root/source4/heimdal/lib/krb5/get_cred.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. make_pa_tgs_req
  2. set_auth_data
  3. init_tgs_req
  4. _krb5_get_krbtgt
  5. decrypt_tkt_with_subkey
  6. get_cred_kdc
  7. get_cred_kdc_address
  8. krb5_get_kdc_cred
  9. not_found
  10. find_cred
  11. add_cred
  12. get_cred_kdc_capath
  13. get_cred_kdc_referral
  14. get_cred_kdc_any
  15. krb5_get_cred_from_kdc_opt
  16. krb5_get_cred_from_kdc
  17. krb5_get_credentials_with_flags
  18. krb5_get_credentials
  19. krb5_get_creds_opt_alloc
  20. krb5_get_creds_opt_free
  21. krb5_get_creds_opt_set_options
  22. krb5_get_creds_opt_add_options
  23. krb5_get_creds_opt_set_enctype
  24. krb5_get_creds_opt_set_impersonate
  25. krb5_get_creds_opt_set_ticket
  26. krb5_get_creds
  27. krb5_get_renewed_creds

   1 /*
   2  * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33 
  34 #include <krb5_locl.h>
  35 
  36 RCSID("$Id$");
  37 
  38 /*
  39  * Take the `body' and encode it into `padata' using the credentials
  40  * in `creds'.
  41  */
  42 
  43 static krb5_error_code
  44 make_pa_tgs_req(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  45                 krb5_auth_context ac,
  46                 KDC_REQ_BODY *body,
  47                 PA_DATA *padata,
  48                 krb5_creds *creds)
  49 {
  50     u_char *buf;
  51     size_t buf_size;
  52     size_t len;
  53     krb5_data in_data;
  54     krb5_error_code ret;
  55 
  56     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
  57     if (ret)
  58         goto out;
  59     if(buf_size != len)
  60         krb5_abortx(context, "internal error in ASN.1 encoder");
  61 
  62     in_data.length = len;
  63     in_data.data   = buf;
  64     ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
  65                                 &padata->padata_value,
  66                                 KRB5_KU_TGS_REQ_AUTH_CKSUM,
  67                                 KRB5_KU_TGS_REQ_AUTH);
  68  out:
  69     free (buf);
  70     if(ret)
  71         return ret;
  72     padata->padata_type = KRB5_PADATA_TGS_REQ;
  73     return 0;
  74 }
  75 
  76 /*
  77  * Set the `enc-authorization-data' in `req_body' based on `authdata'
  78  */
  79 
  80 static krb5_error_code
  81 set_auth_data (krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  82                KDC_REQ_BODY *req_body,
  83                krb5_authdata *authdata,
  84                krb5_keyblock *key)
  85 {
  86     if(authdata->len) {
  87         size_t len, buf_size;
  88         unsigned char *buf;
  89         krb5_crypto crypto;
  90         krb5_error_code ret;
  91 
  92         ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata,
  93                            &len, ret);
  94         if (ret)
  95             return ret;
  96         if (buf_size != len)
  97             krb5_abortx(context, "internal error in ASN.1 encoder");
  98 
  99         ALLOC(req_body->enc_authorization_data, 1);
 100         if (req_body->enc_authorization_data == NULL) {
 101             free (buf);
 102             krb5_set_error_message(context, ENOMEM,
 103                                    N_("malloc: out of memory", ""));
 104             return ENOMEM;
 105         }
 106         ret = krb5_crypto_init(context, key, 0, &crypto);
 107         if (ret) {
 108             free (buf);
 109             free (req_body->enc_authorization_data);
 110             req_body->enc_authorization_data = NULL;
 111             return ret;
 112         }
 113         krb5_encrypt_EncryptedData(context,
 114                                    crypto,
 115                                    KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
 116                                    /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */
 117                                    buf,
 118                                    len,
 119                                    0,
 120                                    req_body->enc_authorization_data);
 121         free (buf);
 122         krb5_crypto_destroy(context, crypto);
 123     } else {
 124         req_body->enc_authorization_data = NULL;
 125     }
 126     return 0;
 127 }
 128 
 129 /*
 130  * Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
 131  * (if not-NULL), `in_creds', `krbtgt', and returning the generated
 132  * subkey in `subkey'.
 133  */
 134 
 135 static krb5_error_code
 136 init_tgs_req (krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 137               krb5_ccache ccache,
 138               krb5_addresses *addresses,
 139               krb5_kdc_flags flags,
 140               Ticket *second_ticket,
 141               krb5_creds *in_creds,
 142               krb5_creds *krbtgt,
 143               unsigned nonce,
 144               const METHOD_DATA *padata,
 145               krb5_keyblock **subkey,
 146               TGS_REQ *t)
 147 {
 148     krb5_error_code ret = 0;
 149 
 150     memset(t, 0, sizeof(*t));
 151     t->pvno = 5;
 152     t->msg_type = krb_tgs_req;
 153     if (in_creds->session.keytype) {
 154         ALLOC_SEQ(&t->req_body.etype, 1);
 155         if(t->req_body.etype.val == NULL) {
 156             ret = ENOMEM;
 157             krb5_set_error_message(context, ret,
 158                                    N_("malloc: out of memory", ""));
 159             goto fail;
 160         }
 161         t->req_body.etype.val[0] = in_creds->session.keytype;
 162     } else {
 163         ret = krb5_init_etype(context,
 164                               &t->req_body.etype.len,
 165                               &t->req_body.etype.val,
 166                               NULL);
 167     }
 168     if (ret)
 169         goto fail;
 170     t->req_body.addresses = addresses;
 171     t->req_body.kdc_options = flags.b;
 172     ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
 173     if (ret)
 174         goto fail;
 175     ALLOC(t->req_body.sname, 1);
 176     if (t->req_body.sname == NULL) {
 177         ret = ENOMEM;
 178         krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
 179         goto fail;
 180     }
 181 
 182     /* some versions of some code might require that the client be
 183        present in TGS-REQs, but this is clearly against the spec */
 184 
 185     ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
 186     if (ret)
 187         goto fail;
 188 
 189     /* req_body.till should be NULL if there is no endtime specified,
 190        but old MIT code (like DCE secd) doesn't like that */
 191     ALLOC(t->req_body.till, 1);
 192     if(t->req_body.till == NULL){
 193         ret = ENOMEM;
 194         krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
 195         goto fail;
 196     }
 197     *t->req_body.till = in_creds->times.endtime;
 198 
 199     t->req_body.nonce = nonce;
 200     if(second_ticket){
 201         ALLOC(t->req_body.additional_tickets, 1);
 202         if (t->req_body.additional_tickets == NULL) {
 203             ret = ENOMEM;
 204             krb5_set_error_message(context, ret,
 205                                    N_("malloc: out of memory", ""));
 206             goto fail;
 207         }
 208         ALLOC_SEQ(t->req_body.additional_tickets, 1);
 209         if (t->req_body.additional_tickets->val == NULL) {
 210             ret = ENOMEM;
 211             krb5_set_error_message(context, ret,
 212                                    N_("malloc: out of memory", ""));
 213             goto fail;
 214         }
 215         ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
 216         if (ret)
 217             goto fail;
 218     }
 219     ALLOC(t->padata, 1);
 220     if (t->padata == NULL) {
 221         ret = ENOMEM;
 222         krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
 223         goto fail;
 224     }
 225     ALLOC_SEQ(t->padata, 1 + padata->len);
 226     if (t->padata->val == NULL) {
 227         ret = ENOMEM;
 228         krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
 229         goto fail;
 230     }
 231     {
 232         int i;
 233         for (i = 0; i < padata->len; i++) {
 234             ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
 235             if (ret) {
 236                 krb5_set_error_message(context, ret,
 237                                        N_("malloc: out of memory", ""));
 238                 goto fail;
 239             }
 240         }
 241     }
 242 
 243     {
 244         krb5_auth_context ac;
 245         krb5_keyblock *key = NULL;
 246 
 247         ret = krb5_auth_con_init(context, &ac);
 248         if(ret)
 249             goto fail;
 250 
 251         if (krb5_config_get_bool_default(context, NULL, FALSE,
 252                                          "realms",
 253                                          krbtgt->server->realm,
 254                                          "tgs_require_subkey",
 255                                          NULL))
 256         {
 257             ret = krb5_generate_subkey (context, &krbtgt->session, &key);
 258             if (ret) {
 259                 krb5_auth_con_free (context, ac);
 260                 goto fail;
 261             }
 262 
 263             ret = krb5_auth_con_setlocalsubkey(context, ac, key);
 264             if (ret) {
 265                 if (key)
 266                     krb5_free_keyblock (context, key);
 267                 krb5_auth_con_free (context, ac);
 268                 goto fail;
 269             }
 270         }
 271 
 272         ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
 273                              key ? key : &krbtgt->session);
 274         if (ret) {
 275             if (key)
 276                 krb5_free_keyblock (context, key);
 277             krb5_auth_con_free (context, ac);
 278             goto fail;
 279         }
 280 
 281         ret = make_pa_tgs_req(context,
 282                               ac,
 283                               &t->req_body,
 284                               &t->padata->val[0],
 285                               krbtgt);
 286         if(ret) {
 287             if (key)
 288                 krb5_free_keyblock (context, key);
 289             krb5_auth_con_free(context, ac);
 290             goto fail;
 291         }
 292         *subkey = key;
 293         
 294         krb5_auth_con_free(context, ac);
 295     }
 296 fail:
 297     if (ret) {
 298         t->req_body.addresses = NULL;
 299         free_TGS_REQ (t);
 300     }
 301     return ret;
 302 }
 303 
 304 krb5_error_code
 305 _krb5_get_krbtgt(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 306                  krb5_ccache  id,
 307                  krb5_realm realm,
 308                  krb5_creds **cred)
 309 {
 310     krb5_error_code ret;
 311     krb5_creds tmp_cred;
 312 
 313     memset(&tmp_cred, 0, sizeof(tmp_cred));
 314 
 315     ret = krb5_cc_get_principal(context, id, &tmp_cred.client);
 316     if (ret)
 317         return ret;
 318 
 319     ret = krb5_make_principal(context,
 320                               &tmp_cred.server,
 321                               realm,
 322                               KRB5_TGS_NAME,
 323                               realm,
 324                               NULL);
 325     if(ret) {
 326         krb5_free_principal(context, tmp_cred.client);
 327         return ret;
 328     }
 329     ret = krb5_get_credentials(context,
 330                                KRB5_GC_CACHED,
 331                                id,
 332                                &tmp_cred,
 333                                cred);
 334     krb5_free_principal(context, tmp_cred.client);
 335     krb5_free_principal(context, tmp_cred.server);
 336     if(ret)
 337         return ret;
 338     return 0;
 339 }
 340 
 341 /* DCE compatible decrypt proc */
 342 static krb5_error_code
 343 decrypt_tkt_with_subkey (krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 344                          krb5_keyblock *key,
 345                          krb5_key_usage usage,
 346                          krb5_const_pointer subkey,
 347                          krb5_kdc_rep *dec_rep)
 348 {
 349     krb5_error_code ret;
 350     krb5_data data;
 351     size_t size;
 352     krb5_crypto crypto;
 353 
 354     ret = krb5_crypto_init(context, key, 0, &crypto);
 355     if (ret)
 356         return ret;
 357     ret = krb5_decrypt_EncryptedData (context,
 358                                       crypto,
 359                                       usage,
 360                                       &dec_rep->kdc_rep.enc_part,
 361                                       &data);
 362     krb5_crypto_destroy(context, crypto);
 363     if(ret && subkey){
 364         /* DCE compat -- try to decrypt with subkey */
 365         ret = krb5_crypto_init(context, subkey, 0, &crypto);
 366         if (ret)
 367             return ret;
 368         ret = krb5_decrypt_EncryptedData (context,
 369                                           crypto,
 370                                           KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
 371                                           &dec_rep->kdc_rep.enc_part,
 372                                           &data);
 373         krb5_crypto_destroy(context, crypto);
 374     }
 375     if (ret)
 376         return ret;
 377 
 378     ret = krb5_decode_EncASRepPart(context,
 379                                    data.data,
 380                                    data.length,
 381                                    &dec_rep->enc_part,
 382                                    &size);
 383     if (ret)
 384         ret = krb5_decode_EncTGSRepPart(context,
 385                                         data.data,
 386                                         data.length,
 387                                         &dec_rep->enc_part,
 388                                         &size);
 389     krb5_data_free (&data);
 390     return ret;
 391 }
 392 
 393 static krb5_error_code
 394 get_cred_kdc(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 395              krb5_ccache id,
 396              krb5_kdc_flags flags,
 397              krb5_addresses *addresses,
 398              krb5_creds *in_creds,
 399              krb5_creds *krbtgt,
 400              krb5_principal impersonate_principal,
 401              Ticket *second_ticket,
 402              krb5_creds *out_creds)
 403 {
 404     TGS_REQ req;
 405     krb5_data enc;
 406     krb5_data resp;
 407     krb5_kdc_rep rep;
 408     KRB_ERROR error;
 409     krb5_error_code ret;
 410     unsigned nonce;
 411     krb5_keyblock *subkey = NULL;
 412     size_t len;
 413     Ticket second_ticket_data;
 414     METHOD_DATA padata;
 415 
 416     krb5_data_zero(&resp);
 417     krb5_data_zero(&enc);
 418     padata.val = NULL;
 419     padata.len = 0;
 420 
 421     krb5_generate_random_block(&nonce, sizeof(nonce));
 422     nonce &= 0xffffffff;
 423 
 424     if(flags.b.enc_tkt_in_skey && second_ticket == NULL){
 425         ret = decode_Ticket(in_creds->second_ticket.data,
 426                             in_creds->second_ticket.length,
 427                             &second_ticket_data, &len);
 428         if(ret)
 429             return ret;
 430         second_ticket = &second_ticket_data;
 431     }
 432 
 433 
 434     if (impersonate_principal) {
 435         krb5_crypto crypto;
 436         PA_S4U2Self self;
 437         krb5_data data;
 438         void *buf;
 439         size_t size;
 440 
 441         self.name = impersonate_principal->name;
 442         self.realm = impersonate_principal->realm;
 443         self.auth = estrdup("Kerberos");
 444         
 445         ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
 446         if (ret) {
 447             free(self.auth);
 448             goto out;
 449         }
 450 
 451         ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
 452         if (ret) {
 453             free(self.auth);
 454             krb5_data_free(&data);
 455             goto out;
 456         }
 457 
 458         ret = krb5_create_checksum(context,
 459                                    crypto,
 460                                    KRB5_KU_OTHER_CKSUM,
 461                                    0,
 462                                    data.data,
 463                                    data.length,
 464                                    &self.cksum);
 465         krb5_crypto_destroy(context, crypto);
 466         krb5_data_free(&data);
 467         if (ret) {
 468             free(self.auth);
 469             goto out;
 470         }
 471 
 472         ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
 473         free(self.auth);
 474         free_Checksum(&self.cksum);
 475         if (ret)
 476             goto out;
 477         if (len != size)
 478             krb5_abortx(context, "internal asn1 error");
 479         
 480         ret = krb5_padata_add(context, &padata, KRB5_PADATA_S4U2SELF, buf, len);
 481         if (ret)
 482             goto out;
 483     }
 484 
 485     ret = init_tgs_req (context,
 486                         id,
 487                         addresses,
 488                         flags,
 489                         second_ticket,
 490                         in_creds,
 491                         krbtgt,
 492                         nonce,
 493                         &padata,
 494                         &subkey,
 495                         &req);
 496     if (ret)
 497         goto out;
 498 
 499     ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret);
 500     if (ret)
 501         goto out;
 502     if(enc.length != len)
 503         krb5_abortx(context, "internal error in ASN.1 encoder");
 504 
 505     /* don't free addresses */
 506     req.req_body.addresses = NULL;
 507     free_TGS_REQ(&req);
 508 
 509     /*
 510      * Send and receive
 511      */
 512     {
 513         krb5_sendto_ctx stctx;
 514         ret = krb5_sendto_ctx_alloc(context, &stctx);
 515         if (ret)
 516             return ret;
 517         krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
 518 
 519         ret = krb5_sendto_context (context, stctx, &enc,
 520                                    krbtgt->server->name.name_string.val[1],
 521                                    &resp);
 522         krb5_sendto_ctx_free(context, stctx);
 523     }
 524     if(ret)
 525         goto out;
 526 
 527     memset(&rep, 0, sizeof(rep));
 528     if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
 529         unsigned eflags = 0;
 530 
 531         ret = krb5_copy_principal(context,
 532                                   in_creds->client,
 533                                   &out_creds->client);
 534         if(ret)
 535             goto out2;
 536         ret = krb5_copy_principal(context,
 537                                   in_creds->server,
 538                                   &out_creds->server);
 539         if(ret)
 540             goto out2;
 541         /* this should go someplace else */
 542         out_creds->times.endtime = in_creds->times.endtime;
 543 
 544         /* XXX should do better testing */
 545         if (flags.b.constrained_delegation || impersonate_principal)
 546             eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
 547 
 548         ret = _krb5_extract_ticket(context,
 549                                    &rep,
 550                                    out_creds,
 551                                    &krbtgt->session,
 552                                    NULL,
 553                                    KRB5_KU_TGS_REP_ENC_PART_SESSION,
 554                                    &krbtgt->addresses,
 555                                    nonce,
 556                                    eflags,
 557                                    decrypt_tkt_with_subkey,
 558                                    subkey);
 559     out2:
 560         krb5_free_kdc_rep(context, &rep);
 561     } else if(krb5_rd_error(context, &resp, &error) == 0) {
 562         ret = krb5_error_from_rd_error(context, &error, in_creds);
 563         krb5_free_error_contents(context, &error);
 564     } else if(resp.data && ((char*)resp.data)[0] == 4) {
 565         ret = KRB5KRB_AP_ERR_V4_REPLY;
 566         krb5_clear_error_message(context);
 567     } else {
 568         ret = KRB5KRB_AP_ERR_MSG_TYPE;
 569         krb5_clear_error_message(context);
 570     }
 571 
 572 out:
 573     if (second_ticket == &second_ticket_data)
 574         free_Ticket(&second_ticket_data);
 575     free_METHOD_DATA(&padata);
 576     krb5_data_free(&resp);
 577     krb5_data_free(&enc);
 578     if(subkey){
 579         krb5_free_keyblock_contents(context, subkey);
 580         free(subkey);
 581     }
 582     return ret;
 583 
 584 }
 585 
 586 /*
 587  * same as above, just get local addresses first if the krbtgt have
 588  * them and the realm is not addressless
 589  */
 590 
 591 static krb5_error_code
 592 get_cred_kdc_address(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 593                      krb5_ccache id,
 594                      krb5_kdc_flags flags,
 595                      krb5_addresses *addrs,
 596                      krb5_creds *in_creds,
 597                      krb5_creds *krbtgt,
 598                      krb5_principal impersonate_principal,
 599                      Ticket *second_ticket,
 600                      krb5_creds *out_creds)
 601 {
 602     krb5_error_code ret;
 603     krb5_addresses addresses = { 0, NULL };
 604 
 605     /*
 606      * Inherit the address-ness of the krbtgt if the address is not
 607      * specified.
 608      */
 609 
 610     if (addrs == NULL && krbtgt->addresses.len != 0) {
 611         krb5_boolean noaddr;
 612 
 613         krb5_appdefault_boolean(context, NULL, krbtgt->server->realm,
 614                                 "no-addresses", FALSE, &noaddr);
 615         
 616         if (!noaddr) {
 617             krb5_get_all_client_addrs(context, &addresses);
 618             /* XXX this sucks. */
 619             addrs = &addresses;
 620             if(addresses.len == 0)
 621                 addrs = NULL;
 622         }
 623     }
 624     ret = get_cred_kdc(context, id, flags, addrs, in_creds,
 625                        krbtgt, impersonate_principal,
 626                        second_ticket, out_creds);
 627     krb5_free_addresses(context, &addresses);
 628     return ret;
 629 }
 630 
 631 krb5_error_code KRB5_LIB_FUNCTION
 632 krb5_get_kdc_cred(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 633                   krb5_ccache id,
 634                   krb5_kdc_flags flags,
 635                   krb5_addresses *addresses,
 636                   Ticket  *second_ticket,
 637                   krb5_creds *in_creds,
 638                   krb5_creds **out_creds
 639                   )
 640 {
 641     krb5_error_code ret;
 642     krb5_creds *krbtgt;
 643 
 644     *out_creds = calloc(1, sizeof(**out_creds));
 645     if(*out_creds == NULL) {
 646         krb5_set_error_message(context, ENOMEM,
 647                                N_("malloc: out of memory", ""));
 648         return ENOMEM;
 649     }
 650     ret = _krb5_get_krbtgt (context,
 651                             id,
 652                             in_creds->server->realm,
 653                             &krbtgt);
 654     if(ret) {
 655         free(*out_creds);
 656         return ret;
 657     }
 658     ret = get_cred_kdc(context, id, flags, addresses,
 659                        in_creds, krbtgt, NULL, NULL, *out_creds);
 660     krb5_free_creds (context, krbtgt);
 661     if(ret)
 662         free(*out_creds);
 663     return ret;
 664 }
 665 
 666 static int
 667 not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
     /* [<][>][^][v][top][bottom][index][help] */
 668 {
 669     krb5_error_code ret;
 670     char *str;
 671 
 672     ret = krb5_unparse_name(context, p, &str);
 673     if(ret) {
 674         krb5_clear_error_message(context);
 675         return code;
 676     }
 677     krb5_set_error_message(context, code,
 678                            N_("Matching credential (%s) not found", ""), str);
 679     free(str);
 680     return code;
 681 }
 682 
 683 static krb5_error_code
 684 find_cred(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 685           krb5_ccache id,
 686           krb5_principal server,
 687           krb5_creds **tgts,
 688           krb5_creds *out_creds)
 689 {
 690     krb5_error_code ret;
 691     krb5_creds mcreds;
 692 
 693     krb5_cc_clear_mcred(&mcreds);
 694     mcreds.server = server;
 695     ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
 696                                 &mcreds, out_creds);
 697     if(ret == 0)
 698         return 0;
 699     while(tgts && *tgts){
 700         if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM,
 701                               &mcreds, *tgts)){
 702             ret = krb5_copy_creds_contents(context, *tgts, out_creds);
 703             return ret;
 704         }
 705         tgts++;
 706     }
 707     return not_found(context, server, KRB5_CC_NOTFOUND);
 708 }
 709 
 710 static krb5_error_code
 711 add_cred(krb5_context context, krb5_creds const *tkt, krb5_creds ***tgts)
     /* [<][>][^][v][top][bottom][index][help] */
 712 {
 713     int i;
 714     krb5_error_code ret;
 715     krb5_creds **tmp = *tgts;
 716 
 717     for(i = 0; tmp && tmp[i]; i++); /* XXX */
 718     tmp = realloc(tmp, (i+2)*sizeof(*tmp));
 719     if(tmp == NULL) {
 720         krb5_set_error_message(context, ENOMEM,
 721                                N_("malloc: out of memory", ""));
 722         return ENOMEM;
 723     }
 724     *tgts = tmp;
 725     ret = krb5_copy_creds(context, tkt, &tmp[i]);
 726     tmp[i+1] = NULL;
 727     return ret;
 728 }
 729 
 730 /*
 731 get_cred(server)
 732         creds = cc_get_cred(server)
 733         if(creds) return creds
 734         tgt = cc_get_cred(krbtgt/server_realm@any_realm)
 735         if(tgt)
 736                 return get_cred_tgt(server, tgt)
 737         if(client_realm == server_realm)
 738                 return NULL
 739         tgt = get_cred(krbtgt/server_realm@client_realm)
 740         while(tgt_inst != server_realm)
 741                 tgt = get_cred(krbtgt/server_realm@tgt_inst)
 742         return get_cred_tgt(server, tgt)
 743         */
 744 
 745 static krb5_error_code
 746 get_cred_kdc_capath(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 747                     krb5_kdc_flags flags,
 748                     krb5_ccache ccache,
 749                     krb5_creds *in_creds,
 750                     krb5_principal impersonate_principal,
 751                     Ticket *second_ticket,                      
 752                     krb5_creds **out_creds,
 753                     krb5_creds ***ret_tgts)
 754 {
 755     krb5_error_code ret;
 756     krb5_creds *tgt, tmp_creds;
 757     krb5_const_realm client_realm, server_realm, try_realm;
 758     int ok_as_delegate = 1;
 759 
 760     *out_creds = NULL;
 761 
 762     client_realm = krb5_principal_get_realm(context, in_creds->client);
 763     server_realm = krb5_principal_get_realm(context, in_creds->server);
 764     memset(&tmp_creds, 0, sizeof(tmp_creds));
 765     ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
 766     if(ret)
 767         return ret;
 768 
 769     try_realm = krb5_config_get_string(context, NULL, "capaths",
 770                                        client_realm, server_realm, NULL);
 771     if (try_realm == NULL)
 772         try_realm = client_realm;
 773 
 774     ret = krb5_make_principal(context,
 775                               &tmp_creds.server,
 776                               try_realm,
 777                               KRB5_TGS_NAME,
 778                               server_realm,
 779                               NULL);
 780     if(ret){
 781         krb5_free_principal(context, tmp_creds.client);
 782         return ret;
 783     }
 784     {
 785         krb5_creds tgts;
 786 
 787         ret = find_cred(context, ccache, tmp_creds.server,
 788                         *ret_tgts, &tgts);
 789         if(ret == 0){
 790             if (try_realm != client_realm)
 791                 ok_as_delegate = tgts.flags.b.ok_as_delegate;
 792 
 793             *out_creds = calloc(1, sizeof(**out_creds));
 794             if(*out_creds == NULL) {
 795                 ret = ENOMEM;
 796                 krb5_set_error_message(context, ret,
 797                                        N_("malloc: out of memory", ""));
 798             } else {
 799                 ret = get_cred_kdc_address(context, ccache, flags, NULL,
 800                                            in_creds, &tgts,
 801                                            impersonate_principal,
 802                                            second_ticket,
 803                                            *out_creds);
 804                 if (ret) {
 805                     free (*out_creds);
 806                     *out_creds = NULL;
 807                 } else if (ok_as_delegate == 0)
 808                     (*out_creds)->flags.b.ok_as_delegate = 0;
 809             }
 810             krb5_free_cred_contents(context, &tgts);
 811             krb5_free_principal(context, tmp_creds.server);
 812             krb5_free_principal(context, tmp_creds.client);
 813             return ret;
 814         }
 815     }
 816     if(krb5_realm_compare(context, in_creds->client, in_creds->server))
 817         return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
 818 
 819     /* XXX this can loop forever */
 820     while(1){
 821         heim_general_string tgt_inst;
 822 
 823         ret = get_cred_kdc_capath(context, flags, ccache, &tmp_creds,
 824                                   NULL, NULL, &tgt, ret_tgts);
 825         if(ret) {
 826             krb5_free_principal(context, tmp_creds.server);
 827             krb5_free_principal(context, tmp_creds.client);
 828             return ret;
 829         }
 830         /* 
 831          * if either of the chain or the ok_as_delegate was stripped
 832          * by the kdc, make sure we strip it too.
 833          */
 834         if (ok_as_delegate == 0 || tgt->flags.b.ok_as_delegate == 0) {
 835             ok_as_delegate = 0;
 836             tgt->flags.b.ok_as_delegate = 0;
 837         }
 838 
 839         ret = add_cred(context, tgt, ret_tgts);
 840         if(ret) {
 841             krb5_free_principal(context, tmp_creds.server);
 842             krb5_free_principal(context, tmp_creds.client);
 843             return ret;
 844         }
 845         tgt_inst = tgt->server->name.name_string.val[1];
 846         if(strcmp(tgt_inst, server_realm) == 0)
 847             break;
 848         krb5_free_principal(context, tmp_creds.server);
 849         ret = krb5_make_principal(context, &tmp_creds.server,
 850                                   tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
 851         if(ret) {
 852             krb5_free_principal(context, tmp_creds.server);
 853             krb5_free_principal(context, tmp_creds.client);
 854             return ret;
 855         }
 856         ret = krb5_free_creds(context, tgt);
 857         if(ret) {
 858             krb5_free_principal(context, tmp_creds.server);
 859             krb5_free_principal(context, tmp_creds.client);
 860             return ret;
 861         }
 862     }
 863         
 864     krb5_free_principal(context, tmp_creds.server);
 865     krb5_free_principal(context, tmp_creds.client);
 866     *out_creds = calloc(1, sizeof(**out_creds));
 867     if(*out_creds == NULL) {
 868         ret = ENOMEM;
 869         krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
 870     } else {
 871         ret = get_cred_kdc_address (context, ccache, flags, NULL,
 872                                     in_creds, tgt, impersonate_principal,
 873                                     second_ticket, *out_creds);
 874         if (ret) {
 875             free (*out_creds);
 876             *out_creds = NULL;
 877         }
 878     }
 879     krb5_free_creds(context, tgt);
 880     return ret;
 881 }
 882 
 883 static krb5_error_code
 884 get_cred_kdc_referral(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 885                       krb5_kdc_flags flags,
 886                       krb5_ccache ccache,
 887                       krb5_creds *in_creds,
 888                       krb5_principal impersonate_principal,
 889                       Ticket *second_ticket,                    
 890                       krb5_creds **out_creds,
 891                       krb5_creds ***ret_tgts)
 892 {
 893     krb5_const_realm client_realm;
 894     krb5_error_code ret;
 895     krb5_creds tgt, referral, ticket;
 896     int loop = 0;
 897     int ok_as_delegate = 1;
 898 
 899     memset(&tgt, 0, sizeof(tgt));
 900     memset(&ticket, 0, sizeof(ticket));
 901 
 902     flags.b.canonicalize = 1;
 903 
 904     *out_creds = NULL;
 905 
 906     client_realm = krb5_principal_get_realm(context, in_creds->client);
 907 
 908     /* find tgt for the clients base realm */
 909     {
 910         krb5_principal tgtname;
 911         
 912         ret = krb5_make_principal(context, &tgtname,
 913                                   client_realm,
 914                                   KRB5_TGS_NAME,
 915                                   client_realm,
 916                                   NULL);
 917         if(ret)
 918             return ret;
 919         
 920         ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt);
 921         krb5_free_principal(context, tgtname);
 922         if (ret)
 923             return ret;
 924     }
 925 
 926     referral = *in_creds;
 927     ret = krb5_copy_principal(context, in_creds->server, &referral.server);
 928     if (ret) {
 929         krb5_free_cred_contents(context, &tgt);
 930         return ret;
 931     }
 932     ret = krb5_principal_set_realm(context, referral.server, client_realm);
 933     if (ret) {
 934         krb5_free_cred_contents(context, &tgt);
 935         krb5_free_principal(context, referral.server);
 936         return ret;
 937     }
 938 
 939     while (loop++ < 17) {
 940         krb5_creds **tickets;
 941         krb5_creds mcreds;
 942         char *referral_realm;
 943 
 944         /* Use cache if we are not doing impersonation or contrainte deleg */
 945         if (impersonate_principal == NULL || flags.b.constrained_delegation) {
 946             krb5_cc_clear_mcred(&mcreds);
 947             mcreds.server = referral.server;
 948             ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &ticket);
 949         } else
 950             ret = EINVAL;
 951 
 952         if (ret) {
 953             ret = get_cred_kdc_address (context, ccache, flags, NULL,
 954                                         &referral, &tgt, impersonate_principal,
 955                                         second_ticket, &ticket);
 956             if (ret)
 957                 goto out;
 958         }
 959 
 960         /* Did we get the right ticket ? */
 961         if (krb5_principal_compare_any_realm(context,
 962                                              referral.server,
 963                                              ticket.server))
 964             break;
 965 
 966         if (ticket.server->name.name_string.len != 2 &&
 967             strcmp(ticket.server->name.name_string.val[0], KRB5_TGS_NAME) != 0)
 968         {
 969             krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
 970                                    N_("Got back an non krbtgt "
 971                                       "ticket referrals", ""));
 972             krb5_free_cred_contents(context, &ticket);
 973             return KRB5KRB_AP_ERR_NOT_US;
 974         }
 975 
 976         referral_realm = ticket.server->name.name_string.val[1];
 977 
 978         /* check that there are no referrals loops */
 979         tickets = *ret_tgts;
 980 
 981         krb5_cc_clear_mcred(&mcreds);
 982         mcreds.server = ticket.server;
 983 
 984         while(tickets && *tickets){
 985             if(krb5_compare_creds(context,
 986                                   KRB5_TC_DONT_MATCH_REALM,
 987                                   &mcreds,
 988                                   *tickets))
 989             {
 990                 krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
 991                                        N_("Referral from %s "
 992                                           "loops back to realm %s", ""),
 993                                        tgt.server->realm,
 994                                        referral_realm);
 995                 krb5_free_cred_contents(context, &ticket);
 996                 return KRB5_GET_IN_TKT_LOOP;
 997             }
 998             tickets++;
 999         }       
1000 
1001         /* 
1002          * if either of the chain or the ok_as_delegate was stripped
1003          * by the kdc, make sure we strip it too.
1004          */
1005 
1006         if (ok_as_delegate == 0 || ticket.flags.b.ok_as_delegate == 0) {
1007             ok_as_delegate = 0;
1008             ticket.flags.b.ok_as_delegate = 0;
1009         }
1010 
1011         ret = add_cred(context, &ticket, ret_tgts);
1012         if (ret) {
1013             krb5_free_cred_contents(context, &ticket);
1014             goto out;
1015         }
1016 
1017         /* try realm in the referral */
1018         ret = krb5_principal_set_realm(context,
1019                                        referral.server,
1020                                        referral_realm);
1021         krb5_free_cred_contents(context, &tgt);
1022         tgt = ticket;
1023         memset(&ticket, 0, sizeof(ticket));
1024         if (ret)
1025             goto out;
1026     }
1027 
1028     ret = krb5_copy_creds(context, &ticket, out_creds);
1029 
1030 out:
1031     krb5_free_principal(context, referral.server);
1032     krb5_free_cred_contents(context, &tgt);
1033     return ret;
1034 }
1035 
1036 
1037 /*
1038  * Glue function between referrals version and old client chasing
1039  * codebase.
1040  */
1041 
1042 static krb5_error_code
1043 get_cred_kdc_any(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1044                  krb5_kdc_flags flags,
1045                  krb5_ccache ccache,
1046                  krb5_creds *in_creds,
1047                  krb5_principal impersonate_principal,
1048                  Ticket *second_ticket,                 
1049                  krb5_creds **out_creds,
1050                  krb5_creds ***ret_tgts)
1051 {
1052     krb5_error_code ret;
1053 
1054     ret = get_cred_kdc_referral(context,
1055                                 flags,
1056                                 ccache,
1057                                 in_creds,
1058                                 impersonate_principal,
1059                                 second_ticket,
1060                                 out_creds,
1061                                 ret_tgts);
1062     if (ret == 0 || flags.b.canonicalize)
1063         return ret;
1064     return get_cred_kdc_capath(context,
1065                                 flags,
1066                                 ccache,
1067                                 in_creds,
1068                                 impersonate_principal,
1069                                 second_ticket,
1070                                 out_creds,
1071                                 ret_tgts);
1072 }
1073 
1074 
1075 krb5_error_code KRB5_LIB_FUNCTION
1076 krb5_get_cred_from_kdc_opt(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1077                            krb5_ccache ccache,
1078                            krb5_creds *in_creds,
1079                            krb5_creds **out_creds,
1080                            krb5_creds ***ret_tgts,
1081                            krb5_flags flags)
1082 {
1083     krb5_kdc_flags f;
1084     f.i = flags;
1085     return get_cred_kdc_any(context, f, ccache,
1086                             in_creds, NULL, NULL,
1087                             out_creds, ret_tgts);
1088 }
1089 
1090 krb5_error_code KRB5_LIB_FUNCTION
1091 krb5_get_cred_from_kdc(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1092                        krb5_ccache ccache,
1093                        krb5_creds *in_creds,
1094                        krb5_creds **out_creds,
1095                        krb5_creds ***ret_tgts)
1096 {
1097     return krb5_get_cred_from_kdc_opt(context, ccache,
1098                                       in_creds, out_creds, ret_tgts, 0);
1099 }
1100 
1101 
1102 krb5_error_code KRB5_LIB_FUNCTION
1103 krb5_get_credentials_with_flags(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1104                                 krb5_flags options,
1105                                 krb5_kdc_flags flags,
1106                                 krb5_ccache ccache,
1107                                 krb5_creds *in_creds,
1108                                 krb5_creds **out_creds)
1109 {
1110     krb5_error_code ret;
1111     krb5_creds **tgts;
1112     krb5_creds *res_creds;
1113     int i;
1114 
1115     *out_creds = NULL;
1116     res_creds = calloc(1, sizeof(*res_creds));
1117     if (res_creds == NULL) {
1118         krb5_set_error_message(context, ENOMEM,
1119                                N_("malloc: out of memory", ""));
1120         return ENOMEM;
1121     }
1122 
1123     if (in_creds->session.keytype)
1124         options |= KRB5_TC_MATCH_KEYTYPE;
1125 
1126     /*
1127      * If we got a credential, check if credential is expired before
1128      * returning it.
1129      */
1130     ret = krb5_cc_retrieve_cred(context,
1131                                 ccache,
1132                                 in_creds->session.keytype ?
1133                                 KRB5_TC_MATCH_KEYTYPE : 0,
1134                                 in_creds, res_creds);
1135     /*
1136      * If we got a credential, check if credential is expired before
1137      * returning it, but only if KRB5_GC_EXPIRED_OK is not set.
1138      */
1139     if (ret == 0) {
1140         krb5_timestamp timeret;
1141 
1142         /* If expired ok, don't bother checking */
1143         if(options & KRB5_GC_EXPIRED_OK) {
1144             *out_creds = res_creds;
1145             return 0;
1146         }
1147         
1148         krb5_timeofday(context, &timeret);
1149         if(res_creds->times.endtime > timeret) {
1150             *out_creds = res_creds;
1151             return 0;
1152         }
1153         if(options & KRB5_GC_CACHED)
1154             krb5_cc_remove_cred(context, ccache, 0, res_creds);
1155 
1156     } else if(ret != KRB5_CC_END) {
1157         free(res_creds);
1158         return ret;
1159     }
1160     free(res_creds);
1161     if(options & KRB5_GC_CACHED)
1162         return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
1163 
1164     if(options & KRB5_GC_USER_USER)
1165         flags.b.enc_tkt_in_skey = 1;
1166     if (flags.b.enc_tkt_in_skey)
1167         options |= KRB5_GC_NO_STORE;
1168 
1169     tgts = NULL;
1170     ret = get_cred_kdc_any(context, flags, ccache,
1171                            in_creds, NULL, NULL, out_creds, &tgts);
1172     for(i = 0; tgts && tgts[i]; i++) {
1173         krb5_cc_store_cred(context, ccache, tgts[i]);
1174         krb5_free_creds(context, tgts[i]);
1175     }
1176     free(tgts);
1177     if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
1178         krb5_cc_store_cred(context, ccache, *out_creds);
1179     return ret;
1180 }
1181 
1182 krb5_error_code KRB5_LIB_FUNCTION
1183 krb5_get_credentials(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1184                      krb5_flags options,
1185                      krb5_ccache ccache,
1186                      krb5_creds *in_creds,
1187                      krb5_creds **out_creds)
1188 {
1189     krb5_kdc_flags flags;
1190     flags.i = 0;
1191     return krb5_get_credentials_with_flags(context, options, flags,
1192                                            ccache, in_creds, out_creds);
1193 }
1194 
1195 struct krb5_get_creds_opt_data {
1196     krb5_principal self;
1197     krb5_flags options;
1198     krb5_enctype enctype;
1199     Ticket *ticket;
1200 };
1201 
1202 
1203 krb5_error_code KRB5_LIB_FUNCTION
1204 krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt)
     /* [<][>][^][v][top][bottom][index][help] */
1205 {
1206     *opt = calloc(1, sizeof(**opt));
1207     if (*opt == NULL) {
1208         krb5_set_error_message(context, ENOMEM,
1209                                N_("malloc: out of memory", ""));
1210         return ENOMEM;
1211     }
1212     return 0;
1213 }
1214 
1215 void KRB5_LIB_FUNCTION
1216 krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt)
     /* [<][>][^][v][top][bottom][index][help] */
1217 {
1218     if (opt->self)
1219         krb5_free_principal(context, opt->self);
1220     memset(opt, 0, sizeof(*opt));
1221     free(opt);
1222 }
1223 
1224 void KRB5_LIB_FUNCTION
1225 krb5_get_creds_opt_set_options(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1226                                krb5_get_creds_opt opt,
1227                                krb5_flags options)
1228 {
1229     opt->options = options;
1230 }
1231 
1232 void KRB5_LIB_FUNCTION
1233 krb5_get_creds_opt_add_options(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1234                                krb5_get_creds_opt opt,
1235                                krb5_flags options)
1236 {
1237     opt->options |= options;
1238 }
1239 
1240 void KRB5_LIB_FUNCTION
1241 krb5_get_creds_opt_set_enctype(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1242                                krb5_get_creds_opt opt,
1243                                krb5_enctype enctype)
1244 {
1245     opt->enctype = enctype;
1246 }
1247 
1248 krb5_error_code KRB5_LIB_FUNCTION
1249 krb5_get_creds_opt_set_impersonate(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1250                                    krb5_get_creds_opt opt,
1251                                    krb5_const_principal self)
1252 {
1253     if (opt->self)
1254         krb5_free_principal(context, opt->self);
1255     return krb5_copy_principal(context, self, &opt->self);
1256 }
1257 
1258 krb5_error_code KRB5_LIB_FUNCTION
1259 krb5_get_creds_opt_set_ticket(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1260                               krb5_get_creds_opt opt,
1261                               const Ticket *ticket)
1262 {
1263     if (opt->ticket) {
1264         free_Ticket(opt->ticket);
1265         free(opt->ticket);
1266         opt->ticket = NULL;
1267     }
1268     if (ticket) {
1269         krb5_error_code ret;
1270 
1271         opt->ticket = malloc(sizeof(*ticket));
1272         if (opt->ticket == NULL) {
1273             krb5_set_error_message(context, ENOMEM,
1274                                    N_("malloc: out of memory", ""));
1275             return ENOMEM;
1276         }
1277         ret = copy_Ticket(ticket, opt->ticket);
1278         if (ret) {
1279             free(opt->ticket);
1280             opt->ticket = NULL;
1281             krb5_set_error_message(context, ret,
1282                                    N_("malloc: out of memory", ""));
1283             return ret;
1284         }
1285     }
1286     return 0;
1287 }
1288 
1289 
1290 
1291 krb5_error_code KRB5_LIB_FUNCTION
1292 krb5_get_creds(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1293                krb5_get_creds_opt opt,
1294                krb5_ccache ccache,
1295                krb5_const_principal inprinc,
1296                krb5_creds **out_creds)
1297 {
1298     krb5_kdc_flags flags;
1299     krb5_flags options;
1300     krb5_creds in_creds;
1301     krb5_error_code ret;
1302     krb5_creds **tgts;
1303     krb5_creds *res_creds;
1304     int i;
1305 
1306     memset(&in_creds, 0, sizeof(in_creds));
1307     in_creds.server = rk_UNCONST(inprinc);
1308 
1309     ret = krb5_cc_get_principal(context, ccache, &in_creds.client);
1310     if (ret)
1311         return ret;
1312 
1313     options = opt->options;
1314     flags.i = 0;
1315 
1316     *out_creds = NULL;
1317     res_creds = calloc(1, sizeof(*res_creds));
1318     if (res_creds == NULL) {
1319         krb5_free_principal(context, in_creds.client);
1320         krb5_set_error_message(context, ENOMEM,
1321                                N_("malloc: out of memory", ""));
1322         return ENOMEM;
1323     }
1324 
1325     if (opt->enctype) {
1326         in_creds.session.keytype = opt->enctype;
1327         options |= KRB5_TC_MATCH_KEYTYPE;
1328     }
1329 
1330     /*
1331      * If we got a credential, check if credential is expired before
1332      * returning it.
1333      */
1334     ret = krb5_cc_retrieve_cred(context,
1335                                 ccache,
1336                                 opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0,
1337                                 &in_creds, res_creds);
1338     /*
1339      * If we got a credential, check if credential is expired before
1340      * returning it, but only if KRB5_GC_EXPIRED_OK is not set.
1341      */
1342     if (ret == 0) {
1343         krb5_timestamp timeret;
1344 
1345         /* If expired ok, don't bother checking */
1346         if(options & KRB5_GC_EXPIRED_OK) {
1347             *out_creds = res_creds;
1348             krb5_free_principal(context, in_creds.client);
1349             return 0;
1350         }
1351         
1352         krb5_timeofday(context, &timeret);
1353         if(res_creds->times.endtime > timeret) {
1354             *out_creds = res_creds;
1355             krb5_free_principal(context, in_creds.client);
1356             return 0;
1357         }
1358         if(options & KRB5_GC_CACHED)
1359             krb5_cc_remove_cred(context, ccache, 0, res_creds);
1360 
1361     } else if(ret != KRB5_CC_END) {
1362         free(res_creds);
1363         krb5_free_principal(context, in_creds.client);
1364         return ret;
1365     }
1366     free(res_creds);
1367     if(options & KRB5_GC_CACHED) {
1368         krb5_free_principal(context, in_creds.client);
1369         return not_found(context, in_creds.server, KRB5_CC_NOTFOUND);
1370     }
1371     if(options & KRB5_GC_USER_USER) {
1372         flags.b.enc_tkt_in_skey = 1;
1373         options |= KRB5_GC_NO_STORE;
1374     }
1375     if (options & KRB5_GC_FORWARDABLE)
1376         flags.b.forwardable = 1;
1377     if (options & KRB5_GC_NO_TRANSIT_CHECK)
1378         flags.b.disable_transited_check = 1;
1379     if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
1380         flags.b.request_anonymous = 1; /* XXX ARGH confusion */
1381         flags.b.constrained_delegation = 1;
1382     }
1383     if (options & KRB5_GC_CANONICALIZE)
1384         flags.b.canonicalize = 1;
1385 
1386     tgts = NULL;
1387     ret = get_cred_kdc_any(context, flags, ccache,
1388                            &in_creds, opt->self, opt->ticket,
1389                            out_creds, &tgts);
1390     krb5_free_principal(context, in_creds.client);
1391     for(i = 0; tgts && tgts[i]; i++) {
1392         krb5_cc_store_cred(context, ccache, tgts[i]);
1393         krb5_free_creds(context, tgts[i]);
1394     }
1395     free(tgts);
1396     if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
1397         krb5_cc_store_cred(context, ccache, *out_creds);
1398     return ret;
1399 }
1400 
1401 /*
1402  *
1403  */
1404 
1405 krb5_error_code KRB5_LIB_FUNCTION
1406 krb5_get_renewed_creds(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1407                        krb5_creds *creds,
1408                        krb5_const_principal client,
1409                        krb5_ccache ccache,
1410                        const char *in_tkt_service)
1411 {
1412     krb5_error_code ret;
1413     krb5_kdc_flags flags;
1414     krb5_creds in, *template, *out = NULL;
1415 
1416     memset(&in, 0, sizeof(in));
1417     memset(creds, 0, sizeof(*creds));
1418 
1419     ret = krb5_copy_principal(context, client, &in.client);
1420     if (ret)
1421         return ret;
1422 
1423     if (in_tkt_service) {
1424         ret = krb5_parse_name(context, in_tkt_service, &in.server);
1425         if (ret) {
1426             krb5_free_principal(context, in.client);
1427             return ret;
1428         }
1429     } else {
1430         const char *realm = krb5_principal_get_realm(context, client);
1431         
1432         ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
1433                                   realm, NULL);
1434         if (ret) {
1435             krb5_free_principal(context, in.client);
1436             return ret;
1437         }
1438     }
1439 
1440     flags.i = 0;
1441     flags.b.renewable = flags.b.renew = 1;
1442 
1443     /*
1444      * Get template from old credential cache for the same entry, if
1445      * this failes, no worries.
1446      */
1447     ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, &in, &template);
1448     if (ret == 0) {
1449         flags.b.forwardable = template->flags.b.forwardable;
1450         flags.b.proxiable = template->flags.b.proxiable;
1451         krb5_free_creds (context, template);
1452     }
1453 
1454     ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
1455     krb5_free_principal(context, in.client);
1456     krb5_free_principal(context, in.server);
1457     if (ret)
1458         return ret;
1459 
1460     ret = krb5_copy_creds_contents(context, out, creds);
1461     krb5_free_creds(context, out);
1462 
1463     return ret;
1464 }

/* [<][>][^][v][top][bottom][index][help] */