lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-07-29 13:01:13 +03:00
Code Activity

feat: add gssapi server callbacks tests

Browse Source 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Gauravsingh Sisodia
2024-06-10 15:51:09 +00:00
committed by Sahana Prasad
parent 965a94b515
commit 3bfa6e8637
9 changed files with 1049 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/libssh/callbacks.h
View File

@ -283,6 +283,7 @@ typedef ssh_channel (*ssh_channel_open_request_session_callback) (ssh_session se
/* /*
* @brief handle the beginning of a GSSAPI authentication, server side. * @brief handle the beginning of a GSSAPI authentication, server side.
* Callback should select the oid and also acquire the server credential.
* @param session current session handler * @param session current session handler
* @param user the username of the client * @param user the username of the client
* @param n_oid number of available oids * @param n_oid number of available oids
@ -365,6 +366,7 @@ struct ssh_server_callbacks_struct {
*/ */
ssh_channel_open_request_session_callback channel_open_request_session_function; ssh_channel_open_request_session_callback channel_open_request_session_function;
/** This function will be called when a new gssapi authentication is attempted. /** This function will be called when a new gssapi authentication is attempted.
* This should select the oid and acquire credential for the server.
*/ */
ssh_gssapi_select_oid_callback gssapi_select_oid_function; ssh_gssapi_select_oid_callback gssapi_select_oid_function;
/** This function will be called when a gssapi token comes in. /** This function will be called when a gssapi token comes in.

3
src/gssapi.c
View File

@ -194,6 +194,7 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user,
return ssh_auth_reply_default(session, 0); return ssh_auth_reply_default(session, 0);
} }
} }
/* Default implementation for selecting oid and acquiring credential */
gss_create_empty_oid_set(&min_stat, &both_supported); gss_create_empty_oid_set(&min_stat, &both_supported);
maj_stat = gss_indicate_mechs(&min_stat, &supported); maj_stat = gss_indicate_mechs(&min_stat, &supported);
@ -655,7 +656,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids)
&session->gssapi->client.creds, &session->gssapi->client.creds,
&actual_mechs, NULL); &actual_mechs, NULL);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_DEBUG, ssh_gssapi_log_error(SSH_LOG_WARN,
"acquiring credential", "acquiring credential",
maj_stat, maj_stat,
min_stat); min_stat);

9
tests/client/torture_gssapi_auth.c
View File

@ -177,7 +177,9 @@ torture_gssapi_auth_server_identity(void **state)
"kadmin.local list_principals", "kadmin.local list_principals",
"echo bar | kinit alice"); "echo bar | kinit alice");
ssh_options_set(session, SSH_OPTIONS_GSSAPI_SERVER_IDENTITY, "invalid.libssh.site"); ssh_options_set(session,
SSH_OPTIONS_GSSAPI_SERVER_IDENTITY,
"invalid.libssh.site");
rc = ssh_userauth_gssapi(session); rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_ERROR); assert_int_equal(rc, SSH_AUTH_ERROR);
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
@ -191,7 +193,9 @@ torture_gssapi_auth_server_identity(void **state)
"kadmin.local list_principals", "kadmin.local list_principals",
"echo bar | kinit alice"); "echo bar | kinit alice");
ssh_options_set(session, SSH_OPTIONS_GSSAPI_SERVER_IDENTITY, "server.libssh.site"); ssh_options_set(session,
SSH_OPTIONS_GSSAPI_SERVER_IDENTITY,
"server.libssh.site");
rc = ssh_userauth_gssapi(session); rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_SUCCESS); assert_int_equal(rc, SSH_AUTH_SUCCESS);
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
@ -243,7 +247,6 @@ torture_gssapi_auth_delegate_creds(void **state)
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
int int
torture_run_tests(void) torture_run_tests(void)
{ {

3
tests/gss/kdcsetup.sh
View File

@ -12,7 +12,7 @@ cat<<EOF > "$WORKDIR"/k/kdc.conf
key_stash_file = $WORKDIR/stash key_stash_file = $WORKDIR/stash
kdc_listen = $(hostname -f) kdc_listen = $(hostname -f)
kdc_tcp_listen = $(hostname -f) kdc_tcp_listen = $(hostname -f)
default_principal_flags = +preauth default_principal_flags = +preauth,+forwardable
} }
[logging] [logging]
kdc = FILE:$WORKDIR/kdc.log kdc = FILE:$WORKDIR/kdc.log
@ -22,6 +22,7 @@ EOF
cat<<EOF > "$WORKDIR"/k/krb5.conf cat<<EOF > "$WORKDIR"/k/krb5.conf
[libdefaults] [libdefaults]
default_realm = LIBSSH.SITE default_realm = LIBSSH.SITE
forwardable = true
[realms] [realms]
LIBSSH.SITE = { LIBSSH.SITE = {

4
tests/server/CMakeLists.txt
View File

@ -17,7 +17,9 @@ set(LIBSSH_SERVER_TESTS
if (WITH_GSSAPI AND GSSAPI_FOUND AND GSSAPI_TESTING) if (WITH_GSSAPI AND GSSAPI_FOUND AND GSSAPI_TESTING)
set(LIBSSH_SERVER_TESTS set(LIBSSH_SERVER_TESTS
${LIBSSH_SERVER_TESTS} ${LIBSSH_SERVER_TESTS}
torture_gssapi_server_auth) torture_gssapi_server_auth
torture_gssapi_server_auth_cb
torture_gssapi_server_delegation)
endif() endif()
include_directories(${libssh_SOURCE_DIR}/include include_directories(${libssh_SOURCE_DIR}/include

139
tests/server/torture_gssapi_server_auth.c
View File

@ -31,8 +31,8 @@ free_test_server_state(void **state)
SAFE_FREE(tss); SAFE_FREE(tss);
} }
static int static void
setup_default_server(void **state) setup_config(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@ -48,10 +48,6 @@ setup_default_server(void **state)
char kdc_env[255] = {0}; char kdc_env[255] = {0};
int rc; int rc;
char pid_str[1024];
pid_t pid;
assert_non_null(state); assert_non_null(state);
tss = (struct test_server_st *)calloc(1, sizeof(struct test_server_st)); tss = (struct test_server_st *)calloc(1, sizeof(struct test_server_st));
@ -135,9 +131,6 @@ setup_default_server(void **state)
ss->max_tries = 3; ss->max_tries = 3;
ss->error = 0; ss->error = 0;
tss->state = s;
tss->ss = ss;
/* Use the default session handling function */ /* Use the default session handling function */
ss->handle_session = default_handle_session_cb; ss->handle_session = default_handle_session_cb;
assert_non_null(ss->handle_session); assert_non_null(ss->handle_session);
@ -145,6 +138,28 @@ setup_default_server(void **state)
/* Do not use global configuration */ /* Do not use global configuration */
ss->parse_global_config = false; ss->parse_global_config = false;
tss->state = s;
tss->ss = ss;
*state = tss;
}
static int
setup_default_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct test_server_st *tss = NULL;
char pid_str[1024];
pid_t pid;
int rc;
setup_config(state);
tss = *state;
ss = tss->ss;
s = tss->state;
/* Start the server using the default values */ /* Start the server using the default values */
pid = fork_run_server(ss, free_test_server_state, &tss); pid = fork_run_server(ss, free_test_server_state, &tss);
if (pid < 0) { if (pid < 0) {
@ -257,9 +272,8 @@ session_teardown(void **state)
return 0; return 0;
} }
static void static void
torture_gssapi_server_auth(void **state) torture_gssapi_server_auth_no_client_cred(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s; struct torture_state *s;
@ -290,6 +304,27 @@ torture_gssapi_server_auth(void **state)
rc = ssh_userauth_gssapi(session); rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_DENIED); assert_int_equal(rc, SSH_AUTH_DENIED);
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_auth_invalid_host(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
ssh_session session;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
/* Invalid host principal */ /* Invalid host principal */
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
@ -302,6 +337,27 @@ torture_gssapi_server_auth(void **state)
rc = ssh_userauth_gssapi(session); rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_ERROR); assert_int_equal(rc, SSH_AUTH_ERROR);
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_auth(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
ssh_session session;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
/* Valid */ /* Valid */
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
@ -317,11 +373,72 @@ torture_gssapi_server_auth(void **state)
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
static void
torture_gssapi_auth_server_identity(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
ssh_session session;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
/* Invalid server identity option */
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
"echo bar | kinit alice");
ssh_options_set(session,
SSH_OPTIONS_GSSAPI_SERVER_IDENTITY,
"invalid.libssh.site");
rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_ERROR);
torture_teardown_kdc_server((void **)&s);
/* Valid server identity option*/
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
"echo bar | kinit alice");
ssh_options_set(session,
SSH_OPTIONS_GSSAPI_SERVER_IDENTITY,
"server.libssh.site");
rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
torture_teardown_kdc_server((void **)&s);
}
int int
torture_run_tests(void) torture_run_tests(void)
{ {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_gssapi_server_auth_no_client_cred,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_auth_invalid_host,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_auth_server_identity,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_auth, cmocka_unit_test_setup_teardown(torture_gssapi_server_auth,
session_setup, session_setup,
session_teardown), session_teardown),

479
tests/server/torture_gssapi_server_auth_cb.c Normal file
View File

@ -0,0 +1,479 @@
#include "config.h"
#define LIBSSH_STATIC
#include <errno.h>
#include <pwd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <gssapi/gssapi.h>
#include "libssh/libssh.h"
#include "libssh/gssapi.h"
#include "torture.h"
#include "torture_key.h"
#include "test_server.h"
#include "default_cb.h"
#define TORTURE_KNOWN_HOSTS_FILE "libssh_torture_knownhosts"
struct test_server_st {
struct torture_state *state;
struct server_state_st *ss;
char *cwd;
};
static void
free_test_server_state(void **state)
{
struct test_server_st *tss = *state;
torture_free_state(tss->state);
SAFE_FREE(tss);
}
static void
setup_config(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct test_server_st *tss = NULL;
char ed25519_hostkey[1024] = {0};
char rsa_hostkey[1024];
char ecdsa_hostkey[1024];
// char trusted_ca_pubkey[1024];
char sshd_path[1024];
char log_file[1024];
char kdc_env[255] = {0};
int rc;
assert_non_null(state);
tss = (struct test_server_st *)calloc(1, sizeof(struct test_server_st));
assert_non_null(tss);
torture_setup_socket_dir((void **)&s);
assert_non_null(s->socket_dir);
assert_non_null(s->gss_dir);
torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env));
torture_set_env_from_str(kdc_env);
/* Set the default interface for the server */
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
setenv("PAM_WRAPPER", "1", 1);
snprintf(sshd_path, sizeof(sshd_path), "%s/sshd", s->socket_dir);
rc = mkdir(sshd_path, 0755);
assert_return_code(rc, errno);
snprintf(log_file, sizeof(log_file), "%s/sshd/log", s->socket_dir);
snprintf(ed25519_hostkey,
sizeof(ed25519_hostkey),
"%s/sshd/ssh_host_ed25519_key",
s->socket_dir);
torture_write_file(ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
snprintf(rsa_hostkey,
sizeof(rsa_hostkey),
"%s/sshd/ssh_host_rsa_key",
s->socket_dir);
torture_write_file(rsa_hostkey, torture_get_testkey(SSH_KEYTYPE_RSA, 0));
snprintf(ecdsa_hostkey,
sizeof(ecdsa_hostkey),
"%s/sshd/ssh_host_ecdsa_key",
s->socket_dir);
torture_write_file(ecdsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
/* Create default server state */
ss = (struct server_state_st *)calloc(1, sizeof(struct server_state_st));
assert_non_null(ss);
ss->address = strdup("127.0.0.10");
assert_non_null(ss->address);
ss->port = 22;
ss->ecdsa_key = strdup(ecdsa_hostkey);
assert_non_null(ss->ecdsa_key);
ss->ed25519_key = strdup(ed25519_hostkey);
assert_non_null(ss->ed25519_key);
ss->rsa_key = strdup(rsa_hostkey);
assert_non_null(ss->rsa_key);
ss->host_key = NULL;
/* Use default username and password (set in default_handle_session_cb) */
ss->expected_username = NULL;
ss->expected_password = NULL;
/* not to mix up the client and server messages */
ss->verbosity = torture_libssh_verbosity();
ss->log_file = strdup(log_file);
ss->auth_methods = SSH_AUTH_METHOD_GSSAPI_MIC;
#ifdef WITH_PCAP
ss->with_pcap = 1;
ss->pcap_file = strdup(s->pcap_file);
assert_non_null(ss->pcap_file);
#endif
/* TODO make configurable */
ss->max_tries = 3;
ss->error = 0;
/* Use the default session handling function */
ss->handle_session = default_handle_session_cb;
assert_non_null(ss->handle_session);
/* Do not use global configuration */
ss->parse_global_config = false;
tss->state = s;
tss->ss = ss;
*state = tss;
}
static ssh_string
select_oid(ssh_session session,
const char *user,
int n_oid,
ssh_string *oids,
void *userdata)
{
/* Choose the first oid */
return oids[0];
}
static int
accept_sec_ctx(ssh_session session,
ssh_string input_token,
ssh_string *output_token,
void *userdata)
{
ssh_string token;
OM_uint32 min_stat;
gss_buffer_desc itoken, otoken = GSS_C_EMPTY_BUFFER;
gss_name_t client_name = GSS_C_NO_NAME;
OM_uint32 ret_flags = 0;
gss_channel_bindings_t input_bindings = GSS_C_NO_CHANNEL_BINDINGS;
itoken.length = ssh_string_len(input_token);
itoken.value = ssh_string_data(input_token);
gss_accept_sec_context(&min_stat,
&session->gssapi->ctx,
session->gssapi->server_creds,
&itoken,
input_bindings,
&client_name,
NULL /*mech_oid*/,
&otoken,
&ret_flags,
NULL /*time*/,
&session->gssapi->client_creds);
if (client_name != GSS_C_NO_NAME) {
session->gssapi->client_name = client_name;
session->gssapi->canonic_user = ssh_gssapi_name_to_char(client_name);
}
token = ssh_string_new(otoken.length);
ssh_string_fill(token, otoken.value, otoken.length);
*output_token = token;
gss_release_buffer(&min_stat, &otoken);
gss_release_name(&min_stat, &client_name);
SSH_STRING_FREE(input_token);
return 0;
}
static int
verify_mic(ssh_session session,
ssh_string mic,
void *mic_buffer,
size_t mic_buffer_size,
void *userdata)
{
/* Verify without checking */
return 0;
}
static int
setup_callback_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct test_server_st *tss = NULL;
char pid_str[1024];
pid_t pid;
struct session_data_st sdata = {.channel = NULL,
.auth_attempts = 0,
.authenticated = 0,
.username = SSHD_DEFAULT_USER,
.password = SSHD_DEFAULT_PASSWORD};
int rc;
setup_config(state);
tss = *state;
ss = tss->ss;
s = tss->state;
ss->server_cb = get_default_server_cb();
ss->server_cb->gssapi_select_oid_function = select_oid;
ss->server_cb->gssapi_accept_sec_ctx_function = accept_sec_ctx;
ss->server_cb->gssapi_verify_mic_function = verify_mic;
ss->server_cb->userdata = &sdata;
/* Start the server using the default values */
pid = fork_run_server(ss, free_test_server_state, &tss);
if (pid < 0) {
fail();
}
snprintf(pid_str, sizeof(pid_str), "%d", pid);
torture_write_file(s->srv_pidfile, (const char *)pid_str);
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
unsetenv("PAM_WRAPPER");
/* Wait until the sshd is ready to accept connections */
rc = torture_wait_for_daemon(5);
assert_int_equal(rc, 0);
*state = tss;
return 0;
}
static int
teardown_default_server(void **state)
{
struct torture_state *s;
struct server_state_st *ss;
struct test_server_st *tss;
tss = *state;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
ss = tss->ss;
assert_non_null(ss);
/* This function can be reused */
torture_teardown_sshd_server((void **)&s);
SAFE_FREE(tss->ss->server_cb);
free_server_state(tss->ss);
SAFE_FREE(tss->ss);
SAFE_FREE(tss);
return 0;
}
static int
session_setup(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
int verbosity = torture_libssh_verbosity();
char *cwd = NULL;
bool b = false;
int rc;
assert_non_null(tss);
/* Make sure we do not test the agent */
unsetenv("SSH_AUTH_SOCK");
cwd = torture_get_current_working_dir();
assert_non_null(cwd);
tss->cwd = cwd;
s = tss->state;
assert_non_null(s);
s->ssh.session = ssh_new();
assert_non_null(s->ssh.session);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_USER,
TORTURE_SSH_USER_ALICE);
assert_int_equal(rc, SSH_OK);
/* Make sure no other configuration options from system will get used */
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b);
assert_ssh_return_code(s->ssh.session, rc);
return 0;
}
static int
session_teardown(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
int rc = 0;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
ssh_disconnect(s->ssh.session);
ssh_free(s->ssh.session);
rc = torture_change_dir(tss->cwd);
assert_int_equal(rc, 0);
SAFE_FREE(tss->cwd);
return 0;
}
static void
torture_gssapi_server_auth_cb_no_client_cred(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
ssh_session session;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
/* No client credential */
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
/* No TGT */
"");
rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_DENIED);
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_auth_cb_invalid_host(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
ssh_session session;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
/* Invalid host principal */
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/invalid.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/invalid.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
"echo bar | kinit alice");
rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_ERROR);
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_auth_cb(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s;
ssh_session session;
int rc;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
rc = ssh_connect(session);
assert_int_equal(rc, SSH_OK);
/* Valid */
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n"
"kadmin.local addprinc -pw bar alice\n"
"kadmin.local list_principals",
"echo bar | kinit alice");
rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_OK);
torture_teardown_kdc_server((void **)&s);
}
int
torture_run_tests(void)
{
int rc;
struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_gssapi_server_auth_cb_no_client_cred,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_auth_cb_invalid_host,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_auth_cb,
session_setup,
session_teardown),
};
ssh_init();
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests,
setup_callback_server,
teardown_default_server);
ssh_finalize();
pthread_exit((void *)&rc);
}

375
tests/server/torture_gssapi_server_delegation.c Normal file
View File

@ -0,0 +1,375 @@
#include "config.h"
#define LIBSSH_STATIC
#include <errno.h>
#include <pwd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <gssapi/gssapi.h>
#include "libssh/libssh.h"
#include "torture.h"
#include "torture_key.h"
#include "test_server.h"
#include "default_cb.h"
#define TORTURE_KNOWN_HOSTS_FILE "libssh_torture_knownhosts"
struct test_server_st {
struct torture_state *state;
struct server_state_st *ss;
char *cwd;
};
static void
free_test_server_state(void **state)
{
struct test_server_st *tss = *state;
torture_free_state(tss->state);
SAFE_FREE(tss);
}
static void
setup_config(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct test_server_st *tss = NULL;
char ed25519_hostkey[1024] = {0};
char rsa_hostkey[1024];
char ecdsa_hostkey[1024];
// char trusted_ca_pubkey[1024];
char sshd_path[1024];
char log_file[1024];
char kdc_env[255] = {0};
int rc;
assert_non_null(state);
tss = (struct test_server_st *)calloc(1, sizeof(struct test_server_st));
assert_non_null(tss);
torture_setup_socket_dir((void **)&s);
assert_non_null(s->socket_dir);
assert_non_null(s->gss_dir);
torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env));
torture_set_env_from_str(kdc_env);
/* Set the default interface for the server */
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
setenv("PAM_WRAPPER", "1", 1);
snprintf(sshd_path, sizeof(sshd_path), "%s/sshd", s->socket_dir);
rc = mkdir(sshd_path, 0755);
assert_return_code(rc, errno);
snprintf(log_file, sizeof(log_file), "%s/sshd/log", s->socket_dir);
snprintf(ed25519_hostkey,
sizeof(ed25519_hostkey),
"%s/sshd/ssh_host_ed25519_key",
s->socket_dir);
torture_write_file(ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
snprintf(rsa_hostkey,
sizeof(rsa_hostkey),
"%s/sshd/ssh_host_rsa_key",
s->socket_dir);
torture_write_file(rsa_hostkey, torture_get_testkey(SSH_KEYTYPE_RSA, 0));
snprintf(ecdsa_hostkey,
sizeof(ecdsa_hostkey),
"%s/sshd/ssh_host_ecdsa_key",
s->socket_dir);
torture_write_file(ecdsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
/* Create default server state */
ss = (struct server_state_st *)calloc(1, sizeof(struct server_state_st));
assert_non_null(ss);
ss->address = strdup("127.0.0.10");
assert_non_null(ss->address);
ss->port = 22;
ss->ecdsa_key = strdup(ecdsa_hostkey);
assert_non_null(ss->ecdsa_key);
ss->ed25519_key = strdup(ed25519_hostkey);
assert_non_null(ss->ed25519_key);
ss->rsa_key = strdup(rsa_hostkey);
assert_non_null(ss->rsa_key);
ss->host_key = NULL;
/* Use default username and password (set in default_handle_session_cb) */
ss->expected_username = NULL;
ss->expected_password = NULL;
/* not to mix up the client and server messages */
ss->verbosity = torture_libssh_verbosity();
ss->log_file = strdup(log_file);
ss->auth_methods = SSH_AUTH_METHOD_GSSAPI_MIC;
#ifdef WITH_PCAP
ss->with_pcap = 1;
ss->pcap_file = strdup(s->pcap_file);
assert_non_null(ss->pcap_file);
#endif
/* TODO make configurable */
ss->max_tries = 3;
ss->error = 0;
/* Use the default session handling function */
ss->handle_session = default_handle_session_cb;
assert_non_null(ss->handle_session);
/* Do not use global configuration */
ss->parse_global_config = false;
tss->state = s;
tss->ss = ss;
*state = tss;
}
static int
auth_gssapi_mic(ssh_session session,
UNUSED_PARAM(const char *user),
UNUSED_PARAM(const char *principal),
void *userdata)
{
OM_uint32 min_stat;
ssh_gssapi_creds creds = ssh_gssapi_get_creds(session);
assert_non_null(creds);
gss_release_cred(&min_stat, creds);
return SSH_AUTH_SUCCESS;
}
static int
setup_callback_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct test_server_st *tss = NULL;
char pid_str[1024];
pid_t pid;
struct session_data_st sdata = {.channel = NULL,
.auth_attempts = 0,
.authenticated = 0,
.username = SSHD_DEFAULT_USER,
.password = SSHD_DEFAULT_PASSWORD};
int rc;
setup_config(state);
tss = *state;
ss = tss->ss;
s = tss->state;
ss->server_cb = get_default_server_cb();
ss->server_cb->auth_gssapi_mic_function = auth_gssapi_mic;
ss->server_cb->userdata = &sdata;
/* Start the server using the default values */
pid = fork_run_server(ss, free_test_server_state, &tss);
if (pid < 0) {
fail();
}
snprintf(pid_str, sizeof(pid_str), "%d", pid);
torture_write_file(s->srv_pidfile, (const char *)pid_str);
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
unsetenv("PAM_WRAPPER");
/* Wait until the sshd is ready to accept connections */
rc = torture_wait_for_daemon(5);
assert_int_equal(rc, 0);
*state = tss;
return 0;
}
static int
teardown_default_server(void **state)
{
struct torture_state *s;
struct server_state_st *ss;
struct test_server_st *tss;
tss = *state;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
ss = tss->ss;
assert_non_null(ss);
/* This function can be reused */
torture_teardown_sshd_server((void **)&s);
SAFE_FREE(tss->ss->server_cb);
free_server_state(tss->ss);
SAFE_FREE(tss->ss);
SAFE_FREE(tss);
return 0;
}
static int
session_setup(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
int verbosity = torture_libssh_verbosity();
char *cwd = NULL;
bool b = false;
int rc;
assert_non_null(tss);
/* Make sure we do not test the agent */
unsetenv("SSH_AUTH_SOCK");
cwd = torture_get_current_working_dir();
assert_non_null(cwd);
tss->cwd = cwd;
s = tss->state;
assert_non_null(s);
s->ssh.session = ssh_new();
assert_non_null(s->ssh.session);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_USER,
TORTURE_SSH_USER_ALICE);
assert_int_equal(rc, SSH_OK);
/* Make sure no other configuration options from system will get used */
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b);
assert_ssh_return_code(s->ssh.session, rc);
return 0;
}
static int
session_teardown(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
int rc = 0;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
ssh_disconnect(s->ssh.session);
ssh_free(s->ssh.session);
rc = torture_change_dir(tss->cwd);
assert_int_equal(rc, 0);
SAFE_FREE(tss->cwd);
return 0;
}
static void
torture_gssapi_server_delegate_creds(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
ssh_session session;
int rc;
OM_uint32 maj_stat, min_stat;
gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL;
gss_OID_set no_mechs = GSS_C_NO_OID_SET;
int t = 1;
assert_non_null(tss);
s = tss->state;
assert_non_null(s);
session = s->ssh.session;
assert_non_null(session);
ssh_options_set(session, SSH_OPTIONS_GSSAPI_DELEGATE_CREDENTIALS, &t);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
"echo bar | kinit alice");
maj_stat = gss_acquire_cred(&min_stat,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_INITIATE,
&client_creds,
&no_mechs,
NULL);
assert_int_equal(GSS_ERROR(maj_stat), 0);
ssh_gssapi_set_creds(session, client_creds);
rc = ssh_userauth_gssapi(session);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
gss_release_cred(&min_stat, &client_creds);
gss_release_oid_set(&min_stat, &no_mechs);
torture_teardown_kdc_server((void **)&s);
}
int
torture_run_tests(void)
{
int rc;
struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_gssapi_server_delegate_creds,
session_setup,
session_teardown),
};
ssh_init();
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests,
setup_callback_server,
teardown_default_server);
ssh_finalize();
pthread_exit((void *)&rc);
}

91
tests/torture.c
View File

@ -583,10 +583,7 @@ void torture_setup_socket_dir(void **state)
assert_non_null(s->socket_dir); assert_non_null(s->socket_dir);
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
snprintf(gss_dir, snprintf(gss_dir, sizeof(gss_dir), "%s/gss", s->socket_dir);
sizeof(gss_dir),
"%s/gss",
s->socket_dir);
rc = mkdir(gss_dir, 0755); rc = mkdir(gss_dir, 0755);
assert_return_code(rc, errno); assert_return_code(rc, errno);
s->gss_dir = strdup(gss_dir); s->gss_dir = strdup(gss_dir);
@ -945,17 +942,21 @@ int torture_wait_for_daemon(unsigned int seconds)
void void
torture_set_kdc_env_str(const char *gss_dir, char *env, size_t size) torture_set_kdc_env_str(const char *gss_dir, char *env, size_t size)
{ {
snprintf(env, int rc;
size, rc = snprintf(env,
"KRB5CCNAME=%s/cc " size,
"KRB5_CONFIG=%s/k/krb5.conf " "KRB5CCNAME=%s/cc "
"KRB5_KDC_PROFILE=%s/k " "KRB5_CONFIG=%s/k/krb5.conf "
"KRB5_KTNAME=%s/d/ssh.keytab " "KRB5_KDC_PROFILE=%s/k "
"KRB5RCACHETYPE=none ", "KRB5_KTNAME=%s/d/ssh.keytab "
gss_dir, "KRB5RCACHETYPE=none ",
gss_dir, gss_dir,
gss_dir, gss_dir,
gss_dir); gss_dir,
gss_dir);
if (rc < 0 || rc >= (int)size) {
fail_msg("snprintf failed");
}
} }
void void
@ -965,21 +966,21 @@ torture_set_env_from_str(const char *env)
vars = ssh_tokenize(env, ' '); vars = ssh_tokenize(env, ' ');
if (vars == NULL) { if (vars == NULL) {
fail_msg("bad environment string"); fail_msg("failed to tokenize environment string");
} }
for (int i = 0; vars->tokens[i]; i++) { for (int i = 0; vars->tokens[i]; i++) {
var = ssh_tokenize(vars->tokens[i], '='); var = ssh_tokenize(vars->tokens[i], '=');
if (var == NULL) { if (var == NULL) {
ssh_tokens_free(vars); ssh_tokens_free(vars);
fail_msg("bad environment string"); fail_msg("invalid environment string format");
} }
if (var->tokens[0] != NULL && var->tokens[1] != NULL) { if (var->tokens[0] != NULL && var->tokens[1] != NULL) {
setenv(var->tokens[0], var->tokens[1], 1); setenv(var->tokens[0], var->tokens[1], 1);
} else { } else {
ssh_tokens_free(var); ssh_tokens_free(var);
ssh_tokens_free(vars); ssh_tokens_free(vars);
fail_msg("bad environment string"); fail_msg("invalid environment string format");
} }
ssh_tokens_free(var); ssh_tokens_free(var);
} }
@ -1031,14 +1032,14 @@ void torture_setup_libssh_server(void **state, const char *server_path)
if (s->srv_additional_config != NULL) { if (s->srv_additional_config != NULL) {
printed = snprintf(extra_options, sizeof(extra_options), " %s ", printed = snprintf(extra_options, sizeof(extra_options), " %s ",
s->srv_additional_config); s->srv_additional_config);
if (printed < 0) { if (printed < 0 || printed >= (ssize_t)sizeof(extra_options)) {
fail_msg("Failed to print additional config!"); fail_msg("Failed to print additional config!");
/* Unreachable */ /* Unreachable */
__builtin_unreachable(); __builtin_unreachable();
} }
} else { } else {
printed = snprintf(extra_options, sizeof(extra_options), " "); printed = snprintf(extra_options, sizeof(extra_options), " ");
if (printed < 0) { if (printed < 0 || printed >= (ssize_t)sizeof(extra_options)) {
fail_msg("Failed to print empty additional config!"); fail_msg("Failed to print empty additional config!");
/* Unreachable */ /* Unreachable */
__builtin_unreachable(); __builtin_unreachable();
@ -1068,7 +1069,7 @@ void torture_setup_libssh_server(void **state, const char *server_path)
ld_preload, ld_preload,
force_fips, force_fips,
kdc_env); kdc_env);
if (printed < 0) { if (printed < 0 || printed >= (ssize_t)sizeof(env)) {
fail_msg("Failed to print env!"); fail_msg("Failed to print env!");
/* Unreachable */ /* Unreachable */
__builtin_unreachable(); __builtin_unreachable();
@ -1090,7 +1091,7 @@ void torture_setup_libssh_server(void **state, const char *server_path)
s->srv_config, s->srv_config,
s->log_file ? " -l " : "", s->log_file ? s->log_file : "", s->log_file ? " -l " : "", s->log_file ? s->log_file : "",
extra_options, TORTURE_SSH_SERVER); extra_options, TORTURE_SSH_SERVER);
if (printed < 0) { if (printed < 0 || printed >= (ssize_t)sizeof(start_cmd)) {
fail_msg("Failed to print start command!"); fail_msg("Failed to print start command!");
/* Unreachable */ /* Unreachable */
__builtin_unreachable(); __builtin_unreachable();
@ -1154,14 +1155,17 @@ static int torture_start_sshd_server(void **state)
setenv("NSS_WRAPPER_HOSTNAME", "server.libssh.site", 1); setenv("NSS_WRAPPER_HOSTNAME", "server.libssh.site", 1);
torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env)); torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env));
#endif #endif
snprintf(sshd_start_cmd, rc = snprintf(sshd_start_cmd,
sizeof(sshd_start_cmd), sizeof(sshd_start_cmd),
"%s " SSHD_EXECUTABLE "%s " SSHD_EXECUTABLE
" -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log", " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
kdc_env, kdc_env,
s->srv_config, s->srv_config,
s->socket_dir, s->socket_dir,
s->socket_dir); s->socket_dir);
if (rc < 0 || rc >= (int)sizeof(sshd_start_cmd)) {
fail_msg("snprintf failed");
}
rc = system(sshd_start_cmd); rc = system(sshd_start_cmd);
assert_return_code(rc, errno); assert_return_code(rc, errno);
@ -1214,7 +1218,10 @@ torture_setup_kdc_server(void **state,
/* Remove the previous files and folders, but keep the same directory /* Remove the previous files and folders, but keep the same directory
* because we pass only one temporary directory to the server */ * because we pass only one temporary directory to the server */
snprintf(command, sizeof(command), "rm -rf %s/*", s->gss_dir); rc = snprintf(command, sizeof(command), "rm -rf %s/*", s->gss_dir);
if (rc < 0 || rc >= (int)sizeof(command)) {
fail_msg("snprintf failed");
}
rc = system(command); rc = system(command);
assert_return_code(rc, errno); assert_return_code(rc, errno);
@ -1230,11 +1237,14 @@ torture_setup_kdc_server(void **state,
torture_write_file(kadmin_file, kadmin_script); torture_write_file(kadmin_file, kadmin_script);
torture_write_file(kinit_file, kinit_script); torture_write_file(kinit_file, kinit_script);
snprintf(command, rc = snprintf(command,
sizeof(command), sizeof(command),
"%s/tests/gss/kdcsetup.sh %s", "%s/tests/gss/kdcsetup.sh %s",
BINARYDIR, BINARYDIR,
s->socket_dir); s->socket_dir);
if (rc < 0 || rc >= (int)sizeof(command)) {
fail_msg("snprintf failed");
}
rc = system(command); rc = system(command);
assert_return_code(rc, errno); assert_return_code(rc, errno);
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
@ -1257,10 +1267,13 @@ torture_teardown_kdc_server(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
int rc; int rc;
char temp[1024] = {0}; char pid_path[1024] = {0};
snprintf(temp, sizeof(temp), "%s/pid", s->gss_dir); rc = snprintf(pid_path, sizeof(pid_path), "%s/pid", s->gss_dir);
rc = torture_terminate_process(temp); if (rc < 0 || rc >= (int)sizeof(pid_path)) {
fail_msg("snprintf failed");
}
rc = torture_terminate_process(pid_path);
assert_return_code(rc, errno); assert_return_code(rc, errno);
} }