AUTH *
authgss_create_default(CLIENT *clnt, char *service, struct rpc_gss_sec *sec)
{
AUTH *auth;
OM_uint32 maj_stat = 0, min_stat = 0;
gss_buffer_desc sname;
gss_name_t name;
log_debug("in authgss_create_default()");
sname.value = service;
sname.length = strlen(service);
maj_stat = gss_import_name(&min_stat, &sname,
(gss_OID)gss_nt_service_name,
&name);
if (maj_stat != GSS_S_COMPLETE) {
log_status("gss_import_name", maj_stat, min_stat);
rpc_createerr.cf_stat = RPC_AUTHERROR;
return (NULL);
}
auth = authgss_create(clnt, name, sec);
if (name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &name);
log_debug("authgss_create_default returning auth 0x%08x", auth);
return (auth);
}
static int
gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
{
char name[NI_MAXHOST];
struct sockaddr *sa;
gss_buffer_desc name_token;
OM_uint32 min_stat, maj_stat;
sa = remote ? iph1->remote : iph1->local;
if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
return -1;
name_token.length = asprintf((char **)&name_token.value,
"%s@%s", GSSAPI_DEF_NAME, name);
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NT_HOSTBASED_SERVICE, service);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "import name\n");
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name_token");
return -1;
}
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name_token");
return 0;
}
OM_uint32
ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
{
gss_buffer_desc gssbuf;
gss_name_t gssname;
OM_uint32 status;
gss_OID_set oidset;
gssbuf.value = (void *) name;
gssbuf.length = strlen(gssbuf.value);
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
ctx->major = gss_import_name(&ctx->minor, &gssbuf,
GSS_C_NT_USER_NAME, &gssname);
if (!ctx->major)
ctx->major = gss_acquire_cred(&ctx->minor,
gssname, 0, oidset, GSS_C_INITIATE,
&ctx->client_creds, NULL, NULL);
gss_release_name(&status, &gssname);
gss_release_oid_set(&status, &oidset);
if (ctx->major)
ssh_gssapi_error(ctx);
return(ctx->major);
}
uint32_t NetSecurityNative_ImportTargetName(uint32_t* minorStatus,
char* inputName,
uint32_t inputNameLen,
uint32_t isNtlmTarget,
GssName** outputName)
{
assert(minorStatus != NULL);
assert(inputName != NULL);
assert(isNtlmTarget == 0 || isNtlmTarget == 1);
assert(outputName != NULL);
assert(*outputName == NULL);
gss_OID nameType;
if (isNtlmTarget)
{
nameType = GSS_C_NT_HOSTBASED_SERVICE;
}
else
{
nameType = GSS_KRB5_NT_PRINCIPAL_NAME;
}
GssBuffer inputNameBuffer = {.length = inputNameLen, .value = inputName};
return gss_import_name(minorStatus, &inputNameBuffer, nameType, outputName);
}
/*extern PyObject *GssException_class;
extern PyObject *KrbException_class;
char* server_principal_details(const char* service, const char* hostname)
{
char match[1024];
int match_len = 0;
char* result = NULL;
int code;
krb5_context kcontext;
krb5_keytab kt = NULL;
krb5_kt_cursor cursor = NULL;
krb5_keytab_entry entry;
char* pname = NULL;
// Generate the principal prefix we want to match
snprintf(match, 1024, "%s/%s@", service, hostname);
match_len = strlen(match);
code = krb5_init_context(&kcontext);
if (code)
{
PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
"Cannot initialize Kerberos5 context", code));
return NULL;
}
if ((code = krb5_kt_default(kcontext, &kt)))
{
PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
"Cannot get default keytab", code));
goto end;
}
if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor)))
{
PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
"Cannot get sequence cursor from keytab", code));
goto end;
}
while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0)
{
if ((code = krb5_unparse_name(kcontext, entry.principal, &pname)))
{
PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
"Cannot parse principal name from keytab", code));
goto end;
}
if (strncmp(pname, match, match_len) == 0)
{
result = malloc(strlen(pname) + 1);
strcpy(result, pname);
krb5_free_unparsed_name(kcontext, pname);
krb5_free_keytab_entry_contents(kcontext, &entry);
break;
}
krb5_free_unparsed_name(kcontext, pname);
krb5_free_keytab_entry_contents(kcontext, &entry);
}
if (result == NULL)
{
PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
"Principal not found in keytab", -1));
}
end:
if (cursor)
krb5_kt_end_seq_get(kcontext, kt, &cursor);
if (kt)
krb5_kt_close(kcontext, kt);
krb5_free_context(kcontext);
return result;
}
*/
gss_client_response *authenticate_gss_client_init(const char* service, long int gss_flags, gss_client_state* state) {
OM_uint32 maj_stat;
OM_uint32 min_stat;
gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
gss_client_response *response = NULL;
int ret = AUTH_GSS_COMPLETE;
state->server_name = GSS_C_NO_NAME;
state->context = GSS_C_NO_CONTEXT;
state->gss_flags = gss_flags;
state->username = NULL;
state->response = NULL;
// Import server name first
name_token.length = strlen(service);
name_token.value = (char *)service;
maj_stat = gss_import_name(&min_stat, &name_token, gss_krb5_nt_service_name, &state->server_name);
if (GSS_ERROR(maj_stat)) {
response = gss_error(maj_stat, min_stat);
response->return_code = AUTH_GSS_ERROR;
goto end;
}
end:
if(response == NULL) {
response = calloc(1, sizeof(gss_client_response));
response->return_code = ret;
}
return response;
}
static bool_t
svcauth_gss_import_name(char *service)
{
gss_name_t name;
gss_buffer_desc namebuf;
OM_uint32 maj_stat, min_stat;
log_debug("in svcauth_gss_import_name()");
namebuf.value = service;
namebuf.length = strlen(service);
maj_stat = gss_import_name(&min_stat, &namebuf,
(gss_OID)GSS_C_NT_HOSTBASED_SERVICE, &name);
if (maj_stat != GSS_S_COMPLETE) {
log_status("gss_import_name", maj_stat, min_stat);
return (FALSE);
}
if (svcauth_gss_set_svc_name(name) != TRUE) {
gss_release_name(&min_stat, &name);
return (FALSE);
}
return (TRUE);
}
static RD_BOOL
cssp_gss_get_service_name(char *server, gss_name_t * name)
{
gss_buffer_desc output;
OM_uint32 major_status, minor_status;
const char service_name[] = "TERMSRV";
gss_OID type = (gss_OID) GSS_C_NT_HOSTBASED_SERVICE;
int size = (strlen(service_name) + 1 + strlen(server) + 1);
output.value = malloc(size);
snprintf(output.value, size, "%s@%s", service_name, server);
output.length = strlen(output.value) + 1;
major_status = gss_import_name(&minor_status, &output, type, name);
if (GSS_ERROR(major_status))
{
cssp_gss_report_error(GSS_C_GSS_CODE, "Failed to create service principal name",
major_status, minor_status);
return False;
}
gss_release_buffer(&minor_status, &output);
return True;
}
static int
server_acquire_creds(char *service_name, gss_cred_id_t *server_creds)
{
gss_buffer_desc name_buf;
gss_name_t server_name;
OM_uint32 maj_stat, min_stat;
name_buf.value = service_name;
name_buf.length = strlen(name_buf.value) + 1;
maj_stat = gss_import_name(&min_stat, &name_buf,
(gss_OID) gss_nt_service_name, &server_name);
if (maj_stat != GSS_S_COMPLETE) {
display_status("importing name", maj_stat, min_stat);
return -1;
}
maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
server_creds, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE) {
display_status("acquiring credentials", maj_stat, min_stat);
return -1;
}
(void) gss_release_name(&min_stat, &server_name);
return 0;
}
bool
svcauth_gss_import_name(char *service)
{
gss_name_t name;
gss_buffer_desc namebuf;
OM_uint32 maj_stat, min_stat;
namebuf.value = service;
namebuf.length = strlen(service);
maj_stat =
gss_import_name(&min_stat, &namebuf,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &name);
if (maj_stat != GSS_S_COMPLETE)
return (false);
if (svcauth_gss_set_svc_name(name) != true) {
gss_release_name(&min_stat, &name);
return (false);
}
/* discard duplicate name */
gss_release_name(&min_stat, &name);
return (true);
}
static gboolean
soup_gss_client_init (SoupNegotiateConnectionState *conn, const gchar *host, GError **err)
{
OM_uint32 maj_stat, min_stat;
gchar *service = NULL;
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
gboolean ret = FALSE;
gchar *h;
conn->server_name = GSS_C_NO_NAME;
conn->context = GSS_C_NO_CONTEXT;
h = g_ascii_strdown (host, -1);
service = g_strconcat ("HTTP@", h, NULL);
token.length = strlen (service);
token.value = (gchar *) service;
maj_stat = gss_import_name (&min_stat,
&token,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&conn->server_name);
if (GSS_ERROR (maj_stat)) {
soup_gss_error (maj_stat, min_stat, err);
ret = FALSE;
goto out;
}
conn->initialized = TRUE;
ret = TRUE;
out:
g_free (h);
g_free (service);
return ret;
}
static int
get_gss_name(struct connectdata *conn, gss_name_t *server)
{
struct negotiatedata *neg_ctx = &conn->data->state.negotiate;
OM_uint32 major_status, minor_status;
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
char name[2048];
const char* service;
/* GSSAPI implementation by Globus (known as GSI) requires the name to be
of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead
of at-sign). Also GSI servers are often identified as 'host' not 'khttp'.
Change following lines if you want to use GSI */
/* IIS uses the <service>@<fqdn> form but uses 'http' as the service name */
if (neg_ctx->gss)
service = "KHTTP";
else
service = "HTTP";
token.length = strlen(service) + 1 + strlen(conn->host.name) + 1;
if (token.length + 1 > sizeof(name))
return EMSGSIZE;
snprintf(name, sizeof(name), "%s@%s", service, conn->host.name);
token.value = (void *) name;
major_status = gss_import_name(&minor_status,
&token,
GSS_C_NT_HOSTBASED_SERVICE,
server);
return GSS_ERROR(major_status) ? -1 : 0;
}
/*
* Function: auth_gssapi_create_default
*
* Purpose: Create a GSS-API style authenticator, with default
* options, and return the handle.
*
* Effects: See design document, section XXX.
*/
AUTH *auth_gssapi_create_default(CLIENT *clnt, char *service_name)
{
AUTH *auth;
OM_uint32 gssstat, minor_stat;
gss_buffer_desc input_name;
gss_name_t target_name;
input_name.value = service_name;
input_name.length = strlen(service_name) + 1;
gssstat = gss_import_name(&minor_stat, &input_name,
gss_nt_service_name, &target_name);
if (gssstat != GSS_S_COMPLETE) {
AUTH_GSSAPI_DISPLAY_STATUS(("parsing name", gssstat,
minor_stat));
rpc_createerr.cf_stat = RPC_SYSTEMERROR;
rpc_createerr.cf_error.re_errno = ENOMEM;
return NULL;
}
auth = auth_gssapi_create(clnt,
&gssstat,
&minor_stat,
GSS_C_NO_CREDENTIAL,
target_name,
GSS_C_NULL_OID,
GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
0,
NULL,
NULL,
NULL);
gss_release_name(&minor_stat, &target_name);
return auth;
}
int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss_cred_id_t * cred_)
{
OM_uint32 maj_stat;
OM_uint32 min_stat;
gss_name_t server_name;
gss_buffer_desc name_buf;
name_buf.value = service_name_;
name_buf.length = strlen ((char *) name_buf.value) + 1;
maj_stat = gss_import_name (&min_stat, &name_buf,
GSS_C_NT_HOSTBASED_SERVICE, &server_name);
if (maj_stat != GSS_S_COMPLETE)
return -1;
maj_stat = gss_acquire_cred (&min_stat, server_name, 0,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
cred_, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE)
return -1;
gss_release_name(&min_stat, &server_name);
return 0;
}
/* Create a service name for the given host */
OM_uint32
ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
{
gss_buffer_desc gssbuf;
char *xhost;
char *val;
/* Make a copy of the host name, in case it was returned by a
* previous call to gethostbyname(). */
xhost = xstrdup(host);
/* Make sure we have the FQDN. Some GSSAPI implementations don't do
* this for us themselves */
resolve_localhost(&xhost);
xasprintf(&val, "host@%s", xhost);
gssbuf.value = val;
gssbuf.length = strlen(gssbuf.value);
if ((ctx->major = gss_import_name(&ctx->minor,
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
ssh_gssapi_error(ctx);
free(xhost);
free(gssbuf.value);
return (ctx->major);
}
AUTH *
authgss_create_default(CLIENT *clnt, char *service, struct rpc_gss_sec *sec)
{
AUTH *auth;
OM_uint32 maj_stat = 0, min_stat = 0;
gss_buffer_desc sname;
gss_name_t name = GSS_C_NO_NAME;
log_debug("in authgss_create_default()");
sname.value = service;
sname.length = strlen(service);
maj_stat = gss_import_name(&min_stat, &sname,
(gss_OID)GSS_C_NT_HOSTBASED_SERVICE,
&name);
if (maj_stat != GSS_S_COMPLETE) {
log_status("gss_import_name", maj_stat, min_stat);
rpc_createerr.cf_stat = RPC_AUTHERROR;
return (NULL);
}
auth = authgss_create(clnt, name, sec);
if (name != GSS_C_NO_NAME) {
#ifdef DEBUG
fprintf(stderr, "authgss_create_default: freeing name %p\n", name);
#endif
gss_release_name(&min_stat, &name);
}
return (auth);
}
uint32_t gp_conv_gssx_to_name(uint32_t *min, gssx_name *in, gss_name_t *out)
{
gss_buffer_t input_name = GSS_C_NO_BUFFER;
gss_OID name_type = GSS_C_NO_OID;
gss_buffer_desc name_buffer;
uint32_t ret_maj;
uint32_t ret_min;
int ret;
if (in->display_name.octet_string_len != 0) {
/* ok we have a display name.
* In this case always import and canonicalize it so we can
* safely export the name using the original form, even if we
* already have exported_name */
ret = gp_conv_gssx_to_buffer_alloc(&in->display_name, &input_name);
if (ret) {
ret_maj = GSS_S_FAILURE;
ret_min = ret;
goto done;
}
ret = gp_conv_gssx_to_oid_alloc(&in->name_type, &name_type);
if (ret) {
ret_maj = GSS_S_FAILURE;
ret_min = ret;
goto done;
}
ret_maj = gss_import_name(&ret_min, input_name, name_type, out);
if (ret_maj) {
goto done;
}
} else {
gp_conv_gssx_to_buffer(&in->exported_name, &name_buffer);
ret_maj = gss_import_name(&ret_min, &name_buffer,
GSS_C_NT_EXPORT_NAME, out);
if (ret_maj) {
goto done;
}
}
done:
*min = ret_min;
gss_release_buffer(&ret_min, input_name);
gss_release_oid(&ret_min, &name_type);
return ret_maj;
}
/*
* Send initial GSS authentication token
*/
static int
pg_GSS_startup(PGconn *conn, int payloadlen)
{
OM_uint32 maj_stat,
min_stat;
int maxlen;
gss_buffer_desc temp_gbuf;
char *host = PQhost(conn);
if (!(host && host[0] != '\0'))
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("host name must be specified\n"));
return STATUS_ERROR;
}
if (conn->gctx)
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("duplicate GSS authentication request\n"));
return STATUS_ERROR;
}
/*
* Import service principal name so the proper ticket can be acquired by
* the GSSAPI system.
*/
maxlen = NI_MAXHOST + strlen(conn->krbsrvname) + 2;
temp_gbuf.value = (char *) malloc(maxlen);
if (!temp_gbuf.value)
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("out of memory\n"));
return STATUS_ERROR;
}
snprintf(temp_gbuf.value, maxlen, "%s@%s",
conn->krbsrvname, host);
temp_gbuf.length = strlen(temp_gbuf.value);
maj_stat = gss_import_name(&min_stat, &temp_gbuf,
GSS_C_NT_HOSTBASED_SERVICE, &conn->gtarg_nam);
free(temp_gbuf.value);
if (maj_stat != GSS_S_COMPLETE)
{
pg_GSS_error(libpq_gettext("GSSAPI name import error"),
conn,
maj_stat, min_stat);
return STATUS_ERROR;
}
/*
* Initial packet is the same as a continuation packet with no initial
* context.
*/
conn->gctx = GSS_C_NO_CONTEXT;
return pg_GSS_continue(conn, payloadlen);
}
int
gfarmGssImportName(gss_name_t *namePtr, void *nameValue, size_t nameLength,
gss_OID nameType, OM_uint32 *majStatPtr, OM_uint32 *minStatPtr)
{
OM_uint32 majStat = 0;
OM_uint32 minStat = 0;
int ret = -1;
gss_buffer_desc buf;
#if GFARM_FAKE_GSS_C_NT_USER_NAME_FOR_GLOBUS
if (nameType == GSS_C_NT_USER_NAME) {
char *user;
gfarmAuthEntry *aePtr;
GFARM_MALLOC_ARRAY(user, nameLength + 1);
if (user == NULL) {
gflog_auth_error(GFARM_MSG_1000611,
"gfarmGssImportName(): no memory");
majStat = GSS_S_FAILURE;
minStat = GFSL_DEFAULT_MINOR_ERROR;
goto Done;
}
memcpy(user, nameValue, nameLength);
user[nameLength] = '\0';
aePtr = gfarmAuthGetLocalUserEntry(user);
if (aePtr == NULL) {
gflog_auth_error(GFARM_MSG_1000612, "%s: ERROR: cannot convert "
"this user name to X.509 Distinguish name", user);
free(user);
majStat = GSS_S_FAILURE;
minStat = GFSL_DEFAULT_MINOR_ERROR;
goto Done;
}
free(user);
assert(aePtr->authType == GFARM_AUTH_USER);
nameValue = aePtr->distName;
nameLength = strlen(aePtr->distName);
nameType = GSS_C_NO_OID; /* mechanism specific */
}
#endif /* GFARM_FAKE_GSS_C_NT_USER_NAME_FOR_GLOBUS */
buf.length = nameLength;
buf.value = nameValue;
majStat = gss_import_name(&minStat, &buf, nameType, namePtr);
if (majStat == GSS_S_COMPLETE) {
ret = 1; /* OK */
}
#if GFARM_FAKE_GSS_C_NT_USER_NAME_FOR_GLOBUS
Done:
#endif /* GFARM_FAKE_GSS_C_NT_USER_NAME_FOR_GLOBUS */
if (majStatPtr != NULL) {
*majStatPtr = majStat;
}
if (minStatPtr != NULL) {
*minStatPtr = minStat;
}
return ret;
}
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_OID mech = (gss_OID)gss_mech_krb5;
gss_name_t name, mechname, impname;
gss_buffer_desc buf, buf2;
const char *name_arg;
char opt;
/* Parse arguments. */
while (argc > 1 && argv[1][0] == '-') {
opt = argv[1][1];
argc--, argv++;
if (opt == 'k')
mech = &mech_krb5;
else if (opt == 's')
mech = &mech_spnego;
else
usage();
}
if (argc != 2)
usage();
name_arg = argv[1];
/* Import the name. */
name = import_name(name_arg);
/* Canonicalize and export the name. */
major = gss_canonicalize_name(&minor, name, mech, &mechname);
check_gsserr("gss_canonicalize_name", major, minor);
major = gss_export_name(&minor, mechname, &buf);
check_gsserr("gss_export_name", major, minor);
/* Import and re-export the name, and compare the results. */
major = gss_import_name(&minor, &buf, GSS_C_NT_EXPORT_NAME, &impname);
check_gsserr("gss_export_name", major, minor);
major = gss_export_name(&minor, impname, &buf2);
check_gsserr("gss_export_name", major, minor);
if (buf.length != buf2.length ||
memcmp(buf.value, buf2.value, buf.length) != 0) {
fprintf(stderr, "Mismatched results:\n");
print_hex(stderr, &buf);
print_hex(stderr, &buf2);
return 1;
}
print_hex(stdout, &buf);
(void)gss_release_name(&minor, &name);
(void)gss_release_name(&minor, &mechname);
(void)gss_release_buffer(&minor, &buf);
(void)gss_release_buffer(&minor, &buf2);
return 0;
}
static OM_uint32
compare_names(OM_uint32 *minor,
const gss_OID mech_type,
const gss_name_t name,
const char *user,
int *user_ok)
{
OM_uint32 status, tmpMinor;
gss_name_t imported_name;
gss_name_t canon_name;
gss_buffer_desc gss_user;
int match = 0;
*user_ok = 0;
gss_user.value = (void *)user;
if (!gss_user.value || !name || !mech_type)
return (GSS_S_BAD_NAME);
gss_user.length = strlen(gss_user.value);
status = gss_import_name(minor,
&gss_user,
GSS_C_NT_USER_NAME,
&imported_name);
if (status != GSS_S_COMPLETE) {
goto out;
}
status = gss_canonicalize_name(minor,
imported_name,
mech_type,
&canon_name);
if (status != GSS_S_COMPLETE) {
(void) gss_release_name(&tmpMinor, &imported_name);
goto out;
}
status = gss_compare_name(minor,
canon_name,
name,
&match);
(void) gss_release_name(&tmpMinor, &canon_name);
(void) gss_release_name(&tmpMinor, &imported_name);
if (status == GSS_S_COMPLETE) {
if (match)
*user_ok = 1; /* remote user is a-ok */
}
out:
return (status);
}
static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
const char *given_principal,
struct ads_service_principal *p)
{
ADS_STATUS status;
#ifdef HAVE_KRB5
gss_buffer_desc input_name;
/* GSS_KRB5_NT_PRINCIPAL_NAME */
gss_OID_desc nt_principal =
{10, discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
uint32 minor_status;
int gss_rc;
#endif
ZERO_STRUCTP(p);
/* I've seen a child Windows 2000 domain not send
the principal name back in the first round of
the SASL bind reply. So we guess based on server
name and realm. --jerry */
/* Also try best guess when we get the w2k8 ignore principal
back, or when we are configured to ignore it - gd,
abartlet */
if (!lp_client_use_spnego_principal() ||
!given_principal ||
strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
status = ads_guess_service_principal(ads, &p->string);
if (!ADS_ERR_OK(status)) {
return status;
}
} else {
p->string = SMB_STRDUP(given_principal);
if (!p->string) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
}
#ifdef HAVE_KRB5
input_name.value = p->string;
input_name.length = strlen(p->string);
gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name);
if (gss_rc) {
ads_free_service_principal(p);
return ADS_ERROR_GSS(gss_rc, minor_status);
}
#endif
return ADS_SUCCESS;
}
uint32_t NetSecurityNative_ImportTargetName(uint32_t* minorStatus,
char* inputName,
uint32_t inputNameLen,
GssName** outputName)
{
assert(minorStatus != NULL);
assert(inputName != NULL);
assert(outputName != NULL);
assert(*outputName == NULL);
GssBuffer inputNameBuffer = {.length = inputNameLen, .value = inputName};
return gss_import_name(minorStatus, &inputNameBuffer, GSS_C_NT_HOSTBASED_SERVICE, outputName);
}
int
main(int argc, char **argv)
{
struct gss_buffer_desc_struct name_buffer;
OM_uint32 maj_stat, min_stat;
gss_name_t name;
int optidx = 0;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc < 1)
errx(1, "argc < 1");
name_buffer.value = argv[0];
name_buffer.length = strlen(argv[0]);
maj_stat = gss_import_name(&min_stat, &name_buffer,
GSS_C_NT_HOSTBASED_SERVICE,
&name);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import name error");
acquire_release_loop(name, 100, GSS_C_ACCEPT);
acquire_release_loop(name, 100, GSS_C_INITIATE);
acquire_release_loop(name, 100, GSS_C_BOTH);
acquire_add_release_add(name, GSS_C_ACCEPT);
acquire_add_release_add(name, GSS_C_INITIATE);
acquire_add_release_add(name, GSS_C_BOTH);
add_add_release_add(name, GSS_C_ACCEPT);
add_add_release_add(name, GSS_C_INITIATE);
add_add_release_add(name, GSS_C_BOTH);
gss_release_name(&min_stat, &name);
return 0;
}
int authenticate_gss_server_init(const char *service, gss_server_state *state)
{
OM_uint32 maj_stat;
OM_uint32 min_stat;
size_t service_len;
gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
int ret = AUTH_GSS_COMPLETE;
state->context = GSS_C_NO_CONTEXT;
state->server_name = GSS_C_NO_NAME;
state->client_name = GSS_C_NO_NAME;
state->server_creds = GSS_C_NO_CREDENTIAL;
state->client_creds = GSS_C_NO_CREDENTIAL;
state->username = NULL;
state->targetname = NULL;
state->response = NULL;
state->gss_flags = 0;
// Server name may be empty which means we aren't going to create our own creds
service_len = strlen(service);
if (service_len != 0)
{
// Import server name first
name_token.length = strlen(service);
name_token.value = (char *)service;
maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, &state->server_name);
if (GSS_ERROR(maj_stat))
{
set_gss_error(maj_stat, min_stat);
ret = AUTH_GSS_ERROR;
goto end;
}
// Get credentials
maj_stat = gss_acquire_cred(&min_stat, state->server_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_ACCEPT, &state->server_creds, NULL, NULL);
if (GSS_ERROR(maj_stat))
{
set_gss_error(maj_stat, min_stat);
ret = AUTH_GSS_ERROR;
goto end;
}
}
end:
return ret;
}
static gss_cred_id_t
acquire_cred_service(const char *service,
gss_OID nametype,
gss_OID_set oidset,
gss_cred_usage_t usage,
gss_const_key_value_set_t cred_store)
{
OM_uint32 major_status, minor_status;
gss_cred_id_t cred_handle;
OM_uint32 time_rec;
gss_buffer_desc name_buffer;
gss_name_t name = GSS_C_NO_NAME;
if (service) {
name_buffer.value = rk_UNCONST(service);
name_buffer.length = strlen(service);
major_status = gss_import_name(&minor_status,
&name_buffer,
nametype,
&name);
if (GSS_ERROR(major_status))
errx(1, "import_name failed");
}
major_status = gss_acquire_cred_from(&minor_status,
name,
0,
oidset,
usage,
cred_store,
&cred_handle,
NULL,
&time_rec);
if (GSS_ERROR(major_status)) {
warnx("acquire_cred failed: %s",
gssapi_err(major_status, minor_status, GSS_C_NO_OID));
} else {
print_time(time_rec);
gss_release_cred(&minor_status, &cred_handle);
}
if (name != GSS_C_NO_NAME)
gss_release_name(&minor_status, &name);
if (GSS_ERROR(major_status))
exit(1);
return cred_handle;
}
/* Get service, hostname and authorization identity from application,
import the GSS-API name, and initialize the channel binding data.
Return GSASL_OK on success or an error code. */
static int
prepare (Gsasl_session * sctx, _gsasl_gs2_client_state * state)
{
const char *service = gsasl_property_get (sctx, GSASL_SERVICE);
const char *hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
gss_buffer_desc bufdesc;
OM_uint32 maj_stat, min_stat;
if (!service)
return GSASL_NO_SERVICE;
if (!hostname)
return GSASL_NO_HOSTNAME;
bufdesc.length = asprintf ((char **) &bufdesc.value, "%s@%s",
service, hostname);
if (bufdesc.length <= 0 || bufdesc.value == NULL)
return GSASL_MALLOC_ERROR;
maj_stat = gss_import_name (&min_stat, &bufdesc,
GSS_C_NT_HOSTBASED_SERVICE, &state->service);
free (bufdesc.value);
if (GSS_ERROR (maj_stat))
return GSASL_GSSAPI_IMPORT_NAME_ERROR;
if (authzid)
{
char *escaped_authzid = escape_authzid (authzid);
if (!escaped_authzid)
return GSASL_MALLOC_ERROR;
state->cb.application_data.length
= asprintf ((char **) &state->cb.application_data.value,
"n,a=%s,", escaped_authzid);
free (escaped_authzid);
}
else
{
state->cb.application_data.value = strdup ("n,,");
state->cb.application_data.length = 3;
}
if (state->cb.application_data.length <= 0
|| state->cb.application_data.value == NULL)
return GSASL_MALLOC_ERROR;
return GSASL_OK;
}
/* Create a service name for the given host */
OM_uint32
ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
{
gss_buffer_desc gssbuf;
gssbuf.length = sizeof("host@") + strlen(host);
gssbuf.value = xmalloc(gssbuf.length);
snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
if ((ctx->major = gss_import_name(&ctx->minor,
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
ssh_gssapi_error(ctx);
xfree(gssbuf.value);
return (ctx->major);
}
/*
* if return error, the lnd_rpc_err or lnd_gss_err is set.
*/
static int lgssc_init_nego_data(struct lgss_nego_data *lnd,
struct keyring_upcall_param *kup,
lgss_mech_t mech)
{
gss_buffer_desc sname;
OM_uint32 maj_stat, min_stat;
memset(lnd, 0, sizeof(*lnd));
lnd->lnd_secid = kup->kup_secid;
lnd->lnd_uid = kup->kup_uid;
lnd->lnd_lsvc = kup->kup_svc;
lnd->lnd_uuid = kup->kup_tgt;
lnd->lnd_established = 0;
lnd->lnd_svc_name = GSS_C_NO_NAME;
lnd->lnd_cred = GSS_C_NO_CREDENTIAL;
lnd->lnd_ctx = GSS_C_NO_CONTEXT;
lnd->lnd_rmt_ctx = (gss_buffer_desc) GSS_C_EMPTY_BUFFER;
lnd->lnd_seq_win = 0;
switch (mech) {
case LGSS_MECH_KRB5:
lnd->lnd_mech = (gss_OID) &krb5oid;
lnd->lnd_req_flags = GSS_C_MUTUAL_FLAG;
break;
default:
logmsg(LL_ERR, "invalid mech: %d\n", mech);
lnd->lnd_rpc_err = -EACCES;
return -1;
}
sname.value = g_service;
sname.length = strlen(g_service);
maj_stat = gss_import_name(&min_stat, &sname,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&lnd->lnd_svc_name);
if (maj_stat != GSS_S_COMPLETE) {
logmsg_gss(LL_ERR, lnd->lnd_mech, maj_stat, min_stat,
"can't import svc name");
lnd->lnd_gss_err = maj_stat;
return -1;
}
return 0;
}
/*ARGSUSED*/
OM_uint32
ntlm_gss_import_name(
OM_uint32 *minor_status,
gss_buffer_t input_name_buffer,
gss_OID input_name_type,
gss_name_t *output_name)
{
OM_uint32 status = 0;
dsyslog("Entering import_name\n");
status = gss_import_name(minor_status, input_name_buffer,
input_name_type, output_name);
dsyslog("Leaving import_name\n");
return (status);
}
/* Create an GSSAPI name for server HOSTNAME; returns non-zero on
* error. */
static void get_gss_name(gss_name_t *server, const char *hostname)
{
unsigned int major, minor;
gss_buffer_desc token;
token.value = ne_concat("HTTP@", hostname, NULL);
token.length = strlen(token.value);
major = gss_import_name(&minor, &token, GSS_C_NT_HOSTBASED_SERVICE,
server);
ne_free(token.value);
if (GSS_ERROR(major)) {
NE_DEBUG(NE_DBG_HTTPAUTH, "gssapi: gss_import_name failed.\n");
*server = GSS_C_NO_NAME;
}
}
