contain duplicate authenticators; the storage must be non-volatile for
the site-determined validity period of authenticators.
+Each replay cache has a string ``name'' associated with it. The use of
+this name is dependent on the underlying caching strategy (for
+file-based things, it would be a cache file name). The
+caching strategy should use non-volatile storage so that replay
+integrity can be maintained across system failures.
+
+\subsubsection{Per-type functions}
+The following entry points must be implemented for each type of
+credentials cache.
+
+\begin{funcdecl}{krb5_rc_initialize}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\funcarg{krb5_deltat}{auth_lifespan}
+\end{funcdecl}
+
+Creates/refreshes the replay cache identified by \funcparam{id} and sets its
+authenticator lifespan to \funcparam{auth_lifespan}. If the
+replay cache already exists, its contents are destroyed.
+
+Errors: permission errors, system errors
+
+\begin{funcdecl}{krb5_rc_recover}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+Attempts to recover the replay cache \funcparam{id}, (presumably after a
+system crash or server restart).
+
+Errors: error indicating that no cache was found to recover
+
+\begin{funcdecl}{krb5_rc_destroy}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+
+Destroys the replay cache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+Errors: permission errors.
+
+\begin{funcdecl}{krb5_rc_close}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+
+Closes the replay cache \funcparam{id}, invalidates \funcparam{id},
+and releases any other resources acquired during use of the replay cache.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+Errors: permission errors
+
+\begin{funcdecl}{krb5_rc_store}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\funcarg{krb5_tkt_authent *}{tkt_auth}
+\end{funcdecl}
+Stores \funcparam{tkt_auth} in the replay cache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+Returns KRB5KRB_AP_ERR_REPEAT if \funcparam{tkt_auth} is already in the
+cache. May also return permission errors, storage failure errors.
+
+\begin{funcdecl}{krb5_rc_expunge}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+Removes all expired replay information (i.e. those entries which are
+older than then authenticator lifespan of the cache) from the cache
+\funcparam{id}. Requires that \funcparam{id} identifies a valid replay
+cache.
+
+Errors: permission errors.
+
+\begin{funcdecl}{krb5_rc_get_lifespan}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\funcout
+\funcarg{krb5_deltat *}{auth_lifespan}
+\end{funcdecl}
+Fills in \funcparam{auth_lifespan} with the lifespan of
+the cache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+\begin{funcdecl}{krb5_rc_resolve}{krb5_error_code}{\funcinout}
+\funcarg{krb5_rcache}{id}
+\funcin
+\funcarg{char *}{name}
+\end{funcdecl}
+
+Initializes private data attached to \funcparam{id}. This function MUST
+be called before the other per-replay cache functions.
+
+Requires that \funcparam{id} points to allocated space, with an
+initialized \funcparam{id{\ptsto}ops} field.
+
+Returns: allocation errors.
+
+
+\begin{funcdecl}{krb5_rc_get_name}{char *}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+
+Returns the name (excluding the type) of the rcache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+\subsubsection{Glue functions}
+The following functions are implemented in the base library and serve to
+glue together the various types of replay caches.
+
+\begin{funcdecl}{krb5_rc_resolve_full}{krb5_error_code}{\funcinout}
+\funcarg{krb5_rcache *}{id}
+\funcin
+\funcarg{char *}{string_name}
+\end{funcdecl}
+
+\funcparam{id} is filled in to identify a replay cache which
+corresponds to the name in \funcparam{string_name}. The cache is not opened.
+Requires that \funcparam{string_name} be of the form ``type:residual''
+and that ``type'' is a type known to the library.
+
+Errors: error if cannot resolve name.
+
+\begin{funcdecl}{krb5_rc_register_type}{krb5_error_code}{\funcin}
+\funcarg{krb5_rc_ops *}{ops}
+\end{funcdecl}
+Adds a new replay cache type implemented and identified by
+\funcparam{ops} to the set recognized by
+\funcname{krb5_rc_resolve}. Requires that a ticket cache type named
+\funcparam{ops{\ptsto}prefix} is not yet known.
+
+
+\begin{funcdecl}{krb5_rc_default_name}{char *}{\funcvoid}
+\end{funcdecl}
+Returns the name of the default replay cache; this may be equivalent to
+\funcnamenoparens{getenv}({\tt "KRB5RCACHE"}) with an appropriate fallback.
+
+\begin{funcdecl}{krb5_rc_default_type}{char *}{\funcvoid}
+\end{funcdecl}
+
+Returns the type of the default replay cache.
+
+\begin{funcdecl}{krb5_rc_default}{krb5_error_code}{\funcinout}
+\funcarg{krb5_rcache *}{id}
+\end{funcdecl}
+Equivalent to \funcnamenoparens{krb5_rc_resolve_full}(\funcparam{id},
+\funcnamenoparens{strcat}(\funcnamenoparens{strcat}(\funcname{krb5_rc_default_type},``:''),
+\funcname{krb5_rc_default_name})) (except of course you can't do the
+strcat's with the return values\ldots).
contain duplicate authenticators; the storage must be non-volatile for
the site-determined validity period of authenticators.
+Each replay cache has a string ``name'' associated with it. The use of
+this name is dependent on the underlying caching strategy (for
+file-based things, it would be a cache file name). The
+caching strategy should use non-volatile storage so that replay
+integrity can be maintained across system failures.
+
+\subsubsection{Per-type functions}
+The following entry points must be implemented for each type of
+credentials cache.
+
+\begin{funcdecl}{krb5_rc_initialize}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\funcarg{krb5_deltat}{auth_lifespan}
+\end{funcdecl}
+
+Creates/refreshes the replay cache identified by \funcparam{id} and sets its
+authenticator lifespan to \funcparam{auth_lifespan}. If the
+replay cache already exists, its contents are destroyed.
+
+Errors: permission errors, system errors
+
+\begin{funcdecl}{krb5_rc_recover}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+Attempts to recover the replay cache \funcparam{id}, (presumably after a
+system crash or server restart).
+
+Errors: error indicating that no cache was found to recover
+
+\begin{funcdecl}{krb5_rc_destroy}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+
+Destroys the replay cache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+Errors: permission errors.
+
+\begin{funcdecl}{krb5_rc_close}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+
+Closes the replay cache \funcparam{id}, invalidates \funcparam{id},
+and releases any other resources acquired during use of the replay cache.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+Errors: permission errors
+
+\begin{funcdecl}{krb5_rc_store}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\funcarg{krb5_tkt_authent *}{tkt_auth}
+\end{funcdecl}
+Stores \funcparam{tkt_auth} in the replay cache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+Returns KRB5KRB_AP_ERR_REPEAT if \funcparam{tkt_auth} is already in the
+cache. May also return permission errors, storage failure errors.
+
+\begin{funcdecl}{krb5_rc_expunge}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+Removes all expired replay information (i.e. those entries which are
+older than then authenticator lifespan of the cache) from the cache
+\funcparam{id}. Requires that \funcparam{id} identifies a valid replay
+cache.
+
+Errors: permission errors.
+
+\begin{funcdecl}{krb5_rc_get_lifespan}{krb5_error_code}{\funcin}
+\funcarg{krb5_rcache}{id}
+\funcout
+\funcarg{krb5_deltat *}{auth_lifespan}
+\end{funcdecl}
+Fills in \funcparam{auth_lifespan} with the lifespan of
+the cache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+\begin{funcdecl}{krb5_rc_resolve}{krb5_error_code}{\funcinout}
+\funcarg{krb5_rcache}{id}
+\funcin
+\funcarg{char *}{name}
+\end{funcdecl}
+
+Initializes private data attached to \funcparam{id}. This function MUST
+be called before the other per-replay cache functions.
+
+Requires that \funcparam{id} points to allocated space, with an
+initialized \funcparam{id{\ptsto}ops} field.
+
+Returns: allocation errors.
+
+
+\begin{funcdecl}{krb5_rc_get_name}{char *}{\funcin}
+\funcarg{krb5_rcache}{id}
+\end{funcdecl}
+
+Returns the name (excluding the type) of the rcache \funcparam{id}.
+Requires that \funcparam{id} identifies a valid replay cache.
+
+\subsubsection{Glue functions}
+The following functions are implemented in the base library and serve to
+glue together the various types of replay caches.
+
+\begin{funcdecl}{krb5_rc_resolve_full}{krb5_error_code}{\funcinout}
+\funcarg{krb5_rcache *}{id}
+\funcin
+\funcarg{char *}{string_name}
+\end{funcdecl}
+
+\funcparam{id} is filled in to identify a replay cache which
+corresponds to the name in \funcparam{string_name}. The cache is not opened.
+Requires that \funcparam{string_name} be of the form ``type:residual''
+and that ``type'' is a type known to the library.
+
+Errors: error if cannot resolve name.
+
+\begin{funcdecl}{krb5_rc_register_type}{krb5_error_code}{\funcin}
+\funcarg{krb5_rc_ops *}{ops}
+\end{funcdecl}
+Adds a new replay cache type implemented and identified by
+\funcparam{ops} to the set recognized by
+\funcname{krb5_rc_resolve}. Requires that a ticket cache type named
+\funcparam{ops{\ptsto}prefix} is not yet known.
+
+
+\begin{funcdecl}{krb5_rc_default_name}{char *}{\funcvoid}
+\end{funcdecl}
+Returns the name of the default replay cache; this may be equivalent to
+\funcnamenoparens{getenv}({\tt "KRB5RCACHE"}) with an appropriate fallback.
+
+\begin{funcdecl}{krb5_rc_default_type}{char *}{\funcvoid}
+\end{funcdecl}
+
+Returns the type of the default replay cache.
+
+\begin{funcdecl}{krb5_rc_default}{krb5_error_code}{\funcinout}
+\funcarg{krb5_rcache *}{id}
+\end{funcdecl}
+Equivalent to \funcnamenoparens{krb5_rc_resolve_full}(\funcparam{id},
+\funcnamenoparens{strcat}(\funcnamenoparens{strcat}(\funcname{krb5_rc_default_type},``:''),
+\funcname{krb5_rc_default_name})) (except of course you can't do the
+strcat's with the return values\ldots).