2 * Copyright (C) 1998-2000 Luke Howard. All rights reserved.
6 * Implementation of GSS-API client side binding for SASL
14 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <netinet/in.h>
21 #include <arpa/nameser.h>
26 #include "gssldap-int.h"
29 typedef gss_uint32 OM_uint32;
32 char ldap_domain_name[128];
37 #define LDAP_SERVICE "_ldap"
38 #define TCP_PROTOCOL "_tcp"
40 int locate_ldap_server(char *domain, char **server_name);
41 int ldap_delete_tickets(LDAP *ld, char *service_name);
42 static int negotiate_security_options(gssldap_client_state_t state,
44 int ldap_reset_principal(LDAP *ld, char *service_name, gss_name_t target_name);
45 unsigned long gsssasl_pack_security_token(OM_uint32 *min_stat, gss_ctx_id_t context,
46 gsssasl_security_negotiation_t inmask,
47 size_t masklength, gss_buffer_t wrapped_tok);
49 int gsssasl_unpack_security_token(OM_uint32 *min_stat, gss_ctx_id_t context,
50 gss_buffer_t wrapped_tok,
51 gsssasl_security_negotiation_t *outmask,
55 static int debug_ = 1;
56 #define TRACE(x) do { if (debug_) fprintf(stderr, "%s\n", x); fflush(stderr); } while (0);
57 #define LDAP_PERROR(ld, x) do { if (debug_) ldap_perror(ld, x); } while (0);
58 #define LOG_STATUS(msg, min, maj) log_status(msg, min, maj)
61 #define LDAP_PERROR(ld, x)
62 #define LOG_STATUS(msg, min, maj)
63 #endif /* GSSSASL_DEBUG */
65 #ifdef HACK_SERVICE_NAME
66 char *__service = NULL;
70 * The read and write fns need to access the context in here and
71 * there doesn't appear to be a way to pass this info to them.
73 static gss_ctx_id_t security_context;
74 static int security_layer = 0;
75 static int security_token_size = 0;
77 LDAP_CALLBACK int LDAP_C ldap_gssapi_read(LBER_SOCKET sock, void *data,
84 gss_buffer_desc recv_tok;
85 gss_buffer_desc wrapped_tok;
88 (GSSSASL_INTEGRITY_PROTECTION | GSSSASL_PRIVACY_PROTECTION))
90 if (recv(sock, (char *)&pdulen, sizeof(pdulen), 0) != sizeof(pdulen))
92 wrapped_tok.length = ntohl(pdulen);
96 fprintf(stderr, "Reading data of %d octets\n",
99 #endif /* GSSSASL_DEBUG */
100 if ((int)wrapped_tok.length > security_token_size)
102 wrapped_tok.value = malloc(wrapped_tok.length);
103 if (wrapped_tok.value == NULL)
105 if (recv(sock, wrapped_tok.value, wrapped_tok.length, 0)
106 != (int)wrapped_tok.length)
108 gss_release_buffer(&rc, &wrapped_tok);
111 maj_stat = gss_unwrap(&min_stat,
117 if (maj_stat != GSS_S_COMPLETE)
119 gss_release_buffer(&rc, &wrapped_tok);
125 fprintf(stderr, "Got %d bytes of %s data\n",
126 recv_tok.length, rc ? "private" : "signed");
128 #endif /* GSSSASL_DEBUG */
129 if ((int)recv_tok.length > len)
131 gss_release_buffer(&rc, &recv_tok);
132 gss_release_buffer(&rc, &wrapped_tok);
133 return GSS_S_FAILURE;
135 memcpy(data, recv_tok.value, recv_tok.length);
136 pdulen = recv_tok.length;
137 gss_release_buffer(&rc, &recv_tok);
138 gss_release_buffer(&rc, &wrapped_tok);
143 return read(sock, data, len);
146 LDAP_CALLBACK int LDAP_C ldap_gssapi_write(LBER_SOCKET sock, const void *data,
153 gss_buffer_desc send_tok;
154 gss_buffer_desc wrapped_tok;
158 (GSSSASL_INTEGRITY_PROTECTION | GSSSASL_PRIVACY_PROTECTION))
160 send_tok.length = len;
161 send_tok.value = (void *) data;
165 fprintf(stderr, "Sending %d bytes of data\n",
168 #endif /* GSSSASL_DEBUG */
169 maj_stat = gss_wrap(&min_stat,
171 (security_layer & GSSSASL_PRIVACY_PROTECTION) ? 1 : 0,
176 if (maj_stat != GSS_S_COMPLETE)
181 fprintf(stderr, "Sent %d bytes of %s data\n",
182 wrapped_tok.length, rc ? "private" : "signed");
184 #endif /* GSSSASL_DEBUG */
185 pdulen = htonl(wrapped_tok.length);
186 ptr = calloc(1, sizeof(pdulen) + wrapped_tok.length);
187 memcpy(ptr, &pdulen, sizeof(pdulen));
188 memcpy(&ptr[sizeof(pdulen)], wrapped_tok.value, wrapped_tok.length);
189 rc = send(sock, ptr, sizeof(pdulen) + wrapped_tok.length, 0);
191 if (rc == (wrapped_tok.length + sizeof(pdulen)))
193 gss_release_buffer(&maj_stat, &wrapped_tok);
197 return send(sock, data, len, 0);
202 * Dump the token to stderr
204 static void print_token(gss_buffer_t tok)
207 unsigned char *p = tok->value;
209 for (i = 0; i < (int)tok->length; i++, p++)
211 fprintf(stderr, "%02x ", *p);
214 fprintf(stderr, "\n");
217 fprintf(stderr, "\n");
223 * Handle a GSS-API error
225 static void log_status_impl(const char *reason, OM_uint32 res, int type)
227 OM_uint32 maj_stat, min_stat;
234 maj_stat = gss_display_status(&min_stat,
243 fprintf(stderr, "ldap_adgssapi_bind: %s: %s\n",
247 (void) gss_release_buffer(&min_stat, &msg);
255 * Cover function to handle a GSS-API error
257 static void log_status(const char *reason, OM_uint32 maj_stat,
260 log_status_impl(reason, maj_stat, GSS_C_GSS_CODE);
261 log_status_impl(reason, min_stat, GSS_C_MECH_CODE);
264 #endif /* GSSSASL_DEBUG */
267 * Send a GSS-API token as part of a SASL BindRequest
269 static int send_token(gssldap_client_state_t state, gss_buffer_t send_tok)
273 TRACE("==> send_token");
275 cred.bv_val = send_tok->value;
276 cred.bv_len = send_tok->length;
278 if (ldap_sasl_bind(state->ld,
284 &state->msgid) != LDAP_SUCCESS)
286 LDAP_PERROR(state->ld, "send_token");
287 TRACE("<== send_token");
290 TRACE("<== send_token");
295 * Parse the final result sent back from the server.
297 static int parse_bind_result(gssldap_client_state_t state)
299 LDAPMessage *res = NULL, *msg = NULL;
302 TRACE("==> parse_bind_result");
304 if (ldap_result(state->ld,
310 LDAP_PERROR(state->ld, "ldap_result");
311 TRACE("<== parse_bind_result");
314 for (msg = ldap_first_message(state->ld, res);
316 msg = ldap_next_message(state->ld, msg))
318 if (ldap_msgtype(msg) == LDAP_RES_BIND)
320 ldap_parse_result(state->ld, msg, &rc, NULL, NULL, NULL, NULL, 0);
328 TRACE("<== parse_bind_result");
330 if (rc == LDAP_SUCCESS)
339 * Receive a GSS-API token from a SASL BindResponse
340 * The contents of recv_tok must be freed by the
343 static int recv_token(gssldap_client_state_t state, gss_buffer_t recv_tok)
345 struct berval *servercred = NULL;
346 LDAPMessage *res = NULL, *msg = NULL;
349 TRACE("==> recv_token");
351 if (ldap_result(state->ld, state->msgid, LDAP_MSG_ALL, NULL, &res) <= 0)
353 LDAP_PERROR(state->ld, "ldap_result");
354 TRACE("<== recv_token");
357 recv_tok->value = NULL;
358 recv_tok->length = 0;
360 for (msg = ldap_first_message(state->ld, res);
362 msg = ldap_next_message(state->ld, msg))
364 if (ldap_msgtype(msg) == LDAP_RES_BIND && servercred == NULL)
366 rc = ldap_parse_sasl_bind_result(state->ld,
370 if (rc == LDAP_SUCCESS && servercred != NULL)
372 recv_tok->value = malloc(servercred->bv_len);
373 if (recv_tok->value != NULL)
375 memcpy(recv_tok->value, servercred->bv_val, servercred->bv_len);
376 recv_tok->length = servercred->bv_len;
389 TRACE("<== recv_token");
390 if (servercred != NULL)
392 nslberi_free(servercred);
393 TRACE("<== recv_token");
396 if (state->rc == LDAP_SUCCESS)
398 state->rc = LDAP_OPERATIONS_ERROR;
402 LDAP_PERROR(state->ld, "recv_token");
405 TRACE("<== recv_token");
410 * The client calls GSS_Init_sec_context, passing in 0 for
411 * input_context_handle (initially) and a targ_name equal to output_name
412 * from GSS_Import_Name called with input_name_type of
413 * GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
414 * "service@hostname" where "service" is the service name specified in
415 * the protocol's profile, and "hostname" is the fully qualified host
416 * name of the server. The client then responds with the resulting
417 * output_token. If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
418 * then the client should expect the server to issue a token in a
419 * subsequent challenge. The client must pass the token to another call
420 * to GSS_Init_sec_context, repeating the actions in this paragraph.
422 static int client_establish_context(LDAP *ld, gssldap_client_state_t state,
425 gss_buffer_desc send_tok;
426 gss_buffer_desc recv_tok;
427 gss_buffer_desc *token_ptr;
428 gss_name_t target_name;
431 gss_OID oid = GSS_C_NULL_OID;
434 TRACE("==> client_establish_context");
436 memset(&recv_tok, '\0', sizeof(recv_tok));
437 send_tok.value = service_name;
438 send_tok.length = strlen(send_tok.value) + 1;
440 maj_stat = gss_import_name(&min_stat,
442 (gss_OID) gss_nt_service_name,
444 if (ldap_reset_principal(ld, service_name, target_name))
446 TRACE("<== client_establish_context");
450 token_ptr = GSS_C_NO_BUFFER;
451 state->context = GSS_C_NO_CONTEXT;
455 maj_stat = gss_init_sec_context(&min_stat,
460 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
469 if (token_ptr != GSS_C_NO_BUFFER)
470 (void) gss_release_buffer(&min_stat, &recv_tok);
472 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
474 LOG_STATUS("initializing context", maj_stat, min_stat);
475 (void) gss_release_name(&min_stat, &target_name);
476 TRACE("<== client_establish_context");
482 fprintf(stderr, "Sending init_sec_context token (size=%d)...\n",
485 print_token(&send_tok);
488 if (send_token(state, &send_tok) < 0)
490 TRACE("Send_token failed");
491 (void) gss_release_buffer(&min_stat, &send_tok);
492 (void) gss_release_name(&min_stat, &target_name);
493 TRACE("<== client_establish_context");
496 (void) gss_release_buffer(&min_stat, &send_tok);
497 if (maj_stat == GSS_S_CONTINUE_NEEDED)
499 TRACE("continue needed...");
500 if (recv_token(state, &recv_tok) < 0)
502 TRACE("recv_token failed");
503 (void) gss_release_name(&min_stat, &target_name);
504 TRACE("<== client_establish_context");
510 fprintf(stderr, "Received token (size=%d)...\n",
513 print_token(&recv_tok);
516 token_ptr = &recv_tok;
518 } while (maj_stat == GSS_S_CONTINUE_NEEDED);
520 (void) gss_release_name(&min_stat, &target_name);
522 TRACE("<== client_establish_context");
527 * When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes
528 * the following actions: If the last call to GSS_Init_sec_context
529 * returned an output_token, then the client responds with the
530 * output_token, otherwise the client responds with no data. The client
531 * should then expect the server to issue a token in a subsequent
532 * challenge. The client passes this token to GSS_Unwrap and interprets
533 * the first octet of resulting cleartext as a bit-mask specifying the
534 * security layers supported by the server and the second through fourth
535 * octets as the maximum size output_message to send to the server. The
536 * client then constructs data, with the first octet containing the
537 * bit-mask specifying the selected security layer, the second through
538 * fourth octets containing in network byte order the maximum size
539 * output_message the client is able to receive, and the remaining
540 * octets containing the authorization identity. The client passes the
541 * data to GSS_Wrap with conf_flag set to FALSE, and responds with the
542 * generated output_message. The client can then consider the server
545 static int negotiate_security_options(gssldap_client_state_t state,
550 gss_buffer_desc recv_tok;
551 gss_buffer_desc send_tok;
554 gsssasl_security_negotiation_t send_mask;
555 gsssasl_security_negotiation_t recv_mask;
557 TRACE("==> negotiate_security_options");
559 memset(&send_tok, '\0', sizeof(send_tok));
560 memset(&recv_tok, '\0', sizeof(recv_tok));
561 if ((rc = recv_token(state, &recv_tok)) < 0)
563 TRACE("<== negotiate_security_options (recv_token failed)");
569 fprintf(stderr, "Received token (size=%d)...\n",
572 print_token(&recv_tok);
574 #endif /* GSSSASL_DEBUG */
576 maj_stat = gsssasl_unpack_security_token(&min_stat,
582 if (maj_stat != GSS_S_COMPLETE)
584 LOG_STATUS("unpacking security negotiation token",
587 TRACE("<== negotiate_security_options (unpack failed)");
593 fprintf(stderr, "Received security token level %d size %d\n",
594 recv_mask->security_layer,
595 recv_mask->token_size);
598 if ((~recv_mask->security_layer) & layer)
601 TRACE("<== negotiate_security_options (unsupported security layer)");
604 mask_length = sizeof(recv_mask) +
605 GSSAPI_LDAP_DN_PREFIX_LEN + strlen(state->binddn);
606 send_mask = NSLDAPI_MALLOC(mask_length);
607 if (send_mask == NULL)
610 TRACE("<== negotiate_security_options (malloc failed)");
613 send_mask->security_layer = layer;
614 send_mask->token_size = recv_mask->token_size;
615 memcpy(send_mask->identity, GSSAPI_LDAP_DN_PREFIX, GSSAPI_LDAP_DN_PREFIX_LEN);
616 memcpy(send_mask->identity + GSSAPI_LDAP_DN_PREFIX_LEN,
618 mask_length - sizeof(recv_mask) - GSSAPI_LDAP_DN_PREFIX_LEN);
624 fprintf(stderr, "Sending security token level %d size %d\n",
625 send_mask->security_layer,
626 send_mask->token_size);
629 maj_stat = gsssasl_pack_security_token(&min_stat,
634 if (maj_stat != GSS_S_COMPLETE)
636 LOG_STATUS("packing security negotiation token", maj_stat, min_stat);
637 NSLDAPI_FREE(send_mask);
638 TRACE("<== negotiate_security_options (pack failed)");
641 if ((rc = send_token(state, &send_tok)) < 0)
643 NSLDAPI_FREE(send_mask);
644 TRACE("<== negotiate_security_options (send_token failed)");
647 rc = parse_bind_result(state);
651 security_context = state->context;
652 security_layer = layer;
653 security_token_size = send_mask->token_size;
656 NSLDAPI_FREE(send_mask);
657 if (send_tok.value != NULL)
658 gss_release_buffer(&rc, &send_tok);
659 if (recv_tok.value != NULL)
660 gss_release_buffer(&rc, &recv_tok);
661 TRACE("<== negotiate_security_options");
667 * Temporary function to enable debugging
670 LDAP_CALL ldap_gssapi_debug(int on)
676 #endif /* GSSSASL_DEBUG */
679 * Public function for doing a GSS-API SASL bind
682 LDAP_CALL ldap_adgssapi_bind(LDAP *ld, const char *who, int layer)
684 gssldap_client_state_desc state;
689 struct ldap_io_fns iofns;
691 if (!NSLDAPI_VALID_LDAP_POINTER(ld) || ld->ld_defhost == NULL)
696 for (i = 0; i < (int)strlen(ld->ld_defhost); i++)
697 ld->ld_defhost[i] = toupper(ld->ld_defhost[i]);
700 NSLDAPI_MALLOC(sizeof(GSSAPI_LDAP_SERVICE_NAME "@") + strlen(ld->ld_defhost));
701 if (service_name == NULL)
705 strcpy(service_name, GSSAPI_LDAP_SERVICE_NAME "@");
706 strcat(service_name, ld->ld_defhost);
711 fprintf(stderr, "LDAP service name: %s\n", service_name);
719 state.context = GSS_C_NO_CONTEXT;
720 state.rc = LDAP_OPERATIONS_ERROR;
722 rc = client_establish_context(ld, &state, service_name);
725 rc = negotiate_security_options(&state, layer);
730 gss_buffer_desc tname;
731 gss_buffer_desc sname;
732 gss_name_t targ_name;
734 OM_uint32 context_flags;
742 maj_stat = gss_inquire_context(&min_stat,
751 if (maj_stat != GSS_S_COMPLETE)
753 LOG_STATUS("inquiring context", maj_stat, min_stat);
754 return LDAP_OPERATIONS_ERROR;
756 maj_stat = gss_display_name(&min_stat,
760 if (maj_stat != GSS_S_COMPLETE)
762 LOG_STATUS("displaying source name", maj_stat, min_stat);
763 return LDAP_OPERATIONS_ERROR;
765 maj_stat = gss_display_name(&min_stat,
769 if (maj_stat != GSS_S_COMPLETE)
771 LOG_STATUS("displaying target name", maj_stat, min_stat);
772 return LDAP_OPERATIONS_ERROR;
777 "\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n",
778 (int) sname.length, (char *) sname.value,
779 (int) tname.length, (char *) tname.value, lifetime,
781 (is_local) ? "locally initiated" : "remotely initiated",
782 (is_open) ? "open" : "closed");
785 (void) gss_release_name(&min_stat, &src_name);
786 (void) gss_release_name(&min_stat, &targ_name);
787 (void) gss_release_buffer(&min_stat, &sname);
788 (void) gss_release_buffer(&min_stat, &tname);
790 state.rc = LDAP_SUCCESS;
793 if (state.rc == LDAP_SUCCESS)
795 if (layer == GSSSASL_PRIVACY_PROTECTION)
797 memset(&iofns, 0, sizeof(iofns));
798 iofns.liof_read = ldap_gssapi_read;
799 iofns.liof_write = ldap_gssapi_write;
800 state.rc = ldap_set_option(ld, LDAP_OPT_IO_FN_PTRS, &iofns);
804 NSLDAPI_FREE(service_name);
805 LDAP_SET_LDERRNO(ld, state.rc, NULL, NULL);
810 /* Wrap and encode a security negotiation token */
811 unsigned long gsssasl_pack_security_token(OM_uint32 *min_stat,
812 gss_ctx_id_t context,
813 gsssasl_security_negotiation_t inmask,
814 size_t masklength, gss_buffer_t wrapped_tok)
818 gss_buffer_desc send_tok;
820 wrapped_tok->length = 0;
821 wrapped_tok->value = NULL;
823 if (masklength < sizeof(gsssasl_security_negotiation_desc))
824 return GSS_S_FAILURE;
826 inmask->token_size = htonl(inmask->token_size);
828 send_tok.length = masklength;
829 send_tok.value = inmask;
831 maj_stat = gss_wrap(min_stat,
839 inmask->token_size = ntohl(inmask->token_size);
844 /* Unwrap and decode a security negotiation token. */
845 int gsssasl_unpack_security_token(OM_uint32 *min_stat, gss_ctx_id_t context,
846 gss_buffer_t wrapped_tok,
847 gsssasl_security_negotiation_t *outmask,
852 gss_buffer_desc recv_tok;
856 memset(&recv_tok, '\0', sizeof(recv_tok));
858 maj_stat = gss_unwrap(min_stat,
864 if (maj_stat != GSS_S_COMPLETE)
869 if (recv_tok.length < sizeof(gsssasl_security_negotiation_desc))
871 gss_release_buffer(&rc, &recv_tok);
872 return GSS_S_FAILURE;
878 * we're lazy and don't copy the token. This could cause
879 * problems if libgssapi uses a different malloc!
881 *masklength = recv_tok.length;
882 *outmask = (gsssasl_security_negotiation_t) recv_tok.value;
883 if (*outmask == NULL)
885 gss_release_buffer(&rc, &recv_tok);
886 return GSS_S_FAILURE;
888 return GSS_S_COMPLETE;
891 int ldap_reset_principal(LDAP *ld, char *service_name, gss_name_t target_name)
893 krb5_context context = NULL;
894 krb5_principal princ;
895 krb5_principal princ1;
896 krb5_principal temp_princ;
898 char *server_name = NULL;
901 princ = (krb5_principal)(target_name);
903 if (krb5_init_context(&context))
906 realm = strdup(ldap_domain_name);
907 for (i = 0; i < (int)strlen(realm); i++)
908 realm[i] = toupper(realm[i]);
909 server_name = strdup(ld->ld_defhost);
910 for (i = 0; i < (int)strlen(server_name); i++)
911 server_name[i] = tolower(server_name[i]);
913 temp_princ = malloc(sizeof(*princ));
914 memcpy(temp_princ, princ, sizeof(*princ));
916 krb5_build_principal(context, &princ1, strlen(realm), realm, "ldap",
917 server_name, ldap_domain_name, 0);
919 memcpy(princ, princ1, sizeof(*princ1));
921 krb5_free_principal(context, temp_princ);
925 if (server_name != NULL)
928 krb5_free_context(context);
932 int ldap_delete_tickets(LDAP *ld, char *service_name)
936 krb5_context context = NULL;
937 krb5_ccache v5Cache = NULL;
939 krb5_cc_cursor v5Cursor;
940 krb5_error_code code;
943 if (!NSLDAPI_VALID_LDAP_POINTER(ld) || ld->ld_defhost == NULL)
948 for (i = 0; i < (int)strlen(ld->ld_defhost); i++)
949 ld->ld_defhost[i] = toupper(ld->ld_defhost[i]);
953 if (krb5_init_context(&context))
956 if (krb5_cc_default(context, &v5Cache))
958 if (krb5_cc_start_seq_get(context, v5Cache, &v5Cursor))
961 memset(&creds, '\0', sizeof(creds));
963 while (!(code = krb5_cc_next_cred(context, v5Cache, &v5Cursor, &creds)))
965 if (krb5_unparse_name(context, creds.server, &sServerName))
967 krb5_free_cred_contents(context, &creds);
970 if (!memcmp(sServerName, service_name, strlen(service_name)))
972 krb5_cc_remove_cred(context, v5Cache, 0, &creds);
977 if ((code == KRB5_CC_END) || (code == KRB5_CC_NOTFOUND))
979 krb5_cc_end_seq_get(context, v5Cache, &v5Cursor);
984 if ((v5Cache != NULL) && (context != NULL))
985 krb5_cc_close(context, v5Cache);
987 krb5_free_context(context);
991 int locate_ldap_server(char *domain, char **server_name)
1001 unsigned char reply[1024];
1004 strcpy(ldap_domain_name, domain);
1005 sprintf(service, "%s.%s.%s.", LDAP_SERVICE, TCP_PROTOCOL, domain);
1009 memset(reply, '\0', sizeof(reply));
1010 length = res_search(service, C_IN, T_SRV, reply, sizeof(reply));
1014 ptr += sizeof(HEADER);
1015 if ((rc = dn_expand(reply, reply + length, ptr, host,
1020 while (ptr < reply + length)
1022 if ((rc = dn_expand(reply, reply + length, ptr, host,
1026 location_type = (ptr[0] << 8) | ptr[1];
1028 entry_length = (ptr[0] << 8) | ptr[1];
1030 if (location_type == T_SRV)
1032 if ((rc = dn_expand(reply, reply + length, ptr + 6, host,
1036 (*server_name) = strdup(host);
1041 ptr += entry_length;
1044 return(return_code);