1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/crypto_tests/t_fork.c */
/*
* Copyright (C) 2010 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
/*
* Test basic libk5crypto behavior across forks. This is primarily interesting
* for back ends with PKCS11-based constraints, such as the NSS back end.
*/
#include "k5-int.h"
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
static krb5_context ctx = NULL;
static void
t(krb5_error_code code)
{
if (code != 0) {
fprintf(stderr, "Failure: %s\n", krb5_get_error_message(ctx, code));
exit(1);
}
}
static void
prepare_enc_data(krb5_key key, size_t in_len, krb5_enc_data *enc_data)
{
size_t out_len;
t(krb5_c_encrypt_length(ctx, key->keyblock.enctype, in_len, &out_len));
t(alloc_data(&enc_data->ciphertext, out_len));
}
int
main()
{
krb5_error_code ret;
krb5_keyblock kb_aes, kb_rc4;
krb5_key key_aes, key_rc4;
krb5_data state_rc4, plain = string2data("plain"), decrypted;
krb5_enc_data out_aes, out_rc4;
pid_t pid;
int status;
/* Seed the PRNG instead of creating a context, so we don't need
* krb5.conf. */
t(krb5_c_random_seed(ctx, &plain));
/* Create AES and RC4 ciphertexts with random keys. Use cipher state for
* RC4. */
t(krb5_c_make_random_key(ctx, ENCTYPE_AES256_CTS_HMAC_SHA1_96, &kb_aes));
t(krb5_c_make_random_key(ctx, ENCTYPE_ARCFOUR_HMAC, &kb_rc4));
t(krb5_k_create_key(ctx, &kb_aes, &key_aes));
t(krb5_k_create_key(ctx, &kb_rc4, &key_rc4));
prepare_enc_data(key_aes, plain.length, &out_aes);
prepare_enc_data(key_aes, plain.length, &out_rc4);
t(krb5_c_init_state(ctx, &kb_rc4, 0, &state_rc4));
t(krb5_k_encrypt(ctx, key_aes, 0, NULL, &plain, &out_aes));
t(krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4));
/* Fork; continue in both parent and child. */
pid = fork();
assert(pid >= 0);
/* Decrypt the AES message with both key and keyblock. */
t(alloc_data(&decrypted, plain.length));
t(krb5_k_decrypt(ctx, key_aes, 0, NULL, &out_aes, &decrypted));
assert(data_eq(plain, decrypted));
t(krb5_c_decrypt(ctx, &kb_aes, 0, NULL, &out_aes, &decrypted));
assert(data_eq(plain, decrypted));
/*
* Encrypt another RC4 message. This may fail because RC4 cipher state in
* the NSS back end includes a PKCS11 handle which won't work across forks,
* but make sure it fails in the expected manner.
*/
ret = krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4);
assert(ret == 0 || ret == EINVAL);
t(krb5_c_free_state(ctx, &kb_rc4, &state_rc4));
/* If we're the parent, make sure the child succeeded. */
if (pid != 0) {
assert(wait(&status) == pid);
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
fprintf(stderr, "Child failed with status %d\n", status);
return 1;
}
}
return 0;
}
|
