1#!/bin/sh
2#
3# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4# (Royal Institute of Technology, Stockholm, Sweden).
5# All rights reserved.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10#
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13#
14# 2. Redistributions in binary form must reproduce the above copyright
15#    notice, this list of conditions and the following disclaimer in the
16#    documentation and/or other materials provided with the distribution.
17#
18# 3. Neither the name of the Institute nor the names of its contributors
19#    may be used to endorse or promote products derived from this software
20#    without specific prior written permission.
21#
22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32# SUCH DAMAGE.
33
top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"

# env_setup is filled in at configure time; the tool wrappers used below
# (${kadmin}, ${kdc}, ${kpasswdd}, ${kinit}, ${klist}, ${kgetcred},
# ${kdestroy}, ${ktutil}, ${hxtool}, ${test_ap_req}, ${test_renew},
# ${test_gic}, ${rkpty}, ${leaks_kill}, getpid, ${have_db}, ${EGREP},
# ${hx509_data}, ${afs_no_afslog}, ${afs_no_unlog}) are not defined in this
# file, so presumably they come from here.
. ${env_setup}

# Point every Kerberos tool at the test krb5.conf (or the one given as $1)
# so nothing in this script touches the host's real Kerberos configuration.
KRB5_CONFIG="${1-${objdir}/krb5.conf}"
export KRB5_CONFIG

# Run with `eval "${testfailed}"` after a failed step: prints the KDC log
# collected in messages.log for that step and aborts the script.
testfailed="echo test failed; cat messages.log; exit 1"

# If there is no useful db support compile in, disable test
# (77 is the automake "test skipped" status).
${have_db} || exit 77
47
# Realms used throughout: the primary test realm, an HTTP-transport realm,
# three realms reachable from $R through [capaths], and three more for the
# reverse-order [capaths] walk.
R=TEST.H5L.SE
RH=TEST-HTTP.H5L.SE
R2=TEST2.H5L.SE
R3=TEST3.H5L.SE
R4=TEST4.H5L.SE
R5=SOME-REALM5.FR
R6=SOME-REALM6.US
R7=SOME-REALM7.UK

# Hierarchical realms for the referral tests: H1 and H2 sit below $R,
# H3 and H4 below H2.
H1=H1.$R
H2=H2.$R
H3=H3.$H2
H4=H4.$H2

# Lower-case forms, used when building host-based principal names
# (foo/host.<realm-in-lowercase>).
r=$(echo "$R" | tr '[A-Z]' '[a-z]')
h1=$(echo "$H1" | tr '[A-Z]' '[a-z]')
h2=$(echo "$H2" | tr '[A-Z]' '[a-z]')
h3=$(echo "$H3" | tr '[A-Z]' '[a-z]')
h4=$(echo "$H4" | tr '[A-Z]' '[a-z]')

# Ports are substituted at configure time.
port=@port@
pwport=@pwport@

# Local (-l) kadmin operating on the database directly. kadmin5 is built on
# top of the already-extended kadmin, so it carries "-r $R -l -r $R5";
# presumably the last -r wins.
kadmin="${kadmin} -l -r $R"
kadmin5="${kadmin} -l -r $R5"
# Both daemons bind to localhost only, so the test KDC is never reachable
# from the network.
kdc="${kdc} --addresses=localhost -P $port"
kpasswdd="${kpasswdd} --addresses=localhost -p $pwport"

# Service principals: a host in $R, one in $R2, two named by IP address,
# one named by an IP-style hostname, and an alias pair.
server=host/datan.test.h5l.se
server2=host/computer.example.com
serverip=host/10.11.12.13
serveripname=host/ip.test.h5l.org
serveripname2=host/10.11.12.14
alias1=host/datan.example.com
alias2=host/datan
aliaskeytab=host/datan

# Credential caches: the main one, two output caches for the S4U tests and
# an unused spare.
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
o2cache="FILE:${objdir}/o2cache.krb5"
icache="FILE:${objdir}/icache.krb5"

# Server keytab all service keys are extracted into.
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"

# Service used for the S4U2Self/S4U2Proxy tests.
ps="proxy-service@${R}"
aesenctype="aes256-cts-hmac-sha1-96"

# Client tools, all pinned to $cache.
kinit="${kinit} -c $cache ${afs_no_afslog}"
klist="${klist} -c $cache"
kgetcred="${kgetcred} -c $cache"
kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
test_set_kvno0="${test_set_kvno0} -c $cache"
100
# Start from a clean slate: remove the keytab, database files, output files
# and master-key files of any earlier run, then truncate the KDC log.
rm -f ${keytabfile} current-db* out-* mkey.file*

: > messages.log
107
echo Creating database
# Initialise every realm with the same lifetime policy, in the original
# order. Principals of $R5 are administered through kadmin5, everything
# else through kadmin.
for realm in ${R} ${R2} ${R3} ${R4} ${R5} ${R6} ${R7} ${H1} ${H2} ${H3} ${H4} ${RH}; do
    case ${realm} in
    ${R5}) adm="${kadmin5}" ;;
    *)     adm="${kadmin}" ;;
    esac
    ${adm} init \
        --realm-max-ticket-life=1day \
        --realm-max-renewable-life=1month \
        ${realm} || exit 1
done
180
# Rotate the krbtgt key (random key) four times so its kvno is well above 1
# before the first ticket is issued.
for n in 1 2 3 4; do
    ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
done
185
# Client principals: "foo" (password foo) in every realm, plus a host-based
# variant in the realms used by the referral tests.
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1
${kadmin} add -p foo --use-defaults foo@${R2} || exit 1
${kadmin} add -p foo --use-defaults foo@${R3} || exit 1
${kadmin} add -p foo --use-defaults foo@${R4} || exit 1
${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1
${kadmin} add -p foo --use-defaults foo@${H3} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1
${kadmin} add -p foo --use-defaults foo@${H4} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1
# bar is the user impersonated in the S4U tests; remove is deleted mid-test.
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
# $server is changed twice with --keepold, so its current kvno is 3 and the
# two previous keys stay in the database (the keytab check below relies on
# the kvno, the TGS tests on the old keys still being usable).
${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1
${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1
${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1
# Principals that are later reduced to a single enctype.
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
# These two rely on per-principal key rules in the test krb5.conf
# ("checking globbing keys rules" below).
${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
# proxy-service is the only principal allowed to impersonate users
# (trusted-for-delegation) and may only delegate onwards to $server
# (constrained-delegation). The negative S4U checks at the end of the
# script depend on foo@$R and bar@$R *not* having these attributes.
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
# Service keys go into the shared keytab that test_ap_req verifies against.
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1
217
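# Service in the second realm, reached via a cross-realm TGT later on.
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
# Services named by an IP address / IP-style host name.
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
# ${serveripname2} becomes an alias of ${serveripname}. The alias tests
# below depend on this having taken effect, so abort here (with a clear
# kadmin error) instead of failing later inside an unrelated kgetcred.
${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} || exit 1
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1

# ${alias2} (short host name) is an alias of ${alias1}; only ${alias1} gets a
# keytab entry, which the "server aliases" checks at the end exercise.
${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} || exit 1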
230
# Cross-realm trust keys. Every trust is a pair of krbtgt principals, one
# per realm, that share a password ("cross1" one way, "cross2" the other).
# Principals living in $R5 are created through kadmin5, all others through
# kadmin. The resulting trust graph is what the [capaths] and referral
# tests walk: R-R2, R2-R3, R2-R4, R3-R4, R-R5, R5-R6, R6-R7, R-H1, R-H2,
# H2-H3, H3-H4.
for spec in \
    "cross1 krbtgt/${R2}@${R}" \
    "cross2 krbtgt/${R}@${R2}" \
    "cross1 krbtgt/${R3}@${R2}" \
    "cross2 krbtgt/${R2}@${R3}" \
    "cross1 krbtgt/${R4}@${R2}" \
    "cross2 krbtgt/${R2}@${R4}" \
    "cross1 krbtgt/${R4}@${R3}" \
    "cross2 krbtgt/${R3}@${R4}" \
    "cross1 krbtgt/${R5}@${R}" \
    "cross2 krbtgt/${R}@${R5}" \
    "cross1 krbtgt/${R6}@${R5}" \
    "cross2 krbtgt/${R5}@${R6}" \
    "cross1 krbtgt/${R7}@${R6}" \
    "cross2 krbtgt/${R6}@${R7}" \
    "cross1 krbtgt/${H1}@${R}" \
    "cross2 krbtgt/${R}@${H1}" \
    "cross1 krbtgt/${H2}@${R}" \
    "cross2 krbtgt/${R}@${H2}" \
    "cross1 krbtgt/${H3}@${H2}" \
    "cross2 krbtgt/${H2}@${H3}" \
    "cross1 krbtgt/${H3}@${H4}" \
    "cross2 krbtgt/${H4}@${H3}"
do
    pw=${spec%% *}
    princ=${spec#* }
    case ${princ} in
    *@${R5}) adm="${kadmin5}" ;;
    *)       adm="${kadmin}" ;;
    esac
    ${adm} add -p ${pw} --use-defaults ${princ} || exit 1
done
263
# Principals for the expiry checks at the end of the script: a password
# that expires tomorrow (warning only), one that expired on a fixed past
# date (forces a change through kpasswdd), and an expired account (created
# here but not exercised further in this file).
${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
${kadmin} modify --pw-expiration-time=+1day  pw-expire@${R} || exit 1

${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1
${kadmin} modify --pw-expiration-time=2012-06-12  pw-expired@${R} || exit 1

${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1
${kadmin} modify --expiration-time=2012-06-12  account-expired@${R} || exit 1

${kadmin} add -p foo --use-defaults foo@${RH} || exit 1

# Argument-parser check: a principal literally named "-p" must be accepted
# after "--" rather than being parsed as the -p (password) option.
echo "Check parser"
${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1
278
echo "Doing database check"
# Run kadmin's consistency check over every realm just populated ($RH is
# not checked, as before); $R5 again goes through kadmin5.
for realm in ${R} ${R2} ${R3} ${R4} ${R5} ${R6} ${R7} ${H1} ${H2} ${H3} ${H4}; do
    case ${realm} in
    ${R5}) adm="${kadmin5}" ;;
    *)     adm="${kadmin}" ;;
    esac
    ${adm} check ${realm} || exit 1
done
291
echo "Extracting enctypes"
# Keytab sanity check on the kvno column (column 1 of `ktutil list`):
# every entry except $server must be kvno 1, and $server (changed twice
# with --keepold above) must be kvno 3. The awk patterns are substring
# matches, so this is a coarse check, not an exact comparison.
${ktutil} -k ${keytab} list > tempfile || exit 1
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
    ${EGREP} -v "$server" |                 # we did cpw for this one
    awk '$1 !~ /1/  { exit 1 }' || exit 1
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
    ${EGREP} "$server" | head -1 |
    awk '$1 !~ /3/  { exit 1 }' || exit 1


# Full enctype list of a default principal, taken from the "Keytypes:" line
# of `kadmin get` with the "(pw-salt)" markers, commas and "[n]" indices
# stripped, leaving a space-separated list of enctype names.
${kadmin} get foo@${R} > tempfile || exit 1
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`

# The same list minus the aes* and minus the des3 enctype, used with
# del_enctype / ktutil remove below.
enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`

# Leave kt-des3 with only its des3 key in the keytab while the database
# still has all of them ("subset in keytab compared to kdb" test below).
# The ktutil removals are deliberately unchecked.
echo "deleting all but des enctypes on kt-des3 in keytab"
${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
for a in ${enctype_sans_des3} ; do
   ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
done

# The test krb5.conf (not visible here) presumably restricts the keys of
# */des3-only and */aes-only principals; verify the database honours it.
# NOTE(review): both checks reassign $enctypes. Every later
# `for a in $enctypes` loop therefore iterates over the *aes-only* result
# (a single enctype), not the full list extracted from foo@$R above.
# Confirm whether that is intended before widening it; the "(only aes)"
# permutation section below may depend on it.
echo "checking globbing keys rules"
${kadmin} get foo/des3-only@${R} > tempfile || exit 1
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then
    echo "des3 only is not only des3: $enctypes"
    exit 1
fi

${kadmin} get foo/aes-only@${R} > tempfile || exit 1
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then
    echo "aes only is not only aes: $enctypes"
    exit 1
fi
328
329
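# Password files consumed by `kinit --password-file` below. These are the
# test-only passwords of the principals created above ("foo"), plus a
# deliberately wrong one for the negative check.
echo foo > ${objdir}/foopassword
echo notfoo > ${objdir}/notfoopassword

echo Starting kdc ; > messages.log
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
${kdc} --detach --testing ||
    { echo "kdc failed to start"; exit 1; }
kdcpid=`getpid kdc`

# Install the cleanup trap as soon as the first daemon is detached: if
# kpasswdd fails to start below, the `exit 1` must not leave a stray kdc
# listening on port ${port} for the next test run to trip over.
trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

echo Starting kpasswdd; > messages.log
env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach ||
    { echo "kpasswdd failed to start"; exit 1; }
kpasswddpid=`getpid kpasswdd`


# Now cover both daemons. Every `exit 1` from here on (including the ones
# inside ${testfailed}) kills them; the trap is cleared with `trap "" EXIT`
# once leaks_kill has shut them down cleanly at the end of the script.
trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT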
346
# Overall exit status; set to 1 by every failed step (via ${testfailed}).
ec=0

# Negative check first: a wrong password must be rejected, and with the
# specific "Password incorrect" diagnostic rather than some other error.
echo "Getting client initial tickets with wrong password"; > messages.log
${kinit} --password-file=${objdir}/notfoopassword \
        foo@${R} 2>kinit-log.tmp && \
	{ ec=1 ; eval "${testfailed}"; }
grep 'Password incorrect' kinit-log.tmp > /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
echo "Getting client initial tickets"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
# Roll the krbtgt key (keeping the old one) while a TGT encrypted under the
# previous kvno sits in the cache: the KDC must still accept that TGT for
# the TGS request that follows.
echo "Doing krbtgt key rollover"; > messages.log
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1
echo "Getting tickets"; > messages.log
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
# End-to-end: build an AP-REQ from the cached service ticket and verify it
# with the server key from the keytab.
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

# $RH is presumably configured in the test krb5.conf to reach its KDC over
# the HTTP transport; only the AS exchange is exercised.
echo "Getting client initial tickets (http transport)"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
372
# [capaths]: with a TGT for $R, obtain a client ticket in each of the other
# realms. The cross-realm path to every target is resolved from the
# [capaths] section of the test krb5.conf plus the trusts created above.
echo "Testing capaths logic"
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }

for xrealm in ${R2} ${R3} ${R4} ${R5} ${R6} ${R7}; do
    echo "Getting x-realm tickets with capaths for $R -> $xrealm"
    ${kgetcred} foo@${xrealm} || { ec=1 ; eval "${testfailed}"; }
done
${kdestroy}

# Same walk in the opposite order, so intermediate cross-realm TGTs are not
# already cached from an earlier, shorter path.
echo "Testing capaths logic (reverse order)"
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }

for xrealm in ${R4} ${R3} ${R2} ${R7} ${R6} ${R5}; do
    echo "Getting x-realm tickets with capaths for $R -> $xrealm"
    ${kgetcred} foo@${xrealm} || { ec=1 ; eval "${testfailed}"; }
done
${kdestroy}
412
# Referrals: starting from H3 (= H3.H2.$R), ask for host-based services
# with --canonicalize and let the KDCs refer the client up and down the
# realm hierarchy instead of relying on [capaths].
echo "Testing hierarchical referral logic"
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@${H3} || \
	{ ec=1 ; eval "${testfailed}"; }

echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

# H4 has no direct trust with H1 (only H3-H4, H2-H3, R-H1 exist), so this
# referral has to be chained through several hops.
echo "Testing multi-hop [capaths] referral logic"
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@${H4} || \
	{ ec=1 ; eval "${testfailed}"; }

echo "Getting x-realm tickets with [capaths] referrals for $H4 -> $H1"
${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

# A forwardable, renewable (5 day) TGT must yield a service ticket that
# carries the same flags: klist -f must show F, R and A for $server.
echo "Testing forwardable/renewable flag copying in TGS-REQ"
${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${klist} -f | grep ${server} | grep FRA > /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
444
# The same enctype requested twice: duplicate -e entries must be tolerated.
echo "Specific enctype"; > messages.log
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }

# Per enctype (note: $enctypes was last assigned by the aes-only check
# above): an AS exchange restricted to that enctype, a service ticket, and
# an AP-REQ verified against the keytab.
for a in $enctypes; do
	echo "Getting client initial tickets ($a)"; > messages.log
	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
	echo "Getting tickets"; > messages.log
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}
done


# Same, but with the enctype restriction on the TGS request instead of the
# AS request; the service ticket is dropped from the cache between rounds
# so every round really goes to the KDC.
echo "Getting client initial tickets"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
	echo "Getting tickets ($a)"; > messages.log
	${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kdestroy} --credential=${server}@${R}
done
${kdestroy}
472
# Cross-realm service tickets per enctype: the ticket handed back must be
# for the principal asked for (no silent referral elsewhere) and must
# verify against $server2's keytab entry.
echo "Getting client initial tickets for cross realm case"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
	echo "Getting cross realm tickets ($a)"; > messages.log
	${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
	echo "  checking we we got back right ticket"
	${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
	echo "  checking if ticket is useful"
	${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}

# kvno-0 handling: test_set_kvno0 presumably rewrites the kvno of the
# cached TGTs to 0 ("any key"). The KDC must then find the right krbtgt key
# by trying the keys it has, first for the local TGT, then for the
# cross-realm TGT.
echo "Trying x-realm TGT with kvno 0 case";
${kinit} --password-file=${objdir}/foopassword foo@$R ||
	{ ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Same with kvno 0 *and* a key rollover (old keys kept) of both the local
# and the cross-realm krbtgt in between: with several candidate keys the
# KDC still has to locate the one the cached TGT was encrypted with.
echo "Trying x-realm TGT with kvno 0 case with key rollover";
${kinit} --password-file=${objdir}/foopassword foo@$R ||
	{ ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Rolling over cross realm keys"; > messages.log
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
# Leftover from interactive debugging: nothing reads input here.
echo "Start tracing kdc, then hit return"
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Same two scenarios with the kvno removed entirely (-n) rather than set
# to 0.
echo "Trying x-realm TGT with no kvno case";
${kinit} --password-file=${objdir}/foopassword foo@$R ||
	{ ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Trying x-realm TGT with no kvno case with key rollover";
${kinit} --password-file=${objdir}/foopassword foo@$R ||
	{ ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Rolling over cross realm keys"; > messages.log
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
# Leftover from interactive debugging: nothing reads input here.
echo "Start tracing kdc, then hit return"
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
540
# Every (AS enctype, TGS enctype) combination of $enctypes: initial ticket
# restricted to $a, service ticket restricted to $b, AP-REQ verified
# against the keytab. (With $enctypes reduced to the aes-only result above
# this is a single combination.)
echo "try all permutations"; > messages.log
for a in $enctypes; do
	echo "Getting client initial tickets ($a)"; > messages.log
	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
		{ ec=1 ; eval "${testfailed}"; }
	for b in $enctypes; do
		echo "Getting tickets ($a ->  $b)"; > messages.log
		${kgetcred} -e $b ${server}@${R} || \
			{ ec=1 ; eval "${testfailed}"; }
		${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
			{ ec=1 ; eval "${testfailed}"; }
		${kdestroy} --credential=${server}@${R}
	done
	${kdestroy}
done
556
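# Service named by a bare IP address: the ticket must be issued for exactly
# that name and verify against its keytab entry.
echo "Getting client initial tickets ip based name"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
echo "Getting ip based name tickets"; > messages.log
${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "  checking we we got back right ticket"
${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo "  checking if ticket is useful"
${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Canonical name and its alias (set up with `modify --alias`): each request
# must get a ticket for the name that was asked for. Only ${serveripname}
# has a keytab entry, so the AP-REQ is verified with --server-any (accept
# any principal whose key is in the keytab).
echo "Getting client initial tickets ip based name (alias)"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in ${serveripname} ${serveripname2} ; do
    echo "Getting ip based name tickets (alias) $a"; > messages.log
    ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
    echo "  checking we we got back right ticket"
    ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
    echo "  checking if ticket is useful"
    ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
    	{ ec=1 ; eval "${testfailed}"; }
done
${kdestroy}

# Keytab-based AS exchange for a service principal (no password involved).
echo "Getting server initial tickets"; > messages.log
${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} | grep "Principal: ${server}" > /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

# The keytab holds only the des3 key of kt-des3 ("deleting all but des
# enctypes" above) while the database still holds every enctype: the AS
# exchange must still succeed with the key the client actually has. The
# kinit itself is checked so a failure is reported with the KDC log,
# instead of surfacing as an unrelated klist error on a missing cache.
echo "Getting key for key that are a subset in keytab compared to kdb"
${kinit} --keytab=${keytab} kt-des3@${R} || { ec=1 ; eval "${testfailed}"; }
${klist} | grep "Principal: kt-des3" > /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}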
593
# A TGT must stop being useful once its owner is deleted: the KDC has to
# re-check that the client principal still exists on every local TGS
# request rather than trusting the TGT alone.
echo "initial tickets for deleted user test case"; > messages.log
${kinit} --password-file=${objdir}/foopassword remove@$R || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
echo "try getting ticket with deleted user"; > messages.log
${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Cross-realm variant: remove2 lives in $R2 and is deleted there after the
# cross-realm TGT for $R has been obtained. The $R KDC cannot see $R2's
# database, so this request is expected to *succeed* (the client is only
# checked in its home realm).
echo "cross realm case (deleted user)"; > messages.log
${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove2@${R2} || exit 1
${kgetcred} ${server}@${R} 2> /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Renaming a principal must keep its key usable under the new name.
echo "rename user"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename2@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename2@${R} || exit 1

# Same, moving the principal into another realm (the salt is derived from
# the principal name, so this exercises the stored-salt handling).
echo "rename user to another realm"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename@${R2} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename@${R2} || exit 1
631
# Reduce the local krbtgt to its aes keys only: TGTs must from now on be
# issued with aes regardless of what the client asks for.
echo deleting all but aes enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1

# And reduce $server-des3 to its des3 key (fresh keytab entry afterwards),
# so the TGS has to pick a service ticket enctype the service has a key
# for, independent of the session key enctype.
echo deleting all but des enctypes on server-des3
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1

# Permutation matrix again, now with the aes-only krbtgt, against both the
# full-enctype $server and the des3-only $server-des3.
echo "try all permutations (only aes)"; > messages.log
for a in $enctypes; do
	echo "Getting client initial tickets ($a)"; > messages.log
	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
		{ ec=1 ; eval "${testfailed}"; }
	for b in $enctypes; do
		echo "Getting tickets ($a ->  $b)"; > messages.log
		${kgetcred} -e $b ${server}@${R} || \
			{ ec=1 ; eval "${testfailed}"; }
		${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
			{ ec=1 ; eval "${testfailed}"; }

		echo "Getting tickets ($a ->  $b) (server des3 only)"; > messages.log
		${kgetcred} ${server}-des3@${R} || \
			{ ec=1 ; eval "${testfailed}"; }
		${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
			{ ec=1 ; eval "${testfailed}"; }

		${kdestroy} --credential=${server}@${R}
		${kdestroy} --credential=${server}-des3@${R}
	done
	${kdestroy}
done

# Fail-closed check: with *no* key left on krbtgt the AS exchange must be
# refused outright rather than falling back to anything.
echo deleting all enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
	{ ec=1 ; eval "${testfailed}"; }
echo "try initial ticket w/o and keys on krbtgt"
${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }
# A freshly generated random aes key brings the realm back to life.
echo "adding random aes key"
${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
	{ ec=1 ; eval "${testfailed}"; }
echo "try initial ticket with random aes key on krbtgt"
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
676
# Feature detection for PKINIT: needs an RSA implementation and a random
# source in hx509/hcrypto, and a kinit built with PKINIT support (detected
# by the "CA certificates" option in its --help text). ECDSA is optional.
rsa=yes
ecdsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
    ecdsa=no
fi


# If we support pkinit and have RSA, lets try that
if test "$pkinit" = yes -a "$rsa" = yes ; then

    # Anonymous PKINIT: no client credential at all, the realm alone is
    # named; the anonymous TGT must still buy a service ticket.
    echo "try anonymous pkinit"; > messages.log
    ${kinit} --anonymous ${R} || \
	{ ec=1 ; eval "${testfailed}"; }
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}

    # Each case is run with the default (DH) key agreement and with
    # --pk-use-enckey (reply key encrypted to the client's public key).
    for type in "" "--pk-use-enckey"; do
	# The certificate itself names bar@$R ...
	echo "Trying pk-init (principal in certificate) $type"; > messages.log
	${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}

	# ... while foo@$R is reached through the KDC's pki-mapping of the
	# same certificate.
	echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
	${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}

	# Encrypted private key; the password file unlocks the key here,
	# it is not sent to the KDC.
	echo "Trying pk-init (password protected key) $type"; > messages.log
	${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
	${kdestroy}

	# Proxy certificate chain (the KDC must validate the whole chain).
	echo "Trying pk-init (proxy cert) $type"; > messages.log
	${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}

    done

    # EC client certificate; afterwards the KDC log must confirm that the
    # exchange really used ECDH rather than a fallback.
    if test "$ecdsa" = yes > /dev/null ; then
	echo "Trying pk-init (ec certificate)"
	> messages.log
	${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
	    { ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}
	grep 'PK-INIT using ecdh' messages.log > /dev/null || \
	    { ec=1 ; eval "${testfailed}"; }
    fi

else
	echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
fi
746
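# S4U2Self (protocol transition): proxy-service, holding a forwardable
# TGT of its own, obtains a ticket to itself on behalf of bar@$R without
# bar's credentials. The impersonated ticket lands in ${ocache} and must
# verify against proxy-service's keytab entry.
echo "tickets for impersonate test case"; > messages.log
${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
	{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${ps} ${keytab} ${ocache} || \
	{ ec=1 ; eval "${testfailed}"; }
# Impersonating towards a *different* service (foo@$R) must be refused.
echo "  negative check"
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

# S4U2Proxy (constrained delegation): with a forwardable impersonated
# ticket as evidence, proxy-service may obtain a ticket to $server as bar
# ($server is its --constrained-delegation target) ...
echo "test constrained delegation"; > messages.log
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} \
	--out-cache=${o2cache} \
	--delegation-credential-cache=${ocache} \
	${server}@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
echo "  try using the credential"
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
	{ ec=1 ; eval "${testfailed}"; }
# ... but not to bar@$R, which is not in that list.
echo "  negative check"
${kgetcred} \
	--out-cache=${o2cache} \
	--delegation-credential-cache=${ocache} \
	bar@${R} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

# A service must not be able to forge its own evidence tickets with its
# keytab key. kimpersonate mints such a ticket for bar into ${ocache};
# the KDC has to reject it for S4U2Proxy. ${ocache} is FILE:${objdir}/
# ocache.krb5, so it is removed by that path (the cwd need not be objdir)
# to make sure no genuine forwarded credential from the step above can
# survive into these negative checks.
#
# First a non-forwardable one ...
echo "test constrained delegation impersonation (non forward)"; > messages.log
rm -f ${objdir}/ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

# ... then a forwardable one that still lacks the KDC-issued KRB5SignedPath
# authorization data, which is what proves the ticket came from the KDC.
echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
rm -f ${objdir}/ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

${kdestroy}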
791
# Renewal through kinit -R (Heimdal interface) ...
echo "check renewing" > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "kinit -R"
${kinit} -R || \
	{ ec=1 ; eval "${testfailed}"; }
# ... and through the MIT-compatible library call exercised by test_renew,
# which finds the cache via KRB5CCNAME.
echo "check renewing MIT interface" > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "test_renew"
env KRB5CCNAME=${cache} ${test_renew} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
805
# Server aliases: tickets can be obtained for both ${alias1} and its alias
# ${alias2}, but the keytab only has an entry for ${alias1}.
echo "checking server aliases"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > messages.log
${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "   verify entry in keytab"
${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
	{ ec=1 ; eval "${testfailed}"; }
echo "   verify entry in keytab with any"
${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
	{ ec=1 ; eval "${testfailed}"; }
# Strict server-name matching must reject the alias ticket (no keytab
# entry under that name) ...
echo "   verify failure with alias entry"
${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }
# ... while --server-any (accept any key in the keytab) verifies it.
echo "   verify alias entry in keytab with any"
${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

# `ktutil destroy` must remove the keytab file itself, not just its entries.
echo "testing removal of keytab"
${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
829
# Password expiring within a day: kinit must still succeed but print the
# expiry warning, and the library (test_gic) must surface the
# corresponding last-req entry ("e type: 6") to the caller.
echo "Checking client pw expire"; > messages.log
${kinit} --password-file=${objdir}/foopassword \
        pw-expire@${R} 2>kinit-log.tmp|| \
	{ ec=1 ; eval "${testfailed}"; }
grep 'Your password will expire' kinit-log.tmp > /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
echo "   kinit passes"
${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null
${EGREP} "^e type: 6" kinit-log.tmp > /dev/null  || \
	{ ec=1 ; eval "${testfailed}"; }
echo "   test_gic passes"
${kdestroy}
842
echo "Checking password expiration" ; > messages.log

# Expired password: drive kinit through a pty (rkpty script below). After
# the old password is accepted, kinit must report the expiry, prompt for a
# new password twice and change it through kpasswdd.
kinitpty=${objdir}/foopassword.rkpty
cat > ${kinitpty} <<EOF
expect Password
password foo\n
expect Password has expired
expect New password
password Foobar11\n
expect password
password Foobar11\n
expect Success: Password changed
EOF

echo "Checking client pw expire"; > messages.log
${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \
	{ ec=1 ; eval "${testfailed}"; }

${kdestroy}


# Orderly shutdown (leaks_kill also collects leak reports), then disarm
# the kill -9 trap so the normal exit does not fire it.
echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1
sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1

trap "" EXIT

exit $ec
870exit $ec
871