示例#1
0
/*
 * next_closest_tgt()
 *
 * Using CUR_TGT, attempt to get the cross-realm TGT having its remote
 * realm closest to the target principal's.  Update NXT_TGT, NXT_KDC
 * accordingly.
 */
static krb5_error_code
next_closest_tgt(struct tr_state *ts, krb5_principal client)
{
    krb5_error_code retval;
    krb5_creds tgtq;

    retval = 0;
    memset(&tgtq, 0, sizeof(tgtq));

    for (ts->nxt_kdc = ts->lst_kdc;
	 ts->nxt_kdc > ts->cur_kdc;
	 ts->nxt_kdc--) {

	krb5_free_cred_contents(ts->ctx, &tgtq);
	retval = kdc_mcred(ts, client, &tgtq);
	if (retval)
	    goto cleanup;
	/* Don't waste time retrying ccache for direct path. */
	if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) {
	    retval = try_ccache(ts, &tgtq);
	    if (!retval)
		break;
	    if (HARD_CC_ERR(retval))
		goto cleanup;
	}
	/* Not in the ccache, so talk to a KDC. */
	retval = try_kdc(ts, &tgtq);
	if (!retval) {
	    break;
	}
	/*
	 * Because try_kdc() validates referral TGTs, it can return an
	 * error indicating a bogus referral.  The loop continues when
	 * it gets a bogus referral, which is arguably the right
	 * thing.  (Previous implementation unconditionally failed.)
	 */
    }
    /*
     * If we have a non-zero retval, we either have a hard error or we
     * failed to find a closer TGT.
     */
cleanup:
    krb5_free_cred_contents(ts->ctx, &tgtq);
    return retval;
}
示例#2
0
/*
 * next_closest_tgt()
 *
 * Using CUR_TGT, attempt to get the cross-realm TGT having its remote
 * realm closest to the target principal's.  Update NXT_TGT, NXT_KDC
 * accordingly.
 */
static krb5_error_code
next_closest_tgt(struct tr_state *ts, krb5_principal client)
{
    krb5_error_code retval;
    krb5_creds tgtq;

    retval = 0;
    memset(&tgtq, 0, sizeof(tgtq));

    for (ts->nxt_kdc = ts->lst_kdc;
	 ts->nxt_kdc > ts->cur_kdc;
	 ts->nxt_kdc--) {

	krb5_free_cred_contents(ts->ctx, &tgtq);
	retval = kdc_mcred(ts, client, &tgtq);
	if (retval)
	    goto cleanup;
	/* Don't waste time retrying ccache for direct path. */
	if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) {
	    retval = try_ccache(ts, &tgtq);
	    if (!retval)
		break;
	    if (HARD_CC_ERR(retval))
		goto cleanup;
	}
	/* Not in the ccache, so talk to a KDC. */
	retval = try_kdc(ts, &tgtq);
	if (!retval) {
	    break;
	}
	/*
	 * In case of errors in try_kdc() or find_nxt_kdc(), continue
	 * looping through the KDC list.
	 */
    }
    /*
     * If we have a non-zero retval, we either have a hard error or we
     * failed to find a closer TGT.
     */
cleanup:
    krb5_free_cred_contents(ts->ctx, &tgtq);
    return retval;
}