2 * Copyright (C) 1998-2000 Luke Howard. All rights reserved.
6 * Implementation of GSS-API client side binding for SASL
14 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <netinet/in.h>
21 #include <arpa/nameser.h>
26 #include "gssldap-int.h"
29 typedef gss_uint32 OM_uint32;
32 char ldap_domain_name[128];
37 #define LDAP_SERVICE "_ldap"
38 #define TCP_PROTOCOL "_tcp"
40 int locate_ldap_server(char *domain, char **server_name);
41 int ldap_delete_tickets(LDAP *ld, char *service_name);
42 static int negotiate_security_options(gssldap_client_state_t state,
44 int ldap_reset_principal(LDAP *ld, char *service_name, gss_name_t target_name);
45 unsigned long gsssasl_pack_security_token(OM_uint32 *min_stat, gss_ctx_id_t context,
46 gsssasl_security_negotiation_t inmask,
47 size_t masklength, gss_buffer_t wrapped_tok);
49 int gsssasl_unpack_security_token(OM_uint32 *min_stat, gss_ctx_id_t context,
50 gss_buffer_t wrapped_tok,
51 gsssasl_security_negotiation_t *outmask,
55 static int debug_ = 1;
56 #define TRACE(x) do { if (debug_) fprintf(stderr, "%s\n", x); fflush(stderr); } while (0);
57 #define LDAP_PERROR(ld, x) do { if (debug_) ldap_perror(ld, x); } while (0);
58 #define LOG_STATUS(msg, min, maj) log_status(msg, min, maj)
61 #define LDAP_PERROR(ld, x)
62 #define LOG_STATUS(msg, min, maj)
63 #endif /* GSSSASL_DEBUG */
65 #ifdef HACK_SERVICE_NAME
66 char *__service = NULL;
70 * The read and write fns need to access the context in here and
71 * there doesn't appear to be a way to pass this info to them.
73 static gss_ctx_id_t security_context;
74 static int security_layer = 0;
75 static unsigned long security_token_size = 0;
77 LDAP_CALLBACK int LDAP_C ldap_gssapi_read(LBER_SOCKET sock, void *data,
84 gss_buffer_desc recv_tok;
85 gss_buffer_desc wrapped_tok;
89 (GSSSASL_INTEGRITY_PROTECTION | GSSSASL_PRIVACY_PROTECTION))
91 if (recv(sock, (char *)&pdulen, sizeof(pdulen), 0) != sizeof(pdulen))
93 wrapped_tok.length = ntohl(pdulen);
97 fprintf(stderr, "Reading data of %d octets\n",
100 #endif /* GSSSASL_DEBUG */
101 if ((int)wrapped_tok.length > security_token_size)
103 wrapped_tok.value = malloc(wrapped_tok.length);
104 if (wrapped_tok.value == NULL)
106 count = recv(sock, wrapped_tok.value, wrapped_tok.length, 0);
107 if (count != (int)wrapped_tok.length)
109 gss_release_buffer(&rc, &wrapped_tok);
112 maj_stat = gss_unwrap(&min_stat,
118 if (maj_stat != GSS_S_COMPLETE)
120 gss_release_buffer(&rc, &wrapped_tok);
126 fprintf(stderr, "Got %d bytes of %s data\n",
127 recv_tok.length, rc ? "private" : "signed");
129 #endif /* GSSSASL_DEBUG */
130 if ((int)recv_tok.length > len)
132 gss_release_buffer(&rc, &recv_tok);
133 gss_release_buffer(&rc, &wrapped_tok);
134 return GSS_S_FAILURE;
136 memcpy(data, recv_tok.value, recv_tok.length);
137 pdulen = recv_tok.length;
138 gss_release_buffer(&rc, &recv_tok);
139 gss_release_buffer(&rc, &wrapped_tok);
144 return read(sock, data, len);
147 LDAP_CALLBACK int LDAP_C ldap_gssapi_write(LBER_SOCKET sock, const void *data,
154 gss_buffer_desc send_tok;
155 gss_buffer_desc wrapped_tok;
159 (GSSSASL_INTEGRITY_PROTECTION | GSSSASL_PRIVACY_PROTECTION))
161 send_tok.length = len;
162 send_tok.value = (void *) data;
166 fprintf(stderr, "Sending %d bytes of data\n",
169 #endif /* GSSSASL_DEBUG */
170 maj_stat = gss_wrap(&min_stat,
172 (security_layer & GSSSASL_PRIVACY_PROTECTION) ? 1 : 0,
177 if (maj_stat != GSS_S_COMPLETE)
182 fprintf(stderr, "Sent %d bytes of %s data\n",
183 wrapped_tok.length, rc ? "private" : "signed");
185 #endif /* GSSSASL_DEBUG */
186 pdulen = htonl(wrapped_tok.length);
187 ptr = calloc(1, sizeof(pdulen) + wrapped_tok.length);
188 memcpy(ptr, &pdulen, sizeof(pdulen));
189 memcpy(&ptr[sizeof(pdulen)], wrapped_tok.value, wrapped_tok.length);
190 rc = send(sock, ptr, sizeof(pdulen) + wrapped_tok.length, 0);
192 if (rc == (wrapped_tok.length + sizeof(pdulen)))
194 gss_release_buffer(&maj_stat, &wrapped_tok);
198 return send(sock, data, len, 0);
203 * Dump the token to stderr
205 static void print_token(gss_buffer_t tok)
208 unsigned char *p = tok->value;
210 for (i = 0; i < (int)tok->length; i++, p++)
212 fprintf(stderr, "%02x ", *p);
215 fprintf(stderr, "\n");
218 fprintf(stderr, "\n");
224 * Handle a GSS-API error
226 static void log_status_impl(const char *reason, OM_uint32 res, int type)
228 OM_uint32 maj_stat, min_stat;
235 maj_stat = gss_display_status(&min_stat,
244 fprintf(stderr, "ldap_adgssapi_bind: %s: %s\n",
248 (void) gss_release_buffer(&min_stat, &msg);
256 * Cover function to handle a GSS-API error
258 static void log_status(const char *reason, OM_uint32 maj_stat,
261 log_status_impl(reason, maj_stat, GSS_C_GSS_CODE);
262 log_status_impl(reason, min_stat, GSS_C_MECH_CODE);
265 #endif /* GSSSASL_DEBUG */
268 * Send a GSS-API token as part of a SASL BindRequest
270 static int send_token(gssldap_client_state_t state, gss_buffer_t send_tok)
274 TRACE("==> send_token");
276 cred.bv_val = send_tok->value;
277 cred.bv_len = send_tok->length;
279 if (ldap_sasl_bind(state->ld,
285 &state->msgid) != LDAP_SUCCESS)
287 LDAP_PERROR(state->ld, "send_token");
288 TRACE("<== send_token");
291 TRACE("<== send_token");
296 * Parse the final result sent back from the server.
298 static int parse_bind_result(gssldap_client_state_t state)
300 LDAPMessage *res = NULL, *msg = NULL;
303 TRACE("==> parse_bind_result");
305 if (ldap_result(state->ld,
311 LDAP_PERROR(state->ld, "ldap_result");
312 TRACE("<== parse_bind_result");
315 for (msg = ldap_first_message(state->ld, res);
317 msg = ldap_next_message(state->ld, msg))
319 if (ldap_msgtype(msg) == LDAP_RES_BIND)
321 ldap_parse_result(state->ld, msg, &rc, NULL, NULL, NULL, NULL, 0);
329 TRACE("<== parse_bind_result");
331 if (rc == LDAP_SUCCESS)
340 * Receive a GSS-API token from a SASL BindResponse
341 * The contents of recv_tok must be freed by the
344 static int recv_token(gssldap_client_state_t state, gss_buffer_t recv_tok)
346 struct berval *servercred = NULL;
347 LDAPMessage *res = NULL, *msg = NULL;
350 TRACE("==> recv_token");
352 if (ldap_result(state->ld, state->msgid, LDAP_MSG_ALL, NULL, &res) <= 0)
354 LDAP_PERROR(state->ld, "ldap_result");
355 TRACE("<== recv_token");
358 recv_tok->value = NULL;
359 recv_tok->length = 0;
361 for (msg = ldap_first_message(state->ld, res);
363 msg = ldap_next_message(state->ld, msg))
365 if (ldap_msgtype(msg) == LDAP_RES_BIND && servercred == NULL)
367 rc = ldap_parse_sasl_bind_result(state->ld,
371 if (rc == LDAP_SUCCESS && servercred != NULL)
373 recv_tok->value = malloc(servercred->bv_len);
374 if (recv_tok->value != NULL)
376 memcpy(recv_tok->value, servercred->bv_val, servercred->bv_len);
377 recv_tok->length = servercred->bv_len;
390 TRACE("<== recv_token");
391 if (servercred != NULL)
393 nslberi_free(servercred);
394 TRACE("<== recv_token");
397 if (state->rc == LDAP_SUCCESS)
399 state->rc = LDAP_OPERATIONS_ERROR;
403 LDAP_PERROR(state->ld, "recv_token");
406 TRACE("<== recv_token");
411 * The client calls GSS_Init_sec_context, passing in 0 for
412 * input_context_handle (initially) and a targ_name equal to output_name
413 * from GSS_Import_Name called with input_name_type of
414 * GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
415 * "service@hostname" where "service" is the service name specified in
416 * the protocol's profile, and "hostname" is the fully qualified host
417 * name of the server. The client then responds with the resulting
418 * output_token. If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
419 * then the client should expect the server to issue a token in a
420 * subsequent challenge. The client must pass the token to another call
421 * to GSS_Init_sec_context, repeating the actions in this paragraph.
423 static int client_establish_context(LDAP *ld, gssldap_client_state_t state,
426 gss_buffer_desc send_tok;
427 gss_buffer_desc recv_tok;
428 gss_buffer_desc *token_ptr;
429 gss_name_t target_name;
432 gss_OID oid = GSS_C_NULL_OID;
435 TRACE("==> client_establish_context");
437 memset(&recv_tok, '\0', sizeof(recv_tok));
438 send_tok.value = service_name;
439 send_tok.length = strlen(send_tok.value) + 1;
441 maj_stat = gss_import_name(&min_stat,
443 (gss_OID) gss_nt_service_name,
445 if (ldap_reset_principal(ld, service_name, target_name))
447 TRACE("<== client_establish_context");
451 token_ptr = GSS_C_NO_BUFFER;
452 state->context = GSS_C_NO_CONTEXT;
456 maj_stat = gss_init_sec_context(&min_stat,
461 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
470 if (token_ptr != GSS_C_NO_BUFFER)
471 (void) gss_release_buffer(&min_stat, &recv_tok);
473 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
475 LOG_STATUS("initializing context", maj_stat, min_stat);
476 (void) gss_release_name(&min_stat, &target_name);
477 TRACE("<== client_establish_context");
483 fprintf(stderr, "Sending init_sec_context token (size=%d)...\n",
486 print_token(&send_tok);
489 if (send_token(state, &send_tok) < 0)
491 TRACE("Send_token failed");
492 (void) gss_release_buffer(&min_stat, &send_tok);
493 (void) gss_release_name(&min_stat, &target_name);
494 TRACE("<== client_establish_context");
497 (void) gss_release_buffer(&min_stat, &send_tok);
498 if (maj_stat == GSS_S_CONTINUE_NEEDED)
500 TRACE("continue needed...");
501 if (recv_token(state, &recv_tok) < 0)
503 TRACE("recv_token failed");
504 (void) gss_release_name(&min_stat, &target_name);
505 TRACE("<== client_establish_context");
511 fprintf(stderr, "Received token (size=%d)...\n",
514 print_token(&recv_tok);
517 token_ptr = &recv_tok;
519 } while (maj_stat == GSS_S_CONTINUE_NEEDED);
521 (void) gss_release_name(&min_stat, &target_name);
523 TRACE("<== client_establish_context");
528 * When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes
529 * the following actions: If the last call to GSS_Init_sec_context
530 * returned an output_token, then the client responds with the
531 * output_token, otherwise the client responds with no data. The client
532 * should then expect the server to issue a token in a subsequent
533 * challenge. The client passes this token to GSS_Unwrap and interprets
534 * the first octet of resulting cleartext as a bit-mask specifying the
535 * security layers supported by the server and the second through fourth
536 * octets as the maximum size output_message to send to the server. The
537 * client then constructs data, with the first octet containing the
538 * bit-mask specifying the selected security layer, the second through
539 * fourth octets containing in network byte order the maximum size
540 * output_message the client is able to receive, and the remaining
541 * octets containing the authorization identity. The client passes the
542 * data to GSS_Wrap with conf_flag set to FALSE, and responds with the
543 * generated output_message. The client can then consider the server
546 static int negotiate_security_options(gssldap_client_state_t state,
551 gss_buffer_desc recv_tok;
552 gss_buffer_desc send_tok;
556 gsssasl_security_negotiation_t send_mask;
557 gsssasl_security_negotiation_t recv_mask;
559 TRACE("==> negotiate_security_options");
561 memset(&send_tok, '\0', sizeof(send_tok));
562 memset(&recv_tok, '\0', sizeof(recv_tok));
563 if ((rc = recv_token(state, &recv_tok)) < 0)
565 TRACE("<== negotiate_security_options (recv_token failed)");
571 fprintf(stderr, "Received token (size=%d)...\n",
574 print_token(&recv_tok);
576 #endif /* GSSSASL_DEBUG */
578 maj_stat = gsssasl_unpack_security_token(&min_stat,
584 if (maj_stat != GSS_S_COMPLETE)
586 LOG_STATUS("unpacking security negotiation token",
589 TRACE("<== negotiate_security_options (unpack failed)");
595 fprintf(stderr, "Received security token level %d size %d\n",
596 recv_mask->security_layer,
597 recv_mask->token_size);
600 if ((~recv_mask->security_layer) & layer)
603 TRACE("<== negotiate_security_options (unsupported security layer)");
606 mask_length = sizeof(recv_mask);
607 send_mask = NSLDAPI_MALLOC(mask_length);
608 if (send_mask == NULL)
611 TRACE("<== negotiate_security_options (malloc failed)");
614 memset(send_mask, '\0', mask_length);
615 send_mask->security_layer = layer;
616 send_mask->token_size = recv_mask->token_size;
617 memcpy(send_mask->identity, "", strlen(""));
623 fprintf(stderr, "Sending security token level %d size %d\n",
624 send_mask->security_layer,
625 send_mask->token_size);
628 maj_stat = gsssasl_pack_security_token(&min_stat,
633 if (maj_stat != GSS_S_COMPLETE)
635 LOG_STATUS("packing security negotiation token", maj_stat, min_stat);
636 NSLDAPI_FREE(send_mask);
637 TRACE("<== negotiate_security_options (pack failed)");
640 if ((rc = send_token(state, &send_tok)) < 0)
642 NSLDAPI_FREE(send_mask);
643 TRACE("<== negotiate_security_options (send_token failed)");
646 rc = parse_bind_result(state);
651 security_context = state->context;
652 security_layer = layer;
653 security_token_size = ntohl(send_mask->token_size);
655 security_token_size >>= 8;
659 NSLDAPI_FREE(send_mask);
660 if (send_tok.value != NULL)
661 gss_release_buffer(&rc, &send_tok);
662 if (recv_tok.value != NULL)
663 gss_release_buffer(&rc, &recv_tok);
664 TRACE("<== negotiate_security_options");
670 * Temporary function to enable debugging
673 LDAP_CALL ldap_gssapi_debug(int on)
679 #endif /* GSSSASL_DEBUG */
682 * Public function for doing a GSS-API SASL bind
685 LDAP_CALL ldap_adgssapi_bind(LDAP *ld, const char *who, int layer)
687 gssldap_client_state_desc state;
692 struct ldap_io_fns iofns;
695 if (!NSLDAPI_VALID_LDAP_POINTER(ld) || ld->ld_defhost == NULL)
700 for (i = 0; i < (int)strlen(ld->ld_defhost); i++)
701 ld->ld_defhost[i] = toupper(ld->ld_defhost[i]);
704 NSLDAPI_MALLOC(sizeof(GSSAPI_LDAP_SERVICE_NAME "@") + strlen(ld->ld_defhost));
705 if (service_name == NULL)
709 strcpy(service_name, GSSAPI_LDAP_SERVICE_NAME "@");
710 realm = strdup(ldap_domain_name);
711 for (i = 0; i < (int)strlen(realm); i++)
712 realm[i] = toupper(realm[i]);
713 strcat(service_name, realm);
719 fprintf(stderr, "LDAP service name: %s\n", service_name);
727 state.context = GSS_C_NO_CONTEXT;
728 state.rc = LDAP_OPERATIONS_ERROR;
730 rc = client_establish_context(ld, &state, service_name);
733 rc = negotiate_security_options(&state, layer);
738 gss_buffer_desc tname;
739 gss_buffer_desc sname;
740 gss_name_t targ_name;
742 OM_uint32 context_flags;
750 maj_stat = gss_inquire_context(&min_stat,
759 if (maj_stat != GSS_S_COMPLETE)
761 LOG_STATUS("inquiring context", maj_stat, min_stat);
762 return LDAP_OPERATIONS_ERROR;
764 maj_stat = gss_display_name(&min_stat,
768 if (maj_stat != GSS_S_COMPLETE)
770 LOG_STATUS("displaying source name", maj_stat, min_stat);
771 return LDAP_OPERATIONS_ERROR;
773 maj_stat = gss_display_name(&min_stat,
777 if (maj_stat != GSS_S_COMPLETE)
779 LOG_STATUS("displaying target name", maj_stat, min_stat);
780 return LDAP_OPERATIONS_ERROR;
785 "\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n",
786 (int) sname.length, (char *) sname.value,
787 (int) tname.length, (char *) tname.value, lifetime,
789 (is_local) ? "locally initiated" : "remotely initiated",
790 (is_open) ? "open" : "closed");
793 (void) gss_release_name(&min_stat, &src_name);
794 (void) gss_release_name(&min_stat, &targ_name);
795 (void) gss_release_buffer(&min_stat, &sname);
796 (void) gss_release_buffer(&min_stat, &tname);
798 state.rc = LDAP_SUCCESS;
801 if (state.rc == LDAP_SUCCESS)
803 if (layer == GSSSASL_PRIVACY_PROTECTION)
805 memset(&iofns, 0, sizeof(iofns));
806 iofns.liof_read = ldap_gssapi_read;
807 iofns.liof_write = ldap_gssapi_write;
808 state.rc = ldap_set_option(ld, LDAP_OPT_IO_FN_PTRS, &iofns);
812 NSLDAPI_FREE(service_name);
813 LDAP_SET_LDERRNO(ld, state.rc, NULL, NULL);
818 /* Wrap and encode a security negotiation token */
819 unsigned long gsssasl_pack_security_token(OM_uint32 *min_stat,
820 gss_ctx_id_t context,
821 gsssasl_security_negotiation_t inmask,
822 size_t masklength, gss_buffer_t wrapped_tok)
826 gss_buffer_desc send_tok;
828 wrapped_tok->length = 0;
829 wrapped_tok->value = NULL;
832 if (masklength < sizeof(gsssasl_security_negotiation_desc))
833 return GSS_S_FAILURE;
836 inmask->token_size = inmask->token_size;
838 send_tok.length = masklength;
839 send_tok.value = inmask;
841 maj_stat = gss_wrap(min_stat,
849 /* inmask->token_size = ntohl(inmask->token_size);*/
854 /* Unwrap and decode a security negotiation token. */
855 int gsssasl_unpack_security_token(OM_uint32 *min_stat, gss_ctx_id_t context,
856 gss_buffer_t wrapped_tok,
857 gsssasl_security_negotiation_t *outmask,
862 gss_buffer_desc recv_tok;
866 memset(&recv_tok, '\0', sizeof(recv_tok));
868 maj_stat = gss_unwrap(min_stat,
874 if (maj_stat != GSS_S_COMPLETE)
879 if (recv_tok.length < sizeof(gsssasl_security_negotiation_desc))
881 gss_release_buffer(&rc, &recv_tok);
882 return GSS_S_FAILURE;
888 * we're lazy and don't copy the token. This could cause
889 * problems if libgssapi uses a different malloc!
891 *masklength = recv_tok.length;
892 *outmask = (gsssasl_security_negotiation_t) recv_tok.value;
893 if (*outmask == NULL)
895 gss_release_buffer(&rc, &recv_tok);
896 return GSS_S_FAILURE;
898 return GSS_S_COMPLETE;
901 int ldap_reset_principal(LDAP *ld, char *service_name, gss_name_t target_name)
903 krb5_context context = NULL;
904 krb5_principal princ;
905 krb5_principal princ1;
906 krb5_principal temp_princ;
908 char *server_name = NULL;
911 princ = (krb5_principal)(target_name);
913 if (krb5_init_context(&context))
916 realm = strdup(ldap_domain_name);
917 for (i = 0; i < (int)strlen(realm); i++)
918 realm[i] = toupper(realm[i]);
919 server_name = strdup(ld->ld_defhost);
920 for (i = 0; i < (int)strlen(server_name); i++)
921 server_name[i] = tolower(server_name[i]);
923 temp_princ = malloc(sizeof(*princ));
924 memcpy(temp_princ, princ, sizeof(*princ));
926 krb5_build_principal(context, &princ1, strlen(realm), realm, "ldap",
927 server_name, ldap_domain_name, 0);
929 memcpy(princ, princ1, sizeof(*princ1));
931 krb5_free_principal(context, temp_princ);
935 if (server_name != NULL)
938 krb5_free_context(context);
942 int ldap_delete_tickets(LDAP *ld, char *service_name)
946 krb5_context context = NULL;
947 krb5_ccache v5Cache = NULL;
949 krb5_cc_cursor v5Cursor;
950 krb5_error_code code;
953 if (!NSLDAPI_VALID_LDAP_POINTER(ld) || ld->ld_defhost == NULL)
958 for (i = 0; i < (int)strlen(ld->ld_defhost); i++)
959 ld->ld_defhost[i] = toupper(ld->ld_defhost[i]);
963 if (krb5_init_context(&context))
966 if (krb5_cc_default(context, &v5Cache))
968 if (krb5_cc_start_seq_get(context, v5Cache, &v5Cursor))
971 memset(&creds, '\0', sizeof(creds));
973 while (!(code = krb5_cc_next_cred(context, v5Cache, &v5Cursor, &creds)))
975 if (krb5_unparse_name(context, creds.server, &sServerName))
977 krb5_free_cred_contents(context, &creds);
980 if (!memcmp(sServerName, service_name, strlen(service_name)))
982 krb5_cc_remove_cred(context, v5Cache, 0, &creds);
987 if ((code == KRB5_CC_END) || (code == KRB5_CC_NOTFOUND))
989 krb5_cc_end_seq_get(context, v5Cache, &v5Cursor);
994 if ((v5Cache != NULL) && (context != NULL))
995 krb5_cc_close(context, v5Cache);
997 krb5_free_context(context);
1001 int locate_ldap_server(char *domain, char **server_name)
1011 unsigned char reply[1024];
1014 strcpy(ldap_domain_name, domain);
1015 sprintf(service, "%s.%s.%s.", LDAP_SERVICE, TCP_PROTOCOL, domain);
1019 memset(reply, '\0', sizeof(reply));
1020 length = res_search(service, C_IN, T_SRV, reply, sizeof(reply));
1024 ptr += sizeof(HEADER);
1025 if ((rc = dn_expand(reply, reply + length, ptr, host,
1030 while (ptr < reply + length)
1032 if ((rc = dn_expand(reply, reply + length, ptr, host,
1036 location_type = (ptr[0] << 8) | ptr[1];
1038 entry_length = (ptr[0] << 8) | ptr[1];
1040 if (location_type == T_SRV)
1042 if ((rc = dn_expand(reply, reply + length, ptr + 6, host,
1046 (*server_name) = strdup(host);
1051 ptr += entry_length;
1054 return(return_code);