static int version_flag = 0;
static int verbose_flag = 0;
static int help_flag = 0;
-static char *channel_bindings = NULL;
+static char *i_channel_bindings = NULL;
+static char *a_channel_bindings = NULL;
static krb5_context context;
static krb5_enctype limit_enctype = 0;
OM_uint32 flags = 0, ret_cflags, ret_sflags;
gss_OID actual_mech_client;
gss_OID actual_mech_server;
- struct gss_channel_bindings_struct channel_bindings_data;
- gss_channel_bindings_t channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
+ struct gss_channel_bindings_struct i_channel_bindings_data = {0};
+ struct gss_channel_bindings_struct a_channel_bindings_data = {0};
+ gss_channel_bindings_t i_channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
+ gss_channel_bindings_t a_channel_bindings_p = GSS_C_NO_CHANNEL_BINDINGS;
*actual_mech = GSS_C_NO_OID;
input_token.length = 0;
input_token.value = NULL;
- if (channel_bindings) {
- channel_bindings_data.application_data.length = strlen(channel_bindings);
- channel_bindings_data.application_data.value = channel_bindings;
- channel_bindings_p = &channel_bindings_data;
+ if (i_channel_bindings) {
+ i_channel_bindings_data.application_data.length = strlen(i_channel_bindings);
+ i_channel_bindings_data.application_data.value = i_channel_bindings;
+ i_channel_bindings_p = &i_channel_bindings_data;
+ }
+ if (a_channel_bindings) {
+ a_channel_bindings_data.application_data.length = strlen(a_channel_bindings);
+ a_channel_bindings_data.application_data.value = a_channel_bindings;
+ a_channel_bindings_p = &a_channel_bindings_data;
}
while (!server_done || !client_done) {
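Review bot: The two `if (i_channel_bindings)` / `if (a_channel_bindings)` blocks push the option strings straight through `strlen()`, so a binding value with an embedded NUL (the usual shape of hash-derived bindings such as a TLS end-point hash) cannot be expressed by this tool, and `--i-channel-bindings=` with an empty string produces a present-but-empty binding rather than `GSS_C_NO_CHANNEL_BINDINGS` — a distinction the acceptor presumably treats differently and that deserves to be stated. Only `application_data` is populated; the address type and address fields stay zero from the `{0}` initialisers. Suggest a comment above the first block: `/* Only application_data is set; strlen() means embedded NULs cannot be carried, and "" gives present-but-empty bindings. */`. The enclosing function begins before this hunk and continues past it.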
mechoid,
flags,
0,
- channel_bindings_p,
+ i_channel_bindings_p,
&input_token,
&actual_mech_client,
&output_token,
sctx,
GSS_C_NO_CREDENTIAL,
&output_token,
- channel_bindings_p,
+ a_channel_bindings_p,
&src_name,
&actual_mech_server,
&input_token,
printf("server time offset: %d\n", server_time_offset);
printf("client time offset: %d\n", client_time_offset);
printf("num loops %d\n", num_loops);
- printf("flags: ");
+ printf("cflags: ");
if (ret_cflags & GSS_C_DELEG_FLAG)
printf("deleg ");
if (ret_cflags & GSS_C_MUTUAL_FLAG)
if (ret_cflags & GSS_C_DELEG_POLICY_FLAG)
printf("deleg-policy " );
printf("\n");
+ printf("sflags: ");
+ if (ret_sflags & GSS_C_CHANNEL_BOUND_FLAG)
+ printf("channel-bound " );
+ printf("\n");
}
}
{"client-name", 0, arg_string, &client_name, "client name", NULL },
{"client-password", 0, arg_string, &client_password, "client password", NULL },
{"anonymous", 0, arg_flag, &anon_flag, "anonymous auth", NULL },
- {"channel-bindings", 0, arg_string, &channel_bindings, "channel binding data", NULL },
+ {"i-channel-bindings", 0, arg_string, &i_channel_bindings, "initiator channel binding data", NULL },
+ {"a-channel-bindings", 0, arg_string, &a_channel_bindings, "acceptor channel binding data", NULL },
{"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL },
{"dce-style",0, arg_flag, &dce_style_flag, "dce-style", NULL },
{"wrapunwrap",0, arg_flag, &wrapunwrap_flag, "wrap/unwrap", NULL },
include $(top_srcdir)/Makefile.am.common
-noinst_DATA = krb5.conf mech
+noinst_DATA = krb5.conf new_clients_k5.conf mech
SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
port = 49188
-do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; sed \
+do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \
-e 's,[@]srcdir[@],$(srcdir),g' \
-e "s,[@]srcdirabs[@],$${srcdirabs},g" \
-e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
-e 's,[@]port[@],$(port),g' \
- -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g'
+ -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \
+ -e "s,[@]objdirabs[@],$${objdirabs},g"
check-gss: check-gss.in Makefile
$(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp && \
$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
mv krb5.conf.tmp krb5.conf
+new_clients_k5.conf: new_clients_k5.conf.in Makefile
+ $(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
+ mv new_clients_k5.conf.tmp new_clients_k5.conf
+
mech: mech.in Makefile
$(do_subst) < $(srcdir)/mech.in > mech.tmp && \
mv mech.tmp mech
krb5ccfile-ds \
server.keytab \
krb5.conf \
+ new_clients_k5.conf \
mech \
current-db* \
*.log \
check-context.in \
ntlm-user-file.txt \
krb5.conf.in \
+ new_clients_k5.conf.in \
mech.in
rm ${keytabfile}.new
+echo "====== test channel-bindings."
+
+for mech in krb5 spnego; do
+ echo "${mech}: initiator only bindings" ; > messages.log
+ ${context} -v --i-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+ { echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+ echo "${mech}: acceptor only bindings" ; > messages.log
+ ${context} -v --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+ { echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+ echo "${mech}: matching bindings" ; > messages.log
+ ${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+ { echo "no channel-bound flag"; eval "$testfailed"; }
+
+ echo "${mech}: non matching bindings" ; > messages.log
+ ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+
+ echo "${mech}: initiator only bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+ --i-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+ { echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+ echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
+ --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+
+ echo "${mech}: matching bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+ --i-channel-bindings=abc --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+ { echo "no channel-bound flag"; eval "$testfailed"; }
+
+ echo "${mech}: non matching bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
+ --i-channel-bindings=abc --a-channel-bindings=xyz \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+
+done
#echo "sasl-digest-md5"
#${context} --mech-type=sasl-digest-md5 \
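Review bot: The three cases that must fail (`non matching bindings`, `acceptor only bindings (client-aware)`, `non matching bindings (client-aware)`) only check for a non-zero exit with stderr sent to `/dev/null`, so any unrelated failure — a KDC that is not up, a keytab problem, a wrong principal — makes them pass for the wrong reason. Capture the output and check for the bindings-specific diagnostic instead, e.g. `... host@lucid.test.h5l.se > cbinding.log 2>&1 && { eval "$testfailed"; }` followed by a grep of `cbinding.log` for the mismatch message the acceptor emits (I cannot confirm its exact text from here). The `acceptor only bindings` case in the default configuration asserts that an acceptor holding bindings accepts an initiator that sent none; a one-line comment saying this intentionally pins the legacy, non-client-aware behaviour would keep a later reader from filing it as a bug.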
${context} --mech-type=${mech} \
--anonymous \
--ret-mech-type=sanon-x25519 \
- --channel-bindings=negoex_sanon_test_h5l_se \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
--wrapunwrap ${iov} \
host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
${context} --mech-type=${mech} \
--client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \
--ret-mech-type=sanon-x25519 \
- --channel-bindings=negoex_sanon_test_h5l_se \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
--wrapunwrap ${iov} \
host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
echo "${mech} anon-acceptor ${iov}" ; > messages.log
${context} --mech-type=${mech} \
--ret-mech-type=sanon-x25519 \
- --channel-bindings=negoex_sanon_test_h5l_se \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
--wrapunwrap ${iov} \
WELLKNOWN@ANONYMOUS || \
{ eval "$testfailed"; }
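Review bot: The sanon runs now pass identical `--i-channel-bindings`/`--a-channel-bindings` values, so this script only ever exercises the matching case for sanon; nothing here shows that differing values are rejected by that mechanism rather than silently ignored. If sanon does bind the context to the channel bindings (I cannot confirm that from here), one more invocation with `--a-channel-bindings=other` that is expected to fail would pin it, in the same way the krb5/spnego mismatch cases elsewhere in this change do. The three invocations also repeat the same option set; a shell variable holding the common arguments would make the real differences (`--anonymous`, `--client-name=...`, the `WELLKNOWN@ANONYMOUS` target) stand out.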
--- /dev/null
+include @objdirabs@/krb5.conf
+
+[libdefaults]
+ client_aware_channel_bindings = true
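Review bot: This file opens its own `[libdefaults]` section after including the generated `krb5.conf`, which very likely carries a `[libdefaults]` of its own; whether the second section merges with or shadows the first depends on how the config parser handles repeated sections, which I cannot confirm from here, so a one-line comment recording the intent is worth adding, e.g. `# Adds client_aware_channel_bindings on top of the [libdefaults] in the included krb5.conf`. If the parser only honoured the first section found, the `acceptor only bindings (client-aware)` case, which expects a failure, is the test that would catch it.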