]>
Commit | Line | Data |
---|---|---|
9ca29d23 AJ |
1 | /* |
2 | * ----------------------------------------------------------------------------- | |
3 | * | |
4 | * Author: Markus Moeller (markus_moeller at compuserve.com) | |
5 | * | |
6 | * Copyright (C) 2007 Markus Moeller. All rights reserved. | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. | |
21 | * | |
22 | * ----------------------------------------------------------------------------- | |
23 | */ | |
24 | /* | |
25 | * Hosted at http://sourceforge.net/projects/squidkerbauth | |
26 | */ | |
27 | ||
28 | #include <squid.h> | |
29 | ||
30 | #if HAVE_KRB5 && HAVE_GSSAPI | |
31 | #ifdef __cplusplus | |
32 | extern "C" | |
33 | { | |
34 | #endif | |
35 | ||
36 | #if HAVE_PROFILE_H | |
37 | #include <profile.h> | |
38 | #endif /* HAVE_PROFILE_H */ | |
39 | #if HAVE_KRB5_H | |
40 | #include <krb5.h> | |
41 | #endif /* HAVE_KRB5_H */ | |
42 | #if HAVE_COM_ERR_H | |
43 | #include <com_err.h> | |
44 | #endif /* HAVE_COM_ERR_H */ | |
45 | ||
46 | #if HAVE_GSSAPI_GSSAPI_H | |
47 | #include <gssapi/gssapi.h> | |
48 | #elif HAVE_GSSAPI_H | |
49 | #include <gssapi.h> | |
50 | #endif /* HAVE_GSSAPI_H */ | |
51 | #if HAVE_GSSAPI_GSSAPI_EXT_H | |
52 | #include <gssapi/gssapi_ext.h> | |
53 | #endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ | |
54 | #if HAVE_GSSAPI_GSSAPI_KRB5_H | |
55 | #include <gssapi/gssapi_krb5.h> | |
56 | #endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ | |
57 | #if HAVE_GSSAPI_GSSAPI_GENERIC_H | |
58 | #include <gssapi/gssapi_generic.h> | |
59 | #endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ | |
60 | ||
61 | #ifndef gss_nt_service_name | |
62 | #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE | |
63 | #endif | |
64 | ||
65 | #if HAVE_HEIMDAL_KERBEROS | |
66 | #define error_message(code) krb5_get_err_text(kparam.context,code) | |
67 | #endif | |
68 | ||
69 | #ifndef gss_mech_spnego | |
70 | static gss_OID_desc _gss_mech_spnego = | |
71 | { 6, (void *) "\x2b\x06\x01\x05\x05\x02" }; | |
72 | gss_OID gss_mech_spnego = &_gss_mech_spnego; | |
73 | #endif | |
74 | ||
75 | #if HAVE_NAS_KERBEROS | |
76 | #include <ibm_svc/krb5_svc.h> | |
77 | const char *KRB5_CALLCONV error_message(long code) | |
78 | { | |
79 | char *msg = NULL; | |
80 | krb5_svc_get_msg(code, &msg); | |
81 | return msg; | |
82 | } | |
83 | #endif | |
84 | ||
85 | /* | |
86 | * Kerberos context and cache structure | |
87 | * Caches authentication details to reduce | |
88 | * number of authentication requests to kdc | |
89 | */ | |
90 | static struct kstruct | |
91 | { | |
92 | krb5_context context; | |
93 | krb5_ccache cc; | |
94 | } kparam = { | |
95 | NULL, NULL}; | |
96 | ||
97 | /* | |
98 | * krb5_create_cache creates a Kerberos file credential cache or a memory | |
99 | * credential cache if supported. The initial key for the principal | |
100 | * principal_name is extracted from the keytab keytab_filename. | |
101 | * | |
102 | * If keytab_filename is NULL the default will be used. | |
103 | * If principal_name is NULL the first working entry of the keytab will be used. | |
104 | */ | |
105 | int krb5_create_cache(char *keytab_filename, char *principal_name); | |
106 | ||
107 | /* | |
108 | * krb5_cleanup clears used Keberos memory | |
109 | */ | |
110 | void krb5_cleanup(void); | |
111 | ||
112 | /* | |
113 | * check_gss_err checks for gssapi error codes, extracts the error message | |
114 | * and prints it. | |
115 | */ | |
116 | int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, | |
117 | const char *function); | |
118 | ||
119 | int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, | |
120 | const char *function) | |
121 | { | |
122 | if (GSS_ERROR(major_status)) { | |
123 | OM_uint32 maj_stat, min_stat; | |
124 | OM_uint32 msg_ctx = 0; | |
125 | gss_buffer_desc status_string; | |
126 | char buf[1024]; | |
127 | size_t len; | |
128 | ||
129 | len = 0; | |
130 | msg_ctx = 0; | |
131 | while (!msg_ctx) { | |
132 | /* convert major status code (GSS-API error) to text */ | |
133 | maj_stat = gss_display_status(&min_stat, major_status, | |
134 | GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); | |
135 | if (maj_stat == GSS_S_COMPLETE) { | |
136 | if (sizeof(buf) > len + status_string.length + 1) { | |
137 | memcpy(buf + len, status_string.value, | |
138 | status_string.length); | |
139 | len += status_string.length; | |
140 | } | |
141 | gss_release_buffer(&min_stat, &status_string); | |
142 | break; | |
143 | } | |
144 | gss_release_buffer(&min_stat, &status_string); | |
145 | } | |
146 | if (sizeof(buf) > len + 2) { | |
147 | strcpy(buf + len, ". "); | |
148 | len += 2; | |
149 | } | |
150 | msg_ctx = 0; | |
151 | while (!msg_ctx) { | |
152 | /* convert minor status code (underlying routine error) to text */ | |
153 | maj_stat = gss_display_status(&min_stat, minor_status, | |
154 | GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); | |
155 | if (maj_stat == GSS_S_COMPLETE) { | |
156 | if (sizeof(buf) > len + status_string.length) { | |
157 | memcpy(buf + len, status_string.value, | |
158 | status_string.length); | |
159 | len += status_string.length; | |
160 | } | |
161 | gss_release_buffer(&min_stat, &status_string); | |
162 | break; | |
163 | } | |
164 | gss_release_buffer(&min_stat, &status_string); | |
165 | } | |
166 | debugs(11, 5, HERE << function << "failed: " << buf); | |
167 | return (1); | |
168 | } | |
169 | return (0); | |
170 | } | |
171 | ||
172 | void krb5_cleanup() | |
173 | { | |
174 | debugs(11, 5, HERE << "Cleanup kerberos context"); | |
175 | if (kparam.context) { | |
176 | if (kparam.cc) | |
177 | krb5_cc_destroy(kparam.context, kparam.cc); | |
178 | kparam.cc = NULL; | |
179 | krb5_free_context(kparam.context); | |
180 | kparam.context = NULL; | |
181 | } | |
182 | } | |
183 | ||
184 | int krb5_create_cache(char *kf, char *pn) | |
185 | { | |
186 | ||
187 | #define KT_PATH_MAX 256 | |
188 | #define MAX_RENEW_TIME "365d" | |
189 | #define DEFAULT_SKEW (krb5_deltat) 600 | |
190 | ||
191 | static char *keytab_filename = NULL, *principal_name = NULL; | |
192 | static krb5_keytab keytab = 0; | |
193 | static krb5_keytab_entry entry; | |
194 | static krb5_kt_cursor cursor; | |
195 | static krb5_creds *creds = NULL; | |
196 | #if HAVE_HEIMDAL_KERBEROS | |
197 | static krb5_creds creds2; | |
198 | #endif | |
199 | static krb5_principal principal = NULL; | |
200 | static krb5_deltat skew; | |
201 | ||
202 | krb5_get_init_creds_opt options; | |
203 | krb5_error_code code = 0; | |
204 | krb5_deltat rlife; | |
205 | #if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE | |
206 | profile_t profile; | |
207 | #endif | |
208 | #if HAVE_HEIMDAL_KERBEROS | |
209 | krb5_kdc_flags flags; | |
210 | krb5_realm *client_realm; | |
211 | #endif | |
212 | char *mem_cache; | |
213 | ||
214 | restart: | |
215 | /* | |
216 | * Check if credentials need to be renewed | |
217 | */ | |
218 | if (creds && | |
219 | (creds->times.endtime - time(0) > skew) && | |
220 | (creds->times.renew_till - time(0) > 2 * skew)) { | |
221 | if (creds->times.endtime - time(0) < 2 * skew) { | |
222 | #if !HAVE_HEIMDAL_KERBEROS | |
223 | /* renew ticket */ | |
224 | code = | |
225 | krb5_get_renewed_creds(kparam.context, creds, principal, | |
226 | kparam.cc, NULL); | |
227 | #else | |
228 | /* renew ticket */ | |
229 | flags.i = 0; | |
230 | flags.b.renewable = flags.b.renew = 1; | |
231 | ||
232 | code = | |
233 | krb5_cc_get_principal(kparam.context, kparam.cc, | |
234 | &creds2.client); | |
235 | if (code) { | |
236 | debugs(11, 5, | |
237 | HERE << | |
238 | "Error while getting principal from credential cache : " | |
239 | << error_message(code)); | |
240 | return (1); | |
241 | } | |
242 | client_realm = krb5_princ_realm(kparam.context, creds2.client); | |
243 | code = | |
244 | krb5_make_principal(kparam.context, &creds2.server, | |
245 | *client_realm, KRB5_TGS_NAME, *client_realm, NULL); | |
246 | if (code) { | |
247 | debugs(11, 5, | |
248 | HERE << "Error while getting krbtgt principal : " << | |
249 | error_message(code)); | |
250 | return (1); | |
251 | } | |
252 | code = | |
253 | krb5_get_kdc_cred(kparam.context, kparam.cc, flags, NULL, | |
254 | NULL, &creds2, &creds); | |
255 | krb5_free_creds(kparam.context, &creds2); | |
256 | #endif | |
257 | if (code) { | |
258 | if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) { | |
259 | krb5_free_creds(kparam.context, creds); | |
260 | creds = NULL; | |
261 | /* this can happen because of clock skew */ | |
262 | goto restart; | |
263 | } | |
264 | debugs(11, 5, | |
265 | HERE << "Error while get credentials : " << | |
266 | error_message(code)); | |
267 | return (1); | |
268 | } | |
269 | } | |
270 | } else { | |
271 | /* reinit */ | |
272 | if (!kparam.context) { | |
273 | code = krb5_init_context(&kparam.context); | |
274 | if (code) { | |
275 | debugs(11, 5, | |
276 | HERE << "Error while initialising Kerberos library : " | |
277 | << error_message(code)); | |
278 | return (1); | |
279 | } | |
280 | } | |
281 | #if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE | |
282 | code = krb5_get_profile(kparam.context, &profile); | |
283 | if (code) { | |
284 | if (profile) | |
285 | profile_release(profile); | |
286 | debugs(11, 5, | |
287 | HERE << "Error while getting profile : " << | |
288 | error_message(code)); | |
289 | return (1); | |
290 | } | |
291 | code = | |
292 | profile_get_integer(profile, "libdefaults", "clockskew", 0, | |
293 | 5 * 60, &skew); | |
294 | if (profile) | |
295 | profile_release(profile); | |
296 | if (code) { | |
297 | debugs(11, 5, | |
298 | HERE << "Error while getting clockskew : " << | |
299 | error_message(code)); | |
300 | return (1); | |
301 | } | |
302 | #elif HAVE_KRB5_GET_MAX_TIME_SKEW && HAVE_HEIMDAL_KERBEROS | |
303 | skew = krb5_get_max_time_skew(kparam.context); | |
304 | #elif HAVE_MAX_SKEW_IN_KRB5_CONTEXT && HAVE_HEIMDAL_KERBEROS | |
305 | skew = kparam.context->max_skew; | |
306 | #else | |
307 | skew = DEFAULT_SKEW; | |
308 | #endif | |
309 | ||
310 | if (!kf) { | |
311 | char buf[KT_PATH_MAX], *p; | |
312 | ||
313 | krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); | |
314 | p = strchr(buf, ':'); | |
315 | if (p) | |
316 | p++; | |
317 | if (keytab_filename) | |
318 | xfree(keytab_filename); | |
319 | keytab_filename = xstrdup(p ? p : buf); | |
320 | } else { | |
321 | keytab_filename = xstrdup(kf); | |
322 | } | |
323 | ||
324 | code = krb5_kt_resolve(kparam.context, keytab_filename, &keytab); | |
325 | if (code) { | |
326 | debugs(11, 5, | |
327 | HERE << "Error while resolving keytab filename " << | |
328 | keytab_filename << " : " << error_message(code)); | |
329 | return (1); | |
330 | } | |
331 | ||
332 | if (!pn) { | |
333 | code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); | |
334 | if (code) { | |
335 | debugs(11, 5, | |
336 | HERE << "Error while starting keytab scan : " << | |
337 | error_message(code)); | |
338 | return (1); | |
339 | } | |
340 | code = | |
341 | krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor); | |
342 | krb5_copy_principal(kparam.context, entry.principal, | |
343 | &principal); | |
344 | if (code && code != KRB5_KT_END) { | |
345 | debugs(11, 5, | |
346 | HERE << "Error while scanning keytab : " << | |
347 | error_message(code)); | |
348 | return (1); | |
349 | } | |
350 | ||
351 | code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); | |
352 | if (code) { | |
353 | debugs(11, 5, | |
354 | HERE << "Error while ending keytab scan : " << | |
355 | error_message(code)); | |
356 | return (1); | |
357 | } | |
358 | #if HAVE_HEIMDAL_KERBEROS || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY) | |
359 | code = krb5_kt_free_entry(kparam.context, &entry); | |
360 | #else | |
361 | code = krb5_free_keytab_entry_contents(kparam.context, &entry); | |
362 | #endif | |
363 | if (code) { | |
364 | debugs(11, 5, | |
365 | HERE << "Error while freeing keytab entry : " << | |
366 | error_message(code)); | |
367 | return (1); | |
368 | } | |
369 | ||
370 | } else { | |
371 | principal_name = xstrdup(pn); | |
372 | } | |
373 | ||
374 | if (!principal) { | |
375 | code = | |
376 | krb5_parse_name(kparam.context, principal_name, &principal); | |
377 | if (code) { | |
378 | debugs(11, 5, | |
379 | HERE << "Error while parsing principal name " << | |
380 | principal_name << " : " << error_message(code)); | |
381 | return (1); | |
382 | } | |
383 | } | |
384 | ||
385 | creds = (krb5_creds *) xmalloc(sizeof(*creds)); | |
386 | memset(creds, 0, sizeof(*creds)); | |
387 | krb5_get_init_creds_opt_init(&options); | |
388 | code = krb5_string_to_deltat((char *) MAX_RENEW_TIME, &rlife); | |
389 | if (code != 0 || rlife == 0) { | |
390 | debugs(11, 5, | |
391 | HERE << "Error bad lifetime value " << MAX_RENEW_TIME << | |
392 | " : " << error_message(code)); | |
393 | return (1); | |
394 | } | |
395 | krb5_get_init_creds_opt_set_renew_life(&options, rlife); | |
396 | ||
397 | code = | |
398 | krb5_get_init_creds_keytab(kparam.context, creds, principal, | |
399 | keytab, 0, NULL, &options); | |
400 | if (code) { | |
401 | debugs(11, 5, | |
402 | HERE << | |
403 | "Error while initializing credentials from keytab : " << | |
404 | error_message(code)); | |
405 | return (1); | |
406 | } | |
407 | #if !HAVE_KRB5_MEMORY_CACHE | |
408 | mem_cache = | |
409 | (char *) xmalloc(strlen("FILE:/tmp/peer_proxy_negotiate_auth_") | |
410 | + 16); | |
411 | snprintf(mem_cache, | |
412 | strlen("FILE:/tmp/peer_proxy_negotiate_auth_") + 16, | |
413 | "FILE:/tmp/peer_proxy_negotiate_auth_%d", (int) getpid()); | |
414 | #else | |
415 | mem_cache = | |
416 | (char *) xmalloc(strlen("MEMORY:peer_proxy_negotiate_auth_") + | |
417 | 16); | |
418 | snprintf(mem_cache, | |
419 | strlen("MEMORY:peer_proxy_negotiate_auth_") + 16, | |
420 | "MEMORY:peer_proxy_negotiate_auth_%d", (int) getpid()); | |
421 | #endif | |
422 | ||
423 | setenv("KRB5CCNAME", mem_cache, 1); | |
424 | code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc); | |
425 | if (mem_cache) | |
426 | xfree(mem_cache); | |
427 | if (code) { | |
428 | debugs(11, 5, | |
429 | HERE << "Error while resolving memory credential cache : " | |
430 | << error_message(code)); | |
431 | return (1); | |
432 | } | |
433 | code = krb5_cc_initialize(kparam.context, kparam.cc, principal); | |
434 | if (code) { | |
435 | debugs(11, 5, | |
436 | HERE << | |
437 | "Error while initializing memory credential cache : " << | |
438 | error_message(code)); | |
439 | return (1); | |
440 | } | |
441 | code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); | |
442 | if (code) { | |
443 | debugs(11, 5, | |
444 | HERE << "Error while storing credentials : " << | |
445 | error_message(code)); | |
446 | return (1); | |
447 | } | |
448 | ||
449 | if (!creds->times.starttime) | |
450 | creds->times.starttime = creds->times.authtime; | |
451 | } | |
452 | return (0); | |
453 | } | |
454 | ||
455 | /* | |
456 | * peer_proxy_negotiate_auth gets a GSSAPI token for principal_name | |
457 | * and base64 encodes it. | |
458 | */ | |
459 | char *peer_proxy_negotiate_auth(char *principal_name, char *proxy) | |
460 | { | |
461 | int rc = 0; | |
462 | OM_uint32 major_status, minor_status; | |
463 | gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; | |
464 | gss_name_t server_name = GSS_C_NO_NAME; | |
465 | gss_buffer_desc service = GSS_C_EMPTY_BUFFER; | |
466 | gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; | |
467 | gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; | |
468 | char *token = NULL; | |
469 | ||
470 | setbuf(stdout, NULL); | |
471 | setbuf(stdin, NULL); | |
472 | ||
473 | if (!proxy) { | |
474 | debugs(11, 5, HERE << "Error : No proxy server name"); | |
475 | return NULL; | |
476 | } | |
477 | ||
478 | if (principal_name) | |
479 | debugs(11, 5, | |
480 | HERE << "Creating credential cache for " << principal_name); | |
481 | else | |
482 | debugs(11, 5, HERE << "Creating credential cache"); | |
483 | rc = krb5_create_cache(NULL, principal_name); | |
484 | if (rc) { | |
485 | debugs(11, 5, HERE << "Error : Failed to create Kerberos cache"); | |
486 | krb5_cleanup(); | |
487 | return NULL; | |
488 | } | |
489 | ||
490 | service.value = (void *) xmalloc(strlen("HTTP") + strlen(proxy) + 2); | |
491 | snprintf((char *) service.value, strlen("HTTP") + strlen(proxy) + 2, | |
492 | "%s@%s", "HTTP", proxy); | |
493 | service.length = strlen((char *) service.value); | |
494 | ||
495 | debugs(11, 5, HERE << "Import gss name"); | |
496 | major_status = gss_import_name(&minor_status, &service, | |
497 | gss_nt_service_name, &server_name); | |
498 | ||
499 | if (check_gss_err(major_status, minor_status, "gss_import_name()")) | |
500 | goto cleanup; | |
501 | ||
502 | debugs(11, 5, HERE << "Initialize gss security context"); | |
503 | major_status = gss_init_sec_context(&minor_status, | |
504 | GSS_C_NO_CREDENTIAL, | |
505 | &gss_context, | |
506 | server_name, | |
507 | gss_mech_spnego, | |
508 | 0, | |
509 | 0, | |
510 | GSS_C_NO_CHANNEL_BINDINGS, | |
511 | &input_token, NULL, &output_token, NULL, NULL); | |
512 | ||
513 | if (check_gss_err(major_status, minor_status, "gss_init_sec_context()")) | |
514 | goto cleanup; | |
515 | ||
516 | debugs(11, 5, HERE << "Got token with length " << output_token.length); | |
517 | if (output_token.length) { | |
518 | ||
519 | token = | |
520 | (char *) base64_encode_bin((const char *) output_token.value, | |
521 | output_token.length); | |
522 | } | |
523 | ||
524 | ||
525 | cleanup: | |
526 | gss_delete_sec_context(&minor_status, &gss_context, NULL); | |
527 | gss_release_buffer(&minor_status, &service); | |
528 | gss_release_buffer(&minor_status, &input_token); | |
529 | gss_release_buffer(&minor_status, &output_token); | |
530 | gss_release_name(&minor_status, &server_name); | |
531 | ||
532 | return token; | |
533 | } | |
534 | ||
535 | #ifdef __cplusplus | |
536 | } | |
537 | #endif | |
538 | #endif /* HAVE_KRB5 && HAVE_GSSAPI */ |