2 * Copyright (c) 2018, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
46 * Callback to handle GSS authentication and authorization
48 * @param conn connection file descriptor
49 * @param acceptor_name name of acceptor to present to initiator
50 * @param acceptor_realm realm of acceptor to present to initiator
51 * @param gssctx GSS context
52 * @param auth_cb authorization callback
53 * @param auth_cookie generic data to pass to the authorization callback
54 * @return 0 on successful auth, 1 on disallowed auth, -1 on error
56 static int tr_gss_auth_connection(int conn,
57 const char *acceptor_name,
58 const char *acceptor_realm,
60 TR_GSS_AUTH_FN auth_cb,
64 int auth, autherr = 0;
65 gss_buffer_desc nameBuffer = {0, NULL};
67 nameBuffer.value = talloc_asprintf(NULL, "%s@%s", acceptor_name, acceptor_realm);
68 if (nameBuffer.value == NULL) {
69 tr_err("tr_gss_auth_connection: Error allocating acceptor name.");
72 nameBuffer.length = strlen(nameBuffer.value);
74 rc = gsscon_passive_authenticate(conn, nameBuffer, gssctx, auth_cb, auth_cookie);
75 talloc_free(nameBuffer.value);
77 tr_debug("tr_gss_auth_connection: Error from gsscon_passive_authenticate(), rc = %d.", rc);
81 rc = gsscon_authorize(*gssctx, &auth, &autherr);
83 tr_debug("tr_gss_auth_connection: Error from gsscon_authorize, rc = %d, autherr = %d.",
89 tr_debug("tr_gss_auth_connection: Connection authenticated, conn = %d.", conn);
91 tr_debug("tr_gss_auth_connection: Authentication failed, conn %d.", conn);
97 * Read a request from the GSS connection
99 * @param mem_ctx talloc context for the result
100 * @param conn file descriptor for the connection
101 * @param gssctx GSS context
102 * @return talloc'ed string containing the request, or null on error
104 static char *tr_gss_read_req(TALLOC_CTX *mem_ctx, int conn, gss_ctx_id_t gssctx)
111 err = gsscon_read_encrypted_token(conn, gssctx, &buf, &buflen);
112 if (err || (buf == NULL)) {
115 tr_debug("tr_gss_read_req: Error reading from connection, rc=%d", err);
119 tr_debug("tr_gss_read_req: Read %u bytes.", (unsigned) buflen);
121 // get a talloc'ed version, guaranteed to have a null termination
122 retval = talloc_asprintf(mem_ctx, "%.*s", (int) buflen, buf);
129 * Write a response to the GSS connection
131 * @param conn file descriptor for the connection
132 * @param gssctx GSS context
133 * @param resp encoded response string to send
134 * @return 0 on success, -1 on error
136 static int tr_gss_write_resp(int conn, gss_ctx_id_t gssctx, const char *resp)
140 /* Send the response over the connection */
141 err = gsscon_write_encrypted_token (conn, gssctx, resp, strlen(resp) + 1);
143 tr_debug("tr_gss_send_response: Error sending response over connection, rc=%d.", err);
150 * Handle a request/response connection
152 * Authorizes/authenticates the connection, then reads a response, passes that to a
153 * callback to get a response, sends that, then returns.
155 * @param conn connection file descriptor
156 * @param acceptor_name acceptor name to present
157 * @param acceptor_realm acceptor realm to present
158 * @param auth_cb callback for authorization
159 * @param auth_cookie cookie for the auth_cb
160 * @param req_cb callback to handle the request and produce the response
161 * @param req_cookie cookie for the req_cb
163 void tr_gss_handle_connection(int conn,
164 const char *acceptor_name,
165 const char *acceptor_realm,
166 TR_GSS_AUTH_FN auth_cb,
168 TR_GSS_HANDLE_REQ_FN req_cb,
171 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
172 gss_ctx_id_t gssctx = GSS_C_NO_CONTEXT;
173 char *req_str = NULL;
174 char *resp_str = NULL;
176 if (tr_gss_auth_connection(conn,
182 tr_notice("tr_gss_handle_connection: Error authorizing connection.");
186 tr_debug("tr_gss_handle_connection: Connection authorized");
188 // TODO: should there be a timeout on this?
189 while (1) { /* continue until an error breaks us out */
190 // try to read a request
191 req_str = tr_gss_read_req(tmp_ctx, conn, gssctx);
193 if ( req_str == NULL) {
194 // an error occurred, give up
195 tr_notice("tr_gss_handle_connection: Error reading request");
197 } else if (strlen(req_str) > 0) {
198 // we got a request message, exit the loop and process it
202 // no error, but no message, keep waiting for one
203 talloc_free(req_str); // this would be cleaned up anyway, but may as well free it
206 /* Hand off the request for processing and get the response */
207 resp_str = req_cb(tmp_ctx, req_str, req_cookie);
209 if (resp_str == NULL) {
210 // no response, clean up
215 if (tr_gss_write_resp(conn, gssctx, resp_str)) {
216 tr_notice("tr_gss_handle_connection: Error writing response");
220 talloc_free(tmp_ctx);