xref: /freebsd/crypto/heimdal/lib/krb5/verify_user.c (revision 2b743a9e9ddc6736208dc8ca1ce06ce64ad20a19)
1 /*
2  * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 
36 RCSID("$Id: verify_user.c,v 1.17 2002/08/20 14:48:31 joda Exp $");
37 
38 static krb5_error_code
39 verify_common (krb5_context context,
40 	       krb5_principal principal,
41 	       krb5_ccache ccache,
42 	       krb5_keytab keytab,
43 	       krb5_boolean secure,
44 	       const char *service,
45 	       krb5_creds cred)
46 {
47     krb5_error_code ret;
48     krb5_principal server;
49     krb5_verify_init_creds_opt vopt;
50     krb5_ccache id;
51 
52     ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
53 				   &server);
54     if(ret)
55 	return ret;
56 
57     krb5_verify_init_creds_opt_init(&vopt);
58     krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
59 
60     ret = krb5_verify_init_creds(context,
61 				 &cred,
62 				 server,
63 				 keytab,
64 				 NULL,
65 				 &vopt);
66     krb5_free_principal(context, server);
67     if(ret)
68 	return ret;
69     if(ccache == NULL)
70 	ret = krb5_cc_default (context, &id);
71     else
72 	id = ccache;
73     if(ret == 0){
74 	ret = krb5_cc_initialize(context, id, principal);
75 	if(ret == 0){
76 	    ret = krb5_cc_store_cred(context, id, &cred);
77 	}
78 	if(ccache == NULL)
79 	    krb5_cc_close(context, id);
80     }
81     krb5_free_creds_contents(context, &cred);
82     return ret;
83 }
84 
85 /*
86  * Verify user `principal' with `password'.
87  *
88  * If `secure', also verify against local service key for `service'.
89  *
90  * As a side effect, fresh tickets are obtained and stored in `ccache'.
91  */
92 
93 void
94 krb5_verify_opt_init(krb5_verify_opt *opt)
95 {
96     memset(opt, 0, sizeof(*opt));
97     opt->secure = TRUE;
98     opt->service = "host";
99 }
100 
101 void
102 krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
103 {
104     opt->ccache = ccache;
105 }
106 
107 void
108 krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
109 {
110     opt->keytab = keytab;
111 }
112 
113 void
114 krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
115 {
116     opt->secure = secure;
117 }
118 
119 void
120 krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
121 {
122     opt->service = service;
123 }
124 
125 void
126 krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
127 {
128     opt->flags |= flags;
129 }
130 
131 static krb5_error_code
132 verify_user_opt_int(krb5_context context,
133 		    krb5_principal principal,
134 		    const char *password,
135 		    krb5_verify_opt *vopt)
136 
137 {
138     krb5_error_code ret;
139     krb5_get_init_creds_opt opt;
140     krb5_creds cred;
141 
142     krb5_get_init_creds_opt_init (&opt);
143     krb5_get_init_creds_opt_set_default_flags(context, NULL,
144 					      *krb5_princ_realm(context, principal),
145 					      &opt);
146     ret = krb5_get_init_creds_password (context,
147 					&cred,
148 					principal,
149 					password,
150 					krb5_prompter_posix,
151 					NULL,
152 					0,
153 					NULL,
154 					&opt);
155     if(ret)
156 	return ret;
157 #define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
158     return verify_common (context, principal, OPT(ccache, NULL),
159 			  OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
160 			  OPT(service, "host"), cred);
161 #undef OPT
162 }
163 
164 krb5_error_code
165 krb5_verify_user_opt(krb5_context context,
166 		     krb5_principal principal,
167 		     const char *password,
168 		     krb5_verify_opt *opt)
169 {
170     krb5_error_code ret;
171 
172     if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
173 	krb5_realm *realms, *r;
174 	ret = krb5_get_default_realms (context, &realms);
175 	if (ret)
176 	    return ret;
177 	ret = KRB5_CONFIG_NODEFREALM;
178 
179 	for (r = realms; *r != NULL && ret != 0; ++r) {
180 	    char *tmp = strdup (*r);
181 
182 	    if (tmp == NULL) {
183 		krb5_free_host_realm (context, realms);
184 		krb5_set_error_string (context, "malloc: out of memory");
185 		return ENOMEM;
186 	    }
187 	    free (*krb5_princ_realm (context, principal));
188 	    krb5_princ_set_realm (context, principal, &tmp);
189 
190 	    ret = verify_user_opt_int(context, principal, password, opt);
191 	}
192 	krb5_free_host_realm (context, realms);
193 	if(ret)
194 	    return ret;
195     } else
196 	ret = verify_user_opt_int(context, principal, password, opt);
197     return ret;
198 }
199 
200 /* compat function that calls above */
201 
202 krb5_error_code
203 krb5_verify_user(krb5_context context,
204 		 krb5_principal principal,
205 		 krb5_ccache ccache,
206 		 const char *password,
207 		 krb5_boolean secure,
208 		 const char *service)
209 {
210     krb5_verify_opt opt;
211 
212     krb5_verify_opt_init(&opt);
213 
214     krb5_verify_opt_set_ccache(&opt, ccache);
215     krb5_verify_opt_set_secure(&opt, secure);
216     krb5_verify_opt_set_service(&opt, service);
217 
218     return krb5_verify_user_opt(context, principal, password, &opt);
219 }
220 
221 /*
222  * A variant of `krb5_verify_user'.  The realm of `principal' is
223  * ignored and all the local realms are tried.
224  */
225 
226 krb5_error_code
227 krb5_verify_user_lrealm(krb5_context context,
228 			krb5_principal principal,
229 			krb5_ccache ccache,
230 			const char *password,
231 			krb5_boolean secure,
232 			const char *service)
233 {
234     krb5_verify_opt opt;
235 
236     krb5_verify_opt_init(&opt);
237 
238     krb5_verify_opt_set_ccache(&opt, ccache);
239     krb5_verify_opt_set_secure(&opt, secure);
240     krb5_verify_opt_set_service(&opt, service);
241     krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS);
242 
243     return krb5_verify_user_opt(context, principal, password, &opt);
244 }
245