BOOL
Leash_ms2mit(BOOL save_creds)
{
#ifdef NO_KRB5
return(FALSE);
#else /* NO_KRB5 */
krb5_context kcontext = 0;
krb5_error_code code;
krb5_ccache ccache=0;
krb5_ccache mslsa_ccache=0;
krb5_creds creds;
krb5_cc_cursor cursor=0;
krb5_principal princ = 0;
BOOL rc = FALSE;
if ( !pkrb5_init_context )
goto cleanup;
if (code = pkrb5_init_context(&kcontext))
goto cleanup;
if (code = pkrb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache))
goto cleanup;
if ( save_creds ) {
if (code = pkrb5_cc_get_principal(kcontext, mslsa_ccache, &princ))
goto cleanup;
if (code = pkrb5_cc_default(kcontext, &ccache))
goto cleanup;
if (code = pkrb5_cc_initialize(kcontext, ccache, princ))
goto cleanup;
if (code = pkrb5_cc_copy_creds(kcontext, mslsa_ccache, ccache))
goto cleanup;
rc = TRUE;
} else {
/* Enumerate tickets from cache looking for an initial ticket */
if ((code = pkrb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor)))
goto cleanup;
while (!(code = pkrb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds)))
{
if ( creds.ticket_flags & TKT_FLG_INITIAL ) {
rc = TRUE;
pkrb5_free_cred_contents(kcontext, &creds);
break;
}
pkrb5_free_cred_contents(kcontext, &creds);
}
pkrb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);
}
cleanup:
if (princ)
pkrb5_free_principal(kcontext, princ);
if (ccache)
pkrb5_cc_close(kcontext, ccache);
if (mslsa_ccache)
pkrb5_cc_close(kcontext, mslsa_ccache);
if (kcontext)
pkrb5_free_context(kcontext);
return(rc);
#endif /* NO_KRB5 */
}
int
do_ccache(krb5_context ctx,
krb5_ccache cache,
TICKETINFO ***ticketInfoTail)
{
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ = NULL;
krb5_flags flags;
krb5_error_code code;
char *defname = NULL;
char *functionName = NULL;
TicketList **ticketListTail;
TICKETINFO *ticketinfo;
flags = 0; /* turns off OPENCLOSE mode */
code = pkrb5_cc_set_flags(ctx, cache, flags);
if (code) {
functionName = "krb5_cc_set_flags";
goto cleanup;
}
code = pkrb5_cc_get_principal(ctx, cache, &princ);
if (code) {
functionName = "krb5_cc_get_principal";
goto cleanup;
}
code = pkrb5_unparse_name(ctx, princ, &defname);
if (code) {
functionName = "krb5_unparse_name";
goto cleanup;
}
code = pkrb5_cc_start_seq_get(ctx, cache, &cur);
if (code) {
functionName = "krb5_cc_start_seq_get";
goto cleanup;
}
ticketinfo = calloc(1, sizeof(TICKETINFO));
if (ticketinfo == NULL) {
functionName = "calloc";
code = ENOMEM;
goto cleanup;
}
ticketinfo->next = NULL;
ticketinfo->ticket_list = NULL;
ticketinfo->principal = strdup(defname);
if (ticketinfo->principal == NULL) {
functionName = "strdup";
code = ENOMEM;
goto cleanup;
}
ticketinfo->ccache_name = strdup(pkrb5_cc_get_name(ctx, cache));
if (ticketinfo->ccache_name == NULL) {
functionName = "strdup";
code = ENOMEM;
goto cleanup;
}
**ticketInfoTail = ticketinfo;
*ticketInfoTail = &ticketinfo->next;
ticketListTail = &ticketinfo->ticket_list;
while (!(code = pkrb5_cc_next_cred(ctx, cache, &cur, &creds))) {
if (pkrb5_is_config_principal(ctx, creds.server))
continue;
CredToTicketList(ctx, creds, defname, &ticketListTail);
CredToTicketInfo(creds, ticketinfo);
pkrb5_free_cred_contents(ctx, &creds);
}
if (code == KRB5_CC_END) {
code = pkrb5_cc_end_seq_get(ctx, cache, &cur);
if (code) {
functionName = "krb5_cc_end_seq_get";
goto cleanup;
}
flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
code = pkrb5_cc_set_flags(ctx, cache, flags);
if (code) {
functionName = "krb5_cc_set_flags";
goto cleanup;
}
} else {
functionName = "krb5_cc_next_cred";
goto cleanup;
}
cleanup:
if (code) {
Leash_krb5_error(code, functionName, 0, NULL, NULL);
}
if (princ)
pkrb5_free_principal(ctx, princ);
if (defname)
pkrb5_free_unparsed_name(ctx, defname);
return code ? 1 : 0;
}
khm_int32 KHMAPI
khm_get_identity_expiration_time(krb5_context ctx, krb5_ccache cc,
khm_handle ident,
krb5_timestamp * pexpiration)
{
krb5_principal principal = 0;
char * princ_name = NULL;
krb5_creds creds;
krb5_error_code code;
krb5_error_code cc_code;
krb5_cc_cursor cur;
krb5_timestamp now, expiration = 0;
wchar_t w_ident_name[KCDB_IDENT_MAXCCH_NAME];
char ident_name[KCDB_IDENT_MAXCCH_NAME];
khm_size cb;
khm_int32 rv = KHM_ERROR_NOT_FOUND;
if (!ctx || !cc || !ident || !pexpiration)
return KHM_ERROR_GENERAL;
code = pkrb5_cc_get_principal(ctx, cc, &principal);
if ( code )
return KHM_ERROR_INVALID_PARAM;
cb = sizeof(w_ident_name);
kcdb_identity_get_name(ident, w_ident_name, &cb);
UnicodeStrToAnsi(ident_name, sizeof(ident_name), w_ident_name);
code = pkrb5_unparse_name(ctx, principal, &princ_name);
/* compare principal to ident. */
if ( code || !princ_name ||
strcmp(princ_name, ident_name) ) {
if (princ_name)
pkrb5_free_unparsed_name(ctx, princ_name);
pkrb5_free_principal(ctx, principal);
return KHM_ERROR_UNKNOWN;
}
pkrb5_free_unparsed_name(ctx, princ_name);
pkrb5_free_principal(ctx, principal);
code = pkrb5_timeofday(ctx, &now);
if (code)
return KHM_ERROR_UNKNOWN;
cc_code = pkrb5_cc_start_seq_get(ctx, cc, &cur);
while (!(cc_code = pkrb5_cc_next_cred(ctx, cc, &cur, &creds))) {
krb5_data * c0 = krb5_princ_name(ctx, creds.server);
krb5_data * c1 = krb5_princ_component(ctx, creds.server, 1);
krb5_data * r = krb5_princ_realm(ctx, creds.server);
if ( c0 && c1 && r && c1->length == r->length &&
!strncmp(c1->data,r->data,r->length) &&
!strncmp("krbtgt",c0->data,c0->length) ) {
/* we have a TGT, check for the expiration time.
* if it is valid and renewable, use the renew time
*/
if (!(creds.ticket_flags & TKT_FLG_INVALID) &&
creds.times.starttime < (now + TIMET_TOLERANCE) &&
(creds.times.endtime + TIMET_TOLERANCE) > now) {
expiration = creds.times.endtime;
if ((creds.ticket_flags & TKT_FLG_RENEWABLE) &&
(creds.times.renew_till > creds.times.endtime)) {
expiration = creds.times.renew_till;
}
}
}
}
if (cc_code == KRB5_CC_END) {
cc_code = pkrb5_cc_end_seq_get(ctx, cc, &cur);
rv = KHM_ERROR_SUCCESS;
*pexpiration = expiration;
}
return rv;
}
