2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of KTH nor the names of its contributors may be
18 * used to endorse or promote products derived from this software without
19 * specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 #include "krb5/gsskrb5_locl.h"
37 #include "test_common.h"
39 RCSID("$Id: test_context.c 20075 2007-01-31 06:05:19Z lha $");
41 static char *type_string;
42 static char *mech_string;
43 static char *ret_mech_string;
44 static int dns_canon_flag = -1;
45 static int mutual_auth_flag = 0;
46 static int dce_style_flag = 0;
47 static int wrapunwrap_flag = 0;
48 static int getverifymic_flag = 0;
49 static int deleg_flag = 0;
50 static int version_flag = 0;
51 static int verbose_flag = 0;
52 static int help_flag = 0;
58 { "krb5", &GSS_KRB5_MECHANISM },
59 { "spnego", &GSS_SPNEGO_MECHANISM },
60 { "ntlm", &GSS_NTLM_MECHANISM },
61 { "sasl-digest-md5", &GSS_SASL_DIGEST_MD5_MECHANISM }
65 string_to_oid(const char *name)
68 for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
69 if (strcasecmp(name, o2n[i].name) == 0)
71 errx(1, "name %s not unknown", name);
75 oid_to_string(const gss_OID oid)
78 for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
79 if (gss_oid_equal(oid, *o2n[i].oid))
86 gss_OID nameoid, const char *target,
87 gss_cred_id_t init_cred,
88 gss_ctx_id_t *sctx, gss_ctx_id_t *cctx,
90 gss_cred_id_t *deleg_cred)
92 int server_done = 0, client_done = 0;
93 OM_uint32 maj_stat, min_stat;
94 gss_name_t gss_target_name;
95 gss_buffer_desc input_token, output_token;
96 OM_uint32 flags = 0, ret_cflags, ret_sflags;
97 gss_OID actual_mech_client;
98 gss_OID actual_mech_server;
100 *actual_mech = GSS_C_NO_OID;
102 flags |= GSS_C_INTEG_FLAG;
103 flags |= GSS_C_CONF_FLAG;
105 if (mutual_auth_flag)
106 flags |= GSS_C_MUTUAL_FLAG;
108 flags |= GSS_C_DCE_STYLE;
110 flags |= GSS_C_DELEG_FLAG;
112 input_token.value = rk_UNCONST(target);
113 input_token.length = strlen(target);
115 maj_stat = gss_import_name(&min_stat,
119 if (GSS_ERROR(maj_stat))
120 err(1, "import name creds failed with: %d", maj_stat);
122 input_token.length = 0;
123 input_token.value = NULL;
125 while (!server_done || !client_done) {
127 maj_stat = gss_init_sec_context(&min_stat,
140 if (GSS_ERROR(maj_stat))
141 errx(1, "init_sec_context: %s",
142 gssapi_err(maj_stat, min_stat, mechoid));
143 if (maj_stat & GSS_S_CONTINUE_NEEDED)
148 if (client_done && server_done)
151 if (input_token.length != 0)
152 gss_release_buffer(&min_stat, &input_token);
154 maj_stat = gss_accept_sec_context(&min_stat,
158 GSS_C_NO_CHANNEL_BINDINGS,
165 if (GSS_ERROR(maj_stat))
166 errx(1, "accept_sec_context: %s",
167 gssapi_err(maj_stat, min_stat, actual_mech_server));
170 printf("%.*s", (int)input_token.length, (char *)input_token.value);
172 if (output_token.length != 0)
173 gss_release_buffer(&min_stat, &output_token);
175 if (maj_stat & GSS_S_CONTINUE_NEEDED)
180 if (output_token.length != 0)
181 gss_release_buffer(&min_stat, &output_token);
182 if (input_token.length != 0)
183 gss_release_buffer(&min_stat, &input_token);
184 gss_release_name(&min_stat, &gss_target_name);
186 if (gss_oid_equal(actual_mech_server, actual_mech_client) == 0)
187 errx(1, "mech mismatch");
188 *actual_mech = actual_mech_server;
192 wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
194 gss_buffer_desc input_token, output_token, output_token2;
195 OM_uint32 min_stat, maj_stat;
200 input_token.value = "foo";
201 input_token.length = 3;
203 maj_stat = gss_wrap(&min_stat, cctx, flags, 0, &input_token,
204 &conf_state, &output_token);
205 if (maj_stat != GSS_S_COMPLETE)
206 errx(1, "gss_wrap failed: %s",
207 gssapi_err(maj_stat, min_stat, mechoid));
209 maj_stat = gss_unwrap(&min_stat, sctx, &output_token,
210 &output_token2, &conf_state, &qop_state);
211 if (maj_stat != GSS_S_COMPLETE)
212 errx(1, "gss_unwrap failed: %s",
213 gssapi_err(maj_stat, min_stat, mechoid));
217 getverifymic(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
219 gss_buffer_desc input_token, output_token;
220 OM_uint32 min_stat, maj_stat;
223 input_token.value = "bar";
224 input_token.length = 3;
226 maj_stat = gss_get_mic(&min_stat, cctx, 0, &input_token,
228 if (maj_stat != GSS_S_COMPLETE)
229 errx(1, "gss_get_mic failed: %s",
230 gssapi_err(maj_stat, min_stat, mechoid));
232 maj_stat = gss_verify_mic(&min_stat, sctx, &input_token,
233 &output_token, &qop_state);
234 if (maj_stat != GSS_S_COMPLETE)
235 errx(1, "gss_verify_mic failed: %s",
236 gssapi_err(maj_stat, min_stat, mechoid));
244 static struct getargs args[] = {
245 {"name-type",0, arg_string, &type_string, "type of name", NULL },
246 {"mech-type",0, arg_string, &mech_string, "type of mech", NULL },
247 {"ret-mech-type",0, arg_string, &ret_mech_string,
248 "type of return mech", NULL },
249 {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
250 "use dns to canonicalize", NULL },
251 {"mutual-auth",0, arg_flag, &mutual_auth_flag,"mutual auth", NULL },
252 {"dce-style",0, arg_flag, &dce_style_flag, "dce-style", NULL },
253 {"wrapunwrap",0, arg_flag, &wrapunwrap_flag, "wrap/unwrap", NULL },
254 {"getverifymic",0, arg_flag, &getverifymic_flag,
255 "get and verify mic", NULL },
256 {"delegate",0, arg_flag, &deleg_flag, "delegate credential", NULL },
257 {"version", 0, arg_flag, &version_flag, "print version", NULL },
258 {"verbose", 'v', arg_flag, &verbose_flag, "verbose", NULL },
259 {"help", 0, arg_flag, &help_flag, NULL, NULL }
265 arg_printusage (args, sizeof(args)/sizeof(*args),
266 NULL, "service@host");
271 main(int argc, char **argv)
274 OM_uint32 min_stat, maj_stat;
275 gss_ctx_id_t cctx, sctx;
277 gss_OID nameoid, mechoid, actual_mech;
278 gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
280 setprogname(argv[0]);
282 cctx = sctx = GSS_C_NO_CONTEXT;
284 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
301 if (dns_canon_flag != -1)
302 gsskrb5_set_dns_canonicalize(dns_canon_flag);
304 if (type_string == NULL)
305 nameoid = GSS_C_NT_HOSTBASED_SERVICE;
306 else if (strcmp(type_string, "hostbased-service") == 0)
307 nameoid = GSS_C_NT_HOSTBASED_SERVICE;
308 else if (strcmp(type_string, "krb5-principal-name") == 0)
309 nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
311 errx(1, "%s not suppported", type_string);
313 if (mech_string == NULL)
314 mechoid = GSS_KRB5_MECHANISM;
316 mechoid = string_to_oid(mech_string);
318 loop(mechoid, nameoid, argv[0], GSS_C_NO_CREDENTIAL,
319 &sctx, &cctx, &actual_mech, &deleg_cred);
322 printf("resulting mech: %s\n", oid_to_string(actual_mech));
324 if (ret_mech_string) {
327 retoid = string_to_oid(ret_mech_string);
329 if (gss_oid_equal(retoid, actual_mech) == 0)
330 errx(1, "actual_mech mech is not the expected type %s",
334 /* XXX should be actual_mech */
335 if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
336 krb5_context context;
338 gss_buffer_desc authz_data;
339 gss_buffer_desc in, out1, out2;
340 krb5_keyblock *keyblock, *keyblock2;
344 ret = krb5_init_context(&context);
346 errx(1, "krb5_init_context");
348 ret = krb5_timeofday(context, &now);
350 errx(1, "krb5_timeofday failed");
353 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
357 if (maj_stat != GSS_S_COMPLETE)
358 errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
359 gssapi_err(maj_stat, min_stat, actual_mech));
362 maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
363 if (maj_stat != GSS_S_COMPLETE)
364 errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
365 gssapi_err(maj_stat, min_stat, actual_mech));
368 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
372 if (maj_stat != GSS_S_COMPLETE)
373 errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
374 gssapi_err(maj_stat, min_stat, actual_mech));
375 maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
376 if (maj_stat != GSS_S_COMPLETE)
377 errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
378 gssapi_err(maj_stat, min_stat, actual_mech));
380 maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
383 if (maj_stat != GSS_S_COMPLETE)
384 errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
385 gssapi_err(maj_stat, min_stat, actual_mech));
387 skew = abs(time - now);
388 if (skew > krb5_get_max_time_skew(context)) {
389 errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
390 "time skew too great %llu > %llu",
391 (unsigned long long)skew,
392 (unsigned long long)krb5_get_max_time_skew(context));
395 maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
398 if (maj_stat != GSS_S_COMPLETE)
399 errx(1, "gsskrb5_export_service_keyblock failed: %s",
400 gssapi_err(maj_stat, min_stat, actual_mech));
402 krb5_free_keyblock(context, keyblock);
404 maj_stat = gsskrb5_get_subkey(&min_stat,
407 if (maj_stat != GSS_S_COMPLETE
408 && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
409 errx(1, "gsskrb5_get_subkey server failed: %s",
410 gssapi_err(maj_stat, min_stat, actual_mech));
412 if (maj_stat != GSS_S_COMPLETE)
415 maj_stat = gsskrb5_get_subkey(&min_stat,
418 if (maj_stat != GSS_S_COMPLETE
419 && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
420 errx(1, "gsskrb5_get_subkey client failed: %s",
421 gssapi_err(maj_stat, min_stat, actual_mech));
423 if (maj_stat != GSS_S_COMPLETE)
426 if (keyblock || keyblock2) {
427 if (keyblock == NULL)
428 errx(1, "server missing token keyblock");
429 if (keyblock2 == NULL)
430 errx(1, "client missing token keyblock");
432 if (keyblock->keytype != keyblock2->keytype)
433 errx(1, "enctype mismatch");
434 if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
435 errx(1, "key length mismatch");
436 if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
437 keyblock2->keyvalue.length) != 0)
438 errx(1, "key data mismatch");
442 krb5_free_keyblock(context, keyblock);
444 krb5_free_keyblock(context, keyblock2);
446 maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
449 if (maj_stat != GSS_S_COMPLETE
450 && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
451 errx(1, "gsskrb5_get_initiator_subkey failed: %s",
452 gssapi_err(maj_stat, min_stat, actual_mech));
454 if (maj_stat == GSS_S_COMPLETE)
455 krb5_free_keyblock(context, keyblock);
457 maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
461 if (maj_stat == GSS_S_COMPLETE)
462 gss_release_buffer(&min_stat, &authz_data);
464 krb5_free_context(context);
467 memset(&out1, 0, sizeof(out1));
468 memset(&out2, 0, sizeof(out2));
473 gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
475 gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
478 if (out1.length != out2.length)
479 errx(1, "prf len mismatch");
480 if (memcmp(out1.value, out2.value, out1.length) != 0)
481 errx(1, "prf data mismatch");
483 gss_release_buffer(&min_stat, &out1);
485 gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
488 if (out1.length != out2.length)
489 errx(1, "prf len mismatch");
490 if (memcmp(out1.value, out2.value, out1.length) != 0)
491 errx(1, "prf data mismatch");
493 gss_release_buffer(&min_stat, &out1);
494 gss_release_buffer(&min_stat, &out2);
499 gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
501 gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
504 if (out1.length != out2.length)
505 errx(1, "prf len mismatch");
506 if (memcmp(out1.value, out2.value, out1.length) != 0)
507 errx(1, "prf data mismatch");
509 gss_release_buffer(&min_stat, &out1);
510 gss_release_buffer(&min_stat, &out2);
513 getverifymic_flag = 1;
516 if (wrapunwrap_flag) {
517 wrapunwrap(cctx, sctx, actual_mech);
518 wrapunwrap(cctx, sctx, actual_mech);
519 wrapunwrap(sctx, cctx, actual_mech);
520 wrapunwrap(sctx, cctx, actual_mech);
522 if (getverifymic_flag) {
523 getverifymic(cctx, sctx, actual_mech);
524 getverifymic(cctx, sctx, actual_mech);
525 getverifymic(sctx, cctx, actual_mech);
526 getverifymic(sctx, cctx, actual_mech);
529 gss_delete_sec_context(&min_stat, &cctx, NULL);
530 gss_delete_sec_context(&min_stat, &sctx, NULL);
532 if (deleg_cred != GSS_C_NO_CREDENTIAL) {
534 loop(mechoid, nameoid, argv[0], deleg_cred, &cctx, &sctx, &actual_mech, NULL);
536 gss_delete_sec_context(&min_stat, &cctx, NULL);
537 gss_delete_sec_context(&min_stat, &sctx, NULL);
projects / FreeBSD / releng / 9.2.git / blob