1 : : /* realm.c --- Realm related functions.
2 : : * Copyright (C) 2002, 2003, 2004, 2007, 2008, 2010 Simon Josefsson
3 : : *
4 : : * This file is part of Shishi.
5 : : *
6 : : * Shishi is free software; you can redistribute it and/or modify it
7 : : * under the terms of the GNU General Public License as published by
8 : : * the Free Software Foundation; either version 3 of the License, or
9 : : * (at your option) any later version.
10 : : *
11 : : * Shishi is distributed in the hope that it will be useful, but
12 : : * WITHOUT ANY WARRANTY; without even the implied warranty of
13 : : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : : * GNU General Public License for more details.
15 : : *
16 : : * You should have received a copy of the GNU General Public License
17 : : * along with Shishi; if not, see http://www.gnu.org/licenses or write
18 : : * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 : : * Floor, Boston, MA 02110-1301, USA
20 : : *
21 : : */
22 : :
23 : : #include "internal.h"
24 : :
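/**
 * shishi_realm_default_guess:
 *
 * Guesses a realm based on getdomainname() (which really is NIS/YP
 * domain, but if it is set it might be a good guess), or if it fails,
 * based on gethostname(), or if it fails, the string
 * "could-not-guess-default-realm".  Note that the hostname is not
 * trimmed off of the data returned by gethostname() to get the domain
 * name and use that as the realm.
 *
 * Both sources are read from the local system configuration without
 * any further validation, so the result is only a convenience
 * default; deployments should set the realm explicitly with
 * shishi_realm_default_set() or the configuration file.
 *
 * Return value: Returns guessed realm for host as a string that has
 *   to be deallocated with free() by the caller.  The final fallback
 *   uses xstrdup(), so a NULL return is not expected.
 **/
char *
shishi_realm_default_guess (void)
{
  char *realm;

  /* An unset NIS/YP domain may be reported as the literal "(none)";
     treat it the same as an empty or missing name.  */
  realm = xgetdomainname ();
  if (realm && *realm != '\0' && strcmp (realm, "(none)") != 0)
    return realm;
  free (realm);

  realm = xgethostname ();
  if (realm && *realm != '\0' && strcmp (realm, "(none)") != 0)
    return realm;
  free (realm);

  /* xstrdup, consistent with the rest of this file: a plain strdup()
     may return NULL and would break the documented contract.  */
  return xstrdup ("could-not-guess-default-realm");
}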
59 : :
/**
 * shishi_realm_default:
 * @handle: Shishi library handle created by shishi_init().
 *
 * Get name of default realm.  If no default realm has been set yet,
 * one is guessed with shishi_realm_default_guess() and stored in the
 * handle on first use.
 *
 * Return value: Returns the default realm used in the library.  (Not
 *   a copy of it, so don't modify or deallocate it.)
 **/
const char *
shishi_realm_default (Shishi * handle)
{
  if (handle->default_realm == NULL)
    {
      /* Lazily initialise from the host's environment.  The setter
         keeps its own copy, so the guess can be released right away.  */
      char *guess = shishi_realm_default_guess ();
      shishi_realm_default_set (handle, guess);
      free (guess);
    }

  return handle->default_realm;
}
82 : :
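/**
 * shishi_realm_default_set:
 * @handle: Shishi library handle created by shishi_init().
 * @realm: string with new default realm name, or NULL to reset to default.
 *
 * Set the default realm used in the library.  The string is copied
 * into the library, so you can dispose of the variable immediately
 * after calling this function.  Passing the pointer previously
 * obtained from shishi_realm_default() is safe: the copy is made
 * before the old value is released.
 **/
void
shishi_realm_default_set (Shishi * handle, const char *realm)
{
  /* Copy first, then free: @realm may alias handle->default_realm
     (a caller re-setting the value returned by shishi_realm_default()),
     and freeing first would turn the xstrdup() into a use-after-free.  */
  char *copy = realm ? xstrdup (realm) : NULL;

  free (handle->default_realm);
  handle->default_realm = copy;
}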
101 : :
/**
 * shishi_realm_for_server_file:
 * @handle: Shishi library handle created by shishi_init().
 * @server: hostname to find realm for.
 *
 * Find realm for a host using configuration file.  Not implemented:
 * the lookup always fails, so callers such as shishi_realm_for_server()
 * fall through to their next method.
 *
 * Return value: Returns realm for host, or NULL if not found.
 **/
char *
shishi_realm_for_server_file (Shishi * handle, char *server)
{
  /* Stub: configuration-file lookup is not implemented yet.  */
  (void) handle;
  (void) server;
  return NULL;
}
116 : :
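/**
 * shishi_realm_for_server_dns:
 * @handle: Shishi library handle created by shishi_init().
 * @server: hostname to find realm for.
 *
 * Find realm for a host using DNS lookups, according to
 * draft-ietf-krb-wg-krb-dns-locate-03.txt.  Since DNS lookups may be
 * spoofed, relying on the realm information may result in a
 * redirection attack.  In a single-realm scenario, this only achieves
 * a denial of service, but with cross-realm trust it may redirect you
 * to a compromised realm.  For this reason, Shishi prints a warning,
 * suggesting that the user should add the proper 'server-realm'
 * configuration tokens instead.  Nothing in this function validates
 * the answer; it is used exactly as the resolver returned it.
 *
 * To illustrate the DNS information used, here is an extract from a
 * zone file for the domain ASDF.COM:
 *
 * _kerberos.asdf.com.             IN TXT "ASDF.COM"
 * _kerberos.mrkserver.asdf.com.   IN TXT "MARKETING.ASDF.COM"
 * _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM"
 *
 * Let us suppose that in this case, a client wishes to use a service
 * on the host foo.asdf.com.  It would first query:
 *
 * _kerberos.foo.asdf.com. IN TXT
 *
 * Finding no match, it would then query:
 *
 * _kerberos.asdf.com. IN TXT
 *
 * The search continues one label at a time until a record is found or
 * the name is exhausted, so a record on a parent domain (up to and
 * including the top-level domain) answers for every host beneath it.
 *
 * Return value: Returns realm for host, or NULL if not found (also
 *   when @server is NULL or empty, or the query name could not be
 *   allocated).
 **/
char *
shishi_realm_for_server_dns (Shishi * handle, char *server)
{
  Shishi_dns rrs = NULL;
  char *p = server;

  /* Guard the strchr() walk below against a missing name.  */
  if (server == NULL || *server == '\0')
    return NULL;

  /* Query _kerberos.<name>, then strip one leading label per round.  */
  do
    {
      char *query = NULL;

      /* On failure asprintf() leaves @query undefined, so it must be
         neither passed to the resolver nor freed.  */
      if (asprintf (&query, "_kerberos.%s", p) < 0)
        return NULL;

      rrs = shishi_resolv (query, SHISHI_DNS_TXT);
      free (query);

      p = strchr (p, '.');
      if (p)
        p++;
    }
  while (!rrs && p && *p);

  if (!rrs)
    return NULL;

  /* Only the first record of the answer is examined.  */
  if (rrs->class != SHISHI_DNS_IN || rrs->type != SHISHI_DNS_TXT)
    {
      shishi_warn (handle, "Got non-TXT response to TXT query from DNS?");
      return NULL;
    }

  shishi_warn (handle, "DNS maps '%s' to '%s'.", server, (char *) rrs->rr);
  shishi_warn (handle,
	       "Consider using a 'server-realm' configuration token.");

  /* NOTE(review): rrs itself is not released here and the returned
     string points into it -- confirm against shishi_resolv() who owns
     the record list before adding a free.  */
  return rrs->rr;
}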
182 : :
/**
 * shishi_realm_for_server:
 * @handle: Shishi library handle created by shishi_init().
 * @server: hostname to find realm for.
 *
 * Find realm for a host, using various methods.  Currently this
 * includes static configuration files (see
 * shishi_realm_for_server_file()) and DNS (see
 * shishi_realm_for_server_dns()).  Static configuration is consulted
 * first; DNS is only a fallback, since its answer is unauthenticated.
 *
 * Return value: Returns realm for host, or NULL if not found.
 **/
char *
shishi_realm_for_server (Shishi * handle, char *server)
{
  char *realm = shishi_realm_for_server_file (handle, server);

  /* Fall back to DNS only when no static mapping exists.  */
  if (realm == NULL)
    realm = shishi_realm_for_server_dns (handle, server);

  return realm;
}