/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include "k5-int.h"
#include "int-proto.h"
/* Solaris Kerberos */
extern krb5_error_code krb5_libdefault_boolean();
static krb5_error_code
krb5_cc_copy_creds_except(krb5_context context, krb5_ccache incc, krb5_ccache outcc, krb5_principal princ)
{
flags = 0; /* turns off OPENCLOSE mode */
/* Solaris Kerberos */
return(code);
/* Solaris Kerberos */
return(code);
/* Solaris Kerberos */
goto cleanup;
/* Solaris Kerberos */
continue;
if (code)
goto cleanup;
}
if (code != KRB5_CC_END)
goto cleanup;
code = 0;
/* Solaris Kerberos */
if (code)
else
/* Solaris Kerberos */
if (code)
else
return(code);
}
{
/* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */
/* Solaris Kerberos */
if (server_arg)
server = server_arg;
goto cleanup;
/* first, check if the server is in the keytab. If not, there's
no reason to continue. rd_req does all this, but there's
no way to know that a given error is caused by a missing
keytab or key, and not by some other problem. */
if (keytab_arg) {
keytab = keytab_arg;
} else {
/* Solaris Kerberos: ignore errors here, deal with below */
}
/*
* Solaris Kerberos:
* Warning: be very, very careful when modifying the logic here
*/
/* this means there is no keying material. This is ok, as long as
it is not prohibited by the configuration */
/* Solaris Kerberos */
if (options &&
/* first, if options are set then use the option value to set nofail */
} else {
/*
* Solaris Kerberos:
* Check verify_ap_req_nofail if set in config file. Note this logic
* assumes that krb5_libdefault_boolean will not set nofail to a
* default value if verify_ap_req_nofail is not explictly set in
* config file. Don't care about the return code.
*/
"verify_ap_req_nofail",
&nofail);
}
/* Solaris Kerberos: exit without an error ONLY if nofail is false */
if (!nofail)
ret = 0;
goto cleanup;
}
/* If the creds are for the server principal, we're set, just do
a mk_req. Otherwise, do a get_credentials first. */
/* make an ap_req */
&ap_req)))
goto cleanup;
} else {
/* this is unclean, but it's the easiest way without ripping the
library into very small pieces. store the client's initial cred
in a memory ccache, then call the library. Later, we'll copy
everything except the initial cred into the ccache we return to
the user. A clean implementation would involve library
internals with a coherent idea of "in" and "out". */
/* insert the initial cred into the ccache */
goto cleanup;
/* Solaris Kerberos */
goto cleanup;
/* Solaris Kerberos */
goto cleanup;
/* set up for get_creds */
goto cleanup;
&out_creds)))
goto cleanup;
/* make an ap_req */
&ap_req)))
goto cleanup;
}
/* wipe the auth context for mk_req */
if (authcon) {
}
/* verify the ap_req */
goto cleanup;
/* if we get this far, then the verification succeeded. We can
still fail if the library stuff here fails, but that's it */
if (ccache_arg && ccache) {
if (*ccache_arg == NULL) {
/* Solaris Kerberos */
/* Solaris Kerberos */
if (retcc)
} else {
*ccache_arg = retcc;
}
} else {
server);
}
}
/* if any of the above paths returned an errors, then ret is set
accordingly. either that, or it's zero, which is fine, too */
if (!server_arg && server)
/* Solaris Kerberos */
if (!keytab_arg && keytab)
/* Solaris Kerberos */
if (ccache)
if (out_creds)
if (authcon)
return(ret);
}