/* TODO callers seem to set always connection info... change it */
struct tds_addrinfo *
tds_lookup_host(const char *servername) /* (I) name of the server */
{
struct tds_addrinfo hints, *addr = NULL;
assert(servername != NULL);
memset(&hints, '\0', sizeof(hints));
hints.ai_family = AF_UNSPEC;
#ifdef AI_ADDRCONFIG
hints.ai_flags |= AI_ADDRCONFIG;
#endif
if (tds_getaddrinfo(servername, NULL, &hints, &addr))
return NULL;
return addr;
}
/**
* Build a GSSAPI packet to send to server
* @param tds A pointer to the TDSSOCKET structure managing a client/server operation.
* @param packet GSSAPI packet build from function
* @return size of packet
*/
TDSAUTHENTICATION *
tds_gss_get_auth(TDSSOCKET * tds)
{
/*
* TODO
* There are some differences between this implementation and MS on
* - MS use SPNEGO with 3 mechnisms (MS KRB5, KRB5, NTLMSSP)
* - MS seems to use MUTUAL flag
* - name type is "Service and Instance (2)" and not "Principal (1)"
* check for memory leaks
* check for errors in many functions
* a bit more verbose
* dinamically load library ??
*/
gss_buffer_desc send_tok;
OM_uint32 maj_stat, min_stat;
/* same as GSS_KRB5_NT_PRINCIPAL_NAME but do not require .so library */
static gss_OID_desc nt_principal = { 10, (void*) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01" };
const char *server_name;
/* Storage for getaddrinfo calls */
struct tds_addrinfo *addrs = NULL;
struct tds_gss_auth *auth = (struct tds_gss_auth *) calloc(1, sizeof(struct tds_gss_auth));
if (!auth || !tds->login)
return NULL;
auth->tds_auth.free = tds_gss_free;
auth->tds_auth.handle_next = tds_gss_handle_next;
auth->gss_context = GSS_C_NO_CONTEXT;
auth->last_stat = GSS_S_COMPLETE;
server_name = tds_dstr_cstr(&tds->login->server_host_name);
if (strchr(server_name, '.') == NULL) {
struct tds_addrinfo hints;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_flags = AI_V4MAPPED|AI_ADDRCONFIG|AI_CANONNAME|AI_FQDN;
if (!tds_getaddrinfo(server_name, NULL, &hints, &addrs) && addrs->ai_canonname
&& strchr(addrs->ai_canonname, '.') != NULL)
server_name = addrs->ai_canonname;
}
if (!tds_dstr_isempty(&tds->login->server_spn)) {
auth->sname = strdup(tds_dstr_cstr(&tds->login->server_spn));
} else if (tds_dstr_isempty(&tds->login->server_realm_name)) {
if (asprintf(&auth->sname, "MSSQLSvc/%s:%d", server_name, tds->login->port) < 0)
auth->sname = NULL;
} else {
if (asprintf(&auth->sname, "MSSQLSvc/%s:%d@%s", server_name, tds->login->port,
tds_dstr_cstr(&tds->login->server_realm_name)) < 0)
auth->sname = NULL;
}
if (addrs)
tds_freeaddrinfo(addrs);
if (auth->sname == NULL) {
tds_gss_free(tds->conn, (TDSAUTHENTICATION *) auth);
return NULL;
}
tdsdump_log(TDS_DBG_NETWORK, "using kerberos name %s\n", auth->sname);
/*
* Import the name into target_name. Use send_tok to save
* local variable space.
*/
send_tok.value = auth->sname;
send_tok.length = strlen(auth->sname);
maj_stat = gss_import_name(&min_stat, &send_tok, &nt_principal, &auth->target_name);
switch (maj_stat) {
case GSS_S_COMPLETE:
tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_COMPLETE: gss_import_name completed successfully.\n");
if (TDS_FAILED(tds_gss_continue(tds, auth, GSS_C_NO_BUFFER))) {
tds_gss_free(tds->conn, (TDSAUTHENTICATION *) auth);
return NULL;
}
break;
case GSS_S_BAD_NAMETYPE:
tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_BAD_NAMETYPE: The input_name_type was unrecognized.\n");
break;
case GSS_S_BAD_NAME:
tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_BAD_NAME: The input_name parameter could not be interpreted as a name of the specified type.\n");
break;
case GSS_S_BAD_MECH:
tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_BAD_MECH: The input name-type was GSS_C_NT_EXPORT_NAME, but the mechanism contained within the input-name is not supported.\n");
break;
default:
tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: unexpected error %d.\n", maj_stat);
break;
}
if (GSS_ERROR(maj_stat)) {
tds_gss_free(tds->conn, (TDSAUTHENTICATION *) auth);
return NULL;
}
return (TDSAUTHENTICATION *) auth;
}
