apr_status_t
serf__kerb_create_sec_context(serf__kerb_context_t **ctx_p,
apr_pool_t *scratch_pool,
apr_pool_t *result_pool)
{
SECURITY_STATUS sspi_status;
serf__kerb_context_t *ctx;
ctx = apr_pcalloc(result_pool, sizeof(*ctx));
SecInvalidateHandle(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_credentials);
ctx->initalized = FALSE;
apr_pool_cleanup_register(result_pool, ctx,
cleanup_ctx,
apr_pool_cleanup_null);
sspi_status = AcquireCredentialsHandle(
NULL, "Negotiate", SECPKG_CRED_OUTBOUND,
NULL, NULL, NULL, NULL,
&ctx->sspi_credentials, NULL);
if (FAILED(sspi_status)) {
return map_sspi_status(sspi_status);
}
*ctx_p = ctx;
return APR_SUCCESS;
}
apr_status_t
serf__spnego_create_sec_context(serf__spnego_context_t **ctx_p,
const serf__authn_scheme_t *scheme,
apr_pool_t *result_pool,
apr_pool_t *scratch_pool)
{
SECURITY_STATUS sspi_status;
serf__spnego_context_t *ctx;
const char *sspi_package;
ctx = apr_pcalloc(result_pool, sizeof(*ctx));
SecInvalidateHandle(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_credentials);
ctx->initalized = FALSE;
ctx->pool = result_pool;
ctx->target_name = NULL;
ctx->authn_type = scheme->type;
apr_pool_cleanup_register(result_pool, ctx,
cleanup_ctx,
apr_pool_cleanup_null);
if (ctx->authn_type == SERF_AUTHN_NEGOTIATE)
sspi_package = "Negotiate";
else
sspi_package = "NTLM";
sspi_status = AcquireCredentialsHandle(
NULL, sspi_package, SECPKG_CRED_OUTBOUND,
NULL, NULL, NULL, NULL,
&ctx->sspi_credentials, NULL);
if (FAILED(sspi_status)) {
return map_sspi_status(sspi_status);
}
*ctx_p = ctx;
return APR_SUCCESS;
}
apr_status_t
serf__kerb_init_sec_context(serf__kerb_context_t *ctx,
const char *service,
const char *hostname,
serf__kerb_buffer_t *input_buf,
serf__kerb_buffer_t *output_buf,
apr_pool_t *scratch_pool,
apr_pool_t *result_pool
)
{
SECURITY_STATUS status;
ULONG actual_attr;
SecBuffer sspi_in_buffer;
SecBufferDesc sspi_in_buffer_desc;
SecBuffer sspi_out_buffer;
SecBufferDesc sspi_out_buffer_desc;
char *target_name;
apr_status_t apr_status;
const char *canonname;
apr_status = get_canonical_hostname(&canonname, hostname, scratch_pool);
if (apr_status) {
return apr_status;
}
target_name = apr_pstrcat(scratch_pool, service, "/", canonname, NULL);
/* Prepare input buffer description. */
sspi_in_buffer.BufferType = SECBUFFER_TOKEN;
sspi_in_buffer.pvBuffer = input_buf->value;
sspi_in_buffer.cbBuffer = input_buf->length;
sspi_in_buffer_desc.cBuffers = 1;
sspi_in_buffer_desc.pBuffers = &sspi_in_buffer;
sspi_in_buffer_desc.ulVersion = SECBUFFER_VERSION;
/* Output buffers. Output buffer will be allocated by system. */
sspi_out_buffer.BufferType = SECBUFFER_TOKEN;
sspi_out_buffer.pvBuffer = NULL;
sspi_out_buffer.cbBuffer = 0;
sspi_out_buffer_desc.cBuffers = 1;
sspi_out_buffer_desc.pBuffers = &sspi_out_buffer;
sspi_out_buffer_desc.ulVersion = SECBUFFER_VERSION;
status = InitializeSecurityContext(
&ctx->sspi_credentials,
ctx->initalized ? &ctx->sspi_context : NULL,
target_name,
ISC_REQ_ALLOCATE_MEMORY
| ISC_REQ_MUTUAL_AUTH
| ISC_REQ_CONFIDENTIALITY,
0, /* Reserved1 */
SECURITY_NETWORK_DREP,
&sspi_in_buffer_desc,
0, /* Reserved2 */
&ctx->sspi_context,
&sspi_out_buffer_desc,
&actual_attr,
NULL);
if (sspi_out_buffer.cbBuffer > 0) {
apr_pool_cleanup_register(result_pool, sspi_out_buffer.pvBuffer,
cleanup_sec_buffer,
apr_pool_cleanup_null);
}
ctx->initalized = TRUE;
/* Finish authentication if SSPI requires so. */
if (status == SEC_I_COMPLETE_NEEDED
|| status == SEC_I_COMPLETE_AND_CONTINUE)
{
CompleteAuthToken(&ctx->sspi_context, &sspi_out_buffer_desc);
}
output_buf->value = sspi_out_buffer.pvBuffer;
output_buf->length = sspi_out_buffer.cbBuffer;
switch(status) {
case SEC_I_COMPLETE_AND_CONTINUE:
case SEC_I_CONTINUE_NEEDED:
return APR_EAGAIN;
case SEC_I_COMPLETE_NEEDED:
case SEC_E_OK:
return APR_SUCCESS;
default:
return map_sspi_status(status);
}
}
