/*********************************************************************** * File: verify.c * Author: Juan Carlos Luciani (jluciani@novell.com) * * Abstract: Implements the VerifyAuthTokenCredentials functionality * for the Kerberos system over GSS-API. * * Copyright (C) 2005 Novell, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; version 2.1 * of the License. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Library General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free * Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * To contact Novell about this file by physical or electronic mail, * you may find current contact information at www.novell.com. ***********************************************************************/ //===[ Include files ]===================================================== #include "internal.h" //===[ Type definitions ]================================================== typedef struct _CacheCred { LIST_ENTRY listEntry; char *pName; int32_t nameLen; int32_t refCount; gss_cred_id_t gssCred; } CacheCred; //===[ Function prototypes ]=============================================== //===[ Global variables ]================================================== // Server Credential List and syncronizing mutex static LIST_ENTRY g_serverCredListHead = {&g_serverCredListHead, &g_serverCredListHead}; static pthread_mutex_t g_serverCredMutex = PTHREAD_MUTEX_INITIALIZER; //++======================================================================= static CasaStatus GetServiceCredentials( IN const ConfigIf *pServiceConfigIf, INOUT gss_cred_id_t **ppServerCreds) // // Arguments: // // Returns: // // Abstract: // // Notes: // // L2 //=======================================================================-- { CasaStatus retStatus; gss_OID_set_desc mechOidSet; gss_OID_set desiredMechs; gss_name_t gssServiceName; OM_uint32 gssMajStat; OM_uint32 gssMinStat; gss_buffer_desc gssBuffer; char *pKrbServiceName; DbgTrace(2, "krb5_token -GetServiceCredentials- Start\n", 0); // Obtain the Krb Service Principal Name configured for the service pKrbServiceName = pServiceConfigIf->getEntryValue(pServiceConfigIf, "KerberosPrincipal"); if (pKrbServiceName) { LIST_ENTRY *pListEntry; CacheCred *pCacheCred = NULL; int32_t krbServiceNameLen = strlen(pKrbServiceName); // Gain exclusive access to our server credential cache pthread_mutex_lock(&g_serverCredMutex); // Look if we already have the credentials in our cash pListEntry = g_serverCredListHead.Flink; while (pListEntry != &g_serverCredListHead) { // Get pointer to the current entry pCacheCred = CONTAINING_RECORD(pListEntry, CacheCred, listEntry); // Check if this is the credential that we need if (pCacheCred->nameLen == krbServiceNameLen && memcmp(pKrbServiceName, pCacheCred->pName, krbServiceNameLen) == 0) { // This is the credential that we need, stop looking. break; } else { // This is not the credential that we are looking for pCacheCred = NULL; } // Advance to the next entry pListEntry = pListEntry->Flink; } // Proceed based on whether or not a credential was found if (pCacheCred) { // Credential found in the cache, increment its reference count // and return it to the caller. pCacheCred->refCount ++; *ppServerCreds = &pCacheCred->gssCred; // Success retStatus = CASA_STATUS_SUCCESS; } else { // Needed credential not found in the cache, create a cache entry. pCacheCred = malloc(sizeof(*pCacheCred)); if (pCacheCred) { // Initialize the refCount on the entry pCacheCred->refCount = 0; // Allocate buffer to contain the service name within the cache entry pCacheCred->pName = malloc(krbServiceNameLen + 1); if (pCacheCred->pName) { // Save the service name within the entry strcpy(pCacheCred->pName, pKrbServiceName); pCacheCred->nameLen = krbServiceNameLen; // Determine the desired mechanism if (g_mechOid != GSS_C_NULL_OID) { desiredMechs = &mechOidSet; mechOidSet.count = 1; mechOidSet.elements = g_mechOid; } else { desiredMechs = GSS_C_NULL_OID_SET; } // Import the service name into something that GSS-API can understand // based on its format. gssBuffer.value = pKrbServiceName; gssBuffer.length = krbServiceNameLen + 1; if (strchr(pKrbServiceName, '@') != NULL) { // The name is of the form "servicename@hostname" gssMajStat = gss_import_name(&gssMinStat, &gssBuffer, (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &gssServiceName); } else { // The name is of the form "servicename" gssMajStat = gss_import_name(&gssMinStat, &gssBuffer, (gss_OID) GSS_C_NT_USER_NAME, &gssServiceName); } if (gssMajStat == GSS_S_COMPLETE) { // Now attempt to acquire the credentials gssMajStat = gss_acquire_cred(&gssMinStat, gssServiceName, 0, desiredMechs, GSS_C_ACCEPT, &pCacheCred->gssCred, NULL, NULL); if (gssMajStat == GSS_S_COMPLETE) { // Success retStatus = CASA_STATUS_SUCCESS; } else { DbgTrace(0, "krb5_token -GetServiceCredentials- Error acquiring service credential\n", 0); LogGssStatuses("acquiring credential", gssMajStat, gssMinStat); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_CONFIGURATION_ERROR); } // Release the imported name gss_release_name(&gssMinStat, &gssServiceName); } else { DbgTrace(0, "krb5_token -GetServiceCredentials- Error importing service name\n", 0); LogGssStatuses("importing service name", gssMajStat, gssMinStat); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_OBJECT_NOT_FOUND); } // Check if we were successful at obtaining the credentials if (CASA_SUCCESS(retStatus)) { // Insert the entry in the cache, increment its reference count, // and return it to the caller. InsertTailList(&g_serverCredListHead, &pCacheCred->listEntry); pCacheCred->refCount ++; *ppServerCreds = &pCacheCred->gssCred; } else { // Failed, free the allocated buffers free(pCacheCred->pName); free(pCacheCred); } } else { DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0); // Free buffer allocated for cache entry free(pCacheCred); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_INSUFFICIENT_RESOURCES); } } else { DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_INSUFFICIENT_RESOURCES); } } // Release exclusive access to our server credential cache pthread_mutex_unlock(&g_serverCredMutex); // Free the krb service principal name free(pKrbServiceName); } else { DbgTrace(0, "krb5_token -GetServiceCredentials- No Kerberos principal name configured\n", 0); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_CONFIGURATION_ERROR); } DbgTrace(2, "krb5_token -GetServiceCredentials- End, retStatus = %08X\n", retStatus); return retStatus; } //++======================================================================= static void ReleaseServiceCredentials( IN gss_cred_id_t *pServerCreds) // // Arguments: // // Returns: // // Abstract: // // Notes: // // L2 //=======================================================================-- { CacheCred *pCacheCred = CONTAINING_RECORD(pServerCreds, CacheCred, gssCred); DbgTrace(2, "krb5_token -ReleaseServiceCredentials- Start\n", 0); // Gain exclusive access to our server credential cache pthread_mutex_lock(&g_serverCredMutex); // Decrement the reference count on the entry pCacheCred->refCount --; // Release exclusive access to our server credential cache pthread_mutex_unlock(&g_serverCredMutex); DbgTrace(2, "krb5_token -ReleaseServiceCredentials- End\n", 0); } //++======================================================================= CasaStatus SSCS_CALL Krb5AuthTokenIf_ValidateAuthTokenCredentials( IN const void *pIfInstance, IN const ConfigIf *pServiceConfigIf, IN const char *pUserName, IN const int userNameLen, IN const char *pTokenBuf, IN const int tokenBufLen) // // Arguments: // pIfInstance - // Pointer to interface object. // // pServiceConfigIf - // Pointer to service config object to which the client is trying to // authenticate. // // pUserName - // Pointer to string with the username that is being // authenticated to the service. The length of the name // is specified by the pUserNameLen parameter. Note that // the string does not need to be NULL terminated. // // userNameLen - // Length of the user name contained within the buffer // pointed at by pUserNameBuf (Does not include the NULL // terminator). If this parameter is set to -1 then the // function assumes that the username string is NULL // terminated. // // pTokenBuf - // Pointer to buffer that will receive the authentication // token. The length of this buffer is specified by the // pTokenBufLen parameter. Note that the the authentication // token will be in the form of a NULL terminated string. // // tokenBufLen - // Length of the data contained within the buffer pointed // at by pTokenBuf. (Does not include the NULL // terminator). If this parameter is set to -1 then the // function assumes that the username string is NULL // terminated. // // Returns: // Casa status. // // Description: // Validates authentication token credentials. // // L2 //=======================================================================-- { CasaStatus retStatus; gss_cred_id_t *pServerCreds; DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Start\n", 0); // Validate input parameters if (pIfInstance == NULL || pServiceConfigIf == NULL || pUserName == NULL || userNameLen == 0 || pTokenBuf == NULL || tokenBufLen == 0) { DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Invalid input parameter\n", 0); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_INVALID_PARAMETER); goto exit; } // Get server credentials retStatus = GetServiceCredentials(pServiceConfigIf, &pServerCreds); if (CASA_SUCCESS(retStatus)) { gss_buffer_desc gssRecvToken; // Server credentials obtained, now decode the incoming token. retStatus = DecodeData(pTokenBuf, /*pTokenBuf[tokenBufLen] == '\0' ? tokenBufLen - 1 : tokenBufLen,*/ tokenBufLen + 1, &gssRecvToken.value, (int32_t*) &gssRecvToken.length); if (CASA_SUCCESS(retStatus)) { OM_uint32 gssMajStat; OM_uint32 gssMinStat; gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT; gss_buffer_desc gssSendToken = {0}; OM_uint32 gssRetFlags; gss_name_t gssClient; gss_OID gssDoid; // Process token received from client gssMajStat = gss_accept_sec_context(&gssMinStat, &gssContext, *pServerCreds, &gssRecvToken, GSS_C_NO_CHANNEL_BINDINGS, &gssClient, &gssDoid, &gssSendToken, &gssRetFlags, NULL, NULL); if (gssMajStat == GSS_S_COMPLETE) { gss_buffer_desc gssDisplayName; gss_OID gssNameType; gssMajStat = gss_display_name(&gssMinStat, gssClient, &gssDisplayName, &gssNameType); if (gssMajStat == GSS_S_COMPLETE) { int actualUserNameLen; // Determine the name of the user name provided by the caller if (userNameLen == -1) actualUserNameLen = strlen(pUserName); else actualUserNameLen = userNameLen; // Verify that the user names match if (actualUserNameLen == gssDisplayName.length && strncmp(pUserName, gssDisplayName.value, actualUserNameLen) == 0) { // The names match, credentials validated. retStatus = CASA_STATUS_SUCCESS; } else { DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- The user names do not match\n", 0); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_AUTHENTICATION_FAILURE); } // Free the client display name gss_release_buffer(&gssMinStat, &gssDisplayName); } else { DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Error obtaining display name\n", 0); LogGssStatuses("obtaining display name", gssMajStat, gssMinStat); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_UNSUCCESSFUL); } } else { DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- gss_accept_sec_context error\n", 0); LogGssStatuses("accepting sec context", gssMajStat, gssMinStat); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_AUTHENTICATION_FAILURE); } // Free send token if necessary if (gssSendToken.length != 0) { DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Un-expected send token returned by gss_accept_sec_context\n", 0); gss_release_buffer(&gssMinStat, &gssSendToken); } // Free context if necessary if (gssContext != GSS_C_NO_CONTEXT) gss_delete_sec_context(&gssMinStat, &gssContext, GSS_C_NO_BUFFER); // Free the buffer associated with the token free(gssRecvToken.value); } else { DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Token decode failure\n", 0); } ReleaseServiceCredentials(pServerCreds); } else { DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Failed to get the server credentials\n", 0); } exit: DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- End, retStatus = %08X\n", retStatus); return retStatus; } //++======================================================================= //++======================================================================= //++=======================================================================