Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/krb5/src/tests/replay.c
34878 views
1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

2
/* tests/replay.c - test replay cache using libkrb5 functions */

3
/*

4
 * Copyright (C) 2019 by the Massachusetts Institute of Technology.

5
 * All rights reserved.

6
 *

7
 * Redistribution and use in source and binary forms, with or without

8
 * modification, are permitted provided that the following conditions

9
 * are met:

10
 *

11
 * * Redistributions of source code must retain the above copyright

12
 *   notice, this list of conditions and the following disclaimer.

13
 *

14
 * * Redistributions in binary form must reproduce the above copyright

15
 *   notice, this list of conditions and the following disclaimer in

16
 *   the documentation and/or other materials provided with the

17
 *   distribution.

18
 *

19
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

20
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

21
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS

22
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

23
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,

24
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

25
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

26
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

28
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

29
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

30
 * OF THE POSSIBILITY OF SUCH DAMAGE.

31
 */

32


33
#include "k5-int.h"

34


35
int

36
main(int argc, char **argv)

37
{

38
    krb5_error_code ret;

39
    krb5_context ctx;

40
    krb5_auth_context c_authcon, s_authcon, s_authcon2;

41
    krb5_rcache rc;

42
    krb5_ccache cc;

43
    krb5_principal client, server;

44
    krb5_creds mcred, *cred, **tmpcreds;

45
    krb5_data der_apreq, der_krbsafe, der_krbpriv, *der_krbcred, tmpdata;

46
    krb5_address addr;

47
    struct in_addr inaddr;

48
    const char *server_name;

49


50
    assert(argc == 2);

51
    server_name = argv[1];

52


53
    /* Create client and server auth contexts.  (They will use a replay cache

54
     * by default.) */

55
    ret = krb5_init_context(&ctx);

56
    assert(ret == 0);

57
    ret = krb5_auth_con_init(ctx, &c_authcon);

58
    assert(ret == 0);

59
    ret = krb5_auth_con_init(ctx, &s_authcon);

60
    assert(ret == 0);

61


62
    /* Set dummy addresses for the auth contexts. */

63
    memset(&inaddr, 0, sizeof(inaddr));

64
    addr.addrtype = ADDRTYPE_INET;

65
    addr.length = sizeof(inaddr);

66
    addr.contents = (uint8_t *)&inaddr;

67
    ret = krb5_auth_con_setaddrs(ctx, c_authcon, &addr, &addr);

68
    assert(ret == 0);

69
    ret = krb5_auth_con_setaddrs(ctx, s_authcon, &addr, &addr);

70
    assert(ret == 0);

71


72
    /* Set up replay caches for the auth contexts. */

73
    tmpdata = string2data("testclient");

74
    ret = krb5_get_server_rcache(ctx, &tmpdata, &rc);

75
    assert(ret == 0);

76
    ret = krb5_auth_con_setrcache(ctx, c_authcon, rc);

77
    assert(ret == 0);

78
    tmpdata = string2data("testserver");

79
    ret = krb5_get_server_rcache(ctx, &tmpdata, &rc);

80
    assert(ret == 0);

81
    ret = krb5_auth_con_setrcache(ctx, s_authcon, rc);

82
    assert(ret == 0);

83


84
    /* Construct the client and server principal names. */

85
    ret = krb5_cc_default(ctx, &cc);

86
    assert(ret == 0);

87
    ret = krb5_cc_get_principal(ctx, cc, &client);

88
    assert(ret == 0);

89
    ret = krb5_parse_name(ctx, server_name, &server);

90
    assert(ret == 0);

91


92
    /* Get credentials for the client. */

93
    memset(&mcred, 0, sizeof(mcred));

94
    mcred.client = client;

95
    mcred.server = server;

96
    ret = krb5_get_credentials(ctx, 0, cc, &mcred, &cred);

97
    assert(ret == 0);

98


99
    /* Send an AP-REP to establish the sessions. */

100
    ret = krb5_mk_req_extended(ctx, &c_authcon, 0, NULL, cred, &der_apreq);

101
    assert(ret == 0);

102
    ret = krb5_rd_req(ctx, &s_authcon, &der_apreq, NULL, NULL, NULL, NULL);

103
    assert(ret == 0);

104


105
    /* Set up another server auth context with the same rcache name and replay

106
     * the AP-REQ. */

107
    ret = krb5_auth_con_init(ctx, &s_authcon2);

108
    assert(ret == 0);

109
    tmpdata = string2data("testserver");

110
    ret = krb5_get_server_rcache(ctx, &tmpdata, &rc);

111
    assert(ret == 0);

112
    ret = krb5_auth_con_setrcache(ctx, s_authcon2, rc);

113
    assert(ret == 0);

114
    ret = krb5_rd_req(ctx, &s_authcon2, &der_apreq, NULL, NULL, NULL, NULL);

115
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

116
    krb5_auth_con_free(ctx, s_authcon2);

117


118
    /* Make a KRB-SAFE message with the client auth context. */

119
    tmpdata = string2data("safemsg");

120
    ret = krb5_mk_safe(ctx, c_authcon, &tmpdata, &der_krbsafe, NULL);

121
    assert(ret == 0);

122
    /* Play it back to the client to detect a reflection. */

123
    ret = krb5_rd_safe(ctx, c_authcon, &der_krbsafe, &tmpdata, NULL);

124
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

125
    /* Send it to the server auth context twice, to detect a replay. */

126
    ret = krb5_rd_safe(ctx, s_authcon, &der_krbsafe, &tmpdata, NULL);

127
    assert(ret == 0);

128
    krb5_free_data_contents(ctx, &tmpdata);

129
    ret = krb5_rd_safe(ctx, s_authcon, &der_krbsafe, &tmpdata, NULL);

130
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

131


132
    /* Make a KRB-PRIV message with the client auth context. */

133
    tmpdata = string2data("safemsg");

134
    ret = krb5_mk_priv(ctx, c_authcon, &tmpdata, &der_krbpriv, NULL);

135
    assert(ret == 0);

136
    /* Play it back to the client to detect a reflection. */

137
    ret = krb5_rd_priv(ctx, c_authcon, &der_krbpriv, &tmpdata, NULL);

138
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

139
    /* Send it to the server auth context twice, to detect a replay. */

140
    ret = krb5_rd_priv(ctx, s_authcon, &der_krbpriv, &tmpdata, NULL);

141
    assert(ret == 0);

142
    krb5_free_data_contents(ctx, &tmpdata);

143
    ret = krb5_rd_priv(ctx, s_authcon, &der_krbpriv, &tmpdata, NULL);

144
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

145


146
    /* Make a KRB-CRED message with the client auth context. */

147
    tmpdata = string2data("safemsg");

148
    ret = krb5_mk_1cred(ctx, c_authcon, cred, &der_krbcred, NULL);

149
    assert(ret == 0);

150
    /* Play it back to the client to detect a reflection. */

151
    ret = krb5_rd_cred(ctx, c_authcon, der_krbcred, &tmpcreds, NULL);

152
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

153
    /* Send it to the server auth context twice, to detect a replay. */

154
    ret = krb5_rd_cred(ctx, s_authcon, der_krbcred, &tmpcreds, NULL);

155
    assert(ret == 0);

156
    krb5_free_tgt_creds(ctx, tmpcreds);

157
    ret = krb5_rd_cred(ctx, s_authcon, der_krbcred, &tmpcreds, NULL);

158
    assert(ret == KRB5KRB_AP_ERR_REPEAT);

159


160
    krb5_free_data_contents(ctx, &der_apreq);

161
    krb5_free_data_contents(ctx, &der_krbsafe);

162
    krb5_free_data_contents(ctx, &der_krbpriv);

163
    krb5_free_data(ctx, der_krbcred);

164
    krb5_free_creds(ctx, cred);

165
    krb5_cc_close(ctx, cc);

166
    krb5_free_principal(ctx, client);

167
    krb5_free_principal(ctx, server);

168
    krb5_auth_con_free(ctx, c_authcon);

169
    krb5_auth_con_free(ctx, s_authcon);

170
    krb5_free_context(ctx);

171
    return 0;

172
}

173


174