Lines Matching +full:- +full:t
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kdc/do_tgs_req.c - KDC Routines to deal with TGS_REQ's */
17 * the name of M.I.T. not be used in advertising or publicity pertaining
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
27 * Copyright (c) 2006-2008, Novell, Inc.
54 #include "k5-int.h"
79 * PA-TGS-REQ, the KDB entry for its server, its encryption key, the
80 * PA-TGS-REQ subkey if present, and the decoded and verified header ticket
97 /* For cross-realm S4U2Proxy requests, the client principal retrieved from
101 /* Storage for the local TGT KDB entry for the service realm if that isn't
108 * and alternate TGS replies this will be a cross-realm TGT entry. */
114 * NO_AUTH_DATA_REQUIRED is set on the server KDB entry and this isn't an
124 * non-S4U2Self requests. */
164 * (either header_tkt->enc_part2->client or s4u_cprinc). */
167 /* The client principal of the PA-TGS-REQ header ticket. On early failures
187 krb5_context context = state->realm_data->realm_context; in prepare_error_tgs()
200 errpkt.server = request->server; in prepare_error_tgs()
201 if (ticket && ticket->enc_part2) in prepare_error_tgs()
202 errpkt.client = ticket->enc_part2->client; in prepare_error_tgs()
252 * If req is a second-ticket request and a second ticket is present, decrypt
275 if (!(req->kdc_options & STKT_OPTIONS) || req->second_ticket == NULL || in decrypt_2ndtkt()
276 req->second_ticket[0] == NULL) in decrypt_2ndtkt()
279 stkt = req->second_ticket[0]; in decrypt_2ndtkt()
291 retval = get_verified_pac(context, stkt->enc_part2, server, key, local_tgt, in decrypt_2ndtkt()
314 krb5_ticket *stkt = req->second_ticket[0]; in get_2ndtkt_enctype()
317 etype = stkt->enc_part2->session->enctype; in get_2ndtkt_enctype()
322 for (i = 0; i < req->nktypes; i++) { in get_2ndtkt_enctype()
323 if (req->ktype[i] == etype) { in get_2ndtkt_enctype()
339 * Some special care needs to be taken in the user-to-user in gen_session_key()
340 * case, since we don't know what keytypes the application server in gen_session_key()
341 * which is doing user-to-user authentication can support. We in gen_session_key()
343 * type of the session key in the TGT, since otherwise it won't be in gen_session_key()
347 if (req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) { in gen_session_key()
354 req->nktypes, req->ktype); in gen_session_key()
366 * The request seems to be for a ticket-granting service somewhere else,
367 * but we don't have a ticket for the final TGS. Try to give the requestor
381 retval = krb5_walk_realm_tree(context, &princ->realm, &princ->data[1], in find_alternate_tgs()
390 while (--pl2 > plist) { in find_alternate_tgs()
392 krb5_princ_set_realm(context, *pl2, &princ->realm); in find_alternate_tgs()
400 log_tgs_alt_tgt(context, server->princ); in find_alternate_tgs()
416 /* Return true if item is an element of the space/comma-separated list. */
426 if ((p == list || isspace((unsigned char)p[-1]) || p[-1] == ',') && in in_list()
443 char *hostbased = realm->realm_hostbased; in is_referral_req()
444 char *no_referral = realm->realm_no_referral; in is_referral_req()
446 if (!(request->kdc_options & KDC_OPT_CANONICALIZE)) in is_referral_req()
449 if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) in is_referral_req()
452 if (request->server->length != 2) in is_referral_req()
455 stype = data2string(&request->server->data[0]); in is_referral_req()
458 switch (request->server->type) { in is_referral_req()
460 /* Allow referrals for NT-UNKNOWN principals, if configured. */ in is_referral_req()
480 * Find a remote realm TGS principal for an unknown host-based service
487 krb5_context context = realm->realm_context; in find_referral_tgs()
490 krb5_data srealm = request->server->realm; in find_referral_tgs()
495 hostname = data2string(&request->server->data[1]); in find_referral_tgs()
500 /* If the hostname doesn't contain a '.', it's not a FQDN. */ in find_referral_tgs()
509 /* Don't return a referral to the empty realm or the service realm. */ in find_referral_tgs()
545 krb5_context context = realm->realm_context; in search_sprinc()
547 krb5_principal princ = req->server; in search_sprinc()
552 * the server is supposed to match an already-issued ticket. */ in search_sprinc()
553 allow_referral = !(req->kdc_options & NO_REFERRAL_OPTION); in search_sprinc()
561 if (!is_cross_tgs_principal(req->server)) { in search_sprinc()
584 * Transfer ownership of *reqptr to *t and fill *t with information about the
585 * request. Decode the PA-TGS-REQ header ticket and the second ticket if
587 * the S4U2Self request pa-data if present. Extract authentication indicators
595 krb5_audit_state *au_state, struct tgs_req_info *t, in gather_tgs_req_info() argument
598 krb5_context context = realm->realm_context; in gather_tgs_req_info()
605 /* Transfer ownership of *reqptr to *t. */ in gather_tgs_req_info()
606 t->req = *reqptr; in gather_tgs_req_info()
609 if (t->req->msg_type != KRB5_TGS_REQ) in gather_tgs_req_info()
612 /* Initially set t->sprinc to the outer request server, for logging of in gather_tgs_req_info()
614 t->sprinc = t->req->server; in gather_tgs_req_info()
616 /* Read the PA-TGS-REQ authenticator and decrypt the header ticket. */ in gather_tgs_req_info()
617 ret = kdc_process_tgs_req(realm, t->req, from, pkt, &t->header_tkt, in gather_tgs_req_info()
618 &t->header_server, &t->header_key, &t->subkey, in gather_tgs_req_info()
620 if (t->header_tkt != NULL && t->header_tkt->enc_part2 != NULL) in gather_tgs_req_info()
621 t->cprinc = t->header_tkt->enc_part2->client; in gather_tgs_req_info()
626 ret = kau_make_tkt_id(context, t->header_tkt, &au_state->tkt_in_id); in gather_tgs_req_info()
629 header_enc = t->header_tkt->enc_part2; in gather_tgs_req_info()
631 /* If PA-FX-FAST-REQUEST padata is present, replace t->req with the inner in gather_tgs_req_info()
633 d = make_data(pa_tgs_req->contents, pa_tgs_req->length); in gather_tgs_req_info()
634 ret = kdc_find_fast(&t->req, &d, t->subkey, header_enc->session, in gather_tgs_req_info()
640 /* Reset t->sprinc for the inner body and check it. */ in gather_tgs_req_info()
641 t->sprinc = t->req->server; in gather_tgs_req_info()
642 if (t->sprinc == NULL) { in gather_tgs_req_info()
649 ret = get_local_tgt(context, &t->sprinc->realm, t->header_server, in gather_tgs_req_info()
650 &t->local_tgt, &t->local_tgt_storage, in gather_tgs_req_info()
651 &t->local_tgt_key); in gather_tgs_req_info()
658 ret = get_verified_pac(context, header_enc, t->header_server, in gather_tgs_req_info()
659 t->header_key, t->local_tgt, &t->local_tgt_key, in gather_tgs_req_info()
660 &t->header_pac); in gather_tgs_req_info()
666 au_state->request = t->req; in gather_tgs_req_info()
667 au_state->stage = SRVC_PRINC; in gather_tgs_req_info()
670 * t->sprinc to the canonical server name (its final value). */ in gather_tgs_req_info()
671 s_flags = (t->req->kdc_options & KDC_OPT_CANONICALIZE) ? in gather_tgs_req_info()
673 ret = search_sprinc(realm, t->req, s_flags, &t->server, status); in gather_tgs_req_info()
676 t->sprinc = t->server->princ; in gather_tgs_req_info()
678 /* If we got a cross-realm TGS which is not the requested server, we are in gather_tgs_req_info()
680 if (is_cross_tgs_principal(t->server->princ) && in gather_tgs_req_info()
681 !krb5_principal_compare(context, t->req->server, t->server->princ)) in gather_tgs_req_info()
682 t->flags |= KRB5_KDB_FLAG_ISSUING_REFERRAL; in gather_tgs_req_info()
684 /* Mark the request as cross-realm if the header ticket server is not from in gather_tgs_req_info()
686 if (!data_eq(t->header_server->princ->realm, t->sprinc->realm)) in gather_tgs_req_info()
687 t->flags |= KRB5_KDB_FLAG_CROSS_REALM; in gather_tgs_req_info()
689 t->is_referral = (t->flags & KRB5_KDB_FLAG_ISSUING_REFERRAL); in gather_tgs_req_info()
690 t->is_crossrealm = (t->flags & KRB5_KDB_FLAG_CROSS_REALM); in gather_tgs_req_info()
694 ret = kdc_process_s4u2self_req(context, t->req, t->server, t->subkey, in gather_tgs_req_info()
695 header_enc->session, &t->s4u2self, in gather_tgs_req_info()
696 &t->client, status); in gather_tgs_req_info()
697 if (t->s4u2self != NULL || ret) { in gather_tgs_req_info()
698 if (t->s4u2self != NULL) in gather_tgs_req_info()
699 au_state->s4u2self_user = t->s4u2self->user_id.user; in gather_tgs_req_info()
700 au_state->status = *status; in gather_tgs_req_info()
702 au_state->s4u2self_user = NULL; in gather_tgs_req_info()
706 if (t->s4u2self != NULL) { in gather_tgs_req_info()
707 t->flags |= KRB5_KDB_FLAG_PROTOCOL_TRANSITION; in gather_tgs_req_info()
708 t->s4u_cprinc = t->s4u2self->user_id.user; in gather_tgs_req_info()
711 * For consistency with Active Directory, don't allow authorization in gather_tgs_req_info()
714 * doesn't need authorization data in tickets received from clients. in gather_tgs_req_info()
716 t->server->attributes &= ~KRB5_KDB_NO_AUTH_DATA_REQUIRED; in gather_tgs_req_info()
721 ret = decrypt_2ndtkt(context, t->req, t->flags, t->local_tgt, in gather_tgs_req_info()
722 &t->local_tgt_key, &t->stkt, &t->stkt_pac, in gather_tgs_req_info()
723 &t->stkt_server, &t->stkt_server_key, status); in gather_tgs_req_info()
729 if (t->req->kdc_options & KDC_OPT_CNAME_IN_ADDL_TKT) { in gather_tgs_req_info()
730 t->flags |= KRB5_KDB_FLAG_CONSTRAINED_DELEGATION; in gather_tgs_req_info()
731 ret = kau_make_tkt_id(context, t->stkt, &au_state->evid_tkt_id); in gather_tgs_req_info()
734 if (t->is_crossrealm) { in gather_tgs_req_info()
735 /* For cross-realm S4U2PROXY requests, the second ticket is a in gather_tgs_req_info()
737 if (t->stkt_pac == NULL || in gather_tgs_req_info()
738 get_pac_princ_with_realm(context, t->stkt_pac, in gather_tgs_req_info()
739 &t->stkt_pac_client, NULL) != 0) { in gather_tgs_req_info()
740 au_state->status = *status = "RBCD_PAC_PRINC"; in gather_tgs_req_info()
741 au_state->violation = PROT_CONSTRAINT; in gather_tgs_req_info()
745 t->s4u_cprinc = t->stkt_pac_client; in gather_tgs_req_info()
748 t->s4u_cprinc = t->stkt->enc_part2->client; in gather_tgs_req_info()
750 t->subject_tkt = t->stkt->enc_part2; in gather_tgs_req_info()
752 t->subject_tkt = header_enc; in gather_tgs_req_info()
754 t->authtime = t->subject_tkt->times.authtime; in gather_tgs_req_info()
758 t->tkt_client = ((t->flags & KRB5_KDB_FLAGS_S4U) && !t->is_referral) ? in gather_tgs_req_info()
759 t->s4u_cprinc : header_enc->client; in gather_tgs_req_info()
761 if (t->s4u2self == NULL) { in gather_tgs_req_info()
763 * S4U2Self requests as the subject didn't authenticate. */ in gather_tgs_req_info()
764 ret = get_auth_indicators(context, t->subject_tkt, t->local_tgt, in gather_tgs_req_info()
765 &t->local_tgt_key, &t->auth_indicators); in gather_tgs_req_info()
771 if (!(t->server->attributes & KRB5_KDB_NO_AUTH_DATA_REQUIRED)) { in gather_tgs_req_info()
774 assert(t->client == NULL); in gather_tgs_req_info()
775 (void)krb5_db_get_principal(context, t->subject_tkt->client, in gather_tgs_req_info()
776 t->flags | KRB5_KDB_FLAG_CLIENT | in gather_tgs_req_info()
778 &t->client); in gather_tgs_req_info()
787 if (!t->is_crossrealm || in gather_tgs_req_info()
788 data_eq(t->header_tkt->server->realm, t->tkt_client->realm)) { in gather_tgs_req_info()
789 t->transited = header_enc->transited; in gather_tgs_req_info()
791 if (header_enc->transited.tr_type != KRB5_DOMAIN_X500_COMPRESS) { in gather_tgs_req_info()
795 ret = add_to_transited(&header_enc->transited.tr_contents, in gather_tgs_req_info()
796 &t->new_transited, t->header_tkt->server, in gather_tgs_req_info()
797 t->tkt_client, t->req->server); in gather_tgs_req_info()
802 t->transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; in gather_tgs_req_info()
803 t->transited.tr_contents = t->new_transited; in gather_tgs_req_info()
812 compute_ticket_times(kdc_realm_t *realm, struct tgs_req_info *t, in compute_ticket_times() argument
818 krb5_ticket_times *htimes = &t->header_tkt->enc_part2->times; in compute_ticket_times()
820 if (t->req->kdc_options & KDC_OPT_VALIDATE) { in compute_ticket_times()
827 times->authtime = t->authtime; in compute_ticket_times()
829 times->starttime = (t->req->kdc_options & KDC_OPT_POSTDATED) ? in compute_ticket_times()
830 t->req->from : kdc_time; in compute_ticket_times()
832 if (t->req->kdc_options & KDC_OPT_RENEW) { in compute_ticket_times()
835 hstarttime = htimes->starttime ? htimes->starttime : htimes->authtime; in compute_ticket_times()
836 hlife = ts_delta(htimes->endtime, hstarttime); in compute_ticket_times()
837 times->endtime = ts_min(htimes->renew_till, in compute_ticket_times()
838 ts_incr(times->starttime, hlife)); in compute_ticket_times()
840 kdc_get_ticket_endtime(realm, times->starttime, htimes->endtime, in compute_ticket_times()
841 t->req->till, t->client, t->server, in compute_ticket_times()
842 ×->endtime); in compute_ticket_times()
845 kdc_get_ticket_renewtime(realm, t->req, t->header_tkt->enc_part2, in compute_ticket_times()
846 t->client, t->server, tktflags, times); in compute_ticket_times()
850 if (times->starttime == times->authtime) in compute_ticket_times()
851 times->starttime = 0; in compute_ticket_times()
854 /* Check the request in *t against semantic protocol constraints and local
857 check_tgs_req(kdc_realm_t *realm, struct tgs_req_info *t, in check_tgs_req() argument
862 krb5_context context = realm->realm_context; in check_tgs_req()
866 au_state->stage = VALIDATE_POL; in check_tgs_req()
872 ret = check_tgs_constraints(realm, t->req, t->server, t->header_tkt, in check_tgs_req()
873 t->header_pac, t->stkt, t->stkt_pac, in check_tgs_req()
874 t->stkt_server, kdc_time, t->s4u2self, in check_tgs_req()
875 t->client, t->is_crossrealm, t->is_referral, in check_tgs_req()
878 au_state->violation = PROT_CONSTRAINT; in check_tgs_req()
882 ret = check_tgs_policy(realm, t->req, t->server, t->header_tkt, in check_tgs_req()
883 t->header_pac, t->stkt, t->stkt_pac, in check_tgs_req()
884 t->stkt_pac_client, t->stkt_server, kdc_time, in check_tgs_req()
885 t->is_crossrealm, t->is_referral, status, e_data); in check_tgs_req()
887 au_state->violation = LOCAL_POLICY; in check_tgs_req()
888 if (t->flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { in check_tgs_req()
889 au_state->status = *status; in check_tgs_req()
896 * requests (where the client didn't authenticate). */ in check_tgs_req()
897 if (t->s4u2self == NULL) { in check_tgs_req()
898 ret = check_indicators(context, t->server, t->auth_indicators); in check_tgs_req()
905 *tktflags = get_ticket_flags(t->req->kdc_options, t->client, t->server, in check_tgs_req()
906 t->header_tkt->enc_part2); in check_tgs_req()
907 compute_ticket_times(realm, t, kdc_time, tktflags, times); in check_tgs_req()
911 if (t->s4u2self != NULL && !t->is_referral) { in check_tgs_req()
912 ret = s4u2self_forwardable(context, t->server, tktflags); in check_tgs_req()
919 ret = check_kdcpolicy_tgs(context, t->req, t->server, t->header_tkt, in check_tgs_req()
920 t->auth_indicators, kdc_time, times, status); in check_tgs_req()
924 if (!(t->req->kdc_options & KDC_OPT_DISABLE_TRANSITED_CHECK)) { in check_tgs_req()
926 * transited-policy-checked flag if successful. */ in check_tgs_req()
927 ret = kdc_check_transited_list(context, &t->transited.tr_contents, in check_tgs_req()
928 &t->subject_tkt->client->realm, in check_tgs_req()
929 &t->req->server->realm); in check_tgs_req()
931 /* Log the transited-check failure and continue. */ in check_tgs_req()
932 log_tgs_badtrans(context, t->cprinc, t->sprinc, in check_tgs_req()
933 &t->transited.tr_contents, ret); in check_tgs_req()
943 if (realm->realm_reject_bad_transit && in check_tgs_req()
946 au_state->violation = LOCAL_POLICY; in check_tgs_req()
953 /* Construct a response issuing a ticket for the request in *t, using tktflags
956 tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t, in tgs_issue_ticket() argument
963 krb5_context context = realm->realm_context; in tgs_issue_ticket()
974 krb5_enc_tkt_part *header_enc_tkt = t->header_tkt->enc_part2; in tgs_issue_ticket()
978 au_state->stage = ISSUE_TKT; in tgs_issue_ticket()
980 ret = gen_session_key(context, t->req, t->server, &session_key, status); in tgs_issue_ticket()
984 if (t->flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { in tgs_issue_ticket()
985 subject_pac = t->stkt_pac; in tgs_issue_ticket()
986 subject_server = t->stkt_server; in tgs_issue_ticket()
987 subject_key = t->stkt_server_key; in tgs_issue_ticket()
989 subject_pac = t->header_pac; in tgs_issue_ticket()
990 subject_server = t->header_server; in tgs_issue_ticket()
991 subject_key = t->header_key; in tgs_issue_ticket()
994 initial_reply_key = (t->subkey != NULL) ? t->subkey : in tgs_issue_ticket()
995 t->header_tkt->enc_part2->session; in tgs_issue_ticket()
997 if (t->req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) { in tgs_issue_ticket()
998 /* For user-to-user, encrypt the ticket with the second ticket's in tgs_issue_ticket()
1000 ticket_encrypting_key = t->stkt->enc_part2->session; in tgs_issue_ticket()
1002 /* Otherwise encrypt the ticket with the server entry's first long-term in tgs_issue_ticket()
1004 ret = get_first_current_key(context, t->server, &server_key); in tgs_issue_ticket()
1012 if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) { in tgs_issue_ticket()
1013 /* Copy the header ticket server and all enc-part fields except for in tgs_issue_ticket()
1015 ticket_reply.server = t->header_tkt->server; in tgs_issue_ticket()
1016 enc_tkt_reply = *t->header_tkt->enc_part2; in tgs_issue_ticket()
1019 if (t->req->kdc_options & (KDC_OPT_FORWARDED | KDC_OPT_PROXY)) { in tgs_issue_ticket()
1021 enc_tkt_reply.caddrs = t->req->addresses; in tgs_issue_ticket()
1022 reply_encpart.caddrs = t->req->addresses; in tgs_issue_ticket()
1025 enc_tkt_reply.caddrs = header_enc_tkt->caddrs; in tgs_issue_ticket()
1029 ticket_reply.server = t->is_referral ? t->sprinc : t->req->server; in tgs_issue_ticket()
1034 enc_tkt_reply.client = t->tkt_client; in tgs_issue_ticket()
1036 enc_tkt_reply.transited = t->transited; in tgs_issue_ticket()
1038 ret = handle_authdata(realm, t->flags, t->client, t->server, in tgs_issue_ticket()
1039 subject_server, t->local_tgt, &t->local_tgt_key, in tgs_issue_ticket()
1041 subject_key, NULL, pkt, t->req, t->s4u_cprinc, in tgs_issue_ticket()
1042 subject_pac, t->subject_tkt, &t->auth_indicators, in tgs_issue_ticket()
1056 if (t->req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) { in tgs_issue_ticket()
1060 ticket_reply.enc_part.kvno = current_kvno(t->server); in tgs_issue_ticket()
1063 au_state->stage = ENCR_REP; in tgs_issue_ticket()
1065 if (t->s4u2self != NULL && in tgs_issue_ticket()
1066 krb5int_find_pa_data(context, t->req->padata, in tgs_issue_ticket()
1069 * request only included PA-FOR-USER padata). */ in tgs_issue_ticket()
1070 ret = kdc_make_s4u2self_rep(context, t->subkey, in tgs_issue_ticket()
1071 t->header_tkt->enc_part2->session, in tgs_issue_ticket()
1072 t->s4u2self, &reply, &reply_encpart); in tgs_issue_ticket()
1078 reply_encpart.nonce = t->req->nonce; in tgs_issue_ticket()
1089 reply.enc_part.enctype = initial_reply_key->enctype; in tgs_issue_ticket()
1090 ret = kdc_fast_response_handle_padata(fast_state, t->req, &reply, in tgs_issue_ticket()
1091 initial_reply_key->enctype); in tgs_issue_ticket()
1098 ret = return_enc_padata(context, pkt, t->req, fast_reply_key, t->server, in tgs_issue_ticket()
1100 t->is_referral && in tgs_issue_ticket()
1101 (t->req->kdc_options & KDC_OPT_CANONICALIZE)); in tgs_issue_ticket()
1107 ret = kau_make_tkt_id(context, &ticket_reply, &au_state->tkt_out_id); in tgs_issue_ticket()
1114 t->subkey != NULL, fast_reply_key, &reply, in tgs_issue_ticket()
1119 log_tgs_req(context, from, t->req, &reply, t->cprinc, t->sprinc, in tgs_issue_ticket()
1120 t->s4u_cprinc, t->authtime, t->flags, "ISSUE", 0, NULL); in tgs_issue_ticket()
1121 au_state->status = "ISSUE"; in tgs_issue_ticket()
1122 au_state->reply = &reply; in tgs_issue_ticket()
1123 if (t->flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) in tgs_issue_ticket()
1126 au_state->reply = NULL; in tgs_issue_ticket()
1142 free_req_info(krb5_context context, struct tgs_req_info *t) in free_req_info() argument
1144 krb5_free_kdc_req(context, t->req); in free_req_info()
1145 krb5_free_ticket(context, t->header_tkt); in free_req_info()
1146 krb5_db_free_principal(context, t->header_server); in free_req_info()
1147 krb5_free_keyblock(context, t->header_key); in free_req_info()
1148 krb5_free_keyblock(context, t->subkey); in free_req_info()
1149 krb5_pac_free(context, t->header_pac); in free_req_info()
1150 krb5_pac_free(context, t->stkt_pac); in free_req_info()
1151 krb5_db_free_principal(context, t->stkt_server); in free_req_info()
1152 krb5_free_keyblock(context, t->stkt_server_key); in free_req_info()
1153 krb5_db_free_principal(context, t->local_tgt_storage); in free_req_info()
1154 krb5_free_keyblock_contents(context, &t->local_tgt_key); in free_req_info()
1155 krb5_db_free_principal(context, t->server); in free_req_info()
1156 krb5_db_free_principal(context, t->client); in free_req_info()
1157 krb5_free_pa_s4u_x509_user(context, t->s4u2self); in free_req_info()
1158 krb5_free_principal(context, t->stkt_pac_client); in free_req_info()
1159 k5_free_data_ptr_list(t->auth_indicators); in free_req_info()
1160 krb5_free_data_contents(context, &t->new_transited); in free_req_info()
1168 krb5_context context = realm->realm_context; in process_tgs_req()
1170 struct tgs_req_info t = { 0 }; in process_tgs_req() local
1187 &t, &status); in process_tgs_req()
1191 ret = check_tgs_req(realm, &t, au_state, &tktflags, ×, &status, in process_tgs_req()
1196 ret = tgs_issue_ticket(realm, &t, tktflags, ×, pkt, from, fast_state, in process_tgs_req()
1207 log_tgs_req(context, from, t.req, NULL, t.cprinc, t.sprinc, in process_tgs_req()
1208 t.s4u_cprinc, t.authtime, t.flags, status, ret, emsg); in process_tgs_req()
1212 au_state->status = status; in process_tgs_req()
1218 ret = prepare_error_tgs(fast_state, t.req, t.header_tkt, ret, in process_tgs_req()
1219 (t.server != NULL) ? t.server->princ : NULL, in process_tgs_req()
1226 free_req_info(context, &t); in process_tgs_req()