1/* 2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 - 2011 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "krb5_locl.h" 37 38/** 39 * @page krb5_ccache_intro The credential cache functions 40 * @section section_krb5_ccache Kerberos credential caches 41 * 42 * krb5_ccache structure holds a Kerberos credential cache. 43 * 44 * Heimdal support the follow types of credential caches: 45 * 46 * - SCC 47 * Store the credential in a database 48 * - FILE 49 * Store the credential in memory 50 * - MEMORY 51 * Store the credential in memory 52 * - API 53 * A credential cache server based solution for Mac OS X 54 * - KCM 55 * A credential cache server based solution for all platforms 56 * 57 * @subsection Example 58 * 59 * This is a minimalistic version of klist: 60@code 61#include <krb5.h> 62 63int 64main (int argc, char **argv) 65{ 66 krb5_context context; 67 krb5_cc_cursor cursor; 68 krb5_error_code ret; 69 krb5_ccache id; 70 krb5_creds creds; 71 72 if (krb5_init_context (&context) != 0) 73 errx(1, "krb5_context"); 74 75 ret = krb5_cc_default (context, &id); 76 if (ret) 77 krb5_err(context, 1, ret, "krb5_cc_default"); 78 79 ret = krb5_cc_start_seq_get(context, id, &cursor); 80 if (ret) 81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get"); 82 83 while ((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){ 84 char *principal; 85 86 krb5_unparse_name(context, creds.server, &principal); 87 printf("principal: %s\\n", principal); 88 free(principal); 89 krb5_free_cred_contents (context, &creds); 90 } 91 ret = krb5_cc_end_seq_get(context, id, &cursor); 92 if (ret) 93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get"); 94 95 krb5_cc_close(context, id); 96 97 krb5_free_context(context); 98 return 0; 99} 100* @endcode 101*/ 102 103/** 104 * Add a new ccache type with operations `ops', overwriting any 105 * existing one if `override'. 106 * 107 * @param context a Keberos context 108 * @param ops type of plugin symbol 109 * @param override flag to select if the registration is to overide 110 * an existing ops with the same name. 111 * 112 * @return Return an error code or 0, see krb5_get_error_message(). 113 * 114 * @ingroup krb5_ccache 115 */ 116 117KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 118krb5_cc_register(krb5_context context, 119 const krb5_cc_ops *ops, 120 krb5_boolean override) 121{ 122 int i; 123 124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) { 125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) { 126 if(!override) { 127 krb5_set_error_message(context, 128 KRB5_CC_TYPE_EXISTS, 129 N_("cache type %s already exists", "type"), 130 ops->prefix); 131 return KRB5_CC_TYPE_EXISTS; 132 } 133 break; 134 } 135 } 136 if(i == context->num_cc_ops) { 137 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops), 138 (context->num_cc_ops + 1) * 139 sizeof(context->cc_ops[0])); 140 if(o == NULL) { 141 krb5_set_error_message(context, KRB5_CC_NOMEM, 142 N_("malloc: out of memory", "")); 143 return KRB5_CC_NOMEM; 144 } 145 context->cc_ops = o; 146 context->cc_ops[context->num_cc_ops] = NULL; 147 context->num_cc_ops++; 148 } 149 context->cc_ops[i] = ops; 150 return 0; 151} 152 153/* 154 * Allocate the memory for a `id' and the that function table to 155 * `ops'. Returns 0 or and error code. 156 */ 157 158krb5_error_code 159_krb5_cc_allocate(krb5_context context, 160 const krb5_cc_ops *ops, 161 krb5_ccache *id) 162{ 163 krb5_ccache p; 164 165 p = malloc (sizeof(*p)); 166 if(p == NULL) { 167 krb5_set_error_message(context, KRB5_CC_NOMEM, 168 N_("malloc: out of memory", "")); 169 return KRB5_CC_NOMEM; 170 } 171 p->ops = ops; 172 *id = p; 173 174 return 0; 175} 176 177/* 178 * Allocate memory for a new ccache in `id' with operations `ops' 179 * and name `residual'. Return 0 or an error code. 180 */ 181 182static krb5_error_code 183allocate_ccache (krb5_context context, 184 const krb5_cc_ops *ops, 185 const char *residual, 186 krb5_ccache *id) 187{ 188 krb5_error_code ret; 189#ifdef KRB5_USE_PATH_TOKENS 190 char * exp_residual = NULL; 191 192 ret = _krb5_expand_path_tokens(context, residual, &exp_residual); 193 if (ret) 194 return ret; 195 196 residual = exp_residual; 197#endif 198 199 ret = _krb5_cc_allocate(context, ops, id); 200 if (ret) { 201#ifdef KRB5_USE_PATH_TOKENS 202 if (exp_residual) 203 free(exp_residual); 204#endif 205 return ret; 206 } 207 208 ret = (*id)->ops->resolve(context, id, residual); 209 if(ret) { 210 free(*id); 211 *id = NULL; 212 } 213 214#ifdef KRB5_USE_PATH_TOKENS 215 if (exp_residual) 216 free(exp_residual); 217#endif 218 219 return ret; 220} 221 222static int 223is_possible_path_name(const char * name) 224{ 225 const char * colon; 226 227 if ((colon = strchr(name, ':')) == NULL) 228 return TRUE; 229 230#ifdef _WIN32 231 /* <drive letter>:\path\to\cache ? */ 232 233 if (colon == name + 1 && 234 strchr(colon + 1, ':') == NULL) 235 return TRUE; 236#endif 237 238 return FALSE; 239} 240 241/** 242 * Find and allocate a ccache in `id' from the specification in `residual'. 243 * If the ccache name doesn't contain any colon, interpret it as a file name. 244 * 245 * @param context a Keberos context. 246 * @param name string name of a credential cache. 247 * @param id return pointer to a found credential cache. 248 * 249 * @return Return 0 or an error code. In case of an error, id is set 250 * to NULL, see krb5_get_error_message(). 251 * 252 * @ingroup krb5_ccache 253 */ 254 255 256KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 257krb5_cc_resolve(krb5_context context, 258 const char *name, 259 krb5_ccache *id) 260{ 261 int i; 262 263 *id = NULL; 264 265 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) { 266 size_t prefix_len = strlen(context->cc_ops[i]->prefix); 267 268 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0 269 && name[prefix_len] == ':') { 270 return allocate_ccache (context, context->cc_ops[i], 271 name + prefix_len + 1, 272 id); 273 } 274 } 275 if (is_possible_path_name(name)) 276 return allocate_ccache (context, &krb5_fcc_ops, name, id); 277 else { 278 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 279 N_("unknown ccache type %s", "name"), name); 280 return KRB5_CC_UNKNOWN_TYPE; 281 } 282} 283 284/** 285 * Generates a new unique ccache of `type` in `id'. If `type' is NULL, 286 * the library chooses the default credential cache type. The supplied 287 * `hint' (that can be NULL) is a string that the credential cache 288 * type can use to base the name of the credential on, this is to make 289 * it easier for the user to differentiate the credentials. 290 * 291 * @return Return an error code or 0, see krb5_get_error_message(). 292 * 293 * @ingroup krb5_ccache 294 */ 295 296KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 297krb5_cc_new_unique(krb5_context context, const char *type, 298 const char *hint, krb5_ccache *id) 299{ 300 const krb5_cc_ops *ops; 301 krb5_error_code ret; 302 303 ops = krb5_cc_get_prefix_ops(context, type); 304 if (ops == NULL) { 305 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 306 "Credential cache type %s is unknown", type); 307 return KRB5_CC_UNKNOWN_TYPE; 308 } 309 310 ret = _krb5_cc_allocate(context, ops, id); 311 if (ret) 312 return ret; 313 ret = (*id)->ops->gen_new(context, id); 314 if (ret) { 315 free(*id); 316 *id = NULL; 317 } 318 return ret; 319} 320 321/** 322 * Return the name of the ccache `id' 323 * 324 * @ingroup krb5_ccache 325 */ 326 327 328KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL 329krb5_cc_get_name(krb5_context context, 330 krb5_ccache id) 331{ 332 return id->ops->get_name(context, id); 333} 334 335/** 336 * Return the type of the ccache `id'. 337 * 338 * @ingroup krb5_ccache 339 */ 340 341 342KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL 343krb5_cc_get_type(krb5_context context, 344 krb5_ccache id) 345{ 346 return id->ops->prefix; 347} 348 349/** 350 * Return the complete resolvable name the cache 351 352 * @param context a Keberos context 353 * @param id return pointer to a found credential cache 354 * @param str the returned name of a credential cache, free with krb5_xfree() 355 * 356 * @return Returns 0 or an error (and then *str is set to NULL). 357 * 358 * @ingroup krb5_ccache 359 */ 360 361 362KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 363krb5_cc_get_full_name(krb5_context context, 364 krb5_ccache id, 365 char **str) 366{ 367 const char *type, *name; 368 369 *str = NULL; 370 371 type = krb5_cc_get_type(context, id); 372 if (type == NULL) { 373 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 374 "cache have no name of type"); 375 return KRB5_CC_UNKNOWN_TYPE; 376 } 377 378 name = krb5_cc_get_name(context, id); 379 if (name == NULL) { 380 krb5_set_error_message(context, KRB5_CC_BADNAME, 381 "cache of type %s have no name", type); 382 return KRB5_CC_BADNAME; 383 } 384 385 if (asprintf(str, "%s:%s", type, name) == -1) { 386 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 387 *str = NULL; 388 return ENOMEM; 389 } 390 return 0; 391} 392 393/** 394 * Return krb5_cc_ops of a the ccache `id'. 395 * 396 * @ingroup krb5_ccache 397 */ 398 399 400KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL 401krb5_cc_get_ops(krb5_context context, krb5_ccache id) 402{ 403 return id->ops; 404} 405 406/* 407 * Expand variables in `str' into `res' 408 */ 409 410krb5_error_code 411_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res) 412{ 413 return _krb5_expand_path_tokens(context, str, res); 414} 415 416/* 417 * Return non-zero if envirnoment that will determine default krb5cc 418 * name has changed. 419 */ 420 421static int 422environment_changed(krb5_context context) 423{ 424 const char *e; 425 426 /* if the cc name was set, don't change it */ 427 if (context->default_cc_name_set) 428 return 0; 429 430 /* XXX performance: always ask KCM/API if default name has changed */ 431 if (context->default_cc_name && 432 (strncmp(context->default_cc_name, "KCM:", 4) == 0 || 433 strncmp(context->default_cc_name, "API:", 4) == 0 || 434 strncmp(context->default_cc_name, "XCACHE:", 4) == 0 || 435 strncmp(context->default_cc_name, "KCC:", 4) == 0)) 436 return 1; 437 438 if(issuid()) 439 return 0; 440 441 e = getenv("KRB5CCNAME"); 442 if (e == NULL) { 443 if (context->default_cc_name_env) { 444 free(context->default_cc_name_env); 445 context->default_cc_name_env = NULL; 446 return 1; 447 } 448 } else { 449 if (context->default_cc_name_env == NULL) 450 return 1; 451 if (strcmp(e, context->default_cc_name_env) != 0) 452 return 1; 453 } 454 return 0; 455} 456 457/** 458 * Switch the default default credential cache for a specific 459 * credcache type (and name for some implementations). 460 * 461 * @return Return an error code or 0, see krb5_get_error_message(). 462 * 463 * @ingroup krb5_ccache 464 */ 465 466KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 467krb5_cc_switch(krb5_context context, krb5_ccache id) 468{ 469#ifdef _WIN32 470 _krb5_set_default_cc_name_to_registry(context, id); 471#endif 472 473 if (id->ops->set_default == NULL) 474 return 0; 475 476 return (*id->ops->set_default)(context, id); 477} 478 479/** 480 * Return true if the default credential cache support switch 481 * 482 * @ingroup krb5_ccache 483 */ 484 485KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 486krb5_cc_support_switch(krb5_context context, const char *type) 487{ 488 const krb5_cc_ops *ops; 489 490 ops = krb5_cc_get_prefix_ops(context, type); 491 if (ops && ops->set_default) 492 return 1; 493 return FALSE; 494} 495 496/** 497 * Set the default cc name for `context' to `name'. 498 * 499 * @param context a krb5 context 500 * @param name if set, will use this as the default name, if NULL, default name will be set 501 * 502 * @return Return an error code or 0, see krb5_get_error_message(). 503 * 504 * @ingroup krb5_ccache 505 */ 506 507KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 508krb5_cc_set_default_name(krb5_context context, const char *name) 509{ 510 krb5_error_code ret = 0; 511 char *p = NULL, *exp_p = NULL; 512 513 if (name == NULL) { 514 const char *e = NULL; 515 516 if(!issuid()) { 517 e = getenv("KRB5CCPRINCIPAL"); 518 if (e) { 519 krb5_principal client; 520 krb5_ccache id; 521 522 if (e[0] == '@') { 523 client = calloc(1, sizeof(*client)); 524 if (client == NULL) 525 return krb5_enomem(context); 526 client->realm = strdup(&e[1]); 527 if (client->realm == NULL) { 528 free(client); 529 return krb5_enomem(context); 530 } 531 } else { 532 ret = krb5_parse_name(context, e, &client); 533 if (ret) 534 return ret; 535 } 536 537 ret = krb5_cc_cache_match(context, client, &id); 538 if (ret == 0) { 539 krb5_cc_get_full_name(context, id, &p); 540 krb5_cc_close(context, id); 541 } 542 } 543 if (p == NULL) { 544 e = getenv("KRB5CCNAME"); 545 if (e) 546 p = strdup(e); 547 } 548 if (p) { 549 if (context->default_cc_name_env) 550 free(context->default_cc_name_env); 551 context->default_cc_name_env = strdup(p); 552 } 553 } 554 555#ifdef _WIN32 556 if (e == NULL) { 557 e = p = _krb5_get_default_cc_name_from_registry(context); 558 } 559#endif 560 if (e == NULL) { 561 e = krb5_config_get_string(context, NULL, "libdefaults", 562 "default_cc_name", NULL); 563 if (e) { 564 ret = _krb5_expand_default_cc_name(context, e, &p); 565 if (ret) 566 return ret; 567 } 568 if (e == NULL) { 569 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE; 570 e = krb5_config_get_string(context, NULL, "libdefaults", 571 "default_cc_type", NULL); 572 if (e) { 573 ops = krb5_cc_get_prefix_ops(context, e); 574 if (ops == NULL) { 575 krb5_set_error_message(context, 576 KRB5_CC_UNKNOWN_TYPE, 577 "Credential cache type %s " 578 "is unknown", e); 579 return KRB5_CC_UNKNOWN_TYPE; 580 } 581 } 582 ret = (*ops->get_default_name)(context, &p); 583 if (ret) 584 return ret; 585 } 586 } 587 context->default_cc_name_set = 0; 588 } else { 589 p = strdup(name); 590 context->default_cc_name_set = 1; 591 } 592 593 if (p == NULL) { 594 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 595 return ENOMEM; 596 } 597 598 ret = _krb5_expand_path_tokens(context, p, &exp_p); 599 free(p); 600 if (ret) 601 return ret; 602 603 if (context->default_cc_name) 604 free(context->default_cc_name); 605 606 context->default_cc_name = exp_p; 607 608 return 0; 609} 610 611/** 612 * Return a pointer to a context static string containing the default 613 * ccache name. 614 * 615 * @return String to the default credential cache name. 616 * 617 * @ingroup krb5_ccache 618 */ 619 620 621KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL 622krb5_cc_default_name(krb5_context context) 623{ 624 if (context->default_cc_name == NULL || environment_changed(context)) 625 krb5_cc_set_default_name(context, NULL); 626 627 return context->default_cc_name; 628} 629 630/** 631 * Open the default ccache in `id'. 632 * 633 * @return Return an error code or 0, see krb5_get_error_message(). 634 * 635 * @ingroup krb5_ccache 636 */ 637 638 639KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 640krb5_cc_default(krb5_context context, 641 krb5_ccache *id) 642{ 643 const char *p = krb5_cc_default_name(context); 644 645 if (p == NULL) { 646 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 647 return ENOMEM; 648 } 649 return krb5_cc_resolve(context, p, id); 650} 651 652/** 653 * Create a new ccache in `id' for `primary_principal'. 654 * 655 * @return Return an error code or 0, see krb5_get_error_message(). 656 * 657 * @ingroup krb5_ccache 658 */ 659 660 661KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 662krb5_cc_initialize(krb5_context context, 663 krb5_ccache id, 664 krb5_principal primary_principal) 665{ 666 return (*id->ops->init)(context, id, primary_principal); 667} 668 669 670/** 671 * Remove the ccache `id'. 672 * 673 * @return Return an error code or 0, see krb5_get_error_message(). 674 * 675 * @ingroup krb5_ccache 676 */ 677 678 679KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 680krb5_cc_destroy(krb5_context context, 681 krb5_ccache id) 682{ 683 krb5_error_code ret; 684 685 ret = (*id->ops->destroy)(context, id); 686 krb5_cc_close (context, id); 687 return ret; 688} 689 690/** 691 * Stop using the ccache `id' and free the related resources. 692 * 693 * @return Return an error code or 0, see krb5_get_error_message(). 694 * 695 * @ingroup krb5_ccache 696 */ 697 698 699KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 700krb5_cc_close(krb5_context context, 701 krb5_ccache id) 702{ 703 krb5_error_code ret; 704 ret = (*id->ops->close)(context, id); 705 free(id); 706 return ret; 707} 708 709/** 710 * Store `creds' in the ccache `id'. 711 * 712 * @return Return an error code or 0, see krb5_get_error_message(). 713 * 714 * @ingroup krb5_ccache 715 */ 716 717 718KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 719krb5_cc_store_cred(krb5_context context, 720 krb5_ccache id, 721 krb5_creds *creds) 722{ 723 return (*id->ops->store)(context, id, creds); 724} 725 726/* 727 * To linear search for name in credential cache 728 */ 729 730static krb5_error_code 731retrieve_cred(krb5_context context, 732 krb5_ccache id, 733 krb5_flags whichfields, 734 const krb5_creds *mcreds, 735 krb5_creds *creds) 736{ 737 krb5_error_code ret; 738 krb5_cc_cursor cursor; 739 740 ret = krb5_cc_start_seq_get(context, id, &cursor); 741 if (ret) 742 return ret; 743 while ((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0) { 744 if (krb5_compare_creds(context, whichfields, mcreds, creds)) { 745 ret = 0; 746 break; 747 } 748 krb5_free_cred_contents(context, creds); 749 } 750 krb5_cc_end_seq_get(context, id, &cursor); 751 752 return ret; 753} 754 755/** 756 * Retrieve the credential identified by `mcreds' (and `whichfields') 757 * from `id' in `creds'. 'creds' must be free by the caller using 758 * krb5_free_cred_contents. 759 * 760 * @param context A Kerberos 5 context 761 * @param id a Kerberos 5 credential cache 762 * @param whichfields what fields to use for matching credentials, same 763 * flags as whichfields in krb5_compare_creds() 764 * @param mcreds template credential to use for comparing 765 * @param creds returned credential, free with krb5_free_cred_contents() 766 * 767 * @return Return an error code or 0, see krb5_get_error_message(). 768 * 769 * @ingroup krb5_ccache 770 */ 771 772KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 773krb5_cc_retrieve_cred(krb5_context context, 774 krb5_ccache id, 775 krb5_flags whichfields, 776 const krb5_creds *mcreds, 777 krb5_creds *creds) 778{ 779 krb5_error_code ret; 780 781 if (id->ops->retrieve != NULL) { 782 ret = id->ops->retrieve(context, id, whichfields, mcreds, creds); 783 } else { 784 ret = retrieve_cred(context, id, whichfields, mcreds, creds); 785 786 if ((ret == KRB5_CC_END) && (whichfields & KRB5_TC_MATCH_REFERRAL)) 787 ret = retrieve_cred(context, id, 788 whichfields | KRB5_TC_DONT_MATCH_REALM, 789 mcreds, creds); 790 } 791 792 /** 793 * When not finding the credential when we reached the credential 794 * cache, the error code KRB5_CC_NOTFOUND is returned. 795 */ 796 if (ret == KRB5_CC_END) { 797 char *fn = NULL, *name = NULL; 798 799 ret = KRB5_CC_NOTFOUND; 800 krb5_cc_get_full_name(context, id, &fn); 801 krb5_unparse_name(context, mcreds->server, &name); 802 krb5_set_error_message(context, ret, "Did not find credential for %s in cache %s", 803 name ? name : "server", 804 fn ? fn : "unknown"); 805 free(fn); 806 free(name); 807 } 808 return ret; 809} 810 811/** 812 * Return the principal of `id' in `principal'. 813 * 814 * @return Return an error code or 0, see krb5_get_error_message(). 815 * 816 * @ingroup krb5_ccache 817 */ 818 819 820KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 821krb5_cc_get_principal(krb5_context context, 822 krb5_ccache id, 823 krb5_principal *principal) 824{ 825 return (*id->ops->get_princ)(context, id, principal); 826} 827 828/** 829 * Start iterating over `id', `cursor' is initialized to the 830 * beginning. Caller must free the cursor with krb5_cc_end_seq_get(). 831 * 832 * @return Return an error code or 0, see krb5_get_error_message(). 833 * 834 * @ingroup krb5_ccache 835 */ 836 837 838KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 839krb5_cc_start_seq_get (krb5_context context, 840 const krb5_ccache id, 841 krb5_cc_cursor *cursor) 842{ 843 return (*id->ops->get_first)(context, id, cursor); 844} 845 846/** 847 * Retrieve the next cred pointed to by (`id', `cursor') in `creds' 848 * and advance `cursor'. 849 * 850 * @return Return an error code or 0, see krb5_get_error_message(). 851 * 852 * @ingroup krb5_ccache 853 */ 854 855 856KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 857krb5_cc_next_cred (krb5_context context, 858 const krb5_ccache id, 859 krb5_cc_cursor *cursor, 860 krb5_creds *creds) 861{ 862 return (*id->ops->get_next)(context, id, cursor, creds); 863} 864 865/** 866 * Destroy the cursor `cursor'. 867 * 868 * @ingroup krb5_ccache 869 */ 870 871 872KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 873krb5_cc_end_seq_get (krb5_context context, 874 const krb5_ccache id, 875 krb5_cc_cursor *cursor) 876{ 877 return (*id->ops->end_get)(context, id, cursor); 878} 879 880/** 881 * Remove the credential identified by `cred', `which' from `id'. 882 * 883 * @ingroup krb5_ccache 884 */ 885 886 887KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 888krb5_cc_remove_cred(krb5_context context, 889 krb5_ccache id, 890 krb5_flags which, 891 krb5_creds *cred) 892{ 893 if(id->ops->remove_cred == NULL) { 894 krb5_set_error_message(context, 895 EACCES, 896 "ccache %s does not support remove_cred", 897 id->ops->prefix); 898 return EACCES; /* XXX */ 899 } 900 return (*id->ops->remove_cred)(context, id, which, cred); 901} 902 903/** 904 * Set the flags of `id' to `flags'. 905 * 906 * @ingroup krb5_ccache 907 */ 908 909 910KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 911krb5_cc_set_flags(krb5_context context, 912 krb5_ccache id, 913 krb5_flags flags) 914{ 915 return (*id->ops->set_flags)(context, id, flags); 916} 917 918/** 919 * Get the flags of `id', store them in `flags'. 920 * 921 * @ingroup krb5_ccache 922 */ 923 924KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 925krb5_cc_get_flags(krb5_context context, 926 krb5_ccache id, 927 krb5_flags *flags) 928{ 929 *flags = 0; 930 return 0; 931} 932 933/** 934 * Copy the contents of `from' to `to' if the given match function 935 * return true. 936 * 937 * @param context A Kerberos 5 context. 938 * @param from the cache to copy data from. 939 * @param to the cache to copy data to. 940 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied. 941 * @param matchctx context passed to match function. 942 * @param matched set to true if there was a credential that matched, may be NULL. 943 * 944 * @return Return an error code or 0, see krb5_get_error_message(). 945 * 946 * @ingroup krb5_ccache 947 */ 948 949KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 950krb5_cc_copy_match_f(krb5_context context, 951 const krb5_ccache from, 952 krb5_ccache to, 953 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *), 954 void *matchctx, 955 unsigned int *matched) 956{ 957 krb5_error_code ret; 958 krb5_cc_cursor cursor; 959 krb5_creds cred; 960 krb5_principal princ; 961 962 if (matched) 963 *matched = 0; 964 965 ret = krb5_cc_get_principal(context, from, &princ); 966 if (ret) 967 return ret; 968 ret = krb5_cc_initialize(context, to, princ); 969 if (ret) { 970 krb5_free_principal(context, princ); 971 return ret; 972 } 973 ret = krb5_cc_start_seq_get(context, from, &cursor); 974 if (ret) { 975 krb5_free_principal(context, princ); 976 return ret; 977 } 978 979 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) { 980 if (match == NULL || (*match)(context, matchctx, &cred)) { 981 if (matched) 982 (*matched)++; 983 ret = krb5_cc_store_cred(context, to, &cred); 984 if (ret) 985 break; 986 } 987 krb5_free_cred_contents(context, &cred); 988 } 989 krb5_cc_end_seq_get(context, from, &cursor); 990 krb5_free_principal(context, princ); 991 if (ret == KRB5_CC_END) 992 ret = 0; 993 return ret; 994} 995 996/** 997 * Just like krb5_cc_copy_match_f(), but copy everything. 998 * 999 * @ingroup @krb5_ccache 1000 */ 1001 1002KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1003krb5_cc_copy_cache(krb5_context context, 1004 const krb5_ccache from, 1005 krb5_ccache to) 1006{ 1007 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL); 1008} 1009 1010/** 1011 * Return the version of `id'. 1012 * 1013 * @ingroup krb5_ccache 1014 */ 1015 1016 1017KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1018krb5_cc_get_version(krb5_context context, 1019 const krb5_ccache id) 1020{ 1021 if(id->ops->get_version) 1022 return (*id->ops->get_version)(context, id); 1023 else 1024 return 0; 1025} 1026 1027/** 1028 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred 1029 * 1030 * @ingroup krb5_ccache 1031 */ 1032 1033 1034KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1035krb5_cc_clear_mcred(krb5_creds *mcred) 1036{ 1037 memset(mcred, 0, sizeof(*mcred)); 1038} 1039 1040/** 1041 * Get the cc ops that is registered in `context' to handle the 1042 * prefix. prefix can be a complete credential cache name or a 1043 * prefix, the function will only use part up to the first colon (:) 1044 * if there is one. If prefix the argument is NULL, the default ccache 1045 * implemtation is returned. 1046 * 1047 * @return Returns NULL if ops not found. 1048 * 1049 * @ingroup krb5_ccache 1050 */ 1051 1052 1053KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL 1054krb5_cc_get_prefix_ops(krb5_context context, const char *prefix) 1055{ 1056 char *p, *p1; 1057 int i; 1058 1059 if (prefix == NULL) 1060 return KRB5_DEFAULT_CCTYPE; 1061 if (prefix[0] == '/') 1062 return &krb5_fcc_ops; 1063 1064 p = strdup(prefix); 1065 if (p == NULL) { 1066 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 1067 return NULL; 1068 } 1069 p1 = strchr(p, ':'); 1070 if (p1) 1071 *p1 = '\0'; 1072 1073 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) { 1074 if(strcmp(context->cc_ops[i]->prefix, p) == 0) { 1075 free(p); 1076 return context->cc_ops[i]; 1077 } 1078 } 1079 free(p); 1080 return NULL; 1081} 1082 1083struct krb5_cc_cache_cursor_data { 1084 const krb5_cc_ops *ops; 1085 krb5_cc_cursor cursor; 1086}; 1087 1088/** 1089 * Start iterating over all caches of specified type. See also 1090 * krb5_cccol_cursor_new(). 1091 1092 * @param context A Kerberos 5 context 1093 * @param type optional type to iterate over, if NULL, the default cache is used. 1094 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get(). 1095 * 1096 * @return Return an error code or 0, see krb5_get_error_message(). 1097 * 1098 * @ingroup krb5_ccache 1099 */ 1100 1101 1102KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1103krb5_cc_cache_get_first (krb5_context context, 1104 const char *type, 1105 krb5_cc_cache_cursor *cursor) 1106{ 1107 const krb5_cc_ops *ops; 1108 krb5_error_code ret; 1109 1110 if (type == NULL) 1111 type = krb5_cc_default_name(context); 1112 1113 ops = krb5_cc_get_prefix_ops(context, type); 1114 if (ops == NULL) { 1115 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1116 "Unknown type \"%s\" when iterating " 1117 "trying to iterate the credential caches", type); 1118 return KRB5_CC_UNKNOWN_TYPE; 1119 } 1120 1121 if (ops->get_cache_first == NULL) { 1122 krb5_set_error_message(context, KRB5_CC_NOSUPP, 1123 N_("Credential cache type %s doesn't support " 1124 "iterations over caches", "type"), 1125 ops->prefix); 1126 return KRB5_CC_NOSUPP; 1127 } 1128 1129 *cursor = calloc(1, sizeof(**cursor)); 1130 if (*cursor == NULL) { 1131 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 1132 return ENOMEM; 1133 } 1134 1135 (*cursor)->ops = ops; 1136 1137 ret = ops->get_cache_first(context, &(*cursor)->cursor); 1138 if (ret) { 1139 free(*cursor); 1140 *cursor = NULL; 1141 } 1142 return ret; 1143} 1144 1145/** 1146 * Retrieve the next cache pointed to by (`cursor') in `id' 1147 * and advance `cursor'. 1148 * 1149 * @param context A Kerberos 5 context 1150 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first() 1151 * @param id next ccache 1152 * 1153 * @return Return 0 or an error code. Returns KRB5_CC_END when the end 1154 * of caches is reached, see krb5_get_error_message(). 1155 * 1156 * @ingroup krb5_ccache 1157 */ 1158 1159 1160KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1161krb5_cc_cache_next (krb5_context context, 1162 krb5_cc_cache_cursor cursor, 1163 krb5_ccache *id) 1164{ 1165 return cursor->ops->get_cache_next(context, cursor->cursor, id); 1166} 1167 1168/** 1169 * Destroy the cursor `cursor'. 1170 * 1171 * @return Return an error code or 0, see krb5_get_error_message(). 1172 * 1173 * @ingroup krb5_ccache 1174 */ 1175 1176 1177KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1178krb5_cc_cache_end_seq_get (krb5_context context, 1179 krb5_cc_cache_cursor cursor) 1180{ 1181 krb5_error_code ret; 1182 ret = cursor->ops->end_cache_get(context, cursor->cursor); 1183 cursor->ops = NULL; 1184 free(cursor); 1185 return ret; 1186} 1187 1188/** 1189 * Search for a matching credential cache that have the 1190 * `principal' as the default principal. On success, `id' needs to be 1191 * freed with krb5_cc_close() or krb5_cc_destroy(). 1192 * 1193 * If the input principal have 0 name_string, the code will only 1194 * compare the realm (and ignore the name_strings of the pricipal in 1195 * the cache). 1196 * 1197 * @param context A Kerberos 5 context 1198 * @param client The principal to search for 1199 * @param id the returned credential cache 1200 * 1201 * @return On failure, error code is returned and `id' is set to NULL. 1202 * 1203 * @ingroup krb5_ccache 1204 */ 1205 1206 1207KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1208krb5_cc_cache_match (krb5_context context, 1209 krb5_principal client, 1210 krb5_ccache *id) 1211{ 1212 krb5_cccol_cursor cursor; 1213 krb5_error_code ret; 1214 krb5_ccache cache = NULL; 1215 krb5_ccache expired_match = NULL; 1216 1217 *id = NULL; 1218 1219 ret = krb5_cccol_cursor_new (context, &cursor); 1220 if (ret) 1221 return ret; 1222 1223 while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) { 1224 krb5_principal principal; 1225 krb5_boolean match; 1226 time_t lifetime; 1227 1228 ret = krb5_cc_get_principal(context, cache, &principal); 1229 if (ret) 1230 goto next; 1231 1232 if (client->name.name_string.len == 0) 1233 match = (strcmp(client->realm, principal->realm) == 0); 1234 else 1235 match = krb5_principal_compare(context, principal, client); 1236 krb5_free_principal(context, principal); 1237 1238 if (!match) 1239 goto next; 1240 1241 if (expired_match == NULL && 1242 (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) { 1243 expired_match = cache; 1244 cache = NULL; 1245 goto next; 1246 } 1247 break; 1248 1249 next: 1250 if (cache) 1251 krb5_cc_close(context, cache); 1252 cache = NULL; 1253 } 1254 1255 krb5_cccol_cursor_free(context, &cursor); 1256 1257 if (cache == NULL && expired_match) { 1258 cache = expired_match; 1259 expired_match = NULL; 1260 } else if (expired_match) { 1261 krb5_cc_close(context, expired_match); 1262 } else if (cache == NULL) { 1263 char *str; 1264 1265 krb5_unparse_name(context, client, &str); 1266 1267 krb5_set_error_message(context, KRB5_CC_NOTFOUND, 1268 N_("Principal %s not found in any " 1269 "credential cache", ""), 1270 str ? str : "<out of memory>"); 1271 if (str) 1272 free(str); 1273 return KRB5_CC_NOTFOUND; 1274 } 1275 1276 *id = cache; 1277 1278 return 0; 1279} 1280 1281/** 1282 * Move the content from one credential cache to another. The 1283 * operation is an atomic switch. 1284 * 1285 * @param context a Keberos context 1286 * @param from the credential cache to move the content from 1287 * @param to the credential cache to move the content to 1288 1289 * @return On sucess, from is freed. On failure, error code is 1290 * returned and from and to are both still allocated, see krb5_get_error_message(). 1291 * 1292 * @ingroup krb5_ccache 1293 */ 1294 1295KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1296krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to) 1297{ 1298 krb5_error_code ret; 1299 1300 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) { 1301 krb5_set_error_message(context, KRB5_CC_NOSUPP, 1302 N_("Moving credentials between diffrent " 1303 "types not yet supported (from %s to %s)", ""), 1304 from->ops->prefix, to->ops->prefix); 1305 return KRB5_CC_NOSUPP; 1306 } 1307 1308 ret = (*to->ops->move)(context, from, to); 1309 if (ret == 0) { 1310 memset(from, 0, sizeof(*from)); 1311 free(from); 1312 } 1313 return ret; 1314} 1315 1316#define KRB5_CONF_NAME "krb5_ccache_conf_data" 1317#define KRB5_REALM_NAME "X-CACHECONF:" 1318 1319static krb5_error_code 1320build_conf_principals(krb5_context context, krb5_ccache id, 1321 krb5_const_principal principal, 1322 const char *name, krb5_creds *cred) 1323{ 1324 krb5_principal client; 1325 krb5_error_code ret; 1326 char *pname = NULL; 1327 1328 memset(cred, 0, sizeof(*cred)); 1329 1330 ret = krb5_cc_get_principal(context, id, &client); 1331 if (ret) 1332 return ret; 1333 1334 if (principal) { 1335 ret = krb5_unparse_name(context, principal, &pname); 1336 if (ret) 1337 return ret; 1338 } 1339 1340 ret = krb5_make_principal(context, &cred->server, 1341 KRB5_REALM_NAME, 1342 KRB5_CONF_NAME, name, pname, NULL); 1343 free(pname); 1344 if (ret) { 1345 krb5_free_principal(context, client); 1346 return ret; 1347 } 1348 ret = krb5_copy_principal(context, client, &cred->client); 1349 krb5_free_principal(context, client); 1350 return ret; 1351} 1352 1353/** 1354 * Return TRUE (non zero) if the principal is a configuration 1355 * principal (generated part of krb5_cc_set_config()). Returns FALSE 1356 * (zero) if not a configuration principal. 1357 * 1358 * @param context a Keberos context 1359 * @param principal principal to check if it a configuration principal 1360 * 1361 * @ingroup krb5_ccache 1362 */ 1363 1364KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1365krb5_is_config_principal(krb5_context context, 1366 krb5_const_principal principal) 1367{ 1368 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0) 1369 return FALSE; 1370 1371 if (principal->name.name_string.len == 0 || 1372 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0) 1373 return FALSE; 1374 1375 return TRUE; 1376} 1377 1378/** 1379 * Store some configuration for the credential cache in the cache. 1380 * Existing configuration under the same name is over-written. 1381 * 1382 * @param context a Keberos context 1383 * @param id the credential cache to store the data for 1384 * @param principal configuration for a specific principal, if 1385 * NULL, global for the whole cache. 1386 * @param name name under which the configuraion is stored. 1387 * @param data data to store, if NULL, configure is removed. 1388 * 1389 * @ingroup krb5_ccache 1390 */ 1391 1392KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1393krb5_cc_set_config(krb5_context context, krb5_ccache id, 1394 krb5_const_principal principal, 1395 const char *name, krb5_data *data) 1396{ 1397 krb5_error_code ret; 1398 krb5_creds cred; 1399 1400 ret = build_conf_principals(context, id, principal, name, &cred); 1401 if (ret) 1402 goto out; 1403 1404 /* Remove old configuration */ 1405 ret = krb5_cc_remove_cred(context, id, 0, &cred); 1406 if (ret && ret != KRB5_CC_NOTFOUND) 1407 goto out; 1408 1409 if (data) { 1410 /* make sure expiration time is not past now */ 1411 cred.times.authtime = time(NULL) - 10; 1412 cred.times.endtime = cred.times.authtime; 1413 1414 ret = krb5_data_copy(&cred.ticket, data->data, data->length); 1415 if (ret) 1416 goto out; 1417 1418 ret = krb5_cc_store_cred(context, id, &cred); 1419 } 1420 1421out: 1422 krb5_free_cred_contents (context, &cred); 1423 return ret; 1424} 1425 1426/** 1427 * Get some configuration for the credential cache in the cache. 1428 * 1429 * @param context a Keberos context 1430 * @param id the credential cache to store the data for 1431 * @param principal configuration for a specific principal, if 1432 * NULL, global for the whole cache. 1433 * @param name name under which the configuraion is stored. 1434 * @param data data to fetched, free with krb5_data_free() 1435 * 1436 * @ingroup krb5_ccache 1437 */ 1438 1439 1440KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1441krb5_cc_get_config(krb5_context context, krb5_ccache id, 1442 krb5_const_principal principal, 1443 const char *name, krb5_data *data) 1444{ 1445 krb5_creds mcred, cred; 1446 krb5_error_code ret; 1447 1448 memset(&cred, 0, sizeof(cred)); 1449 krb5_data_zero(data); 1450 1451 ret = build_conf_principals(context, id, principal, name, &mcred); 1452 if (ret) 1453 goto out; 1454 1455 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); 1456 if (ret) 1457 goto out; 1458 1459 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length); 1460 1461out: 1462 krb5_free_cred_contents (context, &cred); 1463 krb5_free_cred_contents (context, &mcred); 1464 return ret; 1465} 1466 1467/* 1468 * 1469 */ 1470 1471struct krb5_cccol_cursor_data { 1472 int idx; 1473 krb5_cc_cache_cursor cursor; 1474 char *env_cache; 1475}; 1476 1477/** 1478 * Get a new cache interation cursor that will interate over all 1479 * credentials caches independent of type. 1480 * 1481 * @param context a Keberos context 1482 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free(). 1483 * 1484 * @return Returns 0 or and error code, see krb5_get_error_message(). 1485 * 1486 * @ingroup krb5_ccache 1487 */ 1488 1489KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1490krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor) 1491{ 1492 *cursor = calloc(1, sizeof(**cursor)); 1493 if (*cursor == NULL) { 1494 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 1495 return ENOMEM; 1496 } 1497 (*cursor)->idx = -1; 1498 1499 return 0; 1500} 1501 1502/** 1503 * Get next credential cache from the iteration. 1504 * 1505 * @param context A Kerberos 5 context 1506 * @param cursor the iteration cursor 1507 * @param cache the returned cursor, pointer is set to NULL on failure 1508 * and a cache on success. The returned cache needs to be freed 1509 * with krb5_cc_close() or destroyed with krb5_cc_destroy(). 1510 * MIT Kerberos behavies slightly diffrent and sets cache to NULL 1511 * when all caches are iterated over and return 0. 1512 * 1513 * @return Return 0 or and error, KRB5_CC_END is returned at the end 1514 * of iteration. See krb5_get_error_message(). 1515 * 1516 * @ingroup krb5_ccache 1517 */ 1518 1519 1520KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1521krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, 1522 krb5_ccache *cache) 1523{ 1524 krb5_error_code ret; 1525 1526 *cache = NULL; 1527 1528 if (cursor->idx == -1) { 1529 char *env = getenv("KRB5CCNAME"); 1530 cursor->idx++; 1531 if (env != NULL) { 1532 ret = krb5_cc_resolve(context, env, cache); 1533 if (ret == 0) { 1534 krb5_cc_get_full_name(context, *cache, &cursor->env_cache); 1535 return 0; 1536 } 1537 } 1538 } 1539 while (cursor->idx < context->num_cc_ops) { 1540 1541 if (cursor->cursor == NULL) { 1542 ret = krb5_cc_cache_get_first (context, 1543 context->cc_ops[cursor->idx]->prefix, 1544 &cursor->cursor); 1545 if (ret) { 1546 cursor->idx++; 1547 continue; 1548 } 1549 } 1550 ret = krb5_cc_cache_next(context, cursor->cursor, cache); 1551 if (ret == 0) { 1552 if (cursor->env_cache) { 1553 char *full_name = NULL; 1554 if (krb5_cc_get_full_name(context, *cache, &full_name) == 0) { 1555 if (strcmp(cursor->env_cache, full_name) == 0) { 1556 free(full_name); 1557 continue; 1558 } 1559 free(full_name); 1560 } 1561 } 1562 break; 1563 } 1564 1565 krb5_cc_cache_end_seq_get(context, cursor->cursor); 1566 cursor->cursor = NULL; 1567 if (ret != KRB5_CC_END) 1568 break; 1569 1570 cursor->idx++; 1571 } 1572 if (cursor->idx >= context->num_cc_ops) { 1573 krb5_set_error_message(context, KRB5_CC_END, 1574 N_("Reached end of credential caches", "")); 1575 return KRB5_CC_END; 1576 } 1577 1578 return 0; 1579} 1580 1581/** 1582 * End an iteration and free all resources, can be done before end is reached. 1583 * 1584 * @param context A Kerberos 5 context 1585 * @param cursor the iteration cursor to be freed. 1586 * 1587 * @return Return 0 or and error, KRB5_CC_END is returned at the end 1588 * of iteration. See krb5_get_error_message(). 1589 * 1590 * @ingroup krb5_ccache 1591 */ 1592 1593KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1594krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor) 1595{ 1596 krb5_cccol_cursor c = *cursor; 1597 1598 *cursor = NULL; 1599 if (c) { 1600 if (c->cursor) 1601 krb5_cc_cache_end_seq_get(context, c->cursor); 1602 if (c->env_cache) 1603 free(c->env_cache); 1604 free(c); 1605 } 1606 return 0; 1607} 1608 1609/** 1610 * Return the last time the credential cache was modified. 1611 * 1612 * @param context A Kerberos 5 context 1613 * @param id The credential cache to probe 1614 * @param mtime the last modification time, set to 0 on error. 1615 1616 * @return Return 0 or and error. See krb5_get_error_message(). 1617 * 1618 * @ingroup krb5_ccache 1619 */ 1620 1621 1622KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1623krb5_cc_last_change_time(krb5_context context, 1624 krb5_ccache id, 1625 krb5_timestamp *mtime) 1626{ 1627 *mtime = 0; 1628 return (*id->ops->lastchange)(context, id, mtime); 1629} 1630 1631/** 1632 * Return the last modfication time for a cache collection. The query 1633 * can be limited to a specific cache type. If the function return 0 1634 * and mtime is 0, there was no credentials in the caches. 1635 * 1636 * @param context A Kerberos 5 context 1637 * @param type The credential cache to probe, if NULL, all type are traversed. 1638 * @param mtime the last modification time, set to 0 on error. 1639 1640 * @return Return 0 or and error. See krb5_get_error_message(). 1641 * 1642 * @ingroup krb5_ccache 1643 */ 1644 1645KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1646krb5_cccol_last_change_time(krb5_context context, 1647 const char *type, 1648 krb5_timestamp *mtime) 1649{ 1650 krb5_cccol_cursor cursor; 1651 krb5_error_code ret; 1652 krb5_ccache id; 1653 krb5_timestamp t = 0; 1654 1655 *mtime = 0; 1656 1657 ret = krb5_cccol_cursor_new (context, &cursor); 1658 if (ret) 1659 return ret; 1660 1661 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) { 1662 1663 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0) 1664 continue; 1665 1666 ret = krb5_cc_last_change_time(context, id, &t); 1667 krb5_cc_close(context, id); 1668 if (ret) 1669 continue; 1670 if (t > *mtime) 1671 *mtime = t; 1672 } 1673 1674 krb5_cccol_cursor_free(context, &cursor); 1675 1676 return 0; 1677} 1678/** 1679 * Return a friendly name on credential cache. Free the result with krb5_xfree(). 1680 * 1681 * @return Return an error code or 0, see krb5_get_error_message(). 1682 * 1683 * @ingroup krb5_ccache 1684 */ 1685 1686KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1687krb5_cc_get_friendly_name(krb5_context context, 1688 krb5_ccache id, 1689 char **name) 1690{ 1691 krb5_error_code ret; 1692 krb5_data data; 1693 1694 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data); 1695 if (ret) { 1696 krb5_principal principal; 1697 ret = krb5_cc_get_principal(context, id, &principal); 1698 if (ret) 1699 return ret; 1700 ret = krb5_unparse_name(context, principal, name); 1701 krb5_free_principal(context, principal); 1702 } else { 1703 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data); 1704 krb5_data_free(&data); 1705 if (ret <= 0) { 1706 ret = ENOMEM; 1707 krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); 1708 } else 1709 ret = 0; 1710 } 1711 1712 return ret; 1713} 1714 1715/** 1716 * Set the friendly name on credential cache. 1717 * 1718 * @return Return an error code or 0, see krb5_get_error_message(). 1719 * 1720 * @ingroup krb5_ccache 1721 */ 1722 1723KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1724krb5_cc_set_friendly_name(krb5_context context, 1725 krb5_ccache id, 1726 const char *name) 1727{ 1728 krb5_data data; 1729 1730 data.data = rk_UNCONST(name); 1731 data.length = strlen(name); 1732 1733 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data); 1734} 1735 1736/** 1737 * Get the aproximate lifetime of credential cache 1738 * 1739 * Time t is always set to a known value, in case of an error, its set to 0. 1740 * 1741 * @param context A Kerberos 5 context. 1742 * @param id a credential cache. 1743 * @param t the relative lifetime of cache. 1744 * 1745 * @return Return an error code or 0, see krb5_get_error_message(). 1746 * 1747 * @ingroup krb5_ccache 1748 */ 1749 1750KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1751krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t) 1752{ 1753 krb5_cc_cursor cursor; 1754 krb5_error_code ret; 1755 krb5_creds cred; 1756 time_t now, endtime = 0; 1757 1758 *t = 0; 1759 now = time(NULL); 1760 1761 ret = krb5_cc_start_seq_get(context, id, &cursor); 1762 if (ret) 1763 return ret; 1764 1765 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) { 1766 /** 1767 * If we find a krbtgt in the cache, use that as the lifespan. 1768 */ 1769 if (krb5_principal_is_root_krbtgt(context, cred.server)) { 1770 if (now < cred.times.endtime) 1771 endtime = cred.times.endtime; 1772 krb5_free_cred_contents(context, &cred); 1773 break; 1774 } 1775 /* 1776 * Skip config entries 1777 */ 1778 if (krb5_is_config_principal(context, cred.server)) { 1779 krb5_free_cred_contents(context, &cred); 1780 continue; 1781 } 1782 /** 1783 * If there was no krbtgt, use the shortest lifetime of 1784 * service tickets that have yet to expire. If all 1785 * credentials are expired, krb5_cc_get_lifetime() will fail. 1786 */ 1787 if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime) 1788 endtime = cred.times.endtime; 1789 krb5_free_cred_contents(context, &cred); 1790 } 1791 1792 /* if we found an endtime use that */ 1793 if (endtime) { 1794 *t = endtime - now; 1795 ret = 0; 1796 } 1797 1798 krb5_cc_end_seq_get(context, id, &cursor); 1799 1800 return ret; 1801} 1802 1803/** 1804 * Set the time offset betwen the client and the KDC 1805 * 1806 * If the backend doesn't support KDC offset, use the context global setting. 1807 * 1808 * @param context A Kerberos 5 context. 1809 * @param id a credential cache 1810 * @param offset the offset in seconds 1811 * 1812 * @return Return an error code or 0, see krb5_get_error_message(). 1813 * 1814 * @ingroup krb5_ccache 1815 */ 1816 1817KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1818krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset) 1819{ 1820 if (id->ops->set_kdc_offset == NULL) { 1821 context->kdc_sec_offset = (int)offset; 1822 context->kdc_usec_offset = 0; 1823 return 0; 1824 } 1825 return (*id->ops->set_kdc_offset)(context, id, offset); 1826} 1827 1828/** 1829 * Get the time offset betwen the client and the KDC 1830 * 1831 * If the backend doesn't support KDC offset, use the context global setting. 1832 * 1833 * @param context A Kerberos 5 context. 1834 * @param id a credential cache 1835 * @param offset the offset in seconds 1836 * 1837 * @return Return an error code or 0, see krb5_get_error_message(). 1838 * 1839 * @ingroup krb5_ccache 1840 */ 1841 1842KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1843krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset) 1844{ 1845 if (id->ops->get_kdc_offset == NULL) { 1846 *offset = context->kdc_sec_offset; 1847 return 0; 1848 } 1849 return (*id->ops->get_kdc_offset)(context, id, offset); 1850} 1851 1852krb5_error_code 1853krb5_cc_hold(krb5_context context, krb5_ccache id) 1854{ 1855 if (id->ops->hold == 0) 1856 return 0; 1857 return id->ops->hold(context, id); 1858} 1859 1860krb5_error_code 1861krb5_cc_unhold(krb5_context context, krb5_ccache id) 1862{ 1863 if (id->ops->unhold == 0) 1864 return 0; 1865 return id->ops->unhold(context, id); 1866} 1867 1868krb5_error_code 1869krb5_cc_get_uuid(krb5_context context, krb5_ccache id, krb5_uuid uuid) 1870{ 1871 if (id->ops->get_uuid == NULL) { 1872 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1873 "Credential cache type %s doesn't support uuid", 1874 id->ops->prefix); 1875 return KRB5_CC_UNKNOWN_TYPE; 1876 } 1877 return id->ops->get_uuid(context, id, uuid); 1878} 1879 1880krb5_error_code 1881krb5_cc_resolve_by_uuid(krb5_context context, const char *type, 1882 krb5_ccache *id, krb5_uuid uuid) 1883{ 1884 const krb5_cc_ops *ops; 1885 krb5_error_code ret; 1886 1887 if (type) { 1888 ops = krb5_cc_get_prefix_ops(context, type); 1889 if (ops == NULL) { 1890 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1891 "Credential cache type %s is unknown", type); 1892 return KRB5_CC_UNKNOWN_TYPE; 1893 } 1894 } else { 1895 ops = KRB5_DEFAULT_CCTYPE; 1896 } 1897 1898 if (ops->resolve_by_uuid == NULL) { 1899 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1900 "Credential cache type %s doesn't support uuid", 1901 ops->prefix); 1902 return KRB5_CC_UNKNOWN_TYPE; 1903 } 1904 1905 ret = _krb5_cc_allocate(context, ops, id); 1906 if (ret) 1907 return ret; 1908 ret = (*id)->ops->resolve_by_uuid(context, *id, uuid); 1909 if (ret) { 1910 free(*id); 1911 *id = NULL; 1912 } 1913 return ret; 1914} 1915 1916krb5_error_code 1917krb5_cc_set_acl(krb5_context context, krb5_ccache id, const char *type, void *ptr) 1918{ 1919 if (id->ops->set_acl) 1920 return id->ops->set_acl(context, id, type, ptr); 1921 return 0; 1922} 1923 1924krb5_error_code 1925krb5_cc_copy_data(krb5_context context, krb5_ccache id, void *keys, void **data) 1926{ 1927 *data = NULL; 1928 if (id->ops->copy_data) 1929 return id->ops->copy_data(context, id, keys, data); 1930 return 0; 1931} 1932 1933#ifdef _WIN32 1934 1935#define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5" 1936char * 1937_krb5_get_default_cc_name_from_registry(krb5_context context) 1938{ 1939 HKEY hk_k5 = 0; 1940 LONG code; 1941 char * ccname = NULL; 1942 1943 code = RegOpenKeyEx(HKEY_CURRENT_USER, 1944 REGPATH_MIT_KRB5, 1945 0, KEY_READ, &hk_k5); 1946 1947 if (code != ERROR_SUCCESS) 1948 return NULL; 1949 1950 ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname", 1951 REG_NONE, 0); 1952 1953 RegCloseKey(hk_k5); 1954 1955 return ccname; 1956} 1957 1958int 1959_krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id) 1960{ 1961 HKEY hk_k5 = 0; 1962 LONG code; 1963 int ret = -1; 1964 char * ccname = NULL; 1965 1966 code = RegOpenKeyEx(HKEY_CURRENT_USER, 1967 REGPATH_MIT_KRB5, 1968 0, KEY_READ|KEY_WRITE, &hk_k5); 1969 1970 if (code != ERROR_SUCCESS) 1971 return -1; 1972 1973 ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id)); 1974 if (ret < 0) 1975 goto cleanup; 1976 1977 ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname", 1978 REG_SZ, ccname, -1, 0); 1979 1980 cleanup: 1981 1982 if (ccname) 1983 free(ccname); 1984 1985 RegCloseKey(hk_k5); 1986 1987 return ret; 1988} 1989 1990#endif 1991