CoCalc -- test_context.c

GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/heimdal/lib/gssapi/test_context.c
³⁴⁸⁸⁹ views
1
/*
2
 * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * 3. Neither the name of KTH nor the names of its contributors may be
18
 *    used to endorse or promote products derived from this software without
19
 *    specific prior written permission.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
22
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
25
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
28
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
29
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
30
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
31
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32
 */
33

34
#include "krb5/gsskrb5_locl.h"
35
#include <err.h>
36
#include <getarg.h>
37
#include <gssapi.h>
38
#include <gssapi_krb5.h>
39
#include <gssapi_spnego.h>
40
#include <gssapi_ntlm.h>
41
#include "test_common.h"
42

43
static char *type_string;
44
static char *mech_string;
45
static char *ret_mech_string;
46
static char *client_name;
47
static char *client_password;
48
static int dns_canon_flag = -1;
49
static int mutual_auth_flag = 0;
50
static int dce_style_flag = 0;
51
static int wrapunwrap_flag = 0;
52
static int iov_flag = 0;
53
static int getverifymic_flag = 0;
54
static int deleg_flag = 0;
55
static int policy_deleg_flag = 0;
56
static int server_no_deleg_flag = 0;
57
static int ei_flag = 0;
58
static char *gsskrb5_acceptor_identity = NULL;
59
static char *session_enctype_string = NULL;
60
static int client_time_offset = 0;
61
static int server_time_offset = 0;
62
static int max_loops = 0;
63
static char *limit_enctype_string = NULL;
64
static int version_flag = 0;
65
static int verbose_flag = 0;
66
static int help_flag	= 0;
67

68
static krb5_context context;
69
static krb5_enctype limit_enctype = 0;
70

71
static struct {
72
    const char *name;
73
    gss_OID oid;
74
} o2n[] = {
75
    { "krb5", NULL /* GSS_KRB5_MECHANISM */ },
76
    { "spnego", NULL /* GSS_SPNEGO_MECHANISM */ },
77
    { "ntlm", NULL /* GSS_NTLM_MECHANISM */ },
78
    { "sasl-digest-md5", NULL /* GSS_SASL_DIGEST_MD5_MECHANISM */ }
79
};
80

81
static void
82
init_o2n(void)
83
{
84
    o2n[0].oid = GSS_KRB5_MECHANISM;
85
    o2n[1].oid = GSS_SPNEGO_MECHANISM;
86
    o2n[2].oid = GSS_NTLM_MECHANISM;
87
    o2n[3].oid = GSS_SASL_DIGEST_MD5_MECHANISM;
88
}
89

90
static gss_OID
91
string_to_oid(const char *name)
92
{
93
    int i;
94
    for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
95
	if (strcasecmp(name, o2n[i].name) == 0)
96
	    return o2n[i].oid;
97
    errx(1, "name '%s' not unknown", name);
98
}
99

100
static const char *
101
oid_to_string(const gss_OID oid)
102
{
103
    int i;
104
    for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
105
	if (gss_oid_equal(oid, o2n[i].oid))
106
	    return o2n[i].name;
107
    return "unknown oid";
108
}
109

110
static void
111
loop(gss_OID mechoid,
112
     gss_OID nameoid, const char *target,
113
     gss_cred_id_t init_cred,
114
     gss_ctx_id_t *sctx, gss_ctx_id_t *cctx,
115
     gss_OID *actual_mech,
116
     gss_cred_id_t *deleg_cred)
117
{
118
    int server_done = 0, client_done = 0;
119
    int num_loops = 0;
120
    OM_uint32 maj_stat, min_stat;
121
    gss_name_t gss_target_name;
122
    gss_buffer_desc input_token, output_token;
123
    OM_uint32 flags = 0, ret_cflags, ret_sflags;
124
    gss_OID actual_mech_client;
125
    gss_OID actual_mech_server;
126

127
    *actual_mech = GSS_C_NO_OID;
128

129
    flags |= GSS_C_INTEG_FLAG;
130
    flags |= GSS_C_CONF_FLAG;
131

132
    if (mutual_auth_flag)
133
	flags |= GSS_C_MUTUAL_FLAG;
134
    if (dce_style_flag)
135
	flags |= GSS_C_DCE_STYLE;
136
    if (deleg_flag)
137
	flags |= GSS_C_DELEG_FLAG;
138
    if (policy_deleg_flag)
139
	flags |= GSS_C_DELEG_POLICY_FLAG;
140

141
    input_token.value = rk_UNCONST(target);
142
    input_token.length = strlen(target);
143

144
    maj_stat = gss_import_name(&min_stat,
145
			       &input_token,
146
			       nameoid,
147
			       &gss_target_name);
148
    if (GSS_ERROR(maj_stat))
149
	err(1, "import name creds failed with: %d", maj_stat);
150

151
    input_token.length = 0;
152
    input_token.value = NULL;
153

154
    while (!server_done || !client_done) {
155
	num_loops++;
156

157
	gsskrb5_set_time_offset(client_time_offset);
158

159
	maj_stat = gss_init_sec_context(&min_stat,
160
					init_cred,
161
					cctx,
162
					gss_target_name,
163
					mechoid,
164
					flags,
165
					0,
166
					NULL,
167
					&input_token,
168
					&actual_mech_client,
169
					&output_token,
170
					&ret_cflags,
171
					NULL);
172
	if (GSS_ERROR(maj_stat))
173
	    errx(1, "init_sec_context: %s",
174
		 gssapi_err(maj_stat, min_stat, mechoid));
175
	if (maj_stat & GSS_S_CONTINUE_NEEDED)
176
	    ;
177
	else
178
	    client_done = 1;
179

180
	gsskrb5_get_time_offset(&client_time_offset);
181

182
	if (client_done && server_done)
183
	    break;
184

185
	if (input_token.length != 0)
186
	    gss_release_buffer(&min_stat, &input_token);
187

188
	gsskrb5_set_time_offset(server_time_offset);
189

190
	maj_stat = gss_accept_sec_context(&min_stat,
191
					  sctx,
192
					  GSS_C_NO_CREDENTIAL,
193
					  &output_token,
194
					  GSS_C_NO_CHANNEL_BINDINGS,
195
					  NULL,
196
					  &actual_mech_server,
197
					  &input_token,
198
					  &ret_sflags,
199
					  NULL,
200
					  deleg_cred);
201
	if (GSS_ERROR(maj_stat))
202
		errx(1, "accept_sec_context: %s",
203
		     gssapi_err(maj_stat, min_stat, actual_mech_server));
204

205
	gsskrb5_get_time_offset(&server_time_offset);
206

207
	if (output_token.length != 0)
208
	    gss_release_buffer(&min_stat, &output_token);
209

210
	if (maj_stat & GSS_S_CONTINUE_NEEDED)
211
	    ;
212
	else
213
	    server_done = 1;
214
    }
215
    if (output_token.length != 0)
216
	gss_release_buffer(&min_stat, &output_token);
217
    if (input_token.length != 0)
218
	gss_release_buffer(&min_stat, &input_token);
219
    gss_release_name(&min_stat, &gss_target_name);
220

221
    if (deleg_flag || policy_deleg_flag) {
222
	if (server_no_deleg_flag) {
223
	    if (*deleg_cred != GSS_C_NO_CREDENTIAL)
224
		errx(1, "got delegated cred but didn't expect one");
225
	} else if (*deleg_cred == GSS_C_NO_CREDENTIAL)
226
	    errx(1, "asked for delegarated cred but did get one");
227
    } else if (*deleg_cred != GSS_C_NO_CREDENTIAL)
228
	  errx(1, "got deleg_cred cred but didn't ask");
229

230
    if (gss_oid_equal(actual_mech_server, actual_mech_client) == 0)
231
	errx(1, "mech mismatch");
232
    *actual_mech = actual_mech_server;
233

234
    if (max_loops && num_loops > max_loops)
235
	errx(1, "num loops %d was lager then max loops %d",
236
	     num_loops, max_loops);
237

238
    if (verbose_flag) {
239
	printf("server time offset: %d\n", server_time_offset);
240
	printf("client time offset: %d\n", client_time_offset);
241
	printf("num loops %d\n", num_loops);
242
    }
243
}
244

245
static void
246
wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
247
{
248
    gss_buffer_desc input_token, output_token, output_token2;
249
    OM_uint32 min_stat, maj_stat;
250
    gss_qop_t qop_state;
251
    int conf_state;
252

253
    input_token.value = "foo";
254
    input_token.length = 3;
255

256
    maj_stat = gss_wrap(&min_stat, cctx, flags, 0, &input_token,
257
			&conf_state, &output_token);
258
    if (maj_stat != GSS_S_COMPLETE)
259
	errx(1, "gss_wrap failed: %s",
260
	     gssapi_err(maj_stat, min_stat, mechoid));
261

262
    maj_stat = gss_unwrap(&min_stat, sctx, &output_token,
263
			  &output_token2, &conf_state, &qop_state);
264
    if (maj_stat != GSS_S_COMPLETE)
265
	errx(1, "gss_unwrap failed: %s",
266
	     gssapi_err(maj_stat, min_stat, mechoid));
267

268
    gss_release_buffer(&min_stat, &output_token);
269
    gss_release_buffer(&min_stat, &output_token2);
270

271
#if 0 /* doesn't work for NTLM yet */
272
    if (!!conf_state != !!flags)
273
	errx(1, "conf_state mismatch");
274
#endif
275
}
276

277
#define USE_CONF		1
278
#define USE_HEADER_ONLY		2
279
#define USE_SIGN_ONLY		4
280
#define FORCE_IOV		8
281

282
static void
283
wrapunwrap_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
284
{
285
    krb5_data token, header, trailer;
286
    OM_uint32 min_stat, maj_stat;
287
    gss_qop_t qop_state;
288
    int conf_state, conf_state2;
289
    gss_iov_buffer_desc iov[6];
290
    unsigned char *p;
291
    int iov_len;
292
    char header_data[9] = "ABCheader";
293
    char trailer_data[10] = "trailerXYZ";
294

295
    char token_data[16] = "0123456789abcdef";
296

297
    memset(&iov, 0, sizeof(iov));
298

299
    if (flags & USE_SIGN_ONLY) {
300
	header.data = header_data;
301
	header.length = 9;
302
	trailer.data = trailer_data;
303
	trailer.length = 10;
304
    } else {
305
	header.data = NULL;
306
	header.length = 0;
307
	trailer.data = NULL;
308
	trailer.length = 0;
309
    }
310

311
    token.data = token_data;
312
    token.length = 16;
313

314
    iov_len = sizeof(iov)/sizeof(iov[0]);
315

316
    memset(iov, 0, sizeof(iov));
317

318
    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
319

320
    if (header.length != 0) {
321
	iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
322
	iov[1].buffer.length = header.length;
323
	iov[1].buffer.value = header.data;
324
    } else {
325
	iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
326
	iov[1].buffer.length = 0;
327
	iov[1].buffer.value = NULL;
328
    }
329
    iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
330
    iov[2].buffer.length = token.length;
331
    iov[2].buffer.value = token.data;
332
    if (trailer.length != 0) {
333
	iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
334
	iov[3].buffer.length = trailer.length;
335
	iov[3].buffer.value = trailer.data;
336
    } else {
337
	iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
338
	iov[3].buffer.length = 0;
339
	iov[3].buffer.value = NULL;
340
    }
341
    if (dce_style_flag) {
342
	iov[4].type = GSS_IOV_BUFFER_TYPE_EMPTY;
343
    } else {
344
	iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
345
    }
346
    iov[4].buffer.length = 0;
347
    iov[4].buffer.value = 0;
348
    if (dce_style_flag) {
349
	iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY;
350
    } else if (flags & USE_HEADER_ONLY) {
351
	iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY;
352
    } else {
353
	iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
354
    }
355
    iov[5].buffer.length = 0;
356
    iov[5].buffer.value = 0;
357

358
    maj_stat = gss_wrap_iov(&min_stat, cctx, dce_style_flag || flags & USE_CONF, 0, &conf_state,
359
			    iov, iov_len);
360
    if (maj_stat != GSS_S_COMPLETE)
361
	errx(1, "gss_wrap_iov failed");
362

363
    token.length =
364
	iov[0].buffer.length +
365
	iov[1].buffer.length +
366
	iov[2].buffer.length +
367
	iov[3].buffer.length +
368
	iov[4].buffer.length +
369
	iov[5].buffer.length;
370
    token.data = emalloc(token.length);
371

372
    p = token.data;
373
    memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
374
    p += iov[0].buffer.length;
375
    memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
376
    p += iov[1].buffer.length;
377
    memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
378
    p += iov[2].buffer.length;
379
    memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
380
    p += iov[3].buffer.length;
381
    memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
382
    p += iov[4].buffer.length;
383
    memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
384
    p += iov[5].buffer.length;
385

386
    assert(p - ((unsigned char *)token.data) == token.length);
387

388
    if ((flags & (USE_SIGN_ONLY|FORCE_IOV)) == 0) {
389
	gss_buffer_desc input, output;
390

391
	input.value = token.data;
392
	input.length = token.length;
393

394
	maj_stat = gss_unwrap(&min_stat, sctx, &input,
395
			      &output, &conf_state2, &qop_state);
396

397
	if (maj_stat != GSS_S_COMPLETE)
398
	    errx(1, "gss_unwrap from gss_wrap_iov failed: %s",
399
		 gssapi_err(maj_stat, min_stat, mechoid));
400

401
	gss_release_buffer(&min_stat, &output);
402
    } else {
403
	maj_stat = gss_unwrap_iov(&min_stat, sctx, &conf_state2, &qop_state,
404
				  iov, iov_len);
405

406
	if (maj_stat != GSS_S_COMPLETE)
407
	    errx(1, "gss_unwrap_iov failed: %x %s", flags,
408
		 gssapi_err(maj_stat, min_stat, mechoid));
409

410
    }
411
    if (conf_state2 != conf_state)
412
	errx(1, "conf state wrong for iov: %x", flags);
413

414

415
    free(token.data);
416
}
417

418
static void
419
getverifymic(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
420
{
421
    gss_buffer_desc input_token, output_token;
422
    OM_uint32 min_stat, maj_stat;
423
    gss_qop_t qop_state;
424

425
    input_token.value = "bar";
426
    input_token.length = 3;
427

428
    maj_stat = gss_get_mic(&min_stat, cctx, 0, &input_token,
429
			   &output_token);
430
    if (maj_stat != GSS_S_COMPLETE)
431
	errx(1, "gss_get_mic failed: %s",
432
	     gssapi_err(maj_stat, min_stat, mechoid));
433

434
    maj_stat = gss_verify_mic(&min_stat, sctx, &input_token,
435
			      &output_token, &qop_state);
436
    if (maj_stat != GSS_S_COMPLETE)
437
	errx(1, "gss_verify_mic failed: %s",
438
	     gssapi_err(maj_stat, min_stat, mechoid));
439

440
    gss_release_buffer(&min_stat, &output_token);
441
}
442

443
static void
444
empty_release(void)
445
{
446
    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
447
    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
448
    gss_name_t name = GSS_C_NO_NAME;
449
    gss_OID_set oidset = GSS_C_NO_OID_SET;
450
    OM_uint32 junk;
451

452
    gss_delete_sec_context(&junk, &ctx, NULL);
453
    gss_release_cred(&junk, &cred);
454
    gss_release_name(&junk, &name);
455
    gss_release_oid_set(&junk, &oidset);
456
}
457

458
/*
459
 *
460
 */
461

462
static struct getargs args[] = {
463
    {"name-type",0,	arg_string, &type_string,  "type of name", NULL },
464
    {"mech-type",0,	arg_string, &mech_string,  "type of mech", NULL },
465
    {"ret-mech-type",0,	arg_string, &ret_mech_string,
466
     "type of return mech", NULL },
467
    {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
468
     "use dns to canonicalize", NULL },
469
    {"mutual-auth",0,	arg_flag,	&mutual_auth_flag,"mutual auth", NULL },
470
    {"client-name", 0,  arg_string,     &client_name, "client name", NULL },
471
    {"client-password", 0,  arg_string, &client_password, "client password", NULL },
472
    {"limit-enctype",0,	arg_string,	&limit_enctype_string, "enctype", NULL },
473
    {"dce-style",0,	arg_flag,	&dce_style_flag, "dce-style", NULL },
474
    {"wrapunwrap",0,	arg_flag,	&wrapunwrap_flag, "wrap/unwrap", NULL },
475
    {"iov", 0, 		arg_flag,	&iov_flag, "wrap/unwrap iov", NULL },
476
    {"getverifymic",0,	arg_flag,	&getverifymic_flag,
477
     "get and verify mic", NULL },
478
    {"delegate",0,	arg_flag,	&deleg_flag, "delegate credential", NULL },
479
    {"policy-delegate",0,	arg_flag,	&policy_deleg_flag, "policy delegate credential", NULL },
480
    {"server-no-delegate",0,	arg_flag,	&server_no_deleg_flag,
481
     "server should get a credential", NULL },
482
    {"export-import-cred",0,	arg_flag,	&ei_flag, "test export/import cred", NULL },
483
    {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL },
484
    {"session-enctype",	0, arg_string,	&session_enctype_string, "enctype", NULL },
485
    {"client-time-offset",	0, arg_integer,	&client_time_offset, "time", NULL },
486
    {"server-time-offset",	0, arg_integer,	&server_time_offset, "time", NULL },
487
    {"max-loops",	0, arg_integer,	&max_loops, "time", NULL },
488
    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
489
    {"verbose",	'v',	arg_flag,	&verbose_flag, "verbose", NULL },
490
    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
491
};
492

493
static void
494
usage (int ret)
495
{
496
    arg_printusage (args, sizeof(args)/sizeof(*args),
497
		    NULL, "service@host");
498
    exit (ret);
499
}
500

501
int
502
main(int argc, char **argv)
503
{
504
    int optind = 0;
505
    OM_uint32 min_stat, maj_stat;
506
    gss_ctx_id_t cctx, sctx;
507
    void *ctx;
508
    gss_OID nameoid, mechoid, actual_mech, actual_mech2;
509
    gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
510
    gss_name_t cname = GSS_C_NO_NAME;
511
    gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER;
512

513
    setprogname(argv[0]);
514

515
    init_o2n();
516

517
    if (krb5_init_context(&context))
518
	errx(1, "krb5_init_context");
519

520
    cctx = sctx = GSS_C_NO_CONTEXT;
521

522
    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
523
	usage(1);
524

525
    if (help_flag)
526
	usage (0);
527

528
    if(version_flag){
529
	print_version(NULL);
530
	exit(0);
531
    }
532

533
    argc -= optind;
534
    argv += optind;
535

536
    if (argc != 1)
537
	usage(1);
538

539
    if (dns_canon_flag != -1)
540
	gsskrb5_set_dns_canonicalize(dns_canon_flag);
541

542
    if (type_string == NULL)
543
	nameoid = GSS_C_NT_HOSTBASED_SERVICE;
544
    else if (strcmp(type_string, "hostbased-service") == 0)
545
	nameoid = GSS_C_NT_HOSTBASED_SERVICE;
546
    else if (strcmp(type_string, "krb5-principal-name") == 0)
547
	nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
548
    else
549
	errx(1, "%s not suppported", type_string);
550

551
    if (mech_string == NULL)
552
	mechoid = GSS_KRB5_MECHANISM;
553
    else
554
	mechoid = string_to_oid(mech_string);
555

556
    if (gsskrb5_acceptor_identity) {
557
	maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
558
	if (maj_stat)
559
	    errx(1, "gsskrb5_acceptor_identity: %s",
560
		 gssapi_err(maj_stat, 0, GSS_C_NO_OID));
561
    }
562

563
    if (client_password) {
564
	credential_data.value = client_password;
565
	credential_data.length = strlen(client_password);
566
    }
567

568
    if (client_name) {
569
	gss_buffer_desc cn;
570

571
	cn.value = client_name;
572
	cn.length = strlen(client_name);
573

574
	maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
575
	if (maj_stat)
576
	    errx(1, "gss_import_name: %s",
577
		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
578
    }
579

580
    if (client_password) {
581
	maj_stat = gss_acquire_cred_with_password(&min_stat,
582
						  cname,
583
						  &credential_data,
584
						  GSS_C_INDEFINITE,
585
						  GSS_C_NO_OID_SET,
586
						  GSS_C_INITIATE,
587
						  &client_cred,
588
						  NULL,
589
						  NULL);
590
	if (GSS_ERROR(maj_stat))
591
	    errx(1, "gss_acquire_cred_with_password: %s",
592
		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
593
    } else {
594
	maj_stat = gss_acquire_cred(&min_stat,
595
				    cname,
596
				    GSS_C_INDEFINITE,
597
				    GSS_C_NO_OID_SET,
598
				    GSS_C_INITIATE,
599
				    &client_cred,
600
				    NULL,
601
				    NULL);
602
	if (GSS_ERROR(maj_stat))
603
	    errx(1, "gss_acquire_cred: %s",
604
		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
605
    }
606

607
    if (limit_enctype_string) {
608
	krb5_error_code ret;
609

610
	ret = krb5_string_to_enctype(context,
611
				     limit_enctype_string,
612
				     &limit_enctype);
613
	if (ret)
614
	    krb5_err(context, 1, ret, "krb5_string_to_enctype");
615
    }
616

617

618
    if (limit_enctype) {
619
	if (client_cred == NULL)
620
	    errx(1, "client_cred missing");
621

622
	maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
623
						   1, &limit_enctype);
624
	if (maj_stat)
625
	    errx(1, "gss_krb5_set_allowable_enctypes: %s",
626
		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
627
    }
628

629
    loop(mechoid, nameoid, argv[0], client_cred,
630
	 &sctx, &cctx, &actual_mech, &deleg_cred);
631

632
    if (verbose_flag)
633
	printf("resulting mech: %s\n", oid_to_string(actual_mech));
634

635
    if (ret_mech_string) {
636
	gss_OID retoid;
637

638
	retoid = string_to_oid(ret_mech_string);
639

640
	if (gss_oid_equal(retoid, actual_mech) == 0)
641
	    errx(1, "actual_mech mech is not the expected type %s",
642
		 ret_mech_string);
643
    }
644

645
    /* XXX should be actual_mech */
646
    if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
647
	time_t time;
648
	gss_buffer_desc authz_data;
649
	gss_buffer_desc in, out1, out2;
650
	krb5_keyblock *keyblock, *keyblock2;
651
	krb5_timestamp now;
652
	krb5_error_code ret;
653

654
	ret = krb5_timeofday(context, &now);
655
	if (ret)
656
	    errx(1, "krb5_timeofday failed");
657

658
	/* client */
659
	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
660
						     &cctx,
661
						     1, /* version */
662
						     &ctx);
663
	if (maj_stat != GSS_S_COMPLETE)
664
	    errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
665
		 gssapi_err(maj_stat, min_stat, actual_mech));
666

667

668
	maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
669
	if (maj_stat != GSS_S_COMPLETE)
670
	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
671
		     gssapi_err(maj_stat, min_stat, actual_mech));
672

673
	/* server */
674
	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
675
						     &sctx,
676
						     1, /* version */
677
						     &ctx);
678
	if (maj_stat != GSS_S_COMPLETE)
679
	    errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
680
		     gssapi_err(maj_stat, min_stat, actual_mech));
681
	maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
682
	if (maj_stat != GSS_S_COMPLETE)
683
	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
684
		     gssapi_err(maj_stat, min_stat, actual_mech));
685

686
 	maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
687
							     sctx,
688
							     &time);
689
	if (maj_stat != GSS_S_COMPLETE)
690
	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
691
		     gssapi_err(maj_stat, min_stat, actual_mech));
692

693
	if (time > now)
694
	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
695
		 "time authtime is before now: %ld %ld",
696
		 (long)time, (long)now);
697

698
 	maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
699
						    sctx,
700
						    &keyblock);
701
	if (maj_stat != GSS_S_COMPLETE)
702
	    errx(1, "gsskrb5_export_service_keyblock failed: %s",
703
		     gssapi_err(maj_stat, min_stat, actual_mech));
704

705
	krb5_free_keyblock(context, keyblock);
706

707
 	maj_stat = gsskrb5_get_subkey(&min_stat,
708
				      sctx,
709
				      &keyblock);
710
	if (maj_stat != GSS_S_COMPLETE
711
	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
712
	    errx(1, "gsskrb5_get_subkey server failed: %s",
713
		     gssapi_err(maj_stat, min_stat, actual_mech));
714

715
	if (maj_stat != GSS_S_COMPLETE)
716
	    keyblock = NULL;
717
	else if (limit_enctype && keyblock->keytype != limit_enctype)
718
	    errx(1, "gsskrb5_get_subkey wrong enctype");
719

720
 	maj_stat = gsskrb5_get_subkey(&min_stat,
721
				      cctx,
722
				      &keyblock2);
723
	if (maj_stat != GSS_S_COMPLETE
724
	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
725
	    errx(1, "gsskrb5_get_subkey client failed: %s",
726
		     gssapi_err(maj_stat, min_stat, actual_mech));
727

728
	if (maj_stat != GSS_S_COMPLETE)
729
	    keyblock2 = NULL;
730
	else if (limit_enctype && keyblock->keytype != limit_enctype)
731
	    errx(1, "gsskrb5_get_subkey wrong enctype");
732

733
	if (keyblock || keyblock2) {
734
	    if (keyblock == NULL)
735
		errx(1, "server missing token keyblock");
736
	    if (keyblock2 == NULL)
737
		errx(1, "client missing token keyblock");
738

739
	    if (keyblock->keytype != keyblock2->keytype)
740
		errx(1, "enctype mismatch");
741
	    if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
742
		errx(1, "key length mismatch");
743
	    if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
744
		       keyblock2->keyvalue.length) != 0)
745
		errx(1, "key data mismatch");
746
	}
747

748
	if (session_enctype_string) {
749
	    krb5_enctype enctype;
750

751
	    ret = krb5_string_to_enctype(context,
752
					 session_enctype_string,
753
					 &enctype);
754

755
	    if (ret)
756
		krb5_err(context, 1, ret, "krb5_string_to_enctype");
757

758
	    if (enctype != keyblock->keytype)
759
		errx(1, "keytype is not the expected %d != %d",
760
		     (int)enctype, (int)keyblock2->keytype);
761
	}
762

763
	if (keyblock)
764
	    krb5_free_keyblock(context, keyblock);
765
	if (keyblock2)
766
	    krb5_free_keyblock(context, keyblock2);
767

768
 	maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
769
						sctx,
770
						&keyblock);
771
	if (maj_stat != GSS_S_COMPLETE
772
	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
773
	    errx(1, "gsskrb5_get_initiator_subkey failed: %s",
774
		     gssapi_err(maj_stat, min_stat, actual_mech));
775

776
	if (maj_stat == GSS_S_COMPLETE) {
777

778
	    if (limit_enctype && keyblock->keytype != limit_enctype)
779
		errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
780
	    krb5_free_keyblock(context, keyblock);
781
	}
782

783
 	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
784
							       sctx,
785
							       128,
786
							       &authz_data);
787
	if (maj_stat == GSS_S_COMPLETE)
788
	    gss_release_buffer(&min_stat, &authz_data);
789

790

791
	memset(&out1, 0, sizeof(out1));
792
	memset(&out2, 0, sizeof(out2));
793

794
	in.value = "foo";
795
	in.length = 3;
796

797
	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
798
			  100, &out1);
799
	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
800
			  100, &out2);
801

802
	if (out1.length != out2.length)
803
	    errx(1, "prf len mismatch");
804
	if (memcmp(out1.value, out2.value, out1.length) != 0)
805
	    errx(1, "prf data mismatch");
806

807
	gss_release_buffer(&min_stat, &out1);
808

809
	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
810
			  100, &out1);
811

812
	if (out1.length != out2.length)
813
	    errx(1, "prf len mismatch");
814
	if (memcmp(out1.value, out2.value, out1.length) != 0)
815
	    errx(1, "prf data mismatch");
816

817
	gss_release_buffer(&min_stat, &out1);
818
	gss_release_buffer(&min_stat, &out2);
819

820
	in.value = "bar";
821
	in.length = 3;
822

823
	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
824
			  100, &out1);
825
	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
826
			  100, &out2);
827

828
	if (out1.length != out2.length)
829
	    errx(1, "prf len mismatch");
830
	if (memcmp(out1.value, out2.value, out1.length) != 0)
831
	    errx(1, "prf data mismatch");
832

833
	gss_release_buffer(&min_stat, &out1);
834
	gss_release_buffer(&min_stat, &out2);
835

836
	wrapunwrap_flag = 1;
837
	getverifymic_flag = 1;
838
    }
839

840
    if (wrapunwrap_flag) {
841
	wrapunwrap(cctx, sctx, 0, actual_mech);
842
	wrapunwrap(cctx, sctx, 1, actual_mech);
843
	wrapunwrap(sctx, cctx, 0, actual_mech);
844
	wrapunwrap(sctx, cctx, 1, actual_mech);
845
    }
846

847
    if (iov_flag) {
848
	wrapunwrap_iov(cctx, sctx, 0, actual_mech);
849
	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
850
	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
851
	wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
852
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
853

854
	wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
855
	wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
856
	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
857
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
858

859
	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
860
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
861
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
862

863
/* works */
864
	wrapunwrap_iov(cctx, sctx, 0, actual_mech);
865
	wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
866

867
	wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
868
	wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
869

870
	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech);
871
	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
872

873
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech);
874
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
875

876
	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
877
	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
878

879
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
880
	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
881
    }
882

883
    if (getverifymic_flag) {
884
	getverifymic(cctx, sctx, actual_mech);
885
	getverifymic(cctx, sctx, actual_mech);
886
	getverifymic(sctx, cctx, actual_mech);
887
	getverifymic(sctx, cctx, actual_mech);
888
    }
889

890

891
    gss_delete_sec_context(&min_stat, &cctx, NULL);
892
    gss_delete_sec_context(&min_stat, &sctx, NULL);
893

894
    if (deleg_cred != GSS_C_NO_CREDENTIAL) {
895
	gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
896
	gss_buffer_desc cb;
897

898
	if (verbose_flag)
899
	    printf("checking actual mech (%s) on delegated cred\n",
900
		   oid_to_string(actual_mech));
901
	loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2);
902

903
	gss_delete_sec_context(&min_stat, &cctx, NULL);
904
	gss_delete_sec_context(&min_stat, &sctx, NULL);
905

906
	gss_release_cred(&min_stat, &cred2);
907

908
	/* try again using SPNEGO */
909
	if (verbose_flag)
910
	    printf("checking spnego on delegated cred\n");
911
	loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx,
912
	     &actual_mech2, &cred2);
913

914
	gss_delete_sec_context(&min_stat, &cctx, NULL);
915
	gss_delete_sec_context(&min_stat, &sctx, NULL);
916

917
	gss_release_cred(&min_stat, &cred2);
918

919
	/* check export/import */
920
	if (ei_flag) {
921

922
	    maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
923
	    if (maj_stat != GSS_S_COMPLETE)
924
		errx(1, "export failed: %s",
925
		     gssapi_err(maj_stat, min_stat, NULL));
926

927
	    maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
928
	    if (maj_stat != GSS_S_COMPLETE)
929
		errx(1, "import failed: %s",
930
		     gssapi_err(maj_stat, min_stat, NULL));
931

932
	    gss_release_buffer(&min_stat, &cb);
933
	    gss_release_cred(&min_stat, &deleg_cred);
934

935
	    if (verbose_flag)
936
		printf("checking actual mech (%s) on export/imported cred\n",
937
		       oid_to_string(actual_mech));
938
	    loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx,
939
		 &actual_mech2, &deleg_cred);
940

941
	    gss_release_cred(&min_stat, &deleg_cred);
942

943
	    gss_delete_sec_context(&min_stat, &cctx, NULL);
944
	    gss_delete_sec_context(&min_stat, &sctx, NULL);
945

946
	    /* try again using SPNEGO */
947
	    if (verbose_flag)
948
		printf("checking SPNEGO on export/imported cred\n");
949
	    loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx,
950
		 &actual_mech2, &deleg_cred);
951

952
	    gss_release_cred(&min_stat, &deleg_cred);
953

954
	    gss_delete_sec_context(&min_stat, &cctx, NULL);
955
	    gss_delete_sec_context(&min_stat, &sctx, NULL);
956

957
	    gss_release_cred(&min_stat, &cred2);
958

959
	} else  {
960
	    gss_release_cred(&min_stat, &deleg_cred);
961
	}
962

963
    }
964

965
    empty_release();
966

967
    krb5_free_context(context);
968

969
    return 0;
970
}
971

972
Product

Resources

Company
