/***** STATE_BEGIN *****/
+/*
+ * Look for the desired credentials in the cache, if possible. If we find
+ * them, put them in ctx->reply_creds and advance the state to STATE_COMPLETE.
+ * Return successfully even if creds are not found, unless the caller only
+ * wanted cached creds.
+ */
+static krb5_error_code
+check_cache(krb5_context context, krb5_tkt_creds_context ctx)
+{
+ krb5_error_code code;
+ krb5_creds mcreds;
+ krb5_flags fields;
+
+ /* For constrained delegation, the expected result is in second_ticket, so
+ * we can't really do a cache check here. */
+ if (ctx->req_options & KRB5_GC_CONSTRAINED_DELEGATION)
+ return (ctx->req_options & KRB5_GC_CACHED) ? KRB5_CC_NOTFOUND : 0;
+
+ /* Perform the cache lookup. */
+ code = krb5int_construct_matching_creds(context, ctx->req_options,
+ ctx->in_creds, &mcreds, &fields);
+ if (code)
+ return code;
+ code = cache_get(context, ctx->ccache, fields, &mcreds, &ctx->reply_creds);
+ if (code == 0) {
+ ctx->state = STATE_COMPLETE;
+ return 0;
+ }
+
+ /* Stop on unexpected cache errors. */
+ if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
+ return code;
+
+ /* Stop if the caller only wanted cached creds. */
+ if (ctx->req_options & KRB5_GC_CACHED)
+ return code;
+
+ /* Remember whether the cache lookup failed due to enctypes or not. */
+ ctx->cache_code = code;
+ return 0;
+}
+
+/* Decide where to begin the acquisition process. */
static krb5_error_code
begin(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
+ code = check_cache(context, ctx);
+ if (code != 0 || ctx->state == STATE_COMPLETE)
+ return code;
+
/* If the server realm is unspecified, start with the client realm. */
if (krb5_is_referral_realm(&ctx->server->realm)) {
krb5_free_data_contents(context, &ctx->server->realm);
krb5_creds **out_creds)
{
krb5_error_code retval;
- krb5_creds mcreds, *ncreds = NULL;
- krb5_flags fields;
- krb5_boolean not_ktype = FALSE;
+ krb5_creds *ncreds = NULL;
*out_creds = NULL;
if (ncreds == NULL)
goto cleanup;
- /*
- * See if we already have the ticket cached. To do this usefully
- * for constrained delegation, we would need to look inside
- * second_ticket, which we can't do.
- */
- if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
- retval = krb5int_construct_matching_creds(context, options, in_creds,
- &mcreds, &fields);
-
- if (retval)
- goto cleanup;
-
- retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
- ncreds);
- if (retval == 0) {
- *out_creds = ncreds;
- return 0;
- }
- if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
- || options & KRB5_GC_CACHED)
- goto cleanup;
- not_ktype = (retval == KRB5_CC_NOT_KTYPE);
- } else if (options & KRB5_GC_CACHED) {
- retval = KRB5_CC_NOTFOUND;
- goto cleanup;
- }
-
- /* Get the credential from the KDC. */
+ /* Get the credential. */
retval = get_tkt_creds(context, ccache, in_creds, options, ncreds);
if (retval != 0)
goto cleanup;
goto cleanup;
}
- /*
- * Translate KRB5_CC_NOTFOUND if we previously got KRB5_CC_NOT_KTYPE from
- * krb5_cc_retrieve_cred(), in order to handle the case where there is no
- * TGT in the ccache and the input enctype didn't match. This handling is
- * necessary because some callers, such as GSSAPI, iterate through enctypes
- * and KRB5_CC_NOTFOUND passed through from get_tkt_creds() is semantically
- * incorrect, since the actual failure was the non-existence of a ticket of
- * the correct enctype rather than the missing TGT.
- */
- if (retval == KRB5_CC_NOTFOUND && not_ktype)
- retval = KRB5_CC_NOT_KTYPE;
-
*out_creds = ncreds;
ncreds = NULL;
projects / thirdparty / krb5.git / commitdiff
