authorGreg Hudson <ghudson@mit.edu>2015-03-15 15:56:34 -0400
committerGreg Hudson <ghudson@mit.edu>2015-07-22 12:22:47 -0400
commite64140aba967e3d8a785d4f83b1477ed0bdc85bd (patch)
treefddde1abf876ad9f7392d6eb115f31cf72c5a8ad /src/plugins
parent24dc279b9b14fe8d6674fdd2a9210c1e1fb52e37 (diff)
downloadkrb5-e64140aba967e3d8a785d4f83b1477ed0bdc85bd.zip
krb5-e64140aba967e3d8a785d4f83b1477ed0bdc85bd.tar.gz
krb5-e64140aba967e3d8a785d4f83b1477ed0bdc85bd.tar.bz2
Test auth indicator functionality
Modify adata.c to handle CAMMAC containers and display auth indicators. Modify the test preauth module to transmit a list of indicators (specified by a gic opt) from the clpreauth module to the kdcpreauth module and assert them to the KDC. Add a new s4u2proxy test harness in src/tests which can be used to exercise S4U2Proxy without going through GSSAPI, using a second ccache containing an existing evidence ticket. Add tests to t_authdata.py to exercise a variety of ticket issuing scenarios and verify that the correct auth indicators appear in each ticket. ticket: 8157
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/test/cltest.c66
-rw-r--r--src/plugins/preauth/test/kdctest.c29
2 files changed, 83 insertions, 12 deletions
diff --git a/src/plugins/preauth/test/cltest.c b/src/plugins/preauth/test/cltest.c
index fe63ed9..d101a21 100644
--- a/src/plugins/preauth/test/cltest.c
+++ b/src/plugins/preauth/test/cltest.c
@@ -32,9 +32,15 @@
/*
* This module is used to test preauth interface features. At this time, the
- * clpreauth module decrypts a message from the initial KDC padata using the
- * reply key and prints it to stdout. (The unencrypted message "no key" can
- * also be displayed.) An empty padata message is then sent to the KDC.
+ * clpreauth module does two things:
+ *
+ * - It decrypts a message from the initial KDC padata using the reply key and
+ * prints it to stdout. (The unencrypted message "no key" can also be
+ * displayed.)
+ *
+ * - It pulls an "indicators" attribute from the gic preauth options and sends
+ * it to the server, instructing the kdcpreauth module to assert one or more
+ * space-separated authentication indicators.
*/
#include "k5-int.h"
@@ -44,6 +50,31 @@
static krb5_preauthtype pa_types[] = { TEST_PA_TYPE, 0 };
+struct client_state {
+ char *indicators;
+};
+
+static krb5_error_code
+test_init(krb5_context context, krb5_clpreauth_moddata *moddata_out)
+{
+ struct client_state *st;
+
+ st = malloc(sizeof(*st));
+ assert(st != NULL);
+ st->indicators = NULL;
+ *moddata_out = (krb5_clpreauth_moddata)st;
+ return 0;
+}
+
+static void
+test_fini(krb5_context context, krb5_clpreauth_moddata moddata)
+{
+ struct client_state *st = (struct client_state *)moddata;
+
+ free(st->indicators);
+ free(st);
+}
+
static krb5_error_code
test_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
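Review bot: test_init allocates its state with a bare malloc() guarded only by assert(), which is inconsistent with the k5alloc()/k5calloc() + ret pattern the rest of this file uses (see the list and pa allocations in test_process), and under NDEBUG the assert vanishes so an allocation failure would dereference NULL on the next line. Returning the error keeps the module's init contract honest and lets the plugin loader report it: `st = k5alloc(sizeof(*st), &ret);` / `if (ret) return ret;`, keeping the explicit `st->indicators = NULL;` unless k5alloc is confirmed to zero the block. test_fini is fine as written since free(NULL) is a no-op and fini is presumably only reached after a successful init.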
@@ -53,17 +84,21 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_prompter_fct prompter, void *prompter_data,
krb5_pa_data ***out_pa_data)
{
+ struct client_state *st = (struct client_state *)moddata;
krb5_error_code ret;
krb5_pa_data **list, *pa;
krb5_keyblock *k;
krb5_enc_data enc;
krb5_data plain;
+ const char *indstr;
if (pa_data->length == 6 && memcmp(pa_data->contents, "no key", 6) == 0) {
printf("no key\n");
} else {
+ /* This fails during s4u_identify_user(), so don't assert. */
ret = cb->get_as_key(context, rock, &k);
- assert(!ret);
+ if (ret)
+ return ret;
ret = alloc_data(&plain, pa_data->length);
assert(!ret);
enc.enctype = k->enctype;
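Review bot: The new early return after get_as_key() is correct, but the comment explains only why the assert was dropped, not the consequence: returning here leaves the rest of test_process unexecuted, so no indicator padata is sent on that pass (the body continues past this hunk). I would make that explicit so a future reader does not "fix" it by sending the padata anyway: `/* get_as_key fails during s4u_identify_user(); return the error rather than asserting.  This also skips sending indicators on that pass, which is intended. */`. Whether the S4U path ever needs indicators from this module is not visible in this diff, so the comment should be checked against t_authdata.py.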
@@ -74,19 +109,35 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
free(plain.data);
}
+ indstr = (st->indicators != NULL) ? st->indicators : "";
list = k5calloc(2, sizeof(*list), &ret);
assert(!ret);
pa = k5alloc(sizeof(*pa), &ret);
assert(!ret);
pa->pa_type = TEST_PA_TYPE;
- pa->contents = NULL;
- pa->length = 0;
+ pa->contents = (uint8_t *)strdup(indstr);
+ assert(pa->contents != NULL);
+ pa->length = strlen(indstr);
list[0] = pa;
list[1] = NULL;
*out_pa_data = list;
return 0;
}
+static krb5_error_code
+test_gic_opt(krb5_context kcontext, krb5_clpreauth_moddata moddata,
+ krb5_get_init_creds_opt *opt, const char *attr, const char *value)
+{
+ struct client_state *st = (struct client_state *)moddata;
+
+ if (strcmp(attr, "indicators") == 0) {
+ free(st->indicators);
+ st->indicators = strdup(value);
+ assert(st->indicators != NULL);
+ }
+ return 0;
+}
+
krb5_error_code
clpreauth_test_initvt(krb5_context context, int maj_ver,
int min_ver, krb5_plugin_vtable vtable);
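Review bot: test_gic_opt passes `value` straight to strdup() without checking it; if the gic_opts contract allows a NULL value for an attribute (not visible here), strdup(NULL) is undefined behavior rather than a clean failure. A one-line guard keeps the module safe either way: `if (strcmp(attr, "indicators") == 0 && value != NULL) {`, or return EINVAL for a NULL value if the test harness should never supply one. The rest of the hunk (copying indstr into the padata with a length that excludes the NUL) is fine, since the KDC side re-terminates with k5memdup0.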
@@ -102,6 +153,9 @@ clpreauth_test_initvt(krb5_context context, int maj_ver,
vt = (krb5_clpreauth_vtable)vtable;
vt->name = "test";
vt->pa_type_list = pa_types;
+ vt->init = test_init;
+ vt->fini = test_fini;
vt->process = test_process;
+ vt->gic_opts = test_gic_opt;
return 0;
}
diff --git a/src/plugins/preauth/test/kdctest.c b/src/plugins/preauth/test/kdctest.c
index ba5125a..c824626 100644
--- a/src/plugins/preauth/test/kdctest.c
+++ b/src/plugins/preauth/test/kdctest.c
@@ -31,12 +31,17 @@
*/
/*
- * This module is used to test preauth interface features. Currently, it
- * retrieves the "teststring" attribute from the client principal and sends it
- * to the client, encrypted in the reply key. (The plain text "no key" is sent
- * if there is no reply key; the encrypted message "no attr" is sent if there
- * is no string attribute.) Upon receiving padata from the client, it always
- * succeeds in preauthenticating the request.
+ * This module is used to test preauth interface features. Currently, the
+ * kdcpreauth module does two things:
+ *
+ * - It retrieves the "teststring" attribute from the client principal and
+ * sends it to the client, encrypted in the reply key. (The plain text "no
+ * key" is sent if there is no reply key; the encrypted message "no attr" is
+ * sent if there is no string attribute.)
+ *
+ * - It receives a space-separated list from the clpreauth module and asserts
+ * each string as an authentication indicator. It always succeeds in
+ * pre-authenticating the request.
*
* To use this module, a test script should:
* - Register this module and the corresponding clpreauth module
@@ -98,6 +103,18 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
+ krb5_error_code ret;
+ char *str, *ind, *toksave = NULL;
+
+ str = k5memdup0(data->contents, data->length, &ret);
+ if (ret)
+ abort();
+ ind = strtok_r(str, " ", &toksave);
+ while (ind != NULL) {
+ cb->add_auth_indicator(context, rock, ind);
+ ind = strtok_r(NULL, " ", &toksave);
+ }
+ free(str);
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
(*respond)(arg, 0, NULL, NULL, NULL);
}
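Review bot: The return value of cb->add_auth_indicator() is discarded on each loop iteration, so an indicator that fails to be recorded (e.g. on allocation failure) is silently dropped while the request is still marked TKT_FLG_PRE_AUTH and succeeds; that is a silent downgrade even in a test module, and the test assertions would then fail for the wrong reason. Propagate the error through respond instead: `ret = cb->add_auth_indicator(context, rock, ind);` / `if (ret) { free(str); (*respond)(arg, ret, NULL, NULL, NULL); return; }`. Separately, this code asserts whatever space-separated strings the client sent, with no verification at all, which is the intended behavior for exercising the indicator plumbing but is exactly the pattern a production kdcpreauth module must never copy; the module header comment (earlier hunk in this file) should say so, e.g. "Indicators are taken unverified from client padata; this is test-only and not a model for real modules." The abort() on k5memdup0 failure matches the file's existing fail-hard style and is fine for a test module.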