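#!/bin/sh
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Id
#
# End-to-end test of the GSS-API krb5 and SPNEGO mechanisms against a
# freshly initialised test KDC (realm TEST.H5L.SE).  The script creates a
# database and keytab, starts a kdc, and then runs a series of positive and
# negative assertions with test_context; the first failed assertion dumps
# messages.log and aborts the run.
#
# Test-harness caveats (deliberate here, do not copy into production scripts):
#  * The user password is written to a plain file (foopassword) and, in the
#    gss_acquire_cred_with_password tests, passed on the command line via
#    --client-password.  Command-line arguments are visible to other local
#    users (ps, /proc).  This is acceptable only because realm, keys and
#    passwords are throw-away fixtures that never leave the build tree.
#  * Command variables such as ${context}, ${kadmin} and ${kinit} hold a
#    program plus options and are intentionally expanded UNQUOTED so the
#    shell word-splits them back into an argv.  Plain paths derived from
#    ${objdir} are quoted.

env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"

. "${env_setup}"

# If there is no useful db support compiled in, disable test
# (77 is the automake "skipped" exit status).
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
nokeytab="FILE:no-such-keytab"	# not referenced below
cache="FILE:krb5ccfile"

kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
# NOTE: an earlier revision also assigned klist to
# "../../kuser/heimtools klist -c $cache" and then immediately overwrote it;
# only the assignment that was ever in effect is kept.
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
# The kdc is bound to localhost only, so the test realm is never reachable
# from the network.
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"

context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

# Point every Kerberos library call at the test configuration and cache.
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

KRB5CCNAME=${cache}
export KRB5CCNAME

# Start from a clean slate: keytab, database, test outputs, master key.
rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

# Abort on the first failed assertion.  messages.log is truncated before each
# step, so it holds only the KDC/GSS log for the step that failed.  The exit
# runs the EXIT trap installed below, which kills the kdc.
testfailed() {
    echo test failed
    cat messages.log
    exit 1
}

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

# add both lucid and lucid.test.h5l.se to simulate aliases
${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
${kadmin} ext -k "${keytab}" host/lucid.test.h5l.se@${R} || exit 1

# ok-delegate is the only host with +ok-as-delegate; the delegation tests
# further down depend on lucid NOT carrying that attribute.
${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} ext -k "${keytab}" host/ok-delegate.test.h5l.se@${R} || exit 1


${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
# XXX ext should ext aliases too; until then copy the keytab entry under the
# alias name by hand so the acceptor can find a key for host/long.
${kadmin} ext -k "${keytab}" host/short@${R} || exit 1
${ktutil} -k "${keytab}" rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1

${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1

${kadmin} add -p u1 --use-defaults user1@${R} || exit 1

# Create a server principal with no AES
${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
${kadmin} ext -k "${keytab}" host/no-aes.test.h5l.se@${R} || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1

# Password file for kinit --password-file (keeps the password off argv).
echo u1 > "${objdir}/foopassword"

echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
# getpid is not defined in this file; it is expected to come from env_setup.
kdcpid=$(getpid kdc)

# Make sure the detached kdc does not outlive the test on any exit path.
# Cleared with 'trap "" EXIT' before the normal exit 0 at the end.
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

echo "Test gss_acquire_cred_with_password" ; > messages.log
${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
    host@lucid.test.h5l.se || testfailed
# These must fail (because wrong password), regardless of how the mechanism
# is selected: explicit, empty with --mech-types, "all", or a list.
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
    host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 --mech-type='' \
    --mech-types=krb5 host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
    --mech-types=krb5 host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 --mech-type=all \
    --mech-types=krb5 host@lucid.test.h5l.se && testfailed
${context} --client-name=user1@${R} --client-password=u2 \
    --mech-type=krb5,ntlm --mech-types=krb5 host@lucid.test.h5l.se \
    && testfailed
# gss_acquire_cred_with_password() must not have side-effects: nothing may
# have been written to the default credential cache, so klist must fail.
${klist} && testfailed

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" --forwardable user1@${R} || \
    testfailed

echo "======test unreadable/non existant keytab and its error message" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
    testfailed

# Hide the keytab: the acceptor must now fail cleanly for both mechanisms.
mv "${keytabfile}" "${keytabfile}.no"

echo "checking non existant keytabfile (krb5)" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
    testfailed
echo "checking non existant keytabfile (spengo)" ; > messages.log
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
    testfailed

mv "${keytabfile}.no" "${keytabfile}"

echo "======test naming combinations"
echo "plain" ; > messages.log
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed
echo "plain w/ short-form hostname" ; > messages.log
${context} --name-type=hostbased-service host@lucid || \
    testfailed
echo "plain (krb5)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
    testfailed
echo "plain (krb5 realmless)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
    testfailed
echo "plain (krb5 realmless short-form)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \
    testfailed
echo "creating short-form princ"
${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
${kadmin} ext -k "${keytab}" host/lucid@${R} || exit 1
echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
#${context} --dns-canon host@lucid.test.h5l.se || \
#    testfailed
echo "dns canon off (long name)" ; > messages.log
${context} --no-dns-canon host@lucid.test.h5l.se || \
    testfailed
echo "dns canon off (short name)" ; > messages.log
${context} --no-dns-canon host@lucid || \
    testfailed
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
    testfailed
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
    testfailed

echo "======test context building"
for mech in krb5 krb5iov spnego spnegoiov; do
    # Reset per iteration (as the dce-style loop below already does).
    # Without this, the --iov set by the krb5iov pass leaked into the plain
    # spnego pass, so SPNEGO without IOV wrap/unwrap was never exercised.
    iov=""
    if [ "$mech" = "krb5iov" ] ; then
        mech="krb5"
        iov="--iov"
    fi
    if [ "$mech" = "spnegoiov" ] ; then
        mech="spnego"
        iov="--iov"
    fi

    echo "${mech} no-mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    echo "${mech} mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    echo "${mech} delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

    echo "${mech} mutual delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed
done

echo "======dce-style"
for mech in krb5 krb5iov spnego; do
    iov=""
    if [ "$mech" = "krb5iov" ] ; then
        mech="krb5"
        iov="--iov"
    fi
    # spnegoiov is not in the list above, so this branch is currently
    # never taken; kept so the two loops stay parallel.
    if [ "$mech" = "spnegoiov" ] ; then
        mech="spnego"
        iov="--iov"
    fi

    echo "${mech}: dce-style ${iov}" ; > messages.log
    ${context} \
        --mech-type=${mech} \
        --mutual \
        --dce-style \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        testfailed

done

echo "test gsskrb5_register_acceptor_identity (both positive and negative)"

# A copy of the keytab under a different name must work both as a bare path
# and with the FILE: prefix; a name that does not exist must be rejected.
cp "${keytabfile}" "${keytabfile}.new"
for mech in krb5 spnego; do
    echo "${mech}: acceptor_identity positive" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.new" \
        --mech-type=$mech host@lucid.test.h5l.se || \
        testfailed

    echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="FILE:${keytabfile}.new" \
        --mech-type=$mech host@lucid.test.h5l.se || \
        testfailed

    echo "${mech}: acceptor_identity negative" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.foo" \
        --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
        testfailed
done

rm "${keytabfile}.new"


#echo "sasl-digest-md5"
#${context} --mech-type=sasl-digest-md5 \
#    --name-type=hostbased-service \
#    host@lucid.test.h5l.se || \
#    testfailed


echo "====== gss-api session key check"

# this will break when someone invents a cooler enctype than aes256-cts-hmac-sha1-96
coolenctype="aes256-cts-hmac-sha1-96"
limit_enctype="des3-cbc-sha1"

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed


# The service key of no-aes has no AES enctype, but the session key is
# negotiated from the client's list and must still be ${coolenctype}.
echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --session-enctype=${coolenctype} \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    testfailed

echo "Building context on cred, check if its limited still" ; > messages.log
${context} \
    --mech-type=krb5 \
    --client-name=user1@${R} \
    --limit-enctype="${limit_enctype}" \
    --mutual-auth \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    testfailed


echo "====== ok-as-delegate"

echo "Getting client initial tickets" ; > messages.log
${kinit} --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "ok-as-delegate not used" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

# With --policy-delegate the client only forwards credentials to hosts the
# KDC marked ok-as-delegate; lucid is not, so the server must see none.
echo "host without ok-as-delegate with policy-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "ok-as-delegate used by policy" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed

echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
${kinit} --ok-as-delegate --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "policy delegate to non delegate host" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "ok-as-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "======export/import cred"

echo "export-import cred (krb5)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed

echo "export-import cred (spnego)" ; > messages.log
${context} \
    --mech-type=spnego \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    testfailed


echo "======time diffs between client and server"

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

echo "No time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed

# A skewed server must still be reachable through the mutual-auth clock
# skew recovery, within the given number of round trips.
echo "Server time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=3 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Server time offset (cached ?)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=2 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    testfailed
# Pre-populate the cache since tgs-req will fail since our time is wrong
${kgetcred} host/lucid.test.h5l.se@${R} || \
    testfailed

echo "Client time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --client-time-offset=3600 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    testfailed

echo "Getting client initial tickets (use-referrals)" ; > messages.log
${kinit} \
    --password-file="${objdir}/foopassword" \
    --use-referrals user1@${R} || \
    testfailed

# XXX these tests really need to use something that resolve to something
${context} \
    --mech-type=krb5 \
    host@short || \
    testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name host/short || \
    testfailed

${context} \
    --mech-type=krb5 \
    host@long.test.h5l.se || \
    testfailed

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name \
    host/long.test.h5l.se || \
    testfailed

# Normal completion: disarm the failure trap, then stop the kdc ourselves.
trap "" EXIT

echo "killing kdc (${kdcpid})"
kill "${kdcpid}" 2> /dev/null

exit 0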