Add channel-bindings tests

tests/gss/Makefile.am

@@ -2,7 +2,7 @@
 
 include $(top_srcdir)/Makefile.am.common
 
-noinst_DATA = krb5.conf mech
+noinst_DATA = krb5.conf new_clients_k5.conf mech
 
 SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
 
@@ -12,12 +12,13 @@ check_SCRIPTS = $(SCRIPT_TESTS)
 
 port = 49188
 
-do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; sed \
+do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \
 	-e 's,[@]srcdir[@],$(srcdir),g' \
 	-e "s,[@]srcdirabs[@],$${srcdirabs},g" \
 	-e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
 	-e 's,[@]port[@],$(port),g' \
-	-e 's,[@]objdir[@],$(top_builddir)/tests/gss,g'
+	-e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \
+	-e "s,[@]objdirabs[@],$${objdirabs},g"
 
 check-gss: check-gss.in Makefile
 	$(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp && \
@@ -58,6 +59,10 @@ krb5.conf: krb5.conf.in Makefile
 	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
 	mv krb5.conf.tmp krb5.conf
 
+new_clients_k5.conf: new_clients_k5.conf.in Makefile
+	$(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
+	mv new_clients_k5.conf.tmp new_clients_k5.conf
+
 mech: mech.in Makefile
 	$(do_subst) < $(srcdir)/mech.in > mech.tmp && \
 	mv mech.tmp mech
@@ -70,6 +75,7 @@ CLEANFILES= \
 	krb5ccfile-ds \
 	server.keytab \
 	krb5.conf \
+	new_clients_k5.conf \
 	mech \
 	current-db* \
 	*.log \
@@ -91,4 +97,5 @@ EXTRA_DIST = \
 	check-context.in \
 	ntlm-user-file.txt \
 	krb5.conf.in \
+	new_clients_k5.conf.in \
 	mech.in

tests/gss/check-context.in

@@ -312,6 +312,64 @@ done
 
 rm ${keytabfile}.new
 
+echo "====== test channel-bindings."
+
+for mech in krb5 spnego; do
+	echo "${mech}: initiator only bindings" ; > messages.log
+	${context} -v --i-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+		{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+	echo "${mech}: acceptor only bindings" ; > messages.log
+	${context} -v --a-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+		{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+	echo "${mech}: matching bindings" ; > messages.log
+	${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+		{ echo "no channel-bound flag"; eval "$testfailed"; }
+
+	echo "${mech}: non matching bindings" ; > messages.log
+	${context} --i-channel-bindings=abc --a-channel-bindings=xyz \
+		--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+		{ eval "$testfailed"; }
+
+	echo "${mech}: initiator only bindings (client-aware)" ; > messages.log
+	KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+		--i-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+		{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+	echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log
+	KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
+		--a-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+		{ eval "$testfailed"; }
+
+	echo "${mech}: matching bindings (client-aware)" ; > messages.log
+	KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+		--i-channel-bindings=abc --a-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+		{ echo "no channel-bound flag"; eval "$testfailed"; }
+
+	echo "${mech}: non matching bindings (client-aware)" ; > messages.log
+	KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
+		--i-channel-bindings=abc --a-channel-bindings=xyz \
+		--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+		{ eval "$testfailed"; }
+
+done
 
 #echo "sasl-digest-md5"
 #${context}  --mech-type=sasl-digest-md5 \

tests/gss/check-negoex.in

@@ -196,7 +196,8 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
 	${context} --mech-type=${mech} \
 	    --anonymous \
 	    --ret-mech-type=sanon-x25519 \
-	    --channel-bindings=negoex_sanon_test_h5l_se \
+	    --i-channel-bindings=negoex_sanon_test_h5l_se \
+	    --a-channel-bindings=negoex_sanon_test_h5l_se \
 	    --wrapunwrap ${iov} \
 	    host@lucid.test.h5l.se || \
 		{ eval "$testfailed"; }
@@ -205,7 +206,8 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
 	${context} --mech-type=${mech} \
 	    --client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \
 	    --ret-mech-type=sanon-x25519 \
-	    --channel-bindings=negoex_sanon_test_h5l_se \
+	    --i-channel-bindings=negoex_sanon_test_h5l_se \
+	    --a-channel-bindings=negoex_sanon_test_h5l_se \
 	    --wrapunwrap ${iov} \
 	    host@lucid.test.h5l.se || \
 		{ eval "$testfailed"; }
@@ -213,7 +215,8 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
 	echo "${mech} anon-acceptor ${iov}" ; > messages.log
 	${context} --mech-type=${mech} \
 	    --ret-mech-type=sanon-x25519 \
-	    --channel-bindings=negoex_sanon_test_h5l_se \
+	    --i-channel-bindings=negoex_sanon_test_h5l_se \
+	    --a-channel-bindings=negoex_sanon_test_h5l_se \
 	    --wrapunwrap ${iov} \
 	    WELLKNOWN@ANONYMOUS || \
 		{ eval "$testfailed"; }

tests/gss/new_clients_k5.conf.in

@@ -0,0 +1,4 @@
+include @objdirabs@/krb5.conf
+
+[libdefaults]
+	client_aware_channel_bindings = true