[thirdparty/squid.git] / src / auth / negotiate / kerberos / negotiate_kerberos.h

/*
 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * -----------------------------------------------------------------------------
 *
 * Author: Markus Moeller (markus_moeller at compuserve.com)
 *
 * Copyright (C) 2013 Markus Moeller. All rights reserved.
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
 *
 *   As a special exemption, M Moeller gives permission to link this program
 *   with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
 *   the resulting executable, without including the source code for
 *   the Libraries in the source distribution.
 *
 * -----------------------------------------------------------------------------
 */

#include <cstring>
#include <ctime>
#if HAVE_NETDB_H
#include <netdb.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif

#include "base64.h"
#include "util.h"

#if USE_APPLE_KRB5
#define KERBEROS_APPLE_DEPRECATED(x)
#define GSSKRB_APPLE_DEPRECATED(x)
#endif

#if HAVE_KRB5_H
#if HAVE_BROKEN_SOLARIS_KRB5_H
#warn "Warning! You have a broken Solaris <krb5.h> system header"
#warn "http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512"
#if defined(__cplusplus)
#define KRB5INT_BEGIN_DECLS     extern "C" {
#define KRB5INT_END_DECLS
KRB5INT_BEGIN_DECLS
#endif
#endif /* HAVE_BROKEN_SOLARIS_KRB5_H */
#if HAVE_BROKEN_HEIMDAL_KRB5_H
extern "C" {
#include <krb5.h>
}
#else
#include <krb5.h>
#endif
#endif /* HAVE_KRB5_H */

#if USE_HEIMDAL_KRB5
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
#if HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
#endif
#elif USE_GNUGSS
#if HAVE_GSS_H
#include <gss.h>
#endif
#else
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
#if HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
#endif
#if HAVE_GSSAPI_GSSAPI_GENERIC_H
#include <gssapi/gssapi_generic.h>
#endif
#if HAVE_GSSAPI_GSSAPI_EXT_H
#include <gssapi/gssapi_ext.h>
#endif
#endif

#ifndef gss_nt_service_name
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#endif

#define PROGRAM "negotiate_kerberos_auth"

#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN   65535
#endif
#ifndef SQUID_KERB_AUTH_VERSION
#define SQUID_KERB_AUTH_VERSION "3.1.0sq"
#endif

char *gethost_name(void);

static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

inline const char *
LogTime()
{
    struct timeval now;
    static time_t last_t = 0;
    static char buf[128];

    gettimeofday(&now, NULL);
    if (now.tv_sec != last_t) {
        struct tm *tm;
        tm = localtime((time_t *) & now.tv_sec);
        strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
        last_t = now.tv_sec;
    }
    return buf;
}

int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
                  const char *function, int log, int sout);

char *gethost_name(void);

#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
#define HAVE_PAC_SUPPORT 1
#define MAX_PAC_GROUP_SIZE 200*60
typedef struct {
    uint16_t length;
    uint16_t maxlength;
    uint32_t pointer;
} RPC_UNICODE_STRING;

void align(int n);
void getustr(RPC_UNICODE_STRING *string);
char **getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount);
char *getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t  GroupCount);
char *getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount);
uint64_t get6byt_be(void);
uint32_t get4byt(void);
uint16_t get2byt(void);
uint8_t get1byt(void);
char *xstrcpy( char *src, const char*dst);
char *xstrcat( char *src, const char*dst);
int checkustr(RPC_UNICODE_STRING *string);
char *get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac);
#else
#define HAVE_PAC_SUPPORT 0
#endif
int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
Commit	Line	Data
ca02e0ec	1	/*
4ac4a490	2	* Copyright (C) 1996-2017 The Squid Software Foundation and contributors
ca02e0ec AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
4ebcf1ce MM	9	/*
	10	* -----------------------------------------------------------------------------
	11	*
	12	* Author: Markus Moeller (markus_moeller at compuserve.com)
	13	*
	14	* Copyright (C) 2013 Markus Moeller. All rights reserved.
	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License as published by
	18	* the Free Software Foundation; either version 2 of the License, or
	19	* (at your option) any later version.
	20	*
	21	* This program is distributed in the hope that it will be useful,
	22	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	23	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	24	* GNU General Public License for more details.
	25	*
	26	* You should have received a copy of the GNU General Public License
	27	* along with this program; if not, write to the Free Software
	28	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
	29	*
	30	* As a special exemption, M Moeller gives permission to link this program
	31	* with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
	32	* the resulting executable, without including the source code for
	33	* the Libraries in the source distribution.
	34	*
	35	* -----------------------------------------------------------------------------
	36	*/
	37
074d6a40 AJ	38	#include <cstring>
074d6a40 AJ	39	#include <ctime>
4ebcf1ce MM	40	#if HAVE_NETDB_H
	41	#include <netdb.h>
	42	#endif
	43	#if HAVE_UNISTD_H
	44	#include <unistd.h>
	45	#endif
4ebcf1ce	46
4ebcf1ce	47	#include "base64.h"
602d9612	48	#include "util.h"
4ebcf1ce	49
75f3c557 MM	50	#if USE_APPLE_KRB5
	51	#define KERBEROS_APPLE_DEPRECATED(x)
	52	#define GSSKRB_APPLE_DEPRECATED(x)
	53	#endif
	54
4ebcf1ce MM	55	#if HAVE_KRB5_H
	56	#if HAVE_BROKEN_SOLARIS_KRB5_H
	57	#warn "Warning! You have a broken Solaris <krb5.h> system header"
	58	#warn "http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512"
	59	#if defined(__cplusplus)
	60	#define KRB5INT_BEGIN_DECLS extern "C" {
	61	#define KRB5INT_END_DECLS
	62	KRB5INT_BEGIN_DECLS
	63	#endif
	64	#endif /* HAVE_BROKEN_SOLARIS_KRB5_H */
	65	#if HAVE_BROKEN_HEIMDAL_KRB5_H
	66	extern "C" {
	67	#include <krb5.h>
	68	}
	69	#else
	70	#include <krb5.h>
	71	#endif
	72	#endif /* HAVE_KRB5_H */
	73
1a22a39e MM	74	#if USE_HEIMDAL_KRB5
	75	#if HAVE_GSSAPI_GSSAPI_H
	76	#include <gssapi/gssapi.h>
	77	#elif HAVE_GSSAPI_H
	78	#include <gssapi.h>
	79	#endif
	80	#if HAVE_GSSAPI_GSSAPI_KRB5_H
	81	#include <gssapi/gssapi_krb5.h>
	82	#endif
	83	#elif USE_GNUGSS
	84	#if HAVE_GSS_H
	85	#include <gss.h>
	86	#endif
	87	#else
4ebcf1ce MM	88	#if HAVE_GSSAPI_GSSAPI_H
	89	#include <gssapi/gssapi.h>
	90	#elif HAVE_GSSAPI_H
	91	#include <gssapi.h>
	92	#endif
4ebcf1ce MM	93	#if HAVE_GSSAPI_GSSAPI_KRB5_H
	94	#include <gssapi/gssapi_krb5.h>
	95	#endif
	96	#if HAVE_GSSAPI_GSSAPI_GENERIC_H
	97	#include <gssapi/gssapi_generic.h>
	98	#endif
	99	#if HAVE_GSSAPI_GSSAPI_EXT_H
	100	#include <gssapi/gssapi_ext.h>
	101	#endif
4ebcf1ce MM	102	#endif
	103
	104	#ifndef gss_nt_service_name
	105	#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
	106	#endif
	107
	108	#define PROGRAM "negotiate_kerberos_auth"
	109
	110	#ifndef MAX_AUTHTOKEN_LEN
	111	#define MAX_AUTHTOKEN_LEN 65535
	112	#endif
	113	#ifndef SQUID_KERB_AUTH_VERSION
2eb6054f	114	#define SQUID_KERB_AUTH_VERSION "3.1.0sq"
4ebcf1ce MM	115	#endif
	116
	117	char *gethost_name(void);
	118
4ebcf1ce MM	119	static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
4ebcf1ce MM	120
d779e711	121	inline const char *
4ebcf1ce MM	122	LogTime()
4ebcf1ce MM	123	{
4ebcf1ce MM	124	struct timeval now;
	125	static time_t last_t = 0;
	126	static char buf[128];
	127
	128	gettimeofday(&now, NULL);
	129	if (now.tv_sec != last_t) {
685277d8	130	struct tm *tm;
4ebcf1ce MM	131	tm = localtime((time_t *) & now.tv_sec);
	132	strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
	133	last_t = now.tv_sec;
	134	}
	135	return buf;
	136	}
	137
	138	int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
	139	const char *function, int log, int sout);
	140
	141	char *gethost_name(void);
	142
1a22a39e	143	#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT \|\| HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
4ebcf1ce MM	144	#define HAVE_PAC_SUPPORT 1
	145	#define MAX_PAC_GROUP_SIZE 200*60
	146	typedef struct {
	147	uint16_t length;
	148	uint16_t maxlength;
	149	uint32_t pointer;
	150	} RPC_UNICODE_STRING;
	151
4ebcf1ce MM	152	void align(int n);
	153	void getustr(RPC_UNICODE_STRING *string);
	154	char getgids(char Rids, uint32_t GroupIds, uint32_t GroupCount);
	155	char getdomaingids(char ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t GroupCount);
	156	char getextrasids(char ad_groups, uint32_t ExtraSids, uint32_t SidCount);
	157	uint64_t get6byt_be(void);
	158	uint32_t get4byt(void);
	159	uint16_t get2byt(void);
	160	uint8_t get1byt(void);
	161	char xstrcpy( char src, const char*dst);
	162	char xstrcat( char src, const char*dst);
	163	int checkustr(RPC_UNICODE_STRING *string);
	164	char get_ad_groups(char ad_groups, krb5_context context, krb5_pac pac);
	165	#else
	166	#define HAVE_PAC_SUPPORT 0
	167	#endif
75f3c557	168	int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
5f4daa47	169