krb5 commit: Allow gss_inquire_context on partial krb5 contexts
Greg Hudson
ghudson at mit.edu
Mon Jun 29 23:01:58 EDT 2015
https://github.com/krb5/krb5/commit/9f095e1aab582e5a94c93d587f6d09e9d8f7479e
commit 9f095e1aab582e5a94c93d587f6d09e9d8f7479e
Author: Solly Ross <sross at redhat.com>
Date: Mon Jun 8 14:06:18 2015 -0400
Allow gss_inquire_context on partial krb5 contexts
RFC 2743 states that gss_inquire_context() must always return flags,
locally_initiated, and open even if a context is not yet fully
established. Additionally, a partially established context may also
return mech_type.
Previously, the krb5 mech raised an error for inquire_context on
partially completed contexts. It now follows the rules layed out in
RFC 2743.
Add a new test program to verify that gss_inquire_context() works
correctly on both in-progress and established contexts.
[ghudson at mit.edu: minor style changes and commit message edits]
ticket: 8025
.gitignore | 1 +
src/lib/gssapi/krb5/inq_context.c | 90 ++++++++++++---------
src/lib/gssapi/mechglue/g_inq_context.c | 5 +-
src/tests/gssapi/Makefile.in | 17 +++--
src/tests/gssapi/t_gssapi.py | 4 +
src/tests/gssapi/t_inq_ctx.c | 131 +++++++++++++++++++++++++++++++
6 files changed, 202 insertions(+), 46 deletions(-)
diff --git a/.gitignore b/.gitignore
index c70cc29..d9ceb21 100644
--- a/.gitignore
+++ b/.gitignore
@@ -307,6 +307,7 @@ testlog
/src/tests/gssapi/t_s4u2proxy_krb5
/src/tests/gssapi/t_saslname
/src/tests/gssapi/t_spnego
+/src/tests/gssapi/t_inq_ctx
/src/tests/hammer/kdc5_hammer
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
index 096df2a..cc06a93 100644
--- a/src/lib/gssapi/krb5/inq_context.c
+++ b/src/lib/gssapi/krb5/inq_context.c
@@ -104,55 +104,66 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
*acceptor_name = (gss_name_t) NULL;
ctx = (krb5_gss_ctx_id_rec *) context_handle;
-
- if (ctx->terminated || !ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
-
- initiator = NULL;
- acceptor = NULL;
context = ctx->k5_context;
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
- }
-
- if ((lifetime = ctx->krb_times.endtime - now) < 0)
- lifetime = 0;
+ /* RFC 2743 states that a partially completed context must return
+ * flags, locally_initiated, and open, and *may* return mech_type. */
+ if (ctx->established) {
+ initiator = NULL;
+ acceptor = NULL;
- if (initiator_name) {
- if ((code = kg_duplicate_name(context,
- ctx->initiate ? ctx->here : ctx->there,
- &initiator))) {
+ if ((code = krb5_timeofday(context, &now))) {
*minor_status = code;
save_error_info(*minor_status, context);
return(GSS_S_FAILURE);
}
- }
- if (acceptor_name) {
- if ((code = kg_duplicate_name(context,
- ctx->initiate ? ctx->there : ctx->here,
- &acceptor))) {
- if (initiator)
- kg_release_name(context, &initiator);
- *minor_status = code;
- save_error_info(*minor_status, context);
- return(GSS_S_FAILURE);
+ if ((lifetime = ctx->krb_times.endtime - now) < 0)
+ lifetime = 0;
+
+ if (initiator_name) {
+ code = kg_duplicate_name(context,
+ ctx->initiate ? ctx->here : ctx->there,
+ &initiator);
+ if (code) {
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
}
- }
- if (initiator_name)
- *initiator_name = (gss_name_t) initiator;
+ if (acceptor_name) {
+ code = kg_duplicate_name(context,
+ ctx->initiate ? ctx->there : ctx->here,
+ &acceptor);
+ if (code) {
+ if (initiator)
+ kg_release_name(context, &initiator);
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ return(GSS_S_FAILURE);
+ }
+ }
- if (acceptor_name)
- *acceptor_name = (gss_name_t) acceptor;
+ if (initiator_name)
+ *initiator_name = (gss_name_t) initiator;
- if (lifetime_rec)
- *lifetime_rec = lifetime;
+ if (acceptor_name)
+ *acceptor_name = (gss_name_t) acceptor;
+
+ if (lifetime_rec)
+ *lifetime_rec = lifetime;
+ } else {
+ lifetime = 0;
+ if (initiator_name)
+ *initiator_name = GSS_C_NO_NAME;
+
+ if (acceptor_name)
+ *acceptor_name = GSS_C_NO_NAME;
+
+ if (lifetime_rec)
+ *lifetime_rec = 0;
+ }
if (mech_type)
*mech_type = (gss_OID) ctx->mech_used;
@@ -167,7 +178,10 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
*opened = ctx->established;
*minor_status = 0;
- return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ if (ctx->established)
+ return((lifetime == 0)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ else
+ return GSS_S_COMPLETE;
}
OM_uint32
diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c
index d3fb343..6f1c71e 100644
--- a/src/lib/gssapi/mechglue/g_inq_context.c
+++ b/src/lib/gssapi/mechglue/g_inq_context.c
@@ -130,6 +130,7 @@ gss_inquire_context(
/* need to convert names */
if (src_name) {
+ if (localSourceName) {
status = gssint_convert_name_to_union_name(minor_status, mech,
localSourceName, src_name);
@@ -138,7 +139,9 @@ gss_inquire_context(
mech->gss_release_name(&temp_minor, &localTargName);
return (status);
}
-
+ } else {
+ *src_name = GSS_C_NO_NAME;
+ }
}
if (targ_name) {
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index a04cbb1..9fe5ed5 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -13,7 +13,7 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
$(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c $(srcdir)/t_err.c \
$(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \
$(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
- $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c \
+ $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
$(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
$(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \
$(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \
@@ -22,16 +22,16 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \
t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \
t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \
- t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o t_pcontok.o t_prf.o \
- t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o
+ t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \
+ t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o
COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
all:: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \
t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \
- t_invalid t_inq_cred t_inq_mechs_name t_iov t_namingexts t_oid \
- t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego
+ t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \
+ t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego
check-unix:: t_oid
$(RUN_SETUP) $(VALGRIND) ./t_invalid
@@ -40,7 +40,8 @@ check-unix:: t_oid
check-pytests:: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \
t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
- t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 t_spnego
+ t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \
+ t_spnego
$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
@@ -78,6 +79,8 @@ t_invalid: t_invalid.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_invalid.o $(COMMON_LIBS)
t_inq_cred: t_inq_cred.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_inq_cred.o $(COMMON_LIBS)
+t_inq_ctx: t_inq_ctx.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_inq_ctx.o $(COMMON_LIBS)
t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS)
t_iov: t_iov.o $(COMMON_DEPS)
@@ -102,6 +105,6 @@ t_spnego: t_spnego.o $(COMMON_DEPS)
clean::
$(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore
$(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred
- $(RM) t_imp_name t_invalid t_inq_cred t_inq_mechs_name t_iov
+ $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov
$(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
$(RM) t_saslname t_spnego
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index c8c9034..8093c3d 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -216,4 +216,8 @@ realm.run(['./t_err', 'p:' + realm.host_princ])
# Test the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option.
realm.run(['./t_ciflags', 'p:' + realm.host_princ])
+# Test that inquire_context works properly, even on incomplete
+# contexts.
+realm.run(['./t_inq_ctx', 'p:%s' % realm.host_princ])
+
success('GSSAPI tests')
diff --git a/src/tests/gssapi/t_inq_ctx.c b/src/tests/gssapi/t_inq_ctx.c
new file mode 100644
index 0000000..6575b7c
--- /dev/null
+++ b/src/tests/gssapi/t_inq_ctx.c
@@ -0,0 +1,131 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright 2015 Red Hat, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation files
+ * (the "Software"), to deal in the Software without restriction,
+ * including without limitation the rights to use, copy, modify, merge,
+ * publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include "common.h"
+
+
+/*
+ * Test program for inquiring about a security context, intented to be run from
+ * a Python test script. Partially establishes a context to test inquiring
+ * about an incomplete context, and then establishes full contexts and inquires
+ * them. Exits with status 0 if all operations are successful, or 1 if not.
+ *
+ * Usage: ./t_inq_ctx target_name
+ */
+
+static void
+check_inq_context(const char *header, gss_ctx_id_t context,
+ int incomplete, OM_uint32 expected_flags,
+ int expected_locally_init)
+{
+ OM_uint32 major, minor;
+ gss_name_t out_init_name, out_accept_name;
+ OM_uint32 out_lifetime;
+ gss_OID out_mech_type;
+ OM_uint32 out_flags;
+ int out_locally_init;
+ int out_open;
+ int mech_is_member;
+
+ major = gss_inquire_context(&minor, context, &out_init_name,
+ &out_accept_name, &out_lifetime,
+ &out_mech_type, &out_flags, &out_locally_init,
+ &out_open);
+ check_gsserr("gss_inquire_context", major, minor);
+
+ major = gss_test_oid_set_member(&minor, out_mech_type, &mechset_krb5,
+ &mech_is_member);
+ check_gsserr("gss_test_oid_set_member", major, minor);
+
+ assert(out_flags & expected_flags);
+ assert(mech_is_member);
+ assert(out_locally_init == expected_locally_init);
+ if (incomplete) {
+ assert(!out_open);
+ assert(out_lifetime == 0);
+ assert(out_init_name == GSS_C_NO_NAME);
+ assert(out_accept_name == GSS_C_NO_NAME);
+ } else {
+ assert(out_open);
+ assert(out_lifetime > 0);
+ assert(out_init_name != GSS_C_NO_NAME);
+ assert(out_accept_name != GSS_C_NO_NAME);
+ }
+
+ (void)gss_release_name(&minor, &out_accept_name);
+ (void)gss_release_name(&minor, &out_init_name);
+}
+
+/* Call gss_init_sec_context() once to create an initiator context (which will
+ * be partial if flags includes GSS_C_MUTUAL_FLAG and the mech is krb5). */
+static void
+start_init_context(gss_OID mech, gss_cred_id_t cred, gss_name_t tname,
+ OM_uint32 flags, gss_ctx_id_t *ctx)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc itok = GSS_C_EMPTY_BUFFER;
+
+ *ctx = GSS_C_NO_CONTEXT;
+ major = gss_init_sec_context(&minor, cred, ctx, tname, mech, flags,
+ GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+ NULL, NULL, &itok, NULL, NULL);
+ check_gsserr("gss_init_sec_context", major, minor);
+ (void)gss_release_buffer(&minor, &itok);
+}
+
+int
+main(int argc, char *argv[])
+{
+ OM_uint32 minor, flags;
+ gss_name_t tname;
+ gss_ctx_id_t ictx, actx;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s targetname\n", argv[0]);
+ return 1;
+ }
+ tname = import_name(argv[1]);
+
+ flags = GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
+ start_init_context(&mech_krb5, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
+ check_inq_context("Partial initiator", ictx, 1, flags, 1);
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+
+ establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
+ tname, flags, &ictx, &actx, NULL, NULL, NULL);
+
+ check_inq_context("Complete initiator", ictx, 0, flags, 1);
+ check_inq_context("Complete acceptor", actx, 0, flags, 0);
+
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+
+ (void)gss_release_name(&minor, &tname);
+ return 0;
+}
More information about the cvs-krb5
mailing list