geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Adding the authentication token stuff.

Browse Source
This commit is contained in:
Juan Carlos Luciani
2005-12-14 17:18:24 +00:00
parent 638e26c3cb
commit 458462e755
29 changed files with 4532 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
auth_token/krb5_token/linux/Makefile Normal file
View File

@@ -0,0 +1,20 @@
#
# configure environment
#
TARGET = casa_krb5_token
include global.mak
include defaults.$(PLAT)
include rules.mak
BIN_NAME = $(TARGET)$(xtra).$(BIN)
LIB_NAME = $(TARGET)$(xtra).$(LIB)
#
# target object and source files
#
include objs.$(PLAT)
#
# targets
#
include target.cl

7
auth_token/krb5_token/linux/casa_krb5_token_lux.exp Normal file
View File

@@ -0,0 +1,7 @@
VER_1.0
{
global:
GetAuthTokenInterface;
local:
*;
};

314
auth_token/krb5_token/linux/get.c Normal file
View File

@@ -0,0 +1,314 @@
/***********************************************************************
* File: get.c
* Author: Juan Carlos Luciani (jluciani@novell.com)
*
* Abstract: Implements the GetAuthTokenCredentials functionality
* for the Kerberos system over GSS-API.
*
* Copyright (C) 2005 Novell, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free
* Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
//===[ Type definitions ]==================================================
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
//++=======================================================================
CasaStatus SSCS_CALL
Krb5AuthTokenIf_GetAuthTokenCredentials(
IN const void *pIfInstance,
IN const ConfigIf *pServiceConfigIf,
INOUT const char *pUserNameBuf,
INOUT int *pUserNameBufLen,
INOUT const char *pTokenBuf,
INOUT int *pTokenBufLen)
//
// Arguments:
// pIfInstance -
// Pointer to interface object.
//
// pServiceConfigIf -
// Pointer to service config object to which the client is trying to
// authenticate.
//
// pUserNameBuf -
// Pointer to buffer that will receive a string with the
// username that should used when authenticating to the
// service. The length of this buffer is specified by the
// pUserNameBufLen parameter. Note that the string
// returned will be NULL terminated.
//
// pUserNameBufLen -
// Pointer to integer that contains the length of the
// buffer pointed at by pUserNameBuf. Upon return of the
// function, the integer will contain the actual length
// of the username string (including the NULL terminator)
// if the function successfully completes or the buffer
// length required if the function fails because the buffer
// pointed at by either pUserNameBuf or pTokenBuf is not
// large enough.
//
// pTokenBuf -
// Pointer to buffer that will receive the authentication
// token. The length of this buffer is specified by the
// pTokenBufLen parameter. Note that the the authentication
// token will be in the form of a NULL terminated string.
//
// pTokenBufLen -
// Pointer to integer that contains the length of the
// buffer pointed at by pTokenBuf. Upon return of the
// function, the integer will contain the actual length
// of the authentication token if the function successfully
// completes or the buffer length required if the function
// fails because the buffer pointed at by either pUserNameBuf
// or pTokenBuf is not large enough.
//
// Returns:
// Casa Status
//
// Description:
// Get authentication token credentials to authenticate user to specified
// service.
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
OM_uint32 gssMajStat;
OM_uint32 gssMinStat;
char *pKrbServiceName;
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Start\n", 0);
// Validate input parameters
if (pIfInstance == NULL
|| pServiceConfigIf == NULL
|| pUserNameBufLen == NULL
|| (pUserNameBuf == NULL && *pUserNameBufLen != 0)
|| pTokenBufLen == NULL
|| (pTokenBuf == NULL && *pTokenBufLen != 0))
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Invalid input parameter\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INVALID_PARAMETER);
goto exit;
}
// Map service name to Krb Service Principal Name
pKrbServiceName = pServiceConfigIf->getEntryValue(pServiceConfigIf, "KerberosPrincipal");
if (pKrbServiceName)
{
gss_buffer_desc gssBuffer;
gss_name_t gssServiceName;
// Import the service principal name into something that
// GSS-API can understand based on its form.
gssBuffer.value = (void*) pKrbServiceName;
gssBuffer.length = strlen(pKrbServiceName) + 1;
if (strchr(pKrbServiceName, '@') != NULL)
{
// The name is of the form "servicename@hostname"
gssMajStat = gss_import_name(&gssMinStat,
&gssBuffer,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&gssServiceName);
}
else
{
// The name is of the form "servicename"
gssMajStat = gss_import_name(&gssMinStat,
&gssBuffer,
(gss_OID) GSS_C_NT_USER_NAME,
&gssServiceName);
}
// Proceed based on the result of the name import operation
if (gssMajStat == GSS_S_COMPLETE)
{
// Establish a context
gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT;
gss_buffer_desc gssSendToken = {0};
OM_uint32 gssRetFlags;
gssMajStat = gss_init_sec_context(&gssMinStat,
GSS_C_NO_CREDENTIAL,
&gssContext,
gssServiceName,
g_mechOid,
0, // Flags
0,
NULL, // no channel bindings
GSS_C_NO_BUFFER, // no token from peer
NULL, // ignore mech type
&gssSendToken,
&gssRetFlags,
NULL); // ignore time rec
// Proceed based on the result of the gss_init_sec_context operation
if (gssMajStat == GSS_S_COMPLETE
&& gssSendToken.length != 0)
{
// Now get the username
gss_name_t gssClient;
gssMajStat = gss_inquire_context(&gssMinStat,
gssContext,
&gssClient,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL);
if (gssMajStat == GSS_S_COMPLETE)
{
gss_buffer_desc gssDisplayName;
gss_OID gssNameType;
gssMajStat = gss_display_name(&gssMinStat, gssClient, &gssDisplayName, &gssNameType);
if (gssMajStat == GSS_S_COMPLETE)
{
char *pEncodedToken;
int encodedTokenLen;
// Base64 encode the token
retStatus = EncodeData(gssSendToken.value,
gssSendToken.length,
&pEncodedToken,
&encodedTokenLen);
if (CASA_SUCCESS(retStatus))
{
// Verify that the caller provided buffers that are big enough
if (gssDisplayName.length > *pUserNameBufLen
|| encodedTokenLen > *pTokenBufLen)
{
// At least one of the supplied buffers is not big enough
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Insufficient buffer space provided\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_BUFFER_OVERFLOW);
}
else
{
// The buffers provided are large enough, copy the data and return the actual sizes.
memcpy((void*) pUserNameBuf, gssDisplayName.value, gssDisplayName.length + 1);
memcpy((void*) pTokenBuf, pEncodedToken, encodedTokenLen +1);
// Success
retStatus = CASA_STATUS_SUCCESS;
}
// Return the actual sizes or the sizes required
*pUserNameBufLen = gssDisplayName.length + 1;
*pTokenBufLen = encodedTokenLen;
// Free the buffer containing the encoded token
free(pEncodedToken);
}
else
{
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Encoding failed\n", 0);
}
// Release the buffer associated with the client display name
gss_release_buffer(&gssMinStat, &gssDisplayName);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Error obtaining display name\n", 0);
LogGssStatuses("obtaining display name", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Error inquiring context\n", 0);
LogGssStatuses("inquiring context", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Error initing sec context\n", 0);
LogGssStatuses("initializing context", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
// Release send token buffer if necessary
if (gssSendToken.length != 0)
gss_release_buffer(&gssMinStat, &gssSendToken);
// Free context if necessary
if (gssContext != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&gssMinStat, &gssContext, GSS_C_NO_BUFFER);
// Release the buffer associated with the service name
gss_release_name(&gssMinStat, &gssServiceName);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- Error importing service name\n", 0);
LogGssStatuses("importing service name", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_OBJECT_NOT_FOUND);
}
// Free the krb service principal name
free(pKrbServiceName);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- No Kerberos principal name configured\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_CONFIGURATION_ERROR);
}
exit:
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_GetAuthTokenCredentials- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
//++=======================================================================
//++=======================================================================

218
auth_token/krb5_token/linux/interface.c Normal file
View File

@@ -0,0 +1,218 @@
/***********************************************************************
* File: interface.c
* Author: Juan Carlos Luciani (jluciani@novell.com)
*
* Abstract: Implements the AuthTokenIf for the module.
*
* Copyright (C) 2005 Novell, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free
* Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
//===[ Type definitions ]==================================================
//
// Authentication Token Interface instance data
//
typedef struct _AuthTokenIfInstance
{
int refCount;
AuthTokenIf authTokenIf;
} AuthTokenIfInstance, *PAuthTokenIfInstance;
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
// AuthTokenIf synchronization mutex and variables
static
pthread_mutex_t g_authTokenIfMutex = PTHREAD_MUTEX_INITIALIZER;
static
int g_numAuthTokenIfObjs = 0;
//++=======================================================================
int SSCS_CALL
Krb5AuthTokenIf_AddReference(
IN const void *pIfInstance)
//
// Arguments:
// pIfInstance -
// Pointer to interface object.
//
// Returns:
// Interface reference count.
//
// Description:
// Increases interface reference count.
//
// L2
//=======================================================================--
{
int refCount;
AuthTokenIfInstance *pAuthTokenIfInstance = CONTAINING_RECORD(pIfInstance, AuthTokenIfInstance, authTokenIf);
DbgTrace(2, "krb5_token -Krb5AuthTokenIf_AddReference- Start\n", 0);
// Increment the reference count on the object
pthread_mutex_lock(&g_authTokenIfMutex);
pAuthTokenIfInstance->refCount ++;
refCount = pAuthTokenIfInstance->refCount;
pthread_mutex_unlock(&g_authTokenIfMutex);
DbgTrace(2, "krb5_token -Krb5AuthTokenIf_AddReference- End, refCount = %08X\n", refCount);
return refCount;
}
//++=======================================================================
void SSCS_CALL
Krb5AuthTokenIf_ReleaseReference(
IN const void *pIfInstance)
//
// Arguments:
// pIfInstance -
// Pointer to interface object.
//
// Returns:
// Nothing.
//
// Description:
// Decreases interface reference count. The interface is deallocated if
// the reference count becomes zero.
//
// L2
//=======================================================================--
{
bool freeObj = false;
AuthTokenIfInstance *pAuthTokenIfInstance = CONTAINING_RECORD(pIfInstance, AuthTokenIfInstance, authTokenIf);
DbgTrace(2, "krb5_token -Krb5AuthTokenIf_ReleaseReference- Start\n", 0);
// Decrement the reference count on the object and determine if it needs to
// be released.
pthread_mutex_lock(&g_authTokenIfMutex);
pAuthTokenIfInstance->refCount --;
if (pAuthTokenIfInstance->refCount == 0)
{
// The object needs to be released, forget about it.
freeObj = true;
g_numAuthTokenIfObjs --;
}
pthread_mutex_unlock(&g_authTokenIfMutex);
// Free object if necessary
if (freeObj)
free(pAuthTokenIfInstance);
DbgTrace(2, "krb5_token -Krb5AuthTokenIf_ReleaseReference- End\n", 0);
}
//++=======================================================================
CasaStatus SSCS_CALL
GET_AUTH_TOKEN_INTERFACE_RTN(
IN const ConfigIf *pModuleConfigIf,
INOUT AuthTokenIf **ppAuthTokenIf)
//
// Arguments:
// pModuleConfigIf -
// Pointer to configuration interface instance for the module.
//
// ppAuthTokenIf -
// Pointer to variable that will receive pointer to AuthTokenIf
// instance.
//
// Returns:
// Casa Status
//
// Description:
// Gets authentication token interface instance.
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
AuthTokenIfInstance *pAuthTokenIfInstance;
DbgTrace(1, "krb5_token -GetAuthTokenInterface- Start\n", 0);
// Validate input parameters
if (pModuleConfigIf == NULL
|| ppAuthTokenIf == NULL)
{
DbgTrace(0, "krb5_token -GetAuthTokenInterface- Invalid input parameter\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INVALID_PARAMETER);
goto exit;
}
// Allocate space for the interface instance
pAuthTokenIfInstance = malloc(sizeof(*pAuthTokenIfInstance));
if (pAuthTokenIfInstance)
{
// Initialize the interface instance data
pAuthTokenIfInstance->refCount = 1;
pAuthTokenIfInstance->authTokenIf.addReference = Krb5AuthTokenIf_AddReference;
pAuthTokenIfInstance->authTokenIf.releaseReference = Krb5AuthTokenIf_ReleaseReference;
pAuthTokenIfInstance->authTokenIf.getAuthTokenCredentials = Krb5AuthTokenIf_GetAuthTokenCredentials;
pAuthTokenIfInstance->authTokenIf.validateAuthTokenCredentials = Krb5AuthTokenIf_ValidateAuthTokenCredentials;
// Keep track of this object
pthread_mutex_lock(&g_authTokenIfMutex);
g_numAuthTokenIfObjs ++;
pthread_mutex_unlock(&g_authTokenIfMutex);
// Return the interface to the caller
*ppAuthTokenIf = &pAuthTokenIfInstance->authTokenIf;
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -GetAuthTokenInterface- Buffer allocation failure\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
exit:
DbgTrace(1, "krb5_token -GetAuthTokenInterface- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
//++=======================================================================
//++=======================================================================

113
auth_token/krb5_token/linux/internal.h Normal file
View File

@@ -0,0 +1,113 @@
/***********************************************************************
* File: internal.h
* Author: Juan Carlos Luciani (jluciani@novell.com)
*
* Abstract: Defines or includes the definitions necessary for the
* module.
*
* Copyright (C) 2005 Novell, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free
* Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
***********************************************************************/
//===[ Include files ]=====================================================
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <syslog.h>
#include <pthread.h>
#include </usr/include/gssapi/gssapi.h>
#include </usr/include/gssapi/gssapi_krb5.h>
#include <micasa_types.h>
#include <casa_status.h>
#include <list_entry.h>
#include <auth_token_int.h>
//===[ Type definitions ]==================================================
#define CONTAINING_RECORD(address, type, field) ((type *)( \
(char*)(address) - \
(char*)(&((type *)0)->field)))
//
// DbgTrace macro define
//
#define DbgTrace(LEVEL, X, Y) { \
if (LEVEL == 0) \
printf(X, Y); \
else if (DebugLevel >= LEVEL) \
printf(X, Y); \
}
//===[ Inlines functions ]===============================================
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
//===[ Global externals ]==================================================
extern int DebugLevel;
extern gss_OID g_mechOid;
//===[ External prototypes ]===============================================
extern void
LogGssStatuses(
IN char *operation,
IN OM_uint32 majorGssStatus,
IN OM_uint32 minorGssStatus);
extern CasaStatus
EncodeData(
IN const void *pData,
IN const int32_t dataLen,
INOUT char **ppEncodedData,
INOUT int32_t *pEncodedDataLen);
extern CasaStatus
DecodeData(
IN const char *pEncodedData,
IN const int32_t encodedDataLen,
INOUT void **ppData,
INOUT int32_t *pDataLen);
extern CasaStatus CSAPI
Krb5AuthTokenIf_GetAuthTokenCredentials(
IN const void *pIfInstance,
IN const ConfigIf *pServiceConfigIf,
INOUT const char *pUserNameBuf,
INOUT int *pUserNameBufLen,
INOUT const char *pTokenBuf,
INOUT int *pTokenBufLen);
extern CasaStatus CSAPI
Krb5AuthTokenIf_ValidateAuthTokenCredentials(
IN const void *pIfInstance,
IN const ConfigIf *pServiceConfigIf,
IN const char *pUserName,
IN const int userNameLen,
IN const char *pTokenBuf,
IN const int tokenBufLen);
//=========================================================================

10
auth_token/krb5_token/linux/link.lux Normal file
View File

@@ -0,0 +1,10 @@
LINK = $(CC) \
-Wl,-Bsymbolic \
-shared \
-Wl,--version-script=$(TARGET)_$(PLAT).exp \
-Wl,-rpath -Wl,/usr/$(ARCH_LlB) \
-L/usr/$(ARCH_LIB) -lpthread -lc -lgssapi \
-Wl,-soname -Wl,$(TARGET).so \
-o $(LIBDIR)$(XTRA)/$(TARGET).so \
-L$(LIBDIR)$(XTRA) \
$(OBJDIR)*.$(O)

6
auth_token/krb5_token/linux/objs.lux Normal file
View File

@@ -0,0 +1,6 @@
OBJS=\
util.$(O) \
get.$(O) \
verify.$(O) \
interface.$(O)

383
auth_token/krb5_token/linux/util.c Normal file
View File

@@ -0,0 +1,383 @@
/***********************************************************************
* File: util.c
* Author: Juan Carlos Luciani (jluciani@novell.com)
*
* Abstract: Implements common utility functions for the library.
*
* Copyright (C) 2005 Novell, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free
* Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
#include <stdlib.h>
//===[ Type definitions ]==================================================
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
// Debug Level
int DebugLevel = 1;
// Mechanism OID
gss_OID g_mechOid = GSS_C_NULL_OID;
// Tables for Base64 encoding and decoding
static const int8_t g_Base64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const uint8_t g_Expand64[256] =
{
/* ASCII table */
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64,
64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64,
64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
};
/* ************************************************************************
* LogError()
*
* Log error to system log.
*
* ************************************************************************/
//static void
//LogError(char *pFormatStr, ... )
//{
// va_list args;
//
// openlog("CASA", LOG_CONS | LOG_NOWAIT | LOG_ODELAY, LOG_USER);
// va_start(args, pFormatStr);
// vsyslog(LOG_USER | LOG_INFO, pFormatStr, args);
// va_end(args);
// closelog();
//}
//++=======================================================================
void
LogGssStatuses(
IN char *operation,
IN OM_uint32 majorGssStatus,
IN OM_uint32 minorGssStatus)
//
// Arguments:
//
// Returns:
//
// Description:
//
// L2
//=======================================================================--
{
OM_uint32 gssMajStat;
OM_uint32 gssMinStat;
gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
OM_uint32 gssMsgCtx;
// Trace the messages associated with the major status
gssMsgCtx = 0;
while (1)
{
gssMajStat = gss_display_status(&gssMinStat,
majorGssStatus,
GSS_C_GSS_CODE,
g_mechOid,
&gssMsgCtx,
&msg);
if (gssMajStat != GSS_S_COMPLETE)
{
DbgTrace(0, "krb5_token -LogGssStatuses- Error obtaining display status\n", 0);
break;
}
// Trace this message
DbgTrace(0, "krb5_token -LogGssStatuses- GSS-API error %s: ", operation);
DbgTrace(0, "%s\n", (char *)msg.value);
if (msg.length != 0)
gss_release_buffer(&gssMinStat, &msg);
if (!gssMsgCtx)
break;
}
// Trace the messages associated with the minor status
gssMsgCtx = 0;
while (1)
{
gssMajStat = gss_display_status(&gssMinStat,
minorGssStatus,
GSS_C_MECH_CODE,
g_mechOid,
&gssMsgCtx,
&msg);
if (gssMajStat != GSS_S_COMPLETE)
{
DbgTrace(0, "krb5_token -LogGssStatuses- Error obtaining display status\n", 0);
break;
}
// Trace this message
DbgTrace(0, "krb5_token -LogGssStatuses- GSS-API error %s: ", operation);
DbgTrace(0, "%s\n", (char *)msg.value);
if (msg.length != 0)
gss_release_buffer(&gssMinStat, &msg);
if (!gssMsgCtx)
break;
}
}
//++=======================================================================
CasaStatus
EncodeData(
IN const void *pData,
IN const int32_t dataLen,
INOUT char **ppEncodedData,
INOUT int32_t *pEncodedDataLen)
//
// Arguments:
//
// Returns:
//
// Description:
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
int encodedSize;
char *pBuffer;
DbgTrace(3, "krb5_token -EncodeData- Start\n", 0);
// Determine the encoded size and allocate a buffer to hold the encoded data
encodedSize = ((dataLen * 4 + 2) / 3) - (dataLen % 3 ) + 4;
*ppEncodedData = malloc(encodedSize);
if (*ppEncodedData)
{
uint8_t *pOut, *pIn;
int i;
// Setup pointers to move through the buffers
pIn = (uint8_t*) pData;
pOut = (uint8_t*) *ppEncodedData;
// Perform the encoding
for (i = 0; i < dataLen - 2; i += 3)
{
*pOut++ = g_Base64[(pIn[i] >> 2) & 0x3F];
*pOut++ = g_Base64[((pIn[i] & 0x3) << 4) |
((int32_t)(pIn[i + 1] & 0xF0) >> 4)];
*pOut++ = g_Base64[((pIn[i + 1] & 0xF) << 2) |
((int32_t)(pIn[i + 2] & 0xC0) >> 6)];
*pOut++ = g_Base64[pIn[i + 2] & 0x3F];
}
if (i < dataLen)
{
*pOut++ = g_Base64[(pIn[i] >> 2) & 0x3F];
if (i == (dataLen - 1))
{
*pOut++ = g_Base64[((pIn[i] & 0x3) << 4)];
*pOut++ = '=';
}
else
{
*pOut++ = g_Base64[((pIn[i] & 0x3) << 4) |
((int32_t)(pIn[i + 1] & 0xF0) >> 4)];
*pOut++ = g_Base64[((pIn[i + 1] & 0xF) << 2)];
}
*pOut++ = '=';
}
*pOut++ = '\0';
// Return the encoded data length
*pEncodedDataLen = (int32_t)(pOut - (uint8_t*)*ppEncodedData);
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -EncodeData- Buffer allocation failure\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
DbgTrace(3, "krb5_token -EncodeData- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
CasaStatus
DecodeData(
IN const char *pEncodedData,
IN const int32_t encodedDataLen, // Does not include NULL terminator
INOUT void **ppData,
INOUT int32_t *pDataLen)
//
// Arguments:
//
// Returns:
//
// Description:
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
int i, j;
int decodedSize;
DbgTrace(3, "krb5_token -DecodeData- Start\n", 0);
// Determine the decoded size
for (i = 0, j = 0; i < encodedDataLen; i++)
if (g_Expand64[((uint8_t*) pEncodedData)[i]] < 64)
j++;
decodedSize = (j * 3 + 3) / 4;
// Allocate buffer to hold the decoded data
*ppData = malloc(decodedSize);
if (*ppData)
{
bool endReached = false;
uint8_t c0, c1, c2, c3;
uint8_t *p, *q;
// Initialize parameters that will be used during the decode operation
c0 = c1 = c2 = c3 = 0;
p = (uint8_t*) pEncodedData;
q = (uint8_t*) *ppData;
// Decode the data
//
// Loop through the data, piecing back information. Any newlines, and/or
// carriage returns need to be skipped.
while (j > 4)
{
while ((64 == g_Expand64[*p]) && (('\n' == *p) || ('\r' == *p)))
p++;
if (64 == g_Expand64[*p])
{
endReached = true;
break;
}
c0 = *(p++);
while ((64 == g_Expand64[*p]) && (('\n' == *p) || ('\r' == *p)))
p++;
if (64 == g_Expand64[*p])
{
*(q++) = (uint8_t)(g_Expand64[c0] << 2);
j--;
endReached = true;
break;
}
c1 = *(p++);
while ((64 == g_Expand64[*p]) && (('\n' == *p) || ('\r' == *p)))
p++;
if (64 == g_Expand64[*p])
{
*(q++) = (uint8_t)(g_Expand64[c0] << 2 | g_Expand64[c1] >> 4);
*(q++) = (uint8_t)(g_Expand64[c1] << 4);
j -= 2;
endReached = true;
break;
}
c2 = *(p++);
while ((64 == g_Expand64[*p]) && (('\n' == *p) || ('\r' == *p)))
p++;
if (64 == g_Expand64[*p])
{
*(q++) = (uint8_t)(g_Expand64[c0] << 2 | g_Expand64[c1] >> 4);
*(q++) = (uint8_t)(g_Expand64[c1] << 4 | g_Expand64[c2] >> 2);
*(q++) = (uint8_t)(g_Expand64[c2] << 6);
j -= 3;
endReached = true;
break;
}
c3 = *(p++);
*(q++) = (uint8_t)(g_Expand64[c0] << 2 | g_Expand64[c1] >> 4);
*(q++) = (uint8_t)(g_Expand64[c1] << 4 | g_Expand64[c2] >> 2);
*(q++) = (uint8_t)(g_Expand64[c2] << 6 | g_Expand64[c3]);
j -= 4;
}
if (!endReached)
{
if (j > 1)
*(q++) = (uint8_t)(g_Expand64[*p] << 2 | g_Expand64[p[1]] >> 4);
if (j > 2)
*(q++) = (uint8_t)(g_Expand64[p[1]] << 4 | g_Expand64[p[2]] >> 2);
if (j > 3)
*(q++) = (uint8_t)(g_Expand64[p[2]] << 6 | g_Expand64[p[3]]);
}
// Return the length of the decoded data
*pDataLen = (int32_t)(q - (uint8_t*)*ppData);
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -DecodeData- Buffer allocation failure\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
DbgTrace(3, "krb5_token -DecodeData- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
//++=======================================================================
//++=======================================================================

510
auth_token/krb5_token/linux/verify.c Normal file
View File

@@ -0,0 +1,510 @@
/***********************************************************************
* File: verify.c
* Author: Juan Carlos Luciani (jluciani@novell.com)
*
* Abstract: Implements the VerifyAuthTokenCredentials functionality
* for the Kerberos system over GSS-API.
*
* Copyright (C) 2005 Novell, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free
* Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
//===[ Type definitions ]==================================================
typedef struct _CacheCred
{
LIST_ENTRY listEntry;
char *pName;
int32_t nameLen;
int32_t refCount;
gss_cred_id_t gssCred;
} CacheCred;
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
// Server Credential List and syncronizing mutex
static
LIST_ENTRY g_serverCredListHead = {&g_serverCredListHead, &g_serverCredListHead};
static
pthread_mutex_t g_serverCredMutex = PTHREAD_MUTEX_INITIALIZER;
//++=======================================================================
static
CasaStatus
GetServiceCredentials(
IN const ConfigIf *pServiceConfigIf,
INOUT gss_cred_id_t **ppServerCreds)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
gss_OID_set_desc mechOidSet;
gss_OID_set desiredMechs;
gss_name_t gssServiceName;
OM_uint32 gssMajStat;
OM_uint32 gssMinStat;
gss_buffer_desc gssBuffer;
char *pKrbServiceName;
DbgTrace(2, "krb5_token -GetServiceCredentials- Start\n", 0);
// Obtain the Krb Service Principal Name configured for the service
pKrbServiceName = pServiceConfigIf->getEntryValue(pServiceConfigIf, "KerberosPrincipal");
if (pKrbServiceName)
{
LIST_ENTRY *pListEntry;
CacheCred *pCacheCred = NULL;
int32_t krbServiceNameLen = strlen(pKrbServiceName);
// Gain exclusive access to our server credential cache
pthread_mutex_lock(&g_serverCredMutex);
// Look if we already have the credentials in our cash
pListEntry = g_serverCredListHead.Flink;
while (pListEntry != &g_serverCredListHead)
{
// Get pointer to the current entry
pCacheCred = CONTAINING_RECORD(pListEntry, CacheCred, listEntry);
// Check if this is the credential that we need
if (pCacheCred->nameLen == krbServiceNameLen
&& memcmp(pKrbServiceName, pCacheCred->pName, krbServiceNameLen) == 0)
{
// This is the credential that we need, stop looking.
break;
}
else
{
// This is not the credential that we are looking for
pCacheCred = NULL;
}
// Advance to the next entry
pListEntry = pListEntry->Flink;
}
// Proceed based on whether or not a credential was found
if (pCacheCred)
{
// Credential found in the cache, increment its reference count
// and return it to the caller.
pCacheCred->refCount ++;
*ppServerCreds = &pCacheCred->gssCred;
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
// Needed credential not found in the cache, create a cache entry.
pCacheCred = malloc(sizeof(*pCacheCred));
if (pCacheCred)
{
// Initialize the refCount on the entry
pCacheCred->refCount = 0;
// Allocate buffer to contain the service name within the cache entry
pCacheCred->pName = malloc(krbServiceNameLen + 1);
if (pCacheCred->pName)
{
// Save the service name within the entry
strcpy(pCacheCred->pName, pKrbServiceName);
pCacheCred->nameLen = krbServiceNameLen;
// Determine the desired mechanism
if (g_mechOid != GSS_C_NULL_OID)
{
desiredMechs = &mechOidSet;
mechOidSet.count = 1;
mechOidSet.elements = g_mechOid;
}
else
{
desiredMechs = GSS_C_NULL_OID_SET;
}
// Import the service name into something that GSS-API can understand
// based on its format.
gssBuffer.value = pKrbServiceName;
gssBuffer.length = krbServiceNameLen + 1;
if (strchr(pKrbServiceName, '@') != NULL)
{
// The name is of the form "servicename@hostname"
gssMajStat = gss_import_name(&gssMinStat,
&gssBuffer,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&gssServiceName);
}
else
{
// The name is of the form "servicename"
gssMajStat = gss_import_name(&gssMinStat,
&gssBuffer,
(gss_OID) GSS_C_NT_USER_NAME,
&gssServiceName);
}
if (gssMajStat == GSS_S_COMPLETE)
{
// Now attempt to acquire the credentials
gssMajStat = gss_acquire_cred(&gssMinStat,
gssServiceName,
0,
desiredMechs,
GSS_C_ACCEPT,
&pCacheCred->gssCred,
NULL,
NULL);
if (gssMajStat == GSS_S_COMPLETE)
{
// Success
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Error acquiring service credential\n", 0);
LogGssStatuses("acquiring credential", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_CONFIGURATION_ERROR);
}
// Release the imported name
gss_release_name(&gssMinStat, &gssServiceName);
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Error importing service name\n", 0);
LogGssStatuses("importing service name", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_OBJECT_NOT_FOUND);
}
// Check if we were successful at obtaining the credentials
if (CASA_SUCCESS(retStatus))
{
// Insert the entry in the cache, increment its reference count,
// and return it to the caller.
InsertTailList(&g_serverCredListHead, &pCacheCred->listEntry);
pCacheCred->refCount ++;
*ppServerCreds = &pCacheCred->gssCred;
}
else
{
// Failed, free the allocated buffers
free(pCacheCred->pName);
free(pCacheCred);
}
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0);
// Free buffer allocated for cache entry
free(pCacheCred);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
}
// Release exclusive access to our server credential cache
pthread_mutex_unlock(&g_serverCredMutex);
// Free the krb service principal name
free(pKrbServiceName);
}
else
{
DbgTrace(0, "krb5_token -GetServiceCredentials- No Kerberos principal name configured\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_CONFIGURATION_ERROR);
}
DbgTrace(2, "krb5_token -GetServiceCredentials- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
static
void
ReleaseServiceCredentials(
IN gss_cred_id_t *pServerCreds)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L2
//=======================================================================--
{
CacheCred *pCacheCred = CONTAINING_RECORD(pServerCreds, CacheCred, gssCred);
DbgTrace(2, "krb5_token -ReleaseServiceCredentials- Start\n", 0);
// Gain exclusive access to our server credential cache
pthread_mutex_lock(&g_serverCredMutex);
// Decrement the reference count on the entry
pCacheCred->refCount --;
// Release exclusive access to our server credential cache
pthread_mutex_unlock(&g_serverCredMutex);
DbgTrace(2, "krb5_token -ReleaseServiceCredentials- End\n", 0);
}
//++=======================================================================
CasaStatus SSCS_CALL
Krb5AuthTokenIf_ValidateAuthTokenCredentials(
IN const void *pIfInstance,
IN const ConfigIf *pServiceConfigIf,
IN const char *pUserName,
IN const int userNameLen,
IN const char *pTokenBuf,
IN const int tokenBufLen)
//
// Arguments:
// pIfInstance -
// Pointer to interface object.
//
// pServiceConfigIf -
// Pointer to service config object to which the client is trying to
// authenticate.
//
// pUserName -
// Pointer to string with the username that is being
// authenticated to the service. The length of the name
// is specified by the pUserNameLen parameter. Note that
// the string does not need to be NULL terminated.
//
// userNameLen -
// Length of the user name contained within the buffer
// pointed at by pUserNameBuf (Does not include the NULL
// terminator). If this parameter is set to -1 then the
// function assumes that the username string is NULL
// terminated.
//
// pTokenBuf -
// Pointer to buffer that will receive the authentication
// token. The length of this buffer is specified by the
// pTokenBufLen parameter. Note that the the authentication
// token will be in the form of a NULL terminated string.
//
// tokenBufLen -
// Length of the data contained within the buffer pointed
// at by pTokenBuf. (Does not include the NULL
// terminator). If this parameter is set to -1 then the
// function assumes that the username string is NULL
// terminated.
//
// Returns:
// Casa status.
//
// Description:
// Validates authentication token credentials.
//
// L2
//=======================================================================--
{
CasaStatus retStatus;
gss_cred_id_t *pServerCreds;
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Start\n", 0);
// Validate input parameters
if (pIfInstance == NULL
|| pServiceConfigIf == NULL
|| pUserName == NULL
|| userNameLen == 0
|| pTokenBuf == NULL
|| tokenBufLen == 0)
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Invalid input parameter\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INVALID_PARAMETER);
goto exit;
}
// Get server credentials
retStatus = GetServiceCredentials(pServiceConfigIf, &pServerCreds);
if (CASA_SUCCESS(retStatus))
{
gss_buffer_desc gssRecvToken;
// Server credentials obtained, now decode the incoming token.
retStatus = DecodeData(pTokenBuf,
/*pTokenBuf[tokenBufLen] == '\0' ? tokenBufLen - 1 : tokenBufLen,*/ tokenBufLen + 1,
&gssRecvToken.value,
(int32_t*) &gssRecvToken.length);
if (CASA_SUCCESS(retStatus))
{
OM_uint32 gssMajStat;
OM_uint32 gssMinStat;
gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT;
gss_buffer_desc gssSendToken = {0};
OM_uint32 gssRetFlags;
gss_name_t gssClient;
gss_OID gssDoid;
// Process token received from client
gssMajStat = gss_accept_sec_context(&gssMinStat,
&gssContext,
*pServerCreds,
&gssRecvToken,
GSS_C_NO_CHANNEL_BINDINGS,
&gssClient,
&gssDoid,
&gssSendToken,
&gssRetFlags,
NULL,
NULL);
if (gssMajStat == GSS_S_COMPLETE)
{
gss_buffer_desc gssDisplayName;
gss_OID gssNameType;
gssMajStat = gss_display_name(&gssMinStat, gssClient, &gssDisplayName, &gssNameType);
if (gssMajStat == GSS_S_COMPLETE)
{
int actualUserNameLen;
// Determine the name of the user name provided by the caller
if (userNameLen == -1)
actualUserNameLen = strlen(pUserName);
else
actualUserNameLen = userNameLen;
// Verify that the user names match
if (actualUserNameLen == gssDisplayName.length
&& strncmp(pUserName, gssDisplayName.value, actualUserNameLen) == 0)
{
// The names match, credentials validated.
retStatus = CASA_STATUS_SUCCESS;
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- The user names do not match\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_AUTHENTICATION_FAILURE);
}
// Free the client display name
gss_release_buffer(&gssMinStat, &gssDisplayName);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Error obtaining display name\n", 0);
LogGssStatuses("obtaining display name", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
}
else
{
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- gss_accept_sec_context error\n", 0);
LogGssStatuses("accepting sec context", gssMajStat, gssMinStat);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_AUTHENTICATION_FAILURE);
}
// Free send token if necessary
if (gssSendToken.length != 0)
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Un-expected send token returned by gss_accept_sec_context\n", 0);
gss_release_buffer(&gssMinStat, &gssSendToken);
}
// Free context if necessary
if (gssContext != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&gssMinStat, &gssContext, GSS_C_NO_BUFFER);
// Free the buffer associated with the token
free(gssRecvToken.value);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Token decode failure\n", 0);
}
ReleaseServiceCredentials(pServerCreds);
}
else
{
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Failed to get the server credentials\n", 0);
}
exit:
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++=======================================================================
//++=======================================================================
//++=======================================================================