1 /*	$NetBSD: windc.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
2 
3 /*
4  * Copyright (c) 2007 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "kdc_locl.h"
37 
/*
 * Set to 1 by load() (run from krb5_kdc_windc_init()) when at least one
 * "krb5"/"windc" plugin is registered.  While it stays 0 the
 * _kdc_pac_generate()/_kdc_pac_verify() entry points below return
 * immediately and _kdc_check_access() skips the plugin and goes straight
 * to kdc_check_flags().  Nothing in this file ever resets it.
 */
static int have_plugin = 0;
39 
/*
 * Pick the first WINDC module that we find.  load() below is only a
 * presence probe: it records that some module is registered, while the
 * per-request hooks (pac_generate, pac_verify, client_access) are
 * dispatched through _krb5_plugin_run_f() each time they are needed.
 */
/*
 * Presence probe invoked for each registered WINDC module from
 * krb5_kdc_windc_init().  Its only effect is to set have_plugin; all
 * four arguments are ignored.  It answers KRB5_PLUGIN_NO_HANDLE rather
 * than 0, presumably so that _krb5_plugin_run_f() does not treat this
 * module as having "handled" anything (see the "pick the first module"
 * note above).
 */
static krb5_error_code KRB5_LIB_CALL
load(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    (void)context;
    (void)plug;
    (void)plugctx;
    (void)userctx;

    /* One registered module is enough to enable the dispatch paths. */
    have_plugin = 1;
    return KRB5_PLUGIN_NO_HANDLE;
}
50 
/*
 * Discover whether any "krb5"/"windc" plugin at minor version
 * KRB5_WINDC_PLUGIN_MINOR is registered by running load() over the
 * plugin list.  The status of the plugin walk is discarded on purpose:
 * a missing WINDC module is not an error for the KDC, so this always
 * returns 0 and the only observable outcome is the have_plugin flag.
 */
krb5_error_code
krb5_kdc_windc_init(krb5_context context)
{
    krb5_error_code probe;

    probe = _krb5_plugin_run_f(context, "krb5", "windc",
			       KRB5_WINDC_PLUGIN_MINOR, 0, NULL, load);
    (void)probe;	/* have_plugin is the only result we care about */

    return 0;
}
58 
/*
 * User context threaded through _krb5_plugin_run_f() to generate():
 * the HDB entry the PAC is being built for and the output slot the
 * module's pac_generate hook receives.
 */
struct generate_uc {
    hdb_entry_ex *client;	/* entry handed to pac_generate */
    krb5_pac *pac;		/* output slot handed to pac_generate */
};
63 
/*
 * Per-module callback for _kdc_pac_generate().  A module without a
 * pac_generate hook is skipped by answering KRB5_PLUGIN_NO_HANDLE;
 * otherwise the hook's own status is returned as-is, with uc->client
 * and uc->pac passed straight through (the module, not this file,
 * decides what ends up in *uc->pac).
 */
static krb5_error_code KRB5_LIB_CALL
generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    const krb5plugin_windc_ftable *ft = plug;
    struct generate_uc *uc = userctx;

    (void)plugctx;

    if (ft->pac_generate == NULL)
	return KRB5_PLUGIN_NO_HANDLE;

    /* The hook wants a non-const handle to its own ftable. */
    return (*ft->pac_generate)((void *)plug, context, uc->client, uc->pac);
}
74 
75 
/*
 * Ask the registered WINDC module to build a PAC for `client', leaving
 * whatever it produces in *pac.  A no-op when no plugin is registered.
 *
 * Caveat for callers: the module's status is discarded and this always
 * returns 0, so "no plugin", "plugin declined" and "plugin failed" are
 * indistinguishable from the return value.  Callers must judge success
 * by inspecting *pac, which this function itself never writes.
 */
krb5_error_code
_kdc_pac_generate(krb5_context context,
		  hdb_entry_ex *client,
		  krb5_pac *pac)
{
    struct generate_uc uc;

    if (have_plugin) {
	uc.client = client;
	uc.pac = pac;

	(void)_krb5_plugin_run_f(context, "krb5", "windc",
				 KRB5_WINDC_PLUGIN_MINOR, 0, &uc, generate);
    }

    return 0;
}
93 
/*
 * User context threaded through _krb5_plugin_run_f() to verify().  All
 * principal/entry/PAC fields are forwarded untouched to the module's
 * pac_verify hook; `verified' is the only field this file writes to
 * (set to 1 in verify() when the hook returns 0, never cleared here).
 */
struct verify_uc {
    krb5_principal client_principal;
    krb5_principal delegated_proxy_principal;	/* may be NULL? -- not checked here, forwarded as-is */
    hdb_entry_ex *client;
    hdb_entry_ex *server;
    hdb_entry_ex *krbtgt;
    krb5_pac *pac;
    int *verified;	/* caller's flag; set to 1 on a 0 verdict, otherwise untouched */
};
103 
/*
 * Per-module callback for _kdc_pac_verify().  Modules without a
 * pac_verify hook are skipped with KRB5_PLUGIN_NO_HANDLE.
 *
 * Security note: only a hook verdict of exactly 0 marks the PAC as
 * verified.  Any other status is deliberately NOT propagated -- the
 * function still returns 0 and *uc->verified is left exactly as the
 * caller set it.  The caller must therefore treat an unset `verified'
 * flag, not a non-zero return, as "the PAC was rejected", and must not
 * trust or re-sign *uc->pac on that path.
 */
static krb5_error_code KRB5_LIB_CALL
verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    const krb5plugin_windc_ftable *ft = plug;
    struct verify_uc *uc = userctx;
    krb5_error_code verdict;

    (void)plugctx;

    if (ft->pac_verify == NULL)
	return KRB5_PLUGIN_NO_HANDLE;

    verdict = (*ft->pac_verify)((void *)plug, context,
				uc->client_principal,
				uc->delegated_proxy_principal,
				uc->client, uc->server,
				uc->krbtgt, uc->pac);

    if (verdict == 0)
	*uc->verified = 1;	/* rejection leaves the flag untouched */

    return 0;
}
122 
/*
 * Hand a PAC to the registered WINDC module for verification.
 *
 * Contract (read it carefully, it is easy to misuse):
 *  - Always returns 0, including when no plugin is registered and when
 *    the module rejects the PAC.  Rejection is signalled solely through
 *    *verified, which verify() sets to 1 only on a 0 verdict.
 *  - *verified is never written by this function itself and never
 *    cleared anywhere in this file, so the caller MUST initialise it to
 *    0 before the call; a stale 1 from an earlier use would make a
 *    rejected PAC look verified.
 *  - With no plugin, *verified is untouched and the PAC is neither
 *    checked nor rejected here.
 */
krb5_error_code
_kdc_pac_verify(krb5_context context,
		const krb5_principal client_principal,
		const krb5_principal delegated_proxy_principal,
		hdb_entry_ex *client,
		hdb_entry_ex *server,
		hdb_entry_ex *krbtgt,
		krb5_pac *pac,
		int *verified)
{
    struct verify_uc uc;

    if (have_plugin) {
	uc.client_principal = client_principal;
	uc.delegated_proxy_principal = delegated_proxy_principal;
	uc.client = client;
	uc.server = server;
	uc.krbtgt = krbtgt;
	uc.pac = pac;
	uc.verified = verified;

	(void)_krb5_plugin_run_f(context, "krb5", "windc",
				 KRB5_WINDC_PLUGIN_MINOR, 0, &uc, verify);
    }

    return 0;
}
150 
/*
 * User context threaded through _krb5_plugin_run_f() to check().  Every
 * field is forwarded verbatim to the module's client_access hook; this
 * file neither reads nor validates any of them.
 */
struct check_uc {
    krb5_kdc_configuration *config;
    hdb_entry_ex *client_ex;
    const char *client_name;	/* printable client name, as passed by the caller */
    hdb_entry_ex *server_ex;
    const char *server_name;	/* printable server name, as passed by the caller */
    KDC_REQ *req;		/* the request being decided on */
    METHOD_DATA *method_data;	/* presumably for the hook to append e-data; not touched here */
};
160 
/*
 * Per-module callback for _kdc_check_access().  Modules without a
 * client_access hook are skipped with KRB5_PLUGIN_NO_HANDLE; otherwise
 * the hook's verdict is returned unchanged, so a module that returns 0
 * grants access and any other code denies it (the caller does not
 * second-guess either answer).
 */
static krb5_error_code KRB5_LIB_CALL
check(krb5_context context, const void *plug, void *plugctx, void *userctx)
{
    const krb5plugin_windc_ftable *ft = plug;
    const struct check_uc *uc = userctx;

    (void)plugctx;

    if (ft->client_access == NULL)
	return KRB5_PLUGIN_NO_HANDLE;

    return (*ft->client_access)((void *)plug, context, uc->config,
				uc->client_ex, uc->client_name,
				uc->server_ex, uc->server_name,
				uc->req, uc->method_data);
}
174 
175 
/*
 * Access-control decision for a request, with an optional plugin
 * override.
 *
 * If a WINDC module is registered and its client_access hook returns
 * anything other than KRB5_PLUGIN_NO_HANDLE, that value is the final
 * answer and kdc_check_flags() is NOT consulted at all -- a module that
 * grants access (returns 0) takes full responsibility for whatever
 * HDB-flag policy kdc_check_flags() would otherwise have enforced.
 * Only when there is no plugin, or the plugin explicitly declines, does
 * the built-in kdc_check_flags() run.
 *
 * `req' is dereferenced on the fallback path (req->msg_type), so it
 * must not be NULL.
 */
krb5_error_code
_kdc_check_access(krb5_context context,
		  krb5_kdc_configuration *config,
		  hdb_entry_ex *client_ex, const char *client_name,
		  hdb_entry_ex *server_ex, const char *server_name,
		  KDC_REQ *req,
		  METHOD_DATA *method_data)
{
    if (have_plugin) {
	struct check_uc uc;
	krb5_error_code verdict;

	uc.config = config;
	uc.client_ex = client_ex;
	uc.client_name = client_name;
	uc.server_ex = server_ex;
	uc.server_name = server_name;
	uc.req = req;
	uc.method_data = method_data;

	verdict = _krb5_plugin_run_f(context, "krb5", "windc",
				     KRB5_WINDC_PLUGIN_MINOR, 0, &uc, check);

	/* Any answer but "not handled" is final; the built-in checks are skipped. */
	if (verdict != KRB5_PLUGIN_NO_HANDLE)
	    return verdict;
    }

    /* No plugin, or the plugin declined: fall back to the HDB flag checks. */
    return kdc_check_flags(context, config,
			   client_ex, client_name,
			   server_ex, server_name,
			   req->msg_type == krb_as_req);
}
207