Boilerplate: update copyright blurbs on Squid helpers
1 /*
2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /*
10 * -----------------------------------------------------------------------------
11 *
12 * Author: Markus Moeller (markus_moeller at compuserve.com)
13 *
14 * Copyright (C) 2013 Markus Moeller. All rights reserved.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
29 *
30 * As a special exemption, M Moeller gives permission to link this program
31 * with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
32 * the resulting executable, without including the source code for
33 * the Libraries in the source distribution.
34 *
35 * -----------------------------------------------------------------------------
36 */
37
38 #include <cstring>
39 #include <ctime>
40 #if HAVE_NETDB_H
41 #include <netdb.h>
42 #endif
43 #if HAVE_UNISTD_H
44 #include <unistd.h>
45 #endif
46
47 #include "base64.h"
48 #include "util.h"
49
50 #if HAVE_KRB5_H
51 #if HAVE_BROKEN_SOLARIS_KRB5_H
52 #warn "Warning! You have a broken Solaris <krb5.h> system header"
53 #warn "http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512"
54 #if defined(__cplusplus)
55 #define KRB5INT_BEGIN_DECLS extern "C" {
56 #define KRB5INT_END_DECLS
57 KRB5INT_BEGIN_DECLS
58 #endif
59 #endif /* HAVE_BROKEN_SOLARIS_KRB5_H */
60 #if HAVE_BROKEN_HEIMDAL_KRB5_H
61 extern "C" {
62 #include <krb5.h>
63 }
64 #else
65 #include <krb5.h>
66 #endif
67 #endif /* HAVE_KRB5_H */
68
69 #if USE_HEIMDAL_KRB5
70 #if HAVE_GSSAPI_GSSAPI_H
71 #include <gssapi/gssapi.h>
72 #elif HAVE_GSSAPI_H
73 #include <gssapi.h>
74 #endif
75 #if HAVE_GSSAPI_GSSAPI_KRB5_H
76 #include <gssapi/gssapi_krb5.h>
77 #endif
78 #elif USE_GNUGSS
79 #if HAVE_GSS_H
80 #include <gss.h>
81 #endif
82 #else
83 #if HAVE_GSSAPI_GSSAPI_H
84 #include <gssapi/gssapi.h>
85 #elif HAVE_GSSAPI_H
86 #include <gssapi.h>
87 #endif
88 #if HAVE_GSSAPI_GSSAPI_KRB5_H
89 #include <gssapi/gssapi_krb5.h>
90 #endif
91 #if HAVE_GSSAPI_GSSAPI_GENERIC_H
92 #include <gssapi/gssapi_generic.h>
93 #endif
94 #if HAVE_GSSAPI_GSSAPI_EXT_H
95 #include <gssapi/gssapi_ext.h>
96 #endif
97 #endif
98
/* Fallback for GSS-API libraries that do not define gss_nt_service_name:
 * alias it to the host-based service name type. */
99 #ifndef gss_nt_service_name
100 #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
101 #endif
102
/* Program name string for this helper. */
103 #define PROGRAM "negotiate_kerberos_auth"
104
/* Maximum authentication token length, overridable at build time.
 * NOTE(review): the enforcement point is not visible in this header; confirm
 * that every buffer sized from this limit is bounds-checked where tokens are
 * decoded. */
105 #ifndef MAX_AUTHTOKEN_LEN
106 #define MAX_AUTHTOKEN_LEN 65535
107 #endif
/* Helper version string, overridable at build time. */
108 #ifndef SQUID_KERB_AUTH_VERSION
109 #define SQUID_KERB_AUTH_VERSION "3.0.4sq"
110 #endif
111
/* NOTE(review): presumably returns the local host name for building the
 * service principal; ownership of the returned pointer is not stated here. */
112 char *gethost_name(void);
113
/* The 8-byte "NTLMSSP\0" signature that starts an NTLM message.
 * NOTE(review): presumably compared against the decoded token so an NTLM
 * token offered to this Kerberos-only helper can be rejected; confirm in the
 * caller that the token length is checked before the comparison. */
114 static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
115
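/**
 * Returns the current local time formatted as "%Y/%m/%d %H:%M:%S".
 *
 * The string is cached in a function-local static buffer and is only
 * re-rendered when the wall-clock second changes. The returned pointer refers
 * to that static buffer: it is overwritten by later calls and must not be
 * freed. Because of the static state (and localtime()), the function is not
 * reentrant.
 *
 * @return pointer to the cached timestamp, or to an empty string when the
 *         time could not be converted or formatted.
 */
inline const char *
LogTime()
{
    static time_t last_t = 0;
    static char buf[128];
    struct timeval now;

    /* Defined values even if gettimeofday() fails. */
    now.tv_sec = 0;
    now.tv_usec = 0;
    gettimeofday(&now, NULL);

    /* Copy into a real time_t. tv_sec is not guaranteed to have the same
     * type or width as time_t, so passing its address to localtime() through
     * a cast could read the wrong bytes. */
    const time_t now_t = (time_t) now.tv_sec;

    if (now_t != last_t) {
        const struct tm *tm = localtime(&now_t);
        /* localtime() may return NULL and strftime() may return 0; in both
         * cases hand back an empty string instead of dereferencing NULL or
         * exposing indeterminate buffer contents in a log line. */
        if (tm == NULL || strftime(buf, sizeof(buf), "%Y/%m/%d %H:%M:%S", tm) == 0) {
            buf[0] = '\0';
            return buf;
        }
        last_t = now_t;
    }
    return buf;
}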
132
/* Takes a GSS-API major/minor status pair and the name of the function that
 * produced it.
 * NOTE(review): the return convention and the meaning of the log and sout
 * flags are defined in the implementation, not in this header; callers must
 * treat a reported error as an authentication failure. Confirm in the .cc. */
133 int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
134 const char *function, int log, int sout);
135
/* Repeats the gethost_name() declaration that appears earlier in this
 * header; harmless, but redundant. */
136 char *gethost_name(void);
137
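/*
 * PAC (Privilege Attribute Certificate) group extraction is compiled in only
 * when the GSS library can hand out authorization data and the Kerberos
 * library has PAC support. HAVE_PAC_SUPPORT is always defined (1 or 0) so
 * other code can test it with #if.
 */
#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
#define HAVE_PAC_SUPPORT 1
/* Parenthesised so the product keeps its value inside a larger expression
 * (for example as the right operand of / or %, or next to another factor);
 * an unparenthesised 200*60 would bind to the neighbouring operator and
 * yield a wrong size limit. */
#define MAX_PAC_GROUP_SIZE (200*60)

/*
 * String header with a length, a maximum length and a pointer field.
 * NOTE(review): the values presumably come straight from the PAC buffer;
 * confirm that length <= maxlength and that both are checked against the
 * remaining buffer (see checkustr) before any string body is read.
 */
typedef struct {
    uint16_t length;
    uint16_t maxlength;
    uint32_t pointer;
} RPC_UNICODE_STRING;

/* Takes a Kerberos error code and a message for it; the return convention is
 * defined in the implementation. */
int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);

/*
 * PAC decoding helpers. The get*byt() readers, align() and getustr() receive
 * no buffer or length argument, so they operate on parser state kept
 * elsewhere. NOTE(review): every read must be bounds-checked against the PAC
 * buffer length in the implementation; that cannot be verified from this
 * header.
 */
void align(int n);
void getustr(RPC_UNICODE_STRING *string);
/* NOTE(review): GroupCount and SidCount are 32-bit counts, presumably taken
 * from the PAC; confirm they are limited before they drive allocation or
 * loops, and that the ad_groups output stays within MAX_PAC_GROUP_SIZE. */
char **getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount);
char *getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t GroupCount);
char *getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount);
uint64_t get6byt_be(void);
uint32_t get4byt(void);
uint16_t get2byt(void);
uint8_t get1byt(void);
/* NOTE(review): the parameter names look swapped. The writable first
 * argument is named src and the const second argument dst. Neither function
 * takes a destination size, so the caller is responsible for the bound;
 * confirm against the implementation. */
char *xstrcpy( char *src, const char*dst);
char *xstrcat( char *src, const char*dst);
int checkustr(RPC_UNICODE_STRING *string);
char *get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac);
#else
#define HAVE_PAC_SUPPORT 0
#endif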