diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:23:53 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:23:53 +0000 |
commit | c000cad09d0b54c455c99271bfb996c2dfe13073 (patch) | |
tree | e47ca809ed512d7fb43ec3d555753b1b658e9819 /libraries/libldap/gssapi.c | |
parent | Initial commit. (diff) | |
download | openldap-c000cad09d0b54c455c99271bfb996c2dfe13073.tar.xz openldap-c000cad09d0b54c455c99271bfb996c2dfe13073.zip |
Adding upstream version 2.4.47+dfsg.upstream/2.4.47+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'libraries/libldap/gssapi.c')
-rw-r--r-- | libraries/libldap/gssapi.c | 1011 |
1 files changed, 1011 insertions, 0 deletions
diff --git a/libraries/libldap/gssapi.c b/libraries/libldap/gssapi.c new file mode 100644 index 0000000..bbd9f4c --- /dev/null +++ b/libraries/libldap/gssapi.c @@ -0,0 +1,1011 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2018 The OpenLDAP Foundation. + * All rights reserved. + * + * Author: Stefan Metzmacher <metze@sernet.de> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/socket.h> +#include <ac/stdlib.h> +#include <ac/string.h> +#include <ac/time.h> +#include <ac/errno.h> +#include <ac/ctype.h> +#include <ac/unistd.h> + +#ifdef HAVE_LIMITS_H +#include <limits.h> +#endif + +#include "ldap-int.h" + +#ifdef HAVE_GSSAPI + +#ifdef HAVE_GSSAPI_GSSAPI_H +#include <gssapi/gssapi.h> +#else +#include <gssapi.h> +#endif + +static char * +gsserrstr( + char *buf, + ber_len_t buf_len, + gss_OID mech, + int gss_rc, + OM_uint32 minor_status ) +{ + OM_uint32 min2; + gss_buffer_desc mech_msg = GSS_C_EMPTY_BUFFER; + gss_buffer_desc gss_msg = GSS_C_EMPTY_BUFFER; + gss_buffer_desc minor_msg = GSS_C_EMPTY_BUFFER; + OM_uint32 msg_ctx = 0; + + if (buf == NULL) { + return NULL; + } + + if (buf_len == 0) { + return NULL; + } + +#ifdef HAVE_GSS_OID_TO_STR + gss_oid_to_str(&min2, mech, &mech_msg); +#endif + gss_display_status(&min2, gss_rc, GSS_C_GSS_CODE, + mech, &msg_ctx, &gss_msg); + gss_display_status(&min2, minor_status, GSS_C_MECH_CODE, + mech, &msg_ctx, &minor_msg); + + snprintf(buf, buf_len, "gss_rc[%d:%*s] mech[%*s] minor[%u:%*s]", + gss_rc, (int)gss_msg.length, + (const char *)(gss_msg.value?gss_msg.value:""), + (int)mech_msg.length, + (const char *)(mech_msg.value?mech_msg.value:""), + minor_status, (int)minor_msg.length, + (const char *)(minor_msg.value?minor_msg.value:"")); + + gss_release_buffer(&min2, &mech_msg); + gss_release_buffer(&min2, &gss_msg); + gss_release_buffer(&min2, &minor_msg); + + buf[buf_len-1] = '\0'; + + return buf; +} + +static void +sb_sasl_gssapi_init( + struct sb_sasl_generic_data *p, + ber_len_t *min_send, + ber_len_t *max_send, + ber_len_t *max_recv ) +{ + gss_ctx_id_t gss_ctx = (gss_ctx_id_t)p->ops_private; + int gss_rc; + OM_uint32 minor_status; + gss_OID ctx_mech = GSS_C_NO_OID; + OM_uint32 ctx_flags = 0; + int conf_req_flag = 0; + OM_uint32 max_input_size; + + gss_inquire_context(&minor_status, + gss_ctx, + NULL, + NULL, + NULL, + &ctx_mech, + &ctx_flags, + NULL, + NULL); + + if (ctx_flags & (GSS_C_CONF_FLAG)) { + conf_req_flag = 1; + } + +#if defined(HAVE_CYRUS_SASL) +#define SEND_PREALLOC_SIZE SASL_MIN_BUFF_SIZE +#else +#define SEND_PREALLOC_SIZE 4096 +#endif +#define SEND_MAX_WIRE_SIZE 0x00A00000 +#define RECV_MAX_WIRE_SIZE 0x0FFFFFFF +#define FALLBACK_SEND_MAX_SIZE 0x009FFFB8 /* from MIT 1.5.x */ + + gss_rc = gss_wrap_size_limit(&minor_status, gss_ctx, + conf_req_flag, GSS_C_QOP_DEFAULT, + SEND_MAX_WIRE_SIZE, &max_input_size); + if ( gss_rc != GSS_S_COMPLETE ) { + char msg[256]; + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_init: failed to wrap size limit: %s\n", + gsserrstr( msg, sizeof(msg), ctx_mech, gss_rc, minor_status ) ); + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_init: fallback to default wrap size limit\n"); + /* + * some libgssglue/libgssapi versions + * have a broken gss_wrap_size_limit() + * implementation + */ + max_input_size = FALLBACK_SEND_MAX_SIZE; + } + + *min_send = SEND_PREALLOC_SIZE; + *max_send = max_input_size; + *max_recv = RECV_MAX_WIRE_SIZE; +} + +static ber_int_t +sb_sasl_gssapi_encode( + struct sb_sasl_generic_data *p, + unsigned char *buf, + ber_len_t len, + Sockbuf_Buf *dst ) +{ + gss_ctx_id_t gss_ctx = (gss_ctx_id_t)p->ops_private; + int gss_rc; + OM_uint32 minor_status; + gss_buffer_desc unwrapped, wrapped; + gss_OID ctx_mech = GSS_C_NO_OID; + OM_uint32 ctx_flags = 0; + int conf_req_flag = 0; + int conf_state; + unsigned char *b; + ber_len_t pkt_len; + + unwrapped.value = buf; + unwrapped.length = len; + + gss_inquire_context(&minor_status, + gss_ctx, + NULL, + NULL, + NULL, + &ctx_mech, + &ctx_flags, + NULL, + NULL); + + if (ctx_flags & (GSS_C_CONF_FLAG)) { + conf_req_flag = 1; + } + + gss_rc = gss_wrap(&minor_status, gss_ctx, + conf_req_flag, GSS_C_QOP_DEFAULT, + &unwrapped, &conf_state, + &wrapped); + if ( gss_rc != GSS_S_COMPLETE ) { + char msg[256]; + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_encode: failed to encode packet: %s\n", + gsserrstr( msg, sizeof(msg), ctx_mech, gss_rc, minor_status ) ); + return -1; + } + + if ( conf_req_flag && conf_state == 0 ) { + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_encode: GSS_C_CONF_FLAG was ignored by our gss_wrap()\n" ); + return -1; + } + + pkt_len = 4 + wrapped.length; + + /* Grow the packet buffer if neccessary */ + if ( dst->buf_size < pkt_len && + ber_pvt_sb_grow_buffer( dst, pkt_len ) < 0 ) + { + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_encode: failed to grow the buffer to %lu bytes\n", + pkt_len ); + return -1; + } + + dst->buf_end = pkt_len; + + b = (unsigned char *)dst->buf_base; + + b[0] = (unsigned char)(wrapped.length >> 24); + b[1] = (unsigned char)(wrapped.length >> 16); + b[2] = (unsigned char)(wrapped.length >> 8); + b[3] = (unsigned char)(wrapped.length >> 0); + + /* copy the wrapped blob to the right location */ + memcpy(b + 4, wrapped.value, wrapped.length); + + gss_release_buffer(&minor_status, &wrapped); + + return 0; +} + +static ber_int_t +sb_sasl_gssapi_decode( + struct sb_sasl_generic_data *p, + const Sockbuf_Buf *src, + Sockbuf_Buf *dst ) +{ + gss_ctx_id_t gss_ctx = (gss_ctx_id_t)p->ops_private; + int gss_rc; + OM_uint32 minor_status; + gss_buffer_desc unwrapped, wrapped; + gss_OID ctx_mech = GSS_C_NO_OID; + OM_uint32 ctx_flags = 0; + int conf_req_flag = 0; + int conf_state; + unsigned char *b; + + wrapped.value = src->buf_base + 4; + wrapped.length = src->buf_end - 4; + + gss_inquire_context(&minor_status, + gss_ctx, + NULL, + NULL, + NULL, + &ctx_mech, + &ctx_flags, + NULL, + NULL); + + if (ctx_flags & (GSS_C_CONF_FLAG)) { + conf_req_flag = 1; + } + + gss_rc = gss_unwrap(&minor_status, gss_ctx, + &wrapped, &unwrapped, + &conf_state, GSS_C_QOP_DEFAULT); + if ( gss_rc != GSS_S_COMPLETE ) { + char msg[256]; + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_decode: failed to decode packet: %s\n", + gsserrstr( msg, sizeof(msg), ctx_mech, gss_rc, minor_status ) ); + return -1; + } + + if ( conf_req_flag && conf_state == 0 ) { + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_encode: GSS_C_CONF_FLAG was ignored by our peer\n" ); + return -1; + } + + /* Grow the packet buffer if neccessary */ + if ( dst->buf_size < unwrapped.length && + ber_pvt_sb_grow_buffer( dst, unwrapped.length ) < 0 ) + { + ber_log_printf( LDAP_DEBUG_ANY, p->sbiod->sbiod_sb->sb_debug, + "sb_sasl_gssapi_decode: failed to grow the buffer to %lu bytes\n", + unwrapped.length ); + return -1; + } + + dst->buf_end = unwrapped.length; + + b = (unsigned char *)dst->buf_base; + + /* copy the wrapped blob to the right location */ + memcpy(b, unwrapped.value, unwrapped.length); + + gss_release_buffer(&minor_status, &unwrapped); + + return 0; +} + +static void +sb_sasl_gssapi_reset_buf( + struct sb_sasl_generic_data *p, + Sockbuf_Buf *buf ) +{ + ber_pvt_sb_buf_destroy( buf ); +} + +static void +sb_sasl_gssapi_fini( struct sb_sasl_generic_data *p ) +{ +} + +static const struct sb_sasl_generic_ops sb_sasl_gssapi_ops = { + sb_sasl_gssapi_init, + sb_sasl_gssapi_encode, + sb_sasl_gssapi_decode, + sb_sasl_gssapi_reset_buf, + sb_sasl_gssapi_fini +}; + +static int +sb_sasl_gssapi_install( + Sockbuf *sb, + gss_ctx_id_t gss_ctx ) +{ + struct sb_sasl_generic_install install_arg; + + install_arg.ops = &sb_sasl_gssapi_ops; + install_arg.ops_private = gss_ctx; + + return ldap_pvt_sasl_generic_install( sb, &install_arg ); +} + +static void +sb_sasl_gssapi_remove( Sockbuf *sb ) +{ + ldap_pvt_sasl_generic_remove( sb ); +} + +static int +map_gsserr2ldap( + LDAP *ld, + gss_OID mech, + int gss_rc, + OM_uint32 minor_status ) +{ + char msg[256]; + + Debug( LDAP_DEBUG_ANY, "%s\n", + gsserrstr( msg, sizeof(msg), mech, gss_rc, minor_status ), + NULL, NULL ); + + if (gss_rc == GSS_S_COMPLETE) { + ld->ld_errno = LDAP_SUCCESS; + } else if (GSS_CALLING_ERROR(gss_rc)) { + ld->ld_errno = LDAP_LOCAL_ERROR; + } else if (GSS_ROUTINE_ERROR(gss_rc)) { + ld->ld_errno = LDAP_INAPPROPRIATE_AUTH; + } else if (gss_rc == GSS_S_CONTINUE_NEEDED) { + ld->ld_errno = LDAP_SASL_BIND_IN_PROGRESS; + } else if (GSS_SUPPLEMENTARY_INFO(gss_rc)) { + ld->ld_errno = LDAP_AUTH_UNKNOWN; + } else if (GSS_ERROR(gss_rc)) { + ld->ld_errno = LDAP_AUTH_UNKNOWN; + } else { + ld->ld_errno = LDAP_OTHER; + } + + return ld->ld_errno; +} + + +static int +ldap_gssapi_get_rootdse_infos ( + LDAP *ld, + char **pmechlist, + char **pldapServiceName, + char **pdnsHostName ) +{ + /* we need to query the server for supported mechs anyway */ + LDAPMessage *res, *e; + char *attrs[] = { + "supportedSASLMechanisms", + "ldapServiceName", + "dnsHostName", + NULL + }; + char **values, *mechlist; + char *ldapServiceName = NULL; + char *dnsHostName = NULL; + int rc; + + Debug( LDAP_DEBUG_TRACE, "ldap_gssapi_get_rootdse_infos\n", 0, 0, 0 ); + + rc = ldap_search_s( ld, "", LDAP_SCOPE_BASE, + NULL, attrs, 0, &res ); + + if ( rc != LDAP_SUCCESS ) { + return ld->ld_errno; + } + + e = ldap_first_entry( ld, res ); + if ( e == NULL ) { + ldap_msgfree( res ); + if ( ld->ld_errno == LDAP_SUCCESS ) { + ld->ld_errno = LDAP_NO_SUCH_OBJECT; + } + return ld->ld_errno; + } + + values = ldap_get_values( ld, e, "supportedSASLMechanisms" ); + if ( values == NULL ) { + ldap_msgfree( res ); + ld->ld_errno = LDAP_NO_SUCH_ATTRIBUTE; + return ld->ld_errno; + } + + mechlist = ldap_charray2str( values, " " ); + if ( mechlist == NULL ) { + LDAP_VFREE( values ); + ldap_msgfree( res ); + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + LDAP_VFREE( values ); + + values = ldap_get_values( ld, e, "ldapServiceName" ); + if ( values == NULL ) { + goto get_dns_host_name; + } + + ldapServiceName = ldap_charray2str( values, " " ); + if ( ldapServiceName == NULL ) { + LDAP_FREE( mechlist ); + LDAP_VFREE( values ); + ldap_msgfree( res ); + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + LDAP_VFREE( values ); + +get_dns_host_name: + + values = ldap_get_values( ld, e, "dnsHostName" ); + if ( values == NULL ) { + goto done; + } + + dnsHostName = ldap_charray2str( values, " " ); + if ( dnsHostName == NULL ) { + LDAP_FREE( mechlist ); + LDAP_FREE( ldapServiceName ); + LDAP_VFREE( values ); + ldap_msgfree( res ); + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + LDAP_VFREE( values ); + +done: + ldap_msgfree( res ); + + *pmechlist = mechlist; + *pldapServiceName = ldapServiceName; + *pdnsHostName = dnsHostName; + + return LDAP_SUCCESS; +} + + +static int check_for_gss_spnego_support( LDAP *ld, const char *mechs_str ) +{ + int rc; + char **mechs_list = NULL; + + mechs_list = ldap_str2charray( mechs_str, " " ); + if ( mechs_list == NULL ) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + rc = ldap_charray_inlist( mechs_list, "GSS-SPNEGO" ); + ldap_charray_free( mechs_list ); + if ( rc != 1) { + ld->ld_errno = LDAP_STRONG_AUTH_NOT_SUPPORTED; + return ld->ld_errno; + } + + return LDAP_SUCCESS; +} + +static int +guess_service_principal( + LDAP *ld, + const char *ldapServiceName, + const char *dnsHostName, + gss_name_t *principal ) +{ + gss_buffer_desc input_name; + /* GSS_KRB5_NT_PRINCIPAL_NAME */ + gss_OID_desc nt_principal = + {10, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"}; + const char *host = ld->ld_defconn->lconn_server->lud_host; + OM_uint32 minor_status; + int gss_rc; + int ret; + size_t svc_principal_size; + char *svc_principal = NULL; + const char *principal_fmt = NULL; + const char *str = NULL; + const char *givenstr = NULL; + const char *ignore = "not_defined_in_RFC4178@please_ignore"; + int allow_remote = 0; + + if (ldapServiceName) { + givenstr = strchr(ldapServiceName, ':'); + if (givenstr && givenstr[1]) { + givenstr++; + if (strcmp(givenstr, ignore) == 0) { + givenstr = NULL; + } + } else { + givenstr = NULL; + } + } + + if ( ld->ld_options.ldo_gssapi_options & LDAP_GSSAPI_OPT_ALLOW_REMOTE_PRINCIPAL ) { + allow_remote = 1; + } + + if (allow_remote && givenstr) { + principal_fmt = "%s"; + svc_principal_size = strlen(givenstr) + 1; + str = givenstr; + + } else if (allow_remote && dnsHostName) { + principal_fmt = "ldap/%s"; + svc_principal_size = STRLENOF("ldap/") + strlen(dnsHostName) + 1; + str = dnsHostName; + + } else { + principal_fmt = "ldap/%s"; + svc_principal_size = STRLENOF("ldap/") + strlen(host) + 1; + str = host; + } + + svc_principal = (char*) ldap_memalloc(svc_principal_size * sizeof(char)); + if ( svc_principal == NULL ) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + ret = snprintf( svc_principal, svc_principal_size, principal_fmt, str ); + if (ret < 0 || (size_t)ret >= svc_principal_size) { + ld->ld_errno = LDAP_LOCAL_ERROR; + return ld->ld_errno; + } + + Debug( LDAP_DEBUG_TRACE, "principal for host[%s]: '%s'\n", + host, svc_principal, 0 ); + + input_name.value = svc_principal; + input_name.length = (size_t)ret; + + gss_rc = gss_import_name( &minor_status, &input_name, &nt_principal, principal ); + ldap_memfree( svc_principal ); + if ( gss_rc != GSS_S_COMPLETE ) { + return map_gsserr2ldap( ld, GSS_C_NO_OID, gss_rc, minor_status ); + } + + return LDAP_SUCCESS; +} + +void ldap_int_gssapi_close( LDAP *ld, LDAPConn *lc ) +{ + if ( lc && lc->lconn_gss_ctx ) { + OM_uint32 minor_status; + OM_uint32 ctx_flags = 0; + gss_ctx_id_t old_gss_ctx = GSS_C_NO_CONTEXT; + old_gss_ctx = (gss_ctx_id_t)lc->lconn_gss_ctx; + + gss_inquire_context(&minor_status, + old_gss_ctx, + NULL, + NULL, + NULL, + NULL, + &ctx_flags, + NULL, + NULL); + + if (!( ld->ld_options.ldo_gssapi_options & LDAP_GSSAPI_OPT_DO_NOT_FREE_GSS_CONTEXT )) { + gss_delete_sec_context( &minor_status, &old_gss_ctx, GSS_C_NO_BUFFER ); + } + lc->lconn_gss_ctx = GSS_C_NO_CONTEXT; + + if (ctx_flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG)) { + /* remove wrapping layer */ + sb_sasl_gssapi_remove( lc->lconn_sb ); + } + } +} + +static void +ldap_int_gssapi_setup( + LDAP *ld, + LDAPConn *lc, + gss_ctx_id_t gss_ctx) +{ + OM_uint32 minor_status; + OM_uint32 ctx_flags = 0; + + ldap_int_gssapi_close( ld, lc ); + + gss_inquire_context(&minor_status, + gss_ctx, + NULL, + NULL, + NULL, + NULL, + &ctx_flags, + NULL, + NULL); + + lc->lconn_gss_ctx = gss_ctx; + + if (ctx_flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG)) { + /* setup wrapping layer */ + sb_sasl_gssapi_install( lc->lconn_sb, gss_ctx ); + } +} + +#ifdef LDAP_R_COMPILE +ldap_pvt_thread_mutex_t ldap_int_gssapi_mutex; +#endif + +static int +ldap_int_gss_spnego_bind_s( LDAP *ld ) +{ + int rc; + int gss_rc; + OM_uint32 minor_status; + char *mechlist = NULL; + char *ldapServiceName = NULL; + char *dnsHostName = NULL; + gss_OID_set supported_mechs = GSS_C_NO_OID_SET; + int spnego_support = 0; +#define __SPNEGO_OID_LENGTH 6 +#define __SPNEGO_OID "\053\006\001\005\005\002" + gss_OID_desc spnego_oid = {__SPNEGO_OID_LENGTH, __SPNEGO_OID}; + gss_OID req_mech = GSS_C_NO_OID; + gss_OID ret_mech = GSS_C_NO_OID; + gss_ctx_id_t gss_ctx = GSS_C_NO_CONTEXT; + gss_name_t principal = GSS_C_NO_NAME; + OM_uint32 req_flags; + OM_uint32 ret_flags; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + struct berval cred, *scred = NULL; + + LDAP_MUTEX_LOCK( &ldap_int_gssapi_mutex ); + + /* get information from RootDSE entry */ + rc = ldap_gssapi_get_rootdse_infos ( ld, &mechlist, + &ldapServiceName, &dnsHostName); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + + /* check that the server supports GSS-SPNEGO */ + rc = check_for_gss_spnego_support( ld, mechlist ); + if ( rc != LDAP_SUCCESS ) { + goto rc_error; + } + + /* prepare new gss_ctx_id_t */ + rc = guess_service_principal( ld, ldapServiceName, dnsHostName, &principal ); + if ( rc != LDAP_SUCCESS ) { + goto rc_error; + } + + /* see if our gssapi library supports spnego */ + gss_rc = gss_indicate_mechs( &minor_status, &supported_mechs ); + if ( gss_rc != GSS_S_COMPLETE ) { + goto gss_error; + } + gss_rc = gss_test_oid_set_member( &minor_status, + &spnego_oid, supported_mechs, &spnego_support); + gss_release_oid_set( &minor_status, &supported_mechs); + if ( gss_rc != GSS_S_COMPLETE ) { + goto gss_error; + } + if ( spnego_support != 0 ) { + req_mech = &spnego_oid; + } + + req_flags = ld->ld_options.ldo_gssapi_flags; + req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; + + /* + * loop around gss_init_sec_context() and ldap_sasl_bind_s() + */ + input_token.value = NULL; + input_token.length = 0; + gss_rc = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &gss_ctx, + principal, + req_mech, + req_flags, + 0, + NULL, + &input_token, + &ret_mech, + &output_token, + &ret_flags, + NULL); + if ( gss_rc == GSS_S_COMPLETE ) { + rc = LDAP_INAPPROPRIATE_AUTH; + goto rc_error; + } + if ( gss_rc != GSS_S_CONTINUE_NEEDED ) { + goto gss_error; + } + while (1) { + cred.bv_val = (char *)output_token.value; + cred.bv_len = output_token.length; + rc = ldap_sasl_bind_s( ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred ); + gss_release_buffer( &minor_status, &output_token ); + if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) { + goto rc_error; + } + + if ( scred ) { + input_token.value = scred->bv_val; + input_token.length = scred->bv_len; + } else { + input_token.value = NULL; + input_token.length = 0; + } + + gss_rc = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &gss_ctx, + principal, + req_mech, + req_flags, + 0, + NULL, + &input_token, + &ret_mech, + &output_token, + &ret_flags, + NULL); + if ( scred ) { + ber_bvfree( scred ); + } + if ( gss_rc == GSS_S_COMPLETE ) { + gss_release_buffer( &minor_status, &output_token ); + break; + } + + if ( gss_rc != GSS_S_CONTINUE_NEEDED ) { + goto gss_error; + } + } + + ldap_int_gssapi_setup( ld, ld->ld_defconn, gss_ctx); + gss_ctx = GSS_C_NO_CONTEXT; + + rc = LDAP_SUCCESS; + goto rc_error; + +gss_error: + rc = map_gsserr2ldap( ld, + (ret_mech != GSS_C_NO_OID ? ret_mech : req_mech ), + gss_rc, minor_status ); +rc_error: + LDAP_MUTEX_UNLOCK( &ldap_int_gssapi_mutex ); + LDAP_FREE( mechlist ); + LDAP_FREE( ldapServiceName ); + LDAP_FREE( dnsHostName ); + gss_release_buffer( &minor_status, &output_token ); + if ( gss_ctx != GSS_C_NO_CONTEXT ) { + gss_delete_sec_context( &minor_status, &gss_ctx, GSS_C_NO_BUFFER ); + } + if ( principal != GSS_C_NO_NAME ) { + gss_release_name( &minor_status, &principal ); + } + return rc; +} + +int +ldap_int_gssapi_config( struct ldapoptions *lo, int option, const char *arg ) +{ + int ok = 0; + + switch( option ) { + case LDAP_OPT_SIGN: + + if (!arg) { + } else if (strcasecmp(arg, "on") == 0) { + ok = 1; + } else if (strcasecmp(arg, "yes") == 0) { + ok = 1; + } else if (strcasecmp(arg, "true") == 0) { + ok = 1; + + } + if (ok) { + lo->ldo_gssapi_flags |= GSS_C_INTEG_FLAG; + } + + return 0; + + case LDAP_OPT_ENCRYPT: + + if (!arg) { + } else if (strcasecmp(arg, "on") == 0) { + ok = 1; + } else if (strcasecmp(arg, "yes") == 0) { + ok = 1; + } else if (strcasecmp(arg, "true") == 0) { + ok = 1; + } + + if (ok) { + lo->ldo_gssapi_flags |= GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG; + } + + return 0; + + case LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL: + + if (!arg) { + } else if (strcasecmp(arg, "on") == 0) { + ok = 1; + } else if (strcasecmp(arg, "yes") == 0) { + ok = 1; + } else if (strcasecmp(arg, "true") == 0) { + ok = 1; + } + + if (ok) { + lo->ldo_gssapi_options |= LDAP_GSSAPI_OPT_ALLOW_REMOTE_PRINCIPAL; + } + + return 0; + } + + return -1; +} + +int +ldap_int_gssapi_get_option( LDAP *ld, int option, void *arg ) +{ + if ( ld == NULL ) + return -1; + + switch ( option ) { + case LDAP_OPT_SSPI_FLAGS: + * (unsigned *) arg = (unsigned) ld->ld_options.ldo_gssapi_flags; + break; + + case LDAP_OPT_SIGN: + if ( ld->ld_options.ldo_gssapi_flags & GSS_C_INTEG_FLAG ) { + * (int *) arg = (int)-1; + } else { + * (int *) arg = (int)0; + } + break; + + case LDAP_OPT_ENCRYPT: + if ( ld->ld_options.ldo_gssapi_flags & GSS_C_CONF_FLAG ) { + * (int *) arg = (int)-1; + } else { + * (int *) arg = (int)0; + } + break; + + case LDAP_OPT_SASL_METHOD: + * (char **) arg = LDAP_STRDUP("GSS-SPNEGO"); + break; + + case LDAP_OPT_SECURITY_CONTEXT: + if ( ld->ld_defconn && ld->ld_defconn->lconn_gss_ctx ) { + * (gss_ctx_id_t *) arg = (gss_ctx_id_t)ld->ld_defconn->lconn_gss_ctx; + } else { + * (gss_ctx_id_t *) arg = GSS_C_NO_CONTEXT; + } + break; + + case LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT: + if ( ld->ld_options.ldo_gssapi_options & LDAP_GSSAPI_OPT_DO_NOT_FREE_GSS_CONTEXT ) { + * (int *) arg = (int)-1; + } else { + * (int *) arg = (int)0; + } + break; + + case LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL: + if ( ld->ld_options.ldo_gssapi_options & LDAP_GSSAPI_OPT_ALLOW_REMOTE_PRINCIPAL ) { + * (int *) arg = (int)-1; + } else { + * (int *) arg = (int)0; + } + break; + + default: + return -1; + } + + return 0; +} + +int +ldap_int_gssapi_set_option( LDAP *ld, int option, void *arg ) +{ + if ( ld == NULL ) + return -1; + + switch ( option ) { + case LDAP_OPT_SSPI_FLAGS: + if ( arg != LDAP_OPT_OFF ) { + ld->ld_options.ldo_gssapi_flags = * (unsigned *)arg; + } + break; + + case LDAP_OPT_SIGN: + if ( arg != LDAP_OPT_OFF ) { + ld->ld_options.ldo_gssapi_flags |= GSS_C_INTEG_FLAG; + } + break; + + case LDAP_OPT_ENCRYPT: + if ( arg != LDAP_OPT_OFF ) { + ld->ld_options.ldo_gssapi_flags |= GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG; + } + break; + + case LDAP_OPT_SASL_METHOD: + if ( arg != LDAP_OPT_OFF ) { + const char *m = (const char *)arg; + if ( strcmp( "GSS-SPNEGO", m ) != 0 ) { + /* we currently only support GSS-SPNEGO */ + return -1; + } + } + break; + + case LDAP_OPT_SECURITY_CONTEXT: + if ( arg != LDAP_OPT_OFF && ld->ld_defconn) { + ldap_int_gssapi_setup( ld, ld->ld_defconn, + (gss_ctx_id_t) arg); + } + break; + + case LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT: + if ( arg != LDAP_OPT_OFF ) { + ld->ld_options.ldo_gssapi_options |= LDAP_GSSAPI_OPT_DO_NOT_FREE_GSS_CONTEXT; + } + break; + + case LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL: + if ( arg != LDAP_OPT_OFF ) { + ld->ld_options.ldo_gssapi_options |= LDAP_GSSAPI_OPT_ALLOW_REMOTE_PRINCIPAL; + } + break; + + default: + return -1; + } + + return 0; +} + +#else /* HAVE_GSSAPI */ +#define ldap_int_gss_spnego_bind_s(ld) LDAP_NOT_SUPPORTED +#endif /* HAVE_GSSAPI */ + +int +ldap_gssapi_bind( + LDAP *ld, + LDAP_CONST char *dn, + LDAP_CONST char *creds ) +{ + return LDAP_NOT_SUPPORTED; +} + +int +ldap_gssapi_bind_s( + LDAP *ld, + LDAP_CONST char *dn, + LDAP_CONST char *creds ) +{ + if ( dn != NULL ) { + return LDAP_NOT_SUPPORTED; + } + + if ( creds != NULL ) { + return LDAP_NOT_SUPPORTED; + } + + return ldap_int_gss_spnego_bind_s(ld); +} |