krb5 commit [krb5-1.14]: Add more gss_inquire_context() tests

Tom Yu tlyu at mit.edu
Mon Oct 26 15:39:40 EDT 2015


https://github.com/krb5/krb5/commit/9bc7e779d56398d523e50517f355cab94a864435
commit 9bc7e779d56398d523e50517f355cab94a864435
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Sep 11 17:58:33 2015 -0400

    Add more gss_inquire_context() tests
    
    Add tests for partial IAKERB and SPNEGO initiators, and for partial
    krb5 (DCE-style), IAKERB, and SPNEGO acceptors.  Make flag checking
    more strict for existing tests.
    
    (cherry picked from commit a705b1160ce7f0c5f23b9859c4c6c707503fbfdc)
    
    ticket: 8244
    version_fixed: 1.14
    status: resolved

 src/tests/gssapi/t_gssapi.py |    2 +-
 src/tests/gssapi/t_inq_ctx.c |  146 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 129 insertions(+), 19 deletions(-)

diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 8093c3d..e23c936 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -218,6 +218,6 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ])
 
 # Test that inquire_context works properly, even on incomplete
 # contexts.
-realm.run(['./t_inq_ctx', 'p:%s' % realm.host_princ])
+realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ])
 
 success('GSSAPI tests')
diff --git a/src/tests/gssapi/t_inq_ctx.c b/src/tests/gssapi/t_inq_ctx.c
index 6575b7c..ac427a4 100644
--- a/src/tests/gssapi/t_inq_ctx.c
+++ b/src/tests/gssapi/t_inq_ctx.c
@@ -25,6 +25,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <assert.h>
 
 #include "common.h"
@@ -40,9 +41,8 @@
  */
 
 static void
-check_inq_context(const char *header, gss_ctx_id_t context,
-                      int incomplete, OM_uint32 expected_flags,
-                      int expected_locally_init)
+check_inq_context(gss_ctx_id_t context, int incomplete, gss_OID expected_mech,
+                  OM_uint32 expected_flags, int expected_locally_init)
 {
     OM_uint32 major, minor;
     gss_name_t out_init_name, out_accept_name;
@@ -51,7 +51,6 @@ check_inq_context(const char *header, gss_ctx_id_t context,
     OM_uint32 out_flags;
     int out_locally_init;
     int out_open;
-    int mech_is_member;
 
     major = gss_inquire_context(&minor, context, &out_init_name,
                                 &out_accept_name, &out_lifetime,
@@ -59,12 +58,8 @@ check_inq_context(const char *header, gss_ctx_id_t context,
                                 &out_open);
     check_gsserr("gss_inquire_context", major, minor);
 
-    major = gss_test_oid_set_member(&minor, out_mech_type, &mechset_krb5,
-                                    &mech_is_member);
-    check_gsserr("gss_test_oid_set_member", major, minor);
-
-    assert(out_flags & expected_flags);
-    assert(mech_is_member);
+    assert(gss_oid_equal(out_mech_type, expected_mech));
+    assert(out_flags == expected_flags);
     assert(out_locally_init == expected_locally_init);
     if (incomplete) {
         assert(!out_open);
@@ -99,29 +94,144 @@ start_init_context(gss_OID mech, gss_cred_id_t cred, gss_name_t tname,
     (void)gss_release_buffer(&minor, &itok);
 }
 
+/* Call gss_init_sec_context() and gss_accept_sec_context() once to create an
+ * acceptor context. */
+static void
+start_accept_context(gss_OID mech, gss_cred_id_t icred, gss_cred_id_t acred,
+                     gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ctx)
+{
+    OM_uint32 major, minor;
+    gss_ctx_id_t ictx = GSS_C_NO_CONTEXT;
+    gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
+
+    major = gss_init_sec_context(&minor, icred, &ictx, tname, mech, flags,
+                                 GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
+                                 NULL, NULL, &itok, NULL, NULL);
+    check_gsserr("gss_init_sec_context", major, minor);
+
+    *ctx = GSS_C_NO_CONTEXT;
+    major = gss_accept_sec_context(&minor, ctx, acred, &itok,
+                                   GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+                                   &atok, NULL, NULL, NULL);
+    check_gsserr("gss_accept_sec_context", major, minor);
+
+    (void)gss_release_buffer(&minor, &itok);
+    (void)gss_release_buffer(&minor, &atok);
+    (void)gss_delete_sec_context(&minor, &ictx, NULL);
+}
+
+static void
+partial_iakerb_acceptor(const char *username, const char *password,
+                        gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ctx)
+{
+    OM_uint32 major, minor;
+    gss_name_t name;
+    gss_buffer_desc ubuf, pwbuf;
+    gss_OID_set_desc mechlist;
+    gss_cred_id_t icred, acred;
+
+    mechlist.count = 1;
+    mechlist.elements = &mech_iakerb;
+
+    /* Import the username. */
+    ubuf.value = (void *)username;
+    ubuf.length = strlen(username);
+    major = gss_import_name(&minor, &ubuf, GSS_C_NT_USER_NAME, &name);
+    check_gsserr("gss_import_name", major, minor);
+
+    /* Create an IAKERB initiator cred with the username and password. */
+    pwbuf.value = (void *)password;
+    pwbuf.length = strlen(password);
+    major = gss_acquire_cred_with_password(&minor, name, &pwbuf, 0,
+                                           &mechlist, GSS_C_INITIATE, &icred,
+                                           NULL, NULL);
+    check_gsserr("gss_acquire_cred_with_password", major, minor);
+
+    /* Create an acceptor cred with support for IAKERB. */
+    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+                             &mechlist, GSS_C_ACCEPT, &acred, NULL, NULL);
+    check_gsserr("gss_acquire_cred", major, minor);
+
+    /* Begin context establishment to get a partial acceptor context. */
+    start_accept_context(&mech_iakerb, icred, acred, tname, flags, ctx);
+
+    (void)gss_release_name(&minor, &name);
+    (void)gss_release_cred(&minor, &icred);
+    (void)gss_release_cred(&minor, &acred);
+}
+
+/* Create a partially established SPNEGO acceptor. */
+static void
+partial_spnego_acceptor(gss_name_t tname, gss_ctx_id_t *ctx)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok;
+
+    /*
+     * We could construct a fixed SPNEGO initiator token which forces a
+     * renegotiation, but a simpler approach is to pass an empty token to
+     * gss_accept_sec_context(), taking advantage of our compatibility support
+     * for SPNEGO NegHints.
+     */
+    *ctx = GSS_C_NO_CONTEXT;
+    major = gss_accept_sec_context(&minor, ctx, GSS_C_NO_CREDENTIAL, &itok,
+                                   GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+                                   &atok, NULL, NULL, NULL);
+    check_gsserr("gss_accept_sec_context(neghints)", major, minor);
+
+    (void)gss_release_buffer(&minor, &atok);
+}
+
 int
 main(int argc, char *argv[])
 {
-    OM_uint32 minor, flags;
+    OM_uint32 minor, flags, dce_flags;
     gss_name_t tname;
     gss_ctx_id_t ictx, actx;
+    const char *username, *password;
 
-    if (argc != 2) {
-        fprintf(stderr, "Usage: %s targetname\n", argv[0]);
+    if (argc != 4) {
+        fprintf(stderr, "Usage: %s username password targetname\n", argv[0]);
         return 1;
     }
-    tname = import_name(argv[1]);
+    username = argv[1];
+    password = argv[2];
+    tname = import_name(argv[3]);
 
-    flags = GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG;
+    flags = GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG |
+        GSS_C_INTEG_FLAG;
     start_init_context(&mech_krb5, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
-    check_inq_context("Partial initiator", ictx, 1, flags, 1);
+    check_inq_context(ictx, 1, &mech_krb5, flags | GSS_C_TRANS_FLAG, 1);
+    (void)gss_delete_sec_context(&minor, &ictx, NULL);
+
+    start_init_context(&mech_iakerb, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
+    check_inq_context(ictx, 1, &mech_iakerb, flags, 1);
+    (void)gss_delete_sec_context(&minor, &ictx, NULL);
+
+    start_init_context(&mech_spnego, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
+    check_inq_context(ictx, 1, &mech_spnego, flags, 1);
     (void)gss_delete_sec_context(&minor, &ictx, NULL);
 
+    dce_flags = flags | GSS_C_DCE_STYLE;
+    start_accept_context(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
+                         tname, dce_flags, &actx);
+    check_inq_context(actx, 1, &mech_krb5, dce_flags | GSS_C_TRANS_FLAG, 0);
+    (void)gss_delete_sec_context(&minor, &actx, NULL);
+
+    partial_iakerb_acceptor(username, password, tname, flags, &actx);
+    check_inq_context(actx, 1, &mech_iakerb, 0, 0);
+    (void)gss_delete_sec_context(&minor, &actx, NULL);
+
+    partial_spnego_acceptor(tname, &actx);
+    check_inq_context(actx, 1, &mech_spnego, 0, 0);
+    (void)gss_delete_sec_context(&minor, &actx, NULL);
+
     establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
                        tname, flags, &ictx, &actx, NULL, NULL, NULL);
 
-    check_inq_context("Complete initiator", ictx, 0, flags, 1);
-    check_inq_context("Complete acceptor", actx, 0, flags, 0);
+    check_inq_context(ictx, 0, &mech_krb5, flags | GSS_C_TRANS_FLAG, 1);
+    check_inq_context(actx, 0, &mech_krb5,
+                      flags | GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG, 0);
 
     (void)gss_delete_sec_context(&minor, &ictx, NULL);
     (void)gss_delete_sec_context(&minor, &actx, NULL);


More information about the cvs-krb5 mailing list