use "roken.h" consitantly

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21003 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-08 01:42:05 +00:00
parent fd9f438492
commit 12df8538af
46 changed files with 229 additions and 58 deletions
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -724,16 +724,41 @@ add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
 /*
 get_cred(server)
 	creds = cc_get_cred(server)
-	if(creds) return creds
-	tgt = cc_get_cred(krbtgt/server_realm@any_realm)
-	if(tgt)
-		return get_cred_tgt(server, tgt)
-	if(client_realm == server_realm)
-		return NULL
-	tgt = get_cred(krbtgt/server_realm@client_realm)
-	while(tgt_inst != server_realm)
-		tgt = get_cred(krbtgt/server_realm@tgt_inst)
-	return get_cred_tgt(server, tgt)
+	if(creds)
+		return creds
+	# XXX check referrals cache
+	try-realm = ca-paths
+	if (try-realm == NULL)
+		try_realm = client.realm;
+	server-realm = server.realm
+	tgt = find_cred(krbtgt/{try-realm}@ANY)
+	while (num-referrals++ < max-num-referrals) {
+		req-server = server.service@server_realm
+		creds = get_cred(tgt, req-server)
+		if (creds == NULL)
+			break
+		add-traversed(server_realm)
+		if (referral?(creds, secure?, &referral)) {
+			if (referral && check-name(creds, req-server))
+				return NULL(bad-name)
+			if (tgt?(creds)) {
+				if (traversed-before(creds.realm))
+					return NULL(eloop)
+				server_realm = creds.realm
+				tgt = creds
+				if (referral && referral.true-name)
+					server = referral.true-name
+			} else {
+				return creds
+			}
+		} else if (match(server, creds)) {
+			return creds
+		} else {
+			break
+		}
+	}
+	return NULL(enotfound)
+
 	*/

 static krb5_error_code
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 - 2006 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -826,14 +826,15 @@ krb5_rd_req_ctx(krb5_context context,
 	    goto out;
    }

-    ret = krb5_verify_ap_req(context,
-			     auth_context,
-			     &ap_req,
-			     server,
-			     o->keyblock,
-			     0,
-			     &o->ap_req_options,
-			     &o->ticket);
+    ret = krb5_verify_ap_req2(context,
+			      auth_context,
+			      &ap_req,
+			      server,
+			      o->keyblock,
+			      0,
+			      &o->ap_req_options,
+			      &o->ticket,
+			      KRB5_KU_AP_REQ_AUTH);

    if (ret)
 	goto out;