check that gss_krb5_set_allowable_enctypes works

This commit is contained in:
Love Hornquist Astrand
2009-11-30 17:19:13 -08:00
parent 87d30c0e23
commit 01a1e1baef
2 changed files with 74 additions and 11 deletions

View File

@@ -43,6 +43,7 @@
static char *type_string;
static char *mech_string;
static char *ret_mech_string;
static char *client_name;
static int dns_canon_flag = -1;
static int mutual_auth_flag = 0;
static int dce_style_flag = 0;
@@ -58,10 +59,14 @@ static char *session_enctype_string = NULL;
static int client_time_offset = 0;
static int server_time_offset = 0;
static int max_loops = 0;
static char *limit_enctype_string = NULL;
static int version_flag = 0;
static int verbose_flag = 0;
static int help_flag = 0;
static krb5_context context;
static krb5_enctype limit_enctype = 0;
static struct {
const char *name;
gss_OID *oid;
@@ -452,6 +457,8 @@ static struct getargs args[] = {
{"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
"use dns to canonicalize", NULL },
{"mutual-auth",0, arg_flag, &mutual_auth_flag,"mutual auth", NULL },
{"client-name", 0, arg_string, &client_name, "client name", NULL },
{"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL },
{"dce-style",0, arg_flag, &dce_style_flag, "dce-style", NULL },
{"wrapunwrap",0, arg_flag, &wrapunwrap_flag, "wrap/unwrap", NULL },
{"iov", 0, arg_flag, &iov_flag, "wrap/unwrap iov", NULL },
@@ -488,10 +495,13 @@ main(int argc, char **argv)
gss_ctx_id_t cctx, sctx;
void *ctx;
gss_OID nameoid, mechoid, actual_mech, actual_mech2;
gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
setprogname(argv[0]);
if (krb5_init_context(&context))
errx(1, "krb5_init_context");
cctx = sctx = GSS_C_NO_CONTEXT;
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
@@ -531,7 +541,47 @@ main(int argc, char **argv)
if (gsskrb5_acceptor_identity)
gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
loop(mechoid, nameoid, argv[0], GSS_C_NO_CREDENTIAL,
if (client_name) {
gss_buffer_desc cn;
gss_name_t cname;
cn.value = client_name;
cn.length = strlen(client_name);
maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
if (maj_stat)
errx(1, "gss_import_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
maj_stat = gss_acquire_cred(&min_stat, cname, 0, NULL,
GSS_C_INITIATE, &client_cred, NULL, NULL);
if (GSS_ERROR(maj_stat))
errx(1, "gss_import_name: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
gss_release_name(&min_stat, &cname);
}
if (limit_enctype_string) {
krb5_error_code ret;
ret = krb5_string_to_enctype(context,
limit_enctype_string,
&limit_enctype);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
}
if (limit_enctype) {
if (client_cred == NULL)
errx(1, "client_cred missing");
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
1, &limit_enctype);
if (maj_stat)
errx(1, "gss_krb5_set_allowable_enctypes: %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
}
loop(mechoid, nameoid, argv[0], client_cred,
&sctx, &cctx, &actual_mech, &deleg_cred);
if (verbose_flag)
@@ -549,7 +599,6 @@ main(int argc, char **argv)
/* XXX should be actual_mech */
if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
krb5_context context;
time_t time;
gss_buffer_desc authz_data;
gss_buffer_desc in, out1, out2;
@@ -557,10 +606,6 @@ main(int argc, char **argv)
krb5_timestamp now;
krb5_error_code ret;
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_context");
ret = krb5_timeofday(context, &now);
if (ret)
errx(1, "krb5_timeofday failed");
@@ -624,6 +669,8 @@ main(int argc, char **argv)
if (maj_stat != GSS_S_COMPLETE)
keyblock = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
maj_stat = gsskrb5_get_subkey(&min_stat,
cctx,
@@ -635,6 +682,8 @@ main(int argc, char **argv)
if (maj_stat != GSS_S_COMPLETE)
keyblock2 = NULL;
else if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_subkey wrong enctype");
if (keyblock || keyblock2) {
if (keyblock == NULL)
@@ -679,8 +728,12 @@ main(int argc, char **argv)
errx(1, "gsskrb5_get_initiator_subkey failed: %s",
gssapi_err(maj_stat, min_stat, actual_mech));
if (maj_stat == GSS_S_COMPLETE)
if (maj_stat == GSS_S_COMPLETE) {
if (limit_enctype && keyblock->keytype != limit_enctype)
errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
krb5_free_keyblock(context, keyblock);
}
maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
sctx,
@@ -689,8 +742,6 @@ main(int argc, char **argv)
if (maj_stat == GSS_S_COMPLETE)
gss_release_buffer(&min_stat, &authz_data);
krb5_free_context(context);
memset(&out1, 0, sizeof(out1));
memset(&out2, 0, sizeof(out2));
@@ -866,8 +917,9 @@ main(int argc, char **argv)
}
empty_release();
krb5_free_context(context);
return 0;
}

View File

@@ -264,6 +264,7 @@ echo "====== gss-api session key check"
# this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
coolenctype="aes256-cts-hmac-sha1-96"
limit_enctype="des3-cbc-sha1"
echo "Getting client initial tickets"
${kinit} --password-file=${objdir}/foopassword user1@${R} || \
@@ -277,6 +278,16 @@ ${context} \
--name-type=hostbased-service host@no-aes.test.h5l.se || \
{ exitcode=1 ; echo "test failed"; }
echo "Building context on cred, check if its limited still"
${context} \
--mech-type=krb5 \
--client-name=user1@${R} \
--limit-enctype="${limit_enctype}" \
--mutual-auth \
--name-type=hostbased-service host@no-aes.test.h5l.se || \
{ exitcode=1 ; echo "test failed"; }
echo "====== ok-as-delegate"
echo "Getting client initial tickets"