verify_user.c revision 102644 
1169689Skan/*
290075Sobrien * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan
390075Sobrien * (Royal Institute of Technology, Stockholm, Sweden).
4169689Skan * All rights reserved.
590075Sobrien *
6169689Skan * Redistribution and use in source and binary forms, with or without
7169689Skan * modification, are permitted provided that the following conditions
8169689Skan * are met:
9169689Skan *
10169689Skan * 1. Redistributions of source code must retain the above copyright
11169689Skan *    notice, this list of conditions and the following disclaimer.
1290075Sobrien *
13169689Skan * 2. Redistributions in binary form must reproduce the above copyright
14169689Skan *    notice, this list of conditions and the following disclaimer in the
1590075Sobrien *    documentation and/or other materials provided with the distribution.
16169689Skan *
17169689Skan * 3. Neither the name of the Institute nor the names of its contributors
18169689Skan *    may be used to endorse or promote products derived from this software
19169689Skan *    without specific prior written permission.
2090075Sobrien *
21169689Skan * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22169689Skan * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23169689Skan * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24169689Skan * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25169689Skan * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26169689Skan * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27169689Skan * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28117395Skan * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29117395Skan * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3090075Sobrien * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3190075Sobrien * SUCH DAMAGE.
3290075Sobrien */
3390075Sobrien
3490075Sobrien#include "krb5_locl.h"
3590075Sobrien
3690075SobrienRCSID("$Id: verify_user.c,v 1.17 2002/08/20 14:48:31 joda Exp $");
3790075Sobrien
3890075Sobrienstatic krb5_error_code
3990075Sobrienverify_common (krb5_context context,
4090075Sobrien	       krb5_principal principal,
4190075Sobrien	       krb5_ccache ccache,
4290075Sobrien	       krb5_keytab keytab,
4390075Sobrien	       krb5_boolean secure,
4490075Sobrien	       const char *service,
45132718Skan	       krb5_creds cred)
46132718Skan{
4790075Sobrien    krb5_error_code ret;
48132718Skan    krb5_principal server;
4990075Sobrien    krb5_verify_init_creds_opt vopt;
5090075Sobrien    krb5_ccache id;
51132718Skan
52132718Skan    ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
53132718Skan				   &server);
5490075Sobrien    if(ret)
5590075Sobrien	return ret;
5690075Sobrien
57132718Skan    krb5_verify_init_creds_opt_init(&vopt);
5890075Sobrien    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
5990075Sobrien
60132718Skan    ret = krb5_verify_init_creds(context,
6190075Sobrien				 &cred,
62132718Skan				 server,
6390075Sobrien				 keytab,
64132718Skan				 NULL,
6590075Sobrien				 &vopt);
6690075Sobrien    krb5_free_principal(context, server);
67117395Skan    if(ret)
68117395Skan	return ret;
69132718Skan    if(ccache == NULL)
70117395Skan	ret = krb5_cc_default (context, &id);
71117395Skan    else
72132718Skan	id = ccache;
73117395Skan    if(ret == 0){
74117395Skan	ret = krb5_cc_initialize(context, id, principal);
75117395Skan	if(ret == 0){
76117395Skan	    ret = krb5_cc_store_cred(context, id, &cred);
7790075Sobrien	}
7890075Sobrien	if(ccache == NULL)
7990075Sobrien	    krb5_cc_close(context, id);
8090075Sobrien    }
8190075Sobrien    krb5_free_creds_contents(context, &cred);
8290075Sobrien    return ret;
8390075Sobrien}
8490075Sobrien
8590075Sobrien/*
8690075Sobrien * Verify user `principal' with `password'.
8790075Sobrien *
8890075Sobrien * If `secure', also verify against local service key for `service'.
8990075Sobrien *
9090075Sobrien * As a side effect, fresh tickets are obtained and stored in `ccache'.
9190075Sobrien */
92132718Skan
9390075Sobrienvoid
9490075Sobrienkrb5_verify_opt_init(krb5_verify_opt *opt)
9590075Sobrien{
9690075Sobrien    memset(opt, 0, sizeof(*opt));
9790075Sobrien    opt->secure = TRUE;
9890075Sobrien    opt->service = "host";
9990075Sobrien}
10090075Sobrien
101132718Skanvoid
10290075Sobrienkrb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
10390075Sobrien{
10490075Sobrien    opt->ccache = ccache;
10590075Sobrien}
10690075Sobrien
10790075Sobrienvoid
10890075Sobrienkrb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
10990075Sobrien{
110132718Skan    opt->keytab = keytab;
11190075Sobrien}
11290075Sobrien
11390075Sobrienvoid
11490075Sobrienkrb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
11590075Sobrien{
11690075Sobrien    opt->secure = secure;
11790075Sobrien}
11890075Sobrien
119132718Skanvoid
12090075Sobrienkrb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
12190075Sobrien{
12290075Sobrien    opt->service = service;
123117395Skan}
12490075Sobrien
12590075Sobrienvoid
126132718Skankrb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
127132718Skan{
12890075Sobrien    opt->flags |= flags;
129132718Skan}
13090075Sobrien
131132718Skanstatic krb5_error_code
132132718Skanverify_user_opt_int(krb5_context context,
133132718Skan		    krb5_principal principal,
134132718Skan		    const char *password,
135132718Skan		    krb5_verify_opt *vopt)
136132718Skan
137132718Skan{
138132718Skan    krb5_error_code ret;
139132718Skan    krb5_get_init_creds_opt opt;
140132718Skan    krb5_creds cred;
14190075Sobrien
14290075Sobrien    krb5_get_init_creds_opt_init (&opt);
14390075Sobrien    krb5_get_init_creds_opt_set_default_flags(context, NULL,
14490075Sobrien					      *krb5_princ_realm(context, principal),
14590075Sobrien					      &opt);
146132718Skan    ret = krb5_get_init_creds_password (context,
147132718Skan					&cred,
148132718Skan					principal,
149132718Skan					password,
150132718Skan					krb5_prompter_posix,
151132718Skan					NULL,
152132718Skan					0,
153132718Skan					NULL,
154132718Skan					&opt);
155132718Skan    if(ret)
156132718Skan	return ret;
157132718Skan#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
158132718Skan    return verify_common (context, principal, OPT(ccache, NULL),
159132718Skan			  OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
160132718Skan			  OPT(service, "host"), cred);
161132718Skan#undef OPT
162132718Skan}
163132718Skan
164132718Skankrb5_error_code
165132718Skankrb5_verify_user_opt(krb5_context context,
166132718Skan		     krb5_principal principal,
167132718Skan		     const char *password,
168132718Skan		     krb5_verify_opt *opt)
169132718Skan{
170132718Skan    krb5_error_code ret;
171132718Skan
172132718Skan    if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
173132718Skan	krb5_realm *realms, *r;
174132718Skan	ret = krb5_get_default_realms (context, &realms);
175132718Skan	if (ret)
176132718Skan	    return ret;
17790075Sobrien	ret = KRB5_CONFIG_NODEFREALM;
17890075Sobrien
17990075Sobrien	for (r = realms; *r != NULL && ret != 0; ++r) {
18090075Sobrien	    char *tmp = strdup (*r);
18190075Sobrien
18290075Sobrien	    if (tmp == NULL) {
18390075Sobrien		krb5_free_host_realm (context, realms);
184132718Skan		krb5_set_error_string (context, "malloc: out of memory");
185132718Skan		return ENOMEM;
186132718Skan	    }
187132718Skan	    free (*krb5_princ_realm (context, principal));
188132718Skan	    krb5_princ_set_realm (context, principal, &tmp);
18990075Sobrien
190132718Skan	    ret = verify_user_opt_int(context, principal, password, opt);
191132718Skan	}
192132718Skan	krb5_free_host_realm (context, realms);
193132718Skan	if(ret)
194132718Skan	    return ret;
195132718Skan    } else
196132718Skan	ret = verify_user_opt_int(context, principal, password, opt);
197132718Skan    return ret;
198132718Skan}
199132718Skan
200132718Skan/* compat function that calls above */
201132718Skan
202132718Skankrb5_error_code
203132718Skankrb5_verify_user(krb5_context context,
204132718Skan		 krb5_principal principal,
205132718Skan		 krb5_ccache ccache,
206132718Skan		 const char *password,
207132718Skan		 krb5_boolean secure,
208132718Skan		 const char *service)
209132718Skan{
210132718Skan    krb5_verify_opt opt;
211132718Skan
21290075Sobrien    krb5_verify_opt_init(&opt);
213132718Skan
214132718Skan    krb5_verify_opt_set_ccache(&opt, ccache);
215132718Skan    krb5_verify_opt_set_secure(&opt, secure);
216132718Skan    krb5_verify_opt_set_service(&opt, service);
217132718Skan
21890075Sobrien    return krb5_verify_user_opt(context, principal, password, &opt);
219132718Skan}
220132718Skan
221132718Skan/*
222132718Skan * A variant of `krb5_verify_user'.  The realm of `principal' is
223132718Skan * ignored and all the local realms are tried.
224132718Skan */
225132718Skan
226132718Skankrb5_error_code
227132718Skankrb5_verify_user_lrealm(krb5_context context,
228132718Skan			krb5_principal principal,
229132718Skan			krb5_ccache ccache,
230132718Skan			const char *password,
231132718Skan			krb5_boolean secure,
232132718Skan			const char *service)
233132718Skan{
234132718Skan    krb5_verify_opt opt;
235132718Skan
236132718Skan    krb5_verify_opt_init(&opt);
237132718Skan
238132718Skan    krb5_verify_opt_set_ccache(&opt, ccache);
239132718Skan    krb5_verify_opt_set_secure(&opt, secure);
240132718Skan    krb5_verify_opt_set_service(&opt, service);
241132718Skan    krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS);
242132718Skan
243132718Skan    return krb5_verify_user_opt(context, principal, password, &opt);
244132718Skan}
245132718Skan