1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kdc/policy.c - Policy decision routines for KDC */
4 * Copyright (C) 2017 by Red Hat, Inc.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * * Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * * Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30 * OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include "adm_proto.h"
38 #include <krb5/kdcpolicy_plugin.h>
41 typedef struct kdcpolicy_handle_st {
42 struct krb5_kdcpolicy_vtable_st vt;
43 krb5_kdcpolicy_moddata moddata;
46 static kdcpolicy_handle *handles;
49 free_indicators(char **ais)
55 for (i = 0; ais[i] != NULL; i++)
60 /* Convert inds to a null-terminated list of C strings. */
61 static krb5_error_code
62 authind_strings(krb5_data *const *inds, char ***strs_out)
70 for (count = 0; inds != NULL && inds[count] != NULL; count++);
71 list = k5calloc(count + 1, sizeof(*list), &ret);
75 for (i = 0; i < count; i++) {
76 list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret);
85 free_indicators(list);
89 /* Constrain times->endtime to life and times->renew_till to rlife, relative to
92 update_ticket_times(krb5_ticket_times *times, krb5_timestamp now,
93 krb5_deltat life, krb5_deltat rlife)
96 times->endtime = ts_min(ts_incr(now, life), times->endtime);
98 times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till);
101 /* Check an AS request against kdcpolicy modules, updating times with any
102 * module endtime constraints. Set an appropriate status string on error. */
104 check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
105 const krb5_db_entry *client, const krb5_db_entry *server,
106 krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
107 krb5_ticket_times *times, const char **status)
109 krb5_deltat life, rlife;
111 kdcpolicy_handle *hp, h;
116 ret = authind_strings(auth_indicators, &ais);
120 for (hp = handles; *hp != NULL; hp++) {
122 if (h->vt.check_as == NULL)
125 ret = h->vt.check_as(context, h->moddata, request, client, server,
126 (const char **)ais, status, &life, &rlife);
130 update_ticket_times(times, kdc_time, life, rlife);
134 free_indicators(ais);
139 * Check the TGS request against the local TGS policy. Accepts an
140 * authentication indicator for the module policy decisions. Returns 0 and a
141 * NULL status string on success.
144 check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
145 const krb5_db_entry *server, const krb5_ticket *ticket,
146 krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
147 krb5_ticket_times *times, const char **status)
149 krb5_deltat life, rlife;
151 kdcpolicy_handle *hp, h;
156 ret = authind_strings(auth_indicators, &ais);
160 for (hp = handles; *hp != NULL; hp++) {
162 if (h->vt.check_tgs == NULL)
165 ret = h->vt.check_tgs(context, h->moddata, request, server, ticket,
166 (const char **)ais, status, &life, &rlife);
170 update_ticket_times(times, kdc_time, life, rlife);
174 free_indicators(ais);
179 unload_kdcpolicy_plugins(krb5_context context)
181 kdcpolicy_handle *hp, h;
183 for (hp = handles; *hp != NULL; hp++) {
185 if (h->vt.fini != NULL)
186 h->vt.fini(context, h->moddata);
194 load_kdcpolicy_plugins(krb5_context context)
197 krb5_plugin_initvt_fn *modules = NULL, *mod;
201 ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules);
205 for (count = 0; modules[count] != NULL; count++);
206 handles = k5calloc(count + 1, sizeof(*handles), &ret);
211 for (mod = modules; *mod != NULL; mod++) {
212 h = k5calloc(1, sizeof(*h), &ret);
216 ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
217 if (ret) { /* Version mismatch. */
218 TRACE_KDCPOLICY_VTINIT_FAIL(context, ret);
222 if (h->vt.init != NULL) {
223 ret = h->vt.init(context, &h->moddata);
224 if (ret == KRB5_PLUGIN_NO_HANDLE) {
225 TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
230 kdc_err(context, ret, _("while loading policy module %s"),
236 handles[count++] = h;
243 unload_kdcpolicy_plugins(context);
244 k5_plugin_free_modules(context, modules);