1*0a6a1f1dSLionel Sambuc /* $NetBSD: rd_cred.c,v 1.1.1.2 2014/04/24 12:45:51 pettai Exp $ */
2ebfedea0SLionel Sambuc
3ebfedea0SLionel Sambuc /*
4ebfedea0SLionel Sambuc * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
5ebfedea0SLionel Sambuc * (Royal Institute of Technology, Stockholm, Sweden).
6ebfedea0SLionel Sambuc * All rights reserved.
7ebfedea0SLionel Sambuc *
8ebfedea0SLionel Sambuc * Redistribution and use in source and binary forms, with or without
9ebfedea0SLionel Sambuc * modification, are permitted provided that the following conditions
10ebfedea0SLionel Sambuc * are met:
11ebfedea0SLionel Sambuc *
12ebfedea0SLionel Sambuc * 1. Redistributions of source code must retain the above copyright
13ebfedea0SLionel Sambuc * notice, this list of conditions and the following disclaimer.
14ebfedea0SLionel Sambuc *
15ebfedea0SLionel Sambuc * 2. Redistributions in binary form must reproduce the above copyright
16ebfedea0SLionel Sambuc * notice, this list of conditions and the following disclaimer in the
17ebfedea0SLionel Sambuc * documentation and/or other materials provided with the distribution.
18ebfedea0SLionel Sambuc *
19ebfedea0SLionel Sambuc * 3. Neither the name of the Institute nor the names of its contributors
20ebfedea0SLionel Sambuc * may be used to endorse or promote products derived from this software
21ebfedea0SLionel Sambuc * without specific prior written permission.
22ebfedea0SLionel Sambuc *
23ebfedea0SLionel Sambuc * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24ebfedea0SLionel Sambuc * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25ebfedea0SLionel Sambuc * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ebfedea0SLionel Sambuc * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27ebfedea0SLionel Sambuc * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28ebfedea0SLionel Sambuc * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29ebfedea0SLionel Sambuc * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30ebfedea0SLionel Sambuc * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31ebfedea0SLionel Sambuc * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32ebfedea0SLionel Sambuc * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33ebfedea0SLionel Sambuc * SUCH DAMAGE.
34ebfedea0SLionel Sambuc */
35ebfedea0SLionel Sambuc
36ebfedea0SLionel Sambuc #include "krb5_locl.h"
37ebfedea0SLionel Sambuc
38ebfedea0SLionel Sambuc static krb5_error_code
compare_addrs(krb5_context context,krb5_address * a,krb5_address * b,const char * message)39ebfedea0SLionel Sambuc compare_addrs(krb5_context context,
40ebfedea0SLionel Sambuc krb5_address *a,
41ebfedea0SLionel Sambuc krb5_address *b,
42ebfedea0SLionel Sambuc const char *message)
43ebfedea0SLionel Sambuc {
44ebfedea0SLionel Sambuc char a_str[64], b_str[64];
45ebfedea0SLionel Sambuc size_t len;
46ebfedea0SLionel Sambuc
47ebfedea0SLionel Sambuc if(krb5_address_compare (context, a, b))
48ebfedea0SLionel Sambuc return 0;
49ebfedea0SLionel Sambuc
50ebfedea0SLionel Sambuc krb5_print_address (a, a_str, sizeof(a_str), &len);
51ebfedea0SLionel Sambuc krb5_print_address (b, b_str, sizeof(b_str), &len);
52ebfedea0SLionel Sambuc krb5_set_error_message(context, KRB5KRB_AP_ERR_BADADDR,
53ebfedea0SLionel Sambuc "%s: %s != %s", message, b_str, a_str);
54ebfedea0SLionel Sambuc return KRB5KRB_AP_ERR_BADADDR;
55ebfedea0SLionel Sambuc }
56ebfedea0SLionel Sambuc
57ebfedea0SLionel Sambuc KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred(krb5_context context,krb5_auth_context auth_context,krb5_data * in_data,krb5_creds *** ret_creds,krb5_replay_data * outdata)58ebfedea0SLionel Sambuc krb5_rd_cred(krb5_context context,
59ebfedea0SLionel Sambuc krb5_auth_context auth_context,
60ebfedea0SLionel Sambuc krb5_data *in_data,
61ebfedea0SLionel Sambuc krb5_creds ***ret_creds,
62ebfedea0SLionel Sambuc krb5_replay_data *outdata)
63ebfedea0SLionel Sambuc {
64ebfedea0SLionel Sambuc krb5_error_code ret;
65ebfedea0SLionel Sambuc size_t len;
66ebfedea0SLionel Sambuc KRB_CRED cred;
67ebfedea0SLionel Sambuc EncKrbCredPart enc_krb_cred_part;
68ebfedea0SLionel Sambuc krb5_data enc_krb_cred_part_data;
69ebfedea0SLionel Sambuc krb5_crypto crypto;
70*0a6a1f1dSLionel Sambuc size_t i;
71ebfedea0SLionel Sambuc
72ebfedea0SLionel Sambuc memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
73*0a6a1f1dSLionel Sambuc krb5_data_zero(&enc_krb_cred_part_data);
74ebfedea0SLionel Sambuc
75ebfedea0SLionel Sambuc if ((auth_context->flags &
76ebfedea0SLionel Sambuc (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
77ebfedea0SLionel Sambuc outdata == NULL)
78ebfedea0SLionel Sambuc return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
79ebfedea0SLionel Sambuc
80ebfedea0SLionel Sambuc *ret_creds = NULL;
81ebfedea0SLionel Sambuc
82ebfedea0SLionel Sambuc ret = decode_KRB_CRED(in_data->data, in_data->length,
83ebfedea0SLionel Sambuc &cred, &len);
84ebfedea0SLionel Sambuc if(ret) {
85ebfedea0SLionel Sambuc krb5_clear_error_message(context);
86ebfedea0SLionel Sambuc return ret;
87ebfedea0SLionel Sambuc }
88ebfedea0SLionel Sambuc
89ebfedea0SLionel Sambuc if (cred.pvno != 5) {
90ebfedea0SLionel Sambuc ret = KRB5KRB_AP_ERR_BADVERSION;
91ebfedea0SLionel Sambuc krb5_clear_error_message (context);
92ebfedea0SLionel Sambuc goto out;
93ebfedea0SLionel Sambuc }
94ebfedea0SLionel Sambuc
95ebfedea0SLionel Sambuc if (cred.msg_type != krb_cred) {
96ebfedea0SLionel Sambuc ret = KRB5KRB_AP_ERR_MSG_TYPE;
97ebfedea0SLionel Sambuc krb5_clear_error_message (context);
98ebfedea0SLionel Sambuc goto out;
99ebfedea0SLionel Sambuc }
100ebfedea0SLionel Sambuc
101ebfedea0SLionel Sambuc if (cred.enc_part.etype == ETYPE_NULL) {
102ebfedea0SLionel Sambuc /* DK: MIT GSS-API Compatibility */
103ebfedea0SLionel Sambuc enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
104ebfedea0SLionel Sambuc enc_krb_cred_part_data.data = cred.enc_part.cipher.data;
105ebfedea0SLionel Sambuc } else {
106ebfedea0SLionel Sambuc /* Try both subkey and session key.
107ebfedea0SLionel Sambuc *
108ebfedea0SLionel Sambuc * RFC4120 claims we should use the session key, but Heimdal
109ebfedea0SLionel Sambuc * before 0.8 used the remote subkey if it was send in the
110ebfedea0SLionel Sambuc * auth_context.
111ebfedea0SLionel Sambuc */
112ebfedea0SLionel Sambuc
113ebfedea0SLionel Sambuc if (auth_context->remote_subkey) {
114ebfedea0SLionel Sambuc ret = krb5_crypto_init(context, auth_context->remote_subkey,
115ebfedea0SLionel Sambuc 0, &crypto);
116ebfedea0SLionel Sambuc if (ret)
117ebfedea0SLionel Sambuc goto out;
118ebfedea0SLionel Sambuc
119ebfedea0SLionel Sambuc ret = krb5_decrypt_EncryptedData(context,
120ebfedea0SLionel Sambuc crypto,
121ebfedea0SLionel Sambuc KRB5_KU_KRB_CRED,
122ebfedea0SLionel Sambuc &cred.enc_part,
123ebfedea0SLionel Sambuc &enc_krb_cred_part_data);
124ebfedea0SLionel Sambuc
125ebfedea0SLionel Sambuc krb5_crypto_destroy(context, crypto);
126ebfedea0SLionel Sambuc }
127ebfedea0SLionel Sambuc
128ebfedea0SLionel Sambuc /*
129ebfedea0SLionel Sambuc * If there was not subkey, or we failed using subkey,
130ebfedea0SLionel Sambuc * retry using the session key
131ebfedea0SLionel Sambuc */
132ebfedea0SLionel Sambuc if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
133ebfedea0SLionel Sambuc {
134ebfedea0SLionel Sambuc
135ebfedea0SLionel Sambuc ret = krb5_crypto_init(context, auth_context->keyblock,
136ebfedea0SLionel Sambuc 0, &crypto);
137ebfedea0SLionel Sambuc
138ebfedea0SLionel Sambuc if (ret)
139ebfedea0SLionel Sambuc goto out;
140ebfedea0SLionel Sambuc
141ebfedea0SLionel Sambuc ret = krb5_decrypt_EncryptedData(context,
142ebfedea0SLionel Sambuc crypto,
143ebfedea0SLionel Sambuc KRB5_KU_KRB_CRED,
144ebfedea0SLionel Sambuc &cred.enc_part,
145ebfedea0SLionel Sambuc &enc_krb_cred_part_data);
146ebfedea0SLionel Sambuc
147ebfedea0SLionel Sambuc krb5_crypto_destroy(context, crypto);
148ebfedea0SLionel Sambuc }
149ebfedea0SLionel Sambuc if (ret)
150ebfedea0SLionel Sambuc goto out;
151ebfedea0SLionel Sambuc }
152ebfedea0SLionel Sambuc
153ebfedea0SLionel Sambuc ret = decode_EncKrbCredPart(enc_krb_cred_part_data.data,
154ebfedea0SLionel Sambuc enc_krb_cred_part_data.length,
155ebfedea0SLionel Sambuc &enc_krb_cred_part,
156ebfedea0SLionel Sambuc &len);
157ebfedea0SLionel Sambuc if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data)
158ebfedea0SLionel Sambuc krb5_data_free(&enc_krb_cred_part_data);
159ebfedea0SLionel Sambuc if (ret) {
160ebfedea0SLionel Sambuc krb5_set_error_message(context, ret,
161ebfedea0SLionel Sambuc N_("Failed to decode "
162ebfedea0SLionel Sambuc "encrypte credential part", ""));
163ebfedea0SLionel Sambuc goto out;
164ebfedea0SLionel Sambuc }
165ebfedea0SLionel Sambuc
166ebfedea0SLionel Sambuc /* check sender address */
167ebfedea0SLionel Sambuc
168ebfedea0SLionel Sambuc if (enc_krb_cred_part.s_address
169ebfedea0SLionel Sambuc && auth_context->remote_address
170ebfedea0SLionel Sambuc && auth_context->remote_port) {
171ebfedea0SLionel Sambuc krb5_address *a;
172ebfedea0SLionel Sambuc
173ebfedea0SLionel Sambuc ret = krb5_make_addrport (context, &a,
174ebfedea0SLionel Sambuc auth_context->remote_address,
175ebfedea0SLionel Sambuc auth_context->remote_port);
176ebfedea0SLionel Sambuc if (ret)
177ebfedea0SLionel Sambuc goto out;
178ebfedea0SLionel Sambuc
179ebfedea0SLionel Sambuc
180ebfedea0SLionel Sambuc ret = compare_addrs(context, a, enc_krb_cred_part.s_address,
181ebfedea0SLionel Sambuc N_("sender address is wrong "
182ebfedea0SLionel Sambuc "in received creds", ""));
183ebfedea0SLionel Sambuc krb5_free_address(context, a);
184ebfedea0SLionel Sambuc free(a);
185ebfedea0SLionel Sambuc if(ret)
186ebfedea0SLionel Sambuc goto out;
187ebfedea0SLionel Sambuc }
188ebfedea0SLionel Sambuc
189ebfedea0SLionel Sambuc /* check receiver address */
190ebfedea0SLionel Sambuc
191ebfedea0SLionel Sambuc if (enc_krb_cred_part.r_address
192ebfedea0SLionel Sambuc && auth_context->local_address) {
193ebfedea0SLionel Sambuc if(auth_context->local_port &&
194ebfedea0SLionel Sambuc enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) {
195ebfedea0SLionel Sambuc krb5_address *a;
196ebfedea0SLionel Sambuc ret = krb5_make_addrport (context, &a,
197ebfedea0SLionel Sambuc auth_context->local_address,
198ebfedea0SLionel Sambuc auth_context->local_port);
199ebfedea0SLionel Sambuc if (ret)
200ebfedea0SLionel Sambuc goto out;
201ebfedea0SLionel Sambuc
202ebfedea0SLionel Sambuc ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
203ebfedea0SLionel Sambuc N_("receiver address is wrong "
204ebfedea0SLionel Sambuc "in received creds", ""));
205ebfedea0SLionel Sambuc krb5_free_address(context, a);
206ebfedea0SLionel Sambuc free(a);
207ebfedea0SLionel Sambuc if(ret)
208ebfedea0SLionel Sambuc goto out;
209ebfedea0SLionel Sambuc } else {
210ebfedea0SLionel Sambuc ret = compare_addrs(context, auth_context->local_address,
211ebfedea0SLionel Sambuc enc_krb_cred_part.r_address,
212ebfedea0SLionel Sambuc N_("receiver address is wrong "
213ebfedea0SLionel Sambuc "in received creds", ""));
214ebfedea0SLionel Sambuc if(ret)
215ebfedea0SLionel Sambuc goto out;
216ebfedea0SLionel Sambuc }
217ebfedea0SLionel Sambuc }
218ebfedea0SLionel Sambuc
219ebfedea0SLionel Sambuc /* check timestamp */
220ebfedea0SLionel Sambuc if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
221ebfedea0SLionel Sambuc krb5_timestamp sec;
222ebfedea0SLionel Sambuc
223ebfedea0SLionel Sambuc krb5_timeofday (context, &sec);
224ebfedea0SLionel Sambuc
225ebfedea0SLionel Sambuc if (enc_krb_cred_part.timestamp == NULL ||
226ebfedea0SLionel Sambuc enc_krb_cred_part.usec == NULL ||
227ebfedea0SLionel Sambuc abs(*enc_krb_cred_part.timestamp - sec)
228ebfedea0SLionel Sambuc > context->max_skew) {
229ebfedea0SLionel Sambuc krb5_clear_error_message (context);
230ebfedea0SLionel Sambuc ret = KRB5KRB_AP_ERR_SKEW;
231ebfedea0SLionel Sambuc goto out;
232ebfedea0SLionel Sambuc }
233ebfedea0SLionel Sambuc }
234ebfedea0SLionel Sambuc
235ebfedea0SLionel Sambuc if ((auth_context->flags &
236ebfedea0SLionel Sambuc (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
237ebfedea0SLionel Sambuc /* if these fields are not present in the cred-part, silently
238ebfedea0SLionel Sambuc return zero */
239ebfedea0SLionel Sambuc memset(outdata, 0, sizeof(*outdata));
240ebfedea0SLionel Sambuc if(enc_krb_cred_part.timestamp)
241ebfedea0SLionel Sambuc outdata->timestamp = *enc_krb_cred_part.timestamp;
242ebfedea0SLionel Sambuc if(enc_krb_cred_part.usec)
243ebfedea0SLionel Sambuc outdata->usec = *enc_krb_cred_part.usec;
244ebfedea0SLionel Sambuc if(enc_krb_cred_part.nonce)
245ebfedea0SLionel Sambuc outdata->seq = *enc_krb_cred_part.nonce;
246ebfedea0SLionel Sambuc }
247ebfedea0SLionel Sambuc
248ebfedea0SLionel Sambuc /* Convert to NULL terminated list of creds */
249ebfedea0SLionel Sambuc
250ebfedea0SLionel Sambuc *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
251ebfedea0SLionel Sambuc sizeof(**ret_creds));
252ebfedea0SLionel Sambuc
253ebfedea0SLionel Sambuc if (*ret_creds == NULL) {
254ebfedea0SLionel Sambuc ret = ENOMEM;
255ebfedea0SLionel Sambuc krb5_set_error_message(context, ret,
256ebfedea0SLionel Sambuc N_("malloc: out of memory", ""));
257ebfedea0SLionel Sambuc goto out;
258ebfedea0SLionel Sambuc }
259ebfedea0SLionel Sambuc
260ebfedea0SLionel Sambuc for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
261ebfedea0SLionel Sambuc KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
262ebfedea0SLionel Sambuc krb5_creds *creds;
263ebfedea0SLionel Sambuc
264ebfedea0SLionel Sambuc creds = calloc(1, sizeof(*creds));
265ebfedea0SLionel Sambuc if(creds == NULL) {
266ebfedea0SLionel Sambuc ret = ENOMEM;
267ebfedea0SLionel Sambuc krb5_set_error_message(context, ret,
268ebfedea0SLionel Sambuc N_("malloc: out of memory", ""));
269ebfedea0SLionel Sambuc goto out;
270ebfedea0SLionel Sambuc }
271ebfedea0SLionel Sambuc
272ebfedea0SLionel Sambuc ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
273ebfedea0SLionel Sambuc &cred.tickets.val[i], &len, ret);
274ebfedea0SLionel Sambuc if (ret) {
275ebfedea0SLionel Sambuc free(creds);
276ebfedea0SLionel Sambuc goto out;
277ebfedea0SLionel Sambuc }
278ebfedea0SLionel Sambuc if(creds->ticket.length != len)
279ebfedea0SLionel Sambuc krb5_abortx(context, "internal error in ASN.1 encoder");
280ebfedea0SLionel Sambuc copy_EncryptionKey (&kci->key, &creds->session);
281ebfedea0SLionel Sambuc if (kci->prealm && kci->pname)
282ebfedea0SLionel Sambuc _krb5_principalname2krb5_principal (context,
283ebfedea0SLionel Sambuc &creds->client,
284ebfedea0SLionel Sambuc *kci->pname,
285ebfedea0SLionel Sambuc *kci->prealm);
286ebfedea0SLionel Sambuc if (kci->flags)
287ebfedea0SLionel Sambuc creds->flags.b = *kci->flags;
288ebfedea0SLionel Sambuc if (kci->authtime)
289ebfedea0SLionel Sambuc creds->times.authtime = *kci->authtime;
290ebfedea0SLionel Sambuc if (kci->starttime)
291ebfedea0SLionel Sambuc creds->times.starttime = *kci->starttime;
292ebfedea0SLionel Sambuc if (kci->endtime)
293ebfedea0SLionel Sambuc creds->times.endtime = *kci->endtime;
294ebfedea0SLionel Sambuc if (kci->renew_till)
295ebfedea0SLionel Sambuc creds->times.renew_till = *kci->renew_till;
296ebfedea0SLionel Sambuc if (kci->srealm && kci->sname)
297ebfedea0SLionel Sambuc _krb5_principalname2krb5_principal (context,
298ebfedea0SLionel Sambuc &creds->server,
299ebfedea0SLionel Sambuc *kci->sname,
300ebfedea0SLionel Sambuc *kci->srealm);
301ebfedea0SLionel Sambuc if (kci->caddr)
302ebfedea0SLionel Sambuc krb5_copy_addresses (context,
303ebfedea0SLionel Sambuc kci->caddr,
304ebfedea0SLionel Sambuc &creds->addresses);
305ebfedea0SLionel Sambuc
306ebfedea0SLionel Sambuc (*ret_creds)[i] = creds;
307ebfedea0SLionel Sambuc
308ebfedea0SLionel Sambuc }
309ebfedea0SLionel Sambuc (*ret_creds)[i] = NULL;
310ebfedea0SLionel Sambuc
311ebfedea0SLionel Sambuc free_KRB_CRED (&cred);
312ebfedea0SLionel Sambuc free_EncKrbCredPart(&enc_krb_cred_part);
313ebfedea0SLionel Sambuc
314ebfedea0SLionel Sambuc return 0;
315ebfedea0SLionel Sambuc
316ebfedea0SLionel Sambuc out:
317ebfedea0SLionel Sambuc free_EncKrbCredPart(&enc_krb_cred_part);
318ebfedea0SLionel Sambuc free_KRB_CRED (&cred);
319ebfedea0SLionel Sambuc if(*ret_creds) {
320ebfedea0SLionel Sambuc for(i = 0; (*ret_creds)[i]; i++)
321ebfedea0SLionel Sambuc krb5_free_creds(context, (*ret_creds)[i]);
322ebfedea0SLionel Sambuc free(*ret_creds);
323ebfedea0SLionel Sambuc *ret_creds = NULL;
324ebfedea0SLionel Sambuc }
325ebfedea0SLionel Sambuc return ret;
326ebfedea0SLionel Sambuc }
327ebfedea0SLionel Sambuc
328ebfedea0SLionel Sambuc KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred2(krb5_context context,krb5_auth_context auth_context,krb5_ccache ccache,krb5_data * in_data)329ebfedea0SLionel Sambuc krb5_rd_cred2 (krb5_context context,
330ebfedea0SLionel Sambuc krb5_auth_context auth_context,
331ebfedea0SLionel Sambuc krb5_ccache ccache,
332ebfedea0SLionel Sambuc krb5_data *in_data)
333ebfedea0SLionel Sambuc {
334ebfedea0SLionel Sambuc krb5_error_code ret;
335ebfedea0SLionel Sambuc krb5_creds **creds;
336ebfedea0SLionel Sambuc int i;
337ebfedea0SLionel Sambuc
338ebfedea0SLionel Sambuc ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL);
339ebfedea0SLionel Sambuc if(ret)
340ebfedea0SLionel Sambuc return ret;
341ebfedea0SLionel Sambuc
342ebfedea0SLionel Sambuc /* Store the creds in the ccache */
343ebfedea0SLionel Sambuc
344ebfedea0SLionel Sambuc for(i = 0; creds && creds[i]; i++) {
345ebfedea0SLionel Sambuc krb5_cc_store_cred(context, ccache, creds[i]);
346ebfedea0SLionel Sambuc krb5_free_creds(context, creds[i]);
347ebfedea0SLionel Sambuc }
348ebfedea0SLionel Sambuc free(creds);
349ebfedea0SLionel Sambuc return 0;
350ebfedea0SLionel Sambuc }
351