Implement krb5_get_cred_from_kdc.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@3897 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/get_cred.c

@@ -404,6 +404,45 @@ krb5_get_kdc_cred(krb5_context context,
 }
 
 
+static krb5_error_code
+find_cred(krb5_context context,
+	  krb5_ccache id,
+	  krb5_principal server,
+	  krb5_creds **tgts,
+	  krb5_creds *out_creds)
+{
+    krb5_error_code ret;
+    krb5_creds mcreds;
+    mcreds.server = server;
+    ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM, 
+				&mcreds, out_creds);
+    if(ret == 0)
+	return 0;
+    while(*tgts){
+	if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM, 
+			      &mcreds, *tgts)){
+	    ret = krb5_copy_creds_contents(context, *tgts, out_creds);
+	    return ret;
+	}
+	tgts++;
+    }
+    return KRB5_CC_NOTFOUND;
+}
+
+static krb5_error_code
+add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_creds **tmp = *tgts;
+    for(i = 0; tmp && tmp[i]; i++); /* XXX */
+    tmp = realloc(tmp, (i+2)*sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    *tgts = tmp;
+    ret = krb5_copy_creds(context, tkt, &tmp[i]);
+    return ret;
+}
 
 /*
 get_cred(server)
@@ -420,33 +459,19 @@ get_cred(server)
 	return get_cred_tgt(server, tgt)
 	*/
 
-krb5_error_code
+static krb5_error_code
-krb5_get_credentials_with_flags(krb5_context context,
+get_cred_from_kdc_flags(krb5_context context,
-				krb5_flags options,
 			krb5_kdc_flags flags,
 			krb5_ccache ccache,
 			krb5_creds *in_creds,
-				krb5_creds **out_creds)
+			krb5_creds **out_creds,
+			krb5_creds ***ret_tgts)
 {
     krb5_error_code ret;
-    krb5_creds *tgt;
+    krb5_creds *tgt, tmp_creds;
-    *out_creds = calloc(1, sizeof(**out_creds));
-    ret = krb5_cc_retrieve_cred(context, ccache, 0, in_creds, *out_creds);
-    if(ret == 0)
-	return 0;
-    else if(ret != KRB5_CC_END){
-	free(*out_creds);
-	return ret;
-    }
-    if(options & KRB5_GC_CACHED)
-	return KRB5_CC_NOTFOUND;
-    if(options & KRB5_GC_USER_USER)
-	flags.b.enc_tkt_in_skey = 1;
-    memset(*out_creds, 0, sizeof(**out_creds));
-    {
-	krb5_creds tmp_creds;
-	general_string tgt_inst;
     krb5_realm client_realm, server_realm;
+
+    *out_creds = calloc(1, sizeof(**out_creds));
     client_realm = *krb5_princ_realm(context, in_creds->client);
     server_realm = *krb5_princ_realm(context, in_creds->server);
     memset(&tmp_creds, 0, sizeof(tmp_creds));
@@ -466,50 +491,96 @@ krb5_get_credentials_with_flags(krb5_context context,
     {
 	krb5_creds tgts;
 	/* XXX try krb5_cc_retrieve_cred first? */
-	    ret = krb5_cc_retrieve_cred_any_realm(context, ccache, 0, 
+	ret = find_cred(context, ccache, tmp_creds.server, 
-						  &tmp_creds, &tgts);
+			*ret_tgts, &tgts);
 	if(ret == 0){
 	    ret = get_cred_kdc_la(context, ccache, flags, 
 				  in_creds, &tgts, out_creds);
 	    krb5_free_creds_contents(context, &tgts);
 	    krb5_free_principal(context, tmp_creds.server);
 	    krb5_free_principal(context, tmp_creds.client);
-		if(ret)
 	    return ret;
-		return krb5_cc_store_cred (context, ccache, *out_creds);
 	}
     }
-	if(strcmp(client_realm, server_realm) == 0)
+    if(krb5_realm_compare(context, in_creds->client, in_creds->server))
-	    return -1;
+	return -1; /* XXX */
-	ret = krb5_get_credentials(context, 0, ccache, &tmp_creds, &tgt);
+    /* XXX this can loop forever */
+    while(1){
+	general_string tgt_inst;
+	krb5_kdc_flags f;
+	f.i = 0;
+	ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, 
+				      &tgt, ret_tgts);
+	if(ret) return ret;
+	ret = add_cred(context, ret_tgts, tgt);
 	if(ret)
 	    return ret;
 	tgt_inst = tgt->server->name.name_string.val[1];
-	/* XXX this can loop forever */
+	if(strcmp(tgt_inst, server_realm) == 0)
-	while(strcmp(tgt_inst, server_realm)){
+	    break;
 	krb5_free_principal(context, tmp_creds.server);
 	ret = krb5_make_principal(context, &tmp_creds.server, 
 				  tgt_inst, "krbtgt", server_realm, NULL);
 	if(ret) return ret;
-	    ret = krb5_free_creds_contents(context, tgt);
+	ret = krb5_free_creds(context, tgt);
 	if(ret) return ret;
-	    free(tgt);
-	    /* XXX which kdc-flags should be used here? */
-	    ret = krb5_get_credentials(context, 0, ccache, &tmp_creds, &tgt);
-	    if(ret) return ret;
-	    tgt_inst = tgt->server->name.name_string.val[1];
     }
 	
-
     krb5_free_principal(context, tmp_creds.server);
     krb5_free_principal(context, tmp_creds.client);
     ret = get_cred_kdc_la(context, ccache, flags, in_creds, tgt, out_creds);
-	krb5_free_creds_contents(context, tgt);
+    krb5_free_creds(context, tgt);
-	free(tgt);
-	if(ret)
     return ret;
-	return krb5_cc_store_cred (context, ccache, *out_creds);
+}
+
+krb5_error_code
+krb5_get_cred_from_kdc(krb5_context context,
+		       krb5_ccache ccache,
+		       krb5_creds *in_creds,
+		       krb5_creds **out_creds,
+		       krb5_creds ***ret_tgts)
+{
+    krb5_kdc_flags f;
+    f.i = 0;
+    return get_cred_from_kdc_flags(context, f, ccache, 
+				   in_creds, out_creds, ret_tgts);
+}
+     
+
+krb5_error_code
+krb5_get_credentials_with_flags(krb5_context context,
+				krb5_flags options,
+				krb5_kdc_flags flags,
+				krb5_ccache ccache,
+				krb5_creds *in_creds,
+				krb5_creds **out_creds)
+{
+    krb5_error_code ret;
+    krb5_creds *tgt, **tgts;
+    int i;
+    
+    *out_creds = calloc(1, sizeof(**out_creds));
+    ret = krb5_cc_retrieve_cred(context, ccache, 0, in_creds, *out_creds);
+    if(ret == 0)
+	return 0;
+    free(*out_creds);
+    if(ret != KRB5_CC_END)
+	return ret;
+    if(options & KRB5_GC_CACHED)
+	return KRB5_CC_NOTFOUND;
+    if(options & KRB5_GC_USER_USER)
+	flags.b.enc_tkt_in_skey = 1;
+    tgts = NULL;
+    ret = get_cred_from_kdc_flags(context, flags, ccache, 
+				  in_creds, out_creds, &tgts);
+    for(i = 0; tgts && tgts[i]; i++){
+	krb5_cc_store_cred(context, ccache, tgts[i]);
+	krb5_free_creds(context, tgts[i]);
     }
+    free(tgts);
+    if(ret == 0)
+	krb5_cc_store_cred(context, ccache, *out_creds);
+    return ret;
 }
 
 krb5_error_code