/crypto/heimdal/appl/test/gssapi_server.c

https://bitbucket.org/freebsd/freebsd-head/ · C · 341 lines · 258 code · 49 blank · 34 comment · 50 complexity · fe95564d47baebffbcbaa7f04e4bdcce MD5 · raw file

  1. /*
  2. * Copyright (c) 1997 - 2000 Kungliga Tekniska Hรถgskolan
  3. * (Royal Institute of Technology, Stockholm, Sweden).
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions
  8. * are met:
  9. *
  10. * 1. Redistributions of source code must retain the above copyright
  11. * notice, this list of conditions and the following disclaimer.
  12. *
  13. * 2. Redistributions in binary form must reproduce the above copyright
  14. * notice, this list of conditions and the following disclaimer in the
  15. * documentation and/or other materials provided with the distribution.
  16. *
  17. * 3. Neither the name of the Institute nor the names of its contributors
  18. * may be used to endorse or promote products derived from this software
  19. * without specific prior written permission.
  20. *
  21. * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24. * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31. * SUCH DAMAGE.
  32. */
  33. #include "test_locl.h"
  34. #include <gssapi/gssapi.h>
  35. #include <gssapi/gssapi_krb5.h>
  36. #include <gssapi/gssapi_spnego.h>
  37. #include "gss_common.h"
  38. RCSID("$Id$");
  39. static int
  40. process_it(int sock,
  41. gss_ctx_id_t context_hdl,
  42. gss_name_t client_name
  43. )
  44. {
  45. OM_uint32 maj_stat, min_stat;
  46. gss_buffer_desc real_input_token, real_output_token;
  47. gss_buffer_t input_token = &real_input_token,
  48. output_token = &real_output_token;
  49. gss_name_t server_name;
  50. int conf_flag;
  51. print_gss_name("User is", client_name);
  52. maj_stat = gss_inquire_context(&min_stat,
  53. context_hdl,
  54. NULL,
  55. &server_name,
  56. NULL,
  57. NULL,
  58. NULL,
  59. NULL,
  60. NULL);
  61. if (GSS_ERROR(maj_stat))
  62. gss_err (1, min_stat, "gss_inquire_context");
  63. print_gss_name("Server is", server_name);
  64. maj_stat = gss_release_name(&min_stat, &server_name);
  65. if (GSS_ERROR(maj_stat))
  66. gss_err (1, min_stat, "gss_release_name");
  67. /* gss_verify_mic */
  68. read_token (sock, input_token);
  69. read_token (sock, output_token);
  70. maj_stat = gss_verify_mic (&min_stat,
  71. context_hdl,
  72. input_token,
  73. output_token,
  74. NULL);
  75. if (GSS_ERROR(maj_stat))
  76. gss_err (1, min_stat, "gss_verify_mic");
  77. fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length,
  78. (char *)input_token->value);
  79. gss_release_buffer (&min_stat, input_token);
  80. gss_release_buffer (&min_stat, output_token);
  81. /* gss_unwrap */
  82. read_token (sock, input_token);
  83. maj_stat = gss_unwrap (&min_stat,
  84. context_hdl,
  85. input_token,
  86. output_token,
  87. &conf_flag,
  88. NULL);
  89. if(GSS_ERROR(maj_stat))
  90. gss_err (1, min_stat, "gss_unwrap");
  91. fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length,
  92. (char *)output_token->value,
  93. conf_flag ? "CONF" : "INT");
  94. gss_release_buffer (&min_stat, input_token);
  95. gss_release_buffer (&min_stat, output_token);
  96. read_token (sock, input_token);
  97. maj_stat = gss_unwrap (&min_stat,
  98. context_hdl,
  99. input_token,
  100. output_token,
  101. &conf_flag,
  102. NULL);
  103. if(GSS_ERROR(maj_stat))
  104. gss_err (1, min_stat, "gss_unwrap");
  105. fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length,
  106. (char *)output_token->value,
  107. conf_flag ? "CONF" : "INT");
  108. gss_release_buffer (&min_stat, input_token);
  109. gss_release_buffer (&min_stat, output_token);
  110. return 0;
  111. }
  112. static int
  113. proto (int sock, const char *service)
  114. {
  115. struct sockaddr_in remote, local;
  116. socklen_t addrlen;
  117. gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
  118. gss_buffer_desc real_input_token, real_output_token;
  119. gss_buffer_t input_token = &real_input_token,
  120. output_token = &real_output_token;
  121. OM_uint32 maj_stat, min_stat;
  122. gss_name_t client_name;
  123. struct gss_channel_bindings_struct input_chan_bindings;
  124. gss_cred_id_t delegated_cred_handle = NULL;
  125. krb5_ccache ccache;
  126. u_char init_buf[4];
  127. u_char acct_buf[4];
  128. gss_OID mech_oid;
  129. char *mech, *p;
  130. addrlen = sizeof(local);
  131. if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
  132. || addrlen != sizeof(local))
  133. err (1, "getsockname)");
  134. addrlen = sizeof(remote);
  135. if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
  136. || addrlen != sizeof(remote))
  137. err (1, "getpeername");
  138. input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
  139. input_chan_bindings.initiator_address.length = 4;
  140. init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
  141. init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
  142. init_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF;
  143. init_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF;
  144. input_chan_bindings.initiator_address.value = init_buf;
  145. input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
  146. input_chan_bindings.acceptor_address.length = 4;
  147. acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
  148. acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
  149. acct_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF;
  150. acct_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF;
  151. input_chan_bindings.acceptor_address.value = acct_buf;
  152. input_chan_bindings.application_data.value = emalloc(4);
  153. #if 0
  154. * (unsigned short *)input_chan_bindings.application_data.value =
  155. remote.sin_port;
  156. * ((unsigned short *)input_chan_bindings.application_data.value + 1) =
  157. local.sin_port;
  158. input_chan_bindings.application_data.length = 4;
  159. #else
  160. input_chan_bindings.application_data.length = 0;
  161. input_chan_bindings.application_data.value = NULL;
  162. #endif
  163. delegated_cred_handle = GSS_C_NO_CREDENTIAL;
  164. do {
  165. read_token (sock, input_token);
  166. maj_stat =
  167. gss_accept_sec_context (&min_stat,
  168. &context_hdl,
  169. GSS_C_NO_CREDENTIAL,
  170. input_token,
  171. &input_chan_bindings,
  172. &client_name,
  173. &mech_oid,
  174. output_token,
  175. NULL,
  176. NULL,
  177. &delegated_cred_handle);
  178. if(GSS_ERROR(maj_stat))
  179. gss_err (1, min_stat, "gss_accept_sec_context");
  180. if (output_token->length != 0)
  181. write_token (sock, output_token);
  182. if (GSS_ERROR(maj_stat)) {
  183. if (context_hdl != GSS_C_NO_CONTEXT)
  184. gss_delete_sec_context (&min_stat,
  185. &context_hdl,
  186. GSS_C_NO_BUFFER);
  187. break;
  188. }
  189. } while(maj_stat & GSS_S_CONTINUE_NEEDED);
  190. p = (char *)mech_oid->elements;
  191. if (mech_oid->length == GSS_KRB5_MECHANISM->length
  192. && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_oid->length) == 0)
  193. mech = "Kerberos 5";
  194. else if (mech_oid->length == GSS_SPNEGO_MECHANISM->length
  195. && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_oid->length) == 0)
  196. mech = "SPNEGO"; /* XXX Silly, wont show up */
  197. else
  198. mech = "Unknown";
  199. printf("Using mech: %s\n", mech);
  200. if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
  201. krb5_context context;
  202. printf("Delegated cred found\n");
  203. maj_stat = krb5_init_context(&context);
  204. maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
  205. maj_stat = gss_krb5_copy_ccache(&min_stat,
  206. delegated_cred_handle,
  207. ccache);
  208. if (maj_stat == 0) {
  209. krb5_principal p;
  210. maj_stat = krb5_cc_get_principal(context, ccache, &p);
  211. if (maj_stat == 0) {
  212. char *name;
  213. maj_stat = krb5_unparse_name(context, p, &name);
  214. if (maj_stat == 0) {
  215. printf("Delegated user is: `%s'\n", name);
  216. free(name);
  217. }
  218. krb5_free_principal(context, p);
  219. }
  220. }
  221. krb5_cc_close(context, ccache);
  222. gss_release_cred(&min_stat, &delegated_cred_handle);
  223. }
  224. if (fork_flag) {
  225. pid_t pid;
  226. int pipefd[2];
  227. if (pipe (pipefd) < 0)
  228. err (1, "pipe");
  229. pid = fork ();
  230. if (pid < 0)
  231. err (1, "fork");
  232. if (pid != 0) {
  233. gss_buffer_desc buf;
  234. maj_stat = gss_export_sec_context (&min_stat,
  235. &context_hdl,
  236. &buf);
  237. if (GSS_ERROR(maj_stat))
  238. gss_err (1, min_stat, "gss_export_sec_context");
  239. write_token (pipefd[1], &buf);
  240. exit (0);
  241. } else {
  242. gss_ctx_id_t context_hdl;
  243. gss_buffer_desc buf;
  244. close (pipefd[1]);
  245. read_token (pipefd[0], &buf);
  246. close (pipefd[0]);
  247. maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
  248. if (GSS_ERROR(maj_stat))
  249. gss_err (1, min_stat, "gss_import_sec_context");
  250. gss_release_buffer (&min_stat, &buf);
  251. return process_it (sock, context_hdl, client_name);
  252. }
  253. } else {
  254. return process_it (sock, context_hdl, client_name);
  255. }
  256. }
  257. static int
  258. doit (int port, const char *service)
  259. {
  260. int sock, sock2;
  261. struct sockaddr_in my_addr;
  262. int one = 1;
  263. int ret;
  264. sock = socket (AF_INET, SOCK_STREAM, 0);
  265. if (sock < 0)
  266. err (1, "socket");
  267. memset (&my_addr, 0, sizeof(my_addr));
  268. my_addr.sin_family = AF_INET;
  269. my_addr.sin_port = port;
  270. my_addr.sin_addr.s_addr = INADDR_ANY;
  271. if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
  272. (void *)&one, sizeof(one)) < 0)
  273. warn ("setsockopt SO_REUSEADDR");
  274. if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
  275. err (1, "bind");
  276. while (1) {
  277. if (listen (sock, 1) < 0)
  278. err (1, "listen");
  279. sock2 = accept (sock, NULL, NULL);
  280. if (sock2 < 0)
  281. err (1, "accept");
  282. ret = proto (sock2, service);
  283. }
  284. return ret;
  285. }
  286. int
  287. main(int argc, char **argv)
  288. {
  289. krb5_context context = NULL; /* XXX */
  290. int port = server_setup(&context, argc, argv);
  291. return doit (port, service);
  292. }