in memory
53 * A credential cache server based solution for Mac OS X
55 * A credential cache server based solution for all platforms
59 * This is a minimalistic version of klist:
64 main (int argc, char **argv)
67 krb5_cc_cursor cursor;
72 if (krb5_init_context (&context) != 0)
73 errx(1, "krb5_context");
75 ret = krb5_cc_default (context, &id);
77 krb5_err(context, 1, ret, "krb5_cc_default");
79 ret = krb5_cc_start_seq_get(context, id, &cursor);
81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
83 while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
86 krb5_unparse_name_short(context, creds.server, &principal);
87 printf("principal: %s\\n", principal);
89 krb5_free_cred_contents (context, &creds);
91 ret = krb5_cc_end_seq_get(context, id, &cursor);
93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
95 krb5_cc_close(context, id);
97 krb5_free_context(context);
104 * Add a new ccache type with operations `ops', overwriting any
105 * existing one if `override'.
107 * @param context a Keberos context
108 * @param ops type of plugin symbol
109 * @param override flag to select if the registration is to overide
110 * an existing ops with the same name.
112 * @return Return an error code or 0, see krb5_get_error_message().
114 * @ingroup krb5_ccache
117 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
118 krb5_cc_register(krb5_context context,
119 const krb5_cc_ops *ops,
120 krb5_boolean override)
124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
127 krb5_set_error_message(context,
129 N_("cache type %s already exists", "type"),
131 return KRB5_CC_TYPE_EXISTS;
136 if(i == context->num_cc_ops) {
137 const krb5_cc_ops **o = realloc(context->cc_ops,
138 (context->num_cc_ops + 1) *
139 sizeof(context->cc_ops[0]));
141 krb5_set_error_message(context, KRB5_CC_NOMEM,
142 N_("malloc: out of memory", ""));
143 return KRB5_CC_NOMEM;
146 context->cc_ops[context->num_cc_ops] = NULL;
147 context->num_cc_ops++;
149 context->cc_ops[i] = ops;
154 * Allocate the memory for a `id' and the that function table to
155 * `ops'. Returns 0 or and error code.
159 _krb5_cc_allocate(krb5_context context,
160 const krb5_cc_ops *ops,
165 p = malloc (sizeof(*p));
167 krb5_set_error_message(context, KRB5_CC_NOMEM,
168 N_("malloc: out of memory", ""));
169 return KRB5_CC_NOMEM;
178 * Allocate memory for a new ccache in `id' with operations `ops'
179 * and name `residual'. Return 0 or an error code.
182 static krb5_error_code
183 allocate_ccache (krb5_context context,
184 const krb5_cc_ops *ops,
185 const char *residual,
189 #ifdef KRB5_USE_PATH_TOKENS
190 char * exp_residual = NULL;
192 ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
196 residual = exp_residual;
199 ret = _krb5_cc_allocate(context, ops, id);
201 #ifdef KRB5_USE_PATH_TOKENS
208 ret = (*id)->ops->resolve(context, id, residual);
212 #ifdef KRB5_USE_PATH_TOKENS
221 is_possible_path_name(const char * name)
225 if ((colon = strchr(name, ':')) == NULL)
229 /* <drive letter>:\path\to\cache ? */
231 if (colon == name + 1 &&
232 strchr(colon + 1, ':') == NULL)
240 * Find and allocate a ccache in `id' from the specification in `residual'.
241 * If the ccache name doesn't contain any colon, interpret it as a file name.
243 * @param context a Keberos context.
244 * @param name string name of a credential cache.
245 * @param id return pointer to a found credential cache.
247 * @return Return 0 or an error code. In case of an error, id is set
248 * to NULL, see krb5_get_error_message().
250 * @ingroup krb5_ccache
254 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
255 krb5_cc_resolve(krb5_context context,
263 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
264 size_t prefix_len = strlen(context->cc_ops[i]->prefix);
266 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
267 && name[prefix_len] == ':') {
268 return allocate_ccache (context, context->cc_ops[i],
269 name + prefix_len + 1,
273 if (is_possible_path_name(name))
274 return allocate_ccache (context, &krb5_fcc_ops, name, id);
276 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
277 N_("unknown ccache type %s", "name"), name);
278 return KRB5_CC_UNKNOWN_TYPE;
283 * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
284 * the library chooses the default credential cache type. The supplied
285 * `hint' (that can be NULL) is a string that the credential cache
286 * type can use to base the name of the credential on, this is to make
287 * it easier for the user to differentiate the credentials.
289 * @return Return an error code or 0, see krb5_get_error_message().
291 * @ingroup krb5_ccache
294 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
295 krb5_cc_new_unique(krb5_context context, const char *type,
296 const char *hint, krb5_ccache *id)
298 const krb5_cc_ops *ops;
301 ops = krb5_cc_get_prefix_ops(context, type);
303 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
304 "Credential cache type %s is unknown", type);
305 return KRB5_CC_UNKNOWN_TYPE;
308 ret = _krb5_cc_allocate(context, ops, id);
311 ret = (*id)->ops->gen_new(context, id);
320 * Return the name of the ccache `id'
322 * @ingroup krb5_ccache
326 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
327 krb5_cc_get_name(krb5_context context,
330 return id->ops->get_name(context, id);
334 * Return the type of the ccache `id'.
336 * @ingroup krb5_ccache
340 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
341 krb5_cc_get_type(krb5_context context,
344 return id->ops->prefix;
348 * Return the complete resolvable name the cache
350 * @param context a Keberos context
351 * @param id return pointer to a found credential cache
352 * @param str the returned name of a credential cache, free with krb5_xfree()
354 * @return Returns 0 or an error (and then *str is set to NULL).
356 * @ingroup krb5_ccache
360 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
361 krb5_cc_get_full_name(krb5_context context,
365 const char *type, *name;
369 type = krb5_cc_get_type(context, id);
371 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
372 "cache have no name of type");
373 return KRB5_CC_UNKNOWN_TYPE;
376 name = krb5_cc_get_name(context, id);
378 krb5_set_error_message(context, KRB5_CC_BADNAME,
379 "cache of type %s have no name", type);
380 return KRB5_CC_BADNAME;
383 if (asprintf(str, "%s:%s", type, name) == -1) {
384 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
392 * Return krb5_cc_ops of a the ccache `id'.
394 * @ingroup krb5_ccache
399 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
405 * Expand variables in `str' into `res'
409 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
411 return _krb5_expand_path_tokens(context, str, res);
415 * Return non-zero if envirnoment that will determine default krb5cc
420 environment_changed(krb5_context context)
424 /* if the cc name was set, don't change it */
425 if (context->default_cc_name_set)
428 /* XXX performance: always ask KCM/API if default name has changed */
429 if (context->default_cc_name &&
430 (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
431 strncmp(context->default_cc_name, "API:", 4) == 0))
437 e = getenv("KRB5CCNAME");
439 if (context->default_cc_name_env) {
440 free(context->default_cc_name_env);
441 context->default_cc_name_env = NULL;
445 if (context->default_cc_name_env == NULL)
447 if (strcmp(e, context->default_cc_name_env) != 0)
454 * Switch the default default credential cache for a specific
455 * credcache type (and name for some implementations).
457 * @return Return an error code or 0, see krb5_get_error_message().
459 * @ingroup krb5_ccache
462 krb5_error_code KRB5_LIB_FUNCTION
463 krb5_cc_switch(krb5_context context, krb5_ccache id)
466 if (id->ops->set_default == NULL)
469 return (*id->ops->set_default)(context, id);
473 * Return true if the default credential cache support switch
475 * @ingroup krb5_ccache
478 krb5_boolean KRB5_LIB_FUNCTION
479 krb5_cc_support_switch(krb5_context context, const char *type)
481 const krb5_cc_ops *ops;
483 ops = krb5_cc_get_prefix_ops(context, type);
484 if (ops && ops->set_default)
490 * Set the default cc name for `context' to `name'.
492 * @ingroup krb5_ccache
495 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
496 krb5_cc_set_default_name(krb5_context context, const char *name)
498 krb5_error_code ret = 0;
499 char *p = NULL, *exp_p = NULL;
502 const char *e = NULL;
505 e = getenv("KRB5CCNAME");
508 if (context->default_cc_name_env)
509 free(context->default_cc_name_env);
510 context->default_cc_name_env = strdup(e);
514 e = krb5_config_get_string(context, NULL, "libdefaults",
515 "default_cc_name", NULL);
517 ret = _krb5_expand_default_cc_name(context, e, &p);
522 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
523 e = krb5_config_get_string(context, NULL, "libdefaults",
524 "default_cc_type", NULL);
526 ops = krb5_cc_get_prefix_ops(context, e);
528 krb5_set_error_message(context,
529 KRB5_CC_UNKNOWN_TYPE,
530 "Credential cache type %s "
532 return KRB5_CC_UNKNOWN_TYPE;
535 ret = (*ops->get_default_name)(context, &p);
540 context->default_cc_name_set = 0;
543 context->default_cc_name_set = 1;
547 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
551 ret = _krb5_expand_path_tokens(context, p, &exp_p);
556 if (context->default_cc_name)
557 free(context->default_cc_name);
559 context->default_cc_name = exp_p;
565 * Return a pointer to a context static string containing the default
568 * @return String to the default credential cache name.
570 * @ingroup krb5_ccache
574 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
575 krb5_cc_default_name(krb5_context context)
577 if (context->default_cc_name == NULL || environment_changed(context))
578 krb5_cc_set_default_name(context, NULL);
580 return context->default_cc_name;
584 * Open the default ccache in `id'.
586 * @return Return an error code or 0, see krb5_get_error_message().
588 * @ingroup krb5_ccache
592 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
593 krb5_cc_default(krb5_context context,
596 const char *p = krb5_cc_default_name(context);
599 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
602 return krb5_cc_resolve(context, p, id);
606 * Create a new ccache in `id' for `primary_principal'.
608 * @return Return an error code or 0, see krb5_get_error_message().
610 * @ingroup krb5_ccache
614 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
615 krb5_cc_initialize(krb5_context context,
617 krb5_principal primary_principal)
619 return (*id->ops->init)(context, id, primary_principal);
624 * Remove the ccache `id'.
626 * @return Return an error code or 0, see krb5_get_error_message().
628 * @ingroup krb5_ccache
632 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
633 krb5_cc_destroy(krb5_context context,
638 ret = (*id->ops->destroy)(context, id);
639 krb5_cc_close (context, id);
644 * Stop using the ccache `id' and free the related resources.
646 * @return Return an error code or 0, see krb5_get_error_message().
648 * @ingroup krb5_ccache
652 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
653 krb5_cc_close(krb5_context context,
657 ret = (*id->ops->close)(context, id);
663 * Store `creds' in the ccache `id'.
665 * @return Return an error code or 0, see krb5_get_error_message().
667 * @ingroup krb5_ccache
671 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
672 krb5_cc_store_cred(krb5_context context,
676 return (*id->ops->store)(context, id, creds);
680 * Retrieve the credential identified by `mcreds' (and `whichfields')
681 * from `id' in `creds'. 'creds' must be free by the caller using
682 * krb5_free_cred_contents.
684 * @param context A Kerberos 5 context
685 * @param id a Kerberos 5 credential cache
686 * @param whichfields what fields to use for matching credentials, same
687 * flags as whichfields in krb5_compare_creds()
688 * @param mcreds template credential to use for comparing
689 * @param creds returned credential, free with krb5_free_cred_contents()
691 * @return Return an error code or 0, see krb5_get_error_message().
693 * @ingroup krb5_ccache
697 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
698 krb5_cc_retrieve_cred(krb5_context context,
700 krb5_flags whichfields,
701 const krb5_creds *mcreds,
705 krb5_cc_cursor cursor;
707 if (id->ops->retrieve != NULL) {
708 return (*id->ops->retrieve)(context, id, whichfields,
712 ret = krb5_cc_start_seq_get(context, id, &cursor);
715 while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
716 if(krb5_compare_creds(context, whichfields, mcreds, creds)){
720 krb5_free_cred_contents (context, creds);
722 krb5_cc_end_seq_get(context, id, &cursor);
727 * Return the principal of `id' in `principal'.
729 * @return Return an error code or 0, see krb5_get_error_message().
731 * @ingroup krb5_ccache
735 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
736 krb5_cc_get_principal(krb5_context context,
738 krb5_principal *principal)
740 return (*id->ops->get_princ)(context, id, principal);
744 * Start iterating over `id', `cursor' is initialized to the
745 * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
747 * @return Return an error code or 0, see krb5_get_error_message().
749 * @ingroup krb5_ccache
753 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
754 krb5_cc_start_seq_get (krb5_context context,
755 const krb5_ccache id,
756 krb5_cc_cursor *cursor)
758 return (*id->ops->get_first)(context, id, cursor);
762 * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
763 * and advance `cursor'.
765 * @return Return an error code or 0, see krb5_get_error_message().
767 * @ingroup krb5_ccache
771 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
772 krb5_cc_next_cred (krb5_context context,
773 const krb5_ccache id,
774 krb5_cc_cursor *cursor,
777 return (*id->ops->get_next)(context, id, cursor, creds);
781 * Destroy the cursor `cursor'.
783 * @ingroup krb5_ccache
787 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
788 krb5_cc_end_seq_get (krb5_context context,
789 const krb5_ccache id,
790 krb5_cc_cursor *cursor)
792 return (*id->ops->end_get)(context, id, cursor);
796 * Remove the credential identified by `cred', `which' from `id'.
798 * @ingroup krb5_ccache
802 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
803 krb5_cc_remove_cred(krb5_context context,
808 if(id->ops->remove_cred == NULL) {
809 krb5_set_error_message(context,
811 "ccache %s does not support remove_cred",
813 return EACCES; /* XXX */
815 return (*id->ops->remove_cred)(context, id, which, cred);
819 * Set the flags of `id' to `flags'.
821 * @ingroup krb5_ccache
825 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
826 krb5_cc_set_flags(krb5_context context,
830 return (*id->ops->set_flags)(context, id, flags);
834 * Get the flags of `id', store them in `flags'.
836 * @ingroup krb5_ccache
839 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
840 krb5_cc_get_flags(krb5_context context,
849 * Copy the contents of `from' to `to' if the given match function
852 * @param context A Kerberos 5 context.
853 * @param from the cache to copy data from.
854 * @param to the cache to copy data to.
855 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
856 * @param matchctx context passed to match function.
857 * @param matched set to true if there was a credential that matched, may be NULL.
859 * @return Return an error code or 0, see krb5_get_error_message().
861 * @ingroup krb5_ccache
864 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
865 krb5_cc_copy_match_f(krb5_context context,
866 const krb5_ccache from,
868 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
870 unsigned int *matched)
873 krb5_cc_cursor cursor;
875 krb5_principal princ;
880 ret = krb5_cc_get_principal(context, from, &princ);
883 ret = krb5_cc_initialize(context, to, princ);
885 krb5_free_principal(context, princ);
888 ret = krb5_cc_start_seq_get(context, from, &cursor);
890 krb5_free_principal(context, princ);
894 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
895 if (match == NULL || (*match)(context, matchctx, &cred) == 0) {
898 ret = krb5_cc_store_cred(context, to, &cred);
902 krb5_free_cred_contents(context, &cred);
904 krb5_cc_end_seq_get(context, from, &cursor);
905 krb5_free_principal(context, princ);
906 if (ret == KRB5_CC_END)
912 * Just like krb5_cc_copy_match_f(), but copy everything.
914 * @ingroup @krb5_ccache
917 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
918 krb5_cc_copy_cache(krb5_context context,
919 const krb5_ccache from,
922 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
926 * Return the version of `id'.
928 * @ingroup krb5_ccache
932 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
933 krb5_cc_get_version(krb5_context context,
934 const krb5_ccache id)
936 if(id->ops->get_version)
937 return (*id->ops->get_version)(context, id);
943 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
945 * @ingroup krb5_ccache
949 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
950 krb5_cc_clear_mcred(krb5_creds *mcred)
952 memset(mcred, 0, sizeof(*mcred));
956 * Get the cc ops that is registered in `context' to handle the
957 * prefix. prefix can be a complete credential cache name or a
958 * prefix, the function will only use part up to the first colon (:)
959 * if there is one. If prefix the argument is NULL, the default ccache
960 * implemtation is returned.
962 * @return Returns NULL if ops not found.
964 * @ingroup krb5_ccache
969 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
975 return KRB5_DEFAULT_CCTYPE;
976 if (prefix[0] == '/')
977 return &krb5_fcc_ops;
981 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
988 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
989 if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
991 return context->cc_ops[i];
998 struct krb5_cc_cache_cursor_data {
999 const krb5_cc_ops *ops;
1000 krb5_cc_cursor cursor;
1004 * Start iterating over all caches of specified type. See also
1005 * krb5_cccol_cursor_new().
1007 * @param context A Kerberos 5 context
1008 * @param type optional type to iterate over, if NULL, the default cache is used.
1009 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1011 * @return Return an error code or 0, see krb5_get_error_message().
1013 * @ingroup krb5_ccache
1017 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1018 krb5_cc_cache_get_first (krb5_context context,
1020 krb5_cc_cache_cursor *cursor)
1022 const krb5_cc_ops *ops;
1023 krb5_error_code ret;
1026 type = krb5_cc_default_name(context);
1028 ops = krb5_cc_get_prefix_ops(context, type);
1030 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1031 "Unknown type \"%s\" when iterating "
1032 "trying to iterate the credential caches", type);
1033 return KRB5_CC_UNKNOWN_TYPE;
1036 if (ops->get_cache_first == NULL) {
1037 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1038 N_("Credential cache type %s doesn't support "
1039 "iterations over caches", "type"),
1041 return KRB5_CC_NOSUPP;
1044 *cursor = calloc(1, sizeof(**cursor));
1045 if (*cursor == NULL) {
1046 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1050 (*cursor)->ops = ops;
1052 ret = ops->get_cache_first(context, &(*cursor)->cursor);
1061 * Retrieve the next cache pointed to by (`cursor') in `id'
1062 * and advance `cursor'.
1064 * @param context A Kerberos 5 context
1065 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1066 * @param id next ccache
1068 * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1069 * of caches is reached, see krb5_get_error_message().
1071 * @ingroup krb5_ccache
1075 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1076 krb5_cc_cache_next (krb5_context context,
1077 krb5_cc_cache_cursor cursor,
1080 return cursor->ops->get_cache_next(context, cursor->cursor, id);
1084 * Destroy the cursor `cursor'.
1086 * @return Return an error code or 0, see krb5_get_error_message().
1088 * @ingroup krb5_ccache
1092 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1093 krb5_cc_cache_end_seq_get (krb5_context context,
1094 krb5_cc_cache_cursor cursor)
1096 krb5_error_code ret;
1097 ret = cursor->ops->end_cache_get(context, cursor->cursor);
1104 * Search for a matching credential cache that have the
1105 * `principal' as the default principal. On success, `id' needs to be
1106 * freed with krb5_cc_close() or krb5_cc_destroy().
1108 * @param context A Kerberos 5 context
1109 * @param client The principal to search for
1110 * @param id the returned credential cache
1112 * @return On failure, error code is returned and `id' is set to NULL.
1114 * @ingroup krb5_ccache
1118 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1119 krb5_cc_cache_match (krb5_context context,
1120 krb5_principal client,
1123 krb5_cccol_cursor cursor;
1124 krb5_error_code ret;
1125 krb5_ccache cache = NULL;
1129 ret = krb5_cccol_cursor_new (context, &cursor);
1133 while (krb5_cccol_cursor_next (context, cursor, &cache) == 0 && cache != NULL) {
1134 krb5_principal principal;
1136 ret = krb5_cc_get_principal(context, cache, &principal);
1140 match = krb5_principal_compare(context, principal, client);
1141 krb5_free_principal(context, principal);
1146 krb5_cc_close(context, cache);
1150 krb5_cccol_cursor_free(context, &cursor);
1152 if (cache == NULL) {
1155 krb5_unparse_name(context, client, &str);
1157 krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1158 N_("Principal %s not found in any "
1159 "credential cache", ""),
1160 str ? str : "<out of memory>");
1163 return KRB5_CC_NOTFOUND;
1171 * Move the content from one credential cache to another. The
1172 * operation is an atomic switch.
1174 * @param context a Keberos context
1175 * @param from the credential cache to move the content from
1176 * @param to the credential cache to move the content to
1178 * @return On sucess, from is freed. On failure, error code is
1179 * returned and from and to are both still allocated, see krb5_get_error_message().
1181 * @ingroup krb5_ccache
1185 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1187 krb5_error_code ret;
1189 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1190 krb5_set_error_message(context, KRB5_CC_NOSUPP,
1191 N_("Moving credentials between diffrent "
1192 "types not yet supported", ""));
1193 return KRB5_CC_NOSUPP;
1196 ret = (*to->ops->move)(context, from, to);
1198 memset(from, 0, sizeof(*from));
1204 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1205 #define KRB5_REALM_NAME "X-CACHECONF:"
1207 static krb5_error_code
1208 build_conf_principals(krb5_context context, krb5_ccache id,
1209 krb5_const_principal principal,
1210 const char *name, krb5_creds *cred)
1212 krb5_principal client;
1213 krb5_error_code ret;
1216 memset(cred, 0, sizeof(*cred));
1218 ret = krb5_cc_get_principal(context, id, &client);
1223 ret = krb5_unparse_name(context, principal, &pname);
1228 ret = krb5_make_principal(context, &cred->server,
1230 KRB5_CONF_NAME, name, pname, NULL);
1233 krb5_free_principal(context, client);
1236 ret = krb5_copy_principal(context, client, &cred->client);
1237 krb5_free_principal(context, client);
1242 * Return TRUE (non zero) if the principal is a configuration
1243 * principal (generated part of krb5_cc_set_config()). Returns FALSE
1244 * (zero) if not a configuration principal.
1246 * @param context a Keberos context
1247 * @param principal principal to check if it a configuration principal
1249 * @ingroup krb5_ccache
1252 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1253 krb5_is_config_principal(krb5_context context,
1254 krb5_const_principal principal)
1256 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1259 if (principal->name.name_string.len == 0 ||
1260 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1267 * Store some configuration for the credential cache in the cache.
1268 * Existing configuration under the same name is over-written.
1270 * @param context a Keberos context
1271 * @param id the credential cache to store the data for
1272 * @param principal configuration for a specific principal, if
1273 * NULL, global for the whole cache.
1274 * @param name name under which the configuraion is stored.
1275 * @param data data to store, if NULL, configure is removed.
1277 * @ingroup krb5_ccache
1280 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1281 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1282 krb5_const_principal principal,
1283 const char *name, krb5_data *data)
1285 krb5_error_code ret;
1288 ret = build_conf_principals(context, id, principal, name, &cred);
1292 /* Remove old configuration */
1293 ret = krb5_cc_remove_cred(context, id, 0, &cred);
1294 if (ret && ret != KRB5_CC_NOTFOUND)
1298 /* not that anyone care when this expire */
1299 cred.times.authtime = time(NULL);
1300 cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1302 ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1306 ret = krb5_cc_store_cred(context, id, &cred);
1310 krb5_free_cred_contents (context, &cred);
1315 * Get some configuration for the credential cache in the cache.
1317 * @param context a Keberos context
1318 * @param id the credential cache to store the data for
1319 * @param principal configuration for a specific principal, if
1320 * NULL, global for the whole cache.
1321 * @param name name under which the configuraion is stored.
1322 * @param data data to fetched, free with krb5_data_free()
1324 * @ingroup krb5_ccache
1328 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1329 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1330 krb5_const_principal principal,
1331 const char *name, krb5_data *data)
1333 krb5_creds mcred, cred;
1334 krb5_error_code ret;
1336 memset(&cred, 0, sizeof(cred));
1337 krb5_data_zero(data);
1339 ret = build_conf_principals(context, id, principal, name, &mcred);
1343 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1347 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1350 krb5_free_cred_contents (context, &cred);
1351 krb5_free_cred_contents (context, &mcred);
1359 struct krb5_cccol_cursor_data {
1361 krb5_cc_cache_cursor cursor;
1365 * Get a new cache interation cursor that will interate over all
1366 * credentials caches independent of type.
1368 * @param context a Keberos context
1369 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1371 * @return Returns 0 or and error code, see krb5_get_error_message().
1373 * @ingroup krb5_ccache
1376 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1377 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1379 *cursor = calloc(1, sizeof(**cursor));
1380 if (*cursor == NULL) {
1381 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1385 (*cursor)->cursor = NULL;
1391 * Get next credential cache from the iteration.
1393 * @param context A Kerberos 5 context
1394 * @param cursor the iteration cursor
1395 * @param cache the returned cursor, pointer is set to NULL on failure
1396 * and a cache on success. The returned cache needs to be freed
1397 * with krb5_cc_close() or destroyed with krb5_cc_destroy().
1398 * MIT Kerberos behavies slightly diffrent and sets cache to NULL
1399 * when all caches are iterated over and return 0.
1401 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1402 * of iteration. See krb5_get_error_message().
1404 * @ingroup krb5_ccache
1408 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1409 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1412 krb5_error_code ret;
1416 while (cursor->idx < context->num_cc_ops) {
1418 if (cursor->cursor == NULL) {
1419 ret = krb5_cc_cache_get_first (context,
1420 context->cc_ops[cursor->idx]->prefix,
1427 ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1431 krb5_cc_cache_end_seq_get(context, cursor->cursor);
1432 cursor->cursor = NULL;
1433 if (ret != KRB5_CC_END)
1438 if (cursor->idx >= context->num_cc_ops) {
1439 krb5_set_error_message(context, KRB5_CC_END,
1440 N_("Reached end of credential caches", ""));
1448 * End an iteration and free all resources, can be done before end is reached.
1450 * @param context A Kerberos 5 context
1451 * @param cursor the iteration cursor to be freed.
1453 * @return Return 0 or and error, KRB5_CC_END is returned at the end
1454 * of iteration. See krb5_get_error_message().
1456 * @ingroup krb5_ccache
1459 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1460 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1462 krb5_cccol_cursor c = *cursor;
1467 krb5_cc_cache_end_seq_get(context, c->cursor);
1474 * Return the last time the credential cache was modified.
1476 * @param context A Kerberos 5 context
1477 * @param id The credential cache to probe
1478 * @param mtime the last modification time, set to 0 on error.
1480 * @return Return 0 or and error. See krb5_get_error_message().
1482 * @ingroup krb5_ccache
1486 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1487 krb5_cc_last_change_time(krb5_context context,
1489 krb5_timestamp *mtime)
1492 return (*id->ops->lastchange)(context, id, mtime);
1496 * Return the last modfication time for a cache collection. The query
1497 * can be limited to a specific cache type. If the function return 0
1498 * and mtime is 0, there was no credentials in the caches.
1500 * @param context A Kerberos 5 context
1501 * @param type The credential cache to probe, if NULL, all type are traversed.
1502 * @param mtime the last modification time, set to 0 on error.
1504 * @return Return 0 or and error. See krb5_get_error_message().
1506 * @ingroup krb5_ccache
1509 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1510 krb5_cccol_last_change_time(krb5_context context,
1512 krb5_timestamp *mtime)
1514 krb5_cccol_cursor cursor;
1515 krb5_error_code ret;
1517 krb5_timestamp t = 0;
1521 ret = krb5_cccol_cursor_new (context, &cursor);
1525 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1527 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1530 ret = krb5_cc_last_change_time(context, id, &t);
1531 krb5_cc_close(context, id);
1538 krb5_cccol_cursor_free(context, &cursor);
1543 * Return a friendly name on credential cache. Free the result with krb5_xfree().
1545 * @return Return an error code or 0, see krb5_get_error_message().
1547 * @ingroup krb5_ccache
1550 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1551 krb5_cc_get_friendly_name(krb5_context context,
1555 krb5_error_code ret;
1558 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1560 krb5_principal principal;
1561 ret = krb5_cc_get_principal(context, id, &principal);
1564 ret = krb5_unparse_name(context, principal, name);
1565 krb5_free_principal(context, principal);
1567 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1568 krb5_data_free(&data);
1571 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1580 * Set the friendly name on credential cache.
1582 * @return Return an error code or 0, see krb5_get_error_message().
1584 * @ingroup krb5_ccache
1587 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1588 krb5_cc_set_friendly_name(krb5_context context,
1594 data.data = rk_UNCONST(name);
1595 data.length = strlen(name);
1597 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1601 * Get the lifetime of the initial ticket in the cache
1603 * Get the lifetime of the initial ticket in the cache, if the initial
1604 * ticket was not found, the error code KRB5_CC_END is returned.
1606 * @param context A Kerberos 5 context.
1607 * @param id a credential cache
1608 * @param t the relative lifetime of the initial ticket
1610 * @return Return an error code or 0, see krb5_get_error_message().
1612 * @ingroup krb5_ccache
1615 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1616 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1618 krb5_cc_cursor cursor;
1619 krb5_error_code ret;
1626 ret = krb5_cc_start_seq_get(context, id, &cursor);
1630 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1631 if (cred.flags.b.initial) {
1632 if (now < cred.times.endtime)
1633 *t = cred.times.endtime - now;
1634 krb5_free_cred_contents(context, &cred);
1637 krb5_free_cred_contents(context, &cred);
1640 krb5_cc_end_seq_get(context, id, &cursor);
1646 * Set the time offset betwen the client and the KDC
1648 * If the backend doesn't support KDC offset, use the context global setting.
1650 * @param context A Kerberos 5 context.
1651 * @param id a credential cache
1652 * @param offset the offset in seconds
1654 * @return Return an error code or 0, see krb5_get_error_message().
1656 * @ingroup krb5_ccache
1660 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1662 if (id->ops->set_kdc_offset == NULL) {
1663 context->kdc_sec_offset = offset;
1664 context->kdc_usec_offset = 0;
1667 return (*id->ops->set_kdc_offset)(context, id, offset);
1671 * Get the time offset betwen the client and the KDC
1673 * If the backend doesn't support KDC offset, use the context global setting.
1675 * @param context A Kerberos 5 context.
1676 * @param id a credential cache
1677 * @param offset the offset in seconds
1679 * @return Return an error code or 0, see krb5_get_error_message().
1681 * @ingroup krb5_ccache
1685 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1687 if (id->ops->get_kdc_offset == NULL) {
1688 *offset = context->kdc_sec_offset;
1691 return (*id->ops->get_kdc_offset)(context, id, offset);