gss: SAnon - the Simple Anonymous GSS-API mechanism
Add support for SAnon, a simple key agreement protocol that provides no authentication of initiator or acceptor using x25519 ECDH key exchange. See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol description.
This commit is contained in:
Luke Howard
committed by
Nicolas Williams
Nicolas Williams
parent
beda11a079
commit
4a7eb74374
@@ -125,22 +125,25 @@ ${acquire_cred} \
|
||||
|
||||
echo "keytab w/ wrong name"
|
||||
${acquire_cred} \
|
||||
--acquire-type=accept \
|
||||
--acquire-type=accept --kerberos \
|
||||
--acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
|
||||
|
||||
echo "init using keytab"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--acquire-type=initiate \
|
||||
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
|
||||
|
||||
echo "init using keytab (loop 10)"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--acquire-type=initiate \
|
||||
--loops=10 \
|
||||
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
|
||||
|
||||
echo "init using keytab (loop 10, target)"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--acquire-type=initiate \
|
||||
--loops=10 \
|
||||
--target=host@host.test.h5l.se \
|
||||
@@ -163,6 +166,7 @@ ${acquire_cred} \
|
||||
|
||||
echo "init using existing cc"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--name-type=user-name \
|
||||
--acquire-type=initiate \
|
||||
--acquire-name=user || exit 1
|
||||
@@ -171,12 +175,14 @@ KRB5CCNAME=${nocache}
|
||||
|
||||
echo "fail init using existing cc"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--name-type=user-name \
|
||||
--acquire-type=initiate \
|
||||
--acquire-name=user 2>/dev/null && exit 1
|
||||
|
||||
echo "use gss_krb5_ccache_name for user"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--name-type=user-name \
|
||||
--ccache=${cache} \
|
||||
--acquire-type=initiate \
|
||||
@@ -194,11 +200,13 @@ KRB5_KTNAME="${keytab}"
|
||||
|
||||
echo "init using keytab"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--acquire-type=initiate \
|
||||
--acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
|
||||
|
||||
echo "init using keytab (ccache)"
|
||||
${acquire_cred} \
|
||||
--kerberos \
|
||||
--acquire-type=initiate \
|
||||
--ccache=${cache} \
|
||||
--acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
|
||||
|
||||
@@ -130,17 +130,17 @@ ${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
|
||||
host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type='' \
|
||||
--mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \
|
||||
--mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
|
||||
--mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \
|
||||
--mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type=all \
|
||||
--mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \
|
||||
--mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 \
|
||||
--mech-type=krb5,ntlm --mech-types=krb5 host@lucid.test.h5l.se \
|
||||
--mech-types=krb5,ntlm --mech-type=krb5 host@lucid.test.h5l.se \
|
||||
&& { eval "$testfailed"; }
|
||||
# gss_acquire_cred_with_password() must not have side-effects
|
||||
${klist} && { eval "$testfailed"; }
|
||||
@@ -161,7 +161,8 @@ ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
|
||||
grep ${keytabfile} test_context.log > /dev/null || \
|
||||
{ echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
|
||||
echo "checking non existant keytabfile (spengo)" ; > messages.log
|
||||
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
|
||||
${context} --mech-type=spnego --mech-types=spnego,krb5 \
|
||||
host@lucid.test.h5l.se > test_context.log 2>&1 && \
|
||||
{ eval "$testfailed"; }
|
||||
grep ${keytabfile} test_context.log > /dev/null || \
|
||||
{ echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
|
||||
|
||||
@@ -178,6 +178,88 @@ echo "test_negoex_1 alert from initiator to acceptor"
|
||||
host@host.test.h5l.se || \
|
||||
{ exitcode=1 ; echo test failed; }
|
||||
|
||||
unset GSS_MECH_CONFIG
|
||||
|
||||
echo "======test context building for sanon-x25519"
|
||||
for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
|
||||
iov=""
|
||||
if [ "$mech" = "sanon-x25519iov" ] ; then
|
||||
mech="sanon-x25519"
|
||||
iov="--iov"
|
||||
fi
|
||||
if [ "$mech" = "spnegoiov" ] ; then
|
||||
mech="spnego"
|
||||
iov="--iov"
|
||||
fi
|
||||
|
||||
echo "${mech} anon-flag ${iov}" ; > messages.log
|
||||
${context} --mech-type=${mech} \
|
||||
--anonymous \
|
||||
--ret-mech-type=sanon-x25519 \
|
||||
--channel-bindings=negoex_sanon_test_h5l_se \
|
||||
--wrapunwrap ${iov} \
|
||||
host@lucid.test.h5l.se || \
|
||||
{ eval "$testfailed"; }
|
||||
|
||||
echo "${mech} anon-initiator ${iov}" ; > messages.log
|
||||
${context} --mech-type=${mech} \
|
||||
--client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \
|
||||
--ret-mech-type=sanon-x25519 \
|
||||
--channel-bindings=negoex_sanon_test_h5l_se \
|
||||
--wrapunwrap ${iov} \
|
||||
host@lucid.test.h5l.se || \
|
||||
{ eval "$testfailed"; }
|
||||
|
||||
echo "${mech} anon-acceptor ${iov}" ; > messages.log
|
||||
${context} --mech-type=${mech} \
|
||||
--ret-mech-type=sanon-x25519 \
|
||||
--channel-bindings=negoex_sanon_test_h5l_se \
|
||||
--wrapunwrap ${iov} \
|
||||
WELLKNOWN@ANONYMOUS || \
|
||||
{ eval "$testfailed"; }
|
||||
done
|
||||
|
||||
echo "======export-import-context for sanon-x25519"
|
||||
for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
|
||||
iov=""
|
||||
if [ "$mech" = "sanon-x25519iov" ] ; then
|
||||
mech="sanon-x25519"
|
||||
iov="--iov"
|
||||
fi
|
||||
if [ "$mech" = "spnegoiov" ] ; then
|
||||
mech="spnego"
|
||||
iov="--iov"
|
||||
fi
|
||||
|
||||
echo "${mech}: export-import-context ${iov}" ; > messages.log
|
||||
${context} \
|
||||
--mech-type=${mech} \
|
||||
--anonymous \
|
||||
--export-import-context \
|
||||
--wrapunwrap ${iov} \
|
||||
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
||||
{ eval "$testfailed"; }
|
||||
|
||||
done
|
||||
|
||||
echo "======dce-style for sanon-x25519"
|
||||
for mech in spnego spnegoiov; do
|
||||
iov=""
|
||||
if [ "$mech" = "spnegoiov" ] ; then
|
||||
mech="spnego"
|
||||
iov="--iov"
|
||||
fi
|
||||
|
||||
echo "${mech}: dce-style ${iov}" ; > messages.log
|
||||
${context} \
|
||||
--mech-type=${mech} \
|
||||
--anonymous --dce-style \
|
||||
--wrapunwrap ${iov} \
|
||||
--name-type=hostbased-service host@lucid.test.h5l.se || \
|
||||
{ eval "$testfailed"; }
|
||||
|
||||
done
|
||||
|
||||
trap "" EXIT
|
||||
|
||||
exit $exitcode
|
||||
|
||||
Reference in New Issue
Block a user