xref: /netbsd-src/crypto/external/bsd/heimdal/dist/lib/krb5/cache.c (revision d3273b5b76f5afaafe308cead5511dbb8df8c5e9)
1 /*	$NetBSD: cache.c,v 1.2 2017/01/28 21:31:49 christos Exp $	*/
2 
3 /*
4  * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  *
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  *
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  *
21  * 3. Neither the name of the Institute nor the names of its contributors
22  *    may be used to endorse or promote products derived from this software
23  *    without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  */
37 
38 #include "krb5_locl.h"
39 
40 /**
41  * @page krb5_ccache_intro The credential cache functions
42  * @section section_krb5_ccache Kerberos credential caches
43  *
44  * krb5_ccache structure holds a Kerberos credential cache.
45  *
46  * Heimdal support the follow types of credential caches:
47  *
48  * - SCC
49  *   Store the credential in a database
50  * - FILE
51  *   Store the credential in memory
52  * - MEMORY
53  *   Store the credential in memory
54  * - API
55  *   A credential cache server based solution for Mac OS X
56  * - KCM
57  *   A credential cache server based solution for all platforms
58  *
59  * @subsection Example
60  *
61  * This is a minimalistic version of klist:
62 @code
63 #include <krb5/krb5.h>
64 
65 int
66 main (int argc, char **argv)
67 {
68     krb5_context context;
69     krb5_cc_cursor cursor;
70     krb5_error_code ret;
71     krb5_ccache id;
72     krb5_creds creds;
73 
74     if (krb5_init_context (&context) != 0)
75 	errx(1, "krb5_context");
76 
77     ret = krb5_cc_default (context, &id);
78     if (ret)
79 	krb5_err(context, 1, ret, "krb5_cc_default");
80 
81     ret = krb5_cc_start_seq_get(context, id, &cursor);
82     if (ret)
83 	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
84 
85     while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
86         char *principal;
87 
88 	krb5_unparse_name(context, creds.server, &principal);
89 	printf("principal: %s\\n", principal);
90 	free(principal);
91 	krb5_free_cred_contents (context, &creds);
92     }
93     ret = krb5_cc_end_seq_get(context, id, &cursor);
94     if (ret)
95 	krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
96 
97     krb5_cc_close(context, id);
98 
99     krb5_free_context(context);
100     return 0;
101 }
102 * @endcode
103 */
104 
105 /**
106  * Add a new ccache type with operations `ops', overwriting any
107  * existing one if `override'.
108  *
109  * @param context a Keberos context
110  * @param ops type of plugin symbol
111  * @param override flag to select if the registration is to overide
112  * an existing ops with the same name.
113  *
114  * @return Return an error code or 0, see krb5_get_error_message().
115  *
116  * @ingroup krb5_ccache
117  */
118 
119 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_register(krb5_context context,const krb5_cc_ops * ops,krb5_boolean override)120 krb5_cc_register(krb5_context context,
121 		 const krb5_cc_ops *ops,
122 		 krb5_boolean override)
123 {
124     int i;
125 
126     for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
127 	if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
128 	    if(!override) {
129 		krb5_set_error_message(context,
130 				       KRB5_CC_TYPE_EXISTS,
131 				       N_("cache type %s already exists", "type"),
132 				       ops->prefix);
133 		return KRB5_CC_TYPE_EXISTS;
134 	    }
135 	    break;
136 	}
137     }
138     if(i == context->num_cc_ops) {
139 	const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
140 					(context->num_cc_ops + 1) *
141 					sizeof(context->cc_ops[0]));
142 	if(o == NULL) {
143 	    krb5_set_error_message(context, KRB5_CC_NOMEM,
144 				   N_("malloc: out of memory", ""));
145 	    return KRB5_CC_NOMEM;
146 	}
147 	context->cc_ops = o;
148 	context->cc_ops[context->num_cc_ops] = NULL;
149 	context->num_cc_ops++;
150     }
151     context->cc_ops[i] = ops;
152     return 0;
153 }
154 
155 /*
156  * Allocate the memory for a `id' and the that function table to
157  * `ops'. Returns 0 or and error code.
158  */
159 
160 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_cc_allocate(krb5_context context,const krb5_cc_ops * ops,krb5_ccache * id)161 _krb5_cc_allocate(krb5_context context,
162 		  const krb5_cc_ops *ops,
163 		  krb5_ccache *id)
164 {
165     krb5_ccache p;
166 
167     p = calloc(1, sizeof(*p));
168     if (p == NULL) {
169 	krb5_set_error_message(context, KRB5_CC_NOMEM,
170 			       N_("malloc: out of memory", ""));
171 	return KRB5_CC_NOMEM;
172     }
173     p->ops = ops;
174     *id = p;
175 
176     return 0;
177 }
178 
179 /*
180  * Allocate memory for a new ccache in `id' with operations `ops'
181  * and name `residual'. Return 0 or an error code.
182  */
183 
184 static krb5_error_code
allocate_ccache(krb5_context context,const krb5_cc_ops * ops,const char * residual,krb5_ccache * id)185 allocate_ccache (krb5_context context,
186 		 const krb5_cc_ops *ops,
187 		 const char *residual,
188 		 krb5_ccache *id)
189 {
190     krb5_error_code ret;
191 #ifdef KRB5_USE_PATH_TOKENS
192     char * exp_residual = NULL;
193     int filepath;
194 
195     filepath = (strcmp("FILE", ops->prefix) == 0
196 		 || strcmp("DIR", ops->prefix) == 0
197 		 || strcmp("SCC", ops->prefix) == 0);
198 
199     ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
200     if (ret)
201 	return ret;
202 
203     residual = exp_residual;
204 #endif
205 
206     ret = _krb5_cc_allocate(context, ops, id);
207     if (ret) {
208 #ifdef KRB5_USE_PATH_TOKENS
209 	if (exp_residual)
210 	    free(exp_residual);
211 #endif
212 	return ret;
213     }
214 
215     ret = (*id)->ops->resolve(context, id, residual);
216     if(ret) {
217 	free(*id);
218         *id = NULL;
219     }
220 
221 #ifdef KRB5_USE_PATH_TOKENS
222     if (exp_residual)
223 	free(exp_residual);
224 #endif
225 
226     return ret;
227 }
228 
229 static int
is_possible_path_name(const char * name)230 is_possible_path_name(const char * name)
231 {
232     const char * colon;
233 
234     if ((colon = strchr(name, ':')) == NULL)
235         return TRUE;
236 
237 #ifdef _WIN32
238     /* <drive letter>:\path\to\cache ? */
239 
240     if (colon == name + 1 &&
241         strchr(colon + 1, ':') == NULL)
242         return TRUE;
243 #endif
244 
245     return FALSE;
246 }
247 
248 /**
249  * Find and allocate a ccache in `id' from the specification in `residual'.
250  * If the ccache name doesn't contain any colon, interpret it as a file name.
251  *
252  * @param context a Keberos context.
253  * @param name string name of a credential cache.
254  * @param id return pointer to a found credential cache.
255  *
256  * @return Return 0 or an error code. In case of an error, id is set
257  * to NULL, see krb5_get_error_message().
258  *
259  * @ingroup krb5_ccache
260  */
261 
262 
263 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_resolve(krb5_context context,const char * name,krb5_ccache * id)264 krb5_cc_resolve(krb5_context context,
265 		const char *name,
266 		krb5_ccache *id)
267 {
268     int i;
269 
270     *id = NULL;
271 
272     for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
273 	size_t prefix_len = strlen(context->cc_ops[i]->prefix);
274 
275 	if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
276 	   && name[prefix_len] == ':') {
277 	    return allocate_ccache (context, context->cc_ops[i],
278 				    name + prefix_len + 1,
279 				    id);
280 	}
281     }
282     if (is_possible_path_name(name))
283 	return allocate_ccache (context, &krb5_fcc_ops, name, id);
284     else {
285 	krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
286 			       N_("unknown ccache type %s", "name"), name);
287 	return KRB5_CC_UNKNOWN_TYPE;
288     }
289 }
290 
291 /**
292  * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
293  * the library chooses the default credential cache type. The supplied
294  * `hint' (that can be NULL) is a string that the credential cache
295  * type can use to base the name of the credential on, this is to make
296  * it easier for the user to differentiate the credentials.
297  *
298  * @return Return an error code or 0, see krb5_get_error_message().
299  *
300  * @ingroup krb5_ccache
301  */
302 
303 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_new_unique(krb5_context context,const char * type,const char * hint,krb5_ccache * id)304 krb5_cc_new_unique(krb5_context context, const char *type,
305 		   const char *hint, krb5_ccache *id)
306 {
307     const krb5_cc_ops *ops;
308     krb5_error_code ret;
309 
310     ops = krb5_cc_get_prefix_ops(context, type);
311     if (ops == NULL) {
312 	krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
313 			      "Credential cache type %s is unknown", type);
314 	return KRB5_CC_UNKNOWN_TYPE;
315     }
316 
317     ret = _krb5_cc_allocate(context, ops, id);
318     if (ret)
319 	return ret;
320     ret = (*id)->ops->gen_new(context, id);
321     if (ret) {
322 	free(*id);
323 	*id = NULL;
324     }
325     return ret;
326 }
327 
328 /**
329  * Return the name of the ccache `id'
330  *
331  * @ingroup krb5_ccache
332  */
333 
334 
335 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_name(krb5_context context,krb5_ccache id)336 krb5_cc_get_name(krb5_context context,
337 		 krb5_ccache id)
338 {
339     return id->ops->get_name(context, id);
340 }
341 
342 /**
343  * Return the type of the ccache `id'.
344  *
345  * @ingroup krb5_ccache
346  */
347 
348 
349 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_type(krb5_context context,krb5_ccache id)350 krb5_cc_get_type(krb5_context context,
351 		 krb5_ccache id)
352 {
353     return id->ops->prefix;
354 }
355 
356 /**
357  * Return the complete resolvable name the cache
358 
359  * @param context a Keberos context
360  * @param id return pointer to a found credential cache
361  * @param str the returned name of a credential cache, free with krb5_xfree()
362  *
363  * @return Returns 0 or an error (and then *str is set to NULL).
364  *
365  * @ingroup krb5_ccache
366  */
367 
368 
369 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_full_name(krb5_context context,krb5_ccache id,char ** str)370 krb5_cc_get_full_name(krb5_context context,
371 		      krb5_ccache id,
372 		      char **str)
373 {
374     const char *type, *name;
375 
376     *str = NULL;
377 
378     type = krb5_cc_get_type(context, id);
379     if (type == NULL) {
380 	krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
381 			       "cache have no name of type");
382 	return KRB5_CC_UNKNOWN_TYPE;
383     }
384 
385     name = krb5_cc_get_name(context, id);
386     if (name == NULL) {
387 	krb5_set_error_message(context, KRB5_CC_BADNAME,
388 			       "cache of type %s have no name", type);
389 	return KRB5_CC_BADNAME;
390     }
391 
392     if (asprintf(str, "%s:%s", type, name) == -1) {
393 	*str = NULL;
394 	return krb5_enomem(context);
395     }
396     return 0;
397 }
398 
399 /**
400  * Return krb5_cc_ops of a the ccache `id'.
401  *
402  * @ingroup krb5_ccache
403  */
404 
405 
406 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_ops(krb5_context context,krb5_ccache id)407 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
408 {
409     return id->ops;
410 }
411 
412 /*
413  * Expand variables in `str' into `res'
414  */
415 
416 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_expand_default_cc_name(krb5_context context,const char * str,char ** res)417 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
418 {
419     int filepath;
420 
421     filepath = (strncmp("FILE:", str, 5) == 0
422 		 || strncmp("DIR:", str, 4) == 0
423 		 || strncmp("SCC:", str, 4) == 0);
424 
425     return _krb5_expand_path_tokens(context, str, filepath, res);
426 }
427 
428 /*
429  * Return non-zero if envirnoment that will determine default krb5cc
430  * name has changed.
431  */
432 
433 static int
environment_changed(krb5_context context)434 environment_changed(krb5_context context)
435 {
436     const char *e;
437 
438     /* if the cc name was set, don't change it */
439     if (context->default_cc_name_set)
440 	return 0;
441 
442     /* XXX performance: always ask KCM/API if default name has changed */
443     if (context->default_cc_name &&
444 	(strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
445 	 strncmp(context->default_cc_name, "API:", 4) == 0))
446 	return 1;
447 
448     if(issuid())
449 	return 0;
450 
451     e = getenv("KRB5CCNAME");
452     if (e == NULL) {
453 	if (context->default_cc_name_env) {
454 	    free(context->default_cc_name_env);
455 	    context->default_cc_name_env = NULL;
456 	    return 1;
457 	}
458     } else {
459 	if (context->default_cc_name_env == NULL)
460 	    return 1;
461 	if (strcmp(e, context->default_cc_name_env) != 0)
462 	    return 1;
463     }
464     return 0;
465 }
466 
467 /**
468  * Switch the default default credential cache for a specific
469  * credcache type (and name for some implementations).
470  *
471  * @return Return an error code or 0, see krb5_get_error_message().
472  *
473  * @ingroup krb5_ccache
474  */
475 
476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_switch(krb5_context context,krb5_ccache id)477 krb5_cc_switch(krb5_context context, krb5_ccache id)
478 {
479 #ifdef _WIN32
480     _krb5_set_default_cc_name_to_registry(context, id);
481 #endif
482 
483     if (id->ops->set_default == NULL)
484 	return 0;
485 
486     return (*id->ops->set_default)(context, id);
487 }
488 
489 /**
490  * Return true if the default credential cache support switch
491  *
492  * @ingroup krb5_ccache
493  */
494 
495 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_cc_support_switch(krb5_context context,const char * type)496 krb5_cc_support_switch(krb5_context context, const char *type)
497 {
498     const krb5_cc_ops *ops;
499 
500     ops = krb5_cc_get_prefix_ops(context, type);
501     if (ops && ops->set_default)
502 	return 1;
503     return FALSE;
504 }
505 
506 /**
507  * Set the default cc name for `context' to `name'.
508  *
509  * @ingroup krb5_ccache
510  */
511 
512 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_default_name(krb5_context context,const char * name)513 krb5_cc_set_default_name(krb5_context context, const char *name)
514 {
515     krb5_error_code ret = 0;
516     char *p = NULL, *exp_p = NULL;
517     int filepath;
518     const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
519 
520     if (name == NULL) {
521 	const char *e = NULL;
522 
523 	if (!issuid()) {
524 	    e = getenv("KRB5CCNAME");
525 	    if (e) {
526 		p = strdup(e);
527 		if (context->default_cc_name_env)
528 		    free(context->default_cc_name_env);
529 		context->default_cc_name_env = strdup(e);
530 	    }
531 	}
532 
533 #ifdef _WIN32
534 	if (p == NULL) {
535 	    p = _krb5_get_default_cc_name_from_registry(context);
536         }
537 #endif
538 	if (p == NULL) {
539 	    e = krb5_config_get_string(context, NULL, "libdefaults",
540 				       "default_cc_name", NULL);
541 	    if (e) {
542 		ret = _krb5_expand_default_cc_name(context, e, &p);
543 		if (ret)
544 		    return ret;
545 	    }
546 	}
547 	if (p == NULL) {
548 	    e = krb5_config_get_string(context, NULL, "libdefaults",
549 				       "default_cc_type", NULL);
550 	    if (e) {
551 		ops = krb5_cc_get_prefix_ops(context, e);
552 		if (ops == NULL) {
553 		    krb5_set_error_message(context,
554 					   KRB5_CC_UNKNOWN_TYPE,
555 					   "Credential cache type %s "
556 					   "is unknown", e);
557 		    return KRB5_CC_UNKNOWN_TYPE;
558 		}
559 	    }
560 	}
561 #ifdef _WIN32
562 	if (p == NULL) {
563 	    /*
564 	     * If the MSLSA ccache type has a principal name,
565 	     * use it as the default.
566 	     */
567 	    krb5_ccache id;
568 	    ret = krb5_cc_resolve(context, "MSLSA:", &id);
569 	    if (ret == 0) {
570 		krb5_principal princ;
571 		ret = krb5_cc_get_principal(context, id, &princ);
572 		if (ret == 0) {
573 		    krb5_free_principal(context, princ);
574 		    p = strdup("MSLSA:");
575 		}
576 		krb5_cc_close(context, id);
577 	    }
578 	}
579 	if (p == NULL) {
580 	    /*
581 	     * If the API:krb5cc ccache can be resolved,
582 	     * use it as the default.
583 	     */
584 	    krb5_ccache api_id;
585 	    ret = krb5_cc_resolve(context, "API:krb5cc", &api_id);
586 	    if (ret == 0)
587 		krb5_cc_close(context, api_id);
588 	}
589 	/* Otherwise, fallback to the FILE ccache */
590 #endif
591 	if (p == NULL) {
592 	    ret = (*ops->get_default_name)(context, &p);
593 	    if (ret)
594 		return ret;
595 	}
596 	context->default_cc_name_set = 0;
597     } else {
598 	p = strdup(name);
599 	if (p == NULL)
600 	    return krb5_enomem(context);
601 	context->default_cc_name_set = 1;
602     }
603 
604     filepath = (strncmp("FILE:", p, 5) == 0
605 		 || strncmp("DIR:", p, 4) == 0
606 		 || strncmp("SCC:", p, 4) == 0);
607 
608     ret = _krb5_expand_path_tokens(context, p, filepath, &exp_p);
609     free(p);
610     p = exp_p;
611     if (ret)
612 	return ret;
613 
614     if (context->default_cc_name)
615 	free(context->default_cc_name);
616 
617     context->default_cc_name = p;
618 
619     return 0;
620 }
621 
622 /**
623  * Return a pointer to a context static string containing the default
624  * ccache name.
625  *
626  * @return String to the default credential cache name.
627  *
628  * @ingroup krb5_ccache
629  */
630 
631 
632 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_default_name(krb5_context context)633 krb5_cc_default_name(krb5_context context)
634 {
635     if (context->default_cc_name == NULL || environment_changed(context))
636 	krb5_cc_set_default_name(context, NULL);
637 
638     return context->default_cc_name;
639 }
640 
641 /**
642  * Open the default ccache in `id'.
643  *
644  * @return Return an error code or 0, see krb5_get_error_message().
645  *
646  * @ingroup krb5_ccache
647  */
648 
649 
650 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_default(krb5_context context,krb5_ccache * id)651 krb5_cc_default(krb5_context context,
652 		krb5_ccache *id)
653 {
654     const char *p = krb5_cc_default_name(context);
655 
656     if (p == NULL)
657 	return krb5_enomem(context);
658     return krb5_cc_resolve(context, p, id);
659 }
660 
661 /**
662  * Create a new ccache in `id' for `primary_principal'.
663  *
664  * @return Return an error code or 0, see krb5_get_error_message().
665  *
666  * @ingroup krb5_ccache
667  */
668 
669 
670 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_initialize(krb5_context context,krb5_ccache id,krb5_principal primary_principal)671 krb5_cc_initialize(krb5_context context,
672 		   krb5_ccache id,
673 		   krb5_principal primary_principal)
674 {
675     krb5_error_code ret;
676 
677     ret = (*id->ops->init)(context, id, primary_principal);
678     if (ret == 0)
679         id->initialized = 1;
680     return ret;
681 }
682 
683 
684 /**
685  * Remove the ccache `id'.
686  *
687  * @return Return an error code or 0, see krb5_get_error_message().
688  *
689  * @ingroup krb5_ccache
690  */
691 
692 
693 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_destroy(krb5_context context,krb5_ccache id)694 krb5_cc_destroy(krb5_context context,
695 		krb5_ccache id)
696 {
697     krb5_error_code ret;
698 
699     ret = (*id->ops->destroy)(context, id);
700     krb5_cc_close (context, id);
701     return ret;
702 }
703 
704 /**
705  * Stop using the ccache `id' and free the related resources.
706  *
707  * @return Return an error code or 0, see krb5_get_error_message().
708  *
709  * @ingroup krb5_ccache
710  */
711 
712 
713 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_close(krb5_context context,krb5_ccache id)714 krb5_cc_close(krb5_context context,
715 	      krb5_ccache id)
716 {
717     krb5_error_code ret;
718     ret = (*id->ops->close)(context, id);
719     free(id);
720     return ret;
721 }
722 
723 /**
724  * Store `creds' in the ccache `id'.
725  *
726  * @return Return an error code or 0, see krb5_get_error_message().
727  *
728  * @ingroup krb5_ccache
729  */
730 
731 
732 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_store_cred(krb5_context context,krb5_ccache id,krb5_creds * creds)733 krb5_cc_store_cred(krb5_context context,
734 		   krb5_ccache id,
735 		   krb5_creds *creds)
736 {
737     krb5_error_code ret;
738     krb5_data realm;
739 
740     ret = (*id->ops->store)(context, id, creds);
741 
742     /* Look for and mark the first root TGT's realm as the start realm */
743     if (ret == 0 && id->initialized &&
744         krb5_principal_is_root_krbtgt(context, creds->server)) {
745 
746         id->initialized = 0;
747         realm.length = strlen(creds->server->realm);
748         realm.data = creds->server->realm;
749         (void) krb5_cc_set_config(context, id, NULL, "start_realm", &realm);
750     } else if (ret == 0 && id->initialized &&
751         krb5_is_config_principal(context, creds->server) &&
752         strcmp(creds->server->name.name_string.val[1], "start_realm") == 0) {
753 
754         /*
755          * But if the caller is storing a start_realm ccconfig, then
756          * stop looking for root TGTs to mark as the start_realm.
757          *
758          * By honoring any start_realm cc config stored, we interop
759          * both, with ccache implementations that don't preserve
760          * insertion order, and Kerberos implementations that store this
761          * cc config before the TGT.
762          */
763         id->initialized = 0;
764     }
765     return ret;
766 }
767 
768 /**
769  * Retrieve the credential identified by `mcreds' (and `whichfields')
770  * from `id' in `creds'. 'creds' must be free by the caller using
771  * krb5_free_cred_contents.
772  *
773  * @param context A Kerberos 5 context
774  * @param id a Kerberos 5 credential cache
775  * @param whichfields what fields to use for matching credentials, same
776  *        flags as whichfields in krb5_compare_creds()
777  * @param mcreds template credential to use for comparing
778  * @param creds returned credential, free with krb5_free_cred_contents()
779  *
780  * @return Return an error code or 0, see krb5_get_error_message().
781  *
782  * @ingroup krb5_ccache
783  */
784 
785 
786 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_retrieve_cred(krb5_context context,krb5_ccache id,krb5_flags whichfields,const krb5_creds * mcreds,krb5_creds * creds)787 krb5_cc_retrieve_cred(krb5_context context,
788 		      krb5_ccache id,
789 		      krb5_flags whichfields,
790 		      const krb5_creds *mcreds,
791 		      krb5_creds *creds)
792 {
793     krb5_error_code ret;
794     krb5_cc_cursor cursor;
795 
796     if (id->ops->retrieve != NULL) {
797 	return (*id->ops->retrieve)(context, id, whichfields,
798 				    mcreds, creds);
799     }
800 
801     ret = krb5_cc_start_seq_get(context, id, &cursor);
802     if (ret)
803 	return ret;
804     while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
805 	if(krb5_compare_creds(context, whichfields, mcreds, creds)){
806 	    ret = 0;
807 	    break;
808 	}
809 	krb5_free_cred_contents (context, creds);
810     }
811     krb5_cc_end_seq_get(context, id, &cursor);
812     return ret;
813 }
814 
815 /**
816  * Return the principal of `id' in `principal'.
817  *
818  * @return Return an error code or 0, see krb5_get_error_message().
819  *
820  * @ingroup krb5_ccache
821  */
822 
823 
824 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_principal(krb5_context context,krb5_ccache id,krb5_principal * principal)825 krb5_cc_get_principal(krb5_context context,
826 		      krb5_ccache id,
827 		      krb5_principal *principal)
828 {
829     return (*id->ops->get_princ)(context, id, principal);
830 }
831 
832 /**
833  * Start iterating over `id', `cursor' is initialized to the
834  * beginning.  Caller must free the cursor with krb5_cc_end_seq_get().
835  *
836  * @return Return an error code or 0, see krb5_get_error_message().
837  *
838  * @ingroup krb5_ccache
839  */
840 
841 
842 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_start_seq_get(krb5_context context,const krb5_ccache id,krb5_cc_cursor * cursor)843 krb5_cc_start_seq_get (krb5_context context,
844 		       const krb5_ccache id,
845 		       krb5_cc_cursor *cursor)
846 {
847     return (*id->ops->get_first)(context, id, cursor);
848 }
849 
850 /**
851  * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
852  * and advance `cursor'.
853  *
854  * @return Return an error code or 0, see krb5_get_error_message().
855  *
856  * @ingroup krb5_ccache
857  */
858 
859 
860 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_next_cred(krb5_context context,const krb5_ccache id,krb5_cc_cursor * cursor,krb5_creds * creds)861 krb5_cc_next_cred (krb5_context context,
862 		   const krb5_ccache id,
863 		   krb5_cc_cursor *cursor,
864 		   krb5_creds *creds)
865 {
866     return (*id->ops->get_next)(context, id, cursor, creds);
867 }
868 
869 /**
870  * Destroy the cursor `cursor'.
871  *
872  * @ingroup krb5_ccache
873  */
874 
875 
876 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_end_seq_get(krb5_context context,const krb5_ccache id,krb5_cc_cursor * cursor)877 krb5_cc_end_seq_get (krb5_context context,
878 		     const krb5_ccache id,
879 		     krb5_cc_cursor *cursor)
880 {
881     return (*id->ops->end_get)(context, id, cursor);
882 }
883 
884 /**
885  * Remove the credential identified by `cred', `which' from `id'.
886  *
887  * @ingroup krb5_ccache
888  */
889 
890 
891 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_remove_cred(krb5_context context,krb5_ccache id,krb5_flags which,krb5_creds * cred)892 krb5_cc_remove_cred(krb5_context context,
893 		    krb5_ccache id,
894 		    krb5_flags which,
895 		    krb5_creds *cred)
896 {
897     if(id->ops->remove_cred == NULL) {
898 	krb5_set_error_message(context,
899 			       EACCES,
900 			       "ccache %s does not support remove_cred",
901 			       id->ops->prefix);
902 	return EACCES; /* XXX */
903     }
904     return (*id->ops->remove_cred)(context, id, which, cred);
905 }
906 
907 /**
908  * Set the flags of `id' to `flags'.
909  *
910  * @ingroup krb5_ccache
911  */
912 
913 
914 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_flags(krb5_context context,krb5_ccache id,krb5_flags flags)915 krb5_cc_set_flags(krb5_context context,
916 		  krb5_ccache id,
917 		  krb5_flags flags)
918 {
919     return (*id->ops->set_flags)(context, id, flags);
920 }
921 
922 /**
923  * Get the flags of `id', store them in `flags'.
924  *
925  * @ingroup krb5_ccache
926  */
927 
928 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_flags(krb5_context context,krb5_ccache id,krb5_flags * flags)929 krb5_cc_get_flags(krb5_context context,
930 		  krb5_ccache id,
931 		  krb5_flags *flags)
932 {
933     *flags = 0;
934     return 0;
935 }
936 
937 /**
938  * Copy the contents of `from' to `to' if the given match function
939  * return true.
940  *
941  * @param context A Kerberos 5 context.
942  * @param from the cache to copy data from.
943  * @param to the cache to copy data to.
944  * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
945  * @param matchctx context passed to match function.
946  * @param matched set to true if there was a credential that matched, may be NULL.
947  *
948  * @return Return an error code or 0, see krb5_get_error_message().
949  *
950  * @ingroup krb5_ccache
951  */
952 
953 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_copy_match_f(krb5_context context,const krb5_ccache from,krb5_ccache to,krb5_boolean (* match)(krb5_context,void *,const krb5_creds *),void * matchctx,unsigned int * matched)954 krb5_cc_copy_match_f(krb5_context context,
955 		     const krb5_ccache from,
956 		     krb5_ccache to,
957 		     krb5_boolean (*match)(krb5_context, void *, const krb5_creds *),
958 		     void *matchctx,
959 		     unsigned int *matched)
960 {
961     krb5_error_code ret;
962     krb5_cc_cursor cursor;
963     krb5_creds cred;
964     krb5_principal princ;
965 
966     if (matched)
967 	*matched = 0;
968 
969     ret = krb5_cc_get_principal(context, from, &princ);
970     if (ret)
971 	return ret;
972     ret = krb5_cc_initialize(context, to, princ);
973     if (ret) {
974 	krb5_free_principal(context, princ);
975 	return ret;
976     }
977     ret = krb5_cc_start_seq_get(context, from, &cursor);
978     if (ret) {
979 	krb5_free_principal(context, princ);
980 	return ret;
981     }
982 
983     while ((ret = krb5_cc_next_cred(context, from, &cursor, &cred)) == 0) {
984 	   if (match == NULL || (*match)(context, matchctx, &cred)) {
985 	       if (matched)
986 		   (*matched)++;
987 	       ret = krb5_cc_store_cred(context, to, &cred);
988 	       if (ret)
989 		   break;
990 	   }
991 	   krb5_free_cred_contents(context, &cred);
992     }
993     krb5_cc_end_seq_get(context, from, &cursor);
994     krb5_free_principal(context, princ);
995     if (ret == KRB5_CC_END)
996 	ret = 0;
997     return ret;
998 }
999 
1000 /**
1001  * Just like krb5_cc_copy_match_f(), but copy everything.
1002  *
1003  * @ingroup @krb5_ccache
1004  */
1005 
1006 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_copy_cache(krb5_context context,const krb5_ccache from,krb5_ccache to)1007 krb5_cc_copy_cache(krb5_context context,
1008 		   const krb5_ccache from,
1009 		   krb5_ccache to)
1010 {
1011     return krb5_cc_copy_match_f(context, from, to, NULL, NULL, NULL);
1012 }
1013 
1014 /**
1015  * Return the version of `id'.
1016  *
1017  * @ingroup krb5_ccache
1018  */
1019 
1020 
1021 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_version(krb5_context context,const krb5_ccache id)1022 krb5_cc_get_version(krb5_context context,
1023 		    const krb5_ccache id)
1024 {
1025     if(id->ops->get_version)
1026 	return (*id->ops->get_version)(context, id);
1027     else
1028 	return 0;
1029 }
1030 
1031 /**
1032  * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
1033  *
1034  * @ingroup krb5_ccache
1035  */
1036 
1037 
1038 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_cc_clear_mcred(krb5_creds * mcred)1039 krb5_cc_clear_mcred(krb5_creds *mcred)
1040 {
1041     memset(mcred, 0, sizeof(*mcred));
1042 }
1043 
1044 /**
1045  * Get the cc ops that is registered in `context' to handle the
1046  * prefix. prefix can be a complete credential cache name or a
1047  * prefix, the function will only use part up to the first colon (:)
1048  * if there is one. If prefix the argument is NULL, the default ccache
1049  * implemtation is returned.
1050  *
1051  * @return Returns NULL if ops not found.
1052  *
1053  * @ingroup krb5_ccache
1054  */
1055 
1056 
1057 KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_prefix_ops(krb5_context context,const char * prefix)1058 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
1059 {
1060     char *p, *p1;
1061     int i;
1062 
1063     if (prefix == NULL)
1064 	return KRB5_DEFAULT_CCTYPE;
1065 
1066     /* Is absolute path? Or UNC path? */
1067     if (ISPATHSEP(prefix[0]))
1068 	return &krb5_fcc_ops;
1069 
1070 #ifdef _WIN32
1071     /* Is drive letter? */
1072     if (isalpha(prefix[0]) && prefix[1] == ':')
1073 	return &krb5_fcc_ops;
1074 #endif
1075 
1076     p = strdup(prefix);
1077     if (p == NULL) {
1078 	krb5_enomem(context);
1079 	return NULL;
1080     }
1081     p1 = strchr(p, ':');
1082     if (p1)
1083 	*p1 = '\0';
1084 
1085     for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
1086 	if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
1087 	    free(p);
1088 	    return context->cc_ops[i];
1089 	}
1090     }
1091     free(p);
1092     return NULL;
1093 }
1094 
1095 struct krb5_cc_cache_cursor_data {
1096     const krb5_cc_ops *ops;
1097     krb5_cc_cursor cursor;
1098 };
1099 
1100 /**
1101  * Start iterating over all caches of specified type. See also
1102  * krb5_cccol_cursor_new().
1103 
1104  * @param context A Kerberos 5 context
1105  * @param type optional type to iterate over, if NULL, the default cache is used.
1106  * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
1107  *
1108  * @return Return an error code or 0, see krb5_get_error_message().
1109  *
1110  * @ingroup krb5_ccache
1111  */
1112 
1113 
1114 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_get_first(krb5_context context,const char * type,krb5_cc_cache_cursor * cursor)1115 krb5_cc_cache_get_first (krb5_context context,
1116 			 const char *type,
1117 			 krb5_cc_cache_cursor *cursor)
1118 {
1119     const krb5_cc_ops *ops;
1120     krb5_error_code ret;
1121 
1122     if (type == NULL)
1123 	type = krb5_cc_default_name(context);
1124 
1125     ops = krb5_cc_get_prefix_ops(context, type);
1126     if (ops == NULL) {
1127 	krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
1128 			       "Unknown type \"%s\" when iterating "
1129 			       "trying to iterate the credential caches", type);
1130 	return KRB5_CC_UNKNOWN_TYPE;
1131     }
1132 
1133     if (ops->get_cache_first == NULL) {
1134 	krb5_set_error_message(context, KRB5_CC_NOSUPP,
1135 			       N_("Credential cache type %s doesn't support "
1136 				 "iterations over caches", "type"),
1137 			       ops->prefix);
1138 	return KRB5_CC_NOSUPP;
1139     }
1140 
1141     *cursor = calloc(1, sizeof(**cursor));
1142     if (*cursor == NULL)
1143 	return krb5_enomem(context);
1144 
1145     (*cursor)->ops = ops;
1146 
1147     ret = ops->get_cache_first(context, &(*cursor)->cursor);
1148     if (ret) {
1149 	free(*cursor);
1150 	*cursor = NULL;
1151     }
1152     return ret;
1153 }
1154 
1155 /**
1156  * Retrieve the next cache pointed to by (`cursor') in `id'
1157  * and advance `cursor'.
1158  *
1159  * @param context A Kerberos 5 context
1160  * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
1161  * @param id next ccache
1162  *
1163  * @return Return 0 or an error code. Returns KRB5_CC_END when the end
1164  *         of caches is reached, see krb5_get_error_message().
1165  *
1166  * @ingroup krb5_ccache
1167  */
1168 
1169 
1170 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_next(krb5_context context,krb5_cc_cache_cursor cursor,krb5_ccache * id)1171 krb5_cc_cache_next (krb5_context context,
1172 		   krb5_cc_cache_cursor cursor,
1173 		   krb5_ccache *id)
1174 {
1175     return cursor->ops->get_cache_next(context, cursor->cursor, id);
1176 }
1177 
1178 /**
1179  * Destroy the cursor `cursor'.
1180  *
1181  * @return Return an error code or 0, see krb5_get_error_message().
1182  *
1183  * @ingroup krb5_ccache
1184  */
1185 
1186 
1187 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_end_seq_get(krb5_context context,krb5_cc_cache_cursor cursor)1188 krb5_cc_cache_end_seq_get (krb5_context context,
1189 			   krb5_cc_cache_cursor cursor)
1190 {
1191     krb5_error_code ret;
1192     ret = cursor->ops->end_cache_get(context, cursor->cursor);
1193     cursor->ops = NULL;
1194     free(cursor);
1195     return ret;
1196 }
1197 
1198 /**
1199  * Search for a matching credential cache that have the
1200  * `principal' as the default principal. On success, `id' needs to be
1201  * freed with krb5_cc_close() or krb5_cc_destroy().
1202  *
1203  * @param context A Kerberos 5 context
1204  * @param client The principal to search for
1205  * @param id the returned credential cache
1206  *
1207  * @return On failure, error code is returned and `id' is set to NULL.
1208  *
1209  * @ingroup krb5_ccache
1210  */
1211 
1212 
1213 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_cache_match(krb5_context context,krb5_principal client,krb5_ccache * id)1214 krb5_cc_cache_match (krb5_context context,
1215 		     krb5_principal client,
1216 		     krb5_ccache *id)
1217 {
1218     krb5_cccol_cursor cursor;
1219     krb5_error_code ret;
1220     krb5_ccache cache = NULL;
1221     krb5_ccache expired_match = NULL;
1222 
1223     *id = NULL;
1224 
1225     ret = krb5_cccol_cursor_new (context, &cursor);
1226     if (ret)
1227 	return ret;
1228 
1229     while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && cache != NULL) {
1230 	krb5_principal principal;
1231 	krb5_boolean match;
1232 	time_t lifetime;
1233 
1234 	ret = krb5_cc_get_principal(context, cache, &principal);
1235 	if (ret)
1236 	    goto next;
1237 
1238 	if (client->name.name_string.len == 0)
1239 	    match = (strcmp(client->realm, principal->realm) == 0);
1240 	else
1241 	    match = krb5_principal_compare(context, principal, client);
1242 	krb5_free_principal(context, principal);
1243 
1244 	if (!match)
1245 	    goto next;
1246 
1247 	if (expired_match == NULL &&
1248 	    (krb5_cc_get_lifetime(context, cache, &lifetime) != 0 || lifetime == 0)) {
1249 	    expired_match = cache;
1250 	    cache = NULL;
1251 	    goto next;
1252 	}
1253 	break;
1254 
1255     next:
1256         if (cache)
1257 	    krb5_cc_close(context, cache);
1258 	cache = NULL;
1259     }
1260 
1261     krb5_cccol_cursor_free(context, &cursor);
1262 
1263     if (cache == NULL && expired_match) {
1264 	cache = expired_match;
1265 	expired_match = NULL;
1266     } else if (expired_match) {
1267 	krb5_cc_close(context, expired_match);
1268     } else if (cache == NULL) {
1269 	char *str;
1270 
1271 	krb5_unparse_name(context, client, &str);
1272 
1273 	krb5_set_error_message(context, KRB5_CC_NOTFOUND,
1274 			       N_("Principal %s not found in any "
1275 				  "credential cache", ""),
1276 			       str ? str : "<out of memory>");
1277 	if (str)
1278 	    free(str);
1279 	return KRB5_CC_NOTFOUND;
1280     }
1281 
1282     *id = cache;
1283 
1284     return 0;
1285 }
1286 
1287 /**
1288  * Move the content from one credential cache to another. The
1289  * operation is an atomic switch.
1290  *
1291  * @param context a Keberos context
1292  * @param from the credential cache to move the content from
1293  * @param to the credential cache to move the content to
1294 
1295  * @return On sucess, from is freed. On failure, error code is
1296  * returned and from and to are both still allocated, see krb5_get_error_message().
1297  *
1298  * @ingroup krb5_ccache
1299  */
1300 
1301 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_move(krb5_context context,krb5_ccache from,krb5_ccache to)1302 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
1303 {
1304     krb5_error_code ret;
1305 
1306     if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
1307 	krb5_set_error_message(context, KRB5_CC_NOSUPP,
1308 			       N_("Moving credentials between diffrent "
1309 				 "types not yet supported", ""));
1310 	return KRB5_CC_NOSUPP;
1311     }
1312 
1313     ret = (*to->ops->move)(context, from, to);
1314     if (ret == 0) {
1315 	memset(from, 0, sizeof(*from));
1316 	free(from);
1317     }
1318     return ret;
1319 }
1320 
1321 #define KRB5_CONF_NAME "krb5_ccache_conf_data"
1322 #define KRB5_REALM_NAME "X-CACHECONF:"
1323 
1324 static krb5_error_code
build_conf_principals(krb5_context context,krb5_ccache id,krb5_const_principal principal,const char * name,krb5_creds * cred)1325 build_conf_principals(krb5_context context, krb5_ccache id,
1326 		      krb5_const_principal principal,
1327 		      const char *name, krb5_creds *cred)
1328 {
1329     krb5_principal client;
1330     krb5_error_code ret;
1331     char *pname = NULL;
1332 
1333     memset(cred, 0, sizeof(*cred));
1334 
1335     ret = krb5_cc_get_principal(context, id, &client);
1336     if (ret)
1337 	return ret;
1338 
1339     if (principal) {
1340 	ret = krb5_unparse_name(context, principal, &pname);
1341 	if (ret)
1342 	    return ret;
1343     }
1344 
1345     ret = krb5_make_principal(context, &cred->server,
1346 			      KRB5_REALM_NAME,
1347 			      KRB5_CONF_NAME, name, pname, NULL);
1348     free(pname);
1349     if (ret) {
1350 	krb5_free_principal(context, client);
1351 	return ret;
1352     }
1353     ret = krb5_copy_principal(context, client, &cred->client);
1354     krb5_free_principal(context, client);
1355     return ret;
1356 }
1357 
1358 /**
1359  * Return TRUE (non zero) if the principal is a configuration
1360  * principal (generated part of krb5_cc_set_config()). Returns FALSE
1361  * (zero) if not a configuration principal.
1362  *
1363  * @param context a Keberos context
1364  * @param principal principal to check if it a configuration principal
1365  *
1366  * @ingroup krb5_ccache
1367  */
1368 
1369 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_is_config_principal(krb5_context context,krb5_const_principal principal)1370 krb5_is_config_principal(krb5_context context,
1371 			 krb5_const_principal principal)
1372 {
1373     if (strcmp(principal->realm, KRB5_REALM_NAME) != 0)
1374 	return FALSE;
1375 
1376     if (principal->name.name_string.len == 0 ||
1377 	strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
1378 	return FALSE;
1379 
1380     return TRUE;
1381 }
1382 
1383 /**
1384  * Store some configuration for the credential cache in the cache.
1385  * Existing configuration under the same name is over-written.
1386  *
1387  * @param context a Keberos context
1388  * @param id the credential cache to store the data for
1389  * @param principal configuration for a specific principal, if
1390  * NULL, global for the whole cache.
1391  * @param name name under which the configuraion is stored.
1392  * @param data data to store, if NULL, configure is removed.
1393  *
1394  * @ingroup krb5_ccache
1395  */
1396 
1397 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_config(krb5_context context,krb5_ccache id,krb5_const_principal principal,const char * name,krb5_data * data)1398 krb5_cc_set_config(krb5_context context, krb5_ccache id,
1399 		   krb5_const_principal principal,
1400 		   const char *name, krb5_data *data)
1401 {
1402     krb5_error_code ret;
1403     krb5_creds cred;
1404 
1405     ret = build_conf_principals(context, id, principal, name, &cred);
1406     if (ret)
1407 	goto out;
1408 
1409     /* Remove old configuration */
1410     ret = krb5_cc_remove_cred(context, id, 0, &cred);
1411     if (ret && ret != KRB5_CC_NOTFOUND)
1412         goto out;
1413 
1414     if (data) {
1415 	/* not that anyone care when this expire */
1416 	cred.times.authtime = time(NULL);
1417 	cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
1418 
1419 	ret = krb5_data_copy(&cred.ticket, data->data, data->length);
1420 	if (ret)
1421 	    goto out;
1422 
1423 	ret = krb5_cc_store_cred(context, id, &cred);
1424     }
1425 
1426 out:
1427     krb5_free_cred_contents (context, &cred);
1428     return ret;
1429 }
1430 
1431 /**
1432  * Get some configuration for the credential cache in the cache.
1433  *
1434  * @param context a Keberos context
1435  * @param id the credential cache to store the data for
1436  * @param principal configuration for a specific principal, if
1437  * NULL, global for the whole cache.
1438  * @param name name under which the configuraion is stored.
1439  * @param data data to fetched, free with krb5_data_free()
1440  *
1441  * @ingroup krb5_ccache
1442  */
1443 
1444 
1445 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_config(krb5_context context,krb5_ccache id,krb5_const_principal principal,const char * name,krb5_data * data)1446 krb5_cc_get_config(krb5_context context, krb5_ccache id,
1447 		   krb5_const_principal principal,
1448 		   const char *name, krb5_data *data)
1449 {
1450     krb5_creds mcred, cred;
1451     krb5_error_code ret;
1452 
1453     memset(&cred, 0, sizeof(cred));
1454     krb5_data_zero(data);
1455 
1456     ret = build_conf_principals(context, id, principal, name, &mcred);
1457     if (ret)
1458 	goto out;
1459 
1460     ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
1461     if (ret)
1462 	goto out;
1463 
1464     ret = krb5_data_copy(data, cred.ticket.data, cred.ticket.length);
1465 
1466 out:
1467     krb5_free_cred_contents (context, &cred);
1468     krb5_free_cred_contents (context, &mcred);
1469     return ret;
1470 }
1471 
1472 /*
1473  *
1474  */
1475 
1476 struct krb5_cccol_cursor_data {
1477     int idx;
1478     krb5_cc_cache_cursor cursor;
1479 };
1480 
1481 /**
1482  * Get a new cache interation cursor that will interate over all
1483  * credentials caches independent of type.
1484  *
1485  * @param context a Keberos context
1486  * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
1487  *
1488  * @return Returns 0 or and error code, see krb5_get_error_message().
1489  *
1490  * @ingroup krb5_ccache
1491  */
1492 
1493 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cccol_cursor_new(krb5_context context,krb5_cccol_cursor * cursor)1494 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
1495 {
1496     *cursor = calloc(1, sizeof(**cursor));
1497     if (*cursor == NULL)
1498 	return krb5_enomem(context);
1499     (*cursor)->idx = 0;
1500     (*cursor)->cursor = NULL;
1501 
1502     return 0;
1503 }
1504 
1505 /**
1506  * Get next credential cache from the iteration.
1507  *
1508  * @param context A Kerberos 5 context
1509  * @param cursor the iteration cursor
1510  * @param cache the returned cursor, pointer is set to NULL on failure
1511  *        and a cache on success. The returned cache needs to be freed
1512  *        with krb5_cc_close() or destroyed with krb5_cc_destroy().
1513  *        MIT Kerberos behavies slightly diffrent and sets cache to NULL
1514  *        when all caches are iterated over and return 0.
1515  *
1516  * @return Return 0 or and error, KRB5_CC_END is returned at the end
1517  *        of iteration. See krb5_get_error_message().
1518  *
1519  * @ingroup krb5_ccache
1520  */
1521 
1522 
1523 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cccol_cursor_next(krb5_context context,krb5_cccol_cursor cursor,krb5_ccache * cache)1524 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
1525 		       krb5_ccache *cache)
1526 {
1527     krb5_error_code ret;
1528 
1529     *cache = NULL;
1530 
1531     while (cursor->idx < context->num_cc_ops) {
1532 
1533 	if (cursor->cursor == NULL) {
1534 	    ret = krb5_cc_cache_get_first (context,
1535 					   context->cc_ops[cursor->idx]->prefix,
1536 					   &cursor->cursor);
1537 	    if (ret) {
1538 		cursor->idx++;
1539 		continue;
1540 	    }
1541 	}
1542 	ret = krb5_cc_cache_next(context, cursor->cursor, cache);
1543 	if (ret == 0)
1544 	    break;
1545 
1546 	krb5_cc_cache_end_seq_get(context, cursor->cursor);
1547 	cursor->cursor = NULL;
1548 	if (ret != KRB5_CC_END)
1549 	    break;
1550 
1551 	cursor->idx++;
1552     }
1553     if (cursor->idx >= context->num_cc_ops) {
1554 	krb5_set_error_message(context, KRB5_CC_END,
1555 			       N_("Reached end of credential caches", ""));
1556 	return KRB5_CC_END;
1557     }
1558 
1559     return 0;
1560 }
1561 
1562 /**
1563  * End an iteration and free all resources, can be done before end is reached.
1564  *
1565  * @param context A Kerberos 5 context
1566  * @param cursor the iteration cursor to be freed.
1567  *
1568  * @return Return 0 or and error, KRB5_CC_END is returned at the end
1569  *        of iteration. See krb5_get_error_message().
1570  *
1571  * @ingroup krb5_ccache
1572  */
1573 
1574 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cccol_cursor_free(krb5_context context,krb5_cccol_cursor * cursor)1575 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
1576 {
1577     krb5_cccol_cursor c = *cursor;
1578 
1579     *cursor = NULL;
1580     if (c) {
1581 	if (c->cursor)
1582 	    krb5_cc_cache_end_seq_get(context, c->cursor);
1583 	free(c);
1584     }
1585     return 0;
1586 }
1587 
1588 /**
1589  * Return the last time the credential cache was modified.
1590  *
1591  * @param context A Kerberos 5 context
1592  * @param id The credential cache to probe
1593  * @param mtime the last modification time, set to 0 on error.
1594 
1595  * @return Return 0 or and error. See krb5_get_error_message().
1596  *
1597  * @ingroup krb5_ccache
1598  */
1599 
1600 
1601 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_last_change_time(krb5_context context,krb5_ccache id,krb5_timestamp * mtime)1602 krb5_cc_last_change_time(krb5_context context,
1603 			 krb5_ccache id,
1604 			 krb5_timestamp *mtime)
1605 {
1606     *mtime = 0;
1607     return (*id->ops->lastchange)(context, id, mtime);
1608 }
1609 
1610 /**
1611  * Return the last modfication time for a cache collection. The query
1612  * can be limited to a specific cache type. If the function return 0
1613  * and mtime is 0, there was no credentials in the caches.
1614  *
1615  * @param context A Kerberos 5 context
1616  * @param type The credential cache to probe, if NULL, all type are traversed.
1617  * @param mtime the last modification time, set to 0 on error.
1618 
1619  * @return Return 0 or and error. See krb5_get_error_message().
1620  *
1621  * @ingroup krb5_ccache
1622  */
1623 
1624 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cccol_last_change_time(krb5_context context,const char * type,krb5_timestamp * mtime)1625 krb5_cccol_last_change_time(krb5_context context,
1626 			    const char *type,
1627 			    krb5_timestamp *mtime)
1628 {
1629     krb5_cccol_cursor cursor;
1630     krb5_error_code ret;
1631     krb5_ccache id;
1632     krb5_timestamp t = 0;
1633 
1634     *mtime = 0;
1635 
1636     ret = krb5_cccol_cursor_new (context, &cursor);
1637     if (ret)
1638 	return ret;
1639 
1640     while (krb5_cccol_cursor_next(context, cursor, &id) == 0 && id != NULL) {
1641 
1642 	if (type && strcmp(krb5_cc_get_type(context, id), type) != 0)
1643 	    continue;
1644 
1645 	ret = krb5_cc_last_change_time(context, id, &t);
1646 	krb5_cc_close(context, id);
1647 	if (ret)
1648 	    continue;
1649 	if (t > *mtime)
1650 	    *mtime = t;
1651     }
1652 
1653     krb5_cccol_cursor_free(context, &cursor);
1654 
1655     return 0;
1656 }
1657 /**
1658  * Return a friendly name on credential cache. Free the result with krb5_xfree().
1659  *
1660  * @return Return an error code or 0, see krb5_get_error_message().
1661  *
1662  * @ingroup krb5_ccache
1663  */
1664 
1665 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_friendly_name(krb5_context context,krb5_ccache id,char ** name)1666 krb5_cc_get_friendly_name(krb5_context context,
1667 			  krb5_ccache id,
1668 			  char **name)
1669 {
1670     krb5_error_code ret;
1671     krb5_data data;
1672 
1673     ret = krb5_cc_get_config(context, id, NULL, "FriendlyName", &data);
1674     if (ret) {
1675 	krb5_principal principal;
1676 	ret = krb5_cc_get_principal(context, id, &principal);
1677 	if (ret)
1678 	    return ret;
1679 	ret = krb5_unparse_name(context, principal, name);
1680 	krb5_free_principal(context, principal);
1681     } else {
1682 	ret = asprintf(name, "%.*s", (int)data.length, (char *)data.data);
1683 	krb5_data_free(&data);
1684 	if (ret <= 0)
1685 	    ret = krb5_enomem(context);
1686 	else
1687 	    ret = 0;
1688     }
1689 
1690     return ret;
1691 }
1692 
1693 /**
1694  * Set the friendly name on credential cache.
1695  *
1696  * @return Return an error code or 0, see krb5_get_error_message().
1697  *
1698  * @ingroup krb5_ccache
1699  */
1700 
1701 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_friendly_name(krb5_context context,krb5_ccache id,const char * name)1702 krb5_cc_set_friendly_name(krb5_context context,
1703 			  krb5_ccache id,
1704 			  const char *name)
1705 {
1706     krb5_data data;
1707 
1708     data.data = rk_UNCONST(name);
1709     data.length = strlen(name);
1710 
1711     return krb5_cc_set_config(context, id, NULL, "FriendlyName", &data);
1712 }
1713 
1714 /**
1715  * Get the lifetime of the initial ticket in the cache
1716  *
1717  * Get the lifetime of the initial ticket in the cache, if the initial
1718  * ticket was not found, the error code KRB5_CC_END is returned.
1719  *
1720  * @param context A Kerberos 5 context.
1721  * @param id a credential cache
1722  * @param t the relative lifetime of the initial ticket
1723  *
1724  * @return Return an error code or 0, see krb5_get_error_message().
1725  *
1726  * @ingroup krb5_ccache
1727  */
1728 
1729 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_lifetime(krb5_context context,krb5_ccache id,time_t * t)1730 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
1731 {
1732     krb5_data config_start_realm;
1733     char *start_realm;
1734     krb5_cc_cursor cursor;
1735     krb5_error_code ret;
1736     krb5_creds cred;
1737     time_t now, endtime = 0;
1738 
1739     *t = 0;
1740     krb5_timeofday(context, &now);
1741 
1742     ret = krb5_cc_get_config(context, id, NULL, "start_realm", &config_start_realm);
1743     if (ret == 0) {
1744 	start_realm = strndup(config_start_realm.data, config_start_realm.length);
1745 	krb5_data_free(&config_start_realm);
1746     } else {
1747 	krb5_principal client;
1748 
1749 	ret = krb5_cc_get_principal(context, id, &client);
1750 	if (ret)
1751 	    return ret;
1752 	start_realm = strdup(krb5_principal_get_realm(context, client));
1753 	krb5_free_principal(context, client);
1754     }
1755     if (start_realm == NULL)
1756 	return krb5_enomem(context);
1757 
1758     ret = krb5_cc_start_seq_get(context, id, &cursor);
1759     if (ret) {
1760         free(start_realm);
1761 	return ret;
1762     }
1763 
1764     while ((ret = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
1765 	/**
1766 	 * If we find the start krbtgt in the cache, use that as the lifespan.
1767 	 */
1768 	if (krb5_principal_is_root_krbtgt(context, cred.server) &&
1769 	    strcmp(cred.server->realm, start_realm) == 0) {
1770 	    if (now < cred.times.endtime)
1771 		endtime = cred.times.endtime;
1772 	    krb5_free_cred_contents(context, &cred);
1773 	    break;
1774 	}
1775 	/*
1776 	 * Skip config entries
1777 	 */
1778 	if (krb5_is_config_principal(context, cred.server)) {
1779 	    krb5_free_cred_contents(context, &cred);
1780 	    continue;
1781 	}
1782 	/**
1783 	 * If there was no krbtgt, use the shortest lifetime of
1784 	 * service tickets that have yet to expire.  If all
1785 	 * credentials are expired, krb5_cc_get_lifetime() will fail.
1786 	 */
1787 	if ((endtime == 0 || cred.times.endtime < endtime) && now < cred.times.endtime)
1788 	    endtime = cred.times.endtime;
1789 	krb5_free_cred_contents(context, &cred);
1790     }
1791     free(start_realm);
1792 
1793     /* if we found an endtime use that */
1794     if (endtime) {
1795 	*t = endtime - now;
1796 	ret = 0;
1797     }
1798 
1799     krb5_cc_end_seq_get(context, id, &cursor);
1800 
1801     return ret;
1802 }
1803 
1804 /**
1805  * Set the time offset betwen the client and the KDC
1806  *
1807  * If the backend doesn't support KDC offset, use the context global setting.
1808  *
1809  * @param context A Kerberos 5 context.
1810  * @param id a credential cache
1811  * @param offset the offset in seconds
1812  *
1813  * @return Return an error code or 0, see krb5_get_error_message().
1814  *
1815  * @ingroup krb5_ccache
1816  */
1817 
1818 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_kdc_offset(krb5_context context,krb5_ccache id,krb5_deltat offset)1819 krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
1820 {
1821     if (id->ops->set_kdc_offset == NULL) {
1822 	context->kdc_sec_offset = offset;
1823 	context->kdc_usec_offset = 0;
1824 	return 0;
1825     }
1826     return (*id->ops->set_kdc_offset)(context, id, offset);
1827 }
1828 
1829 /**
1830  * Get the time offset betwen the client and the KDC
1831  *
1832  * If the backend doesn't support KDC offset, use the context global setting.
1833  *
1834  * @param context A Kerberos 5 context.
1835  * @param id a credential cache
1836  * @param offset the offset in seconds
1837  *
1838  * @return Return an error code or 0, see krb5_get_error_message().
1839  *
1840  * @ingroup krb5_ccache
1841  */
1842 
1843 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_kdc_offset(krb5_context context,krb5_ccache id,krb5_deltat * offset)1844 krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
1845 {
1846     if (id->ops->get_kdc_offset == NULL) {
1847 	*offset = context->kdc_sec_offset;
1848 	return 0;
1849     }
1850     return (*id->ops->get_kdc_offset)(context, id, offset);
1851 }
1852 
1853 #ifdef _WIN32
1854 #define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5"
1855 
1856 static char *
_get_default_cc_name_from_registry(krb5_context context,HKEY hkBase)1857 _get_default_cc_name_from_registry(krb5_context context, HKEY hkBase)
1858 {
1859     HKEY hk_k5 = 0;
1860     LONG code;
1861     char *ccname = NULL;
1862 
1863     code = RegOpenKeyEx(hkBase,
1864                         REGPATH_MIT_KRB5,
1865                         0, KEY_READ, &hk_k5);
1866 
1867     if (code != ERROR_SUCCESS)
1868         return NULL;
1869 
1870     ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
1871                                              REG_NONE, 0);
1872 
1873     RegCloseKey(hk_k5);
1874 
1875     return ccname;
1876 }
1877 
1878 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
_krb5_get_default_cc_name_from_registry(krb5_context context)1879 _krb5_get_default_cc_name_from_registry(krb5_context context)
1880 {
1881     char *ccname;
1882 
1883     ccname = _get_default_cc_name_from_registry(context, HKEY_CURRENT_USER);
1884     if (ccname == NULL)
1885 	ccname = _get_default_cc_name_from_registry(context,
1886 						    HKEY_LOCAL_MACHINE);
1887 
1888     return ccname;
1889 }
1890 
1891 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
_krb5_set_default_cc_name_to_registry(krb5_context context,krb5_ccache id)1892 _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
1893 {
1894     HKEY hk_k5 = 0;
1895     LONG code;
1896     int ret = -1;
1897     char * ccname = NULL;
1898 
1899     code = RegOpenKeyEx(HKEY_CURRENT_USER,
1900                         REGPATH_MIT_KRB5,
1901                         0, KEY_READ|KEY_WRITE, &hk_k5);
1902 
1903     if (code != ERROR_SUCCESS)
1904         return -1;
1905 
1906     ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id));
1907     if (ret < 0)
1908         goto cleanup;
1909 
1910     ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
1911                                           REG_SZ, ccname, -1, 0);
1912 
1913   cleanup:
1914 
1915     if (ccname)
1916         free(ccname);
1917 
1918     RegCloseKey(hk_k5);
1919 
1920     return ret;
1921 }
1922 #endif
1923