Next: Key table functions Up: libkrb5.a functions Previous: Credentials cache functions   Contents   Index

Replay cache functions

The replay cache functions deal with verifying that AP_REQ's do not contain duplicate authenticators; the storage must be non-volatile for the site-determined validity period of authenticators.

Each replay cache has a string ``name'' associated with it. The use of this name is dependent on the underlying caching strategy (for file-based things, it would be a cache file name). The caching strategy uses non-volatile storage so that replay integrity can be maintained across system failures.


\begin{funcdecl}{krb5_auth_to_rep}{krb5_error_code}{\funcinout}
\funcarg{krb5_co...
..._tkt_authent *}{auth}
\funcout
\funcarg{krb5_donot_replay *}{rep}
\end{funcdecl}
Extracts the relevant parts of auth and fills them into the structure pointed to by rep. rep->client and rep->server are set to allocated storage and should be freed when *rep is no longer needed.


\begin{funcdecl}{krb5_rc_resolve_full}{krb5_error_code}{\funcinout}
\funcarg{krb...
...\funcarg{krb5_rcache *}{id}
\funcin
\funcarg{char *}{string_name}
\end{funcdecl}

id is filled in to identify a replay cache which corresponds to the name in string_name. The cache is not opened. Requires that string_name be of the form ``type:residual'' and that ``type'' is a type known to the library.

Before the cache can be used, krb5_rc_initialize or krb5_rc_recover must be called.

Errors: error if the name cannot be resolved.


\begin{funcdecl}{krb5_rc_resolve_type}{krb5_error_code}{\funcinout}
\funcarg{krb...
...ntext}
\funcarg{krb5_rcache *}{id}
\funcin
\funcarg{char *}{type}
\end{funcdecl}

NOTE: This is an internal function, which is not necessarily intended for use by application programs. Its interface may change at any time.

Looks up type in the list of known cache types and, if found, attaches the operations to *id, which must have been previously allocated.

If type is not found, KRB5_RC_TYPE_NOTFOUND is returned.


\begin{funcdecl}{krb5_rc_register_type}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rc_ops *}{ops}
\end{funcdecl}
Adds a new replay cache type, implemented and identified by ops, to the set recognized by krb5_rc_resolve. This function requires that a replay cache type with the prefix named in ops->prefix has not been previously registered.


\begin{funcdecl}{krb5_rc_default_name}{char *}{\funcin}
\funcarg{krb5_context}{context}
\end{funcdecl}

Returns the name of the default replay cache; this may be equivalent to getenv("KRB5RCACHE") with an appropriate fallback.


\begin{funcdecl}{krb5_rc_default_type}{char *}{\funcin}
\funcarg{krb5_context}{context}
\end{funcdecl}

Returns the type of the default replay cache.


\begin{funcdecl}{krb5_rc_default}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache *}{id}
\end{funcdecl}

This function returns an unopened replay cache of the default type and default name (as would be returned by krb5_rc_default_type and krb5_rc_default_name). Before the cache can be used, krb5_rc_initialize or krb5_rc_recover must be called.


\begin{funcdecl}{krb5_rc_initialize}{krb5_error_code}{\funcin}
\funcarg{krb5_con...
...t}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_deltat}{auth_lifespan}
\end{funcdecl}

Creates/refreshes the replay cache identified by id and sets its authenticator lifespan to auth_lifespan. If the replay cache already exists, its contents are destroyed.

Errors: permission errors, system errors


\begin{funcdecl}{krb5_rc_recover}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Attempts to recover the replay cache id (presumably after a system crash or server restart).

Errors: error indicating that no cache was found to recover


\begin{funcdecl}{krb5_rc_destroy}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Destroys the replay cache id. Requires that id identifies a valid replay cache.

Errors: permission errors.


\begin{funcdecl}{krb5_rc_close}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Closes the replay cache id, invalidates id, and releases any other resources acquired during use of the replay cache. Requires that id identifies a valid replay cache.

Errors: permission errors


\begin{funcdecl}{krb5_rc_store}{krb5_error_code}{\funcin}
\funcarg{krb5_context}...
...ext}
\funcarg{krb5_rcache}{id}
\funcarg{krb5_donot_replay *}{rep}
\end{funcdecl}
Stores rep in the replay cache id. Requires that id identifies a valid replay cache.

Returns KRB5KRB_AP_ERR_REPEAT if rep is already in the cache. May also return permission errors, storage failure errors.


\begin{funcdecl}{krb5_rc_expunge}{krb5_error_code}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}
Removes all expired replay information (i.e. those entries which are older than the authenticator lifespan of the cache) from the cache id. Requires that id identifies a valid replay cache.

Errors: permission errors.


\begin{funcdecl}{krb5_rc_get_lifespan}{krb5_error_code}{\funcin}
\funcarg{krb5_c...
...{krb5_rcache}{id}
\funcout
\funcarg{krb5_deltat *}{auth_lifespan}
\end{funcdecl}
Fills in auth_lifespan with the lifespan of the cache id. Requires that id identifies a valid replay cache.


\begin{funcdecl}{krb5_rc_resolve}{krb5_error_code}{\funcinout}
\funcarg{krb5_con...
...context}
\funcarg{krb5_rcache}{id}
\funcin
\funcarg{char *}{name}
\end{funcdecl}

Initializes private data attached to id. This function MUST be called before the other per-replay cache functions.

Requires that id points to allocated space, with an initialized id->ops field.

Since krb5_rc_resolve allocates memory, krb5_rc_close must be called to free the allocated memory, even if neither krb5_rc_initialize nor krb5_rc_recover was successfully called by the application.

Returns: allocation errors.


\begin{funcdecl}{krb5_rc_get_name}{char *}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Returns the name (excluding the type) of the rcache id. Requires that id identifies a valid replay cache.


\begin{funcdecl}{krb5_rc_get_type}{char *}{\funcin}
\funcarg{krb5_context}{context}
\funcarg{krb5_rcache}{id}
\end{funcdecl}

Returns the type (excluding the name) of the rcache id. Requires that id identifies a valid replay cache.
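The store/expunge behaviour the functions above describe, as an added example in plain C that is not libkrb5 code: a constructed in-memory model whose record mirrors the krb5_donot_replay fields filled by krb5_auth_to_rep, and whose rc_store and rc_expunge follow the semantics documented for krb5_rc_store (a repeated entry is refused) and krb5_rc_expunge (entries older than the lifespan are dropped). The type and function names, the RC_* codes (libkrb5 returns KRB5KRB_AP_ERR_REPEAT where this model returns RC_ERR_REPEAT) and the principal strings are assumptions of the model.

```c
/* Constructed model of the replay-cache semantics described above; not libkrb5 code. */
#include <stdint.h>
#include <string.h>
#define RC_MAX 64
enum { RC_OK = 0, RC_ERR_REPEAT = 1, RC_ERR_FULL = 2 }; /* stand-ins for the krb5 error codes */
/* Mirrors the fields of krb5_donot_replay that krb5_auth_to_rep fills in. */
typedef struct {
    const char *client, *server;  /* principal names, kept as strings for brevity */
    int32_t cusec, ctime;         /* authenticator microseconds and client time (seconds) */
} donot_replay;
typedef struct {
    donot_replay entries[RC_MAX];
    int count; int32_t auth_lifespan;  /* lifespan in seconds, as set by krb5_rc_initialize */
} rcache;
/* krb5_rc_initialize semantics: existing contents are destroyed and the lifespan is set. */
void rc_initialize(rcache *rc, int32_t lifespan) { rc->count = 0; rc->auth_lifespan = lifespan; }
/* krb5_rc_store semantics: an identical (client, server, ctime, cusec) tuple is a replay. */
int rc_store(rcache *rc, const donot_replay *rep) {
    for (int i = 0; i < rc->count; i++) {
        const donot_replay *e = &rc->entries[i];
        if (e->ctime == rep->ctime && e->cusec == rep->cusec &&
            strcmp(e->client, rep->client) == 0 && strcmp(e->server, rep->server) == 0)
            return RC_ERR_REPEAT;
    }
    if (rc->count == RC_MAX) return RC_ERR_FULL;
    rc->entries[rc->count++] = *rep;
    return RC_OK;
}
/* krb5_rc_expunge semantics: drop entries older than the lifespan; returns the number removed. */
int rc_expunge(rcache *rc, int32_t now) {
    int kept = 0;
    for (int i = 0; i < rc->count; i++)
        if (now - rc->entries[i].ctime <= rc->auth_lifespan)
            rc->entries[kept++] = rc->entries[i];
    int removed = rc->count - kept;
    rc->count = kept;
    return removed;
}

/* Constructed scenario: a repeated authenticator is caught within the lifespan, but once
 * expunged it would be accepted again. Returns 1 only if every step behaved as described. */
int replay_scenario(void) {
    rcache rc;
    donot_replay a = { "alice@EXAMPLE.COM", "host/srv.example.com", 123456, 1000 };
    rc_initialize(&rc, 300);
    int first = rc_store(&rc, &a), second = rc_store(&rc, &a);
    int removed = rc_expunge(&rc, 1000 + 301);  /* now is past ctime + lifespan */
    int third = rc_store(&rc, &a);
    return first == RC_OK && second == RC_ERR_REPEAT && removed == 1 && third == RC_OK;
}
```

The last step of the scenario is the reason the text requires non-volatile storage for the whole site-determined validity period: an entry dropped before the authenticator could still be accepted no longer protects against its replay.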


Autobuild 2009-09-05