Re: Kerberos pac ResourceGroups parsing

[Andrey K <ankor2023@xxxxxxxxx>]

Hello, Alex,

I have posted a PR: https://github.com/squid-cache/squid/pull/1597

This is my first contribution to open source. Could you please verify if everything is OK.

Kind regards,

    Ankor.

чт, 16 нояб. 2023 г. в 17:01, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:

On 2023-11-16 07:48, Andrey K wrote:

> I have slightly patched the negotiate_kerberos_pac.cc to
> implement ResourceGropIds-block parsing.

Please consider posting tested changes as a GitHub Pull Request:
https://wiki.squid-cache.org/MergeProcedure#pull-request


Thank you,

Alex.


> Maybe it will be useful for the community.
> This patch can be included in future Squid-releases.
>
> Kind regards,
>     Ankor.
>
> The patch for the
> file src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc below:
>
> @@ -362,6 +362,123 @@
>       return ad_groups;
>   }
>
> +
> +char *
> +get_resource_group_domain_sid(uint32_t ResourceGroupDomainSid){
> +
> +    if (ResourceGroupDomainSid!= 0) {
> +        uint8_t rev;
> +        uint64_t idauth;
> +        char dli[256];
> +        char *ag;
> +        int l;
> +
> +        align(4);
> +
> +        uint32_t nauth = get4byt();
> +
> +        size_t length = 1+1+6+nauth*4;
> +
> +            ag=(char *)xcalloc((length+1)*sizeof(char),1);
> +            // the first byte is a length of the SID
> +            ag[0] = (char) length;
> +            memcpy((void *)&ag[1],(const void*)&p[bpos],1);
> +            memcpy((void *)&ag[2],(const void*)&p[bpos+1],1);
> +            ag[2] = ag[2]+1;
> +            memcpy((void *)&ag[3],(const void*)&p[bpos+2],6+nauth*4);
> +
> +
> +
> +        /* mainly for debug only */
> +        rev = get1byt();
> +        bpos = bpos + 1; /*nsub*/
> +        idauth = get6byt_be();
> +
> +        snprintf(dli,sizeof(dli),"S-%d-%lu",rev,(long unsigned int)idauth);
> +        for ( l=0; l<(int)nauth; l++ ) {
> +            uint32_t sauth;
> +            sauth = get4byt();
> +            snprintf((char
> *)&dli[strlen(dli)],sizeof(dli)-strlen(dli),"-%u",sauth);
> +        }
> +        debug((char *) "%s| %s: INFO: Got ResourceGroupDomainSid %s\n",
> LogTime(), PROGRAM, dli);
> +        return ag;
> +    }
> +
> +    return NULL;
> +}
> +
> +char *
> +get_resource_groups(char *ad_groups, char *resource_group_domain_sid,
> uint32_t ResourceGroupIds, uint32_t ResourceGroupCount){
> +    size_t group_domain_sid_len = resource_group_domain_sid[0];
> +    char *ag;
> +    size_t length;
> +
> +    resource_group_domain_sid++; //now it points to the actual data
> +
> +
> +    if (ResourceGroupIds!= 0) {
> +        uint32_t ngroup;
> +        int l;
> +
> +        align(4);
> +        ngroup = get4byt();
> +        if ( ngroup != ResourceGroupCount) {
> +            debug((char *) "%s| %s: ERROR: Group encoding error =>
> ResourceGroupCount: %d Array size: %d\n",
> +                  LogTime(), PROGRAM, ResourceGroupCount, ngroup);
> +            return NULL;
> +        }
> +        debug((char *) "%s| %s: INFO: Found %d Resource Group rids\n",
> LogTime(), PROGRAM, ResourceGroupCount);
> +
> +        //make a group template which begins with the ResourceGroupDomainID
> +        length = group_domain_sid_len+4;  //+4 for a rid
> +        ag=(char *)xcalloc(length*sizeof(char),1);
> +        memcpy((void *)ag,(const void*)resource_group_domain_sid,
> group_domain_sid_len);
> +
> +
> +        for ( l=0; l<(int)ResourceGroupCount; l++) {
> +            uint32_t sauth;
> +            memcpy((void *)&ag[group_domain_sid_len],(const
> void*)&p[bpos],4);
> +
> +            if (!pstrcat(ad_groups," group=")) {
> +                debug((char *) "%s| %s: WARN: Too many groups ! size >
> %d : %s\n",
> +                      LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
> +               xfree(ag);
> +               return NULL;
> +            }
> +
> +
> +            struct base64_encode_ctx ctx;
> +            base64_encode_init(&ctx);
> +            const uint32_t expectedSz = base64_encode_len(length) +1 /*
> terminator */;
> +            char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1));
> +            size_t blen = base64_encode_update(&ctx, b64buf, length,
> reinterpret_cast<uint8_t*>(ag));
> +            blen += base64_encode_final(&ctx, b64buf+blen);
> +            b64buf[expectedSz-1] = '\0';
> +            if (!pstrcat(ad_groups, reinterpret_cast<char*>(b64buf))) {
> +                debug((char *) "%s| %s: WARN: Too many groups ! size >
> %d : %s\n",
> +                      LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
> +               xfree(ag);
> +               xfree(b64buf);
> +               return NULL;
> +            }
> +            xfree(b64buf);
> +
> +
> +
> +            sauth = get4byt();
> +            debug((char *) "%s| %s: Info: Got rid: %u\n", LogTime(),
> PROGRAM, sauth);
> +            /* attribute */
> +            bpos = bpos+4;
> +        }
> +
> +        xfree(ag);
> +       return ad_groups;
> +    }
> +
> +    return NULL;
> +}
> +
> +
>   char *
>   get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac)
>   {
> @@ -379,14 +496,14 @@
>       uint32_t LogonDomainId=0;
>       uint32_t SidCount=0;
>       uint32_t ExtraSids=0;
> -    /*
>       uint32_t ResourceGroupDomainSid=0;
>       uint32_t ResourceGroupCount=0;
>       uint32_t ResourceGroupIds=0;
> -    */
>       char **Rids=NULL;
>       int l=0;
>
> +    char * resource_group_domain_sid=NULL;
> +
>       if (!ad_groups) {
>           debug((char *) "%s| %s: ERR: No space to store groups\n",
>                 LogTime(), PROGRAM);
> @@ -454,11 +571,11 @@
>       bpos = bpos+40;
>       SidCount = get4byt();
>       ExtraSids = get4byt();
> -    /* 4 bytes ResourceGroupDomainSid
> -     * 4 bytes ResourceGroupCount
> -     * 4 bytes ResourceGroupIds
> -     */
> -    bpos = bpos+12;
> +
> +    ResourceGroupDomainSid = get4byt();
> +    ResourceGroupCount = get4byt();
> +    ResourceGroupIds = get4byt();
> +
>       /*
>        * Read all data from structure => Now check pointers
>        */
> @@ -483,7 +600,15 @@
>       if ((ad_groups = getextrasids(ad_groups,ExtraSids,SidCount))==NULL)
>           goto k5clean;
>
> +    resource_group_domain_sid =
> get_resource_group_domain_sid(ResourceGroupDomainSid);
> +    if(resource_group_domain_sid && ResourceGroupCount &&
> ResourceGroupIds){
> +        get_resource_groups(ad_groups, resource_group_domain_sid,
> ResourceGroupIds, ResourceGroupCount);
> +    }
> +
>       debug((char *) "%s| %s: INFO: Read %d of %d bytes \n", LogTime(),
> PROGRAM, bpos, (int)ad_data->length);
> +
> +    if(resource_group_domain_sid) xfree(resource_group_domain_sid);
> +
>       if (Rids) {
>           for ( l=0; l<(int)GroupCount; l++) {
>               xfree(Rids[l]);
> @@ -493,6 +618,8 @@
>       krb5_free_data(context, ad_data);
>       return ad_groups;
>   k5clean:
> +    if(resource_group_domain_sid) xfree(resource_group_domain_sid);
> +
>       if (Rids) {
>           for ( l=0; l<(int)GroupCount; l++) {
>               xfree(Rids[l]);
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users