krb5: Add SOCKS4a test
This commit is contained in:
Nicolas Williams
+37
-21
@@ -436,7 +436,9 @@ send_stream(krb5_context context, struct host *host)
|
||||
{
|
||||
ssize_t len;
|
||||
|
||||
_krb5_debug(context, 5, "send_stream: fd=%d len=%lu", host->fd, (unsigned long)host->data.length);
|
||||
len = krb5_net_write(context, &host->fd, host->data.data, host->data.length);
|
||||
_krb5_debug(context, 5, "send_stream: wrote %ld bytes", (long)len);
|
||||
|
||||
if (len < 0)
|
||||
return errno;
|
||||
@@ -458,8 +460,13 @@ recv_stream(krb5_context context, struct host *host)
|
||||
ssize_t sret;
|
||||
int nbytes;
|
||||
|
||||
if (rk_SOCK_IOCTL(host->fd, FIONREAD, &nbytes) != 0 || nbytes <= 0)
|
||||
if (rk_SOCK_IOCTL(host->fd, FIONREAD, &nbytes) != 0 || nbytes <= 0) {
|
||||
_krb5_debug(context, 5, "recv_stream: FIONREAD failed or nbytes=%d, oldlen=%lu",
|
||||
nbytes, (unsigned long)host->data.length);
|
||||
return HEIM_NET_CONN_REFUSED;
|
||||
}
|
||||
_krb5_debug(context, 5, "recv_stream: fd=%d FIONREAD=%d oldlen=%lu",
|
||||
host->fd, nbytes, (unsigned long)host->data.length);
|
||||
|
||||
if (context->max_msg_size - host->data.length < nbytes) {
|
||||
krb5_set_error_message(context, KRB5KRB_ERR_FIELD_TOOLONG,
|
||||
@@ -476,10 +483,13 @@ recv_stream(krb5_context context, struct host *host)
|
||||
|
||||
sret = krb5_net_read(context, &host->fd, ((uint8_t *)host->data.data) + oldlen, nbytes);
|
||||
if (sret <= 0) {
|
||||
_krb5_debug(context, 5, "recv_stream: krb5_net_read returned %ld, errno=%d", (long)sret, errno);
|
||||
ret = errno;
|
||||
return ret;
|
||||
}
|
||||
host->data.length = oldlen + sret;
|
||||
_krb5_debug(context, 5, "recv_stream: read %ld bytes, total len=%lu",
|
||||
(long)sret, (unsigned long)host->data.length);
|
||||
/* zero terminate for http transport */
|
||||
((uint8_t *)host->data.data)[host->data.length] = '\0';
|
||||
|
||||
@@ -749,7 +759,10 @@ recv_tcp(krb5_context context, struct host *host, krb5_data *data)
|
||||
return -1;
|
||||
|
||||
_krb5_get_int(host->data.data, &pktlen, 4);
|
||||
|
||||
|
||||
_krb5_debug(context, 5, "recv_tcp: len=%lu pktlen=%lu",
|
||||
(unsigned long)host->data.length, pktlen);
|
||||
|
||||
if (pktlen > host->data.length - 4)
|
||||
return -1;
|
||||
|
||||
@@ -758,7 +771,7 @@ recv_tcp(krb5_context context, struct host *host, krb5_data *data)
|
||||
|
||||
*data = host->data;
|
||||
krb5_data_zero(&host->data);
|
||||
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -891,9 +904,28 @@ eval_host_state(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (readable) {
|
||||
/* check if there is anything to send */
|
||||
if (writeable && host->state == CONNECTED) {
|
||||
|
||||
debug_host(context, 5, host, "reading packet");
|
||||
ctx->stats.sent_packets++;
|
||||
|
||||
debug_host(context, 5, host, "writing packet fd=%d data_len=%lu",
|
||||
host->fd, (unsigned long)host->data.length);
|
||||
|
||||
ret = host->fun->send_fn(context, host);
|
||||
if (ret == -1) {
|
||||
/* not done yet */
|
||||
} else if (ret) {
|
||||
host_dead(context, host, "host dead, write failed");
|
||||
} else {
|
||||
host->state = WAITING_REPLY;
|
||||
return 0; /* wait for next select before reading */
|
||||
}
|
||||
}
|
||||
|
||||
if (readable && host->state == WAITING_REPLY) {
|
||||
|
||||
debug_host(context, 5, host, "reading packet fd=%d", host->fd);
|
||||
|
||||
ret = host->fun->recv_fn(context, host, &ctx->response);
|
||||
if (ret == -1) {
|
||||
@@ -907,22 +939,6 @@ eval_host_state(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
/* check if there is anything to send, state might DEAD after read */
|
||||
if (writeable && host->state == CONNECTED) {
|
||||
|
||||
ctx->stats.sent_packets++;
|
||||
|
||||
debug_host(context, 5, host, "writing packet");
|
||||
|
||||
ret = host->fun->send_fn(context, host);
|
||||
if (ret == -1) {
|
||||
/* not done yet */
|
||||
} else if (ret) {
|
||||
host_dead(context, host, "host dead, write failed");
|
||||
} else
|
||||
host->state = WAITING_REPLY;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -358,7 +358,7 @@ static void
|
||||
handleclient(int clientfd, int argc, char **argv)
|
||||
{
|
||||
struct socks4a_request req;
|
||||
struct socks4a_request reply;
|
||||
struct socks4a_reply reply;
|
||||
const char *user, *host;
|
||||
uint16_t port;
|
||||
char portstr[sizeof("65536")];
|
||||
|
||||
@@ -43,6 +43,7 @@ SCRIPT_TESTS = \
|
||||
check-httpkadmind \
|
||||
check-iprop \
|
||||
check-referral \
|
||||
check-socks \
|
||||
check-tester \
|
||||
check-uu
|
||||
|
||||
@@ -192,6 +193,11 @@ check-referral: check-referral.in Makefile
|
||||
$(chmod) +x check-referral.tmp && \
|
||||
mv check-referral.tmp check-referral
|
||||
|
||||
check-socks: check-socks.in Makefile
|
||||
$(do_subst) < $(srcdir)/check-socks.in > check-socks.tmp && \
|
||||
$(chmod) +x check-socks.tmp && \
|
||||
mv check-socks.tmp check-socks
|
||||
|
||||
check-kpasswdd: check-kpasswdd.in Makefile
|
||||
$(do_subst) < $(srcdir)/check-kpasswdd.in > check-kpasswdd.tmp && \
|
||||
$(chmod) +x check-kpasswdd.tmp && \
|
||||
@@ -360,6 +366,7 @@ CLEANFILES= \
|
||||
krb5-httpkadmind.conf \
|
||||
krb5-slave2.conf \
|
||||
krb5-slave.conf \
|
||||
krb5-socks.conf \
|
||||
krb5-weak.conf \
|
||||
krb5.conf \
|
||||
krb5.conf.keys \
|
||||
@@ -380,6 +387,7 @@ CLEANFILES= \
|
||||
sdb \
|
||||
server.keytab \
|
||||
signal \
|
||||
socksdrawer.out \
|
||||
signal2 \
|
||||
signal3 \
|
||||
tempfile \
|
||||
@@ -409,6 +417,7 @@ EXTRA_DIST = \
|
||||
check-old-heimdal-client.in \
|
||||
check-pkinit.in \
|
||||
check-referral.in \
|
||||
check-socks.in \
|
||||
check-tester.in \
|
||||
check-uu.in \
|
||||
donotexists.txt \
|
||||
|
||||
@@ -0,0 +1,176 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (c) 2025 Kungliga Tekniska Högskolan
|
||||
# (Royal Institute of Technology, Stockholm, Sweden).
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# 3. Neither the name of the Institute nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software
|
||||
# without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
|
||||
top_builddir="@top_builddir@"
|
||||
env_setup="@env_setup@"
|
||||
objdir="@objdir@"
|
||||
|
||||
. ${env_setup}
|
||||
|
||||
# Use the main krb5.conf for KDC and admin operations
|
||||
KRB5_CONFIG="${objdir}/krb5.conf"
|
||||
export KRB5_CONFIG
|
||||
|
||||
testfailed="echo test failed; cat messages.log; exit 1"
|
||||
|
||||
# If there is no useful db support compiled in, disable test
|
||||
${have_db} || exit 77
|
||||
|
||||
R=TEST.H5L.SE
|
||||
|
||||
port=@port@
|
||||
|
||||
kadmin="${kadmin} -l -A -r $R"
|
||||
kdc="${kdc} --addresses=localhost -P $port"
|
||||
socksdrawer="${top_builddir}/lib/krb5/socksdrawer"
|
||||
|
||||
cache="FILE:${objdir}/cache.krb5"
|
||||
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
|
||||
|
||||
rm -f current-db*
|
||||
rm -f out-*
|
||||
rm -f mkey.file*
|
||||
|
||||
> messages.log
|
||||
|
||||
echo "Creating database"
|
||||
${kadmin} <<EOF || exit 1
|
||||
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
|
||||
add -p foo --use-defaults foo@${R}
|
||||
EOF
|
||||
|
||||
echo "Doing database check"
|
||||
${kadmin} check ${R} || exit 1
|
||||
|
||||
echo foo > ${objdir}/foopassword
|
||||
|
||||
echo "Starting kdc"
|
||||
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
|
||||
kdcpid=`getpid kdc`
|
||||
|
||||
# First verify that kinit works without SOCKS (using main krb5.conf)
|
||||
echo "Verifying kinit works without SOCKS proxy"
|
||||
${kinit} -c ${cache} ${afs_no_afslog} --password-file=${objdir}/foopassword foo@${R} || \
|
||||
{ echo "kinit without proxy failed - test setup is broken"; cat messages.log; exit 1; }
|
||||
${kdestroy} -c ${cache} ${afs_no_unlog}
|
||||
echo "kinit without SOCKS proxy succeeded"
|
||||
|
||||
sockspid=
|
||||
|
||||
cleanup() {
|
||||
echo "Cleaning up"
|
||||
if [ -n "${kdcpid}" ]; then
|
||||
kill -9 ${kdcpid} 2>/dev/null
|
||||
fi
|
||||
if [ -n "${sockspid}" ]; then
|
||||
kill -9 ${sockspid} 2>/dev/null
|
||||
fi
|
||||
trap '' EXIT INT TERM
|
||||
cat messages.log
|
||||
exit 1
|
||||
}
|
||||
trap cleanup EXIT INT TERM
|
||||
|
||||
ec=0
|
||||
|
||||
# Start socksdrawer in the background
|
||||
# Arguments: listenport matchhost matchport matchuser host port
|
||||
# Use a fake KDC hostname (kdc.invalid) to prove the proxy is being used
|
||||
# The proxy will map kdc.invalid:54321 -> localhost:${port}
|
||||
echo "Starting socksdrawer"
|
||||
${socksdrawer} 0 kdc.invalid 54321 foo@${R} localhost ${port} > ${objdir}/socksdrawer.out &
|
||||
sockspid=$!
|
||||
sleep 1
|
||||
|
||||
# Read the port number that socksdrawer chose
|
||||
socksport=`cat ${objdir}/socksdrawer.out`
|
||||
if [ -z "${socksport}" ]; then
|
||||
echo "Failed to get SOCKS port from socksdrawer"
|
||||
ec=1
|
||||
eval "${testfailed}"
|
||||
fi
|
||||
echo "socksdrawer listening on port ${socksport}"
|
||||
|
||||
# Create krb5-socks.conf with socks4a_proxy for client operations
|
||||
# Use kdc.invalid:54321 as the KDC - this only works through the proxy
|
||||
cat > ${objdir}/krb5-socks.conf <<EOF
|
||||
[libdefaults]
|
||||
default_realm = TEST.H5L.SE
|
||||
no-addresses = TRUE
|
||||
allow_weak_crypto = false
|
||||
dns_lookup_kdc = no
|
||||
dns_lookup_realm = no
|
||||
socks4a_proxy = 127.0.0.1:${socksport}
|
||||
|
||||
[realms]
|
||||
TEST.H5L.SE = {
|
||||
kdc = tcp/kdc.invalid:54321
|
||||
}
|
||||
|
||||
[logging]
|
||||
kdc = 0-/FILE:${objdir}/messages.log
|
||||
krb5 = 0-/FILE:${objdir}/messages.log
|
||||
default = 0-/FILE:${objdir}/messages.log
|
||||
EOF
|
||||
|
||||
# Use the SOCKS-enabled config for client operations
|
||||
KRB5_CONFIG="${objdir}/krb5-socks.conf"
|
||||
export KRB5_CONFIG
|
||||
|
||||
kinit="${kinit} -c $cache ${afs_no_afslog}"
|
||||
klist="${klist} -c $cache"
|
||||
|
||||
echo "Getting initial tickets through SOCKS4a proxy"
|
||||
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
|
||||
{ ec=1; eval "${testfailed}"; }
|
||||
|
||||
echo "Verifying tickets"
|
||||
${klist} || { ec=1; eval "${testfailed}"; }
|
||||
|
||||
echo "Destroying tickets"
|
||||
${kdestroy} || { ec=1; eval "${testfailed}"; }
|
||||
|
||||
echo "Killing socksdrawer"
|
||||
kill ${sockspid} 2>/dev/null
|
||||
sockspid=
|
||||
|
||||
echo "Test that kinit fails without proxy running"
|
||||
${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
|
||||
{ echo "kinit should have failed without proxy"; ec=1; eval "${testfailed}"; }
|
||||
|
||||
echo "Killing kdc (${kdcpid})"
|
||||
sh ${leaks_kill} kdc $kdcpid || exit 1
|
||||
|
||||
trap "" EXIT
|
||||
|
||||
exit $ec
|
||||
Reference in New Issue
Block a user