Exemplo n.º 1
0
JNIEXPORT jboolean JNICALL Java_com_cenqua_shaj_Win32Authenticator_checkGroupMembershipImpl
  (JNIEnv * jvm, jclass jThisClass, jstring aDomain, jstring aUsername, jstring aGroup, jobject jLog)
{
    const jchar* wc_domain;
    const jchar* wc_username;
    const jchar* wc_group;
    loginfo_t loginfo;
    jboolean result;

    HANDLE token = NULL;
    BOOL status = 1;

    loginfo = shaj_init_logger(jvm, jLog);

    wc_domain = (aDomain == NULL) ? NULL : (*jvm)->GetStringChars(jvm, aDomain, NULL);
    wc_username = (*jvm)->GetStringChars(jvm, aUsername, NULL);
    wc_group = (*jvm)->GetStringChars(jvm, aGroup, NULL);

    status = shaj_memberOfGroup(wc_domain, wc_username, wc_group, TRUE, TRUE, TRUE, &loginfo);
    result =  status ? JNI_TRUE : JNI_FALSE;

    shaj_log_debug(&loginfo, "checking group for domain=%ws user=%ws group=%ws => %d",
                      (wc_domain==NULL)? L"(NULL)" : wc_domain, wc_username, wc_group, (int) result);
    
    if (aDomain != NULL) {
        (*jvm)->ReleaseStringChars(jvm, aDomain, wc_domain);
    }
    
    (*jvm)->ReleaseStringChars(jvm, aUsername, wc_username);
    (*jvm)->ReleaseStringChars(jvm, aGroup, wc_group);
    
    return result;
}
Exemplo n.º 2
0
JNIEXPORT jboolean JNICALL Java_com_cenqua_shaj_Win32Authenticator_checkPasswordImpl
  (JNIEnv * jvm, jclass jThisClass, jstring aDomain, jstring aUsername, jstring aPassword, jobject jLog)
{
    const char* c_domain;
    const char* c_username;
    const char* c_password;
    loginfo_t loginfo;
    jboolean result;

    HANDLE token = NULL;
    BOOL status = 1;

    loginfo = shaj_init_logger(jvm, jLog);

    c_domain = (aDomain == NULL) ? NULL : (*jvm)->GetStringUTFChars(jvm, aDomain, NULL);
    c_username = (*jvm)->GetStringUTFChars(jvm, aUsername, NULL);
    c_password = (*jvm)->GetStringUTFChars(jvm, aPassword, NULL);

    status = SSPLogonUser((char*)c_domain, (char*)c_username, (char*)c_password, &loginfo);
    result =  status ? JNI_TRUE : JNI_FALSE;

    shaj_log_debug(&loginfo, "checking password for domain=%s user=%s => %d",
                      (c_domain==NULL)? "(NULL)" : c_domain, c_username, (int) result);
    
    if (aDomain != NULL) {
        (*jvm)->ReleaseStringUTFChars(jvm, aDomain, c_domain);
    }
    
    (*jvm)->ReleaseStringUTFChars(jvm, aUsername, c_username);
    (*jvm)->ReleaseStringUTFChars(jvm, aPassword, c_password);
    
    return result;
}
Exemplo n.º 3
0
jboolean
shaj_chkpasswd_pam(const char* service, const char *user, const char *password, loginfo_t* logger){
  
  pam_handle_t *pamh = 0;
  int status = -1;
  struct pam_conv pc;
  struct ourpam_authdata c;
  
  c.user = user;
  c.password = password;
  c.logger = logger;
  
  pc.conv = &ourpam_conversation;
  pc.appdata_ptr = (void *) &c;
  
  
  status = mypam_start(service, c.user, &pc, &pamh);
  shaj_log_debug(logger, "pam_start (\"%s\", \"%s\", ...) ==> %d (%s)",
                    service, c.user,
                    status, PAM_STRERROR (pamh, status));
  
  if (status != PAM_SUCCESS) goto DONE;
  
  status = mypam_authenticate(pamh, 0);
  
  shaj_log_debug(logger, " pam_authenticate (...) ==> %d (%s)",
                    status, PAM_STRERROR(pamh, status));
  
  if (status == PAM_SUCCESS) {
    /* be nice to Kerberos and refresh credentials */
    int status2 = mypam_setcred(pamh, PAM_REINITIALIZE_CRED);
    shaj_log_debug(logger, " pam_setcred (...) ==> %d (%s)",
                      status2, PAM_STRERROR(pamh, status2));
    goto DONE;
  }

 DONE:
  if (pamh) {
    int status2 = mypam_end(pamh, status);
    pamh = 0;
    shaj_log_debug(logger, "pam_end (...) ==> %d (%s)",
                      status2,
                      (status2 == PAM_SUCCESS ? "Success" : "Failure"));
  }
  return (status == PAM_SUCCESS ? JNI_TRUE : JNI_FALSE);
}
Exemplo n.º 4
0
/* return 1 on success */
static jboolean mypam__init(loginfo_t* logger) {

    if (logger->isdebug) {
        shaj_log_debug(logger, "attempting to load libpam.so");
    }
    
    libpam = dlopen ("libpam.so", RTLD_NOW | RTLD_GLOBAL);
    if (libpam == NULL) {
        shaj_log_error(logger, "Could not dlopen libpam.so with RTLD_NOW|RTLD_GLOBAL: %s\n", dlerror());;
        return JNI_FALSE;
    }

    
    real_pam_start = (FUNC_pam_start*) mydlsym(libpam, "pam_start", logger);
    if (real_pam_start == NULL) {
        return JNI_FALSE;
    }

    real_pam_end = (FUNC_pam_end*) mydlsym(libpam, "pam_end", logger);
    if (real_pam_end == NULL) {
        return JNI_FALSE;
    }

    real_pam_authenticate =  (FUNC_pam_authenticate*) mydlsym(libpam, "pam_authenticate", logger);
    if (real_pam_authenticate == NULL) {
        return JNI_FALSE;
    }
    
    real_pam_strerror =  (FUNC_pam_strerror*) mydlsym(libpam, "pam_strerror", logger);
    if (real_pam_strerror == NULL) {
        return JNI_FALSE;
    }
    
    real_pam_setcred = (FUNC_pam_setcred*) mydlsym(libpam, "pam_setcred", logger);
    if (real_pam_setcred == NULL) {
        return JNI_FALSE;
    }

    return JNI_TRUE;
}
Exemplo n.º 5
0
static int
ourpam_conversation(int nmsgs,
#ifndef OS_IS_SOLARIS
                    const 
#endif
                    struct pam_message **msg,
                    struct pam_response **resp,
                    void *authdatap)
{
  /*
   * strings we pass to PAM in the reply objects are freed by
   * PAM as described here
   * http://www.opengroup.org/onlinepubs/8329799/chap5.htm
   */
  int replies = 0;
  struct pam_response *reply = 0;
  struct ourpam_authdata *authdata = (struct ourpam_authdata *) authdatap;
  loginfo_t* logger = authdata->logger;

  reply = (struct pam_response *) calloc(nmsgs, sizeof(*reply));
  if (!reply) return PAM_CONV_ERR;
	
  for (replies = 0; replies < nmsgs; replies++) {
    switch (msg[replies]->msg_style) {
    case PAM_PROMPT_ECHO_ON:
      reply[replies].resp_retcode = PAM_SUCCESS;
      reply[replies].resp = strdup(authdata->user);
      shaj_log_debug(logger, "  PAM ECHO_ON(\"%s\") ==> \"%s\"",
                        msg[replies]->msg,
                        reply[replies].resp);
      break;
    case PAM_PROMPT_ECHO_OFF:
      reply[replies].resp_retcode = PAM_SUCCESS;
      reply[replies].resp = strdup(authdata->password);
      shaj_log_debug(logger, "  PAM ECHO_OFF(\"%s\") ==> password",
                        /*msg[replies]->msg*/ "(masked)");
      break;
    case PAM_TEXT_INFO:
      /* ignore */
      reply[replies].resp_retcode = PAM_SUCCESS;
      reply[replies].resp = 0;
      shaj_log_debug(logger, "  PAM TEXT_INFO(\"%s\") ==> ignored",
                        msg[replies]->msg);
      break;
    case PAM_ERROR_MSG:
      /* ignore it */
      reply[replies].resp_retcode = PAM_SUCCESS;
      reply[replies].resp = 0;
      shaj_log_debug(logger, "  PAM ERROR_MSG(\"%s\") ==> ignored",
                        msg[replies]->msg);
      break;
    default:
      /* fail at this point */
      free (reply);
      shaj_log_error(logger, "  PAM unknown %d(\"%s\") ==> ignored",
                        msg[replies]->msg_style, msg[replies]->msg);
      return PAM_CONV_ERR;
    }
  }
  *resp = reply;
  return PAM_SUCCESS;
}
Exemplo n.º 6
0
BOOL GenServerContext(PAUTH_SEQ pAS, PVOID pIn, DWORD cbIn, PVOID pOut,
      PDWORD pcbOut, PBOOL pfDone, loginfo_t* logger) {

/*++

 Routine Description:

    Takes an input buffer coming from the client and returns a buffer
    to be sent to the client.  Also returns an indication of whether or
    not the context is complete.

 Return Value:

    Returns TRUE if successful; otherwise FALSE.

--*/

   SECURITY_STATUS ss;
   TimeStamp       tsExpiry;
   SecBufferDesc   sbdOut;
   SecBuffer       sbOut;
   SecBufferDesc   sbdIn;
   SecBuffer       sbIn;
   ULONG           fContextAttr;

   if (!pAS->fInitialized)  {

      ss = _AcquireCredentialsHandle(NULL, _T("NTLM"),
            SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &pAS->hcred,
            &tsExpiry);
      if (ss < 0) {
         shaj_log_error(logger, "AcquireCredentialsHandle failed with %08X\n", ss);
         return FALSE;
      }

      pAS->fHaveCredHandle = TRUE;
   }

   // Prepare output buffer
   sbdOut.ulVersion = 0;
   sbdOut.cBuffers = 1;
   sbdOut.pBuffers = &sbOut;

   sbOut.cbBuffer = *pcbOut;
   sbOut.BufferType = SECBUFFER_TOKEN;
   sbOut.pvBuffer = pOut;

   // Prepare input buffer
   sbdIn.ulVersion = 0;
   sbdIn.cBuffers = 1;
   sbdIn.pBuffers = &sbIn;

   sbIn.cbBuffer = cbIn;
   sbIn.BufferType = SECBUFFER_TOKEN;
   sbIn.pvBuffer = pIn;

   ss = _AcceptSecurityContext(&pAS->hcred,
         pAS->fInitialized ? &pAS->hctxt : NULL, &sbdIn, 0,
         SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr,
         &tsExpiry);
   if (ss < 0)  {
      shaj_log_debug(logger, "AcceptSecurityContext failed with %08X\n", ss);
      return FALSE;
   }

   pAS->fHaveCtxtHandle = TRUE;

   // If necessary, complete token
   if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {

      if (_CompleteAuthToken) {
         ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
         if (ss < 0)  {
            shaj_log_debug(logger, "CompleteAuthToken failed with %08X\n", ss);
            return FALSE;
         }
      }
      else {
         shaj_log_debug(logger, "CompleteAuthToken not supported.\n");
         return FALSE;
      }
   }

   *pcbOut = sbOut.cbBuffer;

   if (!pAS->fInitialized)
      pAS->fInitialized = TRUE;

   *pfDone = !(ss = SEC_I_CONTINUE_NEEDED
         || ss == SEC_I_COMPLETE_AND_CONTINUE);

   return TRUE;
}