static int32_t get_version_capa(struct client *client, int32_t *version, int32_t *capa, char **version_str) { put32(client, eGetVersionAndCapabilities); ret32(client, *version); ret32(client, *capa); retstring(client, *version_str); return GSMERR_OK; }
static void * handleServer(void *ptr) { struct handler *handler; struct client *c; int32_t op; c = (struct client *)ptr; while(1) { ret32(c, op); handler = find_op(op); if (handler == NULL) { logmessage(c, __FILE__, __LINE__, 0, "op %d not supported", (int)op); exit(1); } logmessage(c, __FILE__, __LINE__, 0, "---> Got op %s from server %s", handler->name, c->servername); if ((handler->func)(handler->op, c)) break; } return NULL; }
static int HandleOP(AcquirePKInitCreds) { int32_t flags; krb5_data pfxdata; char fn[] = "FILE:/tmp/pkcs12-creds-XXXXXXX"; krb5_principal principal = NULL; int fd; ret32(c, flags); retdata(c, pfxdata); fd = mkstemp(fn + 5); if (fd < 0) errx(1, "mkstemp"); net_write(fd, pfxdata.data, pfxdata.length); krb5_data_free(&pfxdata); close(fd); if (principal) krb5_free_principal(context, principal); put32(c, -1); /* hResource */ put32(c, GSMERR_NOT_SUPPORTED); return 0; }
static int acquire_cred(struct client *client, const char *username, const char *password, int32_t flags, int32_t *hCred) { int32_t val; put32(client, eAcquireCreds); putstring(client, username); putstring(client, password); put32(client, flags); ret32(client, val); ret32(client, *hCred); return val; }
static int HandleOP(Unwrap) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, seqno; krb5_data token; gss_ctx_id_t ctx; gss_buffer_desc input_token, output_token; int conf_state; gss_qop_t qop_state; ret32(c, hContext); ret32(c, flags); ret32(c, seqno); retdata(c, token); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "unwrap: reference to unknown context"); input_token.length = token.length; input_token.value = token.data; maj_stat = gss_unwrap(&min_stat, ctx, &input_token, &output_token, &conf_state, &qop_state); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat); krb5_data_free(&token); if (maj_stat == GSS_S_COMPLETE) { token.data = output_token.value; token.length = output_token.length; } else { token.data = NULL; token.length = 0; } put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); if (maj_stat == GSS_S_COMPLETE) gss_release_buffer(&min_stat, &output_token); return 0; }
static int toast_resource(struct client *client, int32_t hCred) { int32_t val; put32(client, eToastResource); put32(client, hCred); ret32(client, val); return val; }
static int accept_sec_context(struct client *client, int32_t *hContext, int32_t flags, const krb5_data *itoken, krb5_data *otoken, int32_t *hDelegCred) { int32_t val; krb5_data_zero(otoken); put32(client, eAcceptContext); put32(client, *hContext); put32(client, flags); putdata(client, *itoken); ret32(client, *hContext); ret32(client, val); retdata(client, *otoken); ret32(client, *hDelegCred); return val; }
static int init_sec_context(struct client *client, int32_t *hContext, int32_t *hCred, int32_t flags, const char *targetname, const krb5_data *itoken, krb5_data *otoken) { int32_t val; krb5_data_zero(otoken); put32(client, eInitContext); put32(client, *hContext); put32(client, *hCred); put32(client, flags); putstring(client, targetname); putdata(client, *itoken); ret32(client, *hContext); ret32(client, val); retdata(client, *otoken); return val; }
static int HandleOP(ToastResource) { int32_t handle; ret32(c, handle); logmessage(c, __FILE__, __LINE__, 0, "toasting %d", handle); del_handle(&c->handles, handle); put32(c, GSMERR_OK); return 0; }
static int HandleOP(Verify) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, seqno; krb5_data msg, mic; gss_ctx_id_t ctx; gss_buffer_desc msg_token, mic_token; gss_qop_t qop; ret32(c, hContext); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "verify: reference to unknown context"); ret32(c, flags); ret32(c, seqno); retdata(c, msg); msg_token.length = msg.length; msg_token.value = msg.data; retdata(c, mic); mic_token.length = mic.length; mic_token.value = mic.data; maj_stat = gss_verify_mic(&min_stat, ctx, &msg_token, &mic_token, &qop); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_verify_mic failed"); krb5_data_free(&mic); krb5_data_free(&msg); put32(c, 0); /* XXX fix gsm_error */ return 0; }
static int HandleOP(Sign) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, seqno; krb5_data token; gss_ctx_id_t ctx; gss_buffer_desc input_token, output_token; ret32(c, hContext); ret32(c, flags); ret32(c, seqno); retdata(c, token); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "sign: reference to unknown context"); input_token.length = token.length; input_token.value = token.data; maj_stat = gss_get_mic(&min_stat, ctx, 0, &input_token, &output_token); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_get_mic failed"); krb5_data_free(&token); token.data = output_token.value; token.length = output_token.length; put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); gss_release_buffer(&min_stat, &output_token); return 0; }
static int32_t verify_mic(struct client *client, int32_t hContext, krb5_data *in, krb5_data *mic) { int32_t val; put32(client, eVerify); put32(client, hContext); put32(client, 0); put32(client, 0); putdata(client, *in); putdata(client, *mic); ret32(client, val); return val; }
static int32_t decrypt_token(struct client *client, int32_t hContext, int flags, krb5_data *in, krb5_data *out) { int32_t val; put32(client, eDecrypt); put32(client, hContext); put32(client, flags); put32(client, 0); putdata(client, *in); ret32(client, val); retdata(client, *out); return val; }
static int HandleOP(AcquireCreds) { char *name, *password; int32_t gsm_error, flags, handle = 0; krb5_principal principal = NULL; krb5_get_init_creds_opt *opt = NULL; krb5_error_code ret; retstring(c, name); retstring(c, password); ret32(c, flags); logmessage(c, __FILE__, __LINE__, 0, "username: %s password: %s", name, password); ret = krb5_parse_name(context, name, &principal); if (ret) { gsm_error = convert_krb5_to_gsm(ret); goto out; } ret = krb5_get_init_creds_opt_alloc (context, &opt); if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); krb5_get_init_creds_opt_set_pa_password(context, opt, password, NULL); gsm_error = acquire_cred(c, principal, opt, &handle); out: logmessage(c, __FILE__, __LINE__, 0, "AcquireCreds handle: %d return code: %d", handle, gsm_error); if (opt) krb5_get_init_creds_opt_free (context, opt); if (principal) krb5_free_principal(context, principal); free(name); free(password); put32(c, gsm_error); put32(c, handle); return 0; }
static int32_t unwrap_token_ext(struct client *client, int32_t hContext, int32_t flags, int32_t bflags, krb5_data *header, krb5_data *in, krb5_data *trailer, krb5_data *out) { int32_t val; put32(client, eUnwrapExt); put32(client, hContext); put32(client, flags); put32(client, bflags); putdata(client, *header); putdata(client, *in); putdata(client, *trailer); ret32(client, val); retdata(client, *out); return val; }
static int HandleOP(SetLoggingSocket) { int32_t portnum; krb5_socket_t sock; int ret; ret32(c, portnum); logmessage(c, __FILE__, __LINE__, 0, "logging port on peer is: %d", (int)portnum); socket_set_port((struct sockaddr *)(&c->sa), htons(portnum)); sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0); if (sock == rk_INVALID_SOCKET) return 0; ret = connect(sock, (struct sockaddr *)&c->sa, c->salen); if (ret < 0) { logmessage(c, __FILE__, __LINE__, 0, "failed connect to log port: %s", strerror(errno)); rk_closesocket(sock); return 0; } if (c->logging) krb5_storage_free(c->logging); c->logging = krb5_storage_from_socket(sock); rk_closesocket(sock); krb5_store_int32(c->logging, eLogSetMoniker); store_string(c->logging, c->moniker); logmessage(c, __FILE__, __LINE__, 0, "logging turned on"); return 0; }
static int HandleOP(AcceptContext) { OM_uint32 maj_stat, min_stat, ret_flags; int32_t hContext, deleg_hcred, flags; krb5_data in_token; int32_t new_context_id = 0, gsm_error = 0; krb5_data out_token = { 0 , NULL }; gss_ctx_id_t ctx; gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; gss_buffer_desc input_token, output_token; ret32(c, hContext); ret32(c, flags); retdata(c, in_token); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) hContext = 0; if (in_token.length) { input_token.length = in_token.length; input_token.value = in_token.data; } else { input_token.length = 0; input_token.value = NULL; } maj_stat = gss_accept_sec_context(&min_stat, &ctx, GSS_C_NO_CREDENTIAL, &input_token, GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, &output_token, &ret_flags, NULL, &deleg_cred); if (GSS_ERROR(maj_stat)) { if (hContext != 0) del_handle(&c->handles, hContext); logmessage(c, __FILE__, __LINE__, 0, "gss_accept_sec_context returns code: %d/%d", maj_stat, min_stat); new_context_id = 0; } else { if (hContext == 0) new_context_id = add_handle(c, handle_context, ctx); else new_context_id = hContext; } if (output_token.length) { out_token.data = output_token.value; out_token.length = output_token.length; } if ((ret_flags & GSS_C_DCE_STYLE) != 0) logmessage(c, __FILE__, __LINE__, 0, "accept_sec_context dce-style"); if ((ret_flags & GSS_C_DELEG_FLAG) != 0) { deleg_hcred = add_handle(c, handle_cred, deleg_cred); logmessage(c, __FILE__, __LINE__, 0, "accept_context delegated handle: %d", deleg_hcred); } else { gss_release_cred(&min_stat, &deleg_cred); deleg_hcred = 0; } gsm_error = convert_gss_to_gsm(maj_stat); put32(c, new_context_id); put32(c, gsm_error); putdata(c, out_token); put32(c, deleg_hcred); if (output_token.length) gss_release_buffer(&min_stat, &output_token); krb5_data_free(&in_token); return 0; }
static int HandleOP(WrapExt) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, bflags; krb5_data token, header, trailer; gss_ctx_id_t ctx; unsigned char *p; int conf_state, iov_len; gss_iov_buffer_desc iov[6]; ret32(c, hContext); ret32(c, flags); ret32(c, bflags); retdata(c, header); retdata(c, token); retdata(c, trailer); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "wrap: reference to unknown context"); memset(&iov, 0, sizeof(iov)); iov_len = sizeof(iov)/sizeof(iov[0]); if (bflags & WRAP_EXP_ONLY_HEADER) iov_len -= 2; /* skip trailer and padding, aka dce-style */ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; if (header.length != 0) { iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[1].buffer.length = header.length; iov[1].buffer.value = header.data; } else { iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY; } iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; iov[2].buffer.length = token.length; iov[2].buffer.value = token.data; if (trailer.length != 0) { iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[3].buffer.length = trailer.length; iov[3].buffer.value = trailer.data; } else { iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY; } iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; maj_stat = gss_wrap_iov_length(&min_stat, ctx, flags, 0, &conf_state, iov, iov_len); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_wrap_iov_length failed"); maj_stat = gss_wrap_iov(&min_stat, ctx, flags, 0, &conf_state, iov, iov_len); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_wrap_iov failed"); krb5_data_free(&token); token.length = iov[0].buffer.length + iov[2].buffer.length + iov[4].buffer.length + iov[5].buffer.length; token.data = malloc(token.length); p = token.data; memcpy(p, iov[0].buffer.value, iov[0].buffer.length); p += iov[0].buffer.length; memcpy(p, iov[2].buffer.value, iov[2].buffer.length); p += iov[2].buffer.length; memcpy(p, iov[4].buffer.value, iov[4].buffer.length); p += iov[4].buffer.length; memcpy(p, iov[5].buffer.value, iov[5].buffer.length); p += iov[5].buffer.length; gss_release_iov_buffer(NULL, iov, iov_len); put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); free(token.data); return 0; }
static int HandleOP(UnwrapExt) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, bflags; krb5_data token, header, trailer; gss_ctx_id_t ctx; gss_iov_buffer_desc iov[3]; int conf_state, iov_len; gss_qop_t qop_state; ret32(c, hContext); ret32(c, flags); ret32(c, bflags); retdata(c, header); retdata(c, token); retdata(c, trailer); iov_len = sizeof(iov)/sizeof(iov[0]); if (bflags & WRAP_EXP_ONLY_HEADER) iov_len -= 1; /* skip trailer and padding, aka dce-style */ ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "unwrap: reference to unknown context"); if (header.length != 0) { iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[0].buffer.length = header.length; iov[0].buffer.value = header.data; } else { iov[0].type = GSS_IOV_BUFFER_TYPE_EMPTY; } iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.length = token.length; iov[1].buffer.value = token.data; if (trailer.length != 0) { iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[2].buffer.length = trailer.length; iov[2].buffer.value = trailer.data; } else { iov[2].type = GSS_IOV_BUFFER_TYPE_EMPTY; } maj_stat = gss_unwrap_iov(&min_stat, ctx, &conf_state, &qop_state, iov, iov_len); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat); if (maj_stat == GSS_S_COMPLETE) { token.data = iov[1].buffer.value; token.length = iov[1].buffer.length; } else { token.data = NULL; token.length = 0; } put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); return 0; }
static int HandleOP(InitContext) { OM_uint32 maj_stat, min_stat, ret_flags; int32_t hContext, hCred, flags; krb5_data target_name, in_token; int32_t new_context_id = 0, gsm_error = 0; krb5_data out_token = { 0 , NULL }; gss_ctx_id_t ctx; gss_cred_id_t creds; gss_name_t gss_target_name; gss_buffer_desc input_token, output_token; gss_OID oid = GSS_C_NO_OID; gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER; ret32(c, hContext); ret32(c, hCred); ret32(c, flags); retdata(c, target_name); retdata(c, in_token); logmessage(c, __FILE__, __LINE__, 0, "targetname: <%.*s>", (int)target_name.length, (char *)target_name.data); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) hContext = 0; creds = find_handle(c->handles, hCred, handle_cred); if (creds == NULL) abort(); input_token.length = target_name.length; input_token.value = target_name.data; maj_stat = gss_import_name(&min_stat, &input_token, GSS_KRB5_NT_PRINCIPAL_NAME, &gss_target_name); if (GSS_ERROR(maj_stat)) { logmessage(c, __FILE__, __LINE__, 0, "import name creds failed with: %d", maj_stat); gsm_error = convert_gss_to_gsm(maj_stat); goto out; } /* oid from flags */ if (in_token.length) { input_token.length = in_token.length; input_token.value = in_token.data; input_token_ptr = &input_token; if (ctx == NULL) krb5_errx(context, 1, "initcreds, context NULL, but not first req"); } else { input_token.length = 0; input_token.value = NULL; if (ctx) krb5_errx(context, 1, "initcreds, context not NULL, but first req"); } if ((flags & GSS_C_DELEG_FLAG) != 0) logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating"); if ((flags & GSS_C_DCE_STYLE) != 0) logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style"); maj_stat = gss_init_sec_context(&min_stat, creds, &ctx, gss_target_name, oid, flags & 0x7f, 0, NULL, input_token_ptr, NULL, &output_token, &ret_flags, NULL); if (GSS_ERROR(maj_stat)) { if (hContext != 0) del_handle(&c->handles, hContext); new_context_id = 0; logmessage(c, __FILE__, __LINE__, 0, "gss_init_sec_context returns code: %d/%d", maj_stat, min_stat); } else { if (input_token.length == 0) new_context_id = add_handle(c, handle_context, ctx); else new_context_id = hContext; } gsm_error = convert_gss_to_gsm(maj_stat); if (output_token.length) { out_token.data = output_token.value; out_token.length = output_token.length; } out: logmessage(c, __FILE__, __LINE__, 0, "InitContext return code: %d", gsm_error); put32(c, new_context_id); put32(c, gsm_error); putdata(c, out_token); gss_release_name(&min_stat, &gss_target_name); if (output_token.length) gss_release_buffer(&min_stat, &output_token); krb5_data_free(&in_token); krb5_data_free(&target_name); return 0; }