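#!/bin/sh
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Id
#
# GSS-API context test driver.  Builds a throwaway realm (TEST.H5L.SE) in a
# local database, starts a KDC on a configure-supplied port, and then runs
# lib/gssapi/test_context through a series of scenarios: missing keytab
# error reporting, name-type / DNS-canonicalisation combinations, context
# establishment for krb5 and SPNEGO with and without IOV, DCE style,
# acceptor identity overrides, session-key enctype limits, ok-as-delegate
# policy, credential export/import, clock skew and referrals.
#
# Every step truncates messages.log first, so that on failure only the
# KDC/library log of the failing step is printed.  Any exit after the KDC
# is started, including a test failure, tears the KDC down via the EXIT
# trap.  Exit status: 0 on success, 1 on failure, 77 (skip) when no usable
# database backend is compiled in.

srcdir="@srcdir@"
objdir="@objdir@"

# If there is no useful db support compiled in, disable the test.
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
nokeytab="FILE:no-such-keytab"
cache="FILE:krb5ccfile"

# Tool wrappers.  These are deliberately expanded unquoted at the call
# sites: TESTS_ENVIRONMENT may hold a wrapper command with its own
# arguments, and afs_no_afslog (from the environment) may be empty.
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"

context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

KRB5CCNAME=${cache}
export KRB5CCNAME

# Start from a clean slate: previous keytab, database, outputs, master key.
rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

# Abort the run, printing the log of the step that failed.
# Called as `cmd || testfailed` (must succeed) or `cmd && testfailed`
# (must fail).  It exits the shell, which fires the EXIT trap below once
# the KDC is running.
testfailed() {
    echo test failed
    cat messages.log
    exit 1
}

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

# add both lucid and lucid.test.h5l.se to simulate aliases
${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
${kadmin} ext -k "${keytab}" host/lucid.test.h5l.se@${R} || exit 1
${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
${kadmin} ext -k "${keytab}" host/lucid@${R} || exit 1

# ok-delegate carries the ok-as-delegate attribute; the delegation policy
# tests below rely on it being the only host principal that does.
${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} ext -k "${keytab}" host/ok-delegate.test.h5l.se@${R} || exit 1

# short has a real database alias, long.test.h5l.se.
${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
# XXX ext should ext aliases too
${kadmin} ext -k "${keytab}" host/short@${R} || exit 1
${ktutil} -k "${keytab}" rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1

${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1

${kadmin} add -p u1 --use-defaults user1@${R} || exit 1

# Create a server principal with no AES
${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
${kadmin} ext -k "${keytab}" host/no-aes.test.h5l.se@${R} || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1

# Fixture password for user1; handed to kinit via --password-file rather
# than on the command line.
echo u1 > "${objdir}/foopassword"

echo Starting kdc
${kdc} &
kdcpid=$!

# No trap is installed yet, so the KDC has to be killed by hand here.
if ! sh "${srcdir}/../kdc/wait-kdc.sh"; then
    kill "${kdcpid}"
    exit 1
fi

# From here on every exit path (testfailed, signal, plain exit) takes the
# KDC down.  The trap is cleared before the normal shutdown at the end.
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" --forwardable user1@${R} || testfailed

echo "======test unreadable/non existant keytab and its error message" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se || testfailed

# Hide the keytab: the acceptor must now fail, and its error text must name
# the missing file (matched as a fixed string, not a regex).
mv "${keytabfile}" "${keytabfile}.no"

echo "checking non existant keytabfile (krb5)" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && testfailed
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; testfailed; }
echo "checking non existant keytabfile (spengo)" ; > messages.log
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && testfailed
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; testfailed; }

mv "${keytabfile}.no" "${keytabfile}"

echo "======test naming combinations"
echo "plain" ; > messages.log
${context} --name-type=hostbased-service host@lucid.test.h5l.se || testfailed
echo "plain (krb5)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || testfailed
echo "plain (krb5 realmless)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || testfailed
echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
#${context} --dns-canon host@lucid.test.h5l.se || testfailed
echo "dns canon off (long name)" ; > messages.log
${context} --no-dns-canon host@lucid.test.h5l.se || testfailed
echo "dns canon off (short name)" ; > messages.log
${context} --no-dns-canon host@lucid || testfailed
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || testfailed
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || testfailed

echo "======test context building"
# The *iov variants map to the base mech plus --iov.  iov is reset on every
# iteration; previously it was only ever set, so the --iov chosen for
# krb5iov leaked into the plain spnego run and spnego without IOV was never
# exercised.  ${iov} is intentionally unquoted so an empty value adds no
# argument.
for mech in krb5 krb5iov spnego spnegoiov; do
    iov=""
    if [ "$mech" = "krb5iov" ] ; then
        mech="krb5"
        iov="--iov"
    fi
    if [ "$mech" = "spnegoiov" ] ; then
        mech="spnego"
        iov="--iov"
    fi

    echo "${mech} no-mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

    echo "${mech} mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

    echo "${mech} delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

    echo "${mech} mutual delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || testfailed
done

echo "======dce-style"
# Same mech/iov mapping as above; spnegoiov is accepted but not in the list.
for mech in krb5 krb5iov spnego; do
    iov=""
    if [ "$mech" = "krb5iov" ] ; then
        mech="krb5"
        iov="--iov"
    fi
    if [ "$mech" = "spnegoiov" ] ; then
        mech="spnego"
        iov="--iov"
    fi

    echo "${mech}: dce-style ${iov}" ; > messages.log
    ${context} \
        --mech-type=${mech} \
        --mutual \
        --dce-style \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

done

echo "test gsskrb5_register_acceptor_identity (both positive and negative)"

# A copy of the keytab under another name must work both bare and with the
# FILE: prefix; a name that does not exist must make the acceptor fail.
cp "${keytabfile}" "${keytabfile}.new"
for mech in krb5 spnego; do
    echo "${mech}: acceptor_identity positive" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.new" \
        --mech-type=$mech host@lucid.test.h5l.se || testfailed

    echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="FILE:${keytabfile}.new" \
        --mech-type=$mech host@lucid.test.h5l.se || testfailed

    echo "${mech}: acceptor_identity negative" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.foo" \
        --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && testfailed
done

rm "${keytabfile}.new"


#echo "sasl-digest-md5"
#${context} --mech-type=sasl-digest-md5 \
#    --name-type=hostbased-service \
#    host@lucid.test.h5l.se || testfailed


echo "====== gss-api session key check"

# This will break when someone invents a cooler enctype than
# aes256-cts-hmac-sha1-96.
coolenctype="aes256-cts-hmac-sha1-96"
limit_enctype="des3-cbc-sha1"

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || testfailed


# The server key has no AES, but the session key negotiated for the context
# must still be the strong enctype.
echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --session-enctype=${coolenctype} \
    --name-type=hostbased-service host@no-aes.test.h5l.se || testfailed

echo "Building context on cred, check if its limited still" ; > messages.log
${context} \
    --mech-type=krb5 \
    --client-name=user1@${R} \
    --limit-enctype="${limit_enctype}" \
    --mutual-auth \
    --name-type=hostbased-service host@no-aes.test.h5l.se || testfailed


echo "====== ok-as-delegate"

echo "Getting client initial tickets" ; > messages.log
${kinit} --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || testfailed

echo "ok-as-delegate not used" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

# lucid lacks the ok-as-delegate attribute, so policy delegation must not
# hand over credentials (--server-no-delegate asserts that).
echo "host without ok-as-delegate with policy-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "ok-as-delegate used by policy" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || testfailed

echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
${kinit} --ok-as-delegate --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || testfailed

echo "policy delegate to non delegate host" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "ok-as-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "======export/import cred"

echo "export-import cred (krb5)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || testfailed

echo "export-import cred (spnego)" ; > messages.log
${context} \
    --mech-type=spnego \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || testfailed


echo "======time diffs between client and server"

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || testfailed

echo "No time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || testfailed

# Skew on the acceptor side: the initiator is allowed a few round trips to
# pick up the server's time offset.
echo "Server time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=3 \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "Server time offset (cached ?)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=2 \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || testfailed
# Pre-populate the cache since the tgs-req will fail since our time is wrong
${kgetcred} host/lucid.test.h5l.se@${R} || testfailed

echo "Client time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --client-time-offset=3600 \
    --name-type=hostbased-service host@lucid.test.h5l.se || testfailed

echo "Getting client initial tickets (use-referrals)" ; > messages.log
${kinit} \
    --password-file="${objdir}/foopassword" \
    --use-referrals user1@${R} || testfailed

# XXX these tests really need to use something that resolves to something
${context} \
    --mech-type=krb5 \
    host@short || testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name host/short || testfailed

${context} \
    --mech-type=krb5 \
    host@long.test.h5l.se || testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name \
    host/long.test.h5l.se || testfailed

# Normal shutdown: disarm the failure trap before stopping the KDC.
trap "" EXIT

echo "killing kdc (${kdcpid})"
kill "${kdcpid}" 2> /dev/null

exit 0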