author | Greg Hudson <ghudson@mit.edu> | 2012-09-13 12:27:04 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-09-13 12:27:16 -0400 |
commit | d81d68ebd8ade84e240f7d95edf0a562f6931ea2 (patch) | |
tree | 81d13948ae392081571fa97f60d001cc9cf5a598 | |
parent | d9af383d069b571457849dea77dbef01ccb55370 (diff) | |
Tidy up GSSAPI test programs
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | src/tests/gssapi/Makefile.in | 95 | ||||
-rw-r--r-- | src/tests/gssapi/common.c | 211 | ||||
-rw-r--r-- | src/tests/gssapi/common.h | 70 | ||||
-rw-r--r-- | src/tests/gssapi/t_accname.c | 82 | ||||
-rw-r--r-- | src/tests/gssapi/t_ccselect.c | 79 | ||||
-rw-r--r-- | src/tests/gssapi/t_ccselect.py | 26 | ||||
-rw-r--r-- | src/tests/gssapi/t_client_keytab.py | 32 | ||||
-rw-r--r-- | src/tests/gssapi/t_credstore.c | 75 | ||||
-rw-r--r-- | src/tests/gssapi/t_export_cred.c | 74 | ||||
-rw-r--r-- | src/tests/gssapi/t_export_name.c | 92 | ||||
-rwxr-xr-x | src/tests/gssapi/t_gssapi.py | 54 | ||||
-rw-r--r-- | src/tests/gssapi/t_gssexts.c | 414 | ||||
-rw-r--r-- | src/tests/gssapi/t_imp_cred.c | 81 | ||||
-rw-r--r-- | src/tests/gssapi/t_imp_name.c | 132 | ||||
-rw-r--r-- | src/tests/gssapi/t_inq_cred.c | 91 | ||||
-rw-r--r-- | src/tests/gssapi/t_namingexts.c | 458 | ||||
-rw-r--r-- | src/tests/gssapi/t_s4u.c | 497 | ||||
-rw-r--r-- | src/tests/gssapi/t_s4u.py | 26 | ||||
-rw-r--r-- | src/tests/gssapi/t_s4u2proxy_krb5.c | 149 | ||||
-rw-r--r-- | src/tests/gssapi/t_saslname.c | 138 | ||||
-rw-r--r-- | src/tests/gssapi/t_spnego.c | 247 |
22 files changed, 940 insertions, 2186 deletions
diff --git a/.gitignore b/.gitignore
index 47af0871b..9737d260b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -262,10 +262,13 @@ testlog
 /src/tests/gssapi/ccrefresh
 /src/tests/gssapi/t_accname
 /src/tests/gssapi/t_ccselect
+/src/tests/gssapi/t_credstore
 /src/tests/gssapi/t_export_cred
+/src/tests/gssapi/t_export_name
 /src/tests/gssapi/t_gssexts
 /src/tests/gssapi/t_imp_cred
 /src/tests/gssapi/t_imp_name
+/src/tests/gssapi/t_inq_cred
 /src/tests/gssapi/t_namingexts
 /src/tests/gssapi/t_s4u
 /src/tests/gssapi/t_s4u2proxy_krb5
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 35ff010ca..a34c28eeb 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -4,61 +4,68 @@ DEFINES = -DUSE_AUTOCONF_H PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) -SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_imp_cred.c \ - $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \ - $(srcdir)/t_namingexts.c $(srcdir)/t_gssexts.c $(srcdir)/t_saslname.c \ - $(srcdir)/t_credstore.c $(srcdir)/t_export_name.c +SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_credstore.c \ + $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ + $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ + $(srcdir)/t_inq_cred.c $(srcdir)/t_namingexts.c $(srcdir)/t_s4u.c \ + $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ + $(srcdir)/t_spnego.c -OBJS= t_accname.o t_ccselect.o t_imp_cred.o t_imp_name.o t_s4u.o \ - t_s4u2proxy_krb5.o t_namingexts.o t_gssexts.o t_spnego.o t_saslname.o \ - t_credstore.o t_export_name.o t_export_cred.o +OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_credstore.o \ + t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \ + t_inq_cred.o t_namingexts.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ + t_spnego.o -all:: t_accname t_ccselect t_imp_cred t_imp_name t_s4u t_s4u2proxy_krb5 \ - t_namingexts t_gssexts t_spnego t_saslname t_credstore t_export_name \ - t_export_cred +COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) +COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -check-pytests:: t_accname t_ccselect t_imp_cred t_inq_cred t_spnego \ - t_s4u2proxy_krb5 t_s4u t_export_name t_export_cred ccinit ccrefresh +all:: ccinit ccrefresh t_accname t_ccselect t_credstore t_export_cred \ + t_export_name t_gssexts t_imp_cred t_imp_name t_inq_cred t_namingexts \ + t_s4u t_s4u2proxy_krb5 t_saslname t_spnego + +check-pytests:: ccinit ccrefresh t_accname t_ccselect t_credstore \ + t_export_cred t_export_name t_imp_cred t_inq_cred t_s4u \ + t_s4u2proxy_krb5 t_spnego $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) $(RUNPYTEST) 
$(srcdir)/t_ccselect.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS) ccinit: ccinit.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS) ccrefresh: ccrefresh.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o ccrefresh ccrefresh.o $(KRB5_BASE_LIBS) -t_accname: t_accname.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_accname t_accname.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_ccselect: t_ccselect.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_ccselect t_ccselect.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_imp_cred: t_imp_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_imp_cred t_imp_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_inq_cred: t_inq_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_inq_cred t_inq_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_s4u t_s4u.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_s4u2proxy_krb5: t_s4u2proxy_krb5.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_s4u2proxy_krb5.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_namingexts: t_namingexts.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_namingexts t_namingexts.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_gssexts: t_gssexts.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_gssexts t_gssexts.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_spnego: t_spnego.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_spnego t_spnego.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_saslname: t_saslname.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_saslname t_saslname.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_credstore: t_credstore.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_credstore t_credstore.o $(GSS_LIBS) 
$(KRB5_BASE_LIBS) -t_export_name: t_export_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_export_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -t_export_cred: t_export_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_export_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS) +t_accname: t_accname.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS) +t_ccselect: t_ccselect.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS) +t_credstore: t_credstore.o $(COMMON_DEPLIBS) + $(CC_LINK) -o $@ t_credstore.o $(COMMON_LIBS) +t_export_cred: t_export_cred.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_export_cred.o $(COMMON_LIBS) +t_export_name: t_export_name.o $(COMMON_DEPLIBS) + $(CC_LINK) -o $@ t_export_name.o $(COMMON_LIBS) +t_gssexts: t_gssexts.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_gssexts.o $(COMMON_LIBS) +t_imp_cred: t_imp_cred.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_imp_cred.o $(COMMON_LIBS) +t_imp_name: t_imp_name.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_imp_name.o $(COMMON_LIBS) +t_inq_cred: t_inq_cred.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_inq_cred.o $(COMMON_LIBS) +t_namingexts: t_namingexts.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS) +t_s4u: t_s4u.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_s4u.o $(COMMON_LIBS) +t_s4u2proxy_krb5: t_s4u2proxy_krb5.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_s4u2proxy_krb5.o $(COMMON_LIBS) +t_saslname: t_saslname.o $(COMMON_DEPLIBS) + $(CC_LINK) -o $@ t_saslname.o $(COMMON_LIBS) +t_spnego: t_spnego.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_spnego.o $(COMMON_LIBS) clean:: - $(RM) t_accname t_ccselect t_imp_cred t_imp_name t_inq_cred t_s4u \ - t_s4u2proxy_krb5 t_namingexts t_gssexts t_spnego \ - t_saslname t_credstore t_export_name t_export_cred + $(RM) ccinit ccrefresh t_accname t_ccselect t_credstore t_export_cred \ + $(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_inq_cred + $(RM) t_namingexts t_s4u t_s4u2proxy_krb5 t_saslname t_spnego 
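Review bot: Three of the new link rules reference `$(COMMON_DEPLIBS)`, which is defined nowhere, while the other eleven use `$(COMMON_DEPS)`: `t_credstore: t_credstore.o $(COMMON_DEPLIBS)`, `t_export_name: t_export_name.o $(COMMON_DEPLIBS)` and `t_saslname: t_saslname.o $(COMMON_DEPLIBS)`. Make expands an undefined variable to nothing, so those three binaries silently lose their dependency on common.o and the GSS/krb5 libraries and will not be relinked when those change; spell them `$(COMMON_DEPS)`. The rewritten `clean::` rule is also malformed: its first line ends in a backslash continuation, so the following `$(RM) t_export_name ...` is spliced into the same command and, assuming RM expands to `rm -f` as elsewhere in the tree, `rm` and `-f` are passed as extra arguments — it only works because `-f` hides the error for the nonexistent file `rm`. Either drop the trailing backslash or drop the second `$(RM)`.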
diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
new file mode 100644
index 000000000..ab968ccb7
--- /dev/null
+++ b/src/tests/gssapi/common.c
@@ -0,0 +1,211 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/common.c - Common utility functions for GSSAPI test programs */
+/*
+ * Copyright (C) 2012 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "common.h"
+
+gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" };
+gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" };
+gss_OID_desc mech_iakerb = { 6, "\053\006\001\005\002\005" };
+gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 };
+gss_OID_set_desc mechset_spnego = { 1, &mech_spnego };
+gss_OID_set_desc mechset_iakerb = { 1, &mech_iakerb };
+
+static void
+display_status(const char *msg, OM_uint32 code, int type)
+{
+ OM_uint32 maj_stat, min_stat, msg_ctx = 0;
+ gss_buffer_desc buf;
+
+ do {
+ maj_stat = gss_display_status(&min_stat, code, type, GSS_C_NULL_OID,
+ &msg_ctx, &buf);
+ fprintf(stderr, "%s: %.*s\n", msg, (int)buf.length, (char *)buf.value);
+ (void)gss_release_buffer(&min_stat, &buf);
+ } while (msg_ctx != 0);
+}
+
+void
+check_gsserr(const char *msg, OM_uint32 major, OM_uint32 minor)
+{
+ if (GSS_ERROR(major)) {
+ display_status(msg, major, GSS_C_GSS_CODE);
+ display_status(msg, minor, GSS_C_MECH_CODE);
+ exit(1);
+ }
+}
+
+void
+check_k5err(krb5_context context, const char *msg, krb5_error_code code)
+{
+ const char *errmsg;
+
+ if (code) {
+ errmsg = krb5_get_error_message(context, code);
+ printf("%s: %s\n", msg, errmsg);
+ krb5_free_error_message(context, errmsg);
+ exit(1);
+ }
+}
+
+void
+errout(const char *msg)
+{
+ fprintf(stderr, "%s\n", msg);
+ exit(1);
+}
+
+gss_name_t
+import_name(const char *str)
+{
+ OM_uint32 major, minor;
+ gss_name_t name;
+ gss_buffer_desc buf;
+ gss_OID nametype = NULL;
+
+ if (*str == 'u')
+ nametype = GSS_C_NT_USER_NAME;
+ else if (*str == 'p')
+ nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
+ else if (*str == 'h')
+ nametype = GSS_C_NT_HOSTBASED_SERVICE;
+ if (nametype == NULL || str[1] != ':')
+ errout("names must begin with u: or p: or h:");
+ buf.value = (char *)str + 2;
+ buf.length = strlen(str) - 2;
+ major = gss_import_name(&minor, &buf, nametype, &name);
+ check_gsserr("gss_import_name", major, minor);
+ return name;
+}
+
+void
+display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
+{
+ gss_name_t canon;
+ OM_uint32 major, minor;
+ gss_buffer_desc buf;
+
+ major = gss_canonicalize_name(&minor, name, mech, &canon);
+ check_gsserr("gss_canonicalize_name", major, minor);
+
+ major = gss_display_name(&minor, canon, &buf, NULL);
+ check_gsserr("gss_display_name", major, minor);
+
+ printf("%s:\t%.*s\n", tag, (int)buf.length, (char *)buf.value);
+
+ (void)gss_release_name(&minor, &canon);
+ (void)gss_release_buffer(&minor, &buf);
+}
+
+void
+display_oid(const char *tag, gss_OID oid)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc buf;
+
+ major = gss_oid_to_str(&minor, oid, &buf);
+ check_gsserr("gss_oid_to_str", major, minor);
+ printf("%s:\t%.*s\n", tag, (int)buf.length, (char *)buf.value);
+ (void)gss_release_buffer(&minor, &buf);
+}
+
+static void
+dump_attribute(gss_name_t name, gss_buffer_t attribute, int noisy)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc value;
+ gss_buffer_desc display_value;
+ int authenticated = 0;
+ int complete = 0;
+ int more = -1;
+ unsigned int i;
+
+ while (more != 0) {
+ value.value = NULL;
+ display_value.value = NULL;
+
+ major = gss_get_name_attribute(&minor, name, attribute, &authenticated,
+ &complete, &value, &display_value,
+ &more);
+ check_gsserr("gss_get_name_attribute", major, minor);
+
+ printf("Attribute %.*s %s %s\n\n%.*s\n",
+ (int)attribute->length, (char *)attribute->value,
+ authenticated ? "Authenticated" : "",
+ complete ? "Complete" : "",
+ (int)display_value.length, (char *)display_value.value);
+
+ if (noisy) {
+ for (i = 0; i < value.length; i++) {
+ if ((i % 32) == 0)
+ printf("\n");
+ printf("%02x", ((char *)value.value)[i] & 0xFF);
+ }
+ printf("\n\n");
+ }
+
+ (void)gss_release_buffer(&minor, &value);
+ (void)gss_release_buffer(&minor, &display_value);
+ }
+}
+
+void
+enumerate_attributes(gss_name_t name, int noisy)
+{
+ OM_uint32 major, minor;
+ int is_mechname;
+ gss_OID mech = GSS_C_NO_OID;
+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
+ size_t i;
+
+ major = gss_inquire_name(&minor, name, &is_mechname, &mech, &attrs);
+ check_gsserr("gss_inquire_name", major, minor);
+
+ if (attrs != GSS_C_NO_BUFFER_SET) {
+ for (i = 0; i < attrs->count; i++)
+ dump_attribute(name, &attrs->elements[i], noisy);
+ }
+
+ (void)gss_release_buffer_set(&minor, &attrs);
+}
+
+void
+print_hex(FILE *fp, gss_buffer_t buf)
+{
+ size_t i;
+ const unsigned char *bytes = buf->value;
+
+ for (i = 0; i < buf->length; i++)
+ printf("%02X", bytes[i]);
+ printf("\n");
+}
diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
new file mode 100644
index 000000000..be3bdb94c
--- /dev/null
+++ b/src/tests/gssapi/common.h
@@ -0,0 +1,70 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/common.h - Declarations for GSSAPI test utility functions */
+/*
+ * Copyright (C) 2012 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef COMMON_H
+#define COMMON_H
+
+#include <gssapi/gssapi_krb5.h>
+
+gss_OID_desc mech_krb5;
+gss_OID_desc mech_spnego;
+gss_OID_desc mech_iakerb;
+gss_OID_set_desc mechset_krb5;
+gss_OID_set_desc mechset_spnego;
+gss_OID_set_desc mechset_iakerb;
+
+/* Display an error message (containing msg) and exit if major is an error. */
+void check_gsserr(const char *msg, OM_uint32 major, OM_uint32 minor);
+
+/* Display an error message (containing msg) and exit if code is an error. */
+void check_k5err(krb5_context context, const char *msg, krb5_error_code code);
+
+/* Display an error message containing msg and exit. */
+void errout(const char *msg);
+
+/* Import a GSSAPI name based on a string of the form 'u:username',
+ * 'p:principalname', or 'h:host@service' (or just 'h:service'). */
+gss_name_t import_name(const char *str);
+
+/* Display name as canonicalized to mech, preceded by tag. */
+void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
+
+/* Display oid in printable form, preceded by tag. */
+void display_oid(const char *tag, gss_OID oid);
+
+/* Display attributes of name, including hex value if noisy is true. */
+void enumerate_attributes(gss_name_t name, int noisy);
+
+/* Display the contents of buf to fp in hex, followed by a newline. */
+void print_hex(FILE *fp, gss_buffer_t buf);
+
+#endif /* COMMON_H */
diff --git a/src/tests/gssapi/t_accname.c b/src/tests/gssapi/t_accname.c
index 0326cedc7..c85784232 100644
--- a/src/tests/gssapi/t_accname.c
+++ b/src/tests/gssapi/t_accname.c
@@ -25,9 +25,8 @@ #include <stdio.h> #include <stdlib.h> -#include <string.h> -#include <gssapi/gssapi_krb5.h> +#include "common.h" /* * Test program for acceptor names, intended to be run from a Python test
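Review bot: The six object lines `gss_OID_desc mech_krb5;` through `gss_OID_set_desc mechset_iakerb;` are tentative definitions, not declarations, so every test program that includes common.h defines these objects a second time alongside the initialized definitions in common.c; that links only while the toolchain merges common symbols (`-fcommon`) and fails with multiple-definition errors under `-fno-common`, which newer GCC and Clang default to. Prefix each with `extern`, e.g. `extern gss_OID_desc mech_krb5;`. The header also declares `print_hex(FILE *fp, gss_buffer_t buf)` without including `<stdio.h>`, leaving `FILE` to arrive through `<gssapi/gssapi_krb5.h>`; adding `#include <stdio.h>` makes the header self-contained.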
@@ -42,39 +41,11 @@ * Usage: ./t_accname targetname [acceptorname] */ -static void -display_status_1(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void -display_status(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); -} - int main(int argc, char *argv[]) { OM_uint32 minor, major; gss_cred_id_t acceptor_cred; - gss_buffer_desc buf; gss_name_t target_name, acceptor_name = GSS_C_NO_NAME, real_acceptor_name; gss_buffer_desc token, tmp, namebuf; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; 
@@ -85,37 +56,16 @@ main(int argc, char *argv[]) return 1; } - /* Import the target name as a krb5 principal name. */ - buf.value = argv[1]; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &target_name); - if (GSS_ERROR(major)) { - display_status("gss_import_name(target_name)", major, minor); - return 1; - } - - /* Import the acceptor name as a host-based name. */ - if (argc >= 3) { - buf.value = argv[2]; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, - &acceptor_name); - if (GSS_ERROR(major)) { - display_status("gss_import_name(acceptor_name)", major, minor); - return 1; - } - } + /* Import target and acceptor names. */ + target_name = import_name(argv[1]); + if (argc >= 3) + acceptor_name = import_name(argv[2]); /* Get acceptor cred. */ major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &acceptor_cred, NULL, NULL); - if (GSS_ERROR(major)) { - display_status("gss_acquire_cred", major, minor); - return 1; - } + check_gsserr("gss_acquire_cred", major, minor); /* Create krb5 initiator context and get the first token. */ token.value = NULL; @@ -126,10 +76,7 @@ main(int argc, char *argv[]) GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &token, NULL, NULL); - if (GSS_ERROR(major)) { - display_status("gss_init_sec_context", major, minor); - return 1; - } + check_gsserr("gss_init_sec_context", major, minor); /* Pass the token to gss_accept_sec_context. */ tmp.value = NULL; 
@@ -137,26 +84,17 @@ main(int argc, char *argv[]) major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred, &token, GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, &tmp, NULL, NULL, NULL); - if (major != GSS_S_COMPLETE) { - display_status("gss_accept_sec_context", major, minor); - return 1; - } + check_gsserr("gss_accept_sec_context", major, minor); major = gss_inquire_context(&minor, acceptor_context, NULL, &real_acceptor_name, NULL, NULL, NULL, NULL, NULL); - if (GSS_ERROR(major)) { - display_status("gss_inquire_context", major, minor); - return 1; - } + check_gsserr("gss_inquire_context", major, minor); namebuf.value = NULL; namebuf.length = 0; major = gss_display_name(&minor, real_acceptor_name, &namebuf, NULL); - if (GSS_ERROR(major)) { - display_status("gss_display_name", major, minor); - return 1; - } + check_gsserr("gss_display_name", major, minor); printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value); diff --git a/src/tests/gssapi/t_ccselect.c b/src/tests/gssapi/t_ccselect.c index 620ce1c4b..05b0a844a 100644 --- a/src/tests/gssapi/t_ccselect.c +++ b/src/tests/gssapi/t_ccselect.c @@ -28,7 +28,7 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_krb5.h> +#include "common.h" /* * Test program for client credential selection, intended to be run from a 
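Review bot: Replacing `if (major != GSS_S_COMPLETE)` with `check_gsserr("gss_accept_sec_context", major, minor);` weakens the check: `check_gsserr` tests `GSS_ERROR(major)`, which is false for `GSS_S_CONTINUE_NEEDED`, so an acceptor that asks for another round trip is no longer reported and the program goes on to `gss_inquire_context` on an incomplete context. Keep the stricter test after the helper call, e.g. `if (major != GSS_S_COMPLETE) errout("gss_accept_sec_context did not complete");`. The same substitution is made in t_ccselect.c's hunk at -147,14 +90,12, where the original also tested for GSS_S_COMPLETE. main's body begins in an earlier hunk and continues past this one.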
@@ -43,40 +43,11 @@ * Usage: ./t_ccselect [targetprinc|gss:service@host] [initiatorprinc|-] */ -static void -display_status_1(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void -gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); - exit(1); -} - int main(int argc, char *argv[]) { OM_uint32 minor, major; gss_cred_id_t initiator_cred = GSS_C_NO_CREDENTIAL; - gss_buffer_desc buf; gss_name_t target_name, initiator_name = GSS_C_NO_NAME; gss_name_t real_initiator_name; gss_buffer_desc token, tmp, namebuf; 
@@ -84,47 +55,20 @@ main(int argc, char *argv[]) gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; if (argc < 2 || argc > 3) { - fprintf(stderr, "Usage: %s targetprinc [initiatorprinc|-]\n", argv[0]); + fprintf(stderr, "Usage: %s targetname [initiatorname|-]\n", argv[0]); return 1; } - /* Import the target name. */ - if (strncmp(argv[1], "gss:", 4) == 0) { - /* Import as host-based service. */ - buf.value = argv[1] + 4; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, - &target_name); - } else { - /* Import as krb5 principal name. */ - buf.value = argv[1]; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &target_name); - } - if (GSS_ERROR(major)) - gsserr("gss_import_name(target_name)", major, minor); + target_name = import_name(argv[1]); - /* Import the initiator name as a krb5 principal and get creds, maybe. */ if (argc >= 3) { - if (strcmp(argv[2], "-") != 0) { - buf.value = argv[2]; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &initiator_name); - if (GSS_ERROR(major)) - gsserr("gss_import_name(initiator_name)", major, minor); - } - - /* Get acceptor cred. */ + /* Get initiator cred. */ + if (strcmp(argv[2], "-") != 0) + initiator_name = import_name(argv[2]); major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_INITIATE, &initiator_cred, NULL, NULL); - if (GSS_ERROR(major)) - gsserr("gss_acquire_cred", major, minor); + check_gsserr("gss_acquire_cred", major, minor); } 
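Review bot: The usage string now reads `targetname [initiatorname|-]`, but the block comment in the preceding hunk still documents the old syntax, `Usage: ./t_ccselect [targetprinc|gss:service@host] [initiatorprinc|-]`; the program now goes through `import_name`, which rejects anything lacking a `u:`, `p:` or `h:` prefix, so a reader following that comment gets `names must begin with u: or p: or h:`. Update it to `* Usage: ./t_ccselect targetname [initiatorname|-]` and mention the prefix form. The removed `/* Import the initiator name ... */` comment also leaves the `strcmp(argv[2], "-")` test undocumented; a one-liner such as `/* "-" means acquire creds for the default initiator name. */` restores that.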
@@ -136,8 +80,7 @@ main(int argc, char *argv[]) GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &token, NULL, NULL); - if (GSS_ERROR(major)) - gsserr("gss_init_sec_context", major, minor); + check_gsserr("gss_init_sec_context", major, minor); /* Pass the token to gss_accept_sec_context. */ tmp.value = NULL; @@ -147,14 +90,12 @@ main(int argc, char *argv[]) GSS_C_NO_CHANNEL_BINDINGS, &real_initiator_name, NULL, &tmp, NULL, NULL, NULL); - if (major != GSS_S_COMPLETE) - gsserr("gss_accept_sec_context", major, minor); + check_gsserr("gss_accept_sec_context", major, minor); namebuf.value = NULL; namebuf.length = 0; major = gss_display_name(&minor, real_initiator_name, &namebuf, NULL); - if (GSS_ERROR(major)) - gsserr("gss_display_name(initiator)", major, minor); + check_gsserr("gss_display_name(initiator)", major, minor); printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value); (void)gss_release_name(&minor, &target_name); diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py index 78f307f01..6b7bce617 100644 --- a/src/tests/gssapi/t_ccselect.py +++ b/src/tests/gssapi/t_ccselect.py 
@@ -28,16 +28,19 @@ r1 = K5Realm(create_user=False) r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000, testdir=os.path.join(r1.testdir, 'r2')) +host1 = 'p:' + r1.host_princ +host2 = 'p:' + r2.host_princ + # gsserver specifies the target as a GSS name. The resulting # principal will have the host-based type, but the realm won't be # known before the client cache is selected (since k5test realms have # no domain-realm mapping by default). -gssserver = 'gss:host@' + hostname +gssserver = 'h:host@' + hostname # refserver specifies the target as a principal in the referral realm. # The principal won't be treated as a host principal by the # .k5identity rules since it has unknown type. -refserver = 'host/' + hostname + '@' +refserver = 'p:host/' + hostname + '@' # Make each realm's keytab contain entries for both realm's servers. #r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' % @@ -47,8 +50,7 @@ refserver = 'host/' + hostname + '@' # Verify that we can't get initiator creds with no credentials in the # collection. -output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'], - expected_code=1) +output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1) if 'No Kerberos credentials available' not in output: fail('Expected error not seen in output when no credentials available') 
@@ -75,24 +77,24 @@ r1.kinit(alice, password('alice')) r2.kinit(zaphod, password('zaphod')) # Check that we can find a cache for a specified client principal. -output = r1.run_as_client(['./t_ccselect', r1.host_princ, alice]) +output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice]) if output != (alice + '\n'): fail('alice not chosen when specified') -output = r2.run_as_client(['./t_ccselect', r2.host_princ, zaphod]) +output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod]) if output != (zaphod + '\n'): fail('zaphod not chosen when specified') # Check that we can guess a cache based on the service realm. -output = r1.run_as_client(['./t_ccselect', r1.host_princ]) +output = r1.run_as_client(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen as default initiator cred for server in r1') -output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-']) +output = r1.run_as_client(['./t_ccselect', host1, '-']) if output != (alice + '\n'): fail('alice not chosen as default initiator name for server in r1') -output = r2.run_as_client(['./t_ccselect', r2.host_princ]) +output = r2.run_as_client(['./t_ccselect', host2]) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator cred for server in r1') -output = r2.run_as_client(['./t_ccselect', r2.host_princ, '-']) +output = r2.run_as_client(['./t_ccselect', host2, '-']) if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator name for server in r1') @@ -111,7 +113,7 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm)) k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname)) k5id.write('noprinc service=bogus') k5id.close() -output = r1.run_as_client(['./t_ccselect', r1.host_princ]) +output = r1.run_as_client(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen via .k5identity realm line.') output = r2.run_as_client(['./t_ccselect', gssserver]) 
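Review bot: The two failure messages for the r2 checks, `fail('zaphod not chosen as default initiator cred for server in r1')` and `fail('zaphod not chosen as default initiator name for server in r1')`, name the wrong realm; they follow `r2.run_as_client(['./t_ccselect', host2])` and `r2.run_as_client(['./t_ccselect', host2, '-'])` and should say `server in r2`. These are untouched context lines, so the commit is not at fault, but since the adjacent calls are already being rewritten it is a cheap fix to include.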
@@ -120,7 +122,7 @@ if output != (zaphod + '\n'): output = r1.run_as_client(['./t_ccselect', refserver]) if output != (bob + '\n'): fail('bob not chosen via primary cache when no .k5identity line matches.') -output = r1.run_as_client(['./t_ccselect', 'gss:bogus@' + hostname], +output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1) if 'Can\'t find client principal noprinc' not in output: fail('Expected error not seen when k5identity selects bad principal.') diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py index 71cb89e78..71566a5d3 100644 --- a/src/tests/gssapi/t_client_keytab.py +++ b/src/tests/gssapi/t_client_keytab.py @@ -5,14 +5,17 @@ from k5test import * # Point HOME at realm.testdir for tests using .k5identity. realm = K5Realm(get_creds=False) bob = 'bob@' + realm.realm -gssserver = 'gss:host@' + hostname +phost = 'p:' + realm.host_princ +puser = 'p:' + realm.user_princ +pbob = 'p:' + bob +gssserver = 'h:host@' + hostname realm.env_client['HOME'] = realm.testdir realm.addprinc(bob, password('bob')) realm.extract_keytab(realm.user_princ, realm.client_keytab) realm.extract_keytab(bob, realm.client_keytab) # Test 1: no name/cache specified, pick first principal from client keytab -out = realm.run_as_client(['./t_ccselect', realm.host_princ]) +out = realm.run_as_client(['./t_ccselect', phost]) if realm.user_princ not in out: fail('Authenticated as wrong principal') realm.run_as_client([kdestroy]) 
@@ -30,27 +33,26 @@ realm.run_as_client([kdestroy]) # Test 3: no name/cache specified, default ccache has name but no creds realm.run_as_client(['./ccinit', realm.ccache, bob]) -out = realm.run_as_client(['./t_ccselect', realm.host_princ]) +out = realm.run_as_client(['./t_ccselect', phost]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 4: name specified, non-collectable default cache doesn't match -out = realm.run_as_client(['./t_ccselect', realm.host_princ, realm.user_princ], - expected_code=1) +out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1) if 'Principal in credential cache does not match desired name' not in out: fail('Expected error not seen') realm.run_as_client([kdestroy]) # Test 5: name specified, nonexistent default cache -out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob]) +out = realm.run_as_client(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 6: name specified, matches default cache, time to refresh realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob]) +out = realm.run_as_client(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') out = realm.run_as_client(['./ccrefresh', realm.ccache]) 
@@ -59,26 +61,26 @@ if int(out) < 1000: realm.run_as_client([kdestroy]) # Test 7: empty ccache specified, pick first principal from client keytab -realm.run_as_client(['./t_imp_cred', realm.host_princ]) +realm.run_as_client(['./t_imp_cred', phost]) realm.klist(realm.user_princ) realm.run_as_client([kdestroy]) # Test 8: ccache specified with name but no creds; name not in client keytab realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ]) -out = realm.run_as_client(['./t_imp_cred', realm.host_princ], expected_code=1) +out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1) if 'Credential cache is empty' not in out: fail('Expected error not seen') realm.run_as_client([kdestroy]) # Test 9: ccache specified with name but no creds; name in client keytab realm.run_as_client(['./ccinit', realm.ccache, bob]) -realm.run_as_client(['./t_imp_cred', realm.host_princ]) +realm.run_as_client(['./t_imp_cred', phost]) realm.klist(bob) # Leave tickets for next test. # Test 10: ccache specified with creds, time to refresh realm.run_as_client(['./ccrefresh', realm.ccache, '1']) -realm.run_as_client(['./t_imp_cred', realm.host_princ]) +realm.run_as_client(['./t_imp_cred', phost]) realm.klist(bob) out = realm.run_as_client(['./ccrefresh', realm.ccache]) if int(out) < 1000: 
@@ -94,14 +96,14 @@ realm.env_client['KRB5CCNAME'] = ccname # Test 11: name specified, matching cache in collection with no creds bobcache = os.path.join(ccdir, 'tktbob') realm.run_as_client(['./ccinit', bobcache, bob]) -out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob]) +out = realm.run_as_client(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Leave tickets for next test. # Test 12: name specified, matching cache in collection, time to refresh realm.run_as_client(['./ccrefresh', bobcache, '1']) -out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob]) +out = realm.run_as_client(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') out = realm.run_as_client(['./ccrefresh', bobcache]) @@ -111,7 +113,7 @@ realm.run_as_client([kdestroy, '-A']) # Test 13: name specified, collection has default for different principal realm.kinit(realm.user_princ, password('user')) -out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob]) +out = realm.run_as_client(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') out = realm.run_as_client([klist]) @@ -120,7 +122,7 @@ if 'Default principal: %s\n' % realm.user_princ not in out: realm.run_as_client([kdestroy, '-A']) # Test 14: name specified, collection has no default cache -out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob]) +out = realm.run_as_client(['./t_ccselect', phost, pbob]) if bob not in out: fail('Authenticated as wrong principal') # Make sure the tickets we acquired didn't become the default diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c index 73c11f8b5..085bc794e 100644 --- a/src/tests/gssapi/t_credstore.c +++ b/src/tests/gssapi/t_credstore.c 
@@ -27,41 +27,14 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_ext.h> -#include <gssapi/gssapi_krb5.h> +#include "common.h" static void -print_gss_status(int type, OM_uint32 code) -{ - OM_uint32 major, minor; - gss_buffer_desc msg; - OM_uint32 msg_ctx = 0; - - do { - major = gss_display_status(&minor, code, type, - GSS_C_NULL_OID, &msg_ctx, &msg); - if (major == 0) { - fprintf(stdout, "%s. ", (char *)msg.value); - major = gss_release_buffer(&minor, &msg); - } - } while (msg_ctx); -} - -static void -print_status(char *msg, OM_uint32 major, OM_uint32 minor) -{ - fprintf(stdout, "%s: ", msg); - print_gss_status(GSS_C_GSS_CODE, major); - print_gss_status(GSS_C_MECH_CODE, minor); - fprintf(stdout, "\n"); -} - -static void -usage(const char *name) +usage(void) { fprintf(stderr, - "Usage: %s <principal> [--cred_store {<key> <value>} ...]\n", - name); + "Usage: t_credstore principal [--cred_store {key value} ...]\n"); + exit(1); } int @@ -74,10 +47,8 @@ main(int argc, char *argv[]) gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; int i, e; - if (argc < 2 || ((argc - 3) % 2)) { - usage(argv[0]); - exit(1); - } + if (argc < 2 || ((argc - 3) % 2)) + usage(); store.count = (argc - 3) / 2; store.elements = calloc(store.count, @@ -88,10 +59,8 @@ main(int argc, char *argv[]) } if (argc > 2) { - if (strcmp(argv[2], "--cred_store") != 0) { - usage(argv[0]); - exit(1); - } + if (strcmp(argv[2], "--cred_store") != 0) + usage(); for (i = 3, e = 0; i < argc; i += 2, e++) { store.elements[e].key = argv[i]; 
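Review bot: The retained condition `if (argc < 2 || ((argc - 3) % 2))` in the second hunk on this line rejects the documented no-store form `t_credstore principal`: with argc == 2, `(argc - 3) % 2` evaluates to -1 under C99 truncating division, which is nonzero, so usage() exits before store.count is even computed. The check predates this commit, but since the line is rewritten here it is worth tightening to `if (argc < 2 || (argc > 2 && (argc - 3) % 2 != 0))` so the parity test only applies when a --cred_store list is actually present. main's body continues past the end of the hunk.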
@@ -104,19 +73,11 @@ main(int argc, char *argv[]) major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE, &cred, NULL, NULL); - if (major) { - print_status("gss_acquire_cred(default user creds) failed", - major, minor); - goto out; - } + check_gsserr("gss_acquire_cred", major, minor); major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, GSS_C_NO_OID, 1, 0, &store, NULL, NULL); - if (major) { - print_status("gss_store_cred_in_store(default user creds) failed", - major, minor); - goto out; - } + check_gsserr("gss_store_cred_into", major, minor); gss_release_cred(&minor, &cred); @@ -128,27 +89,17 @@ main(int argc, char *argv[]) major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &service); - if (major) { - print_status("gss_import_name(principal) failed", major, minor); - goto out; - } + check_gsserr("gss_import_name", major, minor); major = gss_acquire_cred_from(&minor, service, 0, GSS_C_NO_OID_SET, GSS_C_BOTH, &store, &cred, NULL, NULL); - if (major) { - print_status("gss_acquire_cred_from_store(principal) failed", - major, minor); - goto out; - } + check_gsserr("gss_acquire_cred_from", major, minor); fprintf(stdout, "Cred Store Success\n"); - major = 0; - -out: gss_release_name(&minor, &service); gss_release_cred(&minor, &cred); free(store.elements); - return major; + return 0; } diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c index f7ddbc7ad..6f62eed81 100644 --- a/src/tests/gssapi/t_export_cred.c +++ b/src/tests/gssapi/t_export_cred.c 
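Review bot: t_credstore still imports argv[1] itself with GSS_KRB5_NT_PRINCIPAL_NAME in the gss_import_name call at the top of the second hunk here, while the other programs touched by this commit (t_export_name, t_gssexts, t_imp_cred) switch to the shared import_name() and its p:/h:/u: prefixes, so this program keeps the old bare-principal argument convention. If that is deliberate, a one-line comment such as `/* The principal is taken bare (no p: prefix), unlike the other test programs. */` above the call would stop the next reader from assuming an oversight; otherwise `service = import_name(argv[1]);` would align it with the rest. The buf setup feeding this call lies outside the hunk.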
@@ -25,80 +25,8 @@ #include <stdio.h> #include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <gssapi/gssapi_krb5.h> - -static gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" }; -static gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" }; -static gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 }; -static gss_OID_set_desc mechset_spnego = { 1, &mech_spnego }; - -static void -display_status_1(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -/* If maj_stat indicates an error, display an error message (containing msg) - * and exit. */ -static void -check_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - if (GSS_ERROR(maj_stat)) { - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); - exit(1); - } -} - -/* Display an error message and exit. */ -static void -errout(const char *msg) -{ - fprintf(stderr, "%s\n", msg); - exit(1); -} - -/* Import a GSSAPI name based on a string of the form 'u:username', - * 'p:principalname', or 'h:host@service' (or just 'h:service'). 
*/ -static gss_name_t -import_name(const char *str) -{ - OM_uint32 major, minor; - gss_name_t name; - gss_buffer_desc buf; - gss_OID nametype = NULL; - - if (*str == 'u') - nametype = GSS_C_NT_USER_NAME; - else if (*str == 'p') - nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME; - else if (*str == 'h') - nametype = GSS_C_NT_HOSTBASED_SERVICE; - if (nametype == NULL || str[1] != ':') - errout("names must begin with u: or p: or h:"); - buf.value = (char *)str + 2; - buf.length = strlen(str) - 2; - major = gss_import_name(&minor, &buf, nametype, &name); - check_gsserr("gss_import_name", major, minor); - return name; -} +#include "common.h" /* Display a usage error message and exit. */ static void diff --git a/src/tests/gssapi/t_export_name.c b/src/tests/gssapi/t_export_name.c index d765e28fb..676ac54be 100644 --- a/src/tests/gssapi/t_export_name.c +++ b/src/tests/gssapi/t_export_name.c 
@@ -41,55 +41,12 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_krb5.h> - -static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; - -static void -display_status_1(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} +#include "common.h" static void -gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) +usage(void) { - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); - exit(1); -} - -static void -print_hex(FILE *fp, gss_buffer_t buf) -{ - size_t i; - const unsigned char *bytes = buf->value; - - for (i = 0; i < buf->length; i++) - printf("%02X", bytes[i]); - printf("\n"); -} - -static void -usage(const char *progname) -{ - fprintf(stderr, - "Usage: %s [-k|-s] user:username|krb5:princ|gss:service@host\n", - progname); + fprintf(stderr, "Usage: t_export_name [-k|-s] name\n"); exit(1); } 
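Review bot: The new usage string `fprintf(stderr, "Usage: t_export_name [-k|-s] name\n");` drops the description of the name syntax that the old message carried, and the u:/p:/h: prefixes the program now requires through import_name() are not documented anywhere visible in this file. Consider `fprintf(stderr, "Usage: t_export_name [-k|-s] u:user|p:princ|h:service@host\n");` so that a rejected prefix is self-explanatory to someone running the program by hand.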
@@ -97,60 +54,41 @@ int main(int argc, char *argv[]) { OM_uint32 minor, major; - gss_OID mech = (gss_OID)gss_mech_krb5, nametype = NULL; + gss_OID mech = (gss_OID)gss_mech_krb5; gss_name_t name, mechname, impname; gss_buffer_desc buf, buf2; - const char *name_arg, *progname = argv[0]; + const char *name_arg; char opt; + /* Parse arguments. */ while (argc > 1 && argv[1][0] == '-') { opt = argv[1][1]; argc--, argv++; if (opt == 'k') - mech = (gss_OID)gss_mech_krb5; + mech = &mech_krb5; else if (opt == 's') - mech = &spnego_mech; + mech = &mech_spnego; else - usage(progname); + usage(); } if (argc != 2) - usage(progname); + usage(); name_arg = argv[1]; /* Import the name. */ - if (strncmp(name_arg, "user:", 5) == 0) { - nametype = GSS_C_NT_USER_NAME; - name_arg += 5; - } else if (strncmp(name_arg, "krb5:", 5) == 0) { - nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME; - name_arg += 5; - } else if (strncmp(name_arg, "host:", 5) == 0) { - nametype = GSS_C_NT_HOSTBASED_SERVICE; - name_arg += 5; - } else { - usage(progname); - } - buf.value = (char *)name_arg; - buf.length = strlen(name_arg); - major = gss_import_name(&minor, &buf, nametype, &name); - if (GSS_ERROR(major)) - gsserr("gss_import_name", major, minor); + name = import_name(name_arg); /* Canonicalize and export the name. */ major = gss_canonicalize_name(&minor, name, mech, &mechname); - if (GSS_ERROR(major)) - gsserr("gss_canonicalize_name", major, minor); + check_gsserr("gss_canonicalize_name", major, minor); major = gss_export_name(&minor, mechname, &buf); - if (GSS_ERROR(major)) - gsserr("gss_export_name", major, minor); + check_gsserr("gss_export_name", major, minor); /* Import and re-export the name, and compare the results. 
*/ major = gss_import_name(&minor, &buf, GSS_C_NT_EXPORT_NAME, &impname); - if (GSS_ERROR(major)) - gsserr("gss_export_name", major, minor); + check_gsserr("gss_export_name", major, minor); major = gss_export_name(&minor, impname, &buf2); - if (GSS_ERROR(major)) - gsserr("gss_export_name", major, minor); + check_gsserr("gss_export_name", major, minor); if (buf.length != buf2.length || memcmp(buf.value, buf2.value, buf.length) != 0) { fprintf(stderr, "Mismatched results:\n"); diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index d3dd881bc..b21380f08 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -3,7 +3,7 @@ from k5test import * # Test krb5 negotiation under SPNEGO for all enctype configurations. for realm in multipass_realms(): - realm.run_as_client(['./t_spnego', realm.host_princ, realm.keytab]) + realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab]) ### Test acceptor name behavior. 
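Review bot: The check following the re-import call `gss_import_name(&minor, &buf, GSS_C_NT_EXPORT_NAME, &impname)` still reads `check_gsserr("gss_export_name", major, minor);`, so a failure to import the exported-name token would be reported as a gss_export_name error. The label was already wrong before this commit, but since the line is rewritten here it should become `check_gsserr("gss_import_name", major, minor);`. The end of main is outside the hunk.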
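Review bot: `['./t_spnego','p:' + realm.host_princ, realm.keytab]` is missing the space after the first comma, which is inconsistent with every other argument list in this file; `['./t_spnego', 'p:' + realm.host_princ, realm.keytab]` matches the surrounding style.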
@@ -24,16 +24,16 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew') # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). -output = realm.run_as_client(['./t_accname', 'service1/andrew']) +output = realm.run_as_client(['./t_accname', 'p:service1/andrew']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'service1/barack']) +output = realm.run_as_client(['./t_accname', 'p:service1/barack']) if 'service1/barack' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'service2/calvin']) +output = realm.run_as_client(['./t_accname', 'p:service2/calvin']) if 'service2/calvin' not in output: fail('Expected service1/barack in t_accname output') -output = realm.run_as_client(['./t_accname', 'service2/dwight'], +output = realm.run_as_client(['./t_accname', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') 
@@ -41,39 +41,41 @@ if 'Wrong principal in request' not in output: # Test with acceptor name containing service only, including # client/keytab hostname mismatch (non-fatal) and service name # mismatch (fatal). -output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service1']) +output = realm.run_as_client(['./t_accname', 'p:service1/andrew', + 'h:service1']) if 'service1/abraham' not in output: fail('Expected service1/abraham in t_accname output') -output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service2'], - expected_code=1) +output = realm.run_as_client(['./t_accname', 'p:service1/andrew', + 'h:service2'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') -output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service2']) +output = realm.run_as_client(['./t_accname', 'p:service2/calvin', + 'h:service2']) if 'service2/calvin' not in output: fail('Expected service2/calvin in t_accname output') -output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service1'], - expected_code=1) +output = realm.run_as_client(['./t_accname', 'p:service2/calvin', + 'h:service1'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test with acceptor name containing service and host. Use the # client's un-canonicalized hostname as acceptor input to mirror what # many servers do. 
-output = realm.run_as_client(['./t_accname', realm.host_princ, - 'host@%s' % socket.gethostname()]) +output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ, + 'h:host@%s' % socket.gethostname()]) if realm.host_princ not in output: fail('Expected %s in t_accname output' % realm.host_princ) -output = realm.run_as_client(['./t_accname', 'host/-nomatch-', - 'host@%s' % socket.gethostname()], +output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_accname output') # Test krb5_gss_import_cred. -realm.run_as_client(['./t_imp_cred', 'service1/barack']) -realm.run_as_client(['./t_imp_cred', 'service1/barack', 'service1/barack']) -realm.run_as_client(['./t_imp_cred', 'service1/andrew', 'service1/abraham']) -output = realm.run_as_client(['./t_imp_cred', 'service2/dwight'], +realm.run_as_client(['./t_imp_cred', 'p:service1/barack']) +realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) +realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) +output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'], expected_code=1) if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_imp_cred output') @@ -94,7 +96,7 @@ if 'Cred Store Success' not in output: # Verify that we can't acquire acceptor creds without a keytab. os.remove(realm.keytab) -output = realm.run_as_client(['./t_accname', 'abc'], expected_code=1) +output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1) if ('gss_acquire_cred: Keytab' not in output or 'nonexistent or empty' not in output): fail('Expected error message not seen for nonexistent keytab') 
@@ -108,8 +110,8 @@ ignore_conf = { 'all' : { 'libdefaults' : { realm = K5Realm(krb5_conf=ignore_conf) realm.run_kadminl('addprinc -randkey host/-nomatch-') realm.run_kadminl('xst host/-nomatch-') -output = realm.run_as_client(['./t_accname', 'host/-nomatch-', - 'host@%s' % socket.gethostname()]) +output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()]) if 'host/-nomatch-' not in output: fail('Expected host/-nomatch- in t_accname output') @@ -157,16 +159,16 @@ if realm.host_princ not in output: fail('Expected %s in t_inq_cred output' % realm.host_princ) # Test gss_export_name behavior. -out = realm.run_as_client(['./t_export_name', 'user:x']) +out = realm.run_as_client(['./t_export_name', 'u:x']) if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n': fail('Unexpected output from t_export_name (krb5 username)') -output = realm.run_as_client(['./t_export_name', '-s', 'user:xyz']) +output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz']) if output != '0401000806062B06010505020000000378797A\n': fail('Unexpected output from t_export_name (SPNEGO username)') -output = realm.run_as_client(['./t_export_name', 'krb5:a@b']) +output = realm.run_as_client(['./t_export_name', 'p:a@b']) if output != '0401000B06092A864886F71201020200000003614062\n': fail('Unexpected output from t_export_name (krb5 principal)') -output = realm.run_as_client(['./t_export_name', '-s', 'krb5:a@b']) +output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b']) if output != '0401000806062B060105050200000003614062\n': fail('Unexpected output from t_export_name (SPNEGO krb5 principal)') diff --git a/src/tests/gssapi/t_gssexts.c b/src/tests/gssapi/t_gssexts.c index 059f63340..d008c0862 100644 --- a/src/tests/gssapi/t_gssexts.c +++ b/src/tests/gssapi/t_gssexts.c 
@@ -27,7 +27,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
 
 /*
  * Test program for protocol transition (S4U2Self) and constrained delegation
@@ -53,94 +53,17 @@ * Usage eg: * * kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU' - * ./t_s4u delegtest@WIN.MIT.EDU HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab + * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab */ -static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; - static int use_spnego = 0; static void -displayStatus_1(char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void -displayStatus(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE); - displayStatus_1(msg, min_stat, GSS_C_MECH_CODE); -} - -static OM_uint32 -displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag) -{ - gss_name_t canon; - OM_uint32 major, tmp_minor; - gss_buffer_desc buf; - - major = gss_canonicalize_name(minor, name, - (gss_OID)gss_mech_krb5, &canon); - if (GSS_ERROR(major)) { - displayStatus("gss_canonicalize_name", major, *minor); - return major; - } - - major = gss_display_name(minor, canon, &buf, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_display_name", major, *minor); - gss_release_name(&tmp_minor, &canon); - return major; - } - - printf("%s:\t%s\n", tag, (char *)buf.value); - - gss_release_buffer(&tmp_minor, &buf); - gss_release_name(&tmp_minor, &canon); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -displayOID(OM_uint32 *minor, gss_OID oid, char *tag) -{ - OM_uint32 major, tmp_minor; - gss_buffer_desc buf; - - major = gss_oid_to_str(minor, oid, &buf); - if (GSS_ERROR(major)) { - displayStatus("gss_oid_to_str", major, *minor); - return major; - } - - printf("%s:\t%s\n", tag, (char *)buf.value); - - 
gss_release_buffer(&tmp_minor, &buf); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -testPrf(OM_uint32 *minor, gss_ctx_id_t initiatorContext, - gss_ctx_id_t acceptorContext, int flags) +test_prf(gss_ctx_id_t initiatorContext, gss_ctx_id_t acceptorContext, + int flags) { gss_buffer_desc constant; - OM_uint32 major, tmp_minor; + OM_uint32 major, minor; unsigned int i; gss_buffer_desc initiatorPrf; gss_buffer_desc acceptorPrf; 
@@ -151,207 +74,124 @@ testPrf(OM_uint32 *minor, gss_ctx_id_t initiatorContext, initiatorPrf.value = NULL; acceptorPrf.value = NULL; - major = gss_pseudo_random(minor, initiatorContext, flags, - &constant, 19, &initiatorPrf); - if (GSS_ERROR(major)) { - displayStatus("gss_pseudo_random", major, *minor); - return major; - } + major = gss_pseudo_random(&minor, initiatorContext, flags, &constant, 19, + &initiatorPrf); + check_gsserr("gss_pseudo_random", major, minor); printf("%s\n", flags == GSS_C_PRF_KEY_FULL ? "PRF_KEY_FULL" : "PRF_KEY_PARTIAL"); printf("Initiator PRF: "); - for (i = 0; i < initiatorPrf.length; i++) { + for (i = 0; i < initiatorPrf.length; i++) printf("%02x ", ((char *)initiatorPrf.value)[i] & 0xFF); - } printf("\n"); - major = gss_pseudo_random(minor, acceptorContext, flags, - &constant, 19, &acceptorPrf); - if (GSS_ERROR(major)) { - displayStatus("gss_pseudo_random", major, *minor); - gss_release_buffer(&tmp_minor, &initiatorPrf); - return major; - } + major = gss_pseudo_random(&minor, acceptorContext, flags, &constant, 19, + &acceptorPrf); + check_gsserr("gss_pseudo_random", major, minor); printf("Acceptor PRF: "); - for (i = 0; i < acceptorPrf.length; i++) { + for (i = 0; i < acceptorPrf.length; i++) printf("%02x ", ((char *)acceptorPrf.value)[i] & 0xFF); - } printf("\n"); if (acceptorPrf.length != initiatorPrf.length || memcmp(acceptorPrf.value, initiatorPrf.value, initiatorPrf.length)) { fprintf(stderr, "Initiator and acceptor PRF output does not match\n"); - major = GSS_S_FAILURE; + exit(1); } - gss_release_buffer(&tmp_minor, &initiatorPrf); - gss_release_buffer(&tmp_minor, &acceptorPrf); - - return major; + (void)gss_release_buffer(&minor, &initiatorPrf); + (void)gss_release_buffer(&minor, &acceptorPrf); } -static OM_uint32 -initAcceptSecContext(OM_uint32 *minor, gss_cred_id_t claimant_cred_handle, - gss_cred_id_t verifier_cred_handle, - gss_cred_id_t *deleg_cred_handle) +static void +init_accept_sec_context(gss_cred_id_t 
claimant_cred_handle, + gss_cred_id_t verifier_cred_handle, + gss_cred_id_t *deleg_cred_handle) { - OM_uint32 major, tmp_minor; - gss_buffer_desc token, tmp; + OM_uint32 major, minor; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER; + gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; - gss_name_t source_name = GSS_C_NO_NAME; - gss_name_t target_name = GSS_C_NO_NAME; OM_uint32 time_rec; - gss_OID mech = GSS_C_NO_OID; - - token.value = NULL; - token.length = 0; - - tmp.value = NULL; - tmp.length = 0; + gss_OID mech; *deleg_cred_handle = GSS_C_NO_CREDENTIAL; - major = gss_inquire_cred(minor, verifier_cred_handle, - &target_name, NULL, NULL, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_cred", major, *minor); - return major; - } - - displayCanonName(minor, target_name, "Target name"); + major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL, + NULL, NULL); + check_gsserr("gss_inquire_cred", major, minor); + display_canon_name("Target name", target_name, &mech_krb5); - mech = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5; - displayOID(minor, mech, "Target mech"); + mech = use_spnego ? 
&mech_spnego : &mech_krb5; + display_oid("Target mech", mech); - major = gss_init_sec_context(minor, - claimant_cred_handle, - &initiator_context, - target_name, - mech, + major = gss_init_sec_context(&minor, claimant_cred_handle, + &initiator_context, target_name, mech, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, - NULL, - &token, - NULL, + GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, + GSS_C_NO_BUFFER, NULL, &token, NULL, &time_rec); + (void)gss_release_name(&minor, &target_name); + check_gsserr("gss_init_sec_context", major, minor); - if (target_name != GSS_C_NO_NAME) - (void) gss_release_name(&tmp_minor, &target_name); - - if (GSS_ERROR(major)) { - displayStatus("gss_init_sec_context", major, *minor); - return major; - } - - mech = GSS_C_NO_OID; - - major = gss_accept_sec_context(minor, - &acceptor_context, - verifier_cred_handle, - &token, - GSS_C_NO_CHANNEL_BINDINGS, - &source_name, - &mech, - &tmp, - NULL, - &time_rec, + major = gss_accept_sec_context(&minor, &acceptor_context, + verifier_cred_handle, &token, + GSS_C_NO_CHANNEL_BINDINGS, &source_name, + NULL, &tmp, NULL, &time_rec, deleg_cred_handle); + check_gsserr("gss_accept_sec_context", major, minor); - if (GSS_ERROR(major)) - displayStatus("gss_accept_sec_context", major, *minor); - else { - testPrf(minor, initiator_context, acceptor_context, GSS_C_PRF_KEY_FULL); - testPrf(minor, initiator_context, acceptor_context, GSS_C_PRF_KEY_PARTIAL); - } - - (void) gss_release_name(&tmp_minor, &source_name); - (void) gss_delete_sec_context(&tmp_minor, &acceptor_context, NULL); - (void) gss_delete_sec_context(minor, &initiator_context, NULL); - (void) gss_release_buffer(&tmp_minor, &token); - (void) gss_release_buffer(&tmp_minor, &tmp); - (void) gss_release_oid(&tmp_minor, &mech); + test_prf(initiator_context, acceptor_context, GSS_C_PRF_KEY_FULL); + test_prf(initiator_context, acceptor_context, GSS_C_PRF_KEY_PARTIAL); - return major; + 
(void)gss_release_name(&minor, &source_name); + (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); + (void)gss_release_buffer(&minor, &token); + (void)gss_release_buffer(&minor, &tmp); } -static OM_uint32 -getDefaultCred(OM_uint32 *minor, const char *keytab_name, gss_OID_set mechs, - gss_cred_id_t *impersonator_cred_handle) +static void +get_default_cred(const char *keytab_name, gss_OID_set mechs, + gss_cred_id_t *impersonator_cred_handle) { - OM_uint32 major = GSS_S_FAILURE, tmp_minor; - - if (keytab_name) { - krb5_error_code code; - krb5_context context = NULL; - krb5_keytab keytab = NULL; - krb5_principal keytab_principal = NULL; - krb5_ccache ccache = NULL; - - code = krb5_init_context(&context); - if (code) { - displayStatus("krb5_init_context", major, code); - return major; - } - - code = krb5_kt_resolve(context, keytab_name, &keytab); - if (code) { - displayStatus("krb5_kt_resolve", major, code); - goto out; - } - - code = krb5_cc_default(context, &ccache); - if (code) { - displayStatus("krb5_cc_default", major, code); - goto out; - } - - code = krb5_cc_get_principal(context, ccache, &keytab_principal); - if (code) { - displayStatus("krb5_cc_get_principal", major, code); - goto out; - } - - major = gss_krb5_import_cred(minor, - ccache, - keytab_principal, - keytab, + OM_uint32 major = GSS_S_FAILURE, minor; + krb5_error_code ret; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + krb5_principal keytab_principal = NULL; + krb5_ccache ccache = NULL; + + if (keytab_name != NULL) { + ret = krb5_init_context(&context); + check_k5err(context, "krb5_init_context", ret); + + ret = krb5_kt_resolve(context, keytab_name, &keytab); + check_k5err(context, "krb5_kt_resolve", ret); + + ret = krb5_cc_default(context, &ccache); + check_k5err(context, "krb5_cc_default", ret); + + ret = krb5_cc_get_principal(context, ccache, &keytab_principal); + check_k5err(context, 
"krb5_cc_get_principal", ret); + + major = gss_krb5_import_cred(&minor, ccache, keytab_principal, keytab, impersonator_cred_handle); - if (GSS_ERROR(major)) { - displayStatus("gss_krb5_import_cred", major, *minor); - goto out; - } - - out: - if (code) - *minor = code; + check_gsserr("gss_krb5_import_cred", major, minor); + krb5_free_principal(context, keytab_principal); krb5_cc_close(context, ccache); krb5_kt_close(context, keytab); krb5_free_context(context); } else { - gss_OID_set actual_mechs = GSS_C_NO_OID_SET; - - major = gss_acquire_cred(minor, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - mechs, - GSS_C_BOTH, - impersonator_cred_handle, - &actual_mechs, - NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_acquire_cred", major, *minor); - } - (void) gss_release_oid_set(&tmp_minor, &actual_mechs); + major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, + mechs, GSS_C_BOTH, impersonator_cred_handle, + NULL, NULL); + check_gsserr("gss_acquire_cred", major, minor); } - - return major; } int @@ -362,9 +202,7 @@ main(int argc, char *argv[]) gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL; gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME; - gss_OID_set_desc mechs; - gss_OID_set actual_mechs = GSS_C_NO_OID_SET; - gss_buffer_desc buf; + gss_OID_set mechs, actual_mechs = GSS_C_NO_OID_SET; uid_t uid; if (argc < 2 || argc > 5) { 
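Review bot: In get_default_cred the declaration `OM_uint32 major = GSS_S_FAILURE, minor;` keeps an initializer that no longer means anything: the function is now void and both branches assign major from a GSS call before check_gsserr reads it, so the GSS_S_FAILURE value is dead. `OM_uint32 major, minor;` would match test_prf and init_accept_sec_context in the same hunk. Separately, the first `check_k5err(context, "krb5_init_context", ret);` in that function is reached with `context` still NULL when krb5_init_context fails; that relies on check_k5err tolerating a NULL context, which common.c (not in this view) presumably handles as the old exit_kerr(NULL, ...) did, but it is worth confirming.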
@@ -380,93 +218,45 @@ main(int argc, char *argv[]) argv++; } - buf.value = argv[1]; - buf.length = strlen((char *)buf.value); - - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &user); + user = import_name(argv[1]); major = gss_pname_to_uid(&minor, user, NULL, &uid); - if (GSS_ERROR(major)) { - displayStatus("gss_pname_to_uid(user)", major, minor); - goto out; - } + check_gsserr("gss_pname_to_uid(user)", major, minor); - if (argc > 2 && strcmp(argv[2], "-")) { - buf.value = argv[2]; - buf.length = strlen((char *)buf.value); - - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &target); - if (GSS_ERROR(major)) { - displayStatus("gss_import_name(target)", major, minor); - goto out; - } - } else { - target = GSS_C_NO_NAME; - } + if (argc > 2 && strcmp(argv[2], "-") != 0) + target = import_name(argv[2]); - mechs.elements = use_spnego ? (gss_OID)&spnego_mech : - (gss_OID)gss_mech_krb5; - mechs.count = 1; + mechs = use_spnego ? &mechset_spnego : &mechset_krb5; - major = getDefaultCred(&minor, - argc > 3 ? argv[3] : NULL, - &mechs, - &impersonator_cred_handle); - if (GSS_ERROR(major)) - goto out; + get_default_cred((argc > 3) ? 
argv[3] : NULL, mechs, + &impersonator_cred_handle); printf("Protocol transition tests follow\n"); printf("-----------------------------------\n\n"); /* get S4U2Self cred */ - major = gss_acquire_cred_impersonate_name(&minor, - impersonator_cred_handle, - user, - GSS_C_INDEFINITE, - &mechs, + major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, + user, GSS_C_INDEFINITE, mechs, GSS_C_INITIATE, - &user_cred_handle, - &actual_mechs, + &user_cred_handle, &actual_mechs, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_acquire_cred_impersonate_name", major, minor); - goto out; - } + check_gsserr("gss_acquire_cred_impersonate_name", major, minor); /* Try to store it in default ccache */ - major = gss_store_cred(&minor, - user_cred_handle, - GSS_C_INITIATE, - &mechs.elements[0], - 1, - 1, - NULL, - NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_store_cred", major, minor); - goto out; - } + major = gss_store_cred(&minor, user_cred_handle, GSS_C_INITIATE, + &mechs->elements[0], 1, 1, NULL, NULL); + check_gsserr("gss_store_cred", major, minor); - major = initAcceptSecContext(&minor, - user_cred_handle, - impersonator_cred_handle, - &delegated_cred_handle); - if (GSS_ERROR(major)) - goto out; + init_accept_sec_context(user_cred_handle, impersonator_cred_handle, + &delegated_cred_handle); printf("\n"); -out: - (void) gss_release_name(&minor, &user); - (void) gss_release_name(&minor, &target); - (void) gss_release_cred(&minor, &delegated_cred_handle); - (void) gss_release_cred(&minor, &impersonator_cred_handle); - (void) gss_release_cred(&minor, &user_cred_handle); - (void) gss_release_oid_set(&minor, &actual_mechs); - - return GSS_ERROR(major) ? 
1 : 0; + (void)gss_release_name(&minor, &user); + (void)gss_release_name(&minor, &target); + (void)gss_release_cred(&minor, &delegated_cred_handle); + (void)gss_release_cred(&minor, &impersonator_cred_handle); + (void)gss_release_cred(&minor, &user_cred_handle); + (void)gss_release_oid_set(&minor, &actual_mechs); + return 0; } diff --git a/src/tests/gssapi/t_imp_cred.c b/src/tests/gssapi/t_imp_cred.c index 2818b22fd..8e00daefd 100644 --- a/src/tests/gssapi/t_imp_cred.c +++ b/src/tests/gssapi/t_imp_cred.c 
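Review bot: `target = import_name(argv[2]);` parses the optional second argument, but within this hunk the resulting name is only ever released at the end of main; nothing passes it to a GSS call, so a bad target name fails at import time and a good one is otherwise ignored. If the argument is kept for the constrained-delegation tests the file header describes, a comment like `/* target is validated but not yet used by the transition tests below. */` would make that explicit; if not, the parse and the matching gss_release_name could be dropped. The option loop at the start of main is outside the hunk, so I cannot see whether target is used there.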
@@ -39,102 +39,51 @@ #include "k5-platform.h" #include <krb5.h> -#include <gssapi/gssapi_krb5.h> -static void -display_status(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void -exit_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - display_status(msg, maj_stat, GSS_C_GSS_CODE); - display_status(msg, min_stat, GSS_C_MECH_CODE); - exit(1); -} - -static void -exit_kerr(krb5_context context, const char *msg, krb5_error_code code) -{ - const char *errmsg; - - errmsg = krb5_get_error_message(context, code); - printf("%s: %s\n", msg, errmsg); - krb5_free_error_message(context, errmsg); - exit(1); -} +#include "common.h" int main(int argc, char *argv[]) { OM_uint32 minor, major; gss_cred_id_t initiator_cred, acceptor_cred; - gss_buffer_desc buf, token, tmp; + gss_buffer_desc token, tmp; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; gss_name_t target_name; - krb5_context context; + krb5_context context = NULL; krb5_ccache cc; krb5_keytab kt; krb5_principal princ = NULL; krb5_error_code ret; if (argc < 2 || argc > 3) { - fprintf(stderr, "Usage: %s targetprinc [acceptorprinc]\n", argv[0]); + fprintf(stderr, "Usage: %s targetname [acceptorprinc]\n", argv[0]); return 1; } - /* Import the target name as a krb5 principal name. */ - buf.value = argv[1]; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &target_name); - if (GSS_ERROR(major)) { - display_status("gss_import_name", major, minor); - return 1; - } + /* Import the target name. 
*/ + target_name = import_name(argv[1]); /* Acquire the krb5 objects we need. */ ret = krb5_init_context(&context); - if (ret) - exit_kerr(NULL, "krb5_init_context", ret); + check_k5err(context, "krb5_init_context", ret); ret = krb5_cc_default(context, &cc); - if (ret) - exit_kerr(context, "krb5_cc_default", ret); + check_k5err(context, "krb5_cc_default", ret); ret = krb5_kt_default(context, &kt); - if (ret) - exit_kerr(context, "krb5_kt_default", ret); + check_k5err(context, "krb5_kt_default", ret); if (argc >= 3) { ret = krb5_parse_name(context, argv[2], &princ); - if (ret) - exit_kerr(context, "krb5_parse_name", ret); + check_k5err(context, "krb5_parse_name", ret); } /* Get initiator cred. */ major = gss_krb5_import_cred(&minor, cc, NULL, NULL, &initiator_cred); - if (GSS_ERROR(major)) - exit_gsserr("gss_krb5_import_cred (initiator)", major, minor); + check_gsserr("gss_krb5_import_cred (initiator)", major, minor); /* Get acceptor cred. */ major = gss_krb5_import_cred(&minor, NULL, princ, kt, &acceptor_cred); - if (GSS_ERROR(major)) - exit_gsserr("gss_krb5_import_cred (acceptor)", major, minor); + check_gsserr("gss_krb5_import_cred (acceptor)", major, minor); /* Create krb5 initiator context and get the first token. */ token.value = NULL; @@ -145,8 +94,7 @@ main(int argc, char *argv[]) GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &token, NULL, NULL); - if (GSS_ERROR(major)) - exit_gsserr("gss_init_sec_context", major, minor); + check_gsserr("gss_init_sec_context", major, minor); /* Pass the token to gss_accept_sec_context. */ tmp.value = NULL; 
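Review bot: The new usage string `"Usage: %s targetname [acceptorprinc]\n"` does not say that the first argument now goes through import_name() while the second is still parsed with krb5_parse_name as a bare principal, so the two positional arguments take different formats. Per the commit description import_name expects the prefixed form (p:, h: or u:), so a comment above `/* Import the target name. */` or a usage line like `"Usage: %s targetname(p:|h:|u:) [acceptorprinc]\n"` would make that visible to whoever runs the program by hand. Passing `context` (initialised to NULL) to check_k5err after a failed krb5_init_context relies on the library leaving the handle NULL on failure, which appears to hold but deserves a one-line comment. main's body continues outside the hunk.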
@@ -154,8 +102,7 @@ main(int argc, char *argv[]) major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred, &token, GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, &tmp, NULL, NULL, NULL); - if (major != GSS_S_COMPLETE) - exit_gsserr("gss_accept_sec_context", major, minor); + check_gsserr("gss_accept_sec_context", major, minor); krb5_cc_close(context, cc); krb5_kt_close(context, kt); diff --git a/src/tests/gssapi/t_imp_name.c b/src/tests/gssapi/t_imp_name.c index a51c98046..4fcd61b50 100644 --- a/src/tests/gssapi/t_imp_name.c +++ b/src/tests/gssapi/t_imp_name.c 
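Review bot: Replacing `if (major != GSS_S_COMPLETE)` with check_gsserr weakens the acceptor check: assuming check_gsserr tests GSS_ERROR(), a GSS_S_CONTINUE_NEEDED return now passes silently, so the test no longer verifies that the krb5 context is established in a single token exchange while the code that follows treats the context as complete. Keep the strict check after the call, e.g. `if (major != GSS_S_COMPLETE) { fprintf(stderr, "gss_accept_sec_context did not complete\n"); return 1; }`. main's body continues outside the hunk.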
@@ -21,130 +21,38 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + */ + +/* * Simple test program for testing how GSSAPI import name works. (May * be made into a more full-fledged test program later.) - * */ -#include <unistd.h> -#include <stdlib.h> #include <stdio.h> -#include <string.h> -#include <gssapi/gssapi.h> -#include <gssapi/gssapi_generic.h> - -#define GSSAPI_V2 -void display_status (char *, OM_uint32, OM_uint32); -static void display_status_1 (char *, OM_uint32, int); -static void display_buffer (gss_buffer_desc); -static int test_import_name (char *); -FILE *display_file; +#include "common.h" -int main(argc, argv) - int argc; - char **argv; +int +main(int argc, char **argv) { - int retval; - - display_file = stdout; - - retval = test_import_name("host@dcl.mit.edu"); - - return retval; -} - -static int test_import_name(name) - char *name; -{ - OM_uint32 maj_stat, min_stat; + const char *name = "host@dcl.mit.edu"; + OM_uint32 major, minor; gss_name_t gss_name; - gss_buffer_desc buffer_name; + gss_buffer_desc buf; gss_OID name_oid; - buffer_name.value = name; - buffer_name.length = strlen(name) + 1; - maj_stat = gss_import_name(&min_stat, &buffer_name, - (gss_OID) gss_nt_service_name, - &gss_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("parsing name", maj_stat, min_stat); - return -1; - } + gss_name = import_name(name); - maj_stat = gss_display_name(&min_stat, gss_name, &buffer_name, - &name_oid); - if (maj_stat != GSS_S_COMPLETE) { - display_status("displaying context", maj_stat, min_stat); - return -1; - } - printf("name is: "); - display_buffer(buffer_name); - printf("\n"); - (void) gss_release_buffer(&min_stat, &buffer_name); + major = gss_display_name(&minor, gss_name, &buf, &name_oid); + check_gsserr("gss_display_name", major, minor); + printf("name is: %.*s\n", (int)buf.length, (char *)buf.value); + 
(void)gss_release_buffer(&minor, &buf); - gss_oid_to_str(&min_stat, name_oid, &buffer_name); - printf("name type is: "); - display_buffer(buffer_name); - printf("\n"); - (void) gss_release_buffer(&min_stat, &buffer_name); -#ifdef GSSAPI_V2 - (void) gss_release_oid(&min_stat, &name_oid); -#endif - (void) gss_release_name(&min_stat, &gss_name); - return 0; -} - -static void display_buffer(buffer) - gss_buffer_desc buffer; -{ - char *namebuf; - - namebuf = malloc(buffer.length+1); - if (!namebuf) { - fprintf(stderr, "display_buffer: couldn't allocate buffer!\n"); - exit(1); - } - strncpy(namebuf, buffer.value, buffer.length); - namebuf[buffer.length] = '\0'; - printf("%s", namebuf); - free(namebuf); -} - -void display_status(msg, maj_stat, min_stat) - char *msg; - OM_uint32 maj_stat; - OM_uint32 min_stat; -{ - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); -} - -static void display_status_1(m, code, type) - char *m; - OM_uint32 code; - int type; -{ - OM_uint32 min_stat; - gss_buffer_desc msg; -#ifdef GSSAPI_V2 - OM_uint32 msg_ctx; -#else /* GSSAPI_V2 */ - int msg_ctx; -#endif /* GSSAPI_V2 */ - - msg_ctx = 0; - while (1) { - (void) gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - if (display_file) - fprintf(display_file, "GSS-API error %s: %s\n", m, - (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); + major = gss_oid_to_str(&minor, name_oid, &buf); + check_gsserr("gss_oid_to_str", major, minor); + printf("name type is: %.*s\n", (int)buf.length, (char *)buf.value); + (void)gss_release_buffer(&minor, &buf); + (void)gss_release_name(&minor, &gss_name); - if (!msg_ctx) - break; - } + return 0; } diff --git a/src/tests/gssapi/t_inq_cred.c b/src/tests/gssapi/t_inq_cred.c index ed93a6eaf..8dd331d67 100644 --- a/src/tests/gssapi/t_inq_cred.c +++ b/src/tests/gssapi/t_inq_cred.c 
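Review bot: The name literal `"host@dcl.mit.edu"` is handed to import_name() without the prefix the new common helper uses, so the name type may no longer be the host-based service type that the removed gss_import_name(..., gss_nt_service_name, ...) call selected; if import_name defaults to a different type for an unprefixed string, this test now exercises a different code path. Per the commit description the host-based form is h:, so `const char *name = "h:host@dcl.mit.edu";` looks like the intended value — please confirm against common.c. Dropping the gss_release_oid on the OID returned by gss_display_name is correct since that OID is read-only static storage; a comment `/* name_oid points at static storage; do not release it. */` would stop a future reader from reinstating the release.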
@@ -29,7 +29,7 @@ * script. Acquires credentials, inquires them, and prints the resulting name * and lifetime. * - * Usage: ./t_inq_cred [-k|-s] [-a|-b|-i] [initiatorprinc|gss:service@host] + * Usage: ./t_inq_cred [-k|-s] [-a|-b|-i] [initiatorname] * * By default no mechanism is specified when acquiring credentials; -k * indicates the krb5 mech and -s indicates SPNEGO. By default or with -i, @@ -43,44 +43,13 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_krb5.h> - -static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; - -static void -display_status_1(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} +#include "common.h" static void -gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); - exit(1); -} - -static void -usage(const char *progname) +usage(void) { fprintf(stderr, - "Usage: %s [-k|-s] [-a|-b|-i] [princ|gss:service@host]\n", - progname); + "Usage: t_inq_cred [-k|-s] [-a|-b|-i] [princ|gss:service@host]\n"); exit(1); } @@ -89,13 +58,11 @@ main(int argc, char *argv[]) { OM_uint32 minor, major, lifetime; gss_cred_usage_t cred_usage = GSS_C_INITIATE; - gss_OID mech = GSS_C_NO_OID; - gss_OID_set_desc mechs; - gss_OID_set mechset = GSS_C_NO_OID_SET; + gss_OID_set mechs = GSS_C_NO_OID_SET; gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; gss_name_t name = GSS_C_NO_NAME; gss_buffer_desc buf; - const char *name_arg = NULL, *progname = argv[0]; + const char *name_arg = NULL; char opt; while (argc > 1 && argv[1][0] == '-') { 
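Review bot: The usage string in usage(), `"Usage: t_inq_cred [-k|-s] [-a|-b|-i] [princ|gss:service@host]\n"`, still advertises the old gss: prefix although the hunk at `@@ -108,60 +75,36 @@` removes the gss: parsing and hands the argument to import_name(); it also no longer agrees with the header comment in the first hunk, which now says `[initiatorname]`. Change it to `"Usage: t_inq_cred [-k|-s] [-a|-b|-i] [initiatorname]\n"` and describe the p:/h:/u: name form in the header comment so a user of the old form sees why the argument is rejected. Hardcoding the program name instead of argv[0] is a fair simplification, but it becomes misleading if the binary is ever renamed.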
@@ -108,60 +75,36 @@ main(int argc, char *argv[]) else if (opt == 'i') cred_usage = GSS_C_INITIATE; else if (opt == 'k') - mech = (gss_OID)gss_mech_krb5; + mechs = &mechset_krb5; else if (opt == 's') - mech = &spnego_mech; + mechs = &mechset_spnego; else - usage(progname); + usage(); } if (argc > 2) - usage(progname); + usage(); if (argc > 1) name_arg = argv[1]; /* Import the name, if given. */ - if (name_arg != NULL && strncmp(name_arg, "gss:", 4) == 0) { - /* Import as host-based service. */ - buf.value = (char *)name_arg + 4; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, GSS_C_NT_HOSTBASED_SERVICE, - &name); - if (GSS_ERROR(major)) - gsserr("gss_import_name", major, minor); - } else if (name_arg != NULL) { - /* Import as krb5 principal name. */ - buf.value = (char *)name_arg; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &name); - if (GSS_ERROR(major)) - gsserr("gss_import_name", major, minor); - } - - if (mech != GSS_C_NO_OID) { - mechs.elements = mech; - mechs.count = 1; - mechset = &mechs; - } + if (name_arg != NULL) + name = import_name(name_arg); /* Acquire a credential. */ - major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechset, - cred_usage, &cred, NULL, NULL); - if (GSS_ERROR(major)) - gsserr("gss_acquire_cred", major, minor); + major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechs, cred_usage, + &cred, NULL, NULL); + check_gsserr("gss_acquire_cred", major, minor); /* Inquire about the credential. */ (void)gss_release_name(&minor, &name); major = gss_inquire_cred(&minor, cred, &name, &lifetime, NULL, NULL); - if (GSS_ERROR(major)) - gsserr("gss_inquire_cred", major, minor); + check_gsserr("gss_inquire_cred", major, minor); /* Get a display form of the name. 
*/ buf.value = NULL; buf.length = 0; major = gss_display_name(&minor, name, &buf, NULL); - if (GSS_ERROR(major)) - gsserr("gss_display_name", major, minor); + check_gsserr("gss_display_name", major, minor); printf("name: %.*s\n", (int)buf.length, (char *)buf.value); printf("lifetime: %d\n", (int)lifetime); diff --git a/src/tests/gssapi/t_namingexts.c b/src/tests/gssapi/t_namingexts.c index 86d276e22..7d06f337f 100644 --- a/src/tests/gssapi/t_namingexts.c +++ b/src/tests/gssapi/t_namingexts.c 
@@ -27,280 +27,90 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_krb5.h> -#include <gssapi/gssapi_generic.h> - -static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; +#include "common.h" static int use_spnego = 0; -static void displayStatus_1(m, code, type) - char *m; - OM_uint32 code; - int type; -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void displayStatus(msg, maj_stat, min_stat) - char *msg; - OM_uint32 maj_stat; - OM_uint32 min_stat; -{ - displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE); - displayStatus_1(msg, min_stat, GSS_C_MECH_CODE); -} - -static OM_uint32 -displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag) -{ - gss_name_t canon; - OM_uint32 major, tmp; - gss_buffer_desc buf; - - major = gss_canonicalize_name(minor, name, (gss_OID)gss_mech_krb5, &canon); - if (GSS_ERROR(major)) { - displayStatus("gss_canonicalize_name", major, *minor); - return major; - } - - major = gss_display_name(minor, canon, &buf, NULL); - if (GSS_ERROR(major)) { - gss_release_name(&tmp, &canon); - displayStatus("gss_display_name", major, *minor); - return major; - } - - printf("%s:\t%s\n", tag, (char *)buf.value); - - gss_release_name(&tmp, &canon); - gss_release_buffer(&tmp, &buf); - - return GSS_S_COMPLETE; -} - static void -dumpAttribute(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t attribute, - int noisy) -{ - OM_uint32 major, tmp; - gss_buffer_desc value; - gss_buffer_desc display_value; - int authenticated = 0; - int complete = 0; - int more = -1; - unsigned int i; - - while (more != 0) { - value.value = NULL; - display_value.value = NULL; - - major = gss_get_name_attribute(minor, - name, - attribute, - &authenticated, - 
&complete, - &value, - &display_value, - &more); - if (GSS_ERROR(major)) { - displayStatus("gss_get_name_attribute", major, *minor); - break; - } - - printf("Attribute %.*s %s %s\n\n%.*s\n", - (int)attribute->length, (char *)attribute->value, - authenticated ? "Authenticated" : "", - complete ? "Complete" : "", - (int)display_value.length, (char *)display_value.value); - - if (noisy) { - for (i = 0; i < value.length; i++) { - if ((i % 32) == 0) - printf("\n"); - printf("%02x", ((char *)value.value)[i] & 0xFF); - } - printf("\n\n"); - } - - gss_release_buffer(&tmp, &value); - gss_release_buffer(&tmp, &display_value); - } -} - -static OM_uint32 -enumerateAttributes(OM_uint32 *minor, - gss_name_t name, - int noisy) -{ - OM_uint32 major, tmp; - int name_is_MN; - gss_OID mech = GSS_C_NO_OID; - gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET; - unsigned int i; - - major = gss_inquire_name(minor, - name, - &name_is_MN, - &mech, - &attrs); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_name", major, *minor); - return major; - } - - if (attrs != GSS_C_NO_BUFFER_SET) { - for (i = 0; i < attrs->count; i++) - dumpAttribute(minor, name, &attrs->elements[i], noisy); - } - - gss_release_oid(&tmp, &mech); - gss_release_buffer_set(&tmp, &attrs); - - return major; -} - -static OM_uint32 -testExportImportName(OM_uint32 *minor, - gss_name_t name) +test_export_import_name(gss_name_t name) { - OM_uint32 major, tmp; - gss_buffer_desc exported_name; + OM_uint32 major, minor; + gss_buffer_desc exported_name = GSS_C_EMPTY_BUFFER; gss_name_t imported_name = GSS_C_NO_NAME; unsigned int i; - exported_name.value = NULL; - - major = gss_export_name_composite(minor, - name, - &exported_name); - if (GSS_ERROR(major)) { - displayStatus("gss_export_name_composite", major, *minor); - return major; - } + major = gss_export_name_composite(&minor, name, &exported_name); + check_gsserr("gss_export_name_composite", major, minor); printf("Exported name:\n"); - for (i = 0; i < exported_name.length; 
i++) { if ((i % 32) == 0) printf("\n"); printf("%02x", ((char *)exported_name.value)[i] & 0xFF); } - printf("\n"); - major = gss_import_name(minor, &exported_name, gss_nt_exported_name, + major = gss_import_name(&minor, &exported_name, GSS_C_NT_EXPORT_NAME, &imported_name); - if (GSS_ERROR(major)) { - displayStatus("gss_import_name", major, *minor); - gss_release_buffer(&tmp, &exported_name); - return major; - } - - gss_release_buffer(&tmp, &exported_name); + check_gsserr("gss_import_name", major, minor); + (void)gss_release_buffer(&minor, &exported_name); printf("\n"); - displayCanonName(minor, imported_name, "Re-imported name"); + display_canon_name("Re-imported name", imported_name, &mech_krb5); printf("Re-imported attributes:\n\n"); - major = enumerateAttributes(minor, imported_name, 0); + enumerate_attributes(imported_name, 0); - gss_release_name(&tmp, &imported_name); - - return major; + (void)gss_release_name(&minor, &imported_name); } -static OM_uint32 -testGreetAuthzData(OM_uint32 *minor, - gss_name_t name) +static void +test_greet_authz_data(gss_name_t name) { - OM_uint32 major; + OM_uint32 major, minor; gss_buffer_desc attr; gss_buffer_desc value; attr.value = "urn:greet:greeting"; attr.length = strlen((char *)attr.value); - major = gss_delete_name_attribute(minor, - name, - &attr); + major = gss_delete_name_attribute(&minor, name, &attr); if (major == GSS_S_UNAVAILABLE) { fprintf(stderr, "Warning: greet_client plugin not installed\n"); - return GSS_S_COMPLETE; - } else if (GSS_ERROR(major)) { - displayStatus("gss_delete_name_attribute", major, *minor); - return major; + exit(1); } + check_gsserr("gss_delete_name_attribute", major, minor); value.value = "Hello, acceptor world!"; value.length = strlen((char *)value.value); - - major = gss_set_name_attribute(minor, - name, - 1, - &attr, - &value); + major = gss_set_name_attribute(&minor, name, 1, &attr, &value); if (major == GSS_S_UNAVAILABLE) - return GSS_S_COMPLETE; - else if (GSS_ERROR(major)) - 
displayStatus("gss_set_name_attribute", major, *minor); - - return major; + return; + check_gsserr("gss_set_name_attribute", major, minor); } -static OM_uint32 -testMapNameToAny(OM_uint32 *minor, - gss_name_t name) +static void +test_map_name_to_any(gss_name_t name) { - OM_uint32 major; - OM_uint32 tmp_minor; + OM_uint32 major, minor; gss_buffer_desc type_id; krb5_pac pac; - krb5_context context; - krb5_error_code code; - size_t len; + krb5_context context = NULL; + krb5_error_code ret; + size_t len, i; krb5_ui_4 *types; type_id.value = "mspac"; type_id.length = strlen((char *)type_id.value); - major = gss_map_name_to_any(minor, - name, - 1, /* authenticated */ - &type_id, - (gss_any_t *)&pac); + major = gss_map_name_to_any(&minor, name, 1, &type_id, (gss_any_t *)&pac); if (major == GSS_S_UNAVAILABLE) - return GSS_S_COMPLETE; - else if (GSS_ERROR(major)) - displayStatus("gss_map_name_to_any", major, *minor); - - code = krb5_init_context(&context); - if (code != 0) { - gss_release_any_name_mapping(&tmp_minor, name, - &type_id, (gss_any_t *)&pac); - *minor = code; - return GSS_S_FAILURE; - } + return; + check_gsserr("gss_map_name_to_any", major, minor); - code = krb5_pac_get_types(context, pac, &len, &types); - if (code == 0) { - size_t i; + ret = krb5_init_context(&context); + check_k5err(context, "krb5_init_context", ret); + if (krb5_pac_get_types(context, pac, &len, &types) == 0) { printf("PAC buffer types:"); for (i = 0; i < len; i++) printf(" %d", types[i]); 
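Review bot: In test_greet_authz_data the GSS_S_UNAVAILABLE branch after gss_delete_name_attribute prints `Warning: greet_client plugin not installed` and then calls exit(1), so the message describes a warning while the behaviour is a hard failure; the old code returned success here, and the GSS_S_UNAVAILABLE branch after gss_set_name_attribute a few lines later still silently returns. Either make both branches fail, changing the message to `fprintf(stderr, "Error: greet_client plugin not installed\n");` and dropping the tolerant `return` after gss_set_name_attribute, or make both tolerant — as written the two checks disagree. In test_map_name_to_any the krb5_context from krb5_init_context is never freed; add `krb5_free_context(context);` after the gss_release_any_name_mapping call (this was also missing before the change).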
@@ -308,101 +118,62 @@ testMapNameToAny(OM_uint32 *minor, free(types); } - gss_release_any_name_mapping(&tmp_minor, name, - &type_id, (gss_any_t *)&pac); - - return GSS_S_COMPLETE; + (void)gss_release_any_name_mapping(&minor, name, &type_id, + (gss_any_t *)&pac); } -static OM_uint32 -initAcceptSecContext(OM_uint32 *minor, - gss_cred_id_t verifier_cred_handle) +static void +init_accept_sec_context(gss_cred_id_t verifier_cred_handle) { - OM_uint32 major; - gss_buffer_desc token, tmp; + OM_uint32 major, minor; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER; + gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; - gss_name_t source_name = GSS_C_NO_NAME; - gss_name_t target_name = GSS_C_NO_NAME; + gss_OID mech = use_spnego ? &mech_spnego : &mech_krb5; OM_uint32 time_rec; - token.value = NULL; - token.length = 0; - - tmp.value = NULL; - tmp.length = 0; - - major = gss_inquire_cred(minor, verifier_cred_handle, - &target_name, NULL, NULL, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_cred", major, *minor); - return major; - } + major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL, + NULL, NULL); + check_gsserr("gss_inquire_cred", major, minor); - displayCanonName(minor, target_name, "Target name"); + display_canon_name("Target name", target_name, &mech_krb5); - major = gss_init_sec_context(minor, - verifier_cred_handle, - &initiator_context, - target_name, - use_spnego ? 
- (gss_OID)&spnego_mech : - (gss_OID)gss_mech_krb5, + major = gss_init_sec_context(&minor, verifier_cred_handle, + &initiator_context, target_name, mech, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, - NULL, - &token, - NULL, + GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, + GSS_C_NO_BUFFER, NULL, &token, NULL, &time_rec); - - if (target_name != GSS_C_NO_NAME) - (void) gss_release_name(minor, &target_name); - - if (GSS_ERROR(major)) { - displayStatus("gss_init_sec_context", major, *minor); - return major; - } - - (void) gss_delete_sec_context(minor, &initiator_context, NULL); - - major = gss_accept_sec_context(minor, - &acceptor_context, - verifier_cred_handle, - &token, - GSS_C_NO_CHANNEL_BINDINGS, - &source_name, - NULL, - &tmp, - NULL, - &time_rec, - NULL); - - if (GSS_ERROR(major)) - displayStatus("gss_accept_sec_context", major, *minor); - else { - displayCanonName(minor, source_name, "Source name"); - enumerateAttributes(minor, source_name, 1); - testExportImportName(minor, source_name); - testMapNameToAny(minor, source_name); - } - - (void) gss_release_name(minor, &source_name); - (void) gss_delete_sec_context(minor, &acceptor_context, NULL); - (void) gss_release_buffer(minor, &token); - (void) gss_release_buffer(minor, &tmp); - - return major; + check_gsserr("gss_init_sec_context", major, minor); + + (void)gss_release_name(&minor, &target_name); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); + + major = gss_accept_sec_context(&minor, &acceptor_context, + verifier_cred_handle, &token, + GSS_C_NO_CHANNEL_BINDINGS, &source_name, + NULL, &tmp, NULL, &time_rec, NULL); + check_gsserr("gss_accept_sec_context", major, minor); + + display_canon_name("Source name", source_name, &mech_krb5); + enumerate_attributes(source_name, 1); + test_export_import_name(source_name); + test_map_name_to_any(source_name); + + (void)gss_release_name(&minor, &source_name); + 
(void)gss_delete_sec_context(&minor, &acceptor_context, NULL); + (void)gss_release_buffer(&minor, &token); + (void)gss_release_buffer(&minor, &tmp); } -int main(int argc, char *argv[]) +int +main(int argc, char *argv[]) { - OM_uint32 minor, major, tmp; + OM_uint32 minor, major; gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; - gss_OID_set_desc mechs; - gss_OID_set actual_mechs = GSS_C_NO_OID_SET; - gss_name_t name = GSS_C_NO_NAME; + gss_OID_set mechs, actual_mechs = GSS_C_NO_OID_SET; + gss_name_t tmp_name, name; if (argc > 1 && strcmp(argv[1], "--spnego") == 0) { use_spnego++; 
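Review bot: init_accept_sec_context has no header comment, yet it relies on a non-obvious shape: it runs one initiator step, deletes the initiator context before the acceptor step, never feeds the acceptor's output token `tmp` back, and with --spnego it depends on the acceptor completing on the first token. A comment such as `/* One init/accept round using the verifier's cred on both sides; the initiator context is discarded, so only the acceptor side is validated. */` above the definition would capture that. `time_rec` is filled in by both calls and never read; passing NULL for those out-parameters removes the dead variable. Since check_gsserr presumably only tests GSS_ERROR(), a GSS_S_CONTINUE_NEEDED from gss_accept_sec_context would proceed with `source_name` unset, so an explicit `if (major != GSS_S_COMPLETE)` failure after the accept call is worth adding.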
@@ -410,77 +181,38 @@ int main(int argc, char *argv[]) argv++; } - if (argc > 1) { - gss_buffer_desc name_buf; - gss_name_t tmp_name; - - name_buf.value = argv[1]; - name_buf.length = strlen(argv[1]); - - major = gss_import_name(&minor, &name_buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &tmp_name); - if (GSS_ERROR(major)) { - displayStatus("gss_import_name", major, minor); - goto out; - } - - major = gss_canonicalize_name(&minor, tmp_name, - (gss_OID)gss_mech_krb5, &name); - if (GSS_ERROR(major)) { - gss_release_name(&tmp, &tmp_name); - displayStatus("gss_canonicalze_name", major, minor); - goto out; - } - - gss_release_name(&tmp, &tmp_name); - - major = testGreetAuthzData(&minor, name); - if (GSS_ERROR(major)) - goto out; - } else { - fprintf(stderr, "Usage: %s [--spnego] [principal] [keytab]\n", argv[0]); + if (argc < 2) { + fprintf(stderr, "Usage: %s [--spnego] principal [keytab]\n", argv[0]); exit(1); } - if (argc > 2) { + tmp_name = import_name(argv[1]); + major = gss_canonicalize_name(&minor, tmp_name, &mech_krb5, &name); + check_gsserr("gss_canonicalze_name", major, minor); + (void)gss_release_name(&minor, &tmp_name); + + test_greet_authz_data(name); + + if (argc >= 3) { major = krb5_gss_register_acceptor_identity(argv[2]); - if (GSS_ERROR(major)) { - displayStatus("krb5_gss_register_acceptor_identity", major, minor); - goto out; - } + check_gsserr("krb5_gss_register_acceptor_identity", major, minor); } - - mechs.elements = use_spnego ? (gss_OID)&spnego_mech : - (gss_OID)gss_mech_krb5; - mechs.count = 1; + mechs = use_spnego ? 
&mechset_spnego : &mechset_krb5; /* get default cred */ - major = gss_acquire_cred(&minor, - name, - GSS_C_INDEFINITE, - &mechs, - GSS_C_BOTH, - &cred_handle, - &actual_mechs, - NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_acquire_cred", major, minor); - goto out; - } + major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechs, GSS_C_BOTH, + &cred_handle, &actual_mechs, NULL); + check_gsserr("gss_acquire_cred", major, minor); - (void) gss_release_oid_set(&minor, &actual_mechs); + (void)gss_release_oid_set(&minor, &actual_mechs); - major = initAcceptSecContext(&minor, cred_handle); - if (GSS_ERROR(major)) - goto out; + init_accept_sec_context(cred_handle); printf("\n"); -out: - (void) gss_release_cred(&tmp, &cred_handle); - (void) gss_release_oid_set(&tmp, &actual_mechs); - (void) gss_release_name(&tmp, &name); - - return GSS_ERROR(major) ? 1 : 0; + (void)gss_release_cred(&minor, &cred_handle); + (void)gss_release_oid_set(&minor, &actual_mechs); + (void)gss_release_name(&minor, &name); + return 0; } diff --git a/src/tests/gssapi/t_s4u.c b/src/tests/gssapi/t_s4u.c index ef9016640..62b97352b 100644 --- a/src/tests/gssapi/t_s4u.c +++ b/src/tests/gssapi/t_s4u.c @@ -23,12 +23,6 @@ * or implied warranty. */ -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include <gssapi/gssapi_krb5.h> - /* * Test program for protocol transition (S4U2Self) and constrained delegation * (S4U2Proxy) 
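Review bot: The added check label `check_gsserr("gss_canonicalze_name", major, minor);` misspells the function, so the error output will not match the API name a reader greps for; write `check_gsserr("gss_canonicalize_name", major, minor);`. The new usage line `"Usage: %s [--spnego] principal [keytab]\n"` is printed with argv[0] after the `argv++` that consumed --spnego, so the program name shown is wrong whenever the option is given; save argv[0] before the shift or hardcode the name as t_inq_cred now does. The first positional argument also goes through import_name(), so "principal" undersells the accepted p:/h:/u: form.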
@@ -53,192 +47,27 @@ * Usage eg: * * kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU' - * ./t_s4u delegtest@WIN.MIT.EDU HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab + * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab */ -static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; - -static int use_spnego = 0; - -static void displayStatus_1(m, code, type) - char *m; - OM_uint32 code; - int type; -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - printf("%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void displayStatus(msg, maj_stat, min_stat) - char *msg; - OM_uint32 maj_stat; - OM_uint32 min_stat; -{ - displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE); - displayStatus_1(msg, min_stat, GSS_C_MECH_CODE); -} - -static OM_uint32 -displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag) -{ - gss_name_t canon; - OM_uint32 major, tmp_minor; - gss_buffer_desc buf; - - major = gss_canonicalize_name(minor, name, - (gss_OID)gss_mech_krb5, &canon); - if (GSS_ERROR(major)) { - displayStatus("gss_canonicalize_name", major, *minor); - return major; - } - - major = gss_display_name(minor, canon, &buf, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_display_name", major, *minor); - gss_release_name(&tmp_minor, &canon); - return major; - } - - printf("%s:\t%s\n", tag, (char *)buf.value); - - gss_release_buffer(&tmp_minor, &buf); - gss_release_name(&tmp_minor, &canon); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -displayOID(OM_uint32 *minor, gss_OID oid, char *tag) -{ - OM_uint32 major, tmp_minor; - gss_buffer_desc buf; - - major = gss_oid_to_str(minor, oid, &buf); - if (GSS_ERROR(major)) { - displayStatus("gss_oid_to_str", major, *minor); - return major; - } - - 
printf("%s:\t%s\n", tag, (char *)buf.value); +#include <stdio.h> +#include <stdlib.h> +#include <string.h> - gss_release_buffer(&tmp_minor, &buf); +#include "common.h" - return GSS_S_COMPLETE; -} +static int use_spnego = 0; static void -dumpAttribute(OM_uint32 *minor, - gss_name_t name, - gss_buffer_t attribute, - int noisy) +test_greet_authz_data(gss_name_t *name) { - OM_uint32 major, tmp_minor; - gss_buffer_desc value; - gss_buffer_desc display_value; - int authenticated = 0; - int complete = 0; - int more = -1; - unsigned int i; - - while (more != 0) { - value.value = NULL; - display_value.value = NULL; - - major = gss_get_name_attribute(minor, - name, - attribute, - &authenticated, - &complete, - &value, - &display_value, - &more); - if (GSS_ERROR(major)) { - displayStatus("gss_get_name_attribute", major, *minor); - break; - } - - printf("Attribute %.*s %s %s\n\n%.*s\n", - (int)attribute->length, (char *)attribute->value, - authenticated ? "Authenticated" : "", - complete ? "Complete" : "", - (int)display_value.length, (char *)display_value.value); - - if (noisy) { - for (i = 0; i < value.length; i++) { - if ((i % 32) == 0) - printf("\n"); - printf("%02x", ((char *)value.value)[i] & 0xFF); - } - printf("\n\n"); - } - - gss_release_buffer(&tmp_minor, &value); - gss_release_buffer(&tmp_minor, &display_value); - } -} - -static OM_uint32 -enumerateAttributes(OM_uint32 *minor, - gss_name_t name, - int noisy) -{ - OM_uint32 major, tmp_minor; - int name_is_MN; - gss_OID mech = GSS_C_NO_OID; - gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET; - unsigned int i; - - major = gss_inquire_name(minor, - name, - &name_is_MN, - &mech, - &attrs); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_name", major, *minor); - return major; - } - - if (attrs != GSS_C_NO_BUFFER_SET) { - for (i = 0; i < attrs->count; i++) - dumpAttribute(minor, name, &attrs->elements[i], noisy); - } - - gss_release_oid(&tmp_minor, &mech); - gss_release_buffer_set(&tmp_minor, &attrs); - - return major; 
-} - -static OM_uint32 -testGreetAuthzData(OM_uint32 *minor, - gss_name_t *name) -{ - OM_uint32 major, tmp_minor; + OM_uint32 major, minor; gss_buffer_desc attr; gss_buffer_desc value; gss_name_t canon; - major = gss_canonicalize_name(minor, - *name, - (gss_OID)gss_mech_krb5, - &canon); - if (GSS_ERROR(major)) { - displayStatus("gss_canonicalize_name", major, *minor); - return major; - } + major = gss_canonicalize_name(&minor, *name, &mech_krb5, &canon); + check_gsserr("gss_canonicalize_name", major, minor); attr.value = "greet:greeting"; attr.length = strlen((char *)attr.value); 
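Review bot: test_greet_authz_data takes `gss_name_t *name` but nothing in the hunk says why; the following hunk shows it may release the caller's name and store the canonicalized one in `*name`, which is easy to miss from the signature alone. A header comment like `/* Canonicalize *name and attach the greet attribute; on success the caller's name is released and replaced with the canonical one. */` above the definition would make the ownership transfer explicit. The body of this function continues past the end of the hunk.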
@@ -246,124 +75,75 @@ testGreetAuthzData(OM_uint32 *minor, value.value = "Hello, acceptor world!"; value.length = strlen((char *)value.value); - major = gss_set_name_attribute(minor, - canon, - 1, - &attr, - &value); - if (major == GSS_S_UNAVAILABLE) - major = GSS_S_COMPLETE; - else if (GSS_ERROR(major)) - displayStatus("gss_set_name_attribute", major, *minor); - else { - gss_release_name(&tmp_minor, name); - *name = canon; - canon = GSS_C_NO_NAME; + major = gss_set_name_attribute(&minor, canon, 1, &attr, &value); + if (major == GSS_S_UNAVAILABLE) { + (void)gss_release_name(&minor, &canon); + return; } - - if (canon != GSS_C_NO_NAME) - gss_release_name(&tmp_minor, &canon); - - return GSS_S_COMPLETE; + check_gsserr("gss_set_name_attribute", major, minor); + gss_release_name(&minor, name); + *name = canon; } -static OM_uint32 -initAcceptSecContext(OM_uint32 *minor, - gss_cred_id_t claimant_cred_handle, - gss_cred_id_t verifier_cred_handle, - gss_cred_id_t *deleg_cred_handle) +static void +init_accept_sec_context(gss_cred_id_t claimant_cred_handle, + gss_cred_id_t verifier_cred_handle, + gss_cred_id_t *deleg_cred_handle) { - OM_uint32 major, tmp_minor; - gss_buffer_desc token, tmp; + OM_uint32 major, minor; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER; + gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; - gss_name_t source_name = GSS_C_NO_NAME; - gss_name_t target_name = GSS_C_NO_NAME; OM_uint32 time_rec; gss_OID mech = GSS_C_NO_OID; - token.value = NULL; - token.length = 0; - - tmp.value = NULL; - tmp.length = 0; - *deleg_cred_handle = GSS_C_NO_CREDENTIAL; - major = gss_inquire_cred(minor, verifier_cred_handle, - &target_name, NULL, NULL, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_cred", major, *minor); - return major; - } + major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL, + 
NULL, NULL); + check_gsserr("gss_inquire_cred", major, minor); - displayCanonName(minor, target_name, "Target name"); + display_canon_name("Target name", target_name, &mech_krb5); - mech = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5; - displayOID(minor, mech, "Target mech"); + mech = use_spnego ? &mech_spnego : &mech_krb5; + display_oid("Target mech", mech); - major = gss_init_sec_context(minor, - claimant_cred_handle, - &initiator_context, - target_name, - mech, + major = gss_init_sec_context(&minor, claimant_cred_handle, + &initiator_context, target_name, mech, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, - NULL, - &token, - NULL, + GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, + GSS_C_NO_BUFFER, NULL, &token, NULL, &time_rec); + check_gsserr("gss_init_sec_context", major, minor); - if (target_name != GSS_C_NO_NAME) - (void) gss_release_name(&tmp_minor, &target_name); - - if (GSS_ERROR(major)) { - displayStatus("gss_init_sec_context", major, *minor); - return major; - } + (void)gss_release_name(&minor, &target_name); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); - (void) gss_delete_sec_context(minor, &initiator_context, NULL); mech = GSS_C_NO_OID; - - major = gss_accept_sec_context(minor, - &acceptor_context, - verifier_cred_handle, - &token, - GSS_C_NO_CHANNEL_BINDINGS, - &source_name, - &mech, - &tmp, - NULL, - &time_rec, + major = gss_accept_sec_context(&minor, &acceptor_context, + verifier_cred_handle, &token, + GSS_C_NO_CHANNEL_BINDINGS, &source_name, + &mech, &tmp, NULL, &time_rec, deleg_cred_handle); + check_gsserr("gss_accept_sec_context", major, minor); - if (GSS_ERROR(major)) - displayStatus("gss_accept_sec_context", major, *minor); - else { - displayCanonName(minor, source_name, "Source name"); - displayOID(minor, mech, "Source mech"); - enumerateAttributes(minor, source_name, 1); - } + display_canon_name("Source name", source_name, &mech_krb5); + 
display_oid("Source mech", mech); + enumerate_attributes(source_name, 1); - (void) gss_release_name(&tmp_minor, &source_name); - (void) gss_delete_sec_context(&tmp_minor, &acceptor_context, NULL); - (void) gss_release_buffer(&tmp_minor, &token); - (void) gss_release_buffer(&tmp_minor, &tmp); - (void) gss_release_oid(&tmp_minor, &mech); - - return major; + (void)gss_release_name(&minor, &source_name); + (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); + (void)gss_release_buffer(&minor, &token); + (void)gss_release_buffer(&minor, &tmp); } -static OM_uint32 -constrainedDelegate(OM_uint32 *minor, - gss_OID_set desired_mechs, - gss_name_t target, - gss_cred_id_t delegated_cred_handle, - gss_cred_id_t verifier_cred_handle) +static void +constrained_delegate(gss_OID_set desired_mechs, gss_name_t target, + gss_cred_id_t delegated_cred_handle, + gss_cred_id_t verifier_cred_handle) { - OM_uint32 major, tmp_minor; + OM_uint32 major, minor; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_name_t cred_name = GSS_C_NO_NAME; OM_uint32 time_rec, lifetime; 
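Review bot: The `GSS_S_UNAVAILABLE` early return in test_greet_authz_data skips the whole attribute test without saying why, so a later reader cannot tell whether a silent skip is expected; a one-line comment such as `/* Name attributes are optional for the mech; skip the test if unsupported. */` would settle it (the old code mapped the same status to GSS_S_COMPLETE, so behaviour is unchanged). In init_accept_sec_context the `mech` filled in by gss_accept_sec_context is displayed but the former gss_release_oid on it is gone; that is consistent with the GSS-API rule that the acceptor's mech_type output is read-only and not the caller's to free, but a comment on the `mech = GSS_C_NO_OID;` line would stop the dropped release from reading as a leak. test_greet_authz_data starts above the hunk.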
@@ -374,55 +154,44 @@ constrainedDelegate(OM_uint32 *minor, printf("Constrained delegation tests follow\n"); printf("-----------------------------------\n\n"); - if (gss_inquire_cred(minor, verifier_cred_handle, &cred_name, + if (gss_inquire_cred(&minor, verifier_cred_handle, &cred_name, &lifetime, &usage, NULL) == GSS_S_COMPLETE) { - displayCanonName(minor, cred_name, "Proxy name"); - gss_release_name(&tmp_minor, &cred_name); + display_canon_name("Proxy name", cred_name, &mech_krb5); + (void)gss_release_name(&minor, &cred_name); } - displayCanonName(minor, target, "Target name"); - if (gss_inquire_cred(minor, delegated_cred_handle, &cred_name, + display_canon_name("Target name", target, &mech_krb5); + if (gss_inquire_cred(&minor, delegated_cred_handle, &cred_name, &lifetime, &usage, &mechs) == GSS_S_COMPLETE) { - displayCanonName(minor, cred_name, "Delegated name"); - displayOID(minor, &mechs->elements[0], "Delegated mech"); - gss_release_name(&tmp_minor, &cred_name); + display_canon_name("Delegated name", cred_name, &mech_krb5); + display_oid("Delegated mech", &mechs->elements[0]); + (void)gss_release_name(&minor, &cred_name); } printf("\n"); - major = gss_init_sec_context(minor, - delegated_cred_handle, - &initiator_context, - target, - mechs ? &mechs->elements[0] : - (gss_OID)gss_mech_krb5, + major = gss_init_sec_context(&minor, delegated_cred_handle, + &initiator_context, target, + mechs ? 
&mechs->elements[0] : &mech_krb5, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, - NULL, - &token, - NULL, + GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, + GSS_C_NO_BUFFER, NULL, &token, NULL, &time_rec); - if (GSS_ERROR(major)) - displayStatus("gss_init_sec_context", major, *minor); + check_gsserr("gss_init_sec_context", major, minor); - (void) gss_release_buffer(&tmp_minor, &token); - (void) gss_delete_sec_context(&tmp_minor, &initiator_context, NULL); - (void) gss_release_oid_set(&tmp_minor, &mechs); - - return major; + (void)gss_release_buffer(&minor, &token); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); + (void)gss_release_oid_set(&minor, &mechs); } -int main(int argc, char *argv[]) +int +main(int argc, char *argv[]) { OM_uint32 minor, major; gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL; gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME; - gss_OID_set_desc mechs; - gss_OID_set actual_mechs = GSS_C_NO_OID_SET; - gss_buffer_desc buf; + gss_OID_set mechs; if (argc < 2 || argc > 5) { fprintf(stderr, "Usage: %s [--spnego] [user] " 
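Review bot: `mechs ? &mechs->elements[0] : &mech_krb5` in constrained_delegate guards only against a null set, not an empty one; if gss_inquire_cred hands back a set with `count == 0`, both this expression and the earlier `display_oid("Delegated mech", &mechs->elements[0])` read past the set. A check like `(mechs != GSS_C_NO_OID_SET && mechs->count > 0) ? &mechs->elements[0] : &mech_krb5` is safer, and `mechs` should be visibly initialised to GSS_C_NO_OID_SET (its declaration is above the hunk) since the failure branch of gss_inquire_cred leaves it untouched. The two gss_inquire_cred results are also the only errors in this file still swallowed rather than routed through check_gsserr, which deserves a comment if that is deliberate. constrained_delegate's declarations lie above the hunk and main continues below it.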
@@ -437,113 +206,59 @@ int main(int argc, char *argv[]) argv++; } - buf.value = argv[1]; - buf.length = strlen((char *)buf.value); + user = import_name(argv[1]); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &user); - if (GSS_ERROR(major)) { - displayStatus("gss_import_name(user)", major, minor); - goto out; - } - - if (argc > 2 && strcmp(argv[2], "-")) { - buf.value = argv[2]; - buf.length = strlen((char *)buf.value); - - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &target); - if (GSS_ERROR(major)) { - displayStatus("gss_import_name(target)", major, minor); - goto out; - } - } else { - target = GSS_C_NO_NAME; - } + if (argc > 2 && strcmp(argv[2], "-")) + target = import_name(argv[2]); if (argc > 3) { major = krb5_gss_register_acceptor_identity(argv[3]); - if (GSS_ERROR(major)) { - displayStatus("krb5_gss_register_acceptor_identity", - major, minor); - goto out; - } + check_gsserr("krb5_gss_register_acceptor_identity", major, 0); } - mechs.elements = use_spnego ? (gss_OID)&spnego_mech : - (gss_OID)gss_mech_krb5; - mechs.count = 1; - - /* get default cred */ - major = gss_acquire_cred(&minor, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - &mechs, - GSS_C_BOTH, - &impersonator_cred_handle, - &actual_mechs, + /* Get default cred. */ + mechs = use_spnego ? 
&mechset_spnego : &mechset_krb5; + major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs, + GSS_C_BOTH, &impersonator_cred_handle, NULL, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_acquire_cred", major, minor); - goto out; - } - - (void) gss_release_oid_set(&minor, &actual_mechs); + check_gsserr("gss_acquire_cred", major, minor); printf("Protocol transition tests follow\n"); printf("-----------------------------------\n\n"); - major = testGreetAuthzData(&minor, &user); - if (GSS_ERROR(major)) - goto out; + test_greet_authz_data(&user); - /* get S4U2Self cred */ - major = gss_acquire_cred_impersonate_name(&minor, - impersonator_cred_handle, - user, - GSS_C_INDEFINITE, - &mechs, + /* Get S4U2Self cred. */ + major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, + user, GSS_C_INDEFINITE, mechs, GSS_C_INITIATE, - &user_cred_handle, - &actual_mechs, - NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_acquire_cred_impersonate_name", major, minor); - goto out; - } - - major = initAcceptSecContext(&minor, - user_cred_handle, - impersonator_cred_handle, - &delegated_cred_handle); - if (GSS_ERROR(major)) - goto out; + &user_cred_handle, NULL, NULL); + check_gsserr("gss_acquire_cred_impersonate_name", major, minor); + init_accept_sec_context(user_cred_handle, impersonator_cred_handle, + &delegated_cred_handle); printf("\n"); if (target != GSS_C_NO_NAME && delegated_cred_handle != GSS_C_NO_CREDENTIAL) { - major = constrainedDelegate(&minor, &mechs, target, - delegated_cred_handle, - impersonator_cred_handle); + constrained_delegate(mechs, target, delegated_cred_handle, + impersonator_cred_handle); } else if (target != GSS_C_NO_NAME) { - fprintf(stderr, "Warning: no delegated credentials handle returned\n\n"); + fprintf(stderr, "Warning: no delegated cred handle returned\n\n"); fprintf(stderr, "Verify:\n\n"); - fprintf(stderr, " - The TGT for the impersonating service is forwardable\n"); - fprintf(stderr, " - The T2A4D flag 
set on the impersonating service's UAC\n"); - fprintf(stderr, " - The user is not marked sensitive and cannot be delegated\n"); + fprintf(stderr, " - The TGT for the impersonating service is " + "forwardable\n"); + fprintf(stderr, " - The T2A4D flag set on the impersonating service's " + "UAC\n"); + fprintf(stderr, " - The user is not marked sensitive and cannot be " + "delegated\n"); fprintf(stderr, "\n"); } -out: - (void) gss_release_name(&minor, &user); - (void) gss_release_name(&minor, &target); - (void) gss_release_cred(&minor, &delegated_cred_handle); - (void) gss_release_cred(&minor, &impersonator_cred_handle); - (void) gss_release_cred(&minor, &user_cred_handle); - (void) gss_release_oid_set(&minor, &actual_mechs); - - return GSS_ERROR(major) ? 1 : 0; + (void)gss_release_name(&minor, &user); + (void)gss_release_name(&minor, &target); + (void)gss_release_cred(&minor, &delegated_cred_handle); + (void)gss_release_cred(&minor, &impersonator_cred_handle); + (void)gss_release_cred(&minor, &user_cred_handle); + return 0; } diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index 4c68c961a..d6a0f2b8d 100644 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -13,6 +13,10 @@ service2 = 'service/2@%s' % realm.realm realm.addprinc(service2) realm.extract_keytab(service2, realm.keytab) +puser = 'p:' + realm.user_princ +pservice1 = 'p:' + service1 +pservice2 = 'p:' + service2 + # Get forwardable creds for service1 in the default cache. realm.kinit(service1, None, ['-f', '-k']) @@ -21,7 +25,7 @@ realm.kinit(service1, None, ['-f', '-k']) # support for allowing it. realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache]) output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - service1, service2], expected_code=1) + pservice1, pservice2], expected_code=1) if ('auth1: ' + realm.user_princ not in output or 'NOT_ALLOWED_TO_DELEGATE' not in output): fail('krb5 -> s4u2proxy') 
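Review bot: The `"-"` sentinel for argv[2] is undocumented: `if (argc > 2 && strcmp(argv[2], "-"))` would read better with `/* "-" means no S4U2Proxy target. */` above it. Since import_name now takes the prefixed form the Python side builds (`puser = 'p:' + realm.user_princ`), the usage message that begins above this hunk should describe the p:/h:/u: syntax if it still lists bare principal names. main starts outside the hunk.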
@@ -29,7 +33,7 @@ if ('auth1: ' + realm.user_princ not in output or
 # Again with SPNEGO. Bug #7045 prevents us from checking the error
 # message, but we can at least exercise the code.
 output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache,
- storagecache, service1, service2],
+ storagecache, pservice1, pservice2],
 expected_code=1)
 if ('auth1: ' + realm.user_princ not in output):
 fail('krb5 -> s4u2proxy (SPNEGO)')
@@ -39,27 +43,25 @@ if ('auth1: ' + realm.user_princ not in output): # accept_sec_context. realm.kinit(realm.user_princ, password('user'), ['-c', usercache]) output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache, - service1, service2]) + pservice1, pservice2]) if 'no credential delegated' not in output: fail('krb5 -> no delegated cred') # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because # service/1 isn't allowed to get a forwardable S4U2Self ticket. -output = realm.run_as_server(['./t_s4u', realm.user_princ, service2]) -if ('Warning: no delegated credentials handle' not in output or +output = realm.run_as_server(['./t_s4u', puser, pservice2]) +if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self') -output = realm.run_as_server(['./t_s4u', '--spnego', realm.user_princ, - service2]) -if ('Warning: no delegated credentials handle' not in output or +output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2]) +if ('Warning: no delegated cred handle' not in output or 'Source name:\t' + realm.user_princ not in output): fail('s4u2self (SPNEGO)') # Correct that problem and try again. As above, the S4U2Proxy step # won't actually succeed since we don't support that in DB2. realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1) -output = realm.run_as_server(['./t_s4u', realm.user_princ, service2], - expected_code=1) +output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') 
@@ -68,8 +70,8 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output: # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred # directly rather than saving and reacquiring it) so bug #7045 does # not apply and we can verify the error message. -output = realm.run_as_server(['./t_s4u', '--spnego', realm.user_princ, - service2], expected_code=1) +output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2], + expected_code=1) if 'NOT_ALLOWED_TO_DELEGATE' not in output: fail('s4u2self') diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c index 7e7ba39c8..36267302b 100644 --- a/src/tests/gssapi/t_s4u2proxy_krb5.c +++ b/src/tests/gssapi/t_s4u2proxy_krb5.c @@ -28,7 +28,7 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_krb5.h> +#include "common.h" /* * Usage: ./t_s4u2proxy_krb5 [--spnego] client_cache storage_cache 
@@ -41,49 +41,10 @@ * service2 using S4U2Proxy. * * The default keytab must contain keys for service1 and service2. The default - * ccache must contain a TGT for service1. service1 and service2 must be given - * as krb5 principal names. This program assumes that krb5 or SPNEGO - * authentication requires only one token exchange. + * ccache must contain a TGT for service1. This program assumes that krb5 or + * SPNEGO authentication requires only one token exchange. */ -static void -display_status_1(const char *m, OM_uint32 code, int type) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - printf("%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void -gsserr(OM_uint32 maj_stat, OM_uint32 min_stat, const char *msg) -{ - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); - exit(1); -} - -static void -krb5err(krb5_context context, krb5_error_code code, const char *msg) -{ - const char *emsg = krb5_get_error_message(context, code); - - printf("%s: %s\n", msg, emsg); - krb5_free_error_message(context, emsg); - exit(1); -} - int main(int argc, char *argv[]) { @@ -94,9 +55,9 @@ main(int argc, char *argv[]) krb5_ccache storage_ccache = NULL; krb5_principal client_princ = NULL; OM_uint32 minor, major; - gss_buffer_desc buf, token; + gss_buffer_desc buf = GSS_C_EMPTY_BUFFER, token = GSS_C_EMPTY_BUFFER; gss_OID mech; - gss_OID_set_desc mechs; + gss_OID_set mechs; gss_name_t service1_name = GSS_C_NO_NAME; gss_name_t service2_name = GSS_C_NO_NAME; gss_name_t client_name = GSS_C_NO_NAME; 
@@ -104,7 +65,6 @@ main(int argc, char *argv[]) gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; - gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; /* Parse arguments. */ if (argc >= 2 && strcmp(argv[1], "--spnego") == 0) { 
@@ -122,70 +82,49 @@ main(int argc, char *argv[]) service1 = argv[3]; service2 = argv[4]; - mech = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5; - mechs.elements = mech; - mechs.count = 1; + mech = use_spnego ? &mech_spnego : &mech_krb5; + mechs = use_spnego ? &mechset_spnego : &mechset_krb5; ret = krb5_init_context(&context); - if (ret) - krb5err(context, ret, "krb5_init_context"); + check_k5err(context, "krb5_init_context", ret); /* Get GSS name and GSS_C_BOTH cred for service1, using the default * ccache. */ - buf.value = (char *)service1; - buf.length = strlen(service1); - major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &service1_name); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_import_name(service1)"); + service1_name = import_name(service1); major = gss_acquire_cred(&minor, service1_name, GSS_C_INDEFINITE, - &mechs, GSS_C_BOTH, &service1_cred, NULL, NULL); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_acquire_cred(service1)"); + mechs, GSS_C_BOTH, &service1_cred, NULL, NULL); + check_gsserr("gss_acquire_cred(service1)", major, minor); /* Get GSS name for service2. */ - buf.value = (char *)service2; - buf.length = strlen(service2); - major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &service2_name); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_import_name(service2)"); + service2_name = import_name(service2); /* Create initiator context and get the first token, using the client * ccache. 
*/ major = gss_krb5_ccache_name(&minor, client_ccname, NULL); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_krb5_ccache_name(1)"); - token.value = NULL; - token.length = 0; + check_gsserr("gss_krb5_ccache_name(1)", major, minor); major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &initiator_context, service1_name, mech, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &token, NULL, NULL); if (GSS_ERROR(major)) - gsserr(major, minor, "gss_init_sec_context(1)"); + check_gsserr("gss_init_sec_context(1)", major, minor); /* Pass the token to gss_accept_sec_context. */ - buf.value = NULL; - buf.length = 0; major = gss_accept_sec_context(&minor, &acceptor_context, service1_cred, &token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL, &buf, NULL, NULL, &deleg_cred); - if (major != GSS_S_COMPLETE) - gsserr(major, minor, "gss_accept_sec_context(1)"); - gss_release_buffer(&minor, &token); + check_gsserr("gss_accept_sec_context(1)", major, minor); + (void)gss_release_buffer(&minor, &token); /* Display and remember the client principal. */ major = gss_display_name(&minor, client_name, &buf, NULL); - if (major != GSS_S_COMPLETE) - gsserr(major, minor, "gss_display_name(1)"); + check_gsserr("gss_display_name(1)", major, minor); printf("auth1: %.*s\n", (int)buf.length, (char *)buf.value); /* Assumes buffer is null-terminated, which in our implementation it is. */ ret = krb5_parse_name(context, buf.value, &client_princ); - if (ret) - krb5err(context, ret, "krb5_parse_name"); - gss_release_buffer(&minor, &buf); + check_k5err(context, "krb5_parse_name", ret); + (void)gss_release_buffer(&minor, &buf); if (deleg_cred == GSS_C_NO_CREDENTIAL) { printf("no credential delegated.\n"); 
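Review bot: `if (GSS_ERROR(major)) check_gsserr("gss_init_sec_context(1)", major, minor);` keeps a guard that every other call site in this file, including the matching `gss_init_sec_context(2)` in the next hunk, drops; unless check_gsserr is stricter than GSS_ERROR (it lives in common.c, not shown) the guard is dead, and if it is stricter the two init calls now behave differently. Drop the condition so the line reads `check_gsserr("gss_init_sec_context(1)", major, minor);`. Note too that the first gss_accept_sec_context was previously checked with `major != GSS_S_COMPLETE` and now goes through check_gsserr; if that helper only tests GSS_ERROR, a GSS_S_CONTINUE_NEEDED result would no longer abort, which matters given the file's stated single-token-exchange assumption.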
@@ -194,61 +133,49 @@ main(int argc, char *argv[]) /* Store the delegated credentials. */ ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache); - if (ret) - krb5err(context, ret, "krb5_cc_resolve"); + check_k5err(context, "krb5_cc_resolve", ret); ret = krb5_cc_initialize(context, storage_ccache, client_princ); - if (ret) - krb5err(context, ret, "krb5_cc_initialize"); + check_k5err(context, "krb5_cc_initialize", ret); major = gss_krb5_copy_ccache(&minor, deleg_cred, storage_ccache); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_krb5_copy_ccache"); + check_gsserr("gss_krb5_copy_ccache", major, minor); ret = krb5_cc_close(context, storage_ccache); - if (ret) - krb5err(context, ret, "krb5_cc_close"); + check_k5err(context, "krb5_cc_close", ret); - gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER); - gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER); + (void)gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER); + (void)gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER); /* Create initiator context and get the first token, using the storage * ccache. */ major = gss_krb5_ccache_name(&minor, storage_ccname, NULL); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_krb5_ccache_name(2)"); - token.value = NULL; - token.length = 0; + check_gsserr("gss_krb5_ccache_name(2)", major, minor); major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &initiator_context, service2_name, mech, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, NULL, &token, NULL, NULL); - if (GSS_ERROR(major)) - gsserr(major, minor, "gss_init_sec_context(2)"); + check_gsserr("gss_init_sec_context(2)", major, minor); /* Pass the token to gss_accept_sec_context. 
*/ - buf.value = NULL; - buf.length = 0; major = gss_accept_sec_context(&minor, &acceptor_context, GSS_C_NO_CREDENTIAL, &token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL, &buf, NULL, NULL, &deleg_cred); - if (major != GSS_S_COMPLETE) - gsserr(major, minor, "gss_accept_sec_context(2)"); - gss_release_buffer(&minor, &token); + check_gsserr("gss_accept_sec_context(2)", major, minor); + (void)gss_release_buffer(&minor, &token); major = gss_display_name(&minor, client_name, &buf, NULL); - if (major != GSS_S_COMPLETE) - gsserr(major, minor, "gss_display_name(2)"); + check_gsserr("gss_display_name(2)", major, minor); printf("auth2: %.*s\n", (int)buf.length, (char *)buf.value); - gss_release_buffer(&minor, &buf); + (void)gss_release_buffer(&minor, &buf); cleanup: - gss_release_name(&minor, &client_name); - gss_release_name(&minor, &service1_name); - gss_release_name(&minor, &service2_name); - gss_release_cred(&minor, &service1_cred); - gss_release_cred(&minor, &deleg_cred); - gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER); - gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER); + (void)gss_release_name(&minor, &client_name); + (void)gss_release_name(&minor, &service1_name); + (void)gss_release_name(&minor, &service2_name); + (void)gss_release_cred(&minor, &service1_cred); + (void)gss_release_cred(&minor, &deleg_cred); + (void)gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER); + (void)gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER); krb5_free_principal(context, client_princ); krb5_free_context(context); return 0; diff --git a/src/tests/gssapi/t_saslname.c b/src/tests/gssapi/t_saslname.c index 27cc22d51..b874caf97 100644 --- a/src/tests/gssapi/t_saslname.c +++ b/src/tests/gssapi/t_saslname.c 
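Review bot: The second gss_accept_sec_context overwrites `client_name` and `deleg_cred` while the values from the first exchange are still held, and each is released only once at `cleanup:`, so the first name and the first delegated cred leak; adding `(void)gss_release_name(&minor, &client_name);` and `(void)gss_release_cred(&minor, &deleg_cred);` beside the two gss_delete_sec_context calls before the second exchange closes the gap (the delegated cred has already been copied to the storage ccache by then). This is pre-existing rather than introduced here, but the commit rewrites every surrounding line. The `cleanup:` label is also reached from the "no credential delegated" path above the hunk.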
@@ -27,49 +27,19 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi.h> -#include <gssapi/gssapi_ext.h> +#include "common.h" static void -displayStatus_1(char *m, OM_uint32 code, int type) +dump_known_mech_attrs(gss_OID mech) { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void -displayStatus(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE); - displayStatus_1(msg, min_stat, GSS_C_MECH_CODE); -} - -static OM_uint32 -dumpKnownMechAttrs(OM_uint32 *minor, gss_OID mech) -{ - OM_uint32 major, tmpMinor; + OM_uint32 major, minor; gss_OID_set mech_attrs = GSS_C_NO_OID_SET; gss_OID_set known_attrs = GSS_C_NO_OID_SET; size_t i; - major = gss_inquire_attrs_for_mech(minor, mech, &mech_attrs, &known_attrs); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_attrs_for_mech", major, *minor); - return major; - } + major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attrs, + &known_attrs); + check_gsserr("gss_inquire_attrs_for_mech", major, minor); printf("Known attributes\n"); printf("----------------\n"); 
@@ -78,38 +48,32 @@ dumpKnownMechAttrs(OM_uint32 *minor, gss_OID mech) gss_buffer_desc short_desc = GSS_C_EMPTY_BUFFER; gss_buffer_desc long_desc = GSS_C_EMPTY_BUFFER; - major = gss_display_mech_attr(minor, &known_attrs->elements[i], + major = gss_display_mech_attr(&minor, &known_attrs->elements[i], &name, &short_desc, &long_desc); - if (GSS_ERROR(major)) { - displayStatus("gss_display_mech_attr", major, *minor); - continue; - } + check_gsserr("gss_display_mech_attr", major, minor); printf("%.*s (%.*s): %.*s\n", (int)short_desc.length, (char *)short_desc.value, (int)name.length, (char *)name.value, (int)long_desc.length, (char *)long_desc.value); - gss_release_buffer(minor, &name); - gss_release_buffer(minor, &short_desc); - gss_release_buffer(minor, &long_desc); + (void)gss_release_buffer(&minor, &name); + (void)gss_release_buffer(&minor, &short_desc); + (void)gss_release_buffer(&minor, &long_desc); } printf("\n"); - gss_release_oid_set(&tmpMinor, &mech_attrs); - gss_release_oid_set(&tmpMinor, &known_attrs); - return GSS_S_COMPLETE; + (void)gss_release_oid_set(&minor, &mech_attrs); + (void)gss_release_oid_set(&minor, &known_attrs); } -static -OM_uint32 dumpMechAttrs(OM_uint32 *minor, gss_OID mech) +static void +dump_mech_attrs(gss_OID mech) { - OM_uint32 major, tmpMinor; + OM_uint32 major, minor; gss_OID_set mech_attrs = GSS_C_NO_OID_SET; gss_OID_set known_attrs = GSS_C_NO_OID_SET; size_t i; - major = gss_inquire_attrs_for_mech(minor, mech, &mech_attrs, &known_attrs); - if (GSS_ERROR(major)) { - displayStatus("gss_inquire_attrs_for_mech", major, *minor); - return major; - } + major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attrs, + &known_attrs); + check_gsserr("gss_inquire_attrs_for_mech", major, minor); printf("Mech attrs: "); 
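Review bot: dump_known_mech_attrs and dump_mech_attrs remain near-duplicates — the same gss_inquire_attrs_for_mech call and the same display/release loop — differing only in which set is walked and what printf prints; a single helper taking the set and a verbose flag would remove the copy. The inner loop now calls check_gsserr on gss_display_mech_attr where the old code did `continue`, so one undisplayable attribute aborts the whole program; if that is intended, a comment such as `/* Every known attribute must be displayable. */` on that line would stop a future reader from restoring the skip. Both functions extend beyond this hunk.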
@@ -118,39 +82,32 @@ OM_uint32 dumpMechAttrs(OM_uint32 *minor, gss_OID mech) gss_buffer_desc short_desc = GSS_C_EMPTY_BUFFER; gss_buffer_desc long_desc = GSS_C_EMPTY_BUFFER; - major = gss_display_mech_attr(minor, &mech_attrs->elements[i], + major = gss_display_mech_attr(&minor, &mech_attrs->elements[i], &name, &short_desc, &long_desc); - if (GSS_ERROR(major)) { - displayStatus("gss_display_mech_attr", major, *minor); - continue; - } + check_gsserr("gss_display_mech_attr", major, minor); printf("%.*s ", (int)name.length, (char *)name.value); - gss_release_buffer(minor, &name); - gss_release_buffer(minor, &short_desc); - gss_release_buffer(minor, &long_desc); + (void)gss_release_buffer(&minor, &name); + (void)gss_release_buffer(&minor, &short_desc); + (void)gss_release_buffer(&minor, &long_desc); } printf("\n"); - gss_release_oid_set(&tmpMinor, &mech_attrs); - gss_release_oid_set(&tmpMinor, &known_attrs); - - return GSS_S_COMPLETE; + (void)gss_release_oid_set(&minor, &mech_attrs); + (void)gss_release_oid_set(&minor, &known_attrs); } -int main(int argc, char *argv[]) +int +main(int argc, char *argv[]) { gss_OID_set mechs; OM_uint32 major, minor; size_t i; major = gss_indicate_mechs(&minor, &mechs); - if (GSS_ERROR(major)) { - displayStatus("gss_indicate_mechs", major, minor); - return major; - } - + check_gsserr("gss_indicate_mechs", major, minor); if (mechs->count > 0) - dumpKnownMechAttrs(&minor, mechs->elements); + dump_known_mech_attrs(mechs->elements); + for (i = 0; i < mechs->count; i++) { gss_buffer_desc oidstr = GSS_C_EMPTY_BUFFER; gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER; 
@@ -180,30 +137,29 @@ int main(int argc, char *argv[]) (char *)mech_name.value); printf("Mech desc : %.*s\n", (int)mech_description.length, (char *)mech_description.value); - dumpMechAttrs(&minor, &mechs->elements[i]); + dump_mech_attrs(&mechs->elements[i]); printf("-------------------------------------------------------------" "-----------------\n"); - if (GSS_ERROR(gss_inquire_mech_for_saslname(&minor, &sasl_mech_name, - &oid))) { - displayStatus("gss_inquire_mech_for_saslname", major, minor); - } else if (oid == GSS_C_NO_OID || - (oid->length != mechs->elements[i].length && - memcmp(oid->elements, mechs->elements[i].elements, - oid->length) != 0)) { - gss_release_buffer(&minor, &oidstr); - (void) gss_oid_to_str(&minor, oid, &oidstr); + major = gss_inquire_mech_for_saslname(&minor, &sasl_mech_name, &oid); + check_gsserr("gss_inquire_mech_for_saslname", major, minor); + + if (oid == GSS_C_NO_OID || + (oid->length != mechs->elements[i].length && + memcmp(oid->elements, mechs->elements[i].elements, + oid->length) != 0)) { + (void)gss_release_buffer(&minor, &oidstr); + (void)gss_oid_to_str(&minor, oid, &oidstr); fprintf(stderr, "Got different OID %.*s for mechanism %.*s\n", (int)oidstr.length, (char *)oidstr.value, (int)sasl_mech_name.length, (char *)sasl_mech_name.value); } - gss_release_buffer(&minor, &oidstr); - gss_release_buffer(&minor, &sasl_mech_name); - gss_release_buffer(&minor, &mech_name); - gss_release_buffer(&minor, &mech_description); + (void)gss_release_buffer(&minor, &oidstr); + (void)gss_release_buffer(&minor, &sasl_mech_name); + (void)gss_release_buffer(&minor, &mech_name); + (void)gss_release_buffer(&minor, &mech_description); } - gss_release_oid_set(&minor, &mechs); - - return GSS_ERROR(major) ? 1 : 0; + (void)gss_release_oid_set(&minor, &mechs); + return 0; } diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c index adb5737ab..aee80d446 100644 --- a/src/tests/gssapi/t_spnego.c +++ b/src/tests/gssapi/t_spnego.c 
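Review bot: The OID mismatch test rewritten here is wrong: `oid->length != mechs->elements[i].length && memcmp(...) != 0` reports a difference only when both the lengths differ and the bytes differ, so an OID of equal length with different contents, or a longer OID sharing a prefix, passes as a match. It should read `oid->length != mechs->elements[i].length || memcmp(oid->elements, mechs->elements[i].elements, oid->length) != 0` (or use gss_oid_equal if this tree's gssapi_ext.h provides it). This is pre-existing, but the commit reindents these exact lines; main continues above the hunk.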
@@ -28,7 +28,7 @@ #include <stdlib.h> #include <string.h> -#include <gssapi/gssapi_krb5.h> +#include "common.h" /* * Test program for SPNEGO and gss_set_neg_mechs 
@@ -39,224 +39,65 @@ * ./t_spnego host/test.host@REALM testhost.keytab */ -static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" }; - -static void displayStatus_1(m, code, type) - char *m; - OM_uint32 code; - int type; -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - maj_stat = gss_display_status(&min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg); - fprintf(stderr, "%s: %s\n", m, (char *)msg.value); - (void) gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -static void displayStatus(msg, maj_stat, min_stat) - char *msg; - OM_uint32 maj_stat; - OM_uint32 min_stat; -{ - displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE); - displayStatus_1(msg, min_stat, GSS_C_MECH_CODE); -} - -static OM_uint32 -displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag) -{ - gss_name_t canon; - OM_uint32 major, tmp_minor; - gss_buffer_desc buf; - - major = gss_canonicalize_name(minor, name, - (gss_OID)gss_mech_krb5, &canon); - if (GSS_ERROR(major)) { - displayStatus("gss_canonicalize_name", major, *minor); - return major; - } - - major = gss_display_name(minor, canon, &buf, NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_display_name", major, *minor); - gss_release_name(&tmp_minor, &canon); - return major; - } - - printf("%s:\t%s\n", tag, (char *)buf.value); - - gss_release_buffer(&tmp_minor, &buf); - gss_release_name(&tmp_minor, &canon); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -displayOID(OM_uint32 *minor, gss_OID oid, char *tag) +int +main(int argc, char *argv[]) { - OM_uint32 major, tmp_minor; - gss_buffer_desc buf; - - major = gss_oid_to_str(minor, oid, &buf); - if (GSS_ERROR(major)) { - displayStatus("gss_oid_to_str", major, *minor); - return major; - } - - printf("%s:\t%s\n", tag, (char *)buf.value); - - gss_release_buffer(&tmp_minor, &buf); - - return GSS_S_COMPLETE; -} - -static OM_uint32 -initAcceptSecContext(OM_uint32 *minor, - gss_name_t target_name, - 
gss_cred_id_t verifier_cred_handle) -{ - OM_uint32 major; - gss_buffer_desc token, tmp; + OM_uint32 minor, major; + gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL; + gss_OID_set actual_mechs = GSS_C_NO_OID_SET; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER; gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; - gss_name_t source_name = GSS_C_NO_NAME; + gss_name_t target_name, source_name = GSS_C_NO_NAME; OM_uint32 time_rec; gss_OID mech = GSS_C_NO_OID; - token.value = NULL; - token.length = 0; - - tmp.value = NULL; - tmp.length = 0; - - major = gss_init_sec_context(minor, - GSS_C_NO_CREDENTIAL, - &initiator_context, - target_name, - &spnego_mech, - GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, - NULL, - &token, - NULL, - &time_rec); - - if (GSS_ERROR(major)) { - displayStatus("gss_init_sec_context", major, *minor); - return major; - } - - (void) gss_delete_sec_context(minor, &initiator_context, NULL); - - major = gss_accept_sec_context(minor, - &acceptor_context, - verifier_cred_handle, - &token, - GSS_C_NO_CHANNEL_BINDINGS, - &source_name, - &mech, - &tmp, - NULL, - &time_rec, - NULL); - - if (GSS_ERROR(major)) - displayStatus("gss_accept_sec_context", major, *minor); - else { - displayCanonName(minor, source_name, "Source name"); - displayOID(minor, mech, "Source mech"); - } - - (void) gss_release_name(minor, &source_name); - (void) gss_delete_sec_context(minor, &acceptor_context, NULL); - (void) gss_release_buffer(minor, &token); - (void) gss_release_buffer(minor, &tmp); - (void) gss_release_oid(minor, &mech); - - return major; -} - -int main(int argc, char *argv[]) -{ - OM_uint32 minor, major; - gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL; - gss_OID_set_desc mechs; - gss_OID_set actual_mechs = GSS_C_NO_OID_SET; - gss_buffer_desc buf; - gss_name_t target_name; - if (argc < 2 || argc > 3) { fprintf(stderr, 
"Usage: %s target_name [keytab]\n", argv[0]); exit(1); } - buf.value = argv[1]; - buf.length = strlen((char *)buf.value); - major = gss_import_name(&minor, &buf, - (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, - &target_name); - if (GSS_ERROR(major)) { - displayStatus("gss_import_name(target_name)", major, minor); - goto out; - } + target_name = import_name(argv[1]); - if (argc > 2) { + if (argc >= 3) { major = krb5_gss_register_acceptor_identity(argv[2]); - if (GSS_ERROR(major)) { - displayStatus("krb5_gss_register_acceptor_identity", - major, minor); - goto out; - } + check_gsserr("krb5_gss_register_acceptor_identity", major, 0); } - mechs.elements = &spnego_mech; - mechs.count = 1; - - /* get default acceptor cred */ - major = gss_acquire_cred(&minor, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - &mechs, - GSS_C_ACCEPT, - &verifier_cred_handle, - &actual_mechs, - NULL); - if (GSS_ERROR(major)) { - displayStatus("gss_acquire_cred", major, minor); - goto out; - } + /* Get default acceptor cred. */ + major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, + &mechset_spnego, GSS_C_ACCEPT, + &verifier_cred_handle, &actual_mechs, NULL); + check_gsserr("gss_acquire_cred", major, minor); /* Restrict the acceptor to krb5, to exercise the neg_mechs logic. */ - mechs.elements = (gss_OID)gss_mech_krb5; - mechs.count = 1; - major = gss_set_neg_mechs(&minor, verifier_cred_handle, &mechs); - if (GSS_ERROR(major)) { - displayStatus("gss_set_neg_mechs", major, minor); - goto out; - } - - major = initAcceptSecContext(&minor, target_name, verifier_cred_handle); - if (GSS_ERROR(major)) - goto out; - - printf("\n"); + major = gss_set_neg_mechs(&minor, verifier_cred_handle, &mechset_krb5); + check_gsserr("gss_set_neg_mechs", major, minor); -out: - (void) gss_release_cred(&minor, &verifier_cred_handle); - (void) gss_release_oid_set(&minor, &actual_mechs); - (void) gss_release_name(&minor, &target_name); - - return GSS_ERROR(major) ? 
1 : 0; + major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, + &initiator_context, target_name, &mech_spnego, + GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, + GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, + GSS_C_NO_BUFFER, NULL, &token, NULL, + &time_rec); + check_gsserr("gss_init_sec_context", major, minor); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); + + major = gss_accept_sec_context(&minor, &acceptor_context, + verifier_cred_handle, &token, + GSS_C_NO_CHANNEL_BINDINGS, &source_name, + &mech, &tmp, NULL, &time_rec, NULL); + check_gsserr("gss_accept_sec_context", major, minor); + + display_canon_name("Source name", source_name, &mech_krb5); + display_oid("Source mech", mech); + + (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); + (void)gss_release_name(&minor, &source_name); + (void)gss_release_name(&minor, &target_name); + (void)gss_release_buffer(&minor, &token); + (void)gss_release_buffer(&minor, &tmp); + (void)gss_release_cred(&minor, &verifier_cred_handle); + (void)gss_release_oid_set(&minor, &actual_mechs); + return 0; } |
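Review bot: The usage text kept on the new side, `"Usage: %s target_name [keytab]\n"`, and the header comment's example `./t_spnego host/test.host@REALM testhost.keytab` no longer describe how argv[1] is parsed: the old code imported it as GSS_KRB5_NT_PRINCIPAL_NAME, whereas the new `import_name(argv[1])` presumably expects the p:princname / h:hostbasedname / u:username format the commit message introduces (common.c is not in this view). Suggest `"Usage: %s p:princname|h:hostbasedname|u:username [keytab]\n"` and a matching example in the header comment, whose block starts before this hunk. Separately, `check_gsserr("gss_accept_sec_context", major, minor)` appears to test only GSS_ERROR(), so a GSS_S_CONTINUE_NEEDED result would fall through to `display_canon_name("Source name", source_name, &mech_krb5)` with source_name possibly still GSS_C_NO_NAME; asserting `major == GSS_S_COMPLETE` at that point would make the expected one-round negotiation explicit rather than relying on the display helpers to fail.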