doc/api/rcache.tex


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

The replay cache functions deal with verifying that AP_REQ's do not
contain duplicate authenticators; the storage must be non-volatile for
the site-determined validity period of authenticators.

Each replay cache has a string ``name'' associated with it.  The use of
this name is dependent on the underlying caching strategy (for
file-based things, it would be a cache file name).  The
caching strategy uses non-volatile storage so that replay
integrity can be maintained across system failures.

\begin{funcdecl}{krb5_auth_to_rep}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcin
\funcarg{krb5_tkt_authent *}{auth}
\funcout
\funcarg{krb5_donot_replay *}{rep}
\end{funcdecl}
Extract the relevant parts of \funcparam{auth} and fill them into the
structure pointed to by \funcparam{rep}.  \funcparam{rep{\ptsto}client}
and \funcparam{rep{\ptsto}server} are set to allocated storage and
should be freed when \funcparam{*rep} is no longer needed.

\begin{funcdecl}{krb5_rc_resolve_full}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache *}{id}
\funcin
\funcarg{char *}{string_name}
\end{funcdecl}

\begin{sloppypar}
\funcparam{id} is filled in to identify a replay cache which
corresponds to the name in \funcparam{string_name}.  The cache is not opened.
Requires that \funcparam{string_name} be of the form ``type:residual''
and that ``type'' is a type known to the library.
\end{sloppypar}

Before the cache can be used \funcname{krb5_rc_initialize} or
\funcname{krb5_rc_recover} must be called.

Errors: error if cannot resolve name.


\begin{funcdecl}{krb5_rc_resolve_type}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache *}{id}
\funcin
\funcarg{char *}{type}
\end{funcdecl}

\internalfunc

Looks up \funcparam{type} in the list of knows cache types and if found
attaches the operations to \funcparam{*id} which must be previously
allocated. 

If \funcparam{type} is not found, {\sc krb5_rc_type_notfound} is returned.

\begin{funcdecl}{krb5_rc_register_type}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rc_ops *}{ops}
\end{funcdecl}
Adds a new replay cache type implemented and identified by
\funcparam{ops} to the set recognized by
\funcname{krb5_rc_resolve}.  This function requires that a ticket
cache of the type named in 
\funcparam{ops{\ptsto}prefix} has not been previously registered.


\begin{funcdecl}{krb5_rc_default_name}{char *}{\funcin}
\funcarg{krb5_context}{context}
\end{funcdecl}

\begin{sloppypar}
Returns  the name of the default replay cache; this may be equivalent to
\funcnamenoparens{getenv}({\tt "KRB5RCACHE"}) with an appropriate fallback.
\end{sloppypar}

\begin{funcdecl}{krb5_rc_default_type}{char *}{\funcin}
\funcarg{krb5_context}{context}
\end{funcdecl}

Returns the type of the default replay cache.

\begin{funcdecl}{krb5_rc_default}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache *}{id}
\end{funcdecl}

This function returns an unopened replay cache of the default type and
default name (as would be returned by \funcname{krb5_rc_default_type}
and \funcname{krb5_rc_default_name}).  Before the cache can be used
\funcname{krb5_rc_initialize} or \funcname{krb5_rc_recover} must be
called.


\begin{funcdecl}{krb5_rc_initialize}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_deltat}{auth_lifespan}
\end{funcdecl}

Creates/refreshes the replay cache identified by \funcparam{id} and sets its
authenticator lifespan to \funcparam{auth_lifespan}.  If the 
replay cache already exists, its contents are destroyed.

Errors: permission errors, system errors

\begin{funcdecl}{krb5_rc_recover}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Attempts to recover the replay cache \funcparam{id}, (presumably after a
system crash or server restart).

Errors: error indicating that no cache was found to recover

\begin{funcdecl}{krb5_rc_destroy}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Destroys the replay cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

Errors: permission errors.

\begin{funcdecl}{krb5_rc_close}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Closes the replay cache \funcparam{id}, invalidates \funcparam{id},
and releases any other resources acquired during use of the replay cache.
Requires that \funcparam{id} identifies a valid replay cache.

Errors: permission errors

\begin{funcdecl}{krb5_rc_store}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_donot_replay *}{rep}
\end{funcdecl}
Stores \funcparam{rep} in the replay cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

Returns KRB5KRB_AP_ERR_REPEAT if \funcparam{rep} is already in the
cache.  May also return permission errors, storage failure errors.

\begin{funcdecl}{krb5_rc_expunge}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Removes all expired replay information (i.e. those entries which are
older than then authenticator lifespan of the cache) from the cache
\funcparam{id}.  Requires that \funcparam{id} identifies a valid replay
cache.

Errors: permission errors.

\begin{funcdecl}{krb5_rc_get_lifespan}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\funcout
\funcarg{krb5_deltat *}{auth_lifespan}
\end{funcdecl}
Fills in \funcparam{auth_lifespan} with the lifespan of
the cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

\begin{funcdecl}{krb5_rc_resolve}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\funcin
\funcarg{char *}{name}
\end{funcdecl}

Initializes private data attached to \funcparam{id}.  This function MUST
be called before the other per-replay cache functions.

Requires that \funcparam{id} points to allocated space, with an
initialized \funcparam{id{\ptsto}ops} field.

Since \funcname{krb5_rc_resolve} allocates memory,
\funcname{krb5_rc_close} must be called to free the allocated memory,
even if neither \funcname{krb5_rc_initialize} or
\funcname{krb5_rc_recover} were successfully called by the application.

Returns:  allocation errors.


\begin{funcdecl}{krb5_rc_get_name}{char *}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Returns the name (excluding the type) of the rcache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

\begin{funcdecl}{krb5_rc_get_type}{char *}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Returns the type (excluding the name) of the rcache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.