/* Handler for KMSG_CRED_END */
khm_int32
handle_kmsg_cred_end(khui_new_creds * nc) {
struct nc_dialog_data * d;
/* TODO: Perform any additional uninitialization as needed. */
khui_cw_find_type(nc, credtype_id, (khui_new_creds_by_type **) &d);
if (d) {
khui_cw_del_type(nc, credtype_id);
if (d->nct.name)
free(d->nct.name);
free(d);
}
return KHM_ERROR_SUCCESS;
}
/* Handler for KMSG_CRED_END */
khm_int32
handle_kmsg_cred_end(khui_new_creds * nc) {
khui_new_creds_by_type * nct = NULL;
/* TODO: Perform any additional uninitialization as needed. */
khui_cw_find_type(nc, credtype_id, &nct);
if (nct) {
khui_cw_del_type(nc, credtype_id);
if (nct->name)
free(nct->name);
if (nct->credtext)
free(nct->credtext);
free(nct);
}
return KHM_ERROR_SUCCESS;
}
khm_int32
krb4_msg_newcred(khm_int32 msg_type, khm_int32 msg_subtype,
khm_ui_4 uparam, void * vparam) {
switch(msg_subtype) {
case KMSG_CRED_NEW_CREDS:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct;
khm_size cbsize;
wchar_t wbuf[256];
nc = (khui_new_creds *) vparam;
nct = PMALLOC(sizeof(*nct));
#ifdef DEBUG
assert(nct);
#endif
ZeroMemory(nct, sizeof(*nct));
nct->type = credtype_id_krb4;
nct->ordinal = 3;
LoadString(hResModule, IDS_NC_K4_SHORT,
wbuf, ARRAYLENGTH(wbuf));
StringCbLength(wbuf, sizeof(wbuf), &cbsize);
cbsize += sizeof(wchar_t);
nct->name = PMALLOC(cbsize);
StringCbCopy(nct->name, cbsize, wbuf);
nct->type_deps[nct->n_type_deps++] = credtype_id_krb5;
nct->h_module = hResModule;
nct->dlg_proc = k4_nc_dlg_proc;
nct->dlg_template = MAKEINTRESOURCE(IDD_NC_KRB4);
khui_cw_add_type(nc, nct);
}
break;
case KMSG_CRED_RENEW_CREDS:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct;
khm_size cbsize;
wchar_t wbuf[256];
khui_action_context * pctx = NULL;
nc = (khui_new_creds *) vparam;
pctx = khui_cw_get_ctx(nc);
if (!pctx->identity)
break;
nct = PMALLOC(sizeof(*nct));
#ifdef DEBUG
assert(nct);
#endif
ZeroMemory(nct, sizeof(*nct));
nct->type = credtype_id_krb4;
nct->ordinal = 3;
LoadString(hResModule, IDS_NC_K4_SHORT,
wbuf, ARRAYLENGTH(wbuf));
StringCbLength(wbuf, sizeof(wbuf), &cbsize);
cbsize += sizeof(wchar_t);
nct->name = PMALLOC(cbsize);
StringCbCopy(nct->name, cbsize, wbuf);
nct->type_deps[nct->n_type_deps++] = credtype_id_krb5;
khui_cw_add_type(nc, nct);
}
break;
case KMSG_CRED_DIALOG_SETUP:
break;
case KMSG_CRED_PROCESS:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct = NULL;
khm_handle ident = NULL;
khui_action_context * pctx = NULL;
k4_dlg_data * d = NULL;
long code = 0;
wchar_t idname[KCDB_IDENT_MAXCCH_NAME];
khm_size cb;
khm_int32 subtype;
nc = (khui_new_creds *) vparam;
if (KHM_FAILED(khui_cw_find_type(nc, credtype_id_krb4, &nct)))
break;
subtype = khui_cw_get_subtype(nc);
if (subtype == KMSG_CRED_NEW_CREDS ||
subtype == KMSG_CRED_RENEW_CREDS) {
khm_int32 method;
if (subtype == KMSG_CRED_NEW_CREDS) {
d = (k4_dlg_data *) nct->aux;
if (KHM_FAILED(khui_cw_get_primary_id(nc, &ident)))
break;
if (!d ||
khui_cw_get_result(nc) != KHUI_NC_RESULT_PROCESS) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_SUCCESS |
KHUI_NC_RESPONSE_EXIT);
kcdb_identity_release(ident);
break;
}
if (!d->k4_enabled) {
k4_write_identity_data(d);
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_SUCCESS |
KHUI_NC_RESPONSE_EXIT);
kcdb_identity_release(ident);
break;
}
method = d->method;
cb = sizeof(idname);
kcdb_identity_get_name(ident, idname, &cb);
_begin_task(0);
_report_sr0(KHERR_NONE, IDS_MSG_K4NEW);
_resolve();
_describe();
} else if (subtype == KMSG_CRED_RENEW_CREDS) {
pctx = khui_cw_get_ctx(nc);
if ((pctx->scope == KHUI_SCOPE_IDENT &&
pctx->identity != NULL) ||
(pctx->scope == KHUI_SCOPE_CREDTYPE &&
pctx->cred_type == credtype_id_krb4 &&
pctx->identity != NULL) ||
(pctx->scope == KHUI_SCOPE_CRED &&
pctx->cred_type == credtype_id_krb4 &&
pctx->identity != NULL &&
pctx->cred != NULL)) {
ident = pctx->identity;
kcdb_identity_hold(ident);
if (!k4_should_identity_get_k4(ident)) {
_reportf(L"Kerberos 4 is not enabled for this identity. Skipping");
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_EXIT);
kcdb_identity_release(ident);
break;
}
} else {
_reportf(L"Kerberos 4 is not within renewal scope. Skipping");
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_EXIT);
break;
}
method = K4_METHOD_K524; /* only k524 is supported
for renewals */
_begin_task(0);
cb = sizeof(idname);
kcdb_identity_get_name(ident, idname, &cb);
_report_sr0(KHERR_NONE, IDS_MSG_K4RENEW);
_resolve();
_describe();
} else {
assert(FALSE);
break;
}
_progress(0,1);
if ((method == K4_METHOD_AUTO ||
method == K4_METHOD_K524) &&
khui_cw_type_succeeded(nc, credtype_id_krb5)) {
khm_handle tgt;
FILETIME ft_prev;
FILETIME ft_new;
khm_size cb;
_report_cs0(KHERR_INFO, L"Trying K524...");
tgt = khm_krb4_find_tgt(NULL, ident);
_progress(1,3);
if (tgt) {
cb = sizeof(ft_prev);
if (KHM_FAILED(kcdb_cred_get_attr(tgt,
KCDB_ATTR_EXPIRE,
NULL,
&ft_prev,
&cb)))
ZeroMemory(&ft_prev, sizeof(ft_prev));
kcdb_cred_release(tgt);
}
code = khm_convert524(ident);
_progress(2,3);
_reportf(L"khm_convert524 returns code %d", code);
if (code == 0) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_SUCCESS |
KHUI_NC_RESPONSE_EXIT);
if (subtype == KMSG_CRED_NEW_CREDS) {
assert(d != NULL);
k4_write_identity_data(d);
} else if (subtype == KMSG_CRED_RENEW_CREDS &&
(pctx->scope == KHUI_SCOPE_CREDTYPE ||
pctx->scope == KHUI_SCOPE_CRED)) {
khm_krb4_list_tickets();
tgt = khm_krb4_find_tgt(NULL, ident);
if (tgt) {
cb = sizeof(ft_new);
ZeroMemory(&ft_new, sizeof(ft_new));
kcdb_cred_get_attr(tgt, KCDB_ATTR_EXPIRE,
NULL, &ft_new, &cb);
kcdb_cred_release(tgt);
}
if (!tgt ||
CompareFileTime(&ft_new, &ft_prev) <= 0) {
/* The new TGT wasn't much of an
improvement over what we already
had. We should go out and try to
renew the identity now. */
khui_action_context ctx;
_reportf(L"Renewal of Krb4 creds failed to get a longer TGT. Triggering identity renewal");
khui_context_create(&ctx,
KHUI_SCOPE_IDENT,
pctx->identity,
KCDB_CREDTYPE_INVALID,
NULL);
khui_action_trigger(KHUI_ACTION_RENEW_CRED,
&ctx);
khui_context_release(&ctx);
}
}
_progress(1,1);
_end_task();
if (ident)
kcdb_identity_release(ident);
break;
} else if (method == K4_METHOD_K524) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_FAILED |
KHUI_NC_RESPONSE_EXIT);
if (subtype == KMSG_CRED_RENEW_CREDS &&
(pctx->scope == KHUI_SCOPE_CREDTYPE ||
pctx->scope == KHUI_SCOPE_CRED)) {
/* We were trying to get a new Krb4 TGT
for this identity. Sometimes this
fails because of restrictions placed on
K524d regarding the lifetime of the
issued K4 TGT. In this case, we
trigger a renewal of the identity in
the hope that the new K5 TGT will allow
us to successfully get a new K4 TGT
next time over using the new K5 TGT. */
khui_action_context ctx;
_reportf(L"Renewal of Krb4 creds failed using k524. Triggerring identity renewal.");
khui_context_create(&ctx,
KHUI_SCOPE_IDENT,
pctx->identity,
KCDB_CREDTYPE_INVALID,
NULL);
khui_action_trigger(KHUI_ACTION_RENEW_CRED,
&ctx);
khui_context_release(&ctx);
}
_progress(1,1);
_end_task();
if (ident)
kcdb_identity_release(ident);
break;
}
}
/* only supported for new credentials */
if (method == K4_METHOD_AUTO ||
method == K4_METHOD_PASSWORD) {
khm_size n_prompts = 0;
khm_size idx;
khm_size cb;
wchar_t wpwd[KHUI_MAXCCH_PROMPT_VALUE];
char pwd[KHUI_MAXCCH_PROMPT_VALUE];
wchar_t widname[KCDB_IDENT_MAXCCH_NAME];
char idname[KCDB_IDENT_MAXCCH_NAME];
char * aname = NULL;
char * inst = NULL;
char * realm = NULL;
assert(subtype == KMSG_CRED_NEW_CREDS);
_report_cs0(KHERR_INFO, L"Trying password ...");
code = TRUE; /* just has to be non-zero */
khui_cw_get_prompt_count(nc, &n_prompts);
if (n_prompts == 0)
goto _skip_pwd;
for (idx = 0; idx < n_prompts; idx++) {
khui_new_creds_prompt * p;
if (KHM_FAILED(khui_cw_get_prompt(nc, idx, &p)))
continue;
if (p->type == KHUI_NCPROMPT_TYPE_PASSWORD)
break;
}
if (idx >= n_prompts) {
_reportf(L"Password prompt not found");
goto _skip_pwd;
}
khui_cw_sync_prompt_values(nc);
cb = sizeof(wpwd);
if (KHM_FAILED(khui_cw_get_prompt_value(nc, idx,
wpwd,
&cb))) {
_reportf(L"Failed to obtain password value");
goto _skip_pwd;
}
UnicodeStrToAnsi(pwd, sizeof(pwd), wpwd);
cb = sizeof(widname);
kcdb_identity_get_name(ident,
widname,
&cb);
UnicodeStrToAnsi(idname, sizeof(idname), widname);
{
char * atsign;
atsign = strchr(idname, '@');
if (atsign == NULL) {
_reportf(L"Identity name does not contain an '@'");
goto _skip_pwd;
}
*atsign++ = 0;
realm = atsign;
}
{
char * slash;
slash = strchr(idname, '/');
if (slash != NULL) {
*slash++ = 0;
inst = slash;
} else {
inst = "";
}
}
aname = idname;
code = khm_krb4_kinit(aname, inst, realm,
(long) d->lifetime, pwd);
_progress(2,3);
_reportf(L"khm_krb4_kinit returns code %d", code);
_skip_pwd:
if (code) {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_EXIT |
KHUI_NC_RESPONSE_FAILED);
} else {
khui_cw_set_response(nc, credtype_id_krb4,
KHUI_NC_RESPONSE_EXIT |
KHUI_NC_RESPONSE_SUCCESS);
if (subtype == KMSG_CRED_NEW_CREDS) {
assert(d != NULL);
k4_write_identity_data(d);
}
}
}
_progress(1,1);
_end_task();
}
if (ident)
kcdb_identity_release(ident);
}
break;
case KMSG_CRED_END:
{
khui_new_creds * nc;
khui_new_creds_by_type * nct = NULL;
nc = (khui_new_creds *) vparam;
if (KHM_FAILED(khui_cw_find_type(nc, credtype_id_krb4, &nct)))
break;
khui_cw_del_type(nc, credtype_id_krb4);
if (nct->name)
PFREE(nct->name);
if (nct->credtext)
PFREE(nct->credtext);
PFREE(nct);
}
break;
}
return KHM_ERROR_SUCCESS;
}
