/* * next_closest_tgt() * * Using CUR_TGT, attempt to get the cross-realm TGT having its remote * realm closest to the target principal's. Update NXT_TGT, NXT_KDC * accordingly. */ static krb5_error_code next_closest_tgt(struct tr_state *ts, krb5_principal client) { krb5_error_code retval; krb5_creds tgtq; retval = 0; memset(&tgtq, 0, sizeof(tgtq)); for (ts->nxt_kdc = ts->lst_kdc; ts->nxt_kdc > ts->cur_kdc; ts->nxt_kdc--) { krb5_free_cred_contents(ts->ctx, &tgtq); retval = kdc_mcred(ts, client, &tgtq); if (retval) goto cleanup; /* Don't waste time retrying ccache for direct path. */ if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) { retval = try_ccache(ts, &tgtq); if (!retval) break; if (HARD_CC_ERR(retval)) goto cleanup; } /* Not in the ccache, so talk to a KDC. */ retval = try_kdc(ts, &tgtq); if (!retval) { break; } /* * Because try_kdc() validates referral TGTs, it can return an * error indicating a bogus referral. The loop continues when * it gets a bogus referral, which is arguably the right * thing. (Previous implementation unconditionally failed.) */ } /* * If we have a non-zero retval, we either have a hard error or we * failed to find a closer TGT. */ cleanup: krb5_free_cred_contents(ts->ctx, &tgtq); return retval; }
/* * next_closest_tgt() * * Using CUR_TGT, attempt to get the cross-realm TGT having its remote * realm closest to the target principal's. Update NXT_TGT, NXT_KDC * accordingly. */ static krb5_error_code next_closest_tgt(struct tr_state *ts, krb5_principal client) { krb5_error_code retval; krb5_creds tgtq; retval = 0; memset(&tgtq, 0, sizeof(tgtq)); for (ts->nxt_kdc = ts->lst_kdc; ts->nxt_kdc > ts->cur_kdc; ts->nxt_kdc--) { krb5_free_cred_contents(ts->ctx, &tgtq); retval = kdc_mcred(ts, client, &tgtq); if (retval) goto cleanup; /* Don't waste time retrying ccache for direct path. */ if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) { retval = try_ccache(ts, &tgtq); if (!retval) break; if (HARD_CC_ERR(retval)) goto cleanup; } /* Not in the ccache, so talk to a KDC. */ retval = try_kdc(ts, &tgtq); if (!retval) { break; } /* * In case of errors in try_kdc() or find_nxt_kdc(), continue * looping through the KDC list. */ } /* * If we have a non-zero retval, we either have a hard error or we * failed to find a closer TGT. */ cleanup: krb5_free_cred_contents(ts->ctx, &tgtq); return retval; }