xref: /netbsd-src/crypto/external/bsd/heimdal/dist/lib/krb5/verify_user.c (revision d3273b5b76f5afaafe308cead5511dbb8df8c5e9) 
1 /*	$NetBSD: verify_user.c,v 1.2 2017/01/28 21:31:49 christos Exp $	*/
2 
3 /*
4  * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 
38 static krb5_error_code
verify_common(krb5_context context,krb5_principal principal,krb5_ccache ccache,krb5_keytab keytab,krb5_boolean secure,const char * service,krb5_creds cred)39 verify_common (krb5_context context,
40 	       krb5_principal principal,
41 	       krb5_ccache ccache,
42 	       krb5_keytab keytab,
43 	       krb5_boolean secure,
44 	       const char *service,
45 	       krb5_creds cred)
46 {
47     krb5_error_code ret;
48     krb5_principal server;
49     krb5_verify_init_creds_opt vopt;
50     krb5_ccache id;
51 
52     ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
53 				   &server);
54     if(ret)
55 	return ret;
56 
57     krb5_verify_init_creds_opt_init(&vopt);
58     krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
59 
60     ret = krb5_verify_init_creds(context,
61 				 &cred,
62 				 server,
63 				 keytab,
64 				 NULL,
65 				 &vopt);
66     krb5_free_principal(context, server);
67     if(ret)
68 	return ret;
69     if(ccache == NULL)
70 	ret = krb5_cc_default (context, &id);
71     else
72 	id = ccache;
73     if(ret == 0){
74 	ret = krb5_cc_initialize(context, id, principal);
75 	if(ret == 0){
76 	    ret = krb5_cc_store_cred(context, id, &cred);
77 	}
78 	if(ccache == NULL)
79 	    krb5_cc_close(context, id);
80     }
81     krb5_free_cred_contents(context, &cred);
82     return ret;
83 }
84 
85 /*
86  * Verify user `principal' with `password'.
87  *
88  * If `secure', also verify against local service key for `service'.
89  *
90  * As a side effect, fresh tickets are obtained and stored in `ccache'.
91  */
92 
93 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_init(krb5_verify_opt * opt)94 krb5_verify_opt_init(krb5_verify_opt *opt)
95 {
96     memset(opt, 0, sizeof(*opt));
97     opt->secure = TRUE;
98     opt->service = "host";
99 }
100 
101 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_verify_opt_alloc(krb5_context context,krb5_verify_opt ** opt)102 krb5_verify_opt_alloc(krb5_context context, krb5_verify_opt **opt)
103 {
104     *opt = calloc(1, sizeof(**opt));
105     if ((*opt) == NULL)
106 	return krb5_enomem(context);
107     krb5_verify_opt_init(*opt);
108     return 0;
109 }
110 
111 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_free(krb5_verify_opt * opt)112 krb5_verify_opt_free(krb5_verify_opt *opt)
113 {
114     free(opt);
115 }
116 
117 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_ccache(krb5_verify_opt * opt,krb5_ccache ccache)118 krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
119 {
120     opt->ccache = ccache;
121 }
122 
123 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_keytab(krb5_verify_opt * opt,krb5_keytab keytab)124 krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
125 {
126     opt->keytab = keytab;
127 }
128 
129 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_secure(krb5_verify_opt * opt,krb5_boolean secure)130 krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
131 {
132     opt->secure = secure;
133 }
134 
135 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_service(krb5_verify_opt * opt,const char * service)136 krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
137 {
138     opt->service = service;
139 }
140 
141 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_verify_opt_set_flags(krb5_verify_opt * opt,unsigned int flags)142 krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
143 {
144     opt->flags |= flags;
145 }
146 
147 static krb5_error_code
verify_user_opt_int(krb5_context context,krb5_principal principal,const char * password,krb5_verify_opt * vopt)148 verify_user_opt_int(krb5_context context,
149 		    krb5_principal principal,
150 		    const char *password,
151 		    krb5_verify_opt *vopt)
152 
153 {
154     krb5_error_code ret;
155     krb5_get_init_creds_opt *opt;
156     krb5_creds cred;
157 
158     ret = krb5_get_init_creds_opt_alloc (context, &opt);
159     if (ret)
160 	return ret;
161     krb5_get_init_creds_opt_set_default_flags(context, NULL,
162 					      krb5_principal_get_realm(context, principal),
163 					      opt);
164     ret = krb5_get_init_creds_password (context,
165 					&cred,
166 					principal,
167 					password,
168 					krb5_prompter_posix,
169 					NULL,
170 					0,
171 					NULL,
172 					opt);
173     krb5_get_init_creds_opt_free(context, opt);
174     if(ret)
175 	return ret;
176 #define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
177     return verify_common (context, principal, OPT(ccache, NULL),
178 			  OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
179 			  OPT(service, "host"), cred);
180 #undef OPT
181 }
182 
183 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_opt(krb5_context context,krb5_principal principal,const char * password,krb5_verify_opt * opt)184 krb5_verify_user_opt(krb5_context context,
185 		     krb5_principal principal,
186 		     const char *password,
187 		     krb5_verify_opt *opt)
188 {
189     krb5_error_code ret;
190 
191     if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
192 	krb5_realm *realms, *r;
193 	ret = krb5_get_default_realms (context, &realms);
194 	if (ret)
195 	    return ret;
196 	ret = KRB5_CONFIG_NODEFREALM;
197 
198 	for (r = realms; *r != NULL && ret != 0; ++r) {
199 	    ret = krb5_principal_set_realm(context, principal, *r);
200 	    if (ret) {
201 		krb5_free_host_realm (context, realms);
202 		return ret;
203 	    }
204 
205 	    ret = verify_user_opt_int(context, principal, password, opt);
206 	}
207 	krb5_free_host_realm (context, realms);
208 	if(ret)
209 	    return ret;
210     } else
211 	ret = verify_user_opt_int(context, principal, password, opt);
212     return ret;
213 }
214 
215 /* compat function that calls above */
216 
217 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user(krb5_context context,krb5_principal principal,krb5_ccache ccache,const char * password,krb5_boolean secure,const char * service)218 krb5_verify_user(krb5_context context,
219 		 krb5_principal principal,
220 		 krb5_ccache ccache,
221 		 const char *password,
222 		 krb5_boolean secure,
223 		 const char *service)
224 {
225     krb5_verify_opt opt;
226 
227     krb5_verify_opt_init(&opt);
228 
229     krb5_verify_opt_set_ccache(&opt, ccache);
230     krb5_verify_opt_set_secure(&opt, secure);
231     krb5_verify_opt_set_service(&opt, service);
232 
233     return krb5_verify_user_opt(context, principal, password, &opt);
234 }
235 
236 /*
237  * A variant of `krb5_verify_user'.  The realm of `principal' is
238  * ignored and all the local realms are tried.
239  */
240 
241 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_lrealm(krb5_context context,krb5_principal principal,krb5_ccache ccache,const char * password,krb5_boolean secure,const char * service)242 krb5_verify_user_lrealm(krb5_context context,
243 			krb5_principal principal,
244 			krb5_ccache ccache,
245 			const char *password,
246 			krb5_boolean secure,
247 			const char *service)
248 {
249     krb5_verify_opt opt;
250 
251     krb5_verify_opt_init(&opt);
252 
253     krb5_verify_opt_set_ccache(&opt, ccache);
254     krb5_verify_opt_set_secure(&opt, secure);
255     krb5_verify_opt_set_service(&opt, service);
256     krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS);
257 
258     return krb5_verify_user_opt(context, principal, password, &opt);
259 }
260