OM_uint32 GSSAPI_CALLCONV
_gss_spnego_import_cred (OM_uint32 *minor_status,
gss_buffer_t value,
gss_cred_id_t *cred_handle)
{
return gss_import_cred(minor_status, value, cred_handle);
}
OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status,
gss_OID mech_type,
gss_buffer_t token,
gss_cred_id_t *cred_handle)
{
struct gpp_cred_handle *cred;
gss_buffer_desc wrap_token = {0};
gss_OID spmech;
OM_uint32 maj, min = 0;
uint32_t len;
GSSI_TRACE();
cred = calloc(1, sizeof(struct gpp_cred_handle));
if (!cred) {
*minor_status = 0;
return GSS_S_FAILURE;
}
/* NOTE: it makes no sense to import a cred remotely atm,
* so we only handle the local case for now. */
spmech = gpp_special_mech(mech_type);
if (spmech == GSS_C_NO_OID) {
maj = GSS_S_FAILURE;
goto done;
}
wrap_token.length = sizeof(uint32_t) + spmech->length + token->length;
wrap_token.value = malloc(wrap_token.length);
if (!wrap_token.value) {
wrap_token.length = 0;
maj = GSS_S_FAILURE;
goto done;
}
len = htobe32(wrap_token.length);
memcpy(wrap_token.value, &len, sizeof(uint32_t));
memcpy(wrap_token.value + sizeof(uint32_t),
spmech->elements, spmech->length);
memcpy(wrap_token.value + sizeof(uint32_t) + spmech->length,
token->value, token->length);
maj = gss_import_cred(&min, &wrap_token, &cred->local);
done:
*minor_status = gpp_map_error(min);
if (maj == GSS_S_COMPLETE) {
*cred_handle = (gss_cred_id_t)cred;
} else {
free(cred);
}
(void)gss_release_buffer(&min, &wrap_token);
return maj;
}
GSSCredential::GSSCredential(const std::string& proxyPath,
const std::string& certificatePath,
const std::string& keyPath)
: credential(GSS_C_NO_CREDENTIAL) {
std::string credbuf;
if (!proxyPath.empty()) {
std::ifstream is(proxyPath.c_str());
getline(is, credbuf, '\0');
if(!is || credbuf.empty()) {
logger.msg(ERROR, "Failed to read proxy file: %s", proxyPath);
return;
}
}
else if (!certificatePath.empty() && !keyPath.empty()) {
std::ifstream is(certificatePath.c_str());
getline(is, credbuf, '\0');
if(!is || credbuf.empty()) {
logger.msg(ERROR, "Failed to read certificate file: %s",
certificatePath);
return;
}
std::string keybuf;
std::ifstream ik(keyPath.c_str());
getline(ik, keybuf, '\0');
if(!ik || keybuf.empty()) {
logger.msg(ERROR, "Failed to read private key file: %s", keyPath);
return;
}
credbuf += "\n";
credbuf += keybuf;
}
if(!credbuf.empty()) {
//Convert to GSS credental only if find credential content
OM_uint32 majstat, minstat;
gss_buffer_desc gbuf;
gbuf.value = (void*)credbuf.c_str();
gbuf.length = credbuf.length();
majstat = gss_import_cred(&minstat, &credential, NULL, 0,
&gbuf, GSS_C_INDEFINITE, NULL);
if (GSS_ERROR(majstat)) {
credential = GSS_C_NO_CREDENTIAL;
logger.msg(ERROR, "Failed to convert GSI credential to "
"GSS credential (major: %d, minor: %d)%s", majstat, minstat, ErrorStr(majstat, minstat));
return;
}
}
}
void
export_import_cred(gss_cred_id_t *cred)
{
OM_uint32 major, minor;
gss_buffer_desc buf;
major = gss_export_cred(&minor, *cred, &buf);
check_gsserr("gss_export_cred", major, minor);
(void)gss_release_cred(&minor, cred);
major = gss_import_cred(&minor, &buf, cred);
check_gsserr("gss_import_cred", major, minor);
(void)gss_release_buffer(&minor, &buf);
}
uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
gssx_cred *cred, gss_cred_id_t *out)
{
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
struct gp_creds_handle *handle = NULL;
uint32_t ret_maj;
uint32_t ret_min;
int ret;
handle = gp_service_get_creds_handle(gpcall->service);
if (!handle) {
ret_maj = GSS_S_FAILURE;
ret_min = EINVAL;
goto done;
}
token.length = cred->cred_handle_reference.octet_string_len;
token.value = malloc(token.length);
if (!token.value) {
ret_maj = GSS_S_FAILURE;
ret_min = ENOMEM;
goto done;
}
ret = gp_decrypt_buffer(handle->context, &handle->key,
&cred->cred_handle_reference,
&token.length, token.value);
if (ret) {
ret_maj = GSS_S_FAILURE;
ret_min = ENOENT;
goto done;
}
ret_maj = gss_import_cred(&ret_min, &token, out);
/* check if there is any client option we need to set on credentials */
gp_set_cred_options(cred, *out);
done:
*min = ret_min;
free(token.value);
return ret_maj;
}
OM_uint32
_gss_spnego_import_cred (OM_uint32 *minor_status,
gss_buffer_t value,
gss_cred_id_t *cred_handle)
{
gssspnego_cred cred;
OM_uint32 major;
*cred_handle = GSS_C_NO_CREDENTIAL;
cred = calloc(1, sizeof(*cred));
if (cred == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
major = gss_import_cred(minor_status, value, &cred->negotiated_cred_id);
if (major == GSS_S_COMPLETE)
*cred_handle = (gss_cred_id_t)cred;
else
free(cred);
return major;
}
int main()
{
OM_uint32 init_maj_stat;
OM_uint32 accept_maj_stat;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 ret_flags;
OM_uint32 req_flags = 0;
OM_uint32 time_rec;
gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc * token_ptr;
gss_OID mech_type;
gss_name_t target_name;
gss_ctx_id_t init_context;
gss_ctx_id_t accept_context;
gss_ctx_id_t del_init_context;
gss_ctx_id_t del_accept_context;
gss_cred_id_t delegated_cred;
gss_cred_id_t imported_cred;
gss_cred_id_t cred_handle;
char * error_str;
globus_result_t result;
globus_gsi_cert_utils_cert_type_t cert_type;
int rc = EXIT_SUCCESS;
printf("1..1\n");
/* Activate Modules */
globus_module_activate(GLOBUS_GSI_GSSAPI_MODULE);
/* Initialize variables */
token_ptr = GSS_C_NO_BUFFER;
init_context = GSS_C_NO_CONTEXT;
accept_context = GSS_C_NO_CONTEXT;
del_init_context = GSS_C_NO_CONTEXT;
del_accept_context = GSS_C_NO_CONTEXT;
delegated_cred = GSS_C_NO_CREDENTIAL;
accept_maj_stat = GSS_S_CONTINUE_NEEDED;
ret_flags = 0;
req_flags |= GSS_C_GLOBUS_LIMITED_DELEG_PROXY_FLAG;
/* acquire the credential */
maj_stat = gss_acquire_cred(&min_stat,
NULL,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred_handle,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gsi_gssapi_test_print_error(stderr, maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
/* get the subject name */
maj_stat = gss_inquire_cred(&min_stat,
cred_handle,
&target_name,
NULL,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gsi_gssapi_test_print_error(stderr, maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
/* set up the first security context */
init_maj_stat = gss_init_sec_context(&min_stat,
cred_handle,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, init_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&accept_context,
GSS_C_NO_CREDENTIAL,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
NULL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, accept_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, init_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
printf("# %s:%d: Successfully established initial security context\n",
__FILE__,
__LINE__);
/* delegate our credential over the initial security context and
* insert a restriction extension into the delegated credential.
* This is a post GT 2.0 feature.
*/
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
token_ptr,
req_flags,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, init_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
accept_maj_stat=gss_accept_delegation(&min_stat,
accept_context,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&send_tok,
req_flags,
0,
&time_rec,
&delegated_cred,
&mech_type,
&recv_tok);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, accept_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&recv_tok,
req_flags,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, init_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
printf("# %s:%d: Successfully delegated credential\n",
__FILE__,
__LINE__);
/* export and import the delegated credential */
/* this can be done both to a buffer and to a file */
/* New in GT 2.0 */
maj_stat = gss_export_cred(&min_stat,
delegated_cred,
GSS_C_NO_OID,
0,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gsi_gssapi_test_print_error(stderr, maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
maj_stat = gss_import_cred(&min_stat,
&imported_cred,
GSS_C_NO_OID,
0,
&send_tok,
0,
&time_rec);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gsi_gssapi_test_print_error(stderr, maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
printf("# %s:%d: Successfully exported/imported the delegated credential\n",
__FILE__,
__LINE__);
/* set up another security context using the delegated credential */
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, init_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&del_accept_context,
imported_cred,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
NULL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, accept_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gsi_gssapi_test_print_error(stderr, init_maj_stat, min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
/* got sec context based on delegated cred now */
printf("# %s:%d: Successfully established security context with delegated credential\n",
__FILE__,
__LINE__);
/* Verify that the delegated credential is a limited proxy */
result = globus_gsi_cred_get_cert_type(
((gss_cred_id_desc *)imported_cred)->cred_handle,
&cert_type);
if(result != GLOBUS_SUCCESS)
{
char * error_str;
globus_object_t * error_obj;
error_obj = globus_error_get(result);
error_str = globus_error_print_chain(error_obj);
fprintf(stderr, "%s", error_str);
globus_libc_free(error_str);
globus_object_free(error_obj);
rc = EXIT_FAILURE;
goto fail;
}
if (! GLOBUS_GSI_CERT_UTILS_IS_LIMITED_PROXY(cert_type))
{
fprintf(stderr,
"Invalid certificate type. Expected a limited proxy, got %d\n",
(int) cert_type);
rc = EXIT_FAILURE;
goto fail;
}
fail:
printf("%s gssapi_limited_delegation_test\n",
(rc==EXIT_SUCCESS) ? "ok" : "not ok");
globus_module_deactivate_all();
exit(rc);
}
/* Fill out the auth_session_info with a cli_credentials based on the
* auth_session_info we were forwarded over named pipe forwarding.
*
* NOTE: The stucture members of session_info_transport are stolen
* with talloc_move() into auth_session_info for long term use
*/
struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
struct auth_session_info_transport *session_info_transport,
struct loadparm_context *lp_ctx,
const char **reason)
{
struct auth_session_info *session_info;
session_info = talloc_steal(mem_ctx, session_info_transport->session_info);
if (session_info_transport->exported_gssapi_credentials.length) {
struct cli_credentials *creds;
OM_uint32 minor_status;
gss_buffer_desc cred_token;
gss_cred_id_t cred_handle;
const char *error_string;
int ret;
DEBUG(10, ("Delegated credentials supplied by client\n"));
cred_token.value = session_info_transport->exported_gssapi_credentials.data;
cred_token.length = session_info_transport->exported_gssapi_credentials.length;
ret = gss_import_cred(&minor_status,
&cred_token,
&cred_handle);
if (ret != GSS_S_COMPLETE) {
*reason = "Internal error in gss_import_cred()";
return NULL;
}
creds = cli_credentials_init(session_info);
if (!creds) {
*reason = "Out of memory in cli_credentials_init()";
return NULL;
}
session_info->credentials = creds;
cli_credentials_set_conf(creds, lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(creds);
ret = cli_credentials_set_client_gss_creds(creds,
lp_ctx,
cred_handle,
CRED_SPECIFIED,
&error_string);
if (ret) {
*reason = talloc_asprintf(mem_ctx,
"Failed to set pipe forwarded"
"creds: %s\n", error_string);
return NULL;
}
/* This credential handle isn't useful for password
* authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(creds,
CRED_MUST_USE_KERBEROS);
}
return session_info;
}
int
main(int argc, char **argv)
{
int optind = 0;
OM_uint32 min_stat, maj_stat;
gss_ctx_id_t cctx, sctx;
void *ctx;
gss_OID nameoid, mechoid, actual_mech, actual_mech2;
gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
gss_name_t cname = GSS_C_NO_NAME;
gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER;
setprogname(argv[0]);
init_o2n();
if (krb5_init_context(&context))
errx(1, "krb5_init_context");
cctx = sctx = GSS_C_NO_CONTEXT;
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
if (argc != 1)
usage(1);
if (dns_canon_flag != -1)
gsskrb5_set_dns_canonicalize(dns_canon_flag);
if (type_string == NULL)
nameoid = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcmp(type_string, "hostbased-service") == 0)
nameoid = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcmp(type_string, "krb5-principal-name") == 0)
nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
else
errx(1, "%s not suppported", type_string);
if (mech_string == NULL)
mechoid = GSS_KRB5_MECHANISM;
else
mechoid = string_to_oid(mech_string);
if (gsskrb5_acceptor_identity) {
maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
if (maj_stat)
errx(1, "gsskrb5_acceptor_identity: %s",
gssapi_err(maj_stat, 0, GSS_C_NO_OID));
}
if (client_password) {
credential_data.value = client_password;
credential_data.length = strlen(client_password);
}
if (client_name) {
gss_buffer_desc cn;
cn.value = client_name;
cn.length = strlen(client_name);
maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
if (maj_stat)
errx(1, "gss_import_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (client_password) {
maj_stat = gss_acquire_cred_with_password(&min_stat,
cname,
&credential_data,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred_with_password: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
} else {
maj_stat = gss_acquire_cred(&min_stat,
cname,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (limit_enctype_string) {
krb5_error_code ret;
ret = krb5_string_to_enctype(context,
limit_enctype_string,
&limit_enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
}
if (limit_enctype) {
if (client_cred == NULL)
errx(1, "client_cred missing");
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
1, &limit_enctype);
if (maj_stat)
errx(1, "gss_krb5_set_allowable_enctypes: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
loop(mechoid, nameoid, argv[0], client_cred,
&sctx, &cctx, &actual_mech, &deleg_cred);
if (verbose_flag)
printf("resulting mech: %s\n", oid_to_string(actual_mech));
if (ret_mech_string) {
gss_OID retoid;
retoid = string_to_oid(ret_mech_string);
if (gss_oid_equal(retoid, actual_mech) == 0)
errx(1, "actual_mech mech is not the expected type %s",
ret_mech_string);
}
/* XXX should be actual_mech */
if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
time_t time;
gss_buffer_desc authz_data;
gss_buffer_desc in, out1, out2;
krb5_keyblock *keyblock, *keyblock2;
krb5_timestamp now;
krb5_error_code ret;
ret = krb5_timeofday(context, &now);
if (ret)
errx(1, "krb5_timeofday failed");
/* client */
maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
&cctx,
1, /* version */
&ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
/* server */
maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
&sctx,
1, /* version */
&ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
sctx,
&time);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (time > now)
errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
"time authtime is before now: %ld %ld",
(long)time, (long)now);
maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gsskrb5_export_service_keyblock failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
krb5_free_keyblock(context, keyblock);
maj_stat = gsskrb5_get_subkey(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_subkey server failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat != GSS_S_COMPLETE)
keyblock = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
maj_stat = gsskrb5_get_subkey(&min_stat,
cctx,
&keyblock2);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_subkey client failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat != GSS_S_COMPLETE)
keyblock2 = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
if (keyblock || keyblock2) {
if (keyblock == NULL)
errx(1, "server missing token keyblock");
if (keyblock2 == NULL)
errx(1, "client missing token keyblock");
if (keyblock->keytype != keyblock2->keytype)
errx(1, "enctype mismatch");
if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
errx(1, "key length mismatch");
if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
keyblock2->keyvalue.length) != 0)
errx(1, "key data mismatch");
}
if (session_enctype_string) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context,
session_enctype_string,
&enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
if (enctype != keyblock->keytype)
errx(1, "keytype is not the expected %d != %d",
(int)enctype, (int)keyblock2->keytype);
}
if (keyblock)
krb5_free_keyblock(context, keyblock);
if (keyblock2)
krb5_free_keyblock(context, keyblock2);
maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_initiator_subkey failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat == GSS_S_COMPLETE) {
if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
krb5_free_keyblock(context, keyblock);
}
maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
sctx,
128,
&authz_data);
if (maj_stat == GSS_S_COMPLETE)
gss_release_buffer(&min_stat, &authz_data);
memset(&out1, 0, sizeof(out1));
memset(&out2, 0, sizeof(out2));
in.value = "foo";
in.length = 3;
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
100, &out1);
gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
100, &out2);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
100, &out1);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_release_buffer(&min_stat, &out2);
in.value = "bar";
in.length = 3;
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
100, &out1);
gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
100, &out2);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_release_buffer(&min_stat, &out2);
wrapunwrap_flag = 1;
getverifymic_flag = 1;
}
if (wrapunwrap_flag) {
wrapunwrap(cctx, sctx, 0, actual_mech);
wrapunwrap(cctx, sctx, 1, actual_mech);
wrapunwrap(sctx, cctx, 0, actual_mech);
wrapunwrap(sctx, cctx, 1, actual_mech);
}
if (iov_flag) {
wrapunwrap_iov(cctx, sctx, 0, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
/* works */
wrapunwrap_iov(cctx, sctx, 0, actual_mech);
wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
}
if (getverifymic_flag) {
getverifymic(cctx, sctx, actual_mech);
getverifymic(cctx, sctx, actual_mech);
getverifymic(sctx, cctx, actual_mech);
getverifymic(sctx, cctx, actual_mech);
}
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
if (deleg_cred != GSS_C_NO_CREDENTIAL) {
gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
gss_buffer_desc cb;
if (verbose_flag)
printf("checking actual mech (%s) on delegated cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking spnego on delegated cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx,
&actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* check export/import */
if (ei_flag) {
maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &cb);
gss_release_cred(&min_stat, &deleg_cred);
if (verbose_flag)
printf("checking actual mech (%s) on export/imported cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking SPNEGO on export/imported cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
} else {
gss_release_cred(&min_stat, &deleg_cred);
}
}
empty_release();
krb5_free_context(context);
return 0;
}
int main()
{
OM_uint32 init_maj_stat;
OM_uint32 accept_maj_stat;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 ret_flags;
OM_uint32 req_flags = 0;
OM_uint32 time_rec;
gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc * token_ptr;
gss_OID mech_type;
gss_name_t target_name;
gss_ctx_id_t init_context;
gss_ctx_id_t accept_context;
gss_ctx_id_t del_init_context;
gss_ctx_id_t del_accept_context;
gss_cred_id_t delegated_cred;
gss_cred_id_t imported_cred;
gss_cred_id_t cred_handle;
char * error_str;
int rc = EXIT_SUCCESS;
printf("1..1\n");
/* Initialize variables */
token_ptr = GSS_C_NO_BUFFER;
init_context = GSS_C_NO_CONTEXT;
accept_context = GSS_C_NO_CONTEXT;
del_init_context = GSS_C_NO_CONTEXT;
del_accept_context = GSS_C_NO_CONTEXT;
delegated_cred = GSS_C_NO_CREDENTIAL;
accept_maj_stat = GSS_S_CONTINUE_NEEDED;
ret_flags = 0;
req_flags |= GSS_C_GLOBUS_SSL_COMPATIBLE;
/* Activate Modules */
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
globus_module_activate(GLOBUS_GSI_GSSAPI_MODULE);
maj_stat = gss_acquire_cred(&min_stat,
NULL,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred_handle,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
/* get the subject name */
maj_stat = gss_inquire_cred(&min_stat,
cred_handle,
&target_name,
NULL,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
/* set up the first security context */
init_maj_stat = gss_init_sec_context(&min_stat,
cred_handle,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&accept_context,
GSS_C_NO_CREDENTIAL,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
NULL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
printf("# %s:%d: Successfully established initial security context\n",
__FILE__,
__LINE__);
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
token_ptr,
req_flags,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
maj_stat = gss_wrap(&min_stat,
init_context,
0,
GSS_C_QOP_DEFAULT,
&send_tok,
NULL,
&recv_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
internal_release_buffer(&send_tok);
maj_stat = gss_unwrap(&min_stat,
accept_context,
&recv_tok,
&send_tok,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
accept_maj_stat=gss_accept_delegation(&min_stat,
accept_context,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&send_tok,
req_flags,
0,
&time_rec,
&delegated_cred,
&mech_type,
&recv_tok);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
internal_release_buffer(&send_tok);
maj_stat = gss_wrap(&min_stat,
accept_context,
0,
GSS_C_QOP_DEFAULT,
&recv_tok,
NULL,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
maj_stat = gss_unwrap(&min_stat,
init_context,
&send_tok,
&recv_tok,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&send_tok);
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&recv_tok,
req_flags,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
maj_stat = gss_wrap(&min_stat,
init_context,
0,
GSS_C_QOP_DEFAULT,
&send_tok,
NULL,
&recv_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
printf("# %s:%d: Successfully delegated credential\n",
__FILE__,
__LINE__);
/* export and import the delegated credential */
/* this can be done both to a buffer and to a file */
/* New in GT 2.0 */
internal_release_buffer(&send_tok);
maj_stat = gss_export_cred(&min_stat,
delegated_cred,
GSS_C_NO_OID,
0,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
maj_stat = gss_import_cred(&min_stat,
&imported_cred,
GSS_C_NO_OID,
0,
&send_tok,
0,
&time_rec);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&send_tok);
printf("# %s:%d: Successfully exported/imported the delegated credential\n",
__FILE__,
__LINE__);
/* set up another security context using the delegated credential */
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
internal_release_buffer(&recv_tok);
accept_maj_stat=gss_accept_sec_context(&min_stat,
&del_accept_context,
imported_cred,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
&target_name,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
NULL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
/* got sec context based on delegated cred now */
printf("# %s:%d: Successfully established security context with delegated credential\n",
__FILE__,
__LINE__);
fail:
printf("%s gssapi_delegation_compat_test\n",
(rc == EXIT_SUCCESS) ? "ok" : "not ok");
globus_module_deactivate_all();
exit(rc);
}
int main()
{
OM_uint32 init_maj_stat;
OM_uint32 accept_maj_stat;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 ret_flags;
OM_uint32 time_rec;
gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc * token_ptr;
gss_buffer_desc oid_buffer;
gss_buffer_set_desc oid_buffers;
gss_buffer_set_t inquire_buffers;
gss_OID name_type;
gss_OID mech_type;
gss_OID_set_desc oid_set;
gss_name_t target_name;
gss_ctx_id_t init_context;
gss_ctx_id_t accept_context;
gss_ctx_id_desc * init_context_handle;
gss_ctx_id_t del_init_context;
gss_ctx_id_t del_accept_context;
gss_cred_id_t delegated_cred;
gss_cred_id_t imported_cred;
gss_cred_id_t cred_handle;
char * subject =
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Samuel Meder";
char * error_str;
char * buf;
/* Initialize variables */
token_ptr = GSS_C_NO_BUFFER;
init_context = GSS_C_NO_CONTEXT;
accept_context = GSS_C_NO_CONTEXT;
del_init_context = GSS_C_NO_CONTEXT;
del_accept_context = GSS_C_NO_CONTEXT;
name_type = GSS_C_NT_USER_NAME;
delegated_cred = GSS_C_NO_CREDENTIAL;
accept_maj_stat = GSS_S_CONTINUE_NEEDED;
ret_flags = 0;
oid_buffer.value = malloc(EXT_SIZE);
oid_buffer.length = EXT_SIZE;
buf = (char *) oid_buffer.value;
memset(buf,'A',EXT_SIZE);
buf[EXT_SIZE-1]='\0';
oid_buffers.count = 1;
oid_buffers.elements = &oid_buffer;
oid_set.count = 1;
oid_set.elements = gss_restrictions_extension;
send_tok.value = subject;
send_tok.length = strlen(subject) + 1;
/* acquire the credential */
maj_stat = gss_acquire_cred(&min_stat,
NULL,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred_handle,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
/* import the subject name */
maj_stat = gss_import_name(&min_stat,
&send_tok,
name_type,
&target_name);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
/* set up the first security context */
init_maj_stat = gss_init_sec_context(&min_stat,
cred_handle,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&accept_context,
GSS_C_NO_CREDENTIAL,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
GSS_C_NO_CREDENTIAL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
}
printf("%s:%d: Successfully established initial security context\n",
__FILE__,
__LINE__);
/* delegate our credential over the initial security context and
* insert a restriction extension into the delegated credential.
* This is a post GT 2.0 feature.
*/
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
&oid_set,
&oid_buffers,
token_ptr,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
while(1)
{
accept_maj_stat=gss_accept_delegation(&min_stat,
accept_context,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&send_tok,
0,
&time_rec,
&delegated_cred,
&mech_type,
&recv_tok);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
&oid_set,
&oid_buffers,
&recv_tok,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
}
printf("%s:%d: Successfully delegated credential\n",
__FILE__,
__LINE__);
/* export and import the delegated credential */
/* this can be done both to a buffer and to a file */
/* New in GT 2.0 */
maj_stat = gss_export_cred(&min_stat,
delegated_cred,
GSS_C_NO_OID,
0,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
maj_stat = gss_import_cred(&min_stat,
&imported_cred,
GSS_C_NO_OID,
0,
&send_tok,
0,
&time_rec);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
printf("%s:%d: Successfully exported/imported the delegated credential\n",
__FILE__,
__LINE__);
free(oid_buffer.value);
oid_buffer.value = (void *) &oid_set;
oid_buffer.length = 1;
/* Tell the GSS that we will handle restriction extensions */
/* This is a post GT 2.0 feature */
maj_stat = gss_set_sec_context_option(
&min_stat,
&del_init_context,
(gss_OID) GSS_APPLICATION_WILL_HANDLE_EXTENSIONS,
&oid_buffer);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
maj_stat = gss_set_sec_context_option(
&min_stat,
&del_accept_context,
(gss_OID) GSS_APPLICATION_WILL_HANDLE_EXTENSIONS,
&oid_buffer);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
/* set up another security context using the delegated credential */
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&del_accept_context,
imported_cred,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
&target_name,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
GSS_C_NO_CREDENTIAL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
}
/* got sec context based on delegated cred now */
printf("%s:%d: Successfully established security context with delegated credential\n",
__FILE__,
__LINE__);
/* Extract and print the restrictions extension from the security
* context.
* This is a post GT 2.0 feature.
*/
maj_stat = gss_inquire_sec_context_by_oid(&min_stat,
del_accept_context,
gss_restrictions_extension,
&inquire_buffers);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
printf("%s:%d: Security context contains restriction extension %s\n",
__FILE__,
__LINE__,
(char *) inquire_buffers->elements[0].value);
}
