verify_user.c revision 78527 
155682Smarkm/*
272445Sassar * Copyright (c) 1997-2001 Kungliga Tekniska H�gskolan
355682Smarkm * (Royal Institute of Technology, Stockholm, Sweden).
455682Smarkm * All rights reserved.
555682Smarkm *
655682Smarkm * Redistribution and use in source and binary forms, with or without
755682Smarkm * modification, are permitted provided that the following conditions
855682Smarkm * are met:
955682Smarkm *
1055682Smarkm * 1. Redistributions of source code must retain the above copyright
1155682Smarkm *    notice, this list of conditions and the following disclaimer.
1255682Smarkm *
1355682Smarkm * 2. Redistributions in binary form must reproduce the above copyright
1455682Smarkm *    notice, this list of conditions and the following disclaimer in the
1555682Smarkm *    documentation and/or other materials provided with the distribution.
1655682Smarkm *
1755682Smarkm * 3. Neither the name of the Institute nor the names of its contributors
1855682Smarkm *    may be used to endorse or promote products derived from this software
1955682Smarkm *    without specific prior written permission.
2055682Smarkm *
2155682Smarkm * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
2255682Smarkm * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2355682Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2455682Smarkm * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
2555682Smarkm * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2655682Smarkm * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2755682Smarkm * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2855682Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2955682Smarkm * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3055682Smarkm * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3155682Smarkm * SUCH DAMAGE.
3255682Smarkm */
3355682Smarkm
3455682Smarkm#include "krb5_locl.h"
3555682Smarkm
3678527SassarRCSID("$Id: verify_user.c,v 1.14 2001/05/14 09:06:53 joda Exp $");
3755682Smarkm
3855682Smarkmstatic krb5_error_code
3955682Smarkmverify_common (krb5_context context,
4055682Smarkm	       krb5_principal principal,
4155682Smarkm	       krb5_ccache ccache,
4278527Sassar	       krb5_keytab keytab,
4355682Smarkm	       krb5_boolean secure,
4455682Smarkm	       const char *service,
4555682Smarkm	       krb5_creds cred)
4655682Smarkm{
4755682Smarkm    krb5_error_code ret;
4855682Smarkm    krb5_principal server;
4955682Smarkm    krb5_verify_init_creds_opt vopt;
5055682Smarkm    krb5_ccache id;
5155682Smarkm
5255682Smarkm    ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
5355682Smarkm				   &server);
5478527Sassar    if(ret)
5578527Sassar	return ret;
5655682Smarkm
5755682Smarkm    krb5_verify_init_creds_opt_init(&vopt);
5855682Smarkm    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
5955682Smarkm
6055682Smarkm    ret = krb5_verify_init_creds(context,
6155682Smarkm				 &cred,
6255682Smarkm				 server,
6378527Sassar				 keytab,
6455682Smarkm				 NULL,
6555682Smarkm				 &vopt);
6655682Smarkm    krb5_free_principal(context, server);
6778527Sassar    if(ret)
6878527Sassar	return ret;
6955682Smarkm    if(ccache == NULL)
7055682Smarkm	ret = krb5_cc_default (context, &id);
7155682Smarkm    else
7255682Smarkm	id = ccache;
7355682Smarkm    if(ret == 0){
7455682Smarkm	ret = krb5_cc_initialize(context, id, principal);
7555682Smarkm	if(ret == 0){
7655682Smarkm	    ret = krb5_cc_store_cred(context, id, &cred);
7755682Smarkm	}
7855682Smarkm	if(ccache == NULL)
7955682Smarkm	    krb5_cc_close(context, id);
8055682Smarkm    }
8155682Smarkm    krb5_free_creds_contents(context, &cred);
8255682Smarkm    return ret;
8355682Smarkm}
8455682Smarkm
8555682Smarkm/*
8655682Smarkm * Verify user `principal' with `password'.
8755682Smarkm *
8855682Smarkm * If `secure', also verify against local service key for `service'.
8955682Smarkm *
9055682Smarkm * As a side effect, fresh tickets are obtained and stored in `ccache'.
9155682Smarkm */
9255682Smarkm
9378527Sassarvoid
9478527Sassarkrb5_verify_opt_init(krb5_verify_opt *opt)
9555682Smarkm{
9678527Sassar    memset(opt, 0, sizeof(*opt));
9778527Sassar    opt->secure = TRUE;
9878527Sassar    opt->service = "host";
9978527Sassar}
10055682Smarkm
10178527Sassarvoid
10278527Sassarkrb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
10378527Sassar{
10478527Sassar    opt->ccache = ccache;
10578527Sassar}
10678527Sassar
10778527Sassarvoid
10878527Sassarkrb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
10978527Sassar{
11078527Sassar    opt->keytab = keytab;
11178527Sassar}
11278527Sassar
11378527Sassarvoid
11478527Sassarkrb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
11578527Sassar{
11678527Sassar    opt->secure = secure;
11778527Sassar}
11878527Sassar
11978527Sassarvoid
12078527Sassarkrb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
12178527Sassar{
12278527Sassar    opt->service = service;
12378527Sassar}
12478527Sassar
12578527Sassarvoid
12678527Sassarkrb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
12778527Sassar{
12878527Sassar    opt->flags |= flags;
12978527Sassar}
13078527Sassar
13178527Sassarstatic krb5_error_code
13278527Sassarverify_user_opt_int(krb5_context context,
13378527Sassar		    krb5_principal principal,
13478527Sassar		    const char *password,
13578527Sassar		    krb5_verify_opt *vopt)
13678527Sassar
13778527Sassar{
13855682Smarkm    krb5_error_code ret;
13955682Smarkm    krb5_get_init_creds_opt opt;
14055682Smarkm    krb5_creds cred;
14178527Sassar
14255682Smarkm    krb5_get_init_creds_opt_init (&opt);
14372445Sassar    krb5_get_init_creds_opt_set_default_flags(context, NULL,
14472445Sassar					      *krb5_princ_realm(context, principal),
14572445Sassar					      &opt);
14655682Smarkm    ret = krb5_get_init_creds_password (context,
14755682Smarkm					&cred,
14855682Smarkm					principal,
14955682Smarkm					(char*)password,
15055682Smarkm					krb5_prompter_posix,
15155682Smarkm					NULL,
15255682Smarkm					0,
15355682Smarkm					NULL,
15455682Smarkm					&opt);
15555682Smarkm    if(ret)
15655682Smarkm	return ret;
15778527Sassar#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
15878527Sassar    return verify_common (context, principal, OPT(ccache, NULL),
15978527Sassar			  OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
16078527Sassar			  OPT(service, "host"), cred);
16178527Sassar#undef OPT
16255682Smarkm}
16355682Smarkm
16478527Sassarkrb5_error_code
16578527Sassarkrb5_verify_user_opt(krb5_context context,
16678527Sassar		     krb5_principal principal,
16778527Sassar		     const char *password,
16878527Sassar		     krb5_verify_opt *opt)
16978527Sassar{
17078527Sassar    krb5_error_code ret;
17178527Sassar
17278527Sassar    if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
17378527Sassar	krb5_realm *realms, *r;
17478527Sassar	ret = krb5_get_default_realms (context, &realms);
17578527Sassar	if (ret)
17678527Sassar	    return ret;
17778527Sassar	ret = KRB5_CONFIG_NODEFREALM;
17878527Sassar
17978527Sassar	for (r = realms; *r != NULL && ret != 0; ++r) {
18078527Sassar	    char *tmp = strdup (*r);
18178527Sassar
18278527Sassar	    if (tmp == NULL) {
18378527Sassar		krb5_free_host_realm (context, realms);
18478527Sassar		krb5_set_error_string (context, "malloc: out of memory");
18578527Sassar		return ENOMEM;
18678527Sassar	    }
18778527Sassar	    free (*krb5_princ_realm (context, principal));
18878527Sassar	    krb5_princ_set_realm (context, principal, &tmp);
18978527Sassar
19078527Sassar	    ret = verify_user_opt_int(context, principal, password, opt);
19178527Sassar	}
19278527Sassar	krb5_free_host_realm (context, realms);
19378527Sassar	if(ret)
19478527Sassar	    return ret;
19578527Sassar    } else
19678527Sassar	ret = verify_user_opt_int(context, principal, password, opt);
19778527Sassar    return ret;
19878527Sassar}
19978527Sassar
20078527Sassar/* compat function that calls above */
20178527Sassar
20278527Sassarkrb5_error_code
20378527Sassarkrb5_verify_user(krb5_context context,
20478527Sassar		 krb5_principal principal,
20578527Sassar		 krb5_ccache ccache,
20678527Sassar		 const char *password,
20778527Sassar		 krb5_boolean secure,
20878527Sassar		 const char *service)
20978527Sassar{
21078527Sassar    krb5_verify_opt opt;
21178527Sassar
21278527Sassar    krb5_verify_opt_init(&opt);
21378527Sassar
21478527Sassar    krb5_verify_opt_set_ccache(&opt, ccache);
21578527Sassar    krb5_verify_opt_set_secure(&opt, secure);
21678527Sassar    krb5_verify_opt_set_service(&opt, service);
21778527Sassar
21878527Sassar    return krb5_verify_user_opt(context, principal, password, &opt);
21978527Sassar}
22078527Sassar
22155682Smarkm/*
22255682Smarkm * A variant of `krb5_verify_user'.  The realm of `principal' is
22355682Smarkm * ignored and all the local realms are tried.
22455682Smarkm */
22555682Smarkm
22655682Smarkmkrb5_error_code
22755682Smarkmkrb5_verify_user_lrealm(krb5_context context,
22855682Smarkm			krb5_principal principal,
22955682Smarkm			krb5_ccache ccache,
23055682Smarkm			const char *password,
23155682Smarkm			krb5_boolean secure,
23255682Smarkm			const char *service)
23355682Smarkm{
23478527Sassar    krb5_verify_opt opt;
23555682Smarkm
23678527Sassar    krb5_verify_opt_init(&opt);
23778527Sassar
23878527Sassar    krb5_verify_opt_set_ccache(&opt, ccache);
23978527Sassar    krb5_verify_opt_set_secure(&opt, secure);
24078527Sassar    krb5_verify_opt_set_service(&opt, service);
24178527Sassar    krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS);
24278527Sassar
24378527Sassar    return krb5_verify_user_opt(context, principal, password, &opt);
24455682Smarkm}
245