1 /* 2 * Copyright (c) 2006 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of KTH nor the names of its contributors may be 18 * used to endorse or promote products derived from this software without 19 * specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY 22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE 25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include "common.h" 35 RCSID("$Id: gssmask.c 21229 2007-06-20 10:19:19Z lha $"); 36 37 /* 38 * 39 */ 40 41 enum handle_type { handle_context, handle_cred }; 42 43 struct handle { 44 int32_t idx; 45 enum handle_type type; 46 void *ptr; 47 struct handle *next; 48 }; 49 50 struct client { 51 krb5_storage *sock; 52 krb5_storage *logging; 53 char *moniker; 54 int32_t nHandle; 55 struct handle *handles; 56 struct sockaddr_storage sa; 57 socklen_t salen; 58 char servername[MAXHOSTNAMELEN]; 59 }; 60 61 FILE *logfile; 62 static char *targetname; 63 krb5_context context; 64 65 /* 66 * 67 */ 68 69 static void 70 logmessage(struct client *c, const char *file, unsigned int lineno, 71 int level, const char *fmt, ...) 72 { 73 char *message; 74 va_list ap; 75 int32_t ackid; 76 77 va_start(ap, fmt); 78 vasprintf(&message, fmt, ap); 79 va_end(ap); 80 81 if (logfile) 82 fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message); 83 84 if (c->logging) { 85 if (krb5_store_int32(c->logging, eLogInfo) != 0) 86 errx(1, "krb5_store_int32: log level"); 87 if (krb5_store_string(c->logging, file) != 0) 88 errx(1, "krb5_store_string: filename"); 89 if (krb5_store_int32(c->logging, lineno) != 0) 90 errx(1, "krb5_store_string: filename"); 91 if (krb5_store_string(c->logging, message) != 0) 92 errx(1, "krb5_store_string: message"); 93 if (krb5_ret_int32(c->logging, &ackid) != 0) 94 errx(1, "krb5_ret_int32: ackid"); 95 } 96 free(message); 97 } 98 99 /* 100 * 101 */ 102 103 static int32_t 104 add_handle(struct client *c, enum handle_type type, void *data) 105 { 106 struct handle *h; 107 108 h = ecalloc(1, sizeof(*h)); 109 110 h->idx = ++c->nHandle; 111 h->type = type; 112 h->ptr = data; 113 h->next = c->handles; 114 c->handles = h; 115 116 return h->idx; 117 } 118 119 static void 120 del_handle(struct handle **h, int32_t idx) 121 { 122 OM_uint32 min_stat; 123 124 if (idx == 0) 125 return; 126 127 while (*h) { 128 if ((*h)->idx == idx) { 129 struct handle *p = *h; 130 *h = (*h)->next; 131 switch(p->type) { 132 case handle_context: { 133 gss_ctx_id_t c = p->ptr; 134 gss_delete_sec_context(&min_stat, &c, NULL); 135 break; } 136 case handle_cred: { 137 gss_cred_id_t c = p->ptr; 138 gss_release_cred(&min_stat, &c); 139 break; } 140 } 141 free(p); 142 return; 143 } 144 h = &((*h)->next); 145 } 146 errx(1, "tried to delete an unexisting handle"); 147 } 148 149 static void * 150 find_handle(struct handle *h, int32_t idx, enum handle_type type) 151 { 152 if (idx == 0) 153 return NULL; 154 155 while (h) { 156 if (h->idx == idx) { 157 if (type == h->type) 158 return h->ptr; 159 errx(1, "monger switched type on handle!"); 160 } 161 h = h->next; 162 } 163 return NULL; 164 } 165 166 167 static int32_t 168 convert_gss_to_gsm(OM_uint32 maj_stat) 169 { 170 switch(maj_stat) { 171 case 0: 172 return GSMERR_OK; 173 case GSS_S_CONTINUE_NEEDED: 174 return GSMERR_CONTINUE_NEEDED; 175 case GSS_S_DEFECTIVE_TOKEN: 176 return GSMERR_INVALID_TOKEN; 177 case GSS_S_BAD_MIC: 178 return GSMERR_AP_MODIFIED; 179 default: 180 return GSMERR_ERROR; 181 } 182 } 183 184 static int32_t 185 convert_krb5_to_gsm(krb5_error_code ret) 186 { 187 switch(ret) { 188 case 0: 189 return GSMERR_OK; 190 default: 191 return GSMERR_ERROR; 192 } 193 } 194 195 /* 196 * 197 */ 198 199 static int32_t 200 acquire_cred(struct client *c, 201 krb5_principal principal, 202 krb5_get_init_creds_opt *opt, 203 int32_t *handle) 204 { 205 krb5_error_code ret; 206 krb5_creds cred; 207 krb5_ccache id; 208 gss_cred_id_t gcred; 209 OM_uint32 maj_stat, min_stat; 210 211 *handle = 0; 212 213 krb5_get_init_creds_opt_set_forwardable (opt, 1); 214 krb5_get_init_creds_opt_set_renew_life (opt, 3600 * 24 * 30); 215 216 memset(&cred, 0, sizeof(cred)); 217 218 ret = krb5_get_init_creds_password (context, 219 &cred, 220 principal, 221 NULL, 222 NULL, 223 NULL, 224 0, 225 NULL, 226 opt); 227 if (ret) { 228 logmessage(c, __FILE__, __LINE__, 0, 229 "krb5_get_init_creds failed: %d", ret); 230 return convert_krb5_to_gsm(ret); 231 } 232 233 ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id); 234 if (ret) 235 krb5_err (context, 1, ret, "krb5_cc_initialize"); 236 237 ret = krb5_cc_initialize (context, id, cred.client); 238 if (ret) 239 krb5_err (context, 1, ret, "krb5_cc_initialize"); 240 241 ret = krb5_cc_store_cred (context, id, &cred); 242 if (ret) 243 krb5_err (context, 1, ret, "krb5_cc_store_cred"); 244 245 krb5_free_cred_contents (context, &cred); 246 247 maj_stat = gss_krb5_import_cred(&min_stat, 248 id, 249 NULL, 250 NULL, 251 &gcred); 252 krb5_cc_close(context, id); 253 if (maj_stat) { 254 logmessage(c, __FILE__, __LINE__, 0, 255 "krb5 import creds failed with: %d", maj_stat); 256 return convert_gss_to_gsm(maj_stat); 257 } 258 259 *handle = add_handle(c, handle_cred, gcred); 260 261 return 0; 262 } 263 264 265 /* 266 * 267 */ 268 269 #define HandleOP(h) \ 270 handle##h(enum gssMaggotOp op, struct client *c) 271 272 /* 273 * 274 */ 275 276 static int 277 HandleOP(GetVersionInfo) 278 { 279 put32(c, GSSMAGGOTPROTOCOL); 280 errx(1, "GetVersionInfo"); 281 } 282 283 static int 284 HandleOP(GoodBye) 285 { 286 struct handle *h = c->handles; 287 int i = 0; 288 289 while (h) { 290 h = h->next; 291 i++; 292 } 293 294 if (i != 0) 295 logmessage(c, __FILE__, __LINE__, 0, 296 "Did not toast all resources: %d", i); 297 return 1; 298 } 299 300 static int 301 HandleOP(InitContext) 302 { 303 OM_uint32 maj_stat, min_stat, ret_flags; 304 int32_t hContext, hCred, flags; 305 krb5_data target_name, in_token; 306 int32_t new_context_id = 0, gsm_error = 0; 307 krb5_data out_token = { 0 , NULL }; 308 309 gss_ctx_id_t ctx; 310 gss_cred_id_t creds; 311 gss_name_t gss_target_name; 312 gss_buffer_desc input_token, output_token; 313 gss_OID oid = GSS_C_NO_OID; 314 gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER; 315 316 ret32(c, hContext); 317 ret32(c, hCred); 318 ret32(c, flags); 319 retdata(c, target_name); 320 retdata(c, in_token); 321 322 logmessage(c, __FILE__, __LINE__, 0, 323 "targetname: <%.*s>", (int)target_name.length, 324 (char *)target_name.data); 325 326 ctx = find_handle(c->handles, hContext, handle_context); 327 if (ctx == NULL) 328 hContext = 0; 329 creds = find_handle(c->handles, hCred, handle_cred); 330 if (creds == NULL) 331 abort(); 332 333 input_token.length = target_name.length; 334 input_token.value = target_name.data; 335 336 maj_stat = gss_import_name(&min_stat, 337 &input_token, 338 GSS_KRB5_NT_PRINCIPAL_NAME, 339 &gss_target_name); 340 if (GSS_ERROR(maj_stat)) { 341 logmessage(c, __FILE__, __LINE__, 0, 342 "import name creds failed with: %d", maj_stat); 343 gsm_error = convert_gss_to_gsm(maj_stat); 344 goto out; 345 } 346 347 /* oid from flags */ 348 349 if (in_token.length) { 350 input_token.length = in_token.length; 351 input_token.value = in_token.data; 352 input_token_ptr = &input_token; 353 if (ctx == NULL) 354 krb5_errx(context, 1, "initcreds, context NULL, but not first req"); 355 } else { 356 input_token.length = 0; 357 input_token.value = NULL; 358 if (ctx) 359 krb5_errx(context, 1, "initcreds, context not NULL, but first req"); 360 } 361 362 if ((flags & GSS_C_DELEG_FLAG) != 0) 363 logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating"); 364 if ((flags & GSS_C_DCE_STYLE) != 0) 365 logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style"); 366 367 maj_stat = gss_init_sec_context(&min_stat, 368 creds, 369 &ctx, 370 gss_target_name, 371 oid, 372 flags & 0x7f, 373 0, 374 NULL, 375 input_token_ptr, 376 NULL, 377 &output_token, 378 &ret_flags, 379 NULL); 380 if (GSS_ERROR(maj_stat)) { 381 if (hContext != 0) 382 del_handle(&c->handles, hContext); 383 new_context_id = 0; 384 logmessage(c, __FILE__, __LINE__, 0, 385 "gss_init_sec_context returns code: %d/%d", 386 maj_stat, min_stat); 387 } else { 388 if (input_token.length == 0) 389 new_context_id = add_handle(c, handle_context, ctx); 390 else 391 new_context_id = hContext; 392 } 393 394 gsm_error = convert_gss_to_gsm(maj_stat); 395 396 if (output_token.length) { 397 out_token.data = output_token.value; 398 out_token.length = output_token.length; 399 } 400 401 out: 402 logmessage(c, __FILE__, __LINE__, 0, 403 "InitContext return code: %d", gsm_error); 404 405 put32(c, new_context_id); 406 put32(c, gsm_error); 407 putdata(c, out_token); 408 409 gss_release_name(&min_stat, &gss_target_name); 410 if (output_token.length) 411 gss_release_buffer(&min_stat, &output_token); 412 krb5_data_free(&in_token); 413 krb5_data_free(&target_name); 414 415 return 0; 416 } 417 418 static int 419 HandleOP(AcceptContext) 420 { 421 OM_uint32 maj_stat, min_stat, ret_flags; 422 int32_t hContext, deleg_hcred, flags; 423 krb5_data in_token; 424 int32_t new_context_id = 0, gsm_error = 0; 425 krb5_data out_token = { 0 , NULL }; 426 427 gss_ctx_id_t ctx; 428 gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; 429 gss_buffer_desc input_token, output_token; 430 gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER; 431 432 ret32(c, hContext); 433 ret32(c, flags); 434 retdata(c, in_token); 435 436 ctx = find_handle(c->handles, hContext, handle_context); 437 if (ctx == NULL) 438 hContext = 0; 439 440 if (in_token.length) { 441 input_token.length = in_token.length; 442 input_token.value = in_token.data; 443 input_token_ptr = &input_token; 444 } else { 445 input_token.length = 0; 446 input_token.value = NULL; 447 } 448 449 maj_stat = gss_accept_sec_context(&min_stat, 450 &ctx, 451 GSS_C_NO_CREDENTIAL, 452 &input_token, 453 GSS_C_NO_CHANNEL_BINDINGS, 454 NULL, 455 NULL, 456 &output_token, 457 &ret_flags, 458 NULL, 459 &deleg_cred); 460 if (GSS_ERROR(maj_stat)) { 461 if (hContext != 0) 462 del_handle(&c->handles, hContext); 463 logmessage(c, __FILE__, __LINE__, 0, 464 "gss_accept_sec_context returns code: %d/%d", 465 maj_stat, min_stat); 466 new_context_id = 0; 467 } else { 468 if (hContext == 0) 469 new_context_id = add_handle(c, handle_context, ctx); 470 else 471 new_context_id = hContext; 472 } 473 if (output_token.length) { 474 out_token.data = output_token.value; 475 out_token.length = output_token.length; 476 } 477 if ((ret_flags & GSS_C_DCE_STYLE) != 0) 478 logmessage(c, __FILE__, __LINE__, 0, "accept_sec_context dce-style"); 479 if ((ret_flags & GSS_C_DELEG_FLAG) != 0) { 480 deleg_hcred = add_handle(c, handle_cred, deleg_cred); 481 logmessage(c, __FILE__, __LINE__, 0, 482 "accept_context delegated handle: %d", deleg_hcred); 483 } else { 484 gss_release_cred(&min_stat, &deleg_cred); 485 deleg_hcred = 0; 486 } 487 488 489 gsm_error = convert_gss_to_gsm(maj_stat); 490 491 put32(c, new_context_id); 492 put32(c, gsm_error); 493 putdata(c, out_token); 494 put32(c, deleg_hcred); 495 496 if (output_token.length) 497 gss_release_buffer(&min_stat, &output_token); 498 krb5_data_free(&in_token); 499 500 return 0; 501 } 502 503 static int 504 HandleOP(ToastResource) 505 { 506 int32_t handle; 507 508 ret32(c, handle); 509 logmessage(c, __FILE__, __LINE__, 0, "toasting %d", handle); 510 del_handle(&c->handles, handle); 511 put32(c, GSMERR_OK); 512 513 return 0; 514 } 515 516 static int 517 HandleOP(AcquireCreds) 518 { 519 char *name, *password; 520 int32_t gsm_error, flags, handle = 0; 521 krb5_principal principal = NULL; 522 krb5_get_init_creds_opt *opt = NULL; 523 krb5_error_code ret; 524 525 retstring(c, name); 526 retstring(c, password); 527 ret32(c, flags); 528 529 logmessage(c, __FILE__, __LINE__, 0, 530 "username: %s password: %s", name, password); 531 532 ret = krb5_parse_name(context, name, &principal); 533 if (ret) { 534 gsm_error = convert_krb5_to_gsm(ret); 535 goto out; 536 } 537 538 ret = krb5_get_init_creds_opt_alloc (context, &opt); 539 if (ret) 540 krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); 541 542 krb5_get_init_creds_opt_set_pa_password(context, opt, password, NULL); 543 544 gsm_error = acquire_cred(c, principal, opt, &handle); 545 546 out: 547 logmessage(c, __FILE__, __LINE__, 0, 548 "AcquireCreds handle: %d return code: %d", handle, gsm_error); 549 550 if (opt) 551 krb5_get_init_creds_opt_free (context, opt); 552 if (principal) 553 krb5_free_principal(context, principal); 554 free(name); 555 free(password); 556 557 put32(c, gsm_error); 558 put32(c, handle); 559 560 return 0; 561 } 562 563 static int 564 HandleOP(Sign) 565 { 566 OM_uint32 maj_stat, min_stat; 567 int32_t hContext, flags, seqno; 568 krb5_data token; 569 gss_ctx_id_t ctx; 570 gss_buffer_desc input_token, output_token; 571 572 ret32(c, hContext); 573 ret32(c, flags); 574 ret32(c, seqno); 575 retdata(c, token); 576 577 ctx = find_handle(c->handles, hContext, handle_context); 578 if (ctx == NULL) 579 errx(1, "sign: reference to unknown context"); 580 581 input_token.length = token.length; 582 input_token.value = token.data; 583 584 maj_stat = gss_get_mic(&min_stat, ctx, 0, &input_token, 585 &output_token); 586 if (maj_stat != GSS_S_COMPLETE) 587 errx(1, "gss_get_mic failed"); 588 589 krb5_data_free(&token); 590 591 token.data = output_token.value; 592 token.length = output_token.length; 593 594 put32(c, 0); /* XXX fix gsm_error */ 595 putdata(c, token); 596 597 gss_release_buffer(&min_stat, &output_token); 598 599 return 0; 600 } 601 602 static int 603 HandleOP(Verify) 604 { 605 OM_uint32 maj_stat, min_stat; 606 int32_t hContext, flags, seqno; 607 krb5_data msg, mic; 608 gss_ctx_id_t ctx; 609 gss_buffer_desc msg_token, mic_token; 610 gss_qop_t qop; 611 612 ret32(c, hContext); 613 614 ctx = find_handle(c->handles, hContext, handle_context); 615 if (ctx == NULL) 616 errx(1, "verify: reference to unknown context"); 617 618 ret32(c, flags); 619 ret32(c, seqno); 620 retdata(c, msg); 621 622 msg_token.length = msg.length; 623 msg_token.value = msg.data; 624 625 retdata(c, mic); 626 627 mic_token.length = mic.length; 628 mic_token.value = mic.data; 629 630 maj_stat = gss_verify_mic(&min_stat, ctx, &msg_token, 631 &mic_token, &qop); 632 if (maj_stat != GSS_S_COMPLETE) 633 errx(1, "gss_verify_mic failed"); 634 635 krb5_data_free(&mic); 636 krb5_data_free(&msg); 637 638 put32(c, 0); /* XXX fix gsm_error */ 639 640 return 0; 641 } 642 643 static int 644 HandleOP(GetVersionAndCapabilities) 645 { 646 int32_t cap = HAS_MONIKER; 647 char name[256] = "unknown", *str; 648 649 if (targetname) 650 cap |= ISSERVER; /* is server */ 651 652 #ifdef HAVE_UNAME 653 { 654 struct utsname ut; 655 if (uname(&ut) == 0) { 656 snprintf(name, sizeof(name), "%s-%s-%s", 657 ut.sysname, ut.version, ut.machine); 658 } 659 } 660 #endif 661 662 asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name); 663 664 put32(c, GSSMAGGOTPROTOCOL); 665 put32(c, cap); 666 putstring(c, str); 667 free(str); 668 669 return 0; 670 } 671 672 static int 673 HandleOP(GetTargetName) 674 { 675 if (targetname) 676 putstring(c, targetname); 677 else 678 putstring(c, ""); 679 return 0; 680 } 681 682 static int 683 HandleOP(SetLoggingSocket) 684 { 685 int32_t portnum; 686 int fd, ret; 687 688 ret32(c, portnum); 689 690 logmessage(c, __FILE__, __LINE__, 0, 691 "logging port on peer is: %d", (int)portnum); 692 693 socket_set_port((struct sockaddr *)(&c->sa), htons(portnum)); 694 695 fd = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0); 696 if (fd < 0) 697 return 0; 698 699 ret = connect(fd, (struct sockaddr *)&c->sa, c->salen); 700 if (ret < 0) { 701 logmessage(c, __FILE__, __LINE__, 0, "failed connect to log port: %s", 702 strerror(errno)); 703 close(fd); 704 return 0; 705 } 706 707 if (c->logging) 708 krb5_storage_free(c->logging); 709 c->logging = krb5_storage_from_fd(fd); 710 close(fd); 711 712 krb5_store_int32(c->logging, eLogSetMoniker); 713 store_string(c->logging, c->moniker); 714 715 logmessage(c, __FILE__, __LINE__, 0, "logging turned on"); 716 717 return 0; 718 } 719 720 721 static int 722 HandleOP(ChangePassword) 723 { 724 errx(1, "ChangePassword"); 725 } 726 727 static int 728 HandleOP(SetPasswordSelf) 729 { 730 errx(1, "SetPasswordSelf"); 731 } 732 733 static int 734 HandleOP(Wrap) 735 { 736 OM_uint32 maj_stat, min_stat; 737 int32_t hContext, flags, seqno; 738 krb5_data token; 739 gss_ctx_id_t ctx; 740 gss_buffer_desc input_token, output_token; 741 int conf_state; 742 743 ret32(c, hContext); 744 ret32(c, flags); 745 ret32(c, seqno); 746 retdata(c, token); 747 748 ctx = find_handle(c->handles, hContext, handle_context); 749 if (ctx == NULL) 750 errx(1, "wrap: reference to unknown context"); 751 752 input_token.length = token.length; 753 input_token.value = token.data; 754 755 maj_stat = gss_wrap(&min_stat, ctx, flags, 0, &input_token, 756 &conf_state, &output_token); 757 if (maj_stat != GSS_S_COMPLETE) 758 errx(1, "gss_wrap failed"); 759 760 krb5_data_free(&token); 761 762 token.data = output_token.value; 763 token.length = output_token.length; 764 765 put32(c, 0); /* XXX fix gsm_error */ 766 putdata(c, token); 767 768 gss_release_buffer(&min_stat, &output_token); 769 770 return 0; 771 } 772 773 774 static int 775 HandleOP(Unwrap) 776 { 777 OM_uint32 maj_stat, min_stat; 778 int32_t hContext, flags, seqno; 779 krb5_data token; 780 gss_ctx_id_t ctx; 781 gss_buffer_desc input_token, output_token; 782 int conf_state; 783 gss_qop_t qop_state; 784 785 ret32(c, hContext); 786 ret32(c, flags); 787 ret32(c, seqno); 788 retdata(c, token); 789 790 ctx = find_handle(c->handles, hContext, handle_context); 791 if (ctx == NULL) 792 errx(1, "unwrap: reference to unknown context"); 793 794 input_token.length = token.length; 795 input_token.value = token.data; 796 797 maj_stat = gss_unwrap(&min_stat, ctx, &input_token, 798 &output_token, &conf_state, &qop_state); 799 800 if (maj_stat != GSS_S_COMPLETE) 801 errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat); 802 803 krb5_data_free(&token); 804 if (maj_stat == GSS_S_COMPLETE) { 805 token.data = output_token.value; 806 token.length = output_token.length; 807 } else { 808 token.data = NULL; 809 token.length = 0; 810 } 811 put32(c, 0); /* XXX fix gsm_error */ 812 putdata(c, token); 813 814 if (maj_stat == GSS_S_COMPLETE) 815 gss_release_buffer(&min_stat, &output_token); 816 817 return 0; 818 } 819 820 static int 821 HandleOP(Encrypt) 822 { 823 return handleWrap(op, c); 824 } 825 826 static int 827 HandleOP(Decrypt) 828 { 829 return handleUnwrap(op, c); 830 } 831 832 static int 833 HandleOP(ConnectLoggingService2) 834 { 835 errx(1, "ConnectLoggingService2"); 836 } 837 838 static int 839 HandleOP(GetMoniker) 840 { 841 putstring(c, c->moniker); 842 return 0; 843 } 844 845 static int 846 HandleOP(CallExtension) 847 { 848 errx(1, "CallExtension"); 849 } 850 851 static int 852 HandleOP(AcquirePKInitCreds) 853 { 854 int32_t flags; 855 krb5_data pfxdata; 856 857 ret32(c, flags); 858 retdata(c, pfxdata); 859 860 /* get credentials */ 861 862 krb5_data_free(&pfxdata); 863 864 put32(c, -1); /* hResource */ 865 put32(c, GSMERR_NOT_SUPPORTED); 866 return 0; 867 } 868 869 /* 870 * 871 */ 872 873 struct handler { 874 enum gssMaggotOp op; 875 const char *name; 876 int (*func)(enum gssMaggotOp, struct client *); 877 }; 878 879 #define S(a) { e##a, #a, handle##a } 880 881 struct handler handlers[] = { 882 S(GetVersionInfo), 883 S(GoodBye), 884 S(InitContext), 885 S(AcceptContext), 886 S(ToastResource), 887 S(AcquireCreds), 888 S(Encrypt), 889 S(Decrypt), 890 S(Sign), 891 S(Verify), 892 S(GetVersionAndCapabilities), 893 S(GetTargetName), 894 S(SetLoggingSocket), 895 S(ChangePassword), 896 S(SetPasswordSelf), 897 S(Wrap), 898 S(Unwrap), 899 S(ConnectLoggingService2), 900 S(GetMoniker), 901 S(CallExtension), 902 S(AcquirePKInitCreds) 903 }; 904 905 #undef S 906 907 /* 908 * 909 */ 910 911 static struct handler * 912 find_op(int32_t op) 913 { 914 int i; 915 916 for (i = 0; i < sizeof(handlers)/sizeof(handlers[0]); i++) 917 if (handlers[i].op == op) 918 return &handlers[i]; 919 return NULL; 920 } 921 922 static struct client * 923 create_client(int fd, int port, const char *moniker) 924 { 925 struct client *c; 926 927 c = ecalloc(1, sizeof(*c)); 928 929 if (moniker) { 930 c->moniker = estrdup(moniker); 931 } else { 932 char hostname[MAXHOSTNAMELEN]; 933 gethostname(hostname, sizeof(hostname)); 934 asprintf(&c->moniker, "gssmask: %s:%d", hostname, port); 935 } 936 937 { 938 c->salen = sizeof(c->sa); 939 getpeername(fd, (struct sockaddr *)&c->sa, &c->salen); 940 941 getnameinfo((struct sockaddr *)&c->sa, c->salen, 942 c->servername, sizeof(c->servername), 943 NULL, 0, NI_NUMERICHOST); 944 } 945 946 c->sock = krb5_storage_from_fd(fd); 947 if (c->sock == NULL) 948 errx(1, "krb5_storage_from_fd"); 949 950 close(fd); 951 952 return c; 953 } 954 955 static void 956 free_client(struct client *c) 957 { 958 while(c->handles) 959 del_handle(&c->handles, c->handles->idx); 960 961 free(c->moniker); 962 krb5_storage_free(c->sock); 963 if (c->logging) 964 krb5_storage_free(c->logging); 965 free(c); 966 } 967 968 969 static void * 970 handleServer(void *ptr) 971 { 972 struct handler *handler; 973 struct client *c; 974 int32_t op; 975 976 c = (struct client *)ptr; 977 978 979 while(1) { 980 ret32(c, op); 981 982 handler = find_op(op); 983 if (handler == NULL) { 984 logmessage(c, __FILE__, __LINE__, 0, 985 "op %d not supported", (int)op); 986 exit(1); 987 } 988 989 logmessage(c, __FILE__, __LINE__, 0, 990 "---> Got op %s from server %s", 991 handler->name, c->servername); 992 993 if ((handler->func)(handler->op, c)) 994 break; 995 } 996 997 return NULL; 998 } 999 1000 1001 static char *port_str; 1002 static int version_flag; 1003 static int help_flag; 1004 static char *logfile_str; 1005 static char *moniker_str; 1006 1007 static int port = 4711; 1008 1009 struct getargs args[] = { 1010 { "spn", 0, arg_string, &targetname, "This host's SPN", 1011 "service/host@REALM" }, 1012 { "port", 'p', arg_string, &port_str, "Use this port", 1013 "number-of-service" }, 1014 { "logfile", 0, arg_string, &logfile_str, "logfile", 1015 "number-of-service" }, 1016 { "moniker", 0, arg_string, &moniker_str, "nickname", 1017 "name" }, 1018 { "version", 0, arg_flag, &version_flag, "Print version", 1019 NULL }, 1020 { "help", 0, arg_flag, &help_flag, NULL, 1021 NULL } 1022 }; 1023 1024 static void 1025 usage(int ret) 1026 { 1027 arg_printusage (args, 1028 sizeof(args) / sizeof(args[0]), 1029 NULL, 1030 ""); 1031 exit (ret); 1032 } 1033 1034 int 1035 main(int argc, char **argv) 1036 { 1037 int optidx = 0; 1038 1039 setprogname (argv[0]); 1040 1041 if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) 1042 usage (1); 1043 1044 if (help_flag) 1045 usage (0); 1046 1047 if (version_flag) { 1048 print_version (NULL); 1049 return 0; 1050 } 1051 1052 if (optidx != argc) 1053 usage (1); 1054 1055 if (port_str) { 1056 char *ptr; 1057 1058 port = strtol (port_str, &ptr, 10); 1059 if (port == 0 && ptr == port_str) 1060 errx (1, "Bad port `%s'", port_str); 1061 } 1062 1063 krb5_init_context(&context); 1064 1065 { 1066 const char *lf = logfile_str; 1067 if (lf == NULL) 1068 lf = "/dev/tty"; 1069 1070 logfile = fopen(lf, "w"); 1071 if (logfile == NULL) 1072 err(1, "error opening %s", lf); 1073 } 1074 1075 mini_inetd(htons(port)); 1076 fprintf(logfile, "connected\n"); 1077 1078 { 1079 struct client *c; 1080 1081 c = create_client(0, port, moniker_str); 1082 /* close(0); */ 1083 1084 handleServer(c); 1085 1086 free_client(c); 1087 } 1088 1089 krb5_free_context(context); 1090 1091 return 0; 1092 } 1093