* kinit.c (krb5_validate_tgt): new function, takes a credential cache with an

tgt with the "invalid flag" set, and asks the kdc to validate it. Wipes cache
and stores only the newly validated credential. (After all, there won't be any
others, because the invalid krbtgt couldn't have gotten them.) Most of the code
is taken from krb5_mk_req, since it did the right thing.
(main): add -v option, validates the ticket already in the selected cache.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7894 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 64 insertions, 1 deletions

diff --git a/src/clients/kinit/ChangeLog b/src/clients/kinit/ChangeLog
index b4e064f3d..85330fb88 100644
--- a/src/clients/kinit/ChangeLog
+++ b/src/clients/kinit/ChangeLog
@@ -1,3 +1,14 @@
+Fri May  3 00:28:10 1996  Mark Eichin  <eichin@cygnus.com>
+
+	* kinit.c (krb5_validate_tgt): new function, takes a credential
+	cache with an tgt with the "invalid flag" set, and asks the kdc to
+	validate it. Wipes cache and stores only the newly validated
+	credential. (After all, there won't be any others, because the
+	invalid krbtgt couldn't have gotten them.) Most of the code is
+	taken from krb5_mk_req, since it did the right thing.
+	(main): add -v option, validates the ticket already in the
+	selected cache.
+
 Wed May  1 02:37:17 1996  Mark Eichin  <eichin@cygnus.com>
 
 	* kinit.c (main): add -s starttime option. Have it accept a delta
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 6c24adfd1..bb2109e0b 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -90,7 +90,7 @@ main(argc, argv)
     if (strrchr(argv[0], '/'))
 	argv[0] = strrchr(argv[0], '/')+1;
 
-    while ((option = getopt(argc, argv, "r:fpl:s:c:kt:")) != EOF) {
+    while ((option = getopt(argc, argv, "r:fpl:s:c:kt:v")) != EOF) {
 	switch (option) {
 	case 'r':
 	    options |= KDC_OPT_RENEWABLE;
@@ -100,6 +100,10 @@ main(argc, argv)
 		errflg++;
 	    }
 	    break;
+	case 'v':
+	    /* validate the ticket */
+	    options |= KDC_OPT_VALIDATE;
+	    break;
 	case 'p':
 	    options |= KDC_OPT_PROXIABLE;
 	    break;
@@ -268,6 +272,18 @@ main(argc, argv)
     } else
 	my_creds.times.renew_till = 0;
 
+    if (options & KDC_OPT_VALIDATE) {
+        /* don't use get_in_tkt, just use mk_req... */
+        krb5_data outbuf;
+
+        code = krb5_validate_tgt(kcontext, ccache, server, &outbuf);
+	if (code) {
+	  com_err (argv[0], code, "validating tgt");
+	  exit(1);
+	}
+	/* should be done... */
+	exit(0);
+    }
 #ifndef NO_KEYTAB
     if (!use_keytab)
 #endif
@@ -324,3 +340,39 @@ main(argc, argv)
     
     exit(0);
 }
+
+/* stripped down version of krb5_mk_req */
+krb5_error_code krb5_validate_tgt(context, ccache, server, outbuf)
+     krb5_context context;
+     krb5_ccache ccache;
+     krb5_principal	  server; /* tgtname */
+     krb5_data *outbuf;
+{
+    krb5_auth_context   * auth_context = 0;
+    const krb5_flags      ap_req_options;
+    krb5_data           * in_data;
+
+    krb5_error_code 	  retval;
+    krb5_creds 		* credsp;
+    krb5_creds 		  creds;
+
+    /* obtain ticket & session key */
+    memset((char *)&creds, 0, sizeof(creds));
+    if ((retval = krb5_copy_principal(context, server, &creds.server)))
+	goto cleanup;
+
+    if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
+	goto cleanup_creds;
+
+    if ((retval = krb5_get_credentials_validate(context, 0,
+						ccache, &creds, &credsp)))
+	goto cleanup_creds;
+
+    /* we don't actually need to do the mk_req, just get the creds. */
+cleanup_creds:
+    krb5_free_cred_contents(context, &creds);
+
+cleanup:
+
+    return retval;
+}