1/* $NetBSD: verify_init.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */ 2 3/* 4 * Copyright (c) 1997 - 2008 Kungliga Tekniska H��gskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "krb5_locl.h" 37 38KRB5_LIB_FUNCTION void KRB5_LIB_CALL 39krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options) 40{ 41 memset (options, 0, sizeof(*options)); 42} 43 44KRB5_LIB_FUNCTION void KRB5_LIB_CALL 45krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, 46 int ap_req_nofail) 47{ 48 options->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; 49 options->ap_req_nofail = ap_req_nofail; 50} 51 52/* 53 * 54 */ 55 56static krb5_boolean 57fail_verify_is_ok (krb5_context context, 58 krb5_verify_init_creds_opt *options) 59{ 60 61 if (options && (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL) 62 && options->ap_req_nofail != 0) 63 return FALSE; 64 65 if (krb5_config_get_bool(context, 66 NULL, 67 "libdefaults", 68 "verify_ap_req_nofail", 69 NULL)) 70 return FALSE; 71 72 return TRUE; 73} 74 75KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 76krb5_verify_init_creds(krb5_context context, 77 krb5_creds *creds, 78 krb5_principal ap_req_server, 79 krb5_keytab ap_req_keytab, 80 krb5_ccache *ccache, 81 krb5_verify_init_creds_opt *options) 82{ 83 krb5_error_code ret; 84 krb5_data req; 85 krb5_ccache local_ccache = NULL; 86 krb5_creds *new_creds = NULL; 87 krb5_auth_context auth_context = NULL; 88 krb5_principal server = NULL; 89 krb5_keytab keytab = NULL; 90 91 krb5_data_zero (&req); 92 93 if (ap_req_server == NULL) { 94 char local_hostname[MAXHOSTNAMELEN]; 95 96 if (gethostname (local_hostname, sizeof(local_hostname)) < 0) { 97 ret = errno; 98 krb5_set_error_message (context, ret, "gethostname: %s", 99 strerror(ret)); 100 return ret; 101 } 102 103 ret = krb5_sname_to_principal (context, 104 local_hostname, 105 "host", 106 KRB5_NT_SRV_HST, 107 &server); 108 if (ret) 109 goto cleanup; 110 } else 111 server = ap_req_server; 112 113 if (ap_req_keytab == NULL) { 114 ret = krb5_kt_default (context, &keytab); 115 if (ret) 116 goto cleanup; 117 } else 118 keytab = ap_req_keytab; 119 120 if (ccache && *ccache) 121 local_ccache = *ccache; 122 else { 123 ret = krb5_cc_new_unique(context, krb5_cc_type_memory, 124 NULL, &local_ccache); 125 if (ret) 126 goto cleanup; 127 ret = krb5_cc_initialize (context, 128 local_ccache, 129 creds->client); 130 if (ret) 131 goto cleanup; 132 ret = krb5_cc_store_cred (context, 133 local_ccache, 134 creds); 135 if (ret) 136 goto cleanup; 137 } 138 139 if (!krb5_principal_compare (context, server, creds->server)) { 140 krb5_creds match_cred; 141 142 memset (&match_cred, 0, sizeof(match_cred)); 143 144 match_cred.client = creds->client; 145 match_cred.server = server; 146 147 ret = krb5_get_credentials (context, 148 0, 149 local_ccache, 150 &match_cred, 151 &new_creds); 152 if (ret) { 153 if (fail_verify_is_ok (context, options)) 154 ret = 0; 155 goto cleanup; 156 } 157 creds = new_creds; 158 } 159 160 ret = krb5_mk_req_extended (context, 161 &auth_context, 162 0, 163 NULL, 164 creds, 165 &req); 166 167 krb5_auth_con_free (context, auth_context); 168 auth_context = NULL; 169 170 if (ret) 171 goto cleanup; 172 173 ret = krb5_rd_req (context, 174 &auth_context, 175 &req, 176 server, 177 keytab, 178 0, 179 NULL); 180 181 if (ret == KRB5_KT_NOTFOUND && fail_verify_is_ok (context, options)) 182 ret = 0; 183cleanup: 184 if (auth_context) 185 krb5_auth_con_free (context, auth_context); 186 krb5_data_free (&req); 187 if (new_creds != NULL) 188 krb5_free_creds (context, new_creds); 189 if (ap_req_server == NULL && server) 190 krb5_free_principal (context, server); 191 if (ap_req_keytab == NULL && keytab) 192 krb5_kt_close (context, keytab); 193 if (local_ccache != NULL 194 && 195 (ccache == NULL 196 || (ret != 0 && *ccache == NULL))) 197 krb5_cc_destroy (context, local_ccache); 198 199 if (ret == 0 && ccache != NULL && *ccache == NULL) 200 *ccache = local_ccache; 201 202 return ret; 203} 204 205/** 206 * Validate the newly fetch credential, see also krb5_verify_init_creds(). 207 * 208 * @param context a Kerberos 5 context 209 * @param creds the credentials to verify 210 * @param client the client name to match up 211 * @param ccache the credential cache to use 212 * @param service a service name to use, used with 213 * krb5_sname_to_principal() to build a hostname to use to 214 * verify. 215 * 216 * @ingroup krb5_ccache 217 */ 218 219KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 220krb5_get_validated_creds(krb5_context context, 221 krb5_creds *creds, 222 krb5_principal client, 223 krb5_ccache ccache, 224 char *service) 225{ 226 krb5_verify_init_creds_opt vopt; 227 krb5_principal server; 228 krb5_error_code ret; 229 230 if (krb5_principal_compare(context, creds->client, client) != TRUE) { 231 krb5_set_error_message(context, KRB5_PRINC_NOMATCH, 232 N_("Validation credentials and client " 233 "doesn't match", "")); 234 return KRB5_PRINC_NOMATCH; 235 } 236 237 ret = krb5_sname_to_principal (context, NULL, service, 238 KRB5_NT_SRV_HST, &server); 239 if(ret) 240 return ret; 241 242 krb5_verify_init_creds_opt_init(&vopt); 243 244 ret = krb5_verify_init_creds(context, creds, server, NULL, NULL, &vopt); 245 krb5_free_principal(context, server); 246 247 return ret; 248} 249