author | Greg Hudson <ghudson@mit.edu> | 2012-08-22 14:49:33 -0400 |
committer | Greg Hudson <ghudson@mit.edu> | 2012-09-11 01:18:47 -0400 |
commit | 285374977d233bbdfcdfaaf8642dbc554e3058fe (patch) | |
tree | 0d7f6653faf7ea002f65d788cd639860d3fdce2e /src/tests/gssapi | |
parent | 9c1a6246f1f6f4904e66f9f9eefbdc59e5c8b69f (diff) | |
Add tests for GSS cred export and import
ticket: 7354
Diffstat (limited to 'src/tests/gssapi')
-rw-r--r-- | src/tests/gssapi/Makefile.in | 12 | ||||
-rw-r--r-- | src/tests/gssapi/t_export_cred.c | 214 | ||||
-rw-r--r-- | src/tests/gssapi/t_export_cred.py | 50 |
3 files changed, 272 insertions, 4 deletions
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 0ad730fc40..35ff010ca5 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -11,17 +11,19 @@ SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_imp_cred.c \
 OBJS= t_accname.o t_ccselect.o t_imp_cred.o t_imp_name.o t_s4u.o \
 t_s4u2proxy_krb5.o t_namingexts.o t_gssexts.o t_spnego.o t_saslname.o \
- t_credstore.o t_export_name.o
+ t_credstore.o t_export_name.o t_export_cred.o
 all:: t_accname t_ccselect t_imp_cred t_imp_name t_s4u t_s4u2proxy_krb5 \
- t_namingexts t_gssexts t_spnego t_saslname t_credstore t_export_name
+ t_namingexts t_gssexts t_spnego t_saslname t_credstore t_export_name \
+ t_export_cred
 check-pytests:: t_accname t_ccselect t_imp_cred t_inq_cred t_spnego \
- t_s4u2proxy_krb5 t_s4u t_export_name ccinit ccrefresh
+ t_s4u2proxy_krb5 t_s4u t_export_name t_export_cred ccinit ccrefresh
 $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS)
 ccinit: ccinit.o $(KRB5_BASE_DEPLIBS)
 $(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS)
@@ -53,8 +55,10 @@ t_credstore: t_credstore.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 $(CC_LINK) -o t_credstore t_credstore.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 t_export_name: t_export_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 $(CC_LINK) -o $@ t_export_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
+t_export_cred: t_export_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ t_export_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 clean::
 $(RM) t_accname t_ccselect t_imp_cred t_imp_name t_inq_cred t_s4u \
 t_s4u2proxy_krb5 t_namingexts t_gssexts t_spnego \
- t_saslname t_credstore t_export_name
+ t_saslname t_credstore t_export_name t_export_cred
diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
new file mode 100644
index 0000000000..f7ddbc7ad8
--- /dev/null
+++ b/src/tests/gssapi/t_export_cred.c
@@ -0,0 +1,214 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright 2011 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include <gssapi/gssapi_krb5.h>
+
+static gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" };
+static gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" };
+static gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 };
+static gss_OID_set_desc mechset_spnego = { 1, &mech_spnego };
+
+static void
+display_status_1(const char *m, OM_uint32 code, int type)
+{
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc msg;
+ OM_uint32 msg_ctx;
+
+ msg_ctx = 0;
+ while (1) {
+ maj_stat = gss_display_status(&min_stat, code,
+ type, GSS_C_NULL_OID,
+ &msg_ctx, &msg);
+ fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
+ (void) gss_release_buffer(&min_stat, &msg);
+
+ if (!msg_ctx)
+ break;
+ }
+}
+
+/* If maj_stat indicates an error, display an error message (containing msg)
+ * and exit. */
+static void
+check_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
+{
+ if (GSS_ERROR(maj_stat)) {
+ display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
+ display_status_1(msg, min_stat, GSS_C_MECH_CODE);
+ exit(1);
+ }
+}
+
+/* Display an error message and exit. */
+static void
+errout(const char *msg)
+{
+ fprintf(stderr, "%s\n", msg);
+ exit(1);
+}
+
+/* Import a GSSAPI name based on a string of the form 'u:username',
+ * 'p:principalname', or 'h:host@service' (or just 'h:service').
+ */
+static gss_name_t
+import_name(const char *str)
+{
+ OM_uint32 major, minor;
+ gss_name_t name;
+ gss_buffer_desc buf;
+ gss_OID nametype = NULL;
+
+ if (*str == 'u')
+ nametype = GSS_C_NT_USER_NAME;
+ else if (*str == 'p')
+ nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
+ else if (*str == 'h')
+ nametype = GSS_C_NT_HOSTBASED_SERVICE;
+ if (nametype == NULL || str[1] != ':')
+ errout("names must begin with u: or p: or h:");
+ buf.value = (char *)str + 2;
+ buf.length = strlen(str) - 2;
+ major = gss_import_name(&minor, &buf, nametype, &name);
+ check_gsserr("gss_import_name", major, minor);
+ return name;
+}
+
+/* Display a usage error message and exit. */
+static void
+usage(void)
+{
+ fprintf(stderr, "Usage: t_export_cred [-k|-s] [-i initiatorname] "
+ "[-a acceptorname] targetname\n");
+ exit(1);
+}
+
+/* Export *cred to a token, then release *cred and replace it by re-importing
+ * the token. */
+static void
+export_import_cred(gss_cred_id_t *cred)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc buf;
+
+ major = gss_export_cred(&minor, *cred, &buf);
+ check_gsserr("gss_export_cred", major, minor);
+ (void)gss_release_cred(&minor, cred);
+ major = gss_import_cred(&minor, &buf, cred);
+ check_gsserr("gss_import_cred", major, minor);
+ (void)gss_release_buffer(&minor, &buf);
+}
+
+int
+main(int argc, char *argv[])
+{
+ OM_uint32 major, minor, flags;
+ gss_name_t initiator_name = GSS_C_NO_NAME, acceptor_name = GSS_C_NO_NAME;
+ gss_name_t target_name;
+ gss_cred_id_t initiator_cred, acceptor_cred, delegated_cred;
+ gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
+ gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
+ gss_OID mech = GSS_C_NO_OID;
+ gss_OID_set mechs = GSS_C_NO_OID_SET;
+ gss_buffer_desc token, tmp;
+ char optchar;
+
+ /* Parse arguments.
+ */
+ argv++;
+ while (*argv != NULL && **argv == '-') {
+ optchar = (*argv)[1];
+ argv++;
+ if (optchar == 'i') {
+ if (*argv == NULL)
+ usage();
+ initiator_name = import_name(*argv++);
+ } else if (optchar == 'a') {
+ if (*argv == NULL)
+ usage();
+ acceptor_name = import_name(*argv++);
+ } else if (optchar == 'k') {
+ mech = &mech_krb5;
+ mechs = &mechset_krb5;
+ } else if (optchar == 's') {
+ mech = &mech_spnego;
+ mechs = &mechset_spnego;
+ } else {
+ usage();
+ }
+ }
+ if (*argv == NULL || *(argv + 1) != NULL)
+ usage();
+ target_name = import_name(argv[0]);
+
+ /* Get initiator cred and export/import it. */
+ major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE, mechs,
+ GSS_C_INITIATE, &initiator_cred, NULL, NULL);
+ check_gsserr("gss_acquire_cred(initiator)", major, minor);
+ export_import_cred(&initiator_cred);
+
+ /* Get acceptor cred and export/import it. */
+ major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE, mechs,
+ GSS_C_ACCEPT, &acceptor_cred, NULL, NULL);
+ check_gsserr("gss_acquire_cred(acceptor)", major, minor);
+ export_import_cred(&acceptor_cred);
+
+ /* Initiate and accept a security context (one-token exchange only),
+ * delegating credentials.
+ */
+ flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+ GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ major = gss_init_sec_context(&minor, initiator_cred, &initiator_context,
+ target_name, mech, flags, GSS_C_INDEFINITE,
+ GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
+ NULL, &token, NULL, NULL);
+ check_gsserr("gss_init_sec_context", major, minor);
+
+ major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred,
+ &token, GSS_C_NO_CHANNEL_BINDINGS,
+ NULL, NULL, &tmp, NULL, NULL,
+ &delegated_cred);
+ check_gsserr("gss_accept_sec_context", major, minor);
+
+ /* Import, release, export, and store delegated creds */
+ export_import_cred(&delegated_cred);
+ major = gss_store_cred(&minor, delegated_cred, GSS_C_INITIATE,
+ GSS_C_NULL_OID, 1, 1, NULL, NULL);
+ check_gsserr("gss_store_cred", major, minor);
+
+ (void)gss_release_name(&minor, &initiator_name);
+ (void)gss_release_name(&minor, &acceptor_name);
+ (void)gss_release_name(&minor, &target_name);
+ (void)gss_release_cred(&minor, &initiator_cred);
+ (void)gss_release_cred(&minor, &acceptor_cred);
+ (void)gss_release_cred(&minor, &delegated_cred);
+ (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
+ (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
+ (void)gss_release_buffer(&minor, &token);
+ (void)gss_release_buffer(&minor, &tmp);
+ return 0;
+}
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
new file mode 100644
index 0000000000..3f7b6576d9
--- /dev/null
+++ b/src/tests/gssapi/t_export_cred.py
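Review bot: display_status_1 never checks the status that gss_display_status returns and prints `msg.value` with a bare `%s`, so a failed lookup formats an unset buffer and, if the implementation does not reset msg_ctx on failure, may never leave the loop; the GSS-API buffer is also not guaranteed NUL-terminated by the interface. Add `if (GSS_ERROR(maj_stat)) break;` right after the call and print with `fprintf(stderr, "%s: %.*s\n", m, (int)msg.length, (char *)msg.value);`. Separately, gss_accept_sec_context is called with ret_flags NULL, so if the KDC declines delegation (for instance a TGT that is not forwardable) the run presumably fails later with a less specific gss_export_cred error on an empty delegated_cred; passing `&flags` as ret_flags and checking `flags & GSS_C_DELEG_FLAG` before export_import_cred would report the real cause. The exported token in export_import_cred carries the credential's keys and is released without being zeroised, which is acceptable in a test program but worth a one-line comment so nobody copies the helper into production code.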
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+from k5test import *
+
+# Test gss_export_cred and gss_import_cred.
+
+# Make up a filename to hold user's initial credentials.
+def ccache_savefile(realm):
+ return os.path.join(realm.testdir, 'ccache.copy')
+
+# Move user's initial credentials into the save file.
+def ccache_save(realm):
+ os.rename(realm.ccache, ccache_savefile(realm))
+
+# Copy user's initial credentials from the save file into the ccache.
+def ccache_restore(realm):
+ shutil.copyfile(ccache_savefile(realm), realm.ccache)
+
+# Run t_export_cred with the saved ccache and verify that it stores a
+# forwarded cred into the default ccache.
+def check(realm, args):
+ ccache_restore(realm)
+ realm.run_as_client(['./t_export_cred'] + args)
+ output = realm.run_as_client([klist, '-f'])
+ if 'Flags: Ff' not in output:
+ fail('Forwarded tickets not found in ccache after t_export_cred')
+
+# Check a given set of arguments with no specified mech and with krb5
+# and SPNEGO as the specified mech.
+def check_mechs(realm, args):
+ check(realm, args)
+ check(realm, ['-k'] + args)
+ check(realm, ['-s'] + args)
+
+# Make a realm, get forwardable tickets, and save a copy for each test.
+realm = K5Realm(get_creds=False)
+realm.kinit(realm.user_princ, password('user'), ['-f'])
+ccache_save(realm)
+
+# Test with default initiator and acceptor cred.
+tname = 'p:' + realm.host_princ
+check_mechs(realm, [tname])
+
+# Test with principal-named initiator and acceptor cred.
+iname = 'p:' + realm.user_princ
+check_mechs(realm, ['-i', iname, '-a', tname, tname])
+
+# Test with host-based acceptor cred.
+check_mechs(realm, ['-a', 'h:host', tname])
+
+success('gss_export_cred/gss_import_cred tests') |
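Review bot: ccache_restore uses shutil.copyfile, which creates the restored credential cache with the process umask rather than the restrictive mode the original file presumably had, so the copy holding the user's TGT is likely world-readable inside the test directory for the rest of the run; `shutil.copy(ccache_savefile(realm), realm.ccache)` keeps the mode bits and is otherwise equivalent here. The check in check() also depends on the exact letters klist -f prints, which is fine for an in-tree test but deserves a comment next to the `'Flags: Ff'` test, e.g. `# klist -f: 'F' = forwardable, 'f' = forwarded; both must be present`.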