/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* tests/gssapi/t_enctypes.c - gss_krb5_set_allowable_enctypes test */
/*
* Copyright (C) 2013 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "k5-int.h"
#include "common.h"
#include "gssapi_ext.h"
/*
* This test program establishes contexts with the krb5 mech, the default
* initiator name, a specified target name, and the default acceptor name.
* Before the exchange, gss_krb5_set_allowable_enctypes is called for the initiator
* and the acceptor cred if requested. If the exchange is successful, the
* resulting contexts are exported with gss_krb5_export_lucid_sec_context,
* checked for mismatches, and the GSS protocol and keys are displayed. Exits
* with status 0 if all operations are successful, or 1 if not.
*
* Usage: ./t_enctypes [-i initenctypes] [-a accenctypes] targetname
*/
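/*
 * Report the command-line synopsis through errout() from common.h.  The
 * callers in main() treat this as fatal (they fall through to code that
 * needs a valid argument), so errout() is presumably non-returning --
 * confirm against common.h.
 */
static void
usage(void)
{
    errout("Usage: t_enctypes [-i initenctypes] [-a accenctypes] "
           "targetname");
}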
/* Error out if ikey is not the same as akey. */
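/*
 * Error out if ikey is not the same as akey.  Two keys match only when the
 * enctype, the length and every key byte agree.  The length comparison is
 * evaluated before memcmp(), so the byte comparison never reads past the
 * shorter key.  Neither key is modified, hence the const qualifiers.
 */
static void
check_key_match(const gss_krb5_lucid_key_t *ikey,
                const gss_krb5_lucid_key_t *akey)
{
    if (ikey->type != akey->type || ikey->length != akey->length ||
        memcmp(ikey->data, akey->data, ikey->length) != 0)
        errout("Initiator and acceptor keys do not match");
}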
/* Display the name of enctype. */
/*
 * Display the name of enctype on stdout, or "(unknown)" when
 * krb5_enctype_to_name() cannot produce a name for it.  No newline is
 * written; the caller controls line layout.
 */
static void
display_enctype(krb5_enctype enctype)
{
    char ename[128];
    const char *shown;

    /* A zero return from krb5_enctype_to_name() means ename was filled in. */
    shown = (krb5_enctype_to_name(enctype, FALSE, ename, sizeof(ename)) == 0) ?
        ename : "(unknown)";
    fputs(shown, stdout);
}
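/*
 * Return the number of entries in the zero-terminated enctype list produced
 * by krb5int_parse_enctype_list().  list must not be NULL.
 */
static size_t
enctype_list_len(const krb5_enctype *list)
{
    size_t n = 0;

    while (list[n] != 0)
        n++;
    return n;
}

/*
 * Entry point.  Parses the -i/-a enctype lists and the target name, restricts
 * the initiator and/or acceptor cred to those enctypes when requested,
 * establishes a krb5 context pair, range-checks the SASL SSF reported for the
 * initiator context, exports both contexts as lucid contexts, checks that the
 * two sides agree on protocol and keys, and prints the protocol and key
 * enctypes.  Every failure is reported through errout()/check_k5err()/
 * check_gsserr() from common.h; on success the process exits with 0.
 */
int
main(int argc, char *argv[])
{
    krb5_error_code ret;
    krb5_context kctx = NULL;
    krb5_enctype *ienc = NULL, *aenc = NULL, zero = 0;
    OM_uint32 minor, major, flags;
    gss_name_t tname;
    gss_cred_id_t icred = GSS_C_NO_CREDENTIAL, acred = GSS_C_NO_CREDENTIAL;
    gss_ctx_id_t ictx, actx;
    gss_krb5_lucid_context_v1_t *ilucid, *alucid;
    gss_krb5_rfc1964_keydata_t *i1964, *a1964;
    gss_krb5_cfx_keydata_t *icfx, *acfx;
    gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
    gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF;
    unsigned int ssf;
    size_t count;
    void *lptr;
    int c;

    ret = krb5_init_context(&kctx);
    check_k5err(kctx, "krb5_init_context", ret);

    /*
     * Parse arguments.  &zero is a zero-terminated default list with no
     * entries, so only the enctypes named on the command line end up in
     * ienc/aenc; both lists are heap-allocated and freed at the end.
     */
    while ((c = getopt(argc, argv, "i:a:")) != -1) {
        switch (c) {
        case 'i':
            ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &ienc);
            check_k5err(kctx, "krb5_parse_enctype_list(initiator)", ret);
            break;
        case 'a':
            ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &aenc);
            check_k5err(kctx, "krb5_parse_enctype_list(acceptor)", ret);
            break;
        default:
            usage();
        }
    }
    argc -= optind;
    argv += optind;
    if (argc != 1)
        usage();
    tname = import_name(*argv);

    /* Restrict the initiator cred to the -i enctypes, if any were given. */
    if (ienc != NULL) {
        major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                                 &mechset_krb5, GSS_C_INITIATE, &icred, NULL,
                                 NULL);
        check_gsserr("gss_acquire_cred(initiator)", major, minor);

        count = enctype_list_len(ienc);
        major = gss_krb5_set_allowable_enctypes(&minor, icred, count, ienc);
        check_gsserr("gss_krb5_set_allowable_enctypes(init)", major, minor);
    }
    /* Likewise restrict the acceptor cred to the -a enctypes. */
    if (aenc != NULL) {
        major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                                 &mechset_krb5, GSS_C_ACCEPT, &acred, NULL,
                                 NULL);
        check_gsserr("gss_acquire_cred(acceptor)", major, minor);

        count = enctype_list_len(aenc);
        major = gss_krb5_set_allowable_enctypes(&minor, acred, count, aenc);
        check_gsserr("gss_krb5_set_allowable_enctypes(acc)", major, minor);
    }

    /* Unset creds (GSS_C_NO_CREDENTIAL) mean the defaults are used. */
    flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
    establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx,
                       NULL, NULL, NULL);

    /*
     * Query the SSF value and range-check the result.  Verify that the
     * buffer set holds an element before touching elements[0]; the SSF is
     * encoded as a 4-byte big-endian integer.
     */
    major = gss_inquire_sec_context_by_oid(&minor, ictx, ssf_oid, &bufset);
    check_gsserr("gss_inquire_sec_context_by_oid(ssf)", major, minor);
    if (bufset == GSS_C_NO_BUFFER_SET || bufset->count < 1)
        errout("SSF query returned no buffer");
    if (bufset->elements[0].length != 4)
        errout("SSF buffer has unexpected length");
    ssf = load_32_be(bufset->elements[0].value);
    if (ssf < 56 || ssf > 256)
        errout("SSF value not within acceptable range (56-256)");
    (void)gss_release_buffer_set(&minor, &bufset);

    /* Export to lucid contexts (version 1 of the lucid structure). */
    major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr);
    check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor);
    ilucid = lptr;
    major = gss_krb5_export_lucid_sec_context(&minor, &actx, 1, &lptr);
    check_gsserr("gss_export_lucid_sec_context(acceptor)", major, minor);
    alucid = lptr;

    /*
     * Grab the session keys and make sure they match.  A non-zero protocol
     * selects the CFX key data, zero the RFC 1964 key data; both sides must
     * report the same protocol before their key data can be compared.
     */
    if (ilucid->protocol != alucid->protocol)
        errout("Initiator/acceptor protocol mismatch");
    if (ilucid->protocol) {
        icfx = &ilucid->cfx_kd;
        acfx = &alucid->cfx_kd;
        if (icfx->have_acceptor_subkey != acfx->have_acceptor_subkey)
            errout("Initiator/acceptor have_acceptor_subkey mismatch");
        check_key_match(&icfx->ctx_key, &acfx->ctx_key);
        if (icfx->have_acceptor_subkey)
            check_key_match(&icfx->acceptor_subkey, &acfx->acceptor_subkey);
        fputs("cfx ", stdout);
        display_enctype(icfx->ctx_key.type);
        if (icfx->have_acceptor_subkey) {
            fputs(" ", stdout);
            display_enctype(icfx->acceptor_subkey.type);
        }
        fputs("\n", stdout);
    } else {
        i1964 = &ilucid->rfc1964_kd;
        a1964 = &alucid->rfc1964_kd;
        if (i1964->sign_alg != a1964->sign_alg ||
            i1964->seal_alg != a1964->seal_alg)
            errout("Initiator/acceptor sign or seal alg mismatch");
        check_key_match(&i1964->ctx_key, &a1964->ctx_key);
        fputs("rfc1964 ", stdout);
        display_enctype(i1964->ctx_key.type);
        fputs("\n", stdout);
    }

    /* Release everything acquired above; the GSS releases are best-effort. */
    krb5_free_context(kctx);
    free(ienc);
    free(aenc);
    (void)gss_release_name(&minor, &tname);
    (void)gss_release_cred(&minor, &icred);
    (void)gss_release_cred(&minor, &acred);
    (void)gss_delete_sec_context(&minor, &ictx, NULL);
    (void)gss_delete_sec_context(&minor, &actx, NULL);
    (void)gss_krb5_free_lucid_sec_context(&minor, ilucid);
    (void)gss_krb5_free_lucid_sec_context(&minor, alucid);
    return 0;
}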