xref: /netbsd-src/external/mpl/dhcp/dist/server/ldap_krb_helper.c (revision ce893c7eea48d62b6f0d8ef9958789ad27d03f6f) 
1*ce893c7eSchristos /*	$NetBSD: ldap_krb_helper.c,v 1.2 2018/04/07 22:37:30 christos Exp $	*/
26fb29d29Schristos 
36fb29d29Schristos /* ldap_krb_helper.c
46fb29d29Schristos 
56fb29d29Schristos    Helper routings for allowing LDAP to read configuration with GSSAPI/krb auth */
66fb29d29Schristos 
76fb29d29Schristos /*
86fb29d29Schristos  * Copyright (c) 2015-2017 by Internet Systems Consortium, Inc. ("ISC")
96fb29d29Schristos  * Copyright (c) 2014 William B.
106fb29d29Schristos  * All rights reserved.
116fb29d29Schristos  *
126fb29d29Schristos  * Redistribution and use in source and binary forms, with or without
136fb29d29Schristos  * modification, are permitted provided that the following conditions
146fb29d29Schristos  * are met:
156fb29d29Schristos  *
166fb29d29Schristos  * 1. Redistributions of source code must retain the above copyright
176fb29d29Schristos  *    notice, this list of conditions and the following disclaimer.
186fb29d29Schristos  * 2. Redistributions in binary form must reproduce the above copyright
196fb29d29Schristos  *    notice, this list of conditions and the following disclaimer in the
206fb29d29Schristos  *    documentation and/or other materials provided with the distribution.
216fb29d29Schristos  * 3. Neither the name of The Internet Software Consortium nor the names
226fb29d29Schristos  *    of its contributors may be used to endorse or promote products derived
236fb29d29Schristos  *    from this software without specific prior written permission.
246fb29d29Schristos  *
256fb29d29Schristos  * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
266fb29d29Schristos  * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
276fb29d29Schristos  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
286fb29d29Schristos  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
296fb29d29Schristos  * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
306fb29d29Schristos  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
316fb29d29Schristos  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
326fb29d29Schristos  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
336fb29d29Schristos  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
346fb29d29Schristos  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
356fb29d29Schristos  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
366fb29d29Schristos  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
376fb29d29Schristos  * SUCH DAMAGE.
386fb29d29Schristos  *
396fb29d29Schristos  * This helper was written by William Brown <william@adelaide.edu.au>,
406fb29d29Schristos  * inspired by krb5_helper.c from bind-dyndb-ldap by Simo Sorce (Redhat)
416fb29d29Schristos  */
426fb29d29Schristos #if defined(LDAP_USE_GSSAPI)
436fb29d29Schristos 
446fb29d29Schristos #include "dhcpd.h"
456fb29d29Schristos #include "ldap_krb_helper.h"
466fb29d29Schristos 
476fb29d29Schristos #include <string.h>
486fb29d29Schristos #include <stdio.h>
496fb29d29Schristos #include <unistd.h>
506fb29d29Schristos #include <time.h>
516fb29d29Schristos 
526fb29d29Schristos #define KRB_DEFAULT_KEYTAB "FILE:/etc/dhcp/dhcp.keytab"
536fb29d29Schristos #define KRB_MIN_TIME 300
546fb29d29Schristos 
556fb29d29Schristos #define CHECK_KRB5(ctx, err, msg, ...) \
566fb29d29Schristos     do { \
576fb29d29Schristos         if (err) { \
586fb29d29Schristos             const char * errmsg = krb5_get_error_message(ctx, err); \
596fb29d29Schristos             log_error("Err: %s -> %s\n", msg, errmsg); \
606fb29d29Schristos             result = ISC_R_FAILURE; \
616fb29d29Schristos             goto cleanup; \
626fb29d29Schristos         } \
636fb29d29Schristos     } while (0)
646fb29d29Schristos 
656fb29d29Schristos #define CHECK(ret_code, msg) \
666fb29d29Schristos     if (ret_code != 0) { \
676fb29d29Schristos         log_error("Error, %i %s\n", ret_code, msg); \
686fb29d29Schristos         goto cleanup; \
696fb29d29Schristos     }
706fb29d29Schristos 
716fb29d29Schristos static isc_result_t
check_credentials(krb5_context context,krb5_ccache ccache,krb5_principal service)726fb29d29Schristos check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service)
736fb29d29Schristos {
746fb29d29Schristos     char *realm = NULL;
756fb29d29Schristos     krb5_creds creds;
766fb29d29Schristos     krb5_creds mcreds;
776fb29d29Schristos     krb5_error_code krberr;
786fb29d29Schristos     krb5_timestamp now;
796fb29d29Schristos     isc_result_t result = ISC_R_FAILURE;
806fb29d29Schristos 
816fb29d29Schristos     memset(&mcreds, 0, sizeof(mcreds));
826fb29d29Schristos     memset(&creds, 0, sizeof(creds));
836fb29d29Schristos 
846fb29d29Schristos     krberr = krb5_get_default_realm(context, &realm);
856fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to retrieve default realm");
866fb29d29Schristos 
876fb29d29Schristos     krberr = krb5_build_principal(context, &mcreds.server,
886fb29d29Schristos                     strlen(realm), realm,
896fb29d29Schristos                     "krbtgt", realm, NULL);
906fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal");
916fb29d29Schristos 
926fb29d29Schristos     mcreds.client = service;
936fb29d29Schristos 
946fb29d29Schristos     krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
956fb29d29Schristos 
966fb29d29Schristos     if (krberr) {
976fb29d29Schristos         const char * errmsg = krb5_get_error_message(context, krberr);
986fb29d29Schristos         log_error("Credentials are not present in cache (%s)\n", errmsg);
996fb29d29Schristos         krb5_free_error_message(context, errmsg);
1006fb29d29Schristos         result = ISC_R_FAILURE;
1016fb29d29Schristos         goto cleanup;
1026fb29d29Schristos     }
1036fb29d29Schristos     CHECK_KRB5(context, krberr, "Credentials are not present in cache ");
1046fb29d29Schristos 
1056fb29d29Schristos     krberr = krb5_timeofday(context, &now);
1066fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to get time of day");
1076fb29d29Schristos 
1086fb29d29Schristos 
1096fb29d29Schristos     if (now > (creds.times.endtime + KRB_MIN_TIME)) {
1106fb29d29Schristos         log_error("Credentials cache expired");
1116fb29d29Schristos         result = ISC_R_FAILURE;
1126fb29d29Schristos         goto cleanup;
1136fb29d29Schristos     } else {
1146fb29d29Schristos         char buf[255];
1156fb29d29Schristos         char fill = ' ';
1166fb29d29Schristos         krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill);
1176fb29d29Schristos         log_info("Credentials valid til %s\n", buf);
1186fb29d29Schristos     }
1196fb29d29Schristos 
1206fb29d29Schristos     result = ISC_R_SUCCESS;
1216fb29d29Schristos 
1226fb29d29Schristos cleanup:
1236fb29d29Schristos     krb5_free_cred_contents(context, &creds);
1246fb29d29Schristos     if (mcreds.server) krb5_free_principal(context, mcreds.server);
1256fb29d29Schristos     if (realm) krb5_free_default_realm(context, realm);
1266fb29d29Schristos     return result;
1276fb29d29Schristos }
1286fb29d29Schristos 
1296fb29d29Schristos isc_result_t
krb5_get_tgt(const char * principal,const char * keyfile)1306fb29d29Schristos krb5_get_tgt(const char *principal, const char *keyfile)
1316fb29d29Schristos {
1326fb29d29Schristos     isc_result_t result = ISC_R_FAILURE;
1336fb29d29Schristos     char *ccname = NULL;
1346fb29d29Schristos     krb5_context context = NULL;
1356fb29d29Schristos     krb5_error_code krberr;
1366fb29d29Schristos     krb5_ccache ccache = NULL;
1376fb29d29Schristos     krb5_principal kprincpw = NULL;
1386fb29d29Schristos     krb5_creds my_creds;
1396fb29d29Schristos     krb5_creds * my_creds_ptr = NULL;
1406fb29d29Schristos     krb5_get_init_creds_opt options;
1416fb29d29Schristos     krb5_keytab keytab = NULL;
1426fb29d29Schristos     int ret;
1436fb29d29Schristos 
1446fb29d29Schristos     if (keyfile == NULL || keyfile[0] == '\0') {
1456fb29d29Schristos         keyfile = KRB_DEFAULT_KEYTAB;
1466fb29d29Schristos         log_info("Using default keytab %s\n", keyfile);
1476fb29d29Schristos     } else {
1486fb29d29Schristos         if (strncmp(keyfile, "FILE:", 5) != 0) {
1496fb29d29Schristos             log_error("Unknown keytab path format: Does it start with FILE:?\n");
1506fb29d29Schristos             return ISC_R_FAILURE;
1516fb29d29Schristos         }
1526fb29d29Schristos     }
1536fb29d29Schristos 
1546fb29d29Schristos     krberr = krb5_init_context(&context);
1556fb29d29Schristos     CHECK_KRB5(NULL, krberr, "Kerberos context initialization failed");
1566fb29d29Schristos 
1576fb29d29Schristos     result = ISC_R_SUCCESS;
1586fb29d29Schristos 
1596fb29d29Schristos     ccname = "MEMORY:dhcp_ld_krb5_cc";
1606fb29d29Schristos     log_info("Using ccache %s\n" , ccname);
1616fb29d29Schristos 
1626fb29d29Schristos     ret = setenv("KRB5CCNAME", ccname, 1);
1636fb29d29Schristos     if (ret == -1) {
1646fb29d29Schristos         log_error("Failed to setup environment\n");
1656fb29d29Schristos         result = ISC_R_FAILURE;
1666fb29d29Schristos         goto cleanup;
1676fb29d29Schristos     }
1686fb29d29Schristos 
1696fb29d29Schristos     krberr = krb5_cc_resolve(context, ccname, &ccache);
1706fb29d29Schristos     CHECK_KRB5(context, krberr, "Couldnt resolve ccache '%s'", ccname);
1716fb29d29Schristos 
1726fb29d29Schristos     krberr = krb5_parse_name(context, principal, &kprincpw);
1736fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to parse princ '%s'", princpal);
1746fb29d29Schristos 
1756fb29d29Schristos     result = check_credentials(context, ccache, kprincpw);
1766fb29d29Schristos     if (result == ISC_R_SUCCESS) {
1776fb29d29Schristos         log_info("Found valid kerberos credentials\n");
1786fb29d29Schristos         goto cleanup;
1796fb29d29Schristos     } else {
1806fb29d29Schristos         log_error("No valid krb5 credentials\n");
1816fb29d29Schristos     }
1826fb29d29Schristos 
1836fb29d29Schristos     krberr = krb5_kt_resolve(context, keyfile, &keytab);
1846fb29d29Schristos     CHECK_KRB5(context, krberr,
1856fb29d29Schristos             "Failed to resolve kt files '%s'\n", keyfile);
1866fb29d29Schristos 
1876fb29d29Schristos     memset(&my_creds, 0, sizeof(my_creds));
1886fb29d29Schristos     memset(&options, 0, sizeof(options));
1896fb29d29Schristos 
1906fb29d29Schristos     krb5_get_init_creds_opt_set_tkt_life(&options, KRB_MIN_TIME * 2);
1916fb29d29Schristos     krb5_get_init_creds_opt_set_address_list(&options, NULL);
1926fb29d29Schristos     krb5_get_init_creds_opt_set_forwardable(&options, 0);
1936fb29d29Schristos     krb5_get_init_creds_opt_set_proxiable(&options, 0);
1946fb29d29Schristos 
1956fb29d29Schristos     krberr = krb5_get_init_creds_keytab(context, &my_creds, kprincpw,
1966fb29d29Schristos                 keytab, 0, NULL, &options);
1976fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to get initial credentials TGT\n");
1986fb29d29Schristos 
1996fb29d29Schristos     my_creds_ptr = &my_creds;
2006fb29d29Schristos 
2016fb29d29Schristos     krberr = krb5_cc_initialize(context, ccache, kprincpw);
2026fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to init ccache\n");
2036fb29d29Schristos 
2046fb29d29Schristos     krberr = krb5_cc_store_cred(context, ccache, &my_creds);
2056fb29d29Schristos     CHECK_KRB5(context, krberr, "Failed to store credentials\n");
2066fb29d29Schristos 
2076fb29d29Schristos     result = ISC_R_SUCCESS;
2086fb29d29Schristos     log_info("Successfully init krb tgt %s", principal);
2096fb29d29Schristos 
2106fb29d29Schristos cleanup:
2116fb29d29Schristos     if (ccache) krb5_cc_close(context, ccache);
2126fb29d29Schristos     if (keytab) krb5_kt_close(context, keytab);
2136fb29d29Schristos     if (kprincpw) krb5_free_principal(context, kprincpw);
2146fb29d29Schristos     if (my_creds_ptr) krb5_free_cred_contents(context, &my_creds);
2156fb29d29Schristos     if (context) krb5_free_context(context);
2166fb29d29Schristos     return result;
2176fb29d29Schristos }
2186fb29d29Schristos 
2196fb29d29Schristos #endif /* defined(LDAP_USE_GSSAPI) */
220