[thirdparty/squid.git] / helpers / negotiate_auth / squid_kerb_auth / squid_kerb_auth.c

/*
 * -----------------------------------------------------------------------------
 *
 * Author: Markus Moeller (markus_moeller at compuserve.com)
 *
 * Copyright (C) 2007 Markus Moeller. All rights reserved.
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
 *
 * -----------------------------------------------------------------------------
 */
/*
 * Hosted at http://sourceforge.net/projects/squidkerbauth
 */
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <unistd.h>
#include <time.h>
#include <sys/time.h>

#include "base64.h"
#ifndef HAVE_SPNEGO
#include "spnegohelp.h"
#endif

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN HOST_NAME_MAX
#endif

#define PROGRAM "squid_kerb_auth"

#ifdef HEIMDAL
#include <gssapi.h>
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#else
#include <gssapi/gssapi.h>
#ifndef SOLARIS_11
#include <gssapi/gssapi_generic.h>
#else
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#endif
#endif

#include <krb5.h>
int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function, int debug, int loging);
char *gethost_name(void);
static const char *LogTime(void);

static const unsigned char ntlmProtocol [] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

static const char *LogTime()
{
    struct tm *tm;
    struct timeval now;
    static time_t last_t = 0;
    static char buf[128];

    gettimeofday(&now, NULL);
    if (now.tv_sec != last_t) {
        tm = localtime(&now.tv_sec);
        strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
        last_t = now.tv_sec;
    }
    return buf;
}

char *gethost_name(void) {
  char      hostname[MAXHOSTNAMELEN];
  struct addrinfo *hres=NULL, *hres_list;
  int rc,count;

  rc = gethostname(hostname,MAXHOSTNAMELEN);
  if (rc)
    {
      fprintf(stderr, "%s| %s: error while resolving hostname '%s'\n", LogTime(), PROGRAM, hostname);
      return NULL;
    }
  rc = getaddrinfo(hostname,NULL,NULL,&hres);
  if (rc != 0) {
    fprintf(stderr, "%s| %s: error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
    return NULL;
  }
  hres_list=hres;
  count=0;
  while (hres_list) {
    count++;
    hres_list=hres_list->ai_next;
  }
  rc = getnameinfo (hres->ai_addr, hres->ai_addrlen,hostname, sizeof (hostname), NULL, 0, 0);
  if (rc != 0) {
    fprintf(stderr, "%s| %s: error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
    freeaddrinfo(hres);
    return NULL ;
  }

  freeaddrinfo(hres);
  hostname[MAXHOSTNAMELEN]='\0';
  return(strdup(hostname));
}

int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function, int debug, int loging) {
  if (GSS_ERROR(major_status)) {
    OM_uint32 maj_stat,min_stat;
    OM_uint32 msg_ctx = 0;
    gss_buffer_desc status_string;
    char buf[1024];
    size_t len;

    len = 0;
    msg_ctx = 0;
    while (!msg_ctx) {
      /* convert major status code (GSS-API error) to text */
      maj_stat = gss_display_status(&min_stat, major_status,
				    GSS_C_GSS_CODE,
				    GSS_C_NULL_OID,
				    &msg_ctx, &status_string);
      if (maj_stat == GSS_S_COMPLETE) {
	if (sizeof(buf) > len + status_string.length + 1) {
	  sprintf(buf+len, "%s", (char*) status_string.value);
	  len += status_string.length;
	}
	gss_release_buffer(&min_stat, &status_string);
	break;
      }
      gss_release_buffer(&min_stat, &status_string);
    }
    if (sizeof(buf) > len + 2) {
      sprintf(buf+len, "%s", ". ");
      len += 2;
    }
    msg_ctx = 0;
    while (!msg_ctx) {
      /* convert minor status code (underlying routine error) to text */
      maj_stat = gss_display_status(&min_stat, minor_status,
				    GSS_C_MECH_CODE,
				    GSS_C_NULL_OID,
				    &msg_ctx, &status_string);
      if (maj_stat == GSS_S_COMPLETE) {
	if (sizeof(buf) > len + status_string.length ) {
	  sprintf(buf+len, "%s", (char*) status_string.value);
	  len += status_string.length;
	}
	gss_release_buffer(&min_stat, &status_string);
	break;
      }
      gss_release_buffer(&min_stat, &status_string);
    }
    if (debug)
      fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
    fprintf(stdout, "NA %s failed: %s\n",function, buf);
    if (loging)
      fprintf(stderr, "%s| %s: User not authenticated\n", LogTime(), PROGRAM);
    return(1);
  }
  return(0);
}


int main(int argc, char * const argv[])
{
  char buf[6400];
  char *c;
  int length=0;
  static int err=0;
  int opt, rc, debug=0, loging=0;
  OM_uint32 ret_flags=0, spnego_flag=0;
  char *service_name=(char *)"HTTP",*host_name=NULL;
  char *token = NULL;
  char *service_principal = NULL;
  OM_uint32 major_status, minor_status;
  gss_ctx_id_t 		gss_context = GSS_C_NO_CONTEXT;
  gss_name_t 		client_name = GSS_C_NO_NAME;
  gss_name_t 		server_name = GSS_C_NO_NAME;
  gss_cred_id_t 	server_creds = GSS_C_NO_CREDENTIAL;
  gss_cred_id_t 	delegated_cred = GSS_C_NO_CREDENTIAL;
  gss_buffer_desc 	service = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc 	input_token = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc 	output_token = GSS_C_EMPTY_BUFFER;
  const unsigned char	*kerberosToken       = NULL;
  size_t		kerberosTokenLength = 0;
  const unsigned char	*spnegoToken         = NULL ;
  size_t		spnegoTokenLength   = 0;

  setbuf(stdout,NULL);
  setbuf(stdin,NULL);

  while (-1 != (opt = getopt(argc, argv, "dis:h"))) {
    switch (opt) {
    case 'd':
      debug = 1;
      break;              
    case 'i':
      loging = 1;
      break;              
    case 's':
      service_principal = strdup(optarg);
      break;
    case 'h':
      fprintf(stdout, "Usage: \n");
      fprintf(stdout, "squid_kerb_auth -d [-s SPN]\n");
      fprintf(stdout, "SPN = service principal name\n");
      fprintf(stdout, "Can be set to GSS_C_NO_NAME to allow any entry from keytab\n");
      fprintf(stdout, "default SPN is HTTP/fqdn@DEFAULT_REALM\n");
      break;
    default:
      fprintf(stderr, "%s| %s: unknown option: -%c.\n", LogTime(), PROGRAM, opt);
    }
  }

  if (service_principal && strcasecmp(service_principal,"GSS_C_NO_NAME") ) {
    service.value = service_principal;
    service.length = strlen((char *)service.value);
  } else {
    host_name=gethost_name();
    if ( !host_name ) {
      fprintf(stderr, "%s| %s: Local hostname could not be determined. Please specify the service principal\n", LogTime(), PROGRAM);
      exit(-1);
    }
    service.value = malloc(strlen(service_name)+strlen(host_name)+2);
    snprintf(service.value,strlen(service_name)+strlen(host_name)+2,"%s@%s",service_name,host_name);
    service.length = strlen((char *)service.value);
  }

  while (1) {
    if (fgets(buf, sizeof(buf)-1, stdin) == NULL) {
      if (ferror(stdin)) {
	if (debug)
	  fprintf(stderr, "%s| %s: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin),
		 strerror(ferror(stdin)));

	exit(1);    /* BIIG buffer */
      }
      exit(0);
    }

    c=memchr(buf,'\n',sizeof(buf)-1);
    if (c) {
      *c = '\0';
      length = c-buf;
    } else {
      err = 1;
    }
    if (err) {
      if (debug)
	fprintf(stderr, "%s| %s: Oversized message\n", LogTime(), PROGRAM);
      fprintf(stdout, "NA Oversized message\n");
      err = 0;
      continue;
    }

    if (debug)
      fprintf(stderr, "%s| %s: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf?buf:"NULL",length);

    if (buf[0] == '\0') {
      if (debug)
	fprintf(stderr, "%s| %s: Invalid request\n", LogTime(), PROGRAM);
      fprintf(stdout, "NA Invalid request\n");
      continue;
    }

    if (strlen(buf) < 2) {
      if (debug)
	fprintf(stderr, "%s| %s: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
      fprintf(stdout, "NA Invalid request\n");
      continue;
    }

    if ( !strncmp(buf, "QQ", 2) ) {
      gss_release_buffer(&minor_status, &input_token);
      gss_release_buffer(&minor_status, &output_token);
      gss_release_buffer(&minor_status, &service);
      gss_release_cred(&minor_status, &server_creds);
      gss_release_cred(&minor_status, &delegated_cred);
      gss_release_name(&minor_status, &server_name);
      gss_release_name(&minor_status, &client_name);
      gss_delete_sec_context(&minor_status, &gss_context, NULL);
      if (kerberosToken) {
	/* Allocated by parseNegTokenInit, but no matching free function exists.. */
        if (!spnego_flag)
          free((char *)kerberosToken);
        kerberosToken=NULL;
      }
      if (spnego_flag) {
	/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
        if (spnegoToken) 
	  free((char *)spnegoToken);
      	spnegoToken=NULL;
      }
      if (token) {
        free(token);
        token=NULL;
      }
      if (host_name) {
        free(host_name);
        host_name=NULL;
      }
      exit(0);
    }

    if ( !strncmp(buf, "YR", 2) && !strncmp(buf, "KK", 2) ) {
      if (debug)
	fprintf(stderr, "%s| %s: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
      fprintf(stdout, "NA Invalid request\n");
      continue;
    }
    if ( !strncmp(buf, "YR", 2) ){
      if (gss_context != GSS_C_NO_CONTEXT )
        gss_delete_sec_context(&minor_status, &gss_context, NULL);
      gss_context = GSS_C_NO_CONTEXT;
    }

    if (strlen(buf) <= 3) {
      if (debug)
	fprintf(stderr, "%s| %s: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf);
      fprintf(stdout, "NA Invalid negotiate request\n");
      continue;
    }
        
    input_token.length = base64_decode_len(buf+3);
    input_token.value = malloc(input_token.length);

    base64_decode(input_token.value,buf+3,input_token.length);

 
#ifndef HAVE_SPNEGO
    if (( rc=parseNegTokenInit (input_token.value,
				input_token.length,
				&kerberosToken,
				&kerberosTokenLength))!=0 ){
      if (debug)
	fprintf(stderr, "%s| %s: parseNegTokenInit failed with rc=%d\n", LogTime(), PROGRAM, rc);
        
      /* if between 100 and 200 it might be a GSSAPI token and not a SPNEGO token */    
      if ( rc < 100 || rc > 199 ) {
	if (debug)
	  fprintf(stderr, "%s| %s: Invalid GSS-SPNEGO query [%s]\n", LogTime(), PROGRAM, buf);
	fprintf(stdout, "NA Invalid GSS-SPNEGO query\n");
	goto cleanup;
      } 
      if ((input_token.length >= sizeof ntlmProtocol + 1) &&
	  (!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
	if (debug)
	  fprintf(stderr, "%s| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) *((unsigned char *)input_token.value + sizeof ntlmProtocol));
	fprintf(stdout, "NA received type %d NTLM token\n",(int) *((unsigned char *)input_token.value + sizeof ntlmProtocol));
	goto cleanup;
      } 
      spnego_flag=0;
    } else {
      gss_release_buffer(&minor_status, &input_token);
      input_token.length=kerberosTokenLength;
      input_token.value=(void *)kerberosToken;
      spnego_flag=1;
    }
#else
    if ((input_token.length >= sizeof ntlmProtocol + 1) &&
	(!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
      if (debug)
	fprintf(stderr, "%s| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) *((unsigned char *)input_token.value + sizeof ntlmProtocol));
      fprintf(stdout, "NA received type %d NTLM token\n",(int) *((unsigned char *)input_token.value + sizeof ntlmProtocol));
      goto cleanup;
    } 
#endif
     
    if ( service_principal ) {
      if ( strcasecmp(service_principal,"GSS_C_NO_NAME") ){
        major_status = gss_import_name(&minor_status, &service,
  				       (gss_OID) GSS_C_NULL_OID, &server_name);
       
      } else {
        server_name = GSS_C_NO_NAME;
        major_status = GSS_S_COMPLETE;
      }
    } else {
      major_status = gss_import_name(&minor_status, &service,
  				     gss_nt_service_name, &server_name);
    }

    if ( check_gss_err(major_status,minor_status,"gss_import_name()",debug,loging) )
      goto cleanup;

    major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
				    GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds,
				    NULL, NULL);
    if (check_gss_err(major_status,minor_status,"gss_acquire_cred()",debug,loging) )
      goto cleanup;

    major_status = gss_accept_sec_context(&minor_status,
					  &gss_context,
					  server_creds,
					  &input_token,
					  GSS_C_NO_CHANNEL_BINDINGS,
					  &client_name,
					  NULL,
					  &output_token,
					  &ret_flags,
					  NULL,
					  &delegated_cred);


    if (output_token.length) {
#ifndef HAVE_SPNEGO
      if (spnego_flag) {
	if ((rc=makeNegTokenTarg (output_token.value,
				  output_token.length,
				  &spnegoToken,
				  &spnegoTokenLength))!=0 ) {
	  if (debug)
	    fprintf(stderr, "%s| %s: makeNegTokenTarg failed with rc=%d\n", LogTime(), PROGRAM, rc);
	  fprintf(stdout, "NA makeNegTokenTarg failed with rc=%d\n",rc);
	  goto cleanup;
	}
      } else {
	spnegoToken = output_token.value;
	spnegoTokenLength = output_token.length;
      }
#else
      spnegoToken = output_token.value;
      spnegoTokenLength = output_token.length;
#endif
      token = malloc(base64_encode_len(spnegoTokenLength));
      if (token == NULL) {
	if (debug)
	  fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), PROGRAM);
	fprintf(stdout, "NA Not enough memory\n");
        goto cleanup;
      }

      base64_encode(token,(const char *)spnegoToken,base64_encode_len(spnegoTokenLength),spnegoTokenLength);

      if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,loging) )
	goto cleanup;
      if (major_status & GSS_S_CONTINUE_NEEDED) {
	if (debug)
	  fprintf(stderr, "%s| %s: continuation needed\n", LogTime(), PROGRAM);
	fprintf(stdout, "TT %s\n",token);
        goto cleanup;
      }
      gss_release_buffer(&minor_status, &output_token);
      major_status = gss_display_name(&minor_status, client_name, &output_token,
				      NULL);

      if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,loging) )
	goto cleanup;
      fprintf(stdout, "AF %s %s\n",token,(char *)output_token.value);
      if (debug)
	fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token,(char *)output_token.value); 
      if (loging)
	fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
      goto cleanup;
    } else {
      if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,loging) )
	goto cleanup;
      if (major_status & GSS_S_CONTINUE_NEEDED) {
	if (debug)
	  fprintf(stderr, "%s| %s: continuation needed\n", LogTime(), PROGRAM);
	fprintf(stdout, "NA No token to return to continue\n");
	goto cleanup;
      }
      gss_release_buffer(&minor_status, &output_token);
      major_status = gss_display_name(&minor_status, client_name, &output_token,
				      NULL);

      if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,loging) )
	goto cleanup;
      /* 
       *  Return dummy token AA. May need an extra return tag then AF
       */
      fprintf(stdout, "AF %s %s\n","AA==",(char *)output_token.value);
      if (debug)
	fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", (char *)output_token.value);
      if (loging)
	fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);

cleanup:
      gss_release_buffer(&minor_status, &input_token);
      gss_release_buffer(&minor_status, &output_token);
      gss_release_cred(&minor_status, &server_creds);
      gss_release_cred(&minor_status, &delegated_cred);
      gss_release_name(&minor_status, &server_name);
      gss_release_name(&minor_status, &client_name);
      if (kerberosToken) {
	/* Allocated by parseNegTokenInit, but no matching free function exists.. */
	if (!spnego_flag)
           free((char *)kerberosToken);
      	kerberosToken=NULL;
      }
      if (spnego_flag) {
	/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
        if (spnegoToken)
	  free((char *)spnegoToken);
      	spnegoToken=NULL;
      }
      if (token) {
        free(token);
      	token=NULL;
      }
      continue;            
    }
  }
}
Commit	Line	Data
3e5d7cdf	1	/*
	2	* -----------------------------------------------------------------------------
	3	*
	4	* Author: Markus Moeller (markus_moeller at compuserve.com)
	5	*
	6	* Copyright (C) 2007 Markus Moeller. All rights reserved.
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation; either version 2 of the License, or
	11	* (at your option) any later version.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
	21	*
	22	* -----------------------------------------------------------------------------
	23	*/
	24	/*
	25	* Hosted at http://sourceforge.net/projects/squidkerbauth
	26	*/
	27	#include <string.h>
	28	#include <stdio.h>
	29	#include <stdlib.h>
	30	#include <netdb.h>
	31	#include <unistd.h>
	32	#include <time.h>
	33	#include <sys/time.h>
	34
	35	#include "base64.h"
	36	#ifndef HAVE_SPNEGO
	37	#include "spnegohelp.h"
	38	#endif
	39
	40	#ifndef MAXHOSTNAMELEN
	41	#define MAXHOSTNAMELEN HOST_NAME_MAX
	42	#endif
	43
	44	#define PROGRAM "squid_kerb_auth"
	45
	46	#ifdef HEIMDAL
	47	#include <gssapi.h>
	48	#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
	49	#else
	50	#include <gssapi/gssapi.h>
	51	#ifndef SOLARIS_11
	52	#include <gssapi/gssapi_generic.h>
	53	#else
	54	#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
	55	#endif
	56	#endif
	57
	58	#include <krb5.h>
	59	int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function, int debug, int loging);
	60	char *gethost_name(void);
	61	static const char *LogTime(void);
	62
	63	static const unsigned char ntlmProtocol [] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
	64
65	static const char *LogTime()
66	{
67	struct tm *tm;
68	struct timeval now;
69	static time_t last_t = 0;
70	static char buf[128];
71
72	gettimeofday(&now, NULL);
73	if (now.tv_sec != last_t) {
74	tm = localtime(&now.tv_sec);
75	strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
76	last_t = now.tv_sec;
77	}
78	return buf;
79	}
80
81	char *gethost_name(void) {
82	char hostname[MAXHOSTNAMELEN];
83	struct addrinfo hres=NULL, hres_list;
84	int rc,count;
85
86	rc = gethostname(hostname,MAXHOSTNAMELEN);
87	if (rc)
88	{
89	fprintf(stderr, "%s\| %s: error while resolving hostname '%s'\n", LogTime(), PROGRAM, hostname);
90	return NULL;
91	}
92	rc = getaddrinfo(hostname,NULL,NULL,&hres);
93	if (rc != 0) {
94	fprintf(stderr, "%s\| %s: error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
95	return NULL;
96	}
97	hres_list=hres;
98	count=0;
99	while (hres_list) {
100	count++;
101	hres_list=hres_list->ai_next;
102	}
103	rc = getnameinfo (hres->ai_addr, hres->ai_addrlen,hostname, sizeof (hostname), NULL, 0, 0);
104	if (rc != 0) {
105	fprintf(stderr, "%s\| %s: error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
106	freeaddrinfo(hres);
107	return NULL ;
108	}
109
110	freeaddrinfo(hres);
111	hostname[MAXHOSTNAMELEN]='\0';
112	return(strdup(hostname));
113	}
114
115	int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function, int debug, int loging) {
116	if (GSS_ERROR(major_status)) {
117	OM_uint32 maj_stat,min_stat;
118	OM_uint32 msg_ctx = 0;
119	gss_buffer_desc status_string;
120	char buf[1024];
121	size_t len;
122
123	len = 0;
124	msg_ctx = 0;
125	while (!msg_ctx) {
126	/* convert major status code (GSS-API error) to text */
127	maj_stat = gss_display_status(&min_stat, major_status,
128	GSS_C_GSS_CODE,
129	GSS_C_NULL_OID,
130	&msg_ctx, &status_string);
131	if (maj_stat == GSS_S_COMPLETE) {
132	if (sizeof(buf) > len + status_string.length + 1) {
133	sprintf(buf+len, "%s", (char*) status_string.value);
134	len += status_string.length;
135	}
136	gss_release_buffer(&min_stat, &status_string);
137	break;
138	}
139	gss_release_buffer(&min_stat, &status_string);
140	}
141	if (sizeof(buf) > len + 2) {
142	sprintf(buf+len, "%s", ". ");
143	len += 2;
144	}
145	msg_ctx = 0;
146	while (!msg_ctx) {
147	/* convert minor status code (underlying routine error) to text */
148	maj_stat = gss_display_status(&min_stat, minor_status,
149	GSS_C_MECH_CODE,
150	GSS_C_NULL_OID,
151	&msg_ctx, &status_string);
152	if (maj_stat == GSS_S_COMPLETE) {
153	if (sizeof(buf) > len + status_string.length ) {
154	sprintf(buf+len, "%s", (char*) status_string.value);
155	len += status_string.length;
156	}
157	gss_release_buffer(&min_stat, &status_string);
158	break;
159	}
160	gss_release_buffer(&min_stat, &status_string);
161	}
162	if (debug)
163	fprintf(stderr, "%s\| %s: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
164	fprintf(stdout, "NA %s failed: %s\n",function, buf);
165	if (loging)
166	fprintf(stderr, "%s\| %s: User not authenticated\n", LogTime(), PROGRAM);
167	return(1);
168	}
169	return(0);
170	}
171
172
173
174	int main(int argc, char * const argv[])
175	{
176	char buf[6400];
177	char *c;
178	int length=0;
179	static int err=0;
180	int opt, rc, debug=0, loging=0;
181	OM_uint32 ret_flags=0, spnego_flag=0;
182	char service_name=(char )"HTTP",*host_name=NULL;
183	char *token = NULL;
184	char *service_principal = NULL;
185	OM_uint32 major_status, minor_status;
186	gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
187	gss_name_t client_name = GSS_C_NO_NAME;
188	gss_name_t server_name = GSS_C_NO_NAME;
189	gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
190	gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
191	gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
192	gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
193	gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
194	const unsigned char *kerberosToken = NULL;
195	size_t kerberosTokenLength = 0;
196	const unsigned char *spnegoToken = NULL ;
197	size_t spnegoTokenLength = 0;
198
199	setbuf(stdout,NULL);
200	setbuf(stdin,NULL);
201
202	while (-1 != (opt = getopt(argc, argv, "dis:h"))) {
203	switch (opt) {
204	case 'd':
205	debug = 1;
206	break;
207	case 'i':
208	loging = 1;
209	break;
210	case 's':
211	service_principal = strdup(optarg);
212	break;
213	case 'h':
214	fprintf(stdout, "Usage: \n");
215	fprintf(stdout, "squid_kerb_auth -d [-s SPN]\n");
216	fprintf(stdout, "SPN = service principal name\n");
217	fprintf(stdout, "Can be set to GSS_C_NO_NAME to allow any entry from keytab\n");
218	fprintf(stdout, "default SPN is HTTP/fqdn@DEFAULT_REALM\n");
219	break;
220	default:
221	fprintf(stderr, "%s\| %s: unknown option: -%c.\n", LogTime(), PROGRAM, opt);
222	}
223	}
224
225	if (service_principal && strcasecmp(service_principal,"GSS_C_NO_NAME") ) {
226	service.value = service_principal;
227	service.length = strlen((char *)service.value);
228	} else {
229	host_name=gethost_name();
230	if ( !host_name ) {
231	fprintf(stderr, "%s\| %s: Local hostname could not be determined. Please specify the service principal\n", LogTime(), PROGRAM);
232	exit(-1);
233	}
234	service.value = malloc(strlen(service_name)+strlen(host_name)+2);
235	snprintf(service.value,strlen(service_name)+strlen(host_name)+2,"%s@%s",service_name,host_name);
236	service.length = strlen((char *)service.value);
237	}
238
239	while (1) {
240	if (fgets(buf, sizeof(buf)-1, stdin) == NULL) {
241	if (ferror(stdin)) {
242	if (debug)
243	fprintf(stderr, "%s\| %s: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin),
244	strerror(ferror(stdin)));
245
246	exit(1); /* BIIG buffer */
247	}
248	exit(0);
249	}
250
251	c=memchr(buf,'\n',sizeof(buf)-1);
252	if (c) {
253	*c = '\0';
254	length = c-buf;
255	} else {
256	err = 1;
257	}
258	if (err) {
259	if (debug)
260	fprintf(stderr, "%s\| %s: Oversized message\n", LogTime(), PROGRAM);
261	fprintf(stdout, "NA Oversized message\n");
262	err = 0;
263	continue;
264	}
265
266	if (debug)
267	fprintf(stderr, "%s\| %s: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf?buf:"NULL",length);
268
269	if (buf[0] == '\0') {
270	if (debug)
271	fprintf(stderr, "%s\| %s: Invalid request\n", LogTime(), PROGRAM);
272	fprintf(stdout, "NA Invalid request\n");
273	continue;
274	}
275
276	if (strlen(buf) < 2) {
277	if (debug)
278	fprintf(stderr, "%s\| %s: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
279	fprintf(stdout, "NA Invalid request\n");
280	continue;
281	}
282
283	if ( !strncmp(buf, "QQ", 2) ) {
284	gss_release_buffer(&minor_status, &input_token);
285	gss_release_buffer(&minor_status, &output_token);
286	gss_release_buffer(&minor_status, &service);
287	gss_release_cred(&minor_status, &server_creds);
288	gss_release_cred(&minor_status, &delegated_cred);
289	gss_release_name(&minor_status, &server_name);
290	gss_release_name(&minor_status, &client_name);
291	gss_delete_sec_context(&minor_status, &gss_context, NULL);
292	if (kerberosToken) {
293	/* Allocated by parseNegTokenInit, but no matching free function exists.. */
294	if (!spnego_flag)
295	free((char *)kerberosToken);
296	kerberosToken=NULL;
297	}
298	if (spnego_flag) {
299	/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
300	if (spnegoToken)
301	free((char *)spnegoToken);
302	spnegoToken=NULL;
303	}
304	if (token) {
305	free(token);
306	token=NULL;
307	}
308	if (host_name) {
309	free(host_name);
310	host_name=NULL;
311	}
312	exit(0);
313	}
314
315	if ( !strncmp(buf, "YR", 2) && !strncmp(buf, "KK", 2) ) {
316	if (debug)
317	fprintf(stderr, "%s\| %s: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
318	fprintf(stdout, "NA Invalid request\n");
319	continue;
320	}
321	if ( !strncmp(buf, "YR", 2) ){
322	if (gss_context != GSS_C_NO_CONTEXT )
323	gss_delete_sec_context(&minor_status, &gss_context, NULL);
324	gss_context = GSS_C_NO_CONTEXT;
325	}
326
327	if (strlen(buf) <= 3) {
328	if (debug)
329	fprintf(stderr, "%s\| %s: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf);
330	fprintf(stdout, "NA Invalid negotiate request\n");
331	continue;
332	}
333
334	input_token.length = base64_decode_len(buf+3);
335	input_token.value = malloc(input_token.length);
336
337	base64_decode(input_token.value,buf+3,input_token.length);
338
339
340	#ifndef HAVE_SPNEGO
341	if (( rc=parseNegTokenInit (input_token.value,
342	input_token.length,
343	&kerberosToken,
344	&kerberosTokenLength))!=0 ){
345	if (debug)
346	fprintf(stderr, "%s\| %s: parseNegTokenInit failed with rc=%d\n", LogTime(), PROGRAM, rc);
347
348	/* if between 100 and 200 it might be a GSSAPI token and not a SPNEGO token */
349	if ( rc < 100 \|\| rc > 199 ) {
350	if (debug)
351	fprintf(stderr, "%s\| %s: Invalid GSS-SPNEGO query [%s]\n", LogTime(), PROGRAM, buf);
352	fprintf(stdout, "NA Invalid GSS-SPNEGO query\n");
353	goto cleanup;
354	}
355	if ((input_token.length >= sizeof ntlmProtocol + 1) &&
356	(!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
357	if (debug)
358	fprintf(stderr, "%s\| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) ((unsigned char )input_token.value + sizeof ntlmProtocol));
359	fprintf(stdout, "NA received type %d NTLM token\n",(int) ((unsigned char )input_token.value + sizeof ntlmProtocol));
360	goto cleanup;
361	}
362	spnego_flag=0;
363	} else {
364	gss_release_buffer(&minor_status, &input_token);
365	input_token.length=kerberosTokenLength;
366	input_token.value=(void *)kerberosToken;
367	spnego_flag=1;
368	}
369	#else
370	if ((input_token.length >= sizeof ntlmProtocol + 1) &&
371	(!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
372	if (debug)
373	fprintf(stderr, "%s\| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) ((unsigned char )input_token.value + sizeof ntlmProtocol));
374	fprintf(stdout, "NA received type %d NTLM token\n",(int) ((unsigned char )input_token.value + sizeof ntlmProtocol));
375	goto cleanup;
376	}
377	#endif
378
379	if ( service_principal ) {
380	if ( strcasecmp(service_principal,"GSS_C_NO_NAME") ){
381	major_status = gss_import_name(&minor_status, &service,
382	(gss_OID) GSS_C_NULL_OID, &server_name);
383
384	} else {
385	server_name = GSS_C_NO_NAME;
386	major_status = GSS_S_COMPLETE;
387	}
388	} else {
389	major_status = gss_import_name(&minor_status, &service,
390	gss_nt_service_name, &server_name);
391	}
392
393	if ( check_gss_err(major_status,minor_status,"gss_import_name()",debug,loging) )
394	goto cleanup;
395
396	major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
397	GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds,
398	NULL, NULL);
399	if (check_gss_err(major_status,minor_status,"gss_acquire_cred()",debug,loging) )
400	goto cleanup;
401
402	major_status = gss_accept_sec_context(&minor_status,
403	&gss_context,
404	server_creds,
405	&input_token,
406	GSS_C_NO_CHANNEL_BINDINGS,
407	&client_name,
408	NULL,
409	&output_token,
410	&ret_flags,
411	NULL,
412	&delegated_cred);
413
414
415	if (output_token.length) {
416	#ifndef HAVE_SPNEGO
417	if (spnego_flag) {
418	if ((rc=makeNegTokenTarg (output_token.value,
419	output_token.length,
420	&spnegoToken,
421	&spnegoTokenLength))!=0 ) {
422	if (debug)
423	fprintf(stderr, "%s\| %s: makeNegTokenTarg failed with rc=%d\n", LogTime(), PROGRAM, rc);
424	fprintf(stdout, "NA makeNegTokenTarg failed with rc=%d\n",rc);
425	goto cleanup;
426	}
427	} else {
428	spnegoToken = output_token.value;
429	spnegoTokenLength = output_token.length;
430	}
431	#else
432	spnegoToken = output_token.value;
433	spnegoTokenLength = output_token.length;
434	#endif
435	token = malloc(base64_encode_len(spnegoTokenLength));
436	if (token == NULL) {
437	if (debug)
438	fprintf(stderr, "%s\| %s: Not enough memory\n", LogTime(), PROGRAM);
439	fprintf(stdout, "NA Not enough memory\n");
440	goto cleanup;
441	}
442
443	base64_encode(token,(const char *)spnegoToken,base64_encode_len(spnegoTokenLength),spnegoTokenLength);
444
445	if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,loging) )
446	goto cleanup;
447	if (major_status & GSS_S_CONTINUE_NEEDED) {
448	if (debug)
449	fprintf(stderr, "%s\| %s: continuation needed\n", LogTime(), PROGRAM);
450	fprintf(stdout, "TT %s\n",token);
451	goto cleanup;
452	}
453	gss_release_buffer(&minor_status, &output_token);
454	major_status = gss_display_name(&minor_status, client_name, &output_token,
455	NULL);
456
457	if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,loging) )
458	goto cleanup;
459	fprintf(stdout, "AF %s %s\n",token,(char *)output_token.value);
460	if (debug)
461	fprintf(stderr, "%s\| %s: AF %s %s\n", LogTime(), PROGRAM, token,(char *)output_token.value);
462	if (loging)
463	fprintf(stderr, "%s\| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
464	goto cleanup;
465	} else {
466	if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,loging) )
467	goto cleanup;
468	if (major_status & GSS_S_CONTINUE_NEEDED) {
469	if (debug)
470	fprintf(stderr, "%s\| %s: continuation needed\n", LogTime(), PROGRAM);
471	fprintf(stdout, "NA No token to return to continue\n");
472	goto cleanup;
473	}
474	gss_release_buffer(&minor_status, &output_token);
475	major_status = gss_display_name(&minor_status, client_name, &output_token,
476	NULL);
477
478	if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,loging) )
479	goto cleanup;
480	/*
481	* Return dummy token AA. May need an extra return tag then AF
482	*/
483	fprintf(stdout, "AF %s %s\n","AA==",(char *)output_token.value);
484	if (debug)
485	fprintf(stderr, "%s\| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", (char *)output_token.value);
486	if (loging)
487	fprintf(stderr, "%s\| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
488
489	cleanup:
490	gss_release_buffer(&minor_status, &input_token);
491	gss_release_buffer(&minor_status, &output_token);
492	gss_release_cred(&minor_status, &server_creds);
493	gss_release_cred(&minor_status, &delegated_cred);
494	gss_release_name(&minor_status, &server_name);
495	gss_release_name(&minor_status, &client_name);
496	if (kerberosToken) {
497	/* Allocated by parseNegTokenInit, but no matching free function exists.. */
498	if (!spnego_flag)
499	free((char *)kerberosToken);
500	kerberosToken=NULL;
501	}
502	if (spnego_flag) {
503	/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
504	if (spnegoToken)
505	free((char *)spnegoToken);
506	spnegoToken=NULL;
507	}
508	if (token) {
509	free(token);
510	token=NULL;
511	}
512	continue;
513	}
514	}
515	}