|
Packit |
fd8b60 |
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
Packit |
fd8b60 |
/* plugins/kdb/lmdb/lockout.c */
|
|
Packit |
fd8b60 |
/*
|
|
Packit |
fd8b60 |
* Copyright (C) 2009, 2018 by the Massachusetts Institute of Technology.
|
|
Packit |
fd8b60 |
* All rights reserved.
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* Export of this software from the United States of America may
|
|
Packit |
fd8b60 |
* require a specific license from the United States Government.
|
|
Packit |
fd8b60 |
* It is the responsibility of any person or organization contemplating
|
|
Packit |
fd8b60 |
* export to obtain such a license before exporting.
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
Packit |
fd8b60 |
* distribute this software and its documentation for any purpose and
|
|
Packit |
fd8b60 |
* without fee is hereby granted, provided that the above copyright
|
|
Packit |
fd8b60 |
* notice appear in all copies and that both that copyright notice and
|
|
Packit |
fd8b60 |
* this permission notice appear in supporting documentation, and that
|
|
Packit |
fd8b60 |
* the name of M.I.T. not be used in advertising or publicity pertaining
|
|
Packit |
fd8b60 |
* to distribution of the software without specific, written prior
|
|
Packit |
fd8b60 |
* permission. Furthermore if you modify this software you must label
|
|
Packit |
fd8b60 |
* your software as modified software and not distribute it in such a
|
|
Packit |
fd8b60 |
* fashion that it might be confused with the original M.I.T. software.
|
|
Packit |
fd8b60 |
* M.I.T. makes no representations about the suitability of
|
|
Packit |
fd8b60 |
* this software for any purpose. It is provided "as is" without express
|
|
Packit |
fd8b60 |
* or implied warranty.
|
|
Packit |
fd8b60 |
*/
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
#include "k5-int.h"
|
|
Packit |
fd8b60 |
#include "kdb.h"
|
|
Packit |
fd8b60 |
#include <kadm5/server_internal.h>
|
|
Packit |
fd8b60 |
#include "kdb5.h"
|
|
Packit |
fd8b60 |
#include "klmdb-int.h"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
static krb5_error_code
|
|
Packit |
fd8b60 |
lookup_lockout_policy(krb5_context context, krb5_db_entry *entry,
|
|
Packit |
fd8b60 |
krb5_kvno *pw_max_fail, krb5_deltat *pw_failcnt_interval,
|
|
Packit |
fd8b60 |
krb5_deltat *pw_lockout_duration)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
krb5_tl_data tl_data;
|
|
Packit |
fd8b60 |
krb5_error_code code;
|
|
Packit |
fd8b60 |
osa_princ_ent_rec adb;
|
|
Packit |
fd8b60 |
XDR xdrs;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
*pw_max_fail = 0;
|
|
Packit |
fd8b60 |
*pw_failcnt_interval = 0;
|
|
Packit |
fd8b60 |
*pw_lockout_duration = 0;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
tl_data.tl_data_type = KRB5_TL_KADM_DATA;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
code = krb5_dbe_lookup_tl_data(context, entry, &tl_data);
|
|
Packit |
fd8b60 |
if (code != 0 || tl_data.tl_data_length == 0)
|
|
Packit |
fd8b60 |
return code;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
memset(&adb, 0, sizeof(adb));
|
|
Packit |
fd8b60 |
xdrmem_create(&xdrs, (char *)tl_data.tl_data_contents,
|
|
Packit |
fd8b60 |
tl_data.tl_data_length, XDR_DECODE);
|
|
Packit |
fd8b60 |
if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) {
|
|
Packit |
fd8b60 |
xdr_destroy(&xdrs);
|
|
Packit |
fd8b60 |
return KADM5_XDR_FAILURE;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (adb.policy != NULL) {
|
|
Packit |
fd8b60 |
osa_policy_ent_t policy = NULL;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
code = klmdb_get_policy(context, adb.policy, &policy);
|
|
Packit |
fd8b60 |
if (code == 0) {
|
|
Packit |
fd8b60 |
*pw_max_fail = policy->pw_max_fail;
|
|
Packit |
fd8b60 |
*pw_failcnt_interval = policy->pw_failcnt_interval;
|
|
Packit |
fd8b60 |
*pw_lockout_duration = policy->pw_lockout_duration;
|
|
Packit |
fd8b60 |
krb5_db_free_policy(context, policy);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
xdr_destroy(&xdrs);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
|
|
Packit |
fd8b60 |
xdr_osa_princ_ent_rec(&xdrs, &adb);
|
|
Packit |
fd8b60 |
xdr_destroy(&xdrs);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
return 0;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* draft-behera-ldap-password-policy-10.txt 7.1 */
|
|
Packit |
fd8b60 |
static krb5_boolean
|
|
Packit |
fd8b60 |
locked_check_p(krb5_context context, krb5_timestamp stamp, krb5_kvno max_fail,
|
|
Packit |
fd8b60 |
krb5_timestamp lockout_duration, krb5_db_entry *entry)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
krb5_timestamp unlock_time;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* If the entry was unlocked since the last failure, it's not locked. */
|
|
Packit |
fd8b60 |
if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
|
|
Packit |
fd8b60 |
!ts_after(entry->last_failed, unlock_time))
|
|
Packit |
fd8b60 |
return FALSE;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (max_fail == 0 || entry->fail_auth_count < max_fail)
|
|
Packit |
fd8b60 |
return FALSE;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (lockout_duration == 0)
|
|
Packit |
fd8b60 |
return TRUE; /* principal permanently locked */
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
krb5_error_code
|
|
Packit |
fd8b60 |
klmdb_lockout_check_policy(krb5_context context, krb5_db_entry *entry,
|
|
Packit |
fd8b60 |
krb5_timestamp stamp)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
krb5_error_code code;
|
|
Packit |
fd8b60 |
krb5_kvno max_fail = 0;
|
|
Packit |
fd8b60 |
krb5_deltat failcnt_interval = 0;
|
|
Packit |
fd8b60 |
krb5_deltat lockout_duration = 0;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval,
|
|
Packit |
fd8b60 |
&lockout_duration);
|
|
Packit |
fd8b60 |
if (code != 0)
|
|
Packit |
fd8b60 |
return code;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
|
|
Packit |
fd8b60 |
return KRB5KDC_ERR_CLIENT_REVOKED;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
return 0;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
krb5_error_code
|
|
Packit |
fd8b60 |
klmdb_lockout_audit(krb5_context context, krb5_db_entry *entry,
|
|
Packit |
fd8b60 |
krb5_timestamp stamp, krb5_error_code status,
|
|
Packit |
fd8b60 |
krb5_boolean disable_last_success,
|
|
Packit |
fd8b60 |
krb5_boolean disable_lockout)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
krb5_error_code ret;
|
|
Packit |
fd8b60 |
krb5_kvno max_fail = 0;
|
|
Packit |
fd8b60 |
krb5_deltat failcnt_interval = 0, lockout_duration = 0;
|
|
Packit |
fd8b60 |
krb5_boolean zero_fail_count = FALSE;
|
|
Packit |
fd8b60 |
krb5_boolean set_last_success = FALSE, set_last_failure = FALSE;
|
|
Packit |
fd8b60 |
krb5_timestamp unlock_time;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (status != 0 && status != KRB5KDC_ERR_PREAUTH_FAILED &&
|
|
Packit |
fd8b60 |
status != KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
|
Packit |
fd8b60 |
return 0;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (!disable_lockout) {
|
|
Packit |
fd8b60 |
ret = lookup_lockout_policy(context, entry, &max_fail,
|
|
Packit |
fd8b60 |
&failcnt_interval, &lockout_duration);
|
|
Packit |
fd8b60 |
if (ret)
|
|
Packit |
fd8b60 |
return ret;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/*
|
|
Packit |
fd8b60 |
* Don't continue to modify the DB for an already locked account.
|
|
Packit |
fd8b60 |
* (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
|
|
Packit |
fd8b60 |
* this check is unneeded, but in rare cases, we can fail with an
|
|
Packit |
fd8b60 |
* integrity error or preauth failure before a policy check.)
|
|
Packit |
fd8b60 |
*/
|
|
Packit |
fd8b60 |
if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
|
|
Packit |
fd8b60 |
return 0;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* Only mark the authentication as successful if the entry
|
|
Packit |
fd8b60 |
* required preauthentication; otherwise we have no idea. */
|
|
Packit |
fd8b60 |
if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
|
|
Packit |
fd8b60 |
if (!disable_lockout && entry->fail_auth_count != 0)
|
|
Packit |
fd8b60 |
zero_fail_count = TRUE;
|
|
Packit |
fd8b60 |
if (!disable_last_success)
|
|
Packit |
fd8b60 |
set_last_success = TRUE;
|
|
Packit |
fd8b60 |
} else if (status != 0 && !disable_lockout) {
|
|
Packit |
fd8b60 |
/* Reset the failure counter after an administrative unlock. */
|
|
Packit |
fd8b60 |
if (krb5_dbe_lookup_last_admin_unlock(context, entry,
|
|
Packit |
fd8b60 |
&unlock_time) == 0 &&
|
|
Packit |
fd8b60 |
!ts_after(entry->last_failed, unlock_time))
|
|
Packit |
fd8b60 |
zero_fail_count = TRUE;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* Reset the failure counter after failcnt_interval. */
|
|
Packit |
fd8b60 |
if (failcnt_interval != 0 &&
|
|
Packit |
fd8b60 |
ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval)))
|
|
Packit |
fd8b60 |
zero_fail_count = TRUE;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set_last_failure = TRUE;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
return klmdb_update_lockout(context, entry, stamp, zero_fail_count,
|
|
Packit |
fd8b60 |
set_last_success, set_last_failure);
|
|
Packit |
fd8b60 |
}
|