version 1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 1996, 1998-2005, 2010-2011 | * Copyright (c) 1996, 1998-2005, 2010-2012 |
* Todd C. Miller <Todd.Miller@courtesan.com> |
* Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
Line 36
|
Line 36
|
#include <config.h> |
#include <config.h> |
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/param.h> |
|
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
# include <stdlib.h> |
# include <stdlib.h> |
Line 67
|
Line 66
|
static int check_dce_status(error_status_t, char *); |
static int check_dce_status(error_status_t, char *); |
|
|
int |
int |
dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth) | sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth) |
{ |
{ |
struct passwd temp_pw; |
struct passwd temp_pw; |
sec_passwd_rec_t password_rec; |
sec_passwd_rec_t password_rec; |
Line 75 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 74 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
boolean32 reset_passwd; |
boolean32 reset_passwd; |
sec_login_auth_src_t auth_src; |
sec_login_auth_src_t auth_src; |
error_status_t status; |
error_status_t status; |
|
debug_decl(sudo_dce_verify, SUDO_DEBUG_AUTH) |
|
|
/* |
/* |
* Create the local context of the DCE principal necessary |
* Create the local context of the DCE principal necessary |
Line 86 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 86 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
sec_login_no_flags, &login_context, &status)) { |
sec_login_no_flags, &login_context, &status)) { |
|
|
if (check_dce_status(status, "sec_login_setup_identity(1):")) |
if (check_dce_status(status, "sec_login_setup_identity(1):")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
|
|
password_rec.key.key_type = sec_passwd_plain; |
password_rec.key.key_type = sec_passwd_plain; |
password_rec.key.tagged_union.plain = (idl_char *) plain_pw; |
password_rec.key.tagged_union.plain = (idl_char *) plain_pw; |
Line 98 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 98 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
&reset_passwd, &auth_src, &status)) { |
&reset_passwd, &auth_src, &status)) { |
|
|
if (check_dce_status(status, "sec_login_validate_identity(1):")) |
if (check_dce_status(status, "sec_login_validate_identity(1):")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
|
|
/* |
/* |
* Certify that the DCE Security Server used to set |
* Certify that the DCE Security Server used to set |
Line 108 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 108 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
if (!sec_login_certify_identity(login_context, &status)) { |
if (!sec_login_certify_identity(login_context, &status)) { |
(void) fprintf(stderr, "Whoa! Bogus authentication server!\n"); |
(void) fprintf(stderr, "Whoa! Bogus authentication server!\n"); |
(void) check_dce_status(status,"sec_login_certify_identity(1):"); |
(void) check_dce_status(status,"sec_login_certify_identity(1):"); |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
} |
} |
if (check_dce_status(status, "sec_login_certify_identity(2):")) |
if (check_dce_status(status, "sec_login_certify_identity(2):")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
|
|
/* |
/* |
* Sets the network credentials to those specified |
* Sets the network credentials to those specified |
Line 119 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 119 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
*/ |
*/ |
sec_login_set_context(login_context, &status); |
sec_login_set_context(login_context, &status); |
if (check_dce_status(status, "sec_login_set_context:")) |
if (check_dce_status(status, "sec_login_set_context:")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
|
|
/* |
/* |
* Oops, your credentials were no good. Possibly |
* Oops, your credentials were no good. Possibly |
Line 129 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 129 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
if (auth_src != sec_login_auth_src_network) { |
if (auth_src != sec_login_auth_src_network) { |
(void) fprintf(stderr, |
(void) fprintf(stderr, |
"You have no network credentials.\n"); |
"You have no network credentials.\n"); |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
} |
} |
/* Check if the password has aged and is thus no good */ |
/* Check if the password has aged and is thus no good */ |
if (reset_passwd) { |
if (reset_passwd) { |
(void) fprintf(stderr, |
(void) fprintf(stderr, |
"Your DCE password needs resetting.\n"); |
"Your DCE password needs resetting.\n"); |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
} |
} |
|
|
/* |
/* |
Line 147 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 147 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw, |
sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw, |
&status); |
&status); |
if (check_dce_status(status, "sec_login_get_pwent:")) |
if (check_dce_status(status, "sec_login_get_pwent:")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
|
|
/* |
/* |
* If we get to here, then the pwent above properly fetched |
* If we get to here, then the pwent above properly fetched |
Line 169 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
Line 169 dce_verify(struct passwd *pw, char *plain_pw, sudo_aut
|
* somewhere later in the program. |
* somewhere later in the program. |
*/ |
*/ |
sec_login_purge_context(&login_context, &status); |
sec_login_purge_context(&login_context, &status); |
return AUTH_SUCCESS; | debug_return_int(AUTH_SUCCESS); |
} else { |
} else { |
if(check_dce_status(status, "sec_login_validate_identity(2):")) |
if(check_dce_status(status, "sec_login_validate_identity(2):")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
sec_login_purge_context(&login_context, &status); |
sec_login_purge_context(&login_context, &status); |
if(check_dce_status(status, "sec_login_purge_context:")) |
if(check_dce_status(status, "sec_login_purge_context:")) |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
} |
} |
} |
} |
(void) check_dce_status(status, "sec_login_setup_identity(2):"); |
(void) check_dce_status(status, "sec_login_setup_identity(2):"); |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
} |
} |
|
|
/* Returns 0 for DCE "ok" status, 1 otherwise */ |
/* Returns 0 for DCE "ok" status, 1 otherwise */ |
Line 188 check_dce_status(error_status_t input_status, char *co
|
Line 188 check_dce_status(error_status_t input_status, char *co
|
{ |
{ |
int error_stat; |
int error_stat; |
unsigned char error_string[dce_c_error_string_len]; |
unsigned char error_string[dce_c_error_string_len]; |
|
debug_decl(check_dce_status, SUDO_DEBUG_AUTH) |
|
|
if (input_status == rpc_s_ok) |
if (input_status == rpc_s_ok) |
return 0; | debug_return_bool(0); |
dce_error_inq_text(input_status, error_string, &error_stat); |
dce_error_inq_text(input_status, error_string, &error_stat); |
(void) fprintf(stderr, "%s %s\n", comment, error_string); |
(void) fprintf(stderr, "%s %s\n", comment, error_string); |
return 1; | debug_return_bool(1); |
} |
} |
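Review bot: The new `debug_return_bool(0)` / `debug_return_bool(1)` in check_dce_status do not match the function's declared type — the prototype at the top of the file is `static int check_dce_status(error_status_t, char *)` and its comment says it returns 0 or 1, and the caller tests the result as an int; every other converted return in this file uses `debug_return_int`, so these two should be `debug_return_int(0);` and `debug_return_int(1);` so the debug log reports the same kind of value the function actually returns. Separately, and pre-existing rather than introduced here, several of the `debug_return_int(AUTH_FAILURE)` paths inside the validated-identity branch of sudo_dce_verify (after sec_login_certify_identity, sec_login_set_context, the auth_src and reset_passwd checks, and sec_login_get_pwent) return without calling `sec_login_purge_context(&login_context, &status)`, while the success path and the validate-failure path do purge it; if the DCE runtime holds resources for that context, those failure returns leak it, so a `goto` to a common purge label would be worth considering in a follow-up. Since the debug macros only log the function name and return value, the plaintext password passed in `plain_pw` does not appear to reach the debug log, but that is worth confirming against the debug_decl implementation.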