
annotate src/osdep/unix/ckp_gss.c @ 0:ada5e610ab86

imap-2007e
author yuuji@gentei.org
date Mon, 14 Sep 2009 15:17:45 +0900
/* ========================================================================
 * Copyright 1988-2007 University of Washington
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *
 * ========================================================================
 */
yuuji@0 13
/*
 * Program:	Kerberos 5 check password
 *
 * Author:	Mark Crispin
 *		Networks and Distributed Computing
 *		Computing & Communications
 *		University of Washington
 *		Administration Building, AG-44
 *		Seattle, WA  98195
 *		Internet: MRC@CAC.Washington.EDU
 *
 * Date:	1 August 1988
 * Last Edited:	11 October 2007
 */
yuuji@0 28
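/* Check password
 * Accepts: login passwd struct
 *	    password string
 *	    argument count (not used by this checker)
 *	    argument vector (not used by this checker)
 * Returns: passwd struct if password validated, NIL otherwise
 *
 * The password is validated in two steps: an initial ticket for the user's
 * principal is requested from the KDC with the supplied password
 * (krb5_get_in_tkt_with_password), and that ticket is then verified against
 * this host's own service key (krb5_verify_init_creds).  The second step is
 * what stops someone who can impersonate the KDC on the network from logging
 * in with an arbitrary password, and it only protects when the service key is
 * present in the default keytab: with the MIT default
 * verify_ap_req_nofail = false, krb5_verify_init_creds() returns success
 * without verifying when no keytab entry exists.  Deployments should provision
 * the keytab (and may set verify_ap_req_nofail = true in krb5.conf) for the
 * check to be meaningful.
 *
 * krb5_get_in_tkt_with_password() is a deprecated MIT interface; it is kept
 * here because it is what this file was written against.
 *
 * Every krb5 object acquired here (context, credentials, service principal,
 * memory credential cache) is released on all exit paths.
 */

struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
  char svrnam[MAILTMPLEN],cltnam[MAILTMPLEN];
  krb5_context ctx;
  krb5_timestamp now;
  krb5_principal service = NIL;	/* set once krb5_parse_name () succeeds */
  krb5_ccache ccache = NIL;	/* set once the MEMORY cache is initialized */
  krb5_creds *crd;
  struct passwd *ret = NIL;
				/* only if password non-empty */
  if (!pass || !*pass) return NIL;
				/* make service name; precisions keep both
				 * names well inside MAILTMPLEN */
  snprintf (svrnam,sizeof svrnam,"%.80s@%.512s",
	    (char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
	    tcp_serverhost ());
				/* make client name with principal */
  snprintf (cltnam,sizeof cltnam,"%.80s/%.80s",pw->pw_name,
	    (char *) mail_parameters (NIL,GET_SERVICENAME,NIL));
				/* get a context; nothing to release if this
				 * fails, so allocate creds only afterwards */
  if (krb5_init_context (&ctx)) return NIL;
				/* zeroed so krb5_free_creds () is safe even if
				 * no principal below gets filled in */
  crd = (krb5_creds *) memset (fs_get (sizeof (krb5_creds)),0,
			       sizeof (krb5_creds));
				/* get time, client and server principals */
  if (!krb5_timeofday (ctx,&now) &&
      /* Normally, kerb_cp_svr_name (defined/set in env_unix.c) is NIL, so
       * only the user name is used as a client principal.  A few sites want
       * to have separate client principals for different services, but many
       * other sites vehemently object...
       */
      !krb5_parse_name (ctx,kerb_cp_svr_name ? cltnam : pw->pw_name,
			&crd->client) &&
      !krb5_parse_name (ctx,svrnam,&service) &&
				/* ticket to request: the TGS of the client's
				 * realm (krbtgt/REALM@REALM) */
      !krb5_build_principal_ext (ctx,&crd->server,
				 krb5_princ_realm (ctx,crd->client)->length,
				 krb5_princ_realm (ctx,crd->client)->data,
				 KRB5_TGS_NAME_SIZE,KRB5_TGS_NAME,
				 krb5_princ_realm (ctx,crd->client)->length,
				 krb5_princ_realm (ctx,crd->client)->data,
				 0)) {
				/* expire in 3 minutes */
    crd->times.endtime = now + (3 * 60);
				/* scratch credential cache, memory only; if it
				 * can't be set up, krb5 uses a temporary one */
    if (krb5_cc_resolve (ctx,"MEMORY:pwk",&ccache)) ccache = NIL;
    else if (krb5_cc_initialize (ctx,ccache,crd->client)) {
      krb5_cc_close (ctx,ccache);	/* resolved but unusable: give it back */
      ccache = NIL;
    }
				/* get a ticket with the password, then prove
				 * the issuing KDC knows our service key */
    if (!krb5_get_in_tkt_with_password (ctx,NIL,NIL,NIL,NIL,pass,ccache,
					crd,0) &&
	!krb5_verify_init_creds (ctx,crd,service,0,ccache ? &ccache : 0,0))
      ret = pw;
				/* drop the cached ticket from process memory */
    if (ccache) krb5_cc_destroy (ctx,ccache);
  }
				/* flush creds: frees crd itself plus whatever
				 * client/server principal was parsed into it */
  krb5_free_creds (ctx,crd);
  if (service) krb5_free_principal (ctx,service);
  krb5_free_context (ctx);	/* don't need context any more */
  return ret;
}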
