krb5 commit: Adjust SPNEGO Microsoft krb5 OID tests
Greg Hudson
ghudson at mit.edu
Tue Aug 25 00:20:34 EDT 2015
https://github.com/krb5/krb5/commit/53cc103b176b2141fbe4b92b433a516ac06a1ff4
commit 53cc103b176b2141fbe4b92b433a516ac06a1ff4
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Aug 21 12:26:17 2015 -0400
Adjust SPNEGO Microsoft krb5 OID tests
In the Microsoft krb5 OID tests in t_spnego.c, use the proper krb5 OID
for the framing of the mech token, which better reflects the behavior
of Microsoft clients that use the wrong OID. Move the test to a
separate function and run it twice, once with an acceptor cred and
once without.
Also add a comment noting that the reselection test no longer
exercises what it was designed to. We can't really fix that until we
add gss_acquire_cred_with_cred() or similar.
src/tests/gssapi/t_spnego.c | 120 ++++++++++++++++++++++++++-----------------
1 files changed, 72 insertions(+), 48 deletions(-)
diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c
index 8ab6e25..80df1bf 100644
--- a/src/tests/gssapi/t_spnego.c
+++ b/src/tests/gssapi/t_spnego.c
@@ -135,6 +135,63 @@ create_mskrb5_spnego_token(gss_buffer_t ktok, gss_buffer_desc *tok_out)
tok_out->length = len;
}
+/*
+ * Test that the SPNEGO acceptor code accepts and properly reflects back the
+ * erroneous Microsoft mech OID in the supportedMech field of the NegTokenResp
+ * message. Use acred as the verifier cred handle.
+ */
+static void
+test_mskrb_oid(gss_name_t tname, gss_cred_id_t acred)
+{
+ OM_uint32 major, minor;
+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
+ gss_buffer_desc atok = GSS_C_EMPTY_BUFFER, ktok = GSS_C_EMPTY_BUFFER, stok;
+ const unsigned char *atok_oid;
+
+ /*
+ * Our SPNEGO mech no longer acquires creds for the wrong mech OID, so we
+ * have to construct a SPNEGO token ourselves.
+ */
+ major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname,
+ &mech_krb5, 0, GSS_C_INDEFINITE,
+ GSS_C_NO_CHANNEL_BINDINGS, &atok, NULL, &ktok,
+ NULL, NULL);
+ check_gsserr("gss_init_sec_context(mskrb)", major, minor);
+ assert(major == GSS_S_COMPLETE);
+ create_mskrb5_spnego_token(&ktok, &stok);
+
+ /*
+ * Look directly at the DER encoding of the response token. Since we
+ * didn't request mutual authentication, the SPNEGO reply will contain no
+ * underlying mech token; therefore, the encoding of the correct
+ * NegotiationToken response is completely predictable:
+ *
+ * A1 14 (choice 1, length 20, meaning negTokenResp)
+ * 30 12 (sequence, length 18)
+ * A0 03 (context tag 0, length 3)
+ * 0A 01 00 (enumerated value 0, meaning accept-completed)
+ * A1 0B (context tag 1, length 11)
+ * 06 09 (object identifier, length 9)
+ * 2A 86 48 82 F7 12 01 02 02 (the erroneous krb5 OID)
+ *
+ * So we can just compare the length to 22 and the nine bytes at offset 13
+ * to the expected OID.
+ */
+ major = gss_accept_sec_context(&minor, &actx, acred, &stok,
+ GSS_C_NO_CHANNEL_BINDINGS, NULL,
+ NULL, &atok, NULL, NULL, NULL);
+ check_gsserr("gss_accept_sec_context(mskrb)", major, minor);
+ assert(atok.length == 22);
+ atok_oid = (unsigned char *)atok.value + 13;
+ assert(memcmp(atok_oid, mech_krb5_wrong.elements, 9) == 0);
+
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ (void)gss_release_buffer(&minor, &ktok);
+ (void)gss_release_buffer(&minor, &atok);
+ free(stok.value);
+}
+
int
main(int argc, char *argv[])
{
@@ -142,13 +199,11 @@ main(int argc, char *argv[])
gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL;
gss_cred_id_t initiator_cred_handle = GSS_C_NO_CREDENTIAL;
gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
- gss_buffer_desc atok = GSS_C_EMPTY_BUFFER, ktok = GSS_C_EMPTY_BUFFER, stok;
gss_ctx_id_t initiator_context, acceptor_context;
gss_name_t target_name, source_name = GSS_C_NO_NAME;
gss_OID mech = GSS_C_NO_OID;
gss_OID_desc pref_oids[2];
gss_OID_set_desc pref_mechs;
- const unsigned char *atok_oid;
if (argc < 2 || argc > 3) {
fprintf(stderr, "Usage: %s target_name [keytab]\n", argv[0]);
@@ -168,6 +223,15 @@ main(int argc, char *argv[])
&initiator_cred_handle, NULL, NULL);
check_gsserr("gss_acquire_cred(initiator)", major, minor);
+ /*
+ * The following test is designed to exercise SPNEGO reselection on the
+ * client and server. Unfortunately, it no longer does so after tickets
+ * #8217 and #8021, since SPNEGO now only acquires a single krb5 cred and
+ * there is no way to expand the underlying creds with gss_set_neg_mechs().
+ * To fix this we need gss_acquire_cred_with_cred() or some other way to
+ * turn a cred with a specifically requested mech set into a SPNEGO cred.
+ */
+
/* Make the initiator prefer IAKERB and offer krb5 as an alternative. */
pref_oids[0] = mech_iakerb;
pref_oids[1] = mech_krb5;
@@ -195,58 +259,18 @@ main(int argc, char *argv[])
display_canon_name("Source name", source_name, &mech_krb5);
display_oid("Source mech", mech);
+ /* Test acceptance of the erroneous Microsoft krb5 OID, with and without an
+ * acceptor cred. */
+ test_mskrb_oid(target_name, verifier_cred_handle);
+ test_mskrb_oid(target_name, GSS_C_NO_CREDENTIAL);
+
(void)gss_delete_sec_context(&minor, &initiator_context, NULL);
(void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
(void)gss_release_name(&minor, &source_name);
+ (void)gss_release_name(&minor, &target_name);
(void)gss_release_cred(&minor, &initiator_cred_handle);
(void)gss_release_cred(&minor, &verifier_cred_handle);
(void)gss_release_oid_set(&minor, &actual_mechs);
- /*
- * Test that the SPNEGO acceptor code properly reflects back the erroneous
- * Microsoft mech OID in the supportedMech field of the NegTokenResp
- * message. Our SPNEGO mech no longer acquires creds for the wrong mech
- * OID, so we have to construct a SPNEGO token ourselves, and then look
- * look directly at the DER encoding of the response token. If we don't
- * request mutual authentication, the SPNEGO reply will contain no
- * underlying mech token, so the encoding of the correct NegotiationToken
- * response is completely predictable:
- *
- * A1 14 (choice 1, length 20, meaning negTokenResp)
- * 30 12 (sequence, length 18)
- * A0 03 (context tag 0, length 3)
- * 0A 01 00 (enumerated value 0, meaning accept-completed)
- * A1 0B (context tag 1, length 11)
- * 06 09 (object identifier, length 9)
- * 2A 86 48 82 F7 12 01 02 02 (the erroneous krb5 OID)
- *
- * So we can just compare the length to 22 and the nine bytes at offset 13
- * to the expected OID.
- */
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
- &initiator_context, target_name,
- (gss_OID)gss_mech_krb5_wrong, flags,
- GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
- &atok, NULL, &ktok, NULL, NULL);
- check_gsserr("gss_init_sec_context", major, minor);
- assert(major == GSS_S_COMPLETE);
- create_mskrb5_spnego_token(&ktok, &stok);
-
- major = gss_accept_sec_context(&minor, &acceptor_context,
- GSS_C_NO_CREDENTIAL, &stok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL,
- NULL, &atok, NULL, NULL, NULL);
- assert(atok.length == 22);
- atok_oid = (unsigned char *)atok.value + 13;
- assert(memcmp(atok_oid, mech_krb5_wrong.elements, 9) == 0);
- check_gsserr("gss_accept_sec_context", major, minor);
-
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- (void)gss_release_cred(&minor, &initiator_cred_handle);
- (void)gss_release_name(&minor, &target_name);
- (void)gss_release_buffer(&minor, &ktok);
- (void)gss_release_buffer(&minor, &atok);
- free(stok.value);
return 0;
}
More information about the cvs-krb5
mailing list