From: Greg Hudson Date: Fri, 21 Aug 2015 16:26:17 +0000 (-0400) Subject: Adjust SPNEGO Microsoft krb5 OID tests X-Git-Tag: krb5-1.14-alpha1~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53cc103b176b2141fbe4b92b433a516ac06a1ff4;p=thirdparty%2Fkrb5.git Adjust SPNEGO Microsoft krb5 OID tests In the Microsoft krb5 OID tests in t_spnego.c, use the proper krb5 OID for the framing of the mech token, which better reflects the behavior of Microsoft clients that use the wrong OID. Move the test to a separate function and run it twice, once with an acceptor cred and once without. Also add a comment noting that the reselection test no longer exercises what it was designed to. We can't really fix that until we add gss_acquire_cred_with_cred() or similar. --- diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c index 8ab6e25a76..80df1bf655 100644 --- a/src/tests/gssapi/t_spnego.c +++ b/src/tests/gssapi/t_spnego.c @@ -135,6 +135,63 @@ create_mskrb5_spnego_token(gss_buffer_t ktok, gss_buffer_desc *tok_out) tok_out->length = len; } +/* + * Test that the SPNEGO acceptor code accepts and properly reflects back the + * erroneous Microsoft mech OID in the supportedMech field of the NegTokenResp + * message. Use acred as the verifier cred handle. + */ +static void +test_mskrb_oid(gss_name_t tname, gss_cred_id_t acred) +{ + OM_uint32 major, minor; + gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; + gss_buffer_desc atok = GSS_C_EMPTY_BUFFER, ktok = GSS_C_EMPTY_BUFFER, stok; + const unsigned char *atok_oid; + + /* + * Our SPNEGO mech no longer acquires creds for the wrong mech OID, so we + * have to construct a SPNEGO token ourselves. + */ + major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname, + &mech_krb5, 0, GSS_C_INDEFINITE, + GSS_C_NO_CHANNEL_BINDINGS, &atok, NULL, &ktok, + NULL, NULL); + check_gsserr("gss_init_sec_context(mskrb)", major, minor); + assert(major == GSS_S_COMPLETE); + create_mskrb5_spnego_token(&ktok, &stok); + + /* + * Look directly at the DER encoding of the response token. Since we + * didn't request mutual authentication, the SPNEGO reply will contain no + * underlying mech token; therefore, the encoding of the correct + * NegotiationToken response is completely predictable: + * + * A1 14 (choice 1, length 20, meaning negTokenResp) + * 30 12 (sequence, length 18) + * A0 03 (context tag 0, length 3) + * 0A 01 00 (enumerated value 0, meaning accept-completed) + * A1 0B (context tag 1, length 11) + * 06 09 (object identifier, length 9) + * 2A 86 48 82 F7 12 01 02 02 (the erroneous krb5 OID) + * + * So we can just compare the length to 22 and the nine bytes at offset 13 + * to the expected OID. + */ + major = gss_accept_sec_context(&minor, &actx, acred, &stok, + GSS_C_NO_CHANNEL_BINDINGS, NULL, + NULL, &atok, NULL, NULL, NULL); + check_gsserr("gss_accept_sec_context(mskrb)", major, minor); + assert(atok.length == 22); + atok_oid = (unsigned char *)atok.value + 13; + assert(memcmp(atok_oid, mech_krb5_wrong.elements, 9) == 0); + + (void)gss_delete_sec_context(&minor, &ictx, NULL); + (void)gss_delete_sec_context(&minor, &actx, NULL); + (void)gss_release_buffer(&minor, &ktok); + (void)gss_release_buffer(&minor, &atok); + free(stok.value); +} + int main(int argc, char *argv[]) { @@ -142,13 +199,11 @@ main(int argc, char *argv[]) gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t initiator_cred_handle = GSS_C_NO_CREDENTIAL; gss_OID_set actual_mechs = GSS_C_NO_OID_SET; - gss_buffer_desc atok = GSS_C_EMPTY_BUFFER, ktok = GSS_C_EMPTY_BUFFER, stok; gss_ctx_id_t initiator_context, acceptor_context; gss_name_t target_name, source_name = GSS_C_NO_NAME; gss_OID mech = GSS_C_NO_OID; gss_OID_desc pref_oids[2]; gss_OID_set_desc pref_mechs; - const unsigned char *atok_oid; if (argc < 2 || argc > 3) { fprintf(stderr, "Usage: %s target_name [keytab]\n", argv[0]); @@ -168,6 +223,15 @@ main(int argc, char *argv[]) &initiator_cred_handle, NULL, NULL); check_gsserr("gss_acquire_cred(initiator)", major, minor); + /* + * The following test is designed to exercise SPNEGO reselection on the + * client and server. Unfortunately, it no longer does so after tickets + * #8217 and #8021, since SPNEGO now only acquires a single krb5 cred and + * there is no way to expand the underlying creds with gss_set_neg_mechs(). + * To fix this we need gss_acquire_cred_with_cred() or some other way to + * turn a cred with a specifically requested mech set into a SPNEGO cred. + */ + /* Make the initiator prefer IAKERB and offer krb5 as an alternative. */ pref_oids[0] = mech_iakerb; pref_oids[1] = mech_krb5; @@ -195,58 +259,18 @@ main(int argc, char *argv[]) display_canon_name("Source name", source_name, &mech_krb5); display_oid("Source mech", mech); + /* Test acceptance of the erroneous Microsoft krb5 OID, with and without an + * acceptor cred. */ + test_mskrb_oid(target_name, verifier_cred_handle); + test_mskrb_oid(target_name, GSS_C_NO_CREDENTIAL); + (void)gss_delete_sec_context(&minor, &initiator_context, NULL); (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); (void)gss_release_name(&minor, &source_name); + (void)gss_release_name(&minor, &target_name); (void)gss_release_cred(&minor, &initiator_cred_handle); (void)gss_release_cred(&minor, &verifier_cred_handle); (void)gss_release_oid_set(&minor, &actual_mechs); - /* - * Test that the SPNEGO acceptor code properly reflects back the erroneous - * Microsoft mech OID in the supportedMech field of the NegTokenResp - * message. Our SPNEGO mech no longer acquires creds for the wrong mech - * OID, so we have to construct a SPNEGO token ourselves, and then look - * look directly at the DER encoding of the response token. If we don't - * request mutual authentication, the SPNEGO reply will contain no - * underlying mech token, so the encoding of the correct NegotiationToken - * response is completely predictable: - * - * A1 14 (choice 1, length 20, meaning negTokenResp) - * 30 12 (sequence, length 18) - * A0 03 (context tag 0, length 3) - * 0A 01 00 (enumerated value 0, meaning accept-completed) - * A1 0B (context tag 1, length 11) - * 06 09 (object identifier, length 9) - * 2A 86 48 82 F7 12 01 02 02 (the erroneous krb5 OID) - * - * So we can just compare the length to 22 and the nine bytes at offset 13 - * to the expected OID. - */ - major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, - &initiator_context, target_name, - (gss_OID)gss_mech_krb5_wrong, flags, - GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, - &atok, NULL, &ktok, NULL, NULL); - check_gsserr("gss_init_sec_context", major, minor); - assert(major == GSS_S_COMPLETE); - create_mskrb5_spnego_token(&ktok, &stok); - - major = gss_accept_sec_context(&minor, &acceptor_context, - GSS_C_NO_CREDENTIAL, &stok, - GSS_C_NO_CHANNEL_BINDINGS, NULL, - NULL, &atok, NULL, NULL, NULL); - assert(atok.length == 22); - atok_oid = (unsigned char *)atok.value + 13; - assert(memcmp(atok_oid, mech_krb5_wrong.elements, 9) == 0); - check_gsserr("gss_accept_sec_context", major, minor); - - (void)gss_delete_sec_context(&minor, &initiator_context, NULL); - (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); - (void)gss_release_cred(&minor, &initiator_cred_handle); - (void)gss_release_name(&minor, &target_name); - (void)gss_release_buffer(&minor, &ktok); - (void)gss_release_buffer(&minor, &atok); - free(stok.value); return 0; }