2 * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "client_locl.h"
36 #include <gssapi/gssapi_ext.h>
37 #include "gss_common.h"
41 * A simplistic client implementing draft-brezak-spnego-http-04.txt
45 do_connect (const char *hostname, const char *port)
47 struct addrinfo *ai, *a;
48 struct addrinfo hints;
52 memset (&hints, 0, sizeof(hints));
53 hints.ai_family = PF_UNSPEC;
54 hints.ai_socktype = SOCK_STREAM;
55 hints.ai_protocol = 0;
57 error = getaddrinfo (hostname, port, &hints, &ai);
59 errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
61 for (a = ai; a != NULL; a = a->ai_next) {
62 s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
65 if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
66 warn ("connect(%s)", hostname);
74 errx (1, "failed to contact %s", hostname);
80 fdprintf(int s, const char *fmt, ...)
88 vasprintf(&str, fmt, ap);
97 ret = write(s, buf, len);
99 err(1, "connection closed");
108 //static int version_flag;
109 static int verbose_flag;
110 static int mutual_flag = 1;
111 static int delegate_flag;
112 static char *mech = NULL;
113 static char *port_str = "http";
114 static char *gss_service = "HTTP";
115 static char *user = NULL;
116 static char *pwd = NULL;
118 static struct option const long_opts[] = {
119 { "help", no_argument, 0, 'h' },
120 { "mech", required_argument, 0, 'm' },
121 { "password", required_argument, 0, 'p' },
122 { "gss-service", required_argument, 0, 's' },
123 { "user", required_argument, 0, 'u' },
127 static const char *short_opts = "hm:p:s:u:";
132 fprintf(stderr, "Usage: http_client [OPTION] URL\n"
133 "-m mech, --mech=mech gssapi mech to use\n"
134 "-p pass, --password=pass password to acquire credentials\n"
135 "-s service, --gss-service=service gssapi service to use\n"
136 "-u user, --user=user client's username\n");
154 http_req_zero(struct http_req *req)
156 req->response = NULL;
158 req->num_headers = 0;
164 http_req_free(struct http_req *req)
169 for (i = 0; i < req->num_headers; i++)
170 free(req->headers[i]);
177 http_find_header(struct http_req *req, const char *header)
179 int i, len = strlen(header);
181 for (i = 0; i < req->num_headers; i++) {
182 if (strncasecmp(header, req->headers[i], len) == 0) {
183 return req->headers[i] + len + 1;
191 http_query(int s, const char *host, const char *page,
192 char **headers, int num_headers, struct http_req *req)
194 enum { RESPONSE, HEADER, BODY } state;
196 // char in_buf[4096], *in_ptr = in_buf;
197 char in_buf[8000], *in_ptr = in_buf;
200 size_t content_length = 0;
204 fdprintf(s, "GET %s HTTP/1.0\r\n", page);
205 for (i = 0; i < num_headers; i++)
206 fdprintf(s, "%s\r\n", headers[i]);
207 fdprintf(s, "Keep-Alive: 115\r\n");
208 fdprintf(s, "Connection: keep-alive\r\n");
209 fdprintf(s, "Host: %s\r\n\r\n", host);
214 ret = read (s, in_ptr, sizeof(in_buf) - in_len - 1);
218 err (1, "read: %lu", (unsigned long)ret);
220 in_buf[ret + in_len] = '\0';
222 if (state == HEADER || state == RESPONSE) {
229 p = strstr(in_buf, "\r\n");
233 } else if (p == in_buf) {
234 memmove(in_buf, in_buf + 2, sizeof(in_buf) - 2);
239 } else if (state == RESPONSE) {
240 req->response = strndup(in_buf, p - in_buf);
243 req->headers = realloc(req->headers,
244 (req->num_headers + 1) * sizeof(req->headers[0]));
245 req->headers[req->num_headers] = strndup(in_buf, p - in_buf);
246 if (req->headers[req->num_headers] == NULL)
248 if (strncmp(req->headers[req->num_headers], "Content-Length:", 15) == 0)
249 content_length = atoi(req->headers[req->num_headers] + 16);
252 memmove(in_buf, p + 2, sizeof(in_buf) - (p - in_buf) - 2);
253 in_len -= (p - in_buf) + 2;
254 in_ptr -= (p - in_buf) + 2;
260 req->body = realloc(req->body, req->body_size + in_len + 1);
262 memcpy((char *)req->body + req->body_size, in_buf, in_len);
263 req->body_size += in_len;
264 ((char *)req->body)[req->body_size] = '\0';
266 if (content_length && req->body_size == content_length)
279 printf("response: %s\n", req->response);
280 for (i = 0; i < req->num_headers; i++)
281 printf("header[%d] %s\n", i, req->headers[i]);
282 printf("body: %.*s\n", (int)req->body_size, (char *)req->body);
290 do_http(const char *host, const char *page, gss_OID mech_oid, gss_cred_id_t cred)
293 int i, done, print_body, gssapi_done, gssapi_started;
294 char *headers[10]; /* XXX */
296 gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
297 gss_name_t server = GSS_C_NO_NAME;
303 flags |= GSS_C_DELEG_FLAG;
305 flags |= GSS_C_MUTUAL_FLAG;
312 s = do_connect(host, port_str);
314 errx(1, "connection failed");
319 http_query(s, host, page, headers, num_headers, &req);
320 for (i = 0 ; i < num_headers; i++)
324 if (strstr(req.response, " 200 ") != NULL) {
327 } else if (strstr(req.response, " 401 ") != NULL) {
328 if (http_find_header(&req, "WWW-Authenticate:") == NULL)
329 errx(1, "Got %s but missed `WWW-Authenticate'", req.response);
334 const char *h = http_find_header(&req, "WWW-Authenticate:");
336 errx(1, "Got %s but missed `WWW-Authenticate'", req.response);
338 if (strncasecmp(h, "GSSAPI", 6) == 0) {
339 OM_uint32 maj_stat, min_stat;
340 gss_buffer_desc input_token, output_token;
343 printf("Negotiate found\n");
346 if (server == GSS_C_NO_NAME) {
348 asprintf(&name, "%s@%s", gss_service, host);
349 input_token.length = strlen(name);
350 input_token.value = name;
352 maj_stat = gss_import_name(&min_stat,
354 GSS_C_NT_HOSTBASED_SERVICE,
356 if (GSS_ERROR(maj_stat))
357 gss_err (1, maj_stat, min_stat, "gss_inport_name");
359 input_token.length = 0;
360 input_token.value = NULL;
366 while(h[i] && isspace((unsigned char)h[i]))
369 int len = strlen(&h[i]);
371 errx(1, "invalid Negotiate token");
372 input_token.value = malloc(len);
373 len = base64_decode(&h[i], input_token.value);
375 errx(1, "invalid base64 Negotiate token %s", &h[i]);
376 input_token.length = len;
379 errx(1, "Negotiate already started");
382 input_token.length = 0;
383 input_token.value = NULL;
387 gss_init_sec_context(&min_stat,
394 GSS_C_NO_CHANNEL_BINDINGS,
400 if (GSS_ERROR(maj_stat))
401 gss_err (1, maj_stat, min_stat, "gss_init_sec_context");
402 else if (maj_stat & GSS_S_CONTINUE_NEEDED)
405 gss_name_t targ_name, src_name;
406 gss_buffer_desc name_buffer;
411 printf("\nNegotiate done: %s\n", mech);
413 maj_stat = gss_inquire_context(&min_stat,
422 if (GSS_ERROR(maj_stat))
423 gss_err (1, maj_stat, min_stat, "gss_inquire_context");
425 maj_stat = gss_display_name(&min_stat,
429 if (GSS_ERROR(maj_stat))
430 gss_err (1, maj_stat, min_stat, "gss_display_name");
432 printf("Source: %.*s\n",
433 (int)name_buffer.length,
434 (char *)name_buffer.value);
436 gss_release_buffer(&min_stat, &name_buffer);
438 maj_stat = gss_display_name(&min_stat,
442 if (GSS_ERROR(maj_stat))
443 gss_err (1, maj_stat, min_stat, "gss_display_name");
445 printf("Target: %.*s\n",
446 (int)name_buffer.length,
447 (char *)name_buffer.value);
449 gss_release_name(&min_stat, &targ_name);
450 gss_release_buffer(&min_stat, &name_buffer);
453 if (output_token.length) {
456 base64_encode(output_token.value,
460 asprintf(&headers[0], "Authorization: GSSAPI %s",
464 gss_release_buffer(&min_stat, &output_token);
466 if (input_token.length)
467 free(input_token.value);
475 printf("%s\n\n", req.response);
477 for (i = 0; i < req.num_headers; i++)
478 printf("%s\n", req.headers[i]);
481 if (print_body || verbose_flag)
482 printf("%.*s\n", (int)req.body_size, (char *)req.body);
489 if (gssapi_done == 0)
490 errx(1, "gssapi not done but http dance done");
496 main(int argc, char *argv[])
499 gss_buffer_desc token;
500 gss_OID mech_oid = GSS_C_NO_OID;
501 OM_uint32 maj_stat, min_stat;
502 gss_name_t gss_username = GSS_C_NO_NAME;
503 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
504 char *p, *host, *page;
506 while ((c = getopt_long(argc, argv, short_opts, long_opts, NULL)) != EOF) {
512 mech_oid = select_mech(mech);
518 gss_service = optarg;
532 if (strncmp(p, "http://", 7) == 0)
535 p = strchr(host, '/');
544 token.length = strlen(token.value);
545 maj_stat = gss_import_name(&min_stat, &token,
548 if (GSS_ERROR(maj_stat))
549 gss_err(1, maj_stat, min_stat, "Invalid user name %s", user);
553 gss_OID_set_desc mechs, *mechsp = GSS_C_NO_OID_SET;
556 token.length = strlen(token.value);
557 mechs.elements = mech_oid;
560 maj_stat = gss_acquire_cred_with_password(&min_stat,
561 gss_username, &token, 0,
562 mechsp, GSS_C_INITIATE,
564 if (GSS_ERROR(maj_stat))
565 gss_err(1, maj_stat, min_stat, "Failed to load initial credentials");
568 ret = do_http(host, page, mech_oid, cred);
570 if (gss_username != GSS_C_NO_NAME)
571 gss_release_name(&min_stat, &gss_username);
573 if (cred != GSS_C_NO_CREDENTIAL)
574 gss_release_cred(&min_stat, &cred);
projects / mod_auth_kerb.git / blob