$(srcdir)/t_kperf.c \
$(srcdir)/t_short.c \
$(srcdir)/t_str2key.c \
+ $(srcdir)/t_fork.c \
$(srcdir)/ytest.c
##DOSBUILDTOP = ..\..\..
aes-test \
camellia-test \
t_mddriver4 t_mddriver \
- t_crc t_cts t_short t_str2key t_camellia_ccm
+ t_crc t_cts t_short t_str2key t_fork t_camellia_ccm
$(RUN_SETUP) $(VALGRIND) ./t_nfold
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
$(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output
$(RUN_SETUP) $(VALGRIND) $(C)t_mddriver -x
$(RUN_SETUP) $(VALGRIND) ./t_short
$(RUN_SETUP) $(VALGRIND) ./t_str2key
+ $(RUN_SETUP) $(VALGRIND) ./t_fork
$(RUN_SETUP) $(VALGRIND) ./t_camellia_ccm
t_str2key$(EXEEXT): t_str2key.$(OBJEXT) $(SUPPORT_DEPLIB)
$(CC_LINK) -o $@ t_str2key.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB)
+t_fork$(EXEEXT): t_fork.$(OBJEXT) $(SUPPORT_DEPLIB)
+ $(CC_LINK) -o $@ t_fork.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB)
+
t_camellia_ccm$(EXEEXT): t_camellia_ccm.$(OBJEXT) $(SUPPORT_DEPLIB)
$(CC_LINK) -o $@ t_camellia_ccm.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB)
t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \
t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o \
t_kperf.o t_kperf t_short t_short.o t_str2key t_str2key.o \
- t_camellia_ccm t_camellia_ccm.o \
+ t_fork t_fork.o t_camellia_ccm t_camellia_ccm.o \
t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT)
-$(RM) t_prng.output
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/crypto_tests/t_fork.c */
+/*
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Test basic libk5crypto behavior across forks. This is primarily interesting
+ * for back ends with PKCS11-based constraints, such as the NSS back end.
+ */
+
+#include "k5-int.h"
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+static krb5_context ctx;
+
+static void
+t(krb5_error_code code)
+{
+ if (code != 0) {
+ fprintf(stderr, "Failure: %s\n", krb5_get_error_message(ctx, code));
+ exit(1);
+ }
+}
+
+static void
+prepare_enc_data(krb5_key key, size_t in_len, krb5_enc_data *enc_data)
+{
+ size_t out_len;
+
+ t(krb5_c_encrypt_length(ctx, key->keyblock.enctype, in_len, &out_len));
+ t(alloc_data(&enc_data->ciphertext, out_len));
+}
+
+int
+main()
+{
+ krb5_error_code ret;
+ krb5_keyblock kb_aes, kb_rc4;
+ krb5_key key_aes, key_rc4;
+ krb5_data state_rc4, plain = string2data("plain"), decrypted;
+ krb5_enc_data out_aes, out_rc4;
+ pid_t pid;
+ int status;
+
+ /* Create AES and RC4 ciphertexts with random keys. Use cipher state for
+ * RC4. */
+ t(krb5_init_context(&ctx));
+ t(krb5_c_make_random_key(ctx, ENCTYPE_AES256_CTS_HMAC_SHA1_96, &kb_aes));
+ t(krb5_c_make_random_key(ctx, ENCTYPE_ARCFOUR_HMAC, &kb_rc4));
+ t(krb5_k_create_key(ctx, &kb_aes, &key_aes));
+ t(krb5_k_create_key(ctx, &kb_rc4, &key_rc4));
+ prepare_enc_data(key_aes, plain.length, &out_aes);
+ prepare_enc_data(key_aes, plain.length, &out_rc4);
+ t(krb5_c_init_state(ctx, &kb_rc4, 0, &state_rc4));
+ t(krb5_k_encrypt(ctx, key_aes, 0, NULL, &plain, &out_aes));
+ t(krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4));
+
+ /* Fork; continue in both parent and child. */
+ pid = fork();
+ assert(pid >= 0);
+
+ /* Decrypt the AES message with both key and keyblock. */
+ t(alloc_data(&decrypted, plain.length));
+ t(krb5_k_decrypt(ctx, key_aes, 0, NULL, &out_aes, &decrypted));
+ assert(data_eq(plain, decrypted));
+ t(krb5_c_decrypt(ctx, &kb_aes, 0, NULL, &out_aes, &decrypted));
+ assert(data_eq(plain, decrypted));
+
+ /*
+ * Encrypt another RC4 message. This may fail because RC4 cipher state in
+ * the NSS back end includes a PKCS11 handle which won't work across forks,
+ * but make sure it fails in the expected manner.
+ */
+ ret = krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4);
+ assert(ret == 0 || ret == EINVAL);
+ t(krb5_c_free_state(ctx, &kb_rc4, &state_rc4));
+
+ /* If we're the parent, make sure the child succeeded. */
+ if (pid != 0) {
+ assert(wait(&status) == pid);
+ if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+ fprintf(stderr, "Child failed with status %d\n", status);
+ return 1;
+ }
+ }
+
+ return 0;
+}