1 /*
2 * SPDX-License-Identifier: ISC
3 *
4 * Copyright (c) 1996, 1998-2005, 2010-2012, 2014-2015
5 * Todd C. Miller <Todd.Miller@sudo.ws>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 *
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
22 */
23
24 /*
25 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
26 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
27 */
28 /*
29 * The code below basically comes from the examples supplied on
30 * the OSF DCE 1.0.3 manpages for the sec_login routines, with
31 * enough additional polishing to make the routine work with the
32 * rest of sudo.
33 *
34 * This code is known to work on HP 700 and 800 series systems
35 * running HP-UX 9.X and 10.X, with either HP's version 1.2.1 of DCE.
36 * (aka, OSF DCE 1.0.3) or with HP's version 1.4 of DCE (aka, OSF
37 * DCE 1.1).
38 */
39
40 #include <config.h>
41
42 #ifdef HAVE_DCE
43
44 #include <sys/types.h>
45 #include <stdio.h>
46 #include <stdlib.h>
47 #include <string.h>
48 #include <unistd.h>
49 #include <pwd.h>
50
51 #include <dce/rpc.h>
52 #include <dce/sec_login.h>
53 #include <dce/dce_error.h> /* required to call dce_error_inq_text routine */
54
55 #include "sudoers.h"
56 #include "sudo_auth.h"
57
58 static int check_dce_status(error_status_t, char *);
59
60 int
sudo_dce_verify(struct passwd * pw,char * plain_pw,sudo_auth * auth,struct sudo_conv_callback * callback)61 sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback)
62 {
63 struct passwd temp_pw;
64 sec_passwd_rec_t password_rec;
65 sec_login_handle_t login_context;
66 boolean32 reset_passwd;
67 sec_login_auth_src_t auth_src;
68 error_status_t status;
69 debug_decl(sudo_dce_verify, SUDOERS_DEBUG_AUTH);
70
71 /*
72 * Create the local context of the DCE principal necessary
73 * to perform authenticated network operations. The network
74 * identity set up by this operation cannot be used until it
75 * is validated via sec_login_validate_identity().
76 */
77 if (sec_login_setup_identity((unsigned_char_p_t) pw->pw_name,
78 sec_login_no_flags, &login_context, &status)) {
79
80 if (check_dce_status(status, "sec_login_setup_identity(1):"))
81 debug_return_int(AUTH_FAILURE);
82
83 password_rec.key.key_type = sec_passwd_plain;
84 password_rec.key.tagged_union.plain = (idl_char *) plain_pw;
85 password_rec.pepper = NULL;
86 password_rec.version_number = sec_passwd_c_version_none;
87
88 /* Validate the login context with the password */
89 if (sec_login_validate_identity(login_context, &password_rec,
90 &reset_passwd, &auth_src, &status)) {
91
92 if (check_dce_status(status, "sec_login_validate_identity(1):"))
93 debug_return_int(AUTH_FAILURE);
94
95 /*
96 * Certify that the DCE Security Server used to set
97 * up and validate a login context is legitimate. Makes
98 * sure that we didn't get spoofed by another DCE server.
99 */
100 if (!sec_login_certify_identity(login_context, &status)) {
101 sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
102 "Whoa! Bogus authentication server!\n");
103 (void) check_dce_status(status,"sec_login_certify_identity(1):");
104 debug_return_int(AUTH_FAILURE);
105 }
106 if (check_dce_status(status, "sec_login_certify_identity(2):"))
107 debug_return_int(AUTH_FAILURE);
108
109 /*
110 * Sets the network credentials to those specified
111 * by the now validated login context.
112 */
113 sec_login_set_context(login_context, &status);
114 if (check_dce_status(status, "sec_login_set_context:"))
115 debug_return_int(AUTH_FAILURE);
116
117 /*
118 * Oops, your credentials were no good. Possibly
119 * caused by clock times out of adjustment between
120 * DCE client and DCE security server...
121 */
122 if (auth_src != sec_login_auth_src_network) {
123 sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
124 "You have no network credentials.\n");
125 debug_return_int(AUTH_FAILURE);
126 }
127 /* Check if the password has aged and is thus no good */
128 if (reset_passwd) {
129 sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
130 "Your DCE password needs resetting.\n");
131 debug_return_int(AUTH_FAILURE);
132 }
133
134 /*
135 * We should be a valid user by this point. Pull the
136 * user's password structure from the DCE security
137 * server just to make sure. If we get it with no
138 * problems, then we really are legitimate...
139 */
140 sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw,
141 &status);
142 if (check_dce_status(status, "sec_login_get_pwent:"))
143 debug_return_int(AUTH_FAILURE);
144
145 /*
146 * If we get to here, then the pwent above properly fetched
147 * the password structure from the DCE registry, so the user
148 * must be valid. We don't really care what the user's
149 * registry password is, just that the user could be
150 * validated. In fact, if we tried to compare the local
151 * password to the DCE entry at this point, the operation
152 * would fail if the hidden password feature is turned on,
153 * because the password field would contain an asterisk.
154 * Also go ahead and destroy the user's DCE login context
155 * before we leave here (and don't bother checking the
156 * status), in order to clean up credentials files in
157 * /opt/dcelocal/var/security/creds. By doing this, we are
158 * assuming that the user will not need DCE authentication
159 * later in the program, only local authentication. If this
160 * is not true, then the login_context will have to be
161 * returned to the calling program, and the context purged
162 * somewhere later in the program.
163 */
164 sec_login_purge_context(&login_context, &status);
165 debug_return_int(AUTH_SUCCESS);
166 } else {
167 if(check_dce_status(status, "sec_login_validate_identity(2):"))
168 debug_return_int(AUTH_FAILURE);
169 sec_login_purge_context(&login_context, &status);
170 if(check_dce_status(status, "sec_login_purge_context:"))
171 debug_return_int(AUTH_FAILURE);
172 }
173 }
174 (void) check_dce_status(status, "sec_login_setup_identity(2):");
175 debug_return_int(AUTH_FAILURE);
176 }
177
178 /* Returns 0 for DCE "ok" status, 1 otherwise */
179 static int
check_dce_status(error_status_t input_status,char * comment)180 check_dce_status(error_status_t input_status, char *comment)
181 {
182 int error_stat;
183 unsigned char error_string[dce_c_error_string_len];
184 debug_decl(check_dce_status, SUDOERS_DEBUG_AUTH);
185
186 if (input_status == rpc_s_ok)
187 debug_return_int(0);
188 dce_error_inq_text(input_status, error_string, &error_stat);
189 sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
190 "%s %s\n", comment, error_string);
191 debug_return_int(1);
192 }
193
194 #endif /* HAVE_DCE */
195