/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 */

/* Return true if configuration demands that a keytab be present.  (By default
 * verification will be skipped if no keytab exists.) */

    /*
     * Solaris Kerberos: We differ in that verification will not be skipped if
     * there is no keytab unless verify_ap_req_nofail is explicitly set to false.
     */

    /* Solaris Kerberos: we default to TRUE unlike MIT */

    flags = 0; /* turns off OPENCLOSE mode */

    /* If the creds are for the server principal, we're set, just do a mk_req.
     * Otherwise, do a get_credentials first.
     */

    /* make an ap_req */

    /*
     * Solaris Kerberos: being careful not to allow an attack where the
     * default realm is coming from DNS.  If this is the case then the
     * client princ realm must be the same as the server princ's realm used
     * to verify the client's TGT.  Note that this attack can be thwarted
     * when the default realm is explicitly configured.
     */

    /*
     * If here then the default realm is not explicitly configured on
     * the system.  Need to verify the client's realm is the same as
     */

    /* Indicate a default realm needs to be configured */

    /* this is unclean, but it's the easiest way without ripping the
       library into very small pieces.  store the client's initial cred
       in a memory ccache, then call the library.  Later, we'll copy
       everything except the initial cred into the ccache we return to
       the user.  A clean implementation would involve library
       internals with a coherent idea of "in" and "out". */

    /* insert the initial cred into the ccache */

    /* set up for get_creds */

    /* make an ap_req */

    /* wipe the auth context for mk_req */

    /* verify the ap_req */

    /* if we get this far, then the verification succeeded.  We can
       still fail if the library stuff here fails, but that's it */

    /* if any of the above paths returned an error, then ret is set accordingly.
     * Either that, or it's zero, which is fine, too
     */

/* Free the principals in plist and plist itself. */

/* Add princ to plist if it isn't already there. */

    /* Check if princ is already in plist, and count the elements. */

/* Return a list of all unique host service princs in keytab. */

    /* Check if server exists in keytab first. */

    /* Try using the host service principals from the keytab.
     */

    /* Try all host principals until one succeeds or they all fail. */

    /* If we have no key to verify with, pretend to succeed unless
     * configuration directs otherwise. */