void nip::parse::Parser::import_element() {
block_start();
while (!is(DEDENT, RIGHT_BRACKET)) {
import_name();
}
block_end();
}
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_OID mech = (gss_OID)gss_mech_krb5;
gss_name_t name, mechname, impname;
gss_buffer_desc buf, buf2;
const char *name_arg;
char opt;
/* Parse arguments. */
while (argc > 1 && argv[1][0] == '-') {
opt = argv[1][1];
argc--, argv++;
if (opt == 'k')
mech = &mech_krb5;
else if (opt == 's')
mech = &mech_spnego;
else
usage();
}
if (argc != 2)
usage();
name_arg = argv[1];
/* Import the name. */
name = import_name(name_arg);
/* Canonicalize and export the name. */
major = gss_canonicalize_name(&minor, name, mech, &mechname);
check_gsserr("gss_canonicalize_name", major, minor);
major = gss_export_name(&minor, mechname, &buf);
check_gsserr("gss_export_name", major, minor);
/* Import and re-export the name, and compare the results. */
major = gss_import_name(&minor, &buf, GSS_C_NT_EXPORT_NAME, &impname);
check_gsserr("gss_export_name", major, minor);
major = gss_export_name(&minor, impname, &buf2);
check_gsserr("gss_export_name", major, minor);
if (buf.length != buf2.length ||
memcmp(buf.value, buf2.value, buf.length) != 0) {
fprintf(stderr, "Mismatched results:\n");
print_hex(stderr, &buf);
print_hex(stderr, &buf2);
return 1;
}
print_hex(stdout, &buf);
(void)gss_release_name(&minor, &name);
(void)gss_release_name(&minor, &mechname);
(void)gss_release_buffer(&minor, &buf);
(void)gss_release_buffer(&minor, &buf2);
return 0;
}
int
main(int argc, char *argv[])
{
OM_uint32 minor, major, flags;
gss_OID mech = &mech_krb5;
gss_name_t tname;
gss_buffer_desc itok, atok;
gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
if (argc != 2) {
fprintf(stderr, "Usage: %s targetname\n", argv[0]);
return 1;
}
tname = import_name(argv[1]);
/* Get the initial context token. */
flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname,
mech, flags, GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
NULL, &itok, NULL, NULL);
check_gsserr("gss_init_sec_context(1)", major, minor);
assert(major == GSS_S_CONTINUE_NEEDED);
/* Process this token into an acceptor context, then discard it. */
major = gss_accept_sec_context(&minor, &actx, GSS_C_NO_CREDENTIAL, &itok,
GSS_C_NO_CHANNEL_BINDINGS, NULL,
NULL, &atok, NULL, NULL, NULL);
check_gsserr("gss_accept_sec_context(1)", major, minor);
(void)gss_release_buffer(&minor, &atok);
(void)gss_delete_sec_context(&minor, &actx, NULL);
/* Process the same token again, producing a replay error. */
major = gss_accept_sec_context(&minor, &actx, GSS_C_NO_CREDENTIAL, &itok,
GSS_C_NO_CHANNEL_BINDINGS, NULL,
NULL, &atok, NULL, NULL, NULL);
check_replay_error("gss_accept_sec_context(2)", major, minor);
assert(atok.length != 0);
/* Send the error token back the initiator. */
(void)gss_release_buffer(&minor, &itok);
major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname,
mech, flags, GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS, &atok,
NULL, &itok, NULL, NULL);
check_replay_error("gss_init_sec_context(2)", major, minor);
(void)gss_release_name(&minor, &tname);
(void)gss_release_buffer(&minor, &itok);
(void)gss_release_buffer(&minor, &atok);
(void)gss_delete_sec_context(&minor, &ictx, NULL);
(void)gss_delete_sec_context(&minor, &actx, NULL);
return 0;
}
/* Simple embedding example */
int main() {
PyObject *pow_func;
double x;
Py_Initialize();
/* Get a reference to the math.pow function */
pow_func = import_name("math","pow");
/* Call it using our call_func() code */
for (x = 0.0; x < 10.0; x += 0.1) {
printf("%0.2f %0.2f\n", x, call_func(pow_func,x,2.0));
}
/* Done */
Py_DECREF(pow_func);
Py_Finalize();
return 0;
}
int
main(int argc, char **argv)
{
const char *name = "*****@*****.**";
OM_uint32 major, minor;
gss_name_t gss_name;
gss_buffer_desc buf;
gss_OID name_oid;
gss_name = import_name(name);
major = gss_display_name(&minor, gss_name, &buf, &name_oid);
check_gsserr("gss_display_name", major, minor);
printf("name is: %.*s\n", (int)buf.length, (char *)buf.value);
(void)gss_release_buffer(&minor, &buf);
major = gss_oid_to_str(&minor, name_oid, &buf);
check_gsserr("gss_oid_to_str", major, minor);
printf("name type is: %.*s\n", (int)buf.length, (char *)buf.value);
(void)gss_release_buffer(&minor, &buf);
(void)gss_release_name(&minor, &gss_name);
return 0;
}
static int
gss_auth(void *app_data, char *host)
{
OM_uint32 maj_stat, min_stat;
gss_name_t target_name;
gss_buffer_desc input, output_token;
int context_established = 0;
char *p;
int n;
gss_channel_bindings_t bindings;
struct gss_data *d = app_data;
const char *knames[] = { "ftp", "host", NULL }, **kname = knames;
if(import_name(*kname++, host, &target_name))
return AUTH_ERROR;
input.length = 0;
input.value = NULL;
bindings = malloc(sizeof(*bindings));
sockaddr_to_gss_address (myctladdr,
&bindings->initiator_addrtype,
&bindings->initiator_address);
sockaddr_to_gss_address (hisctladdr,
&bindings->acceptor_addrtype,
&bindings->acceptor_address);
bindings->application_data.length = 0;
bindings->application_data.value = NULL;
while(!context_established) {
maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&d->context_hdl,
target_name,
GSS_C_NO_OID,
GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
| GSS_C_DELEG_FLAG,
0,
bindings,
&input,
NULL,
&output_token,
NULL,
NULL);
if (GSS_ERROR(maj_stat)) {
OM_uint32 new_stat;
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
if(min_stat == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN && *kname != NULL) {
if(import_name(*kname++, host, &target_name))
return AUTH_ERROR;
continue;
}
gss_display_status(&new_stat,
min_stat,
GSS_C_MECH_CODE,
GSS_C_NO_OID,
&msg_ctx,
&status_string);
printf("Error initializing security context: %s\n",
(char*)status_string.value);
gss_release_buffer(&new_stat, &status_string);
return AUTH_CONTINUE;
}
gss_release_buffer(&min_stat, &input);
if (output_token.length != 0) {
base64_encode(output_token.value, output_token.length, &p);
gss_release_buffer(&min_stat, &output_token);
n = ftp_cmd("ADAT %s", p);
free(p);
}
if (GSS_ERROR(maj_stat)) {
if (d->context_hdl != GSS_C_NO_CONTEXT)
gss_delete_sec_context (&min_stat,
&d->context_hdl,
GSS_C_NO_BUFFER);
break;
}
if (maj_stat & GSS_S_CONTINUE_NEEDED) {
p = strstr(ftp->reply, "ADAT=");
if(p == NULL){
printf("Error: expected ADAT in reply. got: %s\n",
ftp->reply);
return AUTH_ERROR;
} else {
p+=5;
input.value = malloc(strlen(p));
input.length = base64_decode(p, input.value);
}
} else {
if(ftp->fullcode != 235) {
printf("Unrecognized response code: %d\n", ftp->fullcode);
return AUTH_ERROR;
}
context_established = 1;
}
}
return AUTH_OK;
}
int
main(int argc, char *argv[])
{
krb5_error_code ret;
krb5_context kctx = NULL;
krb5_enctype *ienc = NULL, *aenc = NULL, zero = 0;
OM_uint32 minor, major, flags;
gss_name_t tname;
gss_cred_id_t icred = GSS_C_NO_CREDENTIAL, acred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t ictx, actx;
gss_krb5_lucid_context_v1_t *ilucid, *alucid;
gss_krb5_rfc1964_keydata_t *i1964, *a1964;
gss_krb5_cfx_keydata_t *icfx, *acfx;
size_t count;
void *lptr;
int c;
ret = krb5_init_context(&kctx);
check_k5err(kctx, "krb5_init_context", ret);
/* Parse arguments. */
while ((c = getopt(argc, argv, "i:a:")) != -1) {
switch (c) {
case 'i':
ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &ienc);
check_k5err(kctx, "krb5_parse_enctype_list(initiator)", ret);
break;
case 'a':
ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &aenc);
check_k5err(kctx, "krb5_parse_enctype_list(acceptor)", ret);
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc != 1)
usage();
tname = import_name(*argv);
if (ienc != NULL) {
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
&mechset_krb5, GSS_C_INITIATE, &icred, NULL,
NULL);
check_gsserr("gss_acquire_cred(initiator)", major, minor);
for (count = 0; ienc[count]; count++);
major = gss_krb5_set_allowable_enctypes(&minor, icred, count, ienc);
check_gsserr("gss_krb5_set_allowable_enctypes(init)", major, minor);
}
if (aenc != NULL) {
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
&mechset_krb5, GSS_C_ACCEPT, &acred, NULL,
NULL);
check_gsserr("gss_acquire_cred(acceptor)", major, minor);
for (count = 0; aenc[count]; count++);
major = gss_krb5_set_allowable_enctypes(&minor, acred, count, aenc);
check_gsserr("gss_krb5_set_allowable_enctypes(acc)", major, minor);
}
flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx,
NULL, NULL, NULL);
/* Export to lucid contexts. */
major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr);
check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor);
ilucid = lptr;
major = gss_krb5_export_lucid_sec_context(&minor, &actx, 1, &lptr);
check_gsserr("gss_export_lucid_sec_context(acceptor)", major, minor);
alucid = lptr;
/* Grab the session keys and make sure they match. */
if (ilucid->protocol != alucid->protocol)
errout("Initiator/acceptor protocol mismatch");
if (ilucid->protocol) {
icfx = &ilucid->cfx_kd;
acfx = &alucid->cfx_kd;
if (icfx->have_acceptor_subkey != acfx->have_acceptor_subkey)
errout("Initiator/acceptor have_acceptor_subkey mismatch");
check_key_match(&icfx->ctx_key, &acfx->ctx_key);
if (icfx->have_acceptor_subkey)
check_key_match(&icfx->acceptor_subkey, &acfx->acceptor_subkey);
fputs("cfx ", stdout);
display_enctype(icfx->ctx_key.type);
if (icfx->have_acceptor_subkey) {
fputs(" ", stdout);
display_enctype(icfx->acceptor_subkey.type);
}
fputs("\n", stdout);
} else {
i1964 = &ilucid->rfc1964_kd;
a1964 = &alucid->rfc1964_kd;
if (i1964->sign_alg != a1964->sign_alg ||
i1964->seal_alg != a1964->seal_alg)
errout("Initiator/acceptor sign or seal alg mismatch");
check_key_match(&i1964->ctx_key, &a1964->ctx_key);
fputs("rfc1964 ", stdout);
display_enctype(i1964->ctx_key.type);
fputs("\n", stdout);
}
krb5_free_context(kctx);
free(ienc);
free(aenc);
(void)gss_release_name(&minor, &tname);
(void)gss_release_cred(&minor, &icred);
(void)gss_release_cred(&minor, &acred);
(void)gss_delete_sec_context(&minor, &ictx, NULL);
(void)gss_delete_sec_context(&minor, &actx, NULL);
(void)gss_krb5_free_lucid_sec_context(&minor, ilucid);
(void)gss_krb5_free_lucid_sec_context(&minor, alucid);
return 0;
}
int main()
{
void *celib, *k5lib, *gsslib, *celib2;
(void) setvbuf(stdout, 0, _IONBF, 0);
#if 0
/* Simplest test: Load, then unload out of order. */
celib = do_open("com_err", "3.0", 0);
k5lib = do_open("krb5", "3.2", 0);
gsslib = do_open("gssapi_krb5", "2.2", 0);
celib2 = do_open("com_err", "3.0", 0);
do_close(celib);
do_close(k5lib);
do_close(celib2);
do_close(gsslib);
#endif
celib = do_open("com_err", "3.0", 0);
k5lib = do_open("krb5", "3.2", 0);
gsslib = do_open("gssapi_krb5", "2.2", 0);
celib2 = do_open("com_err", "3.0", 0);
do_close(celib2);
{
typedef krb5_error_code KRB5_CALLCONV (*ict)(krb5_context *);
typedef void KRB5_CALLCONV (*fct)(krb5_context);
ict init_context = (ict) get_sym(k5lib, "krb5_init_context");
fct free_context = (fct) get_sym(k5lib, "krb5_free_context");
krb5_context ctx;
krb5_error_code err;
#define CALLING(S) (verbose ? printf("at line %d: calling %s...%*s", __LINE__, #S, (int)(HORIZ+1-strlen(#S)), "") : 0)
#define DONE() (verbose ? printf("done\n") : 0)
CALLING(krb5_init_context);
err = init_context(&ctx);
DONE();
if (err) {
fprintf(stderr, "error 0x%lx initializing context\n",
(unsigned long) err);
exit(1);
}
CALLING(krb5_free_context);
free_context(ctx);
DONE();
}
celib2 = do_open("com_err", "3.0", 0);
do_close(celib);
do_close(k5lib);
do_close(celib2);
do_close(gsslib);
/* Test gssapi_krb5 without having loaded anything else. */
gsslib = do_open("gssapi_krb5", "2.2", 1);
{
OM_uint32 KRB5_CALLCONV (*init_sec_context)(OM_uint32 *, gss_cred_id_t,
gss_ctx_id_t *, gss_name_t,
gss_OID,
OM_uint32, OM_uint32,
gss_channel_bindings_t,
gss_buffer_t, gss_OID *,
gss_buffer_t,
OM_uint32 *, OM_uint32 *)
= get_gfun(gsslib, "gss_init_sec_context");
OM_uint32 KRB5_CALLCONV (*import_name)(OM_uint32 *, gss_buffer_t,
gss_OID, gss_name_t *)
= get_gfun(gsslib, "gss_import_name");
OM_uint32 KRB5_CALLCONV (*release_buffer)(OM_uint32 *, gss_buffer_t)
= get_gfun(gsslib, "gss_release_buffer");
OM_uint32 KRB5_CALLCONV (*release_name)(OM_uint32 *, gss_name_t *)
= get_gfun(gsslib, "gss_release_name");
OM_uint32 KRB5_CALLCONV (*delete_sec_context)(OM_uint32 *,
gss_ctx_id_t *,
gss_buffer_t)
= get_gfun(gsslib, "gss_delete_sec_context");
OM_uint32 gmaj, gmin;
OM_uint32 retflags;
gss_ctx_id_t gctx = GSS_C_NO_CONTEXT;
gss_buffer_desc token;
gss_name_t target;
static gss_buffer_desc target_name_buf = {
9, "*****@*****.**"
};
static gss_OID_desc service_name = {
10, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"
};
CALLING(gss_import_name);
gmaj = import_name(&gmin, &target_name_buf, &service_name, &target);
DONE();
if (gmaj != GSS_S_COMPLETE) {
fprintf(stderr,
"import_name reports error major 0x%lx minor 0x%lx(%ld)\n",
(unsigned long) gmaj, (unsigned long) gmin,
(signed long) gmin);
exit(1);
}
/* This will probably get different errors, depending on
whether we have tickets at the time. Doesn't matter much,
we're ignoring the error and testing whether we're doing
cleanup properly. (Though the internal cleanup needed in
the two cases might be different.) */
CALLING(gss_init_sec_context);
gmaj = init_sec_context(&gmin, GSS_C_NO_CREDENTIAL, &gctx, target,
GSS_C_NULL_OID, 0, 0, NULL, GSS_C_NO_BUFFER,
NULL, &token, &retflags, NULL);
DONE();
/* Ignore success/failure indication. */
if (token.length) {
CALLING(gss_release_buffer);
release_buffer(&gmin, &token);
DONE();
}
CALLING(gss_release_name);
release_name(&gmin, &target);
DONE();
if (gctx != GSS_C_NO_CONTEXT) {
CALLING(gss_delete_sec_context);
delete_sec_context(&gmin, gctx, GSS_C_NO_BUFFER);
DONE();
}
}
do_close(gsslib);
/* Test gssapi_krb5 with com_err already loaded, then unload
com_err first. */
celib = do_open("com_err", "3.0", 1);
gsslib = do_open("gssapi_krb5", "2.2", 1);
{
OM_uint32 KRB5_CALLCONV (*init_sec_context)(OM_uint32 *, gss_cred_id_t,
gss_ctx_id_t *, gss_name_t,
gss_OID,
OM_uint32, OM_uint32,
gss_channel_bindings_t,
gss_buffer_t, gss_OID *,
gss_buffer_t,
OM_uint32 *, OM_uint32 *)
= get_gfun(gsslib, "gss_init_sec_context");
OM_uint32 KRB5_CALLCONV (*import_name)(OM_uint32 *, gss_buffer_t,
gss_OID, gss_name_t *)
= get_gfun(gsslib, "gss_import_name");
OM_uint32 KRB5_CALLCONV (*release_buffer)(OM_uint32 *, gss_buffer_t)
= get_gfun(gsslib, "gss_release_buffer");
OM_uint32 KRB5_CALLCONV (*release_name)(OM_uint32 *, gss_name_t *)
= get_gfun(gsslib, "gss_release_name");
OM_uint32 KRB5_CALLCONV (*delete_sec_context)(OM_uint32 *,
gss_ctx_id_t *,
gss_buffer_t)
= get_gfun(gsslib, "gss_delete_sec_context");
OM_uint32 gmaj, gmin;
OM_uint32 retflags;
gss_ctx_id_t gctx = GSS_C_NO_CONTEXT;
gss_buffer_desc token;
gss_name_t target;
static gss_buffer_desc target_name_buf = {
9, "*****@*****.**"
};
static gss_OID_desc service_name = {
10, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"
};
CALLING(gss_import_name);
gmaj = import_name(&gmin, &target_name_buf, &service_name, &target);
DONE();
if (gmaj != GSS_S_COMPLETE) {
fprintf(stderr,
"import_name reports error major 0x%lx minor 0x%lx(%ld)\n",
(unsigned long) gmaj, (unsigned long) gmin,
(signed long) gmin);
exit(1);
}
/* This will probably get different errors, depending on
whether we have tickets at the time. Doesn't matter much,
we're ignoring the error and testing whether we're doing
cleanup properly. (Though the internal cleanup needed in
the two cases might be different.) */
CALLING(gss_init_sec_context);
gmaj = init_sec_context(&gmin, GSS_C_NO_CREDENTIAL, &gctx, target,
GSS_C_NULL_OID, 0, 0, NULL, GSS_C_NO_BUFFER,
NULL, &token, &retflags, NULL);
DONE();
/* Ignore success/failure indication. */
if (token.length) {
CALLING(gss_release_buffer);
release_buffer(&gmin, &token);
DONE();
}
CALLING(gss_release_name);
release_name(&gmin, &target);
DONE();
if (gctx != GSS_C_NO_CONTEXT) {
CALLING(gss_delete_sec_context);
delete_sec_context(&gmin, gctx, GSS_C_NO_BUFFER);
DONE();
}
}
do_close(celib);
do_close(gsslib);
return 0;
}
// RUN: %clang_cc1 -triple wasm32-unknown-unknown-wasm -emit-llvm -o - %s | FileCheck %s
void __attribute__((import_name("bar"))) foo(void);
void call(void) {
foo();
}
// CHECK: declare void @foo() [[A:#[0-9]+]]
// CHECK: attributes [[A]] = {{{.*}} "wasm-import-name"="bar" {{.*}}}
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t initiator_cred = GSS_C_NO_CREDENTIAL;
gss_name_t target_name, initiator_name = GSS_C_NO_NAME;
gss_name_t real_initiator_name;
gss_buffer_desc token, tmp, namebuf;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
if (argc < 2 || argc > 3) {
fprintf(stderr, "Usage: %s targetname [initiatorname|-]\n", argv[0]);
return 1;
}
target_name = import_name(argv[1]);
if (argc >= 3) {
/* Get initiator cred. */
if (strcmp(argv[2], "-") != 0)
initiator_name = import_name(argv[2]);
major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_INITIATE,
&initiator_cred, NULL, NULL);
check_gsserr("gss_acquire_cred", major, minor);
}
/* Create krb5 initiator context and get the first token. */
token.value = NULL;
token.length = 0;
major = gss_init_sec_context(&minor, initiator_cred, &initiator_context,
target_name, (gss_OID)gss_mech_krb5,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
check_gsserr("gss_init_sec_context", major, minor);
/* Pass the token to gss_accept_sec_context. */
tmp.value = NULL;
tmp.length = 0;
major = gss_accept_sec_context(&minor, &acceptor_context,
GSS_C_NO_CREDENTIAL, &token,
GSS_C_NO_CHANNEL_BINDINGS,
&real_initiator_name, NULL, &tmp,
NULL, NULL, NULL);
check_gsserr("gss_accept_sec_context", major, minor);
namebuf.value = NULL;
namebuf.length = 0;
major = gss_display_name(&minor, real_initiator_name, &namebuf, NULL);
check_gsserr("gss_display_name(initiator)", major, minor);
printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value);
(void)gss_release_name(&minor, &target_name);
(void)gss_release_name(&minor, &initiator_name);
(void)gss_release_name(&minor, &real_initiator_name);
(void)gss_release_cred(&minor, &initiator_cred);
(void)gss_delete_sec_context(&minor, &initiator_context, NULL);
(void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
(void)gss_release_buffer(&minor, &token);
(void)gss_release_buffer(&minor, &tmp);
(void)gss_release_buffer(&minor, &namebuf);
return 0;
}
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
gss_OID_set mechs;
if (argc < 2 || argc > 5) {
fprintf(stderr, "Usage: %s [--spnego] [user] "
"[proxy-target] [keytab]\n", argv[0]);
fprintf(stderr, " proxy-target and keytab are optional\n");
exit(1);
}
if (strcmp(argv[1], "--spnego") == 0) {
use_spnego++;
argc--;
argv++;
}
user = import_name(argv[1]);
if (argc > 2 && strcmp(argv[2], "-"))
target = import_name(argv[2]);
if (argc > 3) {
major = krb5_gss_register_acceptor_identity(argv[3]);
check_gsserr("krb5_gss_register_acceptor_identity", major, 0);
}
/* Get default cred. */
mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs,
GSS_C_BOTH, &impersonator_cred_handle, NULL,
NULL);
check_gsserr("gss_acquire_cred", major, minor);
printf("Protocol transition tests follow\n");
printf("-----------------------------------\n\n");
test_greet_authz_data(&user);
/* Get S4U2Self cred. */
major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle,
user, GSS_C_INDEFINITE, mechs,
GSS_C_INITIATE,
&user_cred_handle, NULL, NULL);
check_gsserr("gss_acquire_cred_impersonate_name", major, minor);
init_accept_sec_context(user_cred_handle, impersonator_cred_handle,
&delegated_cred_handle);
printf("\n");
if (target != GSS_C_NO_NAME &&
delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
constrained_delegate(mechs, target, delegated_cred_handle,
impersonator_cred_handle);
} else if (target != GSS_C_NO_NAME) {
fprintf(stderr, "Warning: no delegated cred handle returned\n\n");
fprintf(stderr, "Verify:\n\n");
fprintf(stderr, " - The TGT for the impersonating service is "
"forwardable\n");
fprintf(stderr, " - The T2A4D flag set on the impersonating service's "
"UAC\n");
fprintf(stderr, " - The user is not marked sensitive and cannot be "
"delegated\n");
fprintf(stderr, "\n");
}
(void)gss_release_name(&minor, &user);
(void)gss_release_name(&minor, &target);
(void)gss_release_cred(&minor, &delegated_cred_handle);
(void)gss_release_cred(&minor, &impersonator_cred_handle);
(void)gss_release_cred(&minor, &user_cred_handle);
return 0;
}
static int
gss_auth(void *app_data, char *host)
{
OM_uint32 maj_stat, min_stat;
gss_name_t target_name;
gss_buffer_desc input, output_token;
int context_established = 0;
char *p;
int n;
gss_channel_bindings_t bindings;
struct gssapi_data *d = app_data;
OM_uint32 mech_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
const char *knames[] = { "ftp", "host", NULL }, **kname = knames;
if(import_name(*kname++, host, &target_name))
return AUTH_ERROR;
input.length = 0;
input.value = NULL;
if (ftp_do_gss_bindings) {
bindings = malloc(sizeof(*bindings));
if (bindings == NULL)
errx(1, "out of memory");
sockaddr_to_gss_address (myctladdr,
&bindings->initiator_addrtype,
&bindings->initiator_address);
sockaddr_to_gss_address (hisctladdr,
&bindings->acceptor_addrtype,
&bindings->acceptor_address);
bindings->application_data.length = 0;
bindings->application_data.value = NULL;
} else
bindings = GSS_C_NO_CHANNEL_BINDINGS;
if (ftp_do_gss_delegate)
mech_flags |= GSS_C_DELEG_FLAG;
while(!context_established) {
maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&d->context_hdl,
target_name,
GSS_C_NO_OID,
mech_flags,
0,
bindings,
&input,
NULL,
&output_token,
NULL,
NULL);
if (GSS_ERROR(maj_stat)) {
OM_uint32 new_stat;
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
d->context_hdl = GSS_C_NO_CONTEXT;
gss_release_name(&min_stat, &target_name);
if(*kname != NULL) {
if(import_name(*kname++, host, &target_name)) {
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
return AUTH_ERROR;
}
continue;
}
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
gss_display_status(&new_stat,
min_stat,
GSS_C_MECH_CODE,
GSS_C_NO_OID,
&msg_ctx,
&status_string);
printf("Error initializing security context: %.*s\n",
(int)status_string.length,
(char*)status_string.value);
gss_release_buffer(&new_stat, &status_string);
return AUTH_CONTINUE;
}
if (input.value) {
free(input.value);
input.value = NULL;
input.length = 0;
}
if (output_token.length != 0) {
base64_encode(output_token.value, output_token.length, &p);
gss_release_buffer(&min_stat, &output_token);
n = command("ADAT %s", p);
free(p);
}
if (GSS_ERROR(maj_stat)) {
if (d->context_hdl != GSS_C_NO_CONTEXT)
gss_delete_sec_context (&min_stat,
&d->context_hdl,
GSS_C_NO_BUFFER);
break;
}
if (maj_stat & GSS_S_CONTINUE_NEEDED) {
p = strstr(reply_string, "ADAT=");
if(p == NULL){
printf("Error: expected ADAT in reply. got: %s\n",
reply_string);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
return AUTH_ERROR;
} else {
p+=5;
input.value = malloc(strlen(p));
input.length = base64_decode(p, input.value);
}
} else {
if(code != 235) {
printf("Unrecognized response code: %d\n", code);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
return AUTH_ERROR;
}
context_established = 1;
}
}
gss_release_name(&min_stat, &target_name);
if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
free(bindings);
if (input.value)
free(input.value);
{
gss_name_t targ_name;
maj_stat = gss_inquire_context(&min_stat,
d->context_hdl,
NULL,
&targ_name,
NULL,
NULL,
NULL,
NULL,
NULL);
if (GSS_ERROR(maj_stat) == 0) {
gss_buffer_desc name;
maj_stat = gss_display_name (&min_stat,
targ_name,
&name,
NULL);
if (GSS_ERROR(maj_stat) == 0) {
printf("Authenticated to <%.*s>\n",
(int)name.length,
(char *)name.value);
gss_release_buffer(&min_stat, &name);
}
gss_release_name(&min_stat, &targ_name);
} else
printf("Failed to get gss name of peer.\n");
}
return AUTH_OK;
}
int
gssAuth(int sock, tunnel_ctx_t* tunnel_ctx, const char *hostname, const char *service)
{
struct sockaddr_in6 remote, local;
socklen_t addrlen;
gss_buffer_desc real_input_token, real_output_token;
gss_buffer_t input_token = &real_input_token, output_token = &real_output_token;
OM_uint32 maj_stat, min_stat;
gss_name_t server = GSS_C_NO_NAME;
gss_channel_bindings_t input_chan_bindings;
if (import_name(service, hostname, &server) < 0) {
return -1;
}
addrlen = sizeof(local);
if (getsockname(sock, (struct sockaddr *) & local, &addrlen) < 0
|| addrlen > sizeof(local)) {
#ifdef SHOW_ERROR
perror("sockname");
#endif
return -1;
}
addrlen = sizeof(remote);
if (getpeername(sock, (struct sockaddr *) & remote, &addrlen) < 0
|| addrlen > sizeof(remote)) {
#ifdef SHOW_ERROR
perror("getpeer");
#endif
return -1;
}
input_token->length = 0;
input_token->value = NULL;
output_token->length = 0;
output_token->value = NULL;
#ifdef GSIGSS
input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
#else
input_chan_bindings = malloc(sizeof(struct gss_channel_bindings_struct));
sockaddr_to_gss_address((struct sockaddr *) & local,
&input_chan_bindings->initiator_addrtype,
&input_chan_bindings->initiator_address);
sockaddr_to_gss_address((struct sockaddr *) & remote,
&input_chan_bindings->acceptor_addrtype,
&input_chan_bindings->acceptor_address);
input_chan_bindings->application_data.length = 0;
input_chan_bindings->application_data.value = NULL;
#endif
while (!tunnel_ctx->isAuthentificated) {
maj_stat =
gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&tunnel_ctx->context_hdl,
server,
GSS_C_NO_OID,
GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
0,
input_chan_bindings,
input_token,
NULL,
output_token,
NULL,
NULL);
if (tunnel_ctx->context_hdl == NULL) {
gss_print_errors(min_stat);
/* send a waste to the server */
eWrite(sock, "123", 3);
return -1;
}
if ((maj_stat != GSS_S_CONTINUE_NEEDED) && (maj_stat != GSS_S_COMPLETE)) {
gss_print_errors(min_stat);
/* send a waste to the server */
eWrite(sock, "123", 3);
return -1;
}
if (output_token->length > 0) {
eWrite(sock, output_token->value, output_token->length);
gss_release_buffer(&min_stat, output_token);
}
if (maj_stat & GSS_S_CONTINUE_NEEDED) {
if( input_token->value == NULL ) {
input_token->value = malloc(MAXBUF);
}
if( input_token->value == NULL ) {
return -1;
}
input_token->length = eRead(sock, input_token->value, MAXBUF);
if( (input_token->length < 0 ) || (input_token->length > MAXBUF) ) {
/* incorrect length */
free(input_token->value);
input_token->value = NULL;
return -1;
}
} else {
tunnel_ctx->isAuthentificated = 1;
}
}
return 1;
}
