* Arguments:
*
* service_name (r) the ASCII service name
+ * mech (r) the desired mechanism (or GSS_C_NO_OID)
* server_creds (w) the GSS-API service credentials
*
* Returns: 0 on success, -1 on failure
* The service name is imported with gss_import_name, and service
* credentials are acquired with gss_acquire_cred. If either opertion
* fails, an error message is displayed and -1 is returned; otherwise,
- * 0 is returned.
+ * 0 is returned. If mech is given, credentials are acquired for the
+ * specified mechanism.
*/
static int
-server_acquire_creds(char *service_name, gss_cred_id_t *server_creds)
+server_acquire_creds(char *service_name, gss_OID mech,
+ gss_cred_id_t *server_creds)
{
gss_buffer_desc name_buf;
gss_name_t server_name;
OM_uint32 maj_stat, min_stat;
+ gss_OID_set_desc mechlist;
+ gss_OID_set mechs = GSS_C_NO_OID_SET;
name_buf.value = service_name;
name_buf.length = strlen(name_buf.value) + 1;
return -1;
}
- maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
+ if (mech != GSS_C_NO_OID) {
+ mechlist.count = 1;
+ mechlist.elements = mech;
+ mechs = &mechlist;
+ }
+ maj_stat = gss_acquire_cred(&min_stat, server_name, 0, mechs, GSS_C_ACCEPT,
server_creds, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE) {
display_status("acquiring credentials", maj_stat, min_stat);
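Review bot: The `mechs = &mechlist;` assignment hands gss_acquire_cred a stack object whose `elements` points at the caller's OID, and nothing in the new code says so; a later edit that adds `gss_release_oid_set(&min_stat, &mechs)` on the error path would free a stack object. Suggest a comment above the `if (mech != GSS_C_NO_OID)` block: `/* mechlist is a stack-allocated set wrapping the caller's OID; pass it to gss_acquire_cred only, never to gss_release_oid_set. */`. The error path's closing brace and the rest of server_acquire_creds lie outside this hunk.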
{
char *service_name;
gss_cred_id_t server_creds;
+ gss_OID mech = GSS_C_NO_OID;
OM_uint32 min_stat;
u_short port = 4444;
int once = 0;
fprintf(stderr, "failed to register keytab\n");
exit(1);
}
+ } else if (strcmp(*argv, "-iakerb") == 0) {
+ mech = (gss_OID)gss_mech_iakerb;
} else
break;
argc--;
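Review bot: `mech = (gss_OID)gss_mech_iakerb;` casts away const without saying why; as far as I recall gss_mech_iakerb is declared as a pointer to a const OID, and the cast is needed only because `gss_OID_set_desc.elements` is a non-const `gss_OID`. Suggest making that explicit inline: `mech = (gss_OID)gss_mech_iakerb; /* const cast: gss_OID_set_desc.elements is not const-qualified */`. If usage() is not updated in the same commit (not visible here), the new `-iakerb` option should be listed there as well. The option-parsing loop of main() begins before this hunk.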
service_name = *argv;
- if (server_acquire_creds(service_name, &server_creds) < 0)
+ if (server_acquire_creds(service_name, mech, &server_creds) < 0)
return -1;
if (do_inetd) {
gss_server = os.path.join(appdir, 'gss-server')
# Run a gss-server process and a gss-client process, with additional
-# gss-client flags given by options. Verify that gss-client displayed
-# the expected output for a successful negotiation, and that we
-# obtained credentials for the host service.
-def server_client_test(realm, options):
+# gss-client flags given by options and additional gss-server flags
+# given by server_options. Return the output of gss-client.
+def run_client_server(realm, options, server_options, expected_code=0):
portstr = str(realm.server_port())
- server = realm.start_server([gss_server, '-port', portstr, 'host'],
- 'starting...')
- output = realm.run([gss_client, '-port', portstr] + options +
- [hostname, 'host', 'testmsg'])
- if 'Signature verified.' not in output:
- fail('Expected message not seen in gss-client output')
+ server_args = [gss_server, '-port', portstr] + server_options + ['host']
+ server = realm.start_server(server_args, 'starting...')
+ out = realm.run([gss_client, '-port', portstr] + options +
+ [hostname, 'host', 'testmsg'], expected_code=expected_code)
stop_daemon(server)
+ return out
+
+# Run a gss-server and gss-client process, and verify that gss-client
+# displayed the expected output for a successful negotiation.
+def server_client_test(realm, options, server_options):
+ out = run_client_server(realm, options, server_options)
+ if 'Signature verified.' not in out:
+ fail('Expected message not seen in gss-client output')
# Make up a filename to hold user's initial credentials.
def ccache_savefile(realm):
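Review bot: The header comment on run_client_server documents options and server_options but not the new expected_code parameter, which decides whether a non-zero gss-client exit is treated as a test failure. Suggest appending `# expected_code is the exit status gss-client is expected to return; the default (0) means a successful run.`. Separately, `stop_daemon(server)` is not reached if `realm.run` raises before it; whether the test harness reaps leftover daemons at exit is not visible here, so a try/finally around the client run may be worth considering.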
shutil.copyfile(ccache_savefile(realm), realm.ccache)
# Perform a regular (TGS path) test of the server and client.
-def tgs_test(realm, options):
+def tgs_test(realm, options, server_options=[]):
ccache_restore(realm)
- server_client_test(realm, options)
+ server_client_test(realm, options, server_options)
realm.klist(realm.user_princ, realm.host_princ)
# Perform a test of the server and client with initial credentials
# obtained through gss_acquire_cred_with_password().
-def pw_test(realm, options):
+def pw_test(realm, options, server_options=[]):
if os.path.exists(realm.ccache):
os.remove(realm.ccache)
- server_client_test(realm, options + ['-user', realm.user_princ,
- '-pass', password('user')])
+ options = options + ['-user', realm.user_princ, '-pass', password('user')]
+ server_client_test(realm, options, server_options)
if os.path.exists(realm.ccache):
fail('gss_acquire_cred_with_password created ccache')
+# Perform a test using the wrong password, and make sure that failure
+# occurs during the expected operation (gss_init_sec_context() for
+# IAKERB, gss_aqcuire_cred_with_password() otherwise).
+def wrong_pw_test(realm, options, server_options=[], iakerb=False):
+ options = options + ['-user', realm.user_princ, '-pass', 'wrongpw']
+ out = run_client_server(realm, options, server_options, expected_code=1)
+ failed_op = 'initializing context' if iakerb else 'acquiring creds'
+ if 'GSS-API error ' + failed_op not in out:
+ fail('Expected error not seen in gss-client output')
+
# Perform a test of the server and client with initial credentials
# obtained with the client keytab
-def kt_test(realm, options):
+def kt_test(realm, options, server_options=[]):
if os.path.exists(realm.ccache):
os.remove(realm.ccache)
- server_client_test(realm, options)
+ server_client_test(realm, options, server_options)
realm.klist(realm.user_princ, realm.host_princ)
for realm in multipass_realms():
tgs_test(realm, ['-krb5'])
tgs_test(realm, ['-spnego'])
- tgs_test(realm, ['-iakerb'])
+ tgs_test(realm, ['-iakerb'], ['-iakerb'])
# test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE
tgs_test(realm, ['-dce'])
pw_test(realm, ['-krb5'])
pw_test(realm, ['-spnego'])
- pw_test(realm, ['-iakerb'])
+ pw_test(realm, ['-iakerb'], ['-iakerb'])
pw_test(realm, ['-dce'])
+ wrong_pw_test(realm, ['-krb5'])
+ wrong_pw_test(realm, ['-spnego'])
+ wrong_pw_test(realm, ['-iakerb'], ['-iakerb'], True)
+ wrong_pw_test(realm, ['-dce'])
+
realm.extract_keytab(realm.user_princ, realm.client_keytab)
kt_test(realm, ['-krb5'])
kt_test(realm, ['-spnego'])
- kt_test(realm, ['-iakerb'])
+ kt_test(realm, ['-iakerb'], ['-iakerb'])
kt_test(realm, ['-dce'])
success('GSS sample application')
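Review bot: The new comment above wrong_pw_test misspells the function it names: `gss_aqcuire_cred_with_password()` should read `gss_acquire_cred_with_password()`, and the comment could also state how the failing stage is detected, e.g. `# The failing operation is identified by the 'GSS-API error <operation>' prefix in gss-client's output.`. The `server_options=[]` defaults on tgs_test, pw_test, wrong_pw_test and kt_test are mutable defaults; every use here concatenates into a new list rather than mutating, so this is a style point only. Pinning the client's exit status to 1 via expected_code is the right shape for this negative test, since a wrong password must fail at the named stage rather than succeed through some other path.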