get_creds.c revision 2
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 * Copyright 1990, 2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 * krb5_get_credentials()
 * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.

 Attempts to use the credentials cache or TGS exchange to get an additional
 client identified by in_creds->client, the server identified by
 in_creds->server, with options options, expiration date specified in
 in_creds->times.endtime (0 means as long as possible), session key type
 specified in in_creds->keyblock.enctype (if non-zero)
 Any returned ticket and intermediate ticket-granting tickets are
 returns errors from encryption routines, system errors

 * Set *mcreds and *fields to a matching credential and field set for
 * use with krb5_cc_retrieve_cred, based on a set of input credentials
 * and options. The fields of *mcreds will be aliased to the fields
 * of in_creds, so the contents of *mcreds should not be freed.

/* Solaris Kerberos: change retval to ret */
/* Solaris Kerberos: our keyblock needs different handling */
/* Solaris Kerberos: our keyblock needs different handling */
/* also match on identical 2nd tkt and tkt encrypted in a
/* Solaris Kerberos: our keyblock needs different handling */
/* Solaris Kerberos set tgts = NULL */

 * See if we already have the ticket cached. To do this usefully
 * for constrained delegation, we would need to look inside
 * second_ticket, which we can't do.

/* Solaris Kerberos: our keyblock needs different handling */

 * Solaris Kerberos: our keyblock needs different handling, at this
 * point mcreds.keyblock isn't needed.

/* Attempt to cache intermediate ticket-granting tickets. */

 * Translate KRB5_CC_NOTFOUND if we previously got
 * KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to
 * handle the case where there is no TGT in the ccache and the
 * input enctype didn't match. This handling is necessary because
 * some callers, such as GSSAPI, iterate through enctypes and
 * KRB5_CC_NOTFOUND passed through from the
 * krb5_get_cred_from_kdc() is semantically incorrect, since the
 * actual failure was the non-existence of a ticket of the correct
 * enctype rather than the missing TGT.

/* This ticket won't work for constrained delegation. */
/* Attempt to cache the returned ticket. */
/* Should never happen */

 * Callers to krb5_get_cred_blah... must free up tgts even in

/* Solaris Kerberos */

/* this is ugly, because so are the data structures involved. I'm
   in the library, so I'm going to manipulate the data structures
   directly, otherwise, it will be worse. */

/* stuff the client realm into the server principal.
   realloc if necessary */

/* ick. copy the struct contents, free the container */