-/*
+/*
Unix SMB/CIFS implementation.
Validate the krb5 pac generation routines
-
+
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
bool removedollar;
const char *krb5_service;
const char *krb5_hostname;
-};
+};
enum test_stage {
TEST_AS_REQ = 0,
return true;
}
-/*
+/*
* This function is set in torture_krb5_init_context_canon as krb5
* send_and_recv function. This allows us to override what server the
* test is aimed at, and to inspect the packets just before they are
}
k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
- hi, timeout, &modified_send_buf,
+ hi, timeout, &modified_send_buf,
recv_buf);
if (k5ret != 0) {
return k5ret;
size_t used;
torture_warning(test_context->tctx, "Packet of length %llu failed post-recv checks in test stage %d", (unsigned long long)recv_buf->length, test_context->test_stage);
if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
- torture_warning(test_context->tctx,
+ torture_warning(test_context->tctx,
"STAGE: %d Unexpectedly got a KRB-ERROR packet "
"with error code %d (%s)",
test_context->test_stage,
}
test_context->packet_count++;
-
+
return k5ret;
}
freeaddrinfo(test_context->server);
return 0;
}
-
+
static bool torture_krb5_init_context_canon(struct torture_context *tctx,
struct test_data *test_data,
test_context->test_data = test_data;
test_context->tctx = tctx;
-
+
k5ret = smb_krb5_init_context(test_context, tctx->lp_ctx, &test_context->smb_krb5_context);
torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
torture_assert(tctx, ok, "Failed to parse target server");
talloc_set_destructor(test_context, test_context_destructor);
-
+
set_sockaddr_port(test_context->server->ai_addr, 88);
k5ret = krb5_set_send_to_kdc_func(test_context->smb_krb5_context->krb5_context,
char *cc_name;
krb5_data in_data, enc_ticket;
krb5_get_creds_opt opt;
-
+
const char *upn = torture_setting_string(tctx, "krb5-upn", "");
test_data->krb5_service = torture_setting_string(tctx, "krb5-service", "host");
test_data->krb5_hostname = torture_setting_string(tctx, "krb5-hostname", "");
- /*
+ /*
* If we have not passed a UPN on the command line,
* then skip the UPN tests.
*/
*p = '\0';
p++;
}
- /*
+ /*
* Test the UPN behaviour carefully. We can
* test in two different modes, depending on
* what UPN has been set up for us.
*
- * If the UPN is in our realm, then we do all the tests with this name also.
+ * If the UPN is in our realm, then we do all the tests with this name also.
*
* If the UPN is not in our realm, then we
* expect the tests that replace the realm to
test_data->other_upn_suffix = false;
}
- /*
+ /*
* This lets us test the combination of the UPN prefix
* with a valid domain, without adding even more
- * combinations
+ * combinations
*/
if (test_data->netbios_realm == false) {
test_data->realm = p;
ok = torture_krb5_init_context_canon(tctx, test_data, &test_context);
torture_assert(tctx, ok, "torture_krb5_init_context failed");
k5_context = test_context->smb_krb5_context->krb5_context;
-
+
if (test_data->upper_realm) {
test_data->realm = strupper_talloc(test_data, test_data->realm);
} else {
}
principal_string = talloc_asprintf(test_data, "%s@%s", test_data->username, test_data->realm);
-
- /*
+
+ /*
* If we are set to canonicalize, we get back the fixed UPPER
* case realm, and the real username (ie matching LDAP
- * samAccountName)
+ * samAccountName)
*
* Otherwise, if we are set to enterprise, we
- * get back the whole principal as-sent
+ * get back the whole principal as-sent
*
* Finally, if we are not set to canonicalize, we get back the
* fixed UPPER case realm, but the as-sent username
test_data->username,
test_data->real_realm);
}
-
+
if (test_data->enterprise) {
principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
} else {
test_context->test_stage = TEST_AS_REQ;
test_context->packet_count = 0;
- /*
+ /*
* Set the canonicalize flag if this test requires it
*/
torture_assert_int_equal(tctx,
krb5_get_init_creds_opt_alloc(k5_context, &krb_options),
0, "krb5_get_init_creds_opt_alloc failed");
-
+
torture_assert_int_equal(tctx,
krb5_get_init_creds_opt_set_canonicalize(k5_context,
krb_options,
k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal,
password, NULL, NULL, 0,
NULL, krb_options);
-
+
if (test_data->netbios_realm && test_data->upn) {
torture_assert_int_equal(tctx, k5ret,
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
smb_get_krb5_error_message(k5_context, k5ret, tctx));
torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
}
-
+
torture_assert(tctx,
test_context->packet_count > 1,
"Expected krb5_get_init_creds_password to send more packets");
test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0;
torture_suite_add_simple_tcase_const(suite, name, torture_krb5_as_req_canon,
test_data);
-
+
}
return suite;
}
-/*
+/*
Unix SMB/CIFS implementation.
Validate the krb5 pac generation routines
-
+
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
free_AS_REQ(&test_context->as_req);
break;
- /*
+ /*
* Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
*/
case TORTURE_KRB5_TEST_PAC_REQUEST:
free_AS_REQ(&test_context->as_req);
break;
- /*
+ /*
* Confirm correct error codes when we deliberatly send the wrong password
*/
case TORTURE_KRB5_TEST_BREAK_PW:
free_AS_REQ(&test_context->as_req);
break;
- /*
+ /*
* Confirm correct error codes when we deliberatly skew the client clock
*/
case TORTURE_KRB5_TEST_CLOCK_SKEW:
}
-/*
+/*
* This function is set in torture_krb5_init_context as krb5
* send_and_recv function. This allows us to override what server the
* test is aimed at, and to inspect the packets just before they are
{
krb5_error_code k5ret;
bool ok;
-
+
struct torture_krb5_context *test_context
= talloc_get_type_abort(data, struct torture_krb5_context);
if (ok == false) {
return EINVAL;
}
-
+
k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
hi, timeout, send_buf, recv_buf);
if (k5ret != 0) {
}
test_context->packet_count++;
-
+
return k5ret;
}
freeaddrinfo(test_context->server);
return 0;
}
-
+
static bool torture_krb5_init_context(struct torture_context *tctx,
enum torture_krb5_test test,
test_context->test = test;
test_context->tctx = tctx;
-
+
k5ret = smb_krb5_init_context(tctx, tctx->lp_ctx, smb_krb5_context);
torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
torture_assert(tctx, ok, "Failed to parse target server");
talloc_set_destructor(test_context, test_context_destructor);
-
+
set_sockaddr_port(test_context->server->ai_addr, 88);
k5ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
const char *error_string;
const char *password = cli_credentials_get_password(credentials);
krb5_get_init_creds_opt *krb_options = NULL;
-
+
ok = torture_krb5_init_context(tctx, test, &smb_krb5_context);
torture_assert(tctx, ok, "torture_krb5_init_context failed");
-
+
k5ret = principal_from_credentials(tctx, credentials, smb_krb5_context,
&principal, &obtained, &error_string);
torture_assert_int_equal(tctx, k5ret, 0, error_string);
torture_assert_int_equal(tctx,
krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options),
0, "krb5_get_init_creds_opt_alloc failed");
-
+
torture_assert_int_equal(tctx,
krb5_get_init_creds_opt_set_pac_request(smb_krb5_context->krb5_context, krb_options, true),
0, "krb5_get_init_creds_opt_set_pac_request failed");
break;
-
+
case TORTURE_KRB5_TEST_BREAK_PW:
password = "NOT the password";
break;
password, NULL, NULL, 0,
NULL, krb_options);
krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
-
+
switch (test)
{
case TORTURE_KRB5_TEST_PLAIN:
suite->description = talloc_strdup(suite, "Kerberos tests");
kdc_suite->description = talloc_strdup(kdc_suite, "Kerberos KDC tests");
- torture_suite_add_simple_test(kdc_suite, "as-req-cmdline",
+ torture_suite_add_simple_test(kdc_suite, "as-req-cmdline",
torture_krb5_as_req_cmdline);
- torture_suite_add_simple_test(kdc_suite, "as-req-pac-request",
+ torture_suite_add_simple_test(kdc_suite, "as-req-pac-request",
torture_krb5_as_req_pac_request);
- torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
+ torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
torture_krb5_as_req_break_pw);
- torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
+ torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
torture_krb5_as_req_clock_skew);
torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite));