krb5 commit: Add tests for GSS IOV and AEAD interfaces
Greg Hudson
ghudson at MIT.EDU
Fri Sep 6 01:14:36 EDT 2013
https://github.com/krb5/krb5/commit/ecd91cd350b2c3880b3f967acfcb00ac1bdac154
commit ecd91cd350b2c3880b3f967acfcb00ac1bdac154
Author: Greg Hudson <ghudson at mit.edu>
Date: Wed Sep 4 14:23:27 2013 -0400
Add tests for GSS IOV and AEAD interfaces
Add a new test program t_iov.c which tests various combinations of
wrapping and unwrapping using the IOV and AEAD interfaces. Run it
with and without SPNEGO in each enctype configuration.
src/tests/gssapi/Makefile.in | 12 +-
src/tests/gssapi/deps | 4 +
src/tests/gssapi/t_gssapi.py | 5 +-
src/tests/gssapi/t_iov.c | 471 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 486 insertions(+), 6 deletions(-)
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 04cba07..b40e5b8 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -5,22 +5,22 @@ DEFINES = -DUSE_AUTOCONF_H
SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_credstore.c \
$(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \
$(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
- $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_mechs_name.c \
+ $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
$(srcdir)/t_namingexts.c $(srcdir)/t_s4u.c \
$(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
$(srcdir)/t_spnego.c
OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_credstore.o \
t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \
- t_inq_cred.o t_inq_mechs_name.o t_namingexts.o t_oid.o t_s4u.o \
- t_s4u2proxy_krb5.o t_saslname.o t_spnego.o
+ t_inq_cred.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \
+ t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o
COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
all:: ccinit ccrefresh t_accname t_ccselect t_credstore t_enctypes \
t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \
- t_inq_cred t_inq_mechs_name t_namingexts t_s4u t_s4u2proxy_krb5 \
+ t_inq_cred t_inq_mechs_name t_iov t_namingexts t_s4u t_s4u2proxy_krb5 \
t_saslname t_spnego t_oid
check-unix:: t_oid
@@ -28,7 +28,7 @@ check-unix:: t_oid
check-pytests:: ccinit ccrefresh t_accname t_ccselect t_credstore \
t_export_cred t_export_name t_imp_cred t_inq_cred t_inq_mechs_name \
- t_s4u t_s4u2proxy_krb5 t_spnego
+ t_iov t_s4u t_s4u2proxy_krb5 t_spnego
$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
@@ -62,6 +62,8 @@ t_inq_cred: t_inq_cred.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_inq_cred.o $(COMMON_LIBS)
t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS)
+t_iov: t_iov.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS)
t_namingexts: t_namingexts.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS)
t_s4u: t_s4u.o $(COMMON_DEPS)
diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps
index c576f35..2e74a2a 100644
--- a/src/tests/gssapi/deps
+++ b/src/tests/gssapi/deps
@@ -43,6 +43,10 @@ $(OUTPRE)t_inq_mechs_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
common.h t_inq_mechs_name.c
+$(OUTPRE)t_iov.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
+ common.h t_iov.c
$(OUTPRE)t_namingexts.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 5583b02..2b86d3e 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -1,9 +1,12 @@
#!/usr/bin/python
from k5test import *
-# Test krb5 negotiation under SPNEGO for all enctype configurations.
+# Test krb5 negotiation under SPNEGO for all enctype configurations. Also
+# test IOV wrap/unwrap with and without SPNEGO.
for realm in multipass_realms():
realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab])
+ realm.run(['./t_iov', 'p:' + realm.host_princ])
+ realm.run(['./t_iov', '-s', 'p:' + realm.host_princ])
### Test acceptor name behavior.
diff --git a/src/tests/gssapi/t_iov.c b/src/tests/gssapi/t_iov.c
new file mode 100644
index 0000000..8a74b4e
--- /dev/null
+++ b/src/tests/gssapi/t_iov.c
@@ -0,0 +1,471 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/t_iov.c - Test program for IOV functions */
+/*
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stddef.h>
+#include "common.h"
+
+/* Release all library-allocated buffers in iov. */
+static void
+release_iov(gss_iov_buffer_desc *iov, size_t len)
+{
+ OM_uint32 minor;
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ if (GSS_IOV_BUFFER_FLAGS(iov[i].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED)
+ (void)gss_release_buffer(&minor, &iov[i].buffer);
+ }
+}
+
+/* Concatenate iov (except for sign-only buffers) into a contiguous token. */
+static void
+concat_iov(gss_iov_buffer_desc *iov, size_t iovlen, char **buf_out,
+ size_t *len_out)
+{
+ size_t len, i;
+ char *buf;
+
+ /* Concatenate the result into a contiguous buffer. */
+ len = 0;
+ for (i = 0; i < iovlen; i++) {
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) != GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
+ len += iov[i].buffer.length;
+ }
+ buf = malloc(len);
+ if (buf == NULL)
+ errout("malloc failed");
+ len = 0;
+ for (i = 0; i < iovlen; i++) {
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
+ continue;
+ memcpy(buf + len, iov[i].buffer.value, iov[i].buffer.length);
+ len += iov[i].buffer.length;
+ }
+ *buf_out = buf;
+ *len_out = len;
+}
+
+static void
+check_encrypted(const char *msg, int conf, const char *buf, const char *plain)
+{
+ int same = memcmp(buf, plain, strlen(plain)) == 0;
+
+ if ((conf && same) || (!conf && !same))
+ errout(msg);
+}
+
+/*
+ * Wrap str in standard form (HEADER | DATA | PADDING | TRAILER) using the
+ * caller-provided array iov, which must have space for four elements. Library
+ * allocation will be used for the header/padding/trailer buffers, so the
+ * caller must check and free them.
+ */
+static void
+wrap_std(gss_ctx_id_t ctx, char *str, gss_iov_buffer_desc *iov, int conf)
+{
+ OM_uint32 minor, major;
+ int oconf;
+
+ /* Lay out iov array. */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.value = str;
+ iov[1].buffer.length = strlen(str);
+ iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+
+ /* Wrap. This will allocate header/padding/trailer buffers as necessary
+ * and encrypt str in place. */
+ major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 4);
+ check_gsserr("gss_wrap_iov(std)", major, minor);
+ if (oconf != conf)
+ errout("gss_wrap_iov(std) conf");
+}
+
+/* Create standard tokens using gss_wrap_iov and ctx1, and make sure we can
+ * unwrap them using ctx2 in all of the supported ways. */
+static void
+test_standard_wrap(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf)
+{
+ OM_uint32 major, minor;
+ gss_iov_buffer_desc iov[4], stiov[2];
+ gss_qop_t qop;
+ gss_buffer_desc input, output;
+ const char *string1 = "The swift brown fox jumped over the lazy dog.";
+ const char *string2 = "Now is the time!";
+ const char *string3 = "x";
+ const char *string4 = "!@#";
+ char data[1024], *fulltoken;
+ size_t len;
+ int oconf;
+ ptrdiff_t offset;
+
+ /* Wrap a standard token and unwrap it using the iov array. */
+ memcpy(data, string1, strlen(string1) + 1);
+ wrap_std(ctx1, data, iov, conf);
+ check_encrypted("gss_wrap_iov(std1) encryption", conf, data, string1);
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4);
+ check_gsserr("gss_unwrap_iov(std1)", major, minor);
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(std1) conf/qop");
+ if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(string1))
+ errout("gss_unwrap_iov(std1) data buffer");
+ if (memcmp(data, string1, iov[1].buffer.length) != 0)
+ errout("gss_unwrap_iov(std1) decryption");
+ release_iov(iov, 4);
+
+ /* Wrap a standard token and unwrap it using gss_unwrap(). */
+ memcpy(data, string2, strlen(string2) + 1);
+ wrap_std(ctx1, data, iov, conf);
+ concat_iov(iov, 4, &fulltoken, &len);
+ input.value = fulltoken;
+ input.length = len;
+ major = gss_unwrap(&minor, ctx2, &input, &output, &oconf, &qop);
+ check_gsserr("gss_unwrap(std2)", major, minor);
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap(std2) conf/qop");
+ if (output.length != strlen(string2) ||
+ memcmp(output.value, string2, output.length) != 0)
+ errout("gss_unwrap(std2) decryption");
+ (void)gss_release_buffer(&minor, &output);
+ free(fulltoken);
+ release_iov(iov, 4);
+
+ /* Wrap a standard token and unwrap it using a stream buffer. */
+ memcpy(data, string3, strlen(string3) + 1);
+ wrap_std(ctx1, data, iov, conf);
+ concat_iov(iov, 4, &fulltoken, &len);
+ stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ stiov[0].buffer.value = fulltoken;
+ stiov[0].buffer.length = len;
+ stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2);
+ check_gsserr("gss_unwrap_iov(std3)", major, minor);
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(std3) conf/qop");
+ if (stiov[1].buffer.length != strlen(string3) ||
+ memcmp(stiov[1].buffer.value, string3, strlen(string3)) != 0)
+ errout("gss_unwrap_iov(std3) decryption");
+ offset = (char *)stiov[1].buffer.value - fulltoken;
+ if (offset < 0 || (size_t)offset > len)
+ errout("gss_unwrap_iov(std3) offset");
+ free(fulltoken);
+ release_iov(iov, 4);
+
+ /* Wrap a token using gss_wrap and unwrap it using a stream buffer with
+ * allocation and copying. */
+ input.value = (char *)string4;
+ input.length = strlen(string4);
+ major = gss_wrap(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &input, &oconf,
+ &output);
+ check_gsserr("gss_wrap(std4)", major, minor);
+ if (oconf != conf)
+ errout("gss_wrap(std4) conf");
+ stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ stiov[0].buffer = output;
+ stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2);
+ check_gsserr("gss_unwrap_iov(std4)", major, minor);
+ if (!(GSS_IOV_BUFFER_FLAGS(stiov[1].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED))
+ errout("gss_unwrap_iov(std4) allocated");
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(std4) conf/qop");
+ if (stiov[1].buffer.length != strlen(string4) ||
+ memcmp(stiov[1].buffer.value, string4, strlen(string4)) != 0)
+ errout("gss_unwrap_iov(std4) decryption");
+ (void)gss_release_buffer(&minor, &output);
+ release_iov(stiov, 2);
+}
+
+/*
+ * Wrap an AEAD token (HEADER | SIGN_ONLY | DATA | PADDING | TRAILER) using the
+ * caller-provided array iov, which must have space for five elements, and the
+ * caller-provided buffer data, which must be big enough to handle the test
+ * inputs. Library allocation will not be used.
+ */
+static void
+wrap_aead(gss_ctx_id_t ctx, const char *sign, const char *wrap,
+ gss_iov_buffer_desc *iov, char *data, int conf)
+{
+ OM_uint32 major, minor;
+ int oconf;
+ char *ptr;
+
+ /* Lay out iov array. */
+ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[1].buffer.value = (char *)sign;
+ iov[1].buffer.length = strlen(sign);
+ iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[2].buffer.value = (char *)wrap;
+ iov[2].buffer.length = strlen(wrap);
+ iov[3].type = GSS_IOV_BUFFER_TYPE_PADDING;
+ iov[4].type = GSS_IOV_BUFFER_TYPE_TRAILER;
+
+ /* Get header/padding/trailer lengths. */
+ major = gss_wrap_iov_length(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf,
+ iov, 5);
+ check_gsserr("gss_wrap_iov_length(aead)", major, minor);
+ if (oconf != conf)
+ errout("gss_wrap_iov_length(aead) conf");
+ if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign))
+ errout("gss_wrap_iov_length(aead) sign-only buffer");
+ if (iov[2].buffer.value != wrap || iov[2].buffer.length != strlen(wrap))
+ errout("gss_wrap_iov_length(aead) data buffer");
+
+ /* Set iov buffer pointers using returned lengths. */
+ iov[0].buffer.value = data;
+ ptr = data + iov[0].buffer.length;
+ memcpy(ptr, wrap, strlen(wrap));
+ iov[2].buffer.value = ptr;
+ ptr += iov[2].buffer.length;
+ iov[3].buffer.value = ptr;
+ ptr += iov[3].buffer.length;
+ iov[4].buffer.value = ptr;
+
+ /* Wrap the AEAD token. */
+ major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 5);
+ check_gsserr("gss_wrap_iov(aead)", major, minor);
+ if (oconf != conf)
+ errout("gss_wrap_iov(aead) conf");
+ if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign))
+ errout("gss_wrap_iov(aead) sign-only buffer");
+ if (iov[2].buffer.length != strlen(wrap))
+ errout("gss_wrap_iov(aead) data buffer");
+ check_encrypted("gss_wrap_iov(aead) encryption", conf, iov[2].buffer.value,
+ wrap);
+}
+
+/* Create AEAD tokens using gss_wrap_iov and ctx1, and make sure we can unwrap
+ * them using ctx2 in all of the supported ways. */
+static void
+test_aead(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf)
+{
+ OM_uint32 major, minor;
+ gss_iov_buffer_desc iov[5], stiov[3];
+ gss_qop_t qop;
+ gss_buffer_desc input, assoc, output;
+ const char *sign = "This data is only signed.";
+ const char *wrap = "This data is wrapped in-place.";
+ char data[1024], *fulltoken;
+ size_t len;
+ int oconf;
+ ptrdiff_t offset;
+
+ /* Wrap an AEAD token and unwrap it using the IOV array. */
+ wrap_aead(ctx1, sign, wrap, iov, data, conf);
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 5);
+ check_gsserr("gss_unwrap_iov(aead1)", major, minor);
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(aead1) conf/qop");
+ if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign))
+ errout("gss_unwrap_iov(aead1) sign-only buffer");
+ if (iov[2].buffer.length != strlen(wrap) ||
+ memcmp(iov[2].buffer.value, wrap, iov[2].buffer.length) != 0)
+ errout("gss_unwrap_iov(aead1) decryption");
+
+ /* Wrap an AEAD token and unwrap it using gss_unwrap_aead. */
+ wrap_aead(ctx1, sign, wrap, iov, data, conf);
+ concat_iov(iov, 5, &fulltoken, &len);
+ input.value = fulltoken;
+ input.length = len;
+ assoc.value = (char *)sign;
+ assoc.length = strlen(sign);
+ major = gss_unwrap_aead(&minor, ctx2, &input, &assoc, &output, &oconf,
+ &qop);
+ check_gsserr("gss_unwrap_aead(aead2)", major, minor);
+ if (output.length != strlen(wrap) ||
+ memcmp(output.value, wrap, output.length) != 0)
+ errout("gss_unwrap_aead(aead2) decryption");
+ free(fulltoken);
+ (void)gss_release_buffer(&minor, &output);
+
+ /* Wrap an AEAD token and unwrap it using a stream buffer. */
+ wrap_aead(ctx1, sign, wrap, iov, data, conf);
+ concat_iov(iov, 5, &fulltoken, &len);
+ stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ stiov[0].buffer.value = fulltoken;
+ stiov[0].buffer.length = len;
+ stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ stiov[1].buffer.value = (char *)sign;
+ stiov[1].buffer.length = strlen(sign);
+ stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3);
+ check_gsserr("gss_unwrap_iov(aead3)", major, minor);
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(aead3) conf/qop");
+ if (stiov[2].buffer.length != strlen(wrap) ||
+ memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0)
+ errout("gss_unwrap_iov(aead3) decryption");
+ offset = (char *)stiov[2].buffer.value - fulltoken;
+ if (offset < 0 || (size_t)offset > len)
+ errout("gss_unwrap_iov(aead3) offset");
+ free(fulltoken);
+ release_iov(iov, 4);
+
+ /* Wrap a token using gss_wrap_aead and unwrap it using a stream buffer
+ * with allocation and copying. */
+ input.value = (char *)wrap;
+ input.length = strlen(wrap);
+ assoc.value = (char *)sign;
+ assoc.length = strlen(sign);
+ major = gss_wrap_aead(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &assoc,
+ &input, &oconf, &output);
+ check_gsserr("gss_wrap_aead(aead4)", major, minor);
+ if (oconf != conf)
+ errout("gss_wrap(aead4) conf");
+ stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
+ stiov[0].buffer = output;
+ stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ stiov[1].buffer = assoc;
+ stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3);
+ check_gsserr("gss_unwrap_iov(aead4)", major, minor);
+ if (!(GSS_IOV_BUFFER_FLAGS(stiov[2].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED))
+ errout("gss_unwrap_iov(aead4) allocated");
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(aead4) conf/qop");
+ if (stiov[2].buffer.length != strlen(wrap) ||
+ memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0)
+ errout("gss_unwrap_iov(aead4) decryption");
+ (void)gss_release_buffer(&minor, &output);
+ release_iov(stiov, 3);
+}
+
+/* Create a DCE-style token and make sure we can unwrap it. */
+static void
+test_dce(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf)
+{
+ OM_uint32 major, minor;
+ gss_iov_buffer_desc iov[4];
+ gss_qop_t qop;
+ const char *sign1 = "First data to be signed";
+ const char *sign2 = "Second data to be signed";
+ const char *wrap = "This data must align to 16 bytes";
+ int oconf;
+ char data[1024];
+
+ /* Wrap a SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER token. */
+ memcpy(data, wrap, strlen(wrap) + 1);
+ iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[0].buffer.value = (char *)sign1;
+ iov[0].buffer.length = strlen(sign1);
+ iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[1].buffer.value = data;
+ iov[1].buffer.length = strlen(wrap);
+ iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+ iov[2].buffer.value = (char *)sign2;
+ iov[2].buffer.length = strlen(sign2);
+ iov[3].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ major = gss_wrap_iov(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &oconf, iov,
+ 4);
+ check_gsserr("gss_wrap_iov(dce)", major, minor);
+ if (oconf != conf)
+ errout("gss_wrap_iov(dce) conf");
+ if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1))
+ errout("gss_wrap_iov(dce) sign1 buffer");
+ if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap))
+ errout("gss_wrap_iov(dce) data buffer");
+ if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2))
+ errout("gss_wrap_iov(dce) sign2 buffer");
+ check_encrypted("gss_wrap_iov(dce) encryption", conf, data, wrap);
+
+ /* Make sure we can unwrap it. */
+ major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4);
+ check_gsserr("gss_unwrap_iov(std1)", major, minor);
+ if (oconf != conf || qop != GSS_C_QOP_DEFAULT)
+ errout("gss_unwrap_iov(std1) conf/qop");
+ if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1))
+ errout("gss_unwrap_iov(dce) sign1 buffer");
+ if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap))
+ errout("gss_unwrap_iov(dce) data buffer");
+ if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2))
+ errout("gss_unwrap_iov(dce) sign2 buffer");
+ if (memcmp(data, wrap, iov[1].buffer.length) != 0)
+ errout("gss_unwrap_iov(dce) decryption");
+ release_iov(iov, 4);
+}
+
+int
+main(int argc, char *argv[])
+{
+ OM_uint32 minor, flags;
+ gss_OID mech = &mech_krb5;
+ gss_name_t tname;
+ gss_ctx_id_t ictx, actx;
+
+ /* Parse arguments. */
+ argv++;
+ if (*argv != NULL && strcmp(*argv, "-s") == 0) {
+ mech = &mech_spnego;
+ argv++;
+ }
+ if (*argv == NULL || *(argv + 1) != NULL)
+ errout("Usage: t_iov [-s] targetname");
+ tname = import_name(*argv);
+
+ flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
+ establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname,
+ flags, &ictx, &actx, NULL, NULL, NULL);
+
+ /* Test standard token wrapping and unwrapping in both directions, with and
+ * without confidentiality. */
+ test_standard_wrap(ictx, actx, 0);
+ test_standard_wrap(ictx, actx, 1);
+ test_standard_wrap(actx, ictx, 0);
+ test_standard_wrap(actx, ictx, 1);
+
+ /* Test AEAD wrapping. */
+ test_aead(ictx, actx, 0);
+ test_aead(ictx, actx, 1);
+ test_aead(actx, ictx, 0);
+ test_aead(actx, ictx, 1);
+
+ /* Test DCE wrapping with DCE-style contexts. */
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DCE_STYLE;
+ establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname,
+ flags, &ictx, &actx, NULL, NULL, NULL);
+ test_dce(ictx, actx, 0);
+ test_dce(ictx, actx, 1);
+ test_dce(actx, ictx, 0);
+ test_dce(actx, ictx, 1);
+
+ (void)gss_release_name(&minor, &tname);
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ return 0;
+}
More information about the cvs-krb5
mailing list