Adds functionality to create gss context into openvas-krb5

greenbone · Oct 24, 2024 · 682a7be · 682a7be
1 parent 51a083b
commit 682a7be
Show file tree

Hide file tree

Showing 5 changed files with 468 additions and 114 deletions.
diff --git a/kerberos/.gitignore b/kerberos/.gitignore
@@ -0,0 +1,3 @@
+a.out
+test.sh
+krb5.conf
diff --git a/kerberos/authenticate_test.c b/kerberos/authenticate_test.c
@@ -2,12 +2,13 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-
+#include <string.h>
 
 #define GUARD_ENV_SET(var, env)                  \
   do                                             \
     {                                            \
-      if ((var = getenv (env)) == NULL)          \
+      var = okrb5_slice_from_str (getenv (env)); \
+      if (var.len == 0)                          \
         {                                        \
           fprintf (stderr, env " is not set\n"); \
           return 1;                              \
@@ -21,69 +22,54 @@ main ()
   char *kdc = NULL;
   OKrb5ErrorCode result = O_KRB5_SUCCESS;
   OKrb5Credential credentials;
-  OKrb5Element *element = NULL;
-  OKrb5Data *data = NULL;
+  OKrb5GSSContext *context = NULL;
+  struct OKrb5Slice from_application = {.data = NULL, .len = 0};
+  struct OKrb5Slice *to_application = NULL;
+  bool more = false;
   GUARD_ENV_SET (credentials.config_path, "KRB5_CONFIG");
   GUARD_ENV_SET (credentials.realm, "KRB5_REALM");
-  GUARD_ENV_SET (credentials.user, "KRB5_USER");
-  GUARD_ENV_SET (credentials.password, "KRB5_PASSWORD");
-  if (o_krb5_find_kdc (&credentials, &kdc))
-    {
-      GUARD_ENV_SET (kdc, "KRB5_KDC");
-      if (o_krb5_add_realm (&credentials, kdc))
-        {
-          fprintf (stderr, "Unable to add kdc\n");
-          return 1;
-        }
-    }
-  else
+  GUARD_ENV_SET (credentials.user.user, "KRB5_USER");
+  GUARD_ENV_SET (credentials.user.password, "KRB5_PASSWORD");
+  GUARD_ENV_SET (credentials.target.host_name, "KRB5_TARGET_HOST");
+  GUARD_ENV_SET (credentials.kdc, "KRB5_KDC");
+  credentials.target.service = okrb5_slice_from_str ("cifs");
+  memset (&credentials.target.domain, 0, sizeof (struct OKrb5Slice));
+  printf ("Using realm: %s\n", (char *) credentials.realm.data);
+  // TODO: move to overall function
+  // TODO: refactor signature to use slice
+  // if (o_krb5_find_kdc (&credentials, &kdc))
+  //   {
+  //     if (o_krb5_add_realm (&credentials, credentials.kdc.data))
+  //       {
+  //         fprintf (stderr, "Unable to add kdc\n");
+  //         return 1;
+  //       }
+  //   }
+  // else
+  //   {
+  //     printf ("Using kdc: %s\n", kdc);
+  //     free (kdc);
+  //   }
+  context = okrb5_gss_init_context ();
+  printf ("Using realm: %s\n", (char *) credentials.realm.data);
+  if ((result = o_krb5_gss_prepare_context (&credentials, context)))
     {
-      printf ("Using kdc: %s\n", kdc);
-      free (kdc);
-    }
-
-#if OPENVAS_KRB5_CACHED != 1
-
-  if ((result = o_krb5_authenticate (credentials, &element)))
-    {
-      fprintf (stderr, "Error: %d: %s\n", result,
-               krb5_get_error_message (element->ctx, result - O_KRB5_ERROR));
-      return result;
-    }
-
-  printf ("Authentication Token:\n");
-  printf ("--------------------\n");
-  printf ("End time:     %d\n", element->creds.times.endtime);
-  printf ("start time:     %d\n", element->creds.times.starttime);
-  printf ("Renew till:     %d\n", element->creds.times.renew_till);
-  if ((result = o_krb5_request (element, "test", 5, &data)))
-    {
-      fprintf (stderr, "unable to create request: %d", result);
-    }
-  if ((result = o_krb5_free_data (element, data)))
-    {
-      fprintf (stderr, "unable to free request: %d", result);
+      fprintf (stderr, "Unable to prepare context: %d\n", result);
+      return 1;
     }
-
-  return 0;
-#else
-
-  if ((result = o_krb5_cache_request (credentials, "test", 5, &data)))
+  printf ("Using realm: %s\n", (char *) credentials.realm.data);
+  // first call always empty
+  if ((result = o_krb5_gss_update_context (context, &from_application,
+                                           &to_application, &more)))
     {
-      fprintf (stderr, "unable to create request: %d\n", result);
+      fprintf (stderr, "Unable to update context: %d\n", result);
       return 1;
     }
-  element = o_krb5_cache_find(&credentials)->element;
-  if (element == NULL)
+  printf ("success: %d: outdata_len: %zu\n", result, to_application->len);
+
+  for (size_t i = 0; i < to_application->len; i++)
     {
-      fprintf (stderr, "element not found: %d", result);
-      return 1;
+      printf ("%02x", ((char *) to_application->data)[i]);
     }
-  printf ("Authentication Token:\n");
-  printf ("--------------------\n");
-  printf ("End time:     %d\n", element->creds.times.endtime);
-  printf ("start time:     %d\n", element->creds.times.starttime);
-  printf ("Renew till:     %d\n", element->creds.times.renew_till);
-  o_krb5_cache_clear();
-#endif
+  printf ("\n");
 }