1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/* tests/gssapi/t_iov.c - Test program for IOV functions */
3
/*
4
 * Copyright (C) 2013 by the Massachusetts Institute of Technology.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 *
11
 * * Redistributions of source code must retain the above copyright
12
 *   notice, this list of conditions and the following disclaimer.
13
 *
14
 * * Redistributions in binary form must reproduce the above copyright
15
 *   notice, this list of conditions and the following disclaimer in
16
 *   the documentation and/or other materials provided with the
17
 *   distribution.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30
 * OF THE POSSIBILITY OF SUCH DAMAGE.
31
 */
32

33
#include <stdio.h>
34
#include <stdlib.h>
35
#include <string.h>
36
#include <stddef.h>
37
#include "common.h"
38

39
/* Concatenate iov (except for sign-only buffers) into a contiguous token. */
40
static void
41
concat_iov(gss_iov_buffer_desc *iov, size_t iovlen, char **buf_out,
42
           size_t *len_out)
43
{
44
    size_t len, i;
45
    char *buf;
46

47
    /* Concatenate the result into a contiguous buffer. */
48
    len = 0;
49
    for (i = 0; i < iovlen; i++) {
50
        if (GSS_IOV_BUFFER_TYPE(iov[i].type) != GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
51
            len += iov[i].buffer.length;
52
    }
53
    buf = malloc(len);
54
    if (buf == NULL)
55
        errout("malloc failed");
56
    len = 0;
57
    for (i = 0; i < iovlen; i++) {
58
        if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
59
            continue;
60
        memcpy(buf + len, iov[i].buffer.value, iov[i].buffer.length);
61
        len += iov[i].buffer.length;
62
    }
63
    *buf_out = buf;
64
    *len_out = len;
65
}
66

67
static void
68
check_encrypted(const char *msg, int conf, const char *buf, const char *plain)
69
{
70
    int same = memcmp(buf, plain, strlen(plain)) == 0;
71

72
    if ((conf && same) || (!conf && !same))
73
        errout(msg);
74
}
75

76
/*
77
 * Wrap str in standard form (HEADER | DATA | PADDING | TRAILER) using the
78
 * caller-provided array iov, which must have space for four elements.  Library
79
 * allocation will be used for the header/padding/trailer buffers, so the
80
 * caller must check and free them.
81
 */
82
static void
83
wrap_std(gss_ctx_id_t ctx, char *str, gss_iov_buffer_desc *iov, int conf)
84
{
85
    OM_uint32 minor, major;
86
    int oconf;
87

88
    /* Lay out iov array. */
89
    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
90
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
91
    iov[1].buffer.value = str;
92
    iov[1].buffer.length = strlen(str);
93
    iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
94
    iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
95

96
    /* Wrap.  This will allocate header/padding/trailer buffers as necessary
97
     * and encrypt str in place. */
98
    major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 4);
99
    check_gsserr("gss_wrap_iov(std)", major, minor);
100
    if (oconf != conf)
101
        errout("gss_wrap_iov(std) conf");
102
}
103

104
/* Create standard tokens using gss_wrap_iov and ctx1, and make sure we can
105
 * unwrap them using ctx2 in all of the supported ways. */
106
static void
107
test_standard_wrap(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf)
108
{
109
    OM_uint32 major, minor;
110
    gss_iov_buffer_desc iov[4], stiov[2];
111
    gss_qop_t qop;
112
    gss_buffer_desc input, output;
113
    const char *string1 = "The swift brown fox jumped over the lazy dog.";
114
    const char *string2 = "Now is the time!";
115
    const char *string3 = "x";
116
    const char *string4 = "!@#";
117
    char data[1024], *fulltoken;
118
    size_t len;
119
    int oconf;
120
    ptrdiff_t offset;
121

122
    /* Wrap a standard token and unwrap it using the iov array. */
123
    memcpy(data, string1, strlen(string1) + 1);
124
    wrap_std(ctx1, data, iov, conf);
125
    check_encrypted("gss_wrap_iov(std1) encryption", conf, data, string1);
126
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4);
127
    check_gsserr("gss_unwrap_iov(std1)", major, minor);
128
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
129
        errout("gss_unwrap_iov(std1) conf/qop");
130
    if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(string1))
131
        errout("gss_unwrap_iov(std1) data buffer");
132
    if (memcmp(data, string1, iov[1].buffer.length) != 0)
133
        errout("gss_unwrap_iov(std1) decryption");
134
    (void)gss_release_iov_buffer(&minor, iov, 4);
135

136
    /* Wrap a standard token and unwrap it using gss_unwrap(). */
137
    memcpy(data, string2, strlen(string2) + 1);
138
    wrap_std(ctx1, data, iov, conf);
139
    concat_iov(iov, 4, &fulltoken, &len);
140
    input.value = fulltoken;
141
    input.length = len;
142
    major = gss_unwrap(&minor, ctx2, &input, &output, &oconf, &qop);
143
    check_gsserr("gss_unwrap(std2)", major, minor);
144
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
145
        errout("gss_unwrap(std2) conf/qop");
146
    if (output.length != strlen(string2) ||
147
        memcmp(output.value, string2, output.length) != 0)
148
        errout("gss_unwrap(std2) decryption");
149
    (void)gss_release_buffer(&minor, &output);
150
    (void)gss_release_iov_buffer(&minor, iov, 4);
151
    free(fulltoken);
152

153
    /* Wrap a standard token and unwrap it using a stream buffer. */
154
    memcpy(data, string3, strlen(string3) + 1);
155
    wrap_std(ctx1, data, iov, conf);
156
    concat_iov(iov, 4, &fulltoken, &len);
157
    stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
158
    stiov[0].buffer.value = fulltoken;
159
    stiov[0].buffer.length = len;
160
    stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
161
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2);
162
    check_gsserr("gss_unwrap_iov(std3)", major, minor);
163
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
164
        errout("gss_unwrap_iov(std3) conf/qop");
165
    if (stiov[1].buffer.length != strlen(string3) ||
166
        memcmp(stiov[1].buffer.value, string3, strlen(string3)) != 0)
167
        errout("gss_unwrap_iov(std3) decryption");
168
    offset = (char *)stiov[1].buffer.value - fulltoken;
169
    if (offset < 0 || (size_t)offset > len)
170
        errout("gss_unwrap_iov(std3) offset");
171
    (void)gss_release_iov_buffer(&minor, iov, 4);
172
    free(fulltoken);
173

174
    /* Wrap a token using gss_wrap and unwrap it using a stream buffer with
175
     * allocation and copying. */
176
    input.value = (char *)string4;
177
    input.length = strlen(string4);
178
    major = gss_wrap(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &input, &oconf,
179
                     &output);
180
    check_gsserr("gss_wrap(std4)", major, minor);
181
    if (oconf != conf)
182
        errout("gss_wrap(std4) conf");
183
    stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
184
    stiov[0].buffer = output;
185
    stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE;
186
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2);
187
    check_gsserr("gss_unwrap_iov(std4)", major, minor);
188
    if (!(GSS_IOV_BUFFER_FLAGS(stiov[1].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED))
189
        errout("gss_unwrap_iov(std4) allocated");
190
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
191
        errout("gss_unwrap_iov(std4) conf/qop");
192
    if (stiov[1].buffer.length != strlen(string4) ||
193
        memcmp(stiov[1].buffer.value, string4, strlen(string4)) != 0)
194
        errout("gss_unwrap_iov(std4) decryption");
195
    (void)gss_release_buffer(&minor, &output);
196
    (void)gss_release_iov_buffer(&minor, stiov, 2);
197
}
198

199
/*
200
 * Wrap an AEAD token (HEADER | SIGN_ONLY | DATA | PADDING | TRAILER) using the
201
 * caller-provided array iov, which must have space for five elements, and the
202
 * caller-provided buffer data, which must be big enough to handle the test
203
 * inputs.  Library allocation will not be used.
204
 */
205
static void
206
wrap_aead(gss_ctx_id_t ctx, const char *sign, const char *wrap,
207
          gss_iov_buffer_desc *iov, char *data, int conf)
208
{
209
    OM_uint32 major, minor;
210
    int oconf;
211
    char *ptr;
212

213
    /* Lay out iov array. */
214
    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
215
    iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
216
    iov[1].buffer.value = (char *)sign;
217
    iov[1].buffer.length = strlen(sign);
218
    iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
219
    iov[2].buffer.value = (char *)wrap;
220
    iov[2].buffer.length = strlen(wrap);
221
    iov[3].type = GSS_IOV_BUFFER_TYPE_PADDING;
222
    iov[4].type = GSS_IOV_BUFFER_TYPE_TRAILER;
223

224
    /* Get header/padding/trailer lengths. */
225
    major = gss_wrap_iov_length(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf,
226
                                iov, 5);
227
    check_gsserr("gss_wrap_iov_length(aead)", major, minor);
228
    if (oconf != conf)
229
        errout("gss_wrap_iov_length(aead) conf");
230
    if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign))
231
        errout("gss_wrap_iov_length(aead) sign-only buffer");
232
    if (iov[2].buffer.value != wrap || iov[2].buffer.length != strlen(wrap))
233
        errout("gss_wrap_iov_length(aead) data buffer");
234

235
    /* Set iov buffer pointers using returned lengths. */
236
    iov[0].buffer.value = data;
237
    ptr = data + iov[0].buffer.length;
238
    memcpy(ptr, wrap, strlen(wrap));
239
    iov[2].buffer.value = ptr;
240
    ptr += iov[2].buffer.length;
241
    iov[3].buffer.value = ptr;
242
    ptr += iov[3].buffer.length;
243
    iov[4].buffer.value = ptr;
244

245
    /* Wrap the AEAD token. */
246
    major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 5);
247
    check_gsserr("gss_wrap_iov(aead)", major, minor);
248
    if (oconf != conf)
249
        errout("gss_wrap_iov(aead) conf");
250
    if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign))
251
        errout("gss_wrap_iov(aead) sign-only buffer");
252
    if (iov[2].buffer.length != strlen(wrap))
253
        errout("gss_wrap_iov(aead) data buffer");
254
    check_encrypted("gss_wrap_iov(aead) encryption", conf, iov[2].buffer.value,
255
                    wrap);
256
}
257

258
/* Create AEAD tokens using gss_wrap_iov and ctx1, and make sure we can unwrap
259
 * them using ctx2 in all of the supported ways. */
260
static void
261
test_aead(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf)
262
{
263
    OM_uint32 major, minor;
264
    gss_iov_buffer_desc iov[5], stiov[3];
265
    gss_qop_t qop;
266
    gss_buffer_desc input, assoc, output;
267
    const char *sign = "This data is only signed.";
268
    const char *wrap = "This data is wrapped in-place.";
269
    char data[1024], *fulltoken;
270
    size_t len;
271
    int oconf;
272
    ptrdiff_t offset;
273

274
    /* Wrap an AEAD token and unwrap it using the IOV array. */
275
    wrap_aead(ctx1, sign, wrap, iov, data, conf);
276
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 5);
277
    check_gsserr("gss_unwrap_iov(aead1)", major, minor);
278
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
279
        errout("gss_unwrap_iov(aead1) conf/qop");
280
    if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign))
281
        errout("gss_unwrap_iov(aead1) sign-only buffer");
282
    if (iov[2].buffer.length != strlen(wrap) ||
283
        memcmp(iov[2].buffer.value, wrap, iov[2].buffer.length) != 0)
284
        errout("gss_unwrap_iov(aead1) decryption");
285

286
    /* Wrap an AEAD token and unwrap it using gss_unwrap_aead. */
287
    wrap_aead(ctx1, sign, wrap, iov, data, conf);
288
    concat_iov(iov, 5, &fulltoken, &len);
289
    input.value = fulltoken;
290
    input.length = len;
291
    assoc.value = (char *)sign;
292
    assoc.length = strlen(sign);
293
    major = gss_unwrap_aead(&minor, ctx2, &input, &assoc, &output, &oconf,
294
                            &qop);
295
    check_gsserr("gss_unwrap_aead(aead2)", major, minor);
296
    if (output.length != strlen(wrap) ||
297
        memcmp(output.value, wrap, output.length) != 0)
298
        errout("gss_unwrap_aead(aead2) decryption");
299
    free(fulltoken);
300
    (void)gss_release_buffer(&minor, &output);
301

302
    /* Wrap an AEAD token and unwrap it using a stream buffer. */
303
    wrap_aead(ctx1, sign, wrap, iov, data, conf);
304
    concat_iov(iov, 5, &fulltoken, &len);
305
    stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
306
    stiov[0].buffer.value = fulltoken;
307
    stiov[0].buffer.length = len;
308
    stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
309
    stiov[1].buffer.value = (char *)sign;
310
    stiov[1].buffer.length = strlen(sign);
311
    stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
312
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3);
313
    check_gsserr("gss_unwrap_iov(aead3)", major, minor);
314
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
315
        errout("gss_unwrap_iov(aead3) conf/qop");
316
    if (stiov[2].buffer.length != strlen(wrap) ||
317
        memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0)
318
        errout("gss_unwrap_iov(aead3) decryption");
319
    offset = (char *)stiov[2].buffer.value - fulltoken;
320
    if (offset < 0 || (size_t)offset > len)
321
        errout("gss_unwrap_iov(aead3) offset");
322
    free(fulltoken);
323
    (void)gss_release_iov_buffer(&minor, iov, 4);
324

325
    /* Wrap a token using gss_wrap_aead and unwrap it using a stream buffer
326
     * with allocation and copying. */
327
    input.value = (char *)wrap;
328
    input.length = strlen(wrap);
329
    assoc.value = (char *)sign;
330
    assoc.length = strlen(sign);
331
    major = gss_wrap_aead(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &assoc,
332
                          &input, &oconf, &output);
333
    check_gsserr("gss_wrap_aead(aead4)", major, minor);
334
    if (oconf != conf)
335
        errout("gss_wrap(aead4) conf");
336
    stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
337
    stiov[0].buffer = output;
338
    stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
339
    stiov[1].buffer = assoc;
340
    stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE;
341
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3);
342
    check_gsserr("gss_unwrap_iov(aead4)", major, minor);
343
    if (!(GSS_IOV_BUFFER_FLAGS(stiov[2].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED))
344
        errout("gss_unwrap_iov(aead4) allocated");
345
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
346
        errout("gss_unwrap_iov(aead4) conf/qop");
347
    if (stiov[2].buffer.length != strlen(wrap) ||
348
        memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0)
349
        errout("gss_unwrap_iov(aead4) decryption");
350
    (void)gss_release_buffer(&minor, &output);
351
    (void)gss_release_iov_buffer(&minor, stiov, 3);
352
}
353

354
/*
355
 * Get a MIC for sign1, sign2, and sign3 using the caller-provided array iov,
356
 * which must have space for four elements, and the caller-provided buffer
357
 * data, which must be big enough for the MIC.  If data is NULL, the library
358
 * will be asked to allocate the MIC buffer.  The MIC will be located in
359
 * iov[3].buffer.
360
 */
361
static void
362
mic(gss_ctx_id_t ctx, const char *sign1, const char *sign2, const char *sign3,
363
    gss_iov_buffer_desc *iov, char *data)
364
{
365
    OM_uint32 minor, major;
366
    krb5_boolean allocated;
367

368
    /* Lay out iov array. */
369
    iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
370
    iov[0].buffer.value = (char *)sign1;
371
    iov[0].buffer.length = strlen(sign1);
372
    iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
373
    iov[1].buffer.value = (char *)sign2;
374
    iov[1].buffer.length = strlen(sign2);
375
    iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
376
    iov[2].buffer.value = (char *)sign3;
377
    iov[2].buffer.length = strlen(sign3);
378
    iov[3].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN;
379
    if (data == NULL) {
380
        /* Ask the library to allocate the MIC buffer. */
381
        iov[3].type |= GSS_IOV_BUFFER_FLAG_ALLOCATE;
382
    } else {
383
        /* Get the MIC length and use the caller-provided buffer. */
384
        major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 4);
385
        check_gsserr("gss_get_mic_iov_length", major, minor);
386
        iov[3].buffer.value = data;
387
    }
388
    major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 4);
389
    check_gsserr("gss_get_mic_iov", major, minor);
390
    allocated = (GSS_IOV_BUFFER_FLAGS(iov[3].type) &
391
                 GSS_IOV_BUFFER_FLAG_ALLOCATED) != 0;
392
    if (allocated != (data == NULL))
393
        errout("gss_get_mic_iov allocated");
394
}
395

396
static void
397
test_mic(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2)
398
{
399
    OM_uint32 major, minor;
400
    gss_iov_buffer_desc iov[4];
401
    gss_qop_t qop;
402
    gss_buffer_desc concatbuf, micbuf;
403
    const char *sign1 = "Data and sign-only ";
404
    const char *sign2 = "buffers are treated ";
405
    const char *sign3 = "equally by gss_get_mic_iov";
406
    char concat[1024], data[1024];
407

408
    (void)snprintf(concat, sizeof(concat), "%s%s%s", sign1, sign2, sign3);
409
    concatbuf.value = concat;
410
    concatbuf.length = strlen(concat);
411

412
    /* MIC with a caller-provided buffer and verify with the IOV array. */
413
    mic(ctx1, sign1, sign2, sign3, iov, data);
414
    major = gss_verify_mic_iov(&minor, ctx2, &qop, iov, 4);
415
    check_gsserr("gss_verify_mic_iov(mic1)", major, minor);
416
    if (qop != GSS_C_QOP_DEFAULT)
417
        errout("gss_verify_mic_iov(mic1) qop");
418

419
    /* MIC with an allocated buffer and verify with gss_verify_mic. */
420
    mic(ctx1, sign1, sign2, sign3, iov, NULL);
421
    major = gss_verify_mic(&minor, ctx2, &concatbuf, &iov[3].buffer, &qop);
422
    check_gsserr("gss_verify_mic(mic2)", major, minor);
423
    if (qop != GSS_C_QOP_DEFAULT)
424
        errout("gss_verify_mic(mic2) qop");
425
    (void)gss_release_iov_buffer(&minor, iov, 4);
426

427
    /* MIC with gss_c_get_mic and verify using the IOV array (which is still
428
     * mostly set up from the last call to mic(). */
429
    major = gss_get_mic(&minor, ctx1, GSS_C_QOP_DEFAULT, &concatbuf, &micbuf);
430
    check_gsserr("gss_get_mic(mic3)", major, minor);
431
    iov[3].buffer = micbuf;
432
    major = gss_verify_mic_iov(&minor, ctx2, &qop, iov, 4);
433
    check_gsserr("gss_verify_mic_iov(mic3)", major, minor);
434
    if (qop != GSS_C_QOP_DEFAULT)
435
        errout("gss_verify_mic_iov(mic3) qop");
436
    (void)gss_release_buffer(&minor, &micbuf);
437
}
438

439
/* Create a DCE-style token and make sure we can unwrap it. */
440
static void
441
test_dce(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf)
442
{
443
    OM_uint32 major, minor;
444
    gss_iov_buffer_desc iov[4];
445
    gss_qop_t qop;
446
    const char *sign1 = "First data to be signed";
447
    const char *sign2 = "Second data to be signed";
448
    const char *wrap = "This data must align to 16 bytes";
449
    int oconf;
450
    char data[1024];
451

452
    /* Wrap a SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER token. */
453
    memcpy(data, wrap, strlen(wrap) + 1);
454
    iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
455
    iov[0].buffer.value = (char *)sign1;
456
    iov[0].buffer.length = strlen(sign1);
457
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
458
    iov[1].buffer.value = data;
459
    iov[1].buffer.length = strlen(wrap);
460
    iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
461
    iov[2].buffer.value = (char *)sign2;
462
    iov[2].buffer.length = strlen(sign2);
463
    iov[3].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
464
    major = gss_wrap_iov(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &oconf, iov,
465
                         4);
466
    check_gsserr("gss_wrap_iov(dce)", major, minor);
467
    if (oconf != conf)
468
        errout("gss_wrap_iov(dce) conf");
469
    if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1))
470
        errout("gss_wrap_iov(dce) sign1 buffer");
471
    if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap))
472
        errout("gss_wrap_iov(dce) data buffer");
473
    if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2))
474
        errout("gss_wrap_iov(dce) sign2 buffer");
475
    check_encrypted("gss_wrap_iov(dce) encryption", conf, data, wrap);
476

477
    /* Make sure we can unwrap it. */
478
    major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4);
479
    check_gsserr("gss_unwrap_iov(std1)", major, minor);
480
    if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
481
        errout("gss_unwrap_iov(std1) conf/qop");
482
    if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1))
483
        errout("gss_unwrap_iov(dce) sign1 buffer");
484
    if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap))
485
        errout("gss_unwrap_iov(dce) data buffer");
486
    if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2))
487
        errout("gss_unwrap_iov(dce) sign2 buffer");
488
    if (memcmp(data, wrap, iov[1].buffer.length) != 0)
489
        errout("gss_unwrap_iov(dce) decryption");
490
    (void)gss_release_iov_buffer(&minor, iov, 4);
491
}
492

493
int
494
main(int argc, char *argv[])
495
{
496
    OM_uint32 minor, flags;
497
    gss_OID mech = &mech_krb5;
498
    gss_name_t tname;
499
    gss_ctx_id_t ictx, actx;
500

501
    /* Parse arguments. */
502
    argv++;
503
    if (*argv != NULL && strcmp(*argv, "-s") == 0) {
504
        mech = &mech_spnego;
505
        argv++;
506
    }
507
    if (*argv == NULL || *(argv + 1) != NULL)
508
        errout("Usage: t_iov [-s] targetname");
509
    tname = import_name(*argv);
510

511
    flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
512
    establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname,
513
                       flags, &ictx, &actx, NULL, NULL, NULL);
514

515
    /* Test standard token wrapping and unwrapping in both directions, with and
516
     * without confidentiality. */
517
    test_standard_wrap(ictx, actx, 0);
518
    test_standard_wrap(ictx, actx, 1);
519
    test_standard_wrap(actx, ictx, 0);
520
    test_standard_wrap(actx, ictx, 1);
521

522
    /* Test AEAD wrapping. */
523
    test_aead(ictx, actx, 0);
524
    test_aead(ictx, actx, 1);
525
    test_aead(actx, ictx, 0);
526
    test_aead(actx, ictx, 1);
527

528
    /* Test MIC tokens. */
529
    test_mic(ictx, actx);
530
    test_mic(actx, ictx);
531

532
    /* Test DCE wrapping with DCE-style contexts. */
533
    (void)gss_delete_sec_context(&minor, &ictx, NULL);
534
    (void)gss_delete_sec_context(&minor, &actx, NULL);
535
    flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DCE_STYLE;
536
    establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname,
537
                       flags, &ictx, &actx, NULL, NULL, NULL);
538
    test_dce(ictx, actx, 0);
539
    test_dce(ictx, actx, 1);
540
    test_dce(actx, ictx, 0);
541
    test_dce(actx, ictx, 1);
542

543
    (void)gss_release_name(&minor, &tname);
544
    (void)gss_delete_sec_context(&minor, &ictx, NULL);
545
    (void)gss_delete_sec_context(&minor, &actx, NULL);
546
    return 0;
547
}
548

549