From: Automatic source maintenance Date: Sat, 14 Aug 2010 00:12:49 +0000 (-0600) Subject: SourceFormat Enforcement X-Git-Tag: take1~386 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e881a6fe555b4e1ab23c9a16684a1591af0cbe2;p=thirdparty%2Fsquid.git SourceFormat Enforcement
---
diff --git a/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc b/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
index ef167cf628..7019bcb45d 100644
--- a/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
+++ b/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
@@ -68,29 +68,29 @@ clean_gd(struct gdstruct *gdsp)
 {
 struct gdstruct *p = NULL, *pp = NULL;
- start:
+start:
 p = gdsp;
 if (!p)
- return;
+ return;
 while (p->next) {
- pp = p;
- p = p->next;
+ pp = p;
+ p = p->next;
 }
 if (p->group) {
- xfree(p->group);
- p->group = NULL;
+ xfree(p->group);
+ p->group = NULL;
 }
 if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
+ xfree(p->domain);
+ p->domain = NULL;
 }
 if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
+ xfree(pp->next);
+ pp->next = NULL;
 }
 if (p == gdsp) {
- xfree(gdsp);
- gdsp = NULL;
+ xfree(gdsp);
+ gdsp = NULL;
 }
 goto start;
 }
@@ -100,29 +100,29 @@ clean_nd(struct ndstruct *ndsp)
 {
 struct ndstruct *p = NULL, *pp = NULL;
- start:
+start:
 p = ndsp;
 if (!p)
- return;
+ return;
 while (p->next) {
- pp = p;
- p = p->next;
+ pp = p;
+ p = p->next;
 }
 if (p->netbios) {
- xfree(p->netbios);
- p->netbios = NULL;
+ xfree(p->netbios);
+ p->netbios = NULL;
 }
 if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
+ xfree(p->domain);
+ p->domain = NULL;
 }
 if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
+ xfree(pp->next);
+ pp->next = NULL;
 }
 if (p == ndsp) {
- xfree(ndsp);
- ndsp = NULL;
+ xfree(ndsp);
+ ndsp = NULL;
 }
 goto start;
 }
@@ -131,52 +131,52 @@ void
 clean_args(struct main_args *margs)
 {
 if (margs->glist) {
- xfree(margs->glist);
- margs->glist = NULL;
+ xfree(margs->glist);
+ margs->glist = NULL;
 }
 if (margs->ulist) {
- xfree(margs->ulist);
- margs->ulist = NULL;
+ xfree(margs->ulist);
+ margs->ulist = NULL;
 }
 if (margs->tlist) {
- xfree(margs->tlist);
- margs->tlist = NULL;
+ xfree(margs->tlist);
+ margs->tlist = NULL;
 }
 if (margs->nlist) {
- xfree(margs->nlist);
- margs->nlist = NULL;
+ xfree(margs->nlist);
+ margs->nlist = NULL;
 }
 if (margs->luser) {
- xfree(margs->luser);
- margs->luser = NULL;
+ xfree(margs->luser);
+ margs->luser = NULL;
 }
 if (margs->lpass) {
- xfree(margs->lpass);
- margs->lpass = NULL;
+ xfree(margs->lpass);
+ margs->lpass = NULL;
 }
 if (margs->lbind) {
- xfree(margs->lbind);
- margs->lbind = NULL;
+ xfree(margs->lbind);
+ margs->lbind = NULL;
 }
 if (margs->lurl) {
- xfree(margs->lurl);
- margs->lurl = NULL;
+ xfree(margs->lurl);
+ margs->lurl = NULL;
 }
 if (margs->ssl) {
- xfree(margs->ssl);
- margs->ssl = NULL;
+ xfree(margs->ssl);
+ margs->ssl = NULL;
 }
 if (margs->ddomain) {
- xfree(margs->ddomain);
- margs->ddomain = NULL;
+ xfree(margs->ddomain);
+ margs->ddomain = NULL;
 }
 if (margs->groups) {
- clean_gd(margs->groups);
- margs->groups = NULL;
+ clean_gd(margs->groups);
+ margs->groups = NULL;
 }
 if (margs->ndoms) {
- clean_nd(margs->ndoms);
- margs->ndoms = NULL;
+ clean_nd(margs->ndoms);
+ margs->ndoms = NULL;
 }
 }
@@ -199,179 +199,179 @@ main(int argc, char *const argv[]) init_args(&margs); while (-1 != (opt = getopt(argc, argv, "diasg:D:N:u:U:t:T:p:l:b:m:h"))) { - switch (opt) { - case 'd': - debug_enabled = 1; - break; - case 'i': - log_enabled = 1; - break; - case 'a': - margs.rc_allow = 1; - break; - case 's': - margs.ssl = (char *) "yes"; - break; - case 'g': - margs.glist = xstrdup(optarg); - break; - case 'D': - margs.ddomain = xstrdup(optarg); - break; - case 'N': - margs.nlist = xstrdup(optarg); - break; - case 'u': - margs.luser = xstrdup(optarg); - break; - case 'U': - margs.ulist = xstrdup(optarg); - break; - case 't': - margs.ulist = xstrdup(optarg); - break; - case 'T': - margs.tlist = xstrdup(optarg); - break; - case 'p': - margs.lpass = xstrdup(optarg); - /* Hide Password */ - memset(optarg, 'X', strlen(optarg)); - break; - case 'l': - margs.lurl = xstrdup(optarg); - break; - case 'b': - margs.lbind = xstrdup(optarg); - break; - case 'm': - margs.mdepth = atoi(optarg); - break; - case 'h': - fprintf(stderr, "Usage: \n"); - fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n"); - fprintf(stderr, "-d full debug\n"); - fprintf(stderr, "-i informational messages\n"); - fprintf(stderr, "-g group list\n"); - fprintf(stderr, "-t group list (only group name hex UTF-8 format)\n"); - fprintf(stderr, "-T group list (all in hex UTF-8 format - except seperator @)\n"); - fprintf(stderr, "-D default domain\n"); - fprintf(stderr, "-N netbios to dns domain map\n"); - fprintf(stderr, "-u ldap user\n"); - fprintf(stderr, "-p ldap user password\n"); - fprintf(stderr, "-l ldap url\n"); - fprintf(stderr, "-b ldap bind path\n"); - fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n"); - fprintf(stderr, "-a allow SSL without cert verification\n"); - fprintf(stderr, "-m maximal depth for recursive searches\n"); - 
fprintf(stderr, "-h help\n"); - fprintf(stderr, "The ldap url, ldap user and ldap user password details are only used if the kerberised\n"); - fprintf(stderr, "access fails(e.g. unknown domain) or if the username does not contain a domain part\n"); - fprintf(stderr, "and no default domain is provided.\n"); - fprintf(stderr, "If the ldap url starts with ldaps:// it is either start_tls or simple SSL\n"); - fprintf(stderr, "The group list can be:\n"); - fprintf(stderr, "group - In this case group can be used for all keberised and non kerberised ldap servers\n"); - fprintf(stderr, "group@ - In this case group can be used for all keberised ldap servers\n"); - fprintf(stderr, "group@domain - In this case group can be used for ldap servers of domain domain\n"); - fprintf(stderr, "group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator\n"); - fprintf(stderr, "Group membership is determined with AD servers through the users memberof attribute which\n"); - fprintf(stderr, "is followed to the top (e.g. 
if the group is a member of a group)\n"); - fprintf(stderr, "Group membership is determined with non AD servers through the users memberuid (assuming\n"); - fprintf(stderr, "PosixGroup) or primary group membership (assuming PosixAccount)\n"); - clean_args(&margs); - exit(0); - default: - warn((char *) "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), PROGRAM, opt); - } + switch (opt) { + case 'd': + debug_enabled = 1; + break; + case 'i': + log_enabled = 1; + break; + case 'a': + margs.rc_allow = 1; + break; + case 's': + margs.ssl = (char *) "yes"; + break; + case 'g': + margs.glist = xstrdup(optarg); + break; + case 'D': + margs.ddomain = xstrdup(optarg); + break; + case 'N': + margs.nlist = xstrdup(optarg); + break; + case 'u': + margs.luser = xstrdup(optarg); + break; + case 'U': + margs.ulist = xstrdup(optarg); + break; + case 't': + margs.ulist = xstrdup(optarg); + break; + case 'T': + margs.tlist = xstrdup(optarg); + break; + case 'p': + margs.lpass = xstrdup(optarg); + /* Hide Password */ + memset(optarg, 'X', strlen(optarg)); + break; + case 'l': + margs.lurl = xstrdup(optarg); + break; + case 'b': + margs.lbind = xstrdup(optarg); + break; + case 'm': + margs.mdepth = atoi(optarg); + break; + case 'h': + fprintf(stderr, "Usage: \n"); + fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n"); + fprintf(stderr, "-d full debug\n"); + fprintf(stderr, "-i informational messages\n"); + fprintf(stderr, "-g group list\n"); + fprintf(stderr, "-t group list (only group name hex UTF-8 format)\n"); + fprintf(stderr, "-T group list (all in hex UTF-8 format - except seperator @)\n"); + fprintf(stderr, "-D default domain\n"); + fprintf(stderr, "-N netbios to dns domain map\n"); + fprintf(stderr, "-u ldap user\n"); + fprintf(stderr, "-p ldap user password\n"); + fprintf(stderr, "-l ldap url\n"); + fprintf(stderr, "-b ldap bind 
path\n"); + fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n"); + fprintf(stderr, "-a allow SSL without cert verification\n"); + fprintf(stderr, "-m maximal depth for recursive searches\n"); + fprintf(stderr, "-h help\n"); + fprintf(stderr, "The ldap url, ldap user and ldap user password details are only used if the kerberised\n"); + fprintf(stderr, "access fails(e.g. unknown domain) or if the username does not contain a domain part\n"); + fprintf(stderr, "and no default domain is provided.\n"); + fprintf(stderr, "If the ldap url starts with ldaps:// it is either start_tls or simple SSL\n"); + fprintf(stderr, "The group list can be:\n"); + fprintf(stderr, "group - In this case group can be used for all keberised and non kerberised ldap servers\n"); + fprintf(stderr, "group@ - In this case group can be used for all keberised ldap servers\n"); + fprintf(stderr, "group@domain - In this case group can be used for ldap servers of domain domain\n"); + fprintf(stderr, "group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator\n"); + fprintf(stderr, "Group membership is determined with AD servers through the users memberof attribute which\n"); + fprintf(stderr, "is followed to the top (e.g. if the group is a member of a group)\n"); + fprintf(stderr, "Group membership is determined with non AD servers through the users memberuid (assuming\n"); + fprintf(stderr, "PosixGroup) or primary group membership (assuming PosixAccount)\n"); + clean_args(&margs); + exit(0); + default: + warn((char *) "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), PROGRAM, opt); + } } debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, KERBEROS_LDAP_GROUP_VERSION); if (create_gd(&margs)) { - debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? 
margs.glist : "NULL"); - SEND_ERR(""); - clean_args(&margs); - exit(1); + debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL"); + SEND_ERR(""); + clean_args(&margs); + exit(1); } if (create_nd(&margs)) { - debug((char *) "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM, margs.nlist ? margs.nlist : "NULL"); - SEND_ERR(""); - clean_args(&margs); - exit(1); + debug((char *) "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM, margs.nlist ? margs.nlist : "NULL"); + SEND_ERR(""); + clean_args(&margs); + exit(1); } while (1) { - if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { - if (ferror(stdin)) { - debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin), - strerror(ferror(stdin))); + if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { + if (ferror(stdin)) { + debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin), + strerror(ferror(stdin))); - SEND_ERR(""); - clean_args(&margs); - exit(1); /* BIIG buffer */ - } - SEND_ERR(""); - clean_args(&margs); - exit(0); - } - c = (char *) memchr(buf, '\n', sizeof(buf) - 1); - if (c) { - *c = '\0'; - length = c - buf; - } else { - SEND_ERR(""); - debug((char *) "%s| %s: ERR\n", LogTime(), PROGRAM); - continue; - } + SEND_ERR(""); + clean_args(&margs); + exit(1); /* BIIG buffer */ + } + SEND_ERR(""); + clean_args(&margs); + exit(0); + } + c = (char *) memchr(buf, '\n', sizeof(buf) - 1); + if (c) { + *c = '\0'; + length = c - buf; + } else { + SEND_ERR(""); + debug((char *) "%s| %s: ERR\n", LogTime(), PROGRAM); + continue; + } - user = buf; - nuser = strchr(user, '\\'); - if (!nuser) - nuser8 = strstr(user, "%5C"); - if (!nuser && !nuser8) - nuser8 = strstr(user, "%5c"); - domain = strrchr(user, '@'); - if (nuser || nuser8) { - if (nuser) { - *nuser = '\0'; - nuser++; - } else { - *nuser8 = '\0'; - nuser = nuser8 + 3; - } - netbios = 
user; - if (debug_enabled) - debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); - else - log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); - domain = get_netbios_name(&margs, netbios); - user = nuser; - } else if (domain) { - strup(domain); - *domain = '\0'; - domain++; - } - if (!domain && margs.ddomain) { - domain = xstrdup(margs.ddomain); - if (debug_enabled) - debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); - else - log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); - } - if (debug_enabled) - debug((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL"); - else - log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL"); + user = buf; + nuser = strchr(user, '\\'); + if (!nuser) + nuser8 = strstr(user, "%5C"); + if (!nuser && !nuser8) + nuser8 = strstr(user, "%5c"); + domain = strrchr(user, '@'); + if (nuser || nuser8) { + if (nuser) { + *nuser = '\0'; + nuser++; + } else { + *nuser8 = '\0'; + nuser = nuser8 + 3; + } + netbios = user; + if (debug_enabled) + debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); + else + log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios); + domain = get_netbios_name(&margs, netbios); + user = nuser; + } else if (domain) { + strup(domain); + *domain = '\0'; + domain++; + } + if (!domain && margs.ddomain) { + domain = xstrdup(margs.ddomain); + if (debug_enabled) + debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); + else + log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain); + } + if (debug_enabled) + debug((char *) "%s| %s: INFO: Got 
User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL");
+ else
+ log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL");
- if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) {
- clean_args(&margs);
- exit(-1);
- }
- if (check_memberof(&margs, user, domain)) {
- SEND_OK("");
- debug((char *) "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM);
- } else {
- SEND_ERR("");
- debug((char *) "%s| %s: DEBUG: ERR\n", LogTime(), PROGRAM);
- }
+ if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) {
+ clean_args(&margs);
+ exit(-1);
+ }
+ if (check_memberof(&margs, user, domain)) {
+ SEND_OK("");
+ debug((char *) "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM);
+ } else {
+ SEND_ERR("");
+ debug((char *) "%s| %s: DEBUG: ERR\n", LogTime(), PROGRAM);
+ }
 }
@@ -381,8 +381,8 @@ void
 strup(char *s)
 {
 while (*s) {
- *s = toupper((unsigned char) *s);
- s++;
+ *s = toupper((unsigned char) *s);
+ s++;
 }
 }
@@ -396,10 +396,10 @@ main(int argc, char *const argv[])
 setbuf(stdin, NULL);
 char buf[6400];
 while (1) {
- if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
- }
- fprintf(stdout, "ERR\n");
- fprintf(stderr, "LDAP group authorisation not supported\n");
+ if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
+ }
+ fprintf(stdout, "ERR\n");
+ fprintf(stderr, "LDAP group authorisation not supported\n");
 }
 }
 #endif
diff --git a/helpers/external_acl/kerberos_ldap_group/support.h b/helpers/external_acl/kerberos_ldap_group/support.h
index 4ea3faccae..b6fd582ac6 100644
--- a/helpers/external_acl/kerberos_ldap_group/support.h
+++ b/helpers/external_acl/kerberos_ldap_group/support.h
@@ -133,11 +133,11 @@ SQUIDCEXTERN int log_enabled;
 #define error(X...) \
 fprintf(stderr, "%s(%d): pid=%ld :", __FILE__, __LINE__, (long)getpid() ); \
 fprintf(stderr,X); \
-
+
 #define warn(X...) \
 fprintf(stderr, "%s(%d): pid=%ld :", __FILE__, __LINE__, (long)getpid() ); \
 fprintf(stderr,X); \
-
+
 #else /* __GNUC__ */
 /* non-GCC compilers can't do the above macro define yet. */
diff --git a/helpers/external_acl/kerberos_ldap_group/support_group.cc b/helpers/external_acl/kerberos_ldap_group/support_group.cc
index 60b2509093..e0568824eb 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_group.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_group.cc
@@ -33,8 +33,7 @@ struct gdstruct *init_gd(void);
 struct gdstruct *
-init_gd(void)
-{
+init_gd(void) {
 struct gdstruct *gdsp;
 gdsp = (struct gdstruct *) xmalloc(sizeof(struct gdstruct));
 gdsp->group = NULL;
@@ -55,39 +54,39 @@ utf8dup(struct main_args *margs)
 src = margs->glist;
 if (!src)
- return NULL;
+ return NULL;
 for (n = 0; n < strlen(src); n++)
- if ((unsigned char) src[n] > 127)
- c++;
+ if ((unsigned char) src[n] > 127)
+ c++;
 if (c != 0) {
- p = (unsigned char *) xmalloc(strlen(src) + c);
- dup = p;
- for (n = 0; n < strlen(src); n++) {
- s = (unsigned char) src[n];
- if (s > 127 && s < 192) {
- *p = 194;
- p++;
- *p = s;
- } else if (s > 191 && s < 256) {
- *p = 195;
- p++;
- *p = s - 64;
- } else
- *p = s;
- p++;
- }
- *p = '\0';
- debug((char *) "%s| %s: INFO: Group %s as UTF-8: %s\n", LogTime(), PROGRAM, src, dup);
- return (char *) dup;
+ p = (unsigned char *) xmalloc(strlen(src) + c);
+ dup = p;
+ for (n = 0; n < strlen(src); n++) {
+ s = (unsigned char) src[n];
+ if (s > 127 && s < 192) {
+ *p = 194;
+ p++;
+ *p = s;
+ } else if (s > 191 && s < 256) {
+ *p = 195;
+ p++;
+ *p = s - 64;
+ } else
+ *p = s;
+ p++;
+ }
+ *p = '\0';
+ debug((char *) "%s| %s: INFO: Group %s as UTF-8: %s\n", LogTime(), PROGRAM, src, dup);
+ return (char *) dup;
 } else
- return xstrdup(src);
+ return xstrdup(src);
 }
 char *hex_utf_char(struct main_args *margs, int flag);
 /*
 * UTF8 = UTF1 / UTFMB
 * UTFMB = UTF2 / UTF3 / UTF4
- *
+ *
 * UTF0 = %x80-BF
 * UTF1 = %x00-7F
 * UTF2 = %xC2-DF UTF0
@@ -95,7 +94,7 @@ char *hex_utf_char(struct main_args *margs, int flag);
 * %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
 * UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
 * %xF4 %x80-8F 2(UTF0)
- *
+ *
 * http://www.utf8-chartable.de/unicode-utf8-table.pl
 */
@@ -109,19 +108,19 @@ hex_utf_char(struct main_args *margs, int flag)
 int iUTF2, iUTF3, iUTF4;
 if (flag) {
- up = margs->ulist;
+ up = margs->ulist;
 } else {
- up = margs->tlist;
+ up = margs->tlist;
 }
 if (!up)
- return NULL;
+ return NULL;
 upd = strrchr(up, '@');
 if (upd)
- a = upd - up;
+ a = upd - up;
 else
- a = strlen(up);
+ a = strlen(up);
 ul = (char *) xmalloc(strlen(up));
 n = 0;
@@ -131,169 +130,169 @@ hex_utf_char(struct main_args *margs, int flag) iUTF4 = 0; while (n < (int) strlen(up)) { - if (flag && n == a) - break; - if (up[n] == '@') { - ul[nl] = '@'; - nl++; - n++; - continue; - } - ival = up[n]; - if (ival > 64 && ival < 71) - ichar = (ival - 55) * 16; - else if (ival > 96 && ival < 103) - ichar = (ival - 87) * 16; - else if (ival > 47 && ival < 58) - ichar = (ival - 48) * 16; - else { - debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); - if (ul) - xfree(ul); - return NULL; - } + if (flag && n == a) + break; + if (up[n] == '@') { + ul[nl] = '@'; + nl++; + n++; + continue; + } + ival = up[n]; + if (ival > 64 && ival < 71) + ichar = (ival - 55) * 16; + else if (ival > 96 && ival < 103) + ichar = (ival - 87) * 16; + else if (ival > 47 && ival < 58) + ichar = (ival - 48) * 16; + else { + debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); + if (ul) + xfree(ul); + return NULL; + } - if (n == a - 1) { - debug((char *) "%s| %s: WARNING: Invalid Hex UTF-8 string %s\n", LogTime(), PROGRAM, up); - if (ul) - xfree(ul); - return NULL; - } - n++; - ival = up[n]; - if (ival > 64 && ival < 71) - ichar = ichar + ival - 55; - else if (ival > 96 && ival < 103) - ichar = ichar + ival - 87; - else if (ival > 47 && ival < 58) - ichar = ichar + ival - 48; - else { - debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); - if (ul) - xfree(ul); - return NULL; - } + if (n == a - 1) { + debug((char *) "%s| %s: WARNING: Invalid Hex UTF-8 string %s\n", LogTime(), PROGRAM, up); + if (ul) + xfree(ul); + return NULL; + } + n++; + ival = up[n]; + if (ival > 64 && ival < 71) + ichar = ichar + ival - 55; + else if (ival > 96 && ival < 103) + ichar = ichar + ival - 87; + else if (ival > 47 && ival < 58) + ichar = ichar + ival - 48; + else { + debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival); + if (ul) + xfree(ul); + return NULL; + } - 
if (iUTF2) { - if (iUTF2 == 0xC2 && ichar > 0x7F && ichar < 0xC0) { - iUTF2 = 0; - ul[nl - 1] = ichar; - } else if (iUTF2 == 0xC3 && ichar > 0x7F && ichar < 0xC0) { - iUTF2 = 0; - ul[nl - 1] = ichar + 64; - } else if (iUTF2 > 0xC3 && iUTF2 < 0xE0 && ichar > 0x7F && ichar < 0xC0) { - iUTF2 = 0; - ul[nl] = ichar; - nl++; - } else { - iUTF2 = 0; - ul[nl] = ichar; - ul[nl + 1] = '\0'; - debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); - return NULL; - } - } else if (iUTF3) { - if (iUTF3 == 0xE0 && ichar > 0x9F && ichar < 0xC0) { - iUTF3 = 1; - ul[nl] = ichar; - nl++; - } else if (iUTF3 > 0xE0 && iUTF3 < 0xED && ichar > 0x7F && ichar < 0xC0) { - iUTF3 = 2; - ul[nl] = ichar; - nl++; - } else if (iUTF3 == 0xED && ichar > 0x7F && ichar < 0xA0) { - iUTF3 = 3; - ul[nl] = ichar; - nl++; - } else if (iUTF3 > 0xED && iUTF3 < 0xF0 && ichar > 0x7F && ichar < 0xC0) { - iUTF3 = 4; - ul[nl] = ichar; - nl++; - } else if (iUTF3 > 0 && iUTF3 < 5 && ichar > 0x7F && ichar < 0xC0) { - iUTF3 = 0; - ul[nl] = ichar; - nl++; - } else { - iUTF3 = 0; - ul[nl] = ichar; - ul[nl + 1] = '\0'; - debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); - return NULL; - } - } else if (iUTF4) { - if (iUTF4 == 0xF0 && ichar > 0x8F && ichar < 0xC0) { - iUTF4 = 1; - ul[nl] = ichar; - nl++; - } else if (iUTF4 > 0xF0 && iUTF3 < 0xF4 && ichar > 0x7F && ichar < 0xC0) { - iUTF4 = 2; - ul[nl] = ichar; - nl++; - } else if (iUTF4 == 0xF4 && ichar > 0x7F && ichar < 0x90) { - iUTF4 = 3; - ul[nl] = ichar; - nl++; - } else if (iUTF4 > 0 && iUTF4 < 5 && ichar > 0x7F && ichar < 0xC0) { - if (iUTF4 == 4) - iUTF4 = 0; - else - iUTF4 = 4; - ul[nl] = ichar; - nl++; - } else { - iUTF4 = 0; - ul[nl] = ichar; - ul[nl + 1] = '\0'; - debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); - return NULL; - } - } else if 
(ichar < 0x80) { - /* UTF1 */ - ul[nl] = ichar; - nl++; - } else if (ichar > 0xC1 && ichar < 0xE0) { - /* UTF2 (Latin) */ - iUTF2 = ichar; - ul[nl] = ichar; - nl++; - } else if (ichar > 0xDF && ichar < 0xF0) { - /* UTF3 */ - iUTF3 = ichar; - ul[nl] = ichar; - nl++; - } else if (ichar > 0xEF && ichar < 0xF5) { - /* UTF4 */ - iUTF4 = ichar; - ul[nl] = ichar; - nl++; - } else { - ul[nl] = ichar; - ul[nl + 1] = '\0'; - debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); - return NULL; - } - n++; + if (iUTF2) { + if (iUTF2 == 0xC2 && ichar > 0x7F && ichar < 0xC0) { + iUTF2 = 0; + ul[nl - 1] = ichar; + } else if (iUTF2 == 0xC3 && ichar > 0x7F && ichar < 0xC0) { + iUTF2 = 0; + ul[nl - 1] = ichar + 64; + } else if (iUTF2 > 0xC3 && iUTF2 < 0xE0 && ichar > 0x7F && ichar < 0xC0) { + iUTF2 = 0; + ul[nl] = ichar; + nl++; + } else { + iUTF2 = 0; + ul[nl] = ichar; + ul[nl + 1] = '\0'; + debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + } else if (iUTF3) { + if (iUTF3 == 0xE0 && ichar > 0x9F && ichar < 0xC0) { + iUTF3 = 1; + ul[nl] = ichar; + nl++; + } else if (iUTF3 > 0xE0 && iUTF3 < 0xED && ichar > 0x7F && ichar < 0xC0) { + iUTF3 = 2; + ul[nl] = ichar; + nl++; + } else if (iUTF3 == 0xED && ichar > 0x7F && ichar < 0xA0) { + iUTF3 = 3; + ul[nl] = ichar; + nl++; + } else if (iUTF3 > 0xED && iUTF3 < 0xF0 && ichar > 0x7F && ichar < 0xC0) { + iUTF3 = 4; + ul[nl] = ichar; + nl++; + } else if (iUTF3 > 0 && iUTF3 < 5 && ichar > 0x7F && ichar < 0xC0) { + iUTF3 = 0; + ul[nl] = ichar; + nl++; + } else { + iUTF3 = 0; + ul[nl] = ichar; + ul[nl + 1] = '\0'; + debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + } else if (iUTF4) { + if (iUTF4 == 0xF0 && ichar > 0x8F && ichar < 0xC0) { + iUTF4 = 1; + ul[nl] = ichar; + nl++; + } else if (iUTF4 
> 0xF0 && iUTF3 < 0xF4 && ichar > 0x7F && ichar < 0xC0) { + iUTF4 = 2; + ul[nl] = ichar; + nl++; + } else if (iUTF4 == 0xF4 && ichar > 0x7F && ichar < 0x90) { + iUTF4 = 3; + ul[nl] = ichar; + nl++; + } else if (iUTF4 > 0 && iUTF4 < 5 && ichar > 0x7F && ichar < 0xC0) { + if (iUTF4 == 4) + iUTF4 = 0; + else + iUTF4 = 4; + ul[nl] = ichar; + nl++; + } else { + iUTF4 = 0; + ul[nl] = ichar; + ul[nl + 1] = '\0'; + debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + } else if (ichar < 0x80) { + /* UTF1 */ + ul[nl] = ichar; + nl++; + } else if (ichar > 0xC1 && ichar < 0xE0) { + /* UTF2 (Latin) */ + iUTF2 = ichar; + ul[nl] = ichar; + nl++; + } else if (ichar > 0xDF && ichar < 0xF0) { + /* UTF3 */ + iUTF3 = ichar; + ul[nl] = ichar; + nl++; + } else if (ichar > 0xEF && ichar < 0xF5) { + /* UTF4 */ + iUTF4 = ichar; + ul[nl] = ichar; + nl++; + } else { + ul[nl] = ichar; + ul[nl + 1] = '\0'; + debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; + } + n++; } ul[nl] = '\0'; if (iUTF2 || iUTF3 || iUTF4) { - debug((char *) "%s| %s: INFO: iUTF2: %d iUTF3: %d iUTF4: %d\n", LogTime(), PROGRAM, iUTF2, iUTF3, iUTF4); - debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); - if (ul) - xfree(ul); - return NULL; + debug((char *) "%s| %s: INFO: iUTF2: %d iUTF3: %d iUTF4: %d\n", LogTime(), PROGRAM, iUTF2, iUTF3, iUTF4); + debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul); + if (ul) + xfree(ul); + return NULL; } if (flag && upd) - ul = strcat(ul, upd); + ul = strcat(ul, upd); return ul; } 
@@ -310,13 +309,13 @@ create_gd(struct main_args *margs)
 *
 * glist=Pattern1[:Pattern2]
 *
- * Pattern=Group Group for all domains(including non Kerberos domains using ldap url options) if no
- * other group definition for domain exists or users without
+ * Pattern=Group Group for all domains(including non Kerberos domains using ldap url options) if no
+ * other group definition for domain exists or users without
 * domain information.
 * gdstruct.domain=NULL, gdstruct.group=Group
- *
+ *
 * or Pattern=Group@ Group for all Kerberos domains if no other group definition
- * exists
+ * exists
 * gdstruct.domain="", gdstruct.group=Group
 *
 * or Pattern=Group@Domain Group for a specific Kerberos domain
@@ -329,99 +328,99 @@ create_gd(struct main_args *margs) up = utf8dup(margs); p = up; if (hp1) { - if (hp2) { - if (up) { - p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2); - strcpy(p, up); - strcat(p, ":"); - strcat(p, hp1); - strcat(p, ":"); - strcat(p, hp2); - } else { - p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1); - strcpy(p, hp1); - strcat(p, ":"); - strcat(p, hp2); - } - } else { - if (up) { - p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1); - strcpy(p, up); - strcat(p, ":"); - strcat(p, hp1); - } else - p = hp1; - } + if (hp2) { + if (up) { + p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2); + strcpy(p, up); + strcat(p, ":"); + strcat(p, hp1); + strcat(p, ":"); + strcat(p, hp2); + } else { + p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1); + strcpy(p, hp1); + strcat(p, ":"); + strcat(p, hp2); + } + } else { + if (up) { + p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1); + strcpy(p, up); + strcat(p, ":"); + strcat(p, hp1); + } else + p = hp1; + } } else { - if (hp2) { - if (up) { - p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1); - strcpy(p, up); - strcat(p, ":"); - strcat(p, hp2); - } else - p = hp2; - } else - p = up; + if (hp2) { + if (up) { + p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1); + strcpy(p, up); + strcat(p, ":"); + strcat(p, hp2); + } else + p = hp2; + } else + p = up; } gp = p; debug((char *) "%s| %s: INFO: Group list %s\n", LogTime(), PROGRAM, p ? 
p : "NULL"); dp = NULL; if (!p) { - debug((char *) "%s| %s: ERROR: No groups defined.\n", LogTime(), PROGRAM); - return (1); + debug((char *) "%s| %s: ERROR: No groups defined.\n", LogTime(), PROGRAM); + return (1); } while (*p) { /* loop over group list */ - if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */ - p++; - continue; - } - if (*p == '@') { /* end of group name - start of domain name */ - if (p == gp) { /* empty group name not allowed */ - debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); - return (1); - } - *p = '\0'; - p++; - gdsp = init_gd(); - gdsp->group = gp; - if (gdspn) /* Have already an existing structure */ - gdsp->next = gdspn; - dp = p; /* after @ starts new domain name */ - } else if (*p == ':') { /* end of group name or end of domain name */ - if (p == gp) { /* empty group name not allowed */ - debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); - return (1); - } - *p = '\0'; - p++; - if (dp) { /* end of domain name */ - gdsp->domain = xstrdup(dp); - dp = NULL; - } else { /* end of group name and no domain name */ - gdsp = init_gd(); - gdsp->group = gp; - if (gdspn) /* Have already an existing structure */ - gdsp->next = gdspn; - } - gdspn = gdsp; - gp = p; /* after : starts new group name */ - debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? 
gdsp->domain : "NULL"); - } else - p++; + if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */ + p++; + continue; + } + if (*p == '@') { /* end of group name - start of domain name */ + if (p == gp) { /* empty group name not allowed */ + debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + gdsp = init_gd(); + gdsp->group = gp; + if (gdspn) /* Have already an existing structure */ + gdsp->next = gdspn; + dp = p; /* after @ starts new domain name */ + } else if (*p == ':') { /* end of group name or end of domain name */ + if (p == gp) { /* empty group name not allowed */ + debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + if (dp) { /* end of domain name */ + gdsp->domain = xstrdup(dp); + dp = NULL; + } else { /* end of group name and no domain name */ + gdsp = init_gd(); + gdsp->group = gp; + if (gdspn) /* Have already an existing structure */ + gdsp->next = gdspn; + } + gdspn = gdsp; + gp = p; /* after : starts new group name */ + debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? 
gdsp->domain : "NULL");
+ } else
+ p++;
 }
 if (p == gp) { /* empty group name not allowed */
- debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
+ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
 }
 if (dp) { /* end of domain name */
- gdsp->domain = xstrdup(dp);
+ gdsp->domain = xstrdup(dp);
 } else { /* end of group name and no domain name */
- gdsp = init_gd();
- gdsp->group = gp;
- if (gdspn) /* Have already an existing structure */
- gdsp->next = gdspn;
+ gdsp = init_gd();
+ gdsp->group = gp;
+ if (gdspn) /* Have already an existing structure */
+ gdsp->next = gdspn;
 }
 debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL");
diff --git a/helpers/external_acl/kerberos_ldap_group/support_krb5.cc b/helpers/external_acl/kerberos_ldap_group/support_krb5.cc
index 1091c474f5..51865bb527 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_krb5.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_krb5.cc
@@ -41,9 +41,9 @@ void
 krb5_cleanup()
 {
 if (kparam.context) {
- if (kparam.cc)
- krb5_cc_destroy(kparam.context, kparam.cc);
- krb5_free_context(kparam.context);
+ if (kparam.cc)
+ krb5_cc_destroy(kparam.context, kparam.cc);
+ krb5_free_context(kparam.context);
 }
 }
 /*
@@ -72,7 +72,7 @@ krb5_create_cache(struct main_args *margs, char *domain)
 kparam.context = NULL;
 if (!domain || !strcmp(domain, ""))
- return (1);
+ return (1);
 /*
 * Initialise Kerberos
@@ -80,9 +80,9 @@ krb5_create_cache(struct main_args *margs, char *domain) code = krb5_init_context(&kparam.context); if (code) { - error((char *) "%s| %s: ERROR: Error while initialising Kerberos library : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; + error((char *) "%s| %s: ERROR: Error while initialising Kerberos library : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; } /* * getting default keytab name 
@@ -92,72 +92,72 @@ krb5_create_cache(struct main_args *margs, char *domain) krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX); p = strchr(buf, ':'); /* Find the end if "FILE:" */ if (p) - p++; /* step past : */ + p++; /* step past : */ keytab_name = xstrdup(p ? p : buf); debug((char *) "%s| %s: DEBUG: Got default keytab file name %s\n", LogTime(), PROGRAM, keytab_name); code = krb5_kt_resolve(kparam.context, keytab_name, &keytab); if (code) { - error((char *) "%s| %s: ERROR: Error while resolving keytab %s : %s\n", LogTime(), PROGRAM, keytab_name, error_message(code)); - retval = 1; - goto cleanup; + error((char *) "%s| %s: ERROR: Error while resolving keytab %s : %s\n", LogTime(), PROGRAM, keytab_name, error_message(code)); + retval = 1; + goto cleanup; } code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor); if (code) { - error((char *) "%s| %s: ERROR: Error while starting keytab scan : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; + error((char *) "%s| %s: ERROR: Error while starting keytab scan : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; } debug((char *) "%s| %s: DEBUG: Get principal name from keytab %s\n", LogTime(), PROGRAM, keytab_name); nprinc = 0; while ((code = krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor)) == 0) { - principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1)); - krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]); + principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1)); + krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]); #ifdef HAVE_HEIMDAL_KERBEROS - debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm); + debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm); #else - debug((char *) "%s| 
%s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data); + debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data); #endif #ifdef HAVE_HEIMDAL_KERBEROS - if (!strcasecmp(domain, entry.principal->realm)) + if (!strcasecmp(domain, entry.principal->realm)) #else - if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data)) + if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data)) #endif - { - code = krb5_unparse_name(kparam.context, entry.principal, &principal_name); - if (code) { - error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code)); - } else { - debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); - found = 1; - } - } + { + code = krb5_unparse_name(kparam.context, entry.principal, &principal_name); + if (code) { + error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code)); + } else { + debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name); + found = 1; + } + } #if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1) - code = krb5_kt_free_entry(kparam.context, &entry); + code = krb5_kt_free_entry(kparam.context, &entry); #else - code = krb5_free_keytab_entry_contents(kparam.context, &entry); + code = krb5_free_keytab_entry_contents(kparam.context, &entry); #endif - if (code) { - error((char *) "%s| %s: ERROR: Error while freeing keytab entry : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - break; - } - if (found) - break; + if (code) { + error((char *) "%s| %s: ERROR: Error while freeing keytab entry : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + break; + } + if (found) + 
break; } if (code && code != KRB5_KT_END) { - error((char *) "%s| %s: ERROR: Error while scanning keytab : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; + error((char *) "%s| %s: ERROR: Error while scanning keytab : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; } code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor); if (code) { - error((char *) "%s| %s: ERROR: Error while ending keytab scan : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; + error((char *) "%s| %s: ERROR: Error while ending keytab scan : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; } /* * prepare memory credential cache 
@@ -174,164 +174,164 @@ krb5_create_cache(struct main_args *margs, char *domain) debug((char *) "%s| %s: DEBUG: Set credential cache to %s\n", LogTime(), PROGRAM, mem_cache); code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc); if (code) { - error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; + error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; } /* * if no principal name found in keytab for domain use the prinipal name which can get a TGT */ if (!principal_name) { - debug((char *) "%s| %s: DEBUG: Did not find a principal in keytab for domain %s.\n", LogTime(), PROGRAM, domain); - debug((char *) "%s| %s: DEBUG: Try to get principal of trusted domain.\n", LogTime(), PROGRAM); - creds = (krb5_creds *) xmalloc(sizeof(*creds)); - memset(creds, 0, sizeof(*creds)); + debug((char *) "%s| %s: DEBUG: Did not find a principal in keytab for domain %s.\n", LogTime(), PROGRAM, domain); + debug((char *) "%s| %s: DEBUG: Try to get principal of trusted domain.\n", LogTime(), PROGRAM); + creds = (krb5_creds *) xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); - for (i = 0; i < nprinc; i++) { - /* - * get credentials - */ - code = krb5_unparse_name(kparam.context, principal_list[i], &principal_name); - if (code) { - debug((char *) "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code)); - goto loop_end; - } - debug((char *) "%s| %s: DEBUG: Keytab entry has principal: %s\n", LogTime(), PROGRAM, principal_name); + for (i = 0; i < nprinc; i++) { + /* + * get credentials + */ + code = krb5_unparse_name(kparam.context, principal_list[i], &principal_name); + if (code) { + debug((char *) "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + debug((char *) "%s| 
%s: DEBUG: Keytab entry has principal: %s\n", LogTime(), PROGRAM, principal_name); #if HAVE_GET_INIT_CREDS_KEYTAB - code = krb5_get_init_creds_keytab(kparam.context, creds, principal_list[i], keytab, 0, NULL, NULL); + code = krb5_get_init_creds_keytab(kparam.context, creds, principal_list[i], keytab, 0, NULL, NULL); #else - service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3); - snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain); - creds->client = principal_list[i]; - code = krb5_parse_name(kparam.context, service, &creds->server); - if (service) - xfree(service); - code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0); + service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3); + snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain); + creds->client = principal_list[i]; + code = krb5_parse_name(kparam.context, service, &creds->server); + if (service) + xfree(service); + code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0); #endif - if (code) { - debug((char *) "%s| %s: DEBUG: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code)); - goto loop_end; - } - code = krb5_cc_initialize(kparam.context, kparam.cc, principal_list[i]); - if (code) { - error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code)); - goto loop_end; - } - code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); - if (code) { - debug((char *) "%s| %s: DEBUG: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code)); - goto loop_end; - } - if (creds->server) - krb5_free_principal(kparam.context, creds->server); + if (code) { + debug((char *) "%s| %s: DEBUG: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } 
+ code = krb5_cc_initialize(kparam.context, kparam.cc, principal_list[i]); + if (code) { + error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) { + debug((char *) "%s| %s: DEBUG: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + if (creds->server) + krb5_free_principal(kparam.context, creds->server); #ifdef HAVE_HEIMDAL_KERBEROS - service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3); - snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm); + service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3); + snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm); #else - service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3); - snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3, "krbtgt/%s@%s", domain, krb5_princ_realm(kparam.context, principal_list[i])->data); + service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3); + snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3, "krbtgt/%s@%s", domain, krb5_princ_realm(kparam.context, principal_list[i])->data); #endif - code = krb5_parse_name(kparam.context, service, &creds->server); - if (service) - xfree(service); - if (code) { - error((char *) "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code)); - 
goto loop_end; - } - code = krb5_get_credentials(kparam.context, 0, kparam.cc, creds, &tgt_creds); - if (code) { - debug((char *) "%s| %s: DEBUG: Error while getting tgt : %s\n", LogTime(), PROGRAM, error_message(code)); - goto loop_end; - } else { - debug((char *) "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name); - found = 1; - break; - } + code = krb5_parse_name(kparam.context, service, &creds->server); + if (service) + xfree(service); + if (code) { + error((char *) "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } + code = krb5_get_credentials(kparam.context, 0, kparam.cc, creds, &tgt_creds); + if (code) { + debug((char *) "%s| %s: DEBUG: Error while getting tgt : %s\n", LogTime(), PROGRAM, error_message(code)); + goto loop_end; + } else { + debug((char *) "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name); + found = 1; + break; + } - loop_end: - if (principal_name) - xfree(principal_name); - principal_name = NULL; - } +loop_end: + if (principal_name) + xfree(principal_name); + principal_name = NULL; + } - if (tgt_creds) - krb5_free_creds(kparam.context, tgt_creds); - tgt_creds = NULL; - if (creds) - krb5_free_creds(kparam.context, creds); - creds = NULL; + if (tgt_creds) + krb5_free_creds(kparam.context, tgt_creds); + tgt_creds = NULL; + if (creds) + krb5_free_creds(kparam.context, creds); + creds = NULL; } if (principal_name) { - debug((char *) "%s| %s: DEBUG: Got principal name %s\n", LogTime(), PROGRAM, principal_name); - /* - * build principal - */ - code = krb5_parse_name(kparam.context, principal_name, &principal); - if (code) { - error((char *) "%s| %s: ERROR: Error while parsing name %s : %s\n", LogTime(), PROGRAM, principal_name, error_message(code)); - retval = 1; - goto cleanup; - } - creds = (krb5_creds *) xmalloc(sizeof(*creds)); - memset(creds, 0, sizeof(*creds)); + debug((char *) "%s| %s: 
DEBUG: Got principal name %s\n", LogTime(), PROGRAM, principal_name); + /* + * build principal + */ + code = krb5_parse_name(kparam.context, principal_name, &principal); + if (code) { + error((char *) "%s| %s: ERROR: Error while parsing name %s : %s\n", LogTime(), PROGRAM, principal_name, error_message(code)); + retval = 1; + goto cleanup; + } + creds = (krb5_creds *) xmalloc(sizeof(*creds)); + memset(creds, 0, sizeof(*creds)); - /* - * get credentials - */ + /* + * get credentials + */ #if HAVE_GET_INIT_CREDS_KEYTAB - code = krb5_get_init_creds_keytab(kparam.context, creds, principal, keytab, 0, NULL, NULL); + code = krb5_get_init_creds_keytab(kparam.context, creds, principal, keytab, 0, NULL, NULL); #else - service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3); - snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain); - creds->client = principal; - code = krb5_parse_name(kparam.context, service, &creds->server); - if (service) - xfree(service); - code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0); + service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3); + snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain); + creds->client = principal; + code = krb5_parse_name(kparam.context, service, &creds->server); + if (service) + xfree(service); + code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0); #endif - if (code) { - error((char *) "%s| %s: ERROR: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; - } - code = krb5_cc_initialize(kparam.context, kparam.cc, principal); - if (code) { - error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; - } - code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); 
- if (code) { - error((char *) "%s| %s: ERROR: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code)); - retval = 1; - goto cleanup; - } - debug((char *) "%s| %s: DEBUG: Stored credentials\n", LogTime(), PROGRAM); + if (code) { + error((char *) "%s| %s: ERROR: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + code = krb5_cc_initialize(kparam.context, kparam.cc, principal); + if (code) { + error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + code = krb5_cc_store_cred(kparam.context, kparam.cc, creds); + if (code) { + error((char *) "%s| %s: ERROR: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code)); + retval = 1; + goto cleanup; + } + debug((char *) "%s| %s: DEBUG: Stored credentials\n", LogTime(), PROGRAM); } else { - debug((char *) "%s| %s: DEBUG: Got no principal name\n", LogTime(), PROGRAM); - retval = 1; + debug((char *) "%s| %s: DEBUG: Got no principal name\n", LogTime(), PROGRAM); + retval = 1; } - cleanup: +cleanup: if (keytab) - krb5_kt_close(kparam.context, keytab); + krb5_kt_close(kparam.context, keytab); if (keytab_name) - xfree(keytab_name); + xfree(keytab_name); if (principal_name) - xfree(principal_name); + xfree(principal_name); if (mem_cache) - xfree(mem_cache); + xfree(mem_cache); if (principal) - krb5_free_principal(kparam.context, principal); + krb5_free_principal(kparam.context, principal); for (i = 0; i < nprinc; i++) { - if (principal_list[i]) - krb5_free_principal(kparam.context, principal_list[i]); + if (principal_list[i]) + krb5_free_principal(kparam.context, principal_list[i]); } if (principal_list) - xfree(principal_list); + xfree(principal_list); if (creds) - krb5_free_creds(kparam.context, creds); + krb5_free_creds(kparam.context, creds); return (retval); } 
diff --git a/helpers/external_acl/kerberos_ldap_group/support_ldap.cc b/helpers/external_acl/kerberos_ldap_group/support_ldap.cc index 1f882ca544..f2a5fefbf4 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_ldap.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_ldap.cc @@ -225,26 +225,26 @@ convert_domain_to_bind_path(char *domain) int i = 0; if (!domain) - return NULL; + return NULL; for (dp = domain; *dp; dp++) { - if (*dp == '.') - i++; + if (*dp == '.') + i++; } - /* - * add dc= and - * replace . with ,dc= => new length = old length + #dots * 3 + 3 + /* + * add dc= and + * replace . with ,dc= => new length = old length + #dots * 3 + 3 */ bindp = (char *) xmalloc(strlen(domain) + 3 + i * 3 + 1); bp = bindp; strcpy(bp, "dc="); bp += 3; for (dp = domain; *dp; dp++) { - if (*dp == '.') { - strcpy(bp, ",dc="); - bp += 4; - } else - *bp++ = *dp; + if (*dp == '.') { + strcpy(bp, ",dc="); + bp += 4; + } else + *bp++ = *dp; } *bp = '\0'; return bindp; 
@@ -258,32 +258,32 @@ escape_filter(char *filter) i = 0; for (ldap_filter_esc = filter; *ldap_filter_esc; ldap_filter_esc++) { - if ((*ldap_filter_esc == '*') || - (*ldap_filter_esc == '(') || - (*ldap_filter_esc == ')') || - (*ldap_filter_esc == '\\')) - i = i + 3; + if ((*ldap_filter_esc == '*') || + (*ldap_filter_esc == '(') || + (*ldap_filter_esc == ')') || + (*ldap_filter_esc == '\\')) + i = i + 3; } ldap_filter_esc = (char *) xcalloc(strlen(filter) + i + 1, sizeof(char)); ldf = ldap_filter_esc; for (; *filter; filter++) { - if (*filter == '*') { - strcpy(ldf, "\\2a"); - ldf = ldf + 3; - } else if (*filter == '(') { - strcpy(ldf, "\\28"); - ldf = ldf + 3; - } else if (*filter == ')') { - strcpy(ldf, "\\29"); - ldf = ldf + 3; - } else if (*filter == '\\') { - strcpy(ldf, "\\5c"); - ldf = ldf + 3; - } else { - *ldf = *filter; - ldf++; - } + if (*filter == '*') { + strcpy(ldf, "\\2a"); + ldf = ldf + 3; + } else if (*filter == '(') { + strcpy(ldf, "\\28"); + ldf = ldf + 3; + } else if (*filter == ')') { + strcpy(ldf, "\\29"); + ldf = ldf + 3; + } else if (*filter == '\\') { + strcpy(ldf, "\\5c"); + ldf = ldf + 3; + } else { + *ldf = *filter; + ldf++; + } } *ldf = '\0'; 
@@ -308,31 +308,31 @@ check_AD(struct main_args *margs, LDAP * ld) debug((char *) "%s| %s: DEBUG: Search ldap server with bind path \"\" and filter: %s\n", LogTime(), PROGRAM, FILTER_SCHEMA); rc = ldap_search_ext_s(ld, (char *) "", LDAP_SCOPE_BASE, (char *) FILTER_SCHEMA, NULL, 0, - NULL, NULL, &searchtime, 0, &res); + NULL, NULL, &searchtime, 0, &res); if (rc == LDAP_SUCCESS) - max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value); + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value); if (max_attr == 1) { - ldap_msgfree(res); - debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, attr_value[0], FILTER_SAM); - rc = ldap_search_ext_s(ld, attr_value[0], LDAP_SCOPE_SUBTREE, (char *) FILTER_SAM, NULL, 0, - NULL, NULL, &searchtime, 0, &res); - debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); - if (ldap_count_entries(ld, res) > 0) - margs->AD = 1; + ldap_msgfree(res); + debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, attr_value[0], FILTER_SAM); + rc = ldap_search_ext_s(ld, attr_value[0], LDAP_SCOPE_SUBTREE, (char *) FILTER_SAM, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); + if (ldap_count_entries(ld, res) > 0) + margs->AD = 1; } else - debug((char *) "%s| %s: DEBUG: Did not find ldap entry for subschemasubentry\n", LogTime(), PROGRAM); + debug((char *) "%s| %s: DEBUG: Did not find ldap entry for subschemasubentry\n", LogTime(), PROGRAM); debug((char *) "%s| %s: DEBUG: Determined ldap server %sas an Active Directory server\n", LogTime(), PROGRAM, margs->AD ? 
"" : "not "); /* * Cleanup */ if (attr_value) { - for (j = 0; j < max_attr; j++) { - xfree(attr_value[j]); - } - xfree(attr_value); - attr_value = NULL; + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; } ldap_msgfree(res); return rc; @@ -358,9 +358,9 @@ search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_gr searchtime.tv_usec = 0; if (margs->AD) - filter = (char *) FILTER_GROUP_AD; + filter = (char *) FILTER_GROUP_AD; else - filter = (char *) FILTER_GROUP; + filter = (char *) FILTER_GROUP; ldap_filter_esc = escape_filter(ldap_group); 
@@ -368,30 +368,30 @@ search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_gr snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); if (ldap_filter_esc) - xfree(ldap_filter_esc); + xfree(ldap_filter_esc); if (depth > margs->mdepth) { - debug((char *) "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth); - return 0; + debug((char *) "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth); + return 0; } debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp); rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, - search_exp, NULL, 0, - NULL, NULL, &searchtime, 0, &res); + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); if (search_exp) - xfree(search_exp); + xfree(search_exp); if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind_s(ld); - return 0; + error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind_s(ld); + return 0; } debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y"); if (margs->AD) - max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value); + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value); else - max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value); + max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value); /* * Compare group names 
@@ -400,57 +400,57 @@ search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_gr ldepth = depth + 1; for (j = 0; j < max_attr; j++) { - /* Compare first CN= value assuming it is the same as the group name itself */ - av = attr_value[j]; - if (!strncasecmp("CN=", av, 3)) { - av += 3; - if ((avp = strchr(av, ','))) { - *avp = '\0'; - } - } - if (debug_enabled) { - int n; - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av); - for (n = 0; av[n] != '\0'; n++) - fprintf(stderr, "%02x", (unsigned char) av[n]); - fprintf(stderr, "\n"); - } - if (!strcasecmp(group, av)) { - retval = 1; - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); - break; - } else - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); - /* - * Do recursive group search - */ - debug((char *) "%s| %s: DEBUG: Perform recursive group search for group \"%s\"\n", LogTime(), PROGRAM, av); - av = attr_value[j]; - if (search_group_tree(margs, ld, bindp, av, group, ldepth)) { - retval = 1; - if (!strncasecmp("CN=", av, 3)) { - av += 3; - if ((avp = strchr(av, ','))) { - *avp = '\0'; - } - } - if (debug_enabled) - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); - else - break; - - } + /* Compare first CN= value assuming it is the same as the group name itself */ + av = attr_value[j]; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (debug_enabled) { + int n; + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av); + for (n = 0; av[n] != '\0'; n++) + fprintf(stderr, "%02x", (unsigned char) av[n]); + fprintf(stderr, "\n"); + } + if (!strcasecmp(group, av)) { + retval = 1; + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name 
\"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + break; + } else + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + /* + * Do recursive group search + */ + debug((char *) "%s| %s: DEBUG: Perform recursive group search for group \"%s\"\n", LogTime(), PROGRAM, av); + av = attr_value[j]; + if (search_group_tree(margs, ld, bindp, av, group, ldepth)) { + retval = 1; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (debug_enabled) + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + else + break; + + } } /* * Cleanup */ if (attr_value) { - for (j = 0; j < max_attr; j++) { - xfree(attr_value[j]); - } - xfree(attr_value); - attr_value = NULL; + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; } ldap_msgfree(res); 
@@ -467,21 +467,21 @@ ldap_set_defaults(struct main_args *margs, LDAP * ld) val = LDAP_VERSION3; rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val); if (rc != LDAP_SUCCESS) { - debug((char *) "%s| %s: DEBUG: Error while setting protocol version: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - return rc; + debug((char *) "%s| %s: DEBUG: Error while setting protocol version: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; } rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); if (rc != LDAP_SUCCESS) { - debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - return rc; + debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; } #ifdef LDAP_OPT_NETWORK_TIMEOUT tv.tv_sec = CONNECT_TIMEOUT; tv.tv_usec = 0; rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); if (rc != LDAP_SUCCESS) { - debug((char *) "%s| %s: DEBUG: Error while setting network timeout: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - return rc; + debug((char *) "%s| %s: DEBUG: Error while setting network timeout: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; } #endif /* LDAP_OPT_NETWORK_TIMEOUT */ return LDAP_SUCCESS; 
@@ -503,64 +503,64 @@ ldap_set_ssl_defaults(struct main_args *margs) #ifdef HAVE_OPENLDAP if (!margs->rc_allow) { - debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM); - val = LDAP_OPT_X_TLS_DEMAND; - rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT DEMAND for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - return rc; - } - ssl_cacertfile = getenv("TLS_CACERTFILE"); - free_path = 0; - if (!ssl_cacertfile) { - ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem"); - free_path = 1; - } - debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile); - rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile); - if (ssl_cacertfile && free_path) { - xfree(ssl_cacertfile); - ssl_cacertfile = NULL; - } - if (rc != LDAP_OPT_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - return rc; - } + debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM); + val = LDAP_OPT_X_TLS_DEMAND; + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT DEMAND for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } + ssl_cacertfile = getenv("TLS_CACERTFILE"); + free_path = 0; + if (!ssl_cacertfile) { + ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem"); + free_path = 1; + } + debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile); + rc = ldap_set_option(NULL, 
LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile); + if (ssl_cacertfile && free_path) { + xfree(ssl_cacertfile); + ssl_cacertfile = NULL; + } + if (rc != LDAP_OPT_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } } else { - debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM); - val = LDAP_OPT_X_TLS_ALLOW; - rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT ALLOW for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - return rc; - } + debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM); + val = LDAP_OPT_X_TLS_ALLOW; + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT ALLOW for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + return rc; + } } #elif defined(HAVE_LDAPSSL_CLIENT_INIT) - /* + /* * Solaris SSL ldap calls require path to certificate database */ -/* - * rc = ldapssl_client_init( ssl_certdbpath, NULL ); - * rc = ldapssl_advclientauth_init( ssl_certdbpath, NULL , 0 , NULL, NULL, 0, NULL, 2); - */ + /* + * rc = ldapssl_client_init( ssl_certdbpath, NULL ); + * rc = ldapssl_advclientauth_init( ssl_certdbpath, NULL , 0 , NULL, NULL, 0, NULL, 2); + */ ssl_certdbpath = getenv("SSL_CERTDBPATH"); if (!ssl_certdbpath) { - ssl_certdbpath = xstrdup("/etc/certs"); + ssl_certdbpath = xstrdup("/etc/certs"); } debug((char *) "%s| %s: DEBUG: Set certificate database path for ldap server to %s.(Changeable through setting environment variable SSL_CERTDBPATH)\n", LogTime(), PROGRAM, ssl_certdbpath); if (!margs->rc_allow) { - rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 
0, NULL, 2); + rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 2); } else { - rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0); - debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM); + rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0); + debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM); } if (ssl_certdbpath) { - xfree(ssl_certdbpath); - ssl_certdbpath = NULL; + xfree(ssl_certdbpath); + ssl_certdbpath = NULL; } if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); - return rc; + error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); + return rc; } #else error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM); 
@@ -583,47 +583,47 @@ get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char
 debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute);
 for (msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) {
- BerElement *b;
- char *attr;
-
- switch (ldap_msgtype(msg)) {
-
- case LDAP_RES_SEARCH_ENTRY:
-
- for (attr = ldap_first_attribute(ld, msg, &b); attr;
- attr = ldap_next_attribute(ld, msg, b)) {
- if (strcasecmp(attr, attribute) == 0) {
- struct berval **values;
- int il;
-
- if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) {
- for (il = 0; values[il] != NULL; il++) {
-
- attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *));
- if (!attr_value)
- break;
-
- attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1);
- memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len);
- attr_value[il][values[il]->bv_len] = 0;
- }
- max_attr = il;
- }
- ber_bvecfree(values);
- }
- ldap_memfree(attr);
- }
- ber_free(b, 0);
- break;
- case LDAP_RES_SEARCH_REFERENCE:
- debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM);
- break;
- case LDAP_RES_SEARCH_RESULT:
- debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM);
- break;
- default:
- break;
- }
+ BerElement *b;
+ char *attr;
+
+ switch (ldap_msgtype(msg)) {
+
+ case LDAP_RES_SEARCH_ENTRY:
+
+ for (attr = ldap_first_attribute(ld, msg, &b); attr;
+ attr = ldap_next_attribute(ld, msg, b)) {
+ if (strcasecmp(attr, attribute) == 0) {
+ struct berval **values;
+ int il;
+
+ if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) {
+ for (il = 0; values[il] != NULL; il++) {
+
+ attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *));
+ if (!attr_value)
+ break;
+
+ attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1);
+ memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len);
+ attr_value[il][values[il]->bv_len] = 0;
+ } + max_attr = il; + } + ber_bvecfree(values); + } + ldap_memfree(attr); + } + ber_free(b, 0); + break; + case LDAP_RES_SEARCH_REFERENCE: + debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM); + break; + case LDAP_RES_SEARCH_RESULT: + debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM); + break; + default: + break; + } } debug((char *) "%s| %s: DEBUG: %d ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute); @@ -645,8 +645,8 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) #endif int rc = 0; - /* - * Use ldap open here to check if TCP connection is possible. If possible use it. + /* + * Use ldap open here to check if TCP connection is possible. If possible use it. * (Not sure if this is the best way) */ #ifdef HAVE_OPENLDAP @@ -654,9 +654,9 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl) memset(url, 0, sizeof(*url)); #ifdef HAVE_LDAP_URL_LUD_SCHEME if (ssl) - url->lud_scheme = (char *) "ldaps"; + url->lud_scheme = (char *) "ldaps"; else - url->lud_scheme = (char *) "ldap"; + url->lud_scheme = (char *) "ldap"; #endif url->lud_host = host; url->lud_port = port; 
@@ -670,125 +670,125 @@ tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl)
 #elif defined(HAVE_LDAP_URL_PARSE)
 rc = ldap_url_parse(ldapuri, &url);
 if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- if (ldapuri)
- xfree(ldapuri);
- if (url)
- xfree(url);
- return NULL;
+ error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ if (ldapuri)
+ xfree(ldapuri);
+ if (url)
+ xfree(url);
+ return NULL;
 }
 #else
 #error "No URL parsing function"
 #endif
 if (url) {
- xfree(url);
- url = NULL;
+ xfree(url);
+ url = NULL;
 }
 rc = ldap_initialize(&ld, ldapuri);
 if (ldapuri)
- xfree(ldapuri);
+ xfree(ldapuri);
 if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
+ error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
 }
 #else
 ld = ldap_init(host, port);
 #endif
 rc = ldap_set_defaults(margs, ld);
 if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
+ error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
 }
 if (ssl) {
- /*
- * Try Start TLS first
- */
- debug((char *) "%s| %s: DEBUG: Set SSL defaults\n", LogTime(), PROGRAM);
- rc = ldap_set_ssl_defaults(margs);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
- }
+ /*
+ * 
Try Start TLS first + */ + debug((char *) "%s| %s: DEBUG: Set SSL defaults\n", LogTime(), PROGRAM); + rc = ldap_set_ssl_defaults(margs); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } #ifdef HAVE_OPENLDAP - /* - * Use tls if possible - */ - rc = ldap_start_tls_s(ld, NULL, NULL); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - url = (LDAPURLDesc *) xmalloc(sizeof(*url)); - memset(url, 0, sizeof(*url)); + /* + * Use tls if possible + */ + rc = ldap_start_tls_s(ld, NULL, NULL); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + url = (LDAPURLDesc *) xmalloc(sizeof(*url)); + memset(url, 0, sizeof(*url)); #ifdef HAVE_LDAP_URL_LUD_SCHEME - url->lud_scheme = (char *) "ldaps"; + url->lud_scheme = (char *) "ldaps"; #endif - url->lud_host = host; - url->lud_port = port; + url->lud_host = host; + url->lud_port = port; #ifdef HAVE_LDAP_SCOPE_DEFAULT - url->lud_scope = LDAP_SCOPE_DEFAULT; + url->lud_scope = LDAP_SCOPE_DEFAULT; #else - url->lud_scope = LDAP_SCOPE_SUBTREE; + url->lud_scope = LDAP_SCOPE_SUBTREE; #endif #ifdef HAVE_LDAP_URL_DESC2STR - ldapuri = ldap_url_desc2str(url); + ldapuri = ldap_url_desc2str(url); #elif defined(HAVE_LDAP_URL_PARSE) - rc = ldap_url_parse(ldapuri, &url); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - if (ldapuri) - xfree(ldapuri); - if (url) - xfree(url); - return NULL; - } + rc = ldap_url_parse(ldapuri, &url); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", 
LogTime(), PROGRAM, ldap_err2string(rc)); + if (ldapuri) + xfree(ldapuri); + if (url) + xfree(url); + return NULL; + } #else #error "No URL parsing function" #endif - if (url) { - xfree(url); - url = NULL; - } - rc = ldap_initialize(&ld, ldapuri); - if (ldapuri) - xfree(ldapuri); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - return NULL; - } - rc = ldap_set_defaults(margs, ld); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - return NULL; - } - } + if (url) { + xfree(url); + url = NULL; + } + rc = ldap_initialize(&ld, ldapuri); + if (ldapuri) + xfree(ldapuri); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + rc = ldap_set_defaults(margs, ld); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + } #elif defined(HAVE_LDAPSSL_CLIENT_INIT) - ld = ldapssl_init(host, port, 1); - if (!ld) { - error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - return NULL; - } - rc = ldap_set_defaults(margs, ld); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - return NULL; - } + ld = ldapssl_init(host, port, 1); + if (!ld) { + error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, 
ldapssl_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } + rc = ldap_set_defaults(margs, ld); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + return NULL; + } #else - error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM); + error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM); #endif } return ld; @@ -831,19 +831,19 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) * Fill Kerberos memory cache with credential from keytab for SASL/GSSAPI */ if (domain) { - debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); + debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); - kc = krb5_create_cache(margs, domain); - if (kc) { - error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); - } + kc = krb5_create_cache(margs, domain); + if (kc) { + error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); + } } if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) { - /* - * If Kerberos fails and no url given exit here - */ - retval = 0; - goto cleanup; + /* + * If Kerberos fails and no url given exit here + */ + retval = 0; + goto cleanup; } #ifndef HAVE_SUN_LDAP_SDK /* 
@@ -857,141 +857,141 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) debug((char *) "%s| %s: DEBUG: Initialise ldap connection\n", LogTime(), PROGRAM); if (domain && !kc) { - if (margs->ssl) { - debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM); - } - debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name for domain %s\n", LogTime(), PROGRAM, domain); - /* - * Loop over list of ldap servers of users domain - */ - nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain); - for (i = 0; i < nhosts; i++) { - port = 389; - if (hlist[i].port != -1) - port = hlist[i].port; - debug((char *) "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port); - - ld = tool_ldap_open(margs, hlist[i].host, port, margs->ssl); - if (!ld) - continue; - - /* - * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username) - */ + if (margs->ssl) { + debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM); + } + debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name for domain %s\n", LogTime(), PROGRAM, domain); + /* + * Loop over list of ldap servers of users domain + */ + nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain); + for (i = 0; i < nhosts; i++) { + port = 389; + if (hlist[i].port != -1) + port = hlist[i].port; + debug((char *) "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port); + + ld = tool_ldap_open(margs, hlist[i].host, port, margs->ssl); + if (!ld) + continue; + + /* + * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username) + */ #if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN) - debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM); - - rc = tool_sasl_bind(ld, bindp, margs->ssl); - if (rc != LDAP_SUCCESS) { - error((char *) 
"%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - continue; - } - lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); - lcreds->dn = bindp ? xstrdup(bindp) : NULL; - lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL; - ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds); - if (ld != NULL) { - debug((char *) "%s| %s: DEBUG: %s initialised %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", margs->ssl ? "SSL protected " : "", hlist[i].host, port); - break; - } + debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM); + + rc = tool_sasl_bind(ld, bindp, margs->ssl); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + continue; + } + lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds->dn = bindp ? xstrdup(bindp) : NULL; + lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL; + ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds); + if (ld != NULL) { + debug((char *) "%s| %s: DEBUG: %s initialised %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", margs->ssl ? 
"SSL protected " : "", hlist[i].host, port); + break; + } #else - ldap_unbind(ld); - ld = NULL; - error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM); - continue; + ldap_unbind(ld); + ld = NULL; + error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM); + continue; #endif - } - nhosts = free_hostname_list(&hlist, nhosts); - if (ld == NULL) { - debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno)); - } - bindp = convert_domain_to_bind_path(domain); + } + nhosts = free_hostname_list(&hlist, nhosts); + if (ld == NULL) { + debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno)); + } + bindp = convert_domain_to_bind_path(domain); } if ((!domain || !ld) && margs->lurl && strstr(margs->lurl, "://")) { - /* - * If username does not contain a domain and a url was given then try it - */ - hostname = strstr(margs->lurl, "://") + 3; - ssl = strstr(margs->lurl, "ldaps://"); - if (ssl) { - debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM); - } - debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name %s\n", LogTime(), PROGRAM, hostname); - /* - * Loop over list of ldap servers - */ - host = xstrdup(hostname); - port = 389; - if ((p = strchr(host, ':'))) { - *p = '\0'; - p++; - port = atoi(p); - } - nhosts = get_hostname_list(margs, &hlist, 0, host); - if (host) - xfree(host); - host = NULL; - for (i = 0; i < nhosts; i++) { - - ld = tool_ldap_open(margs, hlist[i].host, port, ssl); - if (!ld) - continue; - /* - * ldap bind with username/password authentication - */ - - debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM); - rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", 
LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - continue; - } - lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); - lcreds->dn = xstrdup(margs->luser); - lcreds->pw = xstrdup(margs->lpass); - ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds); - debug((char *) "%s| %s: DEBUG: %s set up %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", ssl ? "SSL protected " : "", hlist[i].host, port); - break; - - } - nhosts = free_hostname_list(&hlist, nhosts); - if (bindp) - xfree(bindp); - if (margs->lbind) { - bindp = xstrdup(margs->lbind); - } else { - bindp = convert_domain_to_bind_path(domain); - } + /* + * If username does not contain a domain and a url was given then try it + */ + hostname = strstr(margs->lurl, "://") + 3; + ssl = strstr(margs->lurl, "ldaps://"); + if (ssl) { + debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM); + } + debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name %s\n", LogTime(), PROGRAM, hostname); + /* + * Loop over list of ldap servers + */ + host = xstrdup(hostname); + port = 389; + if ((p = strchr(host, ':'))) { + *p = '\0'; + p++; + port = atoi(p); + } + nhosts = get_hostname_list(margs, &hlist, 0, host); + if (host) + xfree(host); + host = NULL; + for (i = 0; i < nhosts; i++) { + + ld = tool_ldap_open(margs, hlist[i].host, port, ssl); + if (!ld) + continue; + /* + * ldap bind with username/password authentication + */ + + debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM); + rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + continue; + } + lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds)); + lcreds->dn = xstrdup(margs->luser); + lcreds->pw = 
xstrdup(margs->lpass); + ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds); + debug((char *) "%s| %s: DEBUG: %s set up %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", ssl ? "SSL protected " : "", hlist[i].host, port); + break; + + } + nhosts = free_hostname_list(&hlist, nhosts); + if (bindp) + xfree(bindp); + if (margs->lbind) { + bindp = xstrdup(margs->lbind); + } else { + bindp = convert_domain_to_bind_path(domain); + } } if (ld == NULL) { - debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno)); - retval = 0; - goto cleanup; + debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno)); + retval = 0; + goto cleanup; } /* * ldap search for user */ - /* + /* * Check if server is AD by querying for attribute samaccountname */ margs->AD = 0; rc = check_AD(margs, ld); if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - retval = 0; - goto cleanup; + error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + retval = 0; + goto cleanup; } if (margs->AD) - filter = (char *) FILTER_AD; + filter = (char *) FILTER_AD; else - filter = (char *) FILTER; + filter = (char *) FILTER; ldap_filter_esc = escape_filter(user); 
@@ -999,218 +999,218 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group) snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); if (ldap_filter_esc) - xfree(ldap_filter_esc); + xfree(ldap_filter_esc); debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp); rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, - search_exp, NULL, 0, - NULL, NULL, &searchtime, 0, &res); + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); if (search_exp) - xfree(search_exp); + xfree(search_exp); if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); - ld = NULL; - retval = 0; - goto cleanup; + error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + retval = 0; + goto cleanup; } debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? 
"ies" : "y"); if (ldap_count_entries(ld, res) != 0) { - if (margs->AD) - max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value); - else { - max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value); - } - - /* - * Compare group names - */ - retval = 0; - for (j = 0; j < max_attr; j++) { - - /* Compare first CN= value assuming it is the same as the group name itself */ - av = attr_value[j]; - if (!strncasecmp("CN=", av, 3)) { - av += 3; - if ((avp = strchr(av, ','))) { - *avp = '\0'; - } - } - if (debug_enabled) { - int n; - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av); - for (n = 0; av[n] != '\0'; n++) - fprintf(stderr, "%02x", (unsigned char) av[n]); - fprintf(stderr, "\n"); - } - if (!strcasecmp(group, av)) { - retval = 1; - if (debug_enabled) - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); - else - break; - } else - debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); - } - /* - * Do recursive group search for AD only since posixgroups can not contain other groups - */ - if (!retval && margs->AD) { - if (debug_enabled && max_attr > 0) { - debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM); - } - for (j = 0; j < max_attr; j++) { - - av = attr_value[j]; - if (search_group_tree(margs, ld, bindp, av, group, 1)) { - retval = 1; - if (!strncasecmp("CN=", av, 3)) { - av += 3; - if ((avp = strchr(av, ','))) { - *avp = '\0'; - } - } - if (debug_enabled) - debug((char *) "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); - else - break; - } - } - } - /* - * Cleanup - */ - if (attr_value) { - for (j = 0; j < max_attr; j++) { - xfree(attr_value[j]); - } - xfree(attr_value); - attr_value = NULL; - } - ldap_msgfree(res); + if (margs->AD) + max_attr = 
get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value); + else { + max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value); + } + + /* + * Compare group names + */ + retval = 0; + for (j = 0; j < max_attr; j++) { + + /* Compare first CN= value assuming it is the same as the group name itself */ + av = attr_value[j]; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (debug_enabled) { + int n; + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av); + for (n = 0; av[n] != '\0'; n++) + fprintf(stderr, "%02x", (unsigned char) av[n]); + fprintf(stderr, "\n"); + } + if (!strcasecmp(group, av)) { + retval = 1; + if (debug_enabled) + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + else + break; + } else + debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + } + /* + * Do recursive group search for AD only since posixgroups can not contain other groups + */ + if (!retval && margs->AD) { + if (debug_enabled && max_attr > 0) { + debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM); + } + for (j = 0; j < max_attr; j++) { + + av = attr_value[j]; + if (search_group_tree(margs, ld, bindp, av, group, 1)) { + retval = 1; + if (!strncasecmp("CN=", av, 3)) { + av += 3; + if ((avp = strchr(av, ','))) { + *avp = '\0'; + } + } + if (debug_enabled) + debug((char *) "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group); + else + break; + } + } + } + /* + * Cleanup + */ + if (attr_value) { + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; + } + ldap_msgfree(res); } else if (ldap_count_entries(ld, res) == 0 && margs->AD) { - ldap_msgfree(res); - ldap_unbind(ld); - ld = NULL; - retval = 0; - 
goto cleanup; + ldap_msgfree(res); + ldap_unbind(ld); + ld = NULL; + retval = 0; + goto cleanup; } else { - ldap_msgfree(res); - retval = 0; + ldap_msgfree(res); + retval = 0; } if (!margs->AD && retval == 0) { - /* - * Check for primary Group membership - */ - debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group); - filter = (char *) FILTER_UID; - - ldap_filter_esc = escape_filter(user); - - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); - - if (ldap_filter_esc) - xfree(ldap_filter_esc); - - debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); - rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, - search_exp, NULL, 0, - NULL, NULL, &searchtime, 0, &res); - if (search_exp) - xfree(search_exp); - - debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? 
"ies" : "y"); - - max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value); - - if (max_attr == 1) { - char **attr_value_2 = NULL; - int max_attr_2 = 0; - - ldap_msgfree(res); - filter = (char *) FILTER_GID; - - ldap_filter_esc = escape_filter(attr_value[0]); - - search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); - snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); - - if (ldap_filter_esc) - xfree(ldap_filter_esc); - - debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); - rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, - search_exp, NULL, 0, - NULL, NULL, &searchtime, 0, &res); - if (search_exp) - xfree(search_exp); - - max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2); - /* - * Compare group names - */ - retval = 0; - if (max_attr_2 == 1) { - - /* Compare first CN= value assuming it is the same as the group name itself */ - av = attr_value_2[0]; - if (!strcasecmp(group, av)) { - retval = 1; - debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group); - } else - debug((char *) "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group); - - } - /* - * Cleanup - */ - if (attr_value_2) { - for (j = 0; j < max_attr_2; j++) { - xfree(attr_value_2[j]); - } - xfree(attr_value_2); - attr_value_2 = NULL; - } - ldap_msgfree(res); - - debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? 
"matches" : "does not match", group); - - } else - debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group); - /* - * Cleanup - */ - if (attr_value) { - for (j = 0; j < max_attr; j++) { - xfree(attr_value[j]); - } - xfree(attr_value); - attr_value = NULL; - } + /* + * Check for primary Group membership + */ + debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group); + filter = (char *) FILTER_UID; + + ldap_filter_esc = escape_filter(user); + + search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); + snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + + if (ldap_filter_esc) + xfree(ldap_filter_esc); + + debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (search_exp) + xfree(search_exp); + + debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? 
"ies" : "y"); + + max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value); + + if (max_attr == 1) { + char **attr_value_2 = NULL; + int max_attr_2 = 0; + + ldap_msgfree(res); + filter = (char *) FILTER_GID; + + ldap_filter_esc = escape_filter(attr_value[0]); + + search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1); + snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc); + + if (ldap_filter_esc) + xfree(ldap_filter_esc); + + debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp); + rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE, + search_exp, NULL, 0, + NULL, NULL, &searchtime, 0, &res); + if (search_exp) + xfree(search_exp); + + max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2); + /* + * Compare group names + */ + retval = 0; + if (max_attr_2 == 1) { + + /* Compare first CN= value assuming it is the same as the group name itself */ + av = attr_value_2[0]; + if (!strcasecmp(group, av)) { + retval = 1; + debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group); + } else + debug((char *) "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group); + + } + /* + * Cleanup + */ + if (attr_value_2) { + for (j = 0; j < max_attr_2; j++) { + xfree(attr_value_2[j]); + } + xfree(attr_value_2); + attr_value_2 = NULL; + } + ldap_msgfree(res); + + debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? 
"matches" : "does not match", group); + + } else + debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group); + /* + * Cleanup + */ + if (attr_value) { + for (j = 0; j < max_attr; j++) { + xfree(attr_value[j]); + } + xfree(attr_value); + attr_value = NULL; + } } rc = ldap_unbind(ld); ld = NULL; if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); } debug((char *) "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM); - cleanup: +cleanup: if (domain) - krb5_cleanup(); + krb5_cleanup(); if (lcreds) { - if (lcreds->dn) - xfree(lcreds->dn); - if (lcreds->pw) - xfree(lcreds->pw); - xfree(lcreds); + if (lcreds->dn) + xfree(lcreds->dn); + if (lcreds->pw) + xfree(lcreds->pw); + xfree(lcreds); } if (bindp) - xfree(bindp); + xfree(bindp); bindp = NULL; return (retval); diff --git a/helpers/external_acl/kerberos_ldap_group/support_log.cc b/helpers/external_acl/kerberos_ldap_group/support_log.cc index 3affceaadc..3d43d985f8 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_log.cc +++ b/helpers/external_acl/kerberos_ldap_group/support_log.cc @@ -41,9 +41,9 @@ LogTime() gettimeofday(&now, NULL); if (now.tv_sec != last_t) { - tm = localtime(&now.tv_sec); - strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); - last_t = now.tv_sec; + tm = localtime(&now.tv_sec); + strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); + last_t = now.tv_sec; } return buf; } @@ -57,7 +57,7 @@ void log(char *format,...) { if (!log_enabled) - return; + return; va_list args; va_start(args, format); vfprintf(stderr, format, args); diff --git a/helpers/external_acl/kerberos_ldap_group/support_member.cc b/helpers/external_acl/kerberos_ldap_group/support_member.cc index 3093714e65..5d0b54f76f 100644 --- a/helpers/external_acl/kerberos_ldap_group/support_member.cc 
+++ b/helpers/external_acl/kerberos_ldap_group/support_member.cc
@@ -33,14 +33,14 @@ int check_memberof(struct main_args *margs, char *user, char *domain)
 {
- /*
+ /*
 * Check order:
 *
 * 1. Check domain against list of groups per domain
 * 1a. If domain does not exist in list try default domain
- * 1b. If default domain does not exist use default group against ldap url with user/password
+ * 1b. If default domain does not exist use default group against ldap url with user/password
 * 1c. If default group does not exist exit with error.
- * 2. Query ldap membership
+ * 2. Query ldap membership
 * 2a. Use GSSAPI/SASL with HTTP/fqdn@DOMAIN credentials from keytab
 * 2b. Use username/password with TLS
 *
@@ -53,85 +53,85 @@ check_memberof(struct main_args *margs, char *user, char *domain) gr = margs->groups; while (gr && domain) { - debug((char *) "%s| %s: DEBUG: User domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); - if (gr->domain && !strcasecmp(gr->domain, domain)) { - debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain); - /* query ldap */ - if (get_memberof(margs, user, domain, gr->group)) { - if (debug_enabled) - debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - else - log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - found++; - break; - } else { - if (debug_enabled) - debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - else - log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - } - } - gr = gr->next; + debug((char *) "%s| %s: DEBUG: User domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? 
gr->domain : "NULL"); + if (gr->domain && !strcasecmp(gr->domain, domain)) { + debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain); + /* query ldap */ + if (get_memberof(margs, user, domain, gr->group)) { + if (debug_enabled) + debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + else + log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + found++; + break; + } else { + if (debug_enabled) + debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + else + log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + } + } + gr = gr->next; } if (found) - return (1); + return (1); /* Check default domain */ gr = margs->groups; while (gr && domain) { - debug((char *) "%s| %s: DEBUG: Default domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? 
gr->domain : "NULL"); - if (gr->domain && !strcasecmp(gr->domain, "")) { - debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain); - /* query ldap */ - if (get_memberof(margs, user, domain, gr->group)) { - if (debug_enabled) - debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - else - log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - found++; - break; - } else { - if (debug_enabled) - debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - else - log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); - } - } - gr = gr->next; + debug((char *) "%s| %s: DEBUG: Default domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + if (gr->domain && !strcasecmp(gr->domain, "")) { + debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain); + /* query ldap */ + if (get_memberof(margs, user, domain, gr->group)) { + if (debug_enabled) + debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + else + log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + found++; + break; + } else { + if (debug_enabled) + debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + else + log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain); + } + } + gr = gr->next; } if (found) - return (1); + return (1); /* Check default group with ldap url */ gr = margs->groups; while (gr) { - debug((char *) 
"%s| %s: DEBUG: Default group loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); - if (!gr->domain) { - debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); - /* query ldap */ - if (get_memberof(margs, user, domain, gr->group)) { - if (debug_enabled) - debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); - else - log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); - found++; - break; - } else { - if (debug_enabled) - debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); - else - log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); - } - } - gr = gr->next; + debug((char *) "%s| %s: DEBUG: Default group loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + if (!gr->domain) { + debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL"); + /* query ldap */ + if (get_memberof(margs, user, domain, gr->group)) { + if (debug_enabled) + debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); + else + log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL"); + found++; + break; + } else { + if (debug_enabled) + debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? 
gr->domain : "NULL");
+ else
+ log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
+ }
+ }
+ gr = gr->next;
 }
 if (found)
- return (1);
+ return (1);
 return (0);
 }
diff --git a/helpers/external_acl/kerberos_ldap_group/support_netbios.cc b/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
index 6f2cd39015..fa9d64b78f 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
@@ -32,8 +32,7 @@ struct ndstruct *init_nd(void);
 struct ndstruct *
-init_nd(void)
-{
+init_nd(void) {
 struct ndstruct *ndsp;
 ndsp = (struct ndstruct *) xmalloc(sizeof(struct ndstruct));
 ndsp->netbios = NULL;
@@ -64,67 +63,67 @@ create_nd(struct main_args *margs) dp = NULL; if (!p) { - debug((char *) "%s| %s: DEBUG: No netbios names defined.\n", LogTime(), PROGRAM); - return (0); + debug((char *) "%s| %s: DEBUG: No netbios names defined.\n", LogTime(), PROGRAM); + return (0); } while (*p) { /* loop over group list */ - if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */ - p++; - continue; - } - if (*p == '@') { /* end of group name - start of domain name */ - if (p == np) { /* empty group name not allowed */ - debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); - return (1); - } - *p = '\0'; - p++; - ndsp = init_nd(); - ndsp->netbios = xstrdup(np); - if (ndspn) /* Have already an existing structure */ - ndsp->next = ndspn; - dp = p; /* after @ starts new domain name */ - } else if (*p == ':') { /* end of group name or end of domain name */ - if (p == np) { /* empty group name not allowed */ - debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); - return (1); - } - *p = '\0'; - p++; - if (dp) { /* end of domain name */ - ndsp->domain = xstrdup(dp); - dp = NULL; - } else { /* end of group name and no domain name */ - ndsp = init_nd(); - ndsp->netbios = xstrdup(np); - if (ndspn) /* Have already an existing structure */ - ndsp->next = ndspn; - } - ndspn = ndsp; - np = p; /* after : starts new group name */ - if (!ndsp->domain || !strcmp(ndsp->domain, "")) { - debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); - return (1); - } - debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain); - } else - p++; + if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */ + p++; + continue; + } + if (*p == '@') { /* end of group name - start of domain name */ + if (p == np) { /* empty group name not allowed */ + debug((char *) "%s| %s: DEBUG: No netbios name defined for 
domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + ndsp = init_nd(); + ndsp->netbios = xstrdup(np); + if (ndspn) /* Have already an existing structure */ + ndsp->next = ndspn; + dp = p; /* after @ starts new domain name */ + } else if (*p == ':') { /* end of group name or end of domain name */ + if (p == np) { /* empty group name not allowed */ + debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); + } + *p = '\0'; + p++; + if (dp) { /* end of domain name */ + ndsp->domain = xstrdup(dp); + dp = NULL; + } else { /* end of group name and no domain name */ + ndsp = init_nd(); + ndsp->netbios = xstrdup(np); + if (ndspn) /* Have already an existing structure */ + ndsp->next = ndspn; + } + ndspn = ndsp; + np = p; /* after : starts new group name */ + if (!ndsp->domain || !strcmp(ndsp->domain, "")) { + debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); + return (1); + } + debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain); + } else + p++; } if (p == np) { /* empty group name not allowed */ - debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); - return (1); + debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p); + return (1); } if (dp) { /* end of domain name */ - ndsp->domain = xstrdup(dp); + ndsp->domain = xstrdup(dp); } else { /* end of group name and no domain name */ - ndsp = init_nd(); - ndsp->netbios = xstrdup(np); - if (ndspn) /* Have already an existing structure */ - ndsp->next = ndspn; + ndsp = init_nd(); + ndsp->netbios = xstrdup(np); + if (ndspn) /* Have already an existing structure */ + ndsp->next = ndspn; } if (!ndsp->domain || !strcmp(ndsp->domain, "")) { - debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios); - 
return (1);
+ debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios);
+ return (1);
 }
 debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain);
@@ -139,12 +138,12 @@ get_netbios_name(struct main_args *margs, char *netbios)
 nd = margs->ndoms;
 while (nd && netbios) {
- debug((char *) "%s| %s: DEBUG: Netbios domain loop: netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
- if (nd->netbios && !strcasecmp(nd->netbios, netbios)) {
- debug((char *) "%s| %s: DEBUG: Found netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
- return (nd->domain);
- }
- nd = nd->next;
+ debug((char *) "%s| %s: DEBUG: Netbios domain loop: netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
+ if (nd->netbios && !strcasecmp(nd->netbios, netbios)) {
+ debug((char *) "%s| %s: DEBUG: Found netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
+ return (nd->domain);
+ }
+ nd = nd->next;
 }
 return NULL;
diff --git a/helpers/external_acl/kerberos_ldap_group/support_resolv.cc b/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
index 52dddf5864..b497344280 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
@@ -55,23 +55,23 @@ static void msort(struct hstruct *array, size_t nitems, int (*cmp) (struct hstru */ /* * See http://www.ietf.org/rfc/rfc2782.txt - * + * */ void nsError(int nserror, char *service) { switch (nserror) { case HOST_NOT_FOUND: - error((char *) "%s| %s: ERROR: res_search: Unknown service record: %s\n", LogTime(), PROGRAM, service); - break; + error((char *) "%s| %s: ERROR: res_search: Unknown service record: %s\n", LogTime(), PROGRAM, service); + break; case NO_DATA: - error((char *) "%s| %s: ERROR: res_search: No SRV record for %s\n", LogTime(), PROGRAM, service); - break; + error((char *) "%s| %s: ERROR: res_search: No SRV record for %s\n", LogTime(), PROGRAM, service); + break; case TRY_AGAIN: - error((char *) "%s| %s: ERROR: res_search: No response for SRV query\n", LogTime(), PROGRAM); - break; + error((char *) "%s| %s: ERROR: res_search: No response for SRV query\n", LogTime(), PROGRAM); + break; default: - error((char *) "%s| %s: ERROR: res_search: Unexpected error: %s\n", LogTime(), PROGRAM, strerror(nserror)); + error((char *) "%s| %s: ERROR: res_search: Unexpected error: %s\n", LogTime(), PROGRAM, strerror(nserror)); } } @@ -94,21 +94,21 @@ static void sort(struct hstruct *array, int nitems, int (*cmp) (struct hstruct *, struct hstruct *), int begin, int end) { if (end > begin) { - int pivot = begin; - int l = begin + 1; - int r = end; - while (l < r) { - if (cmp(&array[l], &array[pivot]) <= 0) { - l += 1; - } else { - r -= 1; - swap(&array[l], &array[r]); - } - } - l -= 1; - swap(&array[begin], &array[l]); - sort(array, nitems, cmp, begin, l); - sort(array, nitems, cmp, r, end); + int pivot = begin; + int l = begin + 1; + int r = end; + while (l < r) { + if (cmp(&array[l], &array[pivot]) <= 0) { + l += 1; + } else { + r -= 1; + swap(&array[l], &array[r]); + } + } + l -= 1; + swap(&array[begin], &array[l]); + sort(array, nitems, cmp, begin, l); + sort(array, nitems, cmp, r, end); } } 
@@ -122,24 +122,24 @@ static int compare_hosts(struct hstruct *host1, struct hstruct *host2) { /* - * + * * The comparison function must return an integer less than, equal to, * or greater than zero if the first argument is considered to be * respectively less than, equal to, or greater than the second. */ if ((host1->priority < host2->priority) && (host1->priority != -1)) - return -1; + return -1; if ((host1->priority < host2->priority) && (host1->priority == -1)) - return 1; + return 1; if ((host1->priority > host2->priority) && (host2->priority != -1)) - return 1; + return 1; if ((host1->priority > host2->priority) && (host2->priority == -1)) - return -1; + return -1; if (host1->priority == host2->priority) { - if (host1->weight > host2->weight) - return -1; - if (host1->weight < host2->weight) - return 1; + if (host1->weight > host2->weight) + return -1; + if (host1->weight < host2->weight) + return 1; } return 0; } @@ -152,14 +152,14 @@ free_hostname_list(struct hstruct **hlist, int nhosts) hp = *hlist; for (i = 0; i < nhosts; i++) { - if (hp[i].host) - xfree(hp[i].host); - hp[i].host = NULL; + if (hp[i].host) + xfree(hp[i].host); + hp[i].host = NULL; } if (hp) - xfree(hp); + xfree(hp); hp = NULL; *hlist = hp; return 0; 
@@ -177,41 +177,41 @@ get_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, c struct hstruct *hp = NULL; if (!name) - return (nhosts); + return (nhosts); hp = *hlist; rc = getaddrinfo((const char *) name, NULL, NULL, &hres); if (rc != 0) { - error((char *) "%s| %s: ERROR: Error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc)); - return (nhosts); + error((char *) "%s| %s: ERROR: Error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc)); + return (nhosts); } hres_list = hres; count = 0; while (hres_list) { - count++; - hres_list = hres_list->ai_next; + count++; + hres_list = hres_list->ai_next; } hres_list = hres; count = 0; while (hres_list) { - rc = getnameinfo(hres_list->ai_addr, hres_list->ai_addrlen, host, sizeof(host), NULL, 0, 0); - if (rc != 0) { - error((char *) "%s| %s: ERROR: Error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc)); - freeaddrinfo(hres); - *hlist = hp; - return (nhosts); - } - count++; - debug((char *) "%s| %s: DEBUG: Resolved address %d of %s to %s\n", LogTime(), PROGRAM, count, name, host); + rc = getnameinfo(hres_list->ai_addr, hres_list->ai_addrlen, host, sizeof(host), NULL, 0, 0); + if (rc != 0) { + error((char *) "%s| %s: ERROR: Error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc)); + freeaddrinfo(hres); + *hlist = hp; + return (nhosts); + } + count++; + debug((char *) "%s| %s: DEBUG: Resolved address %d of %s to %s\n", LogTime(), PROGRAM, count, name, host); - hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); - hp[nhosts].host = xstrdup(host); - hp[nhosts].port = -1; - hp[nhosts].priority = -1; - hp[nhosts].weight = -1; - nhosts++; + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); + hp[nhosts].host = xstrdup(host); + hp[nhosts].port = -1; + hp[nhosts].priority = -1; + hp[nhosts].weight = -1; + 
nhosts++;
- hres_list = hres_list->ai_next;
+ hres_list = hres_list->ai_next;
 }
 freeaddrinfo(hres);
@@ -240,181 +240,181 @@ get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh, u_char *p; if (margs->ssl) { - service = (char *) xmalloc(strlen("_ldaps._tcp.") + strlen(domain) + 1); - strcpy(service, "_ldaps._tcp."); + service = (char *) xmalloc(strlen("_ldaps._tcp.") + strlen(domain) + 1); + strcpy(service, "_ldaps._tcp."); } else { - service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1); - strcpy(service, "_ldap._tcp."); + service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1); + strcpy(service, "_ldap._tcp."); } strcat(service, domain); #ifndef PACKETSZ_MULT -/* - * It seems Solaris doesn't give back the real length back when res_search uses a to small buffer - * Set a bigger one here - */ + /* + * It seems Solaris doesn't give back the real length back when res_search uses a to small buffer + * Set a bigger one here + */ #define PACKETSZ_MULT 10 #endif hp = *hlist; buffer = (u_char *) xmalloc(PACKETSZ_MULT * NS_PACKETSZ); if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) { - error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); - nsError(h_errno, service); - if (margs->ssl) { - xfree(service); - service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1); - strcpy(service, "_ldap._tcp."); - strcat(service, domain); - if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) { - error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); - nsError(h_errno, service); - goto cleanup; - } - } else { - goto cleanup; - } + error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); + nsError(h_errno, service); + if (margs->ssl) { + xfree(service); + service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) 
+ 1); + strcpy(service, "_ldap._tcp."); + strcat(service, domain); + if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) { + error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); + nsError(h_errno, service); + goto cleanup; + } + } else { + goto cleanup; + } } if (len > PACKETSZ_MULT * NS_PACKETSZ) { - olen = len; - buffer = (u_char *) xrealloc(buffer, len); - if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) { - error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); - nsError(h_errno, service); - goto cleanup; - } - if (len > olen) { - error((char *) "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len); - goto cleanup; - } + olen = len; + buffer = (u_char *) xrealloc(buffer, len); + if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) { + error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service); + nsError(h_errno, service); + goto cleanup; + } + if (len > olen) { + error((char *) "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len); + goto cleanup; + } } p = buffer; p += 6 * NS_INT16SZ; /* Header(6*16bit) = id + flags + 4*section count */ if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len); - goto cleanup; + error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len); + goto cleanup; } if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { - error((char *) "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); - goto cleanup; + error((char *) "%s| %s: ERROR: Error while expanding query name with 
dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); + goto cleanup; } p += size; /* Query name */ p += 2 * NS_INT16SZ; /* Query type + class (2*16bit) */ if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len); - goto cleanup; + error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len); + goto cleanup; } while (p < buffer + len) { - if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { - error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); - goto cleanup; - } - p += size; /* Resource Record name */ - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len); - goto cleanup; - } - NS_GET16(type, p); /* RR type (16bit) */ - p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */ - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl\n", LogTime(), PROGRAM, len); - goto cleanup; - } - NS_GET16(rdlength, p); /* RR data length (16bit) */ + if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) { + error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); + goto cleanup; + } + p += size; /* Resource Record name */ + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(type, p); /* RR type (16bit) */ + p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */ + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR 
type,class,ttl\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(rdlength, p); /* RR data length (16bit) */ - if (type == ns_t_srv) { /* SRV record */ - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len); - goto cleanup; - } - NS_GET16(priority, p); /* Priority (16bit) */ - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len); - goto cleanup; - } - NS_GET16(weight, p); /* Weight (16bit) */ - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len); - goto cleanup; - } - NS_GET16(port, p); /* Port (16bit) */ - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len); - goto cleanup; - } - if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) { - error((char *) "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); - goto cleanup; - } - debug((char *) "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host); - hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1)); - hp[nh].host = xstrdup(host); - hp[nh].port = port; - hp[nh].priority = priority; - hp[nh].weight = weight; - nh++; - p += size; - } else { - p += rdlength; - } - if (p > buffer + len) { - error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len); - goto cleanup; - } + if (type == ns_t_srv) { /* SRV record */ + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(priority, 
p); /* Priority (16bit) */ + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(weight, p); /* Weight (16bit) */ + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len); + goto cleanup; + } + NS_GET16(port, p); /* Port (16bit) */ + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len); + goto cleanup; + } + if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) { + error((char *) "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno)); + goto cleanup; + } + debug((char *) "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host); + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1)); + hp[nh].host = xstrdup(host); + hp[nh].port = port; + hp[nh].priority = priority; + hp[nh].weight = weight; + nh++; + p += size; + } else { + p += rdlength; + } + if (p > buffer + len) { + error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len); + goto cleanup; + } } if (p != buffer + len) { #if (SIZEOF_LONG == 8) - errror("%s| %s: ERROR: Inconsistence message length: %ld!=0\n", LogTime(), PROGRAM, buffer + len - p); + errror("%s| %s: ERROR: Inconsistence message length: %ld!=0\n", LogTime(), PROGRAM, buffer + len - p); #else - error((char *) "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p); + error((char *) "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p); #endif - goto cleanup; + goto cleanup; } nhosts = get_hostname_list(margs, &hp, nh, domain); /* Remove duplicates */ for (i = 0; i < nhosts; i++) { - for (j = i + 1; j < nhosts; j++) { - 
if (!strcasecmp(hp[i].host, hp[j].host)) { - if (hp[i].port == hp[j].port || - (hp[i].port == -1 && hp[j].port == 389) || - (hp[i].port == 389 && hp[j].port == -1)) { - xfree(hp[j].host); - for (k = j + 1; k < nhosts; k++) { - hp[k - 1].host = hp[k].host; - hp[k - 1].port = hp[k].port; - hp[k - 1].priority = hp[k].priority; - hp[k - 1].weight = hp[k].weight; - } - j--; - nhosts--; - hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); - } - } - } + for (j = i + 1; j < nhosts; j++) { + if (!strcasecmp(hp[i].host, hp[j].host)) { + if (hp[i].port == hp[j].port || + (hp[i].port == -1 && hp[j].port == 389) || + (hp[i].port == 389 && hp[j].port == -1)) { + xfree(hp[j].host); + for (k = j + 1; k < nhosts; k++) { + hp[k - 1].host = hp[k].host; + hp[k - 1].port = hp[k].port; + hp[k - 1].priority = hp[k].priority; + hp[k - 1].weight = hp[k].weight; + } + j--; + nhosts--; + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); + } + } + } } /* Sort by Priority / Weight */ msort(hp, nhosts, compare_hosts); if (debug_enabled) { - debug((char *) "%s| %s: DEBUG: Sorted ldap server names for domain %s:\n", LogTime(), PROGRAM, domain); - for (i = 0; i < nhosts; i++) { - debug((char *) "%s| %s: DEBUG: Host: %s Port: %d Priority: %d Weight: %d\n", LogTime(), PROGRAM, hp[i].host, hp[i].port, hp[i].priority, hp[i].weight); - } + debug((char *) "%s| %s: DEBUG: Sorted ldap server names for domain %s:\n", LogTime(), PROGRAM, domain); + for (i = 0; i < nhosts; i++) { + debug((char *) "%s| %s: DEBUG: Host: %s Port: %d Priority: %d Weight: %d\n", LogTime(), PROGRAM, hp[i].host, hp[i].port, hp[i].priority, hp[i].weight); + } } if (buffer) - xfree(buffer); + xfree(buffer); if (service) - xfree(service); + xfree(service); *hlist = hp; return (nhosts); - cleanup: +cleanup: if (buffer) - xfree(buffer); + xfree(buffer); if (service) - xfree(service); + xfree(service); *hlist = hp; return (nhosts); } 
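Review bot: The `errror(...)` call in the `#if (SIZEOF_LONG == 8)` branch near the end of this hunk is not a function anything visible in the file declares, so the 64-bit build of that branch cannot compile unless something outside the hunk provides the name; it should read `error((char *) "%s| %s: ERROR: Inconsistence message length: %ld!=0\n", LogTime(), PROGRAM, (long)(buffer + len - p));`. Separately, every `NS_GET16(..., p)` in the answer loop reads two bytes and advances p before the following `if (p > buffer + len)` check, so on a truncated reply the read itself can land beyond `len` — and beyond the allocation once the `xrealloc(buffer, len)` path has sized the buffer to exactly `len`. Checking `if (p + NS_INT16SZ > buffer + len)` before each NS_GET16, and the equivalent before `p += NS_INT16SZ + NS_INT32SZ`, makes the bounds check protect the read it is meant to guard; the `p += rdlength` else branch performs no read, so its after-the-fact check is harmless.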
diff --git a/helpers/external_acl/kerberos_ldap_group/support_sasl.cc b/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
index e6bdadb2b4..6d5fc921f7 100644
--- a/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
+++ b/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
@@ -102,7 +102,7 @@ lutil_sasl_defaults(
 defaults = (lutilSASLdefaults *) xmalloc(sizeof(lutilSASLdefaults));
 if (defaults == NULL)
- return NULL;
+ return NULL;
 defaults->mech = mech ? xstrdup(mech) : NULL;
 defaults->realm = realm ? xstrdup(realm) : NULL;
@@ -111,16 +111,16 @@ lutil_sasl_defaults(
 defaults->authzid = authzid ? xstrdup(authzid) : NULL;
 if (defaults->mech == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
 }
 if (defaults->realm == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
 }
 if (defaults->authcid == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
 }
 if (defaults->authzid == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
 }
 defaults->resps = NULL;
 defaults->nresps = 0;
@@ -142,33 +142,33 @@ interaction( flags = flags; switch (interact->id) { case SASL_CB_GETREALM: - if (defaults) - dflt = defaults->realm; - break; + if (defaults) + dflt = defaults->realm; + break; case SASL_CB_AUTHNAME: - if (defaults) - dflt = defaults->authcid; - break; + if (defaults) + dflt = defaults->authcid; + break; case SASL_CB_PASS: - if (defaults) - dflt = defaults->passwd; - noecho = 1; - break; + if (defaults) + dflt = defaults->passwd; + noecho = 1; + break; case SASL_CB_USER: - if (defaults) - dflt = defaults->authzid; - break; + if (defaults) + dflt = defaults->authzid; + break; case SASL_CB_NOECHOPROMPT: - noecho = 1; - challenge = 1; - break; + noecho = 1; + challenge = 1; + break; case SASL_CB_ECHOPROMPT: - challenge = 1; - break; + challenge = 1; + break; } if (dflt && !*dflt) - dflt = NULL; + dflt = NULL; /* input must be empty */ interact->result = (dflt && *dflt) ? dflt : ""; @@ -187,14 +187,14 @@ lutil_sasl_interact( sasl_interact_t *interact = (sasl_interact_t *) in; if (ld == NULL) - return LDAP_PARAM_ERROR; + return LDAP_PARAM_ERROR; while (interact->id != SASL_CB_LIST_END) { - int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults); + int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults); - if (rc) - return rc; - interact++; + if (rc) + return rc; + interact++; } return LDAP_SUCCESS; @@ -207,17 +207,17 @@ lutil_sasl_freedefs( lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults; if (defs->mech) - xfree(defs->mech); + xfree(defs->mech); if (defs->realm) - xfree(defs->realm); + xfree(defs->realm); if (defs->authcid) - xfree(defs->authcid); + xfree(defs->authcid); if (defs->passwd) - xfree(defs->passwd); + xfree(defs->passwd); if (defs->authzid) - xfree(defs->authzid); + xfree(defs->authzid); if (defs->resps) - xfree(defs->resps); + xfree(defs->resps); xfree(defs); } 
@@ -229,7 +229,7 @@ tool_sasl_bind(LDAP * ld, char *binddn, char *ssl)
 * unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
 * unsigned sasl_flags = LDAP_SASL_QUIET;
 */
- /*
+ /*
 * Avoid SASL messages
 */
 #ifdef HAVE_SUN_LDAP_SDK
@@ -245,7 +245,7 @@ tool_sasl_bind(LDAP * ld, char *binddn, char *ssl)
 #else
 char *sasl_mech = NULL;
 #endif
- /*
+ /*
 * Force encryption
 */
 char *sasl_secprops;
@@ -253,40 +253,39 @@ tool_sasl_bind(LDAP * ld, char *binddn, char *ssl) * char *sasl_secprops = (char *)"maxssf=56"; * char *sasl_secprops = NULL; */ - struct berval passwd = - {0, NULL}; + struct berval passwd = {0, NULL}; void *defaults; int rc = LDAP_SUCCESS; if (ssl) - sasl_secprops = (char *) "maxssf=0"; + sasl_secprops = (char *) "maxssf=0"; else - sasl_secprops = (char *) "maxssf=56"; -/* sasl_secprops = (char *)"maxssf=0"; */ -/* sasl_secprops = (char *)"maxssf=56"; */ + sasl_secprops = (char *) "maxssf=56"; + /* sasl_secprops = (char *)"maxssf=0"; */ + /* sasl_secprops = (char *)"maxssf=56"; */ if (sasl_secprops != NULL) { - rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, - (void *) sasl_secprops); - if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc)); - return rc; - } + rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, + (void *) sasl_secprops); + if (rc != LDAP_SUCCESS) { + error((char *) "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc)); + return rc; + } } defaults = lutil_sasl_defaults(ld, - sasl_mech, - sasl_realm, - sasl_authc_id, - passwd.bv_val, - sasl_authz_id); + sasl_mech, + sasl_realm, + sasl_authc_id, + passwd.bv_val, + sasl_authz_id); rc = ldap_sasl_interactive_bind_s(ld, binddn, - sasl_mech, NULL, NULL, - sasl_flags, lutil_sasl_interact, defaults); + sasl_mech, NULL, NULL, + sasl_flags, lutil_sasl_interact, defaults); lutil_sasl_freedefs(defaults); if (rc != LDAP_SUCCESS) { - error((char *) "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); + error((char *) "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); } return rc; } diff --git a/helpers/negotiate_auth/kerberos/base64.cc b/helpers/negotiate_auth/kerberos/base64.cc index 7dab33a9d2..32c2b8c873 100644 
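Review bot: `if (sasl_secprops != NULL)` is always true because both branches of the preceding `if (ssl)` assign a string literal, and the two commented-out `sasl_secprops` assignments the hunk re-indents are dead code; dropping the guard and the stale comments would make the policy easier to audit. The choice itself is security-relevant and undocumented: with `ssl` set the code requests `maxssf=0`, i.e. no SASL integrity or confidentiality layer, presumably because TLS is expected to protect the connection, while without TLS it demands at least a 56-bit SASL layer, so a comment such as `/* Under TLS the SASL security layer is disabled (maxssf=0); otherwise require a >=56-bit SASL layer */` above `if (ssl)` would record that. The `passwd` berval is initialised to `{0, NULL}` and nothing between its declaration and the `lutil_sasl_defaults` call fills it, so the bind always proceeds with a NULL password; a one-line comment saying this is intentional would stop readers looking for missing password plumbing. tool_sasl_bind's earlier declarations sit before this hunk.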
--- a/helpers/negotiate_auth/kerberos/base64.cc +++ b/helpers/negotiate_auth/kerberos/base64.cc @@ -14,7 +14,7 @@ static int base64_initialized = 0; #define BASE64_VALUE_SZ 256 int base64_value[BASE64_VALUE_SZ]; const char base64_code[] = -"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static void @@ -23,10 +23,10 @@ ska_base64_init(void) int i; for (i = 0; i < BASE64_VALUE_SZ; i++) - base64_value[i] = -1; + base64_value[i] = -1; for (i = 0; i < 64; i++) - base64_value[(int) base64_code[i]] = i; + base64_value[(int) base64_code[i]] = i; base64_value[(int) '='] = 0; base64_initialized = 1; @@ -39,30 +39,30 @@ ska_base64_decode(char *result, const char *data, int result_size) int c; long val; if (!data) - return; + return; if (!base64_initialized) - ska_base64_init(); + ska_base64_init(); val = c = 0; for (j = 0; *data; data++) { - unsigned int k = ((unsigned char) *data) % BASE64_VALUE_SZ; - if (base64_value[k] < 0) - continue; - val <<= 6; - val += base64_value[k]; - if (++c < 4) - continue; - /* One quantum of four encoding characters/24 bit */ - if (j >= result_size) - break; - result[j++] = val >> 16; /* High 8 bits */ - if (j >= result_size) - break; - result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */ - if (j >= result_size) - break; - result[j++] = val & 0xff; /* Low 8 bits */ - val = c = 0; + unsigned int k = ((unsigned char) *data) % BASE64_VALUE_SZ; + if (base64_value[k] < 0) + continue; + val <<= 6; + val += base64_value[k]; + if (++c < 4) + continue; + /* One quantum of four encoding characters/24 bit */ + if (j >= result_size) + break; + result[j++] = val >> 16; /* High 8 bits */ + if (j >= result_size) + break; + result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */ + if (j >= result_size) + break; + result[j++] = val & 0xff; /* Low 8 bits */ + val = c = 0; } return; } 
@@ -70,70 +70,70 @@ ska_base64_decode(char *result, const char *data, int result_size) /* adopted from http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with adjustments */ void ska_base64_encode(char *result, const char *data, int result_size, - int data_size) + int data_size) { int bits = 0; int char_count = 0; int out_cnt = 0; if (!data) - return; + return; if (!base64_initialized) - ska_base64_init(); + ska_base64_init(); while (data_size--) { - int c = (unsigned char) *data++; - bits += c; - char_count++; - if (char_count == 3) { - if (out_cnt >= result_size) - break; - result[out_cnt++] = base64_code[bits >> 18]; - if (out_cnt >= result_size) - break; - result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; - if (out_cnt >= result_size) - break; - result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; - if (out_cnt >= result_size) - break; - result[out_cnt++] = base64_code[bits & 0x3f]; - bits = 0; - char_count = 0; - } else { - bits <<= 8; - } + int c = (unsigned char) *data++; + bits += c; + char_count++; + if (char_count == 3) { + if (out_cnt >= result_size) + break; + result[out_cnt++] = base64_code[bits >> 18]; + if (out_cnt >= result_size) + break; + result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; + if (out_cnt >= result_size) + break; + result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; + if (out_cnt >= result_size) + break; + result[out_cnt++] = base64_code[bits & 0x3f]; + bits = 0; + char_count = 0; + } else { + bits <<= 8; + } } if (char_count != 0) { - bits <<= 16 - (8 * char_count); - if (out_cnt >= result_size) - goto end; - result[out_cnt++] = base64_code[bits >> 18]; - if (out_cnt >= result_size) - goto end; - result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; - if (char_count == 1) { - if (out_cnt >= result_size) - goto end; - result[out_cnt++] = '='; - if (out_cnt >= result_size) - goto end; - result[out_cnt++] = '='; - } else { - if (out_cnt >= result_size) - goto end; - result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; - if 
(out_cnt >= result_size) - goto end; - result[out_cnt++] = '='; - } + bits <<= 16 - (8 * char_count); + if (out_cnt >= result_size) + goto end; + result[out_cnt++] = base64_code[bits >> 18]; + if (out_cnt >= result_size) + goto end; + result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; + if (char_count == 1) { + if (out_cnt >= result_size) + goto end; + result[out_cnt++] = '='; + if (out_cnt >= result_size) + goto end; + result[out_cnt++] = '='; + } else { + if (out_cnt >= result_size) + goto end; + result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; + if (out_cnt >= result_size) + goto end; + result[out_cnt++] = '='; + } } - end: +end: if (out_cnt >= result_size) { - result[result_size - 1] = '\0'; /* terminate */ + result[result_size - 1] = '\0'; /* terminate */ } else { - result[out_cnt] = '\0'; /* terminate */ + result[out_cnt] = '\0'; /* terminate */ } return; } @@ -151,10 +151,10 @@ ska_base64_decode_len(const char *data) j = 0; for (i = strlen(data) - 1; i >= 0; i--) { - if (data[i] == '=') - j++; - if (data[i] != '=') - break; + if (data[i] == '=') + j++; + if (data[i] != '=') + break; } return strlen(data) / 4 * 3 - j; } diff --git a/helpers/negotiate_auth/kerberos/base64.h b/helpers/negotiate_auth/kerberos/base64.h index ece76e7532..c3e365410f 100644 --- a/helpers/negotiate_auth/kerberos/base64.h +++ b/helpers/negotiate_auth/kerberos/base64.h @@ -4,7 +4,7 @@ void ska_base64_decode(char *result, const char *data, int result_size); void ska_base64_encode(char *result, const char *data, int result_size, - int data_size); + int data_size); int ska_base64_encode_len(int len); int ska_base64_decode_len(const char *data); diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc index 7101a388f9..eb36689ec9 100644 --- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc +++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 
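Review bot: ska_base64_decode_len can return a negative value: the loop counts every trailing '=' (four for "====", one for "="), and for input shorter than four characters `strlen(data) / 4 * 3` is 0, so `0 - j` goes negative. The caller in negotiate_kerberos_auth.cc stores the result in the `size_t` field `input_token.length` and passes it straight to xmalloc, and that input is presumably the client-supplied Negotiate token, so a malformed token turns into a huge allocation request. Clamping both cases fixes it: `if (strlen(data) < 4) return 0;` before the loop and `if (j > 2) j = 2;` after it. Since the decoder in the earlier hunk silently skips any byte that is not a base64 symbol, the value computed here is an upper bound rather than an exact length, which is fine for allocation but deserves a comment on the function.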
@@ -79,12 +79,11 @@
 #endif
 int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function, int log);
+ const char *function, int log);
 char *gethost_name(void);
 static const char *LogTime(void);
-static const unsigned char ntlmProtocol[] =
-{'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
+static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
 static const char *
 LogTime()
@@ -96,9 +95,9 @@ LogTime()
 gettimeofday(&now, NULL);
 if (now.tv_sec != last_t) {
- tm = localtime((time_t *) & now.tv_sec);
- strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
- last_t = now.tv_sec;
+ tm = localtime((time_t *) & now.tv_sec);
+ strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
+ last_t = now.tv_sec;
 }
 return buf;
 }
@@ -115,31 +114,31 @@ gethost_name(void)
 rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX));
 if (rc) {
- fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n",
- LogTime(), PROGRAM, hostname);
- return NULL;
+ fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n",
+ LogTime(), PROGRAM, hostname);
+ return NULL;
 }
 rc = getaddrinfo(hostname, NULL, NULL, &hres);
 if (rc != 0) {
- fprintf(stderr,
- "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n",
- LogTime(), PROGRAM, gai_strerror(rc));
- return NULL;
+ fprintf(stderr,
+ "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n",
+ LogTime(), PROGRAM, gai_strerror(rc));
+ return NULL;
 }
 hres_list = hres;
 count = 0;
 while (hres_list) {
- count++;
- hres_list = hres_list->ai_next;
+ count++;
+ hres_list = hres_list->ai_next;
 }
 rc = getnameinfo(hres->ai_addr, hres->ai_addrlen, hostname,
- sizeof(hostname), NULL, 0, 0);
+ sizeof(hostname), NULL, 0, 0);
 if (rc != 0) {
- fprintf(stderr,
- "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n",
- LogTime(), PROGRAM, gai_strerror(rc));
- freeaddrinfo(hres);
- return NULL;
+ fprintf(stderr,
+ "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n",
+ LogTime(), PROGRAM, gai_strerror(rc));
+ freeaddrinfo(hres);
+ return NULL;
 }
 freeaddrinfo(hres);
 hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0';
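Review bot: the failure message after `gethostname` prints `hostname` before anything has been written to it, so on that path the `'%s'` argument is an uninitialised buffer unless it is zeroed at its declaration, which is outside this hunk; reporting the errno instead is safer, e.g. `fprintf(stderr, "%s| %s: ERROR: gethostname() failed: %s\n", LogTime(), PROGRAM, strerror(errno));`. `sysconf(_SC_HOST_NAME_MAX)` is also called twice and used unchecked; POSIX allows it to return -1, in which case the final `hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0';` writes before the start of the array. Read it once into a `long`, fall back to `_POSIX_HOST_NAME_MAX` when it is not positive, and use that single value for both the gethostname length and the terminator index. The `count` computed over the getaddrinfo list is not used within the hunk; gethost_name's declarations and return are outside it.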
@@ -148,56 +147,56 @@ gethost_name(void) int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function, int log) + const char *function, int log) { if (GSS_ERROR(major_status)) { - OM_uint32 maj_stat, min_stat; - OM_uint32 msg_ctx = 0; - gss_buffer_desc status_string; - char buf[1024]; - size_t len; - - len = 0; - msg_ctx = 0; - while (!msg_ctx) { - /* convert major status code (GSS-API error) to text */ - maj_stat = gss_display_status(&min_stat, major_status, - GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { - if (sizeof(buf) > len + status_string.length + 1) { - snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); - len += status_string.length; - } - gss_release_buffer(&min_stat, &status_string); - break; - } - gss_release_buffer(&min_stat, &status_string); - } - if (sizeof(buf) > len + 2) { - snprintf(buf + len, (sizeof(buf) - len), "%s", ". "); - len += 2; - } - msg_ctx = 0; - while (!msg_ctx) { - /* convert minor status code (underlying routine error) to text */ - maj_stat = gss_display_status(&min_stat, minor_status, - GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); - if (maj_stat == GSS_S_COMPLETE) { - if (sizeof(buf) > len + status_string.length) { - snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); - len += status_string.length; - } - gss_release_buffer(&min_stat, &status_string); - break; - } - gss_release_buffer(&min_stat, &status_string); - } - debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf); - fprintf(stdout, "BH %s failed: %s\n", function, buf); - if (log) - fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(), - PROGRAM); - return (1); + OM_uint32 maj_stat, min_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + char buf[1024]; + size_t len; + + len = 0; + msg_ctx = 0; + while (!msg_ctx) { + /* convert major status code (GSS-API error) to text */ + 
maj_stat = gss_display_status(&min_stat, major_status, + GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length + 1) { + snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + if (sizeof(buf) > len + 2) { + snprintf(buf + len, (sizeof(buf) - len), "%s", ". "); + len += 2; + } + msg_ctx = 0; + while (!msg_ctx) { + /* convert minor status code (underlying routine error) to text */ + maj_stat = gss_display_status(&min_stat, minor_status, + GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string); + if (maj_stat == GSS_S_COMPLETE) { + if (sizeof(buf) > len + status_string.length) { + snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value); + len += status_string.length; + } + gss_release_buffer(&min_stat, &status_string); + break; + } + gss_release_buffer(&min_stat, &status_string); + } + debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf); + fprintf(stdout, "BH %s failed: %s\n", function, buf); + if (log) + fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(), + PROGRAM); + return (1); } return (0); } 
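Review bot: `buf` is declared without an initialiser and is only written when `gss_display_status` returns GSS_S_COMPLETE, so if both status lookups fail the later `debug` and `fprintf` calls format an uninitialised buffer; `char buf[1024] = "";` closes that. Both loops are `while (!msg_ctx)` with the `break` on success as the only exit, so a lookup that fails without advancing `msg_ctx` would spin forever — breaking out on the failure path as well, or bounding the iteration count, is safer. The `snprintf(..., "%s", (char *) status_string.value)` assumes the GSS buffer is NUL-terminated, which the API does not promise; `"%.*s", (int) status_string.length, (char *) status_string.value` uses the length the library supplies and drops that assumption. The copy of this function in negotiate_kerberos_auth_test.cc (last file section, whose hunk is cut off at the end of this page) has the same shape.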
@@ -233,301 +232,301 @@ main(int argc, char *const argv[]) setbuf(stdin, NULL); while (-1 != (opt = getopt(argc, argv, "dirs:h"))) { - switch (opt) { - case 'd': - debug_enabled = 1; - break; - case 'i': - log = 1; - break; - case 'r': - norealm = 1; - break; - case 's': - service_principal = xstrdup(optarg); - break; - case 'h': - fprintf(stderr, "Usage: \n"); - fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n"); - fprintf(stderr, "-d full debug\n"); - fprintf(stderr, "-i informational messages\n"); - fprintf(stderr, "-r remove realm from username\n"); - fprintf(stderr, "-s service principal name\n"); - fprintf(stderr, "-h help\n"); - fprintf(stderr, - "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); - fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n"); - exit(0); - default: - fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), - PROGRAM, opt); - } + switch (opt) { + case 'd': + debug_enabled = 1; + break; + case 'i': + log = 1; + break; + case 'r': + norealm = 1; + break; + case 's': + service_principal = xstrdup(optarg); + break; + case 'h': + fprintf(stderr, "Usage: \n"); + fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n"); + fprintf(stderr, "-d full debug\n"); + fprintf(stderr, "-i informational messages\n"); + fprintf(stderr, "-r remove realm from username\n"); + fprintf(stderr, "-s service principal name\n"); + fprintf(stderr, "-h help\n"); + fprintf(stderr, + "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n"); + fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n"); + exit(0); + default: + fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), + PROGRAM, opt); + } } debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, SQUID_KERB_AUTH_VERSION); if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) { - service.value = service_principal; - service.length = strlen((char *) service.value); + service.value = 
service_principal; + service.length = strlen((char *) service.value); } else { - host_name = gethost_name(); - if (!host_name) { - fprintf(stderr, - "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n", - LogTime(), PROGRAM); - fprintf(stdout, "BH hostname error\n"); - exit(-1); - } - service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2); - snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2, - "%s@%s", service_name, host_name); - service.length = strlen((char *) service.value); + host_name = gethost_name(); + if (!host_name) { + fprintf(stderr, + "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n", + LogTime(), PROGRAM); + fprintf(stdout, "BH hostname error\n"); + exit(-1); + } + service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2); + snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2, + "%s@%s", service_name, host_name); + service.length = strlen((char *) service.value); } while (1) { - if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { - if (ferror(stdin)) { - debug((char *) "%s| %s: FATAL: fgets() failed! dying..... 
errno=%d (%s)\n", - LogTime(), PROGRAM, ferror(stdin), - strerror(ferror(stdin))); - - fprintf(stdout, "BH input error\n"); - exit(1); /* BIIG buffer */ - } - fprintf(stdout, "BH input error\n"); - exit(0); - } - c = (char *) memchr(buf, '\n', sizeof(buf) - 1); - if (c) { - *c = '\0'; - length = c - buf; - } else { - err = 1; - } - if (err) { - debug((char *) "%s| %s: ERROR: Oversized message\n", LogTime(), PROGRAM); - fprintf(stdout, "BH Oversized message\n"); - err = 0; - continue; - } - debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length); - - if (buf[0] == '\0') { - debug((char *) "%s| %s: ERROR: Invalid request\n", LogTime(), PROGRAM); - fprintf(stdout, "BH Invalid request\n"); - continue; - } - if (strlen(buf) < 2) { - debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf); - fprintf(stdout, "BH Invalid request\n"); - continue; - } - if (!strncmp(buf, "QQ", 2)) { - gss_release_buffer(&minor_status, &input_token); - gss_release_buffer(&minor_status, &output_token); - gss_release_buffer(&minor_status, &service); - gss_release_cred(&minor_status, &server_creds); - if (server_name) - gss_release_name(&minor_status, &server_name); - if (client_name) - gss_release_name(&minor_status, &client_name); - if (gss_context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&minor_status, &gss_context, NULL); - if (kerberosToken) { - /* Allocated by parseNegTokenInit, but no matching free function exists.. */ - if (!spnego_flag) - xfree((char *) kerberosToken); - kerberosToken = NULL; - } - if (spnego_flag) { - /* Allocated by makeNegTokenTarg, but no matching free function exists.. 
*/ - if (spnegoToken) - xfree((char *) spnegoToken); - spnegoToken = NULL; - } - if (token) { - xfree(token); - token = NULL; - } - if (host_name) { - xfree(host_name); - host_name = NULL; - } - fprintf(stdout, "BH quit command\n"); - exit(0); - } - if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) { - debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf); - fprintf(stdout, "BH Invalid request\n"); - continue; - } - if (!strncmp(buf, "YR", 2)) { - if (gss_context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&minor_status, &gss_context, NULL); - gss_context = GSS_C_NO_CONTEXT; - } - if (strlen(buf) <= 3) { - debug((char *) "%s| %s: ERROR: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf); - fprintf(stdout, "BH Invalid negotiate request\n"); - continue; - } - input_token.length = ska_base64_decode_len(buf + 3); - debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n", - LogTime(), PROGRAM, buf + 3, (int) input_token.length); - input_token.value = xmalloc(input_token.length); - - ska_base64_decode((char *) input_token.value, buf + 3, input_token.length); - - - if ((input_token.length >= sizeof ntlmProtocol + 1) && - (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { - debug((char *) "%s| %s: WARNING: received type %d NTLM token\n", - LogTime(), PROGRAM, - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); - fprintf(stdout, "BH received type %d NTLM token\n", - (int) *((unsigned char *) input_token.value + - sizeof ntlmProtocol)); - goto cleanup; - } - if (service_principal) { - if (strcasecmp(service_principal, "GSS_C_NO_NAME")) { - major_status = gss_import_name(&minor_status, &service, - (gss_OID) GSS_C_NULL_OID, &server_name); - - } else { - server_name = GSS_C_NO_NAME; - major_status = GSS_S_COMPLETE; - } - } else { - major_status = gss_import_name(&minor_status, &service, - gss_nt_service_name, &server_name); - } - - if (check_gss_err(major_status, minor_status, 
"gss_import_name()", log)) - goto cleanup; - - major_status = - gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); - if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log)) - goto cleanup; - - major_status = gss_accept_sec_context(&minor_status, - &gss_context, - server_creds, - &input_token, - GSS_C_NO_CHANNEL_BINDINGS, - &client_name, NULL, &output_token, &ret_flags, NULL, NULL); - - - if (output_token.length) { - spnegoToken = (const unsigned char *) output_token.value; - spnegoTokenLength = output_token.length; - token = (char *) xmalloc(ska_base64_encode_len(spnegoTokenLength)); - if (token == NULL) { - debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; - } - ska_base64_encode(token, (const char *) spnegoToken, - ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength); - - if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) - goto cleanup; - if (major_status & GSS_S_CONTINUE_NEEDED) { - debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM); - fprintf(stdout, "TT %s\n", token); - goto cleanup; - } - gss_release_buffer(&minor_status, &output_token); - major_status = - gss_display_name(&minor_status, client_name, &output_token, - NULL); - - if (check_gss_err(major_status, minor_status, "gss_display_name()", log)) - goto cleanup; - user = (char *) xmalloc(output_token.length + 1); - if (user == NULL) { - debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; - } - memcpy(user, output_token.value, output_token.length); - user[output_token.length] = '\0'; - if (norealm && (p = strchr(user, '@')) != NULL) { - *p = '\0'; - } - fprintf(stdout, "AF %s %s\n", token, user); - debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user); - if (log) - 
fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); - goto cleanup; - } else { - if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) - goto cleanup; - if (major_status & GSS_S_CONTINUE_NEEDED) { - debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM); - fprintf(stdout, "NA %s\n", token); - goto cleanup; - } - gss_release_buffer(&minor_status, &output_token); - major_status = - gss_display_name(&minor_status, client_name, &output_token, - NULL); - - if (check_gss_err(major_status, minor_status, "gss_display_name()", log)) - goto cleanup; - /* - * Return dummy token AA. May need an extra return tag then AF - */ - user = (char *) xmalloc(output_token.length + 1); - if (user == NULL) { - debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM); - fprintf(stdout, "BH Not enough memory\n"); - goto cleanup; - } - memcpy(user, output_token.value, output_token.length); - user[output_token.length] = '\0'; - if (norealm && (p = strchr(user, '@')) != NULL) { - *p = '\0'; - } - fprintf(stdout, "AF %s %s\n", "AA==", user); - debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user); - if (log) - fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), - PROGRAM, user); - - } - cleanup: - gss_release_buffer(&minor_status, &input_token); - gss_release_buffer(&minor_status, &output_token); - gss_release_cred(&minor_status, &server_creds); - if (server_name) - gss_release_name(&minor_status, &server_name); - if (client_name) - gss_release_name(&minor_status, &client_name); - if (kerberosToken) { - /* Allocated by parseNegTokenInit, but no matching free function exists.. */ - if (!spnego_flag) - xfree((char *) kerberosToken); - kerberosToken = NULL; - } - if (spnego_flag) { - /* Allocated by makeNegTokenTarg, but no matching free function exists.. 
*/ - if (spnegoToken) - xfree((char *) spnegoToken); - spnegoToken = NULL; - } - if (token) { - xfree(token); - token = NULL; - } - if (user) { - xfree(user); - user = NULL; - } - continue; + if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { + if (ferror(stdin)) { + debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", + LogTime(), PROGRAM, ferror(stdin), + strerror(ferror(stdin))); + + fprintf(stdout, "BH input error\n"); + exit(1); /* BIIG buffer */ + } + fprintf(stdout, "BH input error\n"); + exit(0); + } + c = (char *) memchr(buf, '\n', sizeof(buf) - 1); + if (c) { + *c = '\0'; + length = c - buf; + } else { + err = 1; + } + if (err) { + debug((char *) "%s| %s: ERROR: Oversized message\n", LogTime(), PROGRAM); + fprintf(stdout, "BH Oversized message\n"); + err = 0; + continue; + } + debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length); + + if (buf[0] == '\0') { + debug((char *) "%s| %s: ERROR: Invalid request\n", LogTime(), PROGRAM); + fprintf(stdout, "BH Invalid request\n"); + continue; + } + if (strlen(buf) < 2) { + debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf); + fprintf(stdout, "BH Invalid request\n"); + continue; + } + if (!strncmp(buf, "QQ", 2)) { + gss_release_buffer(&minor_status, &input_token); + gss_release_buffer(&minor_status, &output_token); + gss_release_buffer(&minor_status, &service); + gss_release_cred(&minor_status, &server_creds); + if (server_name) + gss_release_name(&minor_status, &server_name); + if (client_name) + gss_release_name(&minor_status, &client_name); + if (gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, &gss_context, NULL); + if (kerberosToken) { + /* Allocated by parseNegTokenInit, but no matching free function exists.. */ + if (!spnego_flag) + xfree((char *) kerberosToken); + kerberosToken = NULL; + } + if (spnego_flag) { + /* Allocated by makeNegTokenTarg, but no matching free function exists.. 
*/ + if (spnegoToken) + xfree((char *) spnegoToken); + spnegoToken = NULL; + } + if (token) { + xfree(token); + token = NULL; + } + if (host_name) { + xfree(host_name); + host_name = NULL; + } + fprintf(stdout, "BH quit command\n"); + exit(0); + } + if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) { + debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf); + fprintf(stdout, "BH Invalid request\n"); + continue; + } + if (!strncmp(buf, "YR", 2)) { + if (gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, &gss_context, NULL); + gss_context = GSS_C_NO_CONTEXT; + } + if (strlen(buf) <= 3) { + debug((char *) "%s| %s: ERROR: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf); + fprintf(stdout, "BH Invalid negotiate request\n"); + continue; + } + input_token.length = ska_base64_decode_len(buf + 3); + debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n", + LogTime(), PROGRAM, buf + 3, (int) input_token.length); + input_token.value = xmalloc(input_token.length); + + ska_base64_decode((char *) input_token.value, buf + 3, input_token.length); + + + if ((input_token.length >= sizeof ntlmProtocol + 1) && + (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { + debug((char *) "%s| %s: WARNING: received type %d NTLM token\n", + LogTime(), PROGRAM, + (int) *((unsigned char *) input_token.value + + sizeof ntlmProtocol)); + fprintf(stdout, "BH received type %d NTLM token\n", + (int) *((unsigned char *) input_token.value + + sizeof ntlmProtocol)); + goto cleanup; + } + if (service_principal) { + if (strcasecmp(service_principal, "GSS_C_NO_NAME")) { + major_status = gss_import_name(&minor_status, &service, + (gss_OID) GSS_C_NULL_OID, &server_name); + + } else { + server_name = GSS_C_NO_NAME; + major_status = GSS_S_COMPLETE; + } + } else { + major_status = gss_import_name(&minor_status, &service, + gss_nt_service_name, &server_name); + } + + if (check_gss_err(major_status, minor_status, 
"gss_import_name()", log)) + goto cleanup; + + major_status = + gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); + if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log)) + goto cleanup; + + major_status = gss_accept_sec_context(&minor_status, + &gss_context, + server_creds, + &input_token, + GSS_C_NO_CHANNEL_BINDINGS, + &client_name, NULL, &output_token, &ret_flags, NULL, NULL); + + + if (output_token.length) { + spnegoToken = (const unsigned char *) output_token.value; + spnegoTokenLength = output_token.length; + token = (char *) xmalloc(ska_base64_encode_len(spnegoTokenLength)); + if (token == NULL) { + debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM); + fprintf(stdout, "BH Not enough memory\n"); + goto cleanup; + } + ska_base64_encode(token, (const char *) spnegoToken, + ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength); + + if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) + goto cleanup; + if (major_status & GSS_S_CONTINUE_NEEDED) { + debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM); + fprintf(stdout, "TT %s\n", token); + goto cleanup; + } + gss_release_buffer(&minor_status, &output_token); + major_status = + gss_display_name(&minor_status, client_name, &output_token, + NULL); + + if (check_gss_err(major_status, minor_status, "gss_display_name()", log)) + goto cleanup; + user = (char *) xmalloc(output_token.length + 1); + if (user == NULL) { + debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM); + fprintf(stdout, "BH Not enough memory\n"); + goto cleanup; + } + memcpy(user, output_token.value, output_token.length); + user[output_token.length] = '\0'; + if (norealm && (p = strchr(user, '@')) != NULL) { + *p = '\0'; + } + fprintf(stdout, "AF %s %s\n", token, user); + debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user); + if (log) + 
fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), + PROGRAM, user); + goto cleanup; + } else { + if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log)) + goto cleanup; + if (major_status & GSS_S_CONTINUE_NEEDED) { + debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM); + fprintf(stdout, "NA %s\n", token); + goto cleanup; + } + gss_release_buffer(&minor_status, &output_token); + major_status = + gss_display_name(&minor_status, client_name, &output_token, + NULL); + + if (check_gss_err(major_status, minor_status, "gss_display_name()", log)) + goto cleanup; + /* + * Return dummy token AA. May need an extra return tag then AF + */ + user = (char *) xmalloc(output_token.length + 1); + if (user == NULL) { + debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM); + fprintf(stdout, "BH Not enough memory\n"); + goto cleanup; + } + memcpy(user, output_token.value, output_token.length); + user[output_token.length] = '\0'; + if (norealm && (p = strchr(user, '@')) != NULL) { + *p = '\0'; + } + fprintf(stdout, "AF %s %s\n", "AA==", user); + debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user); + if (log) + fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(), + PROGRAM, user); + + } +cleanup: + gss_release_buffer(&minor_status, &input_token); + gss_release_buffer(&minor_status, &output_token); + gss_release_cred(&minor_status, &server_creds); + if (server_name) + gss_release_name(&minor_status, &server_name); + if (client_name) + gss_release_name(&minor_status, &client_name); + if (kerberosToken) { + /* Allocated by parseNegTokenInit, but no matching free function exists.. */ + if (!spnego_flag) + xfree((char *) kerberosToken); + kerberosToken = NULL; + } + if (spnego_flag) { + /* Allocated by makeNegTokenTarg, but no matching free function exists.. 
*/ + if (spnegoToken) + xfree((char *) spnegoToken); + spnegoToken = NULL; + } + if (token) { + xfree(token); + token = NULL; + } + if (user) { + xfree(user); + user = NULL; + } + continue; } } #else @@ -543,11 +542,11 @@ main(int argc, char *const argv[]) setbuf(stdin, NULL); char buf[MAX_AUTHTOKEN_LEN]; while (1) { - if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { - fprintf(stdout, "BH input error\n"); - exit(0); - } - fprintf(stdout, "BH Kerberos authentication not supported\n"); + if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) { + fprintf(stdout, "BH input error\n"); + exit(0); + } + fprintf(stdout, "BH Kerberos authentication not supported\n"); } } #endif /* HAVE_GSSAPI */ diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc index d7d0eefe93..f1d1391617 100644 --- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc +++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc @@ -69,7 +69,7 @@ static const char *LogTime(void); int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, - const char *function); + const char *function); const char *squid_kerb_proxy_auth(char *proxy); 
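Review bot: in the `else` branch taken when output_token is empty, `fprintf(stdout, "NA %s\n", token);` prints `token`, which is only allocated in the `if (output_token.length)` branch and is reset to NULL at `cleanup:`, so unless something outside the hunk sets it this passes a NULL pointer to `%s` (undefined behaviour; glibc happens to print "(null)"); the reply for this path should be built explicitly or reduced to what the helper protocol expects without a token. The oversized-line handling is also incomplete: when `memchr` finds no newline the loop reports "BH Oversized message" and continues, but the unread tail of that line is still in stdin and is parsed as the next request, so draining it with `int ch; while ((ch = getchar()) != EOF && ch != '\n') ;` before `continue` keeps the request stream in sync. `input_token.length` is taken from ska_base64_decode_len, which can be negative for degenerate padding; assigning that to a `size_t` and handing it to xmalloc needs a `<= 0` check before the allocation. main() and its variable declarations begin before this hunk.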
@@ -85,68 +85,67 @@ LogTime()
 gettimeofday(&now, NULL);
 if (now.tv_sec != last_t) {
- tm = localtime((const time_t *) &now.tv_sec);
- strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
- last_t = now.tv_sec;
+ tm = localtime((const time_t *) &now.tv_sec);
+ strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
+ last_t = now.tv_sec;
 }
 return buf;
 }
 #ifndef gss_mech_spnego
-static gss_OID_desc _gss_mech_spnego =
-{6, (void *) "\x2b\x06\x01\x05\x05\x02"};
+static gss_OID_desc _gss_mech_spnego = {6, (void *) "\x2b\x06\x01\x05\x05\x02"};
 gss_OID gss_mech_spnego = &_gss_mech_spnego;
 #endif
 int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function)
+ const char *function)
 {
 if (GSS_ERROR(major_status)) {
- OM_uint32 maj_stat, min_stat;
- OM_uint32 msg_ctx = 0;
- gss_buffer_desc status_string;
- char buf[1024];
- size_t len;
-
- len = 0;
- msg_ctx = 0;
- while (!msg_ctx) {
- /* convert major status code (GSS-API error) to text */
- maj_stat = gss_display_status(&min_stat, major_status,
- GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
- if (maj_stat == GSS_S_COMPLETE) {
- if (sizeof(buf) > len + status_string.length + 1) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
- len += status_string.length;
- }
- gss_release_buffer(&min_stat, &status_string);
- break;
- }
- gss_release_buffer(&min_stat, &status_string);
- }
- if (sizeof(buf) > len + 2) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
- len += 2;
- }
- msg_ctx = 0;
- while (!msg_ctx) {
- /* convert minor status code (underlying routine error) to text */
- maj_stat = gss_display_status(&min_stat, minor_status,
- GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
- if (maj_stat == GSS_S_COMPLETE) {
- if (sizeof(buf) > len + status_string.length) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
- len += status_string.length;
- }
- gss_release_buffer(&min_stat, &status_string);
- break;
- }
- gss_release_buffer(&min_stat, &status_string);
- }
- fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function,
- buf);
- return (1);
+ OM_uint32 maj_stat, min_stat;
+ OM_uint32 msg_ctx = 0;
+ gss_buffer_desc status_string;
+ char buf[1024];
+ size_t len;
+
+ len = 0;
+ msg_ctx = 0;
+ while (!msg_ctx) {
+ /* convert major status code (GSS-API error) to text */
+ maj_stat = gss_display_status(&min_stat, major_status,
+ GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
+ if (maj_stat == GSS_S_COMPLETE) {
+ if (sizeof(buf) > len + status_string.length + 1) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
+ len += status_string.length;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ break;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ if (sizeof(buf) > len + 2) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
+ len += 2;
+ }
+ msg_ctx = 0;
+ while (!msg_ctx) {
+ /* convert minor status code (underlying routine error) to text */
+ maj_stat = gss_display_status(&min_stat, minor_status,
+ GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
+ if (maj_stat == GSS_S_COMPLETE) {
+ if (sizeof(buf) > len + status_string.length) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
+ len += status_string.length;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ break;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function,
+ buf);
+ return (1);
 }
 return (0);
 }
@@ -166,37 +165,37 @@ squid_kerb_proxy_auth(char *proxy)
 setbuf(stdin, NULL);
 if (!proxy) {
- fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(),
- PROGRAM);
- return NULL;
+ fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(),
+ PROGRAM);
+ return NULL;
 }
 service.value = xmalloc(strlen("HTTP") + strlen(proxy) + 2);
 snprintf((char *) service.value, strlen("HTTP") + strlen(proxy) + 2, "%s@%s", "HTTP", proxy);
 service.length = strlen((char *) service.value);
 major_status = gss_import_name(&minor_status, &service,
- gss_nt_service_name, &server_name);
+ gss_nt_service_name, &server_name);
 if (check_gss_err(major_status, minor_status, "gss_import_name()"))
- goto cleanup;
+ goto cleanup;
 major_status = gss_init_sec_context(&minor_status,
- GSS_C_NO_CREDENTIAL, &gss_context, server_name,
- gss_mech_spnego,
- 0,
- 0,
- GSS_C_NO_CHANNEL_BINDINGS,
- &input_token, NULL, &output_token, NULL, NULL);
+ GSS_C_NO_CREDENTIAL, &gss_context, server_name,
+ gss_mech_spnego,
+ 0,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &input_token, NULL, &output_token, NULL, NULL);
 if (check_gss_err(major_status, minor_status, "gss_init_sec_context()"))
- goto cleanup;
+ goto cleanup;
 if (output_token.length) {
- token = (char *) xmalloc(ska_base64_encode_len(output_token.length));
- ska_base64_encode(token, (const char *) output_token.value,
- ska_base64_encode_len(output_token.length), output_token.length);
+ token = (char *) xmalloc(ska_base64_encode_len(output_token.length));
+ ska_base64_encode(token, (const char *) output_token.value,
+ ska_base64_encode_len(output_token.length), output_token.length);
 }
-cleanup:
+cleanup:
 gss_delete_sec_context(&minor_status, &gss_context, NULL);
 gss_release_buffer(&minor_status, &service);
 gss_release_buffer(&minor_status, &input_token);
@@ -214,21 +213,21 @@ main(int argc, char *argv[])
 int count;
 if (argc < 2) {
- fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
- LogTime(), PROGRAM);
- exit(99);
+ fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
+ LogTime(), PROGRAM);
+ exit(99);
 }
 if (argc == 3) {
- count = atoi(argv[2]);
- while (count > 0) {
- Token = (const char *) squid_kerb_proxy_auth(argv[1]);
- fprintf(stdout, "YR %s\n", Token ? Token : "NULL");
- count--;
- }
- fprintf(stdout, "QQ\n");
+ count = atoi(argv[2]);
+ while (count > 0) {
+ Token = (const char *) squid_kerb_proxy_auth(argv[1]);
+ fprintf(stdout, "YR %s\n", Token ? Token : "NULL");
+ count--;
+ }
+ fprintf(stdout, "QQ\n");
 } else {
- Token = (const char *) squid_kerb_proxy_auth(argv[1]);
- fprintf(stdout, "Token: %s\n", Token ? Token : "NULL");
+ Token = (const char *) squid_kerb_proxy_auth(argv[1]);
+ fprintf(stdout, "Token: %s\n", Token ? Token : "NULL");
 }
 exit(0);
diff --git a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc
index ae7e9120eb..2d33265081 100644
--- a/src/HttpHeaderTools.cc
+++ b/src/HttpHeaderTools.cc
@@ -153,10 +153,10 @@ httpHeaderHasConnDir(const HttpHeader * hdr, const char *directive)
 list = hdr->getList(HDR_PROXY_CONNECTION);
 else
 #endif
- if (hdr->has(HDR_CONNECTION))
- list = hdr->getList(HDR_CONNECTION);
- else
- return 0;
+ if (hdr->has(HDR_CONNECTION))
+ list = hdr->getList(HDR_CONNECTION);
+ else
+ return 0;
 res = strListIsMember(&list, directive, ',');