authorGreg Hudson <ghudson@mit.edu>2012-09-13 12:27:04 -0400
committerGreg Hudson <ghudson@mit.edu>2012-09-13 12:27:16 -0400
commitd81d68ebd8ade84e240f7d95edf0a562f6931ea2 (patch)
tree81d13948ae392081571fa97f60d001cc9cf5a598 /src
parentd9af383d069b571457849dea77dbef01ccb55370 (diff)
Tidy up GSSAPI test programs
Factor out some common functions used by multiple test programs. Use a common argument format for importing names (p:princname, h:hostbasedname, or u:username) and adjust the Python tests to match it. Use more consistent conventions in test programs and fix some coding style issues. Normalize how the test programs are built.
Diffstat (limited to 'src')
-rw-r--r--src/tests/gssapi/Makefile.in95
-rw-r--r--src/tests/gssapi/common.c211
-rw-r--r--src/tests/gssapi/common.h70
-rw-r--r--src/tests/gssapi/t_accname.c82
-rw-r--r--src/tests/gssapi/t_ccselect.c79
-rw-r--r--src/tests/gssapi/t_ccselect.py26
-rw-r--r--src/tests/gssapi/t_client_keytab.py32
-rw-r--r--src/tests/gssapi/t_credstore.c75
-rw-r--r--src/tests/gssapi/t_export_cred.c74
-rw-r--r--src/tests/gssapi/t_export_name.c92
-rwxr-xr-xsrc/tests/gssapi/t_gssapi.py54
-rw-r--r--src/tests/gssapi/t_gssexts.c414
-rw-r--r--src/tests/gssapi/t_imp_cred.c81
-rw-r--r--src/tests/gssapi/t_imp_name.c132
-rw-r--r--src/tests/gssapi/t_inq_cred.c91
-rw-r--r--src/tests/gssapi/t_namingexts.c458
-rw-r--r--src/tests/gssapi/t_s4u.c497
-rw-r--r--src/tests/gssapi/t_s4u.py26
-rw-r--r--src/tests/gssapi/t_s4u2proxy_krb5.c149
-rw-r--r--src/tests/gssapi/t_saslname.c138
-rw-r--r--src/tests/gssapi/t_spnego.c247
21 files changed, 937 insertions, 2186 deletions
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 35ff010ca..a34c28eeb 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -4,61 +4,68 @@ DEFINES = -DUSE_AUTOCONF_H
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_imp_cred.c \
- $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \
- $(srcdir)/t_namingexts.c $(srcdir)/t_gssexts.c $(srcdir)/t_saslname.c \
- $(srcdir)/t_credstore.c $(srcdir)/t_export_name.c
+SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_credstore.c \
+ $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \
+ $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
+ $(srcdir)/t_inq_cred.c $(srcdir)/t_namingexts.c $(srcdir)/t_s4u.c \
+ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
+ $(srcdir)/t_spnego.c
-OBJS= t_accname.o t_ccselect.o t_imp_cred.o t_imp_name.o t_s4u.o \
- t_s4u2proxy_krb5.o t_namingexts.o t_gssexts.o t_spnego.o t_saslname.o \
- t_credstore.o t_export_name.o t_export_cred.o
+OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_credstore.o \
+ t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \
+ t_inq_cred.o t_namingexts.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
+ t_spnego.o
-all:: t_accname t_ccselect t_imp_cred t_imp_name t_s4u t_s4u2proxy_krb5 \
- t_namingexts t_gssexts t_spnego t_saslname t_credstore t_export_name \
- t_export_cred
+COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-check-pytests:: t_accname t_ccselect t_imp_cred t_inq_cred t_spnego \
- t_s4u2proxy_krb5 t_s4u t_export_name t_export_cred ccinit ccrefresh
+all:: ccinit ccrefresh t_accname t_ccselect t_credstore t_export_cred \
+ t_export_name t_gssexts t_imp_cred t_imp_name t_inq_cred t_namingexts \
+ t_s4u t_s4u2proxy_krb5 t_saslname t_spnego
+
+check-pytests:: ccinit ccrefresh t_accname t_ccselect t_credstore \
+ t_export_cred t_export_name t_imp_cred t_inq_cred t_s4u \
+ t_s4u2proxy_krb5 t_spnego
$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS)
ccinit: ccinit.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS)
ccrefresh: ccrefresh.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o ccrefresh ccrefresh.o $(KRB5_BASE_LIBS)
-t_accname: t_accname.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_accname t_accname.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_ccselect: t_ccselect.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_ccselect t_ccselect.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_imp_cred: t_imp_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_imp_cred t_imp_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_inq_cred: t_inq_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_inq_cred t_inq_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_s4u t_s4u.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_s4u2proxy_krb5: t_s4u2proxy_krb5.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ t_s4u2proxy_krb5.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_namingexts: t_namingexts.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_namingexts t_namingexts.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_gssexts: t_gssexts.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_gssexts t_gssexts.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_spnego: t_spnego.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_spnego t_spnego.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_saslname: t_saslname.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_saslname t_saslname.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_credstore: t_credstore.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_credstore t_credstore.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_export_name: t_export_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ t_export_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-t_export_cred: t_export_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ t_export_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
+t_accname: t_accname.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS)
+t_ccselect: t_ccselect.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS)
+t_credstore: t_credstore.o $(COMMON_DEPLIBS)
+ $(CC_LINK) -o $@ t_credstore.o $(COMMON_LIBS)
+t_export_cred: t_export_cred.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_export_cred.o $(COMMON_LIBS)
+t_export_name: t_export_name.o $(COMMON_DEPLIBS)
+ $(CC_LINK) -o $@ t_export_name.o $(COMMON_LIBS)
+t_gssexts: t_gssexts.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_gssexts.o $(COMMON_LIBS)
+t_imp_cred: t_imp_cred.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_imp_cred.o $(COMMON_LIBS)
+t_imp_name: t_imp_name.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_imp_name.o $(COMMON_LIBS)
+t_inq_cred: t_inq_cred.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_inq_cred.o $(COMMON_LIBS)
+t_namingexts: t_namingexts.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS)
+t_s4u: t_s4u.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_s4u.o $(COMMON_LIBS)
+t_s4u2proxy_krb5: t_s4u2proxy_krb5.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_s4u2proxy_krb5.o $(COMMON_LIBS)
+t_saslname: t_saslname.o $(COMMON_DEPLIBS)
+ $(CC_LINK) -o $@ t_saslname.o $(COMMON_LIBS)
+t_spnego: t_spnego.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_spnego.o $(COMMON_LIBS)
clean::
- $(RM) t_accname t_ccselect t_imp_cred t_imp_name t_inq_cred t_s4u \
- t_s4u2proxy_krb5 t_namingexts t_gssexts t_spnego \
- t_saslname t_credstore t_export_name t_export_cred
+ $(RM) ccinit ccrefresh t_accname t_ccselect t_credstore t_export_cred \
+ $(RM) t_export_name t_gssexts t_imp_cred t_imp_name t_inq_cred
+ $(RM) t_namingexts t_s4u t_s4u2proxy_krb5 t_saslname t_spnego
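Review bot: The link rules for t_credstore, t_export_name and t_saslname list `$(COMMON_DEPLIBS)` as a prerequisite, but this hunk only defines `COMMON_DEPS` and `COMMON_LIBS`. Unless `COMMON_DEPLIBS` is set somewhere outside the hunk, it expands to nothing, so these three programs have no dependency on common.o or the libraries. A parallel build can then reach the link step before common.o exists, and the programs are not relinked when it changes. The three headers should read like the others, e.g. `t_credstore: t_credstore.o $(COMMON_DEPS)`. In the clean recipe, the trailing backslash on the first `$(RM)` line joins it to the next `$(RM)`, so a literal `rm` is passed as a file name; dropping the backslash makes it three separate commands.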
diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
new file mode 100644
index 000000000..ab968ccb7
--- /dev/null
+++ b/src/tests/gssapi/common.c
@@ -0,0 +1,211 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/common.c - Common utility functions for GSSAPI test programs */
+/*
+ * Copyright (C) 2012 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "common.h"
+
+gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" };
+gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" };
+gss_OID_desc mech_iakerb = { 6, "\053\006\001\005\002\005" };
+gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 };
+gss_OID_set_desc mechset_spnego = { 1, &mech_spnego };
+gss_OID_set_desc mechset_iakerb = { 1, &mech_iakerb };
+
+static void
+display_status(const char *msg, OM_uint32 code, int type)
+{
+ OM_uint32 maj_stat, min_stat, msg_ctx = 0;
+ gss_buffer_desc buf;
+
+ do {
+ maj_stat = gss_display_status(&min_stat, code, type, GSS_C_NULL_OID,
+ &msg_ctx, &buf);
+ fprintf(stderr, "%s: %.*s\n", msg, (int)buf.length, (char *)buf.value);
+ (void)gss_release_buffer(&min_stat, &buf);
+ } while (msg_ctx != 0);
+}
+
+void
+check_gsserr(const char *msg, OM_uint32 major, OM_uint32 minor)
+{
+ if (GSS_ERROR(major)) {
+ display_status(msg, major, GSS_C_GSS_CODE);
+ display_status(msg, minor, GSS_C_MECH_CODE);
+ exit(1);
+ }
+}
+
+void
+check_k5err(krb5_context context, const char *msg, krb5_error_code code)
+{
+ const char *errmsg;
+
+ if (code) {
+ errmsg = krb5_get_error_message(context, code);
+ printf("%s: %s\n", msg, errmsg);
+ krb5_free_error_message(context, errmsg);
+ exit(1);
+ }
+}
+
+void
+errout(const char *msg)
+{
+ fprintf(stderr, "%s\n", msg);
+ exit(1);
+}
+
+gss_name_t
+import_name(const char *str)
+{
+ OM_uint32 major, minor;
+ gss_name_t name;
+ gss_buffer_desc buf;
+ gss_OID nametype = NULL;
+
+ if (*str == 'u')
+ nametype = GSS_C_NT_USER_NAME;
+ else if (*str == 'p')
+ nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
+ else if (*str == 'h')
+ nametype = GSS_C_NT_HOSTBASED_SERVICE;
+ if (nametype == NULL || str[1] != ':')
+ errout("names must begin with u: or p: or h:");
+ buf.value = (char *)str + 2;
+ buf.length = strlen(str) - 2;
+ major = gss_import_name(&minor, &buf, nametype, &name);
+ check_gsserr("gss_import_name", major, minor);
+ return name;
+}
+
+void
+display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
+{
+ gss_name_t canon;
+ OM_uint32 major, minor;
+ gss_buffer_desc buf;
+
+ major = gss_canonicalize_name(&minor, name, mech, &canon);
+ check_gsserr("gss_canonicalize_name", major, minor);
+
+ major = gss_display_name(&minor, canon, &buf, NULL);
+ check_gsserr("gss_display_name", major, minor);
+
+ printf("%s:\t%.*s\n", tag, (int)buf.length, (char *)buf.value);
+
+ (void)gss_release_name(&minor, &canon);
+ (void)gss_release_buffer(&minor, &buf);
+}
+
+void
+display_oid(const char *tag, gss_OID oid)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc buf;
+
+ major = gss_oid_to_str(&minor, oid, &buf);
+ check_gsserr("gss_oid_to_str", major, minor);
+ printf("%s:\t%.*s\n", tag, (int)buf.length, (char *)buf.value);
+ (void)gss_release_buffer(&minor, &buf);
+}
+
+static void
+dump_attribute(gss_name_t name, gss_buffer_t attribute, int noisy)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc value;
+ gss_buffer_desc display_value;
+ int authenticated = 0;
+ int complete = 0;
+ int more = -1;
+ unsigned int i;
+
+ while (more != 0) {
+ value.value = NULL;
+ display_value.value = NULL;
+
+ major = gss_get_name_attribute(&minor, name, attribute, &authenticated,
+ &complete, &value, &display_value,
+ &more);
+ check_gsserr("gss_get_name_attribute", major, minor);
+
+ printf("Attribute %.*s %s %s\n\n%.*s\n",
+ (int)attribute->length, (char *)attribute->value,
+ authenticated ? "Authenticated" : "",
+ complete ? "Complete" : "",
+ (int)display_value.length, (char *)display_value.value);
+
+ if (noisy) {
+ for (i = 0; i < value.length; i++) {
+ if ((i % 32) == 0)
+ printf("\n");
+ printf("%02x", ((char *)value.value)[i] & 0xFF);
+ }
+ printf("\n\n");
+ }
+
+ (void)gss_release_buffer(&minor, &value);
+ (void)gss_release_buffer(&minor, &display_value);
+ }
+}
+
+void
+enumerate_attributes(gss_name_t name, int noisy)
+{
+ OM_uint32 major, minor;
+ int is_mechname;
+ gss_OID mech = GSS_C_NO_OID;
+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
+ size_t i;
+
+ major = gss_inquire_name(&minor, name, &is_mechname, &mech, &attrs);
+ check_gsserr("gss_inquire_name", major, minor);
+
+ if (attrs != GSS_C_NO_BUFFER_SET) {
+ for (i = 0; i < attrs->count; i++)
+ dump_attribute(name, &attrs->elements[i], noisy);
+ }
+
+ (void)gss_release_buffer_set(&minor, &attrs);
+}
+
+void
+print_hex(FILE *fp, gss_buffer_t buf)
+{
+ size_t i;
+ const unsigned char *bytes = buf->value;
+
+ for (i = 0; i < buf->length; i++)
+ printf("%02X", bytes[i]);
+ printf("\n");
+}
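Review bot: print_hex() ignores its fp argument and always writes with printf(), while common.h documents it as writing to fp, so a caller passing stderr or a file still gets the bytes on stdout. The two output calls should be `fprintf(fp, "%02X", bytes[i]);` and `fprintf(fp, "\n");`. Separately, display_status() discards maj_stat and prints buf, which has no initializer. If gss_display_status() can fail without filling the buffer (not verifiable from this hunk), the fprintf reads an indeterminate length and pointer; declaring `gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;` or checking maj_stat first avoids that. The file also calls exit() with no `#include <stdlib.h>` visible here.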
diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
new file mode 100644
index 000000000..be3bdb94c
--- /dev/null
+++ b/src/tests/gssapi/common.h
@@ -0,0 +1,70 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/common.h - Declarations for GSSAPI test utility functions */
+/*
+ * Copyright (C) 2012 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef COMMON_H
+#define COMMON_H
+
+#include <gssapi/gssapi_krb5.h>
+
+gss_OID_desc mech_krb5;
+gss_OID_desc mech_spnego;
+gss_OID_desc mech_iakerb;
+gss_OID_set_desc mechset_krb5;
+gss_OID_set_desc mechset_spnego;
+gss_OID_set_desc mechset_iakerb;
+
+/* Display an error message (containing msg) and exit if major is an error. */
+void check_gsserr(const char *msg, OM_uint32 major, OM_uint32 minor);
+
+/* Display an error message (containing msg) and exit if code is an error. */
+void check_k5err(krb5_context context, const char *msg, krb5_error_code code);
+
+/* Display an error message containing msg and exit. */
+void errout(const char *msg);
+
+/* Import a GSSAPI name based on a string of the form 'u:username',
+ * 'p:principalname', or 'h:host@service' (or just 'h:service'). */
+gss_name_t import_name(const char *str);
+
+/* Display name as canonicalized to mech, preceded by tag. */
+void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
+
+/* Display oid in printable form, preceded by tag. */
+void display_oid(const char *tag, gss_OID oid);
+
+/* Display attributes of name, including hex value if noisy is true. */
+void enumerate_attributes(gss_name_t name, int noisy);
+
+/* Display the contents of buf to fp in hex, followed by a newline. */
+void print_hex(FILE *fp, gss_buffer_t buf);
+
+#endif /* COMMON_H */
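Review bot: The six mech_* and mechset_* globals are declared here without `extern`, so every file that includes common.h gets its own tentative definition next to the initialized one in common.c. That links only where the toolchain merges common symbols and fails with duplicate-symbol errors under `-fno-common`. They should be declared as `extern gss_OID_desc mech_krb5;`, and likewise for the other five. The print_hex prototype also uses FILE although the header does not include `<stdio.h>`, so it compiles only when each caller happens to include stdio.h first.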
diff --git a/src/tests/gssapi/t_accname.c b/src/tests/gssapi/t_accname.c
index 0326cedc7..c85784232 100644
--- a/src/tests/gssapi/t_accname.c
+++ b/src/tests/gssapi/t_accname.c
@@ -25,9 +25,8 @@
#include <stdio.h>
#include <stdlib.h>
-#include <string.h>
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
/*
* Test program for acceptor names, intended to be run from a Python test
@@ -42,39 +41,11 @@
* Usage: ./t_accname targetname [acceptorname]
*/
-static void
-display_status_1(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void
-display_status(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t acceptor_cred;
- gss_buffer_desc buf;
gss_name_t target_name, acceptor_name = GSS_C_NO_NAME, real_acceptor_name;
gss_buffer_desc token, tmp, namebuf;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
@@ -85,37 +56,16 @@ main(int argc, char *argv[])
return 1;
}
- /* Import the target name as a krb5 principal name. */
- buf.value = argv[1];
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target_name);
- if (GSS_ERROR(major)) {
- display_status("gss_import_name(target_name)", major, minor);
- return 1;
- }
-
- /* Import the acceptor name as a host-based name. */
- if (argc >= 3) {
- buf.value = argv[2];
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_C_NT_HOSTBASED_SERVICE,
- &acceptor_name);
- if (GSS_ERROR(major)) {
- display_status("gss_import_name(acceptor_name)", major, minor);
- return 1;
- }
- }
+ /* Import target and acceptor names. */
+ target_name = import_name(argv[1]);
+ if (argc >= 3)
+ acceptor_name = import_name(argv[2]);
/* Get acceptor cred. */
major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
&acceptor_cred, NULL, NULL);
- if (GSS_ERROR(major)) {
- display_status("gss_acquire_cred", major, minor);
- return 1;
- }
+ check_gsserr("gss_acquire_cred", major, minor);
/* Create krb5 initiator context and get the first token. */
token.value = NULL;
@@ -126,10 +76,7 @@ main(int argc, char *argv[])
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
- if (GSS_ERROR(major)) {
- display_status("gss_init_sec_context", major, minor);
- return 1;
- }
+ check_gsserr("gss_init_sec_context", major, minor);
/* Pass the token to gss_accept_sec_context. */
tmp.value = NULL;
@@ -137,26 +84,17 @@ main(int argc, char *argv[])
major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred,
&token, GSS_C_NO_CHANNEL_BINDINGS,
NULL, NULL, &tmp, NULL, NULL, NULL);
- if (major != GSS_S_COMPLETE) {
- display_status("gss_accept_sec_context", major, minor);
- return 1;
- }
+ check_gsserr("gss_accept_sec_context", major, minor);
major = gss_inquire_context(&minor, acceptor_context, NULL,
&real_acceptor_name, NULL, NULL, NULL, NULL,
NULL);
- if (GSS_ERROR(major)) {
- display_status("gss_inquire_context", major, minor);
- return 1;
- }
+ check_gsserr("gss_inquire_context", major, minor);
namebuf.value = NULL;
namebuf.length = 0;
major = gss_display_name(&minor, real_acceptor_name, &namebuf, NULL);
- if (GSS_ERROR(major)) {
- display_status("gss_display_name", major, minor);
- return 1;
- }
+ check_gsserr("gss_display_name", major, minor);
printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value);
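Review bot: The accept step no longer fails on GSS_S_CONTINUE_NEEDED. The removed check was `major != GSS_S_COMPLETE`, whereas check_gsserr() in common.c exits only when GSS_ERROR(major) is set, so an incomplete acceptor context now falls through to gss_inquire_context() and the name it reports. If a single-token exchange is the invariant this test relies on, keep it explicit after the check_gsserr call, e.g. `if (major != GSS_S_COMPLETE) errout("gss_accept_sec_context: context not complete");`. The same substitution appears in the `@@ -147,14 +90,12 @@` hunk of t_ccselect.c. main() starts and ends outside this hunk.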
diff --git a/src/tests/gssapi/t_ccselect.c b/src/tests/gssapi/t_ccselect.c
index 620ce1c4b..05b0a844a 100644
--- a/src/tests/gssapi/t_ccselect.c
+++ b/src/tests/gssapi/t_ccselect.c
@@ -28,7 +28,7 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
/*
* Test program for client credential selection, intended to be run from a
@@ -43,40 +43,11 @@
* Usage: ./t_ccselect [targetprinc|gss:service@host] [initiatorprinc|-]
*/
-static void
-display_status_1(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void
-gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
- exit(1);
-}
-
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t initiator_cred = GSS_C_NO_CREDENTIAL;
- gss_buffer_desc buf;
gss_name_t target_name, initiator_name = GSS_C_NO_NAME;
gss_name_t real_initiator_name;
gss_buffer_desc token, tmp, namebuf;
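Review bot: The usage comment at the top of this hunk still reads `Usage: ./t_ccselect [targetprinc|gss:service@host] [initiatorprinc|-]`, which no longer matches the code. The commit switches name arguments to import_name()'s `p:`, `h:` and `u:` prefixes, and the usage string printed by main() is updated to `targetname [initiatorname|-]` in the next hunk. The comment should be brought in line, e.g. `* Usage: ./t_ccselect targetname [initiatorname|-]`, with a short line saying that names use the p:/h:/u: prefix form. The comment block begins before the hunk.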
@@ -84,47 +55,20 @@ main(int argc, char *argv[])
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s targetprinc [initiatorprinc|-]\n", argv[0]);
+ fprintf(stderr, "Usage: %s targetname [initiatorname|-]\n", argv[0]);
return 1;
}
- /* Import the target name. */
- if (strncmp(argv[1], "gss:", 4) == 0) {
- /* Import as host-based service. */
- buf.value = argv[1] + 4;
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_C_NT_HOSTBASED_SERVICE,
- &target_name);
- } else {
- /* Import as krb5 principal name. */
- buf.value = argv[1];
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target_name);
- }
- if (GSS_ERROR(major))
- gsserr("gss_import_name(target_name)", major, minor);
+ target_name = import_name(argv[1]);
- /* Import the initiator name as a krb5 principal and get creds, maybe. */
if (argc >= 3) {
- if (strcmp(argv[2], "-") != 0) {
- buf.value = argv[2];
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &initiator_name);
- if (GSS_ERROR(major))
- gsserr("gss_import_name(initiator_name)", major, minor);
- }
-
- /* Get acceptor cred. */
+ /* Get initiator cred. */
+ if (strcmp(argv[2], "-") != 0)
+ initiator_name = import_name(argv[2]);
major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_INITIATE,
&initiator_cred, NULL, NULL);
- if (GSS_ERROR(major))
- gsserr("gss_acquire_cred", major, minor);
+ check_gsserr("gss_acquire_cred", major, minor);
}
@@ -136,8 +80,7 @@ main(int argc, char *argv[])
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
- if (GSS_ERROR(major))
- gsserr("gss_init_sec_context", major, minor);
+ check_gsserr("gss_init_sec_context", major, minor);
/* Pass the token to gss_accept_sec_context. */
tmp.value = NULL;
@@ -147,14 +90,12 @@ main(int argc, char *argv[])
GSS_C_NO_CHANNEL_BINDINGS,
&real_initiator_name, NULL, &tmp,
NULL, NULL, NULL);
- if (major != GSS_S_COMPLETE)
- gsserr("gss_accept_sec_context", major, minor);
+ check_gsserr("gss_accept_sec_context", major, minor);
namebuf.value = NULL;
namebuf.length = 0;
major = gss_display_name(&minor, real_initiator_name, &namebuf, NULL);
- if (GSS_ERROR(major))
- gsserr("gss_display_name(initiator)", major, minor);
+ check_gsserr("gss_display_name(initiator)", major, minor);
printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value);
(void)gss_release_name(&minor, &target_name);
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index 78f307f01..6b7bce617 100644
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -28,16 +28,19 @@ r1 = K5Realm(create_user=False)
r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000,
testdir=os.path.join(r1.testdir, 'r2'))
+host1 = 'p:' + r1.host_princ
+host2 = 'p:' + r2.host_princ
+
# gsserver specifies the target as a GSS name. The resulting
# principal will have the host-based type, but the realm won't be
# known before the client cache is selected (since k5test realms have
# no domain-realm mapping by default).
-gssserver = 'gss:host@' + hostname
+gssserver = 'h:host@' + hostname
# refserver specifies the target as a principal in the referral realm.
# The principal won't be treated as a host principal by the
# .k5identity rules since it has unknown type.
-refserver = 'host/' + hostname + '@'
+refserver = 'p:host/' + hostname + '@'
# Make each realm's keytab contain entries for both realm's servers.
#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
@@ -47,8 +50,7 @@ refserver = 'host/' + hostname + '@'
# Verify that we can't get initiator creds with no credentials in the
# collection.
-output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'],
- expected_code=1)
+output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1)
if 'No Kerberos credentials available' not in output:
fail('Expected error not seen in output when no credentials available')
@@ -75,24 +77,24 @@ r1.kinit(alice, password('alice'))
r2.kinit(zaphod, password('zaphod'))
# Check that we can find a cache for a specified client principal.
-output = r1.run_as_client(['./t_ccselect', r1.host_princ, alice])
+output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice])
if output != (alice + '\n'):
fail('alice not chosen when specified')
-output = r2.run_as_client(['./t_ccselect', r2.host_princ, zaphod])
+output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod])
if output != (zaphod + '\n'):
fail('zaphod not chosen when specified')
# Check that we can guess a cache based on the service realm.
-output = r1.run_as_client(['./t_ccselect', r1.host_princ])
+output = r1.run_as_client(['./t_ccselect', host1])
if output != (alice + '\n'):
fail('alice not chosen as default initiator cred for server in r1')
-output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'])
+output = r1.run_as_client(['./t_ccselect', host1, '-'])
if output != (alice + '\n'):
fail('alice not chosen as default initiator name for server in r1')
-output = r2.run_as_client(['./t_ccselect', r2.host_princ])
+output = r2.run_as_client(['./t_ccselect', host2])
if output != (zaphod + '\n'):
fail('zaphod not chosen as default initiator cred for server in r1')
-output = r2.run_as_client(['./t_ccselect', r2.host_princ, '-'])
+output = r2.run_as_client(['./t_ccselect', host2, '-'])
if output != (zaphod + '\n'):
fail('zaphod not chosen as default initiator name for server in r1')
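Review bot: The two failure messages for the r2/zaphod checks say "for server in r1", although both run `r2.run_as_client` against `host2`, so a failure there would point at the wrong realm. These are context lines that the commit leaves unchanged, but they sit directly beside the edited calls. Suggested wording: `fail('zaphod not chosen as default initiator cred for server in r2')` and `fail('zaphod not chosen as default initiator name for server in r2')`.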
@@ -111,7 +113,7 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm))
k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
k5id.write('noprinc service=bogus')
k5id.close()
-output = r1.run_as_client(['./t_ccselect', r1.host_princ])
+output = r1.run_as_client(['./t_ccselect', host1])
if output != (alice + '\n'):
fail('alice not chosen via .k5identity realm line.')
output = r2.run_as_client(['./t_ccselect', gssserver])
@@ -120,7 +122,7 @@ if output != (zaphod + '\n'):
output = r1.run_as_client(['./t_ccselect', refserver])
if output != (bob + '\n'):
fail('bob not chosen via primary cache when no .k5identity line matches.')
-output = r1.run_as_client(['./t_ccselect', 'gss:bogus@' + hostname],
+output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname],
expected_code=1)
if 'Can\'t find client principal noprinc' not in output:
fail('Expected error not seen when k5identity selects bad principal.')
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index 71cb89e78..71566a5d3 100644
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -5,14 +5,17 @@ from k5test import *
# Point HOME at realm.testdir for tests using .k5identity.
realm = K5Realm(get_creds=False)
bob = 'bob@' + realm.realm
-gssserver = 'gss:host@' + hostname
+phost = 'p:' + realm.host_princ
+puser = 'p:' + realm.user_princ
+pbob = 'p:' + bob
+gssserver = 'h:host@' + hostname
realm.env_client['HOME'] = realm.testdir
realm.addprinc(bob, password('bob'))
realm.extract_keytab(realm.user_princ, realm.client_keytab)
realm.extract_keytab(bob, realm.client_keytab)
# Test 1: no name/cache specified, pick first principal from client keytab
-out = realm.run_as_client(['./t_ccselect', realm.host_princ])
+out = realm.run_as_client(['./t_ccselect', phost])
if realm.user_princ not in out:
fail('Authenticated as wrong principal')
realm.run_as_client([kdestroy])
@@ -30,27 +33,26 @@ realm.run_as_client([kdestroy])
# Test 3: no name/cache specified, default ccache has name but no creds
realm.run_as_client(['./ccinit', realm.ccache, bob])
-out = realm.run_as_client(['./t_ccselect', realm.host_princ])
+out = realm.run_as_client(['./t_ccselect', phost])
if bob not in out:
fail('Authenticated as wrong principal')
# Leave tickets for next test.
# Test 4: name specified, non-collectable default cache doesn't match
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, realm.user_princ],
- expected_code=1)
+out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1)
if 'Principal in credential cache does not match desired name' not in out:
fail('Expected error not seen')
realm.run_as_client([kdestroy])
# Test 5: name specified, nonexistent default cache
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+out = realm.run_as_client(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
# Leave tickets for next test.
# Test 6: name specified, matches default cache, time to refresh
realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+out = realm.run_as_client(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
out = realm.run_as_client(['./ccrefresh', realm.ccache])
@@ -59,26 +61,26 @@ if int(out) < 1000:
realm.run_as_client([kdestroy])
# Test 7: empty ccache specified, pick first principal from client keytab
-realm.run_as_client(['./t_imp_cred', realm.host_princ])
+realm.run_as_client(['./t_imp_cred', phost])
realm.klist(realm.user_princ)
realm.run_as_client([kdestroy])
# Test 8: ccache specified with name but no creds; name not in client keytab
realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ])
-out = realm.run_as_client(['./t_imp_cred', realm.host_princ], expected_code=1)
+out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1)
if 'Credential cache is empty' not in out:
fail('Expected error not seen')
realm.run_as_client([kdestroy])
# Test 9: ccache specified with name but no creds; name in client keytab
realm.run_as_client(['./ccinit', realm.ccache, bob])
-realm.run_as_client(['./t_imp_cred', realm.host_princ])
+realm.run_as_client(['./t_imp_cred', phost])
realm.klist(bob)
# Leave tickets for next test.
# Test 10: ccache specified with creds, time to refresh
realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
-realm.run_as_client(['./t_imp_cred', realm.host_princ])
+realm.run_as_client(['./t_imp_cred', phost])
realm.klist(bob)
out = realm.run_as_client(['./ccrefresh', realm.ccache])
if int(out) < 1000:
@@ -94,14 +96,14 @@ realm.env_client['KRB5CCNAME'] = ccname
# Test 11: name specified, matching cache in collection with no creds
bobcache = os.path.join(ccdir, 'tktbob')
realm.run_as_client(['./ccinit', bobcache, bob])
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+out = realm.run_as_client(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
# Leave tickets for next test.
# Test 12: name specified, matching cache in collection, time to refresh
realm.run_as_client(['./ccrefresh', bobcache, '1'])
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+out = realm.run_as_client(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
out = realm.run_as_client(['./ccrefresh', bobcache])
@@ -111,7 +113,7 @@ realm.run_as_client([kdestroy, '-A'])
# Test 13: name specified, collection has default for different principal
realm.kinit(realm.user_princ, password('user'))
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+out = realm.run_as_client(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
out = realm.run_as_client([klist])
@@ -120,7 +122,7 @@ if 'Default principal: %s\n' % realm.user_princ not in out:
realm.run_as_client([kdestroy, '-A'])
# Test 14: name specified, collection has no default cache
-out = realm.run_as_client(['./t_ccselect', realm.host_princ, bob])
+out = realm.run_as_client(['./t_ccselect', phost, pbob])
if bob not in out:
fail('Authenticated as wrong principal')
# Make sure the tickets we acquired didn't become the default
diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c
index 73c11f8b5..085bc794e 100644
--- a/src/tests/gssapi/t_credstore.c
+++ b/src/tests/gssapi/t_credstore.c
@@ -27,41 +27,14 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_ext.h>
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
static void
-print_gss_status(int type, OM_uint32 code)
-{
- OM_uint32 major, minor;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx = 0;
-
- do {
- major = gss_display_status(&minor, code, type,
- GSS_C_NULL_OID, &msg_ctx, &msg);
- if (major == 0) {
- fprintf(stdout, "%s. ", (char *)msg.value);
- major = gss_release_buffer(&minor, &msg);
- }
- } while (msg_ctx);
-}
-
-static void
-print_status(char *msg, OM_uint32 major, OM_uint32 minor)
-{
- fprintf(stdout, "%s: ", msg);
- print_gss_status(GSS_C_GSS_CODE, major);
- print_gss_status(GSS_C_MECH_CODE, minor);
- fprintf(stdout, "\n");
-}
-
-static void
-usage(const char *name)
+usage(void)
{
fprintf(stderr,
- "Usage: %s <principal> [--cred_store {<key> <value>} ...]\n",
- name);
+ "Usage: t_credstore principal [--cred_store {key value} ...]\n");
+ exit(1);
}
int
@@ -74,10 +47,8 @@ main(int argc, char *argv[])
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
int i, e;
- if (argc < 2 || ((argc - 3) % 2)) {
- usage(argv[0]);
- exit(1);
- }
+ if (argc < 2 || ((argc - 3) % 2))
+ usage();
store.count = (argc - 3) / 2;
store.elements = calloc(store.count,
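Review bot: The argument check at the top of this hunk still rejects `t_credstore principal` with no store options, because `(argc - 3) % 2` is non-zero when argc is 2, although the new usage text shows the `--cred_store` part as optional and the later `if (argc > 2)` branch suggests the bare form was meant to work. If it should be accepted, the test could read `if (argc < 2 || (argc > 2 && (argc - 3) % 2 != 0))`, with `store.count` forced to 0 in that case. main starts and continues outside the hunk, so the allocation check that follows should be confirmed to tolerate a zero count.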
@@ -88,10 +59,8 @@ main(int argc, char *argv[])
}
if (argc > 2) {
- if (strcmp(argv[2], "--cred_store") != 0) {
- usage(argv[0]);
- exit(1);
- }
+ if (strcmp(argv[2], "--cred_store") != 0)
+ usage();
for (i = 3, e = 0; i < argc; i += 2, e++) {
store.elements[e].key = argv[i];
@@ -104,19 +73,11 @@ main(int argc, char *argv[])
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
GSS_C_INITIATE, &cred, NULL, NULL);
- if (major) {
- print_status("gss_acquire_cred(default user creds) failed",
- major, minor);
- goto out;
- }
+ check_gsserr("gss_acquire_cred", major, minor);
major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE,
GSS_C_NO_OID, 1, 0, &store, NULL, NULL);
- if (major) {
- print_status("gss_store_cred_in_store(default user creds) failed",
- major, minor);
- goto out;
- }
+ check_gsserr("gss_store_cred_into", major, minor);
gss_release_cred(&minor, &cred);
@@ -128,27 +89,17 @@ main(int argc, char *argv[])
major = gss_import_name(&minor, &buf,
(gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
&service);
- if (major) {
- print_status("gss_import_name(principal) failed", major, minor);
- goto out;
- }
+ check_gsserr("gss_import_name", major, minor);
major = gss_acquire_cred_from(&minor, service,
0, GSS_C_NO_OID_SET, GSS_C_BOTH,
&store, &cred, NULL, NULL);
- if (major) {
- print_status("gss_acquire_cred_from_store(principal) failed",
- major, minor);
- goto out;
- }
+ check_gsserr("gss_acquire_cred_from", major, minor);
fprintf(stdout, "Cred Store Success\n");
- major = 0;
-
-out:
gss_release_name(&minor, &service);
gss_release_cred(&minor, &cred);
free(store.elements);
- return major;
+ return 0;
}
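Review bot: The principal is still imported here by a direct `gss_import_name` call with `GSS_KRB5_NT_PRINCIPAL_NAME`, so t_credstore keeps taking a bare principal while the other programs in this commit move to the prefixed `p:`/`h:`/`u:` form. Replacing the call with `service = import_name(...)` on the principal argument (the buffer setup sits above the hunk, so the argument index should be confirmed) and passing a `p:` name from the Python test would leave one argument convention across the test programs. If the bare form is deliberate, a comment such as `/* Takes a bare krb5 principal, not a p:/h:/u: name. */` above the import would say so.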
diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
index f7ddbc7ad..6f62eed81 100644
--- a/src/tests/gssapi/t_export_cred.c
+++ b/src/tests/gssapi/t_export_cred.c
@@ -25,80 +25,8 @@
#include <stdio.h>
#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <gssapi/gssapi_krb5.h>
-
-static gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" };
-static gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" };
-static gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 };
-static gss_OID_set_desc mechset_spnego = { 1, &mech_spnego };
-
-static void
-display_status_1(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-/* If maj_stat indicates an error, display an error message (containing msg)
- * and exit. */
-static void
-check_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- if (GSS_ERROR(maj_stat)) {
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
- exit(1);
- }
-}
-
-/* Display an error message and exit. */
-static void
-errout(const char *msg)
-{
- fprintf(stderr, "%s\n", msg);
- exit(1);
-}
-
-/* Import a GSSAPI name based on a string of the form 'u:username',
- * 'p:principalname', or 'h:host@service' (or just 'h:service'). */
-static gss_name_t
-import_name(const char *str)
-{
- OM_uint32 major, minor;
- gss_name_t name;
- gss_buffer_desc buf;
- gss_OID nametype = NULL;
-
- if (*str == 'u')
- nametype = GSS_C_NT_USER_NAME;
- else if (*str == 'p')
- nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
- else if (*str == 'h')
- nametype = GSS_C_NT_HOSTBASED_SERVICE;
- if (nametype == NULL || str[1] != ':')
- errout("names must begin with u: or p: or h:");
- buf.value = (char *)str + 2;
- buf.length = strlen(str) - 2;
- major = gss_import_name(&minor, &buf, nametype, &name);
- check_gsserr("gss_import_name", major, minor);
- return name;
-}
+#include "common.h"
/* Display a usage error message and exit. */
static void
diff --git a/src/tests/gssapi/t_export_name.c b/src/tests/gssapi/t_export_name.c
index d765e28fb..676ac54be 100644
--- a/src/tests/gssapi/t_export_name.c
+++ b/src/tests/gssapi/t_export_name.c
@@ -41,55 +41,12 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
-
-static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
-
-static void
-display_status_1(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
+#include "common.h"
static void
-gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
+usage(void)
{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
- exit(1);
-}
-
-static void
-print_hex(FILE *fp, gss_buffer_t buf)
-{
- size_t i;
- const unsigned char *bytes = buf->value;
-
- for (i = 0; i < buf->length; i++)
- printf("%02X", bytes[i]);
- printf("\n");
-}
-
-static void
-usage(const char *progname)
-{
- fprintf(stderr,
- "Usage: %s [-k|-s] user:username|krb5:princ|gss:service@host\n",
- progname);
+ fprintf(stderr, "Usage: t_export_name [-k|-s] name\n");
exit(1);
}
@@ -97,60 +54,41 @@ int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
- gss_OID mech = (gss_OID)gss_mech_krb5, nametype = NULL;
+ gss_OID mech = (gss_OID)gss_mech_krb5;
gss_name_t name, mechname, impname;
gss_buffer_desc buf, buf2;
- const char *name_arg, *progname = argv[0];
+ const char *name_arg;
char opt;
+ /* Parse arguments. */
while (argc > 1 && argv[1][0] == '-') {
opt = argv[1][1];
argc--, argv++;
if (opt == 'k')
- mech = (gss_OID)gss_mech_krb5;
+ mech = &mech_krb5;
else if (opt == 's')
- mech = &spnego_mech;
+ mech = &mech_spnego;
else
- usage(progname);
+ usage();
}
if (argc != 2)
- usage(progname);
+ usage();
name_arg = argv[1];
/* Import the name. */
- if (strncmp(name_arg, "user:", 5) == 0) {
- nametype = GSS_C_NT_USER_NAME;
- name_arg += 5;
- } else if (strncmp(name_arg, "krb5:", 5) == 0) {
- nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
- name_arg += 5;
- } else if (strncmp(name_arg, "host:", 5) == 0) {
- nametype = GSS_C_NT_HOSTBASED_SERVICE;
- name_arg += 5;
- } else {
- usage(progname);
- }
- buf.value = (char *)name_arg;
- buf.length = strlen(name_arg);
- major = gss_import_name(&minor, &buf, nametype, &name);
- if (GSS_ERROR(major))
- gsserr("gss_import_name", major, minor);
+ name = import_name(name_arg);
/* Canonicalize and export the name. */
major = gss_canonicalize_name(&minor, name, mech, &mechname);
- if (GSS_ERROR(major))
- gsserr("gss_canonicalize_name", major, minor);
+ check_gsserr("gss_canonicalize_name", major, minor);
major = gss_export_name(&minor, mechname, &buf);
- if (GSS_ERROR(major))
- gsserr("gss_export_name", major, minor);
+ check_gsserr("gss_export_name", major, minor);
/* Import and re-export the name, and compare the results. */
major = gss_import_name(&minor, &buf, GSS_C_NT_EXPORT_NAME, &impname);
- if (GSS_ERROR(major))
- gsserr("gss_export_name", major, minor);
+ check_gsserr("gss_export_name", major, minor);
major = gss_export_name(&minor, impname, &buf2);
- if (GSS_ERROR(major))
- gsserr("gss_export_name", major, minor);
+ check_gsserr("gss_export_name", major, minor);
if (buf.length != buf2.length ||
memcmp(buf.value, buf2.value, buf.length) != 0) {
fprintf(stderr, "Mismatched results:\n");
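Review bot: The check after `gss_import_name(&minor, &buf, GSS_C_NT_EXPORT_NAME, &impname)` is labelled `"gss_export_name"`, so a failure to re-import the exported token would be reported under the wrong call; it should read `check_gsserr("gss_import_name", major, minor);`. The declaration also still initialises `mech` with `(gss_OID)gss_mech_krb5` while the `-k` branch now assigns `&mech_krb5`; using `&mech_krb5` in both places would keep the file on the shared constants. main continues outside the hunk.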
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index d3dd881bc..b21380f08 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -3,7 +3,7 @@ from k5test import *
# Test krb5 negotiation under SPNEGO for all enctype configurations.
for realm in multipass_realms():
- realm.run_as_client(['./t_spnego', realm.host_princ, realm.keytab])
+ realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab])
### Test acceptor name behavior.
@@ -24,16 +24,16 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew')
# Test with no acceptor name, including client/keytab principal
# mismatch (non-fatal) and missing keytab entry (fatal).
-output = realm.run_as_client(['./t_accname', 'service1/andrew'])
+output = realm.run_as_client(['./t_accname', 'p:service1/andrew'])
if 'service1/abraham' not in output:
fail('Expected service1/abraham in t_accname output')
-output = realm.run_as_client(['./t_accname', 'service1/barack'])
+output = realm.run_as_client(['./t_accname', 'p:service1/barack'])
if 'service1/barack' not in output:
fail('Expected service1/barack in t_accname output')
-output = realm.run_as_client(['./t_accname', 'service2/calvin'])
+output = realm.run_as_client(['./t_accname', 'p:service2/calvin'])
if 'service2/calvin' not in output:
fail('Expected service1/barack in t_accname output')
-output = realm.run_as_client(['./t_accname', 'service2/dwight'],
+output = realm.run_as_client(['./t_accname', 'p:service2/dwight'],
expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
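Review bot: The failure message for the `p:service2/calvin` case says `Expected service1/barack in t_accname output`, which would point at the wrong principal if that check ever fails. Since the neighbouring lines are being edited anyway, it should read `fail('Expected service2/calvin in t_accname output')`.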
@@ -41,39 +41,41 @@ if 'Wrong principal in request' not in output:
# Test with acceptor name containing service only, including
# client/keytab hostname mismatch (non-fatal) and service name
# mismatch (fatal).
-output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service1'])
+output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
+ 'h:service1'])
if 'service1/abraham' not in output:
fail('Expected service1/abraham in t_accname output')
-output = realm.run_as_client(['./t_accname', 'service1/andrew', 'service2'],
- expected_code=1)
+output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
+ 'h:service2'], expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
-output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service2'])
+output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
+ 'h:service2'])
if 'service2/calvin' not in output:
fail('Expected service2/calvin in t_accname output')
-output = realm.run_as_client(['./t_accname', 'service2/calvin', 'service1'],
- expected_code=1)
+output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
+ 'h:service1'], expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
# Test with acceptor name containing service and host. Use the
# client's un-canonicalized hostname as acceptor input to mirror what
# many servers do.
-output = realm.run_as_client(['./t_accname', realm.host_princ,
- 'host@%s' % socket.gethostname()])
+output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ,
+ 'h:host@%s' % socket.gethostname()])
if realm.host_princ not in output:
fail('Expected %s in t_accname output' % realm.host_princ)
-output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
- 'host@%s' % socket.gethostname()],
+output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
+ 'h:host@%s' % socket.gethostname()],
expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_accname output')
# Test krb5_gss_import_cred.
-realm.run_as_client(['./t_imp_cred', 'service1/barack'])
-realm.run_as_client(['./t_imp_cred', 'service1/barack', 'service1/barack'])
-realm.run_as_client(['./t_imp_cred', 'service1/andrew', 'service1/abraham'])
-output = realm.run_as_client(['./t_imp_cred', 'service2/dwight'],
+realm.run_as_client(['./t_imp_cred', 'p:service1/barack'])
+realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
+realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
+output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'],
expected_code=1)
if 'Wrong principal in request' not in output:
fail('Expected error message not seen in t_imp_cred output')
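Review bot: In the `t_imp_cred` calls the first argument now carries a `p:` prefix while the second (`'service1/barack'`, `'service1/abraham'`) stays a bare principal, which reads like a missed conversion. t_imp_cred's usage line calls that argument `acceptorprinc`, so it is presumably still parsed as a plain krb5 principal rather than through the shared name importer. A comment above these calls would make the difference explicit, for example `# Second argument is a bare krb5 principal (acceptor), not a p:/h:/u: name.`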
@@ -94,7 +96,7 @@ if 'Cred Store Success' not in output:
# Verify that we can't acquire acceptor creds without a keytab.
os.remove(realm.keytab)
-output = realm.run_as_client(['./t_accname', 'abc'], expected_code=1)
+output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1)
if ('gss_acquire_cred: Keytab' not in output or
'nonexistent or empty' not in output):
fail('Expected error message not seen for nonexistent keytab')
@@ -108,8 +110,8 @@ ignore_conf = { 'all' : { 'libdefaults' : {
realm = K5Realm(krb5_conf=ignore_conf)
realm.run_kadminl('addprinc -randkey host/-nomatch-')
realm.run_kadminl('xst host/-nomatch-')
-output = realm.run_as_client(['./t_accname', 'host/-nomatch-',
- 'host@%s' % socket.gethostname()])
+output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
+ 'h:host@%s' % socket.gethostname()])
if 'host/-nomatch-' not in output:
fail('Expected host/-nomatch- in t_accname output')
@@ -157,16 +159,16 @@ if realm.host_princ not in output:
fail('Expected %s in t_inq_cred output' % realm.host_princ)
# Test gss_export_name behavior.
-out = realm.run_as_client(['./t_export_name', 'user:x'])
+out = realm.run_as_client(['./t_export_name', 'u:x'])
if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n':
fail('Unexpected output from t_export_name (krb5 username)')
-output = realm.run_as_client(['./t_export_name', '-s', 'user:xyz'])
+output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz'])
if output != '0401000806062B06010505020000000378797A\n':
fail('Unexpected output from t_export_name (SPNEGO username)')
-output = realm.run_as_client(['./t_export_name', 'krb5:a@b'])
+output = realm.run_as_client(['./t_export_name', 'p:a@b'])
if output != '0401000B06092A864886F71201020200000003614062\n':
fail('Unexpected output from t_export_name (krb5 principal)')
-output = realm.run_as_client(['./t_export_name', '-s', 'krb5:a@b'])
+output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b'])
if output != '0401000806062B060105050200000003614062\n':
fail('Unexpected output from t_export_name (SPNEGO krb5 principal)')
diff --git a/src/tests/gssapi/t_gssexts.c b/src/tests/gssapi/t_gssexts.c
index 059f63340..d008c0862 100644
--- a/src/tests/gssapi/t_gssexts.c
+++ b/src/tests/gssapi/t_gssexts.c
@@ -27,7 +27,7 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
/*
* Test program for protocol transition (S4U2Self) and constrained delegation
@@ -53,94 +53,17 @@
* Usage eg:
*
* kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
- * ./t_s4u delegtest@WIN.MIT.EDU HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
+ * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
*/
-static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
-
static int use_spnego = 0;
static void
-displayStatus_1(char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void
-displayStatus(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE);
- displayStatus_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
-static OM_uint32
-displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag)
-{
- gss_name_t canon;
- OM_uint32 major, tmp_minor;
- gss_buffer_desc buf;
-
- major = gss_canonicalize_name(minor, name,
- (gss_OID)gss_mech_krb5, &canon);
- if (GSS_ERROR(major)) {
- displayStatus("gss_canonicalize_name", major, *minor);
- return major;
- }
-
- major = gss_display_name(minor, canon, &buf, NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_display_name", major, *minor);
- gss_release_name(&tmp_minor, &canon);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
-
- gss_release_buffer(&tmp_minor, &buf);
- gss_release_name(&tmp_minor, &canon);
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-displayOID(OM_uint32 *minor, gss_OID oid, char *tag)
-{
- OM_uint32 major, tmp_minor;
- gss_buffer_desc buf;
-
- major = gss_oid_to_str(minor, oid, &buf);
- if (GSS_ERROR(major)) {
- displayStatus("gss_oid_to_str", major, *minor);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
-
- gss_release_buffer(&tmp_minor, &buf);
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-testPrf(OM_uint32 *minor, gss_ctx_id_t initiatorContext,
- gss_ctx_id_t acceptorContext, int flags)
+test_prf(gss_ctx_id_t initiatorContext, gss_ctx_id_t acceptorContext,
+ int flags)
{
gss_buffer_desc constant;
- OM_uint32 major, tmp_minor;
+ OM_uint32 major, minor;
unsigned int i;
gss_buffer_desc initiatorPrf;
gss_buffer_desc acceptorPrf;
@@ -151,207 +74,124 @@ testPrf(OM_uint32 *minor, gss_ctx_id_t initiatorContext,
initiatorPrf.value = NULL;
acceptorPrf.value = NULL;
- major = gss_pseudo_random(minor, initiatorContext, flags,
- &constant, 19, &initiatorPrf);
- if (GSS_ERROR(major)) {
- displayStatus("gss_pseudo_random", major, *minor);
- return major;
- }
+ major = gss_pseudo_random(&minor, initiatorContext, flags, &constant, 19,
+ &initiatorPrf);
+ check_gsserr("gss_pseudo_random", major, minor);
printf("%s\n", flags == GSS_C_PRF_KEY_FULL ?
"PRF_KEY_FULL" : "PRF_KEY_PARTIAL");
printf("Initiator PRF: ");
- for (i = 0; i < initiatorPrf.length; i++) {
+ for (i = 0; i < initiatorPrf.length; i++)
printf("%02x ", ((char *)initiatorPrf.value)[i] & 0xFF);
- }
printf("\n");
- major = gss_pseudo_random(minor, acceptorContext, flags,
- &constant, 19, &acceptorPrf);
- if (GSS_ERROR(major)) {
- displayStatus("gss_pseudo_random", major, *minor);
- gss_release_buffer(&tmp_minor, &initiatorPrf);
- return major;
- }
+ major = gss_pseudo_random(&minor, acceptorContext, flags, &constant, 19,
+ &acceptorPrf);
+ check_gsserr("gss_pseudo_random", major, minor);
printf("Acceptor PRF: ");
- for (i = 0; i < acceptorPrf.length; i++) {
+ for (i = 0; i < acceptorPrf.length; i++)
printf("%02x ", ((char *)acceptorPrf.value)[i] & 0xFF);
- }
printf("\n");
if (acceptorPrf.length != initiatorPrf.length ||
memcmp(acceptorPrf.value, initiatorPrf.value, initiatorPrf.length)) {
fprintf(stderr, "Initiator and acceptor PRF output does not match\n");
- major = GSS_S_FAILURE;
+ exit(1);
}
- gss_release_buffer(&tmp_minor, &initiatorPrf);
- gss_release_buffer(&tmp_minor, &acceptorPrf);
-
- return major;
+ (void)gss_release_buffer(&minor, &initiatorPrf);
+ (void)gss_release_buffer(&minor, &acceptorPrf);
}
-static OM_uint32
-initAcceptSecContext(OM_uint32 *minor, gss_cred_id_t claimant_cred_handle,
- gss_cred_id_t verifier_cred_handle,
- gss_cred_id_t *deleg_cred_handle)
+static void
+init_accept_sec_context(gss_cred_id_t claimant_cred_handle,
+ gss_cred_id_t verifier_cred_handle,
+ gss_cred_id_t *deleg_cred_handle)
{
- OM_uint32 major, tmp_minor;
- gss_buffer_desc token, tmp;
+ OM_uint32 major, minor;
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER;
+ gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
- gss_name_t source_name = GSS_C_NO_NAME;
- gss_name_t target_name = GSS_C_NO_NAME;
OM_uint32 time_rec;
- gss_OID mech = GSS_C_NO_OID;
-
- token.value = NULL;
- token.length = 0;
-
- tmp.value = NULL;
- tmp.length = 0;
+ gss_OID mech;
*deleg_cred_handle = GSS_C_NO_CREDENTIAL;
- major = gss_inquire_cred(minor, verifier_cred_handle,
- &target_name, NULL, NULL, NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_cred", major, *minor);
- return major;
- }
-
- displayCanonName(minor, target_name, "Target name");
+ major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL,
+ NULL, NULL);
+ check_gsserr("gss_inquire_cred", major, minor);
+ display_canon_name("Target name", target_name, &mech_krb5);
- mech = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5;
- displayOID(minor, mech, "Target mech");
+ mech = use_spnego ? &mech_spnego : &mech_krb5;
+ display_oid("Target mech", mech);
- major = gss_init_sec_context(minor,
- claimant_cred_handle,
- &initiator_context,
- target_name,
- mech,
+ major = gss_init_sec_context(&minor, claimant_cred_handle,
+ &initiator_context, target_name, mech,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
- GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS,
- GSS_C_NO_BUFFER,
- NULL,
- &token,
- NULL,
+ GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_BUFFER, NULL, &token, NULL,
&time_rec);
+ (void)gss_release_name(&minor, &target_name);
+ check_gsserr("gss_init_sec_context", major, minor);
- if (target_name != GSS_C_NO_NAME)
- (void) gss_release_name(&tmp_minor, &target_name);
-
- if (GSS_ERROR(major)) {
- displayStatus("gss_init_sec_context", major, *minor);
- return major;
- }
-
- mech = GSS_C_NO_OID;
-
- major = gss_accept_sec_context(minor,
- &acceptor_context,
- verifier_cred_handle,
- &token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &source_name,
- &mech,
- &tmp,
- NULL,
- &time_rec,
+ major = gss_accept_sec_context(&minor, &acceptor_context,
+ verifier_cred_handle, &token,
+ GSS_C_NO_CHANNEL_BINDINGS, &source_name,
+ NULL, &tmp, NULL, &time_rec,
deleg_cred_handle);
+ check_gsserr("gss_accept_sec_context", major, minor);
- if (GSS_ERROR(major))
- displayStatus("gss_accept_sec_context", major, *minor);
- else {
- testPrf(minor, initiator_context, acceptor_context, GSS_C_PRF_KEY_FULL);
- testPrf(minor, initiator_context, acceptor_context, GSS_C_PRF_KEY_PARTIAL);
- }
-
- (void) gss_release_name(&tmp_minor, &source_name);
- (void) gss_delete_sec_context(&tmp_minor, &acceptor_context, NULL);
- (void) gss_delete_sec_context(minor, &initiator_context, NULL);
- (void) gss_release_buffer(&tmp_minor, &token);
- (void) gss_release_buffer(&tmp_minor, &tmp);
- (void) gss_release_oid(&tmp_minor, &mech);
+ test_prf(initiator_context, acceptor_context, GSS_C_PRF_KEY_FULL);
+ test_prf(initiator_context, acceptor_context, GSS_C_PRF_KEY_PARTIAL);
- return major;
+ (void)gss_release_name(&minor, &source_name);
+ (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
+ (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
+ (void)gss_release_buffer(&minor, &token);
+ (void)gss_release_buffer(&minor, &tmp);
}
-static OM_uint32
-getDefaultCred(OM_uint32 *minor, const char *keytab_name, gss_OID_set mechs,
- gss_cred_id_t *impersonator_cred_handle)
+static void
+get_default_cred(const char *keytab_name, gss_OID_set mechs,
+ gss_cred_id_t *impersonator_cred_handle)
{
- OM_uint32 major = GSS_S_FAILURE, tmp_minor;
-
- if (keytab_name) {
- krb5_error_code code;
- krb5_context context = NULL;
- krb5_keytab keytab = NULL;
- krb5_principal keytab_principal = NULL;
- krb5_ccache ccache = NULL;
-
- code = krb5_init_context(&context);
- if (code) {
- displayStatus("krb5_init_context", major, code);
- return major;
- }
-
- code = krb5_kt_resolve(context, keytab_name, &keytab);
- if (code) {
- displayStatus("krb5_kt_resolve", major, code);
- goto out;
- }
-
- code = krb5_cc_default(context, &ccache);
- if (code) {
- displayStatus("krb5_cc_default", major, code);
- goto out;
- }
-
- code = krb5_cc_get_principal(context, ccache, &keytab_principal);
- if (code) {
- displayStatus("krb5_cc_get_principal", major, code);
- goto out;
- }
-
- major = gss_krb5_import_cred(minor,
- ccache,
- keytab_principal,
- keytab,
+ OM_uint32 major = GSS_S_FAILURE, minor;
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_principal keytab_principal = NULL;
+ krb5_ccache ccache = NULL;
+
+ if (keytab_name != NULL) {
+ ret = krb5_init_context(&context);
+ check_k5err(context, "krb5_init_context", ret);
+
+ ret = krb5_kt_resolve(context, keytab_name, &keytab);
+ check_k5err(context, "krb5_kt_resolve", ret);
+
+ ret = krb5_cc_default(context, &ccache);
+ check_k5err(context, "krb5_cc_default", ret);
+
+ ret = krb5_cc_get_principal(context, ccache, &keytab_principal);
+ check_k5err(context, "krb5_cc_get_principal", ret);
+
+ major = gss_krb5_import_cred(&minor, ccache, keytab_principal, keytab,
impersonator_cred_handle);
- if (GSS_ERROR(major)) {
- displayStatus("gss_krb5_import_cred", major, *minor);
- goto out;
- }
-
- out:
- if (code)
- *minor = code;
+ check_gsserr("gss_krb5_import_cred", major, minor);
+
krb5_free_principal(context, keytab_principal);
krb5_cc_close(context, ccache);
krb5_kt_close(context, keytab);
krb5_free_context(context);
} else {
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
-
- major = gss_acquire_cred(minor,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- mechs,
- GSS_C_BOTH,
- impersonator_cred_handle,
- &actual_mechs,
- NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred", major, *minor);
- }
- (void) gss_release_oid_set(&tmp_minor, &actual_mechs);
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+ mechs, GSS_C_BOTH, impersonator_cred_handle,
+ NULL, NULL);
+ check_gsserr("gss_acquire_cred", major, minor);
}
-
- return major;
}
int
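Review bot: In `init_accept_sec_context`, `check_gsserr` is the only test applied to the results of `gss_init_sec_context` and `gss_accept_sec_context`, and the copy of that helper removed from t_export_cred.c in this commit fires only on `GSS_ERROR(major)`, so `GSS_S_CONTINUE_NEEDED` passes and the acceptor's output token `tmp` is never fed back to the initiator. If the shared helper behaves the same way, the `test_prf` calls can run against a context that is not fully established, most plausibly when `use_spnego` is set. Either loop the two calls until both return `GSS_S_COMPLETE`, or record the assumption with a comment such as `/* Assumes one token establishes both contexts; CONTINUE_NEEDED is not handled. */`. Separately, `get_default_cred` keeps `major = GSS_S_FAILURE` as a dead initialiser now that the function returns void.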
@@ -362,9 +202,7 @@ main(int argc, char *argv[])
gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
- gss_OID_set_desc mechs;
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
- gss_buffer_desc buf;
+ gss_OID_set mechs, actual_mechs = GSS_C_NO_OID_SET;
uid_t uid;
if (argc < 2 || argc > 5) {
@@ -380,93 +218,45 @@ main(int argc, char *argv[])
argv++;
}
- buf.value = argv[1];
- buf.length = strlen((char *)buf.value);
-
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &user);
+ user = import_name(argv[1]);
major = gss_pname_to_uid(&minor, user, NULL, &uid);
- if (GSS_ERROR(major)) {
- displayStatus("gss_pname_to_uid(user)", major, minor);
- goto out;
- }
+ check_gsserr("gss_pname_to_uid(user)", major, minor);
- if (argc > 2 && strcmp(argv[2], "-")) {
- buf.value = argv[2];
- buf.length = strlen((char *)buf.value);
-
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target);
- if (GSS_ERROR(major)) {
- displayStatus("gss_import_name(target)", major, minor);
- goto out;
- }
- } else {
- target = GSS_C_NO_NAME;
- }
+ if (argc > 2 && strcmp(argv[2], "-") != 0)
+ target = import_name(argv[2]);
- mechs.elements = use_spnego ? (gss_OID)&spnego_mech :
- (gss_OID)gss_mech_krb5;
- mechs.count = 1;
+ mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
- major = getDefaultCred(&minor,
- argc > 3 ? argv[3] : NULL,
- &mechs,
- &impersonator_cred_handle);
- if (GSS_ERROR(major))
- goto out;
+ get_default_cred((argc > 3) ? argv[3] : NULL, mechs,
+ &impersonator_cred_handle);
printf("Protocol transition tests follow\n");
printf("-----------------------------------\n\n");
/* get S4U2Self cred */
- major = gss_acquire_cred_impersonate_name(&minor,
- impersonator_cred_handle,
- user,
- GSS_C_INDEFINITE,
- &mechs,
+ major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle,
+ user, GSS_C_INDEFINITE, mechs,
GSS_C_INITIATE,
- &user_cred_handle,
- &actual_mechs,
+ &user_cred_handle, &actual_mechs,
NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred_impersonate_name", major, minor);
- goto out;
- }
+ check_gsserr("gss_acquire_cred_impersonate_name", major, minor);
/* Try to store it in default ccache */
- major = gss_store_cred(&minor,
- user_cred_handle,
- GSS_C_INITIATE,
- &mechs.elements[0],
- 1,
- 1,
- NULL,
- NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_store_cred", major, minor);
- goto out;
- }
+ major = gss_store_cred(&minor, user_cred_handle, GSS_C_INITIATE,
+ &mechs->elements[0], 1, 1, NULL, NULL);
+ check_gsserr("gss_store_cred", major, minor);
- major = initAcceptSecContext(&minor,
- user_cred_handle,
- impersonator_cred_handle,
- &delegated_cred_handle);
- if (GSS_ERROR(major))
- goto out;
+ init_accept_sec_context(user_cred_handle, impersonator_cred_handle,
+ &delegated_cred_handle);
printf("\n");
-out:
- (void) gss_release_name(&minor, &user);
- (void) gss_release_name(&minor, &target);
- (void) gss_release_cred(&minor, &delegated_cred_handle);
- (void) gss_release_cred(&minor, &impersonator_cred_handle);
- (void) gss_release_cred(&minor, &user_cred_handle);
- (void) gss_release_oid_set(&minor, &actual_mechs);
-
- return GSS_ERROR(major) ? 1 : 0;
+ (void)gss_release_name(&minor, &user);
+ (void)gss_release_name(&minor, &target);
+ (void)gss_release_cred(&minor, &delegated_cred_handle);
+ (void)gss_release_cred(&minor, &impersonator_cred_handle);
+ (void)gss_release_cred(&minor, &user_cred_handle);
+ (void)gss_release_oid_set(&minor, &actual_mechs);
+ return 0;
}
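Review bot: `target` is imported from `argv[2]` and released at the end, but nothing in this hunk passes it to any call, so the second argument only exercises `import_name` and can abort the run on a malformed name without affecting what is tested. Either drop the argument or add a comment such as `/* target is parsed but not used by this program. */` next to the import. main begins outside the hunk, so this should be confirmed against the argument handling above.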
diff --git a/src/tests/gssapi/t_imp_cred.c b/src/tests/gssapi/t_imp_cred.c
index 2818b22fd..8e00daefd 100644
--- a/src/tests/gssapi/t_imp_cred.c
+++ b/src/tests/gssapi/t_imp_cred.c
@@ -39,102 +39,51 @@
#include "k5-platform.h"
#include <krb5.h>
-#include <gssapi/gssapi_krb5.h>
-static void
-display_status(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void
-exit_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- display_status(msg, maj_stat, GSS_C_GSS_CODE);
- display_status(msg, min_stat, GSS_C_MECH_CODE);
- exit(1);
-}
-
-static void
-exit_kerr(krb5_context context, const char *msg, krb5_error_code code)
-{
- const char *errmsg;
-
- errmsg = krb5_get_error_message(context, code);
- printf("%s: %s\n", msg, errmsg);
- krb5_free_error_message(context, errmsg);
- exit(1);
-}
+#include "common.h"
int
main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t initiator_cred, acceptor_cred;
- gss_buffer_desc buf, token, tmp;
+ gss_buffer_desc token, tmp;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
gss_name_t target_name;
- krb5_context context;
+ krb5_context context = NULL;
krb5_ccache cc;
krb5_keytab kt;
krb5_principal princ = NULL;
krb5_error_code ret;
if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s targetprinc [acceptorprinc]\n", argv[0]);
+ fprintf(stderr, "Usage: %s targetname [acceptorprinc]\n", argv[0]);
return 1;
}
- /* Import the target name as a krb5 principal name. */
- buf.value = argv[1];
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target_name);
- if (GSS_ERROR(major)) {
- display_status("gss_import_name", major, minor);
- return 1;
- }
+ /* Import the target name. */
+ target_name = import_name(argv[1]);
/* Acquire the krb5 objects we need. */
ret = krb5_init_context(&context);
- if (ret)
- exit_kerr(NULL, "krb5_init_context", ret);
+ check_k5err(context, "krb5_init_context", ret);
ret = krb5_cc_default(context, &cc);
- if (ret)
- exit_kerr(context, "krb5_cc_default", ret);
+ check_k5err(context, "krb5_cc_default", ret);
ret = krb5_kt_default(context, &kt);
- if (ret)
- exit_kerr(context, "krb5_kt_default", ret);
+ check_k5err(context, "krb5_kt_default", ret);
if (argc >= 3) {
ret = krb5_parse_name(context, argv[2], &princ);
- if (ret)
- exit_kerr(context, "krb5_parse_name", ret);
+ check_k5err(context, "krb5_parse_name", ret);
}
/* Get initiator cred. */
major = gss_krb5_import_cred(&minor, cc, NULL, NULL, &initiator_cred);
- if (GSS_ERROR(major))
- exit_gsserr("gss_krb5_import_cred (initiator)", major, minor);
+ check_gsserr("gss_krb5_import_cred (initiator)", major, minor);
/* Get acceptor cred. */
major = gss_krb5_import_cred(&minor, NULL, princ, kt, &acceptor_cred);
- if (GSS_ERROR(major))
- exit_gsserr("gss_krb5_import_cred (acceptor)", major, minor);
+ check_gsserr("gss_krb5_import_cred (acceptor)", major, minor);
/* Create krb5 initiator context and get the first token. */
token.value = NULL;
@@ -145,8 +94,7 @@ main(int argc, char *argv[])
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
- if (GSS_ERROR(major))
- exit_gsserr("gss_init_sec_context", major, minor);
+ check_gsserr("gss_init_sec_context", major, minor);
/* Pass the token to gss_accept_sec_context. */
tmp.value = NULL;
@@ -154,8 +102,7 @@ main(int argc, char *argv[])
major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred,
&token, GSS_C_NO_CHANNEL_BINDINGS,
NULL, NULL, &tmp, NULL, NULL, NULL);
- if (major != GSS_S_COMPLETE)
- exit_gsserr("gss_accept_sec_context", major, minor);
+ check_gsserr("gss_accept_sec_context", major, minor);
krb5_cc_close(context, cc);
krb5_kt_close(context, kt);
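Review bot: The acceptor check in this hunk is weaker than the one it replaces. The removed line failed on anything other than `GSS_S_COMPLETE`, while `check_gsserr` (defined in common.c, not shown here) appears to test only `GSS_ERROR(major)`, judging by the other replacements in this file. If so, a `GSS_S_CONTINUE_NEEDED` result from `gss_accept_sec_context` would now pass silently, even though this test sends a single token and expects the context to be established. I would keep the strict condition after the call, for example `if (major == GSS_S_CONTINUE_NEEDED) { fprintf(stderr, "gss_accept_sec_context: unexpected continue\n"); return 1; }`. The body of main starts and ends outside this hunk.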
diff --git a/src/tests/gssapi/t_imp_name.c b/src/tests/gssapi/t_imp_name.c
index a51c98046..4fcd61b50 100644
--- a/src/tests/gssapi/t_imp_name.c
+++ b/src/tests/gssapi/t_imp_name.c
@@ -21,130 +21,38 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ */
+
+/*
* Simple test program for testing how GSSAPI import name works. (May
* be made into a more full-fledged test program later.)
- *
*/
-#include <unistd.h>
-#include <stdlib.h>
#include <stdio.h>
-#include <string.h>
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_generic.h>
-
-#define GSSAPI_V2
-void display_status (char *, OM_uint32, OM_uint32);
-static void display_status_1 (char *, OM_uint32, int);
-static void display_buffer (gss_buffer_desc);
-static int test_import_name (char *);
-FILE *display_file;
+#include "common.h"
-int main(argc, argv)
- int argc;
- char **argv;
+int
+main(int argc, char **argv)
{
- int retval;
-
- display_file = stdout;
-
- retval = test_import_name("host@dcl.mit.edu");
-
- return retval;
-}
-
-static int test_import_name(name)
- char *name;
-{
- OM_uint32 maj_stat, min_stat;
+ const char *name = "host@dcl.mit.edu";
+ OM_uint32 major, minor;
gss_name_t gss_name;
- gss_buffer_desc buffer_name;
+ gss_buffer_desc buf;
gss_OID name_oid;
- buffer_name.value = name;
- buffer_name.length = strlen(name) + 1;
- maj_stat = gss_import_name(&min_stat, &buffer_name,
- (gss_OID) gss_nt_service_name,
- &gss_name);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("parsing name", maj_stat, min_stat);
- return -1;
- }
+ gss_name = import_name(name);
- maj_stat = gss_display_name(&min_stat, gss_name, &buffer_name,
- &name_oid);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("displaying context", maj_stat, min_stat);
- return -1;
- }
- printf("name is: ");
- display_buffer(buffer_name);
- printf("\n");
- (void) gss_release_buffer(&min_stat, &buffer_name);
+ major = gss_display_name(&minor, gss_name, &buf, &name_oid);
+ check_gsserr("gss_display_name", major, minor);
+ printf("name is: %.*s\n", (int)buf.length, (char *)buf.value);
+ (void)gss_release_buffer(&minor, &buf);
- gss_oid_to_str(&min_stat, name_oid, &buffer_name);
- printf("name type is: ");
- display_buffer(buffer_name);
- printf("\n");
- (void) gss_release_buffer(&min_stat, &buffer_name);
-#ifdef GSSAPI_V2
- (void) gss_release_oid(&min_stat, &name_oid);
-#endif
- (void) gss_release_name(&min_stat, &gss_name);
- return 0;
-}
-
-static void display_buffer(buffer)
- gss_buffer_desc buffer;
-{
- char *namebuf;
-
- namebuf = malloc(buffer.length+1);
- if (!namebuf) {
- fprintf(stderr, "display_buffer: couldn't allocate buffer!\n");
- exit(1);
- }
- strncpy(namebuf, buffer.value, buffer.length);
- namebuf[buffer.length] = '\0';
- printf("%s", namebuf);
- free(namebuf);
-}
-
-void display_status(msg, maj_stat, min_stat)
- char *msg;
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
-{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
-static void display_status_1(m, code, type)
- char *m;
- OM_uint32 code;
- int type;
-{
- OM_uint32 min_stat;
- gss_buffer_desc msg;
-#ifdef GSSAPI_V2
- OM_uint32 msg_ctx;
-#else /* GSSAPI_V2 */
- int msg_ctx;
-#endif /* GSSAPI_V2 */
-
- msg_ctx = 0;
- while (1) {
- (void) gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- if (display_file)
- fprintf(display_file, "GSS-API error %s: %s\n", m,
- (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
+ major = gss_oid_to_str(&minor, name_oid, &buf);
+ check_gsserr("gss_oid_to_str", major, minor);
+ printf("name type is: %.*s\n", (int)buf.length, (char *)buf.value);
+ (void)gss_release_buffer(&minor, &buf);
+ (void)gss_release_name(&minor, &gss_name);
- if (!msg_ctx)
- break;
- }
+ return 0;
}
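Review bot: The literal `"host@dcl.mit.edu"` passed to `import_name` in the new main has no type prefix, although the commit description says names now use the `p:`/`h:`/`u:` format. `import_name` lives in common.c and is not visible here, so this is inferred, but if it rejects unprefixed names the program will exit before reaching `gss_display_name`. The removed code imported the string as `gss_nt_service_name`, so `const char *name = "h:host@dcl.mit.edu";` would keep the same name type. A short comment above the literal naming the expected prefix would also help the next reader.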
diff --git a/src/tests/gssapi/t_inq_cred.c b/src/tests/gssapi/t_inq_cred.c
index ed93a6eaf..8dd331d67 100644
--- a/src/tests/gssapi/t_inq_cred.c
+++ b/src/tests/gssapi/t_inq_cred.c
@@ -29,7 +29,7 @@
* script. Acquires credentials, inquires them, and prints the resulting name
* and lifetime.
*
- * Usage: ./t_inq_cred [-k|-s] [-a|-b|-i] [initiatorprinc|gss:service@host]
+ * Usage: ./t_inq_cred [-k|-s] [-a|-b|-i] [initiatorname]
*
* By default no mechanism is specified when acquiring credentials; -k
* indicates the krb5 mech and -s indicates SPNEGO. By default or with -i,
@@ -43,44 +43,13 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
-
-static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
-
-static void
-display_status_1(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
+#include "common.h"
static void
-gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
- exit(1);
-}
-
-static void
-usage(const char *progname)
+usage(void)
{
fprintf(stderr,
- "Usage: %s [-k|-s] [-a|-b|-i] [princ|gss:service@host]\n",
- progname);
+ "Usage: t_inq_cred [-k|-s] [-a|-b|-i] [princ|gss:service@host]\n");
exit(1);
}
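Review bot: The usage string in `usage()` still advertises `[princ|gss:service@host]`, but a later hunk in this file removes the `gss:` branch and sends every name through `import_name`. The header comment in the first hunk was already updated to `[initiatorname]`. The message should match it: `"Usage: t_inq_cred [-k|-s] [-a|-b|-i] [initiatorname]\n"`. Otherwise someone following the printed usage will pass a `gss:` name that the program no longer treats specially.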
@@ -89,13 +58,11 @@ main(int argc, char *argv[])
{
OM_uint32 minor, major, lifetime;
gss_cred_usage_t cred_usage = GSS_C_INITIATE;
- gss_OID mech = GSS_C_NO_OID;
- gss_OID_set_desc mechs;
- gss_OID_set mechset = GSS_C_NO_OID_SET;
+ gss_OID_set mechs = GSS_C_NO_OID_SET;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_name_t name = GSS_C_NO_NAME;
gss_buffer_desc buf;
- const char *name_arg = NULL, *progname = argv[0];
+ const char *name_arg = NULL;
char opt;
while (argc > 1 && argv[1][0] == '-') {
@@ -108,60 +75,36 @@ main(int argc, char *argv[])
else if (opt == 'i')
cred_usage = GSS_C_INITIATE;
else if (opt == 'k')
- mech = (gss_OID)gss_mech_krb5;
+ mechs = &mechset_krb5;
else if (opt == 's')
- mech = &spnego_mech;
+ mechs = &mechset_spnego;
else
- usage(progname);
+ usage();
}
if (argc > 2)
- usage(progname);
+ usage();
if (argc > 1)
name_arg = argv[1];
/* Import the name, if given. */
- if (name_arg != NULL && strncmp(name_arg, "gss:", 4) == 0) {
- /* Import as host-based service. */
- buf.value = (char *)name_arg + 4;
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf, GSS_C_NT_HOSTBASED_SERVICE,
- &name);
- if (GSS_ERROR(major))
- gsserr("gss_import_name", major, minor);
- } else if (name_arg != NULL) {
- /* Import as krb5 principal name. */
- buf.value = (char *)name_arg;
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &name);
- if (GSS_ERROR(major))
- gsserr("gss_import_name", major, minor);
- }
-
- if (mech != GSS_C_NO_OID) {
- mechs.elements = mech;
- mechs.count = 1;
- mechset = &mechs;
- }
+ if (name_arg != NULL)
+ name = import_name(name_arg);
/* Acquire a credential. */
- major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechset,
- cred_usage, &cred, NULL, NULL);
- if (GSS_ERROR(major))
- gsserr("gss_acquire_cred", major, minor);
+ major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechs, cred_usage,
+ &cred, NULL, NULL);
+ check_gsserr("gss_acquire_cred", major, minor);
/* Inquire about the credential. */
(void)gss_release_name(&minor, &name);
major = gss_inquire_cred(&minor, cred, &name, &lifetime, NULL, NULL);
- if (GSS_ERROR(major))
- gsserr("gss_inquire_cred", major, minor);
+ check_gsserr("gss_inquire_cred", major, minor);
/* Get a display form of the name. */
buf.value = NULL;
buf.length = 0;
major = gss_display_name(&minor, name, &buf, NULL);
- if (GSS_ERROR(major))
- gsserr("gss_display_name", major, minor);
+ check_gsserr("gss_display_name", major, minor);
printf("name: %.*s\n", (int)buf.length, (char *)buf.value);
printf("lifetime: %d\n", (int)lifetime);
diff --git a/src/tests/gssapi/t_namingexts.c b/src/tests/gssapi/t_namingexts.c
index 86d276e22..7d06f337f 100644
--- a/src/tests/gssapi/t_namingexts.c
+++ b/src/tests/gssapi/t_namingexts.c
@@ -27,280 +27,90 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
-#include <gssapi/gssapi_generic.h>
-
-static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
+#include "common.h"
static int use_spnego = 0;
-static void displayStatus_1(m, code, type)
- char *m;
- OM_uint32 code;
- int type;
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void displayStatus(msg, maj_stat, min_stat)
- char *msg;
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
-{
- displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE);
- displayStatus_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
-static OM_uint32
-displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag)
-{
- gss_name_t canon;
- OM_uint32 major, tmp;
- gss_buffer_desc buf;
-
- major = gss_canonicalize_name(minor, name, (gss_OID)gss_mech_krb5, &canon);
- if (GSS_ERROR(major)) {
- displayStatus("gss_canonicalize_name", major, *minor);
- return major;
- }
-
- major = gss_display_name(minor, canon, &buf, NULL);
- if (GSS_ERROR(major)) {
- gss_release_name(&tmp, &canon);
- displayStatus("gss_display_name", major, *minor);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
-
- gss_release_name(&tmp, &canon);
- gss_release_buffer(&tmp, &buf);
-
- return GSS_S_COMPLETE;
-}
-
static void
-dumpAttribute(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t attribute,
- int noisy)
-{
- OM_uint32 major, tmp;
- gss_buffer_desc value;
- gss_buffer_desc display_value;
- int authenticated = 0;
- int complete = 0;
- int more = -1;
- unsigned int i;
-
- while (more != 0) {
- value.value = NULL;
- display_value.value = NULL;
-
- major = gss_get_name_attribute(minor,
- name,
- attribute,
- &authenticated,
- &complete,
- &value,
- &display_value,
- &more);
- if (GSS_ERROR(major)) {
- displayStatus("gss_get_name_attribute", major, *minor);
- break;
- }
-
- printf("Attribute %.*s %s %s\n\n%.*s\n",
- (int)attribute->length, (char *)attribute->value,
- authenticated ? "Authenticated" : "",
- complete ? "Complete" : "",
- (int)display_value.length, (char *)display_value.value);
-
- if (noisy) {
- for (i = 0; i < value.length; i++) {
- if ((i % 32) == 0)
- printf("\n");
- printf("%02x", ((char *)value.value)[i] & 0xFF);
- }
- printf("\n\n");
- }
-
- gss_release_buffer(&tmp, &value);
- gss_release_buffer(&tmp, &display_value);
- }
-}
-
-static OM_uint32
-enumerateAttributes(OM_uint32 *minor,
- gss_name_t name,
- int noisy)
-{
- OM_uint32 major, tmp;
- int name_is_MN;
- gss_OID mech = GSS_C_NO_OID;
- gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
- unsigned int i;
-
- major = gss_inquire_name(minor,
- name,
- &name_is_MN,
- &mech,
- &attrs);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_name", major, *minor);
- return major;
- }
-
- if (attrs != GSS_C_NO_BUFFER_SET) {
- for (i = 0; i < attrs->count; i++)
- dumpAttribute(minor, name, &attrs->elements[i], noisy);
- }
-
- gss_release_oid(&tmp, &mech);
- gss_release_buffer_set(&tmp, &attrs);
-
- return major;
-}
-
-static OM_uint32
-testExportImportName(OM_uint32 *minor,
- gss_name_t name)
+test_export_import_name(gss_name_t name)
{
- OM_uint32 major, tmp;
- gss_buffer_desc exported_name;
+ OM_uint32 major, minor;
+ gss_buffer_desc exported_name = GSS_C_EMPTY_BUFFER;
gss_name_t imported_name = GSS_C_NO_NAME;
unsigned int i;
- exported_name.value = NULL;
-
- major = gss_export_name_composite(minor,
- name,
- &exported_name);
- if (GSS_ERROR(major)) {
- displayStatus("gss_export_name_composite", major, *minor);
- return major;
- }
+ major = gss_export_name_composite(&minor, name, &exported_name);
+ check_gsserr("gss_export_name_composite", major, minor);
printf("Exported name:\n");
-
for (i = 0; i < exported_name.length; i++) {
if ((i % 32) == 0)
printf("\n");
printf("%02x", ((char *)exported_name.value)[i] & 0xFF);
}
-
printf("\n");
- major = gss_import_name(minor, &exported_name, gss_nt_exported_name,
+ major = gss_import_name(&minor, &exported_name, GSS_C_NT_EXPORT_NAME,
&imported_name);
- if (GSS_ERROR(major)) {
- displayStatus("gss_import_name", major, *minor);
- gss_release_buffer(&tmp, &exported_name);
- return major;
- }
-
- gss_release_buffer(&tmp, &exported_name);
+ check_gsserr("gss_import_name", major, minor);
+ (void)gss_release_buffer(&minor, &exported_name);
printf("\n");
- displayCanonName(minor, imported_name, "Re-imported name");
+ display_canon_name("Re-imported name", imported_name, &mech_krb5);
printf("Re-imported attributes:\n\n");
- major = enumerateAttributes(minor, imported_name, 0);
+ enumerate_attributes(imported_name, 0);
- gss_release_name(&tmp, &imported_name);
-
- return major;
+ (void)gss_release_name(&minor, &imported_name);
}
-static OM_uint32
-testGreetAuthzData(OM_uint32 *minor,
- gss_name_t name)
+static void
+test_greet_authz_data(gss_name_t name)
{
- OM_uint32 major;
+ OM_uint32 major, minor;
gss_buffer_desc attr;
gss_buffer_desc value;
attr.value = "urn:greet:greeting";
attr.length = strlen((char *)attr.value);
- major = gss_delete_name_attribute(minor,
- name,
- &attr);
+ major = gss_delete_name_attribute(&minor, name, &attr);
if (major == GSS_S_UNAVAILABLE) {
fprintf(stderr, "Warning: greet_client plugin not installed\n");
- return GSS_S_COMPLETE;
- } else if (GSS_ERROR(major)) {
- displayStatus("gss_delete_name_attribute", major, *minor);
- return major;
+ exit(1);
}
+ check_gsserr("gss_delete_name_attribute", major, minor);
value.value = "Hello, acceptor world!";
value.length = strlen((char *)value.value);
-
- major = gss_set_name_attribute(minor,
- name,
- 1,
- &attr,
- &value);
+ major = gss_set_name_attribute(&minor, name, 1, &attr, &value);
if (major == GSS_S_UNAVAILABLE)
- return GSS_S_COMPLETE;
- else if (GSS_ERROR(major))
- displayStatus("gss_set_name_attribute", major, *minor);
-
- return major;
+ return;
+ check_gsserr("gss_set_name_attribute", major, minor);
}
-static OM_uint32
-testMapNameToAny(OM_uint32 *minor,
- gss_name_t name)
+static void
+test_map_name_to_any(gss_name_t name)
{
- OM_uint32 major;
- OM_uint32 tmp_minor;
+ OM_uint32 major, minor;
gss_buffer_desc type_id;
krb5_pac pac;
- krb5_context context;
- krb5_error_code code;
- size_t len;
+ krb5_context context = NULL;
+ krb5_error_code ret;
+ size_t len, i;
krb5_ui_4 *types;
type_id.value = "mspac";
type_id.length = strlen((char *)type_id.value);
- major = gss_map_name_to_any(minor,
- name,
- 1, /* authenticated */
- &type_id,
- (gss_any_t *)&pac);
+ major = gss_map_name_to_any(&minor, name, 1, &type_id, (gss_any_t *)&pac);
if (major == GSS_S_UNAVAILABLE)
- return GSS_S_COMPLETE;
- else if (GSS_ERROR(major))
- displayStatus("gss_map_name_to_any", major, *minor);
-
- code = krb5_init_context(&context);
- if (code != 0) {
- gss_release_any_name_mapping(&tmp_minor, name,
- &type_id, (gss_any_t *)&pac);
- *minor = code;
- return GSS_S_FAILURE;
- }
+ return;
+ check_gsserr("gss_map_name_to_any", major, minor);
- code = krb5_pac_get_types(context, pac, &len, &types);
- if (code == 0) {
- size_t i;
+ ret = krb5_init_context(&context);
+ check_k5err(context, "krb5_init_context", ret);
+ if (krb5_pac_get_types(context, pac, &len, &types) == 0) {
printf("PAC buffer types:");
for (i = 0; i < len; i++)
printf(" %d", types[i]);
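Review bot: In `test_greet_authz_data`, a `GSS_S_UNAVAILABLE` result from `gss_delete_name_attribute` now prints "Warning: greet_client plugin not installed" and then calls `exit(1)`. The removed code returned `GSS_S_COMPLETE` in that case, and the `gss_set_name_attribute` branch a few lines below still returns quietly on the same status. If a missing plugin is meant to be tolerated, the line should be `return;` instead of `exit(1);`. If it is meant to fail the test, the message should say so rather than "Warning". `test_map_name_to_any` at the end of this hunk continues outside it.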
@@ -308,101 +118,62 @@ testMapNameToAny(OM_uint32 *minor,
free(types);
}
- gss_release_any_name_mapping(&tmp_minor, name,
- &type_id, (gss_any_t *)&pac);
-
- return GSS_S_COMPLETE;
+ (void)gss_release_any_name_mapping(&minor, name, &type_id,
+ (gss_any_t *)&pac);
}
-static OM_uint32
-initAcceptSecContext(OM_uint32 *minor,
- gss_cred_id_t verifier_cred_handle)
+static void
+init_accept_sec_context(gss_cred_id_t verifier_cred_handle)
{
- OM_uint32 major;
- gss_buffer_desc token, tmp;
+ OM_uint32 major, minor;
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER;
+ gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
- gss_name_t source_name = GSS_C_NO_NAME;
- gss_name_t target_name = GSS_C_NO_NAME;
+ gss_OID mech = use_spnego ? &mech_spnego : &mech_krb5;
OM_uint32 time_rec;
- token.value = NULL;
- token.length = 0;
-
- tmp.value = NULL;
- tmp.length = 0;
-
- major = gss_inquire_cred(minor, verifier_cred_handle,
- &target_name, NULL, NULL, NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_cred", major, *minor);
- return major;
- }
+ major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL,
+ NULL, NULL);
+ check_gsserr("gss_inquire_cred", major, minor);
- displayCanonName(minor, target_name, "Target name");
+ display_canon_name("Target name", target_name, &mech_krb5);
- major = gss_init_sec_context(minor,
- verifier_cred_handle,
- &initiator_context,
- target_name,
- use_spnego ?
- (gss_OID)&spnego_mech :
- (gss_OID)gss_mech_krb5,
+ major = gss_init_sec_context(&minor, verifier_cred_handle,
+ &initiator_context, target_name, mech,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
- GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS,
- GSS_C_NO_BUFFER,
- NULL,
- &token,
- NULL,
+ GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_BUFFER, NULL, &token, NULL,
&time_rec);
-
- if (target_name != GSS_C_NO_NAME)
- (void) gss_release_name(minor, &target_name);
-
- if (GSS_ERROR(major)) {
- displayStatus("gss_init_sec_context", major, *minor);
- return major;
- }
-
- (void) gss_delete_sec_context(minor, &initiator_context, NULL);
-
- major = gss_accept_sec_context(minor,
- &acceptor_context,
- verifier_cred_handle,
- &token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &source_name,
- NULL,
- &tmp,
- NULL,
- &time_rec,
- NULL);
-
- if (GSS_ERROR(major))
- displayStatus("gss_accept_sec_context", major, *minor);
- else {
- displayCanonName(minor, source_name, "Source name");
- enumerateAttributes(minor, source_name, 1);
- testExportImportName(minor, source_name);
- testMapNameToAny(minor, source_name);
- }
-
- (void) gss_release_name(minor, &source_name);
- (void) gss_delete_sec_context(minor, &acceptor_context, NULL);
- (void) gss_release_buffer(minor, &token);
- (void) gss_release_buffer(minor, &tmp);
-
- return major;
+ check_gsserr("gss_init_sec_context", major, minor);
+
+ (void)gss_release_name(&minor, &target_name);
+ (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
+
+ major = gss_accept_sec_context(&minor, &acceptor_context,
+ verifier_cred_handle, &token,
+ GSS_C_NO_CHANNEL_BINDINGS, &source_name,
+ NULL, &tmp, NULL, &time_rec, NULL);
+ check_gsserr("gss_accept_sec_context", major, minor);
+
+ display_canon_name("Source name", source_name, &mech_krb5);
+ enumerate_attributes(source_name, 1);
+ test_export_import_name(source_name);
+ test_map_name_to_any(source_name);
+
+ (void)gss_release_name(&minor, &source_name);
+ (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
+ (void)gss_release_buffer(&minor, &token);
+ (void)gss_release_buffer(&minor, &tmp);
}
-int main(int argc, char *argv[])
+int
+main(int argc, char *argv[])
{
- OM_uint32 minor, major, tmp;
+ OM_uint32 minor, major;
gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
- gss_OID_set_desc mechs;
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
- gss_name_t name = GSS_C_NO_NAME;
+ gss_OID_set mechs, actual_mechs = GSS_C_NO_OID_SET;
+ gss_name_t tmp_name, name;
if (argc > 1 && strcmp(argv[1], "--spnego") == 0) {
use_spnego++;
@@ -410,77 +181,38 @@ int main(int argc, char *argv[])
argv++;
}
- if (argc > 1) {
- gss_buffer_desc name_buf;
- gss_name_t tmp_name;
-
- name_buf.value = argv[1];
- name_buf.length = strlen(argv[1]);
-
- major = gss_import_name(&minor, &name_buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &tmp_name);
- if (GSS_ERROR(major)) {
- displayStatus("gss_import_name", major, minor);
- goto out;
- }
-
- major = gss_canonicalize_name(&minor, tmp_name,
- (gss_OID)gss_mech_krb5, &name);
- if (GSS_ERROR(major)) {
- gss_release_name(&tmp, &tmp_name);
- displayStatus("gss_canonicalze_name", major, minor);
- goto out;
- }
-
- gss_release_name(&tmp, &tmp_name);
-
- major = testGreetAuthzData(&minor, name);
- if (GSS_ERROR(major))
- goto out;
- } else {
- fprintf(stderr, "Usage: %s [--spnego] [principal] [keytab]\n", argv[0]);
+ if (argc < 2) {
+ fprintf(stderr, "Usage: %s [--spnego] principal [keytab]\n", argv[0]);
exit(1);
}
- if (argc > 2) {
+ tmp_name = import_name(argv[1]);
+ major = gss_canonicalize_name(&minor, tmp_name, &mech_krb5, &name);
+ check_gsserr("gss_canonicalze_name", major, minor);
+ (void)gss_release_name(&minor, &tmp_name);
+
+ test_greet_authz_data(name);
+
+ if (argc >= 3) {
major = krb5_gss_register_acceptor_identity(argv[2]);
- if (GSS_ERROR(major)) {
- displayStatus("krb5_gss_register_acceptor_identity", major, minor);
- goto out;
- }
+ check_gsserr("krb5_gss_register_acceptor_identity", major, minor);
}
-
- mechs.elements = use_spnego ? (gss_OID)&spnego_mech :
- (gss_OID)gss_mech_krb5;
- mechs.count = 1;
+ mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
/* get default cred */
- major = gss_acquire_cred(&minor,
- name,
- GSS_C_INDEFINITE,
- &mechs,
- GSS_C_BOTH,
- &cred_handle,
- &actual_mechs,
- NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred", major, minor);
- goto out;
- }
+ major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechs, GSS_C_BOTH,
+ &cred_handle, &actual_mechs, NULL);
+ check_gsserr("gss_acquire_cred", major, minor);
- (void) gss_release_oid_set(&minor, &actual_mechs);
+ (void)gss_release_oid_set(&minor, &actual_mechs);
- major = initAcceptSecContext(&minor, cred_handle);
- if (GSS_ERROR(major))
- goto out;
+ init_accept_sec_context(cred_handle);
printf("\n");
-out:
- (void) gss_release_cred(&tmp, &cred_handle);
- (void) gss_release_oid_set(&tmp, &actual_mechs);
- (void) gss_release_name(&tmp, &name);
-
- return GSS_ERROR(major) ? 1 : 0;
+ (void)gss_release_cred(&minor, &cred_handle);
+ (void)gss_release_oid_set(&minor, &actual_mechs);
+ (void)gss_release_name(&minor, &name);
+ return 0;
}
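Review bot: The label passed to `check_gsserr` after `gss_canonicalize_name` in main is misspelled as `"gss_canonicalze_name"`, carried over from the removed code. It should read `"gss_canonicalize_name"` so that a failure message can be grepped back to the call. Separately, `krb5_gss_register_acceptor_identity(argv[2])` takes no minor-status pointer, so the `minor` handed to `check_gsserr` on the next line is whatever the preceding `gss_release_name` left behind. A comment such as `/* minor is not set by this call */` would stop a reader from trusting the mechanism code printed on failure. The start of main lies outside this hunk.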
diff --git a/src/tests/gssapi/t_s4u.c b/src/tests/gssapi/t_s4u.c
index ef9016640..62b97352b 100644
--- a/src/tests/gssapi/t_s4u.c
+++ b/src/tests/gssapi/t_s4u.c
@@ -23,12 +23,6 @@
* or implied warranty.
*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <gssapi/gssapi_krb5.h>
-
/*
* Test program for protocol transition (S4U2Self) and constrained delegation
* (S4U2Proxy)
@@ -53,192 +47,27 @@
* Usage eg:
*
* kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
- * ./t_s4u delegtest@WIN.MIT.EDU HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
+ * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
*/
-static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
-
-static int use_spnego = 0;
-
-static void displayStatus_1(m, code, type)
- char *m;
- OM_uint32 code;
- int type;
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- printf("%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void displayStatus(msg, maj_stat, min_stat)
- char *msg;
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
-{
- displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE);
- displayStatus_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
-static OM_uint32
-displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag)
-{
- gss_name_t canon;
- OM_uint32 major, tmp_minor;
- gss_buffer_desc buf;
-
- major = gss_canonicalize_name(minor, name,
- (gss_OID)gss_mech_krb5, &canon);
- if (GSS_ERROR(major)) {
- displayStatus("gss_canonicalize_name", major, *minor);
- return major;
- }
-
- major = gss_display_name(minor, canon, &buf, NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_display_name", major, *minor);
- gss_release_name(&tmp_minor, &canon);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
-
- gss_release_buffer(&tmp_minor, &buf);
- gss_release_name(&tmp_minor, &canon);
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-displayOID(OM_uint32 *minor, gss_OID oid, char *tag)
-{
- OM_uint32 major, tmp_minor;
- gss_buffer_desc buf;
-
- major = gss_oid_to_str(minor, oid, &buf);
- if (GSS_ERROR(major)) {
- displayStatus("gss_oid_to_str", major, *minor);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
- gss_release_buffer(&tmp_minor, &buf);
+#include "common.h"
- return GSS_S_COMPLETE;
-}
+static int use_spnego = 0;
static void
-dumpAttribute(OM_uint32 *minor,
- gss_name_t name,
- gss_buffer_t attribute,
- int noisy)
+test_greet_authz_data(gss_name_t *name)
{
- OM_uint32 major, tmp_minor;
- gss_buffer_desc value;
- gss_buffer_desc display_value;
- int authenticated = 0;
- int complete = 0;
- int more = -1;
- unsigned int i;
-
- while (more != 0) {
- value.value = NULL;
- display_value.value = NULL;
-
- major = gss_get_name_attribute(minor,
- name,
- attribute,
- &authenticated,
- &complete,
- &value,
- &display_value,
- &more);
- if (GSS_ERROR(major)) {
- displayStatus("gss_get_name_attribute", major, *minor);
- break;
- }
-
- printf("Attribute %.*s %s %s\n\n%.*s\n",
- (int)attribute->length, (char *)attribute->value,
- authenticated ? "Authenticated" : "",
- complete ? "Complete" : "",
- (int)display_value.length, (char *)display_value.value);
-
- if (noisy) {
- for (i = 0; i < value.length; i++) {
- if ((i % 32) == 0)
- printf("\n");
- printf("%02x", ((char *)value.value)[i] & 0xFF);
- }
- printf("\n\n");
- }
-
- gss_release_buffer(&tmp_minor, &value);
- gss_release_buffer(&tmp_minor, &display_value);
- }
-}
-
-static OM_uint32
-enumerateAttributes(OM_uint32 *minor,
- gss_name_t name,
- int noisy)
-{
- OM_uint32 major, tmp_minor;
- int name_is_MN;
- gss_OID mech = GSS_C_NO_OID;
- gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
- unsigned int i;
-
- major = gss_inquire_name(minor,
- name,
- &name_is_MN,
- &mech,
- &attrs);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_name", major, *minor);
- return major;
- }
-
- if (attrs != GSS_C_NO_BUFFER_SET) {
- for (i = 0; i < attrs->count; i++)
- dumpAttribute(minor, name, &attrs->elements[i], noisy);
- }
-
- gss_release_oid(&tmp_minor, &mech);
- gss_release_buffer_set(&tmp_minor, &attrs);
-
- return major;
-}
-
-static OM_uint32
-testGreetAuthzData(OM_uint32 *minor,
- gss_name_t *name)
-{
- OM_uint32 major, tmp_minor;
+ OM_uint32 major, minor;
gss_buffer_desc attr;
gss_buffer_desc value;
gss_name_t canon;
- major = gss_canonicalize_name(minor,
- *name,
- (gss_OID)gss_mech_krb5,
- &canon);
- if (GSS_ERROR(major)) {
- displayStatus("gss_canonicalize_name", major, *minor);
- return major;
- }
+ major = gss_canonicalize_name(&minor, *name, &mech_krb5, &canon);
+ check_gsserr("gss_canonicalize_name", major, minor);
attr.value = "greet:greeting";
attr.length = strlen((char *)attr.value);
@@ -246,124 +75,75 @@ testGreetAuthzData(OM_uint32 *minor,
value.value = "Hello, acceptor world!";
value.length = strlen((char *)value.value);
- major = gss_set_name_attribute(minor,
- canon,
- 1,
- &attr,
- &value);
- if (major == GSS_S_UNAVAILABLE)
- major = GSS_S_COMPLETE;
- else if (GSS_ERROR(major))
- displayStatus("gss_set_name_attribute", major, *minor);
- else {
- gss_release_name(&tmp_minor, name);
- *name = canon;
- canon = GSS_C_NO_NAME;
+ major = gss_set_name_attribute(&minor, canon, 1, &attr, &value);
+ if (major == GSS_S_UNAVAILABLE) {
+ (void)gss_release_name(&minor, &canon);
+ return;
}
-
- if (canon != GSS_C_NO_NAME)
- gss_release_name(&tmp_minor, &canon);
-
- return GSS_S_COMPLETE;
+ check_gsserr("gss_set_name_attribute", major, minor);
+ gss_release_name(&minor, name);
+ *name = canon;
}
-static OM_uint32
-initAcceptSecContext(OM_uint32 *minor,
- gss_cred_id_t claimant_cred_handle,
- gss_cred_id_t verifier_cred_handle,
- gss_cred_id_t *deleg_cred_handle)
+static void
+init_accept_sec_context(gss_cred_id_t claimant_cred_handle,
+ gss_cred_id_t verifier_cred_handle,
+ gss_cred_id_t *deleg_cred_handle)
{
- OM_uint32 major, tmp_minor;
- gss_buffer_desc token, tmp;
+ OM_uint32 major, minor;
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER;
+ gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
- gss_name_t source_name = GSS_C_NO_NAME;
- gss_name_t target_name = GSS_C_NO_NAME;
OM_uint32 time_rec;
gss_OID mech = GSS_C_NO_OID;
- token.value = NULL;
- token.length = 0;
-
- tmp.value = NULL;
- tmp.length = 0;
-
*deleg_cred_handle = GSS_C_NO_CREDENTIAL;
- major = gss_inquire_cred(minor, verifier_cred_handle,
- &target_name, NULL, NULL, NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_cred", major, *minor);
- return major;
- }
+ major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL,
+ NULL, NULL);
+ check_gsserr("gss_inquire_cred", major, minor);
- displayCanonName(minor, target_name, "Target name");
+ display_canon_name("Target name", target_name, &mech_krb5);
- mech = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5;
- displayOID(minor, mech, "Target mech");
+ mech = use_spnego ? &mech_spnego : &mech_krb5;
+ display_oid("Target mech", mech);
- major = gss_init_sec_context(minor,
- claimant_cred_handle,
- &initiator_context,
- target_name,
- mech,
+ major = gss_init_sec_context(&minor, claimant_cred_handle,
+ &initiator_context, target_name, mech,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
- GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS,
- GSS_C_NO_BUFFER,
- NULL,
- &token,
- NULL,
+ GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_BUFFER, NULL, &token, NULL,
&time_rec);
+ check_gsserr("gss_init_sec_context", major, minor);
- if (target_name != GSS_C_NO_NAME)
- (void) gss_release_name(&tmp_minor, &target_name);
-
- if (GSS_ERROR(major)) {
- displayStatus("gss_init_sec_context", major, *minor);
- return major;
- }
+ (void)gss_release_name(&minor, &target_name);
+ (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void) gss_delete_sec_context(minor, &initiator_context, NULL);
mech = GSS_C_NO_OID;
-
- major = gss_accept_sec_context(minor,
- &acceptor_context,
- verifier_cred_handle,
- &token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &source_name,
- &mech,
- &tmp,
- NULL,
- &time_rec,
+ major = gss_accept_sec_context(&minor, &acceptor_context,
+ verifier_cred_handle, &token,
+ GSS_C_NO_CHANNEL_BINDINGS, &source_name,
+ &mech, &tmp, NULL, &time_rec,
deleg_cred_handle);
+ check_gsserr("gss_accept_sec_context", major, minor);
- if (GSS_ERROR(major))
- displayStatus("gss_accept_sec_context", major, *minor);
- else {
- displayCanonName(minor, source_name, "Source name");
- displayOID(minor, mech, "Source mech");
- enumerateAttributes(minor, source_name, 1);
- }
+ display_canon_name("Source name", source_name, &mech_krb5);
+ display_oid("Source mech", mech);
+ enumerate_attributes(source_name, 1);
- (void) gss_release_name(&tmp_minor, &source_name);
- (void) gss_delete_sec_context(&tmp_minor, &acceptor_context, NULL);
- (void) gss_release_buffer(&tmp_minor, &token);
- (void) gss_release_buffer(&tmp_minor, &tmp);
- (void) gss_release_oid(&tmp_minor, &mech);
-
- return major;
+ (void)gss_release_name(&minor, &source_name);
+ (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
+ (void)gss_release_buffer(&minor, &token);
+ (void)gss_release_buffer(&minor, &tmp);
}
-static OM_uint32
-constrainedDelegate(OM_uint32 *minor,
- gss_OID_set desired_mechs,
- gss_name_t target,
- gss_cred_id_t delegated_cred_handle,
- gss_cred_id_t verifier_cred_handle)
+static void
+constrained_delegate(gss_OID_set desired_mechs, gss_name_t target,
+ gss_cred_id_t delegated_cred_handle,
+ gss_cred_id_t verifier_cred_handle)
{
- OM_uint32 major, tmp_minor;
+ OM_uint32 major, minor;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_name_t cred_name = GSS_C_NO_NAME;
OM_uint32 time_rec, lifetime;
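Review bot: `init_accept_sec_context` deletes the initiator context right after the first `gss_init_sec_context` call and never feeds the acceptor's `tmp` token back, so it depends on the acceptor completing on a single token, and nothing in the function says so. `check_gsserr` is defined outside this hunk; if it only rejects `GSS_ERROR(major)`, a `GSS_S_CONTINUE_NEEDED` from `gss_accept_sec_context` would go on to print `source_name` and its attributes from a context that is not yet established. I would state the assumption above the accept call, e.g. `/* Assumes the acceptor completes after one token; GSS_S_CONTINUE_NEEDED is not handled. */`. As a smaller style point, `gss_release_name(&minor, name);` at the end of `test_greet_authz_data` lacks the `(void)` cast that the other release calls in this commit carry.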
@@ -374,55 +154,44 @@ constrainedDelegate(OM_uint32 *minor,
printf("Constrained delegation tests follow\n");
printf("-----------------------------------\n\n");
- if (gss_inquire_cred(minor, verifier_cred_handle, &cred_name,
+ if (gss_inquire_cred(&minor, verifier_cred_handle, &cred_name,
&lifetime, &usage, NULL) == GSS_S_COMPLETE) {
- displayCanonName(minor, cred_name, "Proxy name");
- gss_release_name(&tmp_minor, &cred_name);
+ display_canon_name("Proxy name", cred_name, &mech_krb5);
+ (void)gss_release_name(&minor, &cred_name);
}
- displayCanonName(minor, target, "Target name");
- if (gss_inquire_cred(minor, delegated_cred_handle, &cred_name,
+ display_canon_name("Target name", target, &mech_krb5);
+ if (gss_inquire_cred(&minor, delegated_cred_handle, &cred_name,
&lifetime, &usage, &mechs) == GSS_S_COMPLETE) {
- displayCanonName(minor, cred_name, "Delegated name");
- displayOID(minor, &mechs->elements[0], "Delegated mech");
- gss_release_name(&tmp_minor, &cred_name);
+ display_canon_name("Delegated name", cred_name, &mech_krb5);
+ display_oid("Delegated mech", &mechs->elements[0]);
+ (void)gss_release_name(&minor, &cred_name);
}
printf("\n");
- major = gss_init_sec_context(minor,
- delegated_cred_handle,
- &initiator_context,
- target,
- mechs ? &mechs->elements[0] :
- (gss_OID)gss_mech_krb5,
+ major = gss_init_sec_context(&minor, delegated_cred_handle,
+ &initiator_context, target,
+ mechs ? &mechs->elements[0] : &mech_krb5,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
- GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS,
- GSS_C_NO_BUFFER,
- NULL,
- &token,
- NULL,
+ GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_BUFFER, NULL, &token, NULL,
&time_rec);
- if (GSS_ERROR(major))
- displayStatus("gss_init_sec_context", major, *minor);
+ check_gsserr("gss_init_sec_context", major, minor);
- (void) gss_release_buffer(&tmp_minor, &token);
- (void) gss_delete_sec_context(&tmp_minor, &initiator_context, NULL);
- (void) gss_release_oid_set(&tmp_minor, &mechs);
-
- return major;
+ (void)gss_release_buffer(&minor, &token);
+ (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
+ (void)gss_release_oid_set(&minor, &mechs);
}
-int main(int argc, char *argv[])
+int
+main(int argc, char *argv[])
{
OM_uint32 minor, major;
gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
- gss_OID_set_desc mechs;
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
- gss_buffer_desc buf;
+ gss_OID_set mechs;
if (argc < 2 || argc > 5) {
fprintf(stderr, "Usage: %s [--spnego] [user] "
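Review bot: In `constrained_delegate`, a failed second `gss_inquire_cred` is not reported and, as far as the hunk shows, leaves `mechs` unset, after which `gss_init_sec_context` falls back to `&mech_krb5` even when the caller passed the SPNEGO set in `desired_mechs`. That parameter is not used anywhere in the visible lines, so a `--spnego` run could quietly exercise plain krb5. Either capture the result and run it through `check_gsserr("gss_inquire_cred", major, minor)` like the other calls, or take the fallback from the caller: `mechs ? &mechs->elements[0] : &desired_mechs->elements[0]`. The declarations of `mechs` and `token` lie between this hunk and the previous one, so the initial value of `mechs` should be confirmed there.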
@@ -437,113 +206,59 @@ int main(int argc, char *argv[])
argv++;
}
- buf.value = argv[1];
- buf.length = strlen((char *)buf.value);
+ user = import_name(argv[1]);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &user);
- if (GSS_ERROR(major)) {
- displayStatus("gss_import_name(user)", major, minor);
- goto out;
- }
-
- if (argc > 2 && strcmp(argv[2], "-")) {
- buf.value = argv[2];
- buf.length = strlen((char *)buf.value);
-
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target);
- if (GSS_ERROR(major)) {
- displayStatus("gss_import_name(target)", major, minor);
- goto out;
- }
- } else {
- target = GSS_C_NO_NAME;
- }
+ if (argc > 2 && strcmp(argv[2], "-"))
+ target = import_name(argv[2]);
if (argc > 3) {
major = krb5_gss_register_acceptor_identity(argv[3]);
- if (GSS_ERROR(major)) {
- displayStatus("krb5_gss_register_acceptor_identity",
- major, minor);
- goto out;
- }
+ check_gsserr("krb5_gss_register_acceptor_identity", major, 0);
}
- mechs.elements = use_spnego ? (gss_OID)&spnego_mech :
- (gss_OID)gss_mech_krb5;
- mechs.count = 1;
-
- /* get default cred */
- major = gss_acquire_cred(&minor,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mechs,
- GSS_C_BOTH,
- &impersonator_cred_handle,
- &actual_mechs,
+ /* Get default cred. */
+ mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs,
+ GSS_C_BOTH, &impersonator_cred_handle, NULL,
NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred", major, minor);
- goto out;
- }
-
- (void) gss_release_oid_set(&minor, &actual_mechs);
+ check_gsserr("gss_acquire_cred", major, minor);
printf("Protocol transition tests follow\n");
printf("-----------------------------------\n\n");
- major = testGreetAuthzData(&minor, &user);
- if (GSS_ERROR(major))
- goto out;
+ test_greet_authz_data(&user);
- /* get S4U2Self cred */
- major = gss_acquire_cred_impersonate_name(&minor,
- impersonator_cred_handle,
- user,
- GSS_C_INDEFINITE,
- &mechs,
+ /* Get S4U2Self cred. */
+ major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle,
+ user, GSS_C_INDEFINITE, mechs,
GSS_C_INITIATE,
- &user_cred_handle,
- &actual_mechs,
- NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred_impersonate_name", major, minor);
- goto out;
- }
-
- major = initAcceptSecContext(&minor,
- user_cred_handle,
- impersonator_cred_handle,
- &delegated_cred_handle);
- if (GSS_ERROR(major))
- goto out;
+ &user_cred_handle, NULL, NULL);
+ check_gsserr("gss_acquire_cred_impersonate_name", major, minor);
+ init_accept_sec_context(user_cred_handle, impersonator_cred_handle,
+ &delegated_cred_handle);
printf("\n");
if (target != GSS_C_NO_NAME &&
delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
- major = constrainedDelegate(&minor, &mechs, target,
- delegated_cred_handle,
- impersonator_cred_handle);
+ constrained_delegate(mechs, target, delegated_cred_handle,
+ impersonator_cred_handle);
} else if (target != GSS_C_NO_NAME) {
- fprintf(stderr, "Warning: no delegated credentials handle returned\n\n");
+ fprintf(stderr, "Warning: no delegated cred handle returned\n\n");
fprintf(stderr, "Verify:\n\n");
- fprintf(stderr, " - The TGT for the impersonating service is forwardable\n");
- fprintf(stderr, " - The T2A4D flag set on the impersonating service's UAC\n");
- fprintf(stderr, " - The user is not marked sensitive and cannot be delegated\n");
+ fprintf(stderr, " - The TGT for the impersonating service is "
+ "forwardable\n");
+ fprintf(stderr, " - The T2A4D flag set on the impersonating service's "
+ "UAC\n");
+ fprintf(stderr, " - The user is not marked sensitive and cannot be "
+ "delegated\n");
fprintf(stderr, "\n");
}
-out:
- (void) gss_release_name(&minor, &user);
- (void) gss_release_name(&minor, &target);
- (void) gss_release_cred(&minor, &delegated_cred_handle);
- (void) gss_release_cred(&minor, &impersonator_cred_handle);
- (void) gss_release_cred(&minor, &user_cred_handle);
- (void) gss_release_oid_set(&minor, &actual_mechs);
-
- return GSS_ERROR(major) ? 1 : 0;
+ (void)gss_release_name(&minor, &user);
+ (void)gss_release_name(&minor, &target);
+ (void)gss_release_cred(&minor, &delegated_cred_handle);
+ (void)gss_release_cred(&minor, &impersonator_cred_handle);
+ (void)gss_release_cred(&minor, &user_cred_handle);
+ return 0;
}
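Review bot: `main` now ends in an unconditional `return 0;`, so the exit status that t_s4u.py checks with `expected_code=1` can only come from `check_gsserr` ending the process inside the helpers; that helper lives in common.c and is not visible here. A short comment before the return would keep a later reader from adding an error path that falls through to success, for example `/* Any GSS failure has already exited via check_gsserr(). */`. The `krb5_gss_register_acceptor_identity` check passes a literal `0` as the minor status, and a brief comment saying why would help there too. The body of `main` begins in the previous hunk.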
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 4c68c961a..d6a0f2b8d 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -13,6 +13,10 @@ service2 = 'service/2@%s' % realm.realm
realm.addprinc(service2)
realm.extract_keytab(service2, realm.keytab)
+puser = 'p:' + realm.user_princ
+pservice1 = 'p:' + service1
+pservice2 = 'p:' + service2
+
# Get forwardable creds for service1 in the default cache.
realm.kinit(service1, None, ['-f', '-k'])
@@ -21,7 +25,7 @@ realm.kinit(service1, None, ['-f', '-k'])
# support for allowing it.
realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache])
output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
- service1, service2], expected_code=1)
+ pservice1, pservice2], expected_code=1)
if ('auth1: ' + realm.user_princ not in output or
'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy')
@@ -29,7 +33,7 @@ if ('auth1: ' + realm.user_princ not in output or
# Again with SPNEGO. Bug #7045 prevents us from checking the error
# message, but we can at least exercise the code.
output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache,
- storagecache, service1, service2],
+ storagecache, pservice1, pservice2],
expected_code=1)
if ('auth1: ' + realm.user_princ not in output):
fail('krb5 -> s4u2proxy (SPNEGO)')
@@ -39,27 +43,25 @@ if ('auth1: ' + realm.user_princ not in output):
# accept_sec_context.
realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
- service1, service2])
+ pservice1, pservice2])
if 'no credential delegated' not in output:
fail('krb5 -> no delegated cred')
# Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because
# service/1 isn't allowed to get a forwardable S4U2Self ticket.
-output = realm.run_as_server(['./t_s4u', realm.user_princ, service2])
-if ('Warning: no delegated credentials handle' not in output or
+output = realm.run_as_server(['./t_s4u', puser, pservice2])
+if ('Warning: no delegated cred handle' not in output or
'Source name:\t' + realm.user_princ not in output):
fail('s4u2self')
-output = realm.run_as_server(['./t_s4u', '--spnego', realm.user_princ,
- service2])
-if ('Warning: no delegated credentials handle' not in output or
+output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2])
+if ('Warning: no delegated cred handle' not in output or
'Source name:\t' + realm.user_princ not in output):
fail('s4u2self (SPNEGO)')
# Correct that problem and try again. As above, the S4U2Proxy step
# won't actually succeed since we don't support that in DB2.
realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1)
-output = realm.run_as_server(['./t_s4u', realm.user_princ, service2],
- expected_code=1)
+output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1)
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')
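Review bot: The `NOT_ALLOWED_TO_DELEGATE` check here reports `fail('s4u2self')`, the same label as the earlier no-delegation check, and the SPNEGO variant in the next hunk reuses it too, so three of the four t_s4u runs fail with an identical message. Distinct labels would show which run broke, e.g. `fail('s4u2self -> s4u2proxy')` here and `fail('s4u2self -> s4u2proxy (SPNEGO)')` in the next hunk. The `'Warning: no delegated cred handle'` match also has to stay byte-identical to the string printed by t_s4u.c, and a comment naming that source next to it would make the coupling visible.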
@@ -68,8 +70,8 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
# directly rather than saving and reacquiring it) so bug #7045 does
# not apply and we can verify the error message.
-output = realm.run_as_server(['./t_s4u', '--spnego', realm.user_princ,
- service2], expected_code=1)
+output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2],
+ expected_code=1)
if 'NOT_ALLOWED_TO_DELEGATE' not in output:
fail('s4u2self')
diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
index 7e7ba39c8..36267302b 100644
--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
+++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
@@ -28,7 +28,7 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
/*
* Usage: ./t_s4u2proxy_krb5 [--spnego] client_cache storage_cache
@@ -41,49 +41,10 @@
* service2 using S4U2Proxy.
*
* The default keytab must contain keys for service1 and service2. The default
- * ccache must contain a TGT for service1. service1 and service2 must be given
- * as krb5 principal names. This program assumes that krb5 or SPNEGO
- * authentication requires only one token exchange.
+ * ccache must contain a TGT for service1. This program assumes that krb5 or
+ * SPNEGO authentication requires only one token exchange.
*/
-static void
-display_status_1(const char *m, OM_uint32 code, int type)
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- printf("%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void
-gsserr(OM_uint32 maj_stat, OM_uint32 min_stat, const char *msg)
-{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
- exit(1);
-}
-
-static void
-krb5err(krb5_context context, krb5_error_code code, const char *msg)
-{
- const char *emsg = krb5_get_error_message(context, code);
-
- printf("%s: %s\n", msg, emsg);
- krb5_free_error_message(context, emsg);
- exit(1);
-}
-
int
main(int argc, char *argv[])
{
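Review bot: The usage comment drops the sentence saying service1 and service2 must be krb5 principal names, but does not say what format replaces it. According to the commit description the names now go through `import_name` with a `p:princname`, `h:hostbasedname` or `u:username` prefix, and t_s4u.py passes `p:`-prefixed values. I would add a line such as `* service1 and service2 are given in import_name() form (p:princname, h:hostbasedname or u:username).` to the comment, whose opening lies above this hunk.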
@@ -94,9 +55,9 @@ main(int argc, char *argv[])
krb5_ccache storage_ccache = NULL;
krb5_principal client_princ = NULL;
OM_uint32 minor, major;
- gss_buffer_desc buf, token;
+ gss_buffer_desc buf = GSS_C_EMPTY_BUFFER, token = GSS_C_EMPTY_BUFFER;
gss_OID mech;
- gss_OID_set_desc mechs;
+ gss_OID_set mechs;
gss_name_t service1_name = GSS_C_NO_NAME;
gss_name_t service2_name = GSS_C_NO_NAME;
gss_name_t client_name = GSS_C_NO_NAME;
@@ -104,7 +65,6 @@ main(int argc, char *argv[])
gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
- gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
/* Parse arguments. */
if (argc >= 2 && strcmp(argv[1], "--spnego") == 0) {
@@ -122,70 +82,49 @@ main(int argc, char *argv[])
service1 = argv[3];
service2 = argv[4];
- mech = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5;
- mechs.elements = mech;
- mechs.count = 1;
+ mech = use_spnego ? &mech_spnego : &mech_krb5;
+ mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
ret = krb5_init_context(&context);
- if (ret)
- krb5err(context, ret, "krb5_init_context");
+ check_k5err(context, "krb5_init_context", ret);
/* Get GSS name and GSS_C_BOTH cred for service1, using the default
* ccache. */
- buf.value = (char *)service1;
- buf.length = strlen(service1);
- major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &service1_name);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_import_name(service1)");
+ service1_name = import_name(service1);
major = gss_acquire_cred(&minor, service1_name, GSS_C_INDEFINITE,
- &mechs, GSS_C_BOTH, &service1_cred, NULL, NULL);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_acquire_cred(service1)");
+ mechs, GSS_C_BOTH, &service1_cred, NULL, NULL);
+ check_gsserr("gss_acquire_cred(service1)", major, minor);
/* Get GSS name for service2. */
- buf.value = (char *)service2;
- buf.length = strlen(service2);
- major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &service2_name);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_import_name(service2)");
+ service2_name = import_name(service2);
/* Create initiator context and get the first token, using the client
* ccache. */
major = gss_krb5_ccache_name(&minor, client_ccname, NULL);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_krb5_ccache_name(1)");
- token.value = NULL;
- token.length = 0;
+ check_gsserr("gss_krb5_ccache_name(1)", major, minor);
major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
&initiator_context, service1_name, mech,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
if (GSS_ERROR(major))
- gsserr(major, minor, "gss_init_sec_context(1)");
+ check_gsserr("gss_init_sec_context(1)", major, minor);
/* Pass the token to gss_accept_sec_context. */
- buf.value = NULL;
- buf.length = 0;
major = gss_accept_sec_context(&minor, &acceptor_context,
service1_cred, &token,
GSS_C_NO_CHANNEL_BINDINGS, &client_name,
NULL, &buf, NULL, NULL, &deleg_cred);
- if (major != GSS_S_COMPLETE)
- gsserr(major, minor, "gss_accept_sec_context(1)");
- gss_release_buffer(&minor, &token);
+ check_gsserr("gss_accept_sec_context(1)", major, minor);
+ (void)gss_release_buffer(&minor, &token);
/* Display and remember the client principal. */
major = gss_display_name(&minor, client_name, &buf, NULL);
- if (major != GSS_S_COMPLETE)
- gsserr(major, minor, "gss_display_name(1)");
+ check_gsserr("gss_display_name(1)", major, minor);
printf("auth1: %.*s\n", (int)buf.length, (char *)buf.value);
/* Assumes buffer is null-terminated, which in our implementation it is. */
ret = krb5_parse_name(context, buf.value, &client_princ);
- if (ret)
- krb5err(context, ret, "krb5_parse_name");
- gss_release_buffer(&minor, &buf);
+ check_k5err(context, "krb5_parse_name", ret);
+ (void)gss_release_buffer(&minor, &buf);
if (deleg_cred == GSS_C_NO_CREDENTIAL) {
printf("no credential delegated.\n");
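Review bot: The `gss_accept_sec_context(1)` and `gss_display_name(1)` checks used to fail on anything other than `GSS_S_COMPLETE`; they now go through `check_gsserr`, which is defined in common.c outside this page and, judging by the leftover `if (GSS_ERROR(major))` guard on `gss_init_sec_context(1)`, probably tests only the error bits. If so, a `GSS_S_CONTINUE_NEEDED` from the acceptor would no longer stop the test, and `client_name` and `deleg_cred` would be taken from a context that is not fully established, contrary to the one-token assumption in the header comment. Keeping the strict test after the helper call, `if (major != GSS_S_COMPLETE) exit(1);`, preserves the old behaviour; the same applies to `gss_accept_sec_context(2)` and `gss_display_name(2)` in the next hunk. The leftover guard itself can go, so the call reads `check_gsserr("gss_init_sec_context(1)", major, minor);` like its counterpart for the second context. `main` begins and ends outside this hunk.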
@@ -194,61 +133,49 @@ main(int argc, char *argv[])
/* Store the delegated credentials. */
ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
- if (ret)
- krb5err(context, ret, "krb5_cc_resolve");
+ check_k5err(context, "krb5_cc_resolve", ret);
ret = krb5_cc_initialize(context, storage_ccache, client_princ);
- if (ret)
- krb5err(context, ret, "krb5_cc_initialize");
+ check_k5err(context, "krb5_cc_initialize", ret);
major = gss_krb5_copy_ccache(&minor, deleg_cred, storage_ccache);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_krb5_copy_ccache");
+ check_gsserr("gss_krb5_copy_ccache", major, minor);
ret = krb5_cc_close(context, storage_ccache);
- if (ret)
- krb5err(context, ret, "krb5_cc_close");
+ check_k5err(context, "krb5_cc_close", ret);
- gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER);
- gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER);
+ (void)gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER);
+ (void)gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER);
/* Create initiator context and get the first token, using the storage
* ccache. */
major = gss_krb5_ccache_name(&minor, storage_ccname, NULL);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_krb5_ccache_name(2)");
- token.value = NULL;
- token.length = 0;
+ check_gsserr("gss_krb5_ccache_name(2)", major, minor);
major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
&initiator_context, service2_name, mech,
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
- if (GSS_ERROR(major))
- gsserr(major, minor, "gss_init_sec_context(2)");
+ check_gsserr("gss_init_sec_context(2)", major, minor);
/* Pass the token to gss_accept_sec_context. */
- buf.value = NULL;
- buf.length = 0;
major = gss_accept_sec_context(&minor, &acceptor_context,
GSS_C_NO_CREDENTIAL, &token,
GSS_C_NO_CHANNEL_BINDINGS, &client_name,
NULL, &buf, NULL, NULL, &deleg_cred);
- if (major != GSS_S_COMPLETE)
- gsserr(major, minor, "gss_accept_sec_context(2)");
- gss_release_buffer(&minor, &token);
+ check_gsserr("gss_accept_sec_context(2)", major, minor);
+ (void)gss_release_buffer(&minor, &token);
major = gss_display_name(&minor, client_name, &buf, NULL);
- if (major != GSS_S_COMPLETE)
- gsserr(major, minor, "gss_display_name(2)");
+ check_gsserr("gss_display_name(2)", major, minor);
printf("auth2: %.*s\n", (int)buf.length, (char *)buf.value);
- gss_release_buffer(&minor, &buf);
+ (void)gss_release_buffer(&minor, &buf);
cleanup:
- gss_release_name(&minor, &client_name);
- gss_release_name(&minor, &service1_name);
- gss_release_name(&minor, &service2_name);
- gss_release_cred(&minor, &service1_cred);
- gss_release_cred(&minor, &deleg_cred);
- gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER);
- gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER);
+ (void)gss_release_name(&minor, &client_name);
+ (void)gss_release_name(&minor, &service1_name);
+ (void)gss_release_name(&minor, &service2_name);
+ (void)gss_release_cred(&minor, &service1_cred);
+ (void)gss_release_cred(&minor, &deleg_cred);
+ (void)gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER);
+ (void)gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER);
krb5_free_principal(context, client_princ);
krb5_free_context(context);
return 0;
diff --git a/src/tests/gssapi/t_saslname.c b/src/tests/gssapi/t_saslname.c
index 27cc22d51..b874caf97 100644
--- a/src/tests/gssapi/t_saslname.c
+++ b/src/tests/gssapi/t_saslname.c
@@ -27,49 +27,19 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_ext.h>
+#include "common.h"
static void
-displayStatus_1(char *m, OM_uint32 code, int type)
+dump_known_mech_attrs(gss_OID mech)
{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void
-displayStatus(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE);
- displayStatus_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
-static OM_uint32
-dumpKnownMechAttrs(OM_uint32 *minor, gss_OID mech)
-{
- OM_uint32 major, tmpMinor;
+ OM_uint32 major, minor;
gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
gss_OID_set known_attrs = GSS_C_NO_OID_SET;
size_t i;
- major = gss_inquire_attrs_for_mech(minor, mech, &mech_attrs, &known_attrs);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_attrs_for_mech", major, *minor);
- return major;
- }
+ major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attrs,
+ &known_attrs);
+ check_gsserr("gss_inquire_attrs_for_mech", major, minor);
printf("Known attributes\n");
printf("----------------\n");
@@ -78,38 +48,32 @@ dumpKnownMechAttrs(OM_uint32 *minor, gss_OID mech)
gss_buffer_desc short_desc = GSS_C_EMPTY_BUFFER;
gss_buffer_desc long_desc = GSS_C_EMPTY_BUFFER;
- major = gss_display_mech_attr(minor, &known_attrs->elements[i],
+ major = gss_display_mech_attr(&minor, &known_attrs->elements[i],
&name, &short_desc, &long_desc);
- if (GSS_ERROR(major)) {
- displayStatus("gss_display_mech_attr", major, *minor);
- continue;
- }
+ check_gsserr("gss_display_mech_attr", major, minor);
printf("%.*s (%.*s): %.*s\n", (int)short_desc.length,
(char *)short_desc.value, (int)name.length, (char *)name.value,
(int)long_desc.length, (char *)long_desc.value);
- gss_release_buffer(minor, &name);
- gss_release_buffer(minor, &short_desc);
- gss_release_buffer(minor, &long_desc);
+ (void)gss_release_buffer(&minor, &name);
+ (void)gss_release_buffer(&minor, &short_desc);
+ (void)gss_release_buffer(&minor, &long_desc);
}
printf("\n");
- gss_release_oid_set(&tmpMinor, &mech_attrs);
- gss_release_oid_set(&tmpMinor, &known_attrs);
- return GSS_S_COMPLETE;
+ (void)gss_release_oid_set(&minor, &mech_attrs);
+ (void)gss_release_oid_set(&minor, &known_attrs);
}
-static
-OM_uint32 dumpMechAttrs(OM_uint32 *minor, gss_OID mech)
+static void
+dump_mech_attrs(gss_OID mech)
{
- OM_uint32 major, tmpMinor;
+ OM_uint32 major, minor;
gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
gss_OID_set known_attrs = GSS_C_NO_OID_SET;
size_t i;
- major = gss_inquire_attrs_for_mech(minor, mech, &mech_attrs, &known_attrs);
- if (GSS_ERROR(major)) {
- displayStatus("gss_inquire_attrs_for_mech", major, *minor);
- return major;
- }
+ major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attrs,
+ &known_attrs);
+ check_gsserr("gss_inquire_attrs_for_mech", major, minor);
printf("Mech attrs: ");
@@ -118,39 +82,32 @@ OM_uint32 dumpMechAttrs(OM_uint32 *minor, gss_OID mech)
gss_buffer_desc short_desc = GSS_C_EMPTY_BUFFER;
gss_buffer_desc long_desc = GSS_C_EMPTY_BUFFER;
- major = gss_display_mech_attr(minor, &mech_attrs->elements[i],
+ major = gss_display_mech_attr(&minor, &mech_attrs->elements[i],
&name, &short_desc, &long_desc);
- if (GSS_ERROR(major)) {
- displayStatus("gss_display_mech_attr", major, *minor);
- continue;
- }
+ check_gsserr("gss_display_mech_attr", major, minor);
printf("%.*s ", (int)name.length, (char *)name.value);
- gss_release_buffer(minor, &name);
- gss_release_buffer(minor, &short_desc);
- gss_release_buffer(minor, &long_desc);
+ (void)gss_release_buffer(&minor, &name);
+ (void)gss_release_buffer(&minor, &short_desc);
+ (void)gss_release_buffer(&minor, &long_desc);
}
printf("\n");
- gss_release_oid_set(&tmpMinor, &mech_attrs);
- gss_release_oid_set(&tmpMinor, &known_attrs);
-
- return GSS_S_COMPLETE;
+ (void)gss_release_oid_set(&minor, &mech_attrs);
+ (void)gss_release_oid_set(&minor, &known_attrs);
}
-int main(int argc, char *argv[])
+int
+main(int argc, char *argv[])
{
gss_OID_set mechs;
OM_uint32 major, minor;
size_t i;
major = gss_indicate_mechs(&minor, &mechs);
- if (GSS_ERROR(major)) {
- displayStatus("gss_indicate_mechs", major, minor);
- return major;
- }
-
+ check_gsserr("gss_indicate_mechs", major, minor);
if (mechs->count > 0)
- dumpKnownMechAttrs(&minor, mechs->elements);
+ dump_known_mech_attrs(mechs->elements);
+
for (i = 0; i < mechs->count; i++) {
gss_buffer_desc oidstr = GSS_C_EMPTY_BUFFER;
gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
@@ -180,30 +137,29 @@ int main(int argc, char *argv[])
(char *)mech_name.value);
printf("Mech desc : %.*s\n", (int)mech_description.length,
(char *)mech_description.value);
- dumpMechAttrs(&minor, &mechs->elements[i]);
+ dump_mech_attrs(&mechs->elements[i]);
printf("-------------------------------------------------------------"
"-----------------\n");
- if (GSS_ERROR(gss_inquire_mech_for_saslname(&minor, &sasl_mech_name,
- &oid))) {
- displayStatus("gss_inquire_mech_for_saslname", major, minor);
- } else if (oid == GSS_C_NO_OID ||
- (oid->length != mechs->elements[i].length &&
- memcmp(oid->elements, mechs->elements[i].elements,
- oid->length) != 0)) {
- gss_release_buffer(&minor, &oidstr);
- (void) gss_oid_to_str(&minor, oid, &oidstr);
+ major = gss_inquire_mech_for_saslname(&minor, &sasl_mech_name, &oid);
+ check_gsserr("gss_inquire_mech_for_saslname", major, minor);
+
+ if (oid == GSS_C_NO_OID ||
+ (oid->length != mechs->elements[i].length &&
+ memcmp(oid->elements, mechs->elements[i].elements,
+ oid->length) != 0)) {
+ (void)gss_release_buffer(&minor, &oidstr);
+ (void)gss_oid_to_str(&minor, oid, &oidstr);
fprintf(stderr, "Got different OID %.*s for mechanism %.*s\n",
(int)oidstr.length, (char *)oidstr.value,
(int)sasl_mech_name.length, (char *)sasl_mech_name.value);
}
- gss_release_buffer(&minor, &oidstr);
- gss_release_buffer(&minor, &sasl_mech_name);
- gss_release_buffer(&minor, &mech_name);
- gss_release_buffer(&minor, &mech_description);
+ (void)gss_release_buffer(&minor, &oidstr);
+ (void)gss_release_buffer(&minor, &sasl_mech_name);
+ (void)gss_release_buffer(&minor, &mech_name);
+ (void)gss_release_buffer(&minor, &mech_description);
}
- gss_release_oid_set(&minor, &mechs);
-
- return GSS_ERROR(major) ? 1 : 0;
+ (void)gss_release_oid_set(&minor, &mechs);
+ return 0;
}
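Review bot: The OID comparison after `gss_inquire_mech_for_saslname` joins its two tests with `&&`, so an OID of the same length but different bytes is not reported, and when the lengths differ `memcmp` reads `oid->length` bytes from `mechs->elements[i].elements`, which may be shorter. The condition should use `||`: `(oid->length != mechs->elements[i].length || memcmp(oid->elements, mechs->elements[i].elements, oid->length) != 0)`. The mismatch branch also only prints to stderr while `main` still returns 0, and it passes `oid` to `gss_oid_to_str` even when it is `GSS_C_NO_OID`. Making that branch exit non-zero would let the test catch a wrong SASL-name mapping. `main` starts above this hunk.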
diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c
index adb5737ab..aee80d446 100644
--- a/src/tests/gssapi/t_spnego.c
+++ b/src/tests/gssapi/t_spnego.c
@@ -28,7 +28,7 @@
#include <stdlib.h>
#include <string.h>
-#include <gssapi/gssapi_krb5.h>
+#include "common.h"
/*
* Test program for SPNEGO and gss_set_neg_mechs
@@ -39,224 +39,65 @@
* ./t_spnego host/test.host@REALM testhost.keytab
*/
-static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
-
-static void displayStatus_1(m, code, type)
- char *m;
- OM_uint32 code;
- int type;
-{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
-}
-
-static void displayStatus(msg, maj_stat, min_stat)
- char *msg;
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
-{
- displayStatus_1(msg, maj_stat, GSS_C_GSS_CODE);
- displayStatus_1(msg, min_stat, GSS_C_MECH_CODE);
-}
-
-static OM_uint32
-displayCanonName(OM_uint32 *minor, gss_name_t name, char *tag)
-{
- gss_name_t canon;
- OM_uint32 major, tmp_minor;
- gss_buffer_desc buf;
-
- major = gss_canonicalize_name(minor, name,
- (gss_OID)gss_mech_krb5, &canon);
- if (GSS_ERROR(major)) {
- displayStatus("gss_canonicalize_name", major, *minor);
- return major;
- }
-
- major = gss_display_name(minor, canon, &buf, NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_display_name", major, *minor);
- gss_release_name(&tmp_minor, &canon);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
-
- gss_release_buffer(&tmp_minor, &buf);
- gss_release_name(&tmp_minor, &canon);
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-displayOID(OM_uint32 *minor, gss_OID oid, char *tag)
+int
+main(int argc, char *argv[])
{
- OM_uint32 major, tmp_minor;
- gss_buffer_desc buf;
-
- major = gss_oid_to_str(minor, oid, &buf);
- if (GSS_ERROR(major)) {
- displayStatus("gss_oid_to_str", major, *minor);
- return major;
- }
-
- printf("%s:\t%s\n", tag, (char *)buf.value);
-
- gss_release_buffer(&tmp_minor, &buf);
-
- return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-initAcceptSecContext(OM_uint32 *minor,
- gss_name_t target_name,
- gss_cred_id_t verifier_cred_handle)
-{
- OM_uint32 major;
- gss_buffer_desc token, tmp;
+ OM_uint32 minor, major;
+ gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL;
+ gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER;
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
- gss_name_t source_name = GSS_C_NO_NAME;
+ gss_name_t target_name, source_name = GSS_C_NO_NAME;
OM_uint32 time_rec;
gss_OID mech = GSS_C_NO_OID;
- token.value = NULL;
- token.length = 0;
-
- tmp.value = NULL;
- tmp.length = 0;
-
- major = gss_init_sec_context(minor,
- GSS_C_NO_CREDENTIAL,
- &initiator_context,
- target_name,
- &spnego_mech,
- GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
- GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS,
- GSS_C_NO_BUFFER,
- NULL,
- &token,
- NULL,
- &time_rec);
-
- if (GSS_ERROR(major)) {
- displayStatus("gss_init_sec_context", major, *minor);
- return major;
- }
-
- (void) gss_delete_sec_context(minor, &initiator_context, NULL);
-
- major = gss_accept_sec_context(minor,
- &acceptor_context,
- verifier_cred_handle,
- &token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &source_name,
- &mech,
- &tmp,
- NULL,
- &time_rec,
- NULL);
-
- if (GSS_ERROR(major))
- displayStatus("gss_accept_sec_context", major, *minor);
- else {
- displayCanonName(minor, source_name, "Source name");
- displayOID(minor, mech, "Source mech");
- }
-
- (void) gss_release_name(minor, &source_name);
- (void) gss_delete_sec_context(minor, &acceptor_context, NULL);
- (void) gss_release_buffer(minor, &token);
- (void) gss_release_buffer(minor, &tmp);
- (void) gss_release_oid(minor, &mech);
-
- return major;
-}
-
-int main(int argc, char *argv[])
-{
- OM_uint32 minor, major;
- gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL;
- gss_OID_set_desc mechs;
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
- gss_buffer_desc buf;
- gss_name_t target_name;
-
if (argc < 2 || argc > 3) {
fprintf(stderr, "Usage: %s target_name [keytab]\n", argv[0]);
exit(1);
}
- buf.value = argv[1];
- buf.length = strlen((char *)buf.value);
- major = gss_import_name(&minor, &buf,
- (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target_name);
- if (GSS_ERROR(major)) {
- displayStatus("gss_import_name(target_name)", major, minor);
- goto out;
- }
+ target_name = import_name(argv[1]);
- if (argc > 2) {
+ if (argc >= 3) {
major = krb5_gss_register_acceptor_identity(argv[2]);
- if (GSS_ERROR(major)) {
- displayStatus("krb5_gss_register_acceptor_identity",
- major, minor);
- goto out;
- }
+ check_gsserr("krb5_gss_register_acceptor_identity", major, 0);
}
- mechs.elements = &spnego_mech;
- mechs.count = 1;
-
- /* get default acceptor cred */
- major = gss_acquire_cred(&minor,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mechs,
- GSS_C_ACCEPT,
- &verifier_cred_handle,
- &actual_mechs,
- NULL);
- if (GSS_ERROR(major)) {
- displayStatus("gss_acquire_cred", major, minor);
- goto out;
- }
+ /* Get default acceptor cred. */
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+ &mechset_spnego, GSS_C_ACCEPT,
+ &verifier_cred_handle, &actual_mechs, NULL);
+ check_gsserr("gss_acquire_cred", major, minor);
/* Restrict the acceptor to krb5, to exercise the neg_mechs logic. */
- mechs.elements = (gss_OID)gss_mech_krb5;
- mechs.count = 1;
- major = gss_set_neg_mechs(&minor, verifier_cred_handle, &mechs);
- if (GSS_ERROR(major)) {
- displayStatus("gss_set_neg_mechs", major, minor);
- goto out;
- }
-
- major = initAcceptSecContext(&minor, target_name, verifier_cred_handle);
- if (GSS_ERROR(major))
- goto out;
-
- printf("\n");
+ major = gss_set_neg_mechs(&minor, verifier_cred_handle, &mechset_krb5);
+ check_gsserr("gss_set_neg_mechs", major, minor);
-out:
- (void) gss_release_cred(&minor, &verifier_cred_handle);
- (void) gss_release_oid_set(&minor, &actual_mechs);
- (void) gss_release_name(&minor, &target_name);
-
- return GSS_ERROR(major) ? 1 : 0;
+ major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
+ &initiator_context, target_name, &mech_spnego,
+ GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
+ GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_BUFFER, NULL, &token, NULL,
+ &time_rec);
+ check_gsserr("gss_init_sec_context", major, minor);
+ (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
+
+ major = gss_accept_sec_context(&minor, &acceptor_context,
+ verifier_cred_handle, &token,
+ GSS_C_NO_CHANNEL_BINDINGS, &source_name,
+ &mech, &tmp, NULL, &time_rec, NULL);
+ check_gsserr("gss_accept_sec_context", major, minor);
+
+ display_canon_name("Source name", source_name, &mech_krb5);
+ display_oid("Source mech", mech);
+
+ (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
+ (void)gss_release_name(&minor, &source_name);
+ (void)gss_release_name(&minor, &target_name);
+ (void)gss_release_buffer(&minor, &token);
+ (void)gss_release_buffer(&minor, &tmp);
+ (void)gss_release_cred(&minor, &verifier_cred_handle);
+ (void)gss_release_oid_set(&minor, &actual_mechs);
+ return 0;
}
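Review bot: After the `gss_accept_sec_context` call in `main`, the source name and mechanism are printed without confirming that the acceptor context is fully established. `check_gsserr` is defined outside this hunk; if it only rejects `GSS_ERROR(major)`, as the removed `displayStatus` branches did, a `GSS_S_CONTINUE_NEEDED` result passes and `source_name` may still be `GSS_C_NO_NAME` or name a peer that has not finished authenticating. The initiator context is deleted after its first token, so only a single-leg exchange can succeed here and anything else should fail the test: add `if (major != GSS_S_COMPLETE) { fprintf(stderr, "acceptor context not established\n"); exit(1); }` before the `display_canon_name` call. Unless the calling script checks the printed OID, the restriction set by `gss_set_neg_mechs` is also only displayed rather than asserted, so a comment saying where the negotiated mechanism is verified would help.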