/***********************************************************************
*
* Copyright (C) 2005-2006 Novell, Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, Novell, Inc.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
*
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
//===[ Type definitions ]==================================================
typedef struct _CacheCred
{
LIST_ENTRY listEntry;
char *pName;
int32_t nameLen;
int32_t refCount;
gss_cred_id_t gssCred;
} CacheCred;
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
// Server Credential List and syncronizing mutex
static
LIST_ENTRY g_serverCredListHead = {&g_serverCredListHead, &g_serverCredListHead};
static
pthread_mutex_t g_serverCredMutex = PTHREAD_MUTEX_INITIALIZER;
//++=======================================================================
static
CasaStatus
GetServiceCredentials(
IN const ConfigIf *pServiceConfigIf,
INOUT gss_cred_id_t **ppServerCreds)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
gss_OID_set_desc mechOidSet;
gss_OID_set desiredMechs;
gss_name_t gssServiceName;
OM_uint32 gssMajStat;
OM_uint32 gssMinStat;
gss_buffer_desc gssBuffer;
char *pKrbServiceName;
DbgTrace(2, "krb5_token -GetServiceCredentials- Start\n", 0);
// Obtain the Krb Service Principal Name configured for the service
pKrbServiceName = pServiceConfigIf->getEntryValue(pServiceConfigIf, "KerberosPrincipal");
if (pKrbServiceName)
{
LIST_ENTRY *pListEntry;
CacheCred *pCacheCred = NULL;
int32_t krbServiceNameLen = strlen(pKrbServiceName);
// Gain exclusive access to our server credential cache
pthread_mutex_lock(&g_serverCredMutex);
// Look if we already have the credentials in our cash
pListEntry = g_serverCredListHead.Flink;
while (pListEntry != &g_serverCredListHead)
{
// Get pointer to the current entry
pCacheCred = CONTAINING_RECORD(pListEntry, CacheCred, listEntry);
// Check if this is the credential that we need
if (pCacheCred->nameLen == krbServiceNameLen
&& memcmp(pKrbServiceName, pCacheCred->pName, krbServiceNameLen) == 0)
{
// This is the credential that we need, stop looking.
break;
}
else
{
// This is not the credential that we are looking for
pCacheCred = NULL;
}
// Advance to the next entry
pListEntry = pListEntry->Flink;
}
// Proceed based on whether or not a credential was found
if (pCacheCred)
{
// Credential found in the cache, increment its reference count
// and return it to the caller.
pCacheCred->refCount ++;
*ppServerCreds = &pCacheCred->gssCred;
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
// Needed credential not found in the cache, create a cache entry.
pCacheCred = malloc(sizeof(*pCacheCred));
if (pCacheCred)
{
// Initialize the refCount on the entry
pCacheCred->refCount = 0;
// Allocate buffer to contain the service name within the cache entry
pCacheCred->pName = malloc(krbServiceNameLen + 1);
if (pCacheCred->pName)
{
// Save the service name within the entry
strcpy(pCacheCred->pName, pKrbServiceName);
pCacheCred->nameLen = krbServiceNameLen;
// Determine the desired mechanism
if (g_mechOid != GSS_C_NULL_OID)
{
desiredMechs = &mechOidSet;
mechOidSet.count = 1;
mechOidSet.elements = g_mechOid;
}
else
{
desiredMechs = GSS_C_NULL_OID_SET;
}
// Import the service name into something that GSS-API can understand
// based on its format.
gssBuffer.value = pKrbServiceName;
gssBuffer.length = krbServiceNameLen + 1;
if (strchr(pKrbServiceName, '@') != NULL)
{
// The name is of the form "servicename@hostname"
gssMajStat = gss_import_name(&gssMinStat,
&gssBuffer,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&gssServiceName);
}
else
{
// The name is of the form "servicename"
gssMajStat = gss_import_name(&gssMinStat,
&gssBuffer,
(gss_OID) GSS_C_NT_USER_NAME,
&gssServiceName);
}
if (gssMajStat == GSS_S_COMPLETE)
{
// Now attempt to acquire the credentials
gssMajStat = gss_acquire_cred(&gssMinStat,
gssServiceName,
0,
desiredMechs,
GSS_C_ACCEPT,
&pCacheCred->gssCred,
NULL,
NULL);
if (gssMajStat == GSS_S_COMPLETE)
{
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Error acquiring service credential\n", 0);
LogGssStatuses("acquiring credential", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_CONFIGURATION_ERROR);
}
// Release the imported name
gss_release_name(&gssMinStat, &gssServiceName);
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Error importing service name\n", 0);
LogGssStatuses("importing service name", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_OBJECT_NOT_FOUND);
}
// Check if we were successful at obtaining the credentials
if (CASA_SUCCESS(retStatus))
{
// Insert the entry in the cache, increment its reference count,
// and return it to the caller.
InsertTailList(&g_serverCredListHead, &pCacheCred->listEntry);
pCacheCred->refCount ++;
*ppServerCreds = &pCacheCred->gssCred;
}
else
{
// Failed, free the allocated buffers
free(pCacheCred->pName);
free(pCacheCred);
}
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0);
// Free buffer allocated for cache entry
free(pCacheCred);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
}
// Release exclusive access to our server credential cache
pthread_mutex_unlock(&g_serverCredMutex);
// Free the krb service principal name
free(pKrbServiceName);
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- No Kerberos principal name configured\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_CONFIGURATION_ERROR);
}
DbgTrace(2, "krb5_token -GetServiceCredentials- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
static
void
ReleaseServiceCredentials(
IN gss_cred_id_t *pServerCreds)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L2
//=======================================================================--
{
CacheCred *pCacheCred = CONTAINING_RECORD(pServerCreds, CacheCred, gssCred);
DbgTrace(2, "krb5_token -ReleaseServiceCredentials- Start\n", 0);
// Gain exclusive access to our server credential cache
pthread_mutex_lock(&g_serverCredMutex);
// Decrement the reference count on the entry
pCacheCred->refCount --;
// Release exclusive access to our server credential cache
pthread_mutex_unlock(&g_serverCredMutex);
DbgTrace(2, "krb5_token -ReleaseServiceCredentials- End\n", 0);
}
//++=======================================================================
CasaStatus SSCS_CALL
Krb5AuthTokenIf_ValidateAuthTokenCredentials(
IN const void *pIfInstance,
IN const ConfigIf *pServiceConfigIf,
IN const char *pUserName,
IN const int userNameLen,
IN const char *pTokenBuf,
IN const int tokenBufLen)
//
// Arguments:
// pIfInstance -
// Pointer to interface object.
//
// pServiceConfigIf -
// Pointer to service config object to which the client is trying to
// authenticate.
//
// pUserName -
// Pointer to string with the username that is being
// authenticated to the service. The length of the name
// is specified by the pUserNameLen parameter. Note that
// the string does not need to be NULL terminated.
//
// userNameLen -
// Length of the user name contained within the buffer
// pointed at by pUserNameBuf (Does not include the NULL
// terminator). If this parameter is set to -1 then the
// function assumes that the username string is NULL
// terminated.
//
// pTokenBuf -
// Pointer to buffer that will receive the authentication
// token. The length of this buffer is specified by the
// pTokenBufLen parameter. Note that the the authentication
// token will be in the form of a NULL terminated string.
//
// tokenBufLen -
// Length of the data contained within the buffer pointed
// at by pTokenBuf. (Does not include the NULL
// terminator). If this parameter is set to -1 then the
// function assumes that the username string is NULL
// terminated.
//
// Returns:
// Casa status.
//
// Description:
// Validates authentication token credentials.
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
gss_cred_id_t *pServerCreds;
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Start\n", 0);
// Validate input parameters
if (pIfInstance == NULL
|| pServiceConfigIf == NULL
|| pUserName == NULL
|| userNameLen == 0
|| pTokenBuf == NULL
|| tokenBufLen == 0)
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Invalid input parameter\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INVALID_PARAMETER);
goto exit;
}
// Get server credentials
retStatus = GetServiceCredentials(pServiceConfigIf, &pServerCreds);
if (CASA_SUCCESS(retStatus))
{
gss_buffer_desc gssRecvToken;
// Server credentials obtained, now decode the incoming token.
retStatus = DecodeData(pTokenBuf,
/*pTokenBuf[tokenBufLen] == '\0' ? tokenBufLen - 1 : tokenBufLen,*/ tokenBufLen + 1,
&gssRecvToken.value,
(int32_t*) &gssRecvToken.length);
if (CASA_SUCCESS(retStatus))
{
OM_uint32 gssMajStat;
OM_uint32 gssMinStat;
gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT;
gss_buffer_desc gssSendToken = {0};
OM_uint32 gssRetFlags;
gss_name_t gssClient;
gss_OID gssDoid;
// Process token received from client
gssMajStat = gss_accept_sec_context(&gssMinStat,
&gssContext,
*pServerCreds,
&gssRecvToken,
GSS_C_NO_CHANNEL_BINDINGS,
&gssClient,
&gssDoid,
&gssSendToken,
&gssRetFlags,
NULL,
NULL);
if (gssMajStat == GSS_S_COMPLETE)
{
gss_buffer_desc gssDisplayName;
gss_OID gssNameType;
gssMajStat = gss_display_name(&gssMinStat, gssClient, &gssDisplayName, &gssNameType);
if (gssMajStat == GSS_S_COMPLETE)
{
int actualUserNameLen;
// Determine the name of the user name provided by the caller
if (userNameLen == -1)
actualUserNameLen = strlen(pUserName);
else
actualUserNameLen = userNameLen;
// Verify that the user names match
if (actualUserNameLen == gssDisplayName.length
&& strncmp(pUserName, gssDisplayName.value, actualUserNameLen) == 0)
{
// The names match, credentials validated.
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- The user names do not match\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_AUTHENTICATION_FAILURE);
}
// Free the client display name
gss_release_buffer(&gssMinStat, &gssDisplayName);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Error obtaining display name\n", 0);
LogGssStatuses("obtaining display name", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
}
else
{
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- gss_accept_sec_context error\n", 0);
LogGssStatuses("accepting sec context", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_AUTHENTICATION_FAILURE);
}
// Free send token if necessary
if (gssSendToken.length != 0)
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Un-expected send token returned by gss_accept_sec_context\n", 0);
gss_release_buffer(&gssMinStat, &gssSendToken);
}
// Free context if necessary
if (gssContext != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&gssMinStat, &gssContext, GSS_C_NO_BUFFER);
// Free the buffer associated with the token
free(gssRecvToken.value);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Token decode failure\n", 0);
}
ReleaseServiceCredentials(pServerCreds);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Failed to get the server credentials\n", 0);
}
exit:
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
//++=======================================================================
//++=======================================================================