1/* 2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 - 2011 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "krb5_locl.h" 37 38/** 39 * @page krb5_ccache_intro The credential cache functions 40 * @section section_krb5_ccache Kerberos credential caches 41 * 42 * krb5_ccache structure holds a Kerberos credential cache. 43 * 44 * Heimdal support the follow types of credential caches: 45 * 46 * - SCC 47 * Store the credential in a database 48 * - FILE 49 * Store the credential in memory 50 * - MEMORY 51 * Store the credential in memory 52 * - API 53 * A credential cache server based solution for Mac OS X 54 * - KCM 55 * A credential cache server based solution for all platforms 56 * 57 * @subsection Example 58 * 59 * This is a minimalistic version of klist: 60@code 61#include <krb5.h> 62 63int 64main (int argc, char **argv) 65{ 66 krb5_context context; 67 krb5_cc_cursor cursor; 68 krb5_error_code ret; 69 krb5_ccache id; 70 krb5_creds creds; 71 72 if (krb5_init_context (&context) != 0) 73 errx(1, "krb5_context"); 74 75 ret = krb5_cc_default (context, &id); 76 if (ret) 77 krb5_err(context, 1, ret, "krb5_cc_default"); 78 79 ret = krb5_cc_start_seq_get(context, id, &cursor); 80 if (ret) 81 krb5_err(context, 1, ret, "krb5_cc_start_seq_get"); 82 83 while ((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){ 84 char *principal; 85 86 krb5_unparse_name(context, creds.server, &principal); 87 printf("principal: %s\\n", principal); 88 free(principal); 89 krb5_free_cred_contents (context, &creds); 90 } 91 ret = krb5_cc_end_seq_get(context, id, &cursor); 92 if (ret) 93 krb5_err(context, 1, ret, "krb5_cc_end_seq_get"); 94 95 krb5_cc_close(context, id); 96 97 krb5_free_context(context); 98 return 0; 99} 100* @endcode 101*/ 102 103/** 104 * Add a new ccache type with operations `ops', overwriting any 105 * existing one if `override'. 106 * 107 * @param context a Keberos context 108 * @param ops type of plugin symbol 109 * @param override flag to select if the registration is to overide 110 * an existing ops with the same name. 111 * 112 * @return Return an error code or 0, see krb5_get_error_message(). 113 * 114 * @ingroup krb5_ccache 115 */ 116 117KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 118krb5_cc_register(krb5_context context, 119 const krb5_cc_ops *ops, 120 krb5_boolean override) 121{ 122 int i; 123 124 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) { 125 if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) { 126 if(!override) { 127 krb5_set_error_message(context, 128 KRB5_CC_TYPE_EXISTS, 129 N_("cache type %s already exists", "type"), 130 ops->prefix); 131 return KRB5_CC_TYPE_EXISTS; 132 } 133 break; 134 } 135 } 136 if(i == context->num_cc_ops) { 137 const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops), 138 (context->num_cc_ops + 1) * 139 sizeof(context->cc_ops[0])); 140 if(o == NULL) { 141 krb5_set_error_message(context, KRB5_CC_NOMEM, 142 N_("malloc: out of memory", "")); 143 return KRB5_CC_NOMEM; 144 } 145 context->cc_ops = o; 146 context->cc_ops[context->num_cc_ops] = NULL; 147 context->num_cc_ops++; 148 } 149 context->cc_ops[i] = ops; 150 return 0; 151} 152 153/* 154 * Allocate the memory for a `id' and the that function table to 155 * `ops'. Returns 0 or and error code. 156 */ 157 158krb5_error_code 159_krb5_cc_allocate(krb5_context context, 160 const krb5_cc_ops *ops, 161 krb5_ccache *id) 162{ 163 krb5_ccache p; 164 165 p = malloc (sizeof(*p)); 166 if(p == NULL) { 167 krb5_set_error_message(context, KRB5_CC_NOMEM, 168 N_("malloc: out of memory", "")); 169 return KRB5_CC_NOMEM; 170 } 171 p->ops = ops; 172 *id = p; 173 174 return 0; 175} 176 177/* 178 * Allocate memory for a new ccache in `id' with operations `ops' 179 * and name `residual'. Return 0 or an error code. 180 */ 181 182static krb5_error_code 183allocate_ccache (krb5_context context, 184 const krb5_cc_ops *ops, 185 const char *residual, 186 krb5_ccache *id) 187{ 188 krb5_error_code ret; 189#ifdef KRB5_USE_PATH_TOKENS 190 char * exp_residual = NULL; 191 192 ret = _krb5_expand_path_tokens(context, residual, &exp_residual); 193 if (ret) 194 return ret; 195 196 residual = exp_residual; 197#endif 198 199 ret = _krb5_cc_allocate(context, ops, id); 200 if (ret) { 201#ifdef KRB5_USE_PATH_TOKENS 202 if (exp_residual) 203 free(exp_residual); 204#endif 205 return ret; 206 } 207 208 ret = (*id)->ops->resolve(context, id, residual); 209 if(ret) { 210 free(*id); 211 *id = NULL; 212 } 213 214#ifdef KRB5_USE_PATH_TOKENS 215 if (exp_residual) 216 free(exp_residual); 217#endif 218 219 return ret; 220} 221 222static int 223is_possible_path_name(const char * name) 224{ 225 const char * colon; 226 227 if ((colon = strchr(name, ':')) == NULL) 228 return TRUE; 229 230#ifdef _WIN32 231 /* <drive letter>:\path\to\cache ? */ 232 233 if (colon == name + 1 && 234 strchr(colon + 1, ':') == NULL) 235 return TRUE; 236#endif 237 238 return FALSE; 239} 240 241/** 242 * Find and allocate a ccache in `id' from the specification in `residual'. 243 * If the ccache name doesn't contain any colon, interpret it as a file name. 244 * 245 * @param context a Keberos context. 246 * @param name string name of a credential cache. 247 * @param id return pointer to a found credential cache. 248 * 249 * @return Return 0 or an error code. In case of an error, id is set 250 * to NULL, see krb5_get_error_message(). 251 * 252 * @ingroup krb5_ccache 253 */ 254 255 256KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 257krb5_cc_resolve(krb5_context context, 258 const char *name, 259 krb5_ccache *id) 260{ 261 int i; 262 263 *id = NULL; 264 265 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) { 266 size_t prefix_len = strlen(context->cc_ops[i]->prefix); 267 268 if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0 269 && name[prefix_len] == ':') { 270 return allocate_ccache (context, context->cc_ops[i], 271 name + prefix_len + 1, 272 id); 273 } 274 } 275 if (is_possible_path_name(name)) 276 return allocate_ccache (context, &krb5_fcc_ops, name, id); 277 else { 278 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 279 N_("unknown ccache type %s", "name"), name); 280 return KRB5_CC_UNKNOWN_TYPE; 281 } 282} 283 284/** 285 * Generates a new unique ccache of `type` in `id'. If `type' is NULL, 286 * the library chooses the default credential cache type. The supplied 287 * `hint' (that can be NULL) is a string that the credential cache 288 * type can use to base the name of the credential on, this is to make 289 * it easier for the user to differentiate the credentials. 290 * 291 * @return Return an error code or 0, see krb5_get_error_message(). 292 * 293 * @ingroup krb5_ccache 294 */ 295 296KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 297krb5_cc_new_unique(krb5_context context, const char *type, 298 const char *hint, krb5_ccache *id) 299{ 300 const krb5_cc_ops *ops; 301 krb5_error_code ret; 302 303 ops = krb5_cc_get_prefix_ops(context, type); 304 if (ops == NULL) { 305 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 306 "Credential cache type %s is unknown", type); 307 return KRB5_CC_UNKNOWN_TYPE; 308 } 309 310 ret = _krb5_cc_allocate(context, ops, id); 311 if (ret) 312 return ret; 313 ret = (*id)->ops->gen_new(context, id); 314 if (ret) { 315 free(*id); 316 *id = NULL; 317 } 318 return ret; 319} 320 321/** 322 * Return the name of the ccache `id' 323 * 324 * @ingroup krb5_ccache 325 */ 326 327 328KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL 329krb5_cc_get_name(krb5_context context, 330 krb5_ccache id) 331{ 332 return id->ops->get_name(context, id); 333} 334 335/** 336 * Return the type of the ccache `id'. 337 * 338 * @ingroup krb5_ccache 339 */ 340 341 342KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL 343krb5_cc_get_type(krb5_context context, 344 krb5_ccache id) 345{ 346 return id->ops->prefix; 347} 348 349/** 350 * Return the complete resolvable name the cache 351 352 * @param context a Keberos context 353 * @param id return pointer to a found credential cache 354 * @param str the returned name of a credential cache, free with krb5_xfree() 355 * 356 * @return Returns 0 or an error (and then *str is set to NULL). 357 * 358 * @ingroup krb5_ccache 359 */ 360 361 362KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 363krb5_cc_get_full_name(krb5_context context, 364 krb5_ccache id, 365 char **str) 366{ 367 const char *type, *name; 368 369 *str = NULL; 370 371 type = krb5_cc_get_type(context, id); 372 if (type == NULL) { 373 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 374 "cache have no name of type"); 375 return KRB5_CC_UNKNOWN_TYPE; 376 } 377 378 name = krb5_cc_get_name(context, id); 379 if (name == NULL) { 380 krb5_set_error_message(context, KRB5_CC_BADNAME, 381 "cache of type %s have no name", type); 382 return KRB5_CC_BADNAME; 383 } 384 385 if (asprintf(str, "%s:%s", type, name) == -1) { 386 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 387 *str = NULL; 388 return ENOMEM; 389 } 390 return 0; 391} 392 393/** 394 * Return krb5_cc_ops of a the ccache `id'. 395 * 396 * @ingroup krb5_ccache 397 */ 398 399 400KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL 401krb5_cc_get_ops(krb5_context context, krb5_ccache id) 402{ 403 return id->ops; 404} 405 406/* 407 * Expand variables in `str' into `res' 408 */ 409 410krb5_error_code 411_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res) 412{ 413 return _krb5_expand_path_tokens(context, str, res); 414} 415 416/* 417 * Return non-zero if envirnoment that will determine default krb5cc 418 * name has changed. 419 */ 420 421static int 422environment_changed(krb5_context context) 423{ 424 const char *e; 425 426 /* if the cc name was set, don't change it */ 427 if (context->default_cc_name_set) 428 return 0; 429 430 /* XXX performance: always ask KCM/API if default name has changed */ 431 if (context->default_cc_name && 432 (strncmp(context->default_cc_name, "KCM:", 4) == 0 || 433 strncmp(context->default_cc_name, "API:", 4) == 0 || 434 strncmp(context->default_cc_name, "KCC:", 4) == 0)) 435 return 1; 436 437 if(issuid()) 438 return 0; 439 440 e = getenv("KRB5CCNAME"); 441 if (e == NULL) { 442 if (context->default_cc_name_env) { 443 free(context->default_cc_name_env); 444 context->default_cc_name_env = NULL; 445 return 1; 446 } 447 } else { 448 if (context->default_cc_name_env == NULL) 449 return 1; 450 if (strcmp(e, context->default_cc_name_env) != 0) 451 return 1; 452 } 453 return 0; 454} 455 456/** 457 * Switch the default default credential cache for a specific 458 * credcache type (and name for some implementations). 459 * 460 * @return Return an error code or 0, see krb5_get_error_message(). 461 * 462 * @ingroup krb5_ccache 463 */ 464 465KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 466krb5_cc_switch(krb5_context context, krb5_ccache id) 467{ 468#ifdef _WIN32 469 _krb5_set_default_cc_name_to_registry(context, id); 470#endif 471 472 if (id->ops->set_default == NULL) 473 return 0; 474 475 return (*id->ops->set_default)(context, id); 476} 477 478/** 479 * Return true if the default credential cache support switch 480 * 481 * @ingroup krb5_ccache 482 */ 483 484KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 485krb5_cc_support_switch(krb5_context context, const char *type) 486{ 487 const krb5_cc_ops *ops; 488 489 ops = krb5_cc_get_prefix_ops(context, type); 490 if (ops && ops->set_default) 491 return 1; 492 return FALSE; 493} 494 495/** 496 * Set the default cc name for `context' to `name'. 497 * 498 * @param context a krb5 context 499 * @param name if set, will use this as the default name, if NULL, default name will be set 500 * 501 * @return Return an error code or 0, see krb5_get_error_message(). 502 * 503 * @ingroup krb5_ccache 504 */ 505 506KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 507krb5_cc_set_default_name(krb5_context context, const char *name) 508{ 509 krb5_error_code ret = 0; 510 char *p = NULL, *exp_p = NULL; 511 512 if (name == NULL) { 513 const char *e = NULL; 514 515 if(!issuid()) { 516 e = getenv("KRB5CCPRINCIPAL"); 517 if (e) { 518 krb5_principal client; 519 krb5_ccache id; 520 521 if (e[0] == '@') { 522 client = calloc(1, sizeof(*client)); 523 if (client == NULL) 524 return krb5_enomem(context); 525 client->realm = strdup(&e[1]); 526 if (client->realm == NULL) { 527 free(client); 528 return krb5_enomem(context); 529 } 530 } else { 531 ret = krb5_parse_name(context, e, &client); 532 if (ret) 533 return ret; 534 } 535 536 ret = krb5_cc_cache_match(context, client, &id); 537 if (ret == 0) { 538 krb5_cc_get_full_name(context, id, &p); 539 krb5_cc_close(context, id); 540 } 541 } 542 if (p == NULL) { 543 e = getenv("KRB5CCNAME"); 544 if (e) 545 p = strdup(e); 546 } 547 if (p) { 548 if (context->default_cc_name_env) 549 free(context->default_cc_name_env); 550 context->default_cc_name_env = strdup(p); 551 } 552 } 553 554#ifdef _WIN32 555 if (e == NULL) { 556 e = p = _krb5_get_default_cc_name_from_registry(context); 557 } 558#endif 559 if (e == NULL) { 560 e = krb5_config_get_string(context, NULL, "libdefaults", 561 "default_cc_name", NULL); 562 if (e) { 563 ret = _krb5_expand_default_cc_name(context, e, &p); 564 if (ret) 565 return ret; 566 } 567 if (e == NULL) { 568 const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE; 569 e = krb5_config_get_string(context, NULL, "libdefaults", 570 "default_cc_type", NULL); 571 if (e) { 572 ops = krb5_cc_get_prefix_ops(context, e); 573 if (ops == NULL) { 574 krb5_set_error_message(context, 575 KRB5_CC_UNKNOWN_TYPE, 576 "Credential cache type %s " 577 "is unknown", e); 578 return KRB5_CC_UNKNOWN_TYPE; 579 } 580 } 581 ret = (*ops->get_default_name)(context, &p); 582 if (ret) 583 return ret; 584 } 585 } 586 context->default_cc_name_set = 0; 587 } else { 588 p = strdup(name); 589 context->default_cc_name_set = 1; 590 } 591 592 if (p == NULL) { 593 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 594 return ENOMEM; 595 } 596 597 ret = _krb5_expand_path_tokens(context, p, &exp_p); 598 free(p); 599 if (ret) 600 return ret; 601 602 if (context->default_cc_name) 603 free(context->default_cc_name); 604 605 context->default_cc_name = exp_p; 606 607 return 0; 608} 609 610/** 611 * Return a pointer to a context static string containing the default 612 * ccache name. 613 * 614 * @return String to the default credential cache name. 615 * 616 * @ingroup krb5_ccache 617 */ 618 619 620KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL 621krb5_cc_default_name(krb5_context context) 622{ 623 if (context->default_cc_name == NULL || environment_changed(context)) 624 krb5_cc_set_default_name(context, NULL); 625 626 return context->default_cc_name; 627} 628 629/** 630 * Open the default ccache in `id'. 631 * 632 * @return Return an error code or 0, see krb5_get_error_message(). 633 * 634 * @ingroup krb5_ccache 635 */ 636 637 638KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 639krb5_cc_default(krb5_context context, 640 krb5_ccache *id) 641{ 642 const char *p = krb5_cc_default_name(context); 643 644 if (p == NULL) { 645 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 646 return ENOMEM; 647 } 648 return krb5_cc_resolve(context, p, id); 649} 650 651/** 652 * Create a new ccache in `id' for `primary_principal'. 653 * 654 * @return Return an error code or 0, see krb5_get_error_message(). 655 * 656 * @ingroup krb5_ccache 657 */ 658 659 660KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 661krb5_cc_initialize(krb5_context context, 662 krb5_ccache id, 663 krb5_principal primary_principal) 664{ 665 return (*id->ops->init)(context, id, primary_principal); 666} 667 668 669/** 670 * Remove the ccache `id'. 671 * 672 * @return Return an error code or 0, see krb5_get_error_message(). 673 * 674 * @ingroup krb5_ccache 675 */ 676 677 678KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 679krb5_cc_destroy(krb5_context context, 680 krb5_ccache id) 681{ 682 krb5_error_code ret; 683 684 ret = (*id->ops->destroy)(context, id); 685 krb5_cc_close (context, id); 686 return ret; 687} 688 689/** 690 * Stop using the ccache `id' and free the related resources. 691 * 692 * @return Return an error code or 0, see krb5_get_error_message(). 693 * 694 * @ingroup krb5_ccache 695 */ 696 697 698KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 699krb5_cc_close(krb5_context context, 700 krb5_ccache id) 701{ 702 krb5_error_code ret; 703 ret = (*id->ops->close)(context, id); 704 free(id); 705 return ret; 706} 707 708/** 709 * Store `creds' in the ccache `id'. 710 * 711 * @return Return an error code or 0, see krb5_get_error_message(). 712 * 713 * @ingroup krb5_ccache 714 */ 715 716 717KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 718krb5_cc_store_cred(krb5_context context, 719 krb5_ccache id, 720 krb5_creds *creds) 721{ 722 return (*id->ops->store)(context, id, creds); 723} 724 725/* 726 * To linear search for name in credential cache 727 */ 728 729static krb5_error_code 730retrieve_cred(krb5_context context, 731 krb5_ccache id, 732 krb5_flags whichfields, 733 const krb5_creds *mcreds, 734 krb5_creds *creds) 735{ 736 krb5_error_code ret; 737 krb5_cc_cursor cursor; 738 739 ret = krb5_cc_start_seq_get(context, id, &cursor); 740 if (ret) 741 return ret; 742 while ((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0) { 743 if (krb5_compare_creds(context, whichfields, mcreds, creds)) { 744 ret = 0; 745 break; 746 } 747 krb5_free_cred_contents(context, creds); 748 } 749 krb5_cc_end_seq_get(context, id, &cursor); 750 751 return ret; 752} 753 754/** 755 * Retrieve the credential identified by `mcreds' (and `whichfields') 756 * from `id' in `creds'. 'creds' must be free by the caller using 757 * krb5_free_cred_contents. 758 * 759 * @param context A Kerberos 5 context 760 * @param id a Kerberos 5 credential cache 761 * @param whichfields what fields to use for matching credentials, same 762 * flags as whichfields in krb5_compare_creds() 763 * @param mcreds template credential to use for comparing 764 * @param creds returned credential, free with krb5_free_cred_contents() 765 * 766 * @return Return an error code or 0, see krb5_get_error_message(). 767 * 768 * @ingroup krb5_ccache 769 */ 770 771KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 772krb5_cc_retrieve_cred(krb5_context context, 773 krb5_ccache id, 774 krb5_flags whichfields, 775 const krb5_creds *mcreds, 776 krb5_creds *creds) 777{ 778 krb5_error_code ret; 779 780 if (id->ops->retrieve != NULL) { 781 ret = id->ops->retrieve(context, id, whichfields, mcreds, creds); 782 } else { 783 ret = retrieve_cred(context, id, whichfields, mcreds, creds); 784 785 if ((ret == KRB5_CC_END) && (whichfields & KRB5_TC_MATCH_REFERRAL)) 786 ret = retrieve_cred(context, id, 787 whichfields | KRB5_TC_DONT_MATCH_REALM, 788 mcreds, creds); 789 } 790 791 /** 792 * When not finding the credential when we reached the credential 793 * cache, the error code KRB5_CC_NOTFOUND is returned. 794 */ 795 if (ret == KRB5_CC_END) { 796 char *fn = NULL, *name = NULL; 797 798 ret = KRB5_CC_NOTFOUND; 799 krb5_cc_get_full_name(context, id, &fn); 800 krb5_unparse_name(context, mcreds->server, &name); 801 krb5_set_error_message(context, ret, "Did not find credential for %s in cache %s", 802 name ? name : "server", 803 fn ? fn : "unknown"); 804 free(fn); 805 free(name); 806 } 807 return ret; 808} 809 810/** 811 * Return the principal of `id' in `principal'. 812 * 813 * @return Return an error code or 0, see krb5_get_error_message(). 814 * 815 * @ingroup krb5_ccache 816 */ 817 818 819KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 820krb5_cc_get_principal(krb5_context context, 821 krb5_ccache id, 822 krb5_principal *principal) 823{ 824 return (*id->ops->get_princ)(context, id, principal); 825} 826 827/** 828 * Start iterating over `id', `cursor' is initialized to the 829 * beginning. Caller must free the cursor with krb5_cc_end_seq_get(). 830 * 831 * @return Return an error code or 0, see krb5_get_error_message(). 832 * 833 * @ingroup krb5_ccache 834 */ 835 836 837KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 838krb5_cc_start_seq_get (krb5_context context, 839 const krb5_ccache id, 840 krb5_cc_cursor *cursor) 841{ 842 return (*id->ops->get_first)(context, id, cursor); 843} 844 845/** 846 * Retrieve the next cred pointed to by (`id', `cursor') in `creds' 847 * and advance `cursor'. 848 * 849 * @return Return an error code or 0, see krb5_get_error_message(). 850 * 851 * @ingroup krb5_ccache 852 */ 853 854 855KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 856krb5_cc_next_cred (krb5_context context, 857 const krb5_ccache id, 858 krb5_cc_cursor *cursor, 859 krb5_creds *creds) 860{ 861 return (*id->ops->get_next)(context, id, cursor, creds); 862} 863 864/** 865 * Destroy the cursor `cursor'. 866 * 867 * @ingroup krb5_ccache 868 */ 869 870 871KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 872krb5_cc_end_seq_get (krb5_context context, 873 const krb5_ccache id, 874 krb5_cc_cursor *cursor) 875{ 876 return (*id->ops->end_get)(context, id, cursor); 877} 878 879/** 880 * Remove the credential identified by `cred', `which' from `id'. 881 * 882 * @ingroup krb5_ccache 883 */ 884 885 886KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 887krb5_cc_remove_cred(krb5_context context, 888 krb5_ccache id, 889 krb5_flags which, 890 krb5_creds *cred) 891{ 892 if(id->ops->remove_cred == NULL) { 893 krb5_set_error_message(context, 894 EACCES, 895 "ccache %s does not support remove_cred", 896 id->ops->prefix); 897 return EACCES; /* XXX */ 898 } 899 return (*id->ops->remove_cred)(context, id, which, cred); 900} 901 902/** 903 * Set the flags of `id' to `flags'. 904 * 905 * @ingroup krb5_ccache 906 */ 907 908 909KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 910krb5_cc_set_flags(krb5_context context, 911 krb5_ccache id, 912 krb5_flags flags) 913{ 914 return (*id->ops->set_flags)(context, id, flags); 915} 916 917/** 918 * Get the flags of `id', store them in `flags'. 919 * 920 * @ingroup krb5_ccache 921 */ 922 923KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 924krb5_cc_get_flags(krb5_context context, 925 krb5_ccache id, 926 krb5_flags *flags) 927{ 928 *flags = 0; 929 return 0; 930} 931 932/** 933 * Copy the contents of `from' to `to' if the given match function 934 * return true. 935 * 936 * @param context A Kerberos 5 context. 937 * @param from the cache to copy data from. 938 * @param to the cache to copy data to. 939 * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied. 940 * @param matchctx context passed to match function. 941 * @param matched set to true if there was a credential that matched, may be NULL. 942 * 943 * @return Return an error code or 0, see krb5_get_error_message(). 944 * 945 * @ingroup krb5_ccache 946 */ 947 948KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 949krb5_cc_copy_match_f(krb5_context context, 950 const krb5_ccache from, 951 krb5_ccache to, 952 krb5_boolean (*match)(krb5_context, void *, const krb5_creds *), 953 void *matchctx, 954 unsigned int *matched) 955{ 956 krb5_error_code ret; 957 krb5_cc_cursor cursor; 958 krb5_creds cred; 959 krb5_principal princ; 960 961 if (matched) 962 *matched = 0; 963 964 ret = krb5_cc_get_principal(context, from, &princ); 965 if (ret) 966 return ret; 967 ret = krb5_cc_initialize(context, to, princ); 968 if (ret) { 969 krb5_free_principal(context, princ); 970 return ret; 971 } 972 ret = krb5_cc_start_seq_get(context, from, &cursor); 973 if (ret) { 974 krb5_free_principal(context, princ); 975 return ret; 976 } 977 978 while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) { 979 if (match == NULL || (*match)(context, matchctx, &cred)) { 980 if (matched) 981 (*matched)++; 982 ret = krb5_cc_store_cred(context, to, &cred); 983 if (ret) 984 break; 985 } 986 krb5_free_cred_contents(context, &cred); 987 } 988 krb5_cc_end_seq_get(context, from, &cursor); 989 krb5_free_principal(context, princ); 990 if (ret == KRB5_CC_END) 991 ret = 0; 992 return ret; 993} 994 995/** 996 * Just like krb5_cc_copy_match_f(), but copy everything. 997 * 998 * @ingroup @krb5_ccache 999 */ 1000 1001KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1002krb5_cc_copy_cache(krb5_context context, 1003 const krb5_ccache from, 1004 krb5_ccache to) 1005{ 1006 return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL); 1007} 1008 1009/** 1010 * Return the version of `id'. 1011 * 1012 * @ingroup krb5_ccache 1013 */ 1014 1015 1016KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1017krb5_cc_get_version(krb5_context context, 1018 const krb5_ccache id) 1019{ 1020 if(id->ops->get_version) 1021 return (*id->ops->get_version)(context, id); 1022 else 1023 return 0; 1024} 1025 1026/** 1027 * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred 1028 * 1029 * @ingroup krb5_ccache 1030 */ 1031 1032 1033KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1034krb5_cc_clear_mcred(krb5_creds *mcred) 1035{ 1036 memset(mcred, 0, sizeof(*mcred)); 1037} 1038 1039/** 1040 * Get the cc ops that is registered in `context' to handle the 1041 * prefix. prefix can be a complete credential cache name or a 1042 * prefix, the function will only use part up to the first colon (:) 1043 * if there is one. If prefix the argument is NULL, the default ccache 1044 * implemtation is returned. 1045 * 1046 * @return Returns NULL if ops not found. 1047 * 1048 * @ingroup krb5_ccache 1049 */ 1050 1051 1052KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL 1053krb5_cc_get_prefix_ops(krb5_context context, const char *prefix) 1054{ 1055 char *p, *p1; 1056 int i; 1057 1058 if (prefix == NULL) 1059 return KRB5_DEFAULT_CCTYPE; 1060 if (prefix[0] == '/') 1061 return &krb5_fcc_ops; 1062 1063 p = strdup(prefix); 1064 if (p == NULL) { 1065 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 1066 return NULL; 1067 } 1068 p1 = strchr(p, ':'); 1069 if (p1) 1070 *p1 = '\0'; 1071 1072 for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) { 1073 if(strcmp(context->cc_ops[i]->prefix, p) == 0) { 1074 free(p); 1075 return context->cc_ops[i]; 1076 } 1077 } 1078 free(p); 1079 return NULL; 1080} 1081 1082struct krb5_cc_cache_cursor_data { 1083 const krb5_cc_ops *ops; 1084 krb5_cc_cursor cursor; 1085}; 1086 1087/** 1088 * Start iterating over all caches of specified type. See also 1089 * krb5_cccol_cursor_new(). 1090 1091 * @param context A Kerberos 5 context 1092 * @param type optional type to iterate over, if NULL, the default cache is used. 1093 * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get(). 1094 * 1095 * @return Return an error code or 0, see krb5_get_error_message(). 1096 * 1097 * @ingroup krb5_ccache 1098 */ 1099 1100 1101KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1102krb5_cc_cache_get_first (krb5_context context, 1103 const char *type, 1104 krb5_cc_cache_cursor *cursor) 1105{ 1106 const krb5_cc_ops *ops; 1107 krb5_error_code ret; 1108 1109 if (type == NULL) 1110 type = krb5_cc_default_name(context); 1111 1112 ops = krb5_cc_get_prefix_ops(context, type); 1113 if (ops == NULL) { 1114 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1115 "Unknown type \"%s\" when iterating " 1116 "trying to iterate the credential caches", type); 1117 return KRB5_CC_UNKNOWN_TYPE; 1118 } 1119 1120 if (ops->get_cache_first == NULL) { 1121 krb5_set_error_message(context, KRB5_CC_NOSUPP, 1122 N_("Credential cache type %s doesn't support " 1123 "iterations over caches", "type"), 1124 ops->prefix); 1125 return KRB5_CC_NOSUPP; 1126 } 1127 1128 *cursor = calloc(1, sizeof(**cursor)); 1129 if (*cursor == NULL) { 1130 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 1131 return ENOMEM; 1132 } 1133 1134 (*cursor)->ops = ops; 1135 1136 ret = ops->get_cache_first(context, &(*cursor)->cursor); 1137 if (ret) { 1138 free(*cursor); 1139 *cursor = NULL; 1140 } 1141 return ret; 1142} 1143 1144/** 1145 * Retrieve the next cache pointed to by (`cursor') in `id' 1146 * and advance `cursor'. 1147 * 1148 * @param context A Kerberos 5 context 1149 * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first() 1150 * @param id next ccache 1151 * 1152 * @return Return 0 or an error code. Returns KRB5_CC_END when the end 1153 * of caches is reached, see krb5_get_error_message(). 1154 * 1155 * @ingroup krb5_ccache 1156 */ 1157 1158 1159KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1160krb5_cc_cache_next (krb5_context context, 1161 krb5_cc_cache_cursor cursor, 1162 krb5_ccache *id) 1163{ 1164 return cursor->ops->get_cache_next(context, cursor->cursor, id); 1165} 1166 1167/** 1168 * Destroy the cursor `cursor'. 1169 * 1170 * @return Return an error code or 0, see krb5_get_error_message(). 1171 * 1172 * @ingroup krb5_ccache 1173 */ 1174 1175 1176KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1177krb5_cc_cache_end_seq_get (krb5_context context, 1178 krb5_cc_cache_cursor cursor) 1179{ 1180 krb5_error_code ret; 1181 ret = cursor->ops->end_cache_get(context, cursor->cursor); 1182 cursor->ops = NULL; 1183 free(cursor); 1184 return ret; 1185} 1186 1187/** 1188 * Search for a matching credential cache that have the 1189 * `principal' as the default principal. On success, `id' needs to be 1190 * freed with krb5_cc_close() or krb5_cc_destroy(). 1191 * 1192 * If the input principal have 0 name_string, the code will only 1193 * compare the realm (and ignore the name_strings of the pricipal in 1194 * the cache). 1195 * 1196 * @param context A Kerberos 5 context 1197 * @param client The principal to search for 1198 * @param id the returned credential cache 1199 * 1200 * @return On failure, error code is returned and `id' is set to NULL. 1201 * 1202 * @ingroup krb5_ccache 1203 */ 1204 1205 1206KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1207krb5_cc_cache_match (krb5_context context, 1208 krb5_principal client, 1209 krb5_ccache *id) 1210{ 1211 krb5_cccol_cursor cursor; 1212 krb5_error_code ret; 1213 krb5_ccache cache = NULL; 1214 krb5_ccache expired_match = NULL; 1215 1216 *id = NULL; 1217 1218 ret = krb5_cccol_cursor_new (context, &cursor); 1219 if (ret) 1220 return ret; 1221 1222 while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) { 1223 krb5_principal principal; 1224 krb5_boolean match; 1225 time_t lifetime; 1226 1227 ret = krb5_cc_get_principal(context, cache, &principal); 1228 if (ret) 1229 goto next; 1230 1231 if (client->name.name_string.len == 0) 1232 match = (strcmp(client->realm, principal->realm) == 0); 1233 else 1234 match = krb5_principal_compare(context, principal, client); 1235 krb5_free_principal(context, principal); 1236 1237 if (!match) 1238 goto next; 1239 1240 if (expired_match == NULL && 1241 (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) { 1242 expired_match = cache; 1243 cache = NULL; 1244 goto next; 1245 } 1246 break; 1247 1248 next: 1249 if (cache) 1250 krb5_cc_close(context, cache); 1251 cache = NULL; 1252 } 1253 1254 krb5_cccol_cursor_free(context, &cursor); 1255 1256 if (cache == NULL && expired_match) { 1257 cache = expired_match; 1258 expired_match = NULL; 1259 } else if (expired_match) { 1260 krb5_cc_close(context, expired_match); 1261 } else if (cache == NULL) { 1262 char *str; 1263 1264 krb5_unparse_name(context, client, &str); 1265 1266 krb5_set_error_message(context, KRB5_CC_NOTFOUND, 1267 N_("Principal %s not found in any " 1268 "credential cache", ""), 1269 str ? str : "<out of memory>"); 1270 if (str) 1271 free(str); 1272 return KRB5_CC_NOTFOUND; 1273 } 1274 1275 *id = cache; 1276 1277 return 0; 1278} 1279 1280/** 1281 * Move the content from one credential cache to another. The 1282 * operation is an atomic switch. 1283 * 1284 * @param context a Keberos context 1285 * @param from the credential cache to move the content from 1286 * @param to the credential cache to move the content to 1287 1288 * @return On sucess, from is freed. On failure, error code is 1289 * returned and from and to are both still allocated, see krb5_get_error_message(). 1290 * 1291 * @ingroup krb5_ccache 1292 */ 1293 1294KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1295krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to) 1296{ 1297 krb5_error_code ret; 1298 1299 if (strcmp(from->ops->prefix, to->ops->prefix) != 0) { 1300 krb5_set_error_message(context, KRB5_CC_NOSUPP, 1301 N_("Moving credentials between diffrent " 1302 "types not yet supported", "")); 1303 return KRB5_CC_NOSUPP; 1304 } 1305 1306 ret = (*to->ops->move)(context, from, to); 1307 if (ret == 0) { 1308 memset(from, 0, sizeof(*from)); 1309 free(from); 1310 } 1311 return ret; 1312} 1313 1314#define KRB5_CONF_NAME "krb5_ccache_conf_data" 1315#define KRB5_REALM_NAME "X-CACHECONF:" 1316 1317static krb5_error_code 1318build_conf_principals(krb5_context context, krb5_ccache id, 1319 krb5_const_principal principal, 1320 const char *name, krb5_creds *cred) 1321{ 1322 krb5_principal client; 1323 krb5_error_code ret; 1324 char *pname = NULL; 1325 1326 memset(cred, 0, sizeof(*cred)); 1327 1328 ret = krb5_cc_get_principal(context, id, &client); 1329 if (ret) 1330 return ret; 1331 1332 if (principal) { 1333 ret = krb5_unparse_name(context, principal, &pname); 1334 if (ret) 1335 return ret; 1336 } 1337 1338 ret = krb5_make_principal(context, &cred->server, 1339 KRB5_REALM_NAME, 1340 KRB5_CONF_NAME, name, pname, NULL); 1341 free(pname); 1342 if (ret) { 1343 krb5_free_principal(context, client); 1344 return ret; 1345 } 1346 ret = krb5_copy_principal(context, client, &cred->client); 1347 krb5_free_principal(context, client); 1348 return ret; 1349} 1350 1351/** 1352 * Return TRUE (non zero) if the principal is a configuration 1353 * principal (generated part of krb5_cc_set_config()). Returns FALSE 1354 * (zero) if not a configuration principal. 1355 * 1356 * @param context a Keberos context 1357 * @param principal principal to check if it a configuration principal 1358 * 1359 * @ingroup krb5_ccache 1360 */ 1361 1362KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1363krb5_is_config_principal(krb5_context context, 1364 krb5_const_principal principal) 1365{ 1366 if (strcmp(principal->realm, KRB5_REALM_NAME) != 0) 1367 return FALSE; 1368 1369 if (principal->name.name_string.len == 0 || 1370 strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0) 1371 return FALSE; 1372 1373 return TRUE; 1374} 1375 1376/** 1377 * Store some configuration for the credential cache in the cache. 1378 * Existing configuration under the same name is over-written. 1379 * 1380 * @param context a Keberos context 1381 * @param id the credential cache to store the data for 1382 * @param principal configuration for a specific principal, if 1383 * NULL, global for the whole cache. 1384 * @param name name under which the configuraion is stored. 1385 * @param data data to store, if NULL, configure is removed. 1386 * 1387 * @ingroup krb5_ccache 1388 */ 1389 1390KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1391krb5_cc_set_config(krb5_context context, krb5_ccache id, 1392 krb5_const_principal principal, 1393 const char *name, krb5_data *data) 1394{ 1395 krb5_error_code ret; 1396 krb5_creds cred; 1397 1398 ret = build_conf_principals(context, id, principal, name, &cred); 1399 if (ret) 1400 goto out; 1401 1402 /* Remove old configuration */ 1403 ret = krb5_cc_remove_cred(context, id, 0, &cred); 1404 if (ret && ret != KRB5_CC_NOTFOUND) 1405 goto out; 1406 1407 if (data) { 1408 /* make sure expiration time is not past now */ 1409 cred.times.authtime = time(NULL) - 10; 1410 cred.times.endtime = cred.times.authtime; 1411 1412 ret = krb5_data_copy(&cred.ticket, data->data, data->length); 1413 if (ret) 1414 goto out; 1415 1416 ret = krb5_cc_store_cred(context, id, &cred); 1417 } 1418 1419out: 1420 krb5_free_cred_contents (context, &cred); 1421 return ret; 1422} 1423 1424/** 1425 * Get some configuration for the credential cache in the cache. 1426 * 1427 * @param context a Keberos context 1428 * @param id the credential cache to store the data for 1429 * @param principal configuration for a specific principal, if 1430 * NULL, global for the whole cache. 1431 * @param name name under which the configuraion is stored. 1432 * @param data data to fetched, free with krb5_data_free() 1433 * 1434 * @ingroup krb5_ccache 1435 */ 1436 1437 1438KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1439krb5_cc_get_config(krb5_context context, krb5_ccache id, 1440 krb5_const_principal principal, 1441 const char *name, krb5_data *data) 1442{ 1443 krb5_creds mcred, cred; 1444 krb5_error_code ret; 1445 1446 memset(&cred, 0, sizeof(cred)); 1447 krb5_data_zero(data); 1448 1449 ret = build_conf_principals(context, id, principal, name, &mcred); 1450 if (ret) 1451 goto out; 1452 1453 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); 1454 if (ret) 1455 goto out; 1456 1457 ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length); 1458 1459out: 1460 krb5_free_cred_contents (context, &cred); 1461 krb5_free_cred_contents (context, &mcred); 1462 return ret; 1463} 1464 1465/* 1466 * 1467 */ 1468 1469struct krb5_cccol_cursor_data { 1470 int idx; 1471 krb5_cc_cache_cursor cursor; 1472 char *env_cache; 1473}; 1474 1475/** 1476 * Get a new cache interation cursor that will interate over all 1477 * credentials caches independent of type. 1478 * 1479 * @param context a Keberos context 1480 * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free(). 1481 * 1482 * @return Returns 0 or and error code, see krb5_get_error_message(). 1483 * 1484 * @ingroup krb5_ccache 1485 */ 1486 1487KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1488krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor) 1489{ 1490 *cursor = calloc(1, sizeof(**cursor)); 1491 if (*cursor == NULL) { 1492 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 1493 return ENOMEM; 1494 } 1495 (*cursor)->idx = -1; 1496 1497 return 0; 1498} 1499 1500/** 1501 * Get next credential cache from the iteration. 1502 * 1503 * @param context A Kerberos 5 context 1504 * @param cursor the iteration cursor 1505 * @param cache the returned cursor, pointer is set to NULL on failure 1506 * and a cache on success. The returned cache needs to be freed 1507 * with krb5_cc_close() or destroyed with krb5_cc_destroy(). 1508 * MIT Kerberos behavies slightly diffrent and sets cache to NULL 1509 * when all caches are iterated over and return 0. 1510 * 1511 * @return Return 0 or and error, KRB5_CC_END is returned at the end 1512 * of iteration. See krb5_get_error_message(). 1513 * 1514 * @ingroup krb5_ccache 1515 */ 1516 1517 1518KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1519krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, 1520 krb5_ccache *cache) 1521{ 1522 krb5_error_code ret; 1523 1524 *cache = NULL; 1525 1526 if (cursor->idx == -1) { 1527 char *env = getenv("KRB5CCNAME"); 1528 cursor->idx++; 1529 if (env != NULL) { 1530 ret = krb5_cc_resolve(context, env, cache); 1531 if (ret == 0) { 1532 krb5_cc_get_full_name(context, *cache, &cursor->env_cache); 1533 return 0; 1534 } 1535 } 1536 } 1537 while (cursor->idx < context->num_cc_ops) { 1538 1539 if (cursor->cursor == NULL) { 1540 ret = krb5_cc_cache_get_first (context, 1541 context->cc_ops[cursor->idx]->prefix, 1542 &cursor->cursor); 1543 if (ret) { 1544 cursor->idx++; 1545 continue; 1546 } 1547 } 1548 ret = krb5_cc_cache_next(context, cursor->cursor, cache); 1549 if (ret == 0) { 1550 if (cursor->env_cache) { 1551 char *full_name = NULL; 1552 if (krb5_cc_get_full_name(context, *cache, &full_name) == 0) { 1553 if (strcmp(cursor->env_cache, full_name) == 0) { 1554 free(full_name); 1555 continue; 1556 } 1557 free(full_name); 1558 } 1559 } 1560 break; 1561 } 1562 1563 krb5_cc_cache_end_seq_get(context, cursor->cursor); 1564 cursor->cursor = NULL; 1565 if (ret != KRB5_CC_END) 1566 break; 1567 1568 cursor->idx++; 1569 } 1570 if (cursor->idx >= context->num_cc_ops) { 1571 krb5_set_error_message(context, KRB5_CC_END, 1572 N_("Reached end of credential caches", "")); 1573 return KRB5_CC_END; 1574 } 1575 1576 return 0; 1577} 1578 1579/** 1580 * End an iteration and free all resources, can be done before end is reached. 1581 * 1582 * @param context A Kerberos 5 context 1583 * @param cursor the iteration cursor to be freed. 1584 * 1585 * @return Return 0 or and error, KRB5_CC_END is returned at the end 1586 * of iteration. See krb5_get_error_message(). 1587 * 1588 * @ingroup krb5_ccache 1589 */ 1590 1591KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1592krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor) 1593{ 1594 krb5_cccol_cursor c = *cursor; 1595 1596 *cursor = NULL; 1597 if (c) { 1598 if (c->cursor) 1599 krb5_cc_cache_end_seq_get(context, c->cursor); 1600 if (c->env_cache) 1601 free(c->env_cache); 1602 free(c); 1603 } 1604 return 0; 1605} 1606 1607/** 1608 * Return the last time the credential cache was modified. 1609 * 1610 * @param context A Kerberos 5 context 1611 * @param id The credential cache to probe 1612 * @param mtime the last modification time, set to 0 on error. 1613 1614 * @return Return 0 or and error. See krb5_get_error_message(). 1615 * 1616 * @ingroup krb5_ccache 1617 */ 1618 1619 1620KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1621krb5_cc_last_change_time(krb5_context context, 1622 krb5_ccache id, 1623 krb5_timestamp *mtime) 1624{ 1625 *mtime = 0; 1626 return (*id->ops->lastchange)(context, id, mtime); 1627} 1628 1629/** 1630 * Return the last modfication time for a cache collection. The query 1631 * can be limited to a specific cache type. If the function return 0 1632 * and mtime is 0, there was no credentials in the caches. 1633 * 1634 * @param context A Kerberos 5 context 1635 * @param type The credential cache to probe, if NULL, all type are traversed. 1636 * @param mtime the last modification time, set to 0 on error. 1637 1638 * @return Return 0 or and error. See krb5_get_error_message(). 1639 * 1640 * @ingroup krb5_ccache 1641 */ 1642 1643KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1644krb5_cccol_last_change_time(krb5_context context, 1645 const char *type, 1646 krb5_timestamp *mtime) 1647{ 1648 krb5_cccol_cursor cursor; 1649 krb5_error_code ret; 1650 krb5_ccache id; 1651 krb5_timestamp t = 0; 1652 1653 *mtime = 0; 1654 1655 ret = krb5_cccol_cursor_new (context, &cursor); 1656 if (ret) 1657 return ret; 1658 1659 while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) { 1660 1661 if (type && strcmp(krb5_cc_get_type(context, id), type) != 0) 1662 continue; 1663 1664 ret = krb5_cc_last_change_time(context, id, &t); 1665 krb5_cc_close(context, id); 1666 if (ret) 1667 continue; 1668 if (t > *mtime) 1669 *mtime = t; 1670 } 1671 1672 krb5_cccol_cursor_free(context, &cursor); 1673 1674 return 0; 1675} 1676/** 1677 * Return a friendly name on credential cache. Free the result with krb5_xfree(). 1678 * 1679 * @return Return an error code or 0, see krb5_get_error_message(). 1680 * 1681 * @ingroup krb5_ccache 1682 */ 1683 1684KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1685krb5_cc_get_friendly_name(krb5_context context, 1686 krb5_ccache id, 1687 char **name) 1688{ 1689 krb5_error_code ret; 1690 krb5_data data; 1691 1692 ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data); 1693 if (ret) { 1694 krb5_principal principal; 1695 ret = krb5_cc_get_principal(context, id, &principal); 1696 if (ret) 1697 return ret; 1698 ret = krb5_unparse_name(context, principal, name); 1699 krb5_free_principal(context, principal); 1700 } else { 1701 ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data); 1702 krb5_data_free(&data); 1703 if (ret <= 0) { 1704 ret = ENOMEM; 1705 krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); 1706 } else 1707 ret = 0; 1708 } 1709 1710 return ret; 1711} 1712 1713/** 1714 * Set the friendly name on credential cache. 1715 * 1716 * @return Return an error code or 0, see krb5_get_error_message(). 1717 * 1718 * @ingroup krb5_ccache 1719 */ 1720 1721KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1722krb5_cc_set_friendly_name(krb5_context context, 1723 krb5_ccache id, 1724 const char *name) 1725{ 1726 krb5_data data; 1727 1728 data.data = rk_UNCONST(name); 1729 data.length = strlen(name); 1730 1731 return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data); 1732} 1733 1734/** 1735 * Get the aproximate lifetime of credential cache 1736 * 1737 * Time t is always set to a known value, in case of an error, its set to 0. 1738 * 1739 * @param context A Kerberos 5 context. 1740 * @param id a credential cache. 1741 * @param t the relative lifetime of cache. 1742 * 1743 * @return Return an error code or 0, see krb5_get_error_message(). 1744 * 1745 * @ingroup krb5_ccache 1746 */ 1747 1748KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1749krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t) 1750{ 1751 krb5_cc_cursor cursor; 1752 krb5_error_code ret; 1753 krb5_creds cred; 1754 time_t now, endtime = 0; 1755 1756 *t = 0; 1757 now = time(NULL); 1758 1759 ret = krb5_cc_start_seq_get(context, id, &cursor); 1760 if (ret) 1761 return ret; 1762 1763 while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) { 1764 /** 1765 * If we find a krbtgt in the cache, use that as the lifespan. 1766 */ 1767 if (krb5_principal_is_root_krbtgt(context, cred.server)) { 1768 if (now < cred.times.endtime) 1769 endtime = cred.times.endtime; 1770 krb5_free_cred_contents(context, &cred); 1771 break; 1772 } 1773 /* 1774 * Skip config entries 1775 */ 1776 if (krb5_is_config_principal(context, cred.server)) { 1777 krb5_free_cred_contents(context, &cred); 1778 continue; 1779 } 1780 /** 1781 * If there was no krbtgt, use the shortest lifetime of 1782 * service tickets that have yet to expire. If all 1783 * credentials are expired, krb5_cc_get_lifetime() will fail. 1784 */ 1785 if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime) 1786 endtime = cred.times.endtime; 1787 krb5_free_cred_contents(context, &cred); 1788 } 1789 1790 /* if we found an endtime use that */ 1791 if (endtime) { 1792 *t = endtime - now; 1793 ret = 0; 1794 } 1795 1796 krb5_cc_end_seq_get(context, id, &cursor); 1797 1798 return ret; 1799} 1800 1801/** 1802 * Set the time offset betwen the client and the KDC 1803 * 1804 * If the backend doesn't support KDC offset, use the context global setting. 1805 * 1806 * @param context A Kerberos 5 context. 1807 * @param id a credential cache 1808 * @param offset the offset in seconds 1809 * 1810 * @return Return an error code or 0, see krb5_get_error_message(). 1811 * 1812 * @ingroup krb5_ccache 1813 */ 1814 1815KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1816krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset) 1817{ 1818 if (id->ops->set_kdc_offset == NULL) { 1819 context->kdc_sec_offset = (int)offset; 1820 context->kdc_usec_offset = 0; 1821 return 0; 1822 } 1823 return (*id->ops->set_kdc_offset)(context, id, offset); 1824} 1825 1826/** 1827 * Get the time offset betwen the client and the KDC 1828 * 1829 * If the backend doesn't support KDC offset, use the context global setting. 1830 * 1831 * @param context A Kerberos 5 context. 1832 * @param id a credential cache 1833 * @param offset the offset in seconds 1834 * 1835 * @return Return an error code or 0, see krb5_get_error_message(). 1836 * 1837 * @ingroup krb5_ccache 1838 */ 1839 1840KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1841krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset) 1842{ 1843 if (id->ops->get_kdc_offset == NULL) { 1844 *offset = context->kdc_sec_offset; 1845 return 0; 1846 } 1847 return (*id->ops->get_kdc_offset)(context, id, offset); 1848} 1849 1850krb5_error_code 1851krb5_cc_hold(krb5_context context, krb5_ccache id) 1852{ 1853 if (id->ops->hold == 0) 1854 return 0; 1855 return id->ops->hold(context, id); 1856} 1857 1858krb5_error_code 1859krb5_cc_unhold(krb5_context context, krb5_ccache id) 1860{ 1861 if (id->ops->unhold == 0) 1862 return 0; 1863 return id->ops->unhold(context, id); 1864} 1865 1866krb5_error_code 1867krb5_cc_get_uuid(krb5_context context, krb5_ccache id, krb5_uuid uuid) 1868{ 1869 if (id->ops->get_uuid == NULL) { 1870 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1871 "Credential cache type %s doesn't support uuid", 1872 id->ops->prefix); 1873 return KRB5_CC_UNKNOWN_TYPE; 1874 } 1875 return id->ops->get_uuid(context, id, uuid); 1876} 1877 1878krb5_error_code 1879krb5_cc_resolve_by_uuid(krb5_context context, const char *type, 1880 krb5_ccache *id, krb5_uuid uuid) 1881{ 1882 const krb5_cc_ops *ops; 1883 krb5_error_code ret; 1884 1885 if (type) { 1886 ops = krb5_cc_get_prefix_ops(context, type); 1887 if (ops == NULL) { 1888 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1889 "Credential cache type %s is unknown", type); 1890 return KRB5_CC_UNKNOWN_TYPE; 1891 } 1892 } else { 1893 ops = KRB5_DEFAULT_CCTYPE; 1894 } 1895 1896 if (ops->resolve_by_uuid == NULL) { 1897 krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE, 1898 "Credential cache type %s doesn't support uuid", 1899 ops->prefix); 1900 return KRB5_CC_UNKNOWN_TYPE; 1901 } 1902 1903 ret = _krb5_cc_allocate(context, ops, id); 1904 if (ret) 1905 return ret; 1906 ret = (*id)->ops->resolve_by_uuid(context, *id, uuid); 1907 if (ret) { 1908 free(*id); 1909 *id = NULL; 1910 } 1911 return ret; 1912} 1913 1914krb5_error_code 1915krb5_cc_set_acl(krb5_context context, krb5_ccache id, const char *type, void *ptr) 1916{ 1917 if (id->ops->set_acl) 1918 return id->ops->set_acl(context, id, type, ptr); 1919 return 0; 1920} 1921 1922#ifdef _WIN32 1923 1924#define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5" 1925char * 1926_krb5_get_default_cc_name_from_registry(krb5_context context) 1927{ 1928 HKEY hk_k5 = 0; 1929 LONG code; 1930 char * ccname = NULL; 1931 1932 code = RegOpenKeyEx(HKEY_CURRENT_USER, 1933 REGPATH_MIT_KRB5, 1934 0, KEY_READ, &hk_k5); 1935 1936 if (code != ERROR_SUCCESS) 1937 return NULL; 1938 1939 ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname", 1940 REG_NONE, 0); 1941 1942 RegCloseKey(hk_k5); 1943 1944 return ccname; 1945} 1946 1947int 1948_krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id) 1949{ 1950 HKEY hk_k5 = 0; 1951 LONG code; 1952 int ret = -1; 1953 char * ccname = NULL; 1954 1955 code = RegOpenKeyEx(HKEY_CURRENT_USER, 1956 REGPATH_MIT_KRB5, 1957 0, KEY_READ|KEY_WRITE, &hk_k5); 1958 1959 if (code != ERROR_SUCCESS) 1960 return -1; 1961 1962 ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id)); 1963 if (ret < 0) 1964 goto cleanup; 1965 1966 ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname", 1967 REG_SZ, ccname, -1, 0); 1968 1969 cleanup: 1970 1971 if (ccname) 1972 free(ccname); 1973 1974 RegCloseKey(hk_k5); 1975 1976 return ret; 1977} 1978 1979#endif 1980