1 /*
2  * Copyright (c) 1996, 1998, 1999, 2001, 2002
3  *	Todd C. Miller <Todd.Miller@courtesan.com>.
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
17  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19  *
20  * Sponsored in part by the Defense Advanced Research Projects
21  * Agency (DARPA) and Air Force Research Laboratory, Air Force
22  * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23  */
24 /*
25  *  The code below basically comes from the examples supplied on
26  *  the OSF DCE 1.0.3 manpages for the sec_login routines, with
27  *  enough additional polishing to make the routine work with the
28  *  rest of sudo.
29  *
30  *  This code is known to work on HP 700 and 800 series systems
31  *  running HP-UX 9.X and 10.X, with either HP's version 1.2.1 of DCE.
32  *  (aka, OSF DCE 1.0.3) or with HP's version 1.4 of DCE (aka, OSF
33  *  DCE 1.1).
34  */
35 
36 #include "config.h"
37 
38 #include <sys/types.h>
39 #include <sys/param.h>
40 #include <stdio.h>
41 #ifdef STDC_HEADERS
42 # include <stdlib.h>
43 # include <stddef.h>
44 #else
45 # ifdef HAVE_STDLIB_H
46 #  include <stdlib.h>
47 # endif
48 #endif /* STDC_HEADERS */
49 #ifdef HAVE_STRING_H
50 # include <string.h>
51 #else
52 # ifdef HAVE_STRINGS_H
53 #  include <strings.h>
54 # endif
55 #endif /* HAVE_STRING_H */
56 #ifdef HAVE_UNISTD_H
57 # include <unistd.h>
58 #endif /* HAVE_UNISTD_H */
59 #include <pwd.h>
60 
61 #include <dce/rpc.h>
62 #include <dce/sec_login.h>
63 #include <dce/dce_error.h> /* required to call dce_error_inq_text routine */
64 
65 #include "sudo.h"
66 #include "sudo_auth.h"
67 
68 #ifndef lint
69 static const char rcsid[] = "$Sudo: dce.c,v 1.11 2004/02/13 21:36:47 millert Exp $";
70 #endif /* lint */
71 
72 static int check_dce_status __P((error_status_t, char *));
73 
74 int
dce_verify(pw,plain_pw,auth)75 dce_verify(pw, plain_pw, auth)
76     struct passwd *pw;
77     char *plain_pw;
78     sudo_auth *auth;
79 {
80     struct passwd		temp_pw;
81     sec_passwd_rec_t		password_rec;
82     sec_login_handle_t		login_context;
83     boolean32			reset_passwd;
84     sec_login_auth_src_t	auth_src;
85     error_status_t		status;
86 
87     /*
88      * Create the local context of the DCE principal necessary
89      * to perform authenticated network operations.  The network
90      * identity set up by this operation cannot be used until it
91      * is validated via sec_login_validate_identity().
92      */
93     if (sec_login_setup_identity((unsigned_char_p_t) pw->pw_name,
94 	sec_login_no_flags, &login_context, &status)) {
95 
96 	if (check_dce_status(status, "sec_login_setup_identity(1):"))
97 	    return(AUTH_FAILURE);
98 
99 	password_rec.key.key_type = sec_passwd_plain;
100 	password_rec.key.tagged_union.plain = (idl_char *) plain_pw;
101 	password_rec.pepper = NULL;
102 	password_rec.version_number = sec_passwd_c_version_none;
103 
104 	/* Validate the login context with the password */
105 	if (sec_login_validate_identity(login_context, &password_rec,
106 	    &reset_passwd, &auth_src, &status)) {
107 
108 	    if (check_dce_status(status, "sec_login_validate_identity(1):"))
109 		return(AUTH_FAILURE);
110 
111 	    /*
112 	     * Certify that the DCE Security Server used to set
113 	     * up and validate a login context is legitimate.  Makes
114 	     * sure that we didn't get spoofed by another DCE server.
115 	     */
116 	    if (!sec_login_certify_identity(login_context, &status)) {
117 		(void) fprintf(stderr, "Whoa! Bogus authentication server!\n");
118 		(void) check_dce_status(status,"sec_login_certify_identity(1):");
119 		return(AUTH_FAILURE);
120 	    }
121 	    if (check_dce_status(status, "sec_login_certify_identity(2):"))
122 		return(AUTH_FAILURE);
123 
124 	    /*
125 	     * Sets the network credentials to those specified
126 	     * by the now validated login context.
127 	     */
128 	    sec_login_set_context(login_context, &status);
129 	    if (check_dce_status(status, "sec_login_set_context:"))
130 		return(AUTH_FAILURE);
131 
132 	    /*
133 	     * Oops, your credentials were no good. Possibly
134 	     * caused by clock times out of adjustment between
135 	     * DCE client and DCE security server...
136 	     */
137 	    if (auth_src != sec_login_auth_src_network) {
138 		    (void) fprintf(stderr,
139 			"You have no network credentials.\n");
140 		    return(AUTH_FAILURE);
141 	    }
142 	    /* Check if the password has aged and is thus no good */
143 	    if (reset_passwd) {
144 		    (void) fprintf(stderr,
145 			"Your DCE password needs resetting.\n");
146 		    return(AUTH_FAILURE);
147 	    }
148 
149 	    /*
150 	     * We should be a valid user by this point.  Pull the
151 	     * user's password structure from the DCE security
152 	     * server just to make sure.  If we get it with no
153 	     * problems, then we really are legitimate...
154 	     */
155 	    sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw,
156 		&status);
157 	    if (check_dce_status(status, "sec_login_get_pwent:"))
158 		return(AUTH_FAILURE);
159 
160 	    /*
161 	     * If we get to here, then the pwent above properly fetched
162 	     * the password structure from the DCE registry, so the user
163 	     * must be valid.  We don't really care what the user's
164 	     * registry password is, just that the user could be
165 	     * validated.  In fact, if we tried to compare the local
166 	     * password to the DCE entry at this point, the operation
167 	     * would fail if the hidden password feature is turned on,
168 	     * because the password field would contain an asterisk.
169 	     * Also go ahead and destroy the user's DCE login context
170 	     * before we leave here (and don't bother checking the
171 	     * status), in order to clean up credentials files in
172 	     * /opt/dcelocal/var/security/creds.  By doing this, we are
173 	     * assuming that the user will not need DCE authentication
174 	     * later in the program, only local authentication.  If this
175 	     * is not true, then the login_context will have to be
176 	     * returned to the calling program, and the context purged
177 	     * somewhere later in the program.
178 	     */
179 	    sec_login_purge_context(&login_context, &status);
180 	    return(AUTH_SUCCESS);
181 	} else {
182 	    if(check_dce_status(status, "sec_login_validate_identity(2):"))
183 		return(AUTH_FAILURE);
184 	    sec_login_purge_context(&login_context, &status);
185 	    if(check_dce_status(status, "sec_login_purge_context:"))
186 		return(AUTH_FAILURE);
187 	}
188     }
189     (void) check_dce_status(status, "sec_login_setup_identity(2):");
190     return(AUTH_FAILURE);
191 }
192 
193 /* Returns 0 for DCE "ok" status, 1 otherwise */
194 static int
check_dce_status(input_status,comment)195 check_dce_status(input_status, comment)
196     error_status_t input_status;
197     char *comment;
198 {
199     int error_stat;
200     unsigned char error_string[dce_c_error_string_len];
201 
202     if (input_status == rpc_s_ok)
203 	return(0);
204     dce_error_inq_text(input_status, error_string, &error_stat);
205     (void) fprintf(stderr, "%s %s\n", comment, error_string);
206     return(1);
207 }
208