diff options
Diffstat (limited to 'crypto/heimdal/tests/kdc/check-kdc.in')
-rw-r--r-- | crypto/heimdal/tests/kdc/check-kdc.in | 413 |
1 files changed, 413 insertions, 0 deletions
diff --git a/crypto/heimdal/tests/kdc/check-kdc.in b/crypto/heimdal/tests/kdc/check-kdc.in new file mode 100644 index 0000000..3a43172 --- /dev/null +++ b/crypto/heimdal/tests/kdc/check-kdc.in @@ -0,0 +1,413 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id: check-kdc.in 22019 2007-10-24 20:47:59Z lha $ +# + +srcdir="@srcdir@" +objdir="@objdir@" +EGREP="@EGREP@" + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compile in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE +R2=TEST2.H5L.SE + +port=@port@ + +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" + +server=host/datan.test.h5l.se +server2=host/computer.example.com +cache="FILE:${objdir}/cache.krb5" +ocache="FILE:${objdir}/ocache.krb5" +o2cache="FILE:${objdir}/o2cache.krb5" +icache="FILE:${objdir}/icache.krb5" +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" +ps="proxy-service@${R}" +aesenctype="aes256-cts-hmac-sha1-96" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog" +klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache" +kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache" +kgetcred_imp="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache --out-cache=${ocache}" +kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog" +ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil" +hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool" +kimpersonate="${TESTS_ENVIRONMENT} ../../kuser/kimpersonate -k ${keytab} --ccache=${ocache}" +test_renew="${TESTS_ENVIRONMENT} ../../lib/krb5/test_renew" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R2} || exit 1 + +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 + +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add -p bar --use-defaults bar@${R} || exit 1 +${kadmin} add -p foo --use-defaults remove@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 +${kadmin} add -p foo --use-defaults ${ps} || exit 1 +${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 +${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 +${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${ps} || exit 1 + +${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 +${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 +${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 + +${kadmin} add -p foo --use-defaults -- -p || exit 1 +${kadmin} delete -- -p || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 +${kadmin} check ${R2} || exit 1 + +echo "Extracting enctypes" +${ktutil} -k ${keytab} list > tempfile || exit 1 +${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ + awk '$1 !~ /1/ { exit 1 }' || exit 1 + +${kadmin} get foo@${R} > tempfile || exit 1 +enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'` + +enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'` +enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` + +echo foo > ${objdir}/foopassword + +echo Starting kdc +${kdc} & +kdcpid=$! + +sh ${srcdir}/wait-kdc.sh +if [ "$?" != 0 ] ; then + kill ${kdcpid} + exit 1 +fi + +trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +ec=0 + +echo "Getting client initial tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "Getting tickets"; > messages.log +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Listing tickets"; > messages.log +${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } +./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Specific enctype"; > messages.log +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } + echo "Getting tickets"; > messages.log + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} +done + + +echo "Getting client initial tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client initial tickets for cross realm case"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting cross realm tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server2}@${R2} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server2}@${R2} +done +${kdestroy} + +echo "try all permutations"; > messages.log +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + for b in $enctypes; do + echo "Getting tickets ($a -> $b)"; > messages.log + ${kgetcred} -e $b ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} + done + ${kdestroy} +done + +echo "Getting server initial tickets"; > messages.log +${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } +echo "Listing tickets"; > messages.log +${klist} | grep "Principal: ${server}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "initial tickets for deleted user test case"; > messages.log +${kinit} --password-file=${objdir}/foopassword remove@$R || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } +echo "try getting ticket with deleted user"; > messages.log +${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "cross realm case (removed user)"; > messages.log +${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} delete remove2@${R2} || exit 1 +${kgetcred} ${server}@${R} 2> /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "rename user"; > messages.log +${kadmin} add -p foo --use-defaults rename@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} rename rename@${R} rename2@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename2@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} +${kadmin} delete rename2@${R} || exit 1 + +echo "rename user to another realm"; > messages.log +${kadmin} add -p foo --use-defaults rename@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} rename rename@${R} rename@${R2} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R2} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} +${kadmin} delete rename@${R2} || exit 1 + +echo deleting all but aes enctypes on krbtgt +${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 + +echo deleting all but des enctypes on server-des3 +${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 +${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 + +echo "try all permutations (only aes)"; > messages.log +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\ + { ec=1 ; eval "${testfailed}"; } + for b in $enctypes; do + echo "Getting tickets ($a -> $b)"; > messages.log + ${kgetcred} -e $b ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + + echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log + ${kgetcred} ${server}-des3@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}-des3@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + + ${kdestroy} --credential=${server}@${R} + ${kdestroy} --credential=${server}-des3@${R} + done + ${kdestroy} +done + +echo deleting all enctypes on krbtgt +${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ + { ec=1 ; eval "${testfailed}"; } +echo "try initial ticket w/o and keys on krbtgt" +${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } +echo "adding random aes key" +${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ + { ec=1 ; eval "${testfailed}"; } +echo "try initial ticket with random aes key on krbtgt" +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + +rsa=yes +pkinit=no +if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then + rsa=no +fi +if ${hxtool} info | grep 'rand: not available' > /dev/null ; then + rsa=no +fi +if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then + pkinit=yes +fi + +# If we support pkinit and have RSA, lets try that +if test "$pkinit" = yes -a "$rsa" = yes ; then + + for type in "" "--pk-use-enckey"; do + echo "Trying pk-init (principal in certificate) $type"; > messages.log + base="${srcdir}/../../lib/hx509/data" + ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log + ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (password protected key) $type"; > messages.log + ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (proxy cert) $type"; > messages.log + base="${srcdir}/../../lib/hx509/data" + ${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + done +else + echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log +fi + +echo "tickets for impersonate test case"; > messages.log +${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +./ap-req ${ps} ${keytab} ${ocache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } +echo test constrained delegation +${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +./ap-req ${server}@${R} ${keytab} ${o2cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation impersonation (non forward)"; > messages.log +rm -f ocache.krb5 +${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log +rm -f ocache.krb5 +${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +${kdestroy} + +echo "check renewing" > messages.log +${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "kinit -R" +${kinit} -R || \ + { ec=1 ; eval "${testfailed}"; } +echo "check renewing MIT interface" > messages.log +${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "test_renew" +env KRB5CCNAME=${cache} ${test_renew} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +echo "killing kdc (${kdcpid})" +kill $kdcpid || exit 1 + +trap "" EXIT + +exit $ec |