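/*	$NetBSD: kerberos.c,v 1.1.1.4 2014/05/28 09:58:28 tron Exp $	*/

/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1998-2014 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */

#include <unistd.h>

#include <lber.h>
#include <lber_pvt.h>	/* BER_BVC definition */
#include "lutil.h"
#include <ac/string.h>

#ifdef HAVE_KRB5
#include <krb5.h>
#elif defined(HAVE_KRB4)
#include <krb.h>
#endif

/* From <ldap_pvt.h> */
LDAP_F( char *) ldap_pvt_get_fqdn LDAP_P(( char * ));

static LUTIL_PASSWD_CHK_FUNC chk_kerberos;
static const struct berval scheme = BER_BVC("{KERBEROS}");

/*
 * Tell whether a berval can be handed to a C-string API unchanged:
 * no NUL inside the first bv_len bytes, and a NUL right after them
 * (at bv_val[bv_len]).  An embedded NUL would silently truncate the
 * value, a missing terminator would let the library read past it.
 * Returns non-zero when the value is usable as a NUL-terminated string.
 */
static int
berval_is_cstring( const struct berval *bv )
{
	ber_len_t i;	/* same type as bv_len: an unsigned int could wrap */

	for ( i = 0; i < bv->bv_len; i++ ) {
		if ( bv->bv_val[i] == '\0' ) {
			return 0;	/* NUL character inside the value */
		}
	}

	return bv->bv_val[i] == '\0';
}

/*
 * {KERBEROS} password check.
 *
 * passwd holds the stored value of the {KERBEROS} scheme, which is parsed
 * as the client principal name; cred is the password being tested.  With
 * KRB5 an initial ticket is requested for that principal with the password
 * and then verified against this host's "ldap" service principal, so a
 * successful answer from the KDC alone is not enough.  With KRB4 the
 * equivalent krb_verify_user() is used.
 *
 * sc and text are part of the LUTIL_PASSWD_CHK_FUNC contract and unused.
 * Returns LUTIL_PASSWD_OK only on a verified success; any error, and a
 * build with neither KRB5 nor KRB4, yields LUTIL_PASSWD_ERR.
 */
static int chk_kerberos(
	const struct berval *sc,
	const struct berval * passwd,
	const struct berval * cred,
	const char **text )
{
	int rtn = LUTIL_PASSWD_ERR;

	/* Both values go to C-string APIs below; refuse rather than truncate. */
	if ( !berval_is_cstring( cred ) ) {
		return LUTIL_PASSWD_ERR;	/* cred must behave like a string */
	}

	if ( !berval_is_cstring( passwd ) ) {
		return LUTIL_PASSWD_ERR;	/* passwd must behave like a string */
	}

#ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */
	{
	/* Portions:
	 * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
	 * (Royal Institute of Technology, Stockholm, Sweden).
	 * All rights reserved.
	 *
	 * Redistribution and use in source and binary forms, with or without
	 * modification, are permitted provided that the following conditions
	 * are met:
	 *
	 * 1. Redistributions of source code must retain the above copyright
	 *    notice, this list of conditions and the following disclaimer.
	 *
	 * 2. Redistributions in binary form must reproduce the above copyright
	 *    notice, this list of conditions and the following disclaimer in the
	 *    documentation and/or other materials provided with the distribution.
	 *
	 * 3. Neither the name of the Institute nor the names of its contributors
	 *    may be used to endorse or promote products derived from this software
	 *    without specific prior written permission.
	 *
	 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
	 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
	 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	 * SUCH DAMAGE.
	 */

	krb5_context context;
	krb5_error_code ret;
	krb5_creds creds;
	krb5_get_init_creds_opt get_options;
	krb5_verify_init_creds_opt verify_options;
	krb5_principal client, server;

	ret = krb5_init_context( &context );
	if (ret) {
		return LUTIL_PASSWD_ERR;
	}

	krb5_get_init_creds_opt_init( &get_options );

	krb5_verify_init_creds_opt_init( &verify_options );

	ret = krb5_parse_name( context, passwd->bv_val, &client );
	if (ret) {
		goto free_context;
	}

	/* AS exchange with the candidate password; failure here is the
	 * ordinary wrong-password case. */
	ret = krb5_get_init_creds_password( context,
		&creds, client, cred->bv_val, NULL,
		NULL, 0, NULL, &get_options );
	if (ret) {
		goto free_client;
	}

	/* From here on creds holds a ticket and session key: every exit
	 * below must release it.  The original code returned directly from
	 * the two failure paths that follow and leaked it. */
	{
		char *host = ldap_pvt_get_fqdn( NULL );

		if( host == NULL ) {
			goto free_creds;
		}

		ret = krb5_sname_to_principal( context,
			host, "ldap", KRB5_NT_SRV_HST, &server );

		ber_memfree( host );
	}

	if (ret) {
		goto free_creds;
	}

	/* Check the fresh ticket against this host's "ldap" service key rather
	 * than trusting the KDC's answer alone. */
	ret = krb5_verify_init_creds( context,
		&creds, server, NULL, NULL, &verify_options );
	if (ret == 0) {
		rtn = LUTIL_PASSWD_OK;
	}

	krb5_free_principal( context, server );
free_creds:
	krb5_free_cred_contents( context, &creds );
free_client:
	krb5_free_principal( context, client );
free_context:
	krb5_free_context( context );
	}
#elif defined(HAVE_KRB4)
	{
	/* Borrowed from Heimdal kpopper */
	/* Portions:
	 * Copyright (c) 1989 Regents of the University of California.
	 * All rights reserved.  The Berkeley software License Agreement
	 * specifies the terms and conditions for redistribution.
	 */

	int status;
	char lrealm[REALM_SZ];
	char tkt[MAXHOSTNAMELEN];

	status = krb_get_lrealm(lrealm,1);
	if (status == KFAILURE) {
		return LUTIL_PASSWD_ERR;
	}

	/* Per-process ticket file so concurrent checks do not share one. */
	snprintf(tkt, sizeof(tkt), "%s_slapd.%u",
		TKT_ROOT, (unsigned)getpid());
	krb_set_tkt_string (tkt);

	status = krb_verify_user( passwd->bv_val, "", lrealm,
		cred->bv_val, 1, "ldap");

	dest_tkt(); /* no point in keeping the tickets */

	rtn = status == KFAILURE ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
	}
#endif

	return rtn;
}

/*
 * Module entry point: registers the {KERBEROS} scheme with lutil_passwd.
 * argc/argv are the module's load arguments and are not used.
 * Returns the result of lutil_passwd_add().
 */
int init_module(int argc, char *argv[]) {
	return lutil_passwd_add( (struct berval *)&scheme, chk_kerberos, NULL );
}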