author | Greg Hudson <ghudson@mit.edu> | 2015-03-15 15:56:34 -0400 |
committer | Greg Hudson <ghudson@mit.edu> | 2015-07-22 12:22:47 -0400 |
commit | e64140aba967e3d8a785d4f83b1477ed0bdc85bd (patch) | |
tree | fddde1abf876ad9f7392d6eb115f31cf72c5a8ad /src/plugins | |
parent | 24dc279b9b14fe8d6674fdd2a9210c1e1fb52e37 (diff) | |
Test auth indicator functionality
Modify adata.c to handle CAMMAC containers and display auth
indicators. Modify the test preauth module to transmit a list of
indicators (specified by a gic opt) from the clpreauth module to the
kdcpreauth module and assert them to the KDC. Add a new s4u2proxy
test harness in src/tests which can be used to exercise S4U2Proxy
without going through GSSAPI, using a second ccache containing an
existing evidence ticket.
Add tests to t_authdata.py to exercise a variety of ticket issuing
scenarios and verify that the correct auth indicators appear in each
ticket.
ticket: 8157
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/preauth/test/cltest.c | 66 | ||||
-rw-r--r-- | src/plugins/preauth/test/kdctest.c | 29 |
2 files changed, 83 insertions, 12 deletions
diff --git a/src/plugins/preauth/test/cltest.c b/src/plugins/preauth/test/cltest.c
index fe63ed9..d101a21 100644
--- a/src/plugins/preauth/test/cltest.c
+++ b/src/plugins/preauth/test/cltest.c
@@ -32,9 +32,15 @@
 
 /*
  * This module is used to test preauth interface features. At this time, the
- * clpreauth module decrypts a message from the initial KDC padata using the
- * reply key and prints it to stdout. (The unencrypted message "no key" can
- * also be displayed.) An empty padata message is then sent to the KDC.
+ * clpreauth module does two things:
+ *
+ * - It decrypts a message from the initial KDC padata using the reply key and
+ *   prints it to stdout. (The unencrypted message "no key" can also be
+ *   displayed.)
+ *
+ * - It pulls an "indicators" attribute from the gic preauth options and sends
+ *   it to the server, instructing the kdcpreauth module to assert one or more
+ *   space-separated authentication indicators.
  */
 
 #include "k5-int.h"
@@ -44,6 +50,31 @@
 
 static krb5_preauthtype pa_types[] = { TEST_PA_TYPE, 0 };
 
+struct client_state {
+    char *indicators;
+};
+
+static krb5_error_code
+test_init(krb5_context context, krb5_clpreauth_moddata *moddata_out)
+{
+    struct client_state *st;
+
+    st = malloc(sizeof(*st));
+    assert(st != NULL);
+    st->indicators = NULL;
+    *moddata_out = (krb5_clpreauth_moddata)st;
+    return 0;
+}
+
+static void
+test_fini(krb5_context context, krb5_clpreauth_moddata moddata)
+{
+    struct client_state *st = (struct client_state *)moddata;
+
+    free(st->indicators);
+    free(st);
+}
+
 static krb5_error_code
 test_process(krb5_context context, krb5_clpreauth_moddata moddata,
              krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
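Review bot: test_init allocates its state with a bare `malloc` followed by `assert(st != NULL)`, whereas test_process in the same file reports allocation failure through `k5alloc`/`k5calloc` with a `ret` out-parameter; the new code would read more consistently as `st = k5alloc(sizeof(*st), &ret); assert(!ret);` (or a real `return ENOMEM;`). With NDEBUG defined the assert disappears and a NULL `st` would be dereferenced on the next line, so even in a test module an explicit error return is the safer shape. test_fini dereferences moddata unconditionally, which is fine only if the plugin framework never calls fini without a successful init; a one-line comment stating that assumption above test_fini would make the contract visible. The test_process definition that starts at the end of this hunk continues in the next one.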
@@ -53,17 +84,21 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
              krb5_prompter_fct prompter, void *prompter_data,
              krb5_pa_data ***out_pa_data)
 {
+    struct client_state *st = (struct client_state *)moddata;
     krb5_error_code ret;
     krb5_pa_data **list, *pa;
     krb5_keyblock *k;
     krb5_enc_data enc;
     krb5_data plain;
+    const char *indstr;
 
     if (pa_data->length == 6 && memcmp(pa_data->contents, "no key", 6) == 0) {
         printf("no key\n");
     } else {
+        /* This fails during s4u_identify_user(), so don't assert. */
         ret = cb->get_as_key(context, rock, &k);
-        assert(!ret);
+        if (ret)
+            return ret;
         ret = alloc_data(&plain, pa_data->length);
         assert(!ret);
         enc.enctype = k->enctype;
@@ -74,19 +109,35 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
         free(plain.data);
     }
 
+    indstr = (st->indicators != NULL) ? st->indicators : "";
     list = k5calloc(2, sizeof(*list), &ret);
     assert(!ret);
     pa = k5alloc(sizeof(*pa), &ret);
     assert(!ret);
     pa->pa_type = TEST_PA_TYPE;
-    pa->contents = NULL;
-    pa->length = 0;
+    pa->contents = (uint8_t *)strdup(indstr);
+    assert(pa->contents != NULL);
+    pa->length = strlen(indstr);
     list[0] = pa;
     list[1] = NULL;
     *out_pa_data = list;
     return 0;
 }
 
+static krb5_error_code
+test_gic_opt(krb5_context kcontext, krb5_clpreauth_moddata moddata,
+             krb5_get_init_creds_opt *opt, const char *attr, const char *value)
+{
+    struct client_state *st = (struct client_state *)moddata;
+
+    if (strcmp(attr, "indicators") == 0) {
+        free(st->indicators);
+        st->indicators = strdup(value);
+        assert(st->indicators != NULL);
+    }
+    return 0;
+}
+
 krb5_error_code
 clpreauth_test_initvt(krb5_context context, int maj_ver, int min_ver,
                       krb5_plugin_vtable vtable);
@@ -102,6 +153,9 @@ clpreauth_test_initvt(krb5_context context, int maj_ver,
     vt = (krb5_clpreauth_vtable)vtable;
     vt->name = "test";
     vt->pa_type_list = pa_types;
+    vt->init = test_init;
+    vt->fini = test_fini;
     vt->process = test_process;
+    vt->gic_opts = test_gic_opt;
     return 0;
 }
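Review bot: test_gic_opt carries no comment explaining the attribute it consumes, and its `free` then `strdup` sequence means a repeated `indicators` option silently replaces the earlier value, which a test author needs to know; I would add above the function `/* gic_opts handler: remember the "indicators" attribute (a space-separated list). A later setting replaces an earlier one; other attributes are ignored. */`. In test_process, the `pa->contents = (uint8_t *)strdup(indstr)` line ships the list as plaintext padata with no encryption or binding to the request visible in this hunk, so a short comment there noting that the KDC side trusts whatever arrives would make the test-only nature of the transport explicit. Checking `value != NULL` before `strdup(value)` in test_gic_opt would also avoid undefined behaviour if a caller ever passes an attribute without a value. The enclosing test_process function begins in the previous hunk.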
diff --git a/src/plugins/preauth/test/kdctest.c b/src/plugins/preauth/test/kdctest.c
index ba5125a..c824626 100644
--- a/src/plugins/preauth/test/kdctest.c
+++ b/src/plugins/preauth/test/kdctest.c
@@ -31,12 +31,17 @@
  */
 
 /*
- * This module is used to test preauth interface features. Currently, it
- * retrieves the "teststring" attribute from the client principal and sends it
- * to the client, encrypted in the reply key. (The plain text "no key" is sent
- * if there is no reply key; the encrypted message "no attr" is sent if there
- * is no string attribute.) Upon receiving padata from the client, it always
- * succeeds in preauthenticating the request.
+ * This module is used to test preauth interface features. Currently, the
+ * kdcpreauth module does two things:
+ *
+ * - It retrieves the "teststring" attribute from the client principal and
+ *   sends it to the client, encrypted in the reply key. (The plain text "no
+ *   key" is sent if there is no reply key; the encrypted message "no attr" is
+ *   sent if there is no string attribute.)
+ *
+ * - It receives a space-separated list from the clpreauth module and asserts
+ *   each string as an authentication indicator. It always succeeds in
+ *   pre-authenticating the request.
  *
  * To use this module, a test script should:
  * - Register this module and the corresponding clpreauth module
@@ -98,6 +103,18 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
             krb5_kdcpreauth_moddata moddata,
             krb5_kdcpreauth_verify_respond_fn respond, void *arg)
 {
+    krb5_error_code ret;
+    char *str, *ind, *toksave = NULL;
+
+    str = k5memdup0(data->contents, data->length, &ret);
+    if (ret)
+        abort();
+    ind = strtok_r(str, " ", &toksave);
+    while (ind != NULL) {
+        cb->add_auth_indicator(context, rock, ind);
+        ind = strtok_r(NULL, " ", &toksave);
+    }
+    free(str);
     enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
     (*respond)(arg, 0, NULL, NULL, NULL);
 }
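Review bot: The return value of `cb->add_auth_indicator(context, rock, ind)` is discarded inside the strtok_r loop; if that callback reports failure through its return code, as the other callbacks used in this file do, a lost indicator would go unnoticed and the request would still be marked pre-authenticated on the following `enc_tkt_reply->flags` line. Since the hunk already aborts on a k5memdup0 failure, the consistent fix is `ret = cb->add_auth_indicator(context, rock, ind); if (ret) abort();`. The loop asserts whatever strings the client placed in the padata, with no validation of their content, which is acceptable only because this is a test plugin; I would add above the loop `/* Test-only: indicators are taken verbatim from unauthenticated client padata. Never load this module on a production KDC. */`. test_verify's parameter list, including the `data`, `cb` and `rock` arguments used here, begins outside the hunk.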