diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index 633c4bb48..cdfccce60 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c @@ -43,6 +43,7 @@ static char *type_string; static char *mech_string; static char *ret_mech_string; +static char *client_name; static int dns_canon_flag = -1; static int mutual_auth_flag = 0; static int dce_style_flag = 0; @@ -58,10 +59,14 @@ static char *session_enctype_string = NULL; static int client_time_offset = 0; static int server_time_offset = 0; static int max_loops = 0; +static char *limit_enctype_string = NULL; static int version_flag = 0; static int verbose_flag = 0; static int help_flag = 0; +static krb5_context context; +static krb5_enctype limit_enctype = 0; + static struct { const char *name; gss_OID *oid; @@ -452,6 +457,8 @@ static struct getargs args[] = { {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag, "use dns to canonicalize", NULL }, {"mutual-auth",0, arg_flag, &mutual_auth_flag,"mutual auth", NULL }, + {"client-name", 0, arg_string, &client_name, "client name", NULL }, + {"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL }, {"dce-style",0, arg_flag, &dce_style_flag, "dce-style", NULL }, {"wrapunwrap",0, arg_flag, &wrapunwrap_flag, "wrap/unwrap", NULL }, {"iov", 0, arg_flag, &iov_flag, "wrap/unwrap iov", NULL }, @@ -488,10 +495,13 @@ main(int argc, char **argv) gss_ctx_id_t cctx, sctx; void *ctx; gss_OID nameoid, mechoid, actual_mech, actual_mech2; - gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; + gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL; setprogname(argv[0]); + if (krb5_init_context(&context)) + errx(1, "krb5_init_context"); + cctx = sctx = GSS_C_NO_CONTEXT; if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) @@ -531,7 +541,47 @@ main(int argc, char **argv) if (gsskrb5_acceptor_identity) gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); - loop(mechoid, nameoid, argv[0], GSS_C_NO_CREDENTIAL, + if (client_name) { + gss_buffer_desc cn; + gss_name_t cname; + cn.value = client_name; + cn.length = strlen(client_name); + maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname); + if (maj_stat) + errx(1, "gss_import_name: %s", + gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + + maj_stat = gss_acquire_cred(&min_stat, cname, 0, NULL, + GSS_C_INITIATE, &client_cred, NULL, NULL); + if (GSS_ERROR(maj_stat)) + errx(1, "gss_import_name: %s", + gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + gss_release_name(&min_stat, &cname); + } + + if (limit_enctype_string) { + krb5_error_code ret; + + ret = krb5_string_to_enctype(context, + limit_enctype_string, + &limit_enctype); + if (ret) + krb5_err(context, 1, ret, "krb5_string_to_enctype"); + } + + + if (limit_enctype) { + if (client_cred == NULL) + errx(1, "client_cred missing"); + + maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred, + 1, &limit_enctype); + if (maj_stat) + errx(1, "gss_krb5_set_allowable_enctypes: %s", + gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + } + + loop(mechoid, nameoid, argv[0], client_cred, &sctx, &cctx, &actual_mech, &deleg_cred); if (verbose_flag) @@ -549,7 +599,6 @@ main(int argc, char **argv) /* XXX should be actual_mech */ if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) { - krb5_context context; time_t time; gss_buffer_desc authz_data; gss_buffer_desc in, out1, out2; @@ -557,10 +606,6 @@ main(int argc, char **argv) krb5_timestamp now; krb5_error_code ret; - ret = krb5_init_context(&context); - if (ret) - errx(1, "krb5_init_context"); - ret = krb5_timeofday(context, &now); if (ret) errx(1, "krb5_timeofday failed"); @@ -624,6 +669,8 @@ main(int argc, char **argv) if (maj_stat != GSS_S_COMPLETE) keyblock = NULL; + else if (limit_enctype && keyblock->keytype != limit_enctype) + errx(1, "gsskrb5_get_subkey wrong enctype"); maj_stat = gsskrb5_get_subkey(&min_stat, cctx, @@ -635,6 +682,8 @@ main(int argc, char **argv) if (maj_stat != GSS_S_COMPLETE) keyblock2 = NULL; + else if (limit_enctype && keyblock->keytype != limit_enctype) + errx(1, "gsskrb5_get_subkey wrong enctype"); if (keyblock || keyblock2) { if (keyblock == NULL) @@ -679,8 +728,12 @@ main(int argc, char **argv) errx(1, "gsskrb5_get_initiator_subkey failed: %s", gssapi_err(maj_stat, min_stat, actual_mech)); - if (maj_stat == GSS_S_COMPLETE) + if (maj_stat == GSS_S_COMPLETE) { + + if (limit_enctype && keyblock->keytype != limit_enctype) + errx(1, "gsskrb5_get_initiator_subkey wrong enctype"); krb5_free_keyblock(context, keyblock); + } maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, sctx, @@ -689,8 +742,6 @@ main(int argc, char **argv) if (maj_stat == GSS_S_COMPLETE) gss_release_buffer(&min_stat, &authz_data); - krb5_free_context(context); - memset(&out1, 0, sizeof(out1)); memset(&out2, 0, sizeof(out2)); @@ -866,8 +917,9 @@ main(int argc, char **argv) } - empty_release(); + + krb5_free_context(context); return 0; } diff --git a/tests/gss/check-context.in b/tests/gss/check-context.in index f19ad272a..0380c5d6f 100644 --- a/tests/gss/check-context.in +++ b/tests/gss/check-context.in @@ -264,6 +264,7 @@ echo "====== gss-api session key check" # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96 coolenctype="aes256-cts-hmac-sha1-96" +limit_enctype="des3-cbc-sha1" echo "Getting client initial tickets" ${kinit} --password-file=${objdir}/foopassword user1@${R} || \ @@ -277,6 +278,16 @@ ${context} \ --name-type=hostbased-service host@no-aes.test.h5l.se || \ { exitcode=1 ; echo "test failed"; } +echo "Building context on cred, check if its limited still" +${context} \ + --mech-type=krb5 \ + --client-name=user1@${R} \ + --limit-enctype="${limit_enctype}" \ + --mutual-auth \ + --name-type=hostbased-service host@no-aes.test.h5l.se || \ + { exitcode=1 ; echo "test failed"; } + + echo "====== ok-as-delegate" echo "Getting client initial tickets"