From d83321fdf395692d73fe8328b3d11690741dc3b5 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Sun, 17 May 2020 23:47:46 +0200
Subject: [PATCH] Add channel-bindings tests
---
 lib/gssapi/test_context.c | 35 +++++++++++++------
 tests/gss/Makefile.am | 13 +++++--
 tests/gss/check-context.in | 58 ++++++++++++++++++++++++++++++++
 tests/gss/check-negoex.in | 9 +++--
 tests/gss/new_clients_k5.conf.in | 4 +++
 5 files changed, 102 insertions(+), 17 deletions(-)
 create mode 100644 tests/gss/new_clients_k5.conf.in
diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c
index fba8df07e..acf93c265 100644
--- a/lib/gssapi/test_context.c
+++ b/lib/gssapi/test_context.c
@@ -72,7 +72,8 @@ static char *limit_enctype_string = NULL;
 static int version_flag = 0;
 static int verbose_flag = 0;
 static int help_flag = 0;
-static char *channel_bindings = NULL;
+static char *i_channel_bindings = NULL;
+static char *a_channel_bindings = NULL;
 static krb5_context context;
 static krb5_enctype limit_enctype = 0;
@@ -172,8 +173,10 @@ loop(gss_OID mechoid,
 OM_uint32 flags = 0, ret_cflags, ret_sflags;
 gss_OID actual_mech_client;
 gss_OID actual_mech_server;
- struct gss_channel_bindings_struct channel_bindings_data;
- gss_channel_bindings_t channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
+ struct gss_channel_bindings_struct i_channel_bindings_data = {0};
+ struct gss_channel_bindings_struct a_channel_bindings_data = {0};
+ gss_channel_bindings_t i_channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
+ gss_channel_bindings_t a_channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
 *actual_mech = GSS_C_NO_OID;
@@ -205,10 +208,15 @@ loop(gss_OID mechoid,
 input_token.length = 0;
 input_token.value = NULL;
- if (channel_bindings) {
- channel_bindings_data.application_data.length = strlen(channel_bindings);
- channel_bindings_data.application_data.value = channel_bindings;
- channel_bindings_p = &channel_bindings_data;
+ if (i_channel_bindings) {
+ i_channel_bindings_data.application_data.length = strlen(i_channel_bindings);
+ i_channel_bindings_data.application_data.value = i_channel_bindings;
+ i_channel_bindings_p = &i_channel_bindings_data;
+ }
+ if (a_channel_bindings) {
+ a_channel_bindings_data.application_data.length = strlen(a_channel_bindings);
+ a_channel_bindings_data.application_data.value = a_channel_bindings;
+ a_channel_bindings_p = &a_channel_bindings_data;
 }
 while (!server_done || !client_done) {
@@ -223,7 +231,7 @@ loop(gss_OID mechoid,
 mechoid,
 flags,
 0,
- channel_bindings_p,
+ i_channel_bindings_p,
 &input_token,
 &actual_mech_client,
 &output_token,
@@ -251,7 +259,7 @@ loop(gss_OID mechoid,
 sctx,
 GSS_C_NO_CREDENTIAL,
 &output_token,
- channel_bindings_p,
+ a_channel_bindings_p,
 &src_name,
 &actual_mech_server,
 &input_token,
@@ -342,7 +350,7 @@ loop(gss_OID mechoid,
 printf("server time offset: %d\n", server_time_offset);
 printf("client time offset: %d\n", client_time_offset);
 printf("num loops %d\n", num_loops);
- printf("flags: ");
+ printf("cflags: ");
 if (ret_cflags & GSS_C_DELEG_FLAG)
 printf("deleg ");
 if (ret_cflags & GSS_C_MUTUAL_FLAG)
@@ -370,6 +378,10 @@ loop(gss_OID mechoid,
 if (ret_cflags & GSS_C_DELEG_POLICY_FLAG)
 printf("deleg-policy " );
 printf("\n");
+ printf("sflags: ");
+ if (ret_sflags & GSS_C_CHANNEL_BOUND_FLAG)
+ printf("channel-bound " );
+ printf("\n");
 }
 }
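Review bot: The new `sflags:` line at the end of loop() reports only GSS_C_CHANNEL_BOUND_FLAG, so everything else the acceptor returned in ret_sflags (deleg, mutual and the rest of the set the `cflags:` chain above prints) is dropped from the verbose output, which makes the two lines non-comparable when debugging a flag mismatch between sides. Mirroring the same `if (ret_sflags & …) printf(…)` chain for the acceptor would keep the log symmetric; alternatively, since channel binding is the property under test, test_context could exit non-zero when both `--i-channel-bindings` and `--a-channel-bindings` were given and the flag is absent, instead of leaving that check to greps in the shell scripts. Note also that the `flags:` to `cflags:` rename means a plain `grep "flags:"` now matches both lines — worth checking any existing script that matched the old label, though none is visible here. loop() starts and ends outside this hunk.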
@@ -668,7 +680,8 @@ static struct getargs args[] = {
 {"client-name", 0, arg_string, &client_name, "client name", NULL },
 {"client-password", 0, arg_string, &client_password, "client password", NULL },
 {"anonymous", 0, arg_flag, &anon_flag, "anonymous auth", NULL },
- {"channel-bindings", 0, arg_string, &channel_bindings, "channel binding data", NULL },
+ {"i-channel-bindings", 0, arg_string, &i_channel_bindings, "initiator channel binding data", NULL },
+ {"a-channel-bindings", 0, arg_string, &a_channel_bindings, "acceptor channel binding data", NULL },
 {"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL },
 {"dce-style",0, arg_flag, &dce_style_flag, "dce-style", NULL },
 {"wrapunwrap",0, arg_flag, &wrapunwrap_flag, "wrap/unwrap", NULL },
diff --git a/tests/gss/Makefile.am b/tests/gss/Makefile.am
index e7c67faf5..ca40ae26b 100644
--- a/tests/gss/Makefile.am
+++ b/tests/gss/Makefile.am
@@ -2,7 +2,7 @@
 include $(top_srcdir)/Makefile.am.common
-noinst_DATA = krb5.conf mech
+noinst_DATA = krb5.conf new_clients_k5.conf mech
 SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
@@ -12,12 +12,13 @@ check_SCRIPTS = $(SCRIPT_TESTS)
 port = 49188
-do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; sed \
+do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \
 -e 's,[@]srcdir[@],$(srcdir),g' \
 -e "s,[@]srcdirabs[@],$${srcdirabs},g" \
 -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
 -e 's,[@]port[@],$(port),g' \
- -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g'
+ -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \
+ -e "s,[@]objdirabs[@],$${objdirabs},g"
 check-gss: check-gss.in Makefile
 $(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp && \
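Review bot: In the do_subst change, `objdirabs=`pwd`` depends on the recipe's working directory at expansion time, whereas automake already provides `$(abs_builddir)` (and `$(abs_srcdir)` for the existing srcdirabs), so `-e 's,[@]objdirabs[@],$(abs_builddir),g'` would drop the shell round-trip and the double-quoted `$${objdirabs}` escape. Both the old and the new substitution also use `,` as the sed delimiter, so a build directory whose path contains a comma breaks the expression — a pre-existing issue, but this hunk adds a second instance of it. On the test_context side, `--channel-bindings` is removed outright rather than kept as an alias that sets both sides, so any out-of-tree invocation using the old option now fails option parsing; check-negoex.in is updated here, but a deprecated `{"channel-bindings", …}` entry feeding both i_ and a_ would be backward compatible. The getargs table and the do_subst definition both continue outside these hunks.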
@@ -58,6 +59,10 @@ krb5.conf: krb5.conf.in Makefile
 $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
 mv krb5.conf.tmp krb5.conf
+new_clients_k5.conf: new_clients_k5.conf.in Makefile
+ $(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
+ mv new_clients_k5.conf.tmp new_clients_k5.conf
+
 mech: mech.in Makefile
 $(do_subst) < $(srcdir)/mech.in > mech.tmp && \
 mv mech.tmp mech
@@ -70,6 +75,7 @@ CLEANFILES= \
 krb5ccfile-ds \
 server.keytab \
 krb5.conf \
+ new_clients_k5.conf \
 mech \
 current-db* \
 *.log \
@@ -91,4 +97,5 @@ EXTRA_DIST = \
 check-context.in \
 ntlm-user-file.txt \
 krb5.conf.in \
+ new_clients_k5.conf.in \
 mech.in
diff --git a/tests/gss/check-context.in b/tests/gss/check-context.in
index 6d5d91352..699e373e6 100644
--- a/tests/gss/check-context.in
+++ b/tests/gss/check-context.in
@@ -312,6 +312,64 @@ done rm ${keytabfile}.new +echo "====== test channel-bindings." + +for mech in krb5 spnego; do + echo "${mech}: initiator only bindings" ; > messages.log + ${context} -v --i-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ + { echo "channel-bound flag unexpected"; eval "$testfailed"; } + + echo "${mech}: acceptor only bindings" ; > messages.log + ${context} -v --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ + { echo "channel-bound flag unexpected"; eval "$testfailed"; } + + echo "${mech}: matching bindings" ; > messages.log + ${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ + { echo "no channel-bound flag"; eval "$testfailed"; } + + echo "${mech}: non matching bindings" ; > messages.log + ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } + + echo "${mech}: initiator only bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ + --i-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ + { echo "channel-bound flag unexpected"; eval "$testfailed"; } + + echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ + --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } + + echo "${mech}: matching bindings 
(client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ + --i-channel-bindings=abc --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ + { echo "no channel-bound flag"; eval "$testfailed"; } + + echo "${mech}: non matching bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ + --i-channel-bindings=abc --a-channel-bindings=xyz \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } + +done #echo "sasl-digest-md5" #${context} --mech-type=sasl-digest-md5 \ diff --git a/tests/gss/check-negoex.in b/tests/gss/check-negoex.in index c4b9b3907..0408bcc1a 100644 --- a/tests/gss/check-negoex.in +++ b/tests/gss/check-negoex.in @@ -196,7 +196,8 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do ${context} --mech-type=${mech} \ --anonymous \ --ret-mech-type=sanon-x25519 \ - --channel-bindings=negoex_sanon_test_h5l_se \ + --i-channel-bindings=negoex_sanon_test_h5l_se \ + --a-channel-bindings=negoex_sanon_test_h5l_se \ --wrapunwrap ${iov} \ host@lucid.test.h5l.se || \ { eval "$testfailed"; } @@ -205,7 +206,8 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do ${context} --mech-type=${mech} \ --client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \ --ret-mech-type=sanon-x25519 \ - --channel-bindings=negoex_sanon_test_h5l_se \ + --i-channel-bindings=negoex_sanon_test_h5l_se \ + --a-channel-bindings=negoex_sanon_test_h5l_se \ --wrapunwrap ${iov} \ host@lucid.test.h5l.se || \ { eval "$testfailed"; } 
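Review bot: The `acceptor only bindings` case (the non-client-aware one) expects the context to succeed with no `channel-bound` flag, which encodes the compatibility rule that acceptor-supplied bindings are not enforced against an initiator that sent none; that is a deliberate, security-relevant choice and the script should say so, e.g. `# legacy initiators that send no bindings are still accepted; an acceptor must check GSS_C_CHANNEL_BOUND_FLAG rather than infer binding from success` above the `for mech` loop. The contrast with the `(client-aware)` variant, where the same inputs must fail, is the whole point of the new_clients_k5.conf runs and deserves a one-line comment as well. In the three negative cases `2>/dev/null` discards test_context's diagnostics, so an unexpected success leaves nothing in cbinding.log or messages.log to explain it; `> cbinding.log 2>&1` keeps the evidence while the `&& { eval "$testfailed"; }` check stays as is. The `grep "channel-bound"` substring match is fine only as long as that is the sole flag printed on the `sflags:` line. The enclosing shell script continues outside this hunk.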
@@ -213,7 +215,8 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
 echo "${mech} anon-acceptor ${iov}" ; > messages.log
 ${context} --mech-type=${mech} \
 --ret-mech-type=sanon-x25519 \
- --channel-bindings=negoex_sanon_test_h5l_se \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
 --wrapunwrap ${iov} \
 WELLKNOWN@ANONYMOUS || \
 { eval "$testfailed"; }
diff --git a/tests/gss/new_clients_k5.conf.in b/tests/gss/new_clients_k5.conf.in
new file mode 100644
index 000000000..145f8dc46
--- /dev/null
+++ b/tests/gss/new_clients_k5.conf.in
@@ -0,0 +1,4 @@
+include @objdirabs@/krb5.conf
+
+[libdefaults]
+ client_aware_channel_bindings = true