1/*	$NetBSD: windc.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
2
3/*
 * Copyright (c) 2007 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 *    may be used to endorse or promote products derived from this software
21 *    without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include "kdc_locl.h"
37
/*
 * Set to 1 by load() when krb5_kdc_windc_init() finds at least one WINDC
 * plugin; never cleared afterwards.  _kdc_pac_generate() and
 * _kdc_pac_verify() return immediately while it is 0, and
 * _kdc_check_access() then goes straight to kdc_check_flags(), so an
 * uninitialised or plugin-less KDC behaves as if no module existed.
 * Plain int with no synchronization visible in this file — presumably
 * written once at start-up before requests are served; confirm.
 */
static int have_plugin = 0;
39
40/*
41 * Pick the first WINDC module that we find.
42 */
43
/*
 * Callback handed to _krb5_plugin_run_f() by krb5_kdc_windc_init().  Its
 * only job is to note that some WINDC module is registered; it never looks
 * at the module itself, so every parameter is unused.
 *
 * Returning KRB5_PLUGIN_NO_HANDLE tells the iterator this callback did not
 * claim the request (presumably so it keeps walking the remaining modules;
 * the flag is set either way).
 */
static krb5_error_code KRB5_LIB_CALL
load(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    (void)context;
    (void)plug;
    (void)plugctx;
    (void)userctx;

    have_plugin = 1;

    return KRB5_PLUGIN_NO_HANDLE;
}
50
/*
 * Probe for WINDC plugins.  The plugin run is used purely for its side
 * effect — load() flips have_plugin — and the iterator's own status is
 * deliberately dropped, so this succeeds whether or not a module is
 * installed.  have_plugin is never reset, so repeated calls are harmless.
 */
krb5_error_code
krb5_kdc_windc_init(krb5_context context)
{
    krb5_error_code probe_status;

    probe_status = _krb5_plugin_run_f(context, "krb5", "windc",
				      KRB5_WINDC_PLUGIN_MINOR, 0, NULL, load);
    (void)probe_status;

    return 0;
}
58
/*
 * Arguments carried through _krb5_plugin_run_f()'s opaque userctx pointer
 * from _kdc_pac_generate() to the generate() callback.
 */
struct generate_uc {
    hdb_entry_ex *client;	/* client entry handed to the module's pac_generate */
    krb5_pac *pac;		/* handed to pac_generate; presumably the PAC output slot — verify in the plugin API */
};
63
/*
 * Per-module callback for _kdc_pac_generate().  plug is the module's
 * function table; userctx is the struct generate_uc built by the caller.
 * A module without a pac_generate hook is skipped via
 * KRB5_PLUGIN_NO_HANDLE; otherwise the hook's result is returned as-is.
 */
static krb5_error_code KRB5_LIB_CALL
generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    const krb5plugin_windc_ftable *ft = plug;
    const struct generate_uc *args = userctx;

    (void)plugctx;

    if (ft->pac_generate == NULL)
	return KRB5_PLUGIN_NO_HANDLE;

    /* The module receives its own table as the first argument. */
    return ft->pac_generate((void *)plug, context, args->client, args->pac);
}
74
75
/*
 * Ask the loaded WINDC module(s) to generate a PAC for client.
 *
 * Always returns 0: with no plugin it does nothing, and with one the
 * iterator's status is discarded.  A 0 return is therefore no promise that
 * *pac was populated — callers must inspect *pac themselves.
 */
krb5_error_code
_kdc_pac_generate(krb5_context context,
		  hdb_entry_ex *client,
		  krb5_pac *pac)
{
    struct generate_uc args = { client, pac };	/* order matches struct generate_uc */

    if (!have_plugin)
	return 0;

    (void)_krb5_plugin_run_f(context, "krb5", "windc",
			     KRB5_WINDC_PLUGIN_MINOR, 0, &args, generate);

    return 0;
}
93
/*
 * Arguments carried through _krb5_plugin_run_f()'s opaque userctx pointer
 * from _kdc_pac_verify() to the verify() callback.  All pointers are
 * borrowed from the caller; nothing here owns memory.
 */
struct verify_uc {
    krb5_principal client_principal;		/* forwarded to pac_verify */
    krb5_principal delegated_proxy_principal;	/* forwarded to pac_verify */
    hdb_entry_ex *client;			/* forwarded to pac_verify */
    hdb_entry_ex *server;			/* forwarded to pac_verify */
    hdb_entry_ex *krbtgt;			/* forwarded to pac_verify */
    krb5_pac *pac;				/* PAC under verification */
    int *verified;				/* set to 1 by verify() only when a module's pac_verify returns 0; never cleared here */
};
103
/*
 * Per-module callback for _kdc_pac_verify().  Modules lacking pac_verify
 * are skipped with KRB5_PLUGIN_NO_HANDLE.
 *
 * A module's verdict is reported ONLY through *verified: it is set to 1 on
 * a 0 result, and a non-zero (rejecting) result is swallowed — the callback
 * returns 0 regardless.  Since _kdc_pac_verify() also discards the iterator
 * status, a rejected PAC and "no module verified it" look identical to the
 * caller, which must pre-set *verified to 0 and treat "not verified" as the
 * failure case.
 */
static krb5_error_code KRB5_LIB_CALL
verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    const krb5plugin_windc_ftable *ft = plug;
    const struct verify_uc *args = userctx;
    krb5_error_code verdict;

    (void)plugctx;

    if (ft->pac_verify == NULL)
	return KRB5_PLUGIN_NO_HANDLE;

    verdict = ft->pac_verify((void *)plug, context,
			     args->client_principal,
			     args->delegated_proxy_principal,
			     args->client, args->server, args->krbtgt,
			     args->pac);
    if (verdict == 0)
	*args->verified = 1;

    return 0;
}
122
/*
 * Offer a PAC to the loaded WINDC module(s) for verification.
 *
 * Always returns 0.  The only output is *verified, which verify() sets to 1
 * when a module's pac_verify succeeds; this function never writes it
 * otherwise, so the caller must initialise it to 0 beforehand.  With no
 * plugin loaded nothing is touched at all.
 */
krb5_error_code
_kdc_pac_verify(krb5_context context,
		const krb5_principal client_principal,
		const krb5_principal delegated_proxy_principal,
		hdb_entry_ex *client,
		hdb_entry_ex *server,
		hdb_entry_ex *krbtgt,
		krb5_pac *pac,
		int *verified)
{
    /* Positional: order matches struct verify_uc. */
    struct verify_uc args = {
	client_principal, delegated_proxy_principal,
	client, server, krbtgt,
	pac, verified
    };

    if (!have_plugin)
	return 0;

    (void)_krb5_plugin_run_f(context, "krb5", "windc",
			     KRB5_WINDC_PLUGIN_MINOR, 0, &args, verify);

    return 0;
}
150
/*
 * Arguments carried through _krb5_plugin_run_f()'s opaque userctx pointer
 * from _kdc_check_access() to the check() callback.  Everything is
 * forwarded verbatim to the module's client_access hook; all pointers are
 * borrowed from the caller.
 */
struct check_uc {
    krb5_kdc_configuration *config;
    hdb_entry_ex *client_ex;
    const char *client_name;
    hdb_entry_ex *server_ex;
    const char *server_name;
    KDC_REQ *req;
    METHOD_DATA *method_data;	/* presumably for the module to append pre-auth hints — confirm in the plugin API */
};
160
/*
 * Per-module callback for _kdc_check_access().  Modules lacking a
 * client_access hook are skipped with KRB5_PLUGIN_NO_HANDLE; otherwise the
 * hook's result is returned unchanged and becomes the access decision.
 */
static krb5_error_code KRB5_LIB_CALL
check(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    const krb5plugin_windc_ftable *ft = plug;
    const struct check_uc *args = userctx;

    (void)plugctx;

    if (ft->client_access == NULL)
	return KRB5_PLUGIN_NO_HANDLE;

    return ft->client_access((void *)plug, context, args->config,
			     args->client_ex, args->client_name,
			     args->server_ex, args->server_name,
			     args->req, args->method_data);
}
174
175
/*
 * Access-control decision for a KDC request.
 *
 * A WINDC module implementing client_access gets the first word: whatever
 * the plugin run returns — including 0, i.e. "allow" — is the result, and
 * the built-in kdc_check_flags() is NOT consulted in that case.  Only when
 * no plugin is loaded, or the plugin run itself reports
 * KRB5_PLUGIN_NO_HANDLE, does the decision fall back to kdc_check_flags().
 *
 * req must be non-NULL: req->msg_type is read unconditionally on the
 * fallback path to distinguish an AS-REQ from other request types.
 */
krb5_error_code
_kdc_check_access(krb5_context context,
		  krb5_kdc_configuration *config,
		  hdb_entry_ex *client_ex, const char *client_name,
		  hdb_entry_ex *server_ex, const char *server_name,
		  KDC_REQ *req,
		  METHOD_DATA *method_data)
{
    krb5_error_code ret;
    /* Positional: order matches struct check_uc. */
    struct check_uc args = {
	config,
	client_ex, client_name,
	server_ex, server_name,
	req, method_data
    };

    if (!have_plugin)
	ret = KRB5_PLUGIN_NO_HANDLE;
    else
	ret = _krb5_plugin_run_f(context, "krb5", "windc",
				 KRB5_WINDC_PLUGIN_MINOR, 0, &args, check);

    /* A module that handled the request fully replaces the built-in check. */
    if (ret != KRB5_PLUGIN_NO_HANDLE)
	return ret;

    return kdc_check_flags(context, config,
			   client_ex, client_name,
			   server_ex, server_name,
			   req->msg_type == krb_as_req);
}
207