krb5_error_code KRB5_CALLCONV krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata *const*authdata, krb5_authdata ***container) { krb5_error_code code; krb5_data *data; krb5_authdata ad_datum; krb5_authdata *ad_data[2]; *container = NULL; code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data); if (code) return code; ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK; ad_datum.length = data->length; ad_datum.contents = (unsigned char *)data->data; ad_data[0] = &ad_datum; ad_data[1] = NULL; code = krb5_copy_authdata(context, ad_data, container); krb5_free_data(context, data); return code; }
krb5_error_code KRB5_CALLCONV krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred) { krb5_creds *tempcred; krb5_error_code retval; krb5_data *scratch; if (!(tempcred = (krb5_creds *)malloc(sizeof(*tempcred)))) return ENOMEM; *tempcred = *incred; retval = krb5_copy_principal(context, incred->client, &tempcred->client); if (retval) goto cleanlast; retval = krb5_copy_principal(context, incred->server, &tempcred->server); if (retval) goto cleanclient; retval = krb5_copy_keyblock_contents(context, &incred->keyblock, &tempcred->keyblock); if (retval) goto cleanserver; retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses); if (retval) goto cleanblock; retval = krb5_copy_data(context, &incred->ticket, &scratch); if (retval) goto cleanaddrs; tempcred->ticket = *scratch; krb5_xfree(scratch); retval = krb5_copy_data(context, &incred->second_ticket, &scratch); if (retval) goto cleanticket; tempcred->second_ticket = *scratch; krb5_xfree(scratch); retval = krb5_copy_authdata(context, incred->authdata,&tempcred->authdata); if (retval) goto clearticket; *outcred = tempcred; return 0; clearticket: memset(tempcred->ticket.data,0,tempcred->ticket.length); cleanticket: free(tempcred->ticket.data); cleanaddrs: krb5_free_addresses(context, tempcred->addresses); cleanblock: krb5_xfree(tempcred->keyblock.contents); cleanserver: krb5_free_principal(context, tempcred->server); cleanclient: krb5_free_principal(context, tempcred->client); cleanlast: krb5_xfree(tempcred); return retval; }
/* * Copy contents of input credentials structure to supplied * destination, allocating storage for indirect fields as needed. On * success, the output is a deep copy of the input. On error, the * output structure is garbage and its contents should be ignored. */ krb5_error_code k5_copy_creds_contents(krb5_context context, const krb5_creds *incred, krb5_creds *tempcred) { krb5_error_code retval; krb5_data *scratch; *tempcred = *incred; retval = krb5_copy_principal(context, incred->client, &tempcred->client); if (retval) goto cleanlast; retval = krb5_copy_principal(context, incred->server, &tempcred->server); if (retval) goto cleanclient; retval = krb5_copy_keyblock_contents(context, &incred->keyblock, &tempcred->keyblock); if (retval) goto cleanserver; retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses); if (retval) goto cleanblock; retval = krb5_copy_data(context, &incred->ticket, &scratch); if (retval) goto cleanaddrs; tempcred->ticket = *scratch; free(scratch); retval = krb5_copy_data(context, &incred->second_ticket, &scratch); if (retval) goto clearticket; tempcred->second_ticket = *scratch; free(scratch); retval = krb5_copy_authdata(context, incred->authdata,&tempcred->authdata); if (retval) goto clearsecondticket; return 0; clearsecondticket: memset(tempcred->second_ticket.data,0,tempcred->second_ticket.length); free(tempcred->second_ticket.data); clearticket: memset(tempcred->ticket.data,0,tempcred->ticket.length); free(tempcred->ticket.data); cleanaddrs: krb5_free_addresses(context, tempcred->addresses); cleanblock: free(tempcred->keyblock.contents); cleanserver: krb5_free_principal(context, tempcred->server); cleanclient: krb5_free_principal(context, tempcred->client); cleanlast: /* Do not free tempcred - we did not allocate it - its contents are garbage - but we should not free it */ return retval; }
/* * Merge authdata. * * If copy is FALSE, in_authdata is invalid on successful return. * If ignore_kdc_issued is TRUE, KDC-issued authdata is not copied. */ static krb5_error_code merge_authdata (krb5_context context, krb5_authdata **in_authdata, krb5_authdata ***out_authdata, krb5_boolean copy, krb5_boolean ignore_kdc_issued) { size_t i, j, nadata = 0; krb5_authdata **in_copy = NULL, **authdata = *out_authdata; krb5_error_code code; if (in_authdata == NULL || in_authdata[0] == NULL) return 0; if (authdata != NULL) { for (nadata = 0; authdata[nadata] != NULL; nadata++) ; } for (i = 0; in_authdata[i] != NULL; i++) ; if (copy) { code = krb5_copy_authdata(context, in_authdata, &in_copy); if (code != 0) return code; in_authdata = in_copy; } authdata = realloc(authdata, (nadata + i + 1) * sizeof(krb5_authdata *)); if (authdata == NULL) { krb5_free_authdata(context, in_copy); return ENOMEM; } for (i = 0, j = 0; in_authdata[i] != NULL; i++) { if (ignore_kdc_issued && is_kdc_issued_authdatum(context, in_authdata[i], 0)) { free(in_authdata[i]->contents); free(in_authdata[i]); } else authdata[nadata + j++] = in_authdata[i]; } authdata[nadata + j] = NULL; free(in_authdata); if (authdata[0] == NULL) { free(authdata); authdata = NULL; } *out_authdata = authdata; return 0; }
krb5_error_code KRB5_CALLCONV krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_flags options, krb5_tkt_creds_context *pctx) { krb5_error_code code; krb5_tkt_creds_context ctx = NULL; TRACE_TKT_CREDS(context, in_creds, ccache); ctx = k5alloc(sizeof(*ctx), &code); if (ctx == NULL) goto cleanup; ctx->req_options = options; ctx->req_kdcopt = 0; if (options & KRB5_GC_CANONICALIZE) ctx->req_kdcopt |= KDC_OPT_CANONICALIZE; if (options & KRB5_GC_FORWARDABLE) ctx->req_kdcopt |= KDC_OPT_FORWARDABLE; if (options & KRB5_GC_NO_TRANSIT_CHECK) ctx->req_kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK; if (options & KRB5_GC_CONSTRAINED_DELEGATION) { if (options & KRB5_GC_USER_USER) { code = EINVAL; goto cleanup; } ctx->req_kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT; } ctx->state = STATE_BEGIN; ctx->cache_code = KRB5_CC_NOTFOUND; code = krb5_copy_creds(context, in_creds, &ctx->in_creds); if (code != 0) goto cleanup; ctx->client = ctx->in_creds->client; ctx->server = ctx->in_creds->server; code = krb5_copy_principal(context, ctx->server, &ctx->req_server); if (code != 0) goto cleanup; code = krb5_cc_dup(context, ccache, &ctx->ccache); if (code != 0) goto cleanup; code = krb5_copy_authdata(context, in_creds->authdata, &ctx->authdata); if (code != 0) goto cleanup; *pctx = ctx; ctx = NULL; cleanup: krb5_tkt_creds_free(context, ctx); return code; }
krb5_error_code KRB5_CALLCONV krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, krb5_authenticator **authto) { krb5_error_code retval; krb5_authenticator *tempto; if (!(tempto = (krb5_authenticator *)MALLOC(sizeof(*tempto)))) return ENOMEM; #ifdef HAVE_C_STRUCTURE_ASSIGNMENT *tempto = *authfrom; #else (void) memcpy(tempto, authfrom, sizeof(krb5_authenticator)); #endif retval = krb5_copy_principal(context, authfrom->client, &tempto->client); if (retval) { krb5_xfree_wrap(tempto, sizeof(*tempto)); return retval; } if (authfrom->checksum && (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) { krb5_free_principal(context, tempto->client); krb5_xfree_wrap(tempto, sizeof(*tempto)); return retval; } if (authfrom->subkey) { retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey); if (retval) { krb5_xfree_wrap(tempto->subkey, sizeof(krb5_keyblock)); krb5_free_checksum(context, tempto->checksum); krb5_free_principal(context, tempto->client); krb5_xfree_wrap(tempto, sizeof(*tempto)); return retval; } } if (authfrom->authorization_data) { retval = krb5_copy_authdata(context, authfrom->authorization_data, &tempto->authorization_data); if (retval) { krb5_xfree_wrap(tempto->subkey, sizeof(krb5_keyblock)); krb5_free_checksum(context, tempto->checksum); krb5_free_principal(context, tempto->client); krb5_free_authdata(context, tempto->authorization_data); krb5_xfree_wrap(tempto, sizeof(*tempto)); return retval; } } *authto = tempto; return 0; }
krb5_error_code KRB5_CALLCONV krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, krb5_authenticator **authto) { krb5_error_code retval; krb5_authenticator *tempto; if (!(tempto = (krb5_authenticator *)malloc(sizeof(*tempto)))) return ENOMEM; *tempto = *authfrom; retval = krb5_copy_principal(context, authfrom->client, &tempto->client); if (retval) { free(tempto); return retval; } if (authfrom->checksum && (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) { krb5_free_principal(context, tempto->client); free(tempto); return retval; } if (authfrom->subkey) { retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey); if (retval) { free(tempto->subkey); krb5_free_checksum(context, tempto->checksum); krb5_free_principal(context, tempto->client); free(tempto); return retval; } } if (authfrom->authorization_data) { retval = krb5_copy_authdata(context, authfrom->authorization_data, &tempto->authorization_data); if (retval) { free(tempto->subkey); krb5_free_checksum(context, tempto->checksum); krb5_free_principal(context, tempto->client); krb5_free_authdata(context, tempto->authorization_data); free(tempto); return retval; } } *authto = tempto; return 0; }
/* Advance the referral request loop. */ static krb5_error_code step_referrals(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; const krb5_data *referral_realm; /* Possibly retry with the fallback realm on error. */ if (ctx->reply_code != 0) return try_fallback_realm(context, ctx); if (krb5_principal_compare(context, ctx->reply_creds->server, ctx->server)) { /* We got the ticket we asked for... but we didn't necessarily ask for * it with the right enctypes. Try a non-referral request if so. */ if (wrong_enctype(context, ctx->reply_creds->keyblock.enctype)) { TRACE_TKT_CREDS_WRONG_ENCTYPE(context); return begin_non_referral(context, ctx); } return complete(context, ctx); } /* Old versions of Active Directory can rewrite the server name instead of * returning a referral. Try a non-referral query if we see this. */ if (!IS_TGS_PRINC(context, ctx->reply_creds->server)) { TRACE_TKT_CREDS_NON_TGT(context, ctx->reply_creds->server); return begin_non_referral(context, ctx); } if (ctx->referral_count == 1) { /* Cache the referral TGT only if it's from the local realm. * Make sure to note the associated authdata, if any. */ code = krb5_copy_authdata(context, ctx->authdata, &ctx->reply_creds->authdata); if (code != 0) return code; (void) krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds); /* The authdata in this TGT will be copied into subsequent TGTs or the * final credentials, so we don't need to request it again. */ krb5_free_authdata(context, ctx->in_creds->authdata); ctx->in_creds->authdata = NULL; } /* Give up if we've gotten too many referral TGTs. */ if (ctx->referral_count++ >= KRB5_REFERRAL_MAXHOPS) return KRB5_KDC_UNREACH; /* Check for referral loops. */ referral_realm = &ctx->reply_creds->server->data[1]; if (seen_realm_before(context, ctx, referral_realm)) return KRB5_KDC_UNREACH; code = remember_realm(context, ctx, referral_realm); if (code != 0) return code; /* Use the referral TGT for the next request. */ krb5_free_creds(context, ctx->cur_tgt); ctx->cur_tgt = ctx->reply_creds; ctx->reply_creds = NULL; TRACE_TKT_CREDS_REFERRAL(context, ctx->cur_tgt->server); /* Rewrite the server realm to be the referral realm. */ krb5_free_data_contents(context, &ctx->server->realm); code = krb5int_copy_data_contents(context, referral_realm, &ctx->server->realm); if (code != 0) return code; /* Generate the next referral request. */ return make_request_for_service(context, ctx, TRUE); }
krb5_error_code krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, krb5_creds **out_cred, krb5_creds ***tgts, int kdcopt) { krb5_error_code retval, subretval; krb5_principal client, server, supplied_server, out_supplied_server; krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS]; krb5_creds *otgtptr = NULL; int tgtptr_isoffpath = 0; krb5_boolean old_use_conf_ktypes; char **hrealms; unsigned int referral_count, i; krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL; /* * Set up client and server pointers. Make a fresh and modifyable * copy of the in_cred server and save the supplied version. */ client = in_cred->client; if ((retval=krb5_copy_principal(context, in_cred->server, &server))) return retval; /* We need a second copy for the output creds. */ if ((retval = krb5_copy_principal(context, server, &out_supplied_server)) != 0 ) { krb5_free_principal(context, server); return retval; } if (in_cred->authdata != NULL) { if ((retval = krb5_copy_authdata(context, in_cred->authdata, &out_supplied_authdata)) != 0) { krb5_free_principal(context, out_supplied_server); krb5_free_principal(context, server); return retval; } } supplied_server = in_cred->server; in_cred->server=server; supplied_authdata = in_cred->authdata; DUMP_PRINC("gc_from_kdc initial client", client); DUMP_PRINC("gc_from_kdc initial server", server); memset(&cc_tgt, 0, sizeof(cc_tgt)); memset(&tgtq, 0, sizeof(tgtq)); memset(&referral_tgts, 0, sizeof(referral_tgts)); tgtptr = NULL; *tgts = NULL; *out_cred=NULL; old_use_conf_ktypes = context->use_conf_ktypes; /* Copy client realm to server if no hint. */ if (krb5_is_referral_realm(&server->realm)) { /* Use the client realm. */ DPRINTF(("gc_from_kdc: no server realm supplied, " "using client realm.\n")); krb5_free_data_contents(context, &server->realm); if (!( server->realm.data = (char *)malloc(client->realm.length+1))) return ENOMEM; memcpy(server->realm.data, client->realm.data, client->realm.length); server->realm.length = client->realm.length; server->realm.data[server->realm.length] = 0; } /* * Retreive initial TGT to match the specified server, either for the * local realm in the default (referral) case or for the remote * realm if we're starting someplace non-local. */ retval = tgt_mcred(context, client, server, client, &tgtq); if (retval) goto cleanup; /* Fast path: Is it in the ccache? */ context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS, &tgtq, &cc_tgt); if (!retval) { tgtptr = &cc_tgt; } else if (!HARD_CC_ERR(retval)) { DPRINTF(("gc_from_kdc: starting do_traversal to find " "initial TGT for referral\n")); tgtptr_isoffpath = 0; otgtptr = NULL; retval = do_traversal(context, ccache, client, server, &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); } if (retval) { DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n")); goto cleanup; } DUMP_PRINC("gc_from_kdc: server as requested", supplied_server); if (in_cred->second_ticket.length != 0 && (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) { kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY; } /* * Try requesting a service ticket from our local KDC with referrals * turned on. If the first referral succeeds, follow a referral-only * path, otherwise fall back to old-style assumptions. */ /* * Save TGTPTR because we rewrite it in the referral loop, and * we might need to explicitly free it later. */ otgtptr = tgtptr; for (referral_count = 0; referral_count < KRB5_REFERRAL_MAXHOPS; referral_count++) { #if 0 DUMP_PRINC("gc_from_kdc: referral loop: tgt in use", tgtptr->server); DUMP_PRINC("gc_from_kdc: referral loop: request is for", server); #endif retval = krb5_get_cred_via_tkt(context, tgtptr, KDC_OPT_CANONICALIZE | FLAGS2OPTS(tgtptr->ticket_flags) | kdcopt, tgtptr->addresses, in_cred, out_cred); if (retval) { DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n", error_message(retval))); /* If we haven't gone anywhere yet, fail through to the non-referral case. */ if (referral_count==0) { DPRINTF(("gc_from_kdc: initial referral failed; " "punting to fallback.\n")); break; } /* Otherwise, try the same query without canonicalization set, and fail hard if that doesn't work. */ DPRINTF(("gc_from_kdc: referral #%d failed; " "retrying without option.\n", referral_count + 1)); retval = krb5_get_cred_via_tkt(context, tgtptr, FLAGS2OPTS(tgtptr->ticket_flags) | kdcopt, tgtptr->addresses, in_cred, out_cred); /* Whether or not that succeeded, we're done. */ goto cleanup; } /* Referral request succeeded; let's see what it is. */ if (krb5_principal_compare(context, in_cred->server, (*out_cred)->server)) { DPRINTF(("gc_from_kdc: request generated ticket " "for requested server principal\n")); DUMP_PRINC("gc_from_kdc final referred reply", in_cred->server); /* * Check if the return enctype is one that we requested if * needed. */ if (old_use_conf_ktypes || context->tgs_ktype_count == 0) goto cleanup; for (i = 0; i < context->tgs_ktype_count; i++) { if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) { /* Found an allowable etype, so we're done */ goto cleanup; } } /* * We need to try again, but this time use the * tgs_ktypes in the context. At this point we should * have all the tgts to succeed. */ /* Free "wrong" credential */ krb5_free_creds(context, *out_cred); *out_cred = NULL; /* Re-establish tgs etypes */ context->use_conf_ktypes = old_use_conf_ktypes; retval = krb5_get_cred_via_tkt(context, tgtptr, KDC_OPT_CANONICALIZE | FLAGS2OPTS(tgtptr->ticket_flags) | kdcopt, tgtptr->addresses, in_cred, out_cred); goto cleanup; } else if (IS_TGS_PRINC(context, (*out_cred)->server)) { krb5_data *r1, *r2; DPRINTF(("gc_from_kdc: request generated referral tgt\n")); DUMP_PRINC("gc_from_kdc credential received", (*out_cred)->server); if (referral_count == 0) r1 = &tgtptr->server->data[1]; else r1 = &referral_tgts[referral_count-1]->server->data[1]; r2 = &(*out_cred)->server->data[1]; if (data_eq(*r1, *r2)) { DPRINTF(("gc_from_kdc: referred back to " "previous realm; fall back\n")); krb5_free_creds(context, *out_cred); *out_cred = NULL; break; } /* Check for referral routing loop. */ for (i=0;i<referral_count;i++) { #if 0 DUMP_PRINC("gc_from_kdc: loop compare #1", (*out_cred)->server); DUMP_PRINC("gc_from_kdc: loop compare #2", referral_tgts[i]->server); #endif if (krb5_principal_compare(context, (*out_cred)->server, referral_tgts[i]->server)) { DFPRINTF((stderr, "krb5_get_cred_from_kdc_opt: " "referral routing loop - " "got referral back to hop #%d\n", i)); retval=KRB5_KDC_UNREACH; goto cleanup; } } /* Point current tgt pointer at newly-received TGT. */ if (tgtptr == &cc_tgt) krb5_free_cred_contents(context, tgtptr); tgtptr=*out_cred; /* Save requested auth data with TGT in case it ends up stored */ if (supplied_authdata != NULL) { /* Ensure we note TGT contains authorization data */ retval = krb5_copy_authdata(context, supplied_authdata, &(*out_cred)->authdata); if (retval) goto cleanup; } /* Save pointer to tgt in referral_tgts. */ referral_tgts[referral_count]=*out_cred; *out_cred = NULL; /* Copy krbtgt realm to server principal. */ krb5_free_data_contents(context, &server->realm); retval = krb5int_copy_data_contents(context, &tgtptr->server->data[1], &server->realm); if (retval) return retval; /* Don't ask for KDC to add auth data multiple times */ in_cred->authdata = NULL; /* * Future work: rewrite server principal per any * supplied padata. */ } else { /* Not a TGT; punt to fallback. */ krb5_free_creds(context, *out_cred); *out_cred = NULL; break; } } DUMP_PRINC("gc_from_kdc client at fallback", client); DUMP_PRINC("gc_from_kdc server at fallback", server); /* * At this point referrals have been tried and have failed. Go * back to the server principal as originally issued and try the * conventional path. */ /* * Referrals have failed. Look up fallback realm if not * originally provided. */ if (krb5_is_referral_realm(&supplied_server->realm)) { if (server->length >= 2) { retval=krb5_get_fallback_host_realm(context, &server->data[1], &hrealms); if (retval) goto cleanup; #if 0 DPRINTF(("gc_from_kdc: using fallback realm of %s\n", hrealms[0])); #endif krb5_free_data_contents(context,&in_cred->server->realm); server->realm.data=hrealms[0]; server->realm.length=strlen(hrealms[0]); free(hrealms); } else { /* * Problem case: Realm tagged for referral but apparently not * in a <type>/<host> format that * krb5_get_fallback_host_realm can deal with. */ DPRINTF(("gc_from_kdc: referral specified " "but no fallback realm avaiable!\n")); return KRB5_ERR_HOST_REALM_UNKNOWN; } } DUMP_PRINC("gc_from_kdc server at fallback after fallback rewrite", server); /* * Get a TGT for the target realm. */ krb5_free_cred_contents(context, &tgtq); retval = tgt_mcred(context, client, server, client, &tgtq); if (retval) goto cleanup; /* Fast path: Is it in the ccache? */ /* Free tgtptr data if reused from above. */ if (tgtptr == &cc_tgt) krb5_free_cred_contents(context, tgtptr); tgtptr = NULL; /* Free saved TGT in OTGTPTR if it was off-path. */ if (tgtptr_isoffpath) krb5_free_creds(context, otgtptr); otgtptr = NULL; /* Free TGTS if previously filled by do_traversal() */ if (*tgts != NULL) { for (i = 0; (*tgts)[i] != NULL; i++) { krb5_free_creds(context, (*tgts)[i]); } free(*tgts); *tgts = NULL; } context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS, &tgtq, &cc_tgt); if (!retval) { tgtptr = &cc_tgt; } else if (!HARD_CC_ERR(retval)) { tgtptr_isoffpath = 0; retval = do_traversal(context, ccache, client, server, &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); } if (retval) goto cleanup; otgtptr = tgtptr; /* * Finally have TGT for target realm! Try using it to get creds. */ if (!krb5_c_valid_enctype(tgtptr->keyblock.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } context->use_conf_ktypes = old_use_conf_ktypes; retval = krb5_get_cred_via_tkt(context, tgtptr, FLAGS2OPTS(tgtptr->ticket_flags) | kdcopt, tgtptr->addresses, in_cred, out_cred); cleanup: krb5_free_cred_contents(context, &tgtq); if (tgtptr == &cc_tgt) krb5_free_cred_contents(context, tgtptr); if (tgtptr_isoffpath) krb5_free_creds(context, otgtptr); context->use_conf_ktypes = old_use_conf_ktypes; /* Drop the original principal back into in_cred so that it's cached in the expected format. */ DUMP_PRINC("gc_from_kdc: final hacked server principal at cleanup", server); krb5_free_principal(context, server); in_cred->server = supplied_server; in_cred->authdata = supplied_authdata; if (*out_cred && !retval) { /* Success: free server, swap supplied server back in. */ krb5_free_principal (context, (*out_cred)->server); (*out_cred)->server = out_supplied_server; assert((*out_cred)->authdata == NULL); (*out_cred)->authdata = out_supplied_authdata; } else { /* * Failure: free out_supplied_server. Don't free out_cred here * since it's either null or a referral TGT that we free below, * and we may need it to return. */ krb5_free_principal(context, out_supplied_server); krb5_free_authdata(context, out_supplied_authdata); } DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server); /* * Deal with ccache TGT management: If tgts has been set from * initial non-referral TGT discovery, leave it alone. Otherwise, if * referral_tgts[0] exists return it as the only entry in tgts. * (Further referrals are never cached, only the referral from the * local KDC.) This is part of cleanup because useful received TGTs * should be cached even if the main request resulted in failure. */ if (*tgts == NULL) { if (referral_tgts[0]) { #if 0 /* * This should possibly be a check on the candidate return * credential against the cache, in the circumstance where we * don't want to clutter the cache with near-duplicate * credentials on subsequent iterations. For now, it is * disabled. */ subretval=...?; if (subretval) { #endif /* Allocate returnable TGT list. */ if (!(*tgts=calloc(sizeof (krb5_creds *), 2))) return ENOMEM; subretval=krb5_copy_creds(context, referral_tgts[0], &((*tgts)[0])); if(subretval) return subretval; (*tgts)[1]=NULL; DUMP_PRINC("gc_from_kdc: returning referral TGT for ccache", (*tgts)[0]->server); #if 0 } #endif } } /* Free referral TGTs list. */ for (i=0;i<KRB5_REFERRAL_MAXHOPS;i++) { if(referral_tgts[i]) { krb5_free_creds(context, referral_tgts[i]); } } DPRINTF(("gc_from_kdc finishing with %s\n", retval ? error_message(retval) : "no error")); return retval; }