| author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2007-04-12 03:40:25 +0000 |
|---|---|---|
| committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2007-04-12 03:40:25 +0000 |
| commit | 533ef6384b14e3e9309f1bd3cd71e290781b883e (patch) | |
| tree | b3773607ae23b09a6e8863ca87473fbe0b500daa /src/windows/identity/plugins | |
| parent | f5068b637639b6d7fff228b78f2d45baa4140ab0 (diff) | |
KFW 3.2 Beta 2 commits
NetIDMgr 1.2.0.2
================
nidmgr32.dll
- When the root credential set is touched, trigger an identity
refresh. This is necessary to ensure that the identity list
has a complete state of the world when the identity provider
attempts to initialize an initial default identity when none
previously existed. (see krb5cred.dll section)
- Don't set the enabled state for KHUI_ACTION_DESTROY_CRED and
KHUI_ACTION_RENEW_CRED actions. They are set elsewhere.
krb5common.obj
- Initialize variables to prevent uninitialized use.
krb4cred.dll
- Re-order controls and use CheckRadioButton() for manipulating the
radio buttons which select the ticket acquisition method.
- Use symbolic constants instead of numbers.
- If Kerberos 4 is enabled for a specific identity, then that setting
takes precedence over the global setting. The global setting is
merely a default if a per-identity setting is not specified.
However, a per-identity setting is only read for the default
identity.
- If the validity of an identity is not known, assume that it is still
being checked and don't display any credential text.
- When handling WM_COMMAND messages for the new credentials panel,
only update the data when a BN_CLICKED message is received and only
update the display if the IDC_NCK4_OBTAIN checkbox is toggled.
- Remove unused symbols from langres.h
krb5cred.dll
- When renewing an identity which was imported, first try to import it
again. If that fails to obtain newer tickets, then try initializing
the MSLSA cache and then importing again.
- Correct spelling: k5_ident_valiate_name() ->
k5_ident_validate_name().
- Refactor the code for setting an identity as the default so we can
call it internally.
- When setting the initial default identity, if there is no current
default ccache and no known last default identity, then look through
the list of ccaches with credentials and pick one with valid
tickets. If all else fails, then pick any of the ccaches.
netidmgr.exe
- Credentials Window
- Consistently use KHUI_CW_O_RELIDENT as a necessary and sufficient
indicator that the identity needs to be released when freeing an
outline node.
- Properly initialize an outline node.
- Don't group similar credentials if we aren't sorting/grouping by
any specific column.
- Use the KHUI_CW_O_EMPTY flag to indicate that an outline node
contains no children.
- Handle the case where we aren't sorting/grouping by any column.
- Make sure outline nodes have valid idx_start and idx_end values.
- Use consistent logic when painting and handling mouse hotspots.
- Don't use WS_EX_TRANSPARENT when creating the notification window.
- Use a fixed height for the notification window.
- Update the outline when the default identity changes.
- Hypertext Window
- Correctly handle the "center" attribute in the "p" element.
- Use a system brush for painting the background instead of creating
one of our own.
- Correct the handling of scroll_left and scroll_top when
calculating the coordinates for text.
- Don't check if the rectangle for the text is inside the visible
area of the window before drawing.
- Handle WM_ERASEBKGND and use a system color brush to erase the
background.
- When the size changes, force the extents to be recomputed. This
will also update the scroll bars.
- Use the proper return value after handling WM_PAINT.
- The scrollbar messages send the operation code in the low word of
wParam, not the high word.
- Use GetScrollInfo() with SIF_POS when the operation is
SB_ENDSCROLL or SB_THUMBPOSITION.
- When the hottracked link changes for a transparent window, don't
invalidate the entire parent window. Instead use
MapWindowPoints() to calculate the affected rectangle and
invalidate that.
- Misc
- Change the text of the IDS_NO_CREDS message so that it renders
better on a small window.
- Initialize COM when starting the GUI.
- When showing and hiding the main window and the new credentials
window, add a button to the task bar. This allows the user to
switch focus to the window if it's obstructed.
- Remove unused symbols from resource.h
- New Credentials Window
- Ignore the validity state of the identity when showing a password
change dialog. We don't expect the identity provider to validate
the identity when changing the password.
ticket: new
component: windows
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19426 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/identity/plugins')
| -rw-r--r-- | src/windows/identity/plugins/common/krb5common.c | 4 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb4/krb4newcreds.c | 72 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb4/lang/en_us/langres.rc | 6 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb4/langres.h | 55 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/krb5funcs.c | 80 | ||||
| -rw-r--r-- | src/windows/identity/plugins/krb5/krb5identpro.c | 319 |
6 files changed, 326 insertions, 210 deletions
diff --git a/src/windows/identity/plugins/common/krb5common.c b/src/windows/identity/plugins/common/krb5common.c
index 759641ff7..6c3958694 100644
--- a/src/windows/identity/plugins/common/krb5common.c
+++ b/src/windows/identity/plugins/common/krb5common.c
@@ -90,8 +90,8 @@ khm_krb5_initialize(khm_handle ident,
return(0);
#else
- LPCSTR functionName;
- int freeContextFlag;
+ LPCSTR functionName = NULL;
+ int freeContextFlag = 0;
krb5_error_code rc = 0;
krb5_flags flags = 0;
diff --git a/src/windows/identity/plugins/krb4/krb4newcreds.c b/src/windows/identity/plugins/krb4/krb4newcreds.c
index 81c16162d..54feae5b3 100644
--- a/src/windows/identity/plugins/krb4/krb4newcreds.c
+++ b/src/windows/identity/plugins/krb4/krb4newcreds.c
@@ -55,33 +55,25 @@ typedef struct tag_k4_dlg_data {
time_t lifetime;
} k4_dlg_data;
-void k4_update_display(k4_dlg_data * d) {
- int i;
-
+void k4_update_display(k4_dlg_data * d, BOOL update_methods) {
CheckDlgButton(d->hwnd, IDC_NCK4_OBTAIN,
(d->k4_enabled)?BST_CHECKED: BST_UNCHECKED);
if (d->k4_enabled) {
EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_AUTO), TRUE);
- EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_PWD ), TRUE);
EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_K524), TRUE);
+ EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_PWD ), TRUE);
} else {
EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_AUTO), FALSE);
- EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_PWD ), FALSE);
EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_K524), FALSE);
+ EnableWindow(GetDlgItem(d->hwnd, IDC_NCK4_PWD ), FALSE);
}
#ifdef DEBUG
assert(d->method >= 0 && d->method < ARRAYLENGTH(method_to_id));
#endif
- CheckDlgButton(d->hwnd, method_to_id[d->method], BST_CHECKED);
-
- for (i=0; i < ARRAYLENGTH(method_to_id); i++) {
- if (i != d->method && method_to_id[i] != 0)
- CheckDlgButton(d->hwnd, method_to_id[d->method],
- BST_UNCHECKED);
- }
+ CheckRadioButton(d->hwnd, IDC_NCK4_AUTO, IDC_NCK4_PWD, method_to_id[d->method]);
khui_cw_enable_type(d->nc, credtype_id_krb4, d->k4_enabled);
}
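Review bot: The new `update_methods` parameter of k4_update_display is never read — `CheckRadioButton(d->hwnd, IDC_NCK4_AUTO, IDC_NCK4_PWD, method_to_id[d->method]);` runs unconditionally — so either the radio-button update should be gated on it, presumably `if (update_methods) CheckRadioButton(d->hwnd, IDC_NCK4_AUTO, IDC_NCK4_PWD, method_to_id[d->method]);`, or the parameter should be dropped. That call also relies on IDC_NCK4_AUTO, IDC_NCK4_K524 and IDC_NCK4_PWD forming a contiguous ascending ID range (the renumbering in langres.h in this same commit) and on method_to_id[] mapping every K4_METHOD_* value into that range; a comment at the call site, `/* requires IDC_NCK4_AUTO..IDC_NCK4_PWD to be consecutive control IDs */`, would keep a later resource-file regeneration from silently breaking it.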
@@ -103,7 +95,7 @@ void k4_update_data(k4_dlg_data * d) {
khui_cw_enable_type(d->nc, credtype_id_krb4, d->k4_enabled);
}
- d->method = 0;
+ d->method = K4_METHOD_AUTO;
for (i=K4_METHOD_AUTO; i<=K4_METHOD_K524; i++) {
if (IsDlgButtonChecked(d->hwnd, method_to_id[i]) == BST_CHECKED) {
@@ -119,19 +111,16 @@ khm_boolean k4_should_identity_get_k4(khm_handle ident) {
khm_handle csp_ident = NULL;
khm_handle csp_k4 = NULL;
khm_boolean get_k4 = TRUE;
-
- if (KHM_SUCCEEDED(khc_read_int32(csp_params, L"Krb4NewCreds", &t)) &&
- !t)
- return FALSE;
+ khm_boolean id_spec = FALSE;
if (KHM_FAILED(kcdb_identity_get_flags(ident, &idflags)))
return FALSE;
if (!(idflags & KCDB_IDENT_FLAG_DEFAULT)) {
/* we only support k4 for one identity, and that is the
- default identity. If we are trying to get tickets for
- a non-default identity, then we start off as
- disabled. */
+ default identity. If we are trying to get tickets for a
+ non-default identity, then we start off as disabled unless
+ there is no default identity. */
khm_handle defident = NULL;
@@ -146,16 +135,27 @@ khm_boolean k4_should_identity_get_k4(khm_handle ident) {
if (KHM_SUCCEEDED(khc_open_space(csp_ident, CSNAME_KRB4CRED, 0,
&csp_k4))) {
khm_int32 t = 0;
- if (KHM_SUCCEEDED(khc_read_int32(csp_k4, L"Krb4NewCreds", &t)) &&
- !t)
- get_k4 = FALSE;
+
+ if (KHM_SUCCEEDED(khc_read_int32(csp_k4, L"Krb4NewCreds", &t))) {
+ get_k4 = !!t;
+ id_spec = TRUE;
+ }
khc_close_space(csp_k4);
}
khc_close_space(csp_ident);
}
- return get_k4;
+ /* if there was a value specified for the identity, then that
+ takes precedence. */
+ if (id_spec || !get_k4)
+ return get_k4;
+
+ if (KHM_SUCCEEDED(khc_read_int32(csp_params, L"Krb4NewCreds", &t)) &&
+ !t)
+ return FALSE;
+
+ return TRUE;
}
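Review bot: When neither a per-identity value nor a readable global `Krb4NewCreds` value exists, the final `return TRUE;` enables Kerberos 4 acquisition, so an absent or unreadable configuration silently turns the feature on rather than off; that default deserves a comment above the khc_read_int32(csp_params, ...) call, e.g. `/* no per-identity and no global Krb4NewCreds setting: acquisition defaults to enabled */`. The `t` and `csp_params` used by that call are declared outside this hunk, and k4_should_identity_get_k4 itself begins before it. For a non-default identity the early `if (id_spec || !get_k4) return get_k4;` returns whatever get_k4 was set to in the preceding hunk, if I read the control flow correctly, so the new precedence rule only ever applies to the default identity — worth stating in the comment since the commit message says the same.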
void k4_read_identity_data(k4_dlg_data * d) {
@@ -257,8 +257,9 @@ void k4_handle_wmnc_notify(k4_dlg_data * d,
kcdb_identity_get_flags(d->nc->identities[0], &flags);
- if (flags & KCDB_IDENT_FLAG_INVALID)
+ if (!(flags & KCDB_IDENT_FLAG_VALID)) {
break;
+ }
cb = sizeof(idname);
kcdb_identity_get_name(d->nc->identities[0], idname,
@@ -321,7 +322,7 @@ void k4_handle_wmnc_notify(k4_dlg_data * d,
case WMNC_IDENTITY_CHANGE:
k4_read_identity_data(d);
- k4_update_display(d);
+ k4_update_display(d, TRUE);
break;
case WMNC_CREDTEXT_LINK:
@@ -343,7 +344,7 @@ void k4_handle_wmnc_notify(k4_dlg_data * d,
if (!wcscmp(wids, L"Enable")) {
d->k4_enabled = TRUE;
- k4_update_display(d);
+ k4_update_display(d, TRUE);
khui_cw_enable_type(d->nc, credtype_id_krb4, TRUE);
}
}
@@ -378,17 +379,24 @@ INT_PTR CALLBACK k4_nc_dlg_proc(HWND hwnd,
d->k4_enabled = TRUE;
d->method = K4_METHOD_AUTO;
- k4_update_display(d);
+ k4_update_display(d, TRUE);
}
break;
case WM_COMMAND:
{
- d = (k4_dlg_data *) (LONG_PTR)
- GetWindowLongPtr(hwnd, DWLP_USER);
+ if (HIWORD(wParam) == BN_CLICKED) {
+ d = (k4_dlg_data *) (LONG_PTR)
+ GetWindowLongPtr(hwnd, DWLP_USER);
+
+ k4_update_data(d);
- k4_update_data(d);
- k4_update_display(d);
+ if (LOWORD(wParam) == IDC_NCK4_OBTAIN) {
+ k4_update_display(d, TRUE);
+ }
+
+ return TRUE;
+ }
}
break;
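Review bot: On the BN_CLICKED path `d` is read from DWLP_USER and passed straight to k4_update_data(d) with no NULL check; GetWindowLongPtr returns 0 if nothing has been stored there yet, so if a button notification can arrive before the initialisation path at the top of this hunk has filled `d`, this dereferences NULL. A `if (d == NULL) break;` right after the GetWindowLongPtr call closes that, and since the branch is being reworked anyway it is the natural moment to add it (the pre-change code had the same gap). k4_nc_dlg_proc begins and ends outside this hunk.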
diff --git a/src/windows/identity/plugins/krb4/lang/en_us/langres.rc b/src/windows/identity/plugins/krb4/lang/en_us/langres.rc
index f7a849e24..12c3903f5 100644
--- a/src/windows/identity/plugins/krb4/lang/en_us/langres.rc
+++ b/src/windows/identity/plugins/krb4/lang/en_us/langres.rc
@@ -60,9 +60,9 @@ BEGIN
CONTROL "Kerberos v4 Ticket Options",IDC_STATIC,"Static",SS_LEFTNOWORDWRAP | SS_SUNKEN | WS_GROUP,7,7,286,11
CONTROL "Obtain Kerberos v4 credentials",IDC_NCK4_OBTAIN,"Button",BS_AUTOCHECKBOX | BS_NOTIFY | WS_TABSTOP,7,26,128,10
GROUPBOX "Obtain Kerberos v4 credentials using",IDC_STATIC,7,43,286,72,WS_GROUP
- CONTROL "Automatically determine method",IDC_NCK4_AUTO,"Button",BS_AUTORADIOBUTTON | WS_GROUP | WS_TABSTOP,23,58,152,10
- CONTROL "Kerberos v5 to v4 translation",IDC_NCK4_K524,"Button",BS_AUTORADIOBUTTON,23,76,152,10
- CONTROL "Password",IDC_NCK4_PWD,"Button",BS_AUTORADIOBUTTON,23,94,152,10
+ CONTROL "Automatically determine method",IDC_NCK4_AUTO,"Button",BS_AUTORADIOBUTTON,22,59,119,10
+ CONTROL "Kerberos v5 to v4 translation",IDC_NCK4_K524,"Button",BS_AUTORADIOBUTTON,22,76,109,10
+ CONTROL "Password",IDC_NCK4_PWD,"Button",BS_AUTORADIOBUTTON,22,93,47,10
END
IDD_CFG_KRB4 DIALOGEX 0, 0, 255, 182
diff --git a/src/windows/identity/plugins/krb4/langres.h b/src/windows/identity/plugins/krb4/langres.h
index 2cf0de137..c78ae4167 100644
--- a/src/windows/identity/plugins/krb4/langres.h
+++ b/src/windows/identity/plugins/krb4/langres.h
@@ -2,76 +2,27 @@
// Microsoft Visual C++ generated include file.
// Used by C:\work\pismere\athena\auth\krb5\src\windows\identity\plugins\krb4\lang\en_us\langres.rc
//
-#define IDS_UNK_ADDR_FMT 101
-#define IDS_KRB5_CREDTEXT_0 102
#define IDD_NC_KRB4 103
#define IDS_PLUGIN_DESC 103
-#define IDS_KEY_ENCTYPE_SHORT_DESC 104
#define IDD_CFG_KRB4 104
#define IDS_NC_K4_SHORT 104
-#define IDS_TKT_ENCTYPE_SHORT_DESC 105
#define IDS_ERR_REALM 105
#define IDD_CFG_IDS_KRB4 105
-#define IDS_KEY_ENCTYPE_LONG_DESC 106
#define IDS_ERR_PRINCIPAL 106
#define IDD_CFG_ID_KRB4 106
-#define IDS_TKT_ENCTYPE_LONG_DESC 107
#define IDS_ERR_INVINST 107
-#define IDI_ICON1 107
#define IDI_PLUGIN 107
-#define IDS_ADDR_LIST_SHORT_DESC 108
#define IDS_ERR_PWINTKT 108
-#define IDS_ADDR_LIST_LONG_DESC 109
#define IDS_CT_DISABLED 109
-#define IDS_ETYPE_NULL 110
#define IDS_CT_TGTFOR 110
-#define IDS_ETYPE_DES_CBC_CRC 111
#define IDS_METHOD_AUTO 111
-#define IDS_ETYPE_DES_CBC_MD4 112
#define IDS_METHOD_PWD 112
-#define IDS_ETYPE_DES_CBC_MD5 113
#define IDS_METHOD_K524 113
-#define IDS_ETYPE_DES_CBC_RAW 114
#define IDS_CFG_IDS_KRB4_SHORT 114
-#define IDS_ETYPE_DES3_CBC_SHA 115
-#define IDS_ETYPE_DES3_CBC_RAW 116
-#define IDS_ETYPE_DES_HMAC_SHA1 117
-#define IDS_ETYPE_DES3_CBC_SHA1 118
-#define IDS_ETYPE_AES128_CTS_HMAC_SHA1_96 119
-#define IDS_ETYPE_AES256_CTS_HMAC_SHA1_96 120
-#define IDS_ETYPE_ARCFOUR_HMAC 121
-#define IDS_ETYPE_ARCFOUR_HMAC_EXP 122
-#define IDS_ETYPE_UNKNOWN 123
-#define IDS_ETYPE_LOCAL_DES3_HMAC_SHA1 124
-#define IDS_ETYPE_LOCAL_RC4_MD4 125
-#define IDS_KRB5_SHORT_DESC 126
-#define IDS_KRB5_LONG_DESC 127
#define IDS_KRB4_SHORT_DESC 128
#define IDS_KRB4_LONG_DESC 129
-#define IDS_KRB5_FLAGS_SHORT_DESC 130
-#define IDS_RENEW_TILL_SHORT_DESC 131
-#define IDS_RENEW_TILL_LONG_DESC 132
-#define IDS_RENEW_FOR_SHORT_DESC 133
-#define IDS_RENEW_FOR_LONG_DESC 134
#define IDS_CFG_KRB4_LONG 135
#define IDS_CFG_KRB4_SHORT 136
-#define IDC_NCK5_RENEWABLE 1002
-#define IDC_NCK5_FORWARDABLE 1004
-#define IDC_NCK5_REALM 1005
-#define IDC_NCK5_ADD_REALMS 1006
-#define IDC_NCK5_LIFETIME_EDIT 1008
-#define IDC_NCK5_RENEW_EDIT 1009
-#define IDC_PPK5_CRENEW 1014
-#define IDC_PPK5_CFORWARD 1015
-#define IDC_PPK5_CPROXY 1016
-#define IDC_PPK5_NAME 1017
-#define IDC_PPK5_ISSUE 1018
-#define IDC_PPK5_VALID 1019
-#define IDC_PPK5_RENEW 1020
-#define IDC_CHECK2 1022
-#define IDC_CHECK4 1024
-#define IDC_PPK5_LIFETIME 1024
-#define IDC_CHECK5 1025
#define IDC_CFG_LBL_CACHE 1025
#define IDC_CFG_LBL_CFGFILE 1026
#define IDC_CFG_LBL_RLMPATH 1027
@@ -81,9 +32,9 @@
#define IDC_CFG_CFGBROW 1031
#define IDC_CFG_RLMBROW 1032
#define IDC_NCK4_OBTAIN 1033
-#define IDC_NCK4_PWD 1034
+#define IDC_NCK4_AUTO 1034
#define IDC_NCK4_K524 1035
-#define IDC_NCK4_AUTO 1036
+#define IDC_NCK4_PWD 1036
#define IDC_CFG_GETTIX 1037
// Next default values for new objects
@@ -92,7 +43,7 @@
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 108
#define _APS_NEXT_COMMAND_VALUE 40001
-#define _APS_NEXT_CONTROL_VALUE 1039
+#define _APS_NEXT_CONTROL_VALUE 1043
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c
index b924c1f4c..e66e755a7 100644
--- a/src/windows/identity/plugins/krb5/krb5funcs.c
+++ b/src/windows/identity/plugins/krb5/krb5funcs.c
@@ -1157,21 +1157,93 @@ khm_krb5_renew_ident(khm_handle identity)
kcdb_identity_get_name(identity, idname, &cb);
if (khm_krb5_get_identity_flags(identity) & K5IDFLAG_IMPORTED) {
-#ifdef REIMPORT_MSLSA_CREDS
+#ifndef NO_REIMPORT_MSLSA_CREDS
/* we are trying to renew the identity that was imported from
MSLSA: */
- BOOL imported;
- char cidname[KCDB_IDENT_MAXCCH_NAME];
+ BOOL imported;
+ BOOL retry_import = FALSE;
+ char cidname[KCDB_IDENT_MAXCCH_NAME];
+ khm_handle imported_id = NULL;
+ khm_size cb;
+ FILETIME ft_expire;
+ FILETIME ft_now;
+ FILETIME ft_threshold;
+ krb5_principal princ = NULL;
UnicodeStrToAnsi(cidname, sizeof(cidname), idname);
- imported = khm_krb5_ms2mit(cidname, FALSE, TRUE, NULL);
+ imported = khm_krb5_ms2mit(cidname, FALSE, TRUE, &imported_id);
+
+ if (imported == 0)
+ goto import_failed;
+
+ /* if the imported identity has already expired or will soon,
+ we clear the cache and try again. */
+ khm_krb5_list_tickets(&ctx);
+
+ cb = sizeof(ft_expire);
+ if (KHM_FAILED(kcdb_identity_get_attr(imported_id, KCDB_ATTR_EXPIRE,
+ NULL, &ft_expire, &cb)))
+ goto import_failed;
+
+ GetSystemTimeAsFileTime(&ft_now);
+ TimetToFileTimeInterval(5 * 60, &ft_threshold);
+
+ ft_now = FtAdd(&ft_now, &ft_threshold);
+
+ if (CompareFileTime(&ft_expire, &ft_now) < 0) {
+ /* the ticket lifetime is not long enough */
+
+ code = 0;
+
+ if (ctx == NULL)
+ code = pkrb5_init_context(&ctx);
+ if (code)
+ goto import_failed;
+
+ code = pkrb5_cc_resolve(ctx, "MSLSA:", &cc);
+ if (code)
+ goto import_failed;
+
+ code = pkrb5_cc_get_principal(ctx, cc, &princ);
+ if (code)
+ goto import_failed;
+
+ pkrb5_cc_initialize(ctx, cc, princ);
+
+ retry_import = TRUE;
+ }
+
+ import_failed:
+
+ if (imported_id) {
+ kcdb_identity_release(imported_id);
+ imported_id = NULL;
+ }
+
+ if (ctx) {
+ if (cc) {
+ pkrb5_cc_close(ctx, cc);
+ cc = NULL;
+ }
+
+ if (princ) {
+ pkrb5_free_principal(ctx, princ);
+ princ = NULL;
+ }
+
+ /* leave ctx so we can use it later */
+ }
+
+ if (retry_import)
+ imported = khm_krb5_ms2mit(cidname, FALSE, TRUE, NULL);
if (imported)
goto cleanup;
/* if the import failed, then we try to renew the identity via
the usual procedure. */
+
#else
/* if we are suppressing further imports from MSLSA, we just
skip renewing this identity. */
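Review bot: The new `khm_size cb;` inside the imported-identity block shadows the outer `cb` that `kcdb_identity_get_name(identity, idname, &cb);` uses just above the `if`; it is easy to misread and trips -Wshadow, and the outer variable appears free to reuse for the kcdb_identity_get_attr call, so the inner declaration can simply go. Separately, the return value of `pkrb5_cc_initialize(ctx, cc, princ);` is discarded, so a failed re-initialisation of the `MSLSA:` cache still sets `retry_import = TRUE` and the second khm_krb5_ms2mit runs against an unchanged cache; `code = pkrb5_cc_initialize(ctx, cc, princ); if (code) goto import_failed;` ties the retry to a successful reset. Note that switching to `#ifndef NO_REIMPORT_MSLSA_CREDS` makes this path the default, and re-initialising the LSA cache is, as far as I know, a session-wide side effect visible to other processes, which is worth one sentence in the comment at the top of the block. khm_krb5_renew_ident begins before and ends after this hunk, so `ctx`, `cc` and `code` are assumed to be declared and initialised outside it.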
diff --git a/src/windows/identity/plugins/krb5/krb5identpro.c b/src/windows/identity/plugins/krb5/krb5identpro.c
index bc77b26f0..834d94296 100644
--- a/src/windows/identity/plugins/krb5/krb5identpro.c
+++ b/src/windows/identity/plugins/krb5/krb5identpro.c
@@ -742,7 +742,7 @@ ui_cb(khui_new_creds * nc,
}
static khm_int32
-k5_ident_valiate_name(khm_int32 msg_type,
+k5_ident_validate_name(khm_int32 msg_type,
khm_int32 msg_subtype,
khm_ui_4 uparam,
void * vparam) {
@@ -802,6 +802,107 @@ k5_update_last_default_identity(khm_handle ident) {
}
static khm_int32
+k5_ident_set_default_int(khm_handle def_ident) {
+ wchar_t id_ccname[KRB5_MAXCCH_CCNAME];
+ khm_size cb;
+ DWORD dw;
+ LONG l;
+ HKEY hk_ccname;
+ DWORD dwType;
+ DWORD dwSize;
+ wchar_t reg_ccname[KRB5_MAXCCH_CCNAME];
+
+#ifdef DEBUG
+ assert(def_ident != NULL);
+#endif
+
+ cb = sizeof(id_ccname);
+ if (KHM_FAILED(kcdb_identity_get_attr(def_ident, attr_id_krb5_ccname, NULL,
+ id_ccname, &cb))) {
+ khm_handle csp_ident = NULL;
+ khm_handle csp_k5 = NULL;
+
+ _reportf(L"The specified identity does not have the Krb5CCName property");
+
+ cb = sizeof(id_ccname);
+ if (KHM_SUCCEEDED(kcdb_identity_get_config(def_ident, 0, &csp_ident)) &&
+ KHM_SUCCEEDED(khc_open_space(csp_ident, CSNAME_KRB5CRED, 0, &csp_k5)) &&
+ KHM_SUCCEEDED(khc_read_string(csp_k5, L"DefaultCCName",
+ id_ccname, &cb))) {
+
+ _reportf(L"Found CC name in configuration [%s]", id_ccname);
+ } else {
+ /* last resort, use the name of the identity as the cc
+ name */
+ cb = sizeof(id_ccname);
+ if (KHM_FAILED(kcdb_identity_get_name(def_ident, id_ccname, &cb))) {
+ _reportf(L"Can't use name of identity as CCName");
+ _end_task();
+
+ id_ccname[0] = L'\0';
+ }
+ }
+
+ if (csp_k5)
+ khc_close_space(csp_k5);
+ if (csp_ident)
+ khc_close_space(csp_ident);
+
+ if (id_ccname[0] == L'\0')
+ return KHM_ERROR_INVALID_PARAM;
+ }
+
+ khm_krb5_canon_cc_name(id_ccname, sizeof(id_ccname));
+
+ _reportf(L"Found Krb5CCName property : %s", id_ccname);
+
+ StringCbLength(id_ccname, sizeof(id_ccname), &cb);
+ cb += sizeof(wchar_t);
+
+ _reportf(L"Setting default CC name in the registry");
+
+ l = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\MIT\\kerberos5", 0,
+ KEY_READ | KEY_WRITE, &hk_ccname);
+
+ if (l != ERROR_SUCCESS)
+ l = RegCreateKeyEx(HKEY_CURRENT_USER, L"Software\\MIT\\kerberos5", 0,
+ NULL, REG_OPTION_NON_VOLATILE, KEY_READ | KEY_WRITE,
+ NULL, &hk_ccname, &dw);
+
+ if (l != ERROR_SUCCESS) {
+ _reportf(L"Can't create registry key : %d", l);
+ _end_task();
+ return KHM_ERROR_UNKNOWN;
+ }
+
+ dwSize = sizeof(reg_ccname);
+
+ l = RegQueryValueEx(hk_ccname, L"ccname", NULL, &dwType, (LPBYTE) reg_ccname,
+ &dwSize);
+
+ if (l != ERROR_SUCCESS ||
+ dwType != REG_SZ ||
+ khm_krb5_cc_name_cmp(reg_ccname, id_ccname)) {
+
+ /* we have to write the new value in */
+
+ l = RegSetValueEx(hk_ccname, L"ccname", 0, REG_SZ, (BYTE *) id_ccname,
+ (DWORD) cb);
+ }
+
+ RegCloseKey(hk_ccname);
+
+ if (l == ERROR_SUCCESS) {
+ _reportf(L"Successfully set the default ccache");
+ k5_update_last_default_identity(def_ident);
+ return KHM_ERROR_SUCCESS;
+ } else {
+ _reportf(L"Can't set the registry value : %d", l);
+ return KHM_ERROR_UNKNOWN;
+ }
+}
+
+static khm_int32
k5_ident_set_default(khm_int32 msg_type,
khm_int32 msg_subtype,
khm_ui_4 uparam,
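Review bot: The two `_end_task();` calls inside k5_ident_set_default_int (after "Can't use name of identity as CCName" and after "Can't create registry key") are now redundant with the unconditional `_end_task();` the caller makes after the helper returns in the later hunk (-840), so those two paths end the reporting task twice where the removed inline code ended it exactly once; the helper should only report and leave `_end_task()` to the caller, as its success and "Can't set the registry value" paths already do. A smaller point carried over from the moved code: `reg_ccname` is filled by RegQueryValueEx with dwSize bytes of REG_SZ data, which the registry does not guarantee to be NUL-terminated, yet it is handed to khm_krb5_cc_name_cmp as a string; passing `dwSize = sizeof(reg_ccname) - sizeof(wchar_t);` and, after a successful query, forcing `reg_ccname[dwSize / sizeof(wchar_t)] = L'\0';` bounds the comparison. A short header comment stating that the function writes `HKCU\Software\MIT\kerberos5\ccname` and returns KHM_ERROR_INVALID_PARAM when no ccache name can be derived would also help the new internal callers.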
@@ -815,14 +916,7 @@ k5_ident_set_default(khm_int32 msg_type,
if (uparam) {
/* an identity is being made default */
khm_handle def_ident = (khm_handle) vparam;
- wchar_t id_ccname[KRB5_MAXCCH_CCNAME];
- khm_size cb;
- DWORD dw;
- LONG l;
- HKEY hk_ccname;
- DWORD dwType;
- DWORD dwSize;
- wchar_t reg_ccname[KRB5_MAXCCH_CCNAME];
+ khm_int32 rv;
#ifdef DEBUG
assert(def_ident != NULL);
@@ -840,112 +934,11 @@ k5_ident_set_default(khm_int32 msg_type,
_describe();
}
- cb = sizeof(id_ccname);
- if (KHM_FAILED(kcdb_identity_get_attr(def_ident,
- attr_id_krb5_ccname,
- NULL,
- id_ccname,
- &cb))) {
- khm_handle csp_ident = NULL;
- khm_handle csp_k5 = NULL;
-
- _reportf(L"The specified identity does not have the Krb5CCName property");
-
- cb = sizeof(id_ccname);
- if (KHM_SUCCEEDED(kcdb_identity_get_config(def_ident, 0, &csp_ident)) &&
- KHM_SUCCEEDED(khc_open_space(csp_ident, CSNAME_KRB5CRED, 0, &csp_k5)) &&
- KHM_SUCCEEDED(khc_read_string(csp_k5, L"DefaultCCName",
- id_ccname, &cb))) {
-
- _reportf(L"Found CC name in configuration [%s]", id_ccname);
- } else {
- /* last resort, use the name of the identity as the cc
- name */
- cb = sizeof(id_ccname);
- if (KHM_FAILED(kcdb_identity_get_name(def_ident, id_ccname, &cb))) {
- _reportf(L"Can't use name of identity as CCName");
- _end_task();
-
- id_ccname[0] = L'\0';
- }
- }
-
- if (csp_k5)
- khc_close_space(csp_k5);
- if (csp_ident)
- khc_close_space(csp_ident);
-
- if (id_ccname[0] == L'\0')
- return KHM_ERROR_INVALID_PARAM;
- }
-
- khm_krb5_canon_cc_name(id_ccname, sizeof(id_ccname));
-
- _reportf(L"Found Krb5CCName property : %s", id_ccname);
-
- StringCbLength(id_ccname, sizeof(id_ccname), &cb);
- cb += sizeof(wchar_t);
-
- _reportf(L"Setting default CC name in the registry");
-
- l = RegOpenKeyEx(HKEY_CURRENT_USER,
- L"Software\\MIT\\kerberos5",
- 0,
- KEY_READ | KEY_WRITE,
- &hk_ccname);
-
- if (l != ERROR_SUCCESS)
- l = RegCreateKeyEx(HKEY_CURRENT_USER,
- L"Software\\MIT\\kerberos5",
- 0,
- NULL,
- REG_OPTION_NON_VOLATILE,
- KEY_READ | KEY_WRITE,
- NULL,
- &hk_ccname,
- &dw);
-
- if (l != ERROR_SUCCESS) {
- _reportf(L"Can't create registry key : %d", l);
- _end_task();
- return KHM_ERROR_UNKNOWN;
- }
-
- dwSize = sizeof(reg_ccname);
-
- l = RegQueryValueEx(hk_ccname,
- L"ccname",
- NULL,
- &dwType,
- (LPBYTE) reg_ccname,
- &dwSize);
-
- if (l != ERROR_SUCCESS ||
- dwType != REG_SZ ||
- khm_krb5_cc_name_cmp(reg_ccname, id_ccname)) {
-
- /* we have to write the new value in */
-
- l = RegSetValueEx(hk_ccname,
- L"ccname",
- 0,
- REG_SZ,
- (BYTE *) id_ccname,
- (DWORD) cb);
- }
+ rv = k5_ident_set_default_int(def_ident);
- RegCloseKey(hk_ccname);
+ _end_task();
- if (l == ERROR_SUCCESS) {
- _reportf(L"Successfully set the default ccache");
- k5_update_last_default_identity(def_ident);
- _end_task();
- return KHM_ERROR_SUCCESS;
- } else {
- _reportf(L"Can't set the registry value : %d", l);
- _end_task();
- return KHM_ERROR_UNKNOWN;
- }
+ return rv;
} else {
/* the default identity is being forgotten */
@@ -1382,7 +1375,99 @@ k5_ident_init(khm_int32 msg_type,
if (ident) {
kcdb_identity_set_default_int(ident);
kcdb_identity_release(ident);
+
+ found_default = TRUE;
+ }
+ }
+ }
+
+ if (!found_default) {
+
+ /* There was no default ccache and we don't have a
+ "LastDefaultIdent" value. Next we see if there are any
+ identities that have credentials which have a Krb5CCName
+ property (i.e. an identity that has a Kerberos 5 TGT), and
+ make it the default.
+
+ Note that since the Krb5Ident plug-in has a dependency on
+ Krb5Cred, by the time this code runs, we already have a
+ listing of Kerberos 5 tickets and identities. */
+
+ wchar_t * idlist = NULL;
+ wchar_t * thisid;
+ khm_size cb = 0;
+ khm_size n_idents = 0;
+ khm_int32 rv;
+ wchar_t ccname[KRB5_MAXCCH_CCNAME];
+ FILETIME ft_expire;
+ FILETIME ft_now;
+ FILETIME ft_threshold;
+ BOOL match_all = FALSE;
+
+ rv = kcdb_identity_enum(0, 0, NULL, &cb, &n_idents);
+
+ TimetToFileTimeInterval(5 * 60, &ft_threshold);
+ GetSystemTimeAsFileTime(&ft_now);
+ ft_now = FtAdd(&ft_now, &ft_threshold);
+
+ while (rv == KHM_ERROR_TOO_LONG && n_idents > 0) {
+ if (idlist) {
+ PFREE(idlist);
+ idlist = NULL;
+ }
+
+ idlist = PMALLOC(cb);
+
+ if (idlist == NULL)
+ break;
+
+ rv = kcdb_identity_enum(0, 0, idlist, &cb, &n_idents);
+ }
+
+ if (KHM_SUCCEEDED(rv)) {
+
+ /* first we try to find an identity that has a valid TGT.
+ If that fails, then we try to find an identity with
+ *any* TGT. */
+
+ try_again:
+
+ for (thisid = idlist;
+ thisid && *thisid && !found_default;
+ thisid = multi_string_next(thisid)) {
+
+ if (KHM_SUCCEEDED(kcdb_identity_create(thisid, 0, &ident))) {
+ khm_size cb_ft = sizeof(FILETIME);
+ cb = sizeof(ccname);
+
+ if (KHM_SUCCEEDED(kcdb_identity_get_attr(ident, attr_id_krb5_ccname,
+ NULL, ccname, &cb)) &&
+ (match_all ||
+ (KHM_SUCCEEDED(kcdb_identity_get_attr(ident, KCDB_ATTR_EXPIRE,
+ NULL, &ft_expire, &cb_ft)) &&
+ CompareFileTime(&ft_expire, &ft_now) > 0))) {
+
+ /* found one */
+ k5_ident_set_default_int(ident);
+ kcdb_identity_set_default_int(ident);
+ found_default = TRUE;
+
+ }
+
+ kcdb_identity_release(ident);
+ ident = NULL;
+ }
}
+
+ if (!found_default && !match_all) {
+ match_all = TRUE;
+ goto try_again;
+ }
+ }
+
+ if (idlist) {
+ PFREE(idlist);
+ idlist = NULL;
}
}
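Review bot: The return value of `k5_ident_set_default_int(ident);` in the fallback scan is ignored, so if writing the ccname into the registry fails the code still calls kcdb_identity_set_default_int(ident) and sets found_default, leaving the default identity and the registry `ccname` value out of step, whereas the normal path in k5_ident_set_default propagates that error; gating on it, `if (KHM_SUCCEEDED(k5_ident_set_default_int(ident))) { kcdb_identity_set_default_int(ident); found_default = TRUE; }`, keeps the two consistent and lets the loop move on to the next candidate. The backward `goto try_again` into the middle of the block reads harder than a two-pass loop such as `for (pass = 0; pass < 2 && !found_default; pass++)` with `match_all = (pass == 1)`; a style point only. The second pass deliberately accepts an identity whose TGT may already have expired, which the comment above the loop says but the code at the `match_all = TRUE;` assignment does not; `/* second pass: accept an identity even if its TGT has expired */` there would make the intent local. k5_ident_init begins before and ends after this hunk.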
@@ -1450,10 +1535,10 @@ k5_msg_ident(khm_int32 msg_type,
vparam);
case KMSG_IDENT_VALIDATE_NAME:
- return k5_ident_valiate_name(msg_type,
- msg_subtype,
- uparam,
- vparam);
+ return k5_ident_validate_name(msg_type,
+ msg_subtype,
+ uparam,
+ vparam);
case KMSG_IDENT_VALIDATE_IDENTITY:
/* TODO: handle KMSG_IDENT_VALIDATE_IDENTITY */
