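#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Regression test for the KDC digest interface (kdigest): exercises CHAP,
# MS-CHAP-V2 and NTLM against a database created from scratch and a KDC
# started on localhost.  The @...@ tokens are filled in at configure time.
#
# Exit status: 0 when every check passed, 1 on any failure, 77 (automake
# "skip") when the build has no usable database backend.

top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"
srcdir="@srcdir@"

testfailed="echo test failed; cat messages.log; exit 1"

# env_setup provides the tool variables (kadmin, kdc, kinit, kdigest,
# test_ntlm, test_context, ...) and the have_db / getpid / leaks_kill
# helpers used below.
. "${env_setup}"

# If there is no useful db support compiled in, disable test
${have_db} || exit 77

R=TEST.H5L.SE

port=@port@

# Tool variables carry the program plus its options and are therefore
# invoked unquoted on purpose: word splitting is what turns them into a
# command line.
kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"

server=host/datan.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
keytabfile="${objdir}/server.keytab"
keytab="FILE:${keytabfile}"

kinit="${kinit} -c $cache ${afs_no_afslog}"
klist="${klist} -c $cache"
kdigest="${kdigest} --ccache=$cache"

# Fixed throw-away credentials: the database is (re)created below, so they
# only ever exist inside this test environment.
username=foo
userpassword=digestpassword

password=foobarbaz

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

# Start from a clean slate: old keytab, database, output files and master key.
rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

: > messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    "${R}" || exit 1

# Three principals: the test user, the service whose ticket the digest
# client uses, and digest/REALM.  The service principal must carry the
# allow-digest attribute before the KDC lets it use the digest interface.
${kadmin} add -p "$userpassword" --use-defaults "${username}@${R}" || exit 1
${kadmin} add -p "$password" --use-defaults "${server}@${R}" || exit 1
${kadmin} add -p kaka --use-defaults "digest/${R}@${R}" || exit 1
${kadmin} modify --attributes=+allow-digest "${server}@${R}" || exit 1
${kadmin} ext -k "${keytab}" "${server}@${R}" || exit 1

echo "Doing database check"
${kadmin} check "${R}" || exit 1

# kinit reads the service password through --password-file rather than
# from the command line.
printf '%s\n' "$password" > "${objdir}/foopassword"

echo "Starting kdc" ; : > messages.log
env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing ||
    { echo "kdc failed to start"; exit 1; }
kdcpid=$(getpid kdc)

# Any premature exit (a failing sub-test included) must not leave the KDC
# running.  The pid is expanded now, while the trap is installed; SIGKILL
# is used here so a wedged KDC cannot ignore the cleanup -- the normal
# shutdown path at the end goes through leaks_kill instead.
trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT

# Set to 1 by any non-fatal check; returned at the very end.
exitcode=0

echo "Getting digest server tickets"
${kinit} --password-file="${objdir}/foopassword" "${server}@$R" || exitcode=1
${kdigest} digest-server-init \
    --kerberos-realm="${R}" \
    --type=CHAP > /dev/null || exitcode=1

echo "Trying NTLM"

NTLM_ACCEPTOR_CCACHE="$cache"
export NTLM_ACCEPTOR_CCACHE

echo "Trying server-init"
${kdigest} ntlm-server-init \
    --kerberos-realm="${R}" \
    > sdigest-init || exitcode=1

echo "test_ntlm"
${test_ntlm} || { echo "test_ntlm failed"; exit 1; }

# Static user file consumed by the NTLM mechanism in test_context.
NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
export NTLM_USER_FILE

echo "test_context --mech-type=ntlm"
${test_context} --mech-type=ntlm \
    --client-name=foo@TEST \
    --name-type=hostbased-service datan@TEST || \
    { echo "test_context 1 failed"; exit 1; }

${test_context} --mech-type=ntlm \
    --client-name=foo@TEST \
    --name-type=hostbased-service datan@host.TEST || \
    { echo "test_context 2 failed"; exit 1; }

${test_context} --mech-type=ntlm \
    --client-name=foo@TEST \
    --name-type=hostbased-service datan@host.test.domain2 || \
    { echo "test_context 3 failed"; exit 1; }

echo "Trying SL in NTLM"

# ${type} is deliberately left unquoted: "--getverifymic --wrapunwrap"
# must split into two separate options.
for type in \
    "" \
    "--getverifymic" \
    "--wrapunwrap" \
    "--getverifymic --wrapunwrap" \
    ; do

    echo "Trying NTLM type: ${type}"
    # shellcheck disable=SC2086
    ${test_context} --mech-type=ntlm ${type} \
        --client-name=foo@TEST \
        --name-type=hostbased-service datan@TEST || \
        { echo "test_context (ntlm ${type}) failed"; exit 1; }

done


echo "Trying CHAP"

${kdigest} digest-server-init \
    --kerberos-realm="${R}" \
    --type=CHAP \
    > sdigest-reply || exitcode=1

# The server-init reply carries the challenge (server nonce, identifier)
# and an opaque blob that must be echoed back in the server-request step.
snonce=$(grep server-nonce= sdigest-reply | cut -f2- -d=)
identifier=$(grep identifier= sdigest-reply | cut -f2- -d=)
opaque=$(grep opaque= sdigest-reply | cut -f2- -d=)

${kdigest} digest-client-request \
    --type=CHAP \
    --username="$username" \
    --password="$userpassword" \
    --opaque="$opaque" \
    --server-identifier="$identifier" \
    --server-nonce="$snonce" \
    > cdigest-reply || exitcode=1

cresponseData=$(grep responseData= cdigest-reply | cut -f2- -d=)

#echo user: $username
#echo server-nonce: $snonce
#echo opaqeue: $opaque
#echo identifier: $identifier

${kdigest} digest-server-request \
    --kerberos-realm="${R}" \
    --type=CHAP \
    --username="$username" \
    --opaque="$opaque" \
    --client-response="$cresponseData" \
    --server-identifier="$identifier" \
    --server-nonce="$snonce" \
    > s2digest-reply || exitcode=1

status=$(grep status= s2digest-reply | cut -f2- -d=)

if test "X$status" = "Xok" ; then
    echo "CHAP response ok"
else
    echo "CHAP response failed"
    exitcode=1
fi

# Negative test: overwrite the first four characters of the client
# response and verify the server rejects the tampered value instead of
# reporting success.
cresponseData=$(printf '%s\n' "$cresponseData" | sed 's/..../DEADBEEF/')

${kdigest} digest-server-request \
    --kerberos-realm="${R}" \
    --type=CHAP \
    --username="$username" \
    --opaque="$opaque" \
    --client-response="$cresponseData" \
    --server-identifier="$identifier" \
    --server-nonce="$snonce" \
    > s2digest-reply || exitcode=1

status=$(grep status= s2digest-reply | cut -f2- -d=)

if test "X$status" = "Xfailed" ; then
    echo "CHAP response fail as it should"
else
    echo "CHAP response succeeded errorously"
    exitcode=1
fi

echo "Trying MS-CHAP-V2"

${kdigest} digest-server-init \
    --kerberos-realm="${R}" \
    --type=MS-CHAP-V2 \
    > sdigest-reply || exitcode=1

snonce=$(grep server-nonce= sdigest-reply | cut -f2- -d=)
opaque=$(grep opaque= sdigest-reply | cut -f2- -d=)
# Fixed client nonce so the run is reproducible (it appears to be the
# PeerChallenge from the RFC 2759 test vectors).  Only acceptable in a test
# fixture: a real client must draw a fresh random nonce per exchange.
cnonce="21402324255E262A28295F2B3A337C7E"

echo "MS-CHAP-V2 client request"
${kdigest} digest-client-request \
    --type=MS-CHAP-V2 \
    --username="$username" \
    --password="$userpassword" \
    --opaque="$opaque" \
    --client-nonce="$cnonce" \
    --server-nonce="$snonce" \
    > cdigest-reply || exitcode=1

# Both sides must independently derive the same authenticator response
# (mutual authentication) and the same session key.
cresponseData=$(grep responseData= cdigest-reply | cut -f2- -d=)
cRsp=$(grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=)
ckey=$(grep session-key= cdigest-reply | cut -f2- -d=)

${kdigest} digest-server-request \
    --kerberos-realm="${R}" \
    --type=MS-CHAP-V2 \
    --username="$username" \
    --opaque="$opaque" \
    --client-response="$cresponseData" \
    --client-nonce="$cnonce" \
    --server-nonce="$snonce" \
    > s2digest-reply || exitcode=1

status=$(grep status= s2digest-reply | cut -f2- -d=)
sRsp=$(grep rsp= s2digest-reply | cut -f2- -d=)
skey=$(grep session-key= s2digest-reply | cut -f2- -d=)

if test "X$sRsp" != "X$cRsp" ; then
    echo "rsp wrong $sRsp != $cRsp"
    exitcode=1
fi

if test "X$skey" != "X$ckey" ; then
    echo "session-key wrong"
    exitcode=1
fi

if test "X$status" = "Xok" ; then
    echo "MS-CHAP-V2 response ok"
else
    echo "MS-CHAP-V2 response failed"
    exitcode=1
fi

# Disarm the emergency trap: from here on the KDC is shut down deliberately.
trap "" EXIT

echo "killing kdc (${kdcpid})"
sh ${leaks_kill} kdc "$kdcpid" || exit 1

exit $exitcode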