1: /*
2: * GSSAPI authentication.
3: *
4: * Copyright (C) 1998-2001 Andrew Tridgell <tridge@samba.org>
5: * Copyright (C) 2001-2002 Martin Pool <mbp@samba.org>
6: * Copyright (C) 2002-2008 Wayne Davison
7: *
8: * This program is free software; you can redistribute it and/or modify
9: * it under the terms of the GNU General Public License as published by
10: * the Free Software Foundation; either version 3 of the License, or
11: * (at your option) any later version.
12: *
13: * This program is distributed in the hope that it will be useful,
14: * but WITHOUT ANY WARRANTY; without even the implied warranty of
15: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16: * GNU General Public License for more details.
17: *
18: * You should have received a copy of the GNU General Public License along
19: * with this program; if not, visit the http://fsf.org website.
20: */
21:
22: #include "rsync.h"
23:
24: #ifdef GSSAPI_OPTION
25:
26: #define RSYNC_GSS_SERVICE "host"
27:
28: struct init_context_data {
29: gss_cred_id_t initiator_cred_handle;
30: gss_ctx_id_t *context_handle;
31: gss_name_t target_name;
32: gss_OID mech_type;
33: OM_uint32 req_flags;
34: OM_uint32 time_req;
35: gss_channel_bindings_t input_chan_bindings;
36: gss_OID *actual_mech_type;
37: OM_uint32 *ret_flags;
38: OM_uint32 *time_rec;
39: };
40:
41: struct accept_context_data {
42: gss_ctx_id_t *context_handle;
43: gss_cred_id_t acceptor_cred_handle;
44: gss_channel_bindings_t input_chan_bindings;
45: gss_name_t *src_name;
46: gss_OID *mech_type;
47: OM_uint32 *ret_flags;
48: OM_uint32 *time_rec;
49: gss_cred_id_t *delegated_cred_handle;
50: };
51:
52: int auth_gss_client(int fd, const char *host)
53: {
54: gss_ctx_id_t ctxt = GSS_C_NO_CONTEXT;
55: gss_name_t target_name = GSS_C_NO_NAME;
56: struct init_context_data cb_data;
57: char *buffer;
58: int status;
59: OM_uint32 min_stat;
60:
61: buffer = new_array(char, (strlen(host) + 2 + strlen(RSYNC_GSS_SERVICE)));
62:
63: sprintf(buffer, "%s@%s", RSYNC_GSS_SERVICE, host);
64:
65: import_gss_name(&target_name, buffer, GSS_C_NT_HOSTBASED_SERVICE);
66: free(buffer);
67:
68: cb_data.initiator_cred_handle = GSS_C_NO_CREDENTIAL;
69: cb_data.context_handle = &ctxt;
70: cb_data.target_name = target_name;
71: cb_data.mech_type = GSS_C_NO_OID;
72: cb_data.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
73: cb_data.time_req = 0;
74: cb_data.input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
75: cb_data.actual_mech_type = NULL;
76: cb_data.ret_flags = NULL;
77: cb_data.time_rec = NULL;
78:
79: status = do_gss_dialog(fd, fd, 0, &cb_init_sec_context, (void *)&cb_data);
80: if (ctxt != GSS_C_NO_CONTEXT)
81: gss_delete_sec_context(&min_stat, &ctxt, GSS_C_NO_BUFFER);
82: free_gss_name(&target_name);
83:
84: return status;
85: }
86:
87: /*
88: * The call back function for a gss_init_sec_context dialog
89: */
90: OM_uint32 cb_init_sec_context(OM_uint32 *min_statp, gss_buffer_t in_token, gss_buffer_t out_token, void *cb_data)
91: {
92: struct init_context_data *context_data;
93:
94: context_data = (struct init_context_data *) cb_data;
95: return gss_init_sec_context(min_statp, context_data->initiator_cred_handle, context_data->context_handle, context_data->target_name, context_data->mech_type, context_data->req_flags, context_data->time_req, context_data->input_chan_bindings, in_token, context_data->actual_mech_type, out_token, context_data->ret_flags, context_data->time_rec);
96: }
97:
98: /* Possibly negotiate authentication with the client. Use "leader" to
99: * start off the auth if necessary.
100: *
101: * Return NULL if authentication failed. Return "" if anonymous access.
102: * Otherwise return username.
103: */
104: char *auth_gss_server(int fd_in, int fd_out, int module, const char *host, const char *addr, const char *leader)
105: {
106: struct accept_context_data cb_data;
107: gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
108: gss_ctx_id_t context = GSS_C_NO_CONTEXT;
109: OM_uint32 ret_flags;
110: char *users = lp_auth_users(module);
111: OM_uint32 maj_stat, min_stat;
112: gss_name_t server_name = GSS_C_NO_NAME;
113: gss_name_t client_name = GSS_C_NO_NAME;
114: gss_OID doid = GSS_C_NO_OID;
115: char *user = NULL;
116:
117: /* if no auth list then allow anyone in! */
118: if (!users || !*users)
119: return "";
120:
121: import_gss_name(&server_name, "host", GSS_C_NT_HOSTBASED_SERVICE);
122:
123: maj_stat = gss_acquire_cred(&min_stat, server_name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
124: if (maj_stat != GSS_S_COMPLETE) {
125: error_gss(maj_stat, min_stat, "error acquiring credentials on module %s from %s (%s)", lp_name(module), host, addr);
126: return NULL;
127: }
128:
129: io_printf(fd_out, "%s\n", leader);
130:
131: cb_data.context_handle = &context;
132: cb_data.acceptor_cred_handle = server_creds;
133: cb_data.input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
134: cb_data.src_name = &client_name;
135: cb_data.mech_type = &doid;
136: cb_data.ret_flags = &ret_flags;
137: cb_data.time_rec = NULL;
138: cb_data.delegated_cred_handle = NULL;
139:
140: if (do_gss_dialog(fd_in, fd_out, -1, &cb_accept_sec_context, (void *)&cb_data) < 0)
141: return NULL;
142:
143: user = get_cn(client_name, doid);
144:
145: free_gss_name(&server_name);
146: free_gss_name(&client_name);
147:
148: return user;
149: }
150:
151: /*
152: * The call back function for a gss_accept_sec_context dialog
153: */
154: OM_uint32 cb_accept_sec_context(OM_uint32 *min_statp, gss_buffer_t in_token, gss_buffer_t out_token, void *cb_data)
155: {
156: struct accept_context_data *context_data;
157:
158: context_data = (struct accept_context_data *) cb_data;
159: return gss_accept_sec_context(min_statp, context_data->context_handle, context_data->acceptor_cred_handle, in_token, context_data->input_chan_bindings, context_data->src_name, context_data->mech_type, out_token, context_data->ret_flags, context_data->time_rec, context_data->delegated_cred_handle);
160: }
161:
162: void free_gss_buffer(gss_buffer_t gss_buffer)
163: {
164: OM_uint32 maj_stat, min_stat;
165:
166: if (gss_buffer->length > 0) {
167: maj_stat = gss_release_buffer(&min_stat, gss_buffer);
168: if (maj_stat != GSS_S_COMPLETE) {
169: error_gss(maj_stat, min_stat, "can't release a buffer");
170: }
171: }
172: }
173:
174: void free_gss_name(gss_name_t *gss_buffer)
175: {
176: OM_uint32 maj_stat, min_stat;
177:
178: if (*gss_buffer != GSS_C_NO_NAME) {
179: maj_stat = gss_release_name(&min_stat, gss_buffer);
180: if (maj_stat != GSS_S_COMPLETE) {
181: error_gss(maj_stat, min_stat, "can't release a name");
182: }
183: }
184: }
185:
186: void import_gss_name(gss_name_t *gss_name, const char *name, gss_OID type)
187: {
188: gss_buffer_desc gssname;
189: OM_uint32 maj_stat, min_stat;
190:
191: gssname.value = strdup(name);
192: gssname.length = strlen(name) +1 ;
193:
194: maj_stat = gss_import_name(&min_stat, &gssname, type, gss_name);
195:
196: if (maj_stat != GSS_S_COMPLETE)
197: error_gss(maj_stat, min_stat, "can't resolve %s", name);
198:
199: free_gss_buffer(&gssname);
200: }
201:
202: char *export_name(const gss_name_t input_name)
203: {
204: OM_uint32 maj_stat, min_stat;
205: gss_buffer_desc exported_name;
206: char *exported;
207: gss_OID name_oid;
208:
209: exported = NULL;
210:
211: maj_stat = gss_display_name(&min_stat, input_name, &exported_name, &name_oid);
212: if (maj_stat != GSS_S_COMPLETE) {
213: error_gss(maj_stat, min_stat, "can't get display name");
214: return NULL;
215: }
216:
217: if (exported_name.length > 0)
218: exported = strdup(exported_name.value);
219:
220: free_gss_buffer(&exported_name);
221:
222: return exported;
223: }
224:
225: void error_gss(OM_uint32 major, OM_uint32 minor, const char *format, ...)
226: {
227: OM_uint32 min_stat;
228: gss_buffer_desc gss_msg = GSS_C_EMPTY_BUFFER;
229: OM_uint32 msg_ctx;
230: va_list ap;
231: char message[BIGPATHBUFLEN];
232:
233: va_start(ap, format);
234: vsnprintf(message, sizeof message, format, ap);
235: va_end(ap);
236:
237: msg_ctx = 0;
238: if (major != GSS_S_FAILURE) /* Don't print unspecified failure, the message is useless */
239: do {
240: gss_display_status(&min_stat, major, GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &gss_msg);
241: rprintf(FERROR, "GSS-API error: %s: %s\n", message, (char *) gss_msg.value);
242: free_gss_buffer(&gss_msg);
243: } while (msg_ctx != 0);
244:
245: if (minor != 0) {
246: do {
247: gss_display_status(&min_stat, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &gss_msg);
248: rprintf(FERROR, "GSS-API error: %s: %s\n",message, (char *) gss_msg.value);
249: free_gss_buffer(&gss_msg);
250: } while (msg_ctx != 0);
251: }
252: }
253:
254: /*
255: * This function manage a gss dialog
256: * gss tokens are eaten by a call-back function and then send by this function.
257: * Argument to this function can be passed throught the cb_data argument
258: * When told to act as a server, it just begin to wait for a first token before beginning operation
259: * on it
260: */
261: int do_gss_dialog(int fd_in, int fd_out, int isServer, OM_uint32 (*eat_token)(OM_uint32 *,gss_buffer_t, gss_buffer_t, void *), void *cb_data)
262: {
263: OM_uint32 maj_stat, min_stat;
264: gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
265: gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
266:
267: if (isServer)
268: recv_gss_token(fd_in, &in_token);
269:
270: do {
271: maj_stat = (*eat_token)(&min_stat, &in_token, &out_token, cb_data);
272: free_gss_buffer(&in_token);
273: if (maj_stat != GSS_S_COMPLETE
274: && maj_stat != GSS_S_CONTINUE_NEEDED) {
275: error_gss(maj_stat, min_stat, "error during dialog");
276: return -1;
277: }
278:
279: if (out_token.length != 0) {
280: send_gss_token(fd_out, &out_token);
281: }
282: free_gss_buffer(&out_token);
283:
284: if (maj_stat == GSS_S_CONTINUE_NEEDED) {
285: recv_gss_token(fd_in, &in_token);
286: }
287: } while (maj_stat == GSS_S_CONTINUE_NEEDED);
288:
289: return 0;
290: }
291:
292: char *get_cn(const gss_name_t input_name, const gss_OID mech_type)
293: {
294: OM_uint32 maj_stat, min_stat;
295: gss_name_t output_name;
296: gss_buffer_desc exported_name;
297: char *cn;
298:
299: cn = NULL;
300: maj_stat = gss_canonicalize_name(&min_stat, input_name, mech_type, &output_name);
301: if (maj_stat != GSS_S_COMPLETE) {
302: error_gss(maj_stat, min_stat, "canonizing name");
303: return NULL;
304: }
305:
306: maj_stat = gss_export_name(&min_stat, output_name, &exported_name);
307: if (maj_stat != GSS_S_COMPLETE) {
308: error_gss(maj_stat, min_stat, "canonizing name");
309: return NULL;
310: }
311: if (exported_name.length > 0)
312: cn = strdup(exported_name.value);
313:
314: free_gss_name(&output_name);
315: free_gss_buffer(&exported_name);
316:
317: return cn;
318: }
319:
320: void send_gss_token(int fd, gss_buffer_t token)
321: {
322: write_int(fd, token->length);
323: write_buf(fd, token->value, token->length);
324: }
325:
326: void recv_gss_token(int fd, gss_buffer_t token)
327: {
328: token->length = read_int(fd);
329: if (token->length > 0) {
330: token->value = new_array(char, token->length);
331: read_buf(fd, token->value, token->length);
332: }
333: }
334: #endif /* GSSAPI_OPTION */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to gss-auth.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / rsync