The replay cache functions deal with verifying that AP_REQ's do not
contain duplicate authenticators; the storage must be non-volatile for
the site-determined validity period of authenticators.

Each replay cache has a string ``name'' associated with it.  The use of
this name is dependent on the underlying caching strategy (for
file-based things, it would be a cache file name).  The
caching strategy should use non-volatile storage so that replay
integrity can be maintained across system failures.

\subsubsection{Per-type functions}
The following entry points must be implemented for each type of
credentials cache.

\begin{funcdecl}{krb5_rc_initialize}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_deltat}{auth_lifespan}
\end{funcdecl}

Creates/refreshes the replay cache identified by \funcparam{id} and sets its
authenticator lifespan to \funcparam{auth_lifespan}.  If the 
replay cache already exists, its contents are destroyed.

Errors: permission errors, system errors

\begin{funcdecl}{krb5_rc_recover}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Attempts to recover the replay cache \funcparam{id}, (presumably after a
system crash or server restart).

Errors: error indicating that no cache was found to recover

\begin{funcdecl}{krb5_rc_destroy}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Destroys the replay cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

Errors: permission errors.

\begin{funcdecl}{krb5_rc_close}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Closes the replay cache \funcparam{id}, invalidates \funcparam{id},
and releases any other resources acquired during use of the replay cache.
Requires that \funcparam{id} identifies a valid replay cache.

Errors: permission errors

\begin{funcdecl}{krb5_rc_store}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_donot_replay *}{rep}
\end{funcdecl}
Stores \funcparam{rep} in the replay cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

Returns KRB5KRB_AP_ERR_REPEAT if \funcparam{rep} is already in the
cache.  May also return permission errors, storage failure errors.

\begin{funcdecl}{krb5_rc_expunge}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Removes all expired replay information (i.e. those entries which are
older than then authenticator lifespan of the cache) from the cache
\funcparam{id}.  Requires that \funcparam{id} identifies a valid replay
cache.

Errors: permission errors.

\begin{funcdecl}{krb5_rc_get_lifespan}{krb5_error_code}{\funcin}
\funcarg{krb5_rcache}{id}
\funcout
\funcarg{krb5_deltat *}{auth_lifespan}
\end{funcdecl}
Fills in \funcparam{auth_lifespan} with the lifespan of
the cache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

\begin{funcdecl}{krb5_rc_resolve}{krb5_error_code}{\funcinout}
\funcarg{krb5_rcache}{id}
\funcin
\funcarg{char *}{name}
\end{funcdecl}

Initializes private data attached to \funcparam{id}.  This function MUST
be called before the other per-replay cache functions.

Requires that \funcparam{id} points to allocated space, with an
initialized \funcparam{id{\ptsto}ops} field.

Since \funcname{krb5_rc_resolve} allocates memory,
\funcname{krb5_rc_close} must be called to free the allocated memory,
even if neither \funcname{krb5_rc_initialize} or
\funcname{krb5_rc_recover} were successfully called by the application.

Returns:  allocation errors.


\begin{funcdecl}{krb5_rc_get_name}{char *}{\funcin}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Returns the name (excluding the type) of the rcache \funcparam{id}.
Requires that \funcparam{id} identifies a valid replay cache.

\subsubsection{Glue functions}
The following functions are implemented in the base library and serve to
glue together the various types of replay caches.

\begin{funcdecl}{krb5_rc_resolve_full}{krb5_error_code}{\funcinout}
\funcarg{krb5_rcache *}{id}
\funcin
\funcarg{char *}{string_name}
\end{funcdecl}

\funcparam{id} is filled in to identify a replay cache which
corresponds to the name in \funcparam{string_name}.  The cache is not opened.
Requires that \funcparam{string_name} be of the form ``type:residual''
and that ``type'' is a type known to the library.

Errors: error if cannot resolve name.

\begin{funcdecl}{krb5_rc_register_type}{krb5_error_code}{\funcin}
\funcarg{krb5_rc_ops *}{ops}
\end{funcdecl}
Adds a new replay cache type implemented and identified by
\funcparam{ops} to the set recognized by
\funcname{krb5_rc_resolve}.  Requires that a ticket cache type named
\funcparam{ops{\ptsto}prefix} is not yet known.


\begin{funcdecl}{krb5_rc_default_name}{char *}{\funcvoid}
\end{funcdecl}
Returns  the name of the default replay cache; this may be equivalent to
\funcnamenoparens{getenv}({\tt "KRB5RCACHE"}) with an appropriate fallback.

\begin{funcdecl}{krb5_rc_default_type}{char *}{\funcvoid}
\end{funcdecl}

Returns the type of the default replay cache.

\begin{funcdecl}{krb5_rc_default}{krb5_error_code}{\funcinout}
\funcarg{krb5_rcache *}{id}
\end{funcdecl}

Equivalent to:
\begin{verbatim}
krb5_rc_resolve_full(id, 
                     strcat(strcat(krb5_rc_default_type(),``:''),
                                   krb5_rc_default_name)) ;
\end{verbatim}
Except of course you can't do the strcat's with the return values.