svn rev #23859: branches/iakerb/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Sun Apr 4 16:54:42 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23859
Commit By: ghudson
Log Message:
Make krb5_get_credentials use the krb5_tkt_creds interface instead of
krb5_get_cred_from_kdc_opt.
Changed Files:
U branches/iakerb/src/lib/krb5/krb/get_creds.c
Modified: branches/iakerb/src/lib/krb5/krb/get_creds.c
===================================================================
--- branches/iakerb/src/lib/krb5/krb/get_creds.c 2010-04-04 20:46:02 UTC (rev 23858)
+++ branches/iakerb/src/lib/krb5/krb/get_creds.c 2010-04-04 20:54:42 UTC (rev 23859)
@@ -116,13 +116,18 @@
krb5_creds **out_creds)
{
krb5_error_code retval;
- krb5_creds mcreds, *ncreds, **tgts, **tgts_iter;
+ krb5_tkt_creds_context ctx = NULL;
+ krb5_creds mcreds, *ncreds = NULL;
krb5_flags fields;
krb5_boolean not_ktype = FALSE;
int kdcopt = 0;
*out_creds = NULL;
+ ncreds = k5alloc(sizeof(*ncreds), &retval);
+ if (ncreds == NULL)
+ goto cleanup;
+
/*
* See if we already have the ticket cached. To do this usefully
* for constrained delegation, we would need to look inside
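Review bot: The new allocation at `ncreds = k5alloc(sizeof(*ncreds), &retval);` no longer sets the structure's magic number, which the removed code did with `ncreds->magic = KV5M_CREDS;` straight after its malloc/memset. Unless a later call fills that field (none visible in this diff does so explicitly), callers now get a krb5_creds with a zero magic on both the cache-hit and KDC paths. I would add `ncreds->magic = KV5M_CREDS;` after the NULL check. The early `goto cleanup` also depends on krb5_free_creds and krb5_tkt_creds_free accepting NULL, which deserves a short comment at the label. The function's signature begins above this hunk.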
@@ -133,29 +138,22 @@
&mcreds, &fields);
if (retval)
- return retval;
+ goto cleanup;
- ncreds = malloc(sizeof(krb5_creds));
- if (!ncreds)
- return ENOMEM;
-
- memset(ncreds, 0, sizeof(krb5_creds));
- ncreds->magic = KV5M_CREDS;
-
retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
ncreds);
if (retval == 0) {
*out_creds = ncreds;
return 0;
}
- free(ncreds);
- ncreds = NULL;
if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
|| options & KRB5_GC_CACHED)
- return retval;
+ goto cleanup;
not_ktype = (retval == KRB5_CC_NOT_KTYPE);
- } else if (options & KRB5_GC_CACHED)
- return KRB5_CC_NOTFOUND;
+ } else if (options & KRB5_GC_CACHED) {
+ retval = KRB5_CC_NOTFOUND;
+ goto cleanup;
+ }
if (options & KRB5_GC_CANONICALIZE)
kdcopt |= KDC_OPT_CANONICALIZE;
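Review bot: With `free(ncreds); ncreds = NULL;` removed, the same structure that krb5_cc_retrieve_cred failed to fill is later passed to krb5_tkt_creds_get_creds and, on every error path, to krb5_free_creds. That is only safe if a failed cache lookup leaves the zeroed structure untouched; a partially filled or already-freed member would become a leak or a double free, and nothing in the hunk shows which holds. I would document the assumption where the lookup fails, e.g. `/* ncreds is still all-zero here: a failed retrieve must not leave partial contents */`, or re-zero it with `memset(ncreds, 0, sizeof(*ncreds));` before falling through. The cache-hit branch still uses a bare `return 0;`, which is correct only because ctx is NULL at that point and ownership has passed to the caller.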
@@ -164,18 +162,34 @@
if (options & KRB5_GC_NO_TRANSIT_CHECK)
kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
- if (options & KRB5_GC_USER_USER)
- return EINVAL;
+ if (options & KRB5_GC_USER_USER) {
+ retval = EINVAL;
+ goto cleanup;
+
+ }
kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
}
- retval = krb5_get_cred_from_kdc_opt(context, ccache, in_creds,
- &ncreds, &tgts, kdcopt);
- if (tgts) {
- /* Attempt to cache intermediate ticket-granting tickets. */
- for (tgts_iter = tgts; *tgts_iter; tgts_iter++)
- (void) krb5_cc_store_cred(context, ccache, *tgts_iter);
- krb5_free_tgt_creds(context, tgts);
+ /* Get the credential from the KDC. */
+ retval = krb5_tkt_creds_init(context, ccache, in_creds, kdcopt, &ctx);
+ if (retval != 0)
+ goto cleanup;
+ retval = krb5_tkt_creds_get(context, ctx);
+ if (retval != 0)
+ goto cleanup;
+ retval = krb5_tkt_creds_get_creds(context, ctx, ncreds);
+ if (retval != 0)
+ goto cleanup;
+
+ /* Attempt to cache the returned ticket. */
+ if (!(options & KRB5_GC_NO_STORE))
+ (void) krb5_cc_store_cred(context, ccache, ncreds);
+
+ if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
+ && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
+ /* This ticket won't work for constrained delegation. */
+ retval = KRB5_TKT_NOT_FORWARDABLE;
+ goto cleanup;
}
/*
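Review bot: The ticket is now written to the ccache before the constrained-delegation check, so a non-forwardable ticket is stored even though the call then fails with KRB5_TKT_NOT_FORWARDABLE. The old code ran the forwardable test first and only cached tickets it was about to return. I would move the `if (!(options & KRB5_GC_NO_STORE))` store below the `TKT_FLG_FORWARDABLE` block to restore that order, so the cache never holds a credential this function just rejected. The stray blank line before the closing brace of the `KRB5_GC_USER_USER` block can go as well.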
@@ -189,25 +203,16 @@
* actual failure was the non-existence of a ticket of the correct
* enctype rather than the missing TGT.
*/
- if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE)
- && not_ktype)
- return KRB5_CC_NOT_KTYPE;
- else if (retval)
- return retval;
+ if (retval == KRB5_CC_NOTFOUND && not_ktype)
+ retval = KRB5_CC_NOT_KTYPE;
- if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
- && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
- /* This ticket won't work for constrained delegation. */
- krb5_free_creds(context, ncreds);
- return KRB5_TKT_NOT_FORWARDABLE;
- }
+ *out_creds = ncreds;
+ ncreds = NULL;
- /* Attempt to cache the returned ticket. */
- if (!(options & KRB5_GC_NO_STORE))
- (void) krb5_cc_store_cred(context, ccache, ncreds);
-
- *out_creds = ncreds;
- return 0;
+cleanup:
+ krb5_free_creds(context, ncreds);
+ krb5_tkt_creds_free(context, ctx);
+ return retval;
}
#define INT_GC_VALIDATE 1
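Review bot: The enctype translation at `if (retval == KRB5_CC_NOTFOUND && not_ktype)` looks unreachable with a non-zero retval, because every failing call in the previous hunk jumps to `cleanup` and skips it. As far as the visible lines show, callers therefore get KRB5_CC_NOTFOUND from the KDC path where the old code reported KRB5_CC_NOT_KTYPE. Moving the test to directly after the `cleanup:` label restores it; not_ktype is still FALSE on the earlier exits, so they are unaffected. The old condition also accepted `retval == KRB5_CC_NOT_KTYPE`, which needs no translation, so dropping it is fine. The lines between this hunk and the previous one are not shown, so this should be confirmed against the full function.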