krb5_error_code KRB5_CALLCONV
krb5_encode_authdata_container(krb5_context context,
krb5_authdatatype type,
krb5_authdata *const*authdata,
krb5_authdata ***container)
{
krb5_error_code code;
krb5_data *data;
krb5_authdata ad_datum;
krb5_authdata *ad_data[2];
*container = NULL;
code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data);
if (code)
return code;
ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK;
ad_datum.length = data->length;
ad_datum.contents = (unsigned char *)data->data;
ad_data[0] = &ad_datum;
ad_data[1] = NULL;
code = krb5_copy_authdata(context, ad_data, container);
krb5_free_data(context, data);
return code;
}
krb5_error_code KRB5_CALLCONV
krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred)
{
krb5_creds *tempcred;
krb5_error_code retval;
krb5_data *scratch;
if (!(tempcred = (krb5_creds *)malloc(sizeof(*tempcred))))
return ENOMEM;
*tempcred = *incred;
retval = krb5_copy_principal(context, incred->client, &tempcred->client);
if (retval)
goto cleanlast;
retval = krb5_copy_principal(context, incred->server, &tempcred->server);
if (retval)
goto cleanclient;
retval = krb5_copy_keyblock_contents(context, &incred->keyblock,
&tempcred->keyblock);
if (retval)
goto cleanserver;
retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses);
if (retval)
goto cleanblock;
retval = krb5_copy_data(context, &incred->ticket, &scratch);
if (retval)
goto cleanaddrs;
tempcred->ticket = *scratch;
krb5_xfree(scratch);
retval = krb5_copy_data(context, &incred->second_ticket, &scratch);
if (retval)
goto cleanticket;
tempcred->second_ticket = *scratch;
krb5_xfree(scratch);
retval = krb5_copy_authdata(context, incred->authdata,&tempcred->authdata);
if (retval)
goto clearticket;
*outcred = tempcred;
return 0;
clearticket:
memset(tempcred->ticket.data,0,tempcred->ticket.length);
cleanticket:
free(tempcred->ticket.data);
cleanaddrs:
krb5_free_addresses(context, tempcred->addresses);
cleanblock:
krb5_xfree(tempcred->keyblock.contents);
cleanserver:
krb5_free_principal(context, tempcred->server);
cleanclient:
krb5_free_principal(context, tempcred->client);
cleanlast:
krb5_xfree(tempcred);
return retval;
}
/*
* Copy contents of input credentials structure to supplied
* destination, allocating storage for indirect fields as needed. On
* success, the output is a deep copy of the input. On error, the
* output structure is garbage and its contents should be ignored.
*/
krb5_error_code
k5_copy_creds_contents(krb5_context context, const krb5_creds *incred,
krb5_creds *tempcred)
{
krb5_error_code retval;
krb5_data *scratch;
*tempcred = *incred;
retval = krb5_copy_principal(context, incred->client, &tempcred->client);
if (retval)
goto cleanlast;
retval = krb5_copy_principal(context, incred->server, &tempcred->server);
if (retval)
goto cleanclient;
retval = krb5_copy_keyblock_contents(context, &incred->keyblock,
&tempcred->keyblock);
if (retval)
goto cleanserver;
retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses);
if (retval)
goto cleanblock;
retval = krb5_copy_data(context, &incred->ticket, &scratch);
if (retval)
goto cleanaddrs;
tempcred->ticket = *scratch;
free(scratch);
retval = krb5_copy_data(context, &incred->second_ticket, &scratch);
if (retval)
goto clearticket;
tempcred->second_ticket = *scratch;
free(scratch);
retval = krb5_copy_authdata(context, incred->authdata,&tempcred->authdata);
if (retval)
goto clearsecondticket;
return 0;
clearsecondticket:
memset(tempcred->second_ticket.data,0,tempcred->second_ticket.length);
free(tempcred->second_ticket.data);
clearticket:
memset(tempcred->ticket.data,0,tempcred->ticket.length);
free(tempcred->ticket.data);
cleanaddrs:
krb5_free_addresses(context, tempcred->addresses);
cleanblock:
free(tempcred->keyblock.contents);
cleanserver:
krb5_free_principal(context, tempcred->server);
cleanclient:
krb5_free_principal(context, tempcred->client);
cleanlast:
/* Do not free tempcred - we did not allocate it - its contents are
garbage - but we should not free it */
return retval;
}
/*
* Merge authdata.
*
* If copy is FALSE, in_authdata is invalid on successful return.
* If ignore_kdc_issued is TRUE, KDC-issued authdata is not copied.
*/
static krb5_error_code
merge_authdata (krb5_context context,
krb5_authdata **in_authdata,
krb5_authdata ***out_authdata,
krb5_boolean copy,
krb5_boolean ignore_kdc_issued)
{
size_t i, j, nadata = 0;
krb5_authdata **in_copy = NULL, **authdata = *out_authdata;
krb5_error_code code;
if (in_authdata == NULL || in_authdata[0] == NULL)
return 0;
if (authdata != NULL) {
for (nadata = 0; authdata[nadata] != NULL; nadata++)
;
}
for (i = 0; in_authdata[i] != NULL; i++)
;
if (copy) {
code = krb5_copy_authdata(context, in_authdata, &in_copy);
if (code != 0)
return code;
in_authdata = in_copy;
}
authdata = realloc(authdata, (nadata + i + 1) * sizeof(krb5_authdata *));
if (authdata == NULL) {
krb5_free_authdata(context, in_copy);
return ENOMEM;
}
for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
if (ignore_kdc_issued &&
is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
free(in_authdata[i]->contents);
free(in_authdata[i]);
} else
authdata[nadata + j++] = in_authdata[i];
}
authdata[nadata + j] = NULL;
free(in_authdata);
if (authdata[0] == NULL) {
free(authdata);
authdata = NULL;
}
*out_authdata = authdata;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache,
krb5_creds *in_creds, krb5_flags options,
krb5_tkt_creds_context *pctx)
{
krb5_error_code code;
krb5_tkt_creds_context ctx = NULL;
TRACE_TKT_CREDS(context, in_creds, ccache);
ctx = k5alloc(sizeof(*ctx), &code);
if (ctx == NULL)
goto cleanup;
ctx->req_options = options;
ctx->req_kdcopt = 0;
if (options & KRB5_GC_CANONICALIZE)
ctx->req_kdcopt |= KDC_OPT_CANONICALIZE;
if (options & KRB5_GC_FORWARDABLE)
ctx->req_kdcopt |= KDC_OPT_FORWARDABLE;
if (options & KRB5_GC_NO_TRANSIT_CHECK)
ctx->req_kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
if (options & KRB5_GC_USER_USER) {
code = EINVAL;
goto cleanup;
}
ctx->req_kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
}
ctx->state = STATE_BEGIN;
ctx->cache_code = KRB5_CC_NOTFOUND;
code = krb5_copy_creds(context, in_creds, &ctx->in_creds);
if (code != 0)
goto cleanup;
ctx->client = ctx->in_creds->client;
ctx->server = ctx->in_creds->server;
code = krb5_copy_principal(context, ctx->server, &ctx->req_server);
if (code != 0)
goto cleanup;
code = krb5_cc_dup(context, ccache, &ctx->ccache);
if (code != 0)
goto cleanup;
code = krb5_copy_authdata(context, in_creds->authdata, &ctx->authdata);
if (code != 0)
goto cleanup;
*pctx = ctx;
ctx = NULL;
cleanup:
krb5_tkt_creds_free(context, ctx);
return code;
}
krb5_error_code KRB5_CALLCONV
krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, krb5_authenticator **authto)
{
krb5_error_code retval;
krb5_authenticator *tempto;
if (!(tempto = (krb5_authenticator *)MALLOC(sizeof(*tempto))))
return ENOMEM;
#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
*tempto = *authfrom;
#else
(void) memcpy(tempto, authfrom, sizeof(krb5_authenticator));
#endif
retval = krb5_copy_principal(context, authfrom->client, &tempto->client);
if (retval) {
krb5_xfree_wrap(tempto, sizeof(*tempto));
return retval;
}
if (authfrom->checksum &&
(retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
krb5_free_principal(context, tempto->client);
krb5_xfree_wrap(tempto, sizeof(*tempto));
return retval;
}
if (authfrom->subkey) {
retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
if (retval) {
krb5_xfree_wrap(tempto->subkey, sizeof(krb5_keyblock));
krb5_free_checksum(context, tempto->checksum);
krb5_free_principal(context, tempto->client);
krb5_xfree_wrap(tempto, sizeof(*tempto));
return retval;
}
}
if (authfrom->authorization_data) {
retval = krb5_copy_authdata(context, authfrom->authorization_data,
&tempto->authorization_data);
if (retval) {
krb5_xfree_wrap(tempto->subkey, sizeof(krb5_keyblock));
krb5_free_checksum(context, tempto->checksum);
krb5_free_principal(context, tempto->client);
krb5_free_authdata(context, tempto->authorization_data);
krb5_xfree_wrap(tempto, sizeof(*tempto));
return retval;
}
}
*authto = tempto;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom,
krb5_authenticator **authto)
{
krb5_error_code retval;
krb5_authenticator *tempto;
if (!(tempto = (krb5_authenticator *)malloc(sizeof(*tempto))))
return ENOMEM;
*tempto = *authfrom;
retval = krb5_copy_principal(context, authfrom->client, &tempto->client);
if (retval) {
free(tempto);
return retval;
}
if (authfrom->checksum &&
(retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
krb5_free_principal(context, tempto->client);
free(tempto);
return retval;
}
if (authfrom->subkey) {
retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
if (retval) {
free(tempto->subkey);
krb5_free_checksum(context, tempto->checksum);
krb5_free_principal(context, tempto->client);
free(tempto);
return retval;
}
}
if (authfrom->authorization_data) {
retval = krb5_copy_authdata(context, authfrom->authorization_data,
&tempto->authorization_data);
if (retval) {
free(tempto->subkey);
krb5_free_checksum(context, tempto->checksum);
krb5_free_principal(context, tempto->client);
krb5_free_authdata(context, tempto->authorization_data);
free(tempto);
return retval;
}
}
*authto = tempto;
return 0;
}
/* Advance the referral request loop. */
static krb5_error_code
step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
const krb5_data *referral_realm;
/* Possibly retry with the fallback realm on error. */
if (ctx->reply_code != 0)
return try_fallback_realm(context, ctx);
if (krb5_principal_compare(context, ctx->reply_creds->server,
ctx->server)) {
/* We got the ticket we asked for... but we didn't necessarily ask for
* it with the right enctypes. Try a non-referral request if so. */
if (wrong_enctype(context, ctx->reply_creds->keyblock.enctype)) {
TRACE_TKT_CREDS_WRONG_ENCTYPE(context);
return begin_non_referral(context, ctx);
}
return complete(context, ctx);
}
/* Old versions of Active Directory can rewrite the server name instead of
* returning a referral. Try a non-referral query if we see this. */
if (!IS_TGS_PRINC(context, ctx->reply_creds->server)) {
TRACE_TKT_CREDS_NON_TGT(context, ctx->reply_creds->server);
return begin_non_referral(context, ctx);
}
if (ctx->referral_count == 1) {
/* Cache the referral TGT only if it's from the local realm.
* Make sure to note the associated authdata, if any. */
code = krb5_copy_authdata(context, ctx->authdata,
&ctx->reply_creds->authdata);
if (code != 0)
return code;
(void) krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);
/* The authdata in this TGT will be copied into subsequent TGTs or the
* final credentials, so we don't need to request it again. */
krb5_free_authdata(context, ctx->in_creds->authdata);
ctx->in_creds->authdata = NULL;
}
/* Give up if we've gotten too many referral TGTs. */
if (ctx->referral_count++ >= KRB5_REFERRAL_MAXHOPS)
return KRB5_KDC_UNREACH;
/* Check for referral loops. */
referral_realm = &ctx->reply_creds->server->data[1];
if (seen_realm_before(context, ctx, referral_realm))
return KRB5_KDC_UNREACH;
code = remember_realm(context, ctx, referral_realm);
if (code != 0)
return code;
/* Use the referral TGT for the next request. */
krb5_free_creds(context, ctx->cur_tgt);
ctx->cur_tgt = ctx->reply_creds;
ctx->reply_creds = NULL;
TRACE_TKT_CREDS_REFERRAL(context, ctx->cur_tgt->server);
/* Rewrite the server realm to be the referral realm. */
krb5_free_data_contents(context, &ctx->server->realm);
code = krb5int_copy_data_contents(context, referral_realm,
&ctx->server->realm);
if (code != 0)
return code;
/* Generate the next referral request. */
return make_request_for_service(context, ctx, TRUE);
}
krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
krb5_creds *in_cred, krb5_creds **out_cred,
krb5_creds ***tgts, int kdcopt)
{
krb5_error_code retval, subretval;
krb5_principal client, server, supplied_server, out_supplied_server;
krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS];
krb5_creds *otgtptr = NULL;
int tgtptr_isoffpath = 0;
krb5_boolean old_use_conf_ktypes;
char **hrealms;
unsigned int referral_count, i;
krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL;
/*
* Set up client and server pointers. Make a fresh and modifyable
* copy of the in_cred server and save the supplied version.
*/
client = in_cred->client;
if ((retval=krb5_copy_principal(context, in_cred->server, &server)))
return retval;
/* We need a second copy for the output creds. */
if ((retval = krb5_copy_principal(context, server,
&out_supplied_server)) != 0 ) {
krb5_free_principal(context, server);
return retval;
}
if (in_cred->authdata != NULL) {
if ((retval = krb5_copy_authdata(context, in_cred->authdata,
&out_supplied_authdata)) != 0) {
krb5_free_principal(context, out_supplied_server);
krb5_free_principal(context, server);
return retval;
}
}
supplied_server = in_cred->server;
in_cred->server=server;
supplied_authdata = in_cred->authdata;
DUMP_PRINC("gc_from_kdc initial client", client);
DUMP_PRINC("gc_from_kdc initial server", server);
memset(&cc_tgt, 0, sizeof(cc_tgt));
memset(&tgtq, 0, sizeof(tgtq));
memset(&referral_tgts, 0, sizeof(referral_tgts));
tgtptr = NULL;
*tgts = NULL;
*out_cred=NULL;
old_use_conf_ktypes = context->use_conf_ktypes;
/* Copy client realm to server if no hint. */
if (krb5_is_referral_realm(&server->realm)) {
/* Use the client realm. */
DPRINTF(("gc_from_kdc: no server realm supplied, "
"using client realm.\n"));
krb5_free_data_contents(context, &server->realm);
if (!( server->realm.data = (char *)malloc(client->realm.length+1)))
return ENOMEM;
memcpy(server->realm.data, client->realm.data, client->realm.length);
server->realm.length = client->realm.length;
server->realm.data[server->realm.length] = 0;
}
/*
* Retreive initial TGT to match the specified server, either for the
* local realm in the default (referral) case or for the remote
* realm if we're starting someplace non-local.
*/
retval = tgt_mcred(context, client, server, client, &tgtq);
if (retval)
goto cleanup;
/* Fast path: Is it in the ccache? */
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
&tgtq, &cc_tgt);
if (!retval) {
tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
DPRINTF(("gc_from_kdc: starting do_traversal to find "
"initial TGT for referral\n"));
tgtptr_isoffpath = 0;
otgtptr = NULL;
retval = do_traversal(context, ccache, client, server,
&cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval) {
DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n"));
goto cleanup;
}
DUMP_PRINC("gc_from_kdc: server as requested", supplied_server);
if (in_cred->second_ticket.length != 0 &&
(kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
}
/*
* Try requesting a service ticket from our local KDC with referrals
* turned on. If the first referral succeeds, follow a referral-only
* path, otherwise fall back to old-style assumptions.
*/
/*
* Save TGTPTR because we rewrite it in the referral loop, and
* we might need to explicitly free it later.
*/
otgtptr = tgtptr;
for (referral_count = 0;
referral_count < KRB5_REFERRAL_MAXHOPS;
referral_count++) {
#if 0
DUMP_PRINC("gc_from_kdc: referral loop: tgt in use", tgtptr->server);
DUMP_PRINC("gc_from_kdc: referral loop: request is for", server);
#endif
retval = krb5_get_cred_via_tkt(context, tgtptr,
KDC_OPT_CANONICALIZE |
FLAGS2OPTS(tgtptr->ticket_flags) |
kdcopt,
tgtptr->addresses, in_cred, out_cred);
if (retval) {
DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
error_message(retval)));
/* If we haven't gone anywhere yet, fail through to the
non-referral case. */
if (referral_count==0) {
DPRINTF(("gc_from_kdc: initial referral failed; "
"punting to fallback.\n"));
break;
}
/* Otherwise, try the same query without canonicalization
set, and fail hard if that doesn't work. */
DPRINTF(("gc_from_kdc: referral #%d failed; "
"retrying without option.\n", referral_count + 1));
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
kdcopt,
tgtptr->addresses,
in_cred, out_cred);
/* Whether or not that succeeded, we're done. */
goto cleanup;
}
/* Referral request succeeded; let's see what it is. */
if (krb5_principal_compare(context, in_cred->server,
(*out_cred)->server)) {
DPRINTF(("gc_from_kdc: request generated ticket "
"for requested server principal\n"));
DUMP_PRINC("gc_from_kdc final referred reply",
in_cred->server);
/*
* Check if the return enctype is one that we requested if
* needed.
*/
if (old_use_conf_ktypes || context->tgs_ktype_count == 0)
goto cleanup;
for (i = 0; i < context->tgs_ktype_count; i++) {
if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) {
/* Found an allowable etype, so we're done */
goto cleanup;
}
}
/*
* We need to try again, but this time use the
* tgs_ktypes in the context. At this point we should
* have all the tgts to succeed.
*/
/* Free "wrong" credential */
krb5_free_creds(context, *out_cred);
*out_cred = NULL;
/* Re-establish tgs etypes */
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
KDC_OPT_CANONICALIZE |
FLAGS2OPTS(tgtptr->ticket_flags) |
kdcopt,
tgtptr->addresses,
in_cred, out_cred);
goto cleanup;
}
else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
krb5_data *r1, *r2;
DPRINTF(("gc_from_kdc: request generated referral tgt\n"));
DUMP_PRINC("gc_from_kdc credential received",
(*out_cred)->server);
if (referral_count == 0)
r1 = &tgtptr->server->data[1];
else
r1 = &referral_tgts[referral_count-1]->server->data[1];
r2 = &(*out_cred)->server->data[1];
if (data_eq(*r1, *r2)) {
DPRINTF(("gc_from_kdc: referred back to "
"previous realm; fall back\n"));
krb5_free_creds(context, *out_cred);
*out_cred = NULL;
break;
}
/* Check for referral routing loop. */
for (i=0;i<referral_count;i++) {
#if 0
DUMP_PRINC("gc_from_kdc: loop compare #1",
(*out_cred)->server);
DUMP_PRINC("gc_from_kdc: loop compare #2",
referral_tgts[i]->server);
#endif
if (krb5_principal_compare(context,
(*out_cred)->server,
referral_tgts[i]->server)) {
DFPRINTF((stderr,
"krb5_get_cred_from_kdc_opt: "
"referral routing loop - "
"got referral back to hop #%d\n", i));
retval=KRB5_KDC_UNREACH;
goto cleanup;
}
}
/* Point current tgt pointer at newly-received TGT. */
if (tgtptr == &cc_tgt)
krb5_free_cred_contents(context, tgtptr);
tgtptr=*out_cred;
/* Save requested auth data with TGT in case it ends up stored */
if (supplied_authdata != NULL) {
/* Ensure we note TGT contains authorization data */
retval = krb5_copy_authdata(context,
supplied_authdata,
&(*out_cred)->authdata);
if (retval)
goto cleanup;
}
/* Save pointer to tgt in referral_tgts. */
referral_tgts[referral_count]=*out_cred;
*out_cred = NULL;
/* Copy krbtgt realm to server principal. */
krb5_free_data_contents(context, &server->realm);
retval = krb5int_copy_data_contents(context,
&tgtptr->server->data[1],
&server->realm);
if (retval)
return retval;
/* Don't ask for KDC to add auth data multiple times */
in_cred->authdata = NULL;
/*
* Future work: rewrite server principal per any
* supplied padata.
*/
} else {
/* Not a TGT; punt to fallback. */
krb5_free_creds(context, *out_cred);
*out_cred = NULL;
break;
}
}
DUMP_PRINC("gc_from_kdc client at fallback", client);
DUMP_PRINC("gc_from_kdc server at fallback", server);
/*
* At this point referrals have been tried and have failed. Go
* back to the server principal as originally issued and try the
* conventional path.
*/
/*
* Referrals have failed. Look up fallback realm if not
* originally provided.
*/
if (krb5_is_referral_realm(&supplied_server->realm)) {
if (server->length >= 2) {
retval=krb5_get_fallback_host_realm(context, &server->data[1],
&hrealms);
if (retval) goto cleanup;
#if 0
DPRINTF(("gc_from_kdc: using fallback realm of %s\n",
hrealms[0]));
#endif
krb5_free_data_contents(context,&in_cred->server->realm);
server->realm.data=hrealms[0];
server->realm.length=strlen(hrealms[0]);
free(hrealms);
}
else {
/*
* Problem case: Realm tagged for referral but apparently not
* in a <type>/<host> format that
* krb5_get_fallback_host_realm can deal with.
*/
DPRINTF(("gc_from_kdc: referral specified "
"but no fallback realm avaiable!\n"));
return KRB5_ERR_HOST_REALM_UNKNOWN;
}
}
DUMP_PRINC("gc_from_kdc server at fallback after fallback rewrite",
server);
/*
* Get a TGT for the target realm.
*/
krb5_free_cred_contents(context, &tgtq);
retval = tgt_mcred(context, client, server, client, &tgtq);
if (retval)
goto cleanup;
/* Fast path: Is it in the ccache? */
/* Free tgtptr data if reused from above. */
if (tgtptr == &cc_tgt)
krb5_free_cred_contents(context, tgtptr);
tgtptr = NULL;
/* Free saved TGT in OTGTPTR if it was off-path. */
if (tgtptr_isoffpath)
krb5_free_creds(context, otgtptr);
otgtptr = NULL;
/* Free TGTS if previously filled by do_traversal() */
if (*tgts != NULL) {
for (i = 0; (*tgts)[i] != NULL; i++) {
krb5_free_creds(context, (*tgts)[i]);
}
free(*tgts);
*tgts = NULL;
}
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
&tgtq, &cc_tgt);
if (!retval) {
tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
tgtptr_isoffpath = 0;
retval = do_traversal(context, ccache, client, server,
&cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval)
goto cleanup;
otgtptr = tgtptr;
/*
* Finally have TGT for target realm! Try using it to get creds.
*/
if (!krb5_c_valid_enctype(tgtptr->keyblock.enctype)) {
retval = KRB5_PROG_ETYPE_NOSUPP;
goto cleanup;
}
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
kdcopt,
tgtptr->addresses, in_cred, out_cred);
cleanup:
krb5_free_cred_contents(context, &tgtq);
if (tgtptr == &cc_tgt)
krb5_free_cred_contents(context, tgtptr);
if (tgtptr_isoffpath)
krb5_free_creds(context, otgtptr);
context->use_conf_ktypes = old_use_conf_ktypes;
/* Drop the original principal back into in_cred so that it's cached
in the expected format. */
DUMP_PRINC("gc_from_kdc: final hacked server principal at cleanup",
server);
krb5_free_principal(context, server);
in_cred->server = supplied_server;
in_cred->authdata = supplied_authdata;
if (*out_cred && !retval) {
/* Success: free server, swap supplied server back in. */
krb5_free_principal (context, (*out_cred)->server);
(*out_cred)->server = out_supplied_server;
assert((*out_cred)->authdata == NULL);
(*out_cred)->authdata = out_supplied_authdata;
}
else {
/*
* Failure: free out_supplied_server. Don't free out_cred here
* since it's either null or a referral TGT that we free below,
* and we may need it to return.
*/
krb5_free_principal(context, out_supplied_server);
krb5_free_authdata(context, out_supplied_authdata);
}
DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server);
/*
* Deal with ccache TGT management: If tgts has been set from
* initial non-referral TGT discovery, leave it alone. Otherwise, if
* referral_tgts[0] exists return it as the only entry in tgts.
* (Further referrals are never cached, only the referral from the
* local KDC.) This is part of cleanup because useful received TGTs
* should be cached even if the main request resulted in failure.
*/
if (*tgts == NULL) {
if (referral_tgts[0]) {
#if 0
/*
* This should possibly be a check on the candidate return
* credential against the cache, in the circumstance where we
* don't want to clutter the cache with near-duplicate
* credentials on subsequent iterations. For now, it is
* disabled.
*/
subretval=...?;
if (subretval) {
#endif
/* Allocate returnable TGT list. */
if (!(*tgts=calloc(sizeof (krb5_creds *), 2)))
return ENOMEM;
subretval=krb5_copy_creds(context, referral_tgts[0], &((*tgts)[0]));
if(subretval)
return subretval;
(*tgts)[1]=NULL;
DUMP_PRINC("gc_from_kdc: returning referral TGT for ccache",
(*tgts)[0]->server);
#if 0
}
#endif
}
}
/* Free referral TGTs list. */
for (i=0;i<KRB5_REFERRAL_MAXHOPS;i++) {
if(referral_tgts[i]) {
krb5_free_creds(context, referral_tgts[i]);
}
}
DPRINTF(("gc_from_kdc finishing with %s\n",
retval ? error_message(retval) : "no error"));
return retval;
}
