authorSam Hartman <hartmans@mit.edu>2009-11-24 01:13:51 +0000
committerSam Hartman <hartmans@mit.edu>2009-11-24 01:13:51 +0000
commit1c79598bc3e0dcc9175afa42476d266a25ea84dc (patch)
treed7a72db3085b2979181416bf48e7127ecee6ddef
parenta92ce5330ff21bfde7d43fe705146d2f4ddd846c (diff)
Add
krb5_get_init_creds_opt_{set_fast_flags|get_fast_flags|set_out_ccache} git-svn-id: svn://anonsvn.mit.edu/krb5/users/hartmans/fast-negotiate@23333 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/include/k5-int.h2
-rw-r--r--src/include/krb5/krb5.hin31
-rw-r--r--src/lib/krb5/krb/gic_opt.c55
-rw-r--r--src/lib/krb5/libkrb5.exports3
4 files changed, 85 insertions, 6 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 70e80c7..0773e64 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1158,6 +1158,8 @@ typedef struct _krb5_gic_opt_private {
int num_preauth_data;
krb5_gic_opt_pa_data *preauth_data;
char * fast_ccache_name;
+ krb5_ccache out_ccache;
+ krb5_flags fast_flags;
} krb5_gic_opt_private;
/*
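Review bot: The two new private fields carry no comment, and the ownership of `out_ccache` is only visible from the gic_opt.c hunk where krb5int_gic_opte_private_free() closes it; that should be stated at the field so the next maintainer does not store a borrowed handle there. Suggested lines: `krb5_ccache out_ccache;   /* owned; closed by krb5int_gic_opte_private_free() */` and `krb5_flags fast_flags;    /* set via krb5_get_init_creds_opt_set_fast_flags() */`. The struct definition starts outside this hunk.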
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d569bcd..24e7173 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2261,15 +2261,34 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
+/**This API sets a ccache name that will contain some TGT on calls to
+ get_init_creds functions. If set, this ccache will be used for FAST
+ (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from
+ observation and active attack. If the fast_ccache_name is set, then FAST
+ may be required by the client library. In this and future versions, FAST
+ will be used if available; krb5_get_init_creds_opt_set_fast_flags() may be
+ used to require that the request fail is FAST is unavailable. In MIT
+ Kerberos 1.7 setting the fast ccache at all required that FAST be present
+ or the request would fail.*/
krb5_get_init_creds_opt *opt,
const char *fast_ccache_name);
-/* This API sets a ccache name that will contain some TGT on
- calls to get_init_creds functions. If set, this ccache will
- be used for FAST (draft-ietf-krb-wg-preauth-framework) to
- protect the AS-REQ from observation and active attack. If
- the fast_ccache_name is set, then FAST may be required by the
- client library. In this version FAST is required.*/
+/**Set a ccache where resulting credentials will be stored. If set, then the
+ * krb5_get_init_creds family of APIs will write out credentials to the given
+ * ccache. Setting an output ccache is desirable both because it simplifies
+ * calling code and because it permits the krb5_get_init_creds APIs to write
+ * out configuration information about the realm to the ccache.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
krb5_principal client, char *password,
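Review bot: The Doxygen block added at the top of the hunk lands inside the prototype of krb5_get_init_creds_opt_set_fast_ccache_name, between the function-name line and the `krb5_get_init_creds_opt *opt,` parameter line, so it is not attached to the declaration it documents; it should be moved above the preceding `krb5_error_code KRB5_CALLCONV` line. The same block has a typo: `used to require that the request fail is FAST is unavailable` should read `used to require that the request fail if FAST is unavailable`. The new krb5_get_init_creds_opt_set_fast_flags and krb5_get_init_creds_opt_get_fast_flags prototypes have no documentation at all; a `/** ... */` block naming the accepted flag bits, that the getter writes 0 on error, and that the setter replaces rather than ORs the value would be expected on a public header. As far as this hunk shows, no flag constant is defined for the `flags` argument, so a caller has no named bit to pass to require FAST — if one is defined elsewhere in the header, the set_fast_flags comment should reference it.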
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index bff4539..f1d9479 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -149,6 +149,8 @@ krb5int_gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte)
free_gic_opt_ext_preauth_data(context, opte);
if (opte->opt_private->fast_ccache_name)
free(opte->opt_private->fast_ccache_name);
+ if (opte->opt_private->out_ccache)
+ krb5_cc_close(context, opte->opt_private->out_ccache);
free(opte->opt_private);
opte->opt_private = NULL;
return 0;
@@ -486,3 +488,56 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
retval = ENOMEM;
return retval;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_set_out_ccache");
+ if (retval)
+ return retval;
+ if (opte->opt_private->out_ccache) {
+ krb5_cc_close(context, opte->opt_private->out_ccache);
+ opte->opt_private->out_ccache = NULL;
+ }
+ retval = krb5_cc_resolve(context, krb5_cc_get_name(context, ccache),
+ &opte->opt_private->out_ccache);
+ return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_set_fast_flags");
+ if (retval)
+ return retval;
+ opte->opt_private->fast_flags = flags;
+ return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+ if (out_flags == NULL)
+ return EINVAL;
+ *out_flags = 0;
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_get_fast_flags");
+ if (retval)
+ return retval;
+ *out_flags = opte->opt_private->fast_flags;
+ return retval;
+}
+
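Review bot: krb5_get_init_creds_opt_set_out_ccache re-resolves the caller's ccache from krb5_cc_get_name() alone, which drops the cache type, so a cache of a non-default type (a MEMORY cache, for instance) would be re-resolved under the default type and the resulting credentials would be written somewhere other than the cache the caller passed. It also dereferences `ccache` through krb5_cc_get_name() with no NULL check, so a NULL argument crashes rather than returning EINVAL as krb5_get_init_creds_opt_get_fast_flags does for its out pointer. Prefixing the resolve string with krb5_cc_get_type() and rejecting NULL up front addresses both; the fence below shows the resolve path rewritten that way. Separately, krb5_get_init_creds_opt_set_fast_flags stores arbitrary bits unvalidated; if only specific bits are meaningful, masking or rejecting unknown ones would surface caller errors at set time rather than silently later.
```c
krb5_get_init_creds_opt_set_out_ccache
(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
{
    krb5_error_code retval = 0;
    krb5_gic_opt_ext *opte;
    char *full_name = NULL;

    if (ccache == NULL)
        return EINVAL;          /* krb5_cc_get_name() would dereference it */
    /* … unchanged: krb5int_gic_opt_to_opte() lookup and close of any previous out_ccache … */
    /* Keep the "type:" prefix so a non-default cache type survives re-resolution. */
    if (asprintf(&full_name, "%s:%s", krb5_cc_get_type(context, ccache),
                 krb5_cc_get_name(context, ccache)) < 0)
        return ENOMEM;
    retval = krb5_cc_resolve(context, full_name,
                             &opte->opt_private->out_ccache);
    free(full_name);
    return retval;
}
```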
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index f27a86e..9f26150 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -331,6 +331,7 @@ krb5_get_init_creds_keytab
krb5_get_init_creds_opt_alloc
krb5_get_init_creds_opt_free
krb5_get_init_creds_opt_free_pa
+krb5_get_init_creds_opt_get_fast_flags
krb5_get_init_creds_opt_get_pa
krb5_get_init_creds_opt_init
krb5_get_init_creds_opt_set_address_list
@@ -338,7 +339,9 @@ krb5_get_init_creds_opt_set_canonicalize
krb5_get_init_creds_opt_set_change_password_prompt
krb5_get_init_creds_opt_set_etype_list
krb5_get_init_creds_opt_set_fast_ccache_name
+krb5_get_init_creds_opt_set_fast_flags
krb5_get_init_creds_opt_set_forwardable
+krb5_get_init_creds_opt_set_out_ccache
krb5_get_init_creds_opt_set_pa
krb5_get_init_creds_opt_set_preauth_list
krb5_get_init_creds_opt_set_proxiable