[thirdparty/squid.git] / helpers / negotiate_auth / kerberos / negotiate_kerberos.h

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * -----------------------------------------------------------------------------
 *
 * Author: Markus Moeller (markus_moeller at compuserve.com)
 *
 * Copyright (C) 2013 Markus Moeller. All rights reserved.
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
 *
 *   As a special exemption, M Moeller gives permission to link this program
 *   with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
 *   the resulting executable, without including the source code for
 *   the Libraries in the source distribution.
 *
 * -----------------------------------------------------------------------------
 */

#include <cstring>
#include <ctime>
#if HAVE_NETDB_H
#include <netdb.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif

#include "base64.h"
#include "util.h"

#if HAVE_KRB5_H
#if HAVE_BROKEN_SOLARIS_KRB5_H
#warn "Warning! You have a broken Solaris <krb5.h> system header"
#warn "http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512"
#if defined(__cplusplus)
#define KRB5INT_BEGIN_DECLS     extern "C" {
#define KRB5INT_END_DECLS
KRB5INT_BEGIN_DECLS
#endif
#endif /* HAVE_BROKEN_SOLARIS_KRB5_H */
#if HAVE_BROKEN_HEIMDAL_KRB5_H
extern "C" {
#include <krb5.h>
}
#else
#include <krb5.h>
#endif
#endif /* HAVE_KRB5_H */

#if USE_HEIMDAL_KRB5
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
#if HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
#endif
#elif USE_GNUGSS
#if HAVE_GSS_H
#include <gss.h>
#endif
#else
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
#if HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
#endif
#if HAVE_GSSAPI_GSSAPI_GENERIC_H
#include <gssapi/gssapi_generic.h>
#endif
#if HAVE_GSSAPI_GSSAPI_EXT_H
#include <gssapi/gssapi_ext.h>
#endif
#endif

#ifndef gss_nt_service_name
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#endif

#define PROGRAM "negotiate_kerberos_auth"

#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN   65535
#endif
#ifndef SQUID_KERB_AUTH_VERSION
#define SQUID_KERB_AUTH_VERSION "3.1.0sq"
#endif

char *gethost_name(void);

static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

inline const char *
LogTime()
{
    struct tm *tm;
    struct timeval now;
    static time_t last_t = 0;
    static char buf[128];

    gettimeofday(&now, NULL);
    if (now.tv_sec != last_t) {
        tm = localtime((time_t *) & now.tv_sec);
        strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
        last_t = now.tv_sec;
    }
    return buf;
}

int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
                  const char *function, int log, int sout);

char *gethost_name(void);

#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
#define HAVE_PAC_SUPPORT 1
#define MAX_PAC_GROUP_SIZE 200*60
typedef struct {
    uint16_t length;
    uint16_t maxlength;
    uint32_t pointer;
} RPC_UNICODE_STRING;

int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
void align(int n);
void getustr(RPC_UNICODE_STRING *string);
char **getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount);
char *getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t  GroupCount);
char *getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount);
uint64_t get6byt_be(void);
uint32_t get4byt(void);
uint16_t get2byt(void);
uint8_t get1byt(void);
char *xstrcpy( char *src, const char*dst);
char *xstrcat( char *src, const char*dst);
int checkustr(RPC_UNICODE_STRING *string);
char *get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac);
#else
#define HAVE_PAC_SUPPORT 0
#endif
Commit	Line	Data
ca02e0ec AJ	1	/*
	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
4ebcf1ce MM	9	/*
	10	* -----------------------------------------------------------------------------
	11	*
	12	* Author: Markus Moeller (markus_moeller at compuserve.com)
	13	*
	14	* Copyright (C) 2013 Markus Moeller. All rights reserved.
	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License as published by
	18	* the Free Software Foundation; either version 2 of the License, or
	19	* (at your option) any later version.
	20	*
	21	* This program is distributed in the hope that it will be useful,
	22	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	23	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	24	* GNU General Public License for more details.
	25	*
	26	* You should have received a copy of the GNU General Public License
	27	* along with this program; if not, write to the Free Software
	28	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
	29	*
	30	* As a special exemption, M Moeller gives permission to link this program
	31	* with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
	32	* the resulting executable, without including the source code for
	33	* the Libraries in the source distribution.
	34	*
	35	* -----------------------------------------------------------------------------
	36	*/
	37
074d6a40 AJ	38	#include <cstring>
074d6a40 AJ	39	#include <ctime>
4ebcf1ce MM	40	#if HAVE_NETDB_H
	41	#include <netdb.h>
	42	#endif
	43	#if HAVE_UNISTD_H
	44	#include <unistd.h>
	45	#endif
4ebcf1ce	46
4ebcf1ce	47	#include "base64.h"
602d9612	48	#include "util.h"
4ebcf1ce MM	49
	50	#if HAVE_KRB5_H
	51	#if HAVE_BROKEN_SOLARIS_KRB5_H
	52	#warn "Warning! You have a broken Solaris <krb5.h> system header"
	53	#warn "http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512"
	54	#if defined(__cplusplus)
	55	#define KRB5INT_BEGIN_DECLS extern "C" {
	56	#define KRB5INT_END_DECLS
	57	KRB5INT_BEGIN_DECLS
	58	#endif
	59	#endif /* HAVE_BROKEN_SOLARIS_KRB5_H */
	60	#if HAVE_BROKEN_HEIMDAL_KRB5_H
	61	extern "C" {
	62	#include <krb5.h>
	63	}
	64	#else
	65	#include <krb5.h>
	66	#endif
	67	#endif /* HAVE_KRB5_H */
	68
1a22a39e MM	69	#if USE_HEIMDAL_KRB5
	70	#if HAVE_GSSAPI_GSSAPI_H
	71	#include <gssapi/gssapi.h>
	72	#elif HAVE_GSSAPI_H
	73	#include <gssapi.h>
	74	#endif
	75	#if HAVE_GSSAPI_GSSAPI_KRB5_H
	76	#include <gssapi/gssapi_krb5.h>
	77	#endif
	78	#elif USE_GNUGSS
	79	#if HAVE_GSS_H
	80	#include <gss.h>
	81	#endif
	82	#else
4ebcf1ce MM	83	#if HAVE_GSSAPI_GSSAPI_H
	84	#include <gssapi/gssapi.h>
	85	#elif HAVE_GSSAPI_H
	86	#include <gssapi.h>
	87	#endif
4ebcf1ce MM	88	#if HAVE_GSSAPI_GSSAPI_KRB5_H
	89	#include <gssapi/gssapi_krb5.h>
	90	#endif
	91	#if HAVE_GSSAPI_GSSAPI_GENERIC_H
	92	#include <gssapi/gssapi_generic.h>
	93	#endif
	94	#if HAVE_GSSAPI_GSSAPI_EXT_H
	95	#include <gssapi/gssapi_ext.h>
	96	#endif
4ebcf1ce MM	97	#endif
	98
	99	#ifndef gss_nt_service_name
	100	#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
	101	#endif
	102
	103	#define PROGRAM "negotiate_kerberos_auth"
	104
	105	#ifndef MAX_AUTHTOKEN_LEN
	106	#define MAX_AUTHTOKEN_LEN 65535
	107	#endif
	108	#ifndef SQUID_KERB_AUTH_VERSION
2eb6054f	109	#define SQUID_KERB_AUTH_VERSION "3.1.0sq"
4ebcf1ce MM	110	#endif
	111
	112	char *gethost_name(void);
	113
4ebcf1ce MM	114	static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
4ebcf1ce MM	115
d779e711	116	inline const char *
4ebcf1ce MM	117	LogTime()
	118	{
	119	struct tm *tm;
	120	struct timeval now;
	121	static time_t last_t = 0;
	122	static char buf[128];
	123
	124	gettimeofday(&now, NULL);
	125	if (now.tv_sec != last_t) {
	126	tm = localtime((time_t *) & now.tv_sec);
	127	strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
	128	last_t = now.tv_sec;
	129	}
	130	return buf;
	131	}
	132
	133	int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
	134	const char *function, int log, int sout);
	135
	136	char *gethost_name(void);
	137
1a22a39e	138	#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT \|\| HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
4ebcf1ce MM	139	#define HAVE_PAC_SUPPORT 1
	140	#define MAX_PAC_GROUP_SIZE 200*60
	141	typedef struct {
	142	uint16_t length;
	143	uint16_t maxlength;
	144	uint32_t pointer;
	145	} RPC_UNICODE_STRING;
	146
	147	int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
	148	void align(int n);
	149	void getustr(RPC_UNICODE_STRING *string);
	150	char getgids(char Rids, uint32_t GroupIds, uint32_t GroupCount);
	151	char getdomaingids(char ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t GroupCount);
	152	char getextrasids(char ad_groups, uint32_t ExtraSids, uint32_t SidCount);
	153	uint64_t get6byt_be(void);
	154	uint32_t get4byt(void);
	155	uint16_t get2byt(void);
	156	uint8_t get1byt(void);
	157	char xstrcpy( char src, const char*dst);
	158	char xstrcat( char src, const char*dst);
	159	int checkustr(RPC_UNICODE_STRING *string);
	160	char get_ad_groups(char ad_groups, krb5_context context, krb5_pac pac);
	161	#else
	162	#define HAVE_PAC_SUPPORT 0
	163	#endif