Esempio n. 1
/*
 * Probe whether an initiator credential for desired_mech can be acquired
 * right now.  The probe uses the default identity when default_cred is
 * nonzero and kcred->name otherwise, so kcred is only dereferenced (and must
 * be valid) in the non-default case.  The temporary credential obtained by
 * the probe is always released before returning.
 *
 * Returns 1 if krb5_gss_acquire_cred reported an error, or if it succeeded
 * and reported a nonzero time_rec (the lifetime output of the GSS-API
 * acquire-cred interface).  Returns 0 only when acquisition succeeded with a
 * time_rec of zero.
 *
 * NOTE(review): despite the name, an acquisition *failure* also produces a
 * nonzero result.  Confirm that callers do not interpret nonzero as "a usable
 * credential exists" when making an authentication decision.
 */
static int
has_unexpired_creds(krb5_gss_cred_id_t kcred,
                    const gss_OID desired_mech,
                    int default_cred)
{
    OM_uint32 major_status, minor;
    OM_uint32 time_rec;
    gss_cred_id_t tmp_cred = GSS_C_NO_CREDENTIAL;
    gss_name_t cred_name;
    /* Single-element OID set wrapping the caller's mechanism. */
    gss_OID_set_desc desired_mechs = {
        .count = 1,
        .elements = (gss_OID)desired_mech
    };

    cred_name = default_cred ? GSS_C_NO_NAME : (gss_name_t)kcred->name;

    major_status = krb5_gss_acquire_cred(&minor, cred_name, 0,
                                         &desired_mechs, GSS_C_INITIATE,
                                         &tmp_cred, NULL, &time_rec);

    /* tmp_cred starts as GSS_C_NO_CREDENTIAL, so this is also reached on the
     * failure path with whatever the acquire call left in it. */
    krb5_gss_release_cred(&minor, &tmp_cred);

    /* time_rec is only consulted when the acquire call did not fail. */
    if (GSS_ERROR(major_status))
        return 1;
    return time_rec != 0;
}
Esempio n. 2
/*
 * Tear down an IAKERB context together with the objects it holds: the default
 * credential, the init-creds and ticket-creds state, the wrapped GSS security
 * context, the conversation buffer, the get-init-creds options and finally
 * the krb5 library context.  Passing NULL is a no-op.
 *
 * ctx is passed by value, so the caller's pointer is not cleared; it is
 * dangling once this function returns and must not be reused.
 */
static void
iakerb_release_context(iakerb_ctx_id_t ctx)
{
    OM_uint32 minor;

    if (ctx != NULL) {
        krb5_gss_release_cred(&minor, &ctx->defcred);
        krb5_init_creds_free(ctx->k5c, ctx->icc);
        krb5_tkt_creds_free(ctx->k5c, ctx->tcc);
        krb5_gss_delete_sec_context(&minor, &ctx->gssc, NULL);
        krb5_free_data_contents(ctx->k5c, &ctx->conv);
        krb5_get_init_creds_opt_free(ctx->k5c, ctx->gic_opts);
        /* The library context goes last: the calls above take it as their
         * context argument. */
        krb5_free_context(ctx->k5c);
        free(ctx);
    }
}
Esempio n. 3
/*
 * Build a krb5 GSS credential from its JSON array encoding.
 *
 * The array must contain exactly 14 elements, decoded by position:
 *    0  usage (number)            7  ccache
 *    1  name                      8  client_keytab
 *    2  impersonator principal    9  have_tgt (bool)
 *    3  default_identity (bool)  10  expire (number)
 *    4  iakerb_mech (bool)       11  refresh_time (number)
 *    5  keytab                   12  req_enctypes
 *    6  rcache                   13  password (optional string)
 *
 * On success the new credential is stored in *cred_out and 0 is returned.
 * On any failure -1 is returned and *cred_out is left NULL.
 *
 * NOTE(review): element 13 populates cred->password, so the encoded array
 * presumably carries a cleartext password and should be handled as secret
 * material by whoever produces and stores it -- confirm.
 */
static int
json_to_kgcred(krb5_context context, k5_json_array array,
               krb5_gss_cred_id_t *cred_out)
{
    krb5_gss_cred_id_t cred;
    k5_json_number num;
    k5_json_bool flag;
    krb5_boolean is_new;
    OM_uint32 minor;

    *cred_out = NULL;

    /* Reject anything that is not the exact expected shape up front. */
    if (k5_json_array_length(array) != 14)
        return -1;

    /* Zero-filled allocation: members not yet decoded stay NULL/0. */
    cred = calloc(1, sizeof(*cred));
    if (!cred)
        return -1;
    if (k5_mutex_init(&cred->lock) != 0) {
        free(cred);
        return -1;
    }

    /*
     * [0] usage.
     * NOTE(review): the decoded number is stored without a range check here;
     * confirm that consumers of cred->usage tolerate unexpected values.
     */
    num = check_element(array, 0, K5_JSON_TID_NUMBER);
    if (!num)
        goto fail;
    cred->usage = k5_json_number_value(num);

    /* [1] name, [2] impersonator. */
    if (json_to_kgname(context, k5_json_array_get(array, 1),
                       &cred->name) != 0)
        goto fail;
    if (json_to_principal(context, k5_json_array_get(array, 2),
                          &cred->impersonator) != 0)
        goto fail;

    /* [3] default_identity. */
    flag = check_element(array, 3, K5_JSON_TID_BOOL);
    if (!flag)
        goto fail;
    cred->default_identity = k5_json_bool_value(flag);

    /* [4] iakerb_mech. */
    flag = check_element(array, 4, K5_JSON_TID_BOOL);
    if (!flag)
        goto fail;
    cred->iakerb_mech = k5_json_bool_value(flag);

    /* [5] keytab, [6] rcache. */
    if (json_to_keytab(context, k5_json_array_get(array, 5),
                       &cred->keytab) != 0)
        goto fail;
    if (json_to_rcache(context, k5_json_array_get(array, 6),
                       &cred->rcache) != 0)
        goto fail;

    /* [7] ccache; is_new is only read when json_to_ccache succeeded, and is
     * recorded in destroy_ccache. */
    if (json_to_ccache(context, k5_json_array_get(array, 7), &cred->ccache,
                       &is_new) != 0)
        goto fail;
    cred->destroy_ccache = is_new;

    /* [8] client_keytab. */
    if (json_to_keytab(context, k5_json_array_get(array, 8),
                       &cred->client_keytab) != 0)
        goto fail;

    /* [9] have_tgt. */
    flag = check_element(array, 9, K5_JSON_TID_BOOL);
    if (!flag)
        goto fail;
    cred->have_tgt = k5_json_bool_value(flag);

    /*
     * [10] expire, [11] refresh_time.
     * NOTE(review): both are taken from the encoding as-is, with no range
     * check in this function -- confirm any narrowing into the field types is
     * acceptable.
     */
    num = check_element(array, 10, K5_JSON_TID_NUMBER);
    if (!num)
        goto fail;
    cred->expire = k5_json_number_value(num);

    num = check_element(array, 11, K5_JSON_TID_NUMBER);
    if (!num)
        goto fail;
    cred->refresh_time = k5_json_number_value(num);

    /* [12] req_enctypes, [13] password. */
    if (json_to_etypes(k5_json_array_get(array, 12),
                       &cred->req_enctypes) != 0)
        goto fail;
    if (json_to_optional_string(k5_json_array_get(array, 13),
                                &cred->password) != 0)
        goto fail;

    *cred_out = cred;
    return 0;

fail:
    /*
     * Hand the partially built credential to the regular release routine.
     * NOTE(review): this relies on krb5_gss_release_cred coping with members
     * that are still zero from calloc, and on it disposing of the lock and
     * any password already copied in -- confirm.
     */
    (void)krb5_gss_release_cred(&minor, (gss_cred_id_t *)&cred);
    return -1;
}