void
k5_kinit_task_abort_and_release(k5_kinit_task * kt)
{
EnterCriticalSection(&kt->cs);
if (kt->state < K5_KINIT_STATE_ABORTED) {
_reportf(L"Aborting k5_kinit_task [%p] for principal [%S]", kt, kt->principal);
kt->state = K5_KINIT_STATE_ABORTED;
SetEvent(kt->h_task_wait);
} /* else, the task is in state DONE */
LeaveCriticalSection(&kt->cs);
k5_kinit_task_release(kt);
}
khm_int32
k5_kinit_task_confirm_and_wait(k5_kinit_task * kt)
{
retry:
EnterCriticalSection(&kt->cs);
switch (kt->state) {
case K5_KINIT_STATE_ABORTED:
case K5_KINIT_STATE_DONE:
/* The task is not running. */
LeaveCriticalSection(&kt->cs);
return KHM_ERROR_SUCCESS;
case K5_KINIT_STATE_PREP:
case K5_KINIT_STATE_INCALL:
case K5_KINIT_STATE_RETRY:
/* The task hasn't reached a wait state yet. We should wait
for one and retry. */
ResetEvent(kt->h_parent_wait);
LeaveCriticalSection(&kt->cs);
if (!wait_for_parent_or_until_aborted(kt))
return KHM_ERROR_ABORTED;
goto retry;
case K5_KINIT_STATE_WAIT:
_reportf(L"Confirming k5_kinit_task [%p] for principal [%S]", kt, kt->principal);
kt->state = K5_KINIT_STATE_CONFIRM;
ResetEvent(kt->h_parent_wait);
SetEvent(kt->h_task_wait);
break;
case K5_KINIT_STATE_CONFIRM:
assert(FALSE);
break;
default:
assert(FALSE);
}
LeaveCriticalSection(&kt->cs);
if (!wait_for_parent_or_until_aborted(kt))
return KHM_ERROR_ABORTED;
return KHM_ERROR_SUCCESS;
}
khm_int32
krb4_msg_newcred(khm_int32 msg_type, khm_int32 msg_subtype,
khm_ui_4 uparam, void * vparam) {
switch(msg_subtype) {
case KMSG_CRED_NEW_CREDS:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct;
khm_size cbsize;
wchar_t wbuf[256];
nc = (khui_new_creds *) vparam;
nct = PMALLOC(sizeof(*nct));
#ifdef DEBUG
assert(nct);
#endif
ZeroMemory(nct, sizeof(*nct));
nct->type = credtype_id_krb4;
nct->ordinal = 3;
LoadString(hResModule, IDS_NC_K4_SHORT,
wbuf, ARRAYLENGTH(wbuf));
StringCbLength(wbuf, sizeof(wbuf), &cbsize);
cbsize += sizeof(wchar_t);
nct->name = PMALLOC(cbsize);
StringCbCopy(nct->name, cbsize, wbuf);
nct->type_deps[nct->n_type_deps++] = credtype_id_krb5;
nct->h_module = hResModule;
nct->dlg_proc = k4_nc_dlg_proc;
nct->dlg_template = MAKEINTRESOURCE(IDD_NC_KRB4);
khui_cw_add_type(nc, nct);
}
break;
case KMSG_CRED_RENEW_CREDS:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct;
khm_size cbsize;
wchar_t wbuf[256];
khui_action_context * pctx = NULL;
nc = (khui_new_creds *) vparam;
pctx = khui_cw_get_ctx(nc);
if (!pctx->identity)
break;
nct = PMALLOC(sizeof(*nct));
#ifdef DEBUG
assert(nct);
#endif
ZeroMemory(nct, sizeof(*nct));
nct->type = credtype_id_krb4;
nct->ordinal = 3;
LoadString(hResModule, IDS_NC_K4_SHORT,
wbuf, ARRAYLENGTH(wbuf));
StringCbLength(wbuf, sizeof(wbuf), &cbsize);
cbsize += sizeof(wchar_t);
nct->name = PMALLOC(cbsize);
StringCbCopy(nct->name, cbsize, wbuf);
nct->type_deps[nct->n_type_deps++] = credtype_id_krb5;
khui_cw_add_type(nc, nct);
}
break;
case KMSG_CRED_DIALOG_SETUP:
break;
case KMSG_CRED_PROCESS:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct = NULL;
khm_handle ident = NULL;
khui_action_context * pctx = NULL;
k4_dlg_data * d = NULL;
long code = 0;
wchar_t idname[KCDB_IDENT_MAXCCH_NAME];
khm_size cb;
khm_int32 subtype;
nc = (khui_new_creds *) vparam;
if (KHM_FAILED(khui_cw_find_type(nc, credtype_id_krb4, &nct)))
break;
subtype = khui_cw_get_subtype(nc);
if (subtype == KMSG_CRED_NEW_CREDS ||
subtype == KMSG_CRED_RENEW_CREDS) {
khm_int32 method;
if (subtype == KMSG_CRED_NEW_CREDS) {
d = (k4_dlg_data *) nct->aux;
if (KHM_FAILED(khui_cw_get_primary_id(nc, &ident)))
break;
if (!d ||
khui_cw_get_result(nc) != KHUI_NC_RESULT_PROCESS) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_SUCCESS |
KHUI_NC_RESPONSE_EXIT);
kcdb_identity_release(ident);
break;
}
if (!d->k4_enabled) {
k4_write_identity_data(d);
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_SUCCESS |
KHUI_NC_RESPONSE_EXIT);
kcdb_identity_release(ident);
break;
}
method = d->method;
cb = sizeof(idname);
kcdb_identity_get_name(ident, idname, &cb);
_begin_task(0);
_report_sr0(KHERR_NONE, IDS_MSG_K4NEW);
_resolve();
_describe();
} else if (subtype == KMSG_CRED_RENEW_CREDS) {
pctx = khui_cw_get_ctx(nc);
if ((pctx->scope == KHUI_SCOPE_IDENT &&
pctx->identity != NULL) ||
(pctx->scope == KHUI_SCOPE_CREDTYPE &&
pctx->cred_type == credtype_id_krb4 &&
pctx->identity != NULL) ||
(pctx->scope == KHUI_SCOPE_CRED &&
pctx->cred_type == credtype_id_krb4 &&
pctx->identity != NULL &&
pctx->cred != NULL)) {
ident = pctx->identity;
kcdb_identity_hold(ident);
if (!k4_should_identity_get_k4(ident)) {
_reportf(L"Kerberos 4 is not enabled for this identity. Skipping");
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_EXIT);
kcdb_identity_release(ident);
break;
}
} else {
_reportf(L"Kerberos 4 is not within renewal scope. Skipping");
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_EXIT);
break;
}
method = K4_METHOD_K524; /* only k524 is supported
for renewals */
_begin_task(0);
cb = sizeof(idname);
kcdb_identity_get_name(ident, idname, &cb);
_report_sr0(KHERR_NONE, IDS_MSG_K4RENEW);
_resolve();
_describe();
} else {
assert(FALSE);
break;
}
_progress(0,1);
if ((method == K4_METHOD_AUTO ||
method == K4_METHOD_K524) &&
khui_cw_type_succeeded(nc, credtype_id_krb5)) {
khm_handle tgt;
FILETIME ft_prev;
FILETIME ft_new;
khm_size cb;
_report_cs0(KHERR_INFO, L"Trying K524...");
tgt = khm_krb4_find_tgt(NULL, ident);
_progress(1,3);
if (tgt) {
cb = sizeof(ft_prev);
if (KHM_FAILED(kcdb_cred_get_attr(tgt,
KCDB_ATTR_EXPIRE,
NULL,
&ft_prev,
&cb)))
ZeroMemory(&ft_prev, sizeof(ft_prev));
kcdb_cred_release(tgt);
}
code = khm_convert524(ident);
_progress(2,3);
_reportf(L"khm_convert524 returns code %d", code);
if (code == 0) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_SUCCESS |
KHUI_NC_RESPONSE_EXIT);
if (subtype == KMSG_CRED_NEW_CREDS) {
assert(d != NULL);
k4_write_identity_data(d);
} else if (subtype == KMSG_CRED_RENEW_CREDS &&
(pctx->scope == KHUI_SCOPE_CREDTYPE ||
pctx->scope == KHUI_SCOPE_CRED)) {
khm_krb4_list_tickets();
tgt = khm_krb4_find_tgt(NULL, ident);
if (tgt) {
cb = sizeof(ft_new);
ZeroMemory(&ft_new, sizeof(ft_new));
kcdb_cred_get_attr(tgt, KCDB_ATTR_EXPIRE,
NULL, &ft_new, &cb);
kcdb_cred_release(tgt);
}
if (!tgt ||
CompareFileTime(&ft_new, &ft_prev) <= 0) {
/* The new TGT wasn't much of an
improvement over what we already
had. We should go out and try to
renew the identity now. */
khui_action_context ctx;
_reportf(L"Renewal of Krb4 creds failed to get a longer TGT. Triggering identity renewal");
khui_context_create(&ctx,
KHUI_SCOPE_IDENT,
pctx->identity,
KCDB_CREDTYPE_INVALID,
NULL);
khui_action_trigger(KHUI_ACTION_RENEW_CRED,
&ctx);
khui_context_release(&ctx);
}
}
_progress(1,1);
_end_task();
if (ident)
kcdb_identity_release(ident);
break;
} else if (method == K4_METHOD_K524) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_EXIT);
if (subtype == KMSG_CRED_RENEW_CREDS &&
(pctx->scope == KHUI_SCOPE_CREDTYPE ||
pctx->scope == KHUI_SCOPE_CRED)) {
/* We were trying to get a new Krb4 TGT
for this identity. Sometimes this
fails because of restrictions placed on
K524d regarding the lifetime of the
issued K4 TGT. In this case, we
trigger a renewal of the identity in
the hope that the new K5 TGT will allow
us to successfully get a new K4 TGT
next time over using the new K5 TGT. */
khui_action_context ctx;
_reportf(L"Renewal of Krb4 creds failed using k524. Triggerring identity renewal.");
khui_context_create(&ctx,
KHUI_SCOPE_IDENT,
pctx->identity,
KCDB_CREDTYPE_INVALID,
NULL);
khui_action_trigger(KHUI_ACTION_RENEW_CRED,
&ctx);
khui_context_release(&ctx);
}
_progress(1,1);
_end_task();
if (ident)
kcdb_identity_release(ident);
break;
}
}
/* only supported for new credentials */
if (method == K4_METHOD_AUTO ||
method == K4_METHOD_PASSWORD) {
khm_size n_prompts = 0;
khm_size idx;
khm_size cb;
wchar_t wpwd[KHUI_MAXCCH_PROMPT_VALUE];
char pwd[KHUI_MAXCCH_PROMPT_VALUE];
wchar_t widname[KCDB_IDENT_MAXCCH_NAME];
char idname[KCDB_IDENT_MAXCCH_NAME];
char * aname = NULL;
char * inst = NULL;
char * realm = NULL;
assert(subtype == KMSG_CRED_NEW_CREDS);
_report_cs0(KHERR_INFO, L"Trying password ...");
code = TRUE; /* just has to be non-zero */
khui_cw_get_prompt_count(nc, &n_prompts);
if (n_prompts == 0)
goto _skip_pwd;
for (idx = 0; idx < n_prompts; idx++) {
khui_new_creds_prompt * p;
if (KHM_FAILED(khui_cw_get_prompt(nc, idx, &p)))
continue;
if (p->type == KHUI_NCPROMPT_TYPE_PASSWORD)
break;
}
if (idx >= n_prompts) {
_reportf(L"Password prompt not found");
goto _skip_pwd;
}
khui_cw_sync_prompt_values(nc);
cb = sizeof(wpwd);
if (KHM_FAILED(khui_cw_get_prompt_value(nc, idx,
wpwd,
&cb))) {
_reportf(L"Failed to obtain password value");
goto _skip_pwd;
}
UnicodeStrToAnsi(pwd, sizeof(pwd), wpwd);
cb = sizeof(widname);
kcdb_identity_get_name(ident,
widname,
&cb);
UnicodeStrToAnsi(idname, sizeof(idname), widname);
{
char * atsign;
atsign = strchr(idname, '@');
if (atsign == NULL) {
_reportf(L"Identity name does not contain an '@'");
goto _skip_pwd;
}
*atsign++ = 0;
realm = atsign;
}
{
char * slash;
slash = strchr(idname, '/');
if (slash != NULL) {
*slash++ = 0;
inst = slash;
} else {
inst = "";
}
}
aname = idname;
code = khm_krb4_kinit(aname, inst, realm,
(long) d->lifetime, pwd);
_progress(2,3);
_reportf(L"khm_krb4_kinit returns code %d", code);
_skip_pwd:
if (code) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_EXIT |
KHUI_NC_RESPONSE_FAILED);
} else {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_EXIT |
KHUI_NC_RESPONSE_SUCCESS);
if (subtype == KMSG_CRED_NEW_CREDS) {
assert(d != NULL);
k4_write_identity_data(d);
}
}
}
_progress(1,1);
_end_task();
}
if (ident)
kcdb_identity_release(ident);
}
break;
case KMSG_CRED_END:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct = NULL;
nc = (khui_new_creds *) vparam;
if (KHM_FAILED(khui_cw_find_type(nc, credtype_id_krb4, &nct)))
break;
khui_cw_del_type(nc, credtype_id_krb4);
if (nct->name)
PFREE(nct->name);
if (nct->credtext)
PFREE(nct->credtext);
PFREE(nct);
}
break;
}
return KHM_ERROR_SUCCESS;
}
/* Executed inside a task object */
static khm_int32 __stdcall
kinit_task_proc(void * vparam)
{
k5_kinit_task * kt;
long l;
kt = (k5_kinit_task *) vparam;
if (kt == NULL || kt->magic != K5_KINIT_TASK_MAGIC) {
assert(FALSE);
return KHM_ERROR_INVALID_PARAM;
}
EnterCriticalSection(&kt->cs);
if (kt->state == K5_KINIT_STATE_ABORTED) {
LeaveCriticalSection(&kt->cs);
return KHM_ERROR_SUCCESS;
}
if (kt->state != K5_KINIT_STATE_PREP) {
LeaveCriticalSection(&kt->cs);
assert(FALSE);
return KHM_ERROR_INVALID_OPERATION;
}
kt->prompt_set_index = 0;
if (cached_kinit_prompter(kt)) {
kt->state = K5_KINIT_STATE_WAIT;
kcdb_identity_set_flags(kt->identity,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT);
khui_cw_notify_identity_state(kt->nc, kt->nct->hwnd_panel, L"",
KHUI_CWNIS_VALIDATED |
KHUI_CWNIS_READY, 0);
SetEvent(kt->h_parent_wait);
LeaveCriticalSection(&kt->cs);
WaitForSingleObject(kt->h_task_wait, INFINITE);
EnterCriticalSection(&kt->cs);
assert(kt->state == K5_KINIT_STATE_CONFIRM ||
kt->state == K5_KINIT_STATE_ABORTED);
if (kt->state != K5_KINIT_STATE_CONFIRM)
goto done;
if (!cp_check_continue(kt)) {
kt->kinit_code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto done;
}
} else {
kt->state = K5_KINIT_STATE_INCALL;
}
call_kinit:
#ifdef DEBUG
_reportf(L"kinit task state prior to calling khm_krb5_kinit() :");
_reportf(L" kt->principal = [%S]", kt->principal);
_reportf(L" kt->kinit_code = %d", kt->kinit_code);
_reportf(L" kt->state = %d", kt->state);
_reportf(L" kt->prompt_set_index = %d", kt->prompt_set_index);
_reportf(L" kt->is_valid_principal = %d", (int) kt->is_valid_principal);
_reportf(L" kt->ccache = [%s]", kt->ccache);
#endif
LeaveCriticalSection(&kt->cs);
if (kt->context == 0)
krb5_init_context(&kt->context);
l = khm_krb5_kinit
(kt->context,
kt->principal,
kt->password,
kt->ccache,
kt->params.lifetime,
(kt->is_valid_principal) ? kt->params.forwardable : 0,
(kt->is_valid_principal) ? kt->params.proxiable : 0,
(kt->is_valid_principal && kt->params.renewable) ? kt->params.renew_life : 0,
kt->params.addressless,
kt->params.publicIP,
kt->params.allow_weak_crypto,
kinit_prompter,
kt);
EnterCriticalSection(&kt->cs);
kt->kinit_code = l;
_reportf(L" kinit return code = %d", (int) l);
if (kt->state == K5_KINIT_STATE_RETRY) {
/* If the principal was found to be valid, and if we
restricted the options that were being passed to kinit,
then we need to retry the kinit call. This time we use the
real options. */
assert(kt->is_valid_principal);
kt->state = K5_KINIT_STATE_INCALL;
goto call_kinit;
}
assert(kt->state == K5_KINIT_STATE_INCALL ||
kt->state == K5_KINIT_STATE_CONFIRM ||
kt->state == K5_KINIT_STATE_ABORTED);
if (kt->state == K5_KINIT_STATE_ABORTED) {
goto done;
}
if (kt->state == K5_KINIT_STATE_CONFIRM) {
goto done;
}
/* The call completed without any prompting. We haven't had a
chance to update the identity state. */
if (kt->state == K5_KINIT_STATE_INCALL) {
wchar_t msg[KHUI_MAXCCH_BANNER];
switch (kt->kinit_code) {
case 0:
kcdb_identity_set_flags(kt->identity,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT);
khui_cw_notify_identity_state(kt->nc, kt->nct->hwnd_panel, L"",
KHUI_CWNIS_READY |
KHUI_CWNIS_VALIDATED, 0);
khui_cw_clear_prompts(kt->nc);
break;
case KRB5KDC_ERR_KEY_EXP:
kcdb_identity_set_flags(kt->identity,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT);
k5_force_password_change(kt->dlg_data);
LoadString(hResModule, IDS_K5ERR_KEY_EXPIRED, msg, ARRAYLENGTH(msg));
khui_cw_notify_identity_state(kt->nc, kt->nct->hwnd_panel, msg,
KHUI_CWNIS_READY |
KHUI_CWNIS_VALIDATED, 0);
break;
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
kcdb_identity_set_flags(kt->identity,
KCDB_IDENT_FLAG_INVALID,
KCDB_IDENT_FLAG_INVALID);
khui_cw_clear_prompts(kt->nc);
khm_err_describe(kt->context, kt->kinit_code, msg, sizeof(msg), NULL, NULL);
khui_cw_notify_identity_state(kt->nc, kt->nct->hwnd_panel,
msg, KHUI_CWNIS_VALIDATED, 0);
break;
default:
kcdb_identity_set_flags(kt->identity,
KCDB_IDENT_FLAG_UNKNOWN,
KCDB_IDENT_FLAG_UNKNOWN);
khui_cw_clear_prompts(kt->nc);
khm_err_describe(kt->context, kt->kinit_code, msg, sizeof(msg), NULL, NULL);
khui_cw_notify_identity_state(kt->nc, kt->nct->hwnd_panel,
msg, KHUI_CWNIS_VALIDATED, 0);
}
}
done:
kt->state = K5_KINIT_STATE_DONE;
LeaveCriticalSection(&kt->cs);
SetEvent(kt->h_parent_wait);
k5_kinit_task_release(kt);
return KHM_ERROR_SUCCESS;
}
static krb5_error_code KRB5_CALLCONV
kinit_prompter(krb5_context context,
void *data,
const char *name,
const char *banner,
int num_prompts,
krb5_prompt prompts[])
{
int i;
k5_kinit_task * kt;
khm_size ncp;
krb5_error_code code = 0;
BOOL new_prompts = TRUE;
khm_handle csp_prcache = NULL;
kt = (k5_kinit_task *) data;
assert(kt && kt->magic == K5_KINIT_TASK_MAGIC);
EnterCriticalSection(&kt->cs);
if (kt->state == K5_KINIT_STATE_ABORTED) {
LeaveCriticalSection(&kt->cs);
return KRB5_LIBOS_PWDINTR;
}
#ifdef DEBUG
assert(kt->state == K5_KINIT_STATE_INCALL ||
kt->state == K5_KINIT_STATE_CONFIRM);
_reportf(L"k5_kinit_prompter() received %d prompts with name=[%S] banner=[%S]",
num_prompts,
name, banner);
for (i=0; i < num_prompts; i++) {
_reportf(L"Prompt[%d]: string[%S]", i, prompts[i].prompt);
}
#endif
/* we got prompts? Then we assume that the principal is valid */
if (!kt->is_valid_principal) {
kt->is_valid_principal = TRUE;
/* if the flags that were used to call kinit were restricted
because we didn't know the validity of the principal, then
we need to go back and retry the call with the correct
flags. */
if (kt->params.forwardable ||
kt->params.proxiable ||
kt->params.renewable) {
_reportf(L"Retrying kinit call due to restricted flags on first call.");
kt->state = K5_KINIT_STATE_RETRY;
LeaveCriticalSection(&kt->cs);
return KRB5_LIBOS_PWDINTR;
}
}
/* check if we are already showing the right prompts */
khui_cw_get_prompt_count(kt->nc, &ncp);
if (num_prompts != (int) ncp && num_prompts != 0)
goto _show_new_prompts;
for (i=0; i < num_prompts; i++) {
wchar_t wprompt[KHUI_MAXCCH_PROMPT];
khui_new_creds_prompt * p;
if(prompts[i].prompt) {
AnsiStrToUnicode(wprompt, sizeof(wprompt),
prompts[i].prompt);
} else {
wprompt[0] = L'\0';
}
if (KHM_FAILED(khui_cw_get_prompt(kt->nc, i, &p)))
break;
if ( /* if we received a prompt string,
then it should be the same as the
one that is displayed */
(wprompt[0] != L'\0' &&
(p->prompt == NULL ||
wcscmp(wprompt, p->prompt))) ||
/* if we didn't receive one, then
there shouldn't be one displayed.
This case really shouldn't happen
in reality, but we check anyway. */
(wprompt[0] == L'\0' &&
p->prompt != NULL) ||
/* the type should match */
(prompts[i].type != p->type) ||
/* if this prompt should be hidden,
then it must also be so */
(prompts[i].hidden &&
!(p->flags & KHUI_NCPROMPT_FLAG_HIDDEN)) ||
(!prompts[i].hidden &&
(p->flags & KHUI_NCPROMPT_FLAG_HIDDEN))
)
break;
}
if (i >= num_prompts) {
new_prompts = FALSE;
/* ok. looks like we are already showing the same set of
prompts that we were supposed to show. Sync up the values
and go ahead. */
goto _process_prompts;
}
_show_new_prompts:
if (num_prompts == 0) {
assert(FALSE);
khui_cw_notify_identity_state(kt->nc,
kt->nct->hwnd_panel,
NULL,
KHUI_CWNIS_READY |
KHUI_CWNIS_NOPROGRESS |
KHUI_CWNIS_VALIDATED, 0);
code = 0;
kt->is_null_password = TRUE;
goto _process_prompts;
}
/* in addition to showing new prompts, we also cache the first set
of prompts. */
if (kt->prompt_set_index == 0) {
khm_handle csp_idconfig = NULL;
khm_handle csp_idk5 = NULL;
kcdb_identity_get_config(kt->identity,
KHM_FLAG_CREATE,
&csp_idconfig);
if (csp_idconfig != NULL)
khc_open_space(csp_idconfig,
CSNAME_KRB5CRED,
KHM_FLAG_CREATE,
&csp_idk5);
if (csp_idk5 != NULL)
khc_open_space(csp_idk5,
CSNAME_PROMPTCACHE,
KHM_FLAG_CREATE,
&csp_prcache);
khc_close_space(csp_idconfig);
khc_close_space(csp_idk5);
}
{
wchar_t wbanner[KHUI_MAXCCH_BANNER];
wchar_t wname[KHUI_MAXCCH_PNAME];
if(banner)
AnsiStrToUnicode(wbanner, sizeof(wbanner), banner);
else
wbanner[0] = L'\0';
if(name)
AnsiStrToUnicode(wname, sizeof(wname), name);
else
LoadString(hResModule, IDS_PNAME_PW, wname, ARRAYLENGTH(wname));
khui_cw_clear_prompts(kt->nc);
khui_cw_begin_custom_prompts(kt->nc, num_prompts, wbanner, wname);
if (csp_prcache) {
FILETIME current;
FILETIME lifetime;
FILETIME expiry;
khm_int64 iexpiry;
khm_int32 t = 0;
khc_write_string(csp_prcache, L"Banner", wbanner);
khc_write_string(csp_prcache, L"Name", (name)? wname: L"");
khc_write_int32(csp_prcache, L"PromptCount", (khm_int32) num_prompts);
GetSystemTimeAsFileTime(¤t);
#ifdef USE_PROMPT_CACHE_LIFETIME
khc_read_int32(csp_params, L"PromptCacheLifetime", &t);
if (t == 0)
t = 172800; /* 48 hours */
#else
khc_read_int32(csp_params, L"MaxRenewLifetime", &t);
if (t == 0)
t = 2592000; /* 30 days */
t += 604800; /* + 7 days */
#endif
TimetToFileTimeInterval(t, &lifetime);
expiry = FtAdd(¤t, &lifetime);
iexpiry = FtToInt(&expiry);
khc_write_int64(csp_prcache, L"ExpiresOn", iexpiry);
}
}
for(i=0; i < num_prompts; i++) {
wchar_t wprompt[KHUI_MAXCCH_PROMPT];
if(prompts[i].prompt) {
AnsiStrToUnicode(wprompt, sizeof(wprompt),
prompts[i].prompt);
} else {
wprompt[0] = 0;
}
khui_cw_add_prompt(kt->nc, prompts[i].type,
wprompt, NULL,
(prompts[i].hidden?KHUI_NCPROMPT_FLAG_HIDDEN:0));
if (csp_prcache) {
khm_handle csp_p = NULL;
wchar_t wnum[8]; /* should be enough for 10
million prompts */
wnum[0] = 0;
StringCbPrintf(wnum, sizeof(wnum), L"%d", i);
khc_open_space(csp_prcache, wnum, KHM_FLAG_CREATE, &csp_p);
if (csp_p) {
khc_write_string(csp_p, L"Prompt", wprompt);
khc_write_int32(csp_p, L"Type", prompts[i].type);
khc_write_int32(csp_p, L"Flags",
(prompts[i].hidden?
KHUI_NCPROMPT_FLAG_HIDDEN:0));
khc_close_space(csp_p);
}
}
}
if (csp_prcache) {
khc_close_space(csp_prcache);
csp_prcache = NULL;
}
_process_prompts:
if (new_prompts) {
kt->state = K5_KINIT_STATE_WAIT;
kcdb_identity_set_flags(kt->identity,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT,
KCDB_IDENT_FLAG_VALID | KCDB_IDENT_FLAG_KEY_EXPORT);
khui_cw_notify_identity_state(kt->nc, kt->nct->hwnd_panel, L"",
KHUI_CWNIS_VALIDATED |
KHUI_CWNIS_READY, 0);
SetEvent(kt->h_parent_wait);
LeaveCriticalSection(&kt->cs);
WaitForSingleObject(kt->h_task_wait, INFINITE);
EnterCriticalSection(&kt->cs);
}
/* we get here after the user selects an action that either
cancels the credentials acquisition operation or triggers the
actual acquisition of credentials. */
if (kt->state != K5_KINIT_STATE_INCALL &&
kt->state != K5_KINIT_STATE_CONFIRM) {
code = KRB5_LIBOS_PWDINTR;
goto _exit;
}
kt->is_null_password = FALSE;
/* otherwise, we need to get the data back from the UI and return
0 */
khui_cw_sync_prompt_values(kt->nc);
for(i=0; i<num_prompts; i++) {
krb5_data * d;
wchar_t wbuf[512];
khm_size cbbuf;
size_t cch;
d = prompts[i].reply;
cbbuf = sizeof(wbuf);
if(KHM_SUCCEEDED(khui_cw_get_prompt_value(kt->nc, i, wbuf, &cbbuf))) {
UnicodeStrToAnsi(d->data, d->length, wbuf);
if(SUCCEEDED(StringCchLengthA(d->data, d->length, &cch)))
d->length = (unsigned int) cch;
else
d->length = 0;
} else {
assert(FALSE);
d->length = 0;
}
if (prompts[i].type == KRB5_PROMPT_TYPE_PASSWORD &&
d->length == 0)
kt->is_null_password = TRUE;
}
if (khui_cw_get_persist_private_data(kt->nc) &&
num_prompts == 1 &&
prompts[0].type == KRB5_PROMPT_TYPE_PASSWORD &&
prompts[0].reply->length != 0) {
k5_reply_to_acqpriv_id_request(kt->nc, prompts[0].reply);
}
_exit:
kt->prompt_set_index++;
LeaveCriticalSection(&kt->cs);
/* entering a NULL password is equivalent to cancelling out */
if (kt->is_null_password)
return KRB5_LIBOS_PWDINTR;
else
return code;
}
/* Handler for system messages. The only two we handle are
KMSG_SYSTEM_INIT and KMSG_SYSTEM_EXIT. */
khm_int32 KHMAPI
handle_kmsg_system(khm_int32 msg_type,
khm_int32 msg_subtype,
khm_ui_4 uparam,
void * vparam) {
khm_int32 rv = KHM_ERROR_SUCCESS;
switch (msg_subtype) {
/* This is the first message that will be received by a
plugin. We use it to perform initialization operations
such as registering any credential types, data types and
attributes. */
case KMSG_SYSTEM_INIT:
{
kcdb_credtype ct;
wchar_t short_desc[KCDB_MAXCCH_SHORT_DESC];
wchar_t long_desc[KCDB_MAXCCH_LONG_DESC];
khui_config_node cnode;
khui_config_node_reg creg;
kcdb_attrib attr;
khm_handle csp_plugin = NULL;
khm_handle csp_plugins = NULL;
#ifdef BUILD_KRBCOMPAT
/* If we don't have a Kerberos backend, then we can't
* function. */
if (!DelayLoadHeimdal()) {
_reportf("Can't initialize a Kerberos backend. LastError=%d", GetLastError());
return KHM_ERROR_NOT_FOUND;
}
#endif
#if KH_VERSION_API < 12
do {
khm_version libver;
khm_ui_4 apiver;
khm_get_lib_version(&libver, &apiver);
if (apiver < 7)
break;
hm_netidmgr = LoadLibrary(NIMDLLNAME);
if (hm_netidmgr == NULL)
break;
#if KH_VERSION_API < 7
pkhui_action_lock = (void (KHMAPI *)(void))
GetProcAddress(hm_netidmgr, API_khui_action_lock);
pkhui_action_unlock = (void (KHMAPI *)(void))
GetProcAddress(hm_netidmgr, API_khui_action_unlock);
pkhui_refresh_actions = (void (KHMAPI *)(void))
GetProcAddress(hm_netidmgr, API_khui_refresh_actions);
pkhui_request_UI_callback = (khm_int32 (KHMAPI *)(khm_ui_callback, void *))
GetProcAddress(hm_netidmgr, API_khui_request_UI_callback);
#endif
pkhui_cw_get_primary_id = (khm_int32 (KHMAPI *)(khui_new_creds *, khm_handle *))
GetProcAddress(hm_netidmgr, API_khui_cw_get_primary_id);
pkhui_cw_get_result = (khm_int32 (KHMAPI *)(khui_new_creds *))
GetProcAddress(hm_netidmgr, API_khui_cw_get_result);
pkhui_cw_get_subtype = (khui_nc_subtype (KHMAPI *)(khui_new_creds *))
GetProcAddress(hm_netidmgr, API_khui_cw_get_subtype);
pkhui_cw_get_ctx = (khui_action_context * (KHMAPI *)(khui_new_creds *))
GetProcAddress(hm_netidmgr, API_khui_cw_get_ctx);
pkcdb_get_resource = (khm_int32 (KHMAPI *)(khm_handle, kcdb_resource_id,
khm_int32, khm_int32 *,
void *, void *, khm_size *))
GetProcAddress(hm_netidmgr, API_kcdb_get_resource);
} while (FALSE);
if (pkhui_cw_get_primary_id == NULL)
pkhui_cw_get_primary_id = int_khui_cw_get_primary_id;
if (pkhui_cw_get_result == NULL)
pkhui_cw_get_result = int_khui_cw_get_result;
if (pkhui_cw_get_subtype == NULL)
pkhui_cw_get_subtype = int_khui_cw_get_subtype;
if (pkhui_cw_get_ctx == NULL)
pkhui_cw_get_ctx = int_khui_cw_get_ctx;
if (pkcdb_get_resource == NULL)
pkcdb_get_resource = int_kcdb_get_resource;
#endif
/* Add the icon now. On NIM v2.x, doing so after tokens
were reported may result in a deadlock as we try to
switch to the UI thread and the UI thread is blocked on
a resource request to this plug-in. */
kca_icon_set_state(NULL);
/* First and foremost, we need to register a credential
type. */
ZeroMemory(&ct, sizeof(ct));
ct.id = KCDB_CREDTYPE_AUTO;
ct.name = MYCREDTYPE_NAMEW;
ct.short_desc = short_desc;
ct.long_desc = long_desc;
short_desc[0] = L'\0';
LoadString(hResModule, IDS_CT_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
long_desc[0] = L'\0';
LoadString(hResModule, IDS_CT_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
ct.icon = NULL; /* We skip the icon for now, but you
can assign a handle to an icon
here. The icon will be used to
represent the credentials type.*/
kmq_create_subscription(plugin_msg_proc, &ct.sub);
ct.is_equal = cred_is_equal;
rv = kcdb_credtype_register(&ct, &credtype_id);
/* We create a global credential set that we use in the
plug-in thread. This alleviates the need to create one
everytime we need one. Keep in mind that this should
only be used in the plug-in thread and should not be
touched from the UI thread or any other thread. */
kcdb_credset_create(&g_credset);
/* TODO: Perform additional initialization operations. */
/* Register our attributes */
ZeroMemory(&attr, sizeof(attr));
attr.name = ATTRNAME_KCA_AUTHREALM;
attr.id = KCDB_ATTR_INVALID;
attr.alt_id = KCDB_ATTR_INVALID;
attr.flags = 0;
attr.type = KCDB_TYPE_STRING;
attr.short_desc = short_desc;
attr.long_desc = long_desc;
attr.compute_cb = NULL;
attr.compute_min_cbsize = 0;
attr.compute_max_cbsize = 0;
LoadString(hResModule, IDS_ATTR_REALM_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
LoadString(hResModule, IDS_ATTR_REALM_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
rv = kcdb_attrib_register(&attr, &attr_id_auth_realm);
if (KHM_FAILED(rv))
break;
attr.name = ATTRNAME_SUBJECT_EMAIL;
LoadString(hResModule, IDS_ATTR_SUBJECT_EMAIL_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
LoadString(hResModule, IDS_ATTR_SUBJECT_EMAIL_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
rv = kcdb_attrib_register(&attr, &attr_id_subj_email);
if (KHM_FAILED(rv))
break;
attr.name = ATTRNAME_SUBJECT_DISPLAY;
LoadString(hResModule, IDS_ATTR_SUBJECT_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
LoadString(hResModule, IDS_ATTR_SUBJECT_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
rv = kcdb_attrib_register(&attr, &attr_id_subj_display);
if (KHM_FAILED(rv))
break;
attr.name = ATTRNAME_ISSUER_DISPLAY;
LoadString(hResModule, IDS_ATTR_ISSUER_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
LoadString(hResModule, IDS_ATTR_ISSUER_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
rv = kcdb_attrib_register(&attr, &attr_id_issuer_display);
if (KHM_FAILED(rv))
break;
attr.name = ATTRNAME_ISSUER_NAME;
attr.flags = KCDB_ATTR_FLAG_HIDDEN;
attr.type = KCDB_TYPE_DATA;
attr.short_desc = NULL;
attr.long_desc = NULL;
rv = kcdb_attrib_register(&attr, &attr_id_issuer_name);
if (KHM_FAILED(rv))
break;
attr.name = ATTRNAME_SERIAL;
rv = kcdb_attrib_register(&attr, &attr_id_serial_number);
if (KHM_FAILED(rv))
break;
/* List the credentials that are already here */
kca_list_creds();
/* Now we register our configuration panels. */
#ifdef GENERAL_CONFIG_PANEL
/* This configuration panel is the one that controls
general options. We leave the identity specific and
identity defaults for other configuration panels. */
ZeroMemory(&creg, sizeof(creg));
short_desc[0] = L'\0';
LoadString(hResModule, IDS_CFG_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
long_desc[0] = L'\0';
LoadString(hResModule, IDS_CFG_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
creg.name = CONFIGNODE_MAIN;
creg.short_desc = short_desc;
creg.long_desc = long_desc;
creg.h_module = hResModule;
creg.dlg_template = MAKEINTRESOURCE(IDD_CONFIG);
creg.dlg_proc = config_dlgproc;
creg.flags = 0;
khui_cfg_register(NULL, &creg);
#endif
/* Now we do the identity specific and identity default
configuration panels. "KhmIdentities" is a predefined
configuration node under which all the identity spcific
configuration is managed. */
if (KHM_FAILED(khui_cfg_open(NULL, L"KhmIdentities", &cnode))) {
/* this should always work */
assert(FALSE);
rv = KHM_ERROR_NOT_FOUND;
break;
}
/* First the tab panel for defaults for all identities */
ZeroMemory(&creg, sizeof(creg));
short_desc[0] = L'\0';
LoadString(hResModule, IDS_CFG_IDS_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
long_desc[0] = L'\0';
LoadString(hResModule, IDS_CFG_IDS_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
creg.name = CONFIGNODE_ALL_ID;
creg.short_desc = short_desc;
creg.long_desc = long_desc;
creg.h_module = hResModule;
creg.dlg_template = MAKEINTRESOURCE(IDD_CONFIG_IDS);
creg.dlg_proc = config_ids_dlgproc;
creg.flags = KHUI_CNFLAG_SUBPANEL;
khui_cfg_register(cnode, &creg);
/* Now the panel for per identity configuration */
ZeroMemory(&creg, sizeof(creg));
short_desc[0] = L'\0';
LoadString(hResModule, IDS_CFG_ID_SHORT_DESC,
short_desc, ARRAYLENGTH(short_desc));
long_desc[0] = L'\0';
LoadString(hResModule, IDS_CFG_ID_LONG_DESC,
long_desc, ARRAYLENGTH(long_desc));
creg.name = CONFIGNODE_PER_ID;
creg.short_desc = short_desc;
creg.long_desc = long_desc;
creg.h_module = hResModule;
creg.dlg_template = MAKEINTRESOURCE(IDD_CONFIG_ID);
creg.dlg_proc = config_id_dlgproc;
creg.flags = KHUI_CNFLAG_SUBPANEL | KHUI_CNFLAG_INSTANCE;
khui_cfg_register(cnode, &creg);
khui_cfg_release(cnode);
/* load the schema */
if (KHM_SUCCEEDED(kmm_get_plugins_config(0, &csp_plugins))) {
khc_load_schema(csp_plugins, plugin_schema);
khc_close_space(csp_plugins);
}
/* open the plug-in and parameter configuration spaces */
if (KHM_SUCCEEDED(kmm_get_plugin_config(MYPLUGIN_NAMEW,
KHM_FLAG_CREATE,
&csp_plugin))) {
khc_open_space(csp_plugin, L"Parameters", KHM_FLAG_CREATE,
&csp_params);
khc_close_space(csp_plugin);
}
/* try to install the kpkcs11 plugin now */
install_kpkcs11_plugin();
/* register the "KCA Help" menu item, so that we can add
the plug-in menu item to the Help menu. */
{
khm_handle h_sub = NULL;
#if KH_VERSION_API < 7
if (pkhui_action_lock == NULL ||
pkhui_action_unlock == NULL ||
pkhui_refresh_actions == NULL ||
pkhui_request_UI_callback == NULL)
goto no_custom_help;
#endif
kmq_create_subscription(plugin_msg_proc, &h_sub);
LoadString(hResModule, IDS_ACTION_KCA_HELP,
short_desc, ARRAYLENGTH(short_desc));
LoadString(hResModule, IDS_ACTION_KCA_HELP_TT,
long_desc, ARRAYLENGTH(long_desc));
action_id_kca_help = khui_action_create(NULL,
short_desc,
long_desc,
NULL,
KHUI_ACTIONTYPE_TRIGGER,
h_sub);
if (action_id_kca_help != 0) {
khm_size s;
khm_size i;
khui_menu_def * help_menu;
khm_boolean refresh = FALSE;
khui_action_lock();
help_menu = khui_find_menu(KHUI_MENU_HELP);
if (help_menu) {
s = khui_menu_get_size(help_menu);
for (i=0; i < s; i++) {
khui_action_ref * aref;
aref = khui_menu_get_action(help_menu, i);
if (aref && !(aref->flags & KHUI_ACTIONREF_PACTION) &&
aref->action == KHUI_ACTION_HELP_INDEX) {
khui_menu_insert_action(help_menu,
i + 1,
action_id_kca_help,
0);
refresh = TRUE;
break;
}
}
}
khui_action_unlock();
if (refresh)
khui_refresh_actions();
}
#if KH_VERSION_API < 7
no_custom_help:
;
#endif
}
}
break;
/* This is the last message that will be received by the
plugin. */
case KMSG_SYSTEM_EXIT:
{
khui_config_node cnode;
khui_config_node cn_idents;
khm_int32 attr_id;
kca_remove_icon();
/* It should not be assumed that initialization of the
plugin went well at this point since we receive a
KMSG_SYSTEM_EXIT even if the initialization failed. */
/* Try to remove the KCA plug-in action from Help menu if
it was successfully registered. Also, delete the
action. */
if (action_id_kca_help != 0) {
khui_menu_def * help_menu;
khm_boolean menu_changed = FALSE;
khui_action_lock();
help_menu = khui_find_menu(KHUI_MENU_HELP);
if (help_menu) {
khm_size s;
khm_size i;
s = khui_menu_get_size(help_menu);
for (i=0; i < s; i++) {
khui_action_ref * aref = khui_menu_get_action(help_menu, i);
if (aref && !(aref->flags & KHUI_ACTIONREF_PACTION) &&
aref->action == action_id_kca_help) {
khui_menu_remove_action(help_menu, i);
menu_changed = TRUE;
break;
}
}
}
khui_action_delete(action_id_kca_help);
khui_action_unlock();
if (menu_changed)
khui_refresh_actions();
action_id_kca_help = 0;
}
if (credtype_id != KCDB_CREDTYPE_INVALID) {
kcdb_credtype_unregister(credtype_id);
credtype_id = KCDB_CREDTYPE_INVALID;
}
if (g_credset) {
kcdb_credset_delete(g_credset);
g_credset = NULL;
}
/* Now unregister any configuration nodes we registered. */
if (KHM_SUCCEEDED(khui_cfg_open(NULL, CONFIGNODE_MAIN, &cnode))) {
khui_cfg_remove(cnode);
khui_cfg_release(cnode);
}
if (KHM_SUCCEEDED(khui_cfg_open(NULL, L"KhmIdentities", &cn_idents))) {
if (KHM_SUCCEEDED(khui_cfg_open(cn_idents,
CONFIGNODE_ALL_ID,
&cnode))) {
khui_cfg_remove(cnode);
khui_cfg_release(cnode);
}
if (KHM_SUCCEEDED(khui_cfg_open(cn_idents,
CONFIGNODE_PER_ID,
&cnode))) {
khui_cfg_remove(cnode);
khui_cfg_release(cnode);
}
khui_cfg_release(cn_idents);
}
if (KHM_SUCCEEDED(kcdb_attrib_get_id(ATTRNAME_KCA_AUTHREALM,
&attr_id)))
kcdb_attrib_unregister(attr_id);
if (KHM_SUCCEEDED(kcdb_attrib_get_id(ATTRNAME_SUBJECT_EMAIL,
&attr_id)))
kcdb_attrib_unregister(attr_id);
if (KHM_SUCCEEDED(kcdb_attrib_get_id(ATTRNAME_SUBJECT_DISPLAY,
&attr_id)))
kcdb_attrib_unregister(attr_id);
if (KHM_SUCCEEDED(kcdb_attrib_get_id(ATTRNAME_ISSUER_DISPLAY,
&attr_id)))
kcdb_attrib_unregister(attr_id);
if (KHM_SUCCEEDED(kcdb_attrib_get_id(ATTRNAME_ISSUER_NAME,
&attr_id)))
kcdb_attrib_unregister(attr_id);
if (KHM_SUCCEEDED(kcdb_attrib_get_id(ATTRNAME_SERIAL,
&attr_id)))
kcdb_attrib_unregister(attr_id);
if (csp_params) {
khc_close_space(csp_params);
csp_params = NULL;
}
#if KH_VERSION_API < 12
if (hm_netidmgr)
FreeLibrary(hm_netidmgr);
pkhui_cw_get_primary_id = NULL;
#endif
#if KH_VERSION_API < 7
pkhui_action_lock = NULL;
pkhui_action_unlock = NULL;
pkhui_refresh_actions = NULL;
pkhui_request_UI_callback = NULL;
#endif
/* TODO: Perform additional uninitialization
operations. */
}
break;
}
return rv;
}
