/*
* Create a new client struct from a file descriptor and establish a GSS-API
* context as a specified service with an incoming client and fills out the
* client struct. Returns a new client struct on success and NULL on failure,
* logging an appropriate error message.
*/
struct client *
server_new_client(int fd, gss_cred_id_t creds)
{
struct client *client;
struct sockaddr_storage ss;
socklen_t socklen;
size_t length;
char *buffer;
gss_buffer_desc send_tok, recv_tok, name_buf;
gss_name_t name = GSS_C_NO_NAME;
gss_OID doid;
OM_uint32 major = 0;
OM_uint32 minor = 0;
OM_uint32 acc_minor, time_rec;
int flags, status;
static const OM_uint32 req_gss_flags
= (GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG);
/* Create and initialize a new client struct. */
client = xcalloc(1, sizeof(struct client));
client->fd = fd;
client->context = GSS_C_NO_CONTEXT;
/* Fill in hostname and IP address. */
socklen = sizeof(ss);
if (getpeername(fd, (struct sockaddr *) &ss, &socklen) != 0) {
syswarn("cannot get peer address");
goto fail;
}
length = INET6_ADDRSTRLEN;
buffer = xmalloc(length);
client->ipaddress = buffer;
status = getnameinfo((struct sockaddr *) &ss, socklen, buffer, length,
NULL, 0, NI_NUMERICHOST);
if (status != 0) {
syswarn("cannot translate IP address of client: %s",
gai_strerror(status));
goto fail;
}
length = NI_MAXHOST;
buffer = xmalloc(length);
status = getnameinfo((struct sockaddr *) &ss, socklen, buffer, length,
NULL, 0, NI_NAMEREQD);
if (status == 0)
client->hostname = buffer;
else
free(buffer);
/* Accept the initial (worthless) token. */
status = token_recv(client->fd, &flags, &recv_tok, TOKEN_MAX_LENGTH,
TIMEOUT);
if (status != TOKEN_OK) {
warn_token("receiving initial token", status, major, minor);
goto fail;
}
free(recv_tok.value);
if (flags == (TOKEN_NOOP | TOKEN_CONTEXT_NEXT | TOKEN_PROTOCOL))
client->protocol = 2;
else if (flags == (TOKEN_NOOP | TOKEN_CONTEXT_NEXT))
client->protocol = 1;
else {
warn("bad token flags %d in initial token", flags);
goto fail;
}
/* Now, do the real work of negotiating the context. */
do {
status = token_recv(client->fd, &flags, &recv_tok, TOKEN_MAX_LENGTH,
TIMEOUT);
if (status != TOKEN_OK) {
warn_token("receiving context token", status, major, minor);
goto fail;
}
if (flags == TOKEN_CONTEXT)
client->protocol = 1;
else if (flags != (TOKEN_CONTEXT | TOKEN_PROTOCOL)) {
warn("bad token flags %d in context token", flags);
free(recv_tok.value);
goto fail;
}
debug("received context token (size=%lu)",
(unsigned long) recv_tok.length);
major = gss_accept_sec_context(&acc_minor, &client->context, creds,
&recv_tok, GSS_C_NO_CHANNEL_BINDINGS, &name, &doid,
&send_tok, &client->flags, &time_rec, NULL);
free(recv_tok.value);
/* Send back a token if we need to. */
if (send_tok.length != 0) {
debug("sending context token (size=%lu)",
(unsigned long) send_tok.length);
flags = TOKEN_CONTEXT;
if (client->protocol > 1)
flags |= TOKEN_PROTOCOL;
status = token_send(client->fd, flags, &send_tok, TIMEOUT);
if (status != TOKEN_OK) {
warn_token("sending context token", status, major, minor);
gss_release_buffer(&minor, &send_tok);
goto fail;
}
gss_release_buffer(&minor, &send_tok);
}
/* Bail out if we lose. */
if (major != GSS_S_COMPLETE && major != GSS_S_CONTINUE_NEEDED) {
warn_gssapi("while accepting context", major, acc_minor);
goto fail;
}
if (major == GSS_S_CONTINUE_NEEDED)
debug("continue needed while accepting context");
} while (major == GSS_S_CONTINUE_NEEDED);
/* Make sure that the appropriate context flags are set. */
if (client->protocol > 1) {
if ((client->flags & req_gss_flags) != req_gss_flags) {
warn("client did not negotiate appropriate GSS-API flags");
goto fail;
}
}
/* Based on the protocol, set up the callbacks. */
if (client->protocol == 1) {
client->setup = server_v1_command_setup;
client->finish = server_v1_send_output;
client->error = server_v1_send_error;
} else {
client->setup = server_v2_command_setup;
client->finish = server_v2_command_finish;
client->error = server_v2_send_error;
}
/* Get the display version of the client name and store it. */
major = gss_display_name(&minor, name, &name_buf, &doid);
if (major != GSS_S_COMPLETE) {
warn_gssapi("while displaying client name", major, minor);
goto fail;
}
gss_release_name(&minor, &name);
if (gss_oid_equal(doid, GSS_C_NT_ANONYMOUS))
client->anonymous = true;
client->user = xstrndup(name_buf.value, name_buf.length);
client->expires = time(NULL) + time_rec;
gss_release_buffer(&minor, &name_buf);
return client;
fail:
if (client->context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor, &client->context, GSS_C_NO_BUFFER);
if (name != GSS_C_NO_NAME)
gss_release_name(&minor, &name);
free(client->ipaddress);
free(client->hostname);
free(client);
return NULL;
}
/** @brief returns the OIDs of the mechs that work with both
* hostname and username
*/
static int ssh_gssapi_match(ssh_session session, char *hostname, char *username, gss_OID_set *valid_oids, int deleg){
gss_buffer_desc host_namebuf, user_namebuf;
gss_name_t host_name, user_name;
OM_uint32 maj_stat, min_stat;
gss_OID_set supported;
gss_OID oid;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL;
unsigned int i;
char *ptr;
char hostname_buf[256];
gss_create_empty_oid_set(&min_stat, valid_oids);
maj_stat = gss_indicate_mechs(&min_stat, &supported);
for (i=0; i < supported->count; ++i){
ptr=ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length);
SSH_LOG(SSH_LOG_DEBUG, "GSSAPI oid supported %d : %s\n",i, ptr);
SAFE_FREE(ptr);
}
user_namebuf.value = username;
user_namebuf.length = strlen(username) + 1;
maj_stat = gss_import_name(&min_stat, &user_namebuf,
(gss_OID) GSS_C_NT_USER_NAME, &user_name);
if (maj_stat != GSS_S_COMPLETE) {
SSH_LOG(SSH_LOG_DEBUG, "importing name %d, %d", maj_stat, min_stat);
ssh_gssapi_log_error(SSH_LOG_DEBUG, "importing name", maj_stat);
return -1;
}
snprintf(hostname_buf, sizeof(hostname_buf),"host@%s", hostname);
host_namebuf.value = hostname_buf;
host_namebuf.length = strlen(hostname_buf) + 1;
maj_stat = gss_import_name(&min_stat, &host_namebuf,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &host_name);
if (maj_stat != GSS_S_COMPLETE) {
SSH_LOG(0, "importing name %d, %d", maj_stat, min_stat);
ssh_gssapi_log_error(0, "importing name", maj_stat);
return -1;
}
ssh_gssapi_init(session);
session->gssapi->client_name = user_name;
session->gssapi->client.server_name = host_name;
session->gssapi->user = strdup(username);
for (i=0; i<supported->count; ++i){
oid = &supported->elements[i];
maj_stat = gss_init_sec_context(&min_stat,
session->gssapi->client.client_deleg_creds, &ctx, host_name, oid,
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | (deleg ? GSS_C_DELEG_FLAG : 0),
0, NULL, &input_token, NULL, &output_token, NULL, NULL);
if (!GSS_ERROR(maj_stat)){
gss_OID_set tmp;
if (session->gssapi->client.client_deleg_creds != GSS_C_NO_CREDENTIAL){
/* we know the oid is ok since init_sec_context worked */
gss_add_oid_set_member(&min_stat, oid, valid_oids);
SSH_LOG(SSH_LOG_PROTOCOL, "Matched oid %u for server (with forwarding)", i);
} else {
gss_create_empty_oid_set(&min_stat, &tmp);
gss_add_oid_set_member(&min_stat, oid, &tmp);
maj_stat = gss_acquire_cred(&min_stat, user_name, 0,
tmp, GSS_C_INITIATE,
&client_creds, NULL, NULL);
gss_release_oid_set(&min_stat, &tmp);
if (!GSS_ERROR(maj_stat)){
gss_release_cred(&min_stat, &client_creds);
gss_add_oid_set_member(&min_stat,oid,valid_oids);
SSH_LOG(SSH_LOG_PROTOCOL, "Matched oid %u for server", i);
}
}
}
gss_delete_sec_context(&min_stat,&ctx, &output_token);
ctx = GSS_C_NO_CONTEXT;
}
return SSH_OK;
}
CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
struct connectdata *conn)
{
struct SessionHandle *data = conn->data;
curl_socket_t sock = conn->sock[sockindex];
CURLcode code;
ssize_t actualread;
ssize_t written;
int result;
long timeout;
OM_uint32 gss_major_status, gss_minor_status, gss_status;
OM_uint32 gss_ret_flags;
int gss_conf_state, gss_enc;
gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gss_send_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gss_recv_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gss_w_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc* gss_token = GSS_C_NO_BUFFER;
gss_name_t server = GSS_C_NO_NAME;
gss_name_t gss_client_name = GSS_C_NO_NAME;
u_short us_length;
char *user=NULL;
unsigned char socksreq[4]; /* room for gssapi exchange header only */
char *serviceptr = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE];
/* get timeout */
timeout = Curl_timeleft(conn, NULL, TRUE);
/* GSSAPI request looks like
* +----+------+-----+----------------+
* |VER | MTYP | LEN | TOKEN |
* +----+------+----------------------+
* | 1 | 1 | 2 | up to 2^16 - 1 |
* +----+------+-----+----------------+
*/
/* prepare service name */
if (strchr(serviceptr,'/')) {
service.value = malloc(strlen(serviceptr));
if(!service.value)
return CURLE_OUT_OF_MEMORY;
service.length = strlen(serviceptr);
memcpy(service.value, serviceptr, service.length);
gss_major_status = gss_import_name(&gss_minor_status, &service,
(gss_OID) GSS_C_NULL_OID, &server);
}
else {
service.value = malloc(strlen(serviceptr) +strlen(conn->proxy.name)+2);
if(!service.value)
return CURLE_OUT_OF_MEMORY;
service.length = strlen(serviceptr) +strlen(conn->proxy.name)+1;
snprintf(service.value, service.length+1, "%s@%s",
serviceptr, conn->proxy.name);
gss_major_status = gss_import_name(&gss_minor_status, &service,
gss_nt_service_name, &server);
}
gss_release_buffer(&gss_status, &service); /* clear allocated memory */
if(check_gss_err(data,gss_major_status,
gss_minor_status,"gss_import_name()")) {
failf(data, "Failed to create service name.");
gss_release_name(&gss_status, &server);
return CURLE_COULDNT_CONNECT;
}
/* As long as we need to keep sending some context info, and there's no */
/* errors, keep sending it... */
for(;;) {
gss_major_status = gss_init_sec_context(&gss_minor_status,
GSS_C_NO_CREDENTIAL,
&gss_context, server,
GSS_C_NULL_OID,
GSS_C_MUTUAL_FLAG |
GSS_C_REPLAY_FLAG,
0,
NULL,
gss_token,
NULL,
&gss_send_token,
&gss_ret_flags,
NULL);
if(gss_token != GSS_C_NO_BUFFER)
gss_release_buffer(&gss_status, &gss_recv_token);
if(check_gss_err(data,gss_major_status,
gss_minor_status,"gss_init_sec_context")) {
gss_release_name(&gss_status, &server);
gss_release_buffer(&gss_status, &gss_recv_token);
gss_release_buffer(&gss_status, &gss_send_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
failf(data, "Failed to initial GSSAPI token.");
return CURLE_COULDNT_CONNECT;
}
if(gss_send_token.length != 0) {
socksreq[0] = 1; /* gssapi subnegotiation version */
socksreq[1] = 1; /* authentication message type */
us_length = htons((short)gss_send_token.length);
memcpy(socksreq+2,&us_length,sizeof(short));
code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
if((code != CURLE_OK) || (4 != written)) {
failf(data, "Failed to send GSSAPI authentication request.");
gss_release_name(&gss_status, &server);
gss_release_buffer(&gss_status, &gss_recv_token);
gss_release_buffer(&gss_status, &gss_send_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
code = Curl_write_plain(conn, sock, (char *)gss_send_token.value,
gss_send_token.length, &written);
if((code != CURLE_OK) || ((ssize_t)gss_send_token.length != written)) {
failf(data, "Failed to send GSSAPI authentication token.");
gss_release_name(&gss_status, &server);
gss_release_buffer(&gss_status, &gss_recv_token);
gss_release_buffer(&gss_status, &gss_send_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
}
gss_release_buffer(&gss_status, &gss_send_token);
gss_release_buffer(&gss_status, &gss_recv_token);
if(gss_major_status != GSS_S_CONTINUE_NEEDED) break;
/* analyse response */
/* GSSAPI response looks like
* +----+------+-----+----------------+
* |VER | MTYP | LEN | TOKEN |
* +----+------+----------------------+
* | 1 | 1 | 2 | up to 2^16 - 1 |
* +----+------+-----+----------------+
*/
result=Curl_blockread_all(conn, sock, (char *)socksreq, 4,
&actualread, timeout);
if(result != CURLE_OK || actualread != 4) {
failf(data, "Failed to receive GSSAPI authentication response.");
gss_release_name(&gss_status, &server);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
/* ignore the first (VER) byte */
if(socksreq[1] == 255) { /* status / message type */
failf(data, "User was rejected by the SOCKS5 server (%d %d).",
socksreq[0], socksreq[1]);
gss_release_name(&gss_status, &server);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
if(socksreq[1] != 1) { /* status / messgae type */
failf(data, "Invalid GSSAPI authentication response type (%d %d).",
socksreq[0], socksreq[1]);
gss_release_name(&gss_status, &server);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
memcpy(&us_length, socksreq+2, sizeof(short));
us_length = ntohs(us_length);
gss_recv_token.length=us_length;
gss_recv_token.value=malloc(us_length);
if(!gss_recv_token.value) {
failf(data,
"Could not allocate memory for GSSAPI authentication "
"response token.");
gss_release_name(&gss_status, &server);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_OUT_OF_MEMORY;
}
result=Curl_blockread_all(conn, sock, (char *)gss_recv_token.value,
gss_recv_token.length,
&actualread, timeout);
if(result != CURLE_OK || actualread != us_length) {
failf(data, "Failed to receive GSSAPI authentication token.");
gss_release_name(&gss_status, &server);
gss_release_buffer(&gss_status, &gss_recv_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
gss_token = &gss_recv_token;
}
gss_release_name(&gss_status, &server);
/* Everything is good so far, user was authenticated! */
gss_major_status = gss_inquire_context (&gss_minor_status, gss_context,
&gss_client_name, NULL, NULL, NULL,
NULL, NULL, NULL);
if(check_gss_err(data,gss_major_status,
gss_minor_status,"gss_inquire_context")) {
gss_delete_sec_context(&gss_status, &gss_context, NULL);
gss_release_name(&gss_status, &gss_client_name);
failf(data, "Failed to determine user name.");
return CURLE_COULDNT_CONNECT;
}
gss_major_status = gss_display_name(&gss_minor_status, gss_client_name,
&gss_send_token, NULL);
if(check_gss_err(data,gss_major_status,
gss_minor_status,"gss_display_name")) {
gss_delete_sec_context(&gss_status, &gss_context, NULL);
gss_release_name(&gss_status, &gss_client_name);
gss_release_buffer(&gss_status, &gss_send_token);
failf(data, "Failed to determine user name.");
return CURLE_COULDNT_CONNECT;
}
user=malloc(gss_send_token.length+1);
if(!user) {
gss_delete_sec_context(&gss_status, &gss_context, NULL);
gss_release_name(&gss_status, &gss_client_name);
gss_release_buffer(&gss_status, &gss_send_token);
return CURLE_OUT_OF_MEMORY;
}
memcpy(user, gss_send_token.value, gss_send_token.length);
user[gss_send_token.length] = '\0';
gss_release_name(&gss_status, &gss_client_name);
gss_release_buffer(&gss_status, &gss_send_token);
infof(data, "SOCKS5 server authencticated user %s with gssapi.\n",user);
free(user);
user=NULL;
/* Do encryption */
socksreq[0] = 1; /* gssapi subnegotiation version */
socksreq[1] = 2; /* encryption message type */
gss_enc = 0; /* no data protection */
/* do confidentiality protection if supported */
if(gss_ret_flags & GSS_C_CONF_FLAG)
gss_enc = 2;
/* else do integrity protection */
else if(gss_ret_flags & GSS_C_INTEG_FLAG)
gss_enc = 1;
infof(data, "SOCKS5 server supports gssapi %s data protection.\n",
(gss_enc==0)?"no":((gss_enc==1)?"integrity":"confidentiality"));
/* force for the moment to no data protection */
gss_enc = 0;
/*
* Sending the encryption type in clear seems wrong. It should be
* protected with gss_seal()/gss_wrap(). See RFC1961 extract below
* The NEC reference implementations on which this is based is
* therefore at fault
*
* +------+------+------+.......................+
* + ver | mtyp | len | token |
* +------+------+------+.......................+
* + 0x01 | 0x02 | 0x02 | up to 2^16 - 1 octets |
* +------+------+------+.......................+
*
* Where:
*
* - "ver" is the protocol version number, here 1 to represent the
* first version of the SOCKS/GSS-API protocol
*
* - "mtyp" is the message type, here 2 to represent a protection
* -level negotiation message
*
* - "len" is the length of the "token" field in octets
*
* - "token" is the GSS-API encapsulated protection level
*
* The token is produced by encapsulating an octet containing the
* required protection level using gss_seal()/gss_wrap() with conf_req
* set to FALSE. The token is verified using gss_unseal()/
* gss_unwrap().
*
*/
if(data->set.socks5_gssapi_nec) {
us_length = htons((short)1);
memcpy(socksreq+2,&us_length,sizeof(short));
}
else {
gss_send_token.length = 1;
gss_send_token.value = malloc(1);
if(!gss_send_token.value) {
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_OUT_OF_MEMORY;
}
memcpy(gss_send_token.value, &gss_enc, 1);
gss_major_status = gss_wrap(&gss_minor_status, gss_context, 0,
GSS_C_QOP_DEFAULT, &gss_send_token,
&gss_conf_state, &gss_w_token);
if(check_gss_err(data,gss_major_status,gss_minor_status,"gss_wrap")) {
gss_release_buffer(&gss_status, &gss_send_token);
gss_release_buffer(&gss_status, &gss_w_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
failf(data, "Failed to wrap GSSAPI encryption value into token.");
return CURLE_COULDNT_CONNECT;
}
gss_release_buffer(&gss_status, &gss_send_token);
us_length = htons((short)gss_w_token.length);
memcpy(socksreq+2,&us_length,sizeof(short));
}
code = Curl_write_plain(conn, sock, (char *)socksreq, 4, &written);
if((code != CURLE_OK) || (4 != written)) {
failf(data, "Failed to send GSSAPI encryption request.");
gss_release_buffer(&gss_status, &gss_w_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
if(data->set.socks5_gssapi_nec) {
memcpy(socksreq, &gss_enc, 1);
code = Curl_write_plain(conn, sock, socksreq, 1, &written);
if((code != CURLE_OK) || ( 1 != written)) {
failf(data, "Failed to send GSSAPI encryption type.");
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
} else {
code = Curl_write_plain(conn, sock, (char *)gss_w_token.value,
gss_w_token.length, &written);
if((code != CURLE_OK) || ((ssize_t)gss_w_token.length != written)) {
failf(data, "Failed to send GSSAPI encryption type.");
gss_release_buffer(&gss_status, &gss_w_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
gss_release_buffer(&gss_status, &gss_w_token);
}
result=Curl_blockread_all(conn, sock, (char *)socksreq, 4,
&actualread, timeout);
if(result != CURLE_OK || actualread != 4) {
failf(data, "Failed to receive GSSAPI encryption response.");
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
/* ignore the first (VER) byte */
if(socksreq[1] == 255) { /* status / message type */
failf(data, "User was rejected by the SOCKS5 server (%d %d).",
socksreq[0], socksreq[1]);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
if(socksreq[1] != 2) { /* status / messgae type */
failf(data, "Invalid GSSAPI encryption response type (%d %d).",
socksreq[0], socksreq[1]);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
memcpy(&us_length, socksreq+2, sizeof(short));
us_length = ntohs(us_length);
gss_recv_token.length= us_length;
gss_recv_token.value=malloc(gss_recv_token.length);
if(!gss_recv_token.value) {
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_OUT_OF_MEMORY;
}
result=Curl_blockread_all(conn, sock, (char *)gss_recv_token.value,
gss_recv_token.length,
&actualread, timeout);
if(result != CURLE_OK || actualread != us_length) {
failf(data, "Failed to receive GSSAPI encryptrion type.");
gss_release_buffer(&gss_status, &gss_recv_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
if(!data->set.socks5_gssapi_nec) {
gss_major_status = gss_unwrap(&gss_minor_status, gss_context,
&gss_recv_token, &gss_w_token,
0, GSS_C_QOP_DEFAULT);
if(check_gss_err(data,gss_major_status,gss_minor_status,"gss_unwrap")) {
gss_release_buffer(&gss_status, &gss_recv_token);
gss_release_buffer(&gss_status, &gss_w_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
failf(data, "Failed to unwrap GSSAPI encryption value into token.");
return CURLE_COULDNT_CONNECT;
}
gss_release_buffer(&gss_status, &gss_recv_token);
if(gss_w_token.length != 1) {
failf(data, "Invalid GSSAPI encryption response length (%d).",
gss_w_token.length);
gss_release_buffer(&gss_status, &gss_w_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
memcpy(socksreq,gss_w_token.value,gss_w_token.length);
gss_release_buffer(&gss_status, &gss_w_token);
}
else {
if(gss_recv_token.length != 1) {
failf(data, "Invalid GSSAPI encryption response length (%d).",
gss_recv_token.length);
gss_release_buffer(&gss_status, &gss_recv_token);
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_COULDNT_CONNECT;
}
memcpy(socksreq,gss_recv_token.value,gss_recv_token.length);
gss_release_buffer(&gss_status, &gss_recv_token);
}
infof(data, "SOCKS5 access with%s protection granted.\n",
(socksreq[0]==0)?"out gssapi data":
((socksreq[0]==1)?" gssapi integrity":" gssapi confidentiality"));
conn->socks5_gssapi_enctype = socksreq[0];
if(socksreq[0] == 0)
gss_delete_sec_context(&gss_status, &gss_context, NULL);
return CURLE_OK;
}
int /* O - 0 on success, -1 on error */
_cupsSetNegotiateAuthString(
http_t *http, /* I - Connection to server */
const char *method, /* I - Request method ("GET", "POST", "PUT") */
const char *resource) /* I - Resource path */
{
OM_uint32 minor_status, /* Minor status code */
major_status; /* Major status code */
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
/* Output token */
(void)method;
(void)resource;
# ifdef __APPLE__
/*
* If the weak-linked GSSAPI/Kerberos library is not present, don't try
* to use it...
*/
if (&gss_init_sec_context == NULL)
{
DEBUG_puts("1_cupsSetNegotiateAuthString: Weak-linked GSSAPI/Kerberos "
"framework is not present");
return (-1);
}
# endif /* __APPLE__ */
if (http->gssname == GSS_C_NO_NAME)
{
http->gssname = cups_gss_getname(http, _cupsGSSServiceName());
}
if (http->gssctx != GSS_C_NO_CONTEXT)
{
gss_delete_sec_context(&minor_status, &http->gssctx, GSS_C_NO_BUFFER);
http->gssctx = GSS_C_NO_CONTEXT;
}
major_status = gss_init_sec_context(&minor_status, GSS_C_NO_CREDENTIAL,
&http->gssctx,
http->gssname, http->gssmech,
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG,
GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, &http->gssmech,
&output_token, NULL, NULL);
#ifdef HAVE_GSS_ACQUIRE_CRED_EX_F
if (major_status == GSS_S_NO_CRED)
{
/*
* Ask the user for credentials...
*/
char prompt[1024], /* Prompt for user */
userbuf[256]; /* Kerberos username */
const char *username, /* Username string */
*password; /* Password string */
_cups_gss_acquire_t data; /* Callback data */
gss_auth_identity_desc identity; /* Kerberos user identity */
_cups_globals_t *cg = _cupsGlobals();
/* Per-thread global data */
if (!cg->lang_default)
cg->lang_default = cupsLangDefault();
snprintf(prompt, sizeof(prompt),
_cupsLangString(cg->lang_default, _("Password for %s on %s? ")),
cupsUser(), http->gsshost);
if ((password = cupsGetPassword2(prompt, http, method, resource)) == NULL)
return (-1);
/*
* Try to acquire credentials...
*/
username = cupsUser();
if (!strchr(username, '@'))
{
snprintf(userbuf, sizeof(userbuf), "%s@%s", username, http->gsshost);
username = userbuf;
}
identity.type = GSS_AUTH_IDENTITY_TYPE_1;
identity.flags = 0;
identity.username = (char *)username;
identity.realm = (char *)"";
identity.password = (char *)password;
identity.credentialsRef = NULL;
data.sem = dispatch_semaphore_create(0);
data.major = 0;
data.creds = NULL;
if (data.sem)
{
major_status = gss_acquire_cred_ex_f(NULL, GSS_C_NO_NAME, 0, GSS_C_INDEFINITE, GSS_KRB5_MECHANISM, GSS_C_INITIATE, (gss_auth_identity_t)&identity, &data, cups_gss_acquire);
if (major_status == GSS_S_COMPLETE)
{
dispatch_semaphore_wait(data.sem, DISPATCH_TIME_FOREVER);
major_status = data.major;
}
dispatch_release(data.sem);
if (major_status == GSS_S_COMPLETE)
{
OM_uint32 release_minor; /* Minor status from releasing creds */
major_status = gss_init_sec_context(&minor_status, data.creds,
&http->gssctx,
http->gssname, http->gssmech,
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG,
GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, &http->gssmech,
&output_token, NULL, NULL);
gss_release_cred(&release_minor, &data.creds);
}
}
}
#endif /* HAVE_GSS_ACQUIRED_CRED_EX_F */
if (GSS_ERROR(major_status))
{
cups_gss_printf(major_status, minor_status,
"_cupsSetNegotiateAuthString: Unable to initialize "
"security context");
return (-1);
}
#ifdef DEBUG
else if (major_status == GSS_S_CONTINUE_NEEDED)
cups_gss_printf(major_status, minor_status,
"_cupsSetNegotiateAuthString: Continuation needed!");
#endif /* DEBUG */
if (output_token.length > 0 && output_token.length <= 65536)
{
/*
* Allocate the authorization string since Windows KDCs can have
* arbitrarily large credentials...
*/
int authsize = 10 + /* "Negotiate " */
(int)output_token.length * 4 / 3 + 1 + 1;
/* Base64 + nul */
httpSetAuthString(http, NULL, NULL);
if ((http->authstring = malloc((size_t)authsize)) == NULL)
{
http->authstring = http->_authstring;
authsize = sizeof(http->_authstring);
}
strlcpy(http->authstring, "Negotiate ", (size_t)authsize);
httpEncode64_2(http->authstring + 10, authsize - 10, output_token.value,
(int)output_token.length);
gss_release_buffer(&minor_status, &output_token);
}
else
{
DEBUG_printf(("1_cupsSetNegotiateAuthString: Kerberos credentials too "
"large - %d bytes!", (int)output_token.length));
gss_release_buffer(&minor_status, &output_token);
return (-1);
}
return (0);
}