kerberosgss.c 36 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237
  1. /**
  2. * Copyright (c) 2006-2010 Apple Inc. All rights reserved.
  3. *
  4. * Licensed under the Apache License, Version 2.0 (the "License");
  5. * you may not use this file except in compliance with the License.
  6. * You may obtain a copy of the License at
  7. *
  8. * http://www.apache.org/licenses/LICENSE-2.0
  9. *
  10. * Unless required by applicable law or agreed to in writing, software
  11. * distributed under the License is distributed on an "AS IS" BASIS,
  12. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. * See the License for the specific language governing permissions and
  14. * limitations under the License.
  15. *
  16. **/
  17. /*
  18. * S4U2Proxy implementation
  19. * Copyright (C) 2015 David Mansfield
  20. * Code inspired by mod_auth_kerb.
  21. */
  22. #include "kerberosgss.h"
  23. #include "base64.h"
  24. #include <stdio.h>
  25. #include <stdlib.h>
  26. #include <string.h>
  27. #include <arpa/inet.h>
  28. #include <errno.h>
  29. #include <stdarg.h>
  30. #include <unistd.h>
  31. #include <krb5.h>
  32. #pragma clang diagnostic push
  33. #pragma clang diagnostic ignored "-Wdeprecated-declarations"
  34. void die1(const char *message) {
  35. if(errno) {
  36. perror(message);
  37. } else {
  38. printf("ERROR: %s\n", message);
  39. }
  40. exit(1);
  41. }
  42. static gss_client_response *gss_error(const char *func, const char *op, OM_uint32 err_maj, OM_uint32 err_min);
  43. static gss_client_response *other_error(const char *fmt, ...);
  44. static gss_client_response *krb5_ctx_error(krb5_context context, krb5_error_code problem);
  45. static gss_client_response *store_gss_creds(gss_server_state *state);
  46. static gss_client_response *create_krb5_ccache(gss_server_state *state, krb5_context context, krb5_principal princ, krb5_ccache *ccache);
  47. static gss_client_response *verify_krb5_kdc(krb5_context context,
  48. krb5_creds *creds,
  49. const char *service);
  50. static gss_client_response *init_gss_creds(const char *credential_cache, gss_cred_id_t *cred);
  51. /*
  52. * Protocol transition
  53. */
  54. OM_uint32 KRB5_CALLCONV
  55. gss_acquire_cred_impersonate_name(
  56. OM_uint32 *, /* minor_status */
  57. const gss_cred_id_t, /* impersonator_cred_handle */
  58. const gss_name_t, /* desired_name */
  59. OM_uint32, /* time_req */
  60. const gss_OID_set, /* desired_mechs */
  61. gss_cred_usage_t, /* cred_usage */
  62. gss_cred_id_t *, /* output_cred_handle */
  63. gss_OID_set *, /* actual_mechs */
  64. OM_uint32 *); /* time_rec */
  65. /*
  66. char* server_principal_details(const char* service, const char* hostname)
  67. {
  68. char match[1024];
  69. int match_len = 0;
  70. char* result = NULL;
  71. int code;
  72. krb5_context kcontext;
  73. krb5_keytab kt = NULL;
  74. krb5_kt_cursor cursor = NULL;
  75. krb5_keytab_entry entry;
  76. char* pname = NULL;
  77. // Generate the principal prefix we want to match
  78. snprintf(match, 1024, "%s/%s@", service, hostname);
  79. match_len = strlen(match);
  80. code = krb5_init_context(&kcontext);
  81. if (code)
  82. {
  83. PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
  84. "Cannot initialize Kerberos5 context", code));
  85. return NULL;
  86. }
  87. if ((code = krb5_kt_default(kcontext, &kt)))
  88. {
  89. PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
  90. "Cannot get default keytab", code));
  91. goto end;
  92. }
  93. if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor)))
  94. {
  95. PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
  96. "Cannot get sequence cursor from keytab", code));
  97. goto end;
  98. }
  99. while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0)
  100. {
  101. if ((code = krb5_unparse_name(kcontext, entry.principal, &pname)))
  102. {
  103. PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
  104. "Cannot parse principal name from keytab", code));
  105. goto end;
  106. }
  107. if (strncmp(pname, match, match_len) == 0)
  108. {
  109. result = malloc(strlen(pname) + 1);
  110. strcpy(result, pname);
  111. krb5_free_unparsed_name(kcontext, pname);
  112. krb5_free_keytab_entry_contents(kcontext, &entry);
  113. break;
  114. }
  115. krb5_free_unparsed_name(kcontext, pname);
  116. krb5_free_keytab_entry_contents(kcontext, &entry);
  117. }
  118. if (result == NULL)
  119. {
  120. PyErr_SetObject(KrbException_class, Py_BuildValue("((s:i))",
  121. "Principal not found in keytab", -1));
  122. }
  123. end:
  124. if (cursor)
  125. krb5_kt_end_seq_get(kcontext, kt, &cursor);
  126. if (kt)
  127. krb5_kt_close(kcontext, kt);
  128. krb5_free_context(kcontext);
  129. return result;
  130. }
  131. */
  132. gss_client_response *authenticate_gss_client_init(const char* service, long int gss_flags, const char* credentials_cache, gss_client_state* state) {
  133. OM_uint32 maj_stat;
  134. OM_uint32 min_stat;
  135. gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
  136. gss_client_response *response = NULL;
  137. int ret = AUTH_GSS_COMPLETE;
  138. state->server_name = GSS_C_NO_NAME;
  139. state->context = GSS_C_NO_CONTEXT;
  140. state->gss_flags = gss_flags;
  141. state->username = NULL;
  142. state->response = NULL;
  143. state->credentials_cache = NULL;
  144. // Import server name first
  145. name_token.length = strlen(service);
  146. name_token.value = (char *)service;
  147. maj_stat = gss_import_name(&min_stat, &name_token, gss_krb5_nt_service_name, &state->server_name);
  148. if (GSS_ERROR(maj_stat)) {
  149. response = gss_error(__func__, "gss_import_name", maj_stat, min_stat);
  150. response->return_code = AUTH_GSS_ERROR;
  151. goto end;
  152. }
  153. if (credentials_cache && strlen(credentials_cache) > 0) {
  154. state->credentials_cache = strdup(credentials_cache);
  155. if (state->credentials_cache == NULL) die1("Memory allocation failed");
  156. }
  157. end:
  158. if(response == NULL) {
  159. response = calloc(1, sizeof(gss_client_response));
  160. if(response == NULL) die1("Memory allocation failed");
  161. response->return_code = ret;
  162. }
  163. return response;
  164. }
  165. gss_client_response *authenticate_gss_client_clean(gss_client_state *state) {
  166. OM_uint32 min_stat;
  167. int ret = AUTH_GSS_COMPLETE;
  168. gss_client_response *response = NULL;
  169. if(state->context != GSS_C_NO_CONTEXT)
  170. gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
  171. if(state->server_name != GSS_C_NO_NAME)
  172. gss_release_name(&min_stat, &state->server_name);
  173. if(state->username != NULL) {
  174. free(state->username);
  175. state->username = NULL;
  176. }
  177. if (state->response != NULL) {
  178. free(state->response);
  179. state->response = NULL;
  180. }
  181. if (state->credentials_cache != NULL) {
  182. free(state->credentials_cache);
  183. state->credentials_cache = NULL;
  184. }
  185. if(response == NULL) {
  186. response = calloc(1, sizeof(gss_client_response));
  187. if(response == NULL) die1("Memory allocation failed");
  188. response->return_code = ret;
  189. }
  190. return response;
  191. }
  192. gss_client_response *authenticate_gss_client_step(gss_client_state* state, const char* challenge) {
  193. OM_uint32 maj_stat;
  194. OM_uint32 min_stat;
  195. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  196. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  197. int ret = AUTH_GSS_CONTINUE;
  198. gss_client_response *response = NULL;
  199. gss_cred_id_t gss_cred = GSS_C_NO_CREDENTIAL;
  200. // Always clear out the old response
  201. if (state->response != NULL) {
  202. free(state->response);
  203. state->response = NULL;
  204. }
  205. // If there is a challenge (data from the server) we need to give it to GSS
  206. if (challenge && *challenge) {
  207. int len;
  208. input_token.value = base64_decode(challenge, &len);
  209. input_token.length = len;
  210. }
  211. if (state->credentials_cache) {
  212. response = init_gss_creds(state->credentials_cache, &gss_cred);
  213. if (response) {
  214. goto end;
  215. }
  216. }
  217. // Do GSSAPI step
  218. maj_stat = gss_init_sec_context(&min_stat,
  219. gss_cred,
  220. &state->context,
  221. state->server_name,
  222. GSS_C_NO_OID,
  223. (OM_uint32)state->gss_flags,
  224. 0,
  225. GSS_C_NO_CHANNEL_BINDINGS,
  226. &input_token,
  227. NULL,
  228. &output_token,
  229. NULL,
  230. NULL);
  231. if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED)) {
  232. response = gss_error(__func__, "gss_init_sec_context", maj_stat, min_stat);
  233. response->return_code = AUTH_GSS_ERROR;
  234. goto end;
  235. }
  236. ret = (maj_stat == GSS_S_COMPLETE) ? AUTH_GSS_COMPLETE : AUTH_GSS_CONTINUE;
  237. // Grab the client response to send back to the server
  238. if(output_token.length) {
  239. state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
  240. maj_stat = gss_release_buffer(&min_stat, &output_token);
  241. }
  242. // Try to get the user name if we have completed all GSS operations
  243. if (ret == AUTH_GSS_COMPLETE) {
  244. gss_name_t gssuser = GSS_C_NO_NAME;
  245. maj_stat = gss_inquire_context(&min_stat, state->context, &gssuser, NULL, NULL, NULL, NULL, NULL, NULL);
  246. if(GSS_ERROR(maj_stat)) {
  247. response = gss_error(__func__, "gss_inquire_context", maj_stat, min_stat);
  248. response->return_code = AUTH_GSS_ERROR;
  249. goto end;
  250. }
  251. gss_buffer_desc name_token;
  252. name_token.length = 0;
  253. maj_stat = gss_display_name(&min_stat, gssuser, &name_token, NULL);
  254. if(GSS_ERROR(maj_stat)) {
  255. if(name_token.value)
  256. gss_release_buffer(&min_stat, &name_token);
  257. gss_release_name(&min_stat, &gssuser);
  258. response = gss_error(__func__, "gss_display_name", maj_stat, min_stat);
  259. response->return_code = AUTH_GSS_ERROR;
  260. goto end;
  261. } else {
  262. state->username = (char *)malloc(name_token.length + 1);
  263. if(state->username == NULL) die1("Memory allocation failed");
  264. strncpy(state->username, (char*) name_token.value, name_token.length);
  265. state->username[name_token.length] = 0;
  266. gss_release_buffer(&min_stat, &name_token);
  267. gss_release_name(&min_stat, &gssuser);
  268. }
  269. }
  270. end:
  271. if (gss_cred != GSS_C_NO_CREDENTIAL)
  272. gss_release_cred(&min_stat, &gss_cred);
  273. if(output_token.value)
  274. gss_release_buffer(&min_stat, &output_token);
  275. if(input_token.value)
  276. free(input_token.value);
  277. if(response == NULL) {
  278. response = calloc(1, sizeof(gss_client_response));
  279. if(response == NULL) die1("Memory allocation failed");
  280. response->return_code = ret;
  281. }
  282. // Return the response
  283. return response;
  284. }
  285. static gss_client_response *init_gss_creds(const char *credential_cache, gss_cred_id_t *cred) {
  286. OM_uint32 maj_stat;
  287. OM_uint32 min_stat;
  288. krb5_context context;
  289. krb5_error_code problem;
  290. gss_client_response *response = NULL;
  291. krb5_ccache ccache = NULL;
  292. *cred = GSS_C_NO_CREDENTIAL;
  293. if (credential_cache == NULL || strlen(credential_cache) == 0) {
  294. return NULL;
  295. }
  296. problem = krb5_init_context(&context);
  297. if (problem) {
  298. return other_error("unable to initialize krb5 context (%d)", (int)problem);
  299. }
  300. problem = krb5_cc_resolve(context, credential_cache, &ccache);
  301. if (problem) {
  302. response = krb5_ctx_error(context, problem);
  303. goto done;
  304. }
  305. maj_stat = gss_krb5_import_cred(&min_stat, ccache, NULL, NULL, cred);
  306. if (GSS_ERROR(maj_stat)) {
  307. response = gss_error(__func__, "gss_krb5_import_cred", maj_stat, min_stat);
  308. response->return_code = AUTH_GSS_ERROR;
  309. }
  310. done:
  311. if (response && ccache) {
  312. krb5_cc_close(context, ccache);
  313. }
  314. krb5_free_context(context);
  315. return response;
  316. }
  317. gss_client_response *authenticate_gss_client_unwrap(gss_client_state *state, const char *challenge) {
  318. OM_uint32 maj_stat;
  319. OM_uint32 min_stat;
  320. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  321. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  322. gss_client_response *response = NULL;
  323. int ret = AUTH_GSS_CONTINUE;
  324. // Always clear out the old response
  325. if(state->response != NULL) {
  326. free(state->response);
  327. state->response = NULL;
  328. }
  329. // If there is a challenge (data from the server) we need to give it to GSS
  330. if(challenge && *challenge) {
  331. int len;
  332. input_token.value = base64_decode(challenge, &len);
  333. input_token.length = len;
  334. }
  335. // Do GSSAPI step
  336. maj_stat = gss_unwrap(&min_stat,
  337. state->context,
  338. &input_token,
  339. &output_token,
  340. NULL,
  341. NULL);
  342. if(maj_stat != GSS_S_COMPLETE) {
  343. response = gss_error(__func__, "gss_unwrap", maj_stat, min_stat);
  344. response->return_code = AUTH_GSS_ERROR;
  345. goto end;
  346. } else {
  347. ret = AUTH_GSS_COMPLETE;
  348. }
  349. // Grab the client response
  350. if(output_token.length) {
  351. state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
  352. gss_release_buffer(&min_stat, &output_token);
  353. }
  354. end:
  355. if(output_token.value)
  356. gss_release_buffer(&min_stat, &output_token);
  357. if(input_token.value)
  358. free(input_token.value);
  359. if(response == NULL) {
  360. response = calloc(1, sizeof(gss_client_response));
  361. if(response == NULL) die1("Memory allocation failed");
  362. response->return_code = ret;
  363. }
  364. // Return the response
  365. return response;
  366. }
  367. gss_client_response *authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user) {
  368. OM_uint32 maj_stat;
  369. OM_uint32 min_stat;
  370. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  371. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  372. int ret = AUTH_GSS_CONTINUE;
  373. gss_client_response *response = NULL;
  374. char buf[4096], server_conf_flags;
  375. unsigned long buf_size;
  376. // Always clear out the old response
  377. if(state->response != NULL) {
  378. free(state->response);
  379. state->response = NULL;
  380. }
  381. if(challenge && *challenge) {
  382. int len;
  383. input_token.value = base64_decode(challenge, &len);
  384. input_token.length = len;
  385. }
  386. if(user) {
  387. // get bufsize
  388. server_conf_flags = ((char*) input_token.value)[0];
  389. ((char*) input_token.value)[0] = 0;
  390. buf_size = ntohl(*((long *) input_token.value));
  391. free(input_token.value);
  392. #ifdef PRINTFS
  393. printf("User: %s, %c%c%c\n", user,
  394. server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-',
  395. server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-',
  396. server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-');
  397. printf("Maximum GSS token size is %ld\n", buf_size);
  398. #endif
  399. // agree to terms (hack!)
  400. buf_size = htonl(buf_size); // not relevant without integrity/privacy
  401. memcpy(buf, &buf_size, 4);
  402. buf[0] = GSS_AUTH_P_NONE;
  403. // server decides if principal can log in as user
  404. strncpy(buf + 4, user, sizeof(buf) - 4);
  405. input_token.value = buf;
  406. input_token.length = 4 + strlen(user);
  407. }
  408. // Do GSSAPI wrap
  409. maj_stat = gss_wrap(&min_stat,
  410. state->context,
  411. 0,
  412. GSS_C_QOP_DEFAULT,
  413. &input_token,
  414. NULL,
  415. &output_token);
  416. if (maj_stat != GSS_S_COMPLETE) {
  417. response = gss_error(__func__, "gss_wrap", maj_stat, min_stat);
  418. response->return_code = AUTH_GSS_ERROR;
  419. goto end;
  420. } else
  421. ret = AUTH_GSS_COMPLETE;
  422. // Grab the client response to send back to the server
  423. if (output_token.length) {
  424. state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);;
  425. gss_release_buffer(&min_stat, &output_token);
  426. }
  427. end:
  428. if (output_token.value)
  429. gss_release_buffer(&min_stat, &output_token);
  430. if(response == NULL) {
  431. response = calloc(1, sizeof(gss_client_response));
  432. if(response == NULL) die1("Memory allocation failed");
  433. response->return_code = ret;
  434. }
  435. // Return the response
  436. return response;
  437. }
  438. gss_client_response *authenticate_gss_server_init(const char *service, bool constrained_delegation, const char *username, gss_server_state *state)
  439. {
  440. OM_uint32 maj_stat;
  441. OM_uint32 min_stat;
  442. gss_buffer_desc name_token = GSS_C_EMPTY_BUFFER;
  443. int ret = AUTH_GSS_COMPLETE;
  444. gss_client_response *response = NULL;
  445. gss_cred_usage_t usage = GSS_C_ACCEPT;
  446. state->context = GSS_C_NO_CONTEXT;
  447. state->server_name = GSS_C_NO_NAME;
  448. state->client_name = GSS_C_NO_NAME;
  449. state->server_creds = GSS_C_NO_CREDENTIAL;
  450. state->client_creds = GSS_C_NO_CREDENTIAL;
  451. state->username = NULL;
  452. state->targetname = NULL;
  453. state->response = NULL;
  454. state->constrained_delegation = constrained_delegation;
  455. state->delegated_credentials_cache = NULL;
  456. // Server name may be empty which means we aren't going to create our own creds
  457. size_t service_len = strlen(service);
  458. if (service_len != 0)
  459. {
  460. // Import server name first
  461. name_token.length = strlen(service);
  462. name_token.value = (char *)service;
  463. maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, &state->server_name);
  464. if (GSS_ERROR(maj_stat))
  465. {
  466. response = gss_error(__func__, "gss_import_name", maj_stat, min_stat);
  467. response->return_code = AUTH_GSS_ERROR;
  468. goto end;
  469. }
  470. if (state->constrained_delegation)
  471. {
  472. usage = GSS_C_BOTH;
  473. }
  474. // Get credentials
  475. maj_stat = gss_acquire_cred(&min_stat, state->server_name, GSS_C_INDEFINITE,
  476. GSS_C_NO_OID_SET, usage, &state->server_creds, NULL, NULL);
  477. if (GSS_ERROR(maj_stat))
  478. {
  479. response = gss_error(__func__, "gss_acquire_cred", maj_stat, min_stat);
  480. response->return_code = AUTH_GSS_ERROR;
  481. goto end;
  482. }
  483. }
  484. // If a username was passed, perform the S4U2Self protocol transition to acquire
  485. // a credentials from that user as if we had done gss_accept_sec_context.
  486. // In this scenario, the passed username is assumed to be already authenticated
  487. // by some external mechanism, and we are here to "bootstrap" some gss credentials.
  488. // In authenticate_gss_server_step we will bypass the actual authentication step.
  489. if (username != NULL)
  490. {
  491. gss_name_t gss_username;
  492. name_token.length = strlen(username);
  493. name_token.value = (char *)username;
  494. maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_USER_NAME, &gss_username);
  495. if (GSS_ERROR(maj_stat))
  496. {
  497. response = gss_error(__func__, "gss_import_name", maj_stat, min_stat);
  498. response->return_code = AUTH_GSS_ERROR;
  499. goto end;
  500. }
  501. maj_stat = gss_acquire_cred_impersonate_name(&min_stat,
  502. state->server_creds,
  503. gss_username,
  504. GSS_C_INDEFINITE,
  505. GSS_C_NO_OID_SET,
  506. GSS_C_INITIATE,
  507. &state->client_creds,
  508. NULL,
  509. NULL);
  510. if (GSS_ERROR(maj_stat))
  511. {
  512. response = gss_error(__func__, "gss_acquire_cred_impersonate_name", maj_stat, min_stat);
  513. response->return_code = AUTH_GSS_ERROR;
  514. }
  515. gss_release_name(&min_stat, &gss_username);
  516. if (response != NULL)
  517. {
  518. goto end;
  519. }
  520. // because the username MAY be a "local" username,
  521. // we want get the canonical name from the acquired creds.
  522. maj_stat = gss_inquire_cred(&min_stat, state->client_creds, &state->client_name, NULL, NULL, NULL);
  523. if (GSS_ERROR(maj_stat))
  524. {
  525. response = gss_error(__func__, "gss_inquire_cred", maj_stat, min_stat);
  526. response->return_code = AUTH_GSS_ERROR;
  527. goto end;
  528. }
  529. }
  530. end:
  531. if(response == NULL) {
  532. response = calloc(1, sizeof(gss_client_response));
  533. if(response == NULL) die1("Memory allocation failed");
  534. response->return_code = ret;
  535. }
  536. // Return the response
  537. return response;
  538. }
  539. gss_client_response *authenticate_gss_server_clean(gss_server_state *state)
  540. {
  541. OM_uint32 min_stat;
  542. int ret = AUTH_GSS_COMPLETE;
  543. gss_client_response *response = NULL;
  544. if (state->context != GSS_C_NO_CONTEXT)
  545. gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
  546. if (state->server_name != GSS_C_NO_NAME)
  547. gss_release_name(&min_stat, &state->server_name);
  548. if (state->client_name != GSS_C_NO_NAME)
  549. gss_release_name(&min_stat, &state->client_name);
  550. if (state->server_creds != GSS_C_NO_CREDENTIAL)
  551. gss_release_cred(&min_stat, &state->server_creds);
  552. if (state->client_creds != GSS_C_NO_CREDENTIAL)
  553. gss_release_cred(&min_stat, &state->client_creds);
  554. if (state->username != NULL)
  555. {
  556. free(state->username);
  557. state->username = NULL;
  558. }
  559. if (state->targetname != NULL)
  560. {
  561. free(state->targetname);
  562. state->targetname = NULL;
  563. }
  564. if (state->response != NULL)
  565. {
  566. free(state->response);
  567. state->response = NULL;
  568. }
  569. if (state->delegated_credentials_cache)
  570. {
  571. // TODO: what about actually destroying the cache? It can't be done now as
  572. // the whole point is having it around for the lifetime of the "session"
  573. free(state->delegated_credentials_cache);
  574. }
  575. if(response == NULL) {
  576. response = calloc(1, sizeof(gss_client_response));
  577. if(response == NULL) die1("Memory allocation failed");
  578. response->return_code = ret;
  579. }
  580. // Return the response
  581. return response;
  582. }
  583. gss_client_response *authenticate_gss_server_step(gss_server_state *state, const char *auth_data)
  584. {
  585. OM_uint32 maj_stat;
  586. OM_uint32 min_stat;
  587. gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  588. gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
  589. int ret = AUTH_GSS_CONTINUE;
  590. gss_client_response *response = NULL;
  591. // Always clear out the old response
  592. if (state->response != NULL)
  593. {
  594. free(state->response);
  595. state->response = NULL;
  596. }
  597. // we don't need to check the authentication token if S4U2Self protocol
  598. // transition was done, because we already have the client credentials.
  599. if (state->client_creds == GSS_C_NO_CREDENTIAL)
  600. {
  601. if (auth_data && *auth_data)
  602. {
  603. int len;
  604. input_token.value = base64_decode(auth_data, &len);
  605. input_token.length = len;
  606. }
  607. else
  608. {
  609. response = calloc(1, sizeof(gss_client_response));
  610. if(response == NULL) die1("Memory allocation failed");
  611. response->message = strdup("No auth_data value in request from client");
  612. response->return_code = AUTH_GSS_ERROR;
  613. goto end;
  614. }
  615. maj_stat = gss_accept_sec_context(&min_stat,
  616. &state->context,
  617. state->server_creds,
  618. &input_token,
  619. GSS_C_NO_CHANNEL_BINDINGS,
  620. &state->client_name,
  621. NULL,
  622. &output_token,
  623. NULL,
  624. NULL,
  625. &state->client_creds);
  626. if (GSS_ERROR(maj_stat))
  627. {
  628. response = gss_error(__func__, "gss_accept_sec_context", maj_stat, min_stat);
  629. response->return_code = AUTH_GSS_ERROR;
  630. goto end;
  631. }
  632. // Grab the server response to send back to the client
  633. if (output_token.length)
  634. {
  635. state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
  636. maj_stat = gss_release_buffer(&min_stat, &output_token);
  637. }
  638. }
  639. // Get the user name
  640. maj_stat = gss_display_name(&min_stat, state->client_name, &output_token, NULL);
  641. if (GSS_ERROR(maj_stat))
  642. {
  643. response = gss_error(__func__, "gss_display_name", maj_stat, min_stat);
  644. response->return_code = AUTH_GSS_ERROR;
  645. goto end;
  646. }
  647. state->username = (char *)malloc(output_token.length + 1);
  648. strncpy(state->username, (char*) output_token.value, output_token.length);
  649. state->username[output_token.length] = 0;
  650. // Get the target name if no server creds were supplied
  651. if (state->server_creds == GSS_C_NO_CREDENTIAL)
  652. {
  653. gss_name_t target_name = GSS_C_NO_NAME;
  654. maj_stat = gss_inquire_context(&min_stat, state->context, NULL, &target_name, NULL, NULL, NULL, NULL, NULL);
  655. if (GSS_ERROR(maj_stat))
  656. {
  657. response = gss_error(__func__, "gss_inquire_context", maj_stat, min_stat);
  658. response->return_code = AUTH_GSS_ERROR;
  659. goto end;
  660. }
  661. maj_stat = gss_display_name(&min_stat, target_name, &output_token, NULL);
  662. if (GSS_ERROR(maj_stat))
  663. {
  664. response = gss_error(__func__, "gss_display_name", maj_stat, min_stat);
  665. response->return_code = AUTH_GSS_ERROR;
  666. goto end;
  667. }
  668. state->targetname = (char *)malloc(output_token.length + 1);
  669. strncpy(state->targetname, (char*) output_token.value, output_token.length);
  670. state->targetname[output_token.length] = 0;
  671. }
  672. if (state->constrained_delegation && state->client_creds != GSS_C_NO_CREDENTIAL)
  673. {
  674. if ((response = store_gss_creds(state)) != NULL)
  675. {
  676. goto end;
  677. }
  678. }
  679. ret = AUTH_GSS_COMPLETE;
  680. end:
  681. if (output_token.length)
  682. gss_release_buffer(&min_stat, &output_token);
  683. if (input_token.value)
  684. free(input_token.value);
  685. if(response == NULL) {
  686. response = calloc(1, sizeof(gss_client_response));
  687. if(response == NULL) die1("Memory allocation failed");
  688. response->return_code = ret;
  689. }
  690. // Return the response
  691. return response;
  692. }
  693. /*
  694. * username, password: Credentials to validate. Null not allowed
  695. * service: Service principal (e.g. HTTP/somehost.example.org) of key
  696. * stored in default keytab which will be used to verify KDC.
  697. * Empty string (*not* NULL) will bypass KDC verification
  698. * return: response->return_code will be
  699. * -1 (AUTH_GSS_ERROR) for error, see response->message
  700. * 0 for auth fail
  701. * 1 for auth ok
  702. */
  703. gss_client_response *authenticate_user_krb5_password(const char *username,
  704. const char *password,
  705. const char *service)
  706. {
  707. krb5_context context = NULL;
  708. krb5_error_code problem;
  709. krb5_principal user_principal = NULL;
  710. krb5_get_init_creds_opt *opt = NULL;
  711. krb5_creds creds;
  712. bool auth_ok = false;
  713. gss_client_response *response = NULL;
  714. if (username == NULL || password == NULL || service == NULL) {
  715. return other_error("username, password and service must all be non-null");
  716. }
  717. memset(&creds, 0, sizeof(creds));
  718. problem = krb5_init_context(&context);
  719. if (problem) {
  720. // can't call krb5_ctx_error without a context...
  721. response = other_error("unable to initialize krb5 context (%d)", (int)problem);
  722. goto out;
  723. }
  724. problem = krb5_parse_name(context, username, &user_principal);
  725. if (problem) {
  726. response = krb5_ctx_error(context, problem);
  727. goto out;
  728. }
  729. problem = krb5_get_init_creds_opt_alloc(context, &opt);
  730. if (problem) {
  731. response = krb5_ctx_error(context, problem);
  732. goto out;
  733. }
  734. problem = krb5_get_init_creds_password(context, &creds, user_principal,
  735. (char *)password, NULL,
  736. NULL, 0, NULL, opt);
  737. switch (problem) {
  738. case 0:
  739. auth_ok = true;
  740. break;
  741. case KRB5KDC_ERR_PREAUTH_FAILED:
  742. case KRB5KRB_AP_ERR_BAD_INTEGRITY:
  743. case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
  744. /* "expected" error */
  745. auth_ok = false;
  746. break;
  747. default:
  748. /* unexpected error */
  749. response = krb5_ctx_error(context, problem);
  750. break;
  751. }
  752. if (auth_ok && strlen(service) > 0) {
  753. response = verify_krb5_kdc(context, &creds, service);
  754. }
  755. out:
  756. krb5_free_cred_contents(context, &creds);
  757. if (opt != NULL) {
  758. krb5_get_init_creds_opt_free(context, opt);
  759. }
  760. if (user_principal != NULL) {
  761. krb5_free_principal(context, user_principal);
  762. }
  763. if (context != NULL) {
  764. krb5_free_context(context);
  765. }
  766. if (response == NULL) {
  767. response = calloc(1, sizeof(gss_client_response));
  768. if(response == NULL) die1("Memory allocation failed");
  769. response->return_code = auth_ok ? 1 : 0;
  770. }
  771. return response;
  772. }
  773. /*
  774. * The username/password have been verified, now we must verify the
  775. * response came from a valid KDC by getting a ticket for our own
  776. * service that we can verify using our keytab.
  777. *
  778. * Based on mod_auth_kerb
  779. */
  780. static gss_client_response *verify_krb5_kdc(krb5_context context,
  781. krb5_creds *creds,
  782. const char *service)
  783. {
  784. krb5_error_code problem;
  785. krb5_keytab keytab = NULL;
  786. krb5_ccache tmp_ccache = NULL;
  787. krb5_principal server_princ = NULL;
  788. krb5_creds *new_creds = NULL;
  789. krb5_auth_context auth_context = NULL;
  790. krb5_data req;
  791. gss_client_response *response = NULL;
  792. memset(&req, 0, sizeof(req));
  793. problem = krb5_kt_default (context, &keytab);
  794. if (problem) {
  795. response = krb5_ctx_error(context, problem);
  796. goto out;
  797. }
  798. problem = krb5_cc_new_unique(context, "MEMORY", NULL, &tmp_ccache);
  799. if (problem) {
  800. response = krb5_ctx_error(context, problem);
  801. goto out;
  802. }
  803. problem = krb5_cc_initialize(context, tmp_ccache, creds->client);
  804. if (problem) {
  805. response = krb5_ctx_error(context, problem);
  806. goto out;
  807. }
  808. problem = krb5_cc_store_cred(context, tmp_ccache, creds);
  809. if (problem) {
  810. response = krb5_ctx_error(context, problem);
  811. goto out;
  812. }
  813. problem = krb5_parse_name(context, service, &server_princ);
  814. if (problem) {
  815. response = krb5_ctx_error(context, problem);
  816. goto out;
  817. }
  818. /*
  819. * creds->server is (almost always?) krbtgt service, and server_princ is not.
  820. * In which case retrieve a service ticket for server_princ service from KDC
  821. */
  822. if (!krb5_principal_compare(context, server_princ, creds->server)) {
  823. krb5_creds match_cred;
  824. memset (&match_cred, 0, sizeof(match_cred));
  825. match_cred.client = creds->client;
  826. match_cred.server = server_princ;
  827. problem = krb5_get_credentials(context, 0, tmp_ccache, &match_cred, &new_creds);
  828. if (problem) {
  829. response = krb5_ctx_error(context, problem);
  830. goto out;
  831. }
  832. creds = new_creds;
  833. }
  834. problem = krb5_mk_req_extended(context, &auth_context, 0, NULL, creds, &req);
  835. if (problem) {
  836. response = krb5_ctx_error(context, problem);
  837. goto out;
  838. }
  839. krb5_auth_con_free(context, auth_context);
  840. auth_context = NULL;
  841. problem = krb5_auth_con_init(context, &auth_context);
  842. if (problem) {
  843. response = krb5_ctx_error(context, problem);
  844. goto out;
  845. }
  846. /* disable replay cache checks */
  847. krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
  848. problem = krb5_rd_req(context, &auth_context, &req,
  849. server_princ, keytab, 0, NULL);
  850. if (problem) {
  851. response = krb5_ctx_error(context, problem);
  852. goto out;
  853. }
  854. out:
  855. krb5_free_data_contents(context, &req);
  856. if (auth_context) {
  857. krb5_auth_con_free(context, auth_context);
  858. }
  859. if (new_creds) {
  860. krb5_free_creds(context, new_creds);
  861. }
  862. if (server_princ) {
  863. krb5_free_principal(context, server_princ);
  864. }
  865. if (tmp_ccache) {
  866. krb5_cc_destroy (context, tmp_ccache);
  867. }
  868. if (keytab) {
  869. krb5_kt_close (context, keytab);
  870. }
  871. return response;
  872. }
  873. static gss_client_response *store_gss_creds(gss_server_state *state)
  874. {
  875. OM_uint32 maj_stat, min_stat;
  876. krb5_principal princ = NULL;
  877. krb5_ccache ccache = NULL;
  878. krb5_error_code problem;
  879. krb5_context context;
  880. gss_client_response *response = NULL;
  881. problem = krb5_init_context(&context);
  882. if (problem) {
  883. response = other_error("No auth_data value in request from client");
  884. return response;
  885. }
  886. problem = krb5_parse_name(context, state->username, &princ);
  887. if (problem) {
  888. response = krb5_ctx_error(context, problem);
  889. goto end;
  890. }
  891. if ((response = create_krb5_ccache(state, context, princ, &ccache)))
  892. {
  893. goto end;
  894. }
  895. maj_stat = gss_krb5_copy_ccache(&min_stat, state->client_creds, ccache);
  896. if (GSS_ERROR(maj_stat)) {
  897. response = gss_error(__func__, "gss_krb5_copy_ccache", maj_stat, min_stat);
  898. response->return_code = AUTH_GSS_ERROR;
  899. goto end;
  900. }
  901. krb5_cc_close(context, ccache);
  902. ccache = NULL;
  903. response = calloc(1, sizeof(gss_client_response));
  904. if(response == NULL) die1("Memory allocation failed");
  905. // TODO: something other than AUTH_GSS_COMPLETE?
  906. response->return_code = AUTH_GSS_COMPLETE;
  907. end:
  908. if (princ)
  909. krb5_free_principal(context, princ);
  910. if (ccache)
  911. krb5_cc_destroy(context, ccache);
  912. krb5_free_context(context);
  913. return response;
  914. }
  915. static gss_client_response *create_krb5_ccache(gss_server_state *state, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
  916. {
  917. char *ccname = NULL;
  918. int fd;
  919. krb5_error_code problem;
  920. krb5_ccache tmp_ccache = NULL;
  921. gss_client_response *error = NULL;
  922. // TODO: mod_auth_kerb used a temp file under /run/httpd/krbcache. what can we do?
  923. ccname = strdup("FILE:/tmp/krb5cc_nodekerberos_XXXXXX");
  924. if (!ccname) die1("Memory allocation failed");
  925. fd = mkstemp(ccname + strlen("FILE:"));
  926. if (fd < 0) {
  927. error = other_error("mkstemp() failed: %s", strerror(errno));
  928. goto end;
  929. }
  930. close(fd);
  931. problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache);
  932. if (problem) {
  933. error = krb5_ctx_error(kcontext, problem);
  934. goto end;
  935. }
  936. problem = krb5_cc_initialize(kcontext, tmp_ccache, princ);
  937. if (problem) {
  938. error = krb5_ctx_error(kcontext, problem);
  939. goto end;
  940. }
  941. state->delegated_credentials_cache = strdup(ccname);
  942. // TODO: how/when to cleanup the creds cache file?
  943. // TODO: how to expose the credentials expiration time?
  944. *ccache = tmp_ccache;
  945. tmp_ccache = NULL;
  946. end:
  947. if (tmp_ccache)
  948. krb5_cc_destroy(kcontext, tmp_ccache);
  949. if (ccname && error)
  950. unlink(ccname);
  951. if (ccname)
  952. free(ccname);
  953. return error;
  954. }
  955. gss_client_response *gss_error(const char *func, const char *op, OM_uint32 err_maj, OM_uint32 err_min) {
  956. OM_uint32 maj_stat, min_stat;
  957. OM_uint32 msg_ctx = 0;
  958. gss_buffer_desc status_string;
  959. gss_client_response *response = calloc(1, sizeof(gss_client_response));
  960. if(response == NULL) die1("Memory allocation failed");
  961. char *message = NULL;
  962. message = calloc(1024, 1);
  963. if(message == NULL) die1("Memory allocation failed");
  964. response->message = message;
  965. int nleft = 1024;
  966. int n;
  967. n = snprintf(message, nleft, "%s(%s)", func, op);
  968. message += n;
  969. nleft -= n;
  970. do {
  971. maj_stat = gss_display_status (&min_stat,
  972. err_maj,
  973. GSS_C_GSS_CODE,
  974. GSS_C_NO_OID,
  975. &msg_ctx,
  976. &status_string);
  977. if(GSS_ERROR(maj_stat))
  978. break;
  979. n = snprintf(message, nleft, ": %.*s",
  980. (int)status_string.length, (char*)status_string.value);
  981. message += n;
  982. nleft -= n;
  983. gss_release_buffer(&min_stat, &status_string);
  984. maj_stat = gss_display_status (&min_stat,
  985. err_min,
  986. GSS_C_MECH_CODE,
  987. GSS_C_NULL_OID,
  988. &msg_ctx,
  989. &status_string);
  990. if(!GSS_ERROR(maj_stat)) {
  991. n = snprintf(message, nleft, ": %.*s",
  992. (int)status_string.length, (char*)status_string.value);
  993. message += n;
  994. nleft -= n;
  995. gss_release_buffer(&min_stat, &status_string);
  996. }
  997. } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
  998. return response;
  999. }
  1000. static gss_client_response *krb5_ctx_error(krb5_context context, krb5_error_code problem)
  1001. {
  1002. gss_client_response *response = NULL;
  1003. const char *error_text = krb5_get_error_message(context, problem);
  1004. response = calloc(1, sizeof(gss_client_response));
  1005. if(response == NULL) die1("Memory allocation failed");
  1006. response->message = strdup(error_text);
  1007. // TODO: something other than AUTH_GSS_ERROR? AUTH_KRB5_ERROR ?
  1008. response->return_code = AUTH_GSS_ERROR;
  1009. krb5_free_error_message(context, error_text);
  1010. return response;
  1011. }
  1012. static gss_client_response *other_error(const char *fmt, ...)
  1013. {
  1014. size_t needed;
  1015. char *msg;
  1016. gss_client_response *response = NULL;
  1017. va_list ap, aps;
  1018. va_start(ap, fmt);
  1019. va_copy(aps, ap);
  1020. needed = vsnprintf(NULL, 0, fmt, aps) + 1;
  1021. va_end(aps);
  1022. msg = malloc(needed);
  1023. if (!msg) die1("Memory allocation failed");
  1024. vsnprintf(msg, needed, fmt, ap);
  1025. va_end(ap);
  1026. response = calloc(1, sizeof(gss_client_response));
  1027. if(response == NULL) die1("Memory allocation failed");
  1028. response->message = msg;
  1029. // TODO: something other than AUTH_GSS_ERROR?
  1030. response->return_code = AUTH_GSS_ERROR;
  1031. return response;
  1032. }
  1033. #pragma clang diagnostic pop