From: Greg Hudson Date: Wed, 4 Sep 2013 18:23:27 +0000 (-0400) Subject: Add tests for GSS IOV and AEAD interfaces X-Git-Tag: krb5-1.12-alpha1~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ecd91cd350b2c3880b3f967acfcb00ac1bdac154;p=thirdparty%2Fkrb5.git Add tests for GSS IOV and AEAD interfaces Add a new test program t_iov.c which tests various combinations of wrapping and unwrapping using the IOV and AEAD interfaces. Run it with and without SPNEGO in each enctype configuration. --- diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in index 04cba078bc..b40e5b8470 100644 --- a/src/tests/gssapi/Makefile.in +++ b/src/tests/gssapi/Makefile.in @@ -5,22 +5,22 @@ DEFINES = -DUSE_AUTOCONF_H SRCS= $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_credstore.c \ $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ - $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_mechs_name.c \ + $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ $(srcdir)/t_namingexts.c $(srcdir)/t_s4u.c \ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ $(srcdir)/t_spnego.c OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_credstore.o \ t_export_cred.o t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o \ - t_inq_cred.o t_inq_mechs_name.o t_namingexts.o t_oid.o t_s4u.o \ - t_s4u2proxy_krb5.o t_saslname.o t_spnego.o + t_inq_cred.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \ + t_s4u.o t_s4u2proxy_krb5.o t_saslname.o t_spnego.o COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) all:: ccinit ccrefresh t_accname t_ccselect t_credstore t_enctypes \ t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \ - t_inq_cred t_inq_mechs_name t_namingexts t_s4u t_s4u2proxy_krb5 \ + t_inq_cred t_inq_mechs_name t_iov t_namingexts t_s4u t_s4u2proxy_krb5 \ t_saslname t_spnego t_oid check-unix:: t_oid @@ -28,7 +28,7 @@ check-unix:: t_oid check-pytests:: ccinit ccrefresh t_accname t_ccselect t_credstore \ t_export_cred t_export_name t_imp_cred t_inq_cred t_inq_mechs_name \ - t_s4u t_s4u2proxy_krb5 t_spnego + t_iov t_s4u t_s4u2proxy_krb5 t_spnego $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) @@ -62,6 +62,8 @@ t_inq_cred: t_inq_cred.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_inq_cred.o $(COMMON_LIBS) t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS) +t_iov: t_iov.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS) t_namingexts: t_namingexts.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS) t_s4u: t_s4u.o $(COMMON_DEPS) diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps index c576f35b7b..2e74a2acaa 100644 --- a/src/tests/gssapi/deps +++ b/src/tests/gssapi/deps @@ -43,6 +43,10 @@ $(OUTPRE)t_inq_mechs_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ common.h t_inq_mechs_name.c +$(OUTPRE)t_iov.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ + common.h t_iov.c $(OUTPRE)t_namingexts.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index 5583b0247f..2b86d3eafc 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -1,9 +1,12 @@ #!/usr/bin/python from k5test import * -# Test krb5 negotiation under SPNEGO for all enctype configurations. +# Test krb5 negotiation under SPNEGO for all enctype configurations. Also +# test IOV wrap/unwrap with and without SPNEGO. for realm in multipass_realms(): realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab]) + realm.run(['./t_iov', 'p:' + realm.host_princ]) + realm.run(['./t_iov', '-s', 'p:' + realm.host_princ]) ### Test acceptor name behavior. diff --git a/src/tests/gssapi/t_iov.c b/src/tests/gssapi/t_iov.c new file mode 100644 index 0000000000..8a74b4eb28 --- /dev/null +++ b/src/tests/gssapi/t_iov.c @@ -0,0 +1,471 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/gssapi/t_iov.c - Test program for IOV functions */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include "common.h" + +/* Release all library-allocated buffers in iov. */ +static void +release_iov(gss_iov_buffer_desc *iov, size_t len) +{ + OM_uint32 minor; + size_t i; + + for (i = 0; i < len; i++) { + if (GSS_IOV_BUFFER_FLAGS(iov[i].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED) + (void)gss_release_buffer(&minor, &iov[i].buffer); + } +} + +/* Concatenate iov (except for sign-only buffers) into a contiguous token. */ +static void +concat_iov(gss_iov_buffer_desc *iov, size_t iovlen, char **buf_out, + size_t *len_out) +{ + size_t len, i; + char *buf; + + /* Concatenate the result into a contiguous buffer. */ + len = 0; + for (i = 0; i < iovlen; i++) { + if (GSS_IOV_BUFFER_TYPE(iov[i].type) != GSS_IOV_BUFFER_TYPE_SIGN_ONLY) + len += iov[i].buffer.length; + } + buf = malloc(len); + if (buf == NULL) + errout("malloc failed"); + len = 0; + for (i = 0; i < iovlen; i++) { + if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY) + continue; + memcpy(buf + len, iov[i].buffer.value, iov[i].buffer.length); + len += iov[i].buffer.length; + } + *buf_out = buf; + *len_out = len; +} + +static void +check_encrypted(const char *msg, int conf, const char *buf, const char *plain) +{ + int same = memcmp(buf, plain, strlen(plain)) == 0; + + if ((conf && same) || (!conf && !same)) + errout(msg); +} + +/* + * Wrap str in standard form (HEADER | DATA | PADDING | TRAILER) using the + * caller-provided array iov, which must have space for four elements. Library + * allocation will be used for the header/padding/trailer buffers, so the + * caller must check and free them. + */ +static void +wrap_std(gss_ctx_id_t ctx, char *str, gss_iov_buffer_desc *iov, int conf) +{ + OM_uint32 minor, major; + int oconf; + + /* Lay out iov array. */ + iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; + iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[1].buffer.value = str; + iov[1].buffer.length = strlen(str); + iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; + iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; + + /* Wrap. This will allocate header/padding/trailer buffers as necessary + * and encrypt str in place. */ + major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 4); + check_gsserr("gss_wrap_iov(std)", major, minor); + if (oconf != conf) + errout("gss_wrap_iov(std) conf"); +} + +/* Create standard tokens using gss_wrap_iov and ctx1, and make sure we can + * unwrap them using ctx2 in all of the supported ways. */ +static void +test_standard_wrap(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf) +{ + OM_uint32 major, minor; + gss_iov_buffer_desc iov[4], stiov[2]; + gss_qop_t qop; + gss_buffer_desc input, output; + const char *string1 = "The swift brown fox jumped over the lazy dog."; + const char *string2 = "Now is the time!"; + const char *string3 = "x"; + const char *string4 = "!@#"; + char data[1024], *fulltoken; + size_t len; + int oconf; + ptrdiff_t offset; + + /* Wrap a standard token and unwrap it using the iov array. */ + memcpy(data, string1, strlen(string1) + 1); + wrap_std(ctx1, data, iov, conf); + check_encrypted("gss_wrap_iov(std1) encryption", conf, data, string1); + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4); + check_gsserr("gss_unwrap_iov(std1)", major, minor); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(std1) conf/qop"); + if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(string1)) + errout("gss_unwrap_iov(std1) data buffer"); + if (memcmp(data, string1, iov[1].buffer.length) != 0) + errout("gss_unwrap_iov(std1) decryption"); + release_iov(iov, 4); + + /* Wrap a standard token and unwrap it using gss_unwrap(). */ + memcpy(data, string2, strlen(string2) + 1); + wrap_std(ctx1, data, iov, conf); + concat_iov(iov, 4, &fulltoken, &len); + input.value = fulltoken; + input.length = len; + major = gss_unwrap(&minor, ctx2, &input, &output, &oconf, &qop); + check_gsserr("gss_unwrap(std2)", major, minor); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap(std2) conf/qop"); + if (output.length != strlen(string2) || + memcmp(output.value, string2, output.length) != 0) + errout("gss_unwrap(std2) decryption"); + (void)gss_release_buffer(&minor, &output); + free(fulltoken); + release_iov(iov, 4); + + /* Wrap a standard token and unwrap it using a stream buffer. */ + memcpy(data, string3, strlen(string3) + 1); + wrap_std(ctx1, data, iov, conf); + concat_iov(iov, 4, &fulltoken, &len); + stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; + stiov[0].buffer.value = fulltoken; + stiov[0].buffer.length = len; + stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA; + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2); + check_gsserr("gss_unwrap_iov(std3)", major, minor); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(std3) conf/qop"); + if (stiov[1].buffer.length != strlen(string3) || + memcmp(stiov[1].buffer.value, string3, strlen(string3)) != 0) + errout("gss_unwrap_iov(std3) decryption"); + offset = (char *)stiov[1].buffer.value - fulltoken; + if (offset < 0 || (size_t)offset > len) + errout("gss_unwrap_iov(std3) offset"); + free(fulltoken); + release_iov(iov, 4); + + /* Wrap a token using gss_wrap and unwrap it using a stream buffer with + * allocation and copying. */ + input.value = (char *)string4; + input.length = strlen(string4); + major = gss_wrap(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &input, &oconf, + &output); + check_gsserr("gss_wrap(std4)", major, minor); + if (oconf != conf) + errout("gss_wrap(std4) conf"); + stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; + stiov[0].buffer = output; + stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2); + check_gsserr("gss_unwrap_iov(std4)", major, minor); + if (!(GSS_IOV_BUFFER_FLAGS(stiov[1].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED)) + errout("gss_unwrap_iov(std4) allocated"); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(std4) conf/qop"); + if (stiov[1].buffer.length != strlen(string4) || + memcmp(stiov[1].buffer.value, string4, strlen(string4)) != 0) + errout("gss_unwrap_iov(std4) decryption"); + (void)gss_release_buffer(&minor, &output); + release_iov(stiov, 2); +} + +/* + * Wrap an AEAD token (HEADER | SIGN_ONLY | DATA | PADDING | TRAILER) using the + * caller-provided array iov, which must have space for five elements, and the + * caller-provided buffer data, which must be big enough to handle the test + * inputs. Library allocation will not be used. + */ +static void +wrap_aead(gss_ctx_id_t ctx, const char *sign, const char *wrap, + gss_iov_buffer_desc *iov, char *data, int conf) +{ + OM_uint32 major, minor; + int oconf; + char *ptr; + + /* Lay out iov array. */ + iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; + iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[1].buffer.value = (char *)sign; + iov[1].buffer.length = strlen(sign); + iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[2].buffer.value = (char *)wrap; + iov[2].buffer.length = strlen(wrap); + iov[3].type = GSS_IOV_BUFFER_TYPE_PADDING; + iov[4].type = GSS_IOV_BUFFER_TYPE_TRAILER; + + /* Get header/padding/trailer lengths. */ + major = gss_wrap_iov_length(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, + iov, 5); + check_gsserr("gss_wrap_iov_length(aead)", major, minor); + if (oconf != conf) + errout("gss_wrap_iov_length(aead) conf"); + if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign)) + errout("gss_wrap_iov_length(aead) sign-only buffer"); + if (iov[2].buffer.value != wrap || iov[2].buffer.length != strlen(wrap)) + errout("gss_wrap_iov_length(aead) data buffer"); + + /* Set iov buffer pointers using returned lengths. */ + iov[0].buffer.value = data; + ptr = data + iov[0].buffer.length; + memcpy(ptr, wrap, strlen(wrap)); + iov[2].buffer.value = ptr; + ptr += iov[2].buffer.length; + iov[3].buffer.value = ptr; + ptr += iov[3].buffer.length; + iov[4].buffer.value = ptr; + + /* Wrap the AEAD token. */ + major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 5); + check_gsserr("gss_wrap_iov(aead)", major, minor); + if (oconf != conf) + errout("gss_wrap_iov(aead) conf"); + if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign)) + errout("gss_wrap_iov(aead) sign-only buffer"); + if (iov[2].buffer.length != strlen(wrap)) + errout("gss_wrap_iov(aead) data buffer"); + check_encrypted("gss_wrap_iov(aead) encryption", conf, iov[2].buffer.value, + wrap); +} + +/* Create AEAD tokens using gss_wrap_iov and ctx1, and make sure we can unwrap + * them using ctx2 in all of the supported ways. */ +static void +test_aead(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf) +{ + OM_uint32 major, minor; + gss_iov_buffer_desc iov[5], stiov[3]; + gss_qop_t qop; + gss_buffer_desc input, assoc, output; + const char *sign = "This data is only signed."; + const char *wrap = "This data is wrapped in-place."; + char data[1024], *fulltoken; + size_t len; + int oconf; + ptrdiff_t offset; + + /* Wrap an AEAD token and unwrap it using the IOV array. */ + wrap_aead(ctx1, sign, wrap, iov, data, conf); + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 5); + check_gsserr("gss_unwrap_iov(aead1)", major, minor); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(aead1) conf/qop"); + if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign)) + errout("gss_unwrap_iov(aead1) sign-only buffer"); + if (iov[2].buffer.length != strlen(wrap) || + memcmp(iov[2].buffer.value, wrap, iov[2].buffer.length) != 0) + errout("gss_unwrap_iov(aead1) decryption"); + + /* Wrap an AEAD token and unwrap it using gss_unwrap_aead. */ + wrap_aead(ctx1, sign, wrap, iov, data, conf); + concat_iov(iov, 5, &fulltoken, &len); + input.value = fulltoken; + input.length = len; + assoc.value = (char *)sign; + assoc.length = strlen(sign); + major = gss_unwrap_aead(&minor, ctx2, &input, &assoc, &output, &oconf, + &qop); + check_gsserr("gss_unwrap_aead(aead2)", major, minor); + if (output.length != strlen(wrap) || + memcmp(output.value, wrap, output.length) != 0) + errout("gss_unwrap_aead(aead2) decryption"); + free(fulltoken); + (void)gss_release_buffer(&minor, &output); + + /* Wrap an AEAD token and unwrap it using a stream buffer. */ + wrap_aead(ctx1, sign, wrap, iov, data, conf); + concat_iov(iov, 5, &fulltoken, &len); + stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; + stiov[0].buffer.value = fulltoken; + stiov[0].buffer.length = len; + stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + stiov[1].buffer.value = (char *)sign; + stiov[1].buffer.length = strlen(sign); + stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA; + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3); + check_gsserr("gss_unwrap_iov(aead3)", major, minor); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(aead3) conf/qop"); + if (stiov[2].buffer.length != strlen(wrap) || + memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0) + errout("gss_unwrap_iov(aead3) decryption"); + offset = (char *)stiov[2].buffer.value - fulltoken; + if (offset < 0 || (size_t)offset > len) + errout("gss_unwrap_iov(aead3) offset"); + free(fulltoken); + release_iov(iov, 4); + + /* Wrap a token using gss_wrap_aead and unwrap it using a stream buffer + * with allocation and copying. */ + input.value = (char *)wrap; + input.length = strlen(wrap); + assoc.value = (char *)sign; + assoc.length = strlen(sign); + major = gss_wrap_aead(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &assoc, + &input, &oconf, &output); + check_gsserr("gss_wrap_aead(aead4)", major, minor); + if (oconf != conf) + errout("gss_wrap(aead4) conf"); + stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; + stiov[0].buffer = output; + stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + stiov[1].buffer = assoc; + stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3); + check_gsserr("gss_unwrap_iov(aead4)", major, minor); + if (!(GSS_IOV_BUFFER_FLAGS(stiov[2].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED)) + errout("gss_unwrap_iov(aead4) allocated"); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(aead4) conf/qop"); + if (stiov[2].buffer.length != strlen(wrap) || + memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0) + errout("gss_unwrap_iov(aead4) decryption"); + (void)gss_release_buffer(&minor, &output); + release_iov(stiov, 3); +} + +/* Create a DCE-style token and make sure we can unwrap it. */ +static void +test_dce(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf) +{ + OM_uint32 major, minor; + gss_iov_buffer_desc iov[4]; + gss_qop_t qop; + const char *sign1 = "First data to be signed"; + const char *sign2 = "Second data to be signed"; + const char *wrap = "This data must align to 16 bytes"; + int oconf; + char data[1024]; + + /* Wrap a SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER token. */ + memcpy(data, wrap, strlen(wrap) + 1); + iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[0].buffer.value = (char *)sign1; + iov[0].buffer.length = strlen(sign1); + iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[1].buffer.value = data; + iov[1].buffer.length = strlen(wrap); + iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[2].buffer.value = (char *)sign2; + iov[2].buffer.length = strlen(sign2); + iov[3].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; + major = gss_wrap_iov(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &oconf, iov, + 4); + check_gsserr("gss_wrap_iov(dce)", major, minor); + if (oconf != conf) + errout("gss_wrap_iov(dce) conf"); + if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1)) + errout("gss_wrap_iov(dce) sign1 buffer"); + if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap)) + errout("gss_wrap_iov(dce) data buffer"); + if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2)) + errout("gss_wrap_iov(dce) sign2 buffer"); + check_encrypted("gss_wrap_iov(dce) encryption", conf, data, wrap); + + /* Make sure we can unwrap it. */ + major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4); + check_gsserr("gss_unwrap_iov(std1)", major, minor); + if (oconf != conf || qop != GSS_C_QOP_DEFAULT) + errout("gss_unwrap_iov(std1) conf/qop"); + if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1)) + errout("gss_unwrap_iov(dce) sign1 buffer"); + if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap)) + errout("gss_unwrap_iov(dce) data buffer"); + if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2)) + errout("gss_unwrap_iov(dce) sign2 buffer"); + if (memcmp(data, wrap, iov[1].buffer.length) != 0) + errout("gss_unwrap_iov(dce) decryption"); + release_iov(iov, 4); +} + +int +main(int argc, char *argv[]) +{ + OM_uint32 minor, flags; + gss_OID mech = &mech_krb5; + gss_name_t tname; + gss_ctx_id_t ictx, actx; + + /* Parse arguments. */ + argv++; + if (*argv != NULL && strcmp(*argv, "-s") == 0) { + mech = &mech_spnego; + argv++; + } + if (*argv == NULL || *(argv + 1) != NULL) + errout("Usage: t_iov [-s] targetname"); + tname = import_name(*argv); + + flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG; + establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname, + flags, &ictx, &actx, NULL, NULL, NULL); + + /* Test standard token wrapping and unwrapping in both directions, with and + * without confidentiality. */ + test_standard_wrap(ictx, actx, 0); + test_standard_wrap(ictx, actx, 1); + test_standard_wrap(actx, ictx, 0); + test_standard_wrap(actx, ictx, 1); + + /* Test AEAD wrapping. */ + test_aead(ictx, actx, 0); + test_aead(ictx, actx, 1); + test_aead(actx, ictx, 0); + test_aead(actx, ictx, 1); + + /* Test DCE wrapping with DCE-style contexts. */ + (void)gss_delete_sec_context(&minor, &ictx, NULL); + (void)gss_delete_sec_context(&minor, &actx, NULL); + flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DCE_STYLE; + establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname, + flags, &ictx, &actx, NULL, NULL, NULL); + test_dce(ictx, actx, 0); + test_dce(ictx, actx, 1); + test_dce(actx, ictx, 0); + test_dce(actx, ictx, 1); + + (void)gss_release_name(&minor, &tname); + (void)gss_delete_sec_context(&minor, &ictx, NULL); + (void)gss_delete_sec_context(&minor, &actx, NULL); + return 0; +}