511 lines
18 KiB
C
511 lines
18 KiB
C
/***********************************************************************
|
|
* File: verify.c
|
|
* Author: Juan Carlos Luciani (jluciani@novell.com)
|
|
*
|
|
* Abstract: Implements the VerifyAuthTokenCredentials functionality
|
|
* for the Kerberos system over GSS-API.
|
|
*
|
|
* Copyright (C) 2005 Novell, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; version 2.1
|
|
* of the License.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Library General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free
|
|
* Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*
|
|
* To contact Novell about this file by physical or electronic mail,
|
|
* you may find current contact information at www.novell.com.
|
|
***********************************************************************/
|
|
|
|
//===[ Include files ]=====================================================
|
|
|
|
#include "internal.h"
|
|
|
|
//===[ Type definitions ]==================================================
|
|
|
|
typedef struct _CacheCred
|
|
{
|
|
LIST_ENTRY listEntry;
|
|
char *pName;
|
|
int32_t nameLen;
|
|
int32_t refCount;
|
|
gss_cred_id_t gssCred;
|
|
|
|
} CacheCred;
|
|
|
|
//===[ Function prototypes ]===============================================
|
|
|
|
//===[ Global variables ]==================================================
|
|
|
|
// Server Credential List and syncronizing mutex
|
|
static
|
|
LIST_ENTRY g_serverCredListHead = {&g_serverCredListHead, &g_serverCredListHead};
|
|
|
|
static
|
|
pthread_mutex_t g_serverCredMutex = PTHREAD_MUTEX_INITIALIZER;
|
|
|
|
|
|
//++=======================================================================
|
|
static
|
|
CasaStatus
|
|
GetServiceCredentials(
|
|
IN const ConfigIf *pServiceConfigIf,
|
|
INOUT gss_cred_id_t **ppServerCreds)
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Abstract:
|
|
//
|
|
// Notes:
|
|
//
|
|
// L2
|
|
//=======================================================================--
|
|
{
|
|
CasaStatus retStatus;
|
|
gss_OID_set_desc mechOidSet;
|
|
gss_OID_set desiredMechs;
|
|
gss_name_t gssServiceName;
|
|
OM_uint32 gssMajStat;
|
|
OM_uint32 gssMinStat;
|
|
gss_buffer_desc gssBuffer;
|
|
char *pKrbServiceName;
|
|
|
|
|
|
DbgTrace(2, "krb5_token -GetServiceCredentials- Start\n", 0);
|
|
|
|
// Obtain the Krb Service Principal Name configured for the service
|
|
pKrbServiceName = pServiceConfigIf->getEntryValue(pServiceConfigIf, "KerberosPrincipal");
|
|
if (pKrbServiceName)
|
|
{
|
|
LIST_ENTRY *pListEntry;
|
|
CacheCred *pCacheCred = NULL;
|
|
int32_t krbServiceNameLen = strlen(pKrbServiceName);
|
|
|
|
// Gain exclusive access to our server credential cache
|
|
pthread_mutex_lock(&g_serverCredMutex);
|
|
|
|
// Look if we already have the credentials in our cash
|
|
pListEntry = g_serverCredListHead.Flink;
|
|
while (pListEntry != &g_serverCredListHead)
|
|
{
|
|
// Get pointer to the current entry
|
|
pCacheCred = CONTAINING_RECORD(pListEntry, CacheCred, listEntry);
|
|
|
|
// Check if this is the credential that we need
|
|
if (pCacheCred->nameLen == krbServiceNameLen
|
|
&& memcmp(pKrbServiceName, pCacheCred->pName, krbServiceNameLen) == 0)
|
|
{
|
|
// This is the credential that we need, stop looking.
|
|
break;
|
|
}
|
|
else
|
|
{
|
|
// This is not the credential that we are looking for
|
|
pCacheCred = NULL;
|
|
}
|
|
|
|
// Advance to the next entry
|
|
pListEntry = pListEntry->Flink;
|
|
}
|
|
|
|
// Proceed based on whether or not a credential was found
|
|
if (pCacheCred)
|
|
{
|
|
// Credential found in the cache, increment its reference count
|
|
// and return it to the caller.
|
|
pCacheCred->refCount ++;
|
|
*ppServerCreds = &pCacheCred->gssCred;
|
|
|
|
// Success
|
|
retStatus = CASA_STATUS_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
// Needed credential not found in the cache, create a cache entry.
|
|
pCacheCred = malloc(sizeof(*pCacheCred));
|
|
if (pCacheCred)
|
|
{
|
|
// Initialize the refCount on the entry
|
|
pCacheCred->refCount = 0;
|
|
|
|
// Allocate buffer to contain the service name within the cache entry
|
|
pCacheCred->pName = malloc(krbServiceNameLen + 1);
|
|
if (pCacheCred->pName)
|
|
{
|
|
// Save the service name within the entry
|
|
strcpy(pCacheCred->pName, pKrbServiceName);
|
|
pCacheCred->nameLen = krbServiceNameLen;
|
|
|
|
// Determine the desired mechanism
|
|
if (g_mechOid != GSS_C_NULL_OID)
|
|
{
|
|
desiredMechs = &mechOidSet;
|
|
mechOidSet.count = 1;
|
|
mechOidSet.elements = g_mechOid;
|
|
}
|
|
else
|
|
{
|
|
desiredMechs = GSS_C_NULL_OID_SET;
|
|
}
|
|
|
|
// Import the service name into something that GSS-API can understand
|
|
// based on its format.
|
|
gssBuffer.value = pKrbServiceName;
|
|
gssBuffer.length = krbServiceNameLen + 1;
|
|
if (strchr(pKrbServiceName, '@') != NULL)
|
|
{
|
|
// The name is of the form "servicename@hostname"
|
|
gssMajStat = gss_import_name(&gssMinStat,
|
|
&gssBuffer,
|
|
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
|
|
&gssServiceName);
|
|
}
|
|
else
|
|
{
|
|
// The name is of the form "servicename"
|
|
gssMajStat = gss_import_name(&gssMinStat,
|
|
&gssBuffer,
|
|
(gss_OID) GSS_C_NT_USER_NAME,
|
|
&gssServiceName);
|
|
}
|
|
if (gssMajStat == GSS_S_COMPLETE)
|
|
{
|
|
// Now attempt to acquire the credentials
|
|
gssMajStat = gss_acquire_cred(&gssMinStat,
|
|
gssServiceName,
|
|
0,
|
|
desiredMechs,
|
|
GSS_C_ACCEPT,
|
|
&pCacheCred->gssCred,
|
|
NULL,
|
|
NULL);
|
|
if (gssMajStat == GSS_S_COMPLETE)
|
|
{
|
|
// Success
|
|
retStatus = CASA_STATUS_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -GetServiceCredentials- Error acquiring service credential\n", 0);
|
|
LogGssStatuses("acquiring credential", gssMajStat, gssMinStat);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_CONFIGURATION_ERROR);
|
|
}
|
|
|
|
// Release the imported name
|
|
gss_release_name(&gssMinStat, &gssServiceName);
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -GetServiceCredentials- Error importing service name\n", 0);
|
|
LogGssStatuses("importing service name", gssMajStat, gssMinStat);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_OBJECT_NOT_FOUND);
|
|
}
|
|
|
|
// Check if we were successful at obtaining the credentials
|
|
if (CASA_SUCCESS(retStatus))
|
|
{
|
|
// Insert the entry in the cache, increment its reference count,
|
|
// and return it to the caller.
|
|
InsertTailList(&g_serverCredListHead, &pCacheCred->listEntry);
|
|
pCacheCred->refCount ++;
|
|
*ppServerCreds = &pCacheCred->gssCred;
|
|
}
|
|
else
|
|
{
|
|
// Failed, free the allocated buffers
|
|
free(pCacheCred->pName);
|
|
free(pCacheCred);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0);
|
|
|
|
// Free buffer allocated for cache entry
|
|
free(pCacheCred);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_INSUFFICIENT_RESOURCES);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -GetServiceCredentials- Unable to allocate buffer\n", 0);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_INSUFFICIENT_RESOURCES);
|
|
}
|
|
}
|
|
|
|
// Release exclusive access to our server credential cache
|
|
pthread_mutex_unlock(&g_serverCredMutex);
|
|
|
|
// Free the krb service principal name
|
|
free(pKrbServiceName);
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -GetServiceCredentials- No Kerberos principal name configured\n", 0);
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_CONFIGURATION_ERROR);
|
|
}
|
|
|
|
DbgTrace(2, "krb5_token -GetServiceCredentials- End, retStatus = %08X\n", retStatus);
|
|
|
|
return retStatus;
|
|
}
|
|
|
|
|
|
//++=======================================================================
|
|
static
|
|
void
|
|
ReleaseServiceCredentials(
|
|
IN gss_cred_id_t *pServerCreds)
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Abstract:
|
|
//
|
|
// Notes:
|
|
//
|
|
// L2
|
|
//=======================================================================--
|
|
{
|
|
CacheCred *pCacheCred = CONTAINING_RECORD(pServerCreds, CacheCred, gssCred);
|
|
|
|
DbgTrace(2, "krb5_token -ReleaseServiceCredentials- Start\n", 0);
|
|
|
|
// Gain exclusive access to our server credential cache
|
|
pthread_mutex_lock(&g_serverCredMutex);
|
|
|
|
// Decrement the reference count on the entry
|
|
pCacheCred->refCount --;
|
|
|
|
// Release exclusive access to our server credential cache
|
|
pthread_mutex_unlock(&g_serverCredMutex);
|
|
|
|
DbgTrace(2, "krb5_token -ReleaseServiceCredentials- End\n", 0);
|
|
}
|
|
|
|
|
|
//++=======================================================================
|
|
CasaStatus SSCS_CALL
|
|
Krb5AuthTokenIf_ValidateAuthTokenCredentials(
|
|
IN const void *pIfInstance,
|
|
IN const ConfigIf *pServiceConfigIf,
|
|
IN const char *pUserName,
|
|
IN const int userNameLen,
|
|
IN const char *pTokenBuf,
|
|
IN const int tokenBufLen)
|
|
//
|
|
// Arguments:
|
|
// pIfInstance -
|
|
// Pointer to interface object.
|
|
//
|
|
// pServiceConfigIf -
|
|
// Pointer to service config object to which the client is trying to
|
|
// authenticate.
|
|
//
|
|
// pUserName -
|
|
// Pointer to string with the username that is being
|
|
// authenticated to the service. The length of the name
|
|
// is specified by the pUserNameLen parameter. Note that
|
|
// the string does not need to be NULL terminated.
|
|
//
|
|
// userNameLen -
|
|
// Length of the user name contained within the buffer
|
|
// pointed at by pUserNameBuf (Does not include the NULL
|
|
// terminator). If this parameter is set to -1 then the
|
|
// function assumes that the username string is NULL
|
|
// terminated.
|
|
//
|
|
// pTokenBuf -
|
|
// Pointer to buffer that will receive the authentication
|
|
// token. The length of this buffer is specified by the
|
|
// pTokenBufLen parameter. Note that the the authentication
|
|
// token will be in the form of a NULL terminated string.
|
|
//
|
|
// tokenBufLen -
|
|
// Length of the data contained within the buffer pointed
|
|
// at by pTokenBuf. (Does not include the NULL
|
|
// terminator). If this parameter is set to -1 then the
|
|
// function assumes that the username string is NULL
|
|
// terminated.
|
|
//
|
|
// Returns:
|
|
// Casa status.
|
|
//
|
|
// Description:
|
|
// Validates authentication token credentials.
|
|
//
|
|
// L2
|
|
//=======================================================================--
|
|
{
|
|
CasaStatus retStatus;
|
|
gss_cred_id_t *pServerCreds;
|
|
|
|
|
|
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Start\n", 0);
|
|
|
|
// Validate input parameters
|
|
if (pIfInstance == NULL
|
|
|| pServiceConfigIf == NULL
|
|
|| pUserName == NULL
|
|
|| userNameLen == 0
|
|
|| pTokenBuf == NULL
|
|
|| tokenBufLen == 0)
|
|
{
|
|
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Invalid input parameter\n", 0);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_INVALID_PARAMETER);
|
|
goto exit;
|
|
}
|
|
|
|
// Get server credentials
|
|
retStatus = GetServiceCredentials(pServiceConfigIf, &pServerCreds);
|
|
if (CASA_SUCCESS(retStatus))
|
|
{
|
|
gss_buffer_desc gssRecvToken;
|
|
|
|
// Server credentials obtained, now decode the incoming token.
|
|
retStatus = DecodeData(pTokenBuf,
|
|
/*pTokenBuf[tokenBufLen] == '\0' ? tokenBufLen - 1 : tokenBufLen,*/ tokenBufLen + 1,
|
|
&gssRecvToken.value,
|
|
(int32_t*) &gssRecvToken.length);
|
|
if (CASA_SUCCESS(retStatus))
|
|
{
|
|
OM_uint32 gssMajStat;
|
|
OM_uint32 gssMinStat;
|
|
gss_ctx_id_t gssContext = GSS_C_NO_CONTEXT;
|
|
gss_buffer_desc gssSendToken = {0};
|
|
OM_uint32 gssRetFlags;
|
|
gss_name_t gssClient;
|
|
gss_OID gssDoid;
|
|
|
|
// Process token received from client
|
|
gssMajStat = gss_accept_sec_context(&gssMinStat,
|
|
&gssContext,
|
|
*pServerCreds,
|
|
&gssRecvToken,
|
|
GSS_C_NO_CHANNEL_BINDINGS,
|
|
&gssClient,
|
|
&gssDoid,
|
|
&gssSendToken,
|
|
&gssRetFlags,
|
|
NULL,
|
|
NULL);
|
|
if (gssMajStat == GSS_S_COMPLETE)
|
|
{
|
|
gss_buffer_desc gssDisplayName;
|
|
gss_OID gssNameType;
|
|
gssMajStat = gss_display_name(&gssMinStat, gssClient, &gssDisplayName, &gssNameType);
|
|
if (gssMajStat == GSS_S_COMPLETE)
|
|
{
|
|
int actualUserNameLen;
|
|
|
|
// Determine the name of the user name provided by the caller
|
|
if (userNameLen == -1)
|
|
actualUserNameLen = strlen(pUserName);
|
|
else
|
|
actualUserNameLen = userNameLen;
|
|
|
|
// Verify that the user names match
|
|
if (actualUserNameLen == gssDisplayName.length
|
|
&& strncmp(pUserName, gssDisplayName.value, actualUserNameLen) == 0)
|
|
{
|
|
// The names match, credentials validated.
|
|
retStatus = CASA_STATUS_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- The user names do not match\n", 0);
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_AUTHENTICATION_FAILURE);
|
|
}
|
|
|
|
// Free the client display name
|
|
gss_release_buffer(&gssMinStat, &gssDisplayName);
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Error obtaining display name\n", 0);
|
|
LogGssStatuses("obtaining display name", gssMajStat, gssMinStat);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_UNSUCCESSFUL);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- gss_accept_sec_context error\n", 0);
|
|
LogGssStatuses("accepting sec context", gssMajStat, gssMinStat);
|
|
|
|
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
|
|
CASA_FACILITY_KRB5TOKEN,
|
|
CASA_STATUS_AUTHENTICATION_FAILURE);
|
|
}
|
|
|
|
// Free send token if necessary
|
|
if (gssSendToken.length != 0)
|
|
{
|
|
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Un-expected send token returned by gss_accept_sec_context\n", 0);
|
|
gss_release_buffer(&gssMinStat, &gssSendToken);
|
|
}
|
|
|
|
// Free context if necessary
|
|
if (gssContext != GSS_C_NO_CONTEXT)
|
|
gss_delete_sec_context(&gssMinStat, &gssContext, GSS_C_NO_BUFFER);
|
|
|
|
// Free the buffer associated with the token
|
|
free(gssRecvToken.value);
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Token decode failure\n", 0);
|
|
}
|
|
|
|
ReleaseServiceCredentials(pServerCreds);
|
|
}
|
|
else
|
|
{
|
|
DbgTrace(0, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- Failed to get the server credentials\n", 0);
|
|
}
|
|
|
|
exit:
|
|
|
|
DbgTrace(1, "krb5_token -Krb5AuthTokenIf_ValidateAuthTokenCredentials- End, retStatus = %08X\n", retStatus);
|
|
|
|
return retStatus;
|
|
}
|
|
|
|
|
|
//++=======================================================================
|
|
//++=======================================================================
|
|
//++=======================================================================
|
|
|