/* TODO callers seem to set always connection info... change it */ struct tds_addrinfo * tds_lookup_host(const char *servername) /* (I) name of the server */ { struct tds_addrinfo hints, *addr = NULL; assert(servername != NULL); memset(&hints, '\0', sizeof(hints)); hints.ai_family = AF_UNSPEC; #ifdef AI_ADDRCONFIG hints.ai_flags |= AI_ADDRCONFIG; #endif if (tds_getaddrinfo(servername, NULL, &hints, &addr)) return NULL; return addr; }
/** * Build a GSSAPI packet to send to server * @param tds A pointer to the TDSSOCKET structure managing a client/server operation. * @param packet GSSAPI packet build from function * @return size of packet */ TDSAUTHENTICATION * tds_gss_get_auth(TDSSOCKET * tds) { /* * TODO * There are some differences between this implementation and MS on * - MS use SPNEGO with 3 mechnisms (MS KRB5, KRB5, NTLMSSP) * - MS seems to use MUTUAL flag * - name type is "Service and Instance (2)" and not "Principal (1)" * check for memory leaks * check for errors in many functions * a bit more verbose * dinamically load library ?? */ gss_buffer_desc send_tok; OM_uint32 maj_stat, min_stat; /* same as GSS_KRB5_NT_PRINCIPAL_NAME but do not require .so library */ static gss_OID_desc nt_principal = { 10, (void*) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01" }; const char *server_name; /* Storage for getaddrinfo calls */ struct tds_addrinfo *addrs = NULL; struct tds_gss_auth *auth = (struct tds_gss_auth *) calloc(1, sizeof(struct tds_gss_auth)); if (!auth || !tds->login) return NULL; auth->tds_auth.free = tds_gss_free; auth->tds_auth.handle_next = tds_gss_handle_next; auth->gss_context = GSS_C_NO_CONTEXT; auth->last_stat = GSS_S_COMPLETE; server_name = tds_dstr_cstr(&tds->login->server_host_name); if (strchr(server_name, '.') == NULL) { struct tds_addrinfo hints; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_flags = AI_V4MAPPED|AI_ADDRCONFIG|AI_CANONNAME|AI_FQDN; if (!tds_getaddrinfo(server_name, NULL, &hints, &addrs) && addrs->ai_canonname && strchr(addrs->ai_canonname, '.') != NULL) server_name = addrs->ai_canonname; } if (!tds_dstr_isempty(&tds->login->server_spn)) { auth->sname = strdup(tds_dstr_cstr(&tds->login->server_spn)); } else if (tds_dstr_isempty(&tds->login->server_realm_name)) { if (asprintf(&auth->sname, "MSSQLSvc/%s:%d", server_name, tds->login->port) < 0) auth->sname = NULL; } else { if (asprintf(&auth->sname, "MSSQLSvc/%s:%d@%s", server_name, tds->login->port, tds_dstr_cstr(&tds->login->server_realm_name)) < 0) auth->sname = NULL; } if (addrs) tds_freeaddrinfo(addrs); if (auth->sname == NULL) { tds_gss_free(tds->conn, (TDSAUTHENTICATION *) auth); return NULL; } tdsdump_log(TDS_DBG_NETWORK, "using kerberos name %s\n", auth->sname); /* * Import the name into target_name. Use send_tok to save * local variable space. */ send_tok.value = auth->sname; send_tok.length = strlen(auth->sname); maj_stat = gss_import_name(&min_stat, &send_tok, &nt_principal, &auth->target_name); switch (maj_stat) { case GSS_S_COMPLETE: tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_COMPLETE: gss_import_name completed successfully.\n"); if (TDS_FAILED(tds_gss_continue(tds, auth, GSS_C_NO_BUFFER))) { tds_gss_free(tds->conn, (TDSAUTHENTICATION *) auth); return NULL; } break; case GSS_S_BAD_NAMETYPE: tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_BAD_NAMETYPE: The input_name_type was unrecognized.\n"); break; case GSS_S_BAD_NAME: tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_BAD_NAME: The input_name parameter could not be interpreted as a name of the specified type.\n"); break; case GSS_S_BAD_MECH: tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: GSS_S_BAD_MECH: The input name-type was GSS_C_NT_EXPORT_NAME, but the mechanism contained within the input-name is not supported.\n"); break; default: tdsdump_log(TDS_DBG_NETWORK, "gss_import_name: unexpected error %d.\n", maj_stat); break; } if (GSS_ERROR(maj_stat)) { tds_gss_free(tds->conn, (TDSAUTHENTICATION *) auth); return NULL; } return (TDSAUTHENTICATION *) auth; }