[thirdparty/squid.git] / helpers / negotiate_auth / kerberos / negotiate_kerberos_auth.cc

/*
 * -----------------------------------------------------------------------------
 *
 * Author: Markus Moeller (markus_moeller at compuserve.com)
 *
 * Copyright (C) 2007 Markus Moeller. All rights reserved.
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
 *
 *   As a special exemption, M Moeller gives permission to link this program
 *   with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
 *   the resulting executable, without including the source code for
 *   the Libraries in the source distribution.
 *
 * -----------------------------------------------------------------------------
 */
/*
 * Hosted at http://sourceforge.net/projects/squidkerbauth
 */
#include "squid.h"
#include "compat/getaddrinfo.h"
#include "compat/getnameinfo.h"

#if HAVE_GSSAPI

#if HAVE_STRING_H
#include <string.h>
#endif
#if HAVE_STDOI_H
#include <stdio.h>
#endif
#if HAVE_NETDB_H
#include <netdb.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#if HAVE_TIME_H
#include <time.h>
#endif

#include "util.h"
#include "base64.h"

#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif

#if !HAVE_HEIMDAL_KERBEROS
#if HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
#endif
#if HAVE_GSSAPI_GSSAPI_GENERIC_H
#include <gssapi/gssapi_generic.h>
#endif
#if HAVE_GSSAPI_GSSAPI_EXT_H
#include <gssapi/gssapi_ext.h>
#endif
#endif

#ifndef gss_nt_service_name
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#endif

#define PROGRAM "negotiate_kerberos_auth"

#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN   65535
#endif
#ifndef SQUID_KERB_AUTH_VERSION
#define SQUID_KERB_AUTH_VERSION "3.0.4sq"
#endif

int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
                  const char *function, int log);
char *gethost_name(void);
static const char *LogTime(void);

static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

static const char *
LogTime()
{
    struct tm *tm;
    struct timeval now;
    static time_t last_t = 0;
    static char buf[128];

    gettimeofday(&now, NULL);
    if (now.tv_sec != last_t) {
        tm = localtime((time_t *) & now.tv_sec);
        strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
        last_t = now.tv_sec;
    }
    return buf;
}

char *
gethost_name(void)
{
    /*
     * char hostname[sysconf(_SC_HOST_NAME_MAX)];
     */
    char hostname[1024];
    struct addrinfo *hres = NULL, *hres_list;
    int rc, count;

    rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX));
    if (rc) {
        fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n",
                LogTime(), PROGRAM, hostname);
        return NULL;
    }
    rc = getaddrinfo(hostname, NULL, NULL, &hres);
    if (rc != 0) {
        fprintf(stderr,
                "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n",
                LogTime(), PROGRAM, gai_strerror(rc));
        return NULL;
    }
    hres_list = hres;
    count = 0;
    while (hres_list) {
        ++count;
        hres_list = hres_list->ai_next;
    }
    rc = getnameinfo(hres->ai_addr, hres->ai_addrlen, hostname,
                     sizeof(hostname), NULL, 0, 0);
    if (rc != 0) {
        fprintf(stderr,
                "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n",
                LogTime(), PROGRAM, gai_strerror(rc));
        freeaddrinfo(hres);
        return NULL;
    }
    freeaddrinfo(hres);
    hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0';
    return (xstrdup(hostname));
}

int
check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
              const char *function, int log)
{
    if (GSS_ERROR(major_status)) {
        OM_uint32 maj_stat, min_stat;
        OM_uint32 msg_ctx = 0;
        gss_buffer_desc status_string;
        char buf[1024];
        size_t len;

        len = 0;
        msg_ctx = 0;
        do {
            /* convert major status code (GSS-API error) to text */
            maj_stat = gss_display_status(&min_stat, major_status,
                                          GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
            if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) {
                if (sizeof(buf) > len + status_string.length + 1) {
                    snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
                    len += status_string.length;
                }
            } else
                msg_ctx = 0;
            gss_release_buffer(&min_stat, &status_string);
        } while (msg_ctx);
        if (sizeof(buf) > len + 2) {
            snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
            len += 2;
        }
        msg_ctx = 0;
        do {
            /* convert minor status code (underlying routine error) to text */
            maj_stat = gss_display_status(&min_stat, minor_status,
                                          GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
            if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) {
                if (sizeof(buf) > len + status_string.length) {
                    snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
                    len += status_string.length;
                }
            } else
                msg_ctx = 0;
            gss_release_buffer(&min_stat, &status_string);
        } while (msg_ctx);
        debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
        fprintf(stdout, "BH %s failed: %s\n", function, buf);
        if (log)
            fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(),
                    PROGRAM);
        return (1);
    }
    return (0);
}

int
main(int argc, char *const argv[])
{
    char buf[MAX_AUTHTOKEN_LEN];
    char *c, *p;
    char *user = NULL;
    int length = 0;
    static int err = 0;
    int opt, log = 0, norealm = 0;
    OM_uint32 ret_flags = 0, spnego_flag = 0;
    char *service_name = (char *) "HTTP", *host_name = NULL;
    char *token = NULL;
    char *service_principal = NULL;
    OM_uint32 major_status, minor_status;
    gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
    gss_name_t client_name = GSS_C_NO_NAME;
    gss_name_t server_name = GSS_C_NO_NAME;
    gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
    gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
    const unsigned char *kerberosToken = NULL;
    const unsigned char *spnegoToken = NULL;
    size_t spnegoTokenLength = 0;

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);

    while (-1 != (opt = getopt(argc, argv, "dirs:h"))) {
        switch (opt) {
        case 'd':
            debug_enabled = 1;
            break;
        case 'i':
            log = 1;
            break;
        case 'r':
            norealm = 1;
            break;
        case 's':
            service_principal = xstrdup(optarg);
            break;
        case 'h':
            fprintf(stderr, "Usage: \n");
            fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n");
            fprintf(stderr, "-d full debug\n");
            fprintf(stderr, "-i informational messages\n");
            fprintf(stderr, "-r remove realm from username\n");
            fprintf(stderr, "-s service principal name\n");
            fprintf(stderr, "-h help\n");
            fprintf(stderr,
                    "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n");
            fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n");
            exit(0);
        default:
            fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(),
                    PROGRAM, opt);
        }
    }

    debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, SQUID_KERB_AUTH_VERSION);
    if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) {
        service.value = service_principal;
        service.length = strlen((char *) service.value);
    } else {
        host_name = gethost_name();
        if (!host_name) {
            fprintf(stderr,
                    "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n",
                    LogTime(), PROGRAM);
            fprintf(stdout, "BH hostname error\n");
            exit(-1);
        }
        service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2);
        snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2,
                 "%s@%s", service_name, host_name);
        service.length = strlen((char *) service.value);
    }

    while (1) {
        if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
            if (ferror(stdin)) {
                debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n",
                      LogTime(), PROGRAM, ferror(stdin),
                      strerror(ferror(stdin)));

                fprintf(stdout, "BH input error\n");
                exit(1);	/* BIIG buffer */
            }
            fprintf(stdout, "BH input error\n");
            exit(0);
        }
        c = (char *) memchr(buf, '\n', sizeof(buf) - 1);
        if (c) {
            *c = '\0';
            length = c - buf;
        } else {
            err = 1;
        }
        if (err) {
            debug((char *) "%s| %s: ERROR: Oversized message\n", LogTime(), PROGRAM);
            fprintf(stdout, "BH Oversized message\n");
            err = 0;
            continue;
        }
        debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length);

        if (buf[0] == '\0') {
            debug((char *) "%s| %s: ERROR: Invalid request\n", LogTime(), PROGRAM);
            fprintf(stdout, "BH Invalid request\n");
            continue;
        }
        if (strlen(buf) < 2) {
            debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
            fprintf(stdout, "BH Invalid request\n");
            continue;
        }
        if (!strncmp(buf, "QQ", 2)) {
            gss_release_buffer(&minor_status, &input_token);
            gss_release_buffer(&minor_status, &output_token);
            gss_release_buffer(&minor_status, &service);
            gss_release_cred(&minor_status, &server_creds);
            if (server_name)
                gss_release_name(&minor_status, &server_name);
            if (client_name)
                gss_release_name(&minor_status, &client_name);
            if (gss_context != GSS_C_NO_CONTEXT)
                gss_delete_sec_context(&minor_status, &gss_context, NULL);
            if (kerberosToken) {
                /* Allocated by parseNegTokenInit, but no matching free function exists.. */
                if (!spnego_flag)
                    xfree((char *) kerberosToken);
                kerberosToken = NULL;
            }
            if (spnego_flag) {
                /* Allocated by makeNegTokenTarg, but no matching free function exists.. */
                if (spnegoToken)
                    xfree((char *) spnegoToken);
                spnegoToken = NULL;
            }
            if (token) {
                xfree(token);
                token = NULL;
            }
            if (host_name) {
                xfree(host_name);
                host_name = NULL;
            }
            fprintf(stdout, "BH quit command\n");
            exit(0);
        }
        if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) {
            debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
            fprintf(stdout, "BH Invalid request\n");
            continue;
        }
        if (!strncmp(buf, "YR", 2)) {
            if (gss_context != GSS_C_NO_CONTEXT)
                gss_delete_sec_context(&minor_status, &gss_context, NULL);
            gss_context = GSS_C_NO_CONTEXT;
        }
        if (strlen(buf) <= 3) {
            debug((char *) "%s| %s: ERROR: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf);
            fprintf(stdout, "BH Invalid negotiate request\n");
            continue;
        }
        input_token.length = base64_decode_len(buf+3);
        debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n",
              LogTime(), PROGRAM, buf + 3, (int) input_token.length);
        input_token.value = xmalloc(input_token.length);

        input_token.length = base64_decode((char *) input_token.value, input_token.length, buf+3);

        if ((input_token.length >= sizeof ntlmProtocol + 1) &&
                (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
            debug((char *) "%s| %s: WARNING: received type %d NTLM token\n",
                  LogTime(), PROGRAM,
                  (int) *((unsigned char *) input_token.value +
                          sizeof ntlmProtocol));
            fprintf(stdout, "BH received type %d NTLM token\n",
                    (int) *((unsigned char *) input_token.value +
                            sizeof ntlmProtocol));
            goto cleanup;
        }
        if (service_principal) {
            if (strcasecmp(service_principal, "GSS_C_NO_NAME")) {
                major_status = gss_import_name(&minor_status, &service,
                                               (gss_OID) GSS_C_NULL_OID, &server_name);

            } else {
                server_name = GSS_C_NO_NAME;
                major_status = GSS_S_COMPLETE;
            }
        } else {
            major_status = gss_import_name(&minor_status, &service,
                                           gss_nt_service_name, &server_name);
        }

        if (check_gss_err(major_status, minor_status, "gss_import_name()", log))
            goto cleanup;

        major_status =
            gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
                             GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
        if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log))
            goto cleanup;

        major_status = gss_accept_sec_context(&minor_status,
                                              &gss_context,
                                              server_creds,
                                              &input_token,
                                              GSS_C_NO_CHANNEL_BINDINGS,
                                              &client_name, NULL, &output_token, &ret_flags, NULL, NULL);

        if (output_token.length) {
            spnegoToken = (const unsigned char *) output_token.value;
            spnegoTokenLength = output_token.length;
            token = (char *) xmalloc(base64_encode_len(spnegoTokenLength));
            if (token == NULL) {
                debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
                fprintf(stdout, "BH Not enough memory\n");
                goto cleanup;
            }
            base64_encode_str(token, base64_encode_len(spnegoTokenLength),
                              (const char *) spnegoToken, spnegoTokenLength);

            if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
                goto cleanup;
            if (major_status & GSS_S_CONTINUE_NEEDED) {
                debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
                fprintf(stdout, "TT %s\n", token);
                goto cleanup;
            }
            gss_release_buffer(&minor_status, &output_token);
            major_status =
                gss_display_name(&minor_status, client_name, &output_token,
                                 NULL);

            if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
                goto cleanup;
            user = (char *) xmalloc(output_token.length + 1);
            if (user == NULL) {
                debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
                fprintf(stdout, "BH Not enough memory\n");
                goto cleanup;
            }
            memcpy(user, output_token.value, output_token.length);
            user[output_token.length] = '\0';
            if (norealm && (p = strchr(user, '@')) != NULL) {
                *p = '\0';
            }
            fprintf(stdout, "AF %s %s\n", token, user);
            debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user);
            if (log)
                fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
                        PROGRAM, user);
            goto cleanup;
        } else {
            if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
                goto cleanup;
            if (major_status & GSS_S_CONTINUE_NEEDED) {
                debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
                fprintf(stdout, "NA %s\n", token);
                goto cleanup;
            }
            gss_release_buffer(&minor_status, &output_token);
            major_status =
                gss_display_name(&minor_status, client_name, &output_token,
                                 NULL);

            if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
                goto cleanup;
            /*
             *  Return dummy token AA. May need an extra return tag then AF
             */
            user = (char *) xmalloc(output_token.length + 1);
            if (user == NULL) {
                debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
                fprintf(stdout, "BH Not enough memory\n");
                goto cleanup;
            }
            memcpy(user, output_token.value, output_token.length);
            user[output_token.length] = '\0';
            if (norealm && (p = strchr(user, '@')) != NULL) {
                *p = '\0';
            }
            fprintf(stdout, "AF %s %s\n", "AA==", user);
            debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user);
            if (log)
                fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
                        PROGRAM, user);

        }
cleanup:
        gss_release_buffer(&minor_status, &input_token);
        gss_release_buffer(&minor_status, &output_token);
        gss_release_cred(&minor_status, &server_creds);
        if (server_name)
            gss_release_name(&minor_status, &server_name);
        if (client_name)
            gss_release_name(&minor_status, &client_name);
        if (kerberosToken) {
            /* Allocated by parseNegTokenInit, but no matching free function exists.. */
            if (!spnego_flag)
                xfree((char *) kerberosToken);
            kerberosToken = NULL;
        }
        if (spnego_flag) {
            /* Allocated by makeNegTokenTarg, but no matching free function exists.. */
            if (spnegoToken)
                xfree((char *) spnegoToken);
            spnegoToken = NULL;
        }
        if (token) {
            xfree(token);
            token = NULL;
        }
        if (user) {
            xfree(user);
            user = NULL;
        }
        continue;
    }
}
#else
#include <stdio.h>
#include <stdlib.h>
#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN   65535
#endif
int
main(int argc, char *const argv[])
{
    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    char buf[MAX_AUTHTOKEN_LEN];
    while (1) {
        if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
            fprintf(stdout, "BH input error\n");
            exit(0);
        }
        fprintf(stdout, "BH Kerberos authentication not supported\n");
    }
}
#endif /* HAVE_GSSAPI */
Commit	Line	Data
3e5d7cdf	1	/*
	2	* -----------------------------------------------------------------------------
	3	*
	4	* Author: Markus Moeller (markus_moeller at compuserve.com)
	5	*
	6	* Copyright (C) 2007 Markus Moeller. All rights reserved.
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation; either version 2 of the License, or
	11	* (at your option) any later version.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
	21	*
ba4fe07c AJ	22	* As a special exemption, M Moeller gives permission to link this program
	23	* with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
	24	* the resulting executable, without including the source code for
	25	* the Libraries in the source distribution.
	26	*
3e5d7cdf	27	* -----------------------------------------------------------------------------
	28	*/
	29	/*
	30	* Hosted at http://sourceforge.net/projects/squidkerbauth
	31	*/
f7f3304a	32	#include "squid.h"
27bc2077 AJ	33	#include "compat/getaddrinfo.h"
27bc2077 AJ	34	#include "compat/getnameinfo.h"
d1f95b42	35
3ad12bda	36	#if HAVE_GSSAPI
e9658d82 AJ	37
e9658d82 AJ	38	#if HAVE_STRING_H
3e5d7cdf	39	#include <string.h>
e9658d82 AJ	40	#endif
e9658d82 AJ	41	#if HAVE_STDOI_H
3e5d7cdf	42	#include <stdio.h>
e9658d82	43	#endif
e9658d82	44	#if HAVE_NETDB_H
3e5d7cdf	45	#include <netdb.h>
e9658d82 AJ	46	#endif
e9658d82 AJ	47	#if HAVE_UNISTD_H
3e5d7cdf	48	#include <unistd.h>
e9658d82 AJ	49	#endif
e9658d82 AJ	50	#if HAVE_TIME_H
3e5d7cdf	51	#include <time.h>
e9658d82	52	#endif
3e5d7cdf	53
3ad12bda	54	#include "util.h"
3e5d7cdf	55	#include "base64.h"
3e5d7cdf	56
3ad12bda AJ	57	#if HAVE_GSSAPI_GSSAPI_H
	58	#include <gssapi/gssapi.h>
	59	#elif HAVE_GSSAPI_H
	60	#include <gssapi.h>
3a665e67	61	#endif
75a8c92e AJ	62
75a8c92e AJ	63	#if !HAVE_HEIMDAL_KERBEROS
3ad12bda AJ	64	#if HAVE_GSSAPI_GSSAPI_KRB5_H
3ad12bda AJ	65	#include <gssapi/gssapi_krb5.h>
75a8c92e	66	#endif
3ad12bda AJ	67	#if HAVE_GSSAPI_GSSAPI_GENERIC_H
3ad12bda AJ	68	#include <gssapi/gssapi_generic.h>
75a8c92e AJ	69	#endif
	70	#if HAVE_GSSAPI_GSSAPI_EXT_H
	71	#include <gssapi/gssapi_ext.h>
	72	#endif
	73	#endif
	74
6989c6dc AJ	75	#ifndef gss_nt_service_name
	76	#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
	77	#endif
3e5d7cdf	78
e9658d82	79	#define PROGRAM "negotiate_kerberos_auth"
ba4fe07c AJ	80
	81	#ifndef MAX_AUTHTOKEN_LEN
	82	#define MAX_AUTHTOKEN_LEN 65535
3e5d7cdf	83	#endif
3ad12bda	84	#ifndef SQUID_KERB_AUTH_VERSION
08885c7f	85	#define SQUID_KERB_AUTH_VERSION "3.0.4sq"
3ad12bda	86	#endif
3e5d7cdf	87
3ad12bda	88	int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
2e881a6f	89	const char *function, int log);
3e5d7cdf	90	char *gethost_name(void);
	91	static const char *LogTime(void);
	92
2e881a6f	93	static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
3e5d7cdf	94
3ad12bda AJ	95	static const char *
3ad12bda AJ	96	LogTime()
3e5d7cdf	97	{
	98	struct tm *tm;
	99	struct timeval now;
	100	static time_t last_t = 0;
	101	static char buf[128];
	102
	103	gettimeofday(&now, NULL);
	104	if (now.tv_sec != last_t) {
2e881a6f A	105	tm = localtime((time_t *) & now.tv_sec);
	106	strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
	107	last_t = now.tv_sec;
3e5d7cdf	108	}
	109	return buf;
	110	}
	111
3ad12bda AJ	112	char *
3ad12bda AJ	113	gethost_name(void)
26ac0430	114	{
e6aa9181	115	/*
b1218840 AJ	116	* char hostname[sysconf(_SC_HOST_NAME_MAX)];
b1218840 AJ	117	*/
3d62cc61	118	char hostname[1024];
3ad12bda AJ	119	struct addrinfo hres = NULL, hres_list;
3ad12bda AJ	120	int rc, count;
26ac0430	121
3ad12bda	122	rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX));
26ac0430	123	if (rc) {
2e881a6f A	124	fprintf(stderr, "%s\| %s: ERROR: resolving hostname '%s' failed\n",
	125	LogTime(), PROGRAM, hostname);
	126	return NULL;
26ac0430	127	}
27bc2077	128	rc = getaddrinfo(hostname, NULL, NULL, &hres);
26ac0430	129	if (rc != 0) {
2e881a6f A	130	fprintf(stderr,
	131	"%s\| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n",
	132	LogTime(), PROGRAM, gai_strerror(rc));
	133	return NULL;
26ac0430	134	}
3ad12bda AJ	135	hres_list = hres;
3ad12bda AJ	136	count = 0;
26ac0430	137	while (hres_list) {
755494da	138	++count;
2e881a6f	139	hres_list = hres_list->ai_next;
26ac0430	140	}
27bc2077	141	rc = getnameinfo(hres->ai_addr, hres->ai_addrlen, hostname,
2e881a6f	142	sizeof(hostname), NULL, 0, 0);
26ac0430	143	if (rc != 0) {
2e881a6f A	144	fprintf(stderr,
	145	"%s\| %s: ERROR: resolving ip address with getnameinfo: %s failed\n",
	146	LogTime(), PROGRAM, gai_strerror(rc));
	147	freeaddrinfo(hres);
	148	return NULL;
3e5d7cdf	149	}
27bc2077	150	freeaddrinfo(hres);
3ad12bda AJ	151	hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0';
3ad12bda AJ	152	return (xstrdup(hostname));
3e5d7cdf	153	}
3e5d7cdf	154
3ad12bda AJ	155	int
3ad12bda AJ	156	check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
2e881a6f	157	const char *function, int log)
26ac0430 AJ	158	{
26ac0430 AJ	159	if (GSS_ERROR(major_status)) {
2e881a6f A	160	OM_uint32 maj_stat, min_stat;
	161	OM_uint32 msg_ctx = 0;
	162	gss_buffer_desc status_string;
	163	char buf[1024];
	164	size_t len;
	165
	166	len = 0;
	167	msg_ctx = 0;
08885c7f	168	do {
2e881a6f A	169	/* convert major status code (GSS-API error) to text */
	170	maj_stat = gss_display_status(&min_stat, major_status,
	171	GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
08885c7f	172	if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) {
2e881a6f A	173	if (sizeof(buf) > len + status_string.length + 1) {
	174	snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
	175	len += status_string.length;
	176	}
08885c7f MM	177	} else
08885c7f MM	178	msg_ctx = 0;
2e881a6f	179	gss_release_buffer(&min_stat, &status_string);
08885c7f	180	} while (msg_ctx);
2e881a6f A	181	if (sizeof(buf) > len + 2) {
	182	snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
	183	len += 2;
	184	}
	185	msg_ctx = 0;
08885c7f	186	do {
2e881a6f A	187	/* convert minor status code (underlying routine error) to text */
	188	maj_stat = gss_display_status(&min_stat, minor_status,
	189	GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
08885c7f	190	if (maj_stat == GSS_S_COMPLETE && status_string.length > 0) {
2e881a6f A	191	if (sizeof(buf) > len + status_string.length) {
	192	snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
	193	len += status_string.length;
	194	}
08885c7f MM	195	} else
08885c7f MM	196	msg_ctx = 0;
2e881a6f	197	gss_release_buffer(&min_stat, &status_string);
08885c7f	198	} while (msg_ctx);
2e881a6f A	199	debug((char *) "%s\| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
	200	fprintf(stdout, "BH %s failed: %s\n", function, buf);
	201	if (log)
	202	fprintf(stderr, "%s\| %s: INFO: User not authenticated\n", LogTime(),
	203	PROGRAM);
	204	return (1);
3e5d7cdf	205	}
3ad12bda	206	return (0);
3e5d7cdf	207	}
3e5d7cdf	208
3ad12bda AJ	209	int
3ad12bda AJ	210	main(int argc, char *const argv[])
3e5d7cdf	211	{
26ac0430	212	char buf[MAX_AUTHTOKEN_LEN];
3ad12bda AJ	213	char c, p;
	214	char *user = NULL;
	215	int length = 0;
	216	static int err = 0;
e673ba3a	217	int opt, log = 0, norealm = 0;
3ad12bda AJ	218	OM_uint32 ret_flags = 0, spnego_flag = 0;
3ad12bda AJ	219	char service_name = (char ) "HTTP", *host_name = NULL;
26ac0430 AJ	220	char *token = NULL;
	221	char *service_principal = NULL;
	222	OM_uint32 major_status, minor_status;
3ad12bda AJ	223	gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
	224	gss_name_t client_name = GSS_C_NO_NAME;
	225	gss_name_t server_name = GSS_C_NO_NAME;
	226	gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
	227	gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
	228	gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
	229	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
	230	const unsigned char *kerberosToken = NULL;
3ad12bda AJ	231	const unsigned char *spnegoToken = NULL;
3ad12bda AJ	232	size_t spnegoTokenLength = 0;
26ac0430	233
3ad12bda AJ	234	setbuf(stdout, NULL);
3ad12bda AJ	235	setbuf(stdin, NULL);
26ac0430	236
6989c6dc	237	while (-1 != (opt = getopt(argc, argv, "dirs:h"))) {
2e881a6f A	238	switch (opt) {
	239	case 'd':
	240	debug_enabled = 1;
	241	break;
	242	case 'i':
	243	log = 1;
	244	break;
	245	case 'r':
	246	norealm = 1;
	247	break;
	248	case 's':
	249	service_principal = xstrdup(optarg);
	250	break;
	251	case 'h':
	252	fprintf(stderr, "Usage: \n");
	253	fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n");
	254	fprintf(stderr, "-d full debug\n");
	255	fprintf(stderr, "-i informational messages\n");
	256	fprintf(stderr, "-r remove realm from username\n");
	257	fprintf(stderr, "-s service principal name\n");
	258	fprintf(stderr, "-h help\n");
	259	fprintf(stderr,
	260	"The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n");
	261	fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n");
	262	exit(0);
	263	default:
	264	fprintf(stderr, "%s\| %s: WARNING: unknown option: -%c.\n", LogTime(),
	265	PROGRAM, opt);
	266	}
3e5d7cdf	267	}
3e5d7cdf	268
b1218840	269	debug((char *) "%s\| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, SQUID_KERB_AUTH_VERSION);
3ad12bda	270	if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) {
2e881a6f A	271	service.value = service_principal;
2e881a6f A	272	service.length = strlen((char *) service.value);
26ac0430	273	} else {
2e881a6f A	274	host_name = gethost_name();
	275	if (!host_name) {
	276	fprintf(stderr,
	277	"%s\| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n",
	278	LogTime(), PROGRAM);
	279	fprintf(stdout, "BH hostname error\n");
	280	exit(-1);
	281	}
	282	service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2);
	283	snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2,
	284	"%s@%s", service_name, host_name);
	285	service.length = strlen((char *) service.value);
3e5d7cdf	286	}
3e5d7cdf	287
26ac0430	288	while (1) {
2e881a6f A	289	if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
	290	if (ferror(stdin)) {
	291	debug((char *) "%s\| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n",
	292	LogTime(), PROGRAM, ferror(stdin),
	293	strerror(ferror(stdin)));
	294
	295	fprintf(stdout, "BH input error\n");
	296	exit(1); /* BIIG buffer */
	297	}
	298	fprintf(stdout, "BH input error\n");
	299	exit(0);
	300	}
	301	c = (char *) memchr(buf, '\n', sizeof(buf) - 1);
	302	if (c) {
	303	*c = '\0';
	304	length = c - buf;
	305	} else {
	306	err = 1;
	307	}
	308	if (err) {
	309	debug((char *) "%s\| %s: ERROR: Oversized message\n", LogTime(), PROGRAM);
	310	fprintf(stdout, "BH Oversized message\n");
	311	err = 0;
	312	continue;
	313	}
	314	debug((char *) "%s\| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length);
	315
	316	if (buf[0] == '\0') {
	317	debug((char *) "%s\| %s: ERROR: Invalid request\n", LogTime(), PROGRAM);
	318	fprintf(stdout, "BH Invalid request\n");
	319	continue;
	320	}
	321	if (strlen(buf) < 2) {
	322	debug((char *) "%s\| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
	323	fprintf(stdout, "BH Invalid request\n");
	324	continue;
	325	}
	326	if (!strncmp(buf, "QQ", 2)) {
	327	gss_release_buffer(&minor_status, &input_token);
	328	gss_release_buffer(&minor_status, &output_token);
	329	gss_release_buffer(&minor_status, &service);
	330	gss_release_cred(&minor_status, &server_creds);
	331	if (server_name)
	332	gss_release_name(&minor_status, &server_name);
	333	if (client_name)
	334	gss_release_name(&minor_status, &client_name);
	335	if (gss_context != GSS_C_NO_CONTEXT)
	336	gss_delete_sec_context(&minor_status, &gss_context, NULL);
	337	if (kerberosToken) {
	338	/* Allocated by parseNegTokenInit, but no matching free function exists.. */
	339	if (!spnego_flag)
	340	xfree((char *) kerberosToken);
	341	kerberosToken = NULL;
	342	}
	343	if (spnego_flag) {
	344	/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
	345	if (spnegoToken)
	346	xfree((char *) spnegoToken);
	347	spnegoToken = NULL;
	348	}
	349	if (token) {
	350	xfree(token);
	351	token = NULL;
	352	}
353	if (host_name) {
354	xfree(host_name);
355	host_name = NULL;
356	}
357	fprintf(stdout, "BH quit command\n");
358	exit(0);
359	}
360	if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) {
361	debug((char *) "%s\| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
362	fprintf(stdout, "BH Invalid request\n");
363	continue;
364	}
365	if (!strncmp(buf, "YR", 2)) {
366	if (gss_context != GSS_C_NO_CONTEXT)
367	gss_delete_sec_context(&minor_status, &gss_context, NULL);
368	gss_context = GSS_C_NO_CONTEXT;
369	}
370	if (strlen(buf) <= 3) {
371	debug((char *) "%s\| %s: ERROR: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf);
372	fprintf(stdout, "BH Invalid negotiate request\n");
373	continue;
374	}
8bdd0cec	375	input_token.length = base64_decode_len(buf+3);
2e881a6f A	376	debug((char *) "%s\| %s: DEBUG: Decode '%s' (decoded length: %d).\n",
	377	LogTime(), PROGRAM, buf + 3, (int) input_token.length);
	378	input_token.value = xmalloc(input_token.length);
	379
8bdd0cec	380	input_token.length = base64_decode((char *) input_token.value, input_token.length, buf+3);
2e881a6f A	381
	382	if ((input_token.length >= sizeof ntlmProtocol + 1) &&
	383	(!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
	384	debug((char *) "%s\| %s: WARNING: received type %d NTLM token\n",
	385	LogTime(), PROGRAM,
	386	(int) ((unsigned char ) input_token.value +
	387	sizeof ntlmProtocol));
	388	fprintf(stdout, "BH received type %d NTLM token\n",
	389	(int) ((unsigned char ) input_token.value +
	390	sizeof ntlmProtocol));
	391	goto cleanup;
	392	}
	393	if (service_principal) {
	394	if (strcasecmp(service_principal, "GSS_C_NO_NAME")) {
	395	major_status = gss_import_name(&minor_status, &service,
	396	(gss_OID) GSS_C_NULL_OID, &server_name);
	397
	398	} else {
	399	server_name = GSS_C_NO_NAME;
	400	major_status = GSS_S_COMPLETE;
	401	}
	402	} else {
	403	major_status = gss_import_name(&minor_status, &service,
	404	gss_nt_service_name, &server_name);
	405	}
	406
	407	if (check_gss_err(major_status, minor_status, "gss_import_name()", log))
	408	goto cleanup;
	409
	410	major_status =
	411	gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
	412	GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
	413	if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log))
	414	goto cleanup;
	415
	416	major_status = gss_accept_sec_context(&minor_status,
	417	&gss_context,
	418	server_creds,
	419	&input_token,
	420	GSS_C_NO_CHANNEL_BINDINGS,
	421	&client_name, NULL, &output_token, &ret_flags, NULL, NULL);
	422
2e881a6f A	423	if (output_token.length) {
	424	spnegoToken = (const unsigned char *) output_token.value;
	425	spnegoTokenLength = output_token.length;
8bdd0cec	426	token = (char *) xmalloc(base64_encode_len(spnegoTokenLength));
2e881a6f A	427	if (token == NULL) {
	428	debug((char *) "%s\| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
	429	fprintf(stdout, "BH Not enough memory\n");
	430	goto cleanup;
	431	}
8bdd0cec AJ	432	base64_encode_str(token, base64_encode_len(spnegoTokenLength),
8bdd0cec AJ	433	(const char *) spnegoToken, spnegoTokenLength);
2e881a6f A	434
	435	if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
	436	goto cleanup;
	437	if (major_status & GSS_S_CONTINUE_NEEDED) {
	438	debug((char *) "%s\| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
	439	fprintf(stdout, "TT %s\n", token);
	440	goto cleanup;
	441	}
	442	gss_release_buffer(&minor_status, &output_token);
	443	major_status =
	444	gss_display_name(&minor_status, client_name, &output_token,
	445	NULL);
	446
	447	if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
	448	goto cleanup;
	449	user = (char *) xmalloc(output_token.length + 1);
	450	if (user == NULL) {
	451	debug((char *) "%s\| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
	452	fprintf(stdout, "BH Not enough memory\n");
	453	goto cleanup;
	454	}
	455	memcpy(user, output_token.value, output_token.length);
	456	user[output_token.length] = '\0';
	457	if (norealm && (p = strchr(user, '@')) != NULL) {
	458	*p = '\0';
	459	}
	460	fprintf(stdout, "AF %s %s\n", token, user);
	461	debug((char *) "%s\| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user);
	462	if (log)
	463	fprintf(stderr, "%s\| %s: INFO: User %s authenticated\n", LogTime(),
	464	PROGRAM, user);
	465	goto cleanup;
	466	} else {
	467	if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
	468	goto cleanup;
	469	if (major_status & GSS_S_CONTINUE_NEEDED) {
	470	debug((char *) "%s\| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
	471	fprintf(stdout, "NA %s\n", token);
	472	goto cleanup;
	473	}
	474	gss_release_buffer(&minor_status, &output_token);
	475	major_status =
	476	gss_display_name(&minor_status, client_name, &output_token,
	477	NULL);
	478
	479	if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
	480	goto cleanup;
	481	/*
	482	* Return dummy token AA. May need an extra return tag then AF
	483	*/
	484	user = (char *) xmalloc(output_token.length + 1);
	485	if (user == NULL) {
	486	debug((char *) "%s\| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
	487	fprintf(stdout, "BH Not enough memory\n");
	488	goto cleanup;
	489	}
	490	memcpy(user, output_token.value, output_token.length);
	491	user[output_token.length] = '\0';
	492	if (norealm && (p = strchr(user, '@')) != NULL) {
	493	*p = '\0';
	494	}
	495	fprintf(stdout, "AF %s %s\n", "AA==", user);
	496	debug((char *) "%s\| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user);
	497	if (log)
498	fprintf(stderr, "%s\| %s: INFO: User %s authenticated\n", LogTime(),
499	PROGRAM, user);
500
501	}
502	cleanup:
503	gss_release_buffer(&minor_status, &input_token);
504	gss_release_buffer(&minor_status, &output_token);
505	gss_release_cred(&minor_status, &server_creds);
506	if (server_name)
507	gss_release_name(&minor_status, &server_name);
508	if (client_name)
509	gss_release_name(&minor_status, &client_name);
510	if (kerberosToken) {
511	/* Allocated by parseNegTokenInit, but no matching free function exists.. */
512	if (!spnego_flag)
513	xfree((char *) kerberosToken);
514	kerberosToken = NULL;
515	}
516	if (spnego_flag) {
517	/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
518	if (spnegoToken)
519	xfree((char *) spnegoToken);
520	spnegoToken = NULL;
521	}
522	if (token) {
523	xfree(token);
524	token = NULL;
525	}
526	if (user) {
527	xfree(user);
528	user = NULL;
529	}
530	continue;
3e5d7cdf	531	}
3e5d7cdf	532	}
6989c6dc AJ	533	#else
	534	#include <stdio.h>
	535	#include <stdlib.h>
	536	#ifndef MAX_AUTHTOKEN_LEN
	537	#define MAX_AUTHTOKEN_LEN 65535
	538	#endif
	539	int
	540	main(int argc, char *const argv[])
	541	{
	542	setbuf(stdout, NULL);
	543	setbuf(stdin, NULL);
	544	char buf[MAX_AUTHTOKEN_LEN];
	545	while (1) {
2e881a6f A	546	if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
	547	fprintf(stdout, "BH input error\n");
	548	exit(0);
	549	}
	550	fprintf(stdout, "BH Kerberos authentication not supported\n");
6989c6dc AJ	551	}
6989c6dc AJ	552	}
3ad12bda	553	#endif /* HAVE_GSSAPI */