summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/appl/gssmask
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/appl/gssmask
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/appl/gssmask')
-rw-r--r--third_party/heimdal/appl/gssmask/Makefile.am13
-rw-r--r--third_party/heimdal/appl/gssmask/NTMakefile35
-rw-r--r--third_party/heimdal/appl/gssmask/common.c97
-rw-r--r--third_party/heimdal/appl/gssmask/common.h114
-rw-r--r--third_party/heimdal/appl/gssmask/gssmaestro.c962
-rw-r--r--third_party/heimdal/appl/gssmask/gssmask.c1268
-rw-r--r--third_party/heimdal/appl/gssmask/protocol.h317
7 files changed, 2806 insertions, 0 deletions
diff --git a/third_party/heimdal/appl/gssmask/Makefile.am b/third_party/heimdal/appl/gssmask/Makefile.am
new file mode 100644
index 0000000..55673a0
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/Makefile.am
@@ -0,0 +1,13 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_PROGRAMS = gssmask gssmaestro
+
+gssmask_SOURCES = gssmask.c common.c common.h protocol.h
+
+gssmaestro_SOURCES = gssmaestro.c common.c common.h protocol.h
+
+LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken) $(top_builddir)/lib/krb5/libkrb5.la
+
+EXTRA_DIST = NTMakefile
diff --git a/third_party/heimdal/appl/gssmask/NTMakefile b/third_party/heimdal/appl/gssmask/NTMakefile
new file mode 100644
index 0000000..4ad1dc4
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=appl\gssmask
+
+!include ../../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/appl/gssmask/common.c b/third_party/heimdal/appl/gssmask/common.c
new file mode 100644
index 0000000..8d7d8fa
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/common.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+RCSID("$Id$");
+
+krb5_error_code
+store_string(krb5_storage *sp, const char *str)
+{
+ size_t len = strlen(str) + 1;
+ krb5_error_code ret;
+
+ ret = krb5_store_int32(sp, len);
+ if (ret)
+ return ret;
+ ret = krb5_storage_write(sp, str, len);
+ if (ret != len)
+ return EINVAL;
+ return 0;
+}
+
+static void
+add_list(char ****list, size_t *listlen, char **str, size_t len)
+{
+ size_t i;
+ *list = erealloc(*list, sizeof(**list) * (*listlen + 1));
+
+ (*list)[*listlen] = ecalloc(len, sizeof(**list));
+ for (i = 0; i < len; i++)
+ (*list)[*listlen][i] = str[i];
+ (*listlen)++;
+}
+
+static void
+permute(char ****list, size_t *listlen,
+ char **str, const int start, const int len)
+{
+ int i, j;
+
+#define SWAP(s,i,j) { char *t = str[i]; str[i] = str[j]; str[j] = t; }
+
+ for (i = start; i < len - 1; i++) {
+ for (j = i+1; j < len; j++) {
+ SWAP(str,i,j);
+ permute(list, listlen, str, i+1, len);
+ SWAP(str,i,j);
+ }
+ }
+ add_list(list, listlen, str, len);
+}
+
+char ***
+permutate_all(struct getarg_strings *strings, size_t *size)
+{
+ char **list, ***all = NULL;
+ int i;
+
+ *size = 0;
+
+ list = ecalloc(strings->num_strings, sizeof(*list));
+ for (i = 0; i < strings->num_strings; i++)
+ list[i] = strings->strings[i];
+
+ permute(&all, size, list, 0, strings->num_strings);
+ free(list);
+ return all;
+}
diff --git a/third_party/heimdal/appl/gssmask/common.h b/third_party/heimdal/appl/gssmask/common.h
new file mode 100644
index 0000000..96d10ff
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/common.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <sys/param.h>
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#include <assert.h>
+#include <krb5.h>
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#include <gssapi/gssapi_spnego.h>
+#include <unistd.h>
+
+#include <roken.h>
+#include <getarg.h>
+
+#include "protocol.h"
+
+/*
+ * pthread support is disable because the pthread
+ * test have no "application pthread libflags" variable,
+ * when this is fixed pthread support can be enabled again.
+ */
+#undef ENABLE_PTHREAD_SUPPORT
+
+krb5_error_code store_string(krb5_storage *, const char *);
+
+
+#define ret16(_client, num) \
+ do { \
+ if (krb5_ret_int16((_client)->sock, &(num)) != 0) \
+ errx(1, "krb5_ret_int16 " #num); \
+ } while(0)
+
+#define ret32(_client, num) \
+ do { \
+ if (krb5_ret_int32((_client)->sock, &(num)) != 0) \
+ errx(1, "krb5_ret_int32 " #num); \
+ } while(0)
+
+#define retdata(_client, data) \
+ do { \
+ if (krb5_ret_data((_client)->sock, &(data)) != 0) \
+ errx(1, "krb5_ret_data " #data); \
+ } while(0)
+
+#define retstring(_client, data) \
+ do { \
+ if (krb5_ret_string((_client)->sock, &(data)) != 0) \
+ errx(1, "krb5_ret_data " #data); \
+ } while(0)
+
+
+#define put32(_client, num) \
+ do { \
+ if (krb5_store_int32((_client)->sock, num) != 0) \
+ errx(1, "krb5_store_int32 " #num); \
+ } while(0)
+
+#define putdata(_client, data) \
+ do { \
+ if (krb5_store_data((_client)->sock, data) != 0) \
+ errx(1, "krb5_store_data " #data); \
+ } while(0)
+
+#define putstring(_client, str) \
+ do { \
+ if (store_string((_client)->sock, str) != 0) \
+ errx(1, "krb5_store_str " #str); \
+ } while(0)
+
+char *** permutate_all(struct getarg_strings *, size_t *);
diff --git a/third_party/heimdal/appl/gssmask/gssmaestro.c b/third_party/heimdal/appl/gssmask/gssmaestro.c
new file mode 100644
index 0000000..9ccf1de
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/gssmaestro.c
@@ -0,0 +1,962 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+RCSID("$Id$");
+
+static FILE *logfile;
+
+/*
+ *
+ */
+
+struct client {
+ char *name;
+ struct sockaddr *sa;
+ socklen_t salen;
+ krb5_storage *sock;
+ int32_t capabilities;
+ char *target_name;
+ char *moniker;
+ krb5_storage *logsock;
+ int have_log;
+#ifdef ENABLE_PTHREAD_SUPPORT
+ pthread_t thr;
+#else
+ pid_t child;
+#endif
+};
+
+static struct client **clients;
+static int num_clients;
+
+static int
+init_sec_context(struct client *client,
+ int32_t *hContext, int32_t *hCred,
+ int32_t flags,
+ const char *targetname,
+ const krb5_data *itoken, krb5_data *otoken)
+{
+ int32_t val;
+ krb5_data_zero(otoken);
+ put32(client, eInitContext);
+ put32(client, *hContext);
+ put32(client, *hCred);
+ put32(client, flags);
+ putstring(client, targetname);
+ putdata(client, *itoken);
+ ret32(client, *hContext);
+ ret32(client, val);
+ retdata(client, *otoken);
+ return val;
+}
+
+static int
+accept_sec_context(struct client *client,
+ int32_t *hContext,
+ int32_t flags,
+ const krb5_data *itoken,
+ krb5_data *otoken,
+ int32_t *hDelegCred)
+{
+ int32_t val;
+ krb5_data_zero(otoken);
+ put32(client, eAcceptContext);
+ put32(client, *hContext);
+ put32(client, flags);
+ putdata(client, *itoken);
+ ret32(client, *hContext);
+ ret32(client, val);
+ retdata(client, *otoken);
+ ret32(client, *hDelegCred);
+ return val;
+}
+
+static int
+acquire_cred(struct client *client,
+ const char *username,
+ const char *password,
+ int32_t flags,
+ int32_t *hCred)
+{
+ int32_t val;
+ put32(client, eAcquireCreds);
+ putstring(client, username);
+ putstring(client, password);
+ put32(client, flags);
+ ret32(client, val);
+ ret32(client, *hCred);
+ return val;
+}
+
+static int
+toast_resource(struct client *client,
+ int32_t hCred)
+{
+ int32_t val;
+ put32(client, eToastResource);
+ put32(client, hCred);
+ ret32(client, val);
+ return val;
+}
+
+static int
+goodbye(struct client *client)
+{
+ put32(client, eGoodBye);
+ return GSMERR_OK;
+}
+
+static int
+get_targetname(struct client *client,
+ char **target)
+{
+ put32(client, eGetTargetName);
+ retstring(client, *target);
+ return GSMERR_OK;
+}
+
+static int32_t
+encrypt_token(struct client *client, int32_t hContext, int32_t flags,
+ krb5_data *in, krb5_data *out)
+{
+ int32_t val;
+ put32(client, eEncrypt);
+ put32(client, hContext);
+ put32(client, flags);
+ put32(client, 0);
+ putdata(client, *in);
+ ret32(client, val);
+ retdata(client, *out);
+ return val;
+}
+
+static int32_t
+decrypt_token(struct client *client, int32_t hContext, int flags,
+ krb5_data *in, krb5_data *out)
+{
+ int32_t val;
+ put32(client, eDecrypt);
+ put32(client, hContext);
+ put32(client, flags);
+ put32(client, 0);
+ putdata(client, *in);
+ ret32(client, val);
+ retdata(client, *out);
+ return val;
+}
+
+static int32_t
+wrap_token_ext(struct client *client, int32_t hContext, int32_t flags,
+ int32_t bflags, krb5_data *header, krb5_data *in, krb5_data *trailer,
+ krb5_data *out)
+{
+ int32_t val;
+ put32(client, eWrapExt);
+ put32(client, hContext);
+ put32(client, flags);
+ put32(client, bflags);
+ putdata(client, *header);
+ putdata(client, *in);
+ putdata(client, *trailer);
+ ret32(client, val);
+ retdata(client, *out);
+ return val;
+}
+
+static int32_t
+unwrap_token_ext(struct client *client, int32_t hContext, int32_t flags,
+ int32_t bflags, krb5_data *header, krb5_data *in, krb5_data *trailer,
+ krb5_data *out)
+{
+ int32_t val;
+ put32(client, eUnwrapExt);
+ put32(client, hContext);
+ put32(client, flags);
+ put32(client, bflags);
+ putdata(client, *header);
+ putdata(client, *in);
+ putdata(client, *trailer);
+ ret32(client, val);
+ retdata(client, *out);
+ return val;
+}
+
+static int32_t
+get_mic(struct client *client, int32_t hContext,
+ krb5_data *in, krb5_data *mic)
+{
+ int32_t val;
+ put32(client, eSign);
+ put32(client, hContext);
+ put32(client, 0);
+ put32(client, 0);
+ putdata(client, *in);
+ ret32(client, val);
+ retdata(client, *mic);
+ return val;
+}
+
+static int32_t
+verify_mic(struct client *client, int32_t hContext,
+ krb5_data *in, krb5_data *mic)
+{
+ int32_t val;
+ put32(client, eVerify);
+ put32(client, hContext);
+ put32(client, 0);
+ put32(client, 0);
+ putdata(client, *in);
+ putdata(client, *mic);
+ ret32(client, val);
+ return val;
+}
+
+
+static int32_t
+get_version_capa(struct client *client,
+ int32_t *version, int32_t *capa,
+ char **version_str)
+{
+ put32(client, eGetVersionAndCapabilities);
+ ret32(client, *version);
+ ret32(client, *capa);
+ retstring(client, *version_str);
+ return GSMERR_OK;
+}
+
+static int32_t
+get_moniker(struct client *client,
+ char **moniker)
+{
+ put32(client, eGetMoniker);
+ retstring(client, *moniker);
+ return GSMERR_OK;
+}
+
+static int
+wait_log(struct client *c)
+{
+ int32_t port;
+ struct sockaddr_storage sast;
+ socklen_t salen = sizeof(sast);
+ krb5_socket_t sock, sock2;
+ int ret;
+
+ memset(&sast, 0, sizeof(sast));
+
+ assert(sizeof(sast) >= c->salen);
+
+ sock = socket(c->sa->sa_family, SOCK_STREAM, 0);
+ if (sock == rk_INVALID_SOCKET)
+ err(1, "failed to build socket for %s's logging port", c->moniker);
+
+ sast.ss_family = c->sa->sa_family;
+ ret = bind(sock, (struct sockaddr *)&sast, c->salen);
+ if (ret < 0)
+ err(1, "failed to bind %s's logging port", c->moniker);
+
+ if (listen(sock, SOMAXCONN) < 0)
+ err(1, "failed to listen %s's logging port", c->moniker);
+
+ salen = sizeof(sast);
+ ret = getsockname(sock, (struct sockaddr *)&sast, &salen);
+ if (ret < 0)
+ err(1, "failed to get address of local socket for %s", c->moniker);
+
+ port = socket_get_port((struct sockaddr *)&sast);
+
+ put32(c, eSetLoggingSocket);
+ put32(c, ntohs(port));
+
+ salen = sizeof(sast);
+ sock2 = accept(sock, (struct sockaddr *)&sast, &salen);
+ if (sock2 == rk_INVALID_SOCKET)
+ err(1, "failed to accept local socket for %s", c->moniker);
+ rk_closesocket(sock);
+
+ return sock2;
+}
+
+
+
+
+static int
+build_context(struct client *ipeer, struct client *apeer,
+ int32_t flags, int32_t hCred,
+ int32_t *iContext, int32_t *aContext, int32_t *hDelegCred)
+{
+ int32_t val = GSMERR_ERROR, ic = 0, ac = 0, deleg = 0;
+ krb5_data itoken, otoken;
+ int iDone = 0, aDone = 0;
+ int step = 0;
+ int first_call = 0x80;
+
+ if (apeer->target_name == NULL)
+ errx(1, "apeer %s have no target name", apeer->name);
+
+ krb5_data_zero(&itoken);
+
+ while (!iDone || !aDone) {
+
+ if (iDone) {
+ warnx("iPeer already done, aPeer want extra rtt");
+ val = GSMERR_ERROR;
+ goto out;
+ }
+
+ val = init_sec_context(ipeer, &ic, &hCred, flags|first_call,
+ apeer->target_name, &itoken, &otoken);
+ step++;
+ switch(val) {
+ case GSMERR_OK:
+ iDone = 1;
+ if (aDone)
+ continue;
+ break;
+ case GSMERR_CONTINUE_NEEDED:
+ break;
+ default:
+ warnx("iPeer %s failed with %d (step %d)",
+ ipeer->name, (int)val, step);
+ goto out;
+ }
+
+ if (aDone) {
+ warnx("aPeer already done, iPeer want extra rtt");
+ val = GSMERR_ERROR;
+ goto out;
+ }
+
+ val = accept_sec_context(apeer, &ac, flags|first_call,
+ &otoken, &itoken, &deleg);
+ step++;
+ switch(val) {
+ case GSMERR_OK:
+ aDone = 1;
+ if (iDone)
+ continue;
+ break;
+ case GSMERR_CONTINUE_NEEDED:
+ break;
+ default:
+ warnx("aPeer %s failed with %d (step %d)",
+ apeer->name, (int)val, step);
+ val = GSMERR_ERROR;
+ goto out;
+ }
+ first_call = 0;
+ val = GSMERR_OK;
+ }
+
+ if (iContext == NULL || val != GSMERR_OK) {
+ if (ic)
+ toast_resource(ipeer, ic);
+ if (iContext)
+ *iContext = 0;
+ } else
+ *iContext = ic;
+
+ if (aContext == NULL || val != GSMERR_OK) {
+ if (ac)
+ toast_resource(apeer, ac);
+ if (aContext)
+ *aContext = 0;
+ } else
+ *aContext = ac;
+
+ if (hDelegCred == NULL || val != GSMERR_OK) {
+ if (deleg)
+ toast_resource(apeer, deleg);
+ if (hDelegCred)
+ *hDelegCred = 0;
+ } else
+ *hDelegCred = deleg;
+
+out:
+ return val;
+}
+
+static void
+test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2)
+{
+ krb5_data msg, mic;
+ int32_t val;
+
+ msg.data = "foo";
+ msg.length = 3;
+
+ krb5_data_zero(&mic);
+
+ val = get_mic(c1, hc1, &msg, &mic);
+ if (val)
+ errx(1, "get_mic failed to host: %s", c1->moniker);
+ val = verify_mic(c2, hc2, &msg, &mic);
+ if (val)
+ errx(1, "verify_mic failed to host: %s", c2->moniker);
+
+ krb5_data_free(&mic);
+}
+
+static int32_t
+test_wrap(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
+ int conf)
+{
+ krb5_data msg, wrapped, out;
+ int32_t val;
+
+ msg.data = "foo";
+ msg.length = 3;
+
+ krb5_data_zero(&wrapped);
+ krb5_data_zero(&out);
+
+ val = encrypt_token(c1, hc1, conf, &msg, &wrapped);
+ if (val) {
+ warnx("encrypt_token failed to host: %s", c1->moniker);
+ return val;
+ }
+ val = decrypt_token(c2, hc2, conf, &wrapped, &out);
+ if (val) {
+ krb5_data_free(&wrapped);
+ warnx("decrypt_token failed to host: %s", c2->moniker);
+ return val;
+ }
+
+ if (msg.length != out.length) {
+ warnx("decrypted'ed token have wrong length (%lu != %lu)",
+ (unsigned long)msg.length, (unsigned long)out.length);
+ val = GSMERR_ERROR;
+ } else if (memcmp(msg.data, out.data, msg.length) != 0) {
+ warnx("decryptd'ed token have wrong data");
+ val = GSMERR_ERROR;
+ }
+
+ krb5_data_free(&wrapped);
+ krb5_data_free(&out);
+ return val;
+}
+
+static int32_t
+test_wrap_ext(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
+ int conf, int bflags)
+{
+ krb5_data header, msg, trailer, wrapped, out;
+ int32_t val;
+
+ header.data = "header";
+ header.length = sizeof("header") - 1;
+
+ msg.data = "0123456789abcdef"; /* padded for most enctypes */
+ msg.length = sizeof("0123456789abcdef") - 1;
+
+ trailer.data = "trailer";
+ trailer.length = 7;
+
+ krb5_data_zero(&wrapped);
+ krb5_data_zero(&out);
+
+ val = wrap_token_ext(c1, hc1, conf, bflags, &header, &msg, &trailer, &wrapped);
+ if (val) {
+ warnx("encrypt_token failed to host: %s", c1->moniker);
+ return val;
+ }
+ val = unwrap_token_ext(c2, hc2, conf, bflags, &header, &wrapped, &trailer, &out);
+ if (val) {
+ krb5_data_free(&wrapped);
+ warnx("decrypt_token failed to host: %s", c2->moniker);
+ return val;
+ }
+
+ if (msg.length != out.length) {
+ warnx("decrypted'ed token have wrong length (%lu != %lu)",
+ (unsigned long)msg.length, (unsigned long)out.length);
+ val = GSMERR_ERROR;
+ } else if (memcmp(msg.data, out.data, msg.length) != 0) {
+ warnx("decryptd'ed token have wrong data");
+ val = GSMERR_ERROR;
+ }
+
+ krb5_data_free(&wrapped);
+ krb5_data_free(&out);
+ return val;
+}
+
+
+static int32_t
+test_token(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2, int wrap_ext)
+{
+ int32_t val;
+ int i;
+
+ for (i = 0; i < 10; i++) {
+ /* mic */
+ test_mic(c1, hc1, c2, hc2);
+ test_mic(c2, hc2, c1, hc1);
+
+ /* wrap */
+ val = test_wrap(c1, hc1, c2, hc2, 0);
+ if (val) return val;
+ val = test_wrap(c2, hc2, c1, hc1, 0);
+ if (val) return val;
+
+ val = test_wrap(c1, hc1, c2, hc2, 1);
+ if (val) return val;
+ val = test_wrap(c2, hc2, c1, hc1, 1);
+ if (val) return val;
+
+ if (wrap_ext) {
+ /* wrap ext */
+ val = test_wrap_ext(c1, hc1, c2, hc2, 1, 0);
+ if (val) return val;
+ val = test_wrap_ext(c2, hc2, c1, hc1, 1, 0);
+ if (val) return val;
+
+ val = test_wrap_ext(c1, hc1, c2, hc2, 1, 1);
+ if (val) return val;
+ val = test_wrap_ext(c2, hc2, c1, hc1, 1, 1);
+ if (val) return val;
+
+ val = test_wrap_ext(c1, hc1, c2, hc2, 0, 0);
+ if (val) return val;
+ val = test_wrap_ext(c2, hc2, c1, hc1, 0, 0);
+ if (val) return val;
+
+ val = test_wrap_ext(c1, hc1, c2, hc2, 0, 1);
+ if (val) return val;
+ val = test_wrap_ext(c2, hc2, c1, hc1, 0, 1);
+ if (val) return val;
+ }
+ }
+ return GSMERR_OK;
+}
+
+static int
+log_function(void *ptr)
+{
+ struct client *c = ptr;
+ int32_t cmd, line;
+ char *file = NULL, *string = NULL;
+
+ while (1) {
+ if (krb5_ret_int32(c->logsock, &cmd))
+ goto out;
+
+ switch (cmd) {
+ case eLogSetMoniker:
+ if (krb5_ret_string(c->logsock, &file))
+ goto out;
+ break;
+ case eLogInfo:
+ case eLogFailure:
+ if (krb5_ret_string(c->logsock, &file))
+ goto out;
+ if (krb5_ret_int32(c->logsock, &line))
+ goto out;
+ if (krb5_ret_string(c->logsock, &string))
+ goto out;
+ printf("%s:%lu: %s\n",
+ file, (unsigned long)line, string);
+ fprintf(logfile, "%s:%lu: %s\n",
+ file, (unsigned long)line, string);
+ fflush(logfile);
+ if (krb5_store_int32(c->logsock, 0))
+ goto out;
+ break;
+ default:
+ errx(1, "client send bad log command: %d", (int)cmd);
+ }
+ }
+out:
+ free(file);
+ free(string);
+
+ return 0;
+}
+
+static void
+connect_client(const char *slave)
+{
+ char *name, *port;
+ struct client *c = ecalloc(1, sizeof(*c));
+ struct addrinfo hints, *res0, *res;
+ int ret;
+ krb5_socket_t sock;
+
+ name = estrdup(slave);
+ port = strchr(name, ':');
+ if (port == NULL)
+ errx(1, "port missing from %s", name);
+ *port++ = 0;
+
+ c->name = estrdup(slave);
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+ ret = getaddrinfo(name, port, &hints, &res0);
+ if (ret)
+ errx(1, "error resolving %s", name);
+
+ for (res = res0, sock = rk_INVALID_SOCKET; res; res = res->ai_next) {
+ sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (sock == rk_INVALID_SOCKET)
+ continue;
+ if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
+ rk_closesocket(sock);
+ sock = rk_INVALID_SOCKET;
+ continue;
+ }
+ c->sa = ecalloc(1, res->ai_addrlen);
+ memcpy(c->sa, res->ai_addr, res->ai_addrlen);
+ c->salen = res->ai_addrlen;
+ break; /* okay we got one */
+ }
+ if (sock == rk_INVALID_SOCKET)
+ err(1, "connect to host: %s", name);
+ freeaddrinfo(res0);
+
+ c->sock = krb5_storage_from_socket(sock);
+ rk_closesocket(sock);
+ if (c->sock == NULL)
+ errx(1, "krb5_storage_from_fd");
+
+ {
+ int32_t version;
+ char *str = NULL;
+ get_version_capa(c, &version, &c->capabilities, &str);
+ if (str) {
+ free(str);
+ }
+ if (c->capabilities & HAS_MONIKER)
+ get_moniker(c, &c->moniker);
+ else
+ c->moniker = c->name;
+ if (c->capabilities & ISSERVER)
+ get_targetname(c, &c->target_name);
+ }
+
+ if (logfile) {
+ printf("starting log socket to client %s\n", c->moniker);
+
+ sock = wait_log(c);
+
+ c->logsock = krb5_storage_from_socket(sock);
+ rk_closesocket(sock);
+ if (c->logsock == NULL)
+ errx(1, "failed to create log krb5_storage");
+#ifdef ENABLE_PTHREAD_SUPPORT
+ pthread_create(&c->thr, NULL, log_function, c);
+#else
+ c->child = fork();
+ if (c->child == -1)
+ errx(1, "failed to fork");
+ else if (c->child == 0) {
+ log_function(c);
+ fclose(logfile);
+ exit(0);
+ }
+#endif
+ }
+
+
+ clients = erealloc(clients, (num_clients + 1) * sizeof(*clients));
+
+ clients[num_clients] = c;
+ num_clients++;
+
+ free(name);
+}
+
+static struct client *
+get_client(const char *slave)
+{
+ size_t i;
+ for (i = 0; i < num_clients; i++)
+ if (strcmp(slave, clients[i]->name) == 0)
+ return clients[i];
+ errx(1, "failed to find client %s", slave);
+}
+
+/*
+ *
+ */
+
+static int version_flag;
+static int help_flag;
+static int wrap_ext = 0;
+static char *logfile_str;
+static getarg_strings principals;
+static getarg_strings slaves;
+
+struct getargs args[] = {
+ { "principals", 0, arg_strings, &principals, "Test principal",
+ NULL },
+ { "slaves", 0, arg_strings, &slaves, "Slaves",
+ NULL },
+ { "log-file", 0, arg_string, &logfile_str, "Logfile",
+ NULL },
+ { "wrap-ext", 0, arg_flag, &wrap_ext, "test wrap extended",
+ NULL },
+ { "version", 0, arg_flag, &version_flag, "Print version",
+ NULL },
+ { "help", 0, arg_flag, &help_flag, NULL,
+ NULL }
+};
+
+static void
+usage(int ret)
+{
+ arg_printusage (args,
+ sizeof(args) / sizeof(args[0]),
+ NULL,
+ "");
+ exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+ int optidx= 0;
+ char *user;
+ char *password;
+ char ***list, **p;
+ size_t num_list, i, j, k;
+ int failed = 0;
+
+ setprogname (argv[0]);
+
+ if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage (1);
+
+ if (help_flag)
+ usage (0);
+
+ if (version_flag) {
+ print_version (NULL);
+ return 0;
+ }
+
+ if (optidx != argc)
+ usage (1);
+
+ if (principals.num_strings == 0)
+ errx(1, "no principals");
+
+ user = estrdup(principals.strings[0]);
+ password = strchr(user, ':');
+ if (password == NULL)
+ errx(1, "password missing from %s", user);
+ *password++ = 0;
+
+ if (slaves.num_strings == 0)
+ errx(1, "no principals");
+
+ if (logfile_str) {
+ printf("open logfile %s\n", logfile_str);
+ logfile = fopen(logfile_str, "w+");
+ if (logfile == NULL)
+ err(1, "failed to open: %s", logfile_str);
+ }
+
+ /*
+ *
+ */
+
+ list = permutate_all(&slaves, &num_list);
+
+ /*
+ * Set up connection to all clients
+ */
+
+ printf("Connecting to slaves\n");
+ for (i = 0; i < slaves.num_strings; i++)
+ connect_client(slaves.strings[i]);
+
+ /*
+ * Test acquire credentials
+ */
+
+ printf("Test acquire credentials\n");
+ for (i = 0; i < slaves.num_strings; i++) {
+ int32_t hCred, val;
+
+ val = acquire_cred(clients[i], user, password, 1, &hCred);
+ if (val != GSMERR_OK) {
+ warnx("Failed to acquire_cred on host %s: %d",
+ clients[i]->moniker, (int)val);
+ failed = 1;
+ } else
+ toast_resource(clients[i], hCred);
+ }
+
+ if (failed)
+ goto out;
+
+ /*
+ * First test if all slaves can build context to them-self.
+ */
+
+ printf("Self context tests\n");
+ for (i = 0; i < num_clients; i++) {
+ int32_t hCred, val, delegCred;
+ int32_t clientC, serverC;
+ struct client *c = clients[i];
+
+ if (c->target_name == NULL)
+ continue;
+
+ printf("%s connects to self using %s\n",
+ c->moniker, c->target_name);
+
+ val = acquire_cred(c, user, password, 1, &hCred);
+ if (val != GSMERR_OK)
+ errx(1, "failed to acquire_cred: %d", (int)val);
+
+ val = build_context(c, c,
+ GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG|
+ GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG|
+ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG,
+ hCred, &clientC, &serverC, &delegCred);
+ if (val == GSMERR_OK) {
+ test_token(c, clientC, c, serverC, wrap_ext);
+ toast_resource(c, clientC);
+ toast_resource(c, serverC);
+ if (delegCred)
+ toast_resource(c, delegCred);
+ } else {
+ warnx("build_context failed: %d", (int)val);
+ }
+ /*
+ *
+ */
+
+ val = build_context(c, c,
+ GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG,
+ hCred, &clientC, &serverC, &delegCred);
+ if (val == GSMERR_OK) {
+ test_token(c, clientC, c, serverC, wrap_ext);
+ toast_resource(c, clientC);
+ toast_resource(c, serverC);
+ if (delegCred)
+ toast_resource(c, delegCred);
+ } else {
+ warnx("build_context failed: %d", (int)val);
+ }
+
+ toast_resource(c, hCred);
+ }
+ /*
+ * Build contexts though all entries in each lists, including the
+ * step from the last entry to the first, ie treat the list as a
+ * circle.
+ *
+ * Only follow the delegated credential, but test "all"
+ * flags. (XXX only do deleg|mutual right now.
+ */
+
+ printf("\"All\" permutation tests\n");
+
+ for (i = 0; i < num_list; i++) {
+ int32_t hCred, val, delegCred = 0;
+ int32_t clientC = 0, serverC = 0;
+ struct client *client, *server;
+
+ p = list[i];
+
+ client = get_client(p[0]);
+
+ val = acquire_cred(client, user, password, 1, &hCred);
+ if (val != GSMERR_OK)
+ errx(1, "failed to acquire_cred: %d", (int)val);
+
+ for (j = 1; j < num_clients + 1; j++) {
+ server = get_client(p[j % num_clients]);
+
+ if (server->target_name == NULL)
+ break;
+
+ for (k = 1; k < j; k++)
+ printf("\t");
+ printf("%s -> %s\n", client->moniker, server->moniker);
+
+ val = build_context(client, server,
+ GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG|
+ GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG|
+ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG,
+ hCred, &clientC, &serverC, &delegCred);
+ if (val != GSMERR_OK) {
+ warnx("build_context failed: %d", (int)val);
+ break;
+ }
+
+ val = test_token(client, clientC, server, serverC, wrap_ext);
+ if (val)
+ break;
+
+ toast_resource(client, clientC);
+ toast_resource(server, serverC);
+ if (!delegCred) {
+ warnx("no delegated cred on %s", server->moniker);
+ break;
+ }
+ toast_resource(client, hCred);
+ hCred = delegCred;
+ client = server;
+ }
+ if (hCred)
+ toast_resource(client, hCred);
+ }
+
+ /*
+ * Close all connections to clients
+ */
+
+out:
+ printf("sending goodbye and waiting for log sockets\n");
+ for (i = 0; i < num_clients; i++) {
+ goodbye(clients[i]);
+ if (clients[i]->logsock) {
+#ifdef ENABLE_PTHREAD_SUPPORT
+ pthread_join(&clients[i]->thr, NULL);
+#else
+ waitpid(clients[i]->child, NULL, 0);
+#endif
+ }
+ }
+
+ printf("done\n");
+
+ return 0;
+}
diff --git a/third_party/heimdal/appl/gssmask/gssmask.c b/third_party/heimdal/appl/gssmask/gssmask.c
new file mode 100644
index 0000000..44b59fe
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/gssmask.c
@@ -0,0 +1,1268 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "common.h"
+RCSID("$Id$");
+
+/*
+ *
+ */
+
+enum handle_type { handle_context, handle_cred };
+
+struct handle {
+ int32_t idx;
+ enum handle_type type;
+ void *ptr;
+ struct handle *next;
+};
+
+struct client {
+ krb5_storage *sock;
+ krb5_storage *logging;
+ char *moniker;
+ int32_t nHandle;
+ struct handle *handles;
+ struct sockaddr_storage sa;
+ socklen_t salen;
+ char servername[MAXHOSTNAMELEN];
+};
+
+FILE *logfile;
+static char *targetname;
+krb5_context context;
+
+/*
+ *
+ */
+
+static void
+logmessage(struct client *c, const char *file, unsigned int lineno,
+ int level, const char *fmt, ...)
+{
+ char *message;
+ va_list ap;
+ int32_t ackid;
+ int ret;
+
+ va_start(ap, fmt);
+ ret = vasprintf(&message, fmt, ap);
+ va_end(ap);
+ if (ret == -1)
+ errx(1, "out of memory");
+
+ if (logfile)
+ fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message);
+
+ if (c->logging) {
+ if (krb5_store_int32(c->logging, eLogInfo) != 0)
+ errx(1, "krb5_store_int32: log level");
+ if (krb5_store_string(c->logging, file) != 0)
+ errx(1, "krb5_store_string: filename");
+ if (krb5_store_int32(c->logging, lineno) != 0)
+ errx(1, "krb5_store_string: filename");
+ if (krb5_store_string(c->logging, message) != 0)
+ errx(1, "krb5_store_string: message");
+ if (krb5_ret_int32(c->logging, &ackid) != 0)
+ errx(1, "krb5_ret_int32: ackid");
+ }
+ free(message);
+}
+
+/*
+ *
+ */
+
+static int32_t
+add_handle(struct client *c, enum handle_type type, void *data)
+{
+ struct handle *h;
+
+ h = ecalloc(1, sizeof(*h));
+
+ h->idx = ++c->nHandle;
+ h->type = type;
+ h->ptr = data;
+ h->next = c->handles;
+ c->handles = h;
+
+ return h->idx;
+}
+
+static void
+del_handle(struct handle **h, int32_t idx)
+{
+ OM_uint32 min_stat;
+
+ if (idx == 0)
+ return;
+
+ while (*h) {
+ if ((*h)->idx == idx) {
+ struct handle *p = *h;
+ *h = (*h)->next;
+ switch(p->type) {
+ case handle_context: {
+ gss_ctx_id_t c = p->ptr;
+ gss_delete_sec_context(&min_stat, &c, NULL);
+ break; }
+ case handle_cred: {
+ gss_cred_id_t c = p->ptr;
+ gss_release_cred(&min_stat, &c);
+ break; }
+ }
+ free(p);
+ return;
+ }
+ h = &((*h)->next);
+ }
+ errx(1, "tried to delete an unexisting handle");
+}
+
+static void *
+find_handle(struct handle *h, int32_t idx, enum handle_type type)
+{
+ if (idx == 0)
+ return NULL;
+
+ while (h) {
+ if (h->idx == idx) {
+ if (type == h->type)
+ return h->ptr;
+ errx(1, "monger switched type on handle!");
+ }
+ h = h->next;
+ }
+ return NULL;
+}
+
+
+static int32_t
+convert_gss_to_gsm(OM_uint32 maj_stat)
+{
+ switch(maj_stat) {
+ case 0:
+ return GSMERR_OK;
+ case GSS_S_CONTINUE_NEEDED:
+ return GSMERR_CONTINUE_NEEDED;
+ case GSS_S_DEFECTIVE_TOKEN:
+ return GSMERR_INVALID_TOKEN;
+ case GSS_S_BAD_MIC:
+ return GSMERR_AP_MODIFIED;
+ default:
+ return GSMERR_ERROR;
+ }
+}
+
+static int32_t
+convert_krb5_to_gsm(krb5_error_code ret)
+{
+ switch(ret) {
+ case 0:
+ return GSMERR_OK;
+ default:
+ return GSMERR_ERROR;
+ }
+}
+
+/*
+ *
+ */
+
+static int32_t
+acquire_cred(struct client *c,
+ krb5_principal principal,
+ krb5_get_init_creds_opt *opt,
+ int32_t *handle)
+{
+ krb5_error_code ret;
+ krb5_creds cred;
+ krb5_ccache id;
+ gss_cred_id_t gcred;
+ OM_uint32 maj_stat, min_stat;
+
+ *handle = 0;
+
+ krb5_get_init_creds_opt_set_forwardable (opt, 1);
+ krb5_get_init_creds_opt_set_renew_life (opt, 3600 * 24 * 30);
+
+ memset(&cred, 0, sizeof(cred));
+
+ ret = krb5_get_init_creds_password (context,
+ &cred,
+ principal,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ NULL,
+ opt);
+ if (ret) {
+ logmessage(c, __FILE__, __LINE__, 0,
+ "krb5_get_init_creds failed: %d", ret);
+ return convert_krb5_to_gsm(ret);
+ }
+
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_initialize");
+
+ ret = krb5_cc_initialize (context, id, cred.client);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_initialize");
+
+ ret = krb5_cc_store_cred (context, id, &cred);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_store_cred");
+
+ krb5_free_cred_contents (context, &cred);
+
+ maj_stat = gss_krb5_import_cred(&min_stat,
+ id,
+ NULL,
+ NULL,
+ &gcred);
+ krb5_cc_close(context, id);
+ if (maj_stat) {
+ logmessage(c, __FILE__, __LINE__, 0,
+ "krb5 import creds failed with: %d", maj_stat);
+ return convert_gss_to_gsm(maj_stat);
+ }
+
+ *handle = add_handle(c, handle_cred, gcred);
+
+ return 0;
+}
+
+
+/*
+ *
+ */
+
+#define HandleOP(h) \
+handle##h(enum gssMaggotOp op, struct client *c)
+
+/*
+ *
+ */
+
+static int
+HandleOP(GetVersionInfo)
+{
+ put32(c, GSSMAGGOTPROTOCOL);
+ errx(1, "GetVersionInfo");
+}
+
+static int
+HandleOP(GoodBye)
+{
+ struct handle *h = c->handles;
+ unsigned int i = 0;
+
+ while (h) {
+ h = h->next;
+ i++;
+ }
+
+ if (i)
+ logmessage(c, __FILE__, __LINE__, 0,
+ "Did not toast all resources: %d", i);
+ return 1;
+}
+
+static int
+HandleOP(InitContext)
+{
+ OM_uint32 maj_stat, min_stat, ret_flags;
+ int32_t hContext, hCred, flags;
+ krb5_data target_name, in_token;
+ int32_t new_context_id = 0, gsm_error = 0;
+ krb5_data out_token = { 0 , NULL };
+
+ gss_ctx_id_t ctx;
+ gss_cred_id_t creds;
+ gss_name_t gss_target_name;
+ gss_buffer_desc input_token;
+ gss_buffer_desc output_token = {0, 0};
+ gss_OID oid = GSS_C_NO_OID;
+ gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER;
+
+ ret32(c, hContext);
+ ret32(c, hCred);
+ ret32(c, flags);
+ retdata(c, target_name);
+ retdata(c, in_token);
+
+ logmessage(c, __FILE__, __LINE__, 0,
+ "targetname: <%.*s>", (int)target_name.length,
+ (char *)target_name.data);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ hContext = 0;
+ creds = find_handle(c->handles, hCred, handle_cred);
+ if (creds == NULL)
+ abort();
+
+ input_token.length = target_name.length;
+ input_token.value = target_name.data;
+
+ maj_stat = gss_import_name(&min_stat,
+ &input_token,
+ GSS_KRB5_NT_PRINCIPAL_NAME,
+ &gss_target_name);
+ if (GSS_ERROR(maj_stat)) {
+ logmessage(c, __FILE__, __LINE__, 0,
+ "import name creds failed with: %d", maj_stat);
+ gsm_error = convert_gss_to_gsm(maj_stat);
+ goto out;
+ }
+
+ /* oid from flags */
+
+ if (in_token.length) {
+ input_token.length = in_token.length;
+ input_token.value = in_token.data;
+ input_token_ptr = &input_token;
+ if (ctx == NULL)
+ krb5_errx(context, 1, "initcreds, context NULL, but not first req");
+ } else {
+ input_token.length = 0;
+ input_token.value = NULL;
+ if (ctx)
+ krb5_errx(context, 1, "initcreds, context not NULL, but first req");
+ }
+
+ if ((flags & GSS_C_DELEG_FLAG) != 0)
+ logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating");
+ if ((flags & GSS_C_DCE_STYLE) != 0)
+ logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style");
+
+ maj_stat = gss_init_sec_context(&min_stat,
+ creds,
+ &ctx,
+ gss_target_name,
+ oid,
+ flags & 0x7f,
+ 0,
+ NULL,
+ input_token_ptr,
+ NULL,
+ &output_token,
+ &ret_flags,
+ NULL);
+ if (GSS_ERROR(maj_stat)) {
+ if (hContext != 0)
+ del_handle(&c->handles, hContext);
+ new_context_id = 0;
+ logmessage(c, __FILE__, __LINE__, 0,
+ "gss_init_sec_context returns code: %d/%d",
+ maj_stat, min_stat);
+ } else {
+ if (input_token.length == 0)
+ new_context_id = add_handle(c, handle_context, ctx);
+ else
+ new_context_id = hContext;
+ }
+
+ gsm_error = convert_gss_to_gsm(maj_stat);
+
+ if (output_token.length) {
+ out_token.data = output_token.value;
+ out_token.length = output_token.length;
+ }
+
+out:
+ logmessage(c, __FILE__, __LINE__, 0,
+ "InitContext return code: %d", gsm_error);
+
+ put32(c, new_context_id);
+ put32(c, gsm_error);
+ putdata(c, out_token);
+
+ gss_release_name(&min_stat, &gss_target_name);
+ if (output_token.length)
+ gss_release_buffer(&min_stat, &output_token);
+ krb5_data_free(&in_token);
+ krb5_data_free(&target_name);
+
+ return 0;
+}
+
+static int
+HandleOP(AcceptContext)
+{
+ OM_uint32 maj_stat, min_stat, ret_flags;
+ int32_t hContext, deleg_hcred, flags;
+ krb5_data in_token;
+ int32_t new_context_id = 0, gsm_error = 0;
+ krb5_data out_token = { 0 , NULL };
+
+ gss_ctx_id_t ctx;
+ gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
+ gss_buffer_desc input_token, output_token;
+
+ ret32(c, hContext);
+ ret32(c, flags);
+ retdata(c, in_token);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ hContext = 0;
+
+ if (in_token.length) {
+ input_token.length = in_token.length;
+ input_token.value = in_token.data;
+ } else {
+ input_token.length = 0;
+ input_token.value = NULL;
+ }
+
+ maj_stat = gss_accept_sec_context(&min_stat,
+ &ctx,
+ GSS_C_NO_CREDENTIAL,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ NULL,
+ NULL,
+ &output_token,
+ &ret_flags,
+ NULL,
+ &deleg_cred);
+ if (GSS_ERROR(maj_stat)) {
+ if (hContext != 0)
+ del_handle(&c->handles, hContext);
+ logmessage(c, __FILE__, __LINE__, 0,
+ "gss_accept_sec_context returns code: %d/%d",
+ maj_stat, min_stat);
+ new_context_id = 0;
+ } else {
+ if (hContext == 0)
+ new_context_id = add_handle(c, handle_context, ctx);
+ else
+ new_context_id = hContext;
+ }
+ if (output_token.length) {
+ out_token.data = output_token.value;
+ out_token.length = output_token.length;
+ }
+ if ((ret_flags & GSS_C_DCE_STYLE) != 0)
+ logmessage(c, __FILE__, __LINE__, 0, "accept_sec_context dce-style");
+ if ((ret_flags & GSS_C_DELEG_FLAG) != 0) {
+ deleg_hcred = add_handle(c, handle_cred, deleg_cred);
+ logmessage(c, __FILE__, __LINE__, 0,
+ "accept_context delegated handle: %d", deleg_hcred);
+ } else {
+ gss_release_cred(&min_stat, &deleg_cred);
+ deleg_hcred = 0;
+ }
+
+
+ gsm_error = convert_gss_to_gsm(maj_stat);
+
+ put32(c, new_context_id);
+ put32(c, gsm_error);
+ putdata(c, out_token);
+ put32(c, deleg_hcred);
+
+ if (output_token.length)
+ gss_release_buffer(&min_stat, &output_token);
+ krb5_data_free(&in_token);
+
+ return 0;
+}
+
+static int
+HandleOP(ToastResource)
+{
+ int32_t handle;
+
+ ret32(c, handle);
+ logmessage(c, __FILE__, __LINE__, 0, "toasting %d", handle);
+ del_handle(&c->handles, handle);
+ put32(c, GSMERR_OK);
+
+ return 0;
+}
+
+static int
+HandleOP(AcquireCreds)
+{
+ char *name, *password;
+ int32_t gsm_error, flags, handle = 0;
+ krb5_principal principal = NULL;
+ krb5_get_init_creds_opt *opt = NULL;
+ krb5_error_code ret;
+
+ retstring(c, name);
+ retstring(c, password);
+ ret32(c, flags);
+
+ logmessage(c, __FILE__, __LINE__, 0,
+ "username: %s password: %s", name, password);
+
+ ret = krb5_parse_name(context, name, &principal);
+ if (ret) {
+ gsm_error = convert_krb5_to_gsm(ret);
+ goto out;
+ }
+
+ ret = krb5_get_init_creds_opt_alloc (context, &opt);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
+
+ krb5_get_init_creds_opt_set_pa_password(context, opt, password, NULL);
+
+ gsm_error = acquire_cred(c, principal, opt, &handle);
+
+out:
+ logmessage(c, __FILE__, __LINE__, 0,
+ "AcquireCreds handle: %d return code: %d", handle, gsm_error);
+
+ if (opt)
+ krb5_get_init_creds_opt_free (context, opt);
+ if (principal)
+ krb5_free_principal(context, principal);
+ free(name);
+ free(password);
+
+ put32(c, gsm_error);
+ put32(c, handle);
+
+ return 0;
+}
+
+static int
+HandleOP(Sign)
+{
+ OM_uint32 maj_stat, min_stat;
+ int32_t hContext, flags, seqno;
+ krb5_data token;
+ gss_ctx_id_t ctx;
+ gss_buffer_desc input_token, output_token;
+
+ ret32(c, hContext);
+ ret32(c, flags);
+ ret32(c, seqno);
+ retdata(c, token);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ errx(1, "sign: reference to unknown context");
+
+ input_token.length = token.length;
+ input_token.value = token.data;
+
+ maj_stat = gss_get_mic(&min_stat, ctx, 0, &input_token,
+ &output_token);
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_get_mic failed");
+
+ krb5_data_free(&token);
+
+ token.data = output_token.value;
+ token.length = output_token.length;
+
+ put32(c, 0); /* XXX fix gsm_error */
+ putdata(c, token);
+
+ gss_release_buffer(&min_stat, &output_token);
+
+ return 0;
+}
+
+static int
+HandleOP(Verify)
+{
+ OM_uint32 maj_stat, min_stat;
+ int32_t hContext, flags, seqno;
+ krb5_data msg, mic;
+ gss_ctx_id_t ctx;
+ gss_buffer_desc msg_token, mic_token;
+ gss_qop_t qop;
+
+ ret32(c, hContext);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ errx(1, "verify: reference to unknown context");
+
+ ret32(c, flags);
+ ret32(c, seqno);
+ retdata(c, msg);
+
+ msg_token.length = msg.length;
+ msg_token.value = msg.data;
+
+ retdata(c, mic);
+
+ mic_token.length = mic.length;
+ mic_token.value = mic.data;
+
+ maj_stat = gss_verify_mic(&min_stat, ctx, &msg_token,
+ &mic_token, &qop);
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_verify_mic failed");
+
+ krb5_data_free(&mic);
+ krb5_data_free(&msg);
+
+ put32(c, 0); /* XXX fix gsm_error */
+
+ return 0;
+}
+
+static int
+HandleOP(GetVersionAndCapabilities)
+{
+ int32_t cap = HAS_MONIKER;
+ char name[256] = "unknown", *str;
+ int ret;
+
+ if (targetname)
+ cap |= ISSERVER; /* is server */
+
+#ifdef HAVE_UNAME
+ {
+ struct utsname ut;
+ if (uname(&ut) == 0) {
+ snprintf(name, sizeof(name), "%s-%s-%s",
+ ut.sysname, ut.version, ut.machine);
+ }
+ }
+#endif
+
+ ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
+ if (ret == -1)
+ errx(1, "out of memory");
+
+ put32(c, GSSMAGGOTPROTOCOL);
+ put32(c, cap);
+ putstring(c, str);
+ free(str);
+
+ return 0;
+}
+
+static int
+HandleOP(GetTargetName)
+{
+ if (targetname)
+ putstring(c, targetname);
+ else
+ putstring(c, "");
+ return 0;
+}
+
+static int
+HandleOP(SetLoggingSocket)
+{
+ int32_t portnum;
+ krb5_socket_t sock;
+ int ret;
+
+ ret32(c, portnum);
+
+ logmessage(c, __FILE__, __LINE__, 0,
+ "logging port on peer is: %d", (int)portnum);
+
+ socket_set_port((struct sockaddr *)(&c->sa), htons(portnum));
+
+ sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
+ if (sock == rk_INVALID_SOCKET)
+ return 0;
+
+ ret = connect(sock, (struct sockaddr *)&c->sa, c->salen);
+ if (ret < 0) {
+ logmessage(c, __FILE__, __LINE__, 0, "failed connect to log port: %s",
+ strerror(errno));
+ rk_closesocket(sock);
+ return 0;
+ }
+
+ if (c->logging)
+ krb5_storage_free(c->logging);
+ c->logging = krb5_storage_from_socket(sock);
+ rk_closesocket(sock);
+
+ krb5_store_int32(c->logging, eLogSetMoniker);
+ store_string(c->logging, c->moniker);
+
+ logmessage(c, __FILE__, __LINE__, 0, "logging turned on");
+
+ return 0;
+}
+
+
+static int
+HandleOP(ChangePassword)
+{
+ errx(1, "ChangePassword");
+}
+
+static int
+HandleOP(SetPasswordSelf)
+{
+ errx(1, "SetPasswordSelf");
+}
+
+static int
+HandleOP(Wrap)
+{
+ OM_uint32 maj_stat, min_stat;
+ int32_t hContext, flags, seqno;
+ krb5_data token;
+ gss_ctx_id_t ctx;
+ gss_buffer_desc input_token, output_token;
+ int conf_state;
+
+ ret32(c, hContext);
+ ret32(c, flags);
+ ret32(c, seqno);
+ retdata(c, token);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ errx(1, "wrap: reference to unknown context");
+
+ input_token.length = token.length;
+ input_token.value = token.data;
+
+ maj_stat = gss_wrap(&min_stat, ctx, flags, 0, &input_token,
+ &conf_state, &output_token);
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_wrap failed");
+
+ krb5_data_free(&token);
+
+ token.data = output_token.value;
+ token.length = output_token.length;
+
+ put32(c, 0); /* XXX fix gsm_error */
+ putdata(c, token);
+
+ gss_release_buffer(&min_stat, &output_token);
+
+ return 0;
+}
+
+
+static int
+HandleOP(Unwrap)
+{
+ OM_uint32 maj_stat, min_stat;
+ int32_t hContext, flags, seqno;
+ krb5_data token;
+ gss_ctx_id_t ctx;
+ gss_buffer_desc input_token, output_token;
+ int conf_state;
+ gss_qop_t qop_state;
+
+ ret32(c, hContext);
+ ret32(c, flags);
+ ret32(c, seqno);
+ retdata(c, token);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ errx(1, "unwrap: reference to unknown context");
+
+ input_token.length = token.length;
+ input_token.value = token.data;
+
+ maj_stat = gss_unwrap(&min_stat, ctx, &input_token,
+ &output_token, &conf_state, &qop_state);
+
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat);
+
+ krb5_data_free(&token);
+ if (maj_stat == GSS_S_COMPLETE) {
+ token.data = output_token.value;
+ token.length = output_token.length;
+ } else {
+ token.data = NULL;
+ token.length = 0;
+ }
+ put32(c, 0); /* XXX fix gsm_error */
+ putdata(c, token);
+
+ if (maj_stat == GSS_S_COMPLETE)
+ gss_release_buffer(&min_stat, &output_token);
+
+ return 0;
+}
+
+static int
+HandleOP(Encrypt)
+{
+ return handleWrap(op, c);
+}
+
+static int
+HandleOP(Decrypt)
+{
+ return handleUnwrap(op, c);
+}
+
+static int
+HandleOP(ConnectLoggingService2)
+{
+ errx(1, "ConnectLoggingService2");
+}
+
+static int
+HandleOP(GetMoniker)
+{
+ putstring(c, c->moniker);
+ return 0;
+}
+
+static int
+HandleOP(CallExtension)
+{
+ errx(1, "CallExtension");
+}
+
+static int
+HandleOP(AcquirePKInitCreds)
+{
+ int32_t flags;
+ krb5_data pfxdata;
+ char fn[] = "FILE:/tmp/pkcs12-creds-XXXXXXX";
+ int fd;
+
+ ret32(c, flags);
+ retdata(c, pfxdata);
+
+ fd = mkstemp(fn + 5);
+ if (fd < 0)
+ errx(1, "mkstemp");
+
+ net_write(fd, pfxdata.data, pfxdata.length);
+ krb5_data_free(&pfxdata);
+ close(fd);
+
+ put32(c, -1); /* hResource */
+ put32(c, GSMERR_NOT_SUPPORTED);
+ return 0;
+}
+
+static int
+HandleOP(WrapExt)
+{
+ OM_uint32 maj_stat, min_stat;
+ int32_t hContext, flags, bflags;
+ krb5_data token, header, trailer;
+ gss_ctx_id_t ctx;
+ unsigned char *p;
+ int conf_state, iov_len;
+ gss_iov_buffer_desc iov[6];
+
+ ret32(c, hContext);
+ ret32(c, flags);
+ ret32(c, bflags);
+ retdata(c, header);
+ retdata(c, token);
+ retdata(c, trailer);
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ errx(1, "wrap: reference to unknown context");
+
+ memset(&iov, 0, sizeof(iov));
+
+ iov_len = sizeof(iov)/sizeof(iov[0]);
+
+ if (bflags & WRAP_EXP_ONLY_HEADER)
+ iov_len -= 2; /* skip trailer and padding, aka dce-style */
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
+ if (header.length != 0) {
+ iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[1].buffer.length = header.length;
+ iov[1].buffer.value = header.data;
+ } else {
+ iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+ }
+ iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[2].buffer.length = token.length;
+ iov[2].buffer.value = token.data;
+ if (trailer.length != 0) {
+ iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[3].buffer.length = trailer.length;
+ iov[3].buffer.value = trailer.data;
+ } else {
+ iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+ }
+ iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
+ iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
+
+ maj_stat = gss_wrap_iov_length(&min_stat, ctx, flags, 0, &conf_state,
+ iov, iov_len);
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_wrap_iov_length failed");
+
+ maj_stat = gss_wrap_iov(&min_stat, ctx, flags, 0, &conf_state,
+ iov, iov_len);
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_wrap_iov failed");
+
+ krb5_data_free(&token);
+
+ token.length = iov[0].buffer.length + iov[2].buffer.length + iov[4].buffer.length + iov[5].buffer.length;
+ token.data = malloc(token.length);
+
+ p = token.data;
+ memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
+ p += iov[0].buffer.length;
+ memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
+ p += iov[2].buffer.length;
+ memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
+ p += iov[4].buffer.length;
+ memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
+#if 0 /* Would be needed to keep going, but presently unused */
+ p += iov[5].buffer.length;
+#endif
+
+ gss_release_iov_buffer(NULL, iov, iov_len);
+
+ put32(c, 0); /* XXX fix gsm_error */
+ putdata(c, token);
+
+ free(token.data);
+
+ return 0;
+}
+
+
+static int
+HandleOP(UnwrapExt)
+{
+ OM_uint32 maj_stat, min_stat;
+ int32_t hContext, flags, bflags;
+ krb5_data token, header, trailer;
+ gss_ctx_id_t ctx;
+ gss_iov_buffer_desc iov[3];
+ int conf_state, iov_len;
+ gss_qop_t qop_state;
+
+ ret32(c, hContext);
+ ret32(c, flags);
+ ret32(c, bflags);
+ retdata(c, header);
+ retdata(c, token);
+ retdata(c, trailer);
+
+ iov_len = sizeof(iov)/sizeof(iov[0]);
+
+ if (bflags & WRAP_EXP_ONLY_HEADER)
+ iov_len -= 1; /* skip trailer and padding, aka dce-style */
+
+ ctx = find_handle(c->handles, hContext, handle_context);
+ if (ctx == NULL)
+ errx(1, "unwrap: reference to unknown context");
+
+ if (header.length != 0) {
+ iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[0].buffer.length = header.length;
+ iov[0].buffer.value = header.data;
+ } else {
+ iov[0].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+ }
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.length = token.length;
+ iov[1].buffer.value = token.data;
+
+ if (trailer.length != 0) {
+ iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[2].buffer.length = trailer.length;
+ iov[2].buffer.value = trailer.data;
+ } else {
+ iov[2].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+ }
+
+ maj_stat = gss_unwrap_iov(&min_stat, ctx, &conf_state, &qop_state,
+ iov, iov_len);
+
+ if (maj_stat != GSS_S_COMPLETE)
+ errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat);
+
+ if (maj_stat == GSS_S_COMPLETE) {
+ token.data = iov[1].buffer.value;
+ token.length = iov[1].buffer.length;
+ } else {
+ token.data = NULL;
+ token.length = 0;
+ }
+ put32(c, 0); /* XXX fix gsm_error */
+ putdata(c, token);
+
+ return 0;
+}
+
+/*
+ *
+ */
+
+struct handler {
+ enum gssMaggotOp op;
+ const char *name;
+ int (*func)(enum gssMaggotOp, struct client *);
+};
+
+#define S(a) { e##a, #a, handle##a }
+
+struct handler handlers[] = {
+ S(GetVersionInfo),
+ S(GoodBye),
+ S(InitContext),
+ S(AcceptContext),
+ S(ToastResource),
+ S(AcquireCreds),
+ S(Encrypt),
+ S(Decrypt),
+ S(Sign),
+ S(Verify),
+ S(GetVersionAndCapabilities),
+ S(GetTargetName),
+ S(SetLoggingSocket),
+ S(ChangePassword),
+ S(SetPasswordSelf),
+ S(Wrap),
+ S(Unwrap),
+ S(ConnectLoggingService2),
+ S(GetMoniker),
+ S(CallExtension),
+ S(AcquirePKInitCreds),
+ S(WrapExt),
+ S(UnwrapExt),
+};
+
+#undef S
+
+/*
+ *
+ */
+
+static struct handler *
+find_op(int32_t op)
+{
+ int i;
+
+ for (i = 0; i < sizeof(handlers)/sizeof(handlers[0]); i++)
+ if (handlers[i].op == op)
+ return &handlers[i];
+ return NULL;
+}
+
+static struct client *
+create_client(krb5_socket_t sock, int port, const char *moniker)
+{
+ struct client *c;
+ int ret;
+
+ c = ecalloc(1, sizeof(*c));
+
+ if (moniker) {
+ c->moniker = estrdup(moniker);
+ } else {
+ char hostname[MAXHOSTNAMELEN];
+ gethostname(hostname, sizeof(hostname));
+ ret = asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
+ if (ret == -1)
+ c->moniker = NULL;
+ }
+
+ if (!c->moniker)
+ errx(1, "out of memory");
+
+ {
+ c->salen = sizeof(c->sa);
+ getpeername(sock, (struct sockaddr *)&c->sa, &c->salen);
+
+ getnameinfo((struct sockaddr *)&c->sa, c->salen,
+ c->servername, sizeof(c->servername),
+ NULL, 0, NI_NUMERICHOST);
+ }
+
+ c->sock = krb5_storage_from_socket(sock);
+ if (c->sock == NULL)
+ errx(1, "krb5_storage_from_socket");
+
+ rk_closesocket(sock);
+
+ return c;
+}
+
+static void
+free_client(struct client *c)
+{
+ while(c->handles)
+ del_handle(&c->handles, c->handles->idx);
+
+ free(c->moniker);
+ krb5_storage_free(c->sock);
+ if (c->logging)
+ krb5_storage_free(c->logging);
+ free(c);
+}
+
+
+static void *
+handleServer(void *ptr)
+{
+ struct handler *handler;
+ struct client *c;
+ int32_t op;
+
+ c = (struct client *)ptr;
+
+
+ while(1) {
+ ret32(c, op);
+
+ handler = find_op(op);
+ if (handler == NULL) {
+ logmessage(c, __FILE__, __LINE__, 0,
+ "op %d not supported", (int)op);
+ exit(1);
+ }
+
+ logmessage(c, __FILE__, __LINE__, 0,
+ "---> Got op %s from server %s",
+ handler->name, c->servername);
+
+ if ((handler->func)(handler->op, c))
+ break;
+ }
+
+ return NULL;
+}
+
+
+static char *port_str;
+static int version_flag;
+static int help_flag;
+static char *logfile_str;
+static char *moniker_str;
+
+static int port = 4711;
+
+struct getargs args[] = {
+ { "spn", 0, arg_string, &targetname, "This host's SPN",
+ "service/host@REALM" },
+ { "port", 'p', arg_string, &port_str, "Use this port",
+ "number-of-service" },
+ { "logfile", 0, arg_string, &logfile_str, "logfile",
+ "number-of-service" },
+ { "moniker", 0, arg_string, &moniker_str, "nickname",
+ "name" },
+ { "version", 0, arg_flag, &version_flag, "Print version",
+ NULL },
+ { "help", 0, arg_flag, &help_flag, NULL,
+ NULL }
+};
+
+static void
+usage(int ret)
+{
+ arg_printusage (args,
+ sizeof(args) / sizeof(args[0]),
+ NULL,
+ "");
+ exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+ int optidx = 0;
+ krb5_error_code ret;
+
+ setprogname (argv[0]);
+
+ if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage (1);
+
+ if (help_flag)
+ usage (0);
+
+ if (version_flag) {
+ print_version (NULL);
+ return 0;
+ }
+
+ if (optidx != argc)
+ usage (1);
+
+ if (port_str) {
+ char *ptr;
+
+ port = strtol (port_str, &ptr, 10);
+ if (port == 0 && ptr == port_str)
+ errx (1, "Bad port `%s'", port_str);
+ }
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx(1, "Error initializing kerberos: %d", ret);
+
+ {
+ const char *lf = logfile_str;
+ if (lf == NULL)
+ lf = "/dev/tty";
+
+ logfile = fopen(lf, "w");
+ if (logfile == NULL)
+ err(1, "error opening %s", lf);
+ }
+
+ mini_inetd(htons(port), NULL);
+ fprintf(logfile, "connected\n");
+
+ {
+ struct client *c;
+
+ c = create_client(0, port, moniker_str);
+ /* close(0); */
+
+ handleServer(c);
+
+ free_client(c);
+ }
+
+ krb5_free_context(context);
+
+ return 0;
+}
diff --git a/third_party/heimdal/appl/gssmask/protocol.h b/third_party/heimdal/appl/gssmask/protocol.h
new file mode 100644
index 0000000..1e1f141
--- /dev/null
+++ b/third_party/heimdal/appl/gssmask/protocol.h
@@ -0,0 +1,317 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * $Id$
+ */
+
+/* missing from tests:
+ * - export context
+ * - import context
+ */
+
+/*
+ * wire encodings:
+ * int16: number, 2 bytes, in network order
+ * int32: number, 4 bytes, in network order
+ * length-encoded: [int32 length, data of length bytes]
+ * string: [int32 length, string of length + 1 bytes, includes trailing '\0' ]
+ */
+
+enum gssMaggotErrorCodes {
+ GSMERR_OK = 0,
+ GSMERR_ERROR,
+ GSMERR_CONTINUE_NEEDED,
+ GSMERR_INVALID_TOKEN,
+ GSMERR_AP_MODIFIED,
+ GSMERR_TEST_ISSUE,
+ GSMERR_NOT_SUPPORTED
+};
+
+/*
+ * input:
+ * int32: message OP (enum gssMaggotProtocol)
+ * ...
+ *
+ * return: -- on error
+ * int32: not support (GSMERR_NOT_SUPPORTED)
+ *
+ * return: -- on existing message OP
+ * int32: support (GSMERR_OK) -- only sent for extensions
+ * ...
+ */
+
+#define GSSMAGGOTPROTOCOL 14
+
+enum gssMaggotOp {
+ eGetVersionInfo = 0,
+ /*
+ * input:
+ * none
+ * return:
+ * int32: last version handled
+ */
+ eGoodBye,
+ /*
+ * input:
+ * none
+ * return:
+ * close socket
+ */
+ eInitContext,
+ /*
+ * input:
+ * int32: hContext
+ * int32: hCred
+ * int32: Flags
+ * the lowest 0x7f flags maps directly to GSS-API flags
+ * DELEGATE 0x001
+ * MUTUAL_AUTH 0x002
+ * REPLAY_DETECT 0x004
+ * SEQUENCE_DETECT 0x008
+ * CONFIDENTIALITY 0x010
+ * INTEGRITY 0x020
+ * ANONYMOUS 0x040
+ *
+ * FIRST_CALL 0x080
+ *
+ * NTLM 0x100
+ * SPNEGO 0x200
+ * length-encoded: targetname
+ * length-encoded: token
+ * return:
+ * int32: hNewContextId
+ * int32: gssapi status val
+ * length-encoded: output token
+ */
+ eAcceptContext,
+ /*
+ * input:
+ * int32: hContext
+ * int32: Flags -- unused ?
+ * flags are same as flags for eInitContext
+ * length-encoded: token
+ * return:
+ * int32: hNewContextId
+ * int32: gssapi status val
+ * length-encoded: output token
+ * int32: delegation cred id
+ */
+ eToastResource,
+ /*
+ * input:
+ * int32: hResource
+ * return:
+ * int32: gsm status val
+ */
+ eAcquireCreds,
+ /*
+ * input:
+ * string: principal name
+ * string: password
+ * int32: flags
+ * FORWARDABLE 0x001
+ * DEFAULT_CREDS 0x002
+ *
+ * NTLM 0x100
+ * SPNEGO 0x200
+ * return:
+ * int32: gsm status val
+ * int32: hCred
+ */
+ eEncrypt,
+ /*
+ * input:
+ * int32: hContext
+ * int32: flags
+ * int32: seqno -- unused
+ * length-encode: plaintext
+ * return:
+ * int32: gsm status val
+ * length-encode: ciphertext
+ */
+ eDecrypt,
+ /*
+ * input:
+ * int32: hContext
+ * int32: flags
+ * int32: seqno -- unused
+ * length-encode: ciphertext
+ * return:
+ * int32: gsm status val
+ * length-encode: plaintext
+ */
+ eSign,
+ /* message same as eEncrypt */
+ eVerify,
+ /*
+ * input:
+ * int32: hContext
+ * int32: flags
+ * int32: seqno -- unused
+ * length-encode: message
+ * length-encode: signature
+ * return:
+ * int32: gsm status val
+ */
+ eGetVersionAndCapabilities,
+ /*
+ * return:
+ * int32: protocol version
+ * int32: capability flags */
+#define ISSERVER 0x01
+#define ISKDC 0x02
+#define MS_KERBEROS 0x04
+#define LOGSERVER 0x08
+#define HAS_MONIKER 0x10
+ /* string: version string
+ */
+ eGetTargetName,
+ /*
+ * return:
+ * string: target principal name
+ */
+ eSetLoggingSocket,
+ /*
+ * input:
+ * int32: hostPort
+ * return to the port on the host:
+ * int32: opcode - for example eLogSetMoniker
+ */
+ eChangePassword,
+ /* here ended version 7 of the protocol */
+ /*
+ * input:
+ * string: principal name
+ * string: old password
+ * string: new password
+ * return:
+ * int32: gsm status val
+ */
+ eSetPasswordSelf,
+ /* same as eChangePassword */
+ eWrap,
+ /* message same as eEncrypt */
+ eUnwrap,
+ /* message same as eDecrypt */
+ eConnectLoggingService2,
+ /*
+ * return1:
+ * int16: log port number
+ * int32: master log prototocol version (0)
+ *
+ * wait for master to connect on the master log socket
+ *
+ * return2:
+ * int32: gsm connection status
+ * int32: maggot log prototocol version (2)
+ */
+ eGetMoniker,
+ /*
+ * return:
+ * string: moniker (Nickname the master can refer to maggot)
+ */
+ eCallExtension,
+ /*
+ * input:
+ * string: extension name
+ * int32: message id
+ * return:
+ * int32: gsm status val
+ */
+ eAcquirePKInitCreds,
+ /*
+ * input:
+ * int32: flags
+ * length-encode: certificate (pkcs12 data)
+ * return:
+ * int32: hResource
+ * int32: gsm status val (GSMERR_NOT_SUPPORTED)
+ */
+ /* here ended version 7 of the protocol */
+ eWrapExt,
+ /*
+ * input:
+ * int32: hContext
+ * int32: flags
+ * int32: bflags
+ * length-encode: protocol header
+ * length-encode: plaintext
+ * length-encode: protocol trailer
+ * return:
+ * int32: gsm status val
+ * length-encode: ciphertext
+ */
+ eUnwrapExt,
+ /*
+ * input:
+ * int32: hContext
+ * int32: flags
+ * int32: bflags
+ * length-encode: protocol header
+ * length-encode: ciphertext
+ * length-encode: protocol trailer
+ * return:
+ * int32: gsm status val
+ * length-encode: plaintext
+ */
+ /* here ended version 8 of the protocol */
+
+ eLastProtocolMessage
+};
+
+/* bflags */
+#define WRAP_EXP_ONLY_HEADER 1
+
+enum gssMaggotLogOp{
+ eLogInfo = 0,
+ /*
+ string: File
+ int32: Line
+ string: message
+ reply:
+ int32: ackid
+ */
+ eLogFailure,
+ /*
+ string: File
+ int32: Line
+ string: message
+ reply:
+ int32: ackid
+ */
+ eLogSetMoniker
+ /*
+ string: moniker
+ */
+};