/crypto/heimdal/lib/gssapi/test_context.c
C | 970 lines | 756 code | 172 blank | 42 comment | 213 complexity | 2704fa17d924722cc3f24736124de54e MD5 | raw file
1/* 2 * Copyright (c) 2006 - 2008 Kungliga Tekniska Hรถgskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of KTH nor the names of its contributors may be 18 * used to endorse or promote products derived from this software without 19 * specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY 22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE 25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34#include "krb5/gsskrb5_locl.h" 35#include <err.h> 36#include <getarg.h> 37#include <gssapi.h> 38#include <gssapi_krb5.h> 39#include <gssapi_spnego.h> 40#include <gssapi_ntlm.h> 41#include "test_common.h" 42 43static char *type_string; 44static char *mech_string; 45static char *ret_mech_string; 46static char *client_name; 47static char *client_password; 48static int dns_canon_flag = -1; 49static int mutual_auth_flag = 0; 50static int dce_style_flag = 0; 51static int wrapunwrap_flag = 0; 52static int iov_flag = 0; 53static int getverifymic_flag = 0; 54static int deleg_flag = 0; 55static int policy_deleg_flag = 0; 56static int server_no_deleg_flag = 0; 57static int ei_flag = 0; 58static char *gsskrb5_acceptor_identity = NULL; 59static char *session_enctype_string = NULL; 60static int client_time_offset = 0; 61static int server_time_offset = 0; 62static int max_loops = 0; 63static char *limit_enctype_string = NULL; 64static int version_flag = 0; 65static int verbose_flag = 0; 66static int help_flag = 0; 67 68static krb5_context context; 69static krb5_enctype limit_enctype = 0; 70 71static struct { 72 const char *name; 73 gss_OID oid; 74} o2n[] = { 75 { "krb5", NULL /* GSS_KRB5_MECHANISM */ }, 76 { "spnego", NULL /* GSS_SPNEGO_MECHANISM */ }, 77 { "ntlm", NULL /* GSS_NTLM_MECHANISM */ }, 78 { "sasl-digest-md5", NULL /* GSS_SASL_DIGEST_MD5_MECHANISM */ } 79}; 80 81static void 82init_o2n(void) 83{ 84 o2n[0].oid = GSS_KRB5_MECHANISM; 85 o2n[1].oid = GSS_SPNEGO_MECHANISM; 86 o2n[2].oid = GSS_NTLM_MECHANISM; 87 o2n[3].oid = GSS_SASL_DIGEST_MD5_MECHANISM; 88} 89 90static gss_OID 91string_to_oid(const char *name) 92{ 93 int i; 94 for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++) 95 if (strcasecmp(name, o2n[i].name) == 0) 96 return o2n[i].oid; 97 errx(1, "name '%s' not unknown", name); 98} 99 100static const char * 101oid_to_string(const gss_OID oid) 102{ 103 int i; 104 for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++) 105 if (gss_oid_equal(oid, o2n[i].oid)) 106 return o2n[i].name; 107 return "unknown oid"; 108} 109 110static void 111loop(gss_OID mechoid, 112 gss_OID nameoid, const char *target, 113 gss_cred_id_t init_cred, 114 gss_ctx_id_t *sctx, gss_ctx_id_t *cctx, 115 gss_OID *actual_mech, 116 gss_cred_id_t *deleg_cred) 117{ 118 int server_done = 0, client_done = 0; 119 int num_loops = 0; 120 OM_uint32 maj_stat, min_stat; 121 gss_name_t gss_target_name; 122 gss_buffer_desc input_token, output_token; 123 OM_uint32 flags = 0, ret_cflags, ret_sflags; 124 gss_OID actual_mech_client; 125 gss_OID actual_mech_server; 126 127 *actual_mech = GSS_C_NO_OID; 128 129 flags |= GSS_C_INTEG_FLAG; 130 flags |= GSS_C_CONF_FLAG; 131 132 if (mutual_auth_flag) 133 flags |= GSS_C_MUTUAL_FLAG; 134 if (dce_style_flag) 135 flags |= GSS_C_DCE_STYLE; 136 if (deleg_flag) 137 flags |= GSS_C_DELEG_FLAG; 138 if (policy_deleg_flag) 139 flags |= GSS_C_DELEG_POLICY_FLAG; 140 141 input_token.value = rk_UNCONST(target); 142 input_token.length = strlen(target); 143 144 maj_stat = gss_import_name(&min_stat, 145 &input_token, 146 nameoid, 147 &gss_target_name); 148 if (GSS_ERROR(maj_stat)) 149 err(1, "import name creds failed with: %d", maj_stat); 150 151 input_token.length = 0; 152 input_token.value = NULL; 153 154 while (!server_done || !client_done) { 155 num_loops++; 156 157 gsskrb5_set_time_offset(client_time_offset); 158 159 maj_stat = gss_init_sec_context(&min_stat, 160 init_cred, 161 cctx, 162 gss_target_name, 163 mechoid, 164 flags, 165 0, 166 NULL, 167 &input_token, 168 &actual_mech_client, 169 &output_token, 170 &ret_cflags, 171 NULL); 172 if (GSS_ERROR(maj_stat)) 173 errx(1, "init_sec_context: %s", 174 gssapi_err(maj_stat, min_stat, mechoid)); 175 if (maj_stat & GSS_S_CONTINUE_NEEDED) 176 ; 177 else 178 client_done = 1; 179 180 gsskrb5_get_time_offset(&client_time_offset); 181 182 if (client_done && server_done) 183 break; 184 185 if (input_token.length != 0) 186 gss_release_buffer(&min_stat, &input_token); 187 188 gsskrb5_set_time_offset(server_time_offset); 189 190 maj_stat = gss_accept_sec_context(&min_stat, 191 sctx, 192 GSS_C_NO_CREDENTIAL, 193 &output_token, 194 GSS_C_NO_CHANNEL_BINDINGS, 195 NULL, 196 &actual_mech_server, 197 &input_token, 198 &ret_sflags, 199 NULL, 200 deleg_cred); 201 if (GSS_ERROR(maj_stat)) 202 errx(1, "accept_sec_context: %s", 203 gssapi_err(maj_stat, min_stat, actual_mech_server)); 204 205 gsskrb5_get_time_offset(&server_time_offset); 206 207 if (output_token.length != 0) 208 gss_release_buffer(&min_stat, &output_token); 209 210 if (maj_stat & GSS_S_CONTINUE_NEEDED) 211 ; 212 else 213 server_done = 1; 214 } 215 if (output_token.length != 0) 216 gss_release_buffer(&min_stat, &output_token); 217 if (input_token.length != 0) 218 gss_release_buffer(&min_stat, &input_token); 219 gss_release_name(&min_stat, &gss_target_name); 220 221 if (deleg_flag || policy_deleg_flag) { 222 if (server_no_deleg_flag) { 223 if (*deleg_cred != GSS_C_NO_CREDENTIAL) 224 errx(1, "got delegated cred but didn't expect one"); 225 } else if (*deleg_cred == GSS_C_NO_CREDENTIAL) 226 errx(1, "asked for delegarated cred but did get one"); 227 } else if (*deleg_cred != GSS_C_NO_CREDENTIAL) 228 errx(1, "got deleg_cred cred but didn't ask"); 229 230 if (gss_oid_equal(actual_mech_server, actual_mech_client) == 0) 231 errx(1, "mech mismatch"); 232 *actual_mech = actual_mech_server; 233 234 if (max_loops && num_loops > max_loops) 235 errx(1, "num loops %d was lager then max loops %d", 236 num_loops, max_loops); 237 238 if (verbose_flag) { 239 printf("server time offset: %d\n", server_time_offset); 240 printf("client time offset: %d\n", client_time_offset); 241 printf("num loops %d\n", num_loops); 242 } 243} 244 245static void 246wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid) 247{ 248 gss_buffer_desc input_token, output_token, output_token2; 249 OM_uint32 min_stat, maj_stat; 250 gss_qop_t qop_state; 251 int conf_state; 252 253 input_token.value = "foo"; 254 input_token.length = 3; 255 256 maj_stat = gss_wrap(&min_stat, cctx, flags, 0, &input_token, 257 &conf_state, &output_token); 258 if (maj_stat != GSS_S_COMPLETE) 259 errx(1, "gss_wrap failed: %s", 260 gssapi_err(maj_stat, min_stat, mechoid)); 261 262 maj_stat = gss_unwrap(&min_stat, sctx, &output_token, 263 &output_token2, &conf_state, &qop_state); 264 if (maj_stat != GSS_S_COMPLETE) 265 errx(1, "gss_unwrap failed: %s", 266 gssapi_err(maj_stat, min_stat, mechoid)); 267 268 gss_release_buffer(&min_stat, &output_token); 269 gss_release_buffer(&min_stat, &output_token2); 270 271#if 0 /* doesn't work for NTLM yet */ 272 if (!!conf_state != !!flags) 273 errx(1, "conf_state mismatch"); 274#endif 275} 276 277#define USE_CONF 1 278#define USE_HEADER_ONLY 2 279#define USE_SIGN_ONLY 4 280#define FORCE_IOV 8 281 282static void 283wrapunwrap_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid) 284{ 285 krb5_data token, header, trailer; 286 OM_uint32 min_stat, maj_stat; 287 gss_qop_t qop_state; 288 int conf_state, conf_state2; 289 gss_iov_buffer_desc iov[6]; 290 unsigned char *p; 291 int iov_len; 292 char header_data[9] = "ABCheader"; 293 char trailer_data[10] = "trailerXYZ"; 294 295 char token_data[16] = "0123456789abcdef"; 296 297 memset(&iov, 0, sizeof(iov)); 298 299 if (flags & USE_SIGN_ONLY) { 300 header.data = header_data; 301 header.length = 9; 302 trailer.data = trailer_data; 303 trailer.length = 10; 304 } else { 305 header.data = NULL; 306 header.length = 0; 307 trailer.data = NULL; 308 trailer.length = 0; 309 } 310 311 token.data = token_data; 312 token.length = 16; 313 314 iov_len = sizeof(iov)/sizeof(iov[0]); 315 316 memset(iov, 0, sizeof(iov)); 317 318 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; 319 320 if (header.length != 0) { 321 iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; 322 iov[1].buffer.length = header.length; 323 iov[1].buffer.value = header.data; 324 } else { 325 iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY; 326 iov[1].buffer.length = 0; 327 iov[1].buffer.value = NULL; 328 } 329 iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; 330 iov[2].buffer.length = token.length; 331 iov[2].buffer.value = token.data; 332 if (trailer.length != 0) { 333 iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; 334 iov[3].buffer.length = trailer.length; 335 iov[3].buffer.value = trailer.data; 336 } else { 337 iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY; 338 iov[3].buffer.length = 0; 339 iov[3].buffer.value = NULL; 340 } 341 if (dce_style_flag) { 342 iov[4].type = GSS_IOV_BUFFER_TYPE_EMPTY; 343 } else { 344 iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; 345 } 346 iov[4].buffer.length = 0; 347 iov[4].buffer.value = 0; 348 if (dce_style_flag) { 349 iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY; 350 } else if (flags & USE_HEADER_ONLY) { 351 iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY; 352 } else { 353 iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; 354 } 355 iov[5].buffer.length = 0; 356 iov[5].buffer.value = 0; 357 358 maj_stat = gss_wrap_iov(&min_stat, cctx, dce_style_flag || flags & USE_CONF, 0, &conf_state, 359 iov, iov_len); 360 if (maj_stat != GSS_S_COMPLETE) 361 errx(1, "gss_wrap_iov failed"); 362 363 token.length = 364 iov[0].buffer.length + 365 iov[1].buffer.length + 366 iov[2].buffer.length + 367 iov[3].buffer.length + 368 iov[4].buffer.length + 369 iov[5].buffer.length; 370 token.data = emalloc(token.length); 371 372 p = token.data; 373 memcpy(p, iov[0].buffer.value, iov[0].buffer.length); 374 p += iov[0].buffer.length; 375 memcpy(p, iov[1].buffer.value, iov[1].buffer.length); 376 p += iov[1].buffer.length; 377 memcpy(p, iov[2].buffer.value, iov[2].buffer.length); 378 p += iov[2].buffer.length; 379 memcpy(p, iov[3].buffer.value, iov[3].buffer.length); 380 p += iov[3].buffer.length; 381 memcpy(p, iov[4].buffer.value, iov[4].buffer.length); 382 p += iov[4].buffer.length; 383 memcpy(p, iov[5].buffer.value, iov[5].buffer.length); 384 p += iov[5].buffer.length; 385 386 assert(p - ((unsigned char *)token.data) == token.length); 387 388 if ((flags & (USE_SIGN_ONLY|FORCE_IOV)) == 0) { 389 gss_buffer_desc input, output; 390 391 input.value = token.data; 392 input.length = token.length; 393 394 maj_stat = gss_unwrap(&min_stat, sctx, &input, 395 &output, &conf_state2, &qop_state); 396 397 if (maj_stat != GSS_S_COMPLETE) 398 errx(1, "gss_unwrap from gss_wrap_iov failed: %s", 399 gssapi_err(maj_stat, min_stat, mechoid)); 400 401 gss_release_buffer(&min_stat, &output); 402 } else { 403 maj_stat = gss_unwrap_iov(&min_stat, sctx, &conf_state2, &qop_state, 404 iov, iov_len); 405 406 if (maj_stat != GSS_S_COMPLETE) 407 errx(1, "gss_unwrap_iov failed: %x %s", flags, 408 gssapi_err(maj_stat, min_stat, mechoid)); 409 410 } 411 if (conf_state2 != conf_state) 412 errx(1, "conf state wrong for iov: %x", flags); 413 414 415 free(token.data); 416} 417 418static void 419getverifymic(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid) 420{ 421 gss_buffer_desc input_token, output_token; 422 OM_uint32 min_stat, maj_stat; 423 gss_qop_t qop_state; 424 425 input_token.value = "bar"; 426 input_token.length = 3; 427 428 maj_stat = gss_get_mic(&min_stat, cctx, 0, &input_token, 429 &output_token); 430 if (maj_stat != GSS_S_COMPLETE) 431 errx(1, "gss_get_mic failed: %s", 432 gssapi_err(maj_stat, min_stat, mechoid)); 433 434 maj_stat = gss_verify_mic(&min_stat, sctx, &input_token, 435 &output_token, &qop_state); 436 if (maj_stat != GSS_S_COMPLETE) 437 errx(1, "gss_verify_mic failed: %s", 438 gssapi_err(maj_stat, min_stat, mechoid)); 439 440 gss_release_buffer(&min_stat, &output_token); 441} 442 443static void 444empty_release(void) 445{ 446 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 447 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 448 gss_name_t name = GSS_C_NO_NAME; 449 gss_OID_set oidset = GSS_C_NO_OID_SET; 450 OM_uint32 junk; 451 452 gss_delete_sec_context(&junk, &ctx, NULL); 453 gss_release_cred(&junk, &cred); 454 gss_release_name(&junk, &name); 455 gss_release_oid_set(&junk, &oidset); 456} 457 458/* 459 * 460 */ 461 462static struct getargs args[] = { 463 {"name-type",0, arg_string, &type_string, "type of name", NULL }, 464 {"mech-type",0, arg_string, &mech_string, "type of mech", NULL }, 465 {"ret-mech-type",0, arg_string, &ret_mech_string, 466 "type of return mech", NULL }, 467 {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag, 468 "use dns to canonicalize", NULL }, 469 {"mutual-auth",0, arg_flag, &mutual_auth_flag,"mutual auth", NULL }, 470 {"client-name", 0, arg_string, &client_name, "client name", NULL }, 471 {"client-password", 0, arg_string, &client_password, "client password", NULL }, 472 {"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL }, 473 {"dce-style",0, arg_flag, &dce_style_flag, "dce-style", NULL }, 474 {"wrapunwrap",0, arg_flag, &wrapunwrap_flag, "wrap/unwrap", NULL }, 475 {"iov", 0, arg_flag, &iov_flag, "wrap/unwrap iov", NULL }, 476 {"getverifymic",0, arg_flag, &getverifymic_flag, 477 "get and verify mic", NULL }, 478 {"delegate",0, arg_flag, &deleg_flag, "delegate credential", NULL }, 479 {"policy-delegate",0, arg_flag, &policy_deleg_flag, "policy delegate credential", NULL }, 480 {"server-no-delegate",0, arg_flag, &server_no_deleg_flag, 481 "server should get a credential", NULL }, 482 {"export-import-cred",0, arg_flag, &ei_flag, "test export/import cred", NULL }, 483 {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL }, 484 {"session-enctype", 0, arg_string, &session_enctype_string, "enctype", NULL }, 485 {"client-time-offset", 0, arg_integer, &client_time_offset, "time", NULL }, 486 {"server-time-offset", 0, arg_integer, &server_time_offset, "time", NULL }, 487 {"max-loops", 0, arg_integer, &max_loops, "time", NULL }, 488 {"version", 0, arg_flag, &version_flag, "print version", NULL }, 489 {"verbose", 'v', arg_flag, &verbose_flag, "verbose", NULL }, 490 {"help", 0, arg_flag, &help_flag, NULL, NULL } 491}; 492 493static void 494usage (int ret) 495{ 496 arg_printusage (args, sizeof(args)/sizeof(*args), 497 NULL, "service@host"); 498 exit (ret); 499} 500 501int 502main(int argc, char **argv) 503{ 504 int optind = 0; 505 OM_uint32 min_stat, maj_stat; 506 gss_ctx_id_t cctx, sctx; 507 void *ctx; 508 gss_OID nameoid, mechoid, actual_mech, actual_mech2; 509 gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL; 510 gss_name_t cname = GSS_C_NO_NAME; 511 gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER; 512 513 setprogname(argv[0]); 514 515 init_o2n(); 516 517 if (krb5_init_context(&context)) 518 errx(1, "krb5_init_context"); 519 520 cctx = sctx = GSS_C_NO_CONTEXT; 521 522 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) 523 usage(1); 524 525 if (help_flag) 526 usage (0); 527 528 if(version_flag){ 529 print_version(NULL); 530 exit(0); 531 } 532 533 argc -= optind; 534 argv += optind; 535 536 if (argc != 1) 537 usage(1); 538 539 if (dns_canon_flag != -1) 540 gsskrb5_set_dns_canonicalize(dns_canon_flag); 541 542 if (type_string == NULL) 543 nameoid = GSS_C_NT_HOSTBASED_SERVICE; 544 else if (strcmp(type_string, "hostbased-service") == 0) 545 nameoid = GSS_C_NT_HOSTBASED_SERVICE; 546 else if (strcmp(type_string, "krb5-principal-name") == 0) 547 nameoid = GSS_KRB5_NT_PRINCIPAL_NAME; 548 else 549 errx(1, "%s not suppported", type_string); 550 551 if (mech_string == NULL) 552 mechoid = GSS_KRB5_MECHANISM; 553 else 554 mechoid = string_to_oid(mech_string); 555 556 if (gsskrb5_acceptor_identity) { 557 maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); 558 if (maj_stat) 559 errx(1, "gsskrb5_acceptor_identity: %s", 560 gssapi_err(maj_stat, 0, GSS_C_NO_OID)); 561 } 562 563 if (client_password) { 564 credential_data.value = client_password; 565 credential_data.length = strlen(client_password); 566 } 567 568 if (client_name) { 569 gss_buffer_desc cn; 570 571 cn.value = client_name; 572 cn.length = strlen(client_name); 573 574 maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname); 575 if (maj_stat) 576 errx(1, "gss_import_name: %s", 577 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); 578 } 579 580 if (client_password) { 581 maj_stat = gss_acquire_cred_with_password(&min_stat, 582 cname, 583 &credential_data, 584 GSS_C_INDEFINITE, 585 GSS_C_NO_OID_SET, 586 GSS_C_INITIATE, 587 &client_cred, 588 NULL, 589 NULL); 590 if (GSS_ERROR(maj_stat)) 591 errx(1, "gss_acquire_cred_with_password: %s", 592 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); 593 } else { 594 maj_stat = gss_acquire_cred(&min_stat, 595 cname, 596 GSS_C_INDEFINITE, 597 GSS_C_NO_OID_SET, 598 GSS_C_INITIATE, 599 &client_cred, 600 NULL, 601 NULL); 602 if (GSS_ERROR(maj_stat)) 603 errx(1, "gss_acquire_cred: %s", 604 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); 605 } 606 607 if (limit_enctype_string) { 608 krb5_error_code ret; 609 610 ret = krb5_string_to_enctype(context, 611 limit_enctype_string, 612 &limit_enctype); 613 if (ret) 614 krb5_err(context, 1, ret, "krb5_string_to_enctype"); 615 } 616 617 618 if (limit_enctype) { 619 if (client_cred == NULL) 620 errx(1, "client_cred missing"); 621 622 maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred, 623 1, &limit_enctype); 624 if (maj_stat) 625 errx(1, "gss_krb5_set_allowable_enctypes: %s", 626 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); 627 } 628 629 loop(mechoid, nameoid, argv[0], client_cred, 630 &sctx, &cctx, &actual_mech, &deleg_cred); 631 632 if (verbose_flag) 633 printf("resulting mech: %s\n", oid_to_string(actual_mech)); 634 635 if (ret_mech_string) { 636 gss_OID retoid; 637 638 retoid = string_to_oid(ret_mech_string); 639 640 if (gss_oid_equal(retoid, actual_mech) == 0) 641 errx(1, "actual_mech mech is not the expected type %s", 642 ret_mech_string); 643 } 644 645 /* XXX should be actual_mech */ 646 if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) { 647 time_t time; 648 gss_buffer_desc authz_data; 649 gss_buffer_desc in, out1, out2; 650 krb5_keyblock *keyblock, *keyblock2; 651 krb5_timestamp now; 652 krb5_error_code ret; 653 654 ret = krb5_timeofday(context, &now); 655 if (ret) 656 errx(1, "krb5_timeofday failed"); 657 658 /* client */ 659 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, 660 &cctx, 661 1, /* version */ 662 &ctx); 663 if (maj_stat != GSS_S_COMPLETE) 664 errx(1, "gss_krb5_export_lucid_sec_context failed: %s", 665 gssapi_err(maj_stat, min_stat, actual_mech)); 666 667 668 maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx); 669 if (maj_stat != GSS_S_COMPLETE) 670 errx(1, "gss_krb5_free_lucid_sec_context failed: %s", 671 gssapi_err(maj_stat, min_stat, actual_mech)); 672 673 /* server */ 674 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, 675 &sctx, 676 1, /* version */ 677 &ctx); 678 if (maj_stat != GSS_S_COMPLETE) 679 errx(1, "gss_krb5_export_lucid_sec_context failed: %s", 680 gssapi_err(maj_stat, min_stat, actual_mech)); 681 maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx); 682 if (maj_stat != GSS_S_COMPLETE) 683 errx(1, "gss_krb5_free_lucid_sec_context failed: %s", 684 gssapi_err(maj_stat, min_stat, actual_mech)); 685 686 maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat, 687 sctx, 688 &time); 689 if (maj_stat != GSS_S_COMPLETE) 690 errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s", 691 gssapi_err(maj_stat, min_stat, actual_mech)); 692 693 if (time > now) 694 errx(1, "gsskrb5_extract_authtime_from_sec_context failed: " 695 "time authtime is before now: %ld %ld", 696 (long)time, (long)now); 697 698 maj_stat = gsskrb5_extract_service_keyblock(&min_stat, 699 sctx, 700 &keyblock); 701 if (maj_stat != GSS_S_COMPLETE) 702 errx(1, "gsskrb5_export_service_keyblock failed: %s", 703 gssapi_err(maj_stat, min_stat, actual_mech)); 704 705 krb5_free_keyblock(context, keyblock); 706 707 maj_stat = gsskrb5_get_subkey(&min_stat, 708 sctx, 709 &keyblock); 710 if (maj_stat != GSS_S_COMPLETE 711 && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY))) 712 errx(1, "gsskrb5_get_subkey server failed: %s", 713 gssapi_err(maj_stat, min_stat, actual_mech)); 714 715 if (maj_stat != GSS_S_COMPLETE) 716 keyblock = NULL; 717 else if (limit_enctype && keyblock->keytype != limit_enctype) 718 errx(1, "gsskrb5_get_subkey wrong enctype"); 719 720 maj_stat = gsskrb5_get_subkey(&min_stat, 721 cctx, 722 &keyblock2); 723 if (maj_stat != GSS_S_COMPLETE 724 && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY))) 725 errx(1, "gsskrb5_get_subkey client failed: %s", 726 gssapi_err(maj_stat, min_stat, actual_mech)); 727 728 if (maj_stat != GSS_S_COMPLETE) 729 keyblock2 = NULL; 730 else if (limit_enctype && keyblock->keytype != limit_enctype) 731 errx(1, "gsskrb5_get_subkey wrong enctype"); 732 733 if (keyblock || keyblock2) { 734 if (keyblock == NULL) 735 errx(1, "server missing token keyblock"); 736 if (keyblock2 == NULL) 737 errx(1, "client missing token keyblock"); 738 739 if (keyblock->keytype != keyblock2->keytype) 740 errx(1, "enctype mismatch"); 741 if (keyblock->keyvalue.length != keyblock2->keyvalue.length) 742 errx(1, "key length mismatch"); 743 if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data, 744 keyblock2->keyvalue.length) != 0) 745 errx(1, "key data mismatch"); 746 } 747 748 if (session_enctype_string) { 749 krb5_enctype enctype; 750 751 ret = krb5_string_to_enctype(context, 752 session_enctype_string, 753 &enctype); 754 755 if (ret) 756 krb5_err(context, 1, ret, "krb5_string_to_enctype"); 757 758 if (enctype != keyblock->keytype) 759 errx(1, "keytype is not the expected %d != %d", 760 (int)enctype, (int)keyblock2->keytype); 761 } 762 763 if (keyblock) 764 krb5_free_keyblock(context, keyblock); 765 if (keyblock2) 766 krb5_free_keyblock(context, keyblock2); 767 768 maj_stat = gsskrb5_get_initiator_subkey(&min_stat, 769 sctx, 770 &keyblock); 771 if (maj_stat != GSS_S_COMPLETE 772 && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY))) 773 errx(1, "gsskrb5_get_initiator_subkey failed: %s", 774 gssapi_err(maj_stat, min_stat, actual_mech)); 775 776 if (maj_stat == GSS_S_COMPLETE) { 777 778 if (limit_enctype && keyblock->keytype != limit_enctype) 779 errx(1, "gsskrb5_get_initiator_subkey wrong enctype"); 780 krb5_free_keyblock(context, keyblock); 781 } 782 783 maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, 784 sctx, 785 128, 786 &authz_data); 787 if (maj_stat == GSS_S_COMPLETE) 788 gss_release_buffer(&min_stat, &authz_data); 789 790 791 memset(&out1, 0, sizeof(out1)); 792 memset(&out2, 0, sizeof(out2)); 793 794 in.value = "foo"; 795 in.length = 3; 796 797 gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in, 798 100, &out1); 799 gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in, 800 100, &out2); 801 802 if (out1.length != out2.length) 803 errx(1, "prf len mismatch"); 804 if (memcmp(out1.value, out2.value, out1.length) != 0) 805 errx(1, "prf data mismatch"); 806 807 gss_release_buffer(&min_stat, &out1); 808 809 gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in, 810 100, &out1); 811 812 if (out1.length != out2.length) 813 errx(1, "prf len mismatch"); 814 if (memcmp(out1.value, out2.value, out1.length) != 0) 815 errx(1, "prf data mismatch"); 816 817 gss_release_buffer(&min_stat, &out1); 818 gss_release_buffer(&min_stat, &out2); 819 820 in.value = "bar"; 821 in.length = 3; 822 823 gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in, 824 100, &out1); 825 gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in, 826 100, &out2); 827 828 if (out1.length != out2.length) 829 errx(1, "prf len mismatch"); 830 if (memcmp(out1.value, out2.value, out1.length) != 0) 831 errx(1, "prf data mismatch"); 832 833 gss_release_buffer(&min_stat, &out1); 834 gss_release_buffer(&min_stat, &out2); 835 836 wrapunwrap_flag = 1; 837 getverifymic_flag = 1; 838 } 839 840 if (wrapunwrap_flag) { 841 wrapunwrap(cctx, sctx, 0, actual_mech); 842 wrapunwrap(cctx, sctx, 1, actual_mech); 843 wrapunwrap(sctx, cctx, 0, actual_mech); 844 wrapunwrap(sctx, cctx, 1, actual_mech); 845 } 846 847 if (iov_flag) { 848 wrapunwrap_iov(cctx, sctx, 0, actual_mech); 849 wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech); 850 wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech); 851 wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech); 852 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech); 853 854 wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech); 855 wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech); 856 wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech); 857 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech); 858 859 wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech); 860 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech); 861 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech); 862 863/* works */ 864 wrapunwrap_iov(cctx, sctx, 0, actual_mech); 865 wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech); 866 867 wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech); 868 wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech); 869 870 wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech); 871 wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech); 872 873 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech); 874 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech); 875 876 wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech); 877 wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech); 878 879 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech); 880 wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech); 881 } 882 883 if (getverifymic_flag) { 884 getverifymic(cctx, sctx, actual_mech); 885 getverifymic(cctx, sctx, actual_mech); 886 getverifymic(sctx, cctx, actual_mech); 887 getverifymic(sctx, cctx, actual_mech); 888 } 889 890 891 gss_delete_sec_context(&min_stat, &cctx, NULL); 892 gss_delete_sec_context(&min_stat, &sctx, NULL); 893 894 if (deleg_cred != GSS_C_NO_CREDENTIAL) { 895 gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL; 896 gss_buffer_desc cb; 897 898 if (verbose_flag) 899 printf("checking actual mech (%s) on delegated cred\n", 900 oid_to_string(actual_mech)); 901 loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2); 902 903 gss_delete_sec_context(&min_stat, &cctx, NULL); 904 gss_delete_sec_context(&min_stat, &sctx, NULL); 905 906 gss_release_cred(&min_stat, &cred2); 907 908 /* try again using SPNEGO */ 909 if (verbose_flag) 910 printf("checking spnego on delegated cred\n"); 911 loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx, 912 &actual_mech2, &cred2); 913 914 gss_delete_sec_context(&min_stat, &cctx, NULL); 915 gss_delete_sec_context(&min_stat, &sctx, NULL); 916 917 gss_release_cred(&min_stat, &cred2); 918 919 /* check export/import */ 920 if (ei_flag) { 921 922 maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb); 923 if (maj_stat != GSS_S_COMPLETE) 924 errx(1, "export failed: %s", 925 gssapi_err(maj_stat, min_stat, NULL)); 926 927 maj_stat = gss_import_cred(&min_stat, &cb, &cred2); 928 if (maj_stat != GSS_S_COMPLETE) 929 errx(1, "import failed: %s", 930 gssapi_err(maj_stat, min_stat, NULL)); 931 932 gss_release_buffer(&min_stat, &cb); 933 gss_release_cred(&min_stat, &deleg_cred); 934 935 if (verbose_flag) 936 printf("checking actual mech (%s) on export/imported cred\n", 937 oid_to_string(actual_mech)); 938 loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx, 939 &actual_mech2, &deleg_cred); 940 941 gss_release_cred(&min_stat, &deleg_cred); 942 943 gss_delete_sec_context(&min_stat, &cctx, NULL); 944 gss_delete_sec_context(&min_stat, &sctx, NULL); 945 946 /* try again using SPNEGO */ 947 if (verbose_flag) 948 printf("checking SPNEGO on export/imported cred\n"); 949 loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx, 950 &actual_mech2, &deleg_cred); 951 952 gss_release_cred(&min_stat, &deleg_cred); 953 954 gss_delete_sec_context(&min_stat, &cctx, NULL); 955 gss_delete_sec_context(&min_stat, &sctx, NULL); 956 957 gss_release_cred(&min_stat, &cred2); 958 959 } else { 960 gss_release_cred(&min_stat, &deleg_cred); 961 } 962 963 } 964 965 empty_release(); 966 967 krb5_free_context(context); 968 969 return 0; 970}