/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* tests/gssapi/t_add_cred.c - gss_add_cred() tests */ /* * Copyright (C) 2018 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ /* * This program tests the mechglue behavior of gss_add_cred(). It relies on a * krb5 keytab and credentials being present so that initiator and acceptor * credentials can be acquired, but does not use them to initiate or accept any * requests. */ #include #include #include "common.h" int main() { OM_uint32 minor, major; gss_cred_id_t cred1, cred2; gss_cred_usage_t usage; gss_name_t name; /* Check that we get the expected error if we pass neither an input nor an * output cred handle. */ major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, NULL, NULL, NULL, NULL); assert(major == (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED)); /* Regression test for #8737: make sure that desired_name is honored when * creating a credential by passing in a non-matching name. */ name = import_name("p:does/not/match@WRONG_REALM"); major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, name, &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL); assert(major == GSS_S_CRED_UNAVAIL); gss_release_name(&minor, &name); /* Create cred1 with a krb5 initiator cred by passing an output handle but * no input handle. */ major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL); assert(major == GSS_S_COMPLETE); /* Verify that cred1 has the expected mechanism creds. */ major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL, NULL, &usage); assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE); major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL, NULL, &usage); assert(major == GSS_S_NO_CRED); /* Check that we get the expected error if we try to add another krb5 mech * cred to cred1. */ major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, NULL, NULL, NULL, NULL); assert(major == GSS_S_DUPLICATE_ELEMENT); /* Add an IAKERB acceptor mech cred to cred1. */ major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb, GSS_C_ACCEPT, GSS_C_INDEFINITE, GSS_C_INDEFINITE, NULL, NULL, NULL, NULL); assert(major == GSS_S_COMPLETE); /* Verify cred1 mechanism creds. */ major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL, NULL, &usage); assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE); major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL, NULL, &usage); assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT); /* Start over with another new cred. */ gss_release_cred(&minor, &cred1); major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, &mech_krb5, GSS_C_ACCEPT, GSS_C_INDEFINITE, GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL); assert(major == GSS_S_COMPLETE); /* Create an expanded cred by passing both an output handle and an input * handle. */ major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, &cred2, NULL, NULL, NULL); assert(major == GSS_S_COMPLETE); /* Verify mechanism creds in cred1 and cred2. */ major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL, NULL, &usage); assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT); major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL, NULL, &usage); assert(major == GSS_S_NO_CRED); major = gss_inquire_cred_by_mech(&minor, cred2, &mech_krb5, NULL, NULL, NULL, &usage); assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT); major = gss_inquire_cred_by_mech(&minor, cred2, &mech_iakerb, NULL, NULL, NULL, &usage); assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE); gss_release_cred(&minor, &cred1); gss_release_cred(&minor, &cred2); return 0; }