Imported Upstream version 1.8.1p2

[debian/sudo] / plugins / sudoers / auth / dce.c

/*
 * Copyright (c) 1996, 1998-2005, 2010-2011
 *      Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */
/*
 *  The code below basically comes from the examples supplied on
 *  the OSF DCE 1.0.3 manpages for the sec_login routines, with
 *  enough additional polishing to make the routine work with the
 *  rest of sudo.
 *
 *  This code is known to work on HP 700 and 800 series systems
 *  running HP-UX 9.X and 10.X, with either HP's version 1.2.1 of DCE.
 *  (aka, OSF DCE 1.0.3) or with HP's version 1.4 of DCE (aka, OSF
 *  DCE 1.1).
 */

#include <config.h>

#include <sys/types.h>
#include <sys/param.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
#  include <stdlib.h>
# endif
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
# include <string.h>
#endif /* HAVE_STRING_H */
#ifdef HAVE_STRINGS_H
# include <strings.h>
#endif /* HAVE_STRING_H */
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <pwd.h>

#include <dce/rpc.h>
#include <dce/sec_login.h>
#include <dce/dce_error.h> /* required to call dce_error_inq_text routine */

#include "sudoers.h"
#include "sudo_auth.h"

static int check_dce_status(error_status_t, char *);

int
dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth)
{
    struct passwd               temp_pw;
    sec_passwd_rec_t            password_rec;
    sec_login_handle_t          login_context;
    boolean32                   reset_passwd;
    sec_login_auth_src_t        auth_src;
    error_status_t              status;

    /*
     * Create the local context of the DCE principal necessary
     * to perform authenticated network operations.  The network
     * identity set up by this operation cannot be used until it
     * is validated via sec_login_validate_identity().
     */
    if (sec_login_setup_identity((unsigned_char_p_t) pw->pw_name,
        sec_login_no_flags, &login_context, &status)) {

        if (check_dce_status(status, "sec_login_setup_identity(1):"))
            return AUTH_FAILURE;

        password_rec.key.key_type = sec_passwd_plain;
        password_rec.key.tagged_union.plain = (idl_char *) plain_pw;
        password_rec.pepper = NULL;
        password_rec.version_number = sec_passwd_c_version_none;

        /* Validate the login context with the password */
        if (sec_login_validate_identity(login_context, &password_rec,
            &reset_passwd, &auth_src, &status)) {

            if (check_dce_status(status, "sec_login_validate_identity(1):"))
                return AUTH_FAILURE;

            /*
             * Certify that the DCE Security Server used to set
             * up and validate a login context is legitimate.  Makes
             * sure that we didn't get spoofed by another DCE server.
             */
            if (!sec_login_certify_identity(login_context, &status)) {
                (void) fprintf(stderr, "Whoa! Bogus authentication server!\n");
                (void) check_dce_status(status,"sec_login_certify_identity(1):");
                return AUTH_FAILURE;
            }
            if (check_dce_status(status, "sec_login_certify_identity(2):"))
                return AUTH_FAILURE;

            /*
             * Sets the network credentials to those specified
             * by the now validated login context.
             */
            sec_login_set_context(login_context, &status);
            if (check_dce_status(status, "sec_login_set_context:"))
                return AUTH_FAILURE;

            /*
             * Oops, your credentials were no good. Possibly
             * caused by clock times out of adjustment between
             * DCE client and DCE security server...
             */
            if (auth_src != sec_login_auth_src_network) {
                    (void) fprintf(stderr,
                        "You have no network credentials.\n");
                    return AUTH_FAILURE;
            }
            /* Check if the password has aged and is thus no good */
            if (reset_passwd) {
                    (void) fprintf(stderr,
                        "Your DCE password needs resetting.\n");
                    return AUTH_FAILURE;
            }

            /*
             * We should be a valid user by this point.  Pull the
             * user's password structure from the DCE security
             * server just to make sure.  If we get it with no
             * problems, then we really are legitimate...
             */
            sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw,
                &status);
            if (check_dce_status(status, "sec_login_get_pwent:"))
                return AUTH_FAILURE;

            /*
             * If we get to here, then the pwent above properly fetched
             * the password structure from the DCE registry, so the user
             * must be valid.  We don't really care what the user's
             * registry password is, just that the user could be
             * validated.  In fact, if we tried to compare the local
             * password to the DCE entry at this point, the operation
             * would fail if the hidden password feature is turned on,
             * because the password field would contain an asterisk.
             * Also go ahead and destroy the user's DCE login context
             * before we leave here (and don't bother checking the
             * status), in order to clean up credentials files in
             * /opt/dcelocal/var/security/creds.  By doing this, we are
             * assuming that the user will not need DCE authentication
             * later in the program, only local authentication.  If this
             * is not true, then the login_context will have to be
             * returned to the calling program, and the context purged
             * somewhere later in the program.
             */
            sec_login_purge_context(&login_context, &status);
            return AUTH_SUCCESS;
        } else {
            if(check_dce_status(status, "sec_login_validate_identity(2):"))
                return AUTH_FAILURE;
            sec_login_purge_context(&login_context, &status);
            if(check_dce_status(status, "sec_login_purge_context:"))
                return AUTH_FAILURE;
        }
    }
    (void) check_dce_status(status, "sec_login_setup_identity(2):");
    return AUTH_FAILURE;
}

/* Returns 0 for DCE "ok" status, 1 otherwise */
static int
check_dce_status(error_status_t input_status, char *comment)
{
    int error_stat;
    unsigned char error_string[dce_c_error_string_len];

    if (input_status == rpc_s_ok)
        return 0;
    dce_error_inq_text(input_status, error_string, &error_stat);
    (void) fprintf(stderr, "%s %s\n", comment, error_string);
    return 1;
}