155682Smarkm/* 2233294Sstas * Copyright (c) 1997-2004 Kungliga Tekniska H��gskolan 3233294Sstas * (Royal Institute of Technology, Stockholm, Sweden). 4233294Sstas * All rights reserved. 555682Smarkm * 6233294Sstas * Redistribution and use in source and binary forms, with or without 7233294Sstas * modification, are permitted provided that the following conditions 8233294Sstas * are met: 955682Smarkm * 10233294Sstas * 1. Redistributions of source code must retain the above copyright 11233294Sstas * notice, this list of conditions and the following disclaimer. 1255682Smarkm * 13233294Sstas * 2. Redistributions in binary form must reproduce the above copyright 14233294Sstas * notice, this list of conditions and the following disclaimer in the 15233294Sstas * documentation and/or other materials provided with the distribution. 1655682Smarkm * 17233294Sstas * 3. Neither the name of the Institute nor the names of its contributors 18233294Sstas * may be used to endorse or promote products derived from this software 19233294Sstas * without specific prior written permission. 2055682Smarkm * 21233294Sstas * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22233294Sstas * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23233294Sstas * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24233294Sstas * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25233294Sstas * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26233294Sstas * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27233294Sstas * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28233294Sstas * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29233294Sstas * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30233294Sstas * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31233294Sstas * SUCH DAMAGE. 3255682Smarkm */ 3355682Smarkm 3455682Smarkm#include "krb5_locl.h" 3555682Smarkm 3655682Smarkmstatic krb5_error_code 3755682Smarkmverify_common (krb5_context context, 3855682Smarkm krb5_principal principal, 3955682Smarkm krb5_ccache ccache, 4078527Sassar krb5_keytab keytab, 4155682Smarkm krb5_boolean secure, 4255682Smarkm const char *service, 4355682Smarkm krb5_creds cred) 4455682Smarkm{ 4555682Smarkm krb5_error_code ret; 4655682Smarkm krb5_principal server; 4755682Smarkm krb5_verify_init_creds_opt vopt; 4855682Smarkm krb5_ccache id; 4955682Smarkm 5055682Smarkm ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST, 5155682Smarkm &server); 5278527Sassar if(ret) 5378527Sassar return ret; 5455682Smarkm 5555682Smarkm krb5_verify_init_creds_opt_init(&vopt); 5655682Smarkm krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure); 5755682Smarkm 5855682Smarkm ret = krb5_verify_init_creds(context, 5955682Smarkm &cred, 6055682Smarkm server, 6178527Sassar keytab, 6255682Smarkm NULL, 6355682Smarkm &vopt); 6455682Smarkm krb5_free_principal(context, server); 6578527Sassar if(ret) 6678527Sassar return ret; 6755682Smarkm if(ccache == NULL) 6855682Smarkm ret = krb5_cc_default (context, &id); 6955682Smarkm else 7055682Smarkm id = ccache; 7155682Smarkm if(ret == 0){ 7255682Smarkm ret = krb5_cc_initialize(context, id, principal); 7355682Smarkm if(ret == 0){ 7455682Smarkm ret = krb5_cc_store_cred(context, id, &cred); 7555682Smarkm } 7655682Smarkm if(ccache == NULL) 7755682Smarkm krb5_cc_close(context, id); 7855682Smarkm } 79178825Sdfr krb5_free_cred_contents(context, &cred); 8055682Smarkm return ret; 8155682Smarkm} 8255682Smarkm 8355682Smarkm/* 8455682Smarkm * Verify user `principal' with `password'. 8555682Smarkm * 8655682Smarkm * If `secure', also verify against local service key for `service'. 8755682Smarkm * 8855682Smarkm * As a side effect, fresh tickets are obtained and stored in `ccache'. 8955682Smarkm */ 9055682Smarkm 91233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 9278527Sassarkrb5_verify_opt_init(krb5_verify_opt *opt) 9355682Smarkm{ 9478527Sassar memset(opt, 0, sizeof(*opt)); 9578527Sassar opt->secure = TRUE; 9678527Sassar opt->service = "host"; 9778527Sassar} 9855682Smarkm 99233294SstasKRB5_LIB_FUNCTION int KRB5_LIB_CALL 100178825Sdfrkrb5_verify_opt_alloc(krb5_context context, krb5_verify_opt **opt) 101178825Sdfr{ 102178825Sdfr *opt = calloc(1, sizeof(**opt)); 103178825Sdfr if ((*opt) == NULL) { 104233294Sstas krb5_set_error_message(context, ENOMEM, 105233294Sstas N_("malloc: out of memory", "")); 106178825Sdfr return ENOMEM; 107178825Sdfr } 108178825Sdfr krb5_verify_opt_init(*opt); 109178825Sdfr return 0; 110178825Sdfr} 111178825Sdfr 112233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 113178825Sdfrkrb5_verify_opt_free(krb5_verify_opt *opt) 114178825Sdfr{ 115178825Sdfr free(opt); 116178825Sdfr} 117178825Sdfr 118233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 11978527Sassarkrb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache) 12078527Sassar{ 12178527Sassar opt->ccache = ccache; 12278527Sassar} 12378527Sassar 124233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 12578527Sassarkrb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab) 12678527Sassar{ 12778527Sassar opt->keytab = keytab; 12878527Sassar} 12978527Sassar 130233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 13178527Sassarkrb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure) 13278527Sassar{ 13378527Sassar opt->secure = secure; 13478527Sassar} 13578527Sassar 136233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 13778527Sassarkrb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service) 13878527Sassar{ 13978527Sassar opt->service = service; 14078527Sassar} 14178527Sassar 142233294SstasKRB5_LIB_FUNCTION void KRB5_LIB_CALL 14378527Sassarkrb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags) 14478527Sassar{ 14578527Sassar opt->flags |= flags; 14678527Sassar} 14778527Sassar 14878527Sassarstatic krb5_error_code 14978527Sassarverify_user_opt_int(krb5_context context, 15078527Sassar krb5_principal principal, 15178527Sassar const char *password, 15278527Sassar krb5_verify_opt *vopt) 15378527Sassar 15478527Sassar{ 15555682Smarkm krb5_error_code ret; 156178825Sdfr krb5_get_init_creds_opt *opt; 15755682Smarkm krb5_creds cred; 15878527Sassar 159178825Sdfr ret = krb5_get_init_creds_opt_alloc (context, &opt); 160178825Sdfr if (ret) 161178825Sdfr return ret; 162233294Sstas krb5_get_init_creds_opt_set_default_flags(context, NULL, 163233294Sstas krb5_principal_get_realm(context, principal), 164178825Sdfr opt); 16555682Smarkm ret = krb5_get_init_creds_password (context, 16655682Smarkm &cred, 16755682Smarkm principal, 168102644Snectar password, 16955682Smarkm krb5_prompter_posix, 17055682Smarkm NULL, 17155682Smarkm 0, 17255682Smarkm NULL, 173178825Sdfr opt); 174178825Sdfr krb5_get_init_creds_opt_free(context, opt); 17555682Smarkm if(ret) 17655682Smarkm return ret; 17778527Sassar#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D)) 178233294Sstas return verify_common (context, principal, OPT(ccache, NULL), 179233294Sstas OPT(keytab, NULL), vopt ? vopt->secure : TRUE, 18078527Sassar OPT(service, "host"), cred); 18178527Sassar#undef OPT 18255682Smarkm} 18355682Smarkm 184233294SstasKRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 18578527Sassarkrb5_verify_user_opt(krb5_context context, 18678527Sassar krb5_principal principal, 18778527Sassar const char *password, 18878527Sassar krb5_verify_opt *opt) 18978527Sassar{ 19078527Sassar krb5_error_code ret; 19178527Sassar 19278527Sassar if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) { 19378527Sassar krb5_realm *realms, *r; 19478527Sassar ret = krb5_get_default_realms (context, &realms); 19578527Sassar if (ret) 19678527Sassar return ret; 19778527Sassar ret = KRB5_CONFIG_NODEFREALM; 198233294Sstas 19978527Sassar for (r = realms; *r != NULL && ret != 0; ++r) { 200233294Sstas ret = krb5_principal_set_realm(context, principal, *r); 201233294Sstas if (ret) { 20278527Sassar krb5_free_host_realm (context, realms); 203233294Sstas return ret; 20478527Sassar } 205233294Sstas 20678527Sassar ret = verify_user_opt_int(context, principal, password, opt); 20778527Sassar } 20878527Sassar krb5_free_host_realm (context, realms); 20978527Sassar if(ret) 21078527Sassar return ret; 21178527Sassar } else 21278527Sassar ret = verify_user_opt_int(context, principal, password, opt); 21378527Sassar return ret; 21478527Sassar} 21578527Sassar 21678527Sassar/* compat function that calls above */ 21778527Sassar 218233294SstasKRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 219233294Sstaskrb5_verify_user(krb5_context context, 22078527Sassar krb5_principal principal, 22178527Sassar krb5_ccache ccache, 22278527Sassar const char *password, 22378527Sassar krb5_boolean secure, 22478527Sassar const char *service) 22578527Sassar{ 22678527Sassar krb5_verify_opt opt; 227233294Sstas 22878527Sassar krb5_verify_opt_init(&opt); 229233294Sstas 23078527Sassar krb5_verify_opt_set_ccache(&opt, ccache); 23178527Sassar krb5_verify_opt_set_secure(&opt, secure); 23278527Sassar krb5_verify_opt_set_service(&opt, service); 233233294Sstas 23478527Sassar return krb5_verify_user_opt(context, principal, password, &opt); 23578527Sassar} 23678527Sassar 23755682Smarkm/* 23855682Smarkm * A variant of `krb5_verify_user'. The realm of `principal' is 23955682Smarkm * ignored and all the local realms are tried. 24055682Smarkm */ 24155682Smarkm 242233294SstasKRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 243233294Sstaskrb5_verify_user_lrealm(krb5_context context, 24455682Smarkm krb5_principal principal, 24555682Smarkm krb5_ccache ccache, 24655682Smarkm const char *password, 24755682Smarkm krb5_boolean secure, 24855682Smarkm const char *service) 24955682Smarkm{ 25078527Sassar krb5_verify_opt opt; 251233294Sstas 25278527Sassar krb5_verify_opt_init(&opt); 253233294Sstas 25478527Sassar krb5_verify_opt_set_ccache(&opt, ccache); 25578527Sassar krb5_verify_opt_set_secure(&opt, secure); 25678527Sassar krb5_verify_opt_set_service(&opt, service); 25778527Sassar krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS); 258233294Sstas 25978527Sassar return krb5_verify_user_opt(context, principal, password, &opt); 26055682Smarkm} 261