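#!/bin/sh
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Id
#
# GSS-API regression test.  Builds a throw-away KDC database and keytab for
# the realm TEST.H5L.SE, starts a KDC bound to localhost, and drives
# ../../lib/gssapi/test_context through the krb5 and spnego mechanisms:
# acquire_cred_with_password, missing-keytab diagnostics, name forms,
# context establishment (mutual / delegate / IOV / DCE style), acceptor
# identity, session-key enctype limits, ok-as-delegate policy, credential
# export/import, client and server clock skew, and referrals.
#
# @env_setup@, @srcdir@, @objdir@ and @port@ are filled in by the build.
# ${env_setup} is expected to provide TESTS_ENVIRONMENT, afs_no_afslog and
# the getpid helper used below (not visible in this file).
#
# All passwords in this script (p1, u1, kaka) are throw-away test secrets
# for a KDC that listens on localhost only; nothing here is meant to be
# reused outside the test tree.

env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"

. "${env_setup}"

# If there is no useful db support compiled in, disable test
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
nokeytab="FILE:no-such-keytab"
cache="FILE:krb5ccfile"

# These command strings are deliberately expanded unquoted below:
# TESTS_ENVIRONMENT may carry a wrapper plus its arguments and must be
# word-split.  Every tool is pointed at the per-test ccache ${cache}.
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
# --addresses=localhost keeps the test KDC off any external interface.
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"

context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

KRB5CCNAME=${cache}
export KRB5CCNAME

# Start from a clean slate: keytab, database, per-test output, master key.
rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

# add both lucid and lucid.test.h5l.se to simulate aliases
${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1

# ok-delegate gets the ok-as-delegate attribute; the delegation policy
# tests below rely on lucid NOT having it.
${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1

# short is aliased to long.test.h5l.se; used by the --use-referrals tests
# at the end.
${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
# XXX ext should ext aliases too
${kadmin} ext -k ${keytab} host/short@${R} || exit 1
${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1

${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1

${kadmin} add -p u1 --use-defaults user1@${R} || exit 1

# Create a server principal with no AES
${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
# tempfile is not read back; the get only checks that the principal exists.
${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1

# user1's password, consumed via kinit --password-file so that it never
# appears on a command line.
echo u1 > "${objdir}/foopassword"

echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
kdcpid=$(getpid kdc)
[ -n "${kdcpid}" ] || { echo "could not determine kdc pid"; exit 1; }

# From here on every exit path, including a failed test, must take the
# detached KDC down with it.  The trap is cleared before the normal exit.
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

# Abort the run, dumping whatever the KDC logged for the failing step.
testfailed() {
    echo test failed
    cat messages.log
    exit 1
}

echo "Test gss_acquire_cred_with_password" ; > messages.log
${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
    host@lucid.test.h5l.se || testfailed
# These must fail (because wrong password)
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
    host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 --mech-type='' \
    --mech-types=krb5 host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
    --mech-types=krb5 host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 --mech-type=all \
    --mech-types=krb5 host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 \
    --mech-type=krb5,ntlm --mech-types=krb5 host@lucid.test.h5l.se \
    && testfailed
# gss_acquire_cred_with_password() must not have side-effects
${klist} && testfailed

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" --forwardable user1@${R} || \
    testfailed

echo "======test unreadable/non existant keytab and its error message" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
    testfailed

# Hide the keytab so the acceptor fails, then check that the error message
# names the keytab it could not open.
mv "${keytabfile}" "${keytabfile}.no"

echo "checking non existant keytabfile (krb5)" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
    testfailed
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; testfailed; }
echo "checking non existant keytabfile (spengo)" ; > messages.log
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
    testfailed
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; testfailed; }

mv "${keytabfile}.no" "${keytabfile}"

echo "======test naming combinations"
echo "plain" ; > messages.log
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed
echo "plain w/ short-form hostname" ; > messages.log
${context} --name-type=hostbased-service host@lucid || \
    testfailed
echo "plain (krb5)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
    testfailed
echo "plain (krb5 realmless)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
    testfailed
echo "plain (krb5 realmless short-form)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \
    testfailed
echo "creating short-form princ"
${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
#${context} --dns-canon host@lucid.test.h5l.se || \
#    testfailed
echo "dns canon off (long name)" ; > messages.log
${context} --no-dns-canon host@lucid.test.h5l.se || \
    testfailed
echo "dns canon off (short name)" ; > messages.log
${context} --no-dns-canon host@lucid || \
    testfailed
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
    testfailed
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
    testfailed

echo "======test context building"
# The *iov variants run the same mechanism with --iov.  iov is reset on
# every iteration: without the reset the "--iov" from krb5iov leaked into
# the plain spnego case, so non-IOV spnego was never exercised here.
for mech in krb5 krb5iov spnego spnegoiov; do
    iov=""
    case "${mech}" in
    krb5iov)
        mech="krb5"
        iov="--iov"
        ;;
    spnegoiov)
        mech="spnego"
        iov="--iov"
        ;;
    esac

    echo "${mech} no-mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    echo "${mech} mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    echo "${mech} delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    echo "${mech} mutual delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed
done

echo "======dce-style"
# spnegoiov is handled below but deliberately not in the list (kept as in
# the original); DCE style is tested for krb5, krb5 IOV and plain spnego.
for mech in krb5 krb5iov spnego; do
    iov=""
    case "${mech}" in
    krb5iov)
        mech="krb5"
        iov="--iov"
        ;;
    spnegoiov)
        mech="spnego"
        iov="--iov"
        ;;
    esac

    echo "${mech}: dce-style ${iov}" ; > messages.log
    ${context} \
        --mech-type=${mech} \
        --mutual \
        --dce-style \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

done

echo "test gsskrb5_register_acceptor_identity (both positive and negative)"

# A copy of the keytab must be accepted both as a bare path and with the
# FILE: prefix; a path that does not exist must be rejected.
cp "${keytabfile}" "${keytabfile}.new"
for mech in krb5 spnego; do
    echo "${mech}: acceptor_identity positive" ; > messages.log
    ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
        --mech-type=$mech host@lucid.test.h5l.se || \
        testfailed

    echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
    ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
        --mech-type=$mech host@lucid.test.h5l.se || \
        testfailed

    echo "${mech}: acceptor_identity negative" ; > messages.log
    ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
        --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
        testfailed
done

rm "${keytabfile}.new"


#echo "sasl-digest-md5"
#${context} --mech-type=sasl-digest-md5 \
#    --name-type=hostbased-service \
#    host@lucid.test.h5l.se || \
#    testfailed


echo "====== gss-api session key check"

# this will break when someone invents a cooler enctype than aes256-cts-hmac-sha1-96
coolenctype="aes256-cts-hmac-sha1-96"
limit_enctype="des3-cbc-sha1"

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed


echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --session-enctype=${coolenctype} \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    testfailed

echo "Building context on cred, check if its limited still" ; > messages.log
${context} \
    --mech-type=krb5 \
    --client-name=user1@${R} \
    --limit-enctype="${limit_enctype}" \
    --mutual-auth \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    testfailed


echo "====== ok-as-delegate"

echo "Getting client initial tickets" ; > messages.log
${kinit} --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "ok-as-delegate not used" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "host without ok-as-delegate with policy-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "ok-as-delegate used by policy" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed

echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
${kinit} --ok-as-delegate --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "policy delegate to non delegate host" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "ok-as-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "======export/import cred"

echo "export-import cred (krb5)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed

echo "export-import cred (spnego)" ; > messages.log
${context} \
    --mech-type=spnego \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed


echo "======time diffs between client and server"

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "No time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "Server time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=3 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

# Second attempt is allowed one loop fewer: the skew learned above is
# presumably cached, so no extra round trip should be needed.
echo "Server time offset (cached ?)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=2 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed
# Pre-populate the cache: with the client clock skewed below, a TGS-REQ
# to the KDC would fail.
${kgetcred} host/lucid.test.h5l.se@${R} || \
    testfailed

echo "Client time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --client-time-offset=3600 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Getting client initial tickets (use-referrals)" ; > messages.log
${kinit} \
    --password-file="${objdir}/foopassword" \
    --use-referrals user1@${R} || \
    testfailed

# XXX these tests really need to use names that resolve to something
${context} \
    --mech-type=krb5 \
    host@short || \
    testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name host/short || \
    testfailed

${context} \
    --mech-type=krb5 \
    host@long.test.h5l.se || \
    testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name \
    host/long.test.h5l.se || \
    testfailed

# Normal completion: disarm the failure trap, then stop the KDC ourselves.
trap "" EXIT

echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null

exit 0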