📄 squid_kerb_auth.c
字号:
if (debug) fprintf(stderr, "%s| %s: Oversized message\n", LogTime(), PROGRAM); fprintf(stdout, "NA Oversized message\n"); err = 0; continue; } if (debug) fprintf(stderr, "%s| %s: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf?buf:"NULL",length); if (buf[0] == '\0') { if (debug) fprintf(stderr, "%s| %s: Invalid request\n", LogTime(), PROGRAM); fprintf(stdout, "NA Invalid request\n"); continue; } if (strlen(buf) < 2) { if (debug) fprintf(stderr, "%s| %s: Invalid request [%s]\n", LogTime(), PROGRAM, buf); fprintf(stdout, "NA Invalid request\n"); continue; } if ( !strncmp(buf, "QQ", 2) ) { gss_release_buffer(&minor_status, &input_token); gss_release_buffer(&minor_status, &output_token); gss_release_buffer(&minor_status, &service); gss_release_cred(&minor_status, &server_creds); gss_release_cred(&minor_status, &delegated_cred); gss_release_name(&minor_status, &server_name); gss_release_name(&minor_status, &client_name); gss_delete_sec_context(&minor_status, &gss_context, NULL); if (kerberosToken) { /* Allocated by parseNegTokenInit, but no matching free function exists.. */ if (!spnego_flag) free((char *)kerberosToken); kerberosToken=NULL; } if (spnego_flag) { /* Allocated by makeNegTokenTarg, but no matching free function exists.. */ if (spnegoToken) free((char *)spnegoToken); spnegoToken=NULL; } if (token) { free(token); token=NULL; } if (host_name) { free(host_name); host_name=NULL; } exit(0); } if ( !strncmp(buf, "YR", 2) && !strncmp(buf, "KK", 2) ) { if (debug) fprintf(stderr, "%s| %s: Invalid request [%s]\n", LogTime(), PROGRAM, buf); fprintf(stdout, "NA Invalid request\n"); continue; } if ( !strncmp(buf, "YR", 2) ){ if (gss_context != GSS_C_NO_CONTEXT ) gss_delete_sec_context(&minor_status, &gss_context, NULL); gss_context = GSS_C_NO_CONTEXT; } if (strlen(buf) <= 3) { if (debug) fprintf(stderr, "%s| %s: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf); fprintf(stdout, "NA Invalid negotiate request\n"); continue; } input_token.length = base64_decode_len(buf+3); input_token.value = malloc(input_token.length); base64_decode(input_token.value,buf+3,input_token.length); #ifndef HAVE_SPNEGO if (( rc=parseNegTokenInit (input_token.value, input_token.length, &kerberosToken, &kerberosTokenLength))!=0 ){ if (debug) fprintf(stderr, "%s| %s: parseNegTokenInit failed with rc=%d\n", LogTime(), PROGRAM, rc); /* if between 100 and 200 it might be a GSSAPI token and not a SPNEGO token */ if ( rc < 100 || rc > 199 ) { if (debug) fprintf(stderr, "%s| %s: Invalid GSS-SPNEGO query [%s]\n", LogTime(), PROGRAM, buf); fprintf(stdout, "NA Invalid GSS-SPNEGO query\n"); goto cleanup; } if ((input_token.length >= sizeof ntlmProtocol + 1) && (!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { if (debug) fprintf(stderr, "%s| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); fprintf(stdout, "NA received type %d NTLM token\n",(int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); goto cleanup; } spnego_flag=0; } else { gss_release_buffer(&minor_status, &input_token); input_token.length=kerberosTokenLength; input_token.value=(void *)kerberosToken; spnego_flag=1; }#else if ((input_token.length >= sizeof ntlmProtocol + 1) && (!memcmp (input_token.value, ntlmProtocol, sizeof ntlmProtocol))) { if (debug) fprintf(stderr, "%s| %s: received type %d NTLM token\n", LogTime(), PROGRAM, (int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); fprintf(stdout, "NA received type %d NTLM token\n",(int) *((unsigned char *)input_token.value + sizeof ntlmProtocol)); goto cleanup; } #endif if ( service_principal ) { if ( strcasecmp(service_principal,"GSS_C_NO_NAME") ){ major_status = gss_import_name(&minor_status, &service, (gss_OID) GSS_C_NULL_OID, &server_name); } else { server_name = GSS_C_NO_NAME; major_status = GSS_S_COMPLETE; } } else { major_status = gss_import_name(&minor_status, &service, gss_nt_service_name, &server_name); } if ( check_gss_err(major_status,minor_status,"gss_import_name()",debug,loging) ) goto cleanup; major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); if (check_gss_err(major_status,minor_status,"gss_acquire_cred()",debug,loging) ) goto cleanup; major_status = gss_accept_sec_context(&minor_status, &gss_context, server_creds, &input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL, &output_token, &ret_flags, NULL, &delegated_cred); if (output_token.length) {#ifndef HAVE_SPNEGO if (spnego_flag) { if ((rc=makeNegTokenTarg (output_token.value, output_token.length, &spnegoToken, &spnegoTokenLength))!=0 ) { if (debug) fprintf(stderr, "%s| %s: makeNegTokenTarg failed with rc=%d\n", LogTime(), PROGRAM, rc); fprintf(stdout, "NA makeNegTokenTarg failed with rc=%d\n",rc); goto cleanup; } } else { spnegoToken = output_token.value; spnegoTokenLength = output_token.length; }#else spnegoToken = output_token.value; spnegoTokenLength = output_token.length;#endif token = malloc(base64_encode_len(spnegoTokenLength)); if (token == NULL) { if (debug) fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), PROGRAM); fprintf(stdout, "NA Not enough memory\n"); goto cleanup; } base64_encode(token,(const char *)spnegoToken,base64_encode_len(spnegoTokenLength),spnegoTokenLength); if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,loging) ) goto cleanup; if (major_status & GSS_S_CONTINUE_NEEDED) { if (debug) fprintf(stderr, "%s| %s: continuation needed\n", LogTime(), PROGRAM); fprintf(stdout, "TT %s\n",token); goto cleanup; } gss_release_buffer(&minor_status, &output_token); major_status = gss_display_name(&minor_status, client_name, &output_token, NULL); if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,loging) ) goto cleanup; fprintf(stdout, "AF %s %s\n",token,(char *)output_token.value); if (debug) fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token,(char *)output_token.value); if (loging) fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value); goto cleanup; } else { if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,loging) ) goto cleanup; if (major_status & GSS_S_CONTINUE_NEEDED) { if (debug) fprintf(stderr, "%s| %s: continuation needed\n", LogTime(), PROGRAM); fprintf(stdout, "NA No token to return to continue\n"); goto cleanup; } gss_release_buffer(&minor_status, &output_token); major_status = gss_display_name(&minor_status, client_name, &output_token, NULL); if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,loging) ) goto cleanup; /* * Return dummy token AA. May need an extra return tag then AF */ fprintf(stdout, "AF %s %s\n","AA==",(char *)output_token.value); if (debug) fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", (char *)output_token.value); if (loging) fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);cleanup: gss_release_buffer(&minor_status, &input_token); gss_release_buffer(&minor_status, &output_token); gss_release_cred(&minor_status, &server_creds); gss_release_cred(&minor_status, &delegated_cred); gss_release_name(&minor_status, &server_name); gss_release_name(&minor_status, &client_name); if (kerberosToken) { /* Allocated by parseNegTokenInit, but no matching free function exists.. */ if (!spnego_flag) free((char *)kerberosToken); kerberosToken=NULL; } if (spnego_flag) { /* Allocated by makeNegTokenTarg, but no matching free function exists.. */ if (spnegoToken) free((char *)spnegoToken); spnegoToken=NULL; } if (token) { free(token); token=NULL; } continue; } }}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -