oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gss: add tests for importing and exporting contexts

Browse Source 
Add the --export-import-context flag to test_context, for validating that
security contexts round-trip through GSS_Export_sec_context() and
GSS_Import_sec_context().
This commit is contained in:
Luke Howard
2020-04-14 12:33:25 +10:00
parent 9a9aaa078c
commit 846c839cbf
2 changed files with 64 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
lib/gssapi/test_context.c
View File

@@ -56,7 +56,8 @@ static int getverifymic_flag = 0;
static int deleg_flag = 0; static int deleg_flag = 0;
static int policy_deleg_flag = 0; static int policy_deleg_flag = 0;
static int server_no_deleg_flag = 0; static int server_no_deleg_flag = 0;
static int ei_flag = 0; static int ei_cred_flag = 0;
static int ei_ctx_flag = 0;
static char *client_ccache = NULL; static char *client_ccache = NULL;
static char *client_keytab = NULL; static char *client_keytab = NULL;
static char *gsskrb5_acceptor_identity = NULL; static char *gsskrb5_acceptor_identity = NULL;
@@ -589,7 +590,8 @@ static struct getargs args[] = {
{"policy-delegate",0, arg_flag, &policy_deleg_flag, "policy delegate credential", NULL }, {"policy-delegate",0, arg_flag, &policy_deleg_flag, "policy delegate credential", NULL },
{"server-no-delegate",0, arg_flag, &server_no_deleg_flag, {"server-no-delegate",0, arg_flag, &server_no_deleg_flag,
"server should get a credential", NULL }, "server should get a credential", NULL },
{"export-import-cred",0, arg_flag, &ei_flag, "test export/import cred", NULL }, {"export-import-context",0, arg_flag, &ei_ctx_flag, "test export/import context", NULL },
{"export-import-cred",0, arg_flag, &ei_cred_flag, "test export/import cred", NULL },
{"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL }, {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL },
{"session-enctype", 0, arg_string, &session_enctype_string, "enctype", NULL }, {"session-enctype", 0, arg_string, &session_enctype_string, "enctype", NULL },
{"client-time-offset", 0, arg_integer, &client_time_offset, "time", NULL }, {"client-time-offset", 0, arg_integer, &client_time_offset, "time", NULL },
@@ -1012,6 +1014,40 @@ main(int argc, char **argv)
getverifymic_flag = 1; getverifymic_flag = 1;
} }
if (ei_ctx_flag) {
gss_buffer_desc ctx_token = GSS_C_EMPTY_BUFFER;
maj_stat = gss_export_sec_context(&min_stat, &cctx, &ctx_token);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export client context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
heim_assert(cctx == GSS_C_NO_CONTEXT,
"gss_export_sec_context did not delete context");
maj_stat = gss_import_sec_context(&min_stat, &ctx_token, &cctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import client context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &ctx_token);
maj_stat = gss_export_sec_context(&min_stat, &sctx, &ctx_token);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "export server context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
heim_assert(sctx == GSS_C_NO_CONTEXT,
"gss_export_sec_context did not delete context");
maj_stat = gss_import_sec_context(&min_stat, &ctx_token, &sctx);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "import server context failed: %s",
gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &ctx_token);
}
if (wrapunwrap_flag) { if (wrapunwrap_flag) {
wrapunwrap(cctx, sctx, 0, actual_mech); wrapunwrap(cctx, sctx, 0, actual_mech);
wrapunwrap(cctx, sctx, 1, actual_mech); wrapunwrap(cctx, sctx, 1, actual_mech);
@@ -1119,7 +1155,6 @@ main(int argc, char **argv)
getverifymic(sctx, cctx, actual_mech); getverifymic(sctx, cctx, actual_mech);
} }
gss_delete_sec_context(&min_stat, &cctx, NULL); gss_delete_sec_context(&min_stat, &cctx, NULL);
gss_delete_sec_context(&min_stat, &sctx, NULL); gss_delete_sec_context(&min_stat, &sctx, NULL);
@@ -1157,16 +1192,16 @@ main(int argc, char **argv)
#endif #endif
/* check export/import */ /* check export/import */
if (ei_flag) { if (ei_cred_flag) {
maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb); maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
if (maj_stat != GSS_S_COMPLETE) if (maj_stat != GSS_S_COMPLETE)
errx(1, "export failed: %s", errx(1, "export cred failed: %s",
gssapi_err(maj_stat, min_stat, NULL)); gssapi_err(maj_stat, min_stat, NULL));
maj_stat = gss_import_cred(&min_stat, &cb, &cred2); maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
if (maj_stat != GSS_S_COMPLETE) if (maj_stat != GSS_S_COMPLETE)
errx(1, "import failed: %s", errx(1, "import cred failed: %s",
gssapi_err(maj_stat, min_stat, NULL)); gssapi_err(maj_stat, min_stat, NULL));
gss_release_buffer(&min_stat, &cb); gss_release_buffer(&min_stat, &cb);

23
tests/gss/check-context.in
View File

@@ -265,6 +265,29 @@ for mech in krb5 krb5iov spnego; do
done done
echo "======export-import-context"
for mech in krb5 krb5iov spnego spnegoiov; do
iov=""
if [ "$mech" = "krb5iov" ] ; then
mech="krb5"
iov="--iov"
fi
if [ "$mech" = "spnegoiov" ] ; then
mech="spnego"
iov="--iov"
fi
echo "${mech}: export-import-context ${iov}" ; > messages.log
${context} \
--mech-type=${mech} \
--mutual \
--export-import-context \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
done
echo "test gsskrb5_register_acceptor_identity (both positive and negative)" echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
cp ${keytabfile} ${keytabfile}.new cp ${keytabfile} ${keytabfile}.new