krb5 commit: Add tests for GSS cred export and import

Greg Hudson ghudson at MIT.EDU
Tue Sep 11 01:19:11 EDT 2012


https://github.com/krb5/krb5/commit/285374977d233bbdfcdfaaf8642dbc554e3058fe
commit 285374977d233bbdfcdfaaf8642dbc554e3058fe
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Aug 22 14:49:33 2012 -0400

    Add tests for GSS cred export and import
    
    ticket: 7354

 .gitignore                        |    1 +
 src/tests/gssapi/Makefile.in      |   12 ++-
 src/tests/gssapi/t_export_cred.c  |  214 +++++++++++++++++++++++++++++++++++++
 src/tests/gssapi/t_export_cred.py |   50 +++++++++
 4 files changed, 273 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7a12334..47af087 100644
--- a/.gitignore
+++ b/.gitignore
@@ -262,6 +262,7 @@ testlog
 /src/tests/gssapi/ccrefresh
 /src/tests/gssapi/t_accname
 /src/tests/gssapi/t_ccselect
+/src/tests/gssapi/t_export_cred
 /src/tests/gssapi/t_gssexts
 /src/tests/gssapi/t_imp_cred
 /src/tests/gssapi/t_imp_name
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 0ad730f..35ff010 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -11,17 +11,19 @@ SRCS=	$(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_imp_cred.c \
 
 OBJS=	t_accname.o t_ccselect.o t_imp_cred.o t_imp_name.o t_s4u.o \
 	t_s4u2proxy_krb5.o t_namingexts.o t_gssexts.o t_spnego.o t_saslname.o \
-	t_credstore.o t_export_name.o
+	t_credstore.o t_export_name.o t_export_cred.o
 
 all:: t_accname t_ccselect t_imp_cred t_imp_name t_s4u t_s4u2proxy_krb5 \
-	t_namingexts t_gssexts t_spnego t_saslname t_credstore t_export_name
+	t_namingexts t_gssexts t_spnego t_saslname t_credstore t_export_name \
+	t_export_cred
 
 check-pytests:: t_accname t_ccselect t_imp_cred t_inq_cred t_spnego \
-	t_s4u2proxy_krb5 t_s4u t_export_name ccinit ccrefresh
+	t_s4u2proxy_krb5 t_s4u t_export_name t_export_cred ccinit ccrefresh
 	$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS)
 
 ccinit: ccinit.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS)
@@ -53,8 +55,10 @@ t_credstore: t_credstore.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_credstore t_credstore.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 t_export_name: t_export_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ t_export_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
+t_export_cred: t_export_cred.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $@ t_export_cred.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 
 clean::
 	$(RM) t_accname t_ccselect t_imp_cred t_imp_name t_inq_cred t_s4u \
 		t_s4u2proxy_krb5 t_namingexts t_gssexts t_spnego \
-		t_saslname t_credstore t_export_name
+		t_saslname t_credstore t_export_name t_export_cred
diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
new file mode 100644
index 0000000..f7ddbc7
--- /dev/null
+++ b/src/tests/gssapi/t_export_cred.c
@@ -0,0 +1,214 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright 2011 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include <gssapi/gssapi_krb5.h>
+
+static gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" };
+static gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" };
+static gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 };
+static gss_OID_set_desc mechset_spnego = { 1, &mech_spnego };
+
+static void
+display_status_1(const char *m, OM_uint32 code, int type)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc msg;
+    OM_uint32 msg_ctx;
+
+    msg_ctx = 0;
+    while (1) {
+        maj_stat = gss_display_status(&min_stat, code,
+                                      type, GSS_C_NULL_OID,
+                                      &msg_ctx, &msg);
+        fprintf(stderr, "%s: %s\n", m, (char *)msg.value);
+        (void) gss_release_buffer(&min_stat, &msg);
+
+        if (!msg_ctx)
+            break;
+    }
+}
+
+/* If maj_stat indicates an error, display an error message (containing msg)
+ * and exit. */
+static void
+check_gsserr(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
+{
+    if (GSS_ERROR(maj_stat)) {
+        display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
+        display_status_1(msg, min_stat, GSS_C_MECH_CODE);
+        exit(1);
+    }
+}
+
+/* Display an error message and exit. */
+static void
+errout(const char *msg)
+{
+    fprintf(stderr, "%s\n", msg);
+    exit(1);
+}
+
+/* Import a GSSAPI name based on a string of the form 'u:username',
+ * 'p:principalname', or 'h:host at service' (or just 'h:service'). */
+static gss_name_t
+import_name(const char *str)
+{
+    OM_uint32 major, minor;
+    gss_name_t name;
+    gss_buffer_desc buf;
+    gss_OID nametype = NULL;
+
+    if (*str == 'u')
+        nametype = GSS_C_NT_USER_NAME;
+    else if (*str == 'p')
+        nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
+    else if (*str == 'h')
+        nametype = GSS_C_NT_HOSTBASED_SERVICE;
+    if (nametype == NULL || str[1] != ':')
+        errout("names must begin with u: or p: or h:");
+    buf.value = (char *)str + 2;
+    buf.length = strlen(str) - 2;
+    major = gss_import_name(&minor, &buf, nametype, &name);
+    check_gsserr("gss_import_name", major, minor);
+    return name;
+}
+
+/* Display a usage error message and exit. */
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: t_export_cred [-k|-s] [-i initiatorname] "
+            "[-a acceptorname] targetname\n");
+    exit(1);
+}
+
+/* Export *cred to a token, then release *cred and replace it by re-importing
+ * the token. */
+static void
+export_import_cred(gss_cred_id_t *cred)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc buf;
+
+    major = gss_export_cred(&minor, *cred, &buf);
+    check_gsserr("gss_export_cred", major, minor);
+    (void)gss_release_cred(&minor, cred);
+    major = gss_import_cred(&minor, &buf, cred);
+    check_gsserr("gss_import_cred", major, minor);
+    (void)gss_release_buffer(&minor, &buf);
+}
+
+int
+main(int argc, char *argv[])
+{
+    OM_uint32 major, minor, flags;
+    gss_name_t initiator_name = GSS_C_NO_NAME, acceptor_name = GSS_C_NO_NAME;
+    gss_name_t target_name;
+    gss_cred_id_t initiator_cred, acceptor_cred, delegated_cred;
+    gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
+    gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT;
+    gss_OID mech = GSS_C_NO_OID;
+    gss_OID_set mechs = GSS_C_NO_OID_SET;
+    gss_buffer_desc token, tmp;
+    char optchar;
+
+    /* Parse arguments. */
+    argv++;
+    while (*argv != NULL && **argv == '-') {
+        optchar = (*argv)[1];
+        argv++;
+        if (optchar == 'i') {
+            if (*argv == NULL)
+                usage();
+            initiator_name = import_name(*argv++);
+        } else if (optchar == 'a') {
+            if (*argv == NULL)
+                usage();
+            acceptor_name = import_name(*argv++);
+        } else if (optchar == 'k') {
+            mech = &mech_krb5;
+            mechs = &mechset_krb5;
+        } else if (optchar == 's') {
+            mech = &mech_spnego;
+            mechs = &mechset_spnego;
+        } else {
+            usage();
+        }
+    }
+    if (*argv == NULL || *(argv + 1) != NULL)
+        usage();
+    target_name = import_name(argv[0]);
+
+    /* Get initiator cred and export/import it. */
+    major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE, mechs,
+                             GSS_C_INITIATE, &initiator_cred, NULL, NULL);
+    check_gsserr("gss_acquire_cred(initiator)", major, minor);
+    export_import_cred(&initiator_cred);
+
+    /* Get acceptor cred and export/import it. */
+    major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE, mechs,
+                             GSS_C_ACCEPT, &acceptor_cred, NULL, NULL);
+    check_gsserr("gss_acquire_cred(acceptor)", major, minor);
+    export_import_cred(&acceptor_cred);
+
+    /* Initiate and accept a security context (one-token exchange only),
+     * delegating credentials. */
+    flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+        GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+    major = gss_init_sec_context(&minor, initiator_cred, &initiator_context,
+                                 target_name, mech, flags, GSS_C_INDEFINITE,
+                                 GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
+                                 NULL, &token, NULL, NULL);
+    check_gsserr("gss_init_sec_context", major, minor);
+
+    major = gss_accept_sec_context(&minor, &acceptor_context, acceptor_cred,
+                                   &token, GSS_C_NO_CHANNEL_BINDINGS,
+                                   NULL, NULL, &tmp, NULL, NULL,
+                                   &delegated_cred);
+    check_gsserr("gss_accept_sec_context", major, minor);
+
+    /* Import, release, export, and store delegated creds */
+    export_import_cred(&delegated_cred);
+    major = gss_store_cred(&minor, delegated_cred, GSS_C_INITIATE,
+                           GSS_C_NULL_OID, 1, 1, NULL, NULL);
+    check_gsserr("gss_store_cred", major, minor);
+
+    (void)gss_release_name(&minor, &initiator_name);
+    (void)gss_release_name(&minor, &acceptor_name);
+    (void)gss_release_name(&minor, &target_name);
+    (void)gss_release_cred(&minor, &initiator_cred);
+    (void)gss_release_cred(&minor, &acceptor_cred);
+    (void)gss_release_cred(&minor, &delegated_cred);
+    (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
+    (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
+    (void)gss_release_buffer(&minor, &token);
+    (void)gss_release_buffer(&minor, &tmp);
+    return 0;
+}
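Review bot: In display_status_1 the major status returned by gss_display_status (the `maj_stat = gss_display_status(...)` call) is stored but never examined, so a failed lookup leaves `msg` unset and the following `fprintf` reads an uninitialized `msg.value`, with the loop terminating only if `msg_ctx` happens to be zero. Adding `if (GSS_ERROR(maj_stat)) break;` directly after the call closes that path. Printing the buffer with `%s` also assumes NUL termination, which gss_buffer_desc does not promise; `fprintf(stderr, "%s: %.*s\n", m, (int)msg.length, (char *)msg.value);` bounds the read to `msg.length` instead. Separately, `<ctype.h>` does not appear to be used anywhere in the file and can be dropped.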
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
new file mode 100644
index 0000000..3f7b657
--- /dev/null
+++ b/src/tests/gssapi/t_export_cred.py
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+from k5test import *
+
+# Test gss_export_cred and gss_import_cred.
+
+# Make up a filename to hold user's initial credentials.
+def ccache_savefile(realm):
+    return os.path.join(realm.testdir, 'ccache.copy')
+
+# Move user's initial credentials into the save file.
+def ccache_save(realm):
+    os.rename(realm.ccache, ccache_savefile(realm))
+
+# Copy user's initial credentials from the save file into the ccache.
+def ccache_restore(realm):
+    shutil.copyfile(ccache_savefile(realm), realm.ccache)
+
+# Run t_export_cred with the saved ccache and verify that it stores a
+# forwarded cred into the default ccache.
+def check(realm, args):
+    ccache_restore(realm)
+    realm.run_as_client(['./t_export_cred'] + args)
+    output = realm.run_as_client([klist, '-f'])
+    if 'Flags: Ff' not in output:
+        fail('Forwarded tickets not found in ccache after t_export_cred')
+
+# Check a given set of arguments with no specified mech and with krb5
+# and SPNEGO as the specified mech.
+def check_mechs(realm, args):
+    check(realm, args)
+    check(realm, ['-k'] + args)
+    check(realm, ['-s'] + args)
+
+# Make a realm, get forwardable tickets, and save a copy for each test.
+realm = K5Realm(get_creds=False)
+realm.kinit(realm.user_princ, password('user'), ['-f'])
+ccache_save(realm)
+
+# Test with default initiator and acceptor cred.
+tname = 'p:' + realm.host_princ
+check_mechs(realm, [tname])
+
+# Test with principal-named initiator and acceptor cred.
+iname = 'p:' + realm.user_princ
+check_mechs(realm, ['-i', iname, '-a', tname, tname])
+
+# Test with host-based acceptor cred.
+check_mechs(realm, ['-a', 'h:host', tname])
+
+success('gss_export_cred/gss_import_cred tests')
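Review bot: The assertion in `check` (`if 'Flags: Ff' not in output`) only shows that some forwarded ticket is present in the default ccache; it relies on `ccache_restore` having just reset the ccache to the `kinit -f` copy, which presumably holds forwardable (F) but not yet forwarded (f) tickets, and that dependency is not stated anywhere. A comment on the check would make the invariant explicit, e.g. `# The restored ccache holds only the kinit -f tickets (F, not f), so a 'Ff' entry can only come from the cred t_export_cred stored.` Without it, a later change that saves a ccache already containing forwarded tickets would make the test pass vacuously.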

