int main (int argc, char *argv[]) { gss_uint32 maj_stat, min_stat, ret_flags, time_rec; gss_buffer_desc bufdesc, bufdesc2; gss_name_t servername = GSS_C_NO_NAME, name; gss_ctx_id_t cctx = GSS_C_NO_CONTEXT; gss_ctx_id_t sctx = GSS_C_NO_CONTEXT; gss_cred_id_t server_creds; Shishi *handle; size_t i; struct gss_channel_bindings_struct cb; memset (&cb, 0, sizeof (cb)); cb.application_data.length = 3; cb.application_data.value = (char *) "hej"; do if (strcmp (argv[argc - 1], "-v") == 0 || strcmp (argv[argc - 1], "--verbose") == 0) debug = 1; else if (strcmp (argv[argc - 1], "-b") == 0 || strcmp (argv[argc - 1], "--break-on-error") == 0) break_on_error = 1; else if (strcmp (argv[argc - 1], "-h") == 0 || strcmp (argv[argc - 1], "-?") == 0 || strcmp (argv[argc - 1], "--help") == 0) { printf ("Usage: %s [-vbh?] [--verbose] [--break-on-error] [--help]\n", argv[0]); return 1; } while (argc-- > 1); handle = shishi (); /* Name of service. */ bufdesc.value = (char *) "*****@*****.**"; bufdesc.length = strlen (bufdesc.value); maj_stat = gss_import_name (&min_stat, &bufdesc, GSS_C_NT_HOSTBASED_SERVICE, &servername); if (GSS_ERROR (maj_stat)) fail ("gss_import_name (host/server)\n"); /* Get credential, for server. */ maj_stat = gss_acquire_cred (&min_stat, servername, 0, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL); if (GSS_ERROR (maj_stat)) { fail ("gss_acquire_cred"); display_status ("acquire credentials", maj_stat, min_stat); } for (i = 0; i < 3; i++) { /* Start client. */ switch (i) { case 0: maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &cctx, servername, GSS_KRB5, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &bufdesc2, NULL, NULL); if (maj_stat != GSS_S_CONTINUE_NEEDED) fail ("loop 0 init failure\n"); break; case 1: /* Default OID, channel bindings. */ maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &cctx, servername, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, 0, &cb, GSS_C_NO_BUFFER, NULL, &bufdesc2, NULL, NULL); if (maj_stat != GSS_S_CONTINUE_NEEDED) fail ("loop 0 init failure\n"); break; case 2: /* No mutual authentication. */ maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &cctx, servername, GSS_KRB5, GSS_C_REPLAY_FLAG | GSS_C_CONF_FLAG | GSS_C_SEQUENCE_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &bufdesc2, &ret_flags, NULL); if (ret_flags != (GSS_C_REPLAY_FLAG | GSS_C_CONF_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_PROT_READY_FLAG)) fail ("loop 2 ret_flags failure (%d)\n", ret_flags); if (maj_stat != GSS_S_COMPLETE) fail ("loop 1 init failure\n"); break; default: fail ("default?!\n"); break; } if (GSS_ERROR (maj_stat)) { fail ("gss_accept_sec_context failure\n"); display_status ("accept_sec_context", maj_stat, min_stat); } if (debug) { char *p = bufdesc2.value; Shishi_asn1 apreq = shishi_der2asn1_apreq (handle, p + 17, bufdesc2.length - 17); printf ("\nClient AP-REQ:\n\n"); shishi_apreq_print (handle, stdout, apreq); } /* Start server. */ switch (i) { case 0: maj_stat = gss_accept_sec_context (&min_stat, &sctx, server_creds, &bufdesc2, GSS_C_NO_CHANNEL_BINDINGS, &name, NULL, &bufdesc, &ret_flags, &time_rec, NULL); if (ret_flags != (GSS_C_MUTUAL_FLAG | /* XXX GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | */ GSS_C_PROT_READY_FLAG)) fail ("loop 0 accept flag failure (%d)\n", ret_flags); break; case 1: maj_stat = gss_accept_sec_context (&min_stat, &sctx, server_creds, &bufdesc2, &cb, &name, NULL, &bufdesc, &ret_flags, &time_rec, NULL); break; case 2: maj_stat = gss_accept_sec_context (&min_stat, &sctx, server_creds, &bufdesc2, GSS_C_NO_CHANNEL_BINDINGS, &name, NULL, &bufdesc, &ret_flags, &time_rec, NULL); break; default: fail ("default?!\n"); break; } if (GSS_ERROR (maj_stat)) { fail ("gss_accept_sec_context failure\n"); display_status ("accept_sec_context", maj_stat, min_stat); } if (debug) { char *p = bufdesc2.value; Shishi_asn1 aprep = shishi_der2asn1_aprep (handle, p + 15, bufdesc.length - 15); printf ("\nServer AP-REP:\n\n"); shishi_aprep_print (handle, stdout, aprep); } switch (i) { case 0: maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &cctx, servername, GSS_KRB5, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS, &bufdesc, NULL, &bufdesc2, NULL, NULL); break; case 1: /* Check ret_flags. */ maj_stat = gss_init_sec_context (&min_stat, GSS_C_NO_CREDENTIAL, &cctx, servername, GSS_KRB5, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, 0, GSS_C_NO_CHANNEL_BINDINGS, &bufdesc, NULL, &bufdesc2, &ret_flags, &time_rec); if (ret_flags != (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_PROT_READY_FLAG)) fail ("loop 1 ret_flags failure (%d)\n", ret_flags); break; /* No case 2. */ default: break; } if (GSS_ERROR (maj_stat)) { fail ("gss_init_sec_context failure (2)\n"); display_status ("init_sec_context", maj_stat, min_stat); } { gss_buffer_desc pt, pt2, ct; int conf_state; gss_qop_t qop_state; pt.value = (char *) "foo"; pt.length = strlen (pt.value) + 1; maj_stat = gss_wrap (&min_stat, cctx, 0, 0, &pt, &conf_state, &ct); if (GSS_ERROR (maj_stat)) { fail ("client gss_wrap failure\n"); display_status ("client wrap", maj_stat, min_stat); } maj_stat = gss_unwrap (&min_stat, sctx, &ct, &pt2, &conf_state, &qop_state); if (GSS_ERROR (maj_stat)) { fail ("server gss_unwrap failure\n"); display_status ("client wrap", maj_stat, min_stat); } if (pt.length != pt2.length || memcmp (pt2.value, pt.value, pt.length) != 0) fail ("wrap+unwrap failed (%d, %d, %.*s)\n", (int) pt.length, (int) pt2.length, (int) pt2.length, (char *) pt2.value); gss_release_buffer (&min_stat, &ct); gss_release_buffer (&min_stat, &pt2); } maj_stat = gss_delete_sec_context (&min_stat, &cctx, GSS_C_NO_BUFFER); if (GSS_ERROR (maj_stat)) { fail ("client gss_delete_sec_context failure\n"); display_status ("client delete_sec_context", maj_stat, min_stat); } maj_stat = gss_delete_sec_context (&min_stat, &sctx, GSS_C_NO_BUFFER); if (GSS_ERROR (maj_stat)) { fail ("server gss_delete_sec_context failure\n"); display_status ("server delete_sec_context", maj_stat, min_stat); } success ("loop %d ok\n", (int) i); } /* Clean up. */ maj_stat = gss_release_cred (&min_stat, &server_creds); if (GSS_ERROR (maj_stat)) { fail ("gss_release_cred"); display_status ("release credentials", maj_stat, min_stat); } maj_stat = gss_release_name (&min_stat, &servername); if (GSS_ERROR (maj_stat)) { fail ("gss_release_name failure\n"); display_status ("gss_release_name", maj_stat, min_stat); } shishi_done (handle); /* We're done. */ if (debug) printf ("Kerberos 5 security context self tests done with %d errors\n", error_count); return error_count ? 1 : 0; }
static Shishi_ap * auth (Shishi * h, int verbose, const char *cname, const char *sname) { Shishi_key *key; Shishi_ap *ap; Shishi_asn1 apreq; char *buf; size_t buflen; int rc; printf ("Client: %s\n", cname); printf ("Server: %s\n", sname); /* Get key for the server. */ key = shishi_hostkeys_for_server (h, sname); if (!key) { printf ("could not find key: %s\n", shishi_error (h)); return NULL; } if (verbose) shishi_key_print (h, stderr, key); /* Read Authentication request from client */ printf ("Waiting for client to authenticate itself...\n"); rc = shishi_apreq_parse (h, stdin, &apreq); if (rc != SHISHI_OK) { printf ("could not read AP-REQ: %s\n", shishi_strerror (rc)); return NULL; } /* Create Authentication context */ rc = shishi_ap (h, &ap); if (rc != SHISHI_OK) { printf ("Could not create AP: %s\n", shishi_strerror (rc)); return NULL; } /* Store request in context */ shishi_ap_req_set (ap, apreq); /* Process authentication request */ rc = shishi_ap_req_process (ap, key); if (rc != SHISHI_OK) { printf ("Could not process AP-REQ: %s\n", shishi_strerror (rc)); return NULL; } if (verbose) shishi_authenticator_print (h, stderr, shishi_ap_authenticator (ap)); rc = shishi_authenticator_client (h, shishi_ap_authenticator (ap), &buf, &buflen); printf ("Client name (from authenticator): %.*s\n", (int) buflen, buf); free (buf); rc = shishi_encticketpart_clientrealm (h, shishi_tkt_encticketpart (shishi_ap_tkt (ap)), &buf, &buflen); printf ("Client name (from encticketpart): %.*s\n", (int) buflen, buf); free (buf); rc = shishi_ticket_server (h, shishi_tkt_ticket (shishi_ap_tkt (ap)), &buf, &buflen); printf ("Server name (from ticket): %.*s\n", (int) buflen, buf); free (buf); /* User is authenticated. */ printf ("User authenticated.\n"); /* Authenticate ourself to client, if request */ if (shishi_apreq_mutual_required_p (h, apreq)) { Shishi_asn1 aprep; printf ("Mutual authentication required.\n"); rc = shishi_ap_rep_asn1 (ap, &aprep); if (rc != SHISHI_OK) { printf ("Error creating AP-REP: %s\n", shishi_strerror (rc)); return NULL; } if (verbose) shishi_encapreppart_print (h, stderr, shishi_ap_encapreppart (ap)); shishi_aprep_print (h, stdout, aprep); /* We are authenticated to client */ } return ap; }