PageRenderTime 82ms CodeModel.GetById 13ms app.highlight 61ms RepoModel.GetById 1ms app.codeStats 0ms

/crypto/heimdal/lib/gssapi/test_context.c

https://bitbucket.org/freebsd/freebsd-head/
C | 970 lines | 756 code | 172 blank | 42 comment | 213 complexity | 2704fa17d924722cc3f24736124de54e MD5 | raw file
  1/*
  2 * Copyright (c) 2006 - 2008 Kungliga Tekniska Hรถgskolan
  3 * (Royal Institute of Technology, Stockholm, Sweden).
  4 * All rights reserved.
  5 *
  6 * Redistribution and use in source and binary forms, with or without
  7 * modification, are permitted provided that the following conditions
  8 * are met:
  9 *
 10 * 1. Redistributions of source code must retain the above copyright
 11 *    notice, this list of conditions and the following disclaimer.
 12 *
 13 * 2. Redistributions in binary form must reproduce the above copyright
 14 *    notice, this list of conditions and the following disclaimer in the
 15 *    documentation and/or other materials provided with the distribution.
 16 *
 17 * 3. Neither the name of KTH nor the names of its contributors may be
 18 *    used to endorse or promote products derived from this software without
 19 *    specific prior written permission.
 20 *
 21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
 22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
 25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 32 */
 33
 34#include "krb5/gsskrb5_locl.h"
 35#include <err.h>
 36#include <getarg.h>
 37#include <gssapi.h>
 38#include <gssapi_krb5.h>
 39#include <gssapi_spnego.h>
 40#include <gssapi_ntlm.h>
 41#include "test_common.h"
 42
 43static char *type_string;
 44static char *mech_string;
 45static char *ret_mech_string;
 46static char *client_name;
 47static char *client_password;
 48static int dns_canon_flag = -1;
 49static int mutual_auth_flag = 0;
 50static int dce_style_flag = 0;
 51static int wrapunwrap_flag = 0;
 52static int iov_flag = 0;
 53static int getverifymic_flag = 0;
 54static int deleg_flag = 0;
 55static int policy_deleg_flag = 0;
 56static int server_no_deleg_flag = 0;
 57static int ei_flag = 0;
 58static char *gsskrb5_acceptor_identity = NULL;
 59static char *session_enctype_string = NULL;
 60static int client_time_offset = 0;
 61static int server_time_offset = 0;
 62static int max_loops = 0;
 63static char *limit_enctype_string = NULL;
 64static int version_flag = 0;
 65static int verbose_flag = 0;
 66static int help_flag	= 0;
 67
 68static krb5_context context;
 69static krb5_enctype limit_enctype = 0;
 70
 71static struct {
 72    const char *name;
 73    gss_OID oid;
 74} o2n[] = {
 75    { "krb5", NULL /* GSS_KRB5_MECHANISM */ },
 76    { "spnego", NULL /* GSS_SPNEGO_MECHANISM */ },
 77    { "ntlm", NULL /* GSS_NTLM_MECHANISM */ },
 78    { "sasl-digest-md5", NULL /* GSS_SASL_DIGEST_MD5_MECHANISM */ }
 79};
 80
 81static void
 82init_o2n(void)
 83{
 84    o2n[0].oid = GSS_KRB5_MECHANISM;
 85    o2n[1].oid = GSS_SPNEGO_MECHANISM;
 86    o2n[2].oid = GSS_NTLM_MECHANISM;
 87    o2n[3].oid = GSS_SASL_DIGEST_MD5_MECHANISM;
 88}
 89
 90static gss_OID
 91string_to_oid(const char *name)
 92{
 93    int i;
 94    for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
 95	if (strcasecmp(name, o2n[i].name) == 0)
 96	    return o2n[i].oid;
 97    errx(1, "name '%s' not unknown", name);
 98}
 99
100static const char *
101oid_to_string(const gss_OID oid)
102{
103    int i;
104    for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
105	if (gss_oid_equal(oid, o2n[i].oid))
106	    return o2n[i].name;
107    return "unknown oid";
108}
109
110static void
111loop(gss_OID mechoid,
112     gss_OID nameoid, const char *target,
113     gss_cred_id_t init_cred,
114     gss_ctx_id_t *sctx, gss_ctx_id_t *cctx,
115     gss_OID *actual_mech,
116     gss_cred_id_t *deleg_cred)
117{
118    int server_done = 0, client_done = 0;
119    int num_loops = 0;
120    OM_uint32 maj_stat, min_stat;
121    gss_name_t gss_target_name;
122    gss_buffer_desc input_token, output_token;
123    OM_uint32 flags = 0, ret_cflags, ret_sflags;
124    gss_OID actual_mech_client;
125    gss_OID actual_mech_server;
126
127    *actual_mech = GSS_C_NO_OID;
128
129    flags |= GSS_C_INTEG_FLAG;
130    flags |= GSS_C_CONF_FLAG;
131
132    if (mutual_auth_flag)
133	flags |= GSS_C_MUTUAL_FLAG;
134    if (dce_style_flag)
135	flags |= GSS_C_DCE_STYLE;
136    if (deleg_flag)
137	flags |= GSS_C_DELEG_FLAG;
138    if (policy_deleg_flag)
139	flags |= GSS_C_DELEG_POLICY_FLAG;
140
141    input_token.value = rk_UNCONST(target);
142    input_token.length = strlen(target);
143
144    maj_stat = gss_import_name(&min_stat,
145			       &input_token,
146			       nameoid,
147			       &gss_target_name);
148    if (GSS_ERROR(maj_stat))
149	err(1, "import name creds failed with: %d", maj_stat);
150
151    input_token.length = 0;
152    input_token.value = NULL;
153
154    while (!server_done || !client_done) {
155	num_loops++;
156
157	gsskrb5_set_time_offset(client_time_offset);
158
159	maj_stat = gss_init_sec_context(&min_stat,
160					init_cred,
161					cctx,
162					gss_target_name,
163					mechoid,
164					flags,
165					0,
166					NULL,
167					&input_token,
168					&actual_mech_client,
169					&output_token,
170					&ret_cflags,
171					NULL);
172	if (GSS_ERROR(maj_stat))
173	    errx(1, "init_sec_context: %s",
174		 gssapi_err(maj_stat, min_stat, mechoid));
175	if (maj_stat & GSS_S_CONTINUE_NEEDED)
176	    ;
177	else
178	    client_done = 1;
179
180	gsskrb5_get_time_offset(&client_time_offset);
181
182	if (client_done && server_done)
183	    break;
184
185	if (input_token.length != 0)
186	    gss_release_buffer(&min_stat, &input_token);
187
188	gsskrb5_set_time_offset(server_time_offset);
189
190	maj_stat = gss_accept_sec_context(&min_stat,
191					  sctx,
192					  GSS_C_NO_CREDENTIAL,
193					  &output_token,
194					  GSS_C_NO_CHANNEL_BINDINGS,
195					  NULL,
196					  &actual_mech_server,
197					  &input_token,
198					  &ret_sflags,
199					  NULL,
200					  deleg_cred);
201	if (GSS_ERROR(maj_stat))
202		errx(1, "accept_sec_context: %s",
203		     gssapi_err(maj_stat, min_stat, actual_mech_server));
204
205	gsskrb5_get_time_offset(&server_time_offset);
206
207	if (output_token.length != 0)
208	    gss_release_buffer(&min_stat, &output_token);
209
210	if (maj_stat & GSS_S_CONTINUE_NEEDED)
211	    ;
212	else
213	    server_done = 1;
214    }
215    if (output_token.length != 0)
216	gss_release_buffer(&min_stat, &output_token);
217    if (input_token.length != 0)
218	gss_release_buffer(&min_stat, &input_token);
219    gss_release_name(&min_stat, &gss_target_name);
220
221    if (deleg_flag || policy_deleg_flag) {
222	if (server_no_deleg_flag) {
223	    if (*deleg_cred != GSS_C_NO_CREDENTIAL)
224		errx(1, "got delegated cred but didn't expect one");
225	} else if (*deleg_cred == GSS_C_NO_CREDENTIAL)
226	    errx(1, "asked for delegarated cred but did get one");
227    } else if (*deleg_cred != GSS_C_NO_CREDENTIAL)
228	  errx(1, "got deleg_cred cred but didn't ask");
229
230    if (gss_oid_equal(actual_mech_server, actual_mech_client) == 0)
231	errx(1, "mech mismatch");
232    *actual_mech = actual_mech_server;
233
234    if (max_loops && num_loops > max_loops)
235	errx(1, "num loops %d was lager then max loops %d",
236	     num_loops, max_loops);
237
238    if (verbose_flag) {
239	printf("server time offset: %d\n", server_time_offset);
240	printf("client time offset: %d\n", client_time_offset);
241	printf("num loops %d\n", num_loops);
242    }
243}
244
245static void
246wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
247{
248    gss_buffer_desc input_token, output_token, output_token2;
249    OM_uint32 min_stat, maj_stat;
250    gss_qop_t qop_state;
251    int conf_state;
252
253    input_token.value = "foo";
254    input_token.length = 3;
255
256    maj_stat = gss_wrap(&min_stat, cctx, flags, 0, &input_token,
257			&conf_state, &output_token);
258    if (maj_stat != GSS_S_COMPLETE)
259	errx(1, "gss_wrap failed: %s",
260	     gssapi_err(maj_stat, min_stat, mechoid));
261
262    maj_stat = gss_unwrap(&min_stat, sctx, &output_token,
263			  &output_token2, &conf_state, &qop_state);
264    if (maj_stat != GSS_S_COMPLETE)
265	errx(1, "gss_unwrap failed: %s",
266	     gssapi_err(maj_stat, min_stat, mechoid));
267
268    gss_release_buffer(&min_stat, &output_token);
269    gss_release_buffer(&min_stat, &output_token2);
270
271#if 0 /* doesn't work for NTLM yet */
272    if (!!conf_state != !!flags)
273	errx(1, "conf_state mismatch");
274#endif
275}
276
277#define USE_CONF		1
278#define USE_HEADER_ONLY		2
279#define USE_SIGN_ONLY		4
280#define FORCE_IOV		8
281
282static void
283wrapunwrap_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
284{
285    krb5_data token, header, trailer;
286    OM_uint32 min_stat, maj_stat;
287    gss_qop_t qop_state;
288    int conf_state, conf_state2;
289    gss_iov_buffer_desc iov[6];
290    unsigned char *p;
291    int iov_len;
292    char header_data[9] = "ABCheader";
293    char trailer_data[10] = "trailerXYZ";
294
295    char token_data[16] = "0123456789abcdef";
296
297    memset(&iov, 0, sizeof(iov));
298
299    if (flags & USE_SIGN_ONLY) {
300	header.data = header_data;
301	header.length = 9;
302	trailer.data = trailer_data;
303	trailer.length = 10;
304    } else {
305	header.data = NULL;
306	header.length = 0;
307	trailer.data = NULL;
308	trailer.length = 0;
309    }
310
311    token.data = token_data;
312    token.length = 16;
313
314    iov_len = sizeof(iov)/sizeof(iov[0]);
315
316    memset(iov, 0, sizeof(iov));
317
318    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
319
320    if (header.length != 0) {
321	iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
322	iov[1].buffer.length = header.length;
323	iov[1].buffer.value = header.data;
324    } else {
325	iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
326	iov[1].buffer.length = 0;
327	iov[1].buffer.value = NULL;
328    }
329    iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
330    iov[2].buffer.length = token.length;
331    iov[2].buffer.value = token.data;
332    if (trailer.length != 0) {
333	iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
334	iov[3].buffer.length = trailer.length;
335	iov[3].buffer.value = trailer.data;
336    } else {
337	iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
338	iov[3].buffer.length = 0;
339	iov[3].buffer.value = NULL;
340    }
341    if (dce_style_flag) {
342	iov[4].type = GSS_IOV_BUFFER_TYPE_EMPTY;
343    } else {
344	iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
345    }
346    iov[4].buffer.length = 0;
347    iov[4].buffer.value = 0;
348    if (dce_style_flag) {
349	iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY;
350    } else if (flags & USE_HEADER_ONLY) {
351	iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY;
352    } else {
353	iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
354    }
355    iov[5].buffer.length = 0;
356    iov[5].buffer.value = 0;
357
358    maj_stat = gss_wrap_iov(&min_stat, cctx, dce_style_flag || flags & USE_CONF, 0, &conf_state,
359			    iov, iov_len);
360    if (maj_stat != GSS_S_COMPLETE)
361	errx(1, "gss_wrap_iov failed");
362
363    token.length =
364	iov[0].buffer.length +
365	iov[1].buffer.length +
366	iov[2].buffer.length +
367	iov[3].buffer.length +
368	iov[4].buffer.length +
369	iov[5].buffer.length;
370    token.data = emalloc(token.length);
371
372    p = token.data;
373    memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
374    p += iov[0].buffer.length;
375    memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
376    p += iov[1].buffer.length;
377    memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
378    p += iov[2].buffer.length;
379    memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
380    p += iov[3].buffer.length;
381    memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
382    p += iov[4].buffer.length;
383    memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
384    p += iov[5].buffer.length;
385
386    assert(p - ((unsigned char *)token.data) == token.length);
387
388    if ((flags & (USE_SIGN_ONLY|FORCE_IOV)) == 0) {
389	gss_buffer_desc input, output;
390
391	input.value = token.data;
392	input.length = token.length;
393
394	maj_stat = gss_unwrap(&min_stat, sctx, &input,
395			      &output, &conf_state2, &qop_state);
396
397	if (maj_stat != GSS_S_COMPLETE)
398	    errx(1, "gss_unwrap from gss_wrap_iov failed: %s",
399		 gssapi_err(maj_stat, min_stat, mechoid));
400
401	gss_release_buffer(&min_stat, &output);
402    } else {
403	maj_stat = gss_unwrap_iov(&min_stat, sctx, &conf_state2, &qop_state,
404				  iov, iov_len);
405
406	if (maj_stat != GSS_S_COMPLETE)
407	    errx(1, "gss_unwrap_iov failed: %x %s", flags,
408		 gssapi_err(maj_stat, min_stat, mechoid));
409
410    }
411    if (conf_state2 != conf_state)
412	errx(1, "conf state wrong for iov: %x", flags);
413
414
415    free(token.data);
416}
417
418static void
419getverifymic(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
420{
421    gss_buffer_desc input_token, output_token;
422    OM_uint32 min_stat, maj_stat;
423    gss_qop_t qop_state;
424
425    input_token.value = "bar";
426    input_token.length = 3;
427
428    maj_stat = gss_get_mic(&min_stat, cctx, 0, &input_token,
429			   &output_token);
430    if (maj_stat != GSS_S_COMPLETE)
431	errx(1, "gss_get_mic failed: %s",
432	     gssapi_err(maj_stat, min_stat, mechoid));
433
434    maj_stat = gss_verify_mic(&min_stat, sctx, &input_token,
435			      &output_token, &qop_state);
436    if (maj_stat != GSS_S_COMPLETE)
437	errx(1, "gss_verify_mic failed: %s",
438	     gssapi_err(maj_stat, min_stat, mechoid));
439
440    gss_release_buffer(&min_stat, &output_token);
441}
442
443static void
444empty_release(void)
445{
446    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
447    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
448    gss_name_t name = GSS_C_NO_NAME;
449    gss_OID_set oidset = GSS_C_NO_OID_SET;
450    OM_uint32 junk;
451
452    gss_delete_sec_context(&junk, &ctx, NULL);
453    gss_release_cred(&junk, &cred);
454    gss_release_name(&junk, &name);
455    gss_release_oid_set(&junk, &oidset);
456}
457
458/*
459 *
460 */
461
462static struct getargs args[] = {
463    {"name-type",0,	arg_string, &type_string,  "type of name", NULL },
464    {"mech-type",0,	arg_string, &mech_string,  "type of mech", NULL },
465    {"ret-mech-type",0,	arg_string, &ret_mech_string,
466     "type of return mech", NULL },
467    {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
468     "use dns to canonicalize", NULL },
469    {"mutual-auth",0,	arg_flag,	&mutual_auth_flag,"mutual auth", NULL },
470    {"client-name", 0,  arg_string,     &client_name, "client name", NULL },
471    {"client-password", 0,  arg_string, &client_password, "client password", NULL },
472    {"limit-enctype",0,	arg_string,	&limit_enctype_string, "enctype", NULL },
473    {"dce-style",0,	arg_flag,	&dce_style_flag, "dce-style", NULL },
474    {"wrapunwrap",0,	arg_flag,	&wrapunwrap_flag, "wrap/unwrap", NULL },
475    {"iov", 0, 		arg_flag,	&iov_flag, "wrap/unwrap iov", NULL },
476    {"getverifymic",0,	arg_flag,	&getverifymic_flag,
477     "get and verify mic", NULL },
478    {"delegate",0,	arg_flag,	&deleg_flag, "delegate credential", NULL },
479    {"policy-delegate",0,	arg_flag,	&policy_deleg_flag, "policy delegate credential", NULL },
480    {"server-no-delegate",0,	arg_flag,	&server_no_deleg_flag,
481     "server should get a credential", NULL },
482    {"export-import-cred",0,	arg_flag,	&ei_flag, "test export/import cred", NULL },
483    {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL },
484    {"session-enctype",	0, arg_string,	&session_enctype_string, "enctype", NULL },
485    {"client-time-offset",	0, arg_integer,	&client_time_offset, "time", NULL },
486    {"server-time-offset",	0, arg_integer,	&server_time_offset, "time", NULL },
487    {"max-loops",	0, arg_integer,	&max_loops, "time", NULL },
488    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
489    {"verbose",	'v',	arg_flag,	&verbose_flag, "verbose", NULL },
490    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
491};
492
493static void
494usage (int ret)
495{
496    arg_printusage (args, sizeof(args)/sizeof(*args),
497		    NULL, "service@host");
498    exit (ret);
499}
500
501int
502main(int argc, char **argv)
503{
504    int optind = 0;
505    OM_uint32 min_stat, maj_stat;
506    gss_ctx_id_t cctx, sctx;
507    void *ctx;
508    gss_OID nameoid, mechoid, actual_mech, actual_mech2;
509    gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
510    gss_name_t cname = GSS_C_NO_NAME;
511    gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER;
512
513    setprogname(argv[0]);
514
515    init_o2n();
516
517    if (krb5_init_context(&context))
518	errx(1, "krb5_init_context");
519
520    cctx = sctx = GSS_C_NO_CONTEXT;
521
522    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
523	usage(1);
524
525    if (help_flag)
526	usage (0);
527
528    if(version_flag){
529	print_version(NULL);
530	exit(0);
531    }
532
533    argc -= optind;
534    argv += optind;
535
536    if (argc != 1)
537	usage(1);
538
539    if (dns_canon_flag != -1)
540	gsskrb5_set_dns_canonicalize(dns_canon_flag);
541
542    if (type_string == NULL)
543	nameoid = GSS_C_NT_HOSTBASED_SERVICE;
544    else if (strcmp(type_string, "hostbased-service") == 0)
545	nameoid = GSS_C_NT_HOSTBASED_SERVICE;
546    else if (strcmp(type_string, "krb5-principal-name") == 0)
547	nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
548    else
549	errx(1, "%s not suppported", type_string);
550
551    if (mech_string == NULL)
552	mechoid = GSS_KRB5_MECHANISM;
553    else
554	mechoid = string_to_oid(mech_string);
555
556    if (gsskrb5_acceptor_identity) {
557	maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
558	if (maj_stat)
559	    errx(1, "gsskrb5_acceptor_identity: %s",
560		 gssapi_err(maj_stat, 0, GSS_C_NO_OID));
561    }
562
563    if (client_password) {
564	credential_data.value = client_password;
565	credential_data.length = strlen(client_password);
566    }
567
568    if (client_name) {
569	gss_buffer_desc cn;
570
571	cn.value = client_name;
572	cn.length = strlen(client_name);
573
574	maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
575	if (maj_stat)
576	    errx(1, "gss_import_name: %s",
577		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
578    }
579
580    if (client_password) {
581	maj_stat = gss_acquire_cred_with_password(&min_stat,
582						  cname,
583						  &credential_data,
584						  GSS_C_INDEFINITE,
585						  GSS_C_NO_OID_SET,
586						  GSS_C_INITIATE,
587						  &client_cred,
588						  NULL,
589						  NULL);
590	if (GSS_ERROR(maj_stat))
591	    errx(1, "gss_acquire_cred_with_password: %s",
592		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
593    } else {
594	maj_stat = gss_acquire_cred(&min_stat,
595				    cname,
596				    GSS_C_INDEFINITE,
597				    GSS_C_NO_OID_SET,
598				    GSS_C_INITIATE,
599				    &client_cred,
600				    NULL,
601				    NULL);
602	if (GSS_ERROR(maj_stat))
603	    errx(1, "gss_acquire_cred: %s",
604		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
605    }
606
607    if (limit_enctype_string) {
608	krb5_error_code ret;
609
610	ret = krb5_string_to_enctype(context,
611				     limit_enctype_string,
612				     &limit_enctype);
613	if (ret)
614	    krb5_err(context, 1, ret, "krb5_string_to_enctype");
615    }
616
617
618    if (limit_enctype) {
619	if (client_cred == NULL)
620	    errx(1, "client_cred missing");
621
622	maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
623						   1, &limit_enctype);
624	if (maj_stat)
625	    errx(1, "gss_krb5_set_allowable_enctypes: %s",
626		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
627    }
628
629    loop(mechoid, nameoid, argv[0], client_cred,
630	 &sctx, &cctx, &actual_mech, &deleg_cred);
631
632    if (verbose_flag)
633	printf("resulting mech: %s\n", oid_to_string(actual_mech));
634
635    if (ret_mech_string) {
636	gss_OID retoid;
637
638	retoid = string_to_oid(ret_mech_string);
639
640	if (gss_oid_equal(retoid, actual_mech) == 0)
641	    errx(1, "actual_mech mech is not the expected type %s",
642		 ret_mech_string);
643    }
644
645    /* XXX should be actual_mech */
646    if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
647	time_t time;
648	gss_buffer_desc authz_data;
649	gss_buffer_desc in, out1, out2;
650	krb5_keyblock *keyblock, *keyblock2;
651	krb5_timestamp now;
652	krb5_error_code ret;
653
654	ret = krb5_timeofday(context, &now);
655	if (ret)
656	    errx(1, "krb5_timeofday failed");
657
658	/* client */
659	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
660						     &cctx,
661						     1, /* version */
662						     &ctx);
663	if (maj_stat != GSS_S_COMPLETE)
664	    errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
665		 gssapi_err(maj_stat, min_stat, actual_mech));
666
667
668	maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
669	if (maj_stat != GSS_S_COMPLETE)
670	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
671		     gssapi_err(maj_stat, min_stat, actual_mech));
672
673	/* server */
674	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
675						     &sctx,
676						     1, /* version */
677						     &ctx);
678	if (maj_stat != GSS_S_COMPLETE)
679	    errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
680		     gssapi_err(maj_stat, min_stat, actual_mech));
681	maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
682	if (maj_stat != GSS_S_COMPLETE)
683	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
684		     gssapi_err(maj_stat, min_stat, actual_mech));
685
686 	maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
687							     sctx,
688							     &time);
689	if (maj_stat != GSS_S_COMPLETE)
690	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
691		     gssapi_err(maj_stat, min_stat, actual_mech));
692
693	if (time > now)
694	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
695		 "time authtime is before now: %ld %ld",
696		 (long)time, (long)now);
697
698 	maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
699						    sctx,
700						    &keyblock);
701	if (maj_stat != GSS_S_COMPLETE)
702	    errx(1, "gsskrb5_export_service_keyblock failed: %s",
703		     gssapi_err(maj_stat, min_stat, actual_mech));
704
705	krb5_free_keyblock(context, keyblock);
706
707 	maj_stat = gsskrb5_get_subkey(&min_stat,
708				      sctx,
709				      &keyblock);
710	if (maj_stat != GSS_S_COMPLETE
711	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
712	    errx(1, "gsskrb5_get_subkey server failed: %s",
713		     gssapi_err(maj_stat, min_stat, actual_mech));
714
715	if (maj_stat != GSS_S_COMPLETE)
716	    keyblock = NULL;
717	else if (limit_enctype && keyblock->keytype != limit_enctype)
718	    errx(1, "gsskrb5_get_subkey wrong enctype");
719
720 	maj_stat = gsskrb5_get_subkey(&min_stat,
721				      cctx,
722				      &keyblock2);
723	if (maj_stat != GSS_S_COMPLETE
724	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
725	    errx(1, "gsskrb5_get_subkey client failed: %s",
726		     gssapi_err(maj_stat, min_stat, actual_mech));
727
728	if (maj_stat != GSS_S_COMPLETE)
729	    keyblock2 = NULL;
730	else if (limit_enctype && keyblock->keytype != limit_enctype)
731	    errx(1, "gsskrb5_get_subkey wrong enctype");
732
733	if (keyblock || keyblock2) {
734	    if (keyblock == NULL)
735		errx(1, "server missing token keyblock");
736	    if (keyblock2 == NULL)
737		errx(1, "client missing token keyblock");
738
739	    if (keyblock->keytype != keyblock2->keytype)
740		errx(1, "enctype mismatch");
741	    if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
742		errx(1, "key length mismatch");
743	    if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
744		       keyblock2->keyvalue.length) != 0)
745		errx(1, "key data mismatch");
746	}
747
748	if (session_enctype_string) {
749	    krb5_enctype enctype;
750
751	    ret = krb5_string_to_enctype(context,
752					 session_enctype_string,
753					 &enctype);
754
755	    if (ret)
756		krb5_err(context, 1, ret, "krb5_string_to_enctype");
757
758	    if (enctype != keyblock->keytype)
759		errx(1, "keytype is not the expected %d != %d",
760		     (int)enctype, (int)keyblock2->keytype);
761	}
762
763	if (keyblock)
764	    krb5_free_keyblock(context, keyblock);
765	if (keyblock2)
766	    krb5_free_keyblock(context, keyblock2);
767
768 	maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
769						sctx,
770						&keyblock);
771	if (maj_stat != GSS_S_COMPLETE
772	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
773	    errx(1, "gsskrb5_get_initiator_subkey failed: %s",
774		     gssapi_err(maj_stat, min_stat, actual_mech));
775
776	if (maj_stat == GSS_S_COMPLETE) {
777
778	    if (limit_enctype && keyblock->keytype != limit_enctype)
779		errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
780	    krb5_free_keyblock(context, keyblock);
781	}
782
783 	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
784							       sctx,
785							       128,
786							       &authz_data);
787	if (maj_stat == GSS_S_COMPLETE)
788	    gss_release_buffer(&min_stat, &authz_data);
789
790
791	memset(&out1, 0, sizeof(out1));
792	memset(&out2, 0, sizeof(out2));
793
794	in.value = "foo";
795	in.length = 3;
796
797	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
798			  100, &out1);
799	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
800			  100, &out2);
801
802	if (out1.length != out2.length)
803	    errx(1, "prf len mismatch");
804	if (memcmp(out1.value, out2.value, out1.length) != 0)
805	    errx(1, "prf data mismatch");
806
807	gss_release_buffer(&min_stat, &out1);
808
809	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
810			  100, &out1);
811
812	if (out1.length != out2.length)
813	    errx(1, "prf len mismatch");
814	if (memcmp(out1.value, out2.value, out1.length) != 0)
815	    errx(1, "prf data mismatch");
816
817	gss_release_buffer(&min_stat, &out1);
818	gss_release_buffer(&min_stat, &out2);
819
820	in.value = "bar";
821	in.length = 3;
822
823	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
824			  100, &out1);
825	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
826			  100, &out2);
827
828	if (out1.length != out2.length)
829	    errx(1, "prf len mismatch");
830	if (memcmp(out1.value, out2.value, out1.length) != 0)
831	    errx(1, "prf data mismatch");
832
833	gss_release_buffer(&min_stat, &out1);
834	gss_release_buffer(&min_stat, &out2);
835
836	wrapunwrap_flag = 1;
837	getverifymic_flag = 1;
838    }
839
840    if (wrapunwrap_flag) {
841	wrapunwrap(cctx, sctx, 0, actual_mech);
842	wrapunwrap(cctx, sctx, 1, actual_mech);
843	wrapunwrap(sctx, cctx, 0, actual_mech);
844	wrapunwrap(sctx, cctx, 1, actual_mech);
845    }
846
847    if (iov_flag) {
848	wrapunwrap_iov(cctx, sctx, 0, actual_mech);
849	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
850	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
851	wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
852	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
853
854	wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
855	wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
856	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
857	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
858
859	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
860	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
861	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
862
863/* works */
864	wrapunwrap_iov(cctx, sctx, 0, actual_mech);
865	wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
866
867	wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
868	wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
869
870	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech);
871	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
872
873	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech);
874	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
875
876	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
877	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
878
879	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
880	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
881    }
882
883    if (getverifymic_flag) {
884	getverifymic(cctx, sctx, actual_mech);
885	getverifymic(cctx, sctx, actual_mech);
886	getverifymic(sctx, cctx, actual_mech);
887	getverifymic(sctx, cctx, actual_mech);
888    }
889
890
891    gss_delete_sec_context(&min_stat, &cctx, NULL);
892    gss_delete_sec_context(&min_stat, &sctx, NULL);
893
894    if (deleg_cred != GSS_C_NO_CREDENTIAL) {
895	gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
896	gss_buffer_desc cb;
897
898	if (verbose_flag)
899	    printf("checking actual mech (%s) on delegated cred\n",
900		   oid_to_string(actual_mech));
901	loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2);
902
903	gss_delete_sec_context(&min_stat, &cctx, NULL);
904	gss_delete_sec_context(&min_stat, &sctx, NULL);
905
906	gss_release_cred(&min_stat, &cred2);
907
908	/* try again using SPNEGO */
909	if (verbose_flag)
910	    printf("checking spnego on delegated cred\n");
911	loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx,
912	     &actual_mech2, &cred2);
913
914	gss_delete_sec_context(&min_stat, &cctx, NULL);
915	gss_delete_sec_context(&min_stat, &sctx, NULL);
916
917	gss_release_cred(&min_stat, &cred2);
918
919	/* check export/import */
920	if (ei_flag) {
921
922	    maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
923	    if (maj_stat != GSS_S_COMPLETE)
924		errx(1, "export failed: %s",
925		     gssapi_err(maj_stat, min_stat, NULL));
926
927	    maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
928	    if (maj_stat != GSS_S_COMPLETE)
929		errx(1, "import failed: %s",
930		     gssapi_err(maj_stat, min_stat, NULL));
931
932	    gss_release_buffer(&min_stat, &cb);
933	    gss_release_cred(&min_stat, &deleg_cred);
934
935	    if (verbose_flag)
936		printf("checking actual mech (%s) on export/imported cred\n",
937		       oid_to_string(actual_mech));
938	    loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx,
939		 &actual_mech2, &deleg_cred);
940
941	    gss_release_cred(&min_stat, &deleg_cred);
942
943	    gss_delete_sec_context(&min_stat, &cctx, NULL);
944	    gss_delete_sec_context(&min_stat, &sctx, NULL);
945
946	    /* try again using SPNEGO */
947	    if (verbose_flag)
948		printf("checking SPNEGO on export/imported cred\n");
949	    loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx,
950		 &actual_mech2, &deleg_cred);
951
952	    gss_release_cred(&min_stat, &deleg_cred);
953
954	    gss_delete_sec_context(&min_stat, &cctx, NULL);
955	    gss_delete_sec_context(&min_stat, &sctx, NULL);
956
957	    gss_release_cred(&min_stat, &cred2);
958
959	} else  {
960	    gss_release_cred(&min_stat, &deleg_cred);
961	}
962
963    }
964
965    empty_release();
966
967    krb5_free_context(context);
968
969    return 0;
970}