xref: /freebsd/crypto/krb5/src/clients/ksu/heuristic.c (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)

/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright (c) 1994 by the University of Southern California
 *
 * EXPORT OF THIS SOFTWARE from the United States of America may
 *     require a specific license from the United States Government.
 *     It is the responsibility of any person or organization contemplating
 *     export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
 *     this software and its documentation in source and binary forms is
 *     hereby granted, provided that any documentation or other materials
 *     related to such distribution or use acknowledge that the software
 *     was developed by the University of Southern California.
 *
 * DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED "AS IS".  The
 *     University of Southern California MAKES NO REPRESENTATIONS OR
 *     WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
 *     limitation, the University of Southern California MAKES NO
 *     REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
 *     PARTICULAR PURPOSE. The University of Southern
 *     California shall not be held liable for any liability nor for any
 *     direct, indirect, or consequential damages with respect to any
 *     claim by the user or distributor of the ksu software.
 *
 * KSU was written by:  Ari Medvinsky, ari@isi.edu
 */

#include "ksu.h"

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif


/*******************************************************************
get_all_princ_from_file - retrieves all principal names
                        from file pointed to by fp.

*******************************************************************/
static void close_time (int, FILE *, int, FILE *);
static krb5_boolean find_str_in_list (char **, char *);

krb5_error_code get_all_princ_from_file (fp, plist)
    FILE *fp;
    char ***plist;
{

    krb5_error_code retval;
    char * line, * fprinc, * lp, ** temp_list = NULL;
    int count = 0, chunk_count = 1;

    if (!(temp_list = (char **) malloc( CHUNK * sizeof(char *))))
        return ENOMEM;

    retval = get_line(fp, &line);
    if (retval)
        return retval;

    while (line){
        fprinc = get_first_token (line, &lp);

        if (fprinc ){
            temp_list[count] = xstrdup(fprinc);
            count ++;
        }

        if(count == (chunk_count * CHUNK -1)){
            chunk_count ++;
            if (!(temp_list = (char **) realloc(temp_list,
                                                chunk_count * CHUNK * sizeof(char *)))){
                return ENOMEM;
            }
        }


        free (line);
        retval = get_line(fp, &line);
        if (retval)
            return retval;
    }

    temp_list[count] = NULL;

    *plist = temp_list;
    return 0;
}

/*************************************************************
list_union - combines list1 and list2 into combined_list.
             the  space for list1 and list2 is either freed
             or used by combined_list.
**************************************************************/

krb5_error_code list_union(list1, list2, combined_list)
    char **list1;
    char **list2;
    char ***combined_list;
{

    unsigned int c1 =0, c2 = 0, i=0, j=0;
    char ** tlist;

    if (! list1){
        *combined_list = list2;
        return 0;
    }

    if (! list2){
        *combined_list = list1;
        return 0;
    }

    while (list1[c1]) c1++;
    while (list2[c2]) c2++;

    if (!(tlist = (char **) calloc( c1 + c2 + 1, sizeof ( char *))))
        return ENOMEM;

    i = 0;
    while(list1[i]) {
        tlist[i] = list1[i];
        i++;
    }
    j = 0;
    while(list2[j]){
        if(find_str_in_list(list1, list2[j])==FALSE){
            tlist[i] = list2[j];
            i++;
        }
        j++;
    }

    free (list1);
    free (list2);

    tlist[i]= NULL;

    *combined_list = tlist;
    return 0;
}

krb5_error_code
filter(fp, cmd, k5users_list, k5users_filt_list)
    FILE *fp;
    char *cmd;
    char **k5users_list;
    char ***k5users_filt_list;
{

    krb5_error_code retval =0;
    krb5_boolean found = FALSE;
    char * out_cmd = NULL;
    unsigned int i=0, j=0, found_count = 0, k=0;
    char ** temp_filt_list;

    *k5users_filt_list = NULL;

    if (! k5users_list){
        return 0;
    }

    while(k5users_list[i]){

        retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd);
        if (retval)
            return retval;

        if (found == FALSE){
            free (k5users_list[i]);
            k5users_list[i] = NULL;
            if (out_cmd) gb_err = out_cmd;
        } else
            found_count ++;

        i++;
    }

    if (! (temp_filt_list = (char **) calloc(found_count +1, sizeof (char*))))
        return ENOMEM;

    for(j= 0, k=0; j < i; j++ ) {
        if (k5users_list[j]){
            temp_filt_list[k] = k5users_list[j];
            k++;
        }
    }

    temp_filt_list[k] = NULL;

    free (k5users_list);

    *k5users_filt_list = temp_filt_list;
    return 0;
}

krb5_error_code
get_authorized_princ_names(luser, cmd, princ_list)
    const char *luser;
    char *cmd;
    char ***princ_list;
{

    struct passwd *pwd;
    int k5login_flag =0;
    int k5users_flag =0;
    FILE * login_fp = NULL , * users_fp = NULL;
    char **  k5login_list = NULL, ** k5users_list = NULL;
    char ** k5users_filt_list = NULL;
    char ** combined_list = NULL;
    struct stat tb;
    krb5_error_code retval;

    *princ_list = NULL;

    /* no account => no access */

    if ((pwd = getpwnam(luser)) == NULL)
        return 0;

    k5login_flag = stat(k5login_path, &tb);
    k5users_flag = stat(k5users_path, &tb);

    if (!k5login_flag){
        if ((login_fp = fopen(k5login_path, "r")) == NULL)
            return 0;
        if ( fowner(login_fp, pwd->pw_uid) == FALSE){
            close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/,
                       k5login_flag,login_fp);
            return 0;
        }
    }
    if (!k5users_flag){
        if ((users_fp = fopen(k5users_path, "r")) == NULL)
            return 0;

        if ( fowner(users_fp, pwd->pw_uid) == FALSE){
            close_time(k5users_flag,users_fp, k5login_flag,login_fp);
            return 0;
        }

        retval = get_all_princ_from_file (users_fp, &k5users_list);
        if(retval) {
            close_time(k5users_flag,users_fp, k5login_flag,login_fp);
            return retval;
        }

        rewind(users_fp);

        retval = filter(users_fp,cmd, k5users_list, &k5users_filt_list);
        if(retval) {
            close_time(k5users_flag,users_fp, k5login_flag, login_fp);
            return retval;
        }
    }

    if (!k5login_flag){
        retval = get_all_princ_from_file (login_fp, &k5login_list);
        if(retval) {
            close_time(k5users_flag,users_fp, k5login_flag,login_fp);
            return retval;
        }
    }

    close_time(k5users_flag,users_fp, k5login_flag, login_fp);

    retval = list_union(k5login_list, k5users_filt_list, &combined_list);
    if (retval){
        return retval;
    }
    *princ_list = combined_list;
    return 0;
}

static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
    int k5users_flag;
    FILE *users_fp;
    int k5login_flag;
    FILE *login_fp;
{

    if (!k5users_flag) fclose(users_fp);
    if (!k5login_flag) fclose(login_fp);

}

static krb5_boolean find_str_in_list(list , elm)
    char **list;
    char *elm;
{

    int i=0;
    krb5_boolean found = FALSE;

    if (!list) return found;

    while (list[i] ){
        if (!strcmp(list[i], elm)){
            found = TRUE;
            break;
        }
        i++;
    }

    return found;
}

/**********************************************************************
returns the principal that is closes to client (can be the the client
himself). plist contains
a principal list obtained from .k5login and .k5users file.
A principal is picked that has the best chance of getting in.

**********************************************************************/


krb5_error_code get_closest_principal(context, plist, client, found)
    krb5_context context;
    char **plist;
    krb5_principal *client;
    krb5_boolean *found;
{
    krb5_error_code retval =0;
    krb5_principal temp_client, best_client = NULL;
    int i = 0, j=0, cnelem, pnelem;
    krb5_boolean got_one;

    *found = FALSE;

    if (! plist ) return 0;

    cnelem = krb5_princ_size(context, *client);

    while(plist[i]){

        retval = krb5_parse_name(context, plist[i], &temp_client);
        if (retval)
            return retval;

        pnelem = krb5_princ_size(context, temp_client);

        if ( cnelem > pnelem){
            i++;
            continue;
        }

        if (data_eq(*krb5_princ_realm(context, *client),
                    *krb5_princ_realm(context, temp_client))) {

            got_one = TRUE;
            for(j =0; j < cnelem; j ++){
                krb5_data *p1 =
                    krb5_princ_component(context, *client, j);
                krb5_data *p2 =
                    krb5_princ_component(context, temp_client, j);

                if (!p1 || !p2 || !data_eq(*p1, *p2)) {
                    got_one = FALSE;
                    break;
                }
            }
            if (got_one == TRUE){
                if(best_client){
                    if(krb5_princ_size(context, best_client) >
                       krb5_princ_size(context, temp_client)){
                        best_client = temp_client;
                    }
                }else
                    best_client = temp_client;
            }
        }
        i++;
    }

    if (best_client) {
        *found = TRUE;
        *client = best_client;
    }

    return 0;
}

/****************************************************************
find_either_ticket checks to see whether there is a ticket for the
   end server or tgt, if neither is there the return FALSE,
*****************************************************************/

krb5_error_code find_either_ticket (context, cc, client, end_server, found)
    krb5_context context;
    krb5_ccache cc;
    krb5_principal client;
    krb5_principal end_server;
    krb5_boolean *found;
{

    krb5_principal kdc_server;
    krb5_error_code retval;
    krb5_boolean temp_found = FALSE;

    if (ks_ccache_is_initialized(context, cc)) {

        retval = find_ticket(context, cc, client, end_server, &temp_found);
        if (retval)
            return retval;

        if (temp_found == FALSE){
            retval = ksu_tgtname(context,
                                 krb5_princ_realm(context, client),
                                 krb5_princ_realm(context, client),
                                 &kdc_server);
            if (retval)
                return retval;

            retval = find_ticket(context, cc,client, kdc_server, &temp_found);
            if(retval)
                return retval;
        }
        else if (auth_debug)
            printf("find_either_ticket: found end server ticket\n");
    }

    *found = temp_found;

    return 0;
}


krb5_error_code find_ticket (context, cc, client, server, found)
    krb5_context context;
    krb5_ccache cc;
    krb5_principal client;
    krb5_principal server;
    krb5_boolean *found;
{

    krb5_creds tgt, tgtq;
    krb5_error_code retval;

    *found = FALSE;

    memset(&tgtq, 0, sizeof(tgtq));
    memset(&tgt, 0, sizeof(tgt));

    retval= krb5_copy_principal(context,  client, &tgtq.client);
    if (retval)
        return retval;

    retval= krb5_copy_principal(context,  server, &tgtq.server);
    if (retval)
        return retval ;

    retval = krb5_cc_retrieve_cred(context, cc, KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
                                   &tgtq, &tgt);

    if (! retval) retval = krb5_check_exp(context, tgt.times);

    if (retval){
        if ((retval != KRB5_CC_NOTFOUND) &&
            (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
            return retval ;
        }
    } else{
        *found = TRUE;
        return 0;
    }

    free(tgtq.server);
    free(tgtq.client);

    return 0;
}



krb5_error_code find_princ_in_list (context, princ, plist, found)
    krb5_context context;
    krb5_principal princ;
    char **plist;
    krb5_boolean *found;
{

    int i=0;
    char * princname;
    krb5_error_code retval;

    *found = FALSE;

    if (!plist) return 0;

    retval = krb5_unparse_name(context, princ, &princname);
    if (retval)
        return retval;

    while (plist[i] ){
        if (!strcmp(plist[i], princname)){
            *found = TRUE;
            break;
        }
        i++;
    }

    return 0;

}

typedef struct princ_info {
    krb5_principal p;
    krb5_boolean found;
}princ_info;

/**********************************************************************
get_best_princ_for_target -

sets the client name, path_out gets set, if authorization is not possible
path_out gets set to ...

***********************************************************************/

krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
                                          source_user, target_user,
                                          cc_source, options, cmd,
                                          hostname, client, path_out)
    krb5_context context;
    uid_t source_uid;
    uid_t target_uid;
    char *source_user;
    char *target_user;
    krb5_ccache cc_source;
    krb5_get_init_creds_opt *options;
    char *cmd;
    char *hostname;
    krb5_principal *client;
    int *path_out;
{

    princ_info princ_trials[10];
    krb5_principal cc_def_princ = NULL;
    krb5_principal temp_client;
    krb5_principal target_client;
    krb5_principal source_client;
    krb5_principal end_server;
    krb5_error_code retval;
    char ** aplist =NULL;
    krb5_boolean found = FALSE;
    struct stat tb;
    int count =0;
    int i;

    *path_out = 0;

    /* -n option was specified client is set we are done */
    if (*client != NULL)
        return 0;

    if (ks_ccache_is_initialized(context, cc_source)) {
        retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
        if (retval)
            return retval;
    }

    retval=krb5_parse_name(context, target_user, &target_client);
    if (retval)
        return retval;

    retval=krb5_parse_name(context, source_user, &source_client);
    if (retval)
        return retval;

    if (source_uid == 0){
        if (target_uid != 0)
            *client = target_client; /* this will be used to restrict
                                        the cache copty */
        else {
            if(cc_def_princ)
                *client = cc_def_princ;
            else
                *client = target_client;
        }

        if (auth_debug)
            printf(" GET_best_princ_for_target: via source_uid == 0\n");

        return 0;
    }

    /* from here on, the code is for source_uid !=  0 */

    if (source_uid && (source_uid == target_uid)){
        if(cc_def_princ)
            *client = cc_def_princ;
        else
            *client = target_client;
        if (auth_debug)
            printf("GET_best_princ_for_target: via source_uid == target_uid\n");
        return 0;
    }

    /* Become root, then target for looking at .k5login.*/
    if (krb5_seteuid(0) || krb5_seteuid(target_uid) ) {
        return errno;
    }

    /* if .k5users and .k5login do not exist */
    if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){
        *client = target_client;

        if (cmd)
            *path_out = NOT_AUTHORIZED;

        if (auth_debug)
            printf(" GET_best_princ_for_target: via no auth files path\n");

        return 0;
    }else{
        retval = get_authorized_princ_names(target_user, cmd, &aplist);
        if (retval)
            return retval;

        /* .k5users or .k5login exist, but no authorization */
        if ((!aplist) || (!aplist[0])) {
            *path_out = NOT_AUTHORIZED;
            if (auth_debug)
                printf("GET_best_princ_for_target: via empty auth files path\n");
            return 0;
        }
    }

    retval = krb5_sname_to_principal(context, hostname, NULL,
                                     KRB5_NT_SRV_HST, &end_server);
    if (retval)
        return retval;


    /* first see if default principal of the source cache
     * can get us in, then the target_user@realm, then the
     * source_user@realm. If all of them fail, try any
     * other ticket in the cache. */

    if (cc_def_princ)
        princ_trials[count ++].p = cc_def_princ;
    else
        princ_trials[count ++].p = NULL;

    princ_trials[count ++].p = target_client;
    princ_trials[count ++].p = source_client;

    for (i= 0; i < count; i ++)
        princ_trials[i].found = FALSE;

    for (i= 0; i < count; i ++){
        if(princ_trials[i].p) {
            retval= find_princ_in_list(context, princ_trials[i].p, aplist,
                                       &found);
            if (retval)
                return retval;

            if (found == TRUE){
                princ_trials[i].found = TRUE;

                retval = find_either_ticket (context, cc_source,
                                             princ_trials[i].p,
                                             end_server, &found);
                if (retval)
                    return retval;
                if (found == TRUE){
                    *client = princ_trials[i].p;
                    if (auth_debug)
                        printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i);
                    return 0;
                }
            }
        }
    }

    /* out of preferred principals, see if there is any ticket that will
       get us in */

    i=0;
    while (aplist[i]){
        retval = krb5_parse_name(context, aplist[i], &temp_client);
        if (retval)
            return retval;

        retval = find_either_ticket (context, cc_source, temp_client,
                                     end_server, &found);
        if (retval)
            return retval;

        if (found == TRUE){
            if (auth_debug)
                printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" );
            *client = temp_client;
            return 0;
        }

        krb5_free_principal(context, temp_client);

        i++;
    }

    /* no tickets qualified, select a principal, that may be used
       for password promting */


    for (i=0; i < count; i ++){
        if (princ_trials[i].found == TRUE){
            *client = princ_trials[i].p;

            if (auth_debug)
                printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i);
            return  0;
        }
    }

#ifdef PRINC_LOOK_AHEAD
    for (i=0; i < count; i ++){
        if (princ_trials[i].p){
            retval=krb5_copy_principal(context, princ_trials[i].p,
                                       &temp_client);
            if(retval)
                return retval;

            /* get the client name that is the closest
               to the three princ in trials */

            retval=get_closest_principal(context, aplist, &temp_client,
                                         &found);
            if(retval)
                return retval;

            if (found == TRUE){
                *client = temp_client;
                if (auth_debug)
                    printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i);
                return 0;
            }
            krb5_free_principal(context, temp_client);
        }
    }

#endif /* PRINC_LOOK_AHEAD */


    if(auth_debug)
        printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");

    *path_out = NOT_AUTHORIZED;
    return 0;
}