author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-03-01 14:17:54 +1300 |
---|---|---|
committer | Joseph Sutton <jsutton@samba.org> | 2022-03-01 22:34:34 +0000 |
commit | 51569b3152a952d07fddaa3a70d60c920618c704 (patch) | |
tree | 4e447f5d9eb04c7acadf3cff4547068fc79d2113 /third_party/heimdal/tests/plugin | |
parent | fccf9859786dfb50b317ea2296c2494997f0ae09 (diff) | |
download | samba-51569b3152a952d07fddaa3a70d60c920618c704.tar.gz |
third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'third_party/heimdal/tests/plugin')
-rw-r--r-- | third_party/heimdal/tests/plugin/Makefile.am | 6 | ||||
-rw-r--r-- | third_party/heimdal/tests/plugin/check-pac.in | 6 | ||||
-rw-r--r-- | third_party/heimdal/tests/plugin/kdc_test_plugin.c | 207 | ||||
-rw-r--r-- | third_party/heimdal/tests/plugin/krb5.conf.in | 15 | ||||
-rw-r--r-- | third_party/heimdal/tests/plugin/windc.c | 161 |
5 files changed, 228 insertions, 167 deletions
diff --git a/third_party/heimdal/tests/plugin/Makefile.am b/third_party/heimdal/tests/plugin/Makefile.am
index 3fb1a2324b9..5dd43ccb04d 100644
--- a/third_party/heimdal/tests/plugin/Makefile.am
+++ b/third_party/heimdal/tests/plugin/Makefile.am
@@ -29,10 +29,10 @@ krb5.conf: krb5.conf.in Makefile
 $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
 mv krb5.conf.tmp krb5.conf
-lib_LTLIBRARIES = windc.la
+lib_LTLIBRARIES = kdc_test_plugin.la
-windc_la_SOURCES = windc.c
-windc_la_LDFLAGS = -module
+kdc_test_plugin_la_SOURCES = kdc_test_plugin.c
+kdc_test_plugin_la_LDFLAGS = -module
 CLEANFILES= \
 $(TESTS) \
diff --git a/third_party/heimdal/tests/plugin/check-pac.in b/third_party/heimdal/tests/plugin/check-pac.in
index 60ec21a31f3..85bf8cd9a98 100644
--- a/third_party/heimdal/tests/plugin/check-pac.in
+++ b/third_party/heimdal/tests/plugin/check-pac.in
@@ -108,15 +108,15 @@ echo "Empty log" > messages.log
 echo Starting kdc
-${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
 kdcpid=`getpid kdc`
 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
 ec=0
-echo "Check that WINDC module was loaded "
-grep "windc init" messages.log >/dev/null || \
+echo "Check that KDC plugin module was loaded "
+grep "kdc plugin init" messages.log >/dev/null || \
 { ec=1 ; eval "${testfailed}"; }
 echo "Getting client initial tickets"; > messages.log
diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
new file mode 100644
index 00000000000..4fcf311fddf
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
@@ -0,0 +1,207 @@
+#include <string.h>
+#include <krb5_locl.h>
+#include <hdb.h>
+#include <hx509.h>
+#include <kdc.h>
+#include <kdc-plugin.h>
+
+static krb5_error_code KRB5_CALLCONV
+init(krb5_context context, void **ctx)
+{
+ krb5_warnx(context, "kdc plugin init");
+ *ctx = NULL;
+ return 0;
+}
+
+static void KRB5_CALLCONV
+fini(void *ctx)
+{
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_generate(void *ctx,
+ krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry *client,
+ hdb_entry *server,
+ const krb5_keyblock *pk_replykey,
+ uint64_t pac_attributes,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
+ KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
+ *pac = NULL;
+ return 0;
+ }
+
+ krb5_warnx(context, "pac generate");
+
+ data.data = "\x00\x01";
+ data.length = 2;
+
+ ret = krb5_pac_init(context, pac);
+ if (ret)
+ return ret;
+
+ ret = krb5_pac_add_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_verify(void *ctx,
+ krb5_context context,
+ krb5_kdc_configuration *config,
+ const krb5_principal new_ticket_client,
+ const krb5_principal delegation_proxy,
+ hdb_entry * client,
+ hdb_entry * server,
+ hdb_entry * krbtgt,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ krb5_cksumtype cstype;
+ uint16_t rodc_id;
+ krb5_enctype etype;
+ Key *key;
+
+ krb5_warnx(context, "pac_verify");
+
+ ret = krb5_pac_get_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+ krb5_data_free(&data);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
+ if (ret)
+ return ret;
+
+ if (rodc_id == 0 || rodc_id != krbtgt->kvno >> 16) {
+ krb5_warnx(context, "Wrong RODCIdentifier");
+ return EINVAL;
+ }
+
+ ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
+ if (ret)
+ return ret;
+
+ ret = hdb_enctype2key(context, krbtgt, NULL, etype, &key);
+ if (ret)
+ return ret;
+
+ return krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
+}
+
+static void logit(const char *what, astgs_request_t r)
+{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
+ const char *cname = kdc_request_get_cname((kdc_request_t)r);
+ const char *sname = kdc_request_get_sname((kdc_request_t)r);
+
+ krb5_warnx(context, "%s: client %s server %s",
+ what,
+ cname ? cname : "<unknown>",
+ sname ? sname : "<unknown>");
+}
+
+static krb5_error_code KRB5_CALLCONV
+client_access(void *ctx, astgs_request_t r)
+{
+ logit("client_access", r);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+finalize_reply(void *ctx, astgs_request_t r)
+{
+ heim_number_t n;
+ krb5_error_code ret;
+
+ logit("finalize_reply", r);
+
+ n = heim_number_create(1234);
+ if (n == NULL)
+ return ENOMEM;
+
+ ret = kdc_request_set_attribute((kdc_request_t)r,
+ HSTR("org.h5l.tests.kdc-plugin"), n);
+ heim_release(n);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+audit(void *ctx, astgs_request_t r)
+{
+ krb5_error_code ret = kdc_request_get_error_code((kdc_request_t)r);
+ heim_number_t n;
+
+ logit("audit", r);
+
+ if (ret)
+ return 0; /* finalize_reply only called in success */
+
+ n = kdc_request_get_attribute((kdc_request_t)r,
+ HSTR("org.h5l.tests.kdc-plugin"));
+
+ heim_assert(n && heim_number_get_int(n) == 1234,
+ "attribute not passed from finalize_reply");
+
+ if (n == NULL || heim_number_get_int(n) != 1234)
+ return EINVAL; /* return value is ignored, but for completeness */
+
+ return 0;
+}
+
+static krb5plugin_kdc_ftable kdc_plugin = {
+ KRB5_PLUGIN_KDC_VERSION_10,
+ init,
+ fini,
+ pac_generate,
+ pac_verify,
+ client_access,
+ NULL, /* referral_policy */
+ finalize_reply,
+ audit
+};
+
+static const krb5plugin_kdc_ftable *const kdc_plugins[] = {
+ &kdc_plugin
+};
+
+krb5_error_code KRB5_CALLCONV
+kdc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kdc_ftable *const **plugins);
+
+static uintptr_t KRB5_CALLCONV
+kdc_plugin_get_instance(const char *libname)
+{
+ if (strcmp(libname, "hdb") == 0)
+ return hdb_get_instance(libname);
+ else if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+kdc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kdc_ftable *const **plugins)
+{
+ *get_instance = kdc_plugin_get_instance;
+ *num_plugins = sizeof(kdc_plugins) / sizeof(kdc_plugins[0]);
+ *plugins = kdc_plugins;
+
+ return 0;
+}
diff --git a/third_party/heimdal/tests/plugin/krb5.conf.in b/third_party/heimdal/tests/plugin/krb5.conf.in
index 8ab2f17177c..d188c314b36 100644
--- a/third_party/heimdal/tests/plugin/krb5.conf.in
+++ b/third_party/heimdal/tests/plugin/krb5.conf.in
@@ -19,6 +19,21 @@
 }
 [kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
 database = {
 dbname = @objdir@/current-db
 realm = TEST.H5L.SE
diff --git a/third_party/heimdal/tests/plugin/windc.c b/third_party/heimdal/tests/plugin/windc.c
deleted file mode 100644
index 357148019ae..00000000000
--- a/third_party/heimdal/tests/plugin/windc.c
+++ /dev/null
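Review bot: pac_generate leaks the PAC it has just created when krb5_pac_add_buffer fails: krb5_pac_init has already stored the new object in `*pac`, and the error branch returns without releasing it, so the caller receives an error together with a still-allocated `*pac`. Release it on that path, `if (ret) { krb5_pac_free(context, *pac); *pac = NULL; }`, so the out-parameter is either a complete PAC or NULL, matching the early `*pac = NULL` return at the top of the function. The same pattern exists in the deleted windc.c, so this is carried over rather than introduced by the rewrite. Separately, the `return EINVAL` in audit after heim_assert cannot be reached when the check fails, since the assertion aborts first; the comment already says the value is ignored, so a short note that the assert is the real check would save the next reader a moment.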
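Review bot: The fifteen new [kdc] settings carry no comment, and several of them (allow-anonymous, the ntlm-v1 entries in digests_allowed, pkinit_allow_proxy_certificate, the commented-out pkinit_revoke) are exactly what tends to get copied out of a test tree into a real krb5.conf. A one-line header above enable-digest would make the intent explicit, e.g. `# test-only: deliberately permissive KDC settings for check-pac; not a template for a production krb5.conf`. Note also that pkinit_mappings_file points at @srcdir@/pki-mapping, which is not among the five files in this diffstat; presumably it arrives elsewhere in the import, but how the KDC behaves when the mapping file is missing is worth confirming before the test relies on it.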
@@ -1,161 +0,0 @@
-#include <string.h>
-#include <krb5_locl.h>
-#include <hdb.h>
-#include <hx509.h>
-#include <kdc.h>
-#include <windc_plugin.h>
-
-static krb5_error_code KRB5_CALLCONV
-windc_init(krb5_context context, void **ctx)
-{
- krb5_warnx(context, "windc init");
- *ctx = NULL;
- return 0;
-}
-
-static void KRB5_CALLCONV
-windc_fini(void *ctx)
-{
-}
-
-static krb5_error_code KRB5_CALLCONV
-pac_generate(void *ctx, krb5_context context,
- struct hdb_entry_ex *client,
- struct hdb_entry_ex *server,
- const krb5_keyblock *pk_replykey,
- uint64_t pac_attributes,
- krb5_pac *pac)
-{
- krb5_error_code ret;
- krb5_data data;
-
- if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
- KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
- *pac = NULL;
- return 0;
- }
-
- krb5_warnx(context, "pac generate");
-
- data.data = "\x00\x01";
- data.length = 2;
-
- ret = krb5_pac_init(context, pac);
- if (ret)
- return ret;
-
- ret = krb5_pac_add_buffer(context, *pac, 1, &data);
- if (ret)
- return ret;
-
- return 0;
-}
-
-static krb5_error_code KRB5_CALLCONV
-pac_verify(void *ctx, krb5_context context,
- const krb5_principal new_ticket_client,
- const krb5_principal delegation_proxy,
- struct hdb_entry_ex * client,
- struct hdb_entry_ex * server,
- struct hdb_entry_ex * krbtgt,
- krb5_pac *pac)
-{
- krb5_error_code ret;
- krb5_data data;
- krb5_cksumtype cstype;
- uint16_t rodc_id;
- krb5_enctype etype;
- Key *key;
-
- krb5_warnx(context, "pac_verify");
-
- ret = krb5_pac_get_buffer(context, *pac, 1, &data);
- if (ret)
- return ret;
- krb5_data_free(&data);
-
- ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
- if (ret)
- return ret;
-
- if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) {
- krb5_warnx(context, "Wrong RODCIdentifier");
- return EINVAL;
- }
-
- ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
- if (ret)
- return ret;
-
- ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
- if (ret)
- return ret;
-
- return krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
-}
-
-static void logit(const char *what, astgs_request_t r)
-{
- krb5_warnx(r->context, "%s: client %s server %s",
- what,
- r->cname ? r->cname : "<unknown>",
- r->sname ? r->sname : "<unknown>");
-}
-
-static krb5_error_code KRB5_CALLCONV
-client_access(void *ctx, astgs_request_t r)
-{
- logit("client_access", r);
- return 0;
-}
-
-static krb5_error_code KRB5_CALLCONV
-finalize_reply(void *ctx, astgs_request_t r)
-{
- logit("finalize_reply", r);
- return 0;
-}
-
-static krb5plugin_windc_ftable windc = {
- KRB5_WINDC_PLUGING_MINOR,
- windc_init,
- windc_fini,
- pac_generate,
- pac_verify,
- client_access,
- finalize_reply
-};
-
-static const krb5plugin_windc_ftable *const windc_plugins[] = {
- &windc
-};
-
-krb5_error_code KRB5_CALLCONV
-windc_plugin_load(krb5_context context,
- krb5_get_instance_func_t *get_instance,
- size_t *num_plugins,
- const krb5plugin_windc_ftable *const **plugins);
-
-static uintptr_t KRB5_CALLCONV
-windc_get_instance(const char *libname)
-{
- if (strcmp(libname, "hdb") == 0)
- return hdb_get_instance(libname);
- else if (strcmp(libname, "krb5") == 0)
- return krb5_get_instance(libname);
-
- return 0;
-}
-
-krb5_error_code KRB5_CALLCONV
-windc_plugin_load(krb5_context context,
- krb5_get_instance_func_t *get_instance,
- size_t *num_plugins,
- const krb5plugin_windc_ftable *const **plugins)
-{
- *get_instance = windc_get_instance;
- *num_plugins = sizeof(windc_plugins) / sizeof(windc_plugins[0]);
- *plugins = windc_plugins;
-
- return 0;
-}
|