169  *   1. Get a TGT for the service principal's realm (STATE_GET_TGT).
171  *   3. In some cases, get a TGT for the fallback realm (STATE_GET_TGT again).
185     STATE_GET_TGT,              /* Getting TGT for service realm */
202     krb5_data start_realm;      /* Realm of starting TGT in ccache */
207     krb5_boolean referral_req;  /* Server initially contained referral realm */
225     krb5_data *realm_path;      /* Path from client to server realm */
226     const krb5_data *last_realm;/* Last realm in realm_path */
228     const krb5_data *next_realm;/* Current target realm in realm_path */
239     krb5_data *caller_realm;    /* Caller's realm parameter */
250  * Fill in the caller out, realm, and flags output variables.  out is filled in
251  * with ctx->previous_request, which the caller should set, and realm is filled
252  * in with the realm of ctx->cur_tgt.
259     const krb5_data *realm = &ctx->cur_tgt->server->data[1];  in set_caller_request()  local
265     code = krb5int_copy_data_contents(context, realm, &realm_copy);  in set_caller_request()
319 /* Set up a request for a TGT for realm, using ctx->cur_tgt. */
322                      const krb5_data *realm)  in make_request_for_tgt()  argument
326     /* Construct the principal krbtgt/<realm>@<cur-tgt-realm>. */  in make_request_for_tgt()
329     code = krb5int_tgtname(context, realm, &ctx->cur_tgt->server->data[1],  in make_request_for_tgt()
414 /* Add realm to ctx->realms_seen so that we can avoid revisiting it later. */
417                const krb5_data *realm)  in remember_realm()  argument
431     return krb5int_copy_data_contents(context, realm, &new_list[len]);  in remember_realm()
434 /* Return TRUE if realm appears to ctx->realms_seen. */
437                   const krb5_data *realm)  in seen_realm_before()  argument
443             if (data_eq(ctx->realms_seen[i], *realm))  in seen_realm_before()
512     /* If the request used a specified realm, make a non-referral request to  in try_fallback()
513      * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */  in try_fallback()
518         /* We need a type/host format principal to find a fallback realm. */  in try_fallback()
528     /* If the fallback realm isn't any different, use the existing TGT. */  in try_fallback()
529     if (data_eq_string(ctx->server->realm, hrealms[0])) {  in try_fallback()
534     /* Rewrite server->realm to be the fallback realm. */  in try_fallback()
535     krb5_free_data_contents(context, &ctx->server->realm);  in try_fallback()
536     ctx->server->realm = string2data(hrealms[0]);  in try_fallback()
538     TRACE_TKT_CREDS_FALLBACK(context, &ctx->server->realm);  in try_fallback()
540     /* Obtain a TGT for the new service realm. */  in try_fallback()
573      * the realm. */  in step_referrals()
593     /* Active Directory may return a TGT to the local realm.  Try a  in step_referrals()
625     /* Rewrite the server realm to be the referral realm. */  in step_referrals()
626     krb5_free_data_contents(context, &ctx->server->realm);  in step_referrals()
628                                       &ctx->server->realm);  in step_referrals()
638  * ctx->realm->server.
658  * service principal had an explicitly specified foreign realm, or after it
659  * fails, if we wind up using the fallback realm.  end_get_tgt() advances to
673  * the KDCs in the expected path, a TGT for a realm not in the path.  This may
676  * realm TGT, until we get it, fail, or give up.
699     /* Check if we've seen this realm before, and remember it. */  in step_get_tgt_offpath()
707     if (data_eq(*tgt_realm, ctx->server->realm)) {  in step_get_tgt_offpath()
708         /* We received the server realm TGT we asked for. */  in step_get_tgt_offpath()
716     return make_request_for_tgt(context, ctx, &ctx->server->realm);  in step_get_tgt_offpath()
725     return make_request_for_tgt(context, ctx, &ctx->server->realm);  in begin_get_tgt_offpath()
732  * the local realm and the target realm, using k5_client_realm_path().  Usually
736  * We begin with cur_realm set to the local realm (R1) and next_realm set to
737  * the target realm (Rn).  At each step, we check to see if we have a cached
742  * for the realm we asked for, so we search for it in the path.  The realm of
744  * realm.  Overall, this is an O(n^2) process in the length of the path, but
748  * In some cases we may get back a TGT for a realm not in the path.  In that
754  * cross-realm TGT for realm retrieved from ctx->ccache.  Accept any issuing
755  * realm (i.e. match only the service principal name).  If the TGT is not found
760                const krb5_data *realm, krb5_creds **tgt_out)  in get_cached_tgt()  argument
775     /* Construct the TGT principal name (the realm part doesn't matter). */  in get_cached_tgt()
776     code = krb5int_tgtname(context, realm, realm, &tgtname);  in get_cached_tgt()
843 /* Initialize the realm path fields for getting a TGT for
844  * ctx->server->realm. */
852     /* Get the client realm path and count its length. */  in init_realm_path()
854                                 &ctx->server->realm, &realm_path);  in init_realm_path()
860     /* Initialize the realm path fields in ctx. */  in init_realm_path()
869 /* Find realm within the portion of ctx->realm_path following
873                    const krb5_data *realm)  in find_realm_in_path()  argument
878         if (data_eq(*r, *realm))  in find_realm_in_path()
886  * target realm appeared in the ccache since we started the TGT acquisition
896         /* Check if we have a cached TGT for the target realm. */  in get_tgt_request()
901             /* Advance the current realm and keep going. */  in get_tgt_request()
924         /* The last request failed.  Try the next-closest realm to  in step_get_tgt()
943         /* Remember that we saw this realm. */  in step_get_tgt()
956                 /* We received a TGT for the target realm. */  in step_get_tgt()
966             /* We were referred back to the local realm, which is bad. */  in step_get_tgt()
981  * specified server realm or for the fallback realm.  Expects that
982  * ctx->server->realm is the realm of the desired TGT, and that
995     is_local_service = data_eq(ctx->start_realm, ctx->server->realm);  in begin_get_tgt()
997         /* See if we have a cached TGT for the server realm. */  in begin_get_tgt()
998         code = get_cached_tgt(context, ctx, &ctx->server->realm, &cached_tgt);  in begin_get_tgt()
1020     /* Initialize the realm path. */  in begin_get_tgt()
1074     /* If the server realm is unspecified, start with the TGT realm. */  in begin()
1075     ctx->referral_req = krb5_is_referral_realm(&ctx->server->realm);  in begin()
1077         krb5_free_data_contents(context, &ctx->server->realm);  in begin()
1079                                           &ctx->server->realm);  in begin()
1085     /* Obtain a TGT for the service realm. */  in begin()
1143     /* Get the start realm from the cache config, defaulting to the client  in krb5_tkt_creds_init()
1144      * realm. */  in krb5_tkt_creds_init()
1148         code = krb5int_copy_data_contents(context, &ctx->client->realm,  in krb5_tkt_creds_init()
1212     krb5_data realm = empty_data();  in krb5_tkt_creds_get()  local
1217         /* Get the next request and realm.  Turn on TCP if necessary. */  in krb5_tkt_creds_get()
1218         code = krb5_tkt_creds_step(context, ctx, &reply, &request, &realm,  in krb5_tkt_creds_get()
1227         /* Send it to a KDC for the appropriate realm. */  in krb5_tkt_creds_get()
1228         code = k5_sendto_kdc(context, &request, &realm, FALSE, no_udp,  in krb5_tkt_creds_get()
1234         krb5_free_data_contents(context, &realm);  in krb5_tkt_creds_get()
1239     krb5_free_data_contents(context, &realm);  in krb5_tkt_creds_get()
1245                     krb5_data *in, krb5_data *out, krb5_data *realm,  in krb5_tkt_creds_step()  argument
1253     *realm = empty_data();  in krb5_tkt_creds_step()
1269     ctx->caller_realm = realm;  in krb5_tkt_creds_step()