author | Sumit Bose <sbose@redhat.com> | 2009-12-17 13:18:05 +0100 |
committer | Stephen Gallagher <sgallagh@redhat.com> | 2009-12-18 09:46:25 -0500 |
commit | f4284f4791e5f84193d70d82eaa7465a26813731 (patch) | |
tree | 1ad3ed165982fb2c2e9884348e345cf5df7bb4db /server/util | |
parent | 23dc20cd69cfbb2731c36e1610536ba190bbd459 (diff) | |
Do not overwrite valid TGTs when offline
Diffstat (limited to 'server/util')
-rw-r--r-- | server/util/sss_krb5.c | 92 | ||||
-rw-r--r-- | server/util/sss_krb5.h | 3 |
2 files changed, 95 insertions, 0 deletions
diff --git a/server/util/sss_krb5.c b/server/util/sss_krb5.c
index e96e1ba4..0bc25df1 100644
--- a/server/util/sss_krb5.c
+++ b/server/util/sss_krb5.c
@@ -19,9 +19,11 @@
  */
 #include <stdio.h>
 #include <errno.h>
+#include <talloc.h>
 #include "config.h"
+#include "util/util.h"
 #include "util/sss_krb5.h"
@@ -102,3 +104,93 @@ void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
     }
 #endif
 }
+
+
+krb5_error_code check_for_valid_tgt(const char *ccname, const char *realm,
+                                    const char *client_princ_str, bool *result)
+{
+    krb5_context context = NULL;
+    krb5_ccache ccache = NULL;
+    krb5_error_code krberr;
+    TALLOC_CTX *tmp_ctx = NULL;
+    krb5_creds mcred;
+    krb5_creds cred;
+    char *server_name = NULL;
+    krb5_principal client_principal = NULL;
+    krb5_principal server_principal = NULL;
+
+    *result = false;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(1, ("talloc_new failed.\n"));
+        return ENOMEM;
+    }
+
+    krberr = krb5_init_context(&context);
+    if (krberr) {
+        DEBUG(1, ("Failed to init kerberos context\n"));
+        goto done;
+    }
+
+    krberr = krb5_cc_resolve(context, ccname, &ccache);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_cc_resolve failed.\n"));
+        goto done;
+    }
+
+    server_name = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", realm, realm);
+    if (server_name == NULL) {
+        DEBUG(1, ("talloc_asprintf failed.\n"));
+        goto done;
+    }
+
+    krberr = krb5_parse_name(context, server_name, &server_principal);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_parse_name failed.\n"));
+        goto done;
+    }
+
+    krberr = krb5_parse_name(context, client_princ_str, &client_principal);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_parse_name failed.\n"));
+        goto done;
+    }
+
+    memset(&mcred, 0, sizeof(mcred));
+    memset(&cred, 0, sizeof(mcred));
+    mcred.client = client_principal;
+    mcred.server = server_principal;
+
+    krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_cc_retrieve_cred failed.\n"));
+        krberr = 0;
+        goto done;
+    }
+
+    DEBUG(7, ("TGT end time [%d].\n", cred.times.endtime));
+
+    if (cred.times.endtime > time(NULL)) {
+        DEBUG(3, ("TGT is valid.\n"));
+        *result = true;
+    }
+    krb5_free_cred_contents(context, &cred);
+
+    krberr = 0;
+
+done:
+    if (client_principal != NULL) {
+        krb5_free_principal(context, client_principal);
+    }
+    if (server_principal != NULL) {
+        krb5_free_principal(context, server_principal);
+    }
+    if (ccache != NULL) {
+        krb5_cc_close(context, ccache);
+    }
+    if (context != NULL) krb5_free_context(context);
+    talloc_free(tmp_ctx);
+    return krberr;
+}
+
diff --git a/server/util/sss_krb5.h b/server/util/sss_krb5.h
index 342196d3..60994e12 100644
--- a/server/util/sss_krb5.h
+++ b/server/util/sss_krb5.h
@@ -44,4 +44,7 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
                                                     krb5_get_init_creds_opt *opt);
 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
+
+krb5_error_code check_for_valid_tgt(const char *ccname, const char *realm,
+                                    const char *client_princ_str, bool *result);
 #endif /* __SSS_KRB5_H__ */ |
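Review bot: `DEBUG(7, ("TGT end time [%d].\n", cred.times.endtime));` passes a krb5_timestamp to a `%d` conversion; with MIT krb5 that type is a 32-bit integer, but with Heimdal it is `time_t`, so on a 64-bit Heimdal build the format no longer matches the argument (undefined behavior, and a -Wformat warning if DEBUG forwards to a printf-style function). Casting removes the dependency on the library's typedef: `DEBUG(7, ("TGT end time [%lld].\n", (long long) cred.times.endtime));`. Two smaller points in the same function: `memset(&cred, 0, sizeof(mcred));` is only correct because both variables are `krb5_creds` and should read `sizeof(cred)`, and the unbraced `if (context != NULL) krb5_free_context(context);` is inconsistent with the braced cleanup statements just above it. Since every `krb5_cc_retrieve_cred` failure, not only a missing entry, is turned into a 0 return with `*result` false, a one-line comment at that `krberr = 0;` stating that a cache which cannot be read is deliberately treated as "no usable TGT" would make the intent explicit for the caller.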
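Review bot: The new public prototype `check_for_valid_tgt` carries no contract comment, and its semantics are not obvious from the name: `*result` is reset to false on entry, becomes true only when the cached TGT's end time lies in the future, and a credential that cannot be retrieved from the cache is reported as success (return 0) with `*result == false` rather than as an error. Add a `/** ... */` block above the declaration stating those three facts, that `ccname` is a credential cache name accepted by `krb5_cc_resolve` and `client_princ_str` a principal string parsed by `krb5_parse_name`, and that a non-zero return is a krb5 error code or ENOMEM. The implementation lives in sss_krb5.c, outside this file.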