1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
The replay cache functions deal with verifying that AP_REQ's do not
contain duplicate authenticators; the storage must be non-volatile for
the site-determined validity period of authenticators.
Each replay cache has a string ``name'' associated with it. The use of
this name is dependent on the underlying caching strategy (for
file-based things, it would be a cache file name). The
caching strategy should use non-volatile storage so that replay
integrity can be maintained across system failures.
\subsubsection{Per-type functions}
The following entry points must be implemented for each type of
credentials cache.
\begin{funcdecl}{krb5_rc_initialize}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_deltat}{auth_lifespan}
\end{funcdecl}
Creates/refreshes the replay cache identified by \funcparam{id} and sets its
authenticator lifespan to \funcparam{auth_lifespan}. If the
replay cache already exists, its contents are destroyed.
Errors: permission errors, system errors
\begin{funcdecl}{krb5_rc_recover}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Attempts to recover the replay cache \funcparam{id}, (presumably after a
system crash or server restart).
Errors: error indicating that no cache was found to recover
\begin{funcdecl}{krb5_rc_destroy}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Destroys the replay cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.
Errors: permission errors.
\begin{funcdecl}{krb5_rc_close}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Closes the replay cache \funcparam{id}, invalidates \funcparam{id},
and releases any other resources acquired during use of the replay cache.
Requires that \funcparam{id} identifies a valid replay cache.
Errors: permission errors
\begin{funcdecl}{krb5_rc_store}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_dont_replay *}{rep}
\end{funcdecl}
Stores \funcparam{rep} in the replay cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.
Returns KRB5KRB_AP_ERR_REPEAT if \funcparam{rep} is already in the
cache. May also return permission errors, storage failure errors.
\begin{funcdecl}{krb5_rc_expunge}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Removes all expired replay information (i.e. those entries which are
older than then authenticator lifespan of the cache) from the cache
\funcparam{id}. Requires that \funcparam{id} identifies a valid replay
cache.
Errors: permission errors.
\begin{funcdecl}{krb5_rc_get_lifespan}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\funcout
\funcarg{krb5_deltat *}{auth_lifespan}
\end{funcdecl}
Fills in \funcparam{auth_lifespan} with the lifespan of
the cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.
\begin{funcdecl}{krb5_rc_resolve}{krb5_error_code}{\funcinout}
\funcarg{krb5_rcache}{id}
\funcin
\funcarg{char *}{name}
\end{funcdecl}
Initializes private data attached to \funcparam{id}. This function MUST
be called before the other per-replay cache functions.
Requires that \funcparam{id} points to allocated space, with an
initialized \funcparam{id{\ptsto}ops} field.
Since \funcname{krb5_rc_resolve} allocates memory,
\funcname{krb5_rc_close} must be called to free the allocated memory,
even if neither \funcname{krb5_rc_initialize} or
\funcname{krb5_rc_recover} were successfully called by the application.
Returns: allocation errors.
\begin{funcdecl}{krb5_rc_get_name}{char *}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Returns the name (excluding the type) of the rcache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.
\subsubsection{Glue functions}
The following functions are implemented in the base library and serve to
glue together the various types of replay caches.
\begin{funcdecl}{krb5_rc_resolve_full}{krb5_error_code}{\funcinout}
\funcarg{krb5_rcache *}{id}
\funcin
\funcarg{char *}{string_name}
\end{funcdecl}
\funcparam{id} is filled in to identify a replay cache which
corresponds to the name in \funcparam{string_name}. The cache is not opened.
Requires that \funcparam{string_name} be of the form ``type:residual''
and that ``type'' is a type known to the library.
Errors: error if cannot resolve name.
\begin{funcdecl}{krb5_rc_register_type}{krb5_error_code}{\funcin}
\funcarg{krb5_rc_ops *}{ops}
\end{funcdecl}
Adds a new replay cache type implemented and identified by
\funcparam{ops} to the set recognized by
\funcname{krb5_rc_resolve}. Requires that a ticket cache type named
\funcparam{ops{\ptsto}prefix} is not yet known.
\begin{funcdecl}{krb5_rc_default_name}{char *}{\funcvoid}
\end{funcdecl}
Returns the name of the default replay cache; this may be equivalent to
\funcnamenoparens{getenv}({\tt "KRB5RCACHE"}) with an appropriate fallback.
\begin{funcdecl}{krb5_rc_default_type}{char *}{\funcvoid}
\end{funcdecl}
Returns the type of the default replay cache.
\begin{funcdecl}{krb5_rc_default}{krb5_error_code}{\funcinout}
\funcarg{krb5_rcache *}{id}
\end{funcdecl}
Equivalent to \funcnamenoparens{krb5_rc_resolve_full}(\funcparam{id},
\funcnamenoparens{strcat}(\funcnamenoparens{strcat}(\funcname{krb5_rc_default_type},``:''),
\funcname{krb5_rc_default_name})) (except of course you can't do the
strcat's with the return values\ldots).
|
