static int
pamGssAcquireCred(pam_handle_t *pamh,
int confFlags,
gss_name_t userName,
gss_buffer_t passwordBuf,
gss_OID mech,
gss_cred_id_t *cred)
{
int status;
OM_uint32 major, minor;
gss_OID_set_desc mechOids;
#ifdef __APPLE__
CFDictionaryRef attributes = NULL;
status = pam_get_data(pamh, CREDUI_ATTR_DATA, (const void **)&attributes);
if (status == PAM_SUCCESS)
return pamGssAcquireAaplInitialCred(pamh, userName, mech, attributes, cred);
#endif /* __APPLE__ */
mechOids.count = 1;
mechOids.elements = mech;
major = gss_acquire_cred_with_password(&minor, userName, passwordBuf,
GSS_C_INDEFINITE, &mechOids,
GSS_C_INITIATE, cred, NULL, NULL);
BAIL_ON_GSS_ERROR(major, minor);
status = PAM_SUCCESS;
cleanup:
return status;
}
/*
* Function: client_establish_context
*
* Purpose: establishes a GSS-API context with a specified service and
* returns the context handle
*
* Arguments:
*
* s (r) an established TCP connection to the service
* service_name(r) the ASCII service name of the service
* gss_flags (r) GSS-API delegation flag (if any)
* auth_flag (r) whether to actually do authentication
* v1_format (r) whether the v1 sample protocol should be used
* oid (r) OID of the mechanism to use
* context (w) the established GSS-API context
* ret_flags (w) the returned flags from init_sec_context
*
* Returns: 0 on success, -1 on failure
*
* Effects:
*
* service_name is imported as a GSS-API name and a GSS-API context is
* established with the corresponding service; the service should be
* listening on the TCP connection s. The default GSS-API mechanism
* is used, and mutual authentication and replay detection are
* requested.
*
* If successful, the context handle is returned in context. If
* unsuccessful, the GSS-API error messages are displayed on stderr
* and -1 is returned.
*/
static int
client_establish_context(int s, char *service_name, OM_uint32 gss_flags,
int auth_flag, int v1_format, gss_OID oid,
char *username, char *password,
gss_ctx_id_t *gss_context, OM_uint32 *ret_flags)
{
if (auth_flag) {
gss_buffer_desc send_tok, recv_tok, *token_ptr;
gss_name_t target_name;
OM_uint32 maj_stat, min_stat, init_sec_min_stat;
int token_flags;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_name_t gss_username = GSS_C_NO_NAME;
gss_OID_set_desc mechs, *mechsp = GSS_C_NO_OID_SET;
#ifndef MECH_EAP
struct gss_channel_bindings_struct cb = {GSS_C_AF_NULLADDR, {0, NULL},
GSS_C_AF_NULLADDR, {0, NULL},
{strlen("HLJHLJHLJHLJHJKLHLJHLJH"), "HLJHLJHLJHLJHJKLHLJHLJH"}};
#endif
if (spnego) {
mechs.elements = &gss_spnego_mechanism_oid_desc;
mechs.count = 1;
mechsp = &mechs;
} else if (oid != GSS_C_NO_OID) {
mechs.elements = oid;
mechs.count = 1;
mechsp = &mechs;
} else {
mechs.elements = NULL;
mechs.count = 0;
}
if (username != NULL) {
send_tok.value = username;
send_tok.length = strlen(username);
maj_stat = gss_import_name(&min_stat, &send_tok,
(gss_OID) gss_nt_user_name,
&gss_username);
if (maj_stat != GSS_S_COMPLETE) {
display_status("parsing client name", maj_stat, min_stat);
return -1;
}
}
if (password != NULL) {
gss_buffer_desc pwbuf;
pwbuf.value = password;
pwbuf.length = strlen(password);
maj_stat = gss_acquire_cred_with_password(&min_stat,
gss_username,
&pwbuf, 0,
mechsp, GSS_C_INITIATE,
&cred, NULL, NULL);
} else if (gss_username != GSS_C_NO_NAME) {
maj_stat = gss_acquire_cred(&min_stat,
gss_username, 0,
mechsp, GSS_C_INITIATE,
&cred, NULL, NULL);
} else
maj_stat = GSS_S_COMPLETE;
if (maj_stat != GSS_S_COMPLETE) {
display_status("acquiring creds", maj_stat, min_stat);
gss_release_name(&min_stat, &gss_username);
return -1;
}
if (spnego && oid != GSS_C_NO_OID) {
gss_OID_set_desc neg_mechs;
neg_mechs.elements = oid;
neg_mechs.count = 1;
maj_stat = gss_set_neg_mechs(&min_stat, cred, &neg_mechs);
if (maj_stat != GSS_S_COMPLETE) {
display_status("setting neg mechs", maj_stat, min_stat);
gss_release_name(&min_stat, &gss_username);
gss_release_cred(&min_stat, &cred);
return -1;
}
}
gss_release_name(&min_stat, &gss_username);
/*
* Import the name into target_name. Use send_tok to save
* local variable space.
*/
send_tok.value = service_name;
send_tok.length = strlen(service_name);
maj_stat = gss_import_name(&min_stat, &send_tok,
(gss_OID) gss_nt_service_name,
&target_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("parsing name", maj_stat, min_stat);
return -1;
}
if (!v1_format) {
if (send_token(s, TOKEN_NOOP | TOKEN_CONTEXT_NEXT, empty_token) <
0) {
(void) gss_release_name(&min_stat, &target_name);
return -1;
}
}
/*
* Perform the context-establishement loop.
*
* On each pass through the loop, token_ptr points to the token
* to send to the server (or GSS_C_NO_BUFFER on the first pass).
* Every generated token is stored in send_tok which is then
* transmitted to the server; every received token is stored in
* recv_tok, which token_ptr is then set to, to be processed by
* the next call to gss_init_sec_context.
*
* GSS-API guarantees that send_tok's length will be non-zero
* if and only if the server is expecting another token from us,
* and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if
* and only if the server has another token to send us.
*/
token_ptr = GSS_C_NO_BUFFER;
*gss_context = GSS_C_NO_CONTEXT;
do {
maj_stat = gss_init_sec_context(&init_sec_min_stat,
cred, gss_context,
target_name, mechs.elements,
gss_flags, 0,
#ifdef MECH_EAP
NULL, /* channel bindings */
#else
&cb,
#endif
token_ptr, NULL, /* mech type */
&send_tok, ret_flags,
NULL); /* time_rec */
if (token_ptr != GSS_C_NO_BUFFER)
free(recv_tok.value);
if (send_tok.length != 0) {
if (verbose)
printf("Sending init_sec_context token (size=%d)...",
(int) send_tok.length);
if (send_token(s, v1_format ? 0 : TOKEN_CONTEXT, &send_tok) <
0) {
(void) gss_release_buffer(&min_stat, &send_tok);
(void) gss_release_name(&min_stat, &target_name);
return -1;
}
}
(void) gss_release_buffer(&min_stat, &send_tok);
if (maj_stat != GSS_S_COMPLETE
&& maj_stat != GSS_S_CONTINUE_NEEDED) {
display_status("initializing context", maj_stat,
init_sec_min_stat);
(void) gss_release_name(&min_stat, &target_name);
if (*gss_context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat, gss_context,
GSS_C_NO_BUFFER);
return -1;
}
if (maj_stat == GSS_S_CONTINUE_NEEDED) {
if (verbose)
printf("continue needed...");
if (recv_token(s, &token_flags, &recv_tok) < 0) {
(void) gss_release_name(&min_stat, &target_name);
return -1;
}
token_ptr = &recv_tok;
}
if (verbose)
printf("\n");
} while (maj_stat == GSS_S_CONTINUE_NEEDED);
(void) gss_release_cred(&min_stat, &cred);
(void) gss_release_name(&min_stat, &target_name);
} else {
if (send_token(s, TOKEN_NOOP, empty_token) < 0)
return -1;
}
return 0;
}
uint32_t NetSecurityNative_Wrap(uint32_t* minorStatus,
GssCtxId* contextHandle,
int32_t isEncrypt,
uint8_t* inputBytes,
int32_t offset,
int32_t count,
PAL_GssBuffer* outBuffer)
{
assert(minorStatus != NULL);
assert(contextHandle != NULL);
assert(isEncrypt == 1 || isEncrypt == 0);
assert(inputBytes != NULL);
assert(offset >= 0);
assert(count >= 0);
assert(outBuffer != NULL);
// count refers to the length of the input message. That is, number of bytes of inputBytes
// starting at offset that need to be wrapped.
int confState;
GssBuffer inputMessageBuffer = {.length = (size_t)count, .value = inputBytes + offset};
GssBuffer gssBuffer;
uint32_t majorStatus =
gss_wrap(minorStatus, contextHandle, isEncrypt, GSS_C_QOP_DEFAULT, &inputMessageBuffer, &confState, &gssBuffer);
NetSecurityNative_MoveBuffer(&gssBuffer, outBuffer);
return majorStatus;
}
uint32_t NetSecurityNative_Unwrap(uint32_t* minorStatus,
GssCtxId* contextHandle,
uint8_t* inputBytes,
int32_t offset,
int32_t count,
PAL_GssBuffer* outBuffer)
{
assert(minorStatus != NULL);
assert(contextHandle != NULL);
assert(inputBytes != NULL);
assert(offset >= 0);
assert(count >= 0);
assert(outBuffer != NULL);
// count refers to the length of the input message. That is, the number of bytes of inputBytes
// starting at offset that need to be wrapped.
GssBuffer inputMessageBuffer = {.length = (size_t)count, .value = inputBytes + offset};
GssBuffer gssBuffer = {.length = 0, .value = NULL};
uint32_t majorStatus = gss_unwrap(minorStatus, contextHandle, &inputMessageBuffer, &gssBuffer, NULL, NULL);
NetSecurityNative_MoveBuffer(&gssBuffer, outBuffer);
return majorStatus;
}
static uint32_t NetSecurityNative_AcquireCredWithPassword(uint32_t* minorStatus,
int32_t isNtlm,
GssName* desiredName,
char* password,
uint32_t passwdLen,
gss_cred_usage_t credUsage,
GssCredId** outputCredHandle)
{
assert(minorStatus != NULL);
assert(isNtlm == 1 || isNtlm == 0);
assert(desiredName != NULL);
assert(password != NULL);
assert(outputCredHandle != NULL);
assert(*outputCredHandle == NULL);
#if HAVE_GSS_SPNEGO_MECHANISM
(void)isNtlm; // unused
// Specifying GSS_SPNEGO_MECHANISM as a desiredMech on OSX fails.
gss_OID_set desiredMech = GSS_C_NO_OID_SET;
#else
gss_OID_desc gss_mech_OID_desc;
if (isNtlm)
{
gss_mech_OID_desc = gss_mech_ntlm_OID_desc;
}
else
{
gss_mech_OID_desc = gss_mech_spnego_OID_desc;
}
gss_OID_set_desc gss_mech_OID_set_desc = {.count = 1, .elements = &gss_mech_OID_desc};
gss_OID_set desiredMech = &gss_mech_OID_set_desc;
#endif
GssBuffer passwordBuffer = {.length = passwdLen, .value = password};
uint32_t majorStatus = gss_acquire_cred_with_password(
minorStatus, desiredName, &passwordBuffer, 0, desiredMech, credUsage, outputCredHandle, NULL, NULL);
// call gss_set_cred_option with GSS_KRB5_CRED_NO_CI_FLAGS_X to support Kerberos Sign Only option from *nix client against a windows server
#if HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
if (majorStatus == GSS_S_COMPLETE)
{
GssBuffer emptyBuffer = GSS_C_EMPTY_BUFFER;
majorStatus = gss_set_cred_option(minorStatus, outputCredHandle, GSS_KRB5_CRED_NO_CI_FLAGS_X, &emptyBuffer);
}
#endif
return majorStatus;
}
uint32_t NetSecurityNative_InitiateCredWithPassword(uint32_t* minorStatus,
int32_t isNtlm,
GssName* desiredName,
char* password,
uint32_t passwdLen,
GssCredId** outputCredHandle)
{
return NetSecurityNative_AcquireCredWithPassword(
minorStatus, isNtlm, desiredName, password, passwdLen, GSS_C_INITIATE, outputCredHandle);
}
uint32_t NetSecurityNative_IsNtlmInstalled()
{
#if HAVE_GSS_SPNEGO_MECHANISM
gss_OID ntlmOid = GSS_NTLM_MECHANISM;
#else
gss_OID ntlmOid = &gss_mech_ntlm_OID_desc;
#endif
uint32_t majorStatus;
uint32_t minorStatus;
gss_OID_set mechSet;
gss_OID_desc oid;
uint32_t foundNtlm = 0;
majorStatus = gss_indicate_mechs(&minorStatus, &mechSet);
if (majorStatus == GSS_S_COMPLETE)
{
for (size_t i = 0; i < mechSet->count; i++)
{
oid = mechSet->elements[i];
if ((oid.length == ntlmOid->length) && (memcmp(oid.elements, ntlmOid->elements, oid.length) == 0))
{
foundNtlm = 1;
break;
}
}
gss_release_oid_set(&minorStatus, &mechSet);
}
return foundNtlm;
}
int
main(int argc, char **argv)
{
int optind = 0;
OM_uint32 min_stat, maj_stat;
gss_ctx_id_t cctx, sctx;
void *ctx;
gss_OID nameoid, mechoid, actual_mech, actual_mech2;
gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
gss_name_t cname = GSS_C_NO_NAME;
gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER;
setprogname(argv[0]);
init_o2n();
if (krb5_init_context(&context))
errx(1, "krb5_init_context");
cctx = sctx = GSS_C_NO_CONTEXT;
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
if (argc != 1)
usage(1);
if (dns_canon_flag != -1)
gsskrb5_set_dns_canonicalize(dns_canon_flag);
if (type_string == NULL)
nameoid = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcmp(type_string, "hostbased-service") == 0)
nameoid = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcmp(type_string, "krb5-principal-name") == 0)
nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
else
errx(1, "%s not suppported", type_string);
if (mech_string == NULL)
mechoid = GSS_KRB5_MECHANISM;
else
mechoid = string_to_oid(mech_string);
if (gsskrb5_acceptor_identity) {
maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
if (maj_stat)
errx(1, "gsskrb5_acceptor_identity: %s",
gssapi_err(maj_stat, 0, GSS_C_NO_OID));
}
if (client_password) {
credential_data.value = client_password;
credential_data.length = strlen(client_password);
}
if (client_name) {
gss_buffer_desc cn;
cn.value = client_name;
cn.length = strlen(client_name);
maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
if (maj_stat)
errx(1, "gss_import_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (client_password) {
maj_stat = gss_acquire_cred_with_password(&min_stat,
cname,
&credential_data,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred_with_password: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
} else {
maj_stat = gss_acquire_cred(&min_stat,
cname,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (limit_enctype_string) {
krb5_error_code ret;
ret = krb5_string_to_enctype(context,
limit_enctype_string,
&limit_enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
}
if (limit_enctype) {
if (client_cred == NULL)
errx(1, "client_cred missing");
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
1, &limit_enctype);
if (maj_stat)
errx(1, "gss_krb5_set_allowable_enctypes: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
loop(mechoid, nameoid, argv[0], client_cred,
&sctx, &cctx, &actual_mech, &deleg_cred);
if (verbose_flag)
printf("resulting mech: %s\n", oid_to_string(actual_mech));
if (ret_mech_string) {
gss_OID retoid;
retoid = string_to_oid(ret_mech_string);
if (gss_oid_equal(retoid, actual_mech) == 0)
errx(1, "actual_mech mech is not the expected type %s",
ret_mech_string);
}
/* XXX should be actual_mech */
if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
time_t time;
gss_buffer_desc authz_data;
gss_buffer_desc in, out1, out2;
krb5_keyblock *keyblock, *keyblock2;
krb5_timestamp now;
krb5_error_code ret;
ret = krb5_timeofday(context, &now);
if (ret)
errx(1, "krb5_timeofday failed");
/* client */
maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
&cctx,
1, /* version */
&ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
/* server */
maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
&sctx,
1, /* version */
&ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
sctx,
&time);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (time > now)
errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
"time authtime is before now: %ld %ld",
(long)time, (long)now);
maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gsskrb5_export_service_keyblock failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
krb5_free_keyblock(context, keyblock);
maj_stat = gsskrb5_get_subkey(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_subkey server failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat != GSS_S_COMPLETE)
keyblock = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
maj_stat = gsskrb5_get_subkey(&min_stat,
cctx,
&keyblock2);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_subkey client failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat != GSS_S_COMPLETE)
keyblock2 = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
if (keyblock || keyblock2) {
if (keyblock == NULL)
errx(1, "server missing token keyblock");
if (keyblock2 == NULL)
errx(1, "client missing token keyblock");
if (keyblock->keytype != keyblock2->keytype)
errx(1, "enctype mismatch");
if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
errx(1, "key length mismatch");
if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
keyblock2->keyvalue.length) != 0)
errx(1, "key data mismatch");
}
if (session_enctype_string) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context,
session_enctype_string,
&enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
if (enctype != keyblock->keytype)
errx(1, "keytype is not the expected %d != %d",
(int)enctype, (int)keyblock2->keytype);
}
if (keyblock)
krb5_free_keyblock(context, keyblock);
if (keyblock2)
krb5_free_keyblock(context, keyblock2);
maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_initiator_subkey failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat == GSS_S_COMPLETE) {
if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
krb5_free_keyblock(context, keyblock);
}
maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
sctx,
128,
&authz_data);
if (maj_stat == GSS_S_COMPLETE)
gss_release_buffer(&min_stat, &authz_data);
memset(&out1, 0, sizeof(out1));
memset(&out2, 0, sizeof(out2));
in.value = "foo";
in.length = 3;
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
100, &out1);
gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
100, &out2);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
100, &out1);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_release_buffer(&min_stat, &out2);
in.value = "bar";
in.length = 3;
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
100, &out1);
gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
100, &out2);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_release_buffer(&min_stat, &out2);
wrapunwrap_flag = 1;
getverifymic_flag = 1;
}
if (wrapunwrap_flag) {
wrapunwrap(cctx, sctx, 0, actual_mech);
wrapunwrap(cctx, sctx, 1, actual_mech);
wrapunwrap(sctx, cctx, 0, actual_mech);
wrapunwrap(sctx, cctx, 1, actual_mech);
}
if (iov_flag) {
wrapunwrap_iov(cctx, sctx, 0, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
/* works */
wrapunwrap_iov(cctx, sctx, 0, actual_mech);
wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
}
if (getverifymic_flag) {
getverifymic(cctx, sctx, actual_mech);
getverifymic(cctx, sctx, actual_mech);
getverifymic(sctx, cctx, actual_mech);
getverifymic(sctx, cctx, actual_mech);
}
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
if (deleg_cred != GSS_C_NO_CREDENTIAL) {
gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
gss_buffer_desc cb;
if (verbose_flag)
printf("checking actual mech (%s) on delegated cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking spnego on delegated cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx,
&actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* check export/import */
if (ei_flag) {
maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &cb);
gss_release_cred(&min_stat, &deleg_cred);
if (verbose_flag)
printf("checking actual mech (%s) on export/imported cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking SPNEGO on export/imported cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
} else {
gss_release_cred(&min_stat, &deleg_cred);
}
}
empty_release();
krb5_free_context(context);
return 0;
}
static bool mag_auth_basic(request_rec *req,
struct mag_config *cfg,
gss_buffer_desc ba_user,
gss_buffer_desc ba_pwd,
gss_name_t *client,
gss_OID *mech_type,
gss_cred_id_t *delegated_cred,
uint32_t *vtime)
{
#ifdef HAVE_GSS_KRB5_CCACHE_NAME
const char *user_ccache = NULL;
const char *orig_ccache = NULL;
long long unsigned int rndname;
apr_status_t rs;
#endif
gss_name_t user = GSS_C_NO_NAME;
gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t user_ctx = GSS_C_NO_CONTEXT;
gss_name_t server = GSS_C_NO_NAME;
gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
gss_OID_set allowed_mechs;
gss_OID_set filtered_mechs;
gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
uint32_t init_flags = 0;
uint32_t maj, min;
int present = 0;
bool ret = false;
maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"In Basic Auth, %s",
mag_error(req, "gss_import_name() failed",
maj, min));
goto done;
}
if (cfg->basic_mechs) {
allowed_mechs = cfg->basic_mechs;
} else if (cfg->allowed_mechs) {
allowed_mechs = cfg->allowed_mechs;
} else {
struct mag_server_config *scfg;
/* Try to fetch the default set if not explicitly configured,
* We need to do this because gss_acquire_cred_with_password()
* is currently limited to acquire creds for a single "default"
* mechanism if no desired mechanisms are passed in. This causes
* authentication to fail for secondary mechanisms as no user
* credentials are generated for those. */
scfg = ap_get_module_config(req->server->module_config,
&auth_gssapi_module);
/* In the worst case scenario default_mechs equals to GSS_C_NO_OID_SET.
* This generally causes only the krb5 mechanism to be tried due
* to implementation constraints, but may change in future. */
allowed_mechs = scfg->default_mechs;
}
/* Remove Spnego if present, or we'd repeat failed authentiations
* multiple times, one within Spnego and then again with an explicit
* mechanism. We would normally just force Spnego and use
* gss_set_neg_mechs, but due to the way we source the server name
* and the fact MIT up to 1.14 at least does no handle union names,
* we can't provide spnego with a server name that can be used by
* multiple mechanisms, causing any but the first mechanism to fail.
* Also remove unwanted krb mechs, or AS requests will be repeated
* multiple times uselessly.
*/
filtered_mechs = mag_filter_unwanted_mechs(allowed_mechs);
if (filtered_mechs == allowed_mechs) {
/* in case filtered_mechs was not allocated here don't free it */
filtered_mechs = GSS_C_NO_OID_SET;
} else if (filtered_mechs == GSS_C_NO_OID_SET) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Fatal "
"failure while filtering mechs, aborting");
goto done;
} else {
/* use the filtered list */
allowed_mechs = filtered_mechs;
}
#ifdef HAVE_GSS_KRB5_CCACHE_NAME
/* If we are using the krb5 mechanism make sure to set a per thread
* memory ccache so that there can't be interferences between threads.
* Also make sure we have new cache so no cached results end up being
* used. Some implementations of gss_acquire_cred_with_password() do
* not reacquire creds if cached ones are around, failing to check
* again for the password. */
maj = gss_test_oid_set_member(&min, discard_const(gss_mech_krb5),
allowed_mechs, &present);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"In Basic Auth, %s",
mag_error(req, "gss_test_oid_set_member() failed",
maj, min));
goto done;
}
if (present) {
rs = apr_generate_random_bytes((unsigned char *)(&rndname),
sizeof(long long unsigned int));
if (rs != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"Failed to generate random ccache name");
goto done;
}
user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname);
maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"In Basic Auth, %s",
mag_error(req, "gss_krb5_ccache_name() "
"failed", maj, min));
goto done;
}
}
#endif
maj = gss_acquire_cred_with_password(&min, user, &ba_pwd,
GSS_C_INDEFINITE,
allowed_mechs,
GSS_C_INITIATE,
&user_cred, &actual_mechs, NULL);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"In Basic Auth, %s",
mag_error(req, "gss_acquire_cred_with_password() "
"failed", maj, min));
goto done;
}
/* must acquire creds based on the actual mechs we want to try */
if (!mag_acquire_creds(req, cfg, actual_mechs,
GSS_C_ACCEPT, &server_cred, NULL)) {
goto done;
}
#ifdef HAVE_CRED_STORE
if (cfg->deleg_ccache_dir) {
/* delegate ourselves credentials so we store them as requested */
init_flags |= GSS_C_DELEG_FLAG;
}
#endif
for (int i = 0; i < actual_mechs->count; i++) {
/* free these if looping */
gss_release_buffer(&min, &output);
gss_release_buffer(&min, &input);
gss_release_name(&min, &server);
maj = gss_inquire_cred_by_mech(&min, server_cred,
&actual_mechs->elements[i],
&server, NULL, NULL, NULL);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"%s", mag_error(req, "gss_inquired_cred_by_mech() "
"failed", maj, min));
continue;
}
do {
/* output and input are inverted here, this is intentional */
maj = gss_init_sec_context(&min, user_cred, &user_ctx, server,
&actual_mechs->elements[i], init_flags,
300, GSS_C_NO_CHANNEL_BINDINGS, &output,
NULL, &input, NULL, NULL);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"%s", mag_error(req, "gss_init_sec_context() "
"failed", maj, min));
break;
}
gss_release_buffer(&min, &output);
maj = gss_accept_sec_context(&min, &server_ctx, server_cred,
&input, GSS_C_NO_CHANNEL_BINDINGS,
client, mech_type, &output, NULL,
vtime, delegated_cred);
if (GSS_ERROR(maj)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"%s", mag_error(req, "gss_accept_sec_context()"
" failed", maj, min));
break;
}
gss_release_buffer(&min, &input);
} while (maj == GSS_S_CONTINUE_NEEDED);
if (maj == GSS_S_COMPLETE) {
ret = true;
break;
}
}
done:
gss_release_buffer(&min, &output);
gss_release_buffer(&min, &input);
gss_release_name(&min, &server);
gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER);
gss_release_cred(&min, &server_cred);
gss_release_name(&min, &user);
gss_release_cred(&min, &user_cred);
gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
gss_release_oid_set(&min, &actual_mechs);
gss_release_oid_set(&min, &filtered_mechs);
#ifdef HAVE_GSS_KRB5_CCACHE_NAME
if (user_ccache != NULL) {
maj = gss_krb5_ccache_name(&min, orig_ccache, NULL);
if (maj != GSS_S_COMPLETE) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
"Failed to restore per-thread ccache, %s",
mag_error(req, "gss_krb5_ccache_name() "
"failed", maj, min));
}
}
#endif
return ret;
}
