long
not_an_API_LeashKRB5GetTickets(TICKETINFO *ticketinfo,
krb5_context *krbv5Context)
{
krb5_error_code code;
krb5_principal me = 0;
krb5_context ctx = 0;
krb5_ccache cache = 0;
char *PrincipalName = NULL;
code = Leash_krb5_initialize(krbv5Context);
if (code)
return code;
ctx = *krbv5Context;
// @TEMP fixme; shouldn't be necessary
// save default principal name in ticketinfo
if (ticketinfo != NULL) {
ticketinfo->btickets = NO_TICKETS;
ticketinfo->principal = NULL;
ticketinfo->ccache_name = NULL;
ticketinfo->next = NULL;
ticketinfo->ticket_list = NULL;
code = pkrb5_cc_default(ctx, &cache);
if (code)
goto cleanup;
ticketinfo->ccache_name = strdup(pkrb5_cc_get_name(ctx, cache));
if (ticketinfo->ccache_name == NULL) {
code = ENOMEM;
goto cleanup;
}
if (!pkrb5_cc_get_principal(ctx, cache, &me)) {
code = (*pkrb5_unparse_name)(ctx, me, &PrincipalName);
if (code)
goto cleanup;
if (PrincipalName) {
ticketinfo->principal = strdup(PrincipalName);
pkrb5_free_unparsed_name(ctx, PrincipalName);
}
}
}
do_all_ccaches(*krbv5Context, &ticketinfo->next);
// @TEMP aggregate ticket info here?
cleanup:
if (code)
not_an_API_LeashKRB5FreeTickets(ticketinfo);
if (cache)
pkrb5_cc_close(ctx, cache);
if (me)
pkrb5_free_principal(ctx, me);
return code;
}
long
Leash_convert524(
krb5_context alt_ctx
)
{
#if defined(NO_KRB5) || defined(NO_KRB4)
return(0);
#else
krb5_context ctx = 0;
krb5_error_code code = 0;
int icode = 0;
krb5_principal me = 0;
krb5_principal server = 0;
krb5_creds *v5creds = 0;
krb5_creds increds;
krb5_ccache cc = 0;
CREDENTIALS * v4creds = NULL;
static int init_ets = 1;
if (!pkrb5_init_context ||
!pkrb_in_tkt ||
!pkrb524_init_ets ||
!pkrb524_convert_creds_kdc)
return 0;
v4creds = (CREDENTIALS *) malloc(sizeof(CREDENTIALS));
memset((char *) v4creds, 0, sizeof(CREDENTIALS));
memset((char *) &increds, 0, sizeof(increds));
/*
From this point on, we can goto cleanup because increds is
initialized.
*/
if (alt_ctx)
{
ctx = alt_ctx;
}
else
{
code = pkrb5_init_context(&ctx);
if (code) goto cleanup;
}
code = pkrb5_cc_default(ctx, &cc);
if (code) goto cleanup;
if ( init_ets ) {
pkrb524_init_ets(ctx);
init_ets = 0;
}
if (code = pkrb5_cc_get_principal(ctx, cc, &me))
goto cleanup;
if ((code = pkrb5_build_principal(ctx,
&server,
krb5_princ_realm(ctx, me)->length,
krb5_princ_realm(ctx, me)->data,
"krbtgt",
krb5_princ_realm(ctx, me)->data,
NULL))) {
goto cleanup;
}
increds.client = me;
increds.server = server;
increds.times.endtime = 0;
increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
if ((code = pkrb5_get_credentials(ctx, 0,
cc,
&increds,
&v5creds))) {
goto cleanup;
}
if ((icode = pkrb524_convert_creds_kdc(ctx,
v5creds,
v4creds))) {
goto cleanup;
}
/* initialize ticket cache */
if ((icode = pkrb_in_tkt(v4creds->pname, v4creds->pinst, v4creds->realm)
!= KSUCCESS)) {
goto cleanup;
}
/* stash ticket, session key, etc. for future use */
if ((icode = pkrb_save_credentials(v4creds->service,
v4creds->instance,
v4creds->realm,
v4creds->session,
v4creds->lifetime,
v4creds->kvno,
&(v4creds->ticket_st),
v4creds->issue_date))) {
goto cleanup;
}
cleanup:
memset(v4creds, 0, sizeof(v4creds));
free(v4creds);
if (v5creds) {
pkrb5_free_creds(ctx, v5creds);
}
if (increds.client == me)
me = 0;
if (increds.server == server)
server = 0;
pkrb5_free_cred_contents(ctx, &increds);
if (server) {
pkrb5_free_principal(ctx, server);
}
if (me) {
pkrb5_free_principal(ctx, me);
}
pkrb5_cc_close(ctx, cc);
if (ctx && (ctx != alt_ctx)) {
pkrb5_free_context(ctx);
}
return !(code || icode);
#endif /* NO_KRB5 */
}
int
LeashKRB5_renew(void)
{
#ifdef NO_KRB5
return(0);
#else
krb5_error_code code = 0;
krb5_context ctx = 0;
krb5_ccache cc = 0;
krb5_principal me = 0;
krb5_principal server = 0;
krb5_creds my_creds;
krb5_data *realm = 0;
if ( !pkrb5_init_context )
goto cleanup;
memset(&my_creds, 0, sizeof(krb5_creds));
code = pkrb5_init_context(&ctx);
if (code) goto cleanup;
code = pkrb5_cc_default(ctx, &cc);
if (code) goto cleanup;
code = pkrb5_cc_get_principal(ctx, cc, &me);
if (code) goto cleanup;
realm = krb5_princ_realm(ctx, me);
code = pkrb5_build_principal_ext(ctx, &server,
realm->length,realm->data,
KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
realm->length,realm->data,
0);
if ( code ) goto cleanup;
my_creds.client = me;
my_creds.server = server;
#ifdef KRB5_TC_NOTICKET
pkrb5_cc_set_flags(ctx, cc, 0);
#endif
code = pkrb5_get_renewed_creds(ctx, &my_creds, me, cc, NULL);
#ifdef KRB5_TC_NOTICKET
pkrb5_cc_set_flags(ctx, cc, KRB5_TC_NOTICKET);
#endif
if (code) {
if ( code != KRB5KDC_ERR_ETYPE_NOSUPP ||
code != KRB5_KDC_UNREACH)
Leash_krb5_error(code, "krb5_get_renewed_creds()", 0, &ctx, &cc);
goto cleanup;
}
code = pkrb5_cc_initialize(ctx, cc, me);
if (code) goto cleanup;
code = pkrb5_cc_store_cred(ctx, cc, &my_creds);
if (code) goto cleanup;
cleanup:
if (my_creds.client == me)
my_creds.client = 0;
if (my_creds.server == server)
my_creds.server = 0;
pkrb5_free_cred_contents(ctx, &my_creds);
if (me)
pkrb5_free_principal(ctx, me);
if (server)
pkrb5_free_principal(ctx, server);
if (cc)
pkrb5_cc_close(ctx, cc);
if (ctx)
pkrb5_free_context(ctx);
return(code);
#endif /* NO_KRB5 */
}
int
do_ccache(krb5_context ctx,
krb5_ccache cache,
TICKETINFO ***ticketInfoTail)
{
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ = NULL;
krb5_flags flags;
krb5_error_code code;
char *defname = NULL;
char *functionName = NULL;
TicketList **ticketListTail;
TICKETINFO *ticketinfo;
flags = 0; /* turns off OPENCLOSE mode */
code = pkrb5_cc_set_flags(ctx, cache, flags);
if (code) {
functionName = "krb5_cc_set_flags";
goto cleanup;
}
code = pkrb5_cc_get_principal(ctx, cache, &princ);
if (code) {
functionName = "krb5_cc_get_principal";
goto cleanup;
}
code = pkrb5_unparse_name(ctx, princ, &defname);
if (code) {
functionName = "krb5_unparse_name";
goto cleanup;
}
code = pkrb5_cc_start_seq_get(ctx, cache, &cur);
if (code) {
functionName = "krb5_cc_start_seq_get";
goto cleanup;
}
ticketinfo = calloc(1, sizeof(TICKETINFO));
if (ticketinfo == NULL) {
functionName = "calloc";
code = ENOMEM;
goto cleanup;
}
ticketinfo->next = NULL;
ticketinfo->ticket_list = NULL;
ticketinfo->principal = strdup(defname);
if (ticketinfo->principal == NULL) {
functionName = "strdup";
code = ENOMEM;
goto cleanup;
}
ticketinfo->ccache_name = strdup(pkrb5_cc_get_name(ctx, cache));
if (ticketinfo->ccache_name == NULL) {
functionName = "strdup";
code = ENOMEM;
goto cleanup;
}
**ticketInfoTail = ticketinfo;
*ticketInfoTail = &ticketinfo->next;
ticketListTail = &ticketinfo->ticket_list;
while (!(code = pkrb5_cc_next_cred(ctx, cache, &cur, &creds))) {
if (pkrb5_is_config_principal(ctx, creds.server))
continue;
CredToTicketList(ctx, creds, defname, &ticketListTail);
CredToTicketInfo(creds, ticketinfo);
pkrb5_free_cred_contents(ctx, &creds);
}
if (code == KRB5_CC_END) {
code = pkrb5_cc_end_seq_get(ctx, cache, &cur);
if (code) {
functionName = "krb5_cc_end_seq_get";
goto cleanup;
}
flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
code = pkrb5_cc_set_flags(ctx, cache, flags);
if (code) {
functionName = "krb5_cc_set_flags";
goto cleanup;
}
} else {
functionName = "krb5_cc_next_cred";
goto cleanup;
}
cleanup:
if (code) {
Leash_krb5_error(code, functionName, 0, NULL, NULL);
}
if (princ)
pkrb5_free_principal(ctx, princ);
if (defname)
pkrb5_free_unparsed_name(ctx, defname);
return code ? 1 : 0;
}
BOOL
Leash_ms2mit(BOOL save_creds)
{
#ifdef NO_KRB5
return(FALSE);
#else /* NO_KRB5 */
krb5_context kcontext = 0;
krb5_error_code code;
krb5_ccache ccache=0;
krb5_ccache mslsa_ccache=0;
krb5_creds creds;
krb5_cc_cursor cursor=0;
krb5_principal princ = 0;
BOOL rc = FALSE;
if ( !pkrb5_init_context )
goto cleanup;
if (code = pkrb5_init_context(&kcontext))
goto cleanup;
if (code = pkrb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache))
goto cleanup;
if ( save_creds ) {
if (code = pkrb5_cc_get_principal(kcontext, mslsa_ccache, &princ))
goto cleanup;
if (code = pkrb5_cc_default(kcontext, &ccache))
goto cleanup;
if (code = pkrb5_cc_initialize(kcontext, ccache, princ))
goto cleanup;
if (code = pkrb5_cc_copy_creds(kcontext, mslsa_ccache, ccache))
goto cleanup;
rc = TRUE;
} else {
/* Enumerate tickets from cache looking for an initial ticket */
if ((code = pkrb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor)))
goto cleanup;
while (!(code = pkrb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds)))
{
if ( creds.ticket_flags & TKT_FLG_INITIAL ) {
rc = TRUE;
pkrb5_free_cred_contents(kcontext, &creds);
break;
}
pkrb5_free_cred_contents(kcontext, &creds);
}
pkrb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);
}
cleanup:
if (princ)
pkrb5_free_principal(kcontext, princ);
if (ccache)
pkrb5_cc_close(kcontext, ccache);
if (mslsa_ccache)
pkrb5_cc_close(kcontext, mslsa_ccache);
if (kcontext)
pkrb5_free_context(kcontext);
return(rc);
#endif /* NO_KRB5 */
}
khm_int32 KHMAPI
khm_get_identity_expiration_time(krb5_context ctx, krb5_ccache cc,
khm_handle ident,
krb5_timestamp * pexpiration)
{
krb5_principal principal = 0;
char * princ_name = NULL;
krb5_creds creds;
krb5_error_code code;
krb5_error_code cc_code;
krb5_cc_cursor cur;
krb5_timestamp now, expiration = 0;
wchar_t w_ident_name[KCDB_IDENT_MAXCCH_NAME];
char ident_name[KCDB_IDENT_MAXCCH_NAME];
khm_size cb;
khm_int32 rv = KHM_ERROR_NOT_FOUND;
if (!ctx || !cc || !ident || !pexpiration)
return KHM_ERROR_GENERAL;
code = pkrb5_cc_get_principal(ctx, cc, &principal);
if ( code )
return KHM_ERROR_INVALID_PARAM;
cb = sizeof(w_ident_name);
kcdb_identity_get_name(ident, w_ident_name, &cb);
UnicodeStrToAnsi(ident_name, sizeof(ident_name), w_ident_name);
code = pkrb5_unparse_name(ctx, principal, &princ_name);
/* compare principal to ident. */
if ( code || !princ_name ||
strcmp(princ_name, ident_name) ) {
if (princ_name)
pkrb5_free_unparsed_name(ctx, princ_name);
pkrb5_free_principal(ctx, principal);
return KHM_ERROR_UNKNOWN;
}
pkrb5_free_unparsed_name(ctx, princ_name);
pkrb5_free_principal(ctx, principal);
code = pkrb5_timeofday(ctx, &now);
if (code)
return KHM_ERROR_UNKNOWN;
cc_code = pkrb5_cc_start_seq_get(ctx, cc, &cur);
while (!(cc_code = pkrb5_cc_next_cred(ctx, cc, &cur, &creds))) {
krb5_data * c0 = krb5_princ_name(ctx, creds.server);
krb5_data * c1 = krb5_princ_component(ctx, creds.server, 1);
krb5_data * r = krb5_princ_realm(ctx, creds.server);
if ( c0 && c1 && r && c1->length == r->length &&
!strncmp(c1->data,r->data,r->length) &&
!strncmp("krbtgt",c0->data,c0->length) ) {
/* we have a TGT, check for the expiration time.
* if it is valid and renewable, use the renew time
*/
if (!(creds.ticket_flags & TKT_FLG_INVALID) &&
creds.times.starttime < (now + TIMET_TOLERANCE) &&
(creds.times.endtime + TIMET_TOLERANCE) > now) {
expiration = creds.times.endtime;
if ((creds.ticket_flags & TKT_FLG_RENEWABLE) &&
(creds.times.renew_till > creds.times.endtime)) {
expiration = creds.times.renew_till;
}
}
}
}
if (cc_code == KRB5_CC_END) {
cc_code = pkrb5_cc_end_seq_get(ctx, cc, &cur);
rv = KHM_ERROR_SUCCESS;
*pexpiration = expiration;
}
return rv;
}
