oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
aa119d1792f5e33d2938cfcf578d56782814d3dd
heimdal/appl/test/gssapi_server.c
Love Hornquist Astrand f17c4a6c5c only check for keytab content where its needed
2013-04-24 16:42:30 -07:00

393 lines
11 KiB
C
Raw Blame History

/*
* Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* A sample server that uses the GSSAPI.
*/
#include "test_locl.h"
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_spnego.h>
#include "gss_common.h"
static int
process_it(int sock,
gss_ctx_id_t context_hdl,
gss_name_t client_name
)
{
OM_uint32 maj_stat, min_stat;
gss_buffer_desc real_input_token, real_output_token;
gss_buffer_t input_token = &real_input_token,
output_token = &real_output_token;
gss_name_t server_name;
int conf_flag;
print_gss_name("User is", client_name);
maj_stat = gss_inquire_context(&min_stat,
context_hdl,
NULL,
&server_name,
NULL,
NULL,
NULL,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_inquire_context");
print_gss_name("Server is", server_name);
maj_stat = gss_release_name(&min_stat, &server_name);
if (GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_release_name");
/* gss_verify_mic */
read_token (sock, input_token);
read_token (sock, output_token);
maj_stat = gss_verify_mic (&min_stat,
context_hdl,
input_token,
output_token,
NULL);
if (GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_verify_mic");
fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length,
(char *)input_token->value);
gss_release_buffer (&min_stat, input_token);
gss_release_buffer (&min_stat, output_token);
/* create mic */
input_token->length = 6;
input_token->value = strdup("hejsan");
maj_stat = gss_get_mic(&min_stat,
context_hdl,
GSS_C_QOP_DEFAULT,
input_token,
output_token);
if (GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_get_mic");
write_token (sock, input_token);
write_token (sock, output_token);
gss_release_buffer (&min_stat, output_token);
/* gss_unwrap */
read_token (sock, input_token);
maj_stat = gss_unwrap (&min_stat,
context_hdl,
input_token,
output_token,
&conf_flag,
NULL);
if(GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_unwrap");
fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length,
(char *)output_token->value,
conf_flag ? "CONF" : "INT");
gss_release_buffer (&min_stat, input_token);
gss_release_buffer (&min_stat, output_token);
read_token (sock, input_token);
maj_stat = gss_unwrap (&min_stat,
context_hdl,
input_token,
output_token,
&conf_flag,
NULL);
if(GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_unwrap");
fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length,
(char *)output_token->value,
conf_flag ? "CONF" : "INT");
gss_release_buffer (&min_stat, input_token);
gss_release_buffer (&min_stat, output_token);
input_token->value = "hejhej";
input_token->length = 6;
maj_stat = gss_wrap (&min_stat,
context_hdl,
1,
GSS_C_QOP_DEFAULT,
input_token,
NULL,
output_token);
write_token (sock, output_token);
gss_release_buffer (&min_stat, output_token);
read_token (sock, input_token);
if (input_token->length != 6 && memcmp(input_token->value, "hejhej", 6) != 0)
errx(1, "invalid reply");
return 0;
}
static int
proto (int sock, const char *service)
{
struct sockaddr_in remote, local;
socklen_t addrlen;
gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
gss_buffer_desc real_input_token, real_output_token;
gss_buffer_t input_token = &real_input_token,
output_token = &real_output_token;
OM_uint32 maj_stat, min_stat;
gss_name_t client_name;
struct gss_channel_bindings_struct input_chan_bindings;
gss_cred_id_t delegated_cred_handle = NULL;
krb5_ccache ccache;
u_char init_buf[4];
u_char acct_buf[4];
gss_OID mech_oid;
char *mech, *p;
addrlen = sizeof(local);
if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
|| addrlen != sizeof(local))
err (1, "getsockname)");
addrlen = sizeof(remote);
if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
|| addrlen != sizeof(remote))
err (1, "getpeername");
input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
input_chan_bindings.initiator_address.length = 4;
init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
init_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF;
init_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF;
input_chan_bindings.initiator_address.value = init_buf;
input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
input_chan_bindings.acceptor_address.length = 4;
acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
acct_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF;
acct_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF;
input_chan_bindings.acceptor_address.value = acct_buf;
input_chan_bindings.application_data.value = emalloc(4);
#if 0
* (unsigned short *)input_chan_bindings.application_data.value =
remote.sin_port;
* ((unsigned short *)input_chan_bindings.application_data.value + 1) =
local.sin_port;
input_chan_bindings.application_data.length = 4;
#else
input_chan_bindings.application_data.length = 0;
input_chan_bindings.application_data.value = NULL;
#endif
delegated_cred_handle = GSS_C_NO_CREDENTIAL;
do {
read_token (sock, input_token);
maj_stat =
gss_accept_sec_context (&min_stat,
&context_hdl,
GSS_C_NO_CREDENTIAL,
input_token,
&input_chan_bindings,
&client_name,
&mech_oid,
output_token,
NULL,
NULL,
&delegated_cred_handle);
if(GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_accept_sec_context");
if (output_token->length != 0)
write_token (sock, output_token);
if (GSS_ERROR(maj_stat)) {
if (context_hdl != GSS_C_NO_CONTEXT)
gss_delete_sec_context (&min_stat,
&context_hdl,
GSS_C_NO_BUFFER);
break;
}
} while(maj_stat & GSS_S_CONTINUE_NEEDED);
p = (char *)mech_oid->elements;
if (mech_oid->length == GSS_KRB5_MECHANISM->length
&& memcmp(p, GSS_KRB5_MECHANISM->elements, mech_oid->length) == 0)
mech = "Kerberos 5";
else if (mech_oid->length == GSS_SPNEGO_MECHANISM->length
&& memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_oid->length) == 0)
mech = "SPNEGO"; /* XXX Silly, wont show up */
else
mech = "Unknown";
printf("Using mech: %s\n", mech);
if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
krb5_context context;
printf("Delegated cred found\n");
maj_stat = krb5_init_context(&context);
maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
maj_stat = gss_krb5_copy_ccache(&min_stat,
delegated_cred_handle,
ccache);
if (maj_stat == 0) {
krb5_principal p;
maj_stat = krb5_cc_get_principal(context, ccache, &p);
if (maj_stat == 0) {
char *name;
maj_stat = krb5_unparse_name(context, p, &name);
if (maj_stat == 0) {
printf("Delegated user is: `%s'\n", name);
free(name);
}
krb5_free_principal(context, p);
}
}
krb5_cc_close(context, ccache);
gss_release_cred(&min_stat, &delegated_cred_handle);
}
if (fork_flag) {
pid_t pid;
int pipefd[2];
if (pipe (pipefd) < 0)
err (1, "pipe");
pid = fork ();
if (pid < 0)
err (1, "fork");
if (pid != 0) {
gss_buffer_desc buf;
maj_stat = gss_export_sec_context (&min_stat,
&context_hdl,
&buf);
if (GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_export_sec_context");
write_token (pipefd[1], &buf);
exit (0);
} else {
gss_ctx_id_t context_hdl;
gss_buffer_desc buf;
close (pipefd[1]);
read_token (pipefd[0], &buf);
close (pipefd[0]);
maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
if (GSS_ERROR(maj_stat))
gss_err (1, min_stat, "gss_import_sec_context");
gss_release_buffer (&min_stat, &buf);
return process_it (sock, context_hdl, client_name);
}
} else {
return process_it (sock, context_hdl, client_name);
}
}
static void
loop (int port, const char *service)
{
int sock, sock2;
struct sockaddr_in my_addr;
int one = 1;
if (keytab_str)
gsskrb5_register_acceptor_identity(keytab_str);
sock = socket (AF_INET, SOCK_STREAM, 0);
if (sock < 0)
err (1, "socket");
memset (&my_addr, 0, sizeof(my_addr));
my_addr.sin_family = AF_INET;
my_addr.sin_port = port;
my_addr.sin_addr.s_addr = INADDR_ANY;
if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
(void *)&one, sizeof(one)) < 0)
warn ("setsockopt SO_REUSEADDR");
if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
err (1, "bind");
while (1) {
if (listen (sock, 1) < 0)
err (1, "listen");
sock2 = accept (sock, NULL, NULL);
if (sock2 < 0)
err (1, "accept");
proto (sock2, service);
}
}
/*
* Iterative server; process one connection at a time.
*/
int
main(int argc, char **argv)
{
krb5_context context = NULL; /* XXX */
krb5_error_code ret;
int port = server_setup(&context, argc, argv);
ret = krb5_kt_have_content(context, keytab);
if (ret)
krb5_err (context, 1, ret, "krb5_kt_have_content");
loop (port, service);
return 0;
}
Reference in New Issue View Git Blame Copy Permalink