Context Navigation

get_cred.c

Last change on this file was 1, checked in by Paul Smedley, 10 years ago
Initial commit of Heimdal 1.5.3
File size: 39.1 KB

Line
1	/*
2	* Copyright (c) 1997 - 2008 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in the
17	* documentation and/or other materials provided with the distribution.
18	*
19	* 3. Neither the name of the Institute nor the names of its contributors
20	* may be used to endorse or promote products derived from this software
21	* without specific prior written permission.
22	*
23	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33	* SUCH DAMAGE.
34	*/
35
36	#include "krb5_locl.h"
37	#include <assert.h>
38
39	static krb5_error_code
40	get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
41	krb5_ccache, krb5_creds *, krb5_principal,
42	Ticket , krb5_creds , krb5_creds **);
43
44	/*
45	* Take the `body' and encode it into `padata' using the credentials
46	* in `creds'.
47	*/
48
49	static krb5_error_code
50	make_pa_tgs_req(krb5_context context,
51	krb5_auth_context ac,
52	KDC_REQ_BODY *body,
53	PA_DATA *padata,
54	krb5_creds *creds)
55	{
56	u_char *buf;
57	size_t buf_size;
58	size_t len = 0;
59	krb5_data in_data;
60	krb5_error_code ret;
61
62	ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
63	if (ret)
64	goto out;
65	if(buf_size != len)
66	krb5_abortx(context, "internal error in ASN.1 encoder");
67
68	in_data.length = len;
69	in_data.data = buf;
70	ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
71	&padata->padata_value,
72	KRB5_KU_TGS_REQ_AUTH_CKSUM,
73	KRB5_KU_TGS_REQ_AUTH);
74	out:
75	free (buf);
76	if(ret)
77	return ret;
78	padata->padata_type = KRB5_PADATA_TGS_REQ;
79	return 0;
80	}
81
82	/*
83	* Set the `enc-authorization-data' in `req_body' based on `authdata'
84	*/
85
86	static krb5_error_code
87	set_auth_data (krb5_context context,
88	KDC_REQ_BODY *req_body,
89	krb5_authdata *authdata,
90	krb5_keyblock *subkey)
91	{
92	if(authdata->len) {
93	size_t len = 0, buf_size;
94	unsigned char *buf;
95	krb5_crypto crypto;
96	krb5_error_code ret;
97
98	ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata,
99	&len, ret);
100	if (ret)
101	return ret;
102	if (buf_size != len)
103	krb5_abortx(context, "internal error in ASN.1 encoder");
104
105	ALLOC(req_body->enc_authorization_data, 1);
106	if (req_body->enc_authorization_data == NULL) {
107	free (buf);
108	krb5_set_error_message(context, ENOMEM,
109	N_("malloc: out of memory", ""));
110	return ENOMEM;
111	}
112	ret = krb5_crypto_init(context, subkey, 0, &crypto);
113	if (ret) {
114	free (buf);
115	free (req_body->enc_authorization_data);
116	req_body->enc_authorization_data = NULL;
117	return ret;
118	}
119	krb5_encrypt_EncryptedData(context,
120	crypto,
121	KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
122	buf,
123	len,
124	0,
125	req_body->enc_authorization_data);
126	free (buf);
127	krb5_crypto_destroy(context, crypto);
128	} else {
129	req_body->enc_authorization_data = NULL;
130	}
131	return 0;
132	}
133
134	/*
135	* Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
136	* (if not-NULL), `in_creds', `krbtgt', and returning the generated
137	* subkey in `subkey'.
138	*/
139
140	static krb5_error_code
141	init_tgs_req (krb5_context context,
142	krb5_ccache ccache,
143	krb5_addresses *addresses,
144	krb5_kdc_flags flags,
145	Ticket *second_ticket,
146	krb5_creds *in_creds,
147	krb5_creds *krbtgt,
148	unsigned nonce,
149	const METHOD_DATA *padata,
150	krb5_keyblock **subkey,
151	TGS_REQ *t)
152	{
153	krb5_auth_context ac = NULL;
154	krb5_error_code ret = 0;
155
156	memset(t, 0, sizeof(*t));
157	t->pvno = 5;
158	t->msg_type = krb_tgs_req;
159	if (in_creds->session.keytype) {
160	ALLOC_SEQ(&t->req_body.etype, 1);
161	if(t->req_body.etype.val == NULL) {
162	ret = ENOMEM;
163	krb5_set_error_message(context, ret,
164	N_("malloc: out of memory", ""));
165	goto fail;
166	}
167	t->req_body.etype.val[0] = in_creds->session.keytype;
168	} else {
169	ret = _krb5_init_etype(context,
170	KRB5_PDU_TGS_REQUEST,
171	&t->req_body.etype.len,
172	&t->req_body.etype.val,
173	NULL);
174	}
175	if (ret)
176	goto fail;
177	t->req_body.addresses = addresses;
178	t->req_body.kdc_options = flags.b;
179	t->req_body.kdc_options.forwardable = krbtgt->flags.b.forwardable;
180	t->req_body.kdc_options.renewable = krbtgt->flags.b.renewable;
181	t->req_body.kdc_options.proxiable = krbtgt->flags.b.proxiable;
182	ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
183	if (ret)
184	goto fail;
185	ALLOC(t->req_body.sname, 1);
186	if (t->req_body.sname == NULL) {
187	ret = ENOMEM;
188	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
189	goto fail;
190	}
191
192	/* some versions of some code might require that the client be
193	present in TGS-REQs, but this is clearly against the spec */
194
195	ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
196	if (ret)
197	goto fail;
198
199	if (krbtgt->times.starttime) {
200	ALLOC(t->req_body.from, 1);
201	if(t->req_body.from == NULL){
202	ret = krb5_enomem(context);
203	goto fail;
204	}
205	*t->req_body.from = in_creds->times.starttime;
206	}
207
208	/* req_body.till should be NULL if there is no endtime specified,
209	but old MIT code (like DCE secd) doesn't like that */
210	ALLOC(t->req_body.till, 1);
211	if(t->req_body.till == NULL){
212	ret = ENOMEM;
213	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
214	goto fail;
215	}
216	*t->req_body.till = in_creds->times.endtime;
217
218	if (t->req_body.kdc_options.renewable && krbtgt->times.renew_till) {
219	ALLOC(t->req_body.rtime, 1);
220	if(t->req_body.rtime == NULL){
221	ret = krb5_enomem(context);
222	goto fail;
223	}
224	*t->req_body.rtime = in_creds->times.renew_till;
225	}
226
227	t->req_body.nonce = nonce;
228	if(second_ticket){
229	ALLOC(t->req_body.additional_tickets, 1);
230	if (t->req_body.additional_tickets == NULL) {
231	ret = ENOMEM;
232	krb5_set_error_message(context, ret,
233	N_("malloc: out of memory", ""));
234	goto fail;
235	}
236	ALLOC_SEQ(t->req_body.additional_tickets, 1);
237	if (t->req_body.additional_tickets->val == NULL) {
238	ret = ENOMEM;
239	krb5_set_error_message(context, ret,
240	N_("malloc: out of memory", ""));
241	goto fail;
242	}
243	ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
244	if (ret)
245	goto fail;
246	}
247	ALLOC(t->padata, 1);
248	if (t->padata == NULL) {
249	ret = ENOMEM;
250	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
251	goto fail;
252	}
253	ALLOC_SEQ(t->padata, 1 + padata->len);
254	if (t->padata->val == NULL) {
255	ret = ENOMEM;
256	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
257	goto fail;
258	}
259	{
260	size_t i;
261	for (i = 0; i < padata->len; i++) {
262	ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
263	if (ret) {
264	krb5_set_error_message(context, ret,
265	N_("malloc: out of memory", ""));
266	goto fail;
267	}
268	}
269	}
270
271	ret = krb5_auth_con_init(context, &ac);
272	if(ret)
273	goto fail;
274
275	ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
276	if (ret)
277	goto fail;
278
279	ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
280	ac->local_subkey);
281	if (ret)
282	goto fail;
283
284	ret = make_pa_tgs_req(context,
285	ac,
286	&t->req_body,
287	&t->padata->val[0],
288	krbtgt);
289	if(ret)
290	goto fail;
291
292	ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
293	if (ret)
294	goto fail;
295
296	fail:
297	if (ac)
298	krb5_auth_con_free(context, ac);
299	if (ret) {
300	t->req_body.addresses = NULL;
301	free_TGS_REQ (t);
302	}
303	return ret;
304	}
305
306	krb5_error_code
307	_krb5_get_krbtgt(krb5_context context,
308	krb5_ccache id,
309	krb5_realm realm,
310	krb5_creds **cred)
311	{
312	krb5_error_code ret;
313	krb5_creds tmp_cred;
314
315	memset(&tmp_cred, 0, sizeof(tmp_cred));
316
317	ret = krb5_cc_get_principal(context, id, &tmp_cred.client);
318	if (ret)
319	return ret;
320
321	ret = krb5_make_principal(context,
322	&tmp_cred.server,
323	realm,
324	KRB5_TGS_NAME,
325	realm,
326	NULL);
327	if(ret) {
328	krb5_free_principal(context, tmp_cred.client);
329	return ret;
330	}
331	ret = krb5_get_credentials(context,
332	KRB5_GC_CACHED,
333	id,
334	&tmp_cred,
335	cred);
336	krb5_free_principal(context, tmp_cred.client);
337	krb5_free_principal(context, tmp_cred.server);
338	if(ret)
339	return ret;
340	return 0;
341	}
342
343	/* DCE compatible decrypt proc */
344	static krb5_error_code KRB5_CALLCONV
345	decrypt_tkt_with_subkey (krb5_context context,
346	krb5_keyblock *key,
347	krb5_key_usage usage,
348	krb5_const_pointer skey,
349	krb5_kdc_rep *dec_rep)
350	{
351	const krb5_keyblock *subkey = skey;
352	krb5_error_code ret = 0;
353	krb5_data data;
354	size_t size;
355	krb5_crypto crypto;
356
357	assert(usage == 0);
358
359	krb5_data_zero(&data);
360
361	/*
362	* start out with trying with subkey if we have one
363	*/
364	if (subkey) {
365	ret = krb5_crypto_init(context, subkey, 0, &crypto);
366	if (ret)
367	return ret;
368	ret = krb5_decrypt_EncryptedData (context,
369	crypto,
370	KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
371	&dec_rep->kdc_rep.enc_part,
372	&data);
373	/*
374	* If the is Windows 2000 DC, we need to retry with key usage
375	* 8 when doing ARCFOUR.
376	*/
377	if (ret && subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
378	ret = krb5_decrypt_EncryptedData(context,
379	crypto,
380	8,
381	&dec_rep->kdc_rep.enc_part,
382	&data);
383	}
384	krb5_crypto_destroy(context, crypto);
385	}
386	if (subkey == NULL \|\| ret) {
387	ret = krb5_crypto_init(context, key, 0, &crypto);
388	if (ret)
389	return ret;
390	ret = krb5_decrypt_EncryptedData (context,
391	crypto,
392	KRB5_KU_TGS_REP_ENC_PART_SESSION,
393	&dec_rep->kdc_rep.enc_part,
394	&data);
395	krb5_crypto_destroy(context, crypto);
396	}
397	if (ret)
398	return ret;
399
400	ret = decode_EncASRepPart(data.data,
401	data.length,
402	&dec_rep->enc_part,
403	&size);
404	if (ret)
405	ret = decode_EncTGSRepPart(data.data,
406	data.length,
407	&dec_rep->enc_part,
408	&size);
409	if (ret)
410	krb5_set_error_message(context, ret,
411	N_("Failed to decode encpart in ticket", ""));
412	krb5_data_free (&data);
413	return ret;
414	}
415
416	static krb5_error_code
417	get_cred_kdc(krb5_context context,
418	krb5_ccache id,
419	krb5_kdc_flags flags,
420	krb5_addresses *addresses,
421	krb5_creds *in_creds,
422	krb5_creds *krbtgt,
423	krb5_principal impersonate_principal,
424	Ticket *second_ticket,
425	krb5_creds *out_creds)
426	{
427	TGS_REQ req;
428	krb5_data enc;
429	krb5_data resp;
430	krb5_kdc_rep rep;
431	KRB_ERROR error;
432	krb5_error_code ret;
433	unsigned nonce;
434	krb5_keyblock *subkey = NULL;
435	size_t len = 0;
436	Ticket second_ticket_data;
437	METHOD_DATA padata;
438
439	krb5_data_zero(&resp);
440	krb5_data_zero(&enc);
441	padata.val = NULL;
442	padata.len = 0;
443
444	krb5_generate_random_block(&nonce, sizeof(nonce));
445	nonce &= 0xffffffff;
446
447	if(flags.b.enc_tkt_in_skey && second_ticket == NULL){
448	ret = decode_Ticket(in_creds->second_ticket.data,
449	in_creds->second_ticket.length,
450	&second_ticket_data, &len);
451	if(ret)
452	return ret;
453	second_ticket = &second_ticket_data;
454	}
455
456
457	if (impersonate_principal) {
458	krb5_crypto crypto;
459	PA_S4U2Self self;
460	krb5_data data;
461	void *buf;
462	size_t size = 0;
463
464	self.name = impersonate_principal->name;
465	self.realm = impersonate_principal->realm;
466	self.auth = estrdup("Kerberos");
467
468	ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
469	if (ret) {
470	free(self.auth);
471	goto out;
472	}
473
474	ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
475	if (ret) {
476	free(self.auth);
477	krb5_data_free(&data);
478	goto out;
479	}
480
481	ret = krb5_create_checksum(context,
482	crypto,
483	KRB5_KU_OTHER_CKSUM,
484	0,
485	data.data,
486	data.length,
487	&self.cksum);
488	krb5_crypto_destroy(context, crypto);
489	krb5_data_free(&data);
490	if (ret) {
491	free(self.auth);
492	goto out;
493	}
494
495	ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
496	free(self.auth);
497	free_Checksum(&self.cksum);
498	if (ret)
499	goto out;
500	if (len != size)
501	krb5_abortx(context, "internal asn1 error");
502
503	ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len);
504	if (ret)
505	goto out;
506	}
507
508	ret = init_tgs_req (context,
509	id,
510	addresses,
511	flags,
512	second_ticket,
513	in_creds,
514	krbtgt,
515	nonce,
516	&padata,
517	&subkey,
518	&req);
519	if (ret)
520	goto out;
521
522	ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret);
523	if (ret)
524	goto out;
525	if(enc.length != len)
526	krb5_abortx(context, "internal error in ASN.1 encoder");
527
528	/* don't free addresses */
529	req.req_body.addresses = NULL;
530	free_TGS_REQ(&req);
531
532	/*
533	* Send and receive
534	*/
535	{
536	krb5_sendto_ctx stctx;
537	ret = krb5_sendto_ctx_alloc(context, &stctx);
538	if (ret)
539	return ret;
540	krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
541
542	ret = krb5_sendto_context (context, stctx, &enc,
543	krbtgt->server->name.name_string.val[1],
544	&resp);
545	krb5_sendto_ctx_free(context, stctx);
546	}
547	if(ret)
548	goto out;
549
550	memset(&rep, 0, sizeof(rep));
551	if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
552	unsigned eflags = 0;
553
554	ret = krb5_copy_principal(context,
555	in_creds->client,
556	&out_creds->client);
557	if(ret)
558	goto out2;
559	ret = krb5_copy_principal(context,
560	in_creds->server,
561	&out_creds->server);
562	if(ret)
563	goto out2;
564	/* this should go someplace else */
565	out_creds->times.endtime = in_creds->times.endtime;
566
567	/* XXX should do better testing */
568	if (flags.b.constrained_delegation \|\| impersonate_principal)
569	eflags \|= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
570
571	ret = _krb5_extract_ticket(context,
572	&rep,
573	out_creds,
574	&krbtgt->session,
575	NULL,
576	0,
577	&krbtgt->addresses,
578	nonce,
579	eflags,
580	decrypt_tkt_with_subkey,
581	subkey);
582	out2:
583	krb5_free_kdc_rep(context, &rep);
584	} else if(krb5_rd_error(context, &resp, &error) == 0) {
585	ret = krb5_error_from_rd_error(context, &error, in_creds);
586	krb5_free_error_contents(context, &error);
587	} else if(resp.length > 0 && ((char*)resp.data)[0] == 4) {
588	ret = KRB5KRB_AP_ERR_V4_REPLY;
589	krb5_clear_error_message(context);
590	} else {
591	ret = KRB5KRB_AP_ERR_MSG_TYPE;
592	krb5_clear_error_message(context);
593	}
594
595	out:
596	if (second_ticket == &second_ticket_data)
597	free_Ticket(&second_ticket_data);
598	free_METHOD_DATA(&padata);
599	krb5_data_free(&resp);
600	krb5_data_free(&enc);
601	if(subkey)
602	krb5_free_keyblock(context, subkey);
603	return ret;
604
605	}
606
607	/*
608	* same as above, just get local addresses first if the krbtgt have
609	* them and the realm is not addressless
610	*/
611
612	static krb5_error_code
613	get_cred_kdc_address(krb5_context context,
614	krb5_ccache id,
615	krb5_kdc_flags flags,
616	krb5_addresses *addrs,
617	krb5_creds *in_creds,
618	krb5_creds *krbtgt,
619	krb5_principal impersonate_principal,
620	Ticket *second_ticket,
621	krb5_creds *out_creds)
622	{
623	krb5_error_code ret;
624	krb5_addresses addresses = { 0, NULL };
625
626	/*
627	* Inherit the address-ness of the krbtgt if the address is not
628	* specified.
629	*/
630
631	if (addrs == NULL && krbtgt->addresses.len != 0) {
632	krb5_boolean noaddr;
633
634	krb5_appdefault_boolean(context, NULL, krbtgt->server->realm,
635	"no-addresses", FALSE, &noaddr);
636
637	if (!noaddr) {
638	krb5_get_all_client_addrs(context, &addresses);
639	/* XXX this sucks. */
640	addrs = &addresses;
641	if(addresses.len == 0)
642	addrs = NULL;
643	}
644	}
645	ret = get_cred_kdc(context, id, flags, addrs, in_creds,
646	krbtgt, impersonate_principal,
647	second_ticket, out_creds);
648	krb5_free_addresses(context, &addresses);
649	return ret;
650	}
651
652	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
653	krb5_get_kdc_cred(krb5_context context,
654	krb5_ccache id,
655	krb5_kdc_flags flags,
656	krb5_addresses *addresses,
657	Ticket *second_ticket,
658	krb5_creds *in_creds,
659	krb5_creds **out_creds
660	)
661	{
662	krb5_error_code ret;
663	krb5_creds *krbtgt;
664
665	out_creds = calloc(1, sizeof(*out_creds));
666	if(*out_creds == NULL) {
667	krb5_set_error_message(context, ENOMEM,
668	N_("malloc: out of memory", ""));
669	return ENOMEM;
670	}
671	ret = _krb5_get_krbtgt (context,
672	id,
673	in_creds->server->realm,
674	&krbtgt);
675	if(ret) {
676	free(*out_creds);
677	*out_creds = NULL;
678	return ret;
679	}
680	ret = get_cred_kdc(context, id, flags, addresses,
681	in_creds, krbtgt, NULL, NULL, *out_creds);
682	krb5_free_creds (context, krbtgt);
683	if(ret) {
684	free(*out_creds);
685	*out_creds = NULL;
686	}
687	return ret;
688	}
689
690	static int
691	not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
692	{
693	krb5_error_code ret;
694	char *str;
695
696	ret = krb5_unparse_name(context, p, &str);
697	if(ret) {
698	krb5_clear_error_message(context);
699	return code;
700	}
701	krb5_set_error_message(context, code,
702	N_("Matching credential (%s) not found", ""), str);
703	free(str);
704	return code;
705	}
706
707	static krb5_error_code
708	find_cred(krb5_context context,
709	krb5_ccache id,
710	krb5_principal server,
711	krb5_creds **tgts,
712	krb5_creds *out_creds)
713	{
714	krb5_error_code ret;
715	krb5_creds mcreds;
716
717	krb5_cc_clear_mcred(&mcreds);
718	mcreds.server = server;
719	ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
720	&mcreds, out_creds);
721	if(ret == 0)
722	return 0;
723	while(tgts && *tgts){
724	if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM,
725	&mcreds, *tgts)){
726	ret = krb5_copy_creds_contents(context, *tgts, out_creds);
727	return ret;
728	}
729	tgts++;
730	}
731	return not_found(context, server, KRB5_CC_NOTFOUND);
732	}
733
734	static krb5_error_code
735	add_cred(krb5_context context, krb5_creds const tkt, krb5_creds **tgts)
736	{
737	int i;
738	krb5_error_code ret;
739	krb5_creds *tmp = tgts;
740
741	for(i = 0; tmp && tmp[i]; i++); /* XXX */
742	tmp = realloc(tmp, (i+2)sizeof(tmp));
743	if(tmp == NULL) {
744	krb5_set_error_message(context, ENOMEM,
745	N_("malloc: out of memory", ""));
746	return ENOMEM;
747	}
748	*tgts = tmp;
749	ret = krb5_copy_creds(context, tkt, &tmp[i]);
750	tmp[i+1] = NULL;
751	return ret;
752	}
753
754	static krb5_error_code
755	get_cred_kdc_capath_worker(krb5_context context,
756	krb5_kdc_flags flags,
757	krb5_ccache ccache,
758	krb5_creds *in_creds,
759	krb5_const_realm try_realm,
760	krb5_principal impersonate_principal,
761	Ticket *second_ticket,
762	krb5_creds **out_creds,
763	krb5_creds ***ret_tgts)
764	{
765	krb5_error_code ret;
766	krb5_creds *tgt, tmp_creds;
767	krb5_const_realm client_realm, server_realm;
768	int ok_as_delegate = 1;
769
770	*out_creds = NULL;
771
772	client_realm = krb5_principal_get_realm(context, in_creds->client);
773	server_realm = krb5_principal_get_realm(context, in_creds->server);
774	memset(&tmp_creds, 0, sizeof(tmp_creds));
775	ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
776	if(ret)
777	return ret;
778
779	ret = krb5_make_principal(context,
780	&tmp_creds.server,
781	try_realm,
782	KRB5_TGS_NAME,
783	server_realm,
784	NULL);
785	if(ret){
786	krb5_free_principal(context, tmp_creds.client);
787	return ret;
788	}
789	{
790	krb5_creds tgts;
791
792	ret = find_cred(context, ccache, tmp_creds.server,
793	*ret_tgts, &tgts);
794	if(ret == 0){
795	/* only allow implicit ok_as_delegate if the realm is the clients realm */
796	if (strcmp(try_realm, client_realm) != 0 \|\| strcmp(try_realm, server_realm) != 0)
797	ok_as_delegate = tgts.flags.b.ok_as_delegate;
798
799	out_creds = calloc(1, sizeof(*out_creds));
800	if(*out_creds == NULL) {
801	ret = ENOMEM;
802	krb5_set_error_message(context, ret,
803	N_("malloc: out of memory", ""));
804	} else {
805	ret = get_cred_kdc_address(context, ccache, flags, NULL,
806	in_creds, &tgts,
807	impersonate_principal,
808	second_ticket,
809	*out_creds);
810	if (ret) {
811	free (*out_creds);
812	*out_creds = NULL;
813	} else if (ok_as_delegate == 0)
814	(*out_creds)->flags.b.ok_as_delegate = 0;
815	}
816	krb5_free_cred_contents(context, &tgts);
817	krb5_free_principal(context, tmp_creds.server);
818	krb5_free_principal(context, tmp_creds.client);
819	return ret;
820	}
821	}
822	if(krb5_realm_compare(context, in_creds->client, in_creds->server))
823	return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
824
825	/* XXX this can loop forever */
826	while(1){
827	heim_general_string tgt_inst;
828
829	ret = get_cred_kdc_capath(context, flags, ccache, &tmp_creds,
830	NULL, NULL, &tgt, ret_tgts);
831	if(ret) {
832	krb5_free_principal(context, tmp_creds.server);
833	krb5_free_principal(context, tmp_creds.client);
834	return ret;
835	}
836	/*
837	* if either of the chain or the ok_as_delegate was stripped
838	* by the kdc, make sure we strip it too.
839	*/
840	if (ok_as_delegate == 0 \|\| tgt->flags.b.ok_as_delegate == 0) {
841	ok_as_delegate = 0;
842	tgt->flags.b.ok_as_delegate = 0;
843	}
844
845	ret = add_cred(context, tgt, ret_tgts);
846	if(ret) {
847	krb5_free_principal(context, tmp_creds.server);
848	krb5_free_principal(context, tmp_creds.client);
849	return ret;
850	}
851	tgt_inst = tgt->server->name.name_string.val[1];
852	if(strcmp(tgt_inst, server_realm) == 0)
853	break;
854	krb5_free_principal(context, tmp_creds.server);
855	ret = krb5_make_principal(context, &tmp_creds.server,
856	tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
857	if(ret) {
858	krb5_free_principal(context, tmp_creds.server);
859	krb5_free_principal(context, tmp_creds.client);
860	return ret;
861	}
862	ret = krb5_free_creds(context, tgt);
863	if(ret) {
864	krb5_free_principal(context, tmp_creds.server);
865	krb5_free_principal(context, tmp_creds.client);
866	return ret;
867	}
868	}
869
870	krb5_free_principal(context, tmp_creds.server);
871	krb5_free_principal(context, tmp_creds.client);
872	out_creds = calloc(1, sizeof(*out_creds));
873	if(*out_creds == NULL) {
874	ret = ENOMEM;
875	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
876	} else {
877	ret = get_cred_kdc_address (context, ccache, flags, NULL,
878	in_creds, tgt, impersonate_principal,
879	second_ticket, *out_creds);
880	if (ret) {
881	free (*out_creds);
882	*out_creds = NULL;
883	}
884	}
885	krb5_free_creds(context, tgt);
886	return ret;
887	}
888
889	/*
890	get_cred(server)
891	creds = cc_get_cred(server)
892	if(creds) return creds
893	tgt = cc_get_cred(krbtgt/server_realm@any_realm)
894	if(tgt)
895	return get_cred_tgt(server, tgt)
896	if(client_realm == server_realm)
897	return NULL
898	tgt = get_cred(krbtgt/server_realm@client_realm)
899	while(tgt_inst != server_realm)
900	tgt = get_cred(krbtgt/server_realm@tgt_inst)
901	return get_cred_tgt(server, tgt)
902	*/
903
904	static krb5_error_code
905	get_cred_kdc_capath(krb5_context context,
906	krb5_kdc_flags flags,
907	krb5_ccache ccache,
908	krb5_creds *in_creds,
909	krb5_principal impersonate_principal,
910	Ticket *second_ticket,
911	krb5_creds **out_creds,
912	krb5_creds ***ret_tgts)
913	{
914	krb5_error_code ret;
915	krb5_const_realm client_realm, server_realm, try_realm;
916
917	client_realm = krb5_principal_get_realm(context, in_creds->client);
918	server_realm = krb5_principal_get_realm(context, in_creds->server);
919
920	try_realm = client_realm;
921	ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds, try_realm,
922	impersonate_principal, second_ticket, out_creds,
923	ret_tgts);
924
925	if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
926	try_realm = krb5_config_get_string(context, NULL, "capaths",
927	client_realm, server_realm, NULL);
928
929	if (try_realm != NULL && strcmp(try_realm, client_realm)) {
930	ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds,
931	try_realm, impersonate_principal,
932	second_ticket, out_creds, ret_tgts);
933	}
934	}
935
936	return ret;
937	}
938
939	static krb5_error_code
940	get_cred_kdc_referral(krb5_context context,
941	krb5_kdc_flags flags,
942	krb5_ccache ccache,
943	krb5_creds *in_creds,
944	krb5_principal impersonate_principal,
945	Ticket *second_ticket,
946	krb5_creds **out_creds,
947	krb5_creds ***ret_tgts)
948	{
949	krb5_const_realm client_realm;
950	krb5_error_code ret;
951	krb5_creds tgt, referral, ticket;
952	int loop = 0;
953	int ok_as_delegate = 1;
954
955	if (in_creds->server->name.name_string.len < 2 && !flags.b.canonicalize) {
956	krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
957	N_("Name too short to do referals, skipping", ""));
958	return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
959	}
960
961	memset(&tgt, 0, sizeof(tgt));
962	memset(&ticket, 0, sizeof(ticket));
963
964	flags.b.canonicalize = 1;
965
966	*out_creds = NULL;
967
968	client_realm = krb5_principal_get_realm(context, in_creds->client);
969
970	/* find tgt for the clients base realm */
971	{
972	krb5_principal tgtname;
973
974	ret = krb5_make_principal(context, &tgtname,
975	client_realm,
976	KRB5_TGS_NAME,
977	client_realm,
978	NULL);
979	if(ret)
980	return ret;
981
982	ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt);
983	krb5_free_principal(context, tgtname);
984	if (ret)
985	return ret;
986	}
987
988	referral = *in_creds;
989	ret = krb5_copy_principal(context, in_creds->server, &referral.server);
990	if (ret) {
991	krb5_free_cred_contents(context, &tgt);
992	return ret;
993	}
994	ret = krb5_principal_set_realm(context, referral.server, client_realm);
995	if (ret) {
996	krb5_free_cred_contents(context, &tgt);
997	krb5_free_principal(context, referral.server);
998	return ret;
999	}
1000
1001	while (loop++ < 17) {
1002	krb5_creds **tickets;
1003	krb5_creds mcreds;
1004	char *referral_realm;
1005
1006	/* Use cache if we are not doing impersonation or contrainte deleg */
1007	if (impersonate_principal == NULL \|\| flags.b.constrained_delegation) {
1008	krb5_cc_clear_mcred(&mcreds);
1009	mcreds.server = referral.server;
1010	ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &ticket);
1011	} else
1012	ret = EINVAL;
1013
1014	if (ret) {
1015	ret = get_cred_kdc_address(context, ccache, flags, NULL,
1016	&referral, &tgt, impersonate_principal,
1017	second_ticket, &ticket);
1018	if (ret)
1019	goto out;
1020	}
1021
1022	/* Did we get the right ticket ? */
1023	if (krb5_principal_compare_any_realm(context,
1024	referral.server,
1025	ticket.server))
1026	break;
1027
1028	if (!krb5_principal_is_krbtgt(context, ticket.server)) {
1029	krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
1030	N_("Got back an non krbtgt "
1031	"ticket referrals", ""));
1032	ret = KRB5KRB_AP_ERR_NOT_US;
1033	goto out;
1034	}
1035
1036	referral_realm = ticket.server->name.name_string.val[1];
1037
1038	/* check that there are no referrals loops */
1039	tickets = *ret_tgts;
1040
1041	krb5_cc_clear_mcred(&mcreds);
1042	mcreds.server = ticket.server;
1043
1044	while(tickets && *tickets){
1045	if(krb5_compare_creds(context,
1046	KRB5_TC_DONT_MATCH_REALM,
1047	&mcreds,
1048	*tickets))
1049	{
1050	krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
1051	N_("Referral from %s "
1052	"loops back to realm %s", ""),
1053	tgt.server->realm,
1054	referral_realm);
1055	ret = KRB5_GET_IN_TKT_LOOP;
1056	goto out;
1057	}
1058	tickets++;
1059	}
1060
1061	/*
1062	* if either of the chain or the ok_as_delegate was stripped
1063	* by the kdc, make sure we strip it too.
1064	*/
1065
1066	if (ok_as_delegate == 0 \|\| ticket.flags.b.ok_as_delegate == 0) {
1067	ok_as_delegate = 0;
1068	ticket.flags.b.ok_as_delegate = 0;
1069	}
1070
1071	ret = add_cred(context, &ticket, ret_tgts);
1072	if (ret)
1073	goto out;
1074
1075	/* try realm in the referral */
1076	ret = krb5_principal_set_realm(context,
1077	referral.server,
1078	referral_realm);
1079	krb5_free_cred_contents(context, &tgt);
1080	tgt = ticket;
1081	memset(&ticket, 0, sizeof(ticket));
1082	if (ret)
1083	goto out;
1084	}
1085
1086	ret = krb5_copy_creds(context, &ticket, out_creds);
1087
1088	out:
1089	krb5_free_principal(context, referral.server);
1090	krb5_free_cred_contents(context, &tgt);
1091	krb5_free_cred_contents(context, &ticket);
1092	return ret;
1093	}
1094
1095
1096	/*
1097	* Glue function between referrals version and old client chasing
1098	* codebase.
1099	*/
1100
1101	krb5_error_code
1102	_krb5_get_cred_kdc_any(krb5_context context,
1103	krb5_kdc_flags flags,
1104	krb5_ccache ccache,
1105	krb5_creds *in_creds,
1106	krb5_principal impersonate_principal,
1107	Ticket *second_ticket,
1108	krb5_creds **out_creds,
1109	krb5_creds ***ret_tgts)
1110	{
1111	krb5_error_code ret;
1112	krb5_deltat offset;
1113
1114	ret = krb5_cc_get_kdc_offset(context, ccache, &offset);
1115	if (ret) {
1116	context->kdc_sec_offset = offset;
1117	context->kdc_usec_offset = 0;
1118	}
1119
1120	ret = get_cred_kdc_referral(context,
1121	flags,
1122	ccache,
1123	in_creds,
1124	impersonate_principal,
1125	second_ticket,
1126	out_creds,
1127	ret_tgts);
1128	if (ret == 0 \|\| flags.b.canonicalize)
1129	return ret;
1130	return get_cred_kdc_capath(context,
1131	flags,
1132	ccache,
1133	in_creds,
1134	impersonate_principal,
1135	second_ticket,
1136	out_creds,
1137	ret_tgts);
1138	}
1139
1140
1141	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1142	krb5_get_credentials_with_flags(krb5_context context,
1143	krb5_flags options,
1144	krb5_kdc_flags flags,
1145	krb5_ccache ccache,
1146	krb5_creds *in_creds,
1147	krb5_creds **out_creds)
1148	{
1149	krb5_error_code ret;
1150	krb5_creds **tgts;
1151	krb5_creds *res_creds;
1152	int i;
1153
1154	if (in_creds->session.keytype) {
1155	ret = krb5_enctype_valid(context, in_creds->session.keytype);
1156	if (ret)
1157	return ret;
1158	}
1159
1160	*out_creds = NULL;
1161	res_creds = calloc(1, sizeof(*res_creds));
1162	if (res_creds == NULL) {
1163	krb5_set_error_message(context, ENOMEM,
1164	N_("malloc: out of memory", ""));
1165	return ENOMEM;
1166	}
1167
1168	if (in_creds->session.keytype)
1169	options \|= KRB5_TC_MATCH_KEYTYPE;
1170
1171	/*
1172	* If we got a credential, check if credential is expired before
1173	* returning it.
1174	*/
1175	ret = krb5_cc_retrieve_cred(context,
1176	ccache,
1177	in_creds->session.keytype ?
1178	KRB5_TC_MATCH_KEYTYPE : 0,
1179	in_creds, res_creds);
1180	/*
1181	* If we got a credential, check if credential is expired before
1182	* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
1183	*/
1184	if (ret == 0) {
1185	krb5_timestamp timeret;
1186
1187	/* If expired ok, don't bother checking */
1188	if(options & KRB5_GC_EXPIRED_OK) {
1189	*out_creds = res_creds;
1190	return 0;
1191	}
1192
1193	krb5_timeofday(context, &timeret);
1194	if(res_creds->times.endtime > timeret) {
1195	*out_creds = res_creds;
1196	return 0;
1197	}
1198	if(options & KRB5_GC_CACHED)
1199	krb5_cc_remove_cred(context, ccache, 0, res_creds);
1200
1201	} else if(ret != KRB5_CC_END) {
1202	free(res_creds);
1203	return ret;
1204	}
1205	free(res_creds);
1206	if(options & KRB5_GC_CACHED)
1207	return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
1208
1209	if(options & KRB5_GC_USER_USER)
1210	flags.b.enc_tkt_in_skey = 1;
1211	if (flags.b.enc_tkt_in_skey)
1212	options \|= KRB5_GC_NO_STORE;
1213
1214	tgts = NULL;
1215	ret = _krb5_get_cred_kdc_any(context, flags, ccache,
1216	in_creds, NULL, NULL, out_creds, &tgts);
1217	for(i = 0; tgts && tgts[i]; i++) {
1218	krb5_cc_store_cred(context, ccache, tgts[i]);
1219	krb5_free_creds(context, tgts[i]);
1220	}
1221	free(tgts);
1222	if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
1223	krb5_cc_store_cred(context, ccache, *out_creds);
1224	return ret;
1225	}
1226
1227	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1228	krb5_get_credentials(krb5_context context,
1229	krb5_flags options,
1230	krb5_ccache ccache,
1231	krb5_creds *in_creds,
1232	krb5_creds **out_creds)
1233	{
1234	krb5_kdc_flags flags;
1235	flags.i = 0;
1236	return krb5_get_credentials_with_flags(context, options, flags,
1237	ccache, in_creds, out_creds);
1238	}
1239
1240	struct krb5_get_creds_opt_data {
1241	krb5_principal self;
1242	krb5_flags options;
1243	krb5_enctype enctype;
1244	Ticket *ticket;
1245	};
1246
1247
1248	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1249	krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt)
1250	{
1251	opt = calloc(1, sizeof(*opt));
1252	if (*opt == NULL) {
1253	krb5_set_error_message(context, ENOMEM,
1254	N_("malloc: out of memory", ""));
1255	return ENOMEM;
1256	}
1257	return 0;
1258	}
1259
1260	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1261	krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt)
1262	{
1263	if (opt->self)
1264	krb5_free_principal(context, opt->self);
1265	if (opt->ticket) {
1266	free_Ticket(opt->ticket);
1267	free(opt->ticket);
1268	}
1269	memset(opt, 0, sizeof(*opt));
1270	free(opt);
1271	}
1272
1273	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1274	krb5_get_creds_opt_set_options(krb5_context context,
1275	krb5_get_creds_opt opt,
1276	krb5_flags options)
1277	{
1278	opt->options = options;
1279	}
1280
1281	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1282	krb5_get_creds_opt_add_options(krb5_context context,
1283	krb5_get_creds_opt opt,
1284	krb5_flags options)
1285	{
1286	opt->options \|= options;
1287	}
1288
1289	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1290	krb5_get_creds_opt_set_enctype(krb5_context context,
1291	krb5_get_creds_opt opt,
1292	krb5_enctype enctype)
1293	{
1294	opt->enctype = enctype;
1295	}
1296
1297	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1298	krb5_get_creds_opt_set_impersonate(krb5_context context,
1299	krb5_get_creds_opt opt,
1300	krb5_const_principal self)
1301	{
1302	if (opt->self)
1303	krb5_free_principal(context, opt->self);
1304	return krb5_copy_principal(context, self, &opt->self);
1305	}
1306
1307	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1308	krb5_get_creds_opt_set_ticket(krb5_context context,
1309	krb5_get_creds_opt opt,
1310	const Ticket *ticket)
1311	{
1312	if (opt->ticket) {
1313	free_Ticket(opt->ticket);
1314	free(opt->ticket);
1315	opt->ticket = NULL;
1316	}
1317	if (ticket) {
1318	krb5_error_code ret;
1319
1320	opt->ticket = malloc(sizeof(*ticket));
1321	if (opt->ticket == NULL) {
1322	krb5_set_error_message(context, ENOMEM,
1323	N_("malloc: out of memory", ""));
1324	return ENOMEM;
1325	}
1326	ret = copy_Ticket(ticket, opt->ticket);
1327	if (ret) {
1328	free(opt->ticket);
1329	opt->ticket = NULL;
1330	krb5_set_error_message(context, ret,
1331	N_("malloc: out of memory", ""));
1332	return ret;
1333	}
1334	}
1335	return 0;
1336	}
1337
1338
1339
1340	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1341	krb5_get_creds(krb5_context context,
1342	krb5_get_creds_opt opt,
1343	krb5_ccache ccache,
1344	krb5_const_principal inprinc,
1345	krb5_creds **out_creds)
1346	{
1347	krb5_kdc_flags flags;
1348	krb5_flags options;
1349	krb5_creds in_creds;
1350	krb5_error_code ret;
1351	krb5_creds **tgts;
1352	krb5_creds *res_creds;
1353	int i;
1354
1355	if (opt && opt->enctype) {
1356	ret = krb5_enctype_valid(context, opt->enctype);
1357	if (ret)
1358	return ret;
1359	}
1360
1361	memset(&in_creds, 0, sizeof(in_creds));
1362	in_creds.server = rk_UNCONST(inprinc);
1363
1364	ret = krb5_cc_get_principal(context, ccache, &in_creds.client);
1365	if (ret)
1366	return ret;
1367
1368	if (opt)
1369	options = opt->options;
1370	else
1371	options = 0;
1372	flags.i = 0;
1373
1374	*out_creds = NULL;
1375	res_creds = calloc(1, sizeof(*res_creds));
1376	if (res_creds == NULL) {
1377	krb5_free_principal(context, in_creds.client);
1378	krb5_set_error_message(context, ENOMEM,
1379	N_("malloc: out of memory", ""));
1380	return ENOMEM;
1381	}
1382
1383	if (opt && opt->enctype) {
1384	in_creds.session.keytype = opt->enctype;
1385	options \|= KRB5_TC_MATCH_KEYTYPE;
1386	}
1387
1388	/*
1389	* If we got a credential, check if credential is expired before
1390	* returning it.
1391	*/
1392	ret = krb5_cc_retrieve_cred(context,
1393	ccache,
1394	options & KRB5_TC_MATCH_KEYTYPE,
1395	&in_creds, res_creds);
1396	/*
1397	* If we got a credential, check if credential is expired before
1398	* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
1399	*/
1400	if (ret == 0) {
1401	krb5_timestamp timeret;
1402
1403	/* If expired ok, don't bother checking */
1404	if(options & KRB5_GC_EXPIRED_OK) {
1405	*out_creds = res_creds;
1406	krb5_free_principal(context, in_creds.client);
1407	goto out;
1408	}
1409
1410	krb5_timeofday(context, &timeret);
1411	if(res_creds->times.endtime > timeret) {
1412	*out_creds = res_creds;
1413	krb5_free_principal(context, in_creds.client);
1414	goto out;
1415	}
1416	if(options & KRB5_GC_CACHED)
1417	krb5_cc_remove_cred(context, ccache, 0, res_creds);
1418
1419	} else if(ret != KRB5_CC_END) {
1420	free(res_creds);
1421	krb5_free_principal(context, in_creds.client);
1422	goto out;
1423	}
1424	free(res_creds);
1425	if(options & KRB5_GC_CACHED) {
1426	krb5_free_principal(context, in_creds.client);
1427	ret = not_found(context, in_creds.server, KRB5_CC_NOTFOUND);
1428	goto out;
1429	}
1430	if(options & KRB5_GC_USER_USER) {
1431	flags.b.enc_tkt_in_skey = 1;
1432	options \|= KRB5_GC_NO_STORE;
1433	}
1434	if (options & KRB5_GC_FORWARDABLE)
1435	flags.b.forwardable = 1;
1436	if (options & KRB5_GC_NO_TRANSIT_CHECK)
1437	flags.b.disable_transited_check = 1;
1438	if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
1439	flags.b.request_anonymous = 1; /* XXX ARGH confusion */
1440	flags.b.constrained_delegation = 1;
1441	}
1442	if (options & KRB5_GC_CANONICALIZE)
1443	flags.b.canonicalize = 1;
1444
1445	tgts = NULL;
1446	ret = _krb5_get_cred_kdc_any(context, flags, ccache,
1447	&in_creds, opt->self, opt->ticket,
1448	out_creds, &tgts);
1449	krb5_free_principal(context, in_creds.client);
1450	for(i = 0; tgts && tgts[i]; i++) {
1451	krb5_cc_store_cred(context, ccache, tgts[i]);
1452	krb5_free_creds(context, tgts[i]);
1453	}
1454	free(tgts);
1455	if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
1456	krb5_cc_store_cred(context, ccache, *out_creds);
1457
1458	out:
1459	_krb5_debug(context, 5, "krb5_get_creds: ret = %d", ret);
1460
1461	return ret;
1462	}
1463
1464	/*
1465	*
1466	*/
1467
1468	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1469	krb5_get_renewed_creds(krb5_context context,
1470	krb5_creds *creds,
1471	krb5_const_principal client,
1472	krb5_ccache ccache,
1473	const char *in_tkt_service)
1474	{
1475	krb5_error_code ret;
1476	krb5_kdc_flags flags;
1477	krb5_creds in, template, out = NULL;
1478
1479	memset(&in, 0, sizeof(in));
1480	memset(creds, 0, sizeof(*creds));
1481
1482	ret = krb5_copy_principal(context, client, &in.client);
1483	if (ret)
1484	return ret;
1485
1486	if (in_tkt_service) {
1487	ret = krb5_parse_name(context, in_tkt_service, &in.server);
1488	if (ret) {
1489	krb5_free_principal(context, in.client);
1490	return ret;
1491	}
1492	} else {
1493	const char *realm = krb5_principal_get_realm(context, client);
1494
1495	ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
1496	realm, NULL);
1497	if (ret) {
1498	krb5_free_principal(context, in.client);
1499	return ret;
1500	}
1501	}
1502
1503	flags.i = 0;
1504	flags.b.renewable = flags.b.renew = 1;
1505
1506	/*
1507	* Get template from old credential cache for the same entry, if
1508	* this failes, no worries.
1509	*/
1510	ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, &in, &template);
1511	if (ret == 0) {
1512	flags.b.forwardable = template->flags.b.forwardable;
1513	flags.b.proxiable = template->flags.b.proxiable;
1514	krb5_free_creds (context, template);
1515	}
1516
1517	ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
1518	krb5_free_principal(context, in.client);
1519	krb5_free_principal(context, in.server);
1520	if (ret)
1521	return ret;
1522
1523	ret = krb5_copy_creds_contents(context, out, creds);
1524	krb5_free_creds(context, out);
1525
1526	return ret;
1527	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: heimdal/trunk/lib/krb5/get_cred.c

Download in other formats: