2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 #include "k5-int.h"
7 #include "int-proto.h"
8
9 /* Solaris Kerberos */
10 extern krb5_error_code krb5_libdefault_boolean();
11
12 static krb5_error_code
13 krb5_cc_copy_creds_except(krb5_context context, krb5_ccache incc, krb5_ccache outcc, krb5_principal princ)
14 {
15 krb5_error_code code;
16 krb5_flags flags;
17 krb5_cc_cursor cur;
18 krb5_creds creds;
19
20 flags = 0; /* turns off OPENCLOSE mode */
21 /* Solaris Kerberos */
22 if ((code = krb5_cc_set_flags(context, incc, flags)) != NULL)
23 return(code);
24 /* Solaris Kerberos */
25 if ((code = krb5_cc_set_flags(context, outcc, flags)) != NULL)
26 return(code);
27
28 /* Solaris Kerberos */
29 if ((code = krb5_cc_start_seq_get(context, incc, &cur)) != NULL)
30 goto cleanup;
31
32 /* Solaris Kerberos */
33 while ((code = krb5_cc_next_cred(context, incc, &cur, &creds)) == NULL) {
34 if (krb5_principal_compare(context, princ, creds.server))
35 continue;
36
37 code = krb5_cc_store_cred(context, outcc, &creds);
38 krb5_free_cred_contents(context, &creds);
39 if (code)
40 goto cleanup;
41 }
42
43 if (code != KRB5_CC_END)
44 goto cleanup;
45
46 code = 0;
47
48 cleanup:
49 flags = KRB5_TC_OPENCLOSE;
50
51 /* Solaris Kerberos */
52 if (code)
53 (void) krb5_cc_set_flags(context, incc, flags);
148 a mk_req. Otherwise, do a get_credentials first. */
149
150 if (krb5_principal_compare(context, server, creds->server)) {
151 /* make an ap_req */
152 if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds,
153 &ap_req)))
154 goto cleanup;
155 } else {
156 /* this is unclean, but it's the easiest way without ripping the
157 library into very small pieces. store the client's initial cred
158 in a memory ccache, then call the library. Later, we'll copy
159 everything except the initial cred into the ccache we return to
160 the user. A clean implementation would involve library
161 internals with a coherent idea of "in" and "out". */
162
163 /* insert the initial cred into the ccache */
164
165 if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req", &ccache)))
166 goto cleanup;
167 /* Solaris Kerberos */
168 if ((ret = krb5_cc_initialize(context, ccache, creds->client)) != NULL)
169 goto cleanup;
170
171 /* Solaris Kerberos */
172 if ((ret = krb5_cc_store_cred(context, ccache, creds)) != NULL)
173 goto cleanup;
174
175 /* set up for get_creds */
176 memset(&in_creds, 0, sizeof(in_creds));
177 in_creds.client = creds->client;
178 in_creds.server = server;
179 if ((ret = krb5_timeofday(context, &in_creds.times.endtime)))
180 goto cleanup;
181 in_creds.times.endtime += 5*60;
182
183 if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds,
184 &out_creds)))
185 goto cleanup;
186
187 /* make an ap_req */
188 if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds,
189 &ap_req)))
190 goto cleanup;
191 }
192
195 krb5_auth_con_free(context, authcon);
196 authcon = NULL;
197 }
198
199 /* verify the ap_req */
200
201 if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
202 NULL, NULL)))
203 goto cleanup;
204
205 /* if we get this far, then the verification succeeded. We can
206 still fail if the library stuff here fails, but that's it */
207
208 if (ccache_arg && ccache) {
209 if (*ccache_arg == NULL) {
210 krb5_ccache retcc;
211
212 retcc = NULL;
213
214 /* Solaris Kerberos */
215 if (((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) != NULL) ||
216 ((ret = krb5_cc_initialize(context, retcc, creds->client)) != NULL) ||
217 ((ret = krb5_cc_copy_creds_except(context, ccache, retcc,
218 creds->server)) != NULL)) {
219 /* Solaris Kerberos */
220 if (retcc)
221 (void) krb5_cc_destroy(context, retcc);
222 } else {
223 *ccache_arg = retcc;
224 }
225 } else {
226 ret = krb5_cc_copy_creds_except(context, ccache, *ccache_arg,
227 server);
228 }
229 }
230
231 /* if any of the above paths returned an errors, then ret is set
232 accordingly. either that, or it's zero, which is fine, too */
233
234 cleanup:
235 if (!server_arg && server)
236 krb5_free_principal(context, server);
237 /* Solaris Kerberos */
238 if (!keytab_arg && keytab)
|
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 #include "k5-int.h"
7 #include "int-proto.h"
8
9 /* Solaris Kerberos */
10 extern krb5_error_code krb5_libdefault_boolean();
11
12 static krb5_error_code
13 krb5_cc_copy_creds_except(krb5_context context, krb5_ccache incc, krb5_ccache outcc, krb5_principal princ)
14 {
15 krb5_error_code code;
16 krb5_flags flags;
17 krb5_cc_cursor cur;
18 krb5_creds creds;
19
20 flags = 0; /* turns off OPENCLOSE mode */
21 /* Solaris Kerberos */
22 if ((code = krb5_cc_set_flags(context, incc, flags)) != 0)
23 return(code);
24 /* Solaris Kerberos */
25 if ((code = krb5_cc_set_flags(context, outcc, flags)) != 0)
26 return(code);
27
28 /* Solaris Kerberos */
29 if ((code = krb5_cc_start_seq_get(context, incc, &cur)) != 0)
30 goto cleanup;
31
32 /* Solaris Kerberos */
33 while ((code = krb5_cc_next_cred(context, incc, &cur, &creds)) == 0) {
34 if (krb5_principal_compare(context, princ, creds.server))
35 continue;
36
37 code = krb5_cc_store_cred(context, outcc, &creds);
38 krb5_free_cred_contents(context, &creds);
39 if (code)
40 goto cleanup;
41 }
42
43 if (code != KRB5_CC_END)
44 goto cleanup;
45
46 code = 0;
47
48 cleanup:
49 flags = KRB5_TC_OPENCLOSE;
50
51 /* Solaris Kerberos */
52 if (code)
53 (void) krb5_cc_set_flags(context, incc, flags);
148 a mk_req. Otherwise, do a get_credentials first. */
149
150 if (krb5_principal_compare(context, server, creds->server)) {
151 /* make an ap_req */
152 if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds,
153 &ap_req)))
154 goto cleanup;
155 } else {
156 /* this is unclean, but it's the easiest way without ripping the
157 library into very small pieces. store the client's initial cred
158 in a memory ccache, then call the library. Later, we'll copy
159 everything except the initial cred into the ccache we return to
160 the user. A clean implementation would involve library
161 internals with a coherent idea of "in" and "out". */
162
163 /* insert the initial cred into the ccache */
164
165 if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req", &ccache)))
166 goto cleanup;
167 /* Solaris Kerberos */
168 if ((ret = krb5_cc_initialize(context, ccache, creds->client)) != 0)
169 goto cleanup;
170
171 /* Solaris Kerberos */
172 if ((ret = krb5_cc_store_cred(context, ccache, creds)) != 0)
173 goto cleanup;
174
175 /* set up for get_creds */
176 memset(&in_creds, 0, sizeof(in_creds));
177 in_creds.client = creds->client;
178 in_creds.server = server;
179 if ((ret = krb5_timeofday(context, &in_creds.times.endtime)))
180 goto cleanup;
181 in_creds.times.endtime += 5*60;
182
183 if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds,
184 &out_creds)))
185 goto cleanup;
186
187 /* make an ap_req */
188 if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds,
189 &ap_req)))
190 goto cleanup;
191 }
192
195 krb5_auth_con_free(context, authcon);
196 authcon = NULL;
197 }
198
199 /* verify the ap_req */
200
201 if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
202 NULL, NULL)))
203 goto cleanup;
204
205 /* if we get this far, then the verification succeeded. We can
206 still fail if the library stuff here fails, but that's it */
207
208 if (ccache_arg && ccache) {
209 if (*ccache_arg == NULL) {
210 krb5_ccache retcc;
211
212 retcc = NULL;
213
214 /* Solaris Kerberos */
215 if (((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) != 0) ||
216 ((ret = krb5_cc_initialize(context, retcc, creds->client)) != 0) ||
217 ((ret = krb5_cc_copy_creds_except(context, ccache, retcc,
218 creds->server)) != 0)) {
219 /* Solaris Kerberos */
220 if (retcc)
221 (void) krb5_cc_destroy(context, retcc);
222 } else {
223 *ccache_arg = retcc;
224 }
225 } else {
226 ret = krb5_cc_copy_creds_except(context, ccache, *ccache_arg,
227 server);
228 }
229 }
230
231 /* if any of the above paths returned an errors, then ret is set
232 accordingly. either that, or it's zero, which is fine, too */
233
234 cleanup:
235 if (!server_arg && server)
236 krb5_free_principal(context, server);
237 /* Solaris Kerberos */
238 if (!keytab_arg && keytab)
|
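Review bot: In krb5_cc_copy_creds_except (new lines 33-35), the `continue` taken when `krb5_principal_compare()` matches skips `krb5_free_cred_contents(context, &creds)`, so every excluded credential, including its ticket and session key, stays allocated after the loop moves on. Free it before skipping: `if (krb5_principal_compare(context, princ, creds.server)) { krb5_free_cred_contents(context, &creds); continue; }`. The `goto cleanup` paths taken after `krb5_cc_start_seq_get()` succeeds show no `krb5_cc_end_seq_get()` in the visible lines; the function's tail is outside this view, so confirm the cursor is released there. Separately, the fixed names `MEMORY:rd_req` and `MEMORY:rd_req2` (new lines 165 and 215) appear to be process-wide, so two verifications running concurrently in one process would presumably resolve to the same cache; a per-call unique cache name would keep their credentials apart.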