gssapictx.c 19.4 KB
Newer Older
Brian Wellington's avatar
Brian Wellington committed
1
/*
Automatic Updater's avatar
Automatic Updater committed
2
 * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
Brian Wellington's avatar
Brian Wellington committed
3
 * Copyright (C) 2000, 2001  Internet Software Consortium.
Brian Wellington's avatar
Brian Wellington committed
4
 *
Automatic Updater's avatar
Automatic Updater committed
5
 * Permission to use, copy, modify, and/or distribute this software for any
Brian Wellington's avatar
Brian Wellington committed
6 7 8
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
Mark Andrews's avatar
Mark Andrews committed
9 10 11 12 13 14 15
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
Brian Wellington's avatar
Brian Wellington committed
16 17
 */

18
/* $Id: gssapictx.c,v 1.17 2010/06/03 02:27:11 marka Exp $ */
Brian Wellington's avatar
Brian Wellington committed
19

Brian Wellington's avatar
Brian Wellington committed
20 21 22
#include <config.h>

#include <stdlib.h>
23
#include <string.h>
Brian Wellington's avatar
Brian Wellington committed
24 25 26 27 28 29 30

#include <isc/buffer.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/once.h>
31
#include <isc/print.h>
32
#include <isc/platform.h>
Brian Wellington's avatar
Brian Wellington committed
33 34 35 36 37 38 39 40 41 42 43 44
#include <isc/random.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>

#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/types.h>
#include <dns/keyvalues.h>
45
#include <dns/log.h>
Brian Wellington's avatar
Brian Wellington committed
46 47 48 49 50 51

#include <dst/gssapi.h>
#include <dst/result.h>

#include "dst_internal.h"

52 53 54 55 56 57 58 59 60
/*
 * If we're using our own SPNEGO implementation (see configure.in),
 * pull it in now.  Otherwise, we just use whatever GSSAPI supplies.
 */
#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
#include "spnego.h"
#define	gss_accept_sec_context	gss_accept_sec_context_spnego
#define	gss_init_sec_context	gss_init_sec_context_spnego
#endif
Brian Wellington's avatar
Brian Wellington committed
61

62 63 64 65 66 67 68 69
/*
 * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
 * one for anything but Kerberos.  Supplying an explicit OID set
 * doesn't appear to hurt anything in other implementations, so we
 * always use one.  If we're not using our own SPNEGO implementation,
 * we include SPNEGO's OID.
 */
#if defined(GSSAPI)
70
#include ISC_PLATFORM_KRB5HEADER
Brian Wellington's avatar
Brian Wellington committed
71

72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99
static unsigned char krb5_mech_oid_bytes[] = {
	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

#ifndef USE_ISC_SPNEGO
static unsigned char spnego_mech_oid_bytes[] = {
	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
};
#endif

static gss_OID_desc mech_oid_set_array[] = {
	{ sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
#ifndef USE_ISC_SPNEGO
	{ sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
#endif
};

static gss_OID_set_desc mech_oid_set = {
	sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
	mech_oid_set_array
};

#endif

#define REGION_TO_GBUFFER(r, gb) \
	do { \
		(gb).length = (r).length; \
		(gb).value = (r).base; \
Brian Wellington's avatar
Brian Wellington committed
100 101
	} while (0)

102 103 104 105
#define GBUFFER_TO_REGION(gb, r) \
	do { \
		(r).length = (gb).length; \
		(r).base = (gb).value; \
Brian Wellington's avatar
Brian Wellington committed
106 107
	} while (0)

108 109 110 111 112

#define RETERR(x) do { \
	result = (x); \
	if (result != ISC_R_SUCCESS) \
		goto out; \
Brian Wellington's avatar
Brian Wellington committed
113 114
	} while (0)

115
#ifdef GSSAPI
Brian Wellington's avatar
Brian Wellington committed
116 117 118 119 120 121 122 123 124 125
static inline void
name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
		gss_buffer_desc *gbuffer)
{
	dns_name_t tname, *namep;
	isc_region_t r;
	isc_result_t result;

	if (!dns_name_isabsolute(name))
		namep = name;
126 127
	else
	{
Brian Wellington's avatar
Brian Wellington committed
128 129 130 131 132 133
		unsigned int labels;
		dns_name_init(&tname, NULL);
		labels = dns_name_countlabels(name);
		dns_name_getlabelsequence(name, 0, labels - 1, &tname);
		namep = &tname;
	}
Automatic Updater's avatar
Automatic Updater committed
134

Brian Wellington's avatar
Brian Wellington committed
135 136 137 138 139 140
	result = dns_name_totext(namep, ISC_FALSE, buffer);
	isc_buffer_putuint8(buffer, 0);
	isc_buffer_usedregion(buffer, &r);
	REGION_TO_GBUFFER(r, *gbuffer);
}

141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179
static void
log_cred(const gss_cred_id_t cred) {
	OM_uint32 gret, minor, lifetime;
	gss_name_t gname;
	gss_buffer_desc gbuffer;
	gss_cred_usage_t usage;
	const char *usage_text;
	char buf[1024];

	gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
	if (gret != GSS_S_COMPLETE) {
		gss_log(3, "failed gss_inquire_cred: %s",
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
		return;
	}

	gret = gss_display_name(&minor, gname, &gbuffer, NULL);
	if (gret != GSS_S_COMPLETE)
		gss_log(3, "failed gss_display_name: %s",
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
	else {
		switch (usage) {
		case GSS_C_BOTH:
			usage_text = "GSS_C_BOTH";
			break;
		case GSS_C_INITIATE:
			usage_text = "GSS_C_INITIATE";
			break;
		case GSS_C_ACCEPT:
			usage_text = "GSS_C_ACCEPT";
			break;
		default:
			usage_text = "???";
		}
		gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
			usage_text, (unsigned long)lifetime);
	}

	if (gret == GSS_S_COMPLETE) {
180 181 182 183 184 185 186
		if (gbuffer.length != 0) {
			gret = gss_release_buffer(&minor, &gbuffer);
			if (gret != GSS_S_COMPLETE)
				gss_log(3, "failed gss_release_buffer: %s",
					gss_error_tostring(gret, minor, buf,
							   sizeof(buf)));
		}
187 188 189 190 191 192 193 194 195
	}

	gret = gss_release_name(&minor, &gname);
	if (gret != GSS_S_COMPLETE)
		gss_log(3, "failed gss_release_name: %s",
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
}
#endif

196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243
#ifdef GSSAPI
/*
 * check for the most common configuration errors.
 *
 * The errors checked for are:
 *   - tkey-gssapi-credential doesn't start with DNS/
 *   - the default realm in /etc/krb5.conf and the
 *     tkey-gssapi-credential bind config option don't match
 */
static void
dst_gssapi_check_config(const char *gss_name) {
	const char *p;
	krb5_context krb5_ctx;
	char *krb5_realm = NULL;

	if (strncasecmp(gss_name, "DNS/", 4) != 0) {
		gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) "
			"should start with 'DNS/'", gss_name);
		return;
	}

	if (krb5_init_context(&krb5_ctx) != 0) {
		gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
		return;
	}
	if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
		gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
		krb5_free_context(krb5_ctx);
		return;
	}
	p = strchr(gss_name, '/');
	if (p == NULL) {
		gss_log(ISC_LOG_ERROR, "badly formatted "
			"tkey-gssapi-credentials (%s)", gss_name);
		krb5_free_context(krb5_ctx);
		return;
	}
	if (strcasecmp(p + 1, krb5_realm) != 0) {
		gss_log(ISC_LOG_ERROR, "default realm from krb5.conf (%s) "
			"does not match tkey-gssapi-credential (%s)",
			krb5_realm, gss_name);
		krb5_free_context(krb5_ctx);
		return;
	}
	krb5_free_context(krb5_ctx);
}
#endif

Brian Wellington's avatar
Brian Wellington committed
244
isc_result_t
245 246 247 248
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
		       gss_cred_id_t *cred)
{
#ifdef GSSAPI
Brian Wellington's avatar
Brian Wellington committed
249 250 251 252 253 254 255 256
	isc_buffer_t namebuf;
	gss_name_t gname;
	gss_buffer_desc gnamebuf;
	unsigned char array[DNS_NAME_MAXTEXT + 1];
	OM_uint32 gret, minor;
	gss_OID_set mechs;
	OM_uint32 lifetime;
	gss_cred_usage_t usage;
257
	char buf[1024];
Brian Wellington's avatar
Brian Wellington committed
258 259 260

	REQUIRE(cred != NULL && *cred == NULL);

261 262 263 264 265 266 267 268 269
	/*
	 * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
	 * here when we're in the acceptor role, which would let us
	 * default the hostname and use a compiled in default service
	 * name of "DNS", giving one less thing to configure in
	 * named.conf.  Unfortunately, this creates a circular
	 * dependency due to DNS-based realm lookup in at least one
	 * GSSAPI implementation (Heimdal).  Oh well.
	 */
Brian Wellington's avatar
Brian Wellington committed
270 271 272
	if (name != NULL) {
		isc_buffer_init(&namebuf, array, sizeof(array));
		name_to_gbuffer(name, &namebuf, &gnamebuf);
273 274 275
		gret = gss_import_name(&minor, &gnamebuf,
				       GSS_C_NO_OID, &gname);
		if (gret != GSS_S_COMPLETE) {
276 277
			dst_gssapi_check_config((char *)array);

278 279 280
			gss_log(3, "failed gss_import_name: %s",
				gss_error_tostring(gret, minor, buf,
						   sizeof(buf)));
Brian Wellington's avatar
Brian Wellington committed
281
			return (ISC_R_FAILURE);
282
		}
Brian Wellington's avatar
Brian Wellington committed
283 284 285
	} else
		gname = NULL;

286 287 288 289 290 291 292 293 294
	/* Get the credentials. */
	if (gname != NULL)
		gss_log(3, "acquiring credentials for %s",
			(char *)gnamebuf.value);
	else {
		/* XXXDCL does this even make any sense? */
		gss_log(3, "acquiring credentials for ?");
	}

Brian Wellington's avatar
Brian Wellington committed
295 296 297 298 299 300
	if (initiate)
		usage = GSS_C_INITIATE;
	else
		usage = GSS_C_ACCEPT;

	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
301 302 303 304 305 306 307 308
				&mech_oid_set,
				usage, cred, &mechs, &lifetime);

	if (gret != GSS_S_COMPLETE) {
		gss_log(3, "failed to acquire %s credentials for %s: %s",
			initiate ? "initiate" : "accept",
			(char *)gnamebuf.value,
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
309
		dst_gssapi_check_config((char *)array);
Brian Wellington's avatar
Brian Wellington committed
310
		return (ISC_R_FAILURE);
311 312 313 314 315 316 317 318
	}

	gss_log(4, "acquired %s credentials for %s",
		initiate ? "initiate" : "accept",
		(char *)gnamebuf.value);

	log_cred(*cred);

Brian Wellington's avatar
Brian Wellington committed
319
	return (ISC_R_SUCCESS);
320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490
#else
	UNUSED(name);
	UNUSED(initiate);
	UNUSED(cred);

	return (ISC_R_NOTIMPLEMENTED);
#endif
}

isc_boolean_t
dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
				    dns_name_t *realm)
{
#ifdef GSSAPI
	char sbuf[DNS_NAME_FORMATSIZE];
	char nbuf[DNS_NAME_FORMATSIZE];
	char rbuf[DNS_NAME_FORMATSIZE];
	char *sname;
	char *rname;

	/*
	 * It is far, far easier to write the names we are looking at into
	 * a string, and do string operations on them.
	 */
	dns_name_format(signer, sbuf, sizeof(sbuf));
	if (name != NULL)
		dns_name_format(name, nbuf, sizeof(nbuf));
	dns_name_format(realm, rbuf, sizeof(rbuf));

	/*
	 * Find the realm portion.  This is the part after the @.  If it
	 * does not exist, we don't have something we like, so we fail our
	 * compare.
	 */
	rname = strstr(sbuf, "\\@");
	if (rname == NULL)
		return (isc_boolean_false);
	*rname = '\0';
	rname += 2;

	/*
	 * Find the host portion of the signer's name.  We do this by
	 * searching for the first / character.  We then check to make
	 * certain the instance name is "host"
	 *
	 * This will work for
	 *    host/example.com@EXAMPLE.COM
	 */
	sname = strchr(sbuf, '/');
	if (sname == NULL)
		return (isc_boolean_false);
	*sname = '\0';
	sname++;
	if (strcmp(sbuf, "host") != 0)
		return (isc_boolean_false);

	/*
	 * Now, we do a simple comparison between the name and the realm.
	 */
	if (name != NULL) {
		if ((strcasecmp(sname, nbuf) == 0)
		    && (strcmp(rname, rbuf) == 0))
			return (isc_boolean_true);
	} else {
		if (strcmp(rname, rbuf) == 0)
			return (isc_boolean_true);
	}

	return (isc_boolean_false);
#else
	UNUSED(signer);
	UNUSED(name);
	UNUSED(realm);
	return (isc_boolean_false);
#endif
}

isc_boolean_t
dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
				  dns_name_t *realm)
{
#ifdef GSSAPI
	char sbuf[DNS_NAME_FORMATSIZE];
	char nbuf[DNS_NAME_FORMATSIZE];
	char rbuf[DNS_NAME_FORMATSIZE];
	char *sname;
	char *nname;
	char *rname;

	/*
	 * It is far, far easier to write the names we are looking at into
	 * a string, and do string operations on them.
	 */
	dns_name_format(signer, sbuf, sizeof(sbuf));
	if (name != NULL)
		dns_name_format(name, nbuf, sizeof(nbuf));
	dns_name_format(realm, rbuf, sizeof(rbuf));

	/*
	 * Find the realm portion.  This is the part after the @.  If it
	 * does not exist, we don't have something we like, so we fail our
	 * compare.
	 */
	rname = strstr(sbuf, "\\@");
	if (rname == NULL)
		return (isc_boolean_false);
	sname = strstr(sbuf, "\\$");
	if (sname == NULL)
		return (isc_boolean_false);

	/*
	 * Verify that the $ and @ follow one another.
	 */
	if (rname - sname != 2)
		return (isc_boolean_false);

	/*
	 * Find the host portion of the signer's name.  Zero out the $ so
	 * it terminates the signer's name, and skip past the @ for
	 * the realm.
	 *
	 * All service principals in Microsoft format seem to be in
	 *    machinename$@EXAMPLE.COM
	 * format.
	 */
	*rname = '\0';
	rname += 2;
	*sname = '\0';
	sname = sbuf;

	/*
	 * Find the first . in the target name, and make it the end of
	 * the string.   The rest of the name has to match the realm.
	 */
	if (name != NULL) {
		nname = strchr(nbuf, '.');
		if (nname == NULL)
			return (isc_boolean_false);
		*nname++ = '\0';
	}

	/*
	 * Now, we do a simple comparison between the name and the realm.
	 */
	if (name != NULL) {
		if ((strcasecmp(sname, nbuf) == 0)
		    && (strcmp(rname, rbuf) == 0)
		    && (strcasecmp(nname, rbuf) == 0))
			return (isc_boolean_true);
	} else {
		if (strcmp(rname, rbuf) == 0)
			return (isc_boolean_true);
	}


	return (isc_boolean_false);
#else
	UNUSED(signer);
	UNUSED(name);
	UNUSED(realm);
	return (isc_boolean_false);
#endif
}

isc_result_t
dst_gssapi_releasecred(gss_cred_id_t *cred) {
#ifdef GSSAPI
	OM_uint32 gret, minor;
	char buf[1024];

	REQUIRE(cred != NULL && *cred != NULL);
Automatic Updater's avatar
Automatic Updater committed
491

492 493 494 495 496 497 498
	gret = gss_release_cred(&minor, cred);
	if (gret != GSS_S_COMPLETE) {
		/* Log the error, but still free the credential's memory */
		gss_log(3, "failed releasing credential: %s",
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
	}
	*cred = NULL;
Automatic Updater's avatar
Automatic Updater committed
499

500 501 502 503 504 505
	return(ISC_R_SUCCESS);
#else
	UNUSED(cred);

	return (ISC_R_NOTIMPLEMENTED);
#endif
Brian Wellington's avatar
Brian Wellington committed
506 507 508
}

isc_result_t
509 510
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx)
Brian Wellington's avatar
Brian Wellington committed
511
{
512
#ifdef GSSAPI
Brian Wellington's avatar
Brian Wellington committed
513 514 515
	isc_region_t r;
	isc_buffer_t namebuf;
	gss_name_t gname;
516
	OM_uint32 gret, minor, ret_flags, flags;
517
	gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
Brian Wellington's avatar
Brian Wellington committed
518
	isc_result_t result;
519
	gss_buffer_desc gnamebuf;
Brian Wellington's avatar
Brian Wellington committed
520
	unsigned char array[DNS_NAME_MAXTEXT + 1];
521
	char buf[1024];
Brian Wellington's avatar
Brian Wellington committed
522

523 524
	/* Client must pass us a valid gss_ctx_id_t here */
	REQUIRE(gssctx != NULL);
Automatic Updater's avatar
Automatic Updater committed
525

Brian Wellington's avatar
Brian Wellington committed
526 527
	isc_buffer_init(&namebuf, array, sizeof(array));
	name_to_gbuffer(name, &namebuf, &gnamebuf);
528 529

	/* Get the name as a GSS name */
Brian Wellington's avatar
Brian Wellington committed
530
	gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
531 532 533 534
	if (gret != GSS_S_COMPLETE) {
		result = ISC_R_FAILURE;
		goto out;
	}
Brian Wellington's avatar
Brian Wellington committed
535 536

	if (intoken != NULL) {
537
		/* Don't call gss_release_buffer for gintoken! */
Brian Wellington's avatar
Brian Wellington committed
538 539
		REGION_TO_GBUFFER(*intoken, gintoken);
		gintokenp = &gintoken;
540
	} else {
Brian Wellington's avatar
Brian Wellington committed
541
		gintokenp = NULL;
542
	}
Brian Wellington's avatar
Brian Wellington committed
543

544 545 546 547
	/*
	 * Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
	 * servers don't like it.
	 */
Brian Wellington's avatar
Brian Wellington committed
548
	flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
549
		GSS_C_INTEG_FLAG;
550 551 552 553 554 555 556 557 558 559 560 561 562

	gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
				    gname, GSS_SPNEGO_MECHANISM, flags,
				    0, NULL, gintokenp,
				    NULL, &gouttoken, &ret_flags, NULL);

	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
		gss_log(3, "Failure initiating security context");
		gss_log(3, "%s", gss_error_tostring(gret, minor,
						    buf, sizeof(buf)));
		result = ISC_R_FAILURE;
		goto out;
	}
Automatic Updater's avatar
Automatic Updater committed
563

564 565 566 567
	/*
	 * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
	 * MUTUAL and INTEG flags, fail if either not set.
	 */
Brian Wellington's avatar
Brian Wellington committed
568

569 570 571 572 573 574 575 576
	/*
	 * RFC 2744 states the a valid output token has a non-zero length.
	 */
	if (gouttoken.length != 0) {
		GBUFFER_TO_REGION(gouttoken, r);
		RETERR(isc_buffer_copyregion(outtoken, &r));
		(void)gss_release_buffer(&minor, &gouttoken);
	}
577 578
	(void)gss_release_name(&minor, &gname);

Brian Wellington's avatar
Brian Wellington committed
579
	if (gret == GSS_S_COMPLETE)
580
		result = ISC_R_SUCCESS;
Brian Wellington's avatar
Brian Wellington committed
581
	else
582
		result = DNS_R_CONTINUE;
Brian Wellington's avatar
Brian Wellington committed
583 584

 out:
585 586 587 588 589 590 591 592 593
	return (result);
#else
	UNUSED(name);
	UNUSED(intoken);
	UNUSED(outtoken);
	UNUSED(gssctx);

	return (ISC_R_NOTIMPLEMENTED);
#endif
Brian Wellington's avatar
Brian Wellington committed
594 595 596
}

isc_result_t
597
dst_gssapi_acceptctx(gss_cred_id_t cred,
598
		     isc_region_t *intoken, isc_buffer_t **outtoken,
599 600
		     gss_ctx_id_t *ctxout, dns_name_t *principal,
		     isc_mem_t *mctx)
Brian Wellington's avatar
Brian Wellington committed
601
{
602
#ifdef GSSAPI
Brian Wellington's avatar
Brian Wellington committed
603 604
	isc_region_t r;
	isc_buffer_t namebuf;
605
	gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
Automatic Updater's avatar
Automatic Updater committed
606
			gouttoken = GSS_C_EMPTY_BUFFER;
607 608 609
	OM_uint32 gret, minor;
	gss_ctx_id_t context = GSS_C_NO_CONTEXT;
	gss_name_t gname = NULL;
Brian Wellington's avatar
Brian Wellington committed
610
	isc_result_t result;
611
	char buf[1024];
Brian Wellington's avatar
Brian Wellington committed
612

613 614
	REQUIRE(outtoken != NULL && *outtoken == NULL);

615
	log_cred(cred);
Brian Wellington's avatar
Brian Wellington committed
616 617 618

	REGION_TO_GBUFFER(*intoken, gintoken);

619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654
	if (*ctxout == NULL)
		context = GSS_C_NO_CONTEXT;
	else
		context = *ctxout;

	gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
				      GSS_C_NO_CHANNEL_BINDINGS, &gname,
				      NULL, &gouttoken, NULL, NULL, NULL);

	result = ISC_R_FAILURE;

	switch (gret) {
	case GSS_S_COMPLETE:
		result = ISC_R_SUCCESS;
		break;
	case GSS_S_CONTINUE_NEEDED:
		result = DNS_R_CONTINUE;
		break;
	case GSS_S_DEFECTIVE_TOKEN:
	case GSS_S_DEFECTIVE_CREDENTIAL:
	case GSS_S_BAD_SIG:
	case GSS_S_DUPLICATE_TOKEN:
	case GSS_S_OLD_TOKEN:
	case GSS_S_NO_CRED:
	case GSS_S_CREDENTIALS_EXPIRED:
	case GSS_S_BAD_BINDINGS:
	case GSS_S_NO_CONTEXT:
	case GSS_S_BAD_MECH:
	case GSS_S_FAILURE:
		result = DNS_R_INVALIDTKEY;
		/* fall through */
	default:
		gss_log(3, "failed gss_accept_sec_context: %s",
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
		return (result);
	}
Brian Wellington's avatar
Brian Wellington committed
655

656
	if (gouttoken.length > 0) {
657
		RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length));
658
		GBUFFER_TO_REGION(gouttoken, r);
659
		RETERR(isc_buffer_copyregion(*outtoken, &r));
660
		(void)gss_release_buffer(&minor, &gouttoken);
661
	}
Brian Wellington's avatar
Brian Wellington committed
662

663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689
	if (gret == GSS_S_COMPLETE) {
		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
		if (gret != GSS_S_COMPLETE) {
			gss_log(3, "failed gss_display_name: %s",
				gss_error_tostring(gret, minor,
						   buf, sizeof(buf)));
			RETERR(ISC_R_FAILURE);
		}

		/*
		 * Compensate for a bug in Solaris8's implementation
		 * of gss_display_name().  Should be harmless in any
		 * case, since principal names really should not
		 * contain null characters.
		 */
		if (gnamebuf.length > 0 &&
		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
			gnamebuf.length--;

		gss_log(3, "gss-api source name (accept) is %.*s",
			(int)gnamebuf.length, (char *)gnamebuf.value);

		GBUFFER_TO_REGION(gnamebuf, r);
		isc_buffer_init(&namebuf, r.base, r.length);
		isc_buffer_add(&namebuf, r.length);

		RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
690
					 0, NULL));
691

692 693 694 695 696 697 698
		if (gnamebuf.length != 0) {
			gret = gss_release_buffer(&minor, &gnamebuf);
			if (gret != GSS_S_COMPLETE)
				gss_log(3, "failed gss_release_buffer: %s",
					gss_error_tostring(gret, minor, buf,
							   sizeof(buf)));
		}
699 700 701
	}

	*ctxout = context;
Brian Wellington's avatar
Brian Wellington committed
702 703

 out:
704 705 706 707 708 709 710
	if (gname != NULL) {
		gret = gss_release_name(&minor, &gname);
		if (gret != GSS_S_COMPLETE)
			gss_log(3, "failed gss_release_name: %s",
				gss_error_tostring(gret, minor, buf,
						   sizeof(buf)));
	}
Brian Wellington's avatar
Brian Wellington committed
711

712
	return (result);
Brian Wellington's avatar
Brian Wellington committed
713 714 715 716
#else
	UNUSED(cred);
	UNUSED(intoken);
	UNUSED(outtoken);
717 718 719 720
	UNUSED(ctxout);
	UNUSED(principal);
	UNUSED(mctx);

Brian Wellington's avatar
Brian Wellington committed
721
	return (ISC_R_NOTIMPLEMENTED);
722
#endif
Brian Wellington's avatar
Brian Wellington committed
723 724 725
}

isc_result_t
726
dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
Brian Wellington's avatar
Brian Wellington committed
727
{
728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746
#ifdef GSSAPI
	OM_uint32 gret, minor;
	char buf[1024];

	UNUSED(mctx);

	REQUIRE(gssctx != NULL && *gssctx != NULL);

	/* Delete the context from the GSS provider */
	gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
	if (gret != GSS_S_COMPLETE) {
		/* Log the error, but still free the context's memory */
		gss_log(3, "Failure deleting security context %s",
			gss_error_tostring(gret, minor, buf, sizeof(buf)));
	}
	return(ISC_R_SUCCESS);
#else
	UNUSED(mctx);
	UNUSED(gssctx);
Brian Wellington's avatar
Brian Wellington committed
747
	return (ISC_R_NOTIMPLEMENTED);
748
#endif
Brian Wellington's avatar
Brian Wellington committed
749 750
}

751 752 753 754
char *
gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
		   char *buf, size_t buflen) {
#ifdef GSSAPI
755
	gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
Automatic Updater's avatar
Automatic Updater committed
756
			msg_major = GSS_C_EMPTY_BUFFER;
757 758 759 760 761
	OM_uint32 msg_ctx, minor_stat;

	/* Handle major status */
	msg_ctx = 0;
	(void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
Automatic Updater's avatar
Automatic Updater committed
762
				 GSS_C_NULL_OID, &msg_ctx, &msg_major);
763 764 765 766 767 768 769 770

	/* Handle minor status */
	msg_ctx = 0;
	(void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
				 GSS_C_NULL_OID, &msg_ctx, &msg_minor);

	snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
		(char *)msg_major.value, (char *)msg_minor.value);
Automatic Updater's avatar
Automatic Updater committed
771

772 773 774 775
	if (msg_major.length != 0)
		(void)gss_release_buffer(&minor_stat, &msg_major);
	if (msg_minor.length != 0)
		(void)gss_release_buffer(&minor_stat, &msg_minor);
776 777 778 779
	return(buf);
#else
	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
		 major, minor);
Automatic Updater's avatar
Automatic Updater committed
780

781
	return (buf);
Brian Wellington's avatar
Brian Wellington committed
782
#endif
783 784 785 786 787 788 789 790 791 792 793
}

void
gss_log(int level, const char *fmt, ...) {
	va_list ap;

	va_start(ap, fmt);
	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
		       DNS_LOGMODULE_TKEY, ISC_LOG_DEBUG(level), fmt, ap);
	va_end(ap);
}
794 795

/*! \file */