/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* Copyright 1990, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* krb5_get_credentials()
*/
/*
*/
/*
Attempts to use the credentials cache or a TGS exchange to get an additional
ticket for the client identified by in_creds->client and the server
identified by in_creds->server, with the options given in options, the
expiration date specified in in_creds->times.endtime (0 means as long as
possible), and the session key type specified in
in_creds->keyblock.enctype (if non-zero).

Any returned ticket and intermediate ticket-granting tickets are
stored in ccache.

Returns errors from encryption routines and system errors.
*/
#include "k5-int.h"
#include "int-proto.h"
/*
* Set *mcreds and *fields to a matching credential and field set for
* use with krb5_cc_retrieve_cred, based on a set of input credentials
* and options. The fields of *mcreds will be aliased to the fields
* of in_creds, so the contents of *mcreds should not be freed.
*/
{
/*
 * NOTE(review): the signature and a number of statements of this function
 * are not present in this listing, so the comments below describe only
 * the lines that are visible.
 */
/* Reject the request with EINVAL; the condition tested is not visible here. */
return EINVAL;
} else {
/* Solaris Kerberos: change retval to ret */
}
/* Solaris Kerberos: our keyblock needs different handling */
/* A non-zero ret from the preceding (not visible) step is returned as is. */
if (ret != 0)
return (ret);
int i;
/*
 * ktypes is walked as a zero-terminated list: the loop condition stops at
 * the first zero entry, and ktypes[i] == 0 afterwards means the walk
 * reached the terminator.  Presumably the list holds the permitted
 * enctypes and the walk looks for the requested one -- TODO confirm
 * against the full source.
 */
for (i = 0; ktypes[i]; i++)
break;
if (ktypes[i] == 0)
if (ret) {
/* Solaris Kerberos: our keyblock needs different handling */
return ret;
}
}
/* also match on identical 2nd tkt and tkt encrypted in a
session key */
if (options & KRB5_GC_USER_USER) {
}
/* Solaris Kerberos: our keyblock needs different handling */
/*
 * KRB5_NO_2ND_TKT is returned from inside the second-ticket handling;
 * presumably when the caller supplied no second ticket -- the test itself
 * is not visible here, TODO confirm.
 */
return KRB5_NO_2ND_TKT;
}
}
/* Success. */
return 0;
}
{
/*
 * NOTE(review): the signature, the local declarations other than kdcopt and
 * many of the calls in this function are not present in this listing.  The
 * comments below describe only what the visible lines establish.
 */
/* Solaris Kerberos set tgts = NULL */
int kdcopt = 0;
/*
* See if we already have the ticket cached. To do this usefully
* for constrained delegation, we would need to look inside
* second_ticket, which we can't do.
*/
if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
/* A failure from the preceding (not visible) step ends the lookup early. */
if (retval)
return retval;
/* A NULL ncreds is reported as ENOMEM; its allocation is not visible here. */
if (!ncreds) {
/* Solaris Kerberos: our keyblock needs different handling */
return ENOMEM;
}
ncreds);
/*
* Solaris Kerberos: our keyblock needs different handling, at this
* point mcreds.keyblock isn't needed.
*/
/* retval == 0 returns at once, before any of the option handling below. */
if (retval == 0) {
return 0;
}
/*
 * With KRB5_GC_CACHED set the lookup error is returned as is; the first
 * half of this condition is not visible here.
 */
|| options & KRB5_GC_CACHED)
return retval;
/*
 * Constrained delegation skipped the cache lookup above, so a cache-only
 * request has nothing to return.
 */
} else if (options & KRB5_GC_CACHED)
return KRB5_CC_NOTFOUND;
/*
 * The three option tests below have lost their bodies in this listing;
 * presumably each one sets a bit in kdcopt -- TODO confirm.
 */
if (options & KRB5_GC_CANONICALIZE)
if (options & KRB5_GC_FORWARDABLE)
if (options & KRB5_GC_NO_TRANSIT_CHECK)
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
/* A request combining constrained delegation with user-to-user is rejected. */
if (options & KRB5_GC_USER_USER)
return EINVAL;
}
if (tgts) {
/* Attempt to cache intermediate ticket-granting tickets. */
}
/*
* Translate KRB5_CC_NOTFOUND if we previously got
* KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to
* handle the case where there is no TGT in the ccache and the
* input enctype didn't match. This handling is necessary because
* some callers, such as GSSAPI, iterate through enctypes and
* KRB5_CC_NOTFOUND passed through from the
* krb5_get_cred_from_kdc() is semantically incorrect, since the
* actual failure was the non-existence of a ticket of the correct
* enctype rather than the missing TGT.
*/
&& not_ktype)
return KRB5_CC_NOT_KTYPE;
else if (retval)
return retval;
/* This ticket won't work for constrained delegation. */
/*
 * NOTE(review): the test guarding this return is not visible; presumably it
 * inspects the flags of the ticket that was just obtained -- confirm.
 */
return KRB5_TKT_NOT_FORWARDABLE;
}
/* Attempt to cache the returned ticket. */
/*
 * KRB5_GC_NO_STORE suppresses that caching step; the store call guarded by
 * this test is not visible in this listing.
 */
if (!(options & KRB5_GC_NO_STORE))
return 0;
}
/*
 * File-local helper that dispatches on `which` between the INT_GC_VALIDATE
 * and INT_GC_RENEW cases and returns retval.
 *
 * NOTE(review): the function name, parameter list and the statements inside
 * each case are not present in this listing.
 */
static krb5_error_code
{
switch(which) {
case INT_GC_VALIDATE:
break;
case INT_GC_RENEW:
break;
default:
/* Should never happen */
/*
 * NOTE(review): 255 is a bare literal rather than a named error code, so
 * an unexpected `which` reaches the caller as an opaque non-zero failure.
 */
retval = 255;
break;
}
/*
* Callers to krb5_get_cred_blah... must free up tgts even in
* error cases.
*/
/* Solaris Kerberos */
/* Both paths return retval; the cleanup done on the error path is not visible here. */
if (retval) {
return retval;
}
return retval;
}
/*
 * NOTE(review): these are the remains of two function bodies whose
 * signatures and calls are missing from this listing.  Presumably both are
 * thin wrappers around the dispatching helper above -- TODO confirm.
 */
{
}
{
/* Tail of a call whose last argument is the INT_GC_RENEW selector. */
INT_GC_RENEW));
}
/*
 * File-local helper shared by the validate and renew wrappers below it in
 * this file.  `in_tkt_service` selects how the server principal is
 * obtained and `validate` selects between the two operations; all error
 * paths visible here leave through the cleanup label and the function
 * returns ret.
 *
 * NOTE(review): the function name, the leading parameters and most of the
 * statements are not present in this listing.
 */
static krb5_error_code
char *in_tkt_service, int validate)
{
/* A caller-supplied service name takes the manual construction path. */
if (in_tkt_service) {
/* this is ugly, because so are the data structures involved. I'm
in the library, so I'm going to manipulate the data structures
directly, otherwise, it will be worse. */
goto cleanup;
/* stuff the client realm into the server principal.
realloc if necessary */
/*
 * NOTE(review): presumably this goto covers a failed reallocation; when
 * checking the full source, confirm that the realm's length and data
 * pointer are only updated together and only after the allocation
 * succeeded.
 */
goto cleanup;
}
} else {
/* No service name given: the failing call whose tail is visible here also exits via cleanup. */
0)))
goto cleanup;
}
/* `validate` picks one of two calls; both calls are missing from this listing. */
if (validate)
else
/* ick. copy the struct contents, free the container */
if (out_creds) {
}
/* tgts is released when set; the freeing call is not visible here. */
if (tgts)
return(ret);
}
/*
 * Wrapper taking a context, a credentials structure, a client principal, a
 * credentials cache and a service name.  Only the tail of the forwarded
 * call is visible: it passes in_tkt_service through unchanged, followed by
 * the constant 1.  Presumably 1 is the `validate` flag of the static helper
 * whose parameter list ends in `char *in_tkt_service, int validate` --
 * TODO confirm against the full source.
 */
krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service)
{
in_tkt_service, 1));
}
/*
 * Wrapper taking a context, a credentials structure, a client principal, a
 * credentials cache and a service name.  Only the tail of the forwarded
 * call is visible: it passes in_tkt_service through unchanged, followed by
 * the constant 0.  Presumably 0 clears the `validate` flag of the static
 * helper whose parameter list ends in `char *in_tkt_service, int validate`,
 * selecting renewal -- TODO confirm against the full source.
 */
krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service)
{
in_tkt_service, 0));
}