static void gp_set_cred_options(gssx_cred *cred, gss_cred_id_t gss_cred)
{
struct gssx_cred_element *ce;
struct gssx_option *op;
uint32_t num_ktypes = 0;
krb5_enctype *ktypes;
uint32_t maj, min;
int i, j;
for (i = 0; i < cred->elements.elements_len; i++) {
ce = &cred->elements.elements_val[i];
for (j = 0; j < ce->options.options_len; j++) {
op = &ce->options.options_val[j];
if ((op->option.octet_string_len ==
sizeof(KRB5_SET_ALLOWED_ENCTYPE)) &&
(strncmp(KRB5_SET_ALLOWED_ENCTYPE,
op->option.octet_string_val,
op->option.octet_string_len) == 0)) {
num_ktypes = op->value.octet_string_len / sizeof(krb5_enctype);
ktypes = (krb5_enctype *)op->value.octet_string_val;
break;
}
}
}
if (num_ktypes) {
maj = gss_krb5_set_allowable_enctypes(&min, gss_cred,
num_ktypes, ktypes);
if (maj != GSS_S_COMPLETE) {
GPDEBUG("Failed to set allowable enctypes\n");
}
}
}
int
main(int argc, char *argv[])
{
krb5_error_code ret;
krb5_context kctx = NULL;
krb5_enctype *ienc = NULL, *aenc = NULL, zero = 0;
OM_uint32 minor, major, flags;
gss_name_t tname;
gss_cred_id_t icred = GSS_C_NO_CREDENTIAL, acred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t ictx, actx;
gss_krb5_lucid_context_v1_t *ilucid, *alucid;
gss_krb5_rfc1964_keydata_t *i1964, *a1964;
gss_krb5_cfx_keydata_t *icfx, *acfx;
size_t count;
void *lptr;
int c;
ret = krb5_init_context(&kctx);
check_k5err(kctx, "krb5_init_context", ret);
/* Parse arguments. */
while ((c = getopt(argc, argv, "i:a:")) != -1) {
switch (c) {
case 'i':
ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &ienc);
check_k5err(kctx, "krb5_parse_enctype_list(initiator)", ret);
break;
case 'a':
ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &aenc);
check_k5err(kctx, "krb5_parse_enctype_list(acceptor)", ret);
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc != 1)
usage();
tname = import_name(*argv);
if (ienc != NULL) {
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
&mechset_krb5, GSS_C_INITIATE, &icred, NULL,
NULL);
check_gsserr("gss_acquire_cred(initiator)", major, minor);
for (count = 0; ienc[count]; count++);
major = gss_krb5_set_allowable_enctypes(&minor, icred, count, ienc);
check_gsserr("gss_krb5_set_allowable_enctypes(init)", major, minor);
}
if (aenc != NULL) {
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
&mechset_krb5, GSS_C_ACCEPT, &acred, NULL,
NULL);
check_gsserr("gss_acquire_cred(acceptor)", major, minor);
for (count = 0; aenc[count]; count++);
major = gss_krb5_set_allowable_enctypes(&minor, acred, count, aenc);
check_gsserr("gss_krb5_set_allowable_enctypes(acc)", major, minor);
}
flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx,
NULL, NULL, NULL);
/* Export to lucid contexts. */
major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr);
check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor);
ilucid = lptr;
major = gss_krb5_export_lucid_sec_context(&minor, &actx, 1, &lptr);
check_gsserr("gss_export_lucid_sec_context(acceptor)", major, minor);
alucid = lptr;
/* Grab the session keys and make sure they match. */
if (ilucid->protocol != alucid->protocol)
errout("Initiator/acceptor protocol mismatch");
if (ilucid->protocol) {
icfx = &ilucid->cfx_kd;
acfx = &alucid->cfx_kd;
if (icfx->have_acceptor_subkey != acfx->have_acceptor_subkey)
errout("Initiator/acceptor have_acceptor_subkey mismatch");
check_key_match(&icfx->ctx_key, &acfx->ctx_key);
if (icfx->have_acceptor_subkey)
check_key_match(&icfx->acceptor_subkey, &acfx->acceptor_subkey);
fputs("cfx ", stdout);
display_enctype(icfx->ctx_key.type);
if (icfx->have_acceptor_subkey) {
fputs(" ", stdout);
display_enctype(icfx->acceptor_subkey.type);
}
fputs("\n", stdout);
} else {
i1964 = &ilucid->rfc1964_kd;
a1964 = &alucid->rfc1964_kd;
if (i1964->sign_alg != a1964->sign_alg ||
i1964->seal_alg != a1964->seal_alg)
errout("Initiator/acceptor sign or seal alg mismatch");
check_key_match(&i1964->ctx_key, &a1964->ctx_key);
fputs("rfc1964 ", stdout);
display_enctype(i1964->ctx_key.type);
fputs("\n", stdout);
}
krb5_free_context(kctx);
free(ienc);
free(aenc);
(void)gss_release_name(&minor, &tname);
(void)gss_release_cred(&minor, &icred);
(void)gss_release_cred(&minor, &acred);
(void)gss_delete_sec_context(&minor, &ictx, NULL);
(void)gss_delete_sec_context(&minor, &actx, NULL);
(void)gss_krb5_free_lucid_sec_context(&minor, ilucid);
(void)gss_krb5_free_lucid_sec_context(&minor, alucid);
return 0;
}
_PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc,
const char **error_string)
{
int ret = 0;
OM_uint32 maj_stat, min_stat;
struct gssapi_creds_container *gcc;
struct ccache_container *ccache;
#ifdef SAMBA4_USES_HEIMDAL
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
#endif
krb5_enctype *etypes = NULL;
if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
bool expired = false;
OM_uint32 lifetime = 0;
gss_cred_usage_t usage = 0;
maj_stat = gss_inquire_cred(&min_stat, cred->client_gss_creds->creds,
NULL, &lifetime, &usage, NULL);
if (maj_stat == GSS_S_CREDENTIALS_EXPIRED) {
DEBUG(3, ("Credentials for %s expired, must refresh credentials cache\n", cli_credentials_get_principal(cred, cred)));
expired = true;
} else if (maj_stat == GSS_S_COMPLETE && lifetime < 300) {
DEBUG(3, ("Credentials for %s will expire shortly (%u sec), must refresh credentials cache\n", cli_credentials_get_principal(cred, cred), lifetime));
expired = true;
} else if (maj_stat != GSS_S_COMPLETE) {
*error_string = talloc_asprintf(cred, "inquiry of credential lifefime via GSSAPI gss_inquire_cred failed: %s\n",
gssapi_error_string(cred, maj_stat, min_stat, NULL));
return EINVAL;
}
if (expired) {
cli_credentials_unconditionally_invalidate_client_gss_creds(cred);
} else {
DEBUG(5, ("GSSAPI credentials for %s will expire in %u secs\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
*_gcc = cred->client_gss_creds;
return 0;
}
}
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache, error_string);
if (ret) {
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
} else {
DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string));
}
return ret;
}
gcc = talloc(cred, struct gssapi_creds_container);
if (!gcc) {
(*error_string) = error_message(ENOMEM);
return ENOMEM;
}
maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
if ((maj_stat == GSS_S_FAILURE) && (min_stat == (OM_uint32)KRB5_CC_END || min_stat == (OM_uint32) KRB5_CC_NOTFOUND)) {
/* This CCACHE is no good. Ensure we don't use it again */
cli_credentials_unconditionally_invalidate_ccache(cred);
/* Now try again to get a ccache */
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache, error_string);
if (ret) {
DEBUG(1, ("Failed to re-get CCACHE for GSSAPI client: %s\n", error_message(ret)));
return ret;
}
maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
}
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
(*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
return ret;
}
/*
* transfer the enctypes from the smb_krb5_context to the gssapi layer
*
* We use 'our' smb_krb5_context to do the AS-REQ and it is possible
* to configure the enctypes via the krb5.conf.
*
* And the gss_init_sec_context() creates it's own krb5_context and
* the TGS-REQ had all enctypes in it and only the ones configured
* and used for the AS-REQ, so it wasn't possible to disable the usage
* of AES keys.
*/
min_stat = get_kerberos_allowed_etypes(ccache->smb_krb5_context->krb5_context,
&etypes);
if (min_stat == 0) {
OM_uint32 num_ktypes;
for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++);
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
num_ktypes,
(int32_t *) etypes);
SAFE_FREE(etypes);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
(*error_string) = talloc_asprintf(cred, "gss_krb5_set_allowable_enctypes failed: %s", error_message(ret));
return ret;
}
}
#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
GSS_KRB5_CRED_NO_CI_FLAGS_X,
&empty_buffer);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
(*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret));
return ret;
}
#endif
cred->client_gss_creds_obtained = cred->ccache_obtained;
talloc_set_destructor(gcc, free_gssapi_creds);
cred->client_gss_creds = gcc;
*_gcc = gcc;
return 0;
}
int
main(int argc, char **argv)
{
gss_OID_set oidset = GSS_C_NULL_OID_SET;
gss_OID mechoid = GSS_C_NO_OID;
OM_uint32 maj_stat, min_stat;
gss_cred_id_t cred;
gss_name_t target = GSS_C_NO_NAME;
int i, optidx = 0;
gss_cred_usage_t cred_usage = GSS_C_BOTH;
gss_OID type = GSS_C_NT_HOSTBASED_SERVICE;
gss_key_value_set_desc store, *storep = GSS_C_NO_CRED_STORE;
gss_key_value_element_desc elements[2];
store.count = 0;
store.elements = elements;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc != 0)
usage(1);
if (acquire_type) {
if (strcasecmp(acquire_type, "both") == 0)
cred_usage = GSS_C_BOTH;
else if (strcasecmp(acquire_type, "accept") == 0)
cred_usage = GSS_C_ACCEPT;
else if (strcasecmp(acquire_type, "initiate") == 0)
cred_usage = GSS_C_INITIATE;
else
errx(1, "unknown type %s", acquire_type);
}
if (name_type) {
if (strcasecmp("hostbased-service", name_type) == 0)
type = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcasecmp("user-name", name_type) == 0)
type = GSS_C_NT_USER_NAME;
else
errx(1, "unknown name type %s", name_type);
}
if (ccache) {
store.elements[store.count].key = "ccache";
store.elements[store.count].value = ccache;
store.count++;
}
if (client_keytab) {
store.elements[store.count].key = "client_keytab";
store.elements[store.count].value = client_keytab;
store.count++;
}
if (store.count)
storep = &store;
if (kerberos_flag) {
mechoid = GSS_KRB5_MECHANISM;
maj_stat = gss_create_empty_oid_set(&min_stat, &oidset);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_create_empty_oid_set: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
maj_stat = gss_add_oid_set_member(&min_stat, GSS_KRB5_MECHANISM, &oidset);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_add_oid_set_member: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (target_name) {
gss_buffer_desc name;
name.value = target_name;
name.length = strlen(target_name);
maj_stat = gss_import_name(&min_stat, &name,
GSS_C_NT_HOSTBASED_SERVICE, &target);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_import_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
for (i = 0; i < num_loops; i++) {
cred = acquire_cred_service(acquire_name, type, oidset, cred_usage, storep);
if (enctype) {
int32_t enctypelist = enctype;
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, cred,
1, &enctypelist);
if (maj_stat)
errx(1, "gss_krb5_set_allowable_enctypes: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (target) {
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_buffer_desc out;
out.length = 0;
out.value = NULL;
maj_stat = gss_init_sec_context(&min_stat,
cred, &context,
target, mechoid,
GSS_C_MUTUAL_FLAG, 0, NULL,
GSS_C_NO_BUFFER, NULL,
&out, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
errx(1, "init_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
gss_release_buffer(&min_stat, &out);
gss_delete_sec_context(&min_stat, &context, NULL);
}
gss_release_cred(&min_stat, &cred);
}
return 0;
}
int
main(int argc, char **argv)
{
struct module_stat stat;
int mod;
int syscall_num;
stat.version = sizeof(stat);
mod = modfind("gsstest_syscall");
if (mod < 0) {
fprintf(stderr, "%s: kernel support not present\n", argv[0]);
exit(1);
}
modstat(mod, &stat);
syscall_num = stat.data.intval;
switch (atoi(argv[1])) {
case 1:
syscall(syscall_num, 1, NULL, NULL);
break;
case 2: {
struct gsstest_2_args args;
struct gsstest_2_res res;
char hostname[512];
char token_buffer[8192];
OM_uint32 maj_stat, min_stat;
gss_ctx_id_t client_context = GSS_C_NO_CONTEXT;
gss_cred_id_t client_cred;
gss_OID mech_type = GSS_C_NO_OID;
gss_buffer_desc name_buf, message_buf;
gss_name_t name;
int32_t enctypes[] = {
ETYPE_DES_CBC_CRC,
ETYPE_ARCFOUR_HMAC_MD5,
ETYPE_ARCFOUR_HMAC_MD5_56,
ETYPE_AES256_CTS_HMAC_SHA1_96,
ETYPE_AES128_CTS_HMAC_SHA1_96,
ETYPE_DES3_CBC_SHA1,
};
int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
int established;
int i;
for (i = 0; i < num_enctypes; i++) {
printf("testing etype %d\n", enctypes[i]);
args.output_token.length = sizeof(token_buffer);
args.output_token.value = token_buffer;
gethostname(hostname, sizeof(hostname));
snprintf(token_buffer, sizeof(token_buffer),
"nfs@%s", hostname);
name_buf.length = strlen(token_buffer);
name_buf.value = token_buffer;
maj_stat = gss_import_name(&min_stat, &name_buf,
GSS_C_NT_HOSTBASED_SERVICE, &name);
if (GSS_ERROR(maj_stat)) {
printf("gss_import_name failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME,
0, GSS_C_NO_OID_SET, GSS_C_INITIATE, &client_cred,
NULL, NULL);
if (GSS_ERROR(maj_stat)) {
printf("gss_acquire_cred (client) failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat,
client_cred, 1, &enctypes[i]);
if (GSS_ERROR(maj_stat)) {
printf("gss_krb5_set_allowable_enctypes failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
res.output_token.length = 0;
res.output_token.value = 0;
established = 0;
while (!established) {
maj_stat = gss_init_sec_context(&min_stat,
client_cred,
&client_context,
name,
GSS_C_NO_OID,
(GSS_C_MUTUAL_FLAG
|GSS_C_CONF_FLAG
|GSS_C_INTEG_FLAG
|GSS_C_SEQUENCE_FLAG
|GSS_C_REPLAY_FLAG),
0,
GSS_C_NO_CHANNEL_BINDINGS,
&res.output_token,
&mech_type,
&args.input_token,
NULL,
NULL);
if (GSS_ERROR(maj_stat)) {
printf("gss_init_sec_context failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
if (args.input_token.length) {
args.step = 1;
syscall(syscall_num, 2, &args, &res);
gss_release_buffer(&min_stat,
&args.input_token);
if (res.maj_stat != GSS_S_COMPLETE
&& res.maj_stat != GSS_S_CONTINUE_NEEDED) {
printf("gss_accept_sec_context (kernel) failed\n");
report_error(mech_type, res.maj_stat,
res.min_stat);
goto out;
}
}
if (maj_stat == GSS_S_COMPLETE)
established = 1;
}
message_buf.value = "Hello world";
message_buf.length = strlen((char *) message_buf.value);
maj_stat = gss_get_mic(&min_stat, client_context,
GSS_C_QOP_DEFAULT, &message_buf, &args.input_token);
if (GSS_ERROR(maj_stat)) {
printf("gss_get_mic failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
args.step = 2;
syscall(syscall_num, 2, &args, &res);
gss_release_buffer(&min_stat, &args.input_token);
if (GSS_ERROR(res.maj_stat)) {
printf("kernel gss_verify_mic failed\n");
report_error(mech_type, res.maj_stat, res.min_stat);
goto out;
}
maj_stat = gss_verify_mic(&min_stat, client_context,
&message_buf, &res.output_token, NULL);
if (GSS_ERROR(maj_stat)) {
printf("gss_verify_mic failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
maj_stat = gss_wrap(&min_stat, client_context,
TRUE, GSS_C_QOP_DEFAULT, &message_buf, NULL,
&args.input_token);
if (GSS_ERROR(maj_stat)) {
printf("gss_wrap failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
args.step = 3;
syscall(syscall_num, 2, &args, &res);
gss_release_buffer(&min_stat, &args.input_token);
if (GSS_ERROR(res.maj_stat)) {
printf("kernel gss_unwrap failed\n");
report_error(mech_type, res.maj_stat, res.min_stat);
goto out;
}
maj_stat = gss_unwrap(&min_stat, client_context,
&res.output_token, &message_buf, NULL, NULL);
if (GSS_ERROR(maj_stat)) {
printf("gss_unwrap failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
gss_release_buffer(&min_stat, &message_buf);
maj_stat = gss_wrap(&min_stat, client_context,
FALSE, GSS_C_QOP_DEFAULT, &message_buf, NULL,
&args.input_token);
if (GSS_ERROR(maj_stat)) {
printf("gss_wrap failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
args.step = 4;
syscall(syscall_num, 2, &args, &res);
gss_release_buffer(&min_stat, &args.input_token);
if (GSS_ERROR(res.maj_stat)) {
printf("kernel gss_unwrap failed\n");
report_error(mech_type, res.maj_stat, res.min_stat);
goto out;
}
maj_stat = gss_unwrap(&min_stat, client_context,
&res.output_token, &message_buf, NULL, NULL);
if (GSS_ERROR(maj_stat)) {
printf("gss_unwrap failed\n");
report_error(mech_type, maj_stat, min_stat);
goto out;
}
gss_release_buffer(&min_stat, &message_buf);
args.step = 5;
syscall(syscall_num, 2, &args, &res);
gss_release_name(&min_stat, &name);
gss_release_cred(&min_stat, &client_cred);
gss_delete_sec_context(&min_stat, &client_context,
GSS_C_NO_BUFFER);
}
break;
}
case 3:
syscall(syscall_num, 3, NULL, NULL);
break;
case 4:
syscall(syscall_num, 4, NULL, NULL);
break;
}
return (0);
out:
return (1);
}
int
main(int argc, char **argv)
{
int optind = 0;
OM_uint32 min_stat, maj_stat;
gss_ctx_id_t cctx, sctx;
void *ctx;
gss_OID nameoid, mechoid, actual_mech, actual_mech2;
gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
gss_name_t cname = GSS_C_NO_NAME;
gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER;
setprogname(argv[0]);
init_o2n();
if (krb5_init_context(&context))
errx(1, "krb5_init_context");
cctx = sctx = GSS_C_NO_CONTEXT;
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
if (argc != 1)
usage(1);
if (dns_canon_flag != -1)
gsskrb5_set_dns_canonicalize(dns_canon_flag);
if (type_string == NULL)
nameoid = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcmp(type_string, "hostbased-service") == 0)
nameoid = GSS_C_NT_HOSTBASED_SERVICE;
else if (strcmp(type_string, "krb5-principal-name") == 0)
nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
else
errx(1, "%s not suppported", type_string);
if (mech_string == NULL)
mechoid = GSS_KRB5_MECHANISM;
else
mechoid = string_to_oid(mech_string);
if (gsskrb5_acceptor_identity) {
maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
if (maj_stat)
errx(1, "gsskrb5_acceptor_identity: %s",
gssapi_err(maj_stat, 0, GSS_C_NO_OID));
}
if (client_password) {
credential_data.value = client_password;
credential_data.length = strlen(client_password);
}
if (client_name) {
gss_buffer_desc cn;
cn.value = client_name;
cn.length = strlen(client_name);
maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
if (maj_stat)
errx(1, "gss_import_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (client_password) {
maj_stat = gss_acquire_cred_with_password(&min_stat,
cname,
&credential_data,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred_with_password: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
} else {
maj_stat = gss_acquire_cred(&min_stat,
cname,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_cred,
NULL,
NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_acquire_cred: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
if (limit_enctype_string) {
krb5_error_code ret;
ret = krb5_string_to_enctype(context,
limit_enctype_string,
&limit_enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
}
if (limit_enctype) {
if (client_cred == NULL)
errx(1, "client_cred missing");
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
1, &limit_enctype);
if (maj_stat)
errx(1, "gss_krb5_set_allowable_enctypes: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
loop(mechoid, nameoid, argv[0], client_cred,
&sctx, &cctx, &actual_mech, &deleg_cred);
if (verbose_flag)
printf("resulting mech: %s\n", oid_to_string(actual_mech));
if (ret_mech_string) {
gss_OID retoid;
retoid = string_to_oid(ret_mech_string);
if (gss_oid_equal(retoid, actual_mech) == 0)
errx(1, "actual_mech mech is not the expected type %s",
ret_mech_string);
}
/* XXX should be actual_mech */
if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
time_t time;
gss_buffer_desc authz_data;
gss_buffer_desc in, out1, out2;
krb5_keyblock *keyblock, *keyblock2;
krb5_timestamp now;
krb5_error_code ret;
ret = krb5_timeofday(context, &now);
if (ret)
errx(1, "krb5_timeofday failed");
/* client */
maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
&cctx,
1, /* version */
&ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
/* server */
maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
&sctx,
1, /* version */
&ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
sctx,
&time);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (time > now)
errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
"time authtime is before now: %ld %ld",
(long)time, (long)now);
maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gsskrb5_export_service_keyblock failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
krb5_free_keyblock(context, keyblock);
maj_stat = gsskrb5_get_subkey(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_subkey server failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat != GSS_S_COMPLETE)
keyblock = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
maj_stat = gsskrb5_get_subkey(&min_stat,
cctx,
&keyblock2);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_subkey client failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat != GSS_S_COMPLETE)
keyblock2 = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
if (keyblock || keyblock2) {
if (keyblock == NULL)
errx(1, "server missing token keyblock");
if (keyblock2 == NULL)
errx(1, "client missing token keyblock");
if (keyblock->keytype != keyblock2->keytype)
errx(1, "enctype mismatch");
if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
errx(1, "key length mismatch");
if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
keyblock2->keyvalue.length) != 0)
errx(1, "key data mismatch");
}
if (session_enctype_string) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context,
session_enctype_string,
&enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
if (enctype != keyblock->keytype)
errx(1, "keytype is not the expected %d != %d",
(int)enctype, (int)keyblock2->keytype);
}
if (keyblock)
krb5_free_keyblock(context, keyblock);
if (keyblock2)
krb5_free_keyblock(context, keyblock2);
maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
sctx,
&keyblock);
if (maj_stat != GSS_S_COMPLETE
&& (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
errx(1, "gsskrb5_get_initiator_subkey failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat == GSS_S_COMPLETE) {
if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
krb5_free_keyblock(context, keyblock);
}
maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
sctx,
128,
&authz_data);
if (maj_stat == GSS_S_COMPLETE)
gss_release_buffer(&min_stat, &authz_data);
memset(&out1, 0, sizeof(out1));
memset(&out2, 0, sizeof(out2));
in.value = "foo";
in.length = 3;
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
100, &out1);
gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
100, &out2);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
100, &out1);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_release_buffer(&min_stat, &out2);
in.value = "bar";
in.length = 3;
gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
100, &out1);
gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
100, &out2);
if (out1.length != out2.length)
errx(1, "prf len mismatch");
if (memcmp(out1.value, out2.value, out1.length) != 0)
errx(1, "prf data mismatch");
gss_release_buffer(&min_stat, &out1);
gss_release_buffer(&min_stat, &out2);
wrapunwrap_flag = 1;
getverifymic_flag = 1;
}
if (wrapunwrap_flag) {
wrapunwrap(cctx, sctx, 0, actual_mech);
wrapunwrap(cctx, sctx, 1, actual_mech);
wrapunwrap(sctx, cctx, 0, actual_mech);
wrapunwrap(sctx, cctx, 1, actual_mech);
}
if (iov_flag) {
wrapunwrap_iov(cctx, sctx, 0, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
/* works */
wrapunwrap_iov(cctx, sctx, 0, actual_mech);
wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
}
if (getverifymic_flag) {
getverifymic(cctx, sctx, actual_mech);
getverifymic(cctx, sctx, actual_mech);
getverifymic(sctx, cctx, actual_mech);
getverifymic(sctx, cctx, actual_mech);
}
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
if (deleg_cred != GSS_C_NO_CREDENTIAL) {
gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
gss_buffer_desc cb;
if (verbose_flag)
printf("checking actual mech (%s) on delegated cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking spnego on delegated cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx,
&actual_mech2, &cred2);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
/* check export/import */
if (ei_flag) {
maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &cb);
gss_release_cred(&min_stat, &deleg_cred);
if (verbose_flag)
printf("checking actual mech (%s) on export/imported cred\n",
oid_to_string(actual_mech));
loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
/* try again using SPNEGO */
if (verbose_flag)
printf("checking SPNEGO on export/imported cred\n");
loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx,
&actual_mech2, &deleg_cred);
gss_release_cred(&min_stat, &deleg_cred);
gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL);
gss_release_cred(&min_stat, &cred2);
} else {
gss_release_cred(&min_stat, &deleg_cred);
}
}
empty_release();
krb5_free_context(context);
return 0;
}
