1998-08-09 08:43:13 +08:00
|
|
|
/*
|
|
|
|
* Copyright (c) 1990 Regents of the University of Michigan.
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms are permitted
|
|
|
|
* provided that this notice is preserved and that due credit is given
|
|
|
|
* to the University of Michigan at Ann Arbor. The name of the University
|
|
|
|
* may not be used to endorse or promote products derived from this
|
|
|
|
* software without specific prior written permission. This software
|
|
|
|
* is provided ``as is'' without express or implied warranty.
|
|
|
|
*/
|
|
|
|
|
1998-10-25 09:41:42 +08:00
|
|
|
#include "portable.h"
|
|
|
|
|
|
|
|
#ifdef HAVE_KERBEROS
|
1998-08-09 08:43:13 +08:00
|
|
|
|
|
|
|
#include <stdio.h>
|
1998-10-25 09:41:42 +08:00
|
|
|
|
|
|
|
#include <ac/krb.h>
|
|
|
|
#include <ac/socket.h>
|
|
|
|
|
1998-08-09 08:43:13 +08:00
|
|
|
#include <quipu/bind.h>
|
|
|
|
#if ISODEPACKAGE == IC
|
|
|
|
#include <quipu/DAS-types.h>
|
|
|
|
#else
|
|
|
|
#include <pepsy/DAS-types.h>
|
|
|
|
#endif
|
1998-10-25 09:41:42 +08:00
|
|
|
|
1998-08-09 08:43:13 +08:00
|
|
|
#include "lber.h"
|
|
|
|
#include "ldap.h"
|
|
|
|
#include "common.h"
|
|
|
|
|
|
|
|
int
|
|
|
|
kerberosv4_ldap_auth( char *cred, long len )
|
|
|
|
{
|
|
|
|
KTEXT_ST k;
|
|
|
|
KTEXT ktxt = &k;
|
|
|
|
char instance[INST_SZ];
|
|
|
|
int err;
|
|
|
|
AUTH_DAT ad;
|
|
|
|
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "kerberosv4_ldap_auth\n", 0, 0, 0 );
|
|
|
|
|
|
|
|
SAFEMEMCPY( ktxt->dat, cred, len );
|
|
|
|
ktxt->length = len;
|
|
|
|
|
|
|
|
strcpy( instance, "*" );
|
|
|
|
if ( (err = krb_rd_req( ktxt, krb_ldap_service, instance, 0L,
|
|
|
|
&ad, kerberos_keyfile )) != KSUCCESS ) {
|
|
|
|
Debug( LDAP_DEBUG_ANY, "krb_rd_req failed (%s)\n",
|
|
|
|
krb_err_txt[err], 0, 0 );
|
|
|
|
return( LDAP_INVALID_CREDENTIALS );
|
|
|
|
}
|
|
|
|
|
|
|
|
return( LDAP_SUCCESS );
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kerberosv4_bindarg(
|
|
|
|
struct ds_bind_arg *ba,
|
|
|
|
DN dn,
|
|
|
|
char *cred,
|
|
|
|
long len,
|
|
|
|
u_long *nonce
|
|
|
|
)
|
|
|
|
{
|
|
|
|
struct type_UNIV_EXTERNAL *e;
|
|
|
|
struct kerberos_parms kp;
|
|
|
|
PE pe;
|
|
|
|
struct timeval tv;
|
|
|
|
char realm[REALM_SZ];
|
|
|
|
int err;
|
|
|
|
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "kerberosv4_bindarg\n", 0, 0, 0 );
|
|
|
|
|
|
|
|
e = (struct type_UNIV_EXTERNAL *) calloc( 1,
|
|
|
|
sizeof(struct type_UNIV_EXTERNAL) );
|
|
|
|
e->encoding = (struct choice_UNIV_0 *) calloc( 1,
|
|
|
|
sizeof(struct choice_UNIV_0) );
|
|
|
|
ba->dba_external = e;
|
|
|
|
ba->dba_version = DBA_VERSION_V1988;
|
|
|
|
ba->dba_auth_type = DBA_AUTH_EXTERNAL;
|
|
|
|
|
|
|
|
e->indirect__reference = AUTH_TYPE_KERBEROS_V4;
|
|
|
|
e->direct__reference = NULLOID;
|
|
|
|
e->data__value__descriptor = str2qb( "KRBv4 client credentials",
|
|
|
|
24, 1 );
|
|
|
|
|
|
|
|
kp.kp_dn = dn;
|
|
|
|
kp.kp_version = AUTH_TYPE_KERBEROS_V4;
|
|
|
|
|
|
|
|
if ( (err = krb_get_lrealm( realm, 1 )) != KSUCCESS ) {
|
|
|
|
Debug( LDAP_DEBUG_ANY, "krb_get_lrealm failed (%s)\n",
|
|
|
|
krb_err_txt[err], 0, 0 );
|
|
|
|
return( LDAP_OPERATIONS_ERROR );
|
|
|
|
}
|
|
|
|
|
|
|
|
gettimeofday( &tv, NULL );
|
|
|
|
*nonce = tv.tv_sec;
|
|
|
|
SAFEMEMCPY( kp.kp_ktxt.dat, cred, len );
|
|
|
|
kp.kp_ktxt.length = len;
|
|
|
|
if ( encode_kerberos_parms( &pe, &kp ) == NOTOK ) {
|
|
|
|
Debug( LDAP_DEBUG_ANY, "kerberos parms encoding failed\n", 0,
|
|
|
|
0, 0 );
|
|
|
|
return( LDAP_OPERATIONS_ERROR );
|
|
|
|
}
|
|
|
|
|
|
|
|
e->encoding->offset = choice_UNIV_0_single__ASN1__type;
|
|
|
|
e->encoding->un.single__ASN1__type = pe;
|
|
|
|
|
|
|
|
return( 0 );
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kerberos_check_mutual(
|
|
|
|
struct ds_bind_arg *res,
|
|
|
|
u_long nonce
|
|
|
|
)
|
|
|
|
{
|
|
|
|
struct type_UNIV_EXTERNAL *e = res->dba_external;
|
|
|
|
struct kerberos_parms *kp;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "kerberos_check_mutual\n", 0, 0, 0 );
|
|
|
|
|
|
|
|
if ( decode_kerberos_parms( e->encoding->un.single__ASN1__type, &kp )
|
|
|
|
== NOTOK )
|
|
|
|
return( NOTOK );
|
|
|
|
ret = ((kp->kp_nonce == (nonce + 1)) ? OK : NOTOK );
|
|
|
|
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "expecting %d got %d\n", nonce, kp->kp_nonce,
|
|
|
|
0 );
|
|
|
|
|
|
|
|
pe_free( e->encoding->un.single__ASN1__type );
|
|
|
|
dn_free( kp->kp_dn );
|
|
|
|
free( (char *) kp );
|
|
|
|
|
|
|
|
return( ret );
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|