1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* tests/gssapi/t_add_cred.c - gss_add_cred() tests */
/*
* Copyright (C) 2018 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This program tests the mechglue behavior of gss_add_cred(). It relies on a
* krb5 keytab and credentials being present so that initiator and acceptor
* credentials can be acquired, but does not use them to initiate or accept any
* requests.
*/
#include <stdio.h>
#include <assert.h>
#include "common.h"
int
main()
{
OM_uint32 minor, major;
gss_cred_id_t cred1, cred2;
gss_cred_usage_t usage;
gss_name_t name;
/* Check that we get the expected error if we pass neither an input nor an
* output cred handle. */
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
&mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE,
GSS_C_INDEFINITE, NULL, NULL, NULL, NULL);
assert(major == (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED));
/* Regression test for #8737: make sure that desired_name is honored when
* creating a credential by passing in a non-matching name. */
name = import_name("p:does/not/match@WRONG_REALM");
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, name, &mech_krb5,
GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
&cred1, NULL, NULL, NULL);
assert(major == GSS_S_NO_CRED);
gss_release_name(&minor, &name);
/* Create cred1 with a krb5 initiator cred by passing an output handle but
* no input handle. */
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
&mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE,
GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL);
assert(major == GSS_S_COMPLETE);
/* Verify that cred1 has the expected mechanism creds. */
major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE);
major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_NO_CRED);
/* Check that we get the expected error if we try to add another krb5 mech
* cred to cred1. */
major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_krb5,
GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
NULL, NULL, NULL, NULL);
assert(major == GSS_S_DUPLICATE_ELEMENT);
/* Add an IAKERB acceptor mech cred to cred1. */
major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb,
GSS_C_ACCEPT, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
NULL, NULL, NULL, NULL);
assert(major == GSS_S_COMPLETE);
/* Verify cred1 mechanism creds. */
major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE);
major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT);
/* Start over with another new cred. */
gss_release_cred(&minor, &cred1);
major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
&mech_krb5, GSS_C_ACCEPT, GSS_C_INDEFINITE,
GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL);
assert(major == GSS_S_COMPLETE);
/* Create an expanded cred by passing both an output handle and an input
* handle. */
major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb,
GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
&cred2, NULL, NULL, NULL);
assert(major == GSS_S_COMPLETE);
/* Verify mechanism creds in cred1 and cred2. */
major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT);
major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_NO_CRED);
major = gss_inquire_cred_by_mech(&minor, cred2, &mech_krb5, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT);
major = gss_inquire_cred_by_mech(&minor, cred2, &mech_iakerb, NULL, NULL,
NULL, &usage);
assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE);
gss_release_cred(&minor, &cred1);
gss_release_cred(&minor, &cred2);
return 0;
}
|
