/*- * * Copyright (c) 2015 IETF Trust and Benjamin Kaduk. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * - Neither the name of Internet Society, IETF or IETF Trust, nor the * names of specific contributors, may be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include #include #include #include const char *role; /* * This helper is used only on buffers that we allocate ourselves (e.g., * from receive_token()). Buffers allocated by GSS routines must use * gss_release_buffer(). */ static void release_buffer(gss_buffer_t buf) { free(buf->value); buf->value = NULL; buf->length = 0; } /* * Helper to send a token on the specified file descriptor. * * If errors are encountered, this routine must not directly cause * termination of the process because compliant GSS applications * must release resources allocated by the GSS library before * exiting. * * Returns 0 on success, nonzero on failure. */ static int send_token(int fd, gss_buffer_t token) { /* * Supply token framing and transmission code here. * * It is advisable for the application protocol to specify the * length of the token being transmitted unless the underlying * transit does so implicitly. * * In addition to checking for error returns from whichever * syscall(s) are used to send data, applications should have * a loop to handle EINTR returns. */ fprintf(stderr, "%s: write %zu bytes\n", role, (size_t)token->length); uint32_t len = htole32(token->length); ssize_t nwrit; if ((nwrit = write(fd, &len, sizeof(len))) == -1) err(1, "write length"); if ((size_t)nwrit != sizeof(len)) errx(1, "write truncated from %zu to to %zd bytes", sizeof(len), nwrit); if ((nwrit = write(fd, token->value, token->length)) == -1) err(1, "write token"); if ((size_t)nwrit != token->length) errx(1, "write truncated from %zu to %zd bytes", (size_t)token->length, nwrit); return 0; } /* * Helper to receive a token on the specified file descriptor. * * If errors are encountered, this routine must not directly cause * termination of the process because compliant GSS applications * must release resources allocated by the GSS library before * exiting. * * Returns 0 on success, nonzero on failure. */ static int receive_token(int fd, gss_buffer_t token) { /* * Supply token framing and transmission code here. * * In addition to checking for error returns from whichever * syscall(s) are used to receive data, applications should have * a loop to handle EINTR returns. * * This routine is assumed to allocate memory for the local copy * of the received token, which must be freed with release_buffer(). */ uint32_t len; ssize_t nread; memset(token, 0, sizeof(*token)); fprintf(stderr, "%s: reading...\n", role); if ((nread = read(fd, &len, sizeof(len))) == -1) err(1, "read length"); if ((size_t)nread != sizeof(len)) errx(1, "read truncated from %zu to %zd bytes", sizeof(len), nread); token->length = le32toh(len); fprintf(stderr, "%s: reading %u bytes\n", role, le32toh(len)); if ((token->value = malloc(token->length)) == NULL) return 1; if ((nread = read(fd, token->value, token->length)) == -1) err(1, "read token"); if ((size_t)nread != token->length) errx(1, "read truncated from %zu to %zd bytes", (size_t)token->length, nread); fprintf(stderr, "%s: read %zu bytes\n", role, (size_t)token->length); return 0; } static void do_initiator(int readfd, int writefd, int anon) { int initiator_established = 0, ret; gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; OM_uint32 major, minor, req_flags, ret_flags; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER; gss_name_t target_name = GSS_C_NO_NAME; /* Applications should set target_name to a real value. */ name_buf.value = "HTTP@www.example.com"; name_buf.length = strlen(name_buf.value); major = gss_import_name(&minor, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, &target_name); if (GSS_ERROR(major)) { warnx("Could not import name"); goto cleanup; } /* Mutual authentication will require a token from acceptor to * initiator and thus a second call to gss_init_sec_context(). */ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG; if (anon) req_flags |= GSS_C_ANON_FLAG; while (!initiator_established) { /* The initiator_cred_handle, mech_type, time_req, * input_chan_bindings, actual_mech_type, and time_rec * parameters are not needed in many cases. We pass * GSS_C_NO_CREDENTIAL, GSS_C_NO_OID, 0, NULL, NULL, and NULL * for them, respectively. */ fprintf(stderr, "%s: gss_init_sec_context\n", role); major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ctx, target_name, GSS_C_NO_OID, req_flags, 0, NULL, &input_token, NULL, &output_token, &ret_flags, NULL); fprintf(stderr, "%s: gss_init_sec_context returned 0x%x\n", role, major); /* This was allocated by receive_token() and is no longer * needed. Free it now to avoid leaks if the loop continues. */ release_buffer(&input_token); if (anon) { /* Initiators that wish to remain anonymous must check * whether their request has been honored before sending * each token. */ if (!(ret_flags & GSS_C_ANON_FLAG)) { warnx("Anonymous requested but not available"); goto cleanup; } } /* Always send a token if we are expecting another input token * (GSS_S_CONTINUE_NEEDED is set) or if it is nonempty. */ if ((major & GSS_S_CONTINUE_NEEDED) || output_token.length > 0) { ret = send_token(writefd, &output_token); if (ret != 0) goto cleanup; } /* Check for errors after sending the token so that we will send * error tokens. */ if (GSS_ERROR(major)) { warnx("gss_init_sec_context() error major 0x%x", major); goto cleanup; } /* Free the output token's storage; we don't need it anymore. * gss_release_buffer() is safe to call on the output buffer * from gss_int_sec_context(), even if there is no storage * associated with that buffer. */ (void)gss_release_buffer(&minor, &output_token); if (major & GSS_S_CONTINUE_NEEDED) { ret = receive_token(readfd, &input_token); if (ret != 0) goto cleanup; } else if (major == GSS_S_COMPLETE) { initiator_established = 1; } else { /* This situation is forbidden by RFC 2743. Bail out. */ warnx("major not complete or continue but not error"); goto cleanup; } } /* while (!initiator_established) */ if ((ret_flags & req_flags) != req_flags) { warnx("Negotiated context does not support requested flags"); goto cleanup; } printf("Initiator's context negotiation successful\n"); cleanup: /* We are required to release storage for nonzero-length output * tokens. gss_release_buffer() zeros the length, so we * will not attempt to release the same buffer twice. */ if (output_token.length > 0) (void)gss_release_buffer(&minor, &output_token); /* Do not request a context deletion token; pass NULL. */ (void)gss_delete_sec_context(&minor, &ctx, NULL); (void)gss_release_name(&minor, &target_name); } /* * Perform authorization checks on the initiator's GSS name object. * * Returns 0 on success (the initiator is authorized) and nonzero * when the initiator is not authorized. */ static int check_authz(gss_name_t client_name) { /* * Supply authorization checking code here. * * Options include bitwise comparison of the exported name against * a local database and introspection against name attributes. */ return 0; } static void do_acceptor(int readfd, int writefd) { int acceptor_established = 0, ret; gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; OM_uint32 major, minor, ret_flags; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; gss_name_t client_name; gss_buffer_desc client_display_name = GSS_C_EMPTY_BUFFER; major = GSS_S_CONTINUE_NEEDED; while (!acceptor_established) { if (major & GSS_S_CONTINUE_NEEDED) { ret = receive_token(readfd, &input_token); if (ret != 0) goto cleanup; } else if (major == GSS_S_COMPLETE) { acceptor_established = 1; break; } else { /* This situation is forbidden by RFC 2743. Bail out. */ warnx("major not complete or continue but not error"); goto cleanup; } /* We can use the default behavior or do not need the returned * information for the parameters acceptor_cred_handle, * input_chan_bindings, mech_type, time_rec, and * delegated_cred_handle, and pass the values * GSS_C_NO_CREDENTIAL, NULL, NULL, NULL, and NULL, * respectively. In some cases the src_name will not be * needed, but most likely it will be needed for some * authorization or logging functionality. */ fprintf(stderr, "%s: gss_accept_sec_context\n", role); major = gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &input_token, NULL, &client_name, NULL, &output_token, &ret_flags, NULL, NULL); fprintf(stderr, "%s: gss_accept_sec_context returned 0x%x\n", role, major); /* This was allocated by receive_token() and is no longer * needed. Free it now to avoid leaks if the loop continues. */ release_buffer(&input_token); /* Always send a token if we are expecting another input token * (GSS_S_CONTINUE_NEEDED is set) or if it is nonempty. */ if ((major & GSS_S_CONTINUE_NEEDED) || output_token.length > 0) { ret = send_token(writefd, &output_token); if (ret != 0) goto cleanup; } /* Check for errors after sending the token so that we will send * error tokens. */ if (GSS_ERROR(major)) { warnx("gss_accept_sec_context() error major 0x%x", major); goto cleanup; } /* Free the output token's storage; we don't need it anymore. * gss_release_buffer() is safe to call on the output buffer * from gss_accept_sec_context(), even if there is no storage * associated with that buffer. */ (void)gss_release_buffer(&minor, &output_token); } /* while (!acceptor_established) */ if (!(ret_flags & GSS_C_INTEG_FLAG)) { warnx("Negotiated context does not support integrity"); goto cleanup; } char display[128] = {0}; size_t displaylen = sizeof(display); (void)gss_display_name(&minor, client_name, &client_display_name, NULL); if (client_display_name.length < displaylen - 1) displaylen = client_display_name.length; memcpy(display, client_display_name.value, displaylen); printf("Acceptor's context negotiation with %s successful\n", display); ret = check_authz(client_name); if (ret != 0) printf("Client is not authorized; rejecting access\n"); cleanup: release_buffer(&input_token); /* We are required to release storage for nonzero-length output * tokens. gss_release_buffer() zeros the length, so we * will not attempt to release the same buffer twice. */ if (output_token.length > 0) (void)gss_release_buffer(&minor, &output_token); /* Do not request a context deletion token, pass NULL. */ (void)gss_delete_sec_context(&minor, &ctx, NULL); (void)gss_release_name(&minor, &client_name); } int main(void) { pid_t pid; int fd_itoa[2] = {-1, -1}, fd_atoi[2] = {-1, -1}; if (pipe(fd_itoa) == -1) err(1, "pipe 1"); if (pipe(fd_atoi) == -1) err(1, "pipe 1"); pid = fork(); if (pid == 0) { role = "initiator"; setenv("KRB5CCNAME", "krb5cc.jruser", 1); do_initiator(fd_atoi[0], fd_itoa[1], 0); } else if (pid > 0) { int status; role = "acceptor"; setenv("KRB5CCNAME", "krb5cc.HTTP", 1); setenv("KRB5_KTNAME", "kt.HTTP", 1); do_acceptor(fd_itoa[0], fd_atoi[1]); if (wait(&status) == -1) err(1, "wait"); printf("child returned %d\n", status); } else { err(1, "fork() failed"); } fflush(stdout); exit(ferror(stdout)); }