Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum"
[gd/samba-autobuild/.git] / source4 / torture / krb5 / kdc-canon-heimdal.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Validate the krb5 pac generation routines
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/krb5/proto.h"
27 #include "auth/credentials/credentials.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "source4/auth/kerberos/kerberos.h"
30 #include "source4/auth/kerberos/kerberos_util.h"
31 #include "lib/util/util_net.h"
32 #include "auth/auth.h"
33 #include "auth/auth_sam_reply.h"
34 #include "auth/gensec/gensec.h"
35 #include "param/param.h"
36
37 #define TEST_CANONICALIZE     0x0000001
38 #define TEST_ENTERPRISE       0x0000002
39 #define TEST_UPPER_REALM      0x0000004
40 #define TEST_UPPER_USERNAME   0x0000008
41 #define TEST_NETBIOS_REALM    0x0000010
42 #define TEST_WIN2K            0x0000020
43 #define TEST_UPN              0x0000040
44 #define TEST_S4U2SELF         0x0000080
45 #define TEST_REMOVEDOLLAR     0x0000100
46 #define TEST_AS_REQ_SPN       0x0000200
47 #define TEST_ALL              0x00003FF
48
49 struct test_data {
50         const char *test_name;
51         const char *realm;
52         const char *real_realm;
53         const char *real_domain;
54         const char *username;
55         const char *real_username;
56         bool canonicalize;
57         bool enterprise;
58         bool upper_realm;
59         bool upper_username;
60         bool netbios_realm;
61         bool win2k;
62         bool upn;
63         bool other_upn_suffix;
64         bool s4u2self;
65         bool removedollar;
66         bool as_req_spn;
67         bool spn_is_upn;
68         const char *krb5_service;
69         const char *krb5_hostname;
70 };
71
72 enum test_stage {
73         TEST_AS_REQ = 0,
74         TEST_TGS_REQ_KRBTGT_CANON = 1,
75         TEST_TGS_REQ_CANON = 2,
76         TEST_SELF_TRUST_TGS_REQ = 3,
77         TEST_TGS_REQ = 4,
78         TEST_TGS_REQ_KRBTGT = 5,
79         TEST_TGS_REQ_HOST = 6,
80         TEST_TGS_REQ_HOST_SRV_INST = 7,
81         TEST_TGS_REQ_HOST_SRV_HST = 8,
82         TEST_AS_REQ_SELF = 9,
83         TEST_DONE = 10
84 };
85
86 struct torture_krb5_context {
87         struct smb_krb5_context *smb_krb5_context;
88         struct torture_context *tctx;
89         struct addrinfo *server;
90         struct test_data *test_data;
91         int packet_count;
92         enum test_stage test_stage;
93         AS_REQ as_req;
94         AS_REP as_rep;
95         TGS_REQ tgs_req;
96         TGS_REP tgs_rep;
97 };
98
99 struct pac_data {
100         const char *principal_name;
101 };
102
103 /*
104  * A helper function which avoids touching the local databases to
105  * generate the session info, as we just want to verify the principal
106  * name that we found in the ticket not the full local token
107  */
108 static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
109                                                TALLOC_CTX *mem_ctx,
110                                                struct smb_krb5_context *smb_krb5_context,
111                                                DATA_BLOB *pac_blob,
112                                                const char *principal_name,
113                                                const struct tsocket_address *remote_address,
114                                                uint32_t session_info_flags,
115                                                struct auth_session_info **session_info)
116 {
117         NTSTATUS nt_status;
118         struct auth_user_info_dc *user_info_dc;
119         TALLOC_CTX *tmp_ctx;
120         struct pac_data *pac_data;
121
122         tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
123         NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
124
125         auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);
126
127         pac_data->principal_name = talloc_strdup(pac_data, principal_name);
128         if (!pac_data->principal_name) {
129                 talloc_free(tmp_ctx);
130                 return NT_STATUS_NO_MEMORY;
131         }
132
133         nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
134                                                       *pac_blob,
135                                                       smb_krb5_context->krb5_context,
136                                                       &user_info_dc, NULL, NULL);
137         if (!NT_STATUS_IS_OK(nt_status)) {
138                 talloc_free(tmp_ctx);
139                 return nt_status;
140         }
141
142         if (user_info_dc->info->authenticated) {
143                 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
144         }
145
146         session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
147         nt_status = auth_generate_session_info(mem_ctx,
148                                                NULL,
149                                                NULL,
150                                                user_info_dc, session_info_flags,
151                                                session_info);
152         if (!NT_STATUS_IS_OK(nt_status)) {
153                 talloc_free(tmp_ctx);
154                 return nt_status;
155         }
156
157         talloc_free(tmp_ctx);
158         return NT_STATUS_OK;
159 }
160
161 /* Check to see if we can pass the PAC across to the NETLOGON server for validation */
162
163 /* Also happens to be a really good one-step verfication of our Kerberos stack */
164
165 static bool test_accept_ticket(struct torture_context *tctx,
166                                struct cli_credentials *credentials,
167                                const char *principal,
168                                DATA_BLOB client_to_server)
169 {
170         NTSTATUS status;
171         struct gensec_security *gensec_server_context;
172         DATA_BLOB server_to_client;
173         struct auth4_context *auth_context;
174         struct auth_session_info *session_info;
175         struct pac_data *pac_data;
176         TALLOC_CTX *tmp_ctx = talloc_new(tctx);
177
178         torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
179
180         auth_context = talloc_zero(tmp_ctx, struct auth4_context);
181         torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
182
183         auth_context->generate_session_info_pac = test_generate_session_info_pac;
184
185         status = gensec_server_start(tctx,
186                                      lpcfg_gensec_settings(tctx, tctx->lp_ctx),
187                                      auth_context, &gensec_server_context);
188         torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
189
190         status = gensec_set_credentials(gensec_server_context, credentials);
191         torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
192
193         status = gensec_start_mech_by_name(gensec_server_context, "krb5");
194         torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_name (server) failed");
195
196         server_to_client = data_blob(NULL, 0);
197
198         /* Do a client-server update dance */
199         status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
200         torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
201
202         /* Extract the PAC using Samba's code */
203
204         status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
205         torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
206
207         pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
208
209         torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
210         torture_assert(tctx, pac_data->principal_name != NULL, "principal_name not present");
211         torture_assert_str_equal(tctx, pac_data->principal_name, principal, "wrong principal name");
212         return true;
213 }
214
215 /*
216  * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND
217  *
218  * Confirm that the outgoing packet meets certain expectations.  This
219  * should be extended to further assert the correct and expected
220  * behaviour of the krb5 libs, so we know what we are sending to the
221  * server.
222  *
223  * Additionally, this CHANGES the request to remove the canonicalize
224  * flag automatically added by the krb5 libs when an enterprise
225  * principal is used, so we can test what the server does in this
226  * combination.
227  *
228  */
229
230 static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_context,
231                                               const krb5_data *send_buf,
232                                               krb5_data *modified_send_buf)
233 {
234         AS_REQ mod_as_req;
235         krb5_error_code k5ret;
236         size_t used;
237         torture_assert_int_equal(test_context->tctx, decode_AS_REQ(send_buf->data, send_buf->length,
238                                                &test_context->as_req, &used),
239                                  0, "decode_AS_REQ for TEST_AS_REQ failed");
240         mod_as_req = test_context->as_req;
241         torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
242         torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno,
243                                  5, "Got wrong as_req->pvno");
244         if (test_context->test_data->canonicalize
245             || test_context->test_data->enterprise) {
246                 torture_assert(test_context->tctx,
247                                test_context->as_req.req_body.kdc_options.canonicalize,
248                                "krb5 libs did not set canonicalize!");
249         } else {
250                 torture_assert_int_equal(test_context->tctx,
251                                          test_context->as_req.req_body.kdc_options.canonicalize,
252                                          false,
253                                          "krb5 libs unexpectedly set canonicalize!");
254         }
255
256         if (test_context->test_data->as_req_spn) {
257                 if (test_context->test_data->upn) {
258                         torture_assert_int_equal(test_context->tctx,
259                                                  test_context->as_req.req_body.cname->name_type,
260                                                  KRB5_NT_PRINCIPAL,
261                                                  "krb5 libs unexpectedly "
262                                                  "did not set principal "
263                                                  "as NT_SRV_HST!");
264                 } else {
265                         torture_assert_int_equal(test_context->tctx,
266                                                  test_context->as_req.req_body.cname->name_type,
267                                                  KRB5_NT_SRV_HST,
268                                                  "krb5 libs unexpectedly "
269                                                  "did not set principal "
270                                                  "as NT_SRV_HST!");
271                 }
272         } else if (test_context->test_data->enterprise) {
273                 torture_assert_int_equal(test_context->tctx,
274                                          test_context->as_req.req_body.cname->name_type,
275                                          KRB5_NT_ENTERPRISE_PRINCIPAL,
276                                          "krb5 libs did not pass principal as enterprise!");
277         } else {
278                 torture_assert_int_equal(test_context->tctx,
279                                          test_context->as_req.req_body.cname->name_type,
280                                          KRB5_NT_PRINCIPAL,
281                                          "krb5 libs unexpectedly set principal as enterprise!");
282         }
283
284         /* Force off canonicalize that was forced on by the krb5 libs */
285         if (test_context->test_data->canonicalize == false && test_context->test_data->enterprise) {
286                 mod_as_req.req_body.kdc_options.canonicalize = false;
287         }
288
289         if (test_context->test_stage == TEST_AS_REQ_SELF) {
290                 /*
291                  * Force the server name to match the client name,
292                  * including the name type.  This isn't possible with
293                  * the krb5 client libs alone
294                  */
295                 mod_as_req.req_body.sname = test_context->as_req.req_body.cname;
296         }
297
298         ASN1_MALLOC_ENCODE(AS_REQ, modified_send_buf->data, modified_send_buf->length,
299                            &mod_as_req, &used, k5ret);
300         torture_assert_int_equal(test_context->tctx,
301                                  k5ret, 0,
302                                  "encode_AS_REQ failed");
303
304         if (test_context->test_stage != TEST_AS_REQ_SELF) {
305                 torture_assert_int_equal(test_context->tctx, used, send_buf->length,
306                                          "re-encode length mismatch");
307         }
308         return true;
309 }
310
311 /*
312  * TEST_AS_REQ - RECV
313  *
314  * Confirm that the reply packet from the KDC meets certain
315  * expectations as part of TEST_AS_REQ.  This uses a packet count to
316  * work out what packet we are up to in the multiple exchanged
317  * triggerd by krb5_get_init_creds_password().
318  *
319  */
320
321 static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context *test_context,
322                                                const krb5_data *recv_buf)
323 {
324         KRB_ERROR error;
325         size_t used;
326         if (test_context->packet_count == 0) {
327                 krb5_error_code k5ret;
328                 /*
329                  * The client libs obtain the salt by attempting to
330                  * authenticate without pre-authentication and getting
331                  * the correct salt with the
332                  * KRB5KDC_ERR_PREAUTH_REQUIRED error.  If we are in
333                  * the test (netbios_realm && upn) that deliberatly
334                  * has an incorrect principal, we check we get the
335                  * correct error.
336                  */
337                 k5ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length,
338                                          &error, &used);
339                 if (k5ret != 0) {
340                         AS_REP as_rep;
341                         k5ret = decode_AS_REP(recv_buf->data, recv_buf->length,
342                                       &as_rep, &used);
343                         if (k5ret == 0) {
344                                 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
345                                         torture_assert(test_context->tctx, false,
346                                                        "expected to get a KRB_ERROR packet with "
347                                                        "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, got valid AS-REP");
348                                 } else {
349                                         torture_assert(test_context->tctx, false,
350                                                        "expected to get a KRB_ERROR packet with "
351                                                        "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
352                                 }
353                         } else {
354                                 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
355                                         torture_assert(test_context->tctx, false,
356                                                        "unable to decode as KRB-ERROR or AS-REP, "
357                                                        "expected to get a KRB_ERROR packet with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN");
358                                 } else {
359                                         torture_assert(test_context->tctx, false,
360                                                        "unable to decode as KRB-ERROR or AS-REP, "
361                                                        "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
362                                 }
363                         }
364                 }
365                 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
366                                          "length mismatch");
367                 torture_assert_int_equal(test_context->tctx, error.pvno, 5,
368                                          "Got wrong error.pvno");
369                 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
370                         torture_assert_int_equal(test_context->tctx,
371                                                  error.error_code,
372                                                  KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
373                                                  "Got wrong error.error_code");
374                 } else if (test_context->test_data->as_req_spn && !test_context->test_data->spn_is_upn) {
375                         torture_assert_int_equal(test_context->tctx,
376                                                  error.error_code,
377                                                  KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
378                                                  "Got wrong error.error_code");
379                 } else {
380                         torture_assert_int_equal(test_context->tctx,
381                                                  error.error_code,
382                                                  KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
383                                                  "Got wrong error.error_code");
384                 }
385
386                 free_KRB_ERROR(&error);
387         } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
388                    && (test_context->packet_count == 1)) {
389                 /*
390                  * The Windows 2012R2 KDC will always respond with
391                  * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
392                  * won't fit, because of the PAC.  (It appears to do
393                  * this always, even if it will).  This triggers the
394                  * client to try again over TCP.
395                  */
396                 torture_assert_int_equal(test_context->tctx,
397                                          used, recv_buf->length,
398                                          "length mismatch");
399                 torture_assert_int_equal(test_context->tctx,
400                                          error.pvno, 5,
401                                          "Got wrong error.pvno");
402                 torture_assert_int_equal(test_context->tctx,
403                                          error.error_code,
404                                          KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
405                                          "Got wrong error.error_code");
406                 free_KRB_ERROR(&error);
407         } else {
408                 /*
409                  * Finally the successful packet.
410                  */
411                 torture_assert_int_equal(test_context->tctx,
412                                          decode_AS_REP(recv_buf->data, recv_buf->length,
413                                                        &test_context->as_rep, &used), 0,
414                                          "decode_AS_REP failed");
415                 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
416                                          "length mismatch");
417                 torture_assert_int_equal(test_context->tctx,
418                                          test_context->as_rep.pvno, 5,
419                                          "Got wrong as_rep->pvno");
420                 torture_assert_int_equal(test_context->tctx,
421                                          test_context->as_rep.ticket.tkt_vno, 5,
422                                          "Got wrong as_rep->ticket.tkt_vno");
423                 torture_assert(test_context->tctx,
424                                test_context->as_rep.ticket.enc_part.kvno,
425                                "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
426
427                 /*
428                  * We can confirm that the correct proxy behaviour is
429                  * in use on the KDC by checking the KVNO of the
430                  * krbtgt account returned in the reply.
431                  *
432                  * A packet passed to the full RW DC will not have a
433                  * KVNO in the upper bits, while a packet processed
434                  * locally on the RODC will have these bits filled in
435                  * the msDS-SecondaryKrbTgtNumber
436                  */
437                 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
438                         torture_assert_int_not_equal(test_context->tctx,
439                                                      *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
440                                                      0, "Did not get a RODC number in the KVNO");
441                 } else {
442                         torture_assert_int_equal(test_context->tctx,
443                                                  *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
444                                                  0, "Unexpecedly got a RODC number in the KVNO");
445                 }
446                 free_AS_REP(&test_context->as_rep);
447         }
448         torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
449         free_AS_REQ(&test_context->as_req);
450         return true;
451 }
452
453 /*
454  * TEST_TGS_REQ_KRBTGT_CANON
455  *
456  *
457  * Confirm that the outgoing TGS-REQ packet from krb5_get_creds()
458  * for the krbtgt/realm principal meets certain expectations, like
459  * that the canonicalize bit is not set
460  *
461  */
462
463 static bool torture_krb5_pre_send_tgs_req_krbtgt_canon_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
464 {
465         size_t used;
466         torture_assert_int_equal(test_context->tctx,
467                                  decode_TGS_REQ(send_buf->data, send_buf->length,
468                                                 &test_context->tgs_req, &used),
469                                  0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
470         torture_assert_int_equal(test_context->tctx,
471                                  used, send_buf->length,
472                                  "length mismatch");
473         torture_assert_int_equal(test_context->tctx,
474                                  test_context->tgs_req.pvno, 5,
475                                  "Got wrong as_req->pvno");
476         torture_assert_int_equal(test_context->tctx,
477                                  test_context->tgs_req.req_body.kdc_options.canonicalize,
478                                  true,
479                                  "krb5 libs unexpectedly did not set canonicalize!");
480
481         torture_assert_int_equal(test_context->tctx,
482                                  test_context->tgs_req.req_body.sname->name_type,
483                                  KRB5_NT_PRINCIPAL,
484                                  "Mismatch in name_type between request and expected request");
485
486         torture_assert_str_equal(test_context->tctx,
487                                  test_context->tgs_req.req_body.realm,
488                                  test_context->test_data->real_realm,
489                                  "Mismatch in realm between request and expected request");
490
491         *modified_send_buf = *send_buf;
492         return true;
493 }
494
495 /*
496  * TEST_TGS_REQ_KRBTGT_CANON
497  *
498  * Confirm that the reply TGS-REP packet for krb5_get_creds()
499  * where the client is behaving as if this is a cross-realm trust due
500  * to case or netbios vs dns name differences meets certain
501  * expectations, while canonicalize is set
502  *
503  */
504
505 static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
506 {
507         size_t used;
508         torture_assert_int_equal(test_context->tctx,
509                                  decode_TGS_REP(recv_buf->data, recv_buf->length,
510                                                 &test_context->tgs_rep, &used),
511                                  0,
512                                  "decode_TGS_REP failed");
513         torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
514         torture_assert_int_equal(test_context->tctx,
515                                  test_context->tgs_rep.pvno, 5,
516                                  "Got wrong as_rep->pvno");
517         torture_assert_int_equal(test_context->tctx,
518                                  test_context->tgs_rep.ticket.tkt_vno, 5,
519                                  "Got wrong as_rep->ticket.tkt_vno");
520         torture_assert(test_context->tctx,
521                        test_context->tgs_rep.ticket.enc_part.kvno,
522                        "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
523         torture_assert_str_equal(test_context->tctx,
524                                  test_context->tgs_req.req_body.realm,
525                                  test_context->tgs_rep.ticket.realm,
526                                  "Mismatch in realm between request and ticket response");
527         torture_assert_str_equal(test_context->tctx,
528                                  test_context->tgs_rep.ticket.realm,
529                                  test_context->test_data->real_realm,
530                                  "Mismatch in realm between ticket response and expected ticket response");
531         torture_assert_int_equal(test_context->tctx,
532                                  test_context->tgs_rep.ticket.sname.name_type,
533                                  KRB5_NT_SRV_INST,
534                                  "Mismatch in name_type between ticket response and expected value of KRB5_NT_SRV_INST");
535
536         torture_assert_int_equal(test_context->tctx,
537                                  test_context->tgs_rep.ticket.sname.name_string.len,
538                                  2,
539                                  "Mismatch in name_type between ticket response and expected value, expected krbtgt/REALM@REALM");
540
541         torture_assert_str_equal(test_context->tctx,
542                                  test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt",
543                                  "Mismatch in name between response and expected response, expected krbtgt");
544         torture_assert_str_equal(test_context->tctx,
545                                  test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->real_realm,
546                                  "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM");
547
548         /*
549          * We can confirm that the correct proxy behaviour is
550          * in use on the KDC by checking the KVNO of the
551          * krbtgt account returned in the reply.
552          *
553          * A packet passed to the full RW DC will not have a
554          * KVNO in the upper bits, while a packet processed
555          * locally on the RODC will have these bits filled in
556          * the msDS-SecondaryKrbTgtNumber
557          */
558         if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
559                 torture_assert_int_not_equal(test_context->tctx,
560                                              *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
561                                              0, "Did not get a RODC number in the KVNO");
562         } else {
563                 torture_assert_int_equal(test_context->tctx,
564                                          *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
565                                          0, "Unexpecedly got a RODC number in the KVNO");
566         }
567         free_TGS_REP(&test_context->tgs_rep);
568         torture_assert(test_context->tctx,
569                        test_context->packet_count < 2,
570                        "too many packets");
571         free_TGS_REQ(&test_context->tgs_req);
572         return true;
573 }
574
575 /*
576  * TEST_TGS_REQ_CANON
577  *
578  * Confirm that the outgoing TGS-REQ packet from krb5_get_creds
579  * certain expectations, like that the canonicalize bit is set (this
580  * test is to force that handling) and that if an enterprise name was
581  * requested, that it was sent.
582  *
583  */
584
585 static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context *test_context,
586                                                      const krb5_data *send_buf,
587                                                      krb5_data *modified_send_buf)
588 {
589         size_t used;
590         torture_assert_int_equal(test_context->tctx,
591                                  decode_TGS_REQ(send_buf->data, send_buf->length,
592                                                 &test_context->tgs_req, &used),
593                                  0, "decode_TGS_REQ for TEST_TGS_REQ_CANON test failed");
594         torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
595         torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
596         torture_assert_int_equal(test_context->tctx,
597                                  test_context->tgs_req.req_body.kdc_options.canonicalize,
598                                  true, "krb5 libs unexpectedly did not set canonicalize!");
599
600         if (test_context->test_data->enterprise) {
601                 torture_assert_int_equal(test_context->tctx,
602                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL,
603                                  "Mismatch in name type between request and expected request, expected  KRB5_NT_ENTERPRISE_PRINCIPAL");
604                 torture_assert_str_equal(test_context->tctx,
605                                          test_context->tgs_req.req_body.realm, test_context->test_data->real_realm,
606                                  "Mismatch in realm between request and expected request");
607
608         } else if (test_context->test_data->as_req_spn) {
609                 torture_assert_int_equal(test_context->tctx,
610                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_SRV_HST,
611                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_SRV_HST");
612                 torture_assert_str_equal(test_context->tctx,
613                                          test_context->tgs_req.req_body.realm, test_context->test_data->real_realm,
614                                  "Mismatch in realm between request and expected request");
615
616         } else if (test_context->test_data->canonicalize) {
617                 torture_assert_int_equal(test_context->tctx,
618                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
619                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_PRINCIPAL");
620                 torture_assert_str_equal(test_context->tctx,
621                                          test_context->tgs_req.req_body.realm, test_context->test_data->real_realm,
622                                  "Mismatch in realm between request and expected request");
623
624         } else {
625                 torture_assert_int_equal(test_context->tctx,
626                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
627                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_PRINCIPAL");
628                 torture_assert_str_equal(test_context->tctx,
629                                          test_context->tgs_req.req_body.realm, test_context->test_data->realm,
630                                  "Mismatch in realm between request and expected request");
631
632         }
633
634         *modified_send_buf = *send_buf;
635
636         return true;
637 }
638
639 /*
640  * TEST_TGS_REQ_CANON - RECV
641  *
642  * Confirm that the reply TGS-REP or error packet from the KDC meets
643  * certain expectations as part of TEST_TGS_REQ_CANON.
644  *
645  * This is triggered by krb5_get_creds()
646  *
647  */
648
649 static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
650 {
651         KRB_ERROR error;
652         size_t used;
653
654         /*
655          * If this account did not have a servicePrincipalName, then
656          * we expect a errro packet, not a TGS-REQ
657          */
658         if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
659                 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
660                 torture_assert_int_equal(test_context->tctx,
661                                          error.pvno, 5,
662                                          "Got wrong error.pvno");
663                 torture_assert_int_equal(test_context->tctx,
664                                          error.error_code,
665                                          KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
666                                          "Got wrong error.error_code");
667         } else {
668                 torture_assert_int_equal(test_context->tctx,
669                                          decode_TGS_REP(recv_buf->data, recv_buf->length,
670                                                         &test_context->tgs_rep,
671                                                         &used),
672                                          0,
673                                          "decode_TGS_REP failed");
674                 torture_assert_int_equal(test_context->tctx,
675                                          used, recv_buf->length,
676                                          "length mismatch");
677                 torture_assert_int_equal(test_context->tctx,
678                                          test_context->tgs_rep.pvno, 5,
679                                          "Got wrong as_rep->pvno");
680                 torture_assert_int_equal(test_context->tctx,
681                                          test_context->tgs_rep.ticket.tkt_vno, 5,
682                                          "Got wrong as_rep->ticket.tkt_vno");
683                 torture_assert(test_context->tctx,
684                                test_context->tgs_rep.ticket.enc_part.kvno,
685                                "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
686                 torture_assert_str_equal(test_context->tctx,
687                                          test_context->tgs_rep.ticket.realm,
688                                          test_context->test_data->real_realm,
689                                          "Mismatch in realm between ticket response and expected upper case REALM");
690                 torture_assert_int_equal(test_context->tctx,
691                                          test_context->tgs_rep.ticket.sname.name_type,
692                                          test_context->tgs_req.req_body.sname->name_type,
693                                          "Mismatch in name_type between request and ticket response");
694                 torture_assert_int_equal(test_context->tctx,
695                                          test_context->tgs_rep.ticket.sname.name_string.len,
696                                          test_context->tgs_req.req_body.sname->name_string.len,
697                                          "Mismatch in name_string.len between request and ticket response");
698                 torture_assert(test_context->tctx,
699                                test_context->tgs_rep.ticket.sname.name_string.len >= 1,
700                                "name_string.len should be >=1 in ticket response");
701                 torture_assert_str_equal(test_context->tctx,
702                                          test_context->tgs_rep.ticket.sname.name_string.val[0],
703                                          test_context->tgs_req.req_body.sname->name_string.val[0],
704                                          "Mismatch in name between request and expected request");
705                 torture_assert_int_equal(test_context->tctx,
706                                          *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
707                                          0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
708                 free_TGS_REP(&test_context->tgs_rep);
709         }
710         torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets");
711         free_TGS_REQ(&test_context->tgs_req);
712
713         return true;
714 }
715
716 /*
717  * TEST_SELF_TRUST_TGS_REQ
718  *
719  * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
720  * certain expectations, like that the canonicalize bit is set (this
721  * test is to force that handling).
722  *
723  * This test is for the case where the name we ask for, while a valid
724  * alternate name for our own realm is used.  The client acts as if
725  * this is cross-realm trust.
726  *
727  */
728
729 static bool torture_krb5_pre_send_self_trust_tgs_req_test(struct torture_krb5_context *test_context,
730                                                           const krb5_data *send_buf,
731                                                           krb5_data *modified_send_buf)
732 {
733         size_t used;
734         torture_assert_int_equal(test_context->tctx,
735                                  decode_TGS_REQ(send_buf->data, send_buf->length,
736                                                 &test_context->tgs_req, &used),
737                                  0, "decode_TGS_REQ for TEST_SELF_TRUST_TGS_REQ test failed");
738         torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
739         torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
740
741         if (test_context->test_data->enterprise
742             || (test_context->test_data->spn_is_upn && test_context->test_data->upn)) {
743                 torture_assert_int_equal(test_context->tctx,
744                                          test_context->tgs_req.req_body.kdc_options.canonicalize,
745                                          true,
746                                          "krb5 libs unexpectedly"
747                                          " did not set canonicalize!");
748         } else {
749                 torture_assert_int_equal(test_context->tctx,
750                                          test_context->tgs_req.req_body.kdc_options.canonicalize,
751                                          false,
752                                          "krb5 libs unexpectedly"
753                                          " set canonicalize!");
754         }
755         
756
757         if (test_context->test_data->canonicalize) {
758                 torture_assert_str_equal(test_context->tctx,
759                                          test_context->tgs_req.req_body.realm,
760                                          test_context->test_data->real_realm,
761                                          "Mismatch in realm between request and expected request");
762         } else {
763                 torture_assert_str_equal(test_context->tctx,
764                                          test_context->tgs_req.req_body.realm,
765                                          test_context->test_data->realm,
766                                          "Mismatch in realm between request and expected request");
767         }
768         torture_assert_int_equal(test_context->tctx,
769                                  test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
770                                  "Mismatch in name type between request and expected request, expected  KRB5_NT_PRINCIPAL");
771         torture_assert_int_equal(test_context->tctx,
772                                  test_context->tgs_req.req_body.sname->name_string.len, 2,
773                                  "Mismatch in name between request and expected request, expected krbtgt/realm");
774         torture_assert_str_equal(test_context->tctx,
775                                  test_context->tgs_req.req_body.sname->name_string.val[0], "krbtgt",
776                                  "Mismatch in name between request and expected request, expected krbtgt");
777         torture_assert_str_equal(test_context->tctx,
778                                  test_context->tgs_req.req_body.sname->name_string.val[1], test_context->test_data->realm,
779                                  "Mismatch in realm part of cross-realm request principal between request and expected request");
780         *modified_send_buf = *send_buf;
781
782         return true;
783 }
784
785 /*
786  * TEST_SELF_TRUST_TGS_REQ and TEST_TGS_REQ_KRBTGT - RECV
787  *
788  * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(),
789  * where the client is behaving as if this is a cross-realm trust due
790  * to case or netbios vs dns name differences meets certain
791  * expectations.
792  *
793  */
794
795 static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
796 {
797         size_t used;
798         torture_assert_int_equal(test_context->tctx,
799                                  decode_TGS_REP(recv_buf->data, recv_buf->length,
800                                                 &test_context->tgs_rep, &used),
801                                  0,
802                                  "decode_TGS_REP failed");
803         torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
804         torture_assert_int_equal(test_context->tctx,
805                                  test_context->tgs_rep.pvno, 5,
806                                  "Got wrong as_rep->pvno");
807         torture_assert_int_equal(test_context->tctx,
808                                  test_context->tgs_rep.ticket.tkt_vno, 5,
809                                  "Got wrong as_rep->ticket.tkt_vno");
810         torture_assert(test_context->tctx,
811                        test_context->tgs_rep.ticket.enc_part.kvno,
812                        "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
813         torture_assert_str_equal(test_context->tctx,
814                                  test_context->tgs_req.req_body.realm,
815                                  test_context->tgs_rep.ticket.realm,
816                                  "Mismatch in realm between request and ticket response");
817         torture_assert_int_equal(test_context->tctx,
818                                  test_context->tgs_rep.ticket.sname.name_type,
819                                  test_context->tgs_req.req_body.sname->name_type,
820                                  "Mismatch in name_type between request and ticket response");
821
822         torture_assert_int_equal(test_context->tctx,
823                                  test_context->tgs_rep.ticket.sname.name_string.len, 2,
824                                  "Mismatch in name between request and expected request, expected krbtgt/realm");
825         torture_assert_str_equal(test_context->tctx,
826                                  test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt",
827                                  "Mismatch in name between request and expected request, expected krbtgt");
828         torture_assert_str_equal(test_context->tctx,
829                                  test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->realm,
830                                  "Mismatch in realm part of cross-realm request principal between response and expected request");
831         /*
832          * We can confirm that the correct proxy behaviour is
833          * in use on the KDC by checking the KVNO of the
834          * krbtgt account returned in the reply.
835          *
836          * A packet passed to the full RW DC will not have a
837          * KVNO in the upper bits, while a packet processed
838          * locally on the RODC will have these bits filled in
839          * the msDS-SecondaryKrbTgtNumber
840          */
841         if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
842                 torture_assert_int_not_equal(test_context->tctx,
843                                              *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
844                                              0, "Did not get a RODC number in the KVNO");
845         } else {
846                 torture_assert_int_equal(test_context->tctx,
847                                          *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
848                                          0, "Unexpecedly got a RODC number in the KVNO");
849         }
850         free_TGS_REP(&test_context->tgs_rep);
851         torture_assert_int_equal(test_context->tctx,
852                                  test_context->packet_count, 0,
853                                  "too many packets");
854         test_context->packet_count = 0;
855         test_context->test_stage = TEST_TGS_REQ;
856         free_TGS_REQ(&test_context->tgs_req);
857         return true;
858 }
859
860 /*
861  * TEST_TGS_REQ
862  *
863  * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
864  * certain expectations, like that the canonicalize bit is set (this
865  * test is to force that handling) and that if an enterprise name was
866  * requested, that it was sent.
867  *
868  */
869
870 static bool torture_krb5_pre_send_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
871 {
872         size_t used;
873         torture_assert_int_equal(test_context->tctx,
874                                  decode_TGS_REQ(send_buf->data, send_buf->length,
875                                                 &test_context->tgs_req, &used),
876                                  0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
877         torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
878         torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5,
879                                  "Got wrong as_req->pvno");
880
881         if (test_context->test_data->enterprise
882             && test_context->test_data->s4u2self == false
883             && test_context->test_data->spn_is_upn) {
884                 torture_assert_int_equal(test_context->tctx,
885                                          test_context->tgs_req.req_body.kdc_options.canonicalize,
886                                          true,
887                                          "krb5 libs unexpectedly"
888                                          " did not set canonicalize!");
889         } else {
890                 torture_assert_int_equal(test_context->tctx,
891                                          test_context->tgs_req.req_body.kdc_options.canonicalize,
892                                          false,
893                                          "krb5 libs unexpectedly"
894                                          " set canonicalize!");
895         }
896         
897         if (test_context->test_data->enterprise) {
898                 torture_assert_int_equal(test_context->tctx,
899                                          test_context->tgs_req.req_body.sname->name_type,
900                                          KRB5_NT_ENTERPRISE_PRINCIPAL,
901                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_ENTERPRISE_PRINCIPAL");
902                 torture_assert_str_equal(test_context->tctx,
903                                          test_context->tgs_req.req_body.realm,
904                                          test_context->test_data->real_realm,
905                                          "Mismatch in realm between request and expected request");
906
907         } else if (test_context->test_data->spn_is_upn && test_context->test_data->upn && test_context->test_data->canonicalize) {
908                 torture_assert_int_equal(test_context->tctx,
909                                          test_context->tgs_req.req_body.sname->name_type,
910                                          KRB5_NT_PRINCIPAL,
911                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_PRINCIPAL");
912                 torture_assert_str_equal(test_context->tctx,
913                                          test_context->tgs_req.req_body.realm,
914                                          test_context->test_data->real_realm,
915                                          "Mismatch in realm between request and expected request");
916
917         } else if (test_context->test_data->spn_is_upn
918                    && test_context->test_data->as_req_spn
919                    && test_context->test_data->canonicalize == false) {
920                 torture_assert_int_equal(test_context->tctx,
921                                          test_context->tgs_req.req_body.sname->name_type,
922                                          KRB5_NT_SRV_HST,
923                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_SRV_HST");
924                 torture_assert_str_equal(test_context->tctx,
925                                          test_context->tgs_req.req_body.realm,
926                                          test_context->test_data->realm,
927                                          "Mismatch in realm between request and expected request");
928
929         } else {
930                 torture_assert_int_equal(test_context->tctx,
931                                          test_context->tgs_req.req_body.sname->name_type,
932                                          KRB5_NT_PRINCIPAL,
933                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_PRINCIPAL");
934                 torture_assert_str_equal(test_context->tctx,
935                                          test_context->tgs_req.req_body.realm,
936                                          test_context->test_data->realm,
937                                          "Mismatch in realm between request and expected request");
938
939         }
940
941         *modified_send_buf = *send_buf;
942
943         return true;
944 }
945
946 /*
947  * TEST_TGS_REQ - RECV
948  *
949  * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(), for
950  * the actual target service.
951  *
952  */
953
954 static bool torture_krb5_post_recv_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
955 {
956         KRB_ERROR error;
957         size_t used;
958         /*
959          * If this account did not have a servicePrincipalName, then
960          * we expect a errro packet, not a TGS-REQ
961          */
962         if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
963                 torture_assert_int_equal(test_context->tctx,
964                                          used, recv_buf->length,
965                                          "length mismatch");
966                 torture_assert_int_equal(test_context->tctx,
967                                          error.pvno, 5,
968                                          "Got wrong error.pvno");
969                 torture_assert_int_equal(test_context->tctx,
970                                          error.error_code,
971                                          KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
972                                          "Got wrong error.error_code");
973         } else {
974                 torture_assert_int_equal(test_context->tctx,
975                                          decode_TGS_REP(recv_buf->data, recv_buf->length,
976                                                         &test_context->tgs_rep, &used),
977                                          0,
978                                          "decode_TGS_REP failed");
979                 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
980                                          "length mismatch");
981                 torture_assert_int_equal(test_context->tctx,
982                                          test_context->tgs_rep.pvno, 5,
983                                          "Got wrong as_rep->pvno");
984                 torture_assert_int_equal(test_context->tctx,
985                                          test_context->tgs_rep.ticket.tkt_vno, 5,
986                                          "Got wrong as_rep->ticket.tkt_vno");
987                 torture_assert(test_context->tctx,
988                                test_context->tgs_rep.ticket.enc_part.kvno,
989                                "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
990                 torture_assert_str_equal(test_context->tctx,
991                                          test_context->tgs_rep.ticket.realm,
992                                          test_context->test_data->real_realm,
993                                          "Mismatch in realm between ticket response and expected upper case REALM");
994                 torture_assert_int_equal(test_context->tctx,
995                                          test_context->tgs_req.req_body.sname->name_type,
996                                          test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response");
997                 torture_assert_int_equal(test_context->tctx,
998                                          *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
999                                          0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
1000                 free_TGS_REP(&test_context->tgs_rep);
1001         }
1002         torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
1003         free_TGS_REQ(&test_context->tgs_req);
1004         test_context->test_stage = TEST_DONE;
1005         return true;
1006 }
1007
1008 /*
1009  * TEST_TGS_REQ_KRBTGT
1010  *
1011  *
1012  * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
1013  * for the krbtgt/realm principal meets certain expectations, like
1014  * that the canonicalize bit is not set
1015  *
1016  */
1017
1018 static bool torture_krb5_pre_send_tgs_req_krbtgt_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
1019 {
1020         size_t used;
1021         torture_assert_int_equal(test_context->tctx,
1022                                  decode_TGS_REQ(send_buf->data, send_buf->length,
1023                                                 &test_context->tgs_req, &used),
1024                                  0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
1025         torture_assert_int_equal(test_context->tctx,
1026                                  used, send_buf->length,
1027                                  "length mismatch");
1028         torture_assert_int_equal(test_context->tctx,
1029                                  test_context->tgs_req.pvno, 5,
1030                                  "Got wrong as_req->pvno");
1031         torture_assert_int_equal(test_context->tctx,
1032                                  test_context->tgs_req.req_body.kdc_options.canonicalize,
1033                                  false,
1034                                  "krb5 libs unexpectedly set canonicalize!");
1035
1036         torture_assert_str_equal(test_context->tctx,
1037                                  test_context->tgs_req.req_body.realm,
1038                                  test_context->test_data->realm,
1039                                  "Mismatch in realm between request and expected request");
1040
1041         *modified_send_buf = *send_buf;
1042         test_context->test_stage = TEST_DONE;
1043         return true;
1044 }
1045
1046 /*
1047  * TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST and TEST_TGS_REQ_HOST_SRV_HST
1048  *
1049  *
1050  * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
1051  * for the krbtgt/realm principal meets certain expectations, like
1052  * that the canonicalize bit is not set
1053  *
1054  */
1055
1056 static bool torture_krb5_pre_send_tgs_req_host_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
1057 {
1058         size_t used;
1059         torture_assert_int_equal(test_context->tctx,
1060                                  decode_TGS_REQ(send_buf->data, send_buf->length,
1061                                                 &test_context->tgs_req, &used),
1062                                  0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
1063         torture_assert_int_equal(test_context->tctx,
1064                                  used, send_buf->length,
1065                                  "length mismatch");
1066         torture_assert_int_equal(test_context->tctx,
1067                                  test_context->tgs_req.pvno, 5,
1068                                  "Got wrong as_req->pvno");
1069         torture_assert_int_equal(test_context->tctx,
1070                                  test_context->tgs_req.req_body.sname->name_string.len, 2,
1071                                  "Mismatch in name between request and expected request, expected krbtgt/realm");
1072                 torture_assert_int_equal(test_context->tctx,
1073                                          test_context->tgs_req.req_body.kdc_options.canonicalize,
1074                                          true,
1075                                          "krb5 libs unexpectedly did not set canonicalize!");
1076
1077         if (test_context->test_stage == TEST_TGS_REQ_HOST_SRV_INST) {
1078                 torture_assert_int_equal(test_context->tctx,
1079                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_SRV_INST,
1080                                          "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_INST");
1081                 torture_assert_str_equal(test_context->tctx,
1082                                          test_context->tgs_req.req_body.sname->name_string.val[0],
1083                                          strupper_talloc(test_context, test_context->test_data->krb5_service),
1084                                          "Mismatch in name between request and expected request, expected service");
1085                 torture_assert_str_equal(test_context->tctx,
1086                                          test_context->tgs_req.req_body.sname->name_string.val[1],
1087                                          test_context->test_data->krb5_hostname,
1088                                          "Mismatch in hostname part between request and expected request");
1089
1090         } else if (test_context->test_stage == TEST_TGS_REQ_HOST_SRV_HST) {
1091
1092                 torture_assert_int_equal(test_context->tctx,
1093                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_SRV_HST,
1094                                          "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_HST");
1095                 torture_assert_str_equal(test_context->tctx,
1096                                          test_context->tgs_req.req_body.sname->name_string.val[0],
1097                                          test_context->test_data->krb5_service,
1098                                          "Mismatch in name between request and expected request, expected service");
1099                 torture_assert_str_equal(test_context->tctx,
1100                                          test_context->tgs_req.req_body.sname->name_string.val[1],
1101                                          strupper_talloc(test_context, test_context->test_data->krb5_hostname),
1102                                          "Mismatch in hostname part between request and expected request");
1103
1104         } else {
1105                 torture_assert_int_equal(test_context->tctx,
1106                                          test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
1107                                          "Mismatch in name type between request and expected request, expected  KRB5_NT_PRINCIPAL");
1108                 torture_assert_str_equal(test_context->tctx,
1109                                          test_context->tgs_req.req_body.sname->name_string.val[0],
1110                                          test_context->test_data->krb5_service,
1111                                          "Mismatch in name between request and expected request, expected service");
1112                 torture_assert_str_equal(test_context->tctx,
1113                                          test_context->tgs_req.req_body.sname->name_string.val[1],
1114                                          test_context->test_data->krb5_hostname,
1115                                          "Mismatch in hostname part between request and expected request");
1116
1117         }
1118         torture_assert_str_equal(test_context->tctx,
1119                                  test_context->tgs_req.req_body.realm,
1120                                  test_context->test_data->real_realm,
1121                                  "Mismatch in realm between request and expected request");
1122
1123         *modified_send_buf = *send_buf;
1124         return true;
1125 }
1126
1127 /*
1128  * TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST - RECV
1129  *
1130  * Confirm that the reply TGS-REP packet for krb5_mk_req(), for
1131  * the actual target service, as a SPN, not a any other name type.
1132  *
1133  */
1134
1135 static bool torture_krb5_post_recv_tgs_req_host_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
1136 {
1137         size_t used;
1138         torture_assert_int_equal(test_context->tctx,
1139                                  decode_TGS_REP(recv_buf->data, recv_buf->length,
1140                                                 &test_context->tgs_rep, &used),
1141                                  0,
1142                                  "decode_TGS_REP failed");
1143         torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
1144                                  "length mismatch");
1145         torture_assert_int_equal(test_context->tctx,
1146                                  test_context->tgs_rep.pvno, 5,
1147                                  "Got wrong as_rep->pvno");
1148         torture_assert_int_equal(test_context->tctx,
1149                                  test_context->tgs_rep.ticket.tkt_vno, 5,
1150                                  "Got wrong as_rep->ticket.tkt_vno");
1151         torture_assert(test_context->tctx,
1152                        test_context->tgs_rep.ticket.enc_part.kvno,
1153                        "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
1154         torture_assert_str_equal(test_context->tctx,
1155                                  test_context->tgs_rep.ticket.realm,
1156                                  test_context->test_data->real_realm,
1157                                  "Mismatch in realm between ticket response and expected upper case REALM");
1158         torture_assert_int_equal(test_context->tctx,
1159                                  test_context->tgs_req.req_body.sname->name_type,
1160                                  test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response");
1161         torture_assert_int_equal(test_context->tctx,
1162                                  test_context->tgs_rep.ticket.sname.name_string.len, 2,
1163                                  "Mismatch in name between request and expected request, expected service/hostname");
1164         torture_assert_str_equal(test_context->tctx,
1165                                  test_context->tgs_rep.ticket.sname.name_string.val[0],
1166                                  test_context->tgs_req.req_body.sname->name_string.val[0],
1167                                  "Mismatch in name between request and expected request, expected service/hostname");
1168         torture_assert_str_equal(test_context->tctx,
1169                                  test_context->tgs_rep.ticket.sname.name_string.val[1],
1170                                  test_context->tgs_req.req_body.sname->name_string.val[1],
1171                                  "Mismatch in name between request and expected request, expected service/hostname");
1172
1173         torture_assert_int_equal(test_context->tctx,
1174                                  *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
1175                                  0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
1176         free_TGS_REP(&test_context->tgs_rep);
1177
1178         torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
1179         return true;
1180 }
1181
1182 /*
1183  * TEST_AS_REQ_SELF - RECV
1184  *
1185  * Confirm that the reply packet from the KDC meets certain
1186  * expectations as part of TEST_AS_REQ.  This uses a packet count to
1187  * work out what packet we are up to in the multiple exchanged
1188  * triggerd by krb5_get_init_creds_password().
1189  *
1190  */
1191
1192 static bool torture_krb5_post_recv_as_req_self_test(struct torture_krb5_context *test_context,
1193                                                     const krb5_data *recv_buf)
1194 {
1195         KRB_ERROR error;
1196         size_t used;
1197         if (test_context->packet_count == 0) {
1198                 krb5_error_code k5ret;
1199                 /*
1200                  * The client libs obtain the salt by attempting to
1201                  * authenticate without pre-authentication and getting
1202                  * the correct salt with the
1203                  * KRB5KDC_ERR_PREAUTH_REQUIRED error.  If we are in
1204                  * the test (netbios_realm && upn) that deliberatly
1205                  * has an incorrect principal, we check we get the
1206                  * correct error.
1207                  */
1208                 k5ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length,
1209                                          &error, &used);
1210                 if (k5ret != 0) {
1211                         AS_REP as_rep;
1212                         k5ret = decode_AS_REP(recv_buf->data, recv_buf->length,
1213                                       &as_rep, &used);
1214                         if (k5ret == 0) {
1215                                 if (torture_setting_bool(test_context->tctx, "expect_machine_account", false) == false
1216                                     || (test_context->test_data->upn == true)) {
1217                                         torture_assert(test_context->tctx, false,
1218                                                        "expected to get a KRB_ERROR packet with "
1219                                                        "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
1220                                 } else {
1221                                         torture_assert(test_context->tctx, false,
1222                                                        "expected to get a KRB_ERROR packet with "
1223                                                        "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
1224                                 }
1225                         } else {
1226                                 if (torture_setting_bool(test_context->tctx, "expect_machine_account", false) == false
1227                                     || (test_context->test_data->upn == true)) {
1228                                         torture_assert(test_context->tctx, false,
1229                                                        "unable to decode as KRB-ERROR or AS-REP, "
1230                                                        "expected to get a KRB_ERROR packet with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED");
1231                                 } else {
1232                                         torture_assert(test_context->tctx, false,
1233                                                        "unable to decode as KRB-ERROR or AS-REP, "
1234                                                        "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
1235                                 }
1236                         }
1237                 }
1238                 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
1239                                          "length mismatch");
1240                 torture_assert_int_equal(test_context->tctx, error.pvno, 5,
1241                                          "Got wrong error.pvno");
1242                 if ((torture_setting_bool(test_context->tctx, "expect_machine_account", false) == false
1243                      || (test_context->test_data->upn == true))
1244                     && error.error_code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE) {
1245                         /*
1246                          * IGNORE
1247                          *
1248                          * This case is because Samba's Heimdal KDC
1249                          * checks server and client accounts before
1250                          * checking for pre-authentication.
1251                          */
1252                 } else {
1253                         torture_assert_int_equal(test_context->tctx,
1254                                                  error.error_code,
1255                                                  KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
1256                                                  "Got wrong error.error_code");
1257                 }
1258
1259                 free_KRB_ERROR(&error);
1260         } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
1261                    && (test_context->packet_count == 1)) {
1262                 /*
1263                  * The Windows 2012R2 KDC will always respond with
1264                  * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
1265                  * won't fit, because of the PAC.  (It appears to do
1266                  * this always, even if it will).  This triggers the
1267                  * client to try again over TCP.
1268                  */
1269                 torture_assert_int_equal(test_context->tctx,
1270                                          used, recv_buf->length,
1271                                          "length mismatch");
1272                 torture_assert_int_equal(test_context->tctx,
1273                                          error.pvno, 5,
1274                                          "Got wrong error.pvno");
1275                 if ((torture_setting_bool(test_context->tctx, "expect_machine_account", false)
1276                      && ((test_context->test_data->upn == false)
1277                          || (test_context->test_data->as_req_spn &&
1278                              test_context->test_data->spn_is_upn)
1279                          || (test_context->test_data->enterprise == false &&
1280                              test_context->test_data->upn &&
1281                             test_context->test_data->spn_is_upn)))) {
1282                         torture_assert_int_equal(test_context->tctx,
1283                                                  error.error_code,
1284                                                  KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
1285                                                  "Got wrong error.error_code");
1286                 } else {
1287                         torture_assert_int_equal(test_context->tctx,
1288                                                  error.error_code,
1289                                                  KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
1290                                                  "Got wrong error.error_code");
1291                 }
1292                 free_KRB_ERROR(&error);
1293         } else {
1294                 /*
1295                  * Finally the successful packet.
1296                  */
1297                 torture_assert_int_equal(test_context->tctx,
1298                                          decode_AS_REP(recv_buf->data, recv_buf->length,
1299                                                        &test_context->as_rep, &used), 0,
1300                                          "decode_AS_REP failed");
1301                 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
1302                                          "length mismatch");
1303                 torture_assert_int_equal(test_context->tctx,
1304                                          test_context->as_rep.pvno, 5,
1305                                          "Got wrong as_rep->pvno");
1306                 torture_assert_int_equal(test_context->tctx,
1307                                          test_context->as_rep.ticket.tkt_vno, 5,
1308                                          "Got wrong as_rep->ticket.tkt_vno");
1309                 torture_assert(test_context->tctx,
1310                                test_context->as_rep.ticket.enc_part.kvno,
1311                                "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
1312
1313                 /*
1314                  * We do not expect an RODC number here in the KVNO,
1315                  * as this is a ticket to the user's own account.
1316                  */
1317                 torture_assert_int_equal(test_context->tctx,
1318                                          *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
1319                                          0, "Unexpecedly got a RODC number in the KVNO");
1320                 free_AS_REP(&test_context->as_rep);
1321         }
1322         torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
1323         free_AS_REQ(&test_context->as_req);
1324         return true;
1325 }
1326
1327 /*
1328  * This function is set in torture_krb5_init_context_canon as krb5
1329  * send_and_recv function.  This allows us to override what server the
1330  * test is aimed at, and to inspect the packets just before they are
1331  * sent to the network, and before they are processed on the recv
1332  * side.
1333  *
1334  * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
1335  * functions are implement the actual tests.
1336  *
1337  * When this asserts, the caller will get a spurious 'cannot contact
1338  * any KDC' message.
1339  *
1340  */
1341 static krb5_error_code smb_krb5_send_and_recv_func_canon_override(krb5_context context,
1342                                                                    void *data, /* struct torture_krb5_context */
1343                                                                    krb5_krbhst_info *hi,
1344                                                                    time_t timeout,
1345                                                                    const krb5_data *send_buf,
1346                                                                    krb5_data *recv_buf)
1347 {
1348         krb5_error_code k5ret;
1349         bool ok = false;
1350         krb5_data modified_send_buf;
1351
1352         struct torture_krb5_context *test_context
1353                 = talloc_get_type_abort(data, struct torture_krb5_context);
1354
1355         switch (test_context->test_stage) {
1356         case TEST_DONE:
1357                 torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs");
1358                 return EINVAL;
1359         case TEST_AS_REQ:
1360                 ok = torture_krb5_pre_send_as_req_test(test_context, send_buf,
1361                                                               &modified_send_buf);
1362                 break;
1363         case TEST_TGS_REQ_KRBTGT_CANON:
1364                 ok = torture_krb5_pre_send_tgs_req_krbtgt_canon_test(test_context, send_buf,
1365                                                                      &modified_send_buf);
1366                 break;
1367         case TEST_TGS_REQ_CANON:
1368                 ok = torture_krb5_pre_send_tgs_req_canon_test(test_context, send_buf,
1369                                                               &modified_send_buf);
1370                 break;
1371         case TEST_SELF_TRUST_TGS_REQ:
1372                 ok = torture_krb5_pre_send_self_trust_tgs_req_test(test_context, send_buf,
1373                                                                    &modified_send_buf);
1374                 break;
1375         case TEST_TGS_REQ:
1376                 ok = torture_krb5_pre_send_tgs_req_test(test_context, send_buf,
1377                                                         &modified_send_buf);
1378                 break;
1379         case TEST_TGS_REQ_KRBTGT:
1380                 ok = torture_krb5_pre_send_tgs_req_krbtgt_test(test_context, send_buf,
1381                                                                &modified_send_buf);
1382                 break;
1383         case TEST_TGS_REQ_HOST:
1384         case TEST_TGS_REQ_HOST_SRV_INST:
1385         case TEST_TGS_REQ_HOST_SRV_HST:
1386                 ok = torture_krb5_pre_send_tgs_req_host_test(test_context, send_buf,
1387                                                              &modified_send_buf);
1388                 break;
1389         case TEST_AS_REQ_SELF:
1390                 ok = torture_krb5_pre_send_as_req_test(test_context, send_buf,
1391                                                        &modified_send_buf);
1392                 break;
1393         }
1394         if (ok == false) {
1395                 return EINVAL;
1396         }
1397
1398         k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
1399                                                    hi, timeout, &modified_send_buf,
1400                                                    recv_buf);
1401         if (k5ret != 0) {
1402                 return k5ret;
1403         }
1404
1405         switch (test_context->test_stage) {
1406         case TEST_DONE:
1407                 torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs");
1408                 return EINVAL;
1409         case TEST_AS_REQ:
1410                 ok = torture_krb5_post_recv_as_req_test(test_context, recv_buf);
1411                 break;
1412         case TEST_TGS_REQ_KRBTGT_CANON:
1413                 ok = torture_krb5_post_recv_tgs_req_krbtgt_canon_test(test_context, recv_buf);
1414                 break;
1415         case TEST_TGS_REQ_CANON:
1416                 ok = torture_krb5_post_recv_tgs_req_canon_test(test_context, recv_buf);
1417                 break;
1418         case TEST_SELF_TRUST_TGS_REQ:
1419                 ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf);
1420                 break;
1421         case TEST_TGS_REQ:
1422                 ok = torture_krb5_post_recv_tgs_req_test(test_context, recv_buf);
1423                 break;
1424         case TEST_TGS_REQ_KRBTGT:
1425                 ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf);
1426                 break;
1427         case TEST_TGS_REQ_HOST:
1428         case TEST_TGS_REQ_HOST_SRV_INST:
1429         case TEST_TGS_REQ_HOST_SRV_HST:
1430                 ok = torture_krb5_post_recv_tgs_req_host_test(test_context, recv_buf);
1431                 break;
1432         case TEST_AS_REQ_SELF:
1433                 ok = torture_krb5_post_recv_as_req_self_test(test_context, recv_buf);
1434                 break;
1435         }
1436         if (ok == false) {
1437                 KRB_ERROR error;
1438                 size_t used;
1439                 torture_warning(test_context->tctx, "Packet of length %llu failed post-recv checks in test stage %d", (unsigned long long)recv_buf->length, test_context->test_stage);
1440                 if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
1441                         torture_warning(test_context->tctx,
1442                                         "STAGE: %d Unexpectedly got a KRB-ERROR packet "
1443                                         "with error code %d (%s)",
1444                                         test_context->test_stage,
1445                                         error.error_code,
1446                                         error_message(error.error_code + KRB5KDC_ERR_NONE));
1447                         free_KRB_ERROR(&error);
1448                 }
1449                 return EINVAL;
1450         }
1451
1452         test_context->packet_count++;
1453
1454         return k5ret;
1455 }
1456
1457 static int test_context_destructor(struct torture_krb5_context *test_context)
1458 {
1459         freeaddrinfo(test_context->server);
1460         return 0;
1461 }
1462
1463
1464 static bool torture_krb5_init_context_canon(struct torture_context *tctx,
1465                                              struct test_data *test_data,
1466                                              struct torture_krb5_context **torture_krb5_context)
1467 {
1468         const char *host = torture_setting_string(tctx, "host", NULL);
1469         krb5_error_code k5ret;
1470         bool ok;
1471
1472         struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
1473         torture_assert(tctx, test_context != NULL, "Failed to allocate");
1474
1475         test_context->test_data = test_data;
1476         test_context->tctx = tctx;
1477
1478         k5ret = smb_krb5_init_context(test_context, tctx->lp_ctx, &test_context->smb_krb5_context);
1479         torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
1480
1481         ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
1482         torture_assert(tctx, ok, "Failed to parse target server");
1483
1484         talloc_set_destructor(test_context, test_context_destructor);
1485
1486         set_sockaddr_port(test_context->server->ai_addr, 88);
1487
1488         k5ret = krb5_set_send_to_kdc_func(test_context->smb_krb5_context->krb5_context,
1489                                           smb_krb5_send_and_recv_func_canon_override,
1490                                           test_context);
1491         torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
1492         *torture_krb5_context = test_context;
1493         return true;
1494 }
1495
1496
1497 static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *tcase_data)
1498 {
1499         krb5_error_code k5ret;
1500         krb5_get_init_creds_opt *krb_options = NULL;
1501         struct test_data *test_data = talloc_get_type_abort(tcase_data, struct test_data);
1502         krb5_principal principal;
1503         krb5_principal krbtgt_other;
1504         krb5_principal expected_principal;
1505         const char *principal_string = NULL;
1506         char *krbtgt_other_string;
1507         int principal_flags;
1508         const char *expected_principal_string = NULL;
1509         char *expected_unparse_principal_string;
1510         int expected_principal_flags;
1511         char *got_principal_string;
1512         char *assertion_message;
1513         const char *password = cli_credentials_get_password(
1514                         popt_get_cmdline_credentials());
1515         krb5_context k5_context;
1516         struct torture_krb5_context *test_context;
1517         bool ok;
1518         krb5_creds my_creds;
1519         krb5_creds *server_creds;
1520         krb5_ccache ccache;
1521         krb5_auth_context auth_context;
1522         char *cc_name;
1523         krb5_data in_data, enc_ticket;
1524         krb5_get_creds_opt opt;
1525
1526         const char *spn = NULL;
1527         const char *spn_real_realm = NULL;
1528         const char *upn = torture_setting_string(tctx, "krb5-upn", "");
1529         test_data->krb5_service = torture_setting_string(tctx, "krb5-service", "host");
1530         test_data->krb5_hostname = torture_setting_string(tctx, "krb5-hostname", "");
1531
1532         /*
1533          * If we have not passed a UPN on the command line,
1534          * then skip the UPN tests.
1535          */
1536         if (test_data->upn && upn[0] == '\0') {
1537                 torture_skip(tctx, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run");
1538         }
1539
1540         /*
1541          * If we have not passed a SPN on the command line,
1542          * then skip the SPN tests.
1543          */
1544         if (test_data->as_req_spn && test_data->krb5_hostname[0] == '\0') {
1545                 torture_skip(tctx, "This test needs a hostname specified as --option=torture:krb5-hostname=hostname.example.com and optionally --option=torture:krb5-service=service (defaults to host) to run");
1546         }
1547
1548         if (test_data->removedollar &&
1549             !torture_setting_bool(tctx, "run_removedollar_test", false))
1550         {
1551                 torture_skip(tctx, "--option=torture:run_removedollar_test=true not specified");
1552         }
1553
1554         if (test_data->netbios_realm) {
1555                 test_data->realm = test_data->real_domain;
1556         } else {
1557                 test_data->realm = test_data->real_realm;
1558         }
1559
1560         if (test_data->upn) {
1561                 char *p;
1562                 test_data->username = talloc_strdup(test_data, upn);
1563                 p = strchr(test_data->username, '@');
1564                 if (p) {
1565                         *p = '\0';
1566                         p++;
1567                 }
1568                 /*
1569                  * Test the UPN behaviour carefully.  We can
1570                  * test in two different modes, depending on
1571                  * what UPN has been set up for us.
1572                  *
1573                  * If the UPN is in our realm, then we do all the tests with this name also.
1574                  *
1575                  * If the UPN is not in our realm, then we
1576                  * expect the tests that replace the realm to
1577                  * fail (as it won't match)
1578                  */
1579                 if (strcasecmp(p, test_data->real_realm) != 0) {
1580                         test_data->other_upn_suffix = true;
1581                 } else {
1582                         test_data->other_upn_suffix = false;
1583                 }
1584
1585                 /*
1586                  * This lets us test the combination of the UPN prefix
1587                  * with a valid domain, without adding even more
1588                  * combinations
1589                  */
1590                 if (test_data->netbios_realm == false) {
1591                         test_data->realm = p;
1592                 }
1593         }
1594
1595         ok = torture_krb5_init_context_canon(tctx, test_data, &test_context);
1596         torture_assert(tctx, ok, "torture_krb5_init_context failed");
1597         k5_context = test_context->smb_krb5_context->krb5_context;
1598
1599         if (test_data->upper_realm) {
1600                 test_data->realm = strupper_talloc(test_data, test_data->realm);
1601         } else {
1602                 test_data->realm = strlower_talloc(test_data, test_data->realm);
1603         }
1604         if (test_data->upper_username) {
1605                 test_data->username = strupper_talloc(test_data, test_data->username);
1606         } else {
1607                 test_data->username = talloc_strdup(test_data, test_data->username);
1608         }
1609
1610         if (test_data->removedollar) {
1611                 char *p;
1612
1613                 p = strchr_m(test_data->username, '$');
1614                 torture_assert(tctx, p != NULL, talloc_asprintf(tctx,
1615                                "username[%s] contains no '$'\n",
1616                                test_data->username));
1617                 *p = '\0';
1618         }
1619
1620         spn = talloc_asprintf(test_data, "%s/%s@%s",
1621                               test_data->krb5_service,
1622                               test_data->krb5_hostname,
1623                               test_data->realm);
1624
1625         spn_real_realm = talloc_asprintf(test_data, "%s/%s@%s",
1626                                          test_data->krb5_service,
1627                                          test_data->krb5_hostname,
1628                                          test_data->real_realm);
1629
1630         if (test_data->as_req_spn) {
1631                 if (test_data->enterprise) {
1632                         torture_skip(tctx,
1633                                      "This test combination "
1634                                      "is skipped intentionally");
1635                 }
1636                 principal_string = spn;
1637         } else {
1638                 principal_string = talloc_asprintf(test_data,
1639                                                    "%s@%s",
1640                                                    test_data->username,
1641                                                    test_data->realm);
1642                 
1643         }
1644
1645         test_data->spn_is_upn
1646                 = (strcasecmp(upn, spn) == 0);
1647                                 
1648         /*
1649          * If we are set to canonicalize, we get back the fixed UPPER
1650          * case realm, and the real username (ie matching LDAP
1651          * samAccountName)
1652          *
1653          * Otherwise, if we are set to enterprise, we
1654          * get back the whole principal as-sent
1655          *
1656          * Finally, if we are not set to canonicalize, we get back the
1657          * fixed UPPER case realm, but the as-sent username
1658          */
1659         if (test_data->as_req_spn && !test_data->spn_is_upn) {
1660                 expected_principal_string = spn;
1661         } else if (test_data->canonicalize) {
1662                 expected_principal_string = talloc_asprintf(test_data,
1663                                                             "%s@%s",
1664                                                             test_data->real_username,
1665                                                             test_data->real_realm);
1666         } else if (test_data->enterprise) {
1667                 expected_principal_string = principal_string;
1668         } else if (test_data->as_req_spn && test_data->spn_is_upn) {
1669                 expected_principal_string = spn_real_realm;
1670         } else {
1671                 expected_principal_string = talloc_asprintf(test_data,
1672                                                             "%s@%s",
1673                                                             test_data->username,
1674                                                             test_data->real_realm);
1675         }
1676
1677         if (test_data->enterprise) {
1678                 principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1679         } else {
1680                 if (test_data->upn && test_data->other_upn_suffix) {
1681                         torture_skip(tctx, "UPN test for UPN with other UPN suffix only runs with enterprise principals");
1682                 }
1683                 principal_flags = 0;
1684         }
1685
1686         if (test_data->canonicalize) {
1687                 expected_principal_flags = 0;
1688         } else {
1689                 expected_principal_flags = principal_flags;
1690         }
1691
1692         torture_assert_int_equal(tctx,
1693                                  krb5_parse_name_flags(k5_context,
1694                                                        principal_string,
1695                                                        principal_flags,
1696                                                        &principal),
1697                                          0, "krb5_parse_name_flags failed");
1698         torture_assert_int_equal(tctx,
1699                                  krb5_parse_name_flags(k5_context,
1700                                                        expected_principal_string,
1701                                                        expected_principal_flags,
1702                                                        &expected_principal),
1703                                  0, "krb5_parse_name_flags failed");
1704         
1705         if (test_data->as_req_spn) {
1706                 if (test_data->upn) {
1707                         krb5_principal_set_type(k5_context,
1708                                                 principal,
1709                                                 KRB5_NT_PRINCIPAL);
1710                         krb5_principal_set_type(k5_context,
1711                                                 expected_principal,
1712                                                 KRB5_NT_PRINCIPAL);
1713                 } else {
1714                         krb5_principal_set_type(k5_context,
1715                                                 principal,
1716                                                 KRB5_NT_SRV_HST);
1717                         krb5_principal_set_type(k5_context,
1718                                                 expected_principal,
1719                                                 KRB5_NT_SRV_HST);
1720                 }
1721         }
1722         
1723         torture_assert_int_equal(tctx,
1724                                  krb5_unparse_name(k5_context,
1725                                                    expected_principal,
1726                                                    &expected_unparse_principal_string),
1727                                  0, "krb5_unparse_name failed");
1728         /*
1729          * Prepare a AS-REQ and run the TEST_AS_REQ tests
1730          *
1731          */
1732
1733         test_context->test_stage = TEST_AS_REQ;
1734         test_context->packet_count = 0;
1735
1736         /*
1737          * Set the canonicalize flag if this test requires it
1738          */
1739         torture_assert_int_equal(tctx,
1740                                  krb5_get_init_creds_opt_alloc(k5_context, &krb_options),
1741                                  0, "krb5_get_init_creds_opt_alloc failed");
1742
1743         torture_assert_int_equal(tctx,
1744                                  krb5_get_init_creds_opt_set_canonicalize(k5_context,
1745                                                                           krb_options,
1746                                                                           test_data->canonicalize),
1747                                  0, "krb5_get_init_creds_opt_set_canonicalize failed");
1748
1749         torture_assert_int_equal(tctx,
1750                                  krb5_get_init_creds_opt_set_win2k(k5_context,
1751                                                                    krb_options,
1752                                                                    test_data->win2k),
1753                                  0, "krb5_get_init_creds_opt_set_win2k failed");
1754
1755         k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal,
1756                                              password, NULL, NULL, 0,
1757                                              NULL, krb_options);
1758
1759         if (test_data->netbios_realm && test_data->upn) {
1760                 torture_assert_int_equal(tctx, k5ret,
1761                                          KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
1762                                          "Got wrong error_code from krb5_get_init_creds_password");
1763                 /* We can't proceed with more checks */
1764                 return true;
1765         } else if (test_context->test_data->as_req_spn
1766                    && !test_context->test_data->spn_is_upn) {
1767                 torture_assert_int_equal(tctx, k5ret,
1768                                          KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
1769                                          "Got wrong error_code from "
1770                                          "krb5_get_init_creds_password");
1771                 /* We can't proceed with more checks */
1772                 return true;
1773         } else {
1774                 assertion_message = talloc_asprintf(tctx,
1775                                                     "krb5_get_init_creds_password for %s failed: %s",
1776                                                     principal_string,
1777                                                     smb_get_krb5_error_message(k5_context, k5ret, tctx));
1778                 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1779         }
1780
1781         torture_assert(tctx,
1782                        test_context->packet_count > 1,
1783                        "Expected krb5_get_init_creds_password to send more packets");
1784
1785         /*
1786          * Assert that the reply was with the correct type of
1787          * principal, depending on the flags we set
1788          */
1789         if (test_data->canonicalize == false && test_data->enterprise) {
1790                 torture_assert_int_equal(tctx,
1791                                          krb5_principal_get_type(k5_context,
1792                                                                  my_creds.client),
1793                                          KRB5_NT_ENTERPRISE_PRINCIPAL,
1794                                          "smb_krb5_init_context gave incorrect client->name.name_type");
1795         } else if (test_data->canonicalize == false && test_data->as_req_spn) {
1796                 torture_assert_int_equal(tctx,
1797                                          krb5_principal_get_type(k5_context,
1798                                                                  my_creds.client),
1799                                          KRB5_NT_SRV_HST,
1800                                          "smb_krb5_init_context gave incorrect client->name.name_type");
1801         } else {
1802                 torture_assert_int_equal(tctx,
1803                                          krb5_principal_get_type(k5_context,
1804                                                                  my_creds.client),
1805                                          KRB5_NT_PRINCIPAL,
1806                                          "smb_krb5_init_context gave incorrect client->name.name_type");
1807         }
1808
1809         torture_assert_int_equal(tctx,
1810                                  krb5_unparse_name(k5_context,
1811                                                    my_creds.client, &got_principal_string), 0,
1812                                  "krb5_unparse_name failed");
1813
1814         assertion_message = talloc_asprintf(tctx,
1815                                             "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
1816                                             got_principal_string, expected_principal_string);
1817         krb5_free_unparsed_name(k5_context, got_principal_string);
1818
1819         torture_assert(tctx, krb5_principal_compare(k5_context,
1820                                                     my_creds.client, expected_principal),
1821                        assertion_message);
1822
1823
1824         torture_assert_int_equal(tctx,
1825                                  krb5_principal_get_type(k5_context,
1826                                                          my_creds.server), KRB5_NT_SRV_INST,
1827                                  "smb_krb5_init_context gave incorrect server->name.name_type");
1828
1829         torture_assert_int_equal(tctx,
1830                                  krb5_principal_get_num_comp(k5_context,
1831                                                              my_creds.server), 2,
1832                                  "smb_krb5_init_context gave incorrect number of components in my_creds.server->name");
1833
1834         torture_assert_str_equal(tctx,
1835                                  krb5_principal_get_comp_string(k5_context,
1836                                                                 my_creds.server, 0),
1837                                  "krbtgt",
1838                                  "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
1839
1840         if (test_data->canonicalize || test_data->enterprise) {
1841                 torture_assert_str_equal(tctx,
1842                                          krb5_principal_get_comp_string(k5_context,
1843                                                                         my_creds.server, 1),
1844                                          test_data->real_realm,
1845
1846                                          "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1847         } else {
1848                 torture_assert_str_equal(tctx,
1849                                          krb5_principal_get_comp_string(k5_context,
1850                                                                         my_creds.server, 1),
1851                                          test_data->realm,
1852
1853                                          "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1854         }
1855         torture_assert_str_equal(tctx,
1856                                  krb5_principal_get_realm(k5_context,
1857                                                           my_creds.server),
1858                                  test_data->real_realm,
1859                                  "smb_krb5_init_context gave incorrect my_creds.server->realm");
1860
1861         /* Store the result of the 'kinit' above into a memory ccache */
1862         cc_name = talloc_asprintf(tctx, "MEMORY:%s", test_data->test_name);
1863         torture_assert_int_equal(tctx, krb5_cc_resolve(k5_context, cc_name,
1864                                                        &ccache),
1865                                  0, "krb5_cc_resolve failed");
1866
1867         torture_assert_int_equal(tctx, krb5_cc_initialize(k5_context,
1868                                                           ccache, my_creds.client),
1869                                  0, "krb5_cc_initialize failed");
1870
1871         torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context,
1872                                                           ccache, &my_creds),
1873                                  0, "krb5_cc_store_cred failed");
1874
1875         /*
1876          * Prepare a TGS-REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests
1877          *
1878          * This tests krb5_get_creds behaviour, which allows us to set
1879          * the KRB5_GC_CANONICALIZE option against the krbtgt/ principal
1880          */
1881
1882         krbtgt_other_string = talloc_asprintf(test_data, "krbtgt/%s@%s", test_data->real_domain, test_data->real_realm);
1883         torture_assert_int_equal(tctx,
1884                                  krb5_make_principal(k5_context, &krbtgt_other,
1885                                                      test_data->real_realm, "krbtgt",
1886                                                      test_data->real_domain, NULL),
1887                                  0, "krb5_make_principal failed");
1888
1889         test_context->test_stage = TEST_TGS_REQ_KRBTGT_CANON;
1890         test_context->packet_count = 0;
1891
1892         torture_assert_int_equal(tctx,
1893                                  krb5_get_creds_opt_alloc(k5_context, &opt),
1894                                  0, "krb5_get_creds_opt_alloc");
1895
1896         krb5_get_creds_opt_add_options(k5_context,
1897                                        opt,
1898                                        KRB5_GC_CANONICALIZE);
1899
1900         krb5_get_creds_opt_add_options(k5_context,
1901                                        opt,
1902                                        KRB5_GC_NO_STORE);
1903
1904         /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
1905         k5ret = krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds);
1906
1907         if (test_data->canonicalize == false && test_data->enterprise == false
1908             && test_data->netbios_realm && test_data->upper_realm) {
1909                 /*
1910                  * In these situations, the code above does store a
1911                  * principal in the credentials cache matching what
1912                  * krb5_get_creds() needs, so the test succeds, with no packets.
1913                  *
1914                  */
1915                 assertion_message = talloc_asprintf(tctx,
1916                                                     "krb5_get_creds for %s failed with: %s",
1917                                                     krbtgt_other_string,
1918                                                     smb_get_krb5_error_message(k5_context, k5ret,
1919                                                                                tctx));
1920
1921                 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1922                 torture_assert_int_equal(tctx,
1923                                          test_context->packet_count,
1924                                          0, "Expected krb5_get_creds not to send packets");
1925         } else if (test_data->canonicalize == false && test_data->enterprise == false
1926                    && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
1927                 torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
1928                                          "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1929         } else {
1930
1931                 /*
1932                  * In these situations, the code above does not store a
1933                  * principal in the credentials cache matching what
1934                  * krb5_get_creds() needs without talking to the KDC, so the
1935                  * test fails with looping detected because when we set
1936                  * canonicalize we confuse the client libs.
1937                  *
1938                  */
1939                 assertion_message = talloc_asprintf(tctx,
1940                                                     "krb5_get_creds for %s should have failed with looping detected: %s",
1941                                                     krbtgt_other_string,
1942                                                     smb_get_krb5_error_message(k5_context, k5ret,
1943                                                                                tctx));
1944
1945                 torture_assert_int_equal(tctx, k5ret, KRB5_GET_IN_TKT_LOOP, assertion_message);
1946                 torture_assert_int_equal(tctx,
1947                                          test_context->packet_count,
1948                                          2, "Expected krb5_get_creds to send packets");
1949         }
1950
1951         /*
1952          * Prepare a TGS-REQ and run the TEST_TGS_REQ_CANON tests
1953          *
1954          * This tests krb5_get_creds behaviour, which allows us to set
1955          * the KRB5_GC_CANONICALIZE option
1956          */
1957
1958         test_context->test_stage = TEST_TGS_REQ_CANON;
1959         test_context->packet_count = 0;
1960
1961         torture_assert_int_equal(tctx,
1962                                  krb5_get_creds_opt_alloc(k5_context, &opt),
1963                                  0, "krb5_get_creds_opt_alloc");
1964
1965         krb5_get_creds_opt_add_options(k5_context,
1966                                        opt,
1967                                        KRB5_GC_CANONICALIZE);
1968
1969         krb5_get_creds_opt_add_options(k5_context,
1970                                        opt,
1971                                        KRB5_GC_NO_STORE);
1972
1973         if (test_data->s4u2self) {
1974                 torture_assert_int_equal(tctx,
1975                                          krb5_get_creds_opt_set_impersonate(k5_context,
1976                                                                             opt,
1977                                                                             principal),
1978                                          0, "krb5_get_creds_opt_set_impersonate failed");
1979         }
1980
1981         /* Confirm if we can get a ticket to our own name */
1982         k5ret = krb5_get_creds(k5_context, opt, ccache, principal, &server_creds);
1983
1984         /*
1985          * In these situations, the code above does not store a
1986          * principal in the credentials cache matching what
1987          * krb5_get_creds() needs, so the test fails.
1988          *
1989          */
1990         if (test_data->canonicalize == false && test_data->enterprise == false
1991             && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
1992                 torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
1993                                          "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1994         } else {
1995                 assertion_message = talloc_asprintf(tctx,
1996                                                     "krb5_get_creds for %s failed: %s",
1997                                                     principal_string,
1998                                                     smb_get_krb5_error_message(k5_context, k5ret,
1999                                                                                tctx));
2000
2001                 /*
2002                  * Only machine accounts (strictly, accounts with a
2003                  * servicePrincipalName) can expect this test to succeed
2004                  */
2005                 if (torture_setting_bool(tctx, "expect_machine_account", false)
2006                     && (test_data->enterprise
2007                         || test_data->spn_is_upn
2008                         || test_data->upn == false)) {
2009                         torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2010                         torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context,
2011                                                                           ccache, server_creds),
2012                                                  0, "krb5_cc_store_cred failed");
2013
2014                         torture_assert_int_equal(tctx,
2015                                                  krb5_free_creds(k5_context,
2016                                                                  server_creds),
2017                                                  0, "krb5_free_cred_contents failed");
2018
2019                 } else {
2020                         torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
2021                                                  assertion_message);
2022                 }
2023
2024                 torture_assert_int_equal(tctx,
2025                                          test_context->packet_count,
2026                                          1, "Expected krb5_get_creds to send packets");
2027         }
2028
2029         /*
2030          * Confirm gettting a ticket to pass to the server, running
2031          * either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage.
2032          *
2033          * This triggers the client to attempt to get a
2034          * cross-realm ticket between the alternate names of
2035          * the server, and we need to confirm that behaviour.
2036          *
2037          */
2038
2039         /*
2040          * This tries to guess when the krb5 libs will ask for a
2041          * cross-realm ticket, and when they will just ask the KDC
2042          * directly.
2043          */
2044         if (test_context->test_data->canonicalize == false
2045             || test_context->test_data->enterprise
2046             || (test_context->test_data->spn_is_upn && test_context->test_data->upn)
2047             || (test_context->test_data->upper_realm
2048                 && test_context->test_data->netbios_realm == false)) {
2049                 test_context->test_stage = TEST_TGS_REQ;
2050         } else {
2051                 test_context->test_stage = TEST_SELF_TRUST_TGS_REQ;
2052         }
2053
2054         test_context->packet_count = 0;
2055         torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
2056                                  0, "krb5_auth_con_init failed");
2057
2058         in_data.length = 0;
2059         k5ret = krb5_mk_req_exact(k5_context,
2060                                   &auth_context,
2061                                   AP_OPTS_USE_SUBKEY,
2062                                   principal,
2063                                   &in_data, ccache,
2064                                   &enc_ticket);
2065         assertion_message = talloc_asprintf(tctx,
2066                                             "krb5_mk_req_exact for %s failed: %s",
2067                                             principal_string,
2068                                             smb_get_krb5_error_message(k5_context, k5ret, tctx));
2069
2070         /*
2071          * Only machine accounts (strictly, accounts with a
2072          * servicePrincipalName) can expect this test to succeed
2073          */
2074         if (torture_setting_bool(tctx, "expect_machine_account", false)
2075             && (test_data->enterprise ||
2076                 (test_context->test_data->as_req_spn 
2077                  || test_context->test_data->spn_is_upn)
2078                 || test_data->upn == false)) {
2079                 DATA_BLOB client_to_server;
2080                 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2081                 client_to_server = data_blob_const(enc_ticket.data, enc_ticket.length);
2082
2083                 /* This is very weird */
2084                 if (test_data->canonicalize == false
2085                     && test_context->test_data->as_req_spn
2086                     && test_context->test_data->spn_is_upn
2087                     && test_context->test_data->s4u2self) {
2088                         
2089                         torture_assert(tctx,
2090                                        test_accept_ticket(tctx,
2091                                                           popt_get_cmdline_credentials(),
2092                                                           spn_real_realm,
2093                                                           client_to_server),
2094                                        "test_accept_ticket failed - failed to accept the ticket we just created");
2095                 } else if (test_data->canonicalize == true
2096                     && test_context->test_data->as_req_spn
2097                     && test_context->test_data->spn_is_upn
2098                     && test_context->test_data->s4u2self) {
2099                         
2100                         torture_assert(tctx,
2101                                        test_accept_ticket(tctx,
2102                                                           popt_get_cmdline_credentials(),
2103                                                           spn,
2104                                                           client_to_server),
2105                                        "test_accept_ticket failed - failed to accept the ticket we just created");
2106                 } else if (test_data->canonicalize == true
2107                            && test_data->enterprise == false
2108                            && test_context->test_data->upn
2109                            && test_context->test_data->spn_is_upn
2110                            && test_context->test_data->s4u2self) {
2111                         
2112                         torture_assert(tctx,
2113                                        test_accept_ticket(tctx,
2114                                                           popt_get_cmdline_credentials(),
2115                                                           principal_string,
2116                                                           client_to_server),
2117                                        "test_accept_ticket failed - failed to accept the ticket we just created");
2118                 } else if (test_data->canonicalize == false
2119                            && test_data->enterprise == false
2120                            && test_context->test_data->upn
2121                            && test_context->test_data->spn_is_upn
2122                            && test_context->test_data->s4u2self) {
2123                         
2124                         const char *accept_expected_principal_string
2125                                 = talloc_asprintf(test_data,
2126                                                   "%s@%s",
2127                                                   test_data->username,
2128                                                   test_data->real_realm);
2129                         
2130                         torture_assert(tctx,
2131                                        test_accept_ticket(tctx,
2132                                                           popt_get_cmdline_credentials(),
2133                                                           accept_expected_principal_string,
2134                                                           client_to_server),
2135                                        "test_accept_ticket failed - failed to accept the ticket we just created");
2136                 } else {
2137                 
2138                         torture_assert(tctx,
2139                                        test_accept_ticket(tctx,
2140                                                           popt_get_cmdline_credentials(),
2141                                                           expected_unparse_principal_string,
2142                                                           client_to_server),
2143                                        "test_accept_ticket failed - failed to accept the ticket we just created");
2144                 }
2145                 krb5_data_free(&enc_ticket);
2146         } else {
2147                 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
2148                                          assertion_message);
2149         }
2150
2151         /*
2152          * Only in these cases would the above code have needed to
2153          * send packets to the network
2154          */
2155         if (test_data->canonicalize == false && test_data->enterprise == false
2156             && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
2157                 torture_assert(tctx,
2158                                test_context->packet_count > 0,
2159                                "Expected krb5_mk_req_exact to send packets");
2160         }
2161
2162         /*
2163          * Confirm gettting a ticket to pass to the server, running
2164          * the TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST stage
2165          *
2166          * This triggers the client to attempt to get a
2167          * cross-realm ticket between the alternate names of
2168          * the server, and we need to confirm that behaviour.
2169          *
2170          */
2171
2172         if (*test_data->krb5_service && *test_data->krb5_hostname) {
2173                 bool implied_canonicalize;
2174                 krb5_principal host_principal_srv_inst;
2175                 /*
2176                  * This tries to guess when the krb5 libs will ask for a
2177                  * cross-realm ticket, and when they will just ask the KDC
2178                  * directly.
2179                  */
2180                 test_context->test_stage = TEST_TGS_REQ_HOST;
2181                 test_context->packet_count = 0;
2182                 torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
2183                                          0, "krb5_auth_con_init failed");
2184
2185                 in_data.length = 0;
2186                 k5ret = krb5_mk_req(k5_context,
2187                                     &auth_context,
2188                                     0,
2189                                     test_data->krb5_service,
2190                                     test_data->krb5_hostname,
2191                                     &in_data, ccache,
2192                                     &enc_ticket);
2193
2194                 implied_canonicalize = test_data->canonicalize;
2195                 if (test_data->spn_is_upn && (test_data->upn || test_data->as_req_spn)) {
2196                         implied_canonicalize = true;
2197                 }
2198                 if (test_data->enterprise) {
2199                         implied_canonicalize = true;
2200                 }
2201
2202                 if (implied_canonicalize == false
2203                     && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
2204                         torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
2205                                                  "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
2206                 } else if (test_data->spn_is_upn
2207                            && test_data->canonicalize == false
2208                            && test_data->enterprise == false
2209                            && test_data->upper_realm == false
2210                            && test_data->upper_username == true
2211                            && test_data->upn) {
2212                         torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
2213                                                  "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
2214                 } else {
2215                         assertion_message = talloc_asprintf(tctx,
2216                                                             "krb5_mk_req for %s/%s failed: %s",
2217                                                             test_data->krb5_service,
2218                                                             test_data->krb5_hostname,
2219                                                             smb_get_krb5_error_message(k5_context, k5ret, tctx));
2220
2221                         torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2222
2223                         if (test_data->spn_is_upn == false) {
2224                                 /*
2225                                  * Only in these cases would the above
2226                                  * code have needed to send packets to
2227                                  * the network
2228                                  */
2229                                 torture_assert(tctx,
2230                                                test_context->packet_count > 0,
2231                                                "Expected krb5_get_creds to send packets");
2232                         }
2233                 }
2234
2235
2236                 test_context->test_stage = TEST_TGS_REQ_HOST_SRV_INST;
2237                 test_context->packet_count = 0;
2238
2239                 torture_assert_int_equal(tctx,
2240                                          krb5_make_principal(k5_context, &host_principal_srv_inst,
2241                                                              test_data->real_realm,
2242                                                              strupper_talloc(tctx, test_data->krb5_service),
2243                                                              test_data->krb5_hostname,
2244                                                              NULL),
2245                                          0, "krb5_make_principal failed");
2246
2247                 krb5_principal_set_type(k5_context, host_principal_srv_inst, KRB5_NT_SRV_INST);
2248
2249                 torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
2250                                          0, "krb5_auth_con_init failed");
2251
2252                 in_data.length = 0;
2253                 k5ret = krb5_mk_req_exact(k5_context,
2254                                           &auth_context,
2255                                           0,
2256                                           host_principal_srv_inst,
2257                                           &in_data, ccache,
2258                                           &enc_ticket);
2259                 krb5_free_principal(k5_context, host_principal_srv_inst);
2260                 if (test_data->canonicalize == false && test_data->enterprise == false
2261                     && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
2262                         torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
2263                                                  "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
2264                 } else {
2265                         assertion_message = talloc_asprintf(tctx,
2266                                                             "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
2267                                                             test_data->krb5_service,
2268                                                             test_data->krb5_hostname,
2269                                                             smb_get_krb5_error_message(k5_context, k5ret, tctx));
2270
2271                         torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2272                         /*
2273                          * Only in these cases would the above code have needed to
2274                          * send packets to the network
2275                          */
2276                         torture_assert(tctx,
2277                                        test_context->packet_count > 0,
2278                                        "Expected krb5_get_creds to send packets");
2279                 }
2280
2281
2282                 test_context->test_stage = TEST_TGS_REQ_HOST_SRV_HST;
2283                 test_context->packet_count = 0;
2284
2285                 torture_assert_int_equal(tctx,
2286                                          krb5_make_principal(k5_context, &host_principal_srv_inst,
2287                                                              test_data->real_realm,
2288                                                              test_data->krb5_service,
2289                                                              strupper_talloc(tctx, test_data->krb5_hostname),
2290                                                              NULL),
2291                                          0, "krb5_make_principal failed");
2292
2293                 krb5_principal_set_type(k5_context, host_principal_srv_inst, KRB5_NT_SRV_HST);
2294
2295                 torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
2296                                          0, "krb5_auth_con_init failed");
2297
2298                 in_data.length = 0;
2299                 k5ret = krb5_mk_req_exact(k5_context,
2300                                           &auth_context,
2301                                           0,
2302                                           host_principal_srv_inst,
2303                                           &in_data, ccache,
2304                                           &enc_ticket);
2305                 krb5_free_principal(k5_context, host_principal_srv_inst);
2306                 if (test_data->canonicalize == false && test_data->enterprise == false
2307                     && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
2308                         torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
2309                                                  "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
2310                 } else {
2311                         assertion_message = talloc_asprintf(tctx,
2312                                                             "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
2313                                                             test_data->krb5_service,
2314                                                             test_data->krb5_hostname,
2315                                                             smb_get_krb5_error_message(k5_context, k5ret, tctx));
2316
2317                         torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2318                         /*
2319                          * Only in these cases would the above code have needed to
2320                          * send packets to the network
2321                          */
2322                         torture_assert(tctx,
2323                                        test_context->packet_count > 0,
2324                                        "Expected krb5_get_creds to send packets");
2325                 }
2326         }
2327
2328         /*
2329          * Confirm gettting a ticket for the same krbtgt/realm that we
2330          * got back with the initial ticket, running the
2331          * TEST_TGS_REQ_KRBTGT stage.
2332          *
2333          */
2334
2335         test_context->test_stage = TEST_TGS_REQ_KRBTGT;
2336         test_context->packet_count = 0;
2337
2338         in_data.length = 0;
2339         k5ret = krb5_mk_req_exact(k5_context,
2340                                   &auth_context,
2341                                   0,
2342                                   my_creds.server,
2343                                   &in_data, ccache,
2344                                   &enc_ticket);
2345
2346         assertion_message = talloc_asprintf(tctx,
2347                                             "krb5_mk_req_exact for %s failed: %s",
2348                                             principal_string,
2349                                             smb_get_krb5_error_message(k5_context, k5ret, tctx));
2350         torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2351
2352         /*
2353          * Confirm gettting a ticket for our own principal that we
2354          * got back with the initial ticket, running the
2355          * TEST_AS_REQ_SELF stage.
2356          *
2357          */
2358         test_context->test_stage = TEST_AS_REQ_SELF;
2359         test_context->packet_count = 0;
2360
2361         k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal,
2362                                              password, NULL, NULL, 0,
2363                                              principal_string, krb_options);
2364
2365         if (torture_setting_bool(test_context->tctx, "expect_machine_account", false)
2366             && (test_data->upn == false || (test_data->enterprise == false && test_data->upn == true && test_data->spn_is_upn))) {
2367                 assertion_message = talloc_asprintf(tctx,
2368                                                     "krb5_get_init_creds_password for %s failed: %s",
2369                                                     principal_string,
2370                                                     smb_get_krb5_error_message(k5_context, k5ret, tctx));
2371                 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
2372                 torture_assert(tctx,
2373                                test_context->packet_count >= 2,
2374                                "Expected krb5_get_init_creds_password to send more packets");
2375
2376         } else {
2377                 assertion_message = talloc_asprintf(tctx,
2378                                                     "Got wrong error_code from krb5_get_init_creds_password, expected KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN trying to get a ticket to %s for %s", principal_string, principal_string);
2379                 torture_assert_int_equal(tctx, k5ret,
2380                                          KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
2381                                          assertion_message);
2382                 torture_assert(tctx,
2383                                test_context->packet_count >= 1,
2384                                "Expected krb5_get_init_creds_password to send more packets");
2385
2386                 /* We can't proceed with more checks */
2387                 return true;
2388         }
2389
2390         /*
2391          * Assert that the reply was with the correct type of
2392          * principal, depending on the flags we set
2393          */
2394         if (test_data->as_req_spn && test_data->spn_is_upn && test_data->canonicalize == false) {
2395                 torture_assert_int_equal(tctx,
2396                                          krb5_principal_get_type(k5_context,
2397                                                                  my_creds.client),
2398                                          KRB5_NT_SRV_HST,
2399                                          "smb_krb5_init_context gave incorrect client->name.name_type");
2400                 torture_assert_int_equal(tctx,
2401                                          krb5_principal_get_type(k5_context,
2402                                                                  my_creds.server),
2403                                          KRB5_NT_SRV_HST,
2404                                          "smb_krb5_init_context gave incorrect server->name.name_type");
2405         } else if (test_data->canonicalize == false && test_data->enterprise) {
2406                 torture_assert_int_equal(tctx,
2407                                          krb5_principal_get_type(k5_context,
2408                                                                  my_creds.client),
2409                                          KRB5_NT_ENTERPRISE_PRINCIPAL,
2410                                          "smb_krb5_init_context gave incorrect client->name.name_type");
2411                 torture_assert_int_equal(tctx,
2412                                          krb5_principal_get_type(k5_context,
2413                                                                  my_creds.server),
2414                                          KRB5_NT_ENTERPRISE_PRINCIPAL,
2415                                          "smb_krb5_init_context gave incorrect server->name.name_type");
2416         } else {
2417                 torture_assert_int_equal(tctx,
2418                                          krb5_principal_get_type(k5_context,
2419                                                                  my_creds.client),
2420                                          KRB5_NT_PRINCIPAL,
2421                                          "smb_krb5_init_context gave incorrect client->name.name_type");
2422                 torture_assert_int_equal(tctx,
2423                                          krb5_principal_get_type(k5_context,
2424                                                                  my_creds.server),
2425                                          KRB5_NT_PRINCIPAL,
2426                                          "smb_krb5_init_context gave incorrect server->name.name_type");
2427         }
2428
2429         torture_assert_int_equal(tctx,
2430                                  krb5_unparse_name(k5_context,
2431                                                    my_creds.client, &got_principal_string), 0,
2432                                  "krb5_unparse_name failed");
2433
2434         assertion_message = talloc_asprintf(tctx,
2435                                             "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
2436                                             got_principal_string, expected_principal_string);
2437         krb5_free_unparsed_name(k5_context, got_principal_string);
2438
2439         torture_assert(tctx, krb5_principal_compare(k5_context,
2440                                                     my_creds.client, expected_principal),
2441                        assertion_message);
2442
2443         torture_assert_int_equal(tctx,
2444                                  krb5_unparse_name(k5_context,
2445                                                    my_creds.client, &got_principal_string), 0,
2446                                  "krb5_unparse_name failed");
2447
2448         assertion_message = talloc_asprintf(tctx,
2449                                             "krb5_get_init_creds_password returned a different server principal %s to what was expected %s",
2450                                             got_principal_string, expected_principal_string);
2451         krb5_free_unparsed_name(k5_context, got_principal_string);
2452
2453         torture_assert(tctx, krb5_principal_compare(k5_context,
2454                                                     my_creds.server, expected_principal),
2455                        assertion_message);
2456
2457         krb5_free_principal(k5_context, principal);
2458         krb5_get_init_creds_opt_free(k5_context, krb_options);
2459
2460         torture_assert_int_equal(tctx, krb5_free_cred_contents(k5_context, &my_creds),
2461                                  0, "krb5_free_cred_contents failed");
2462
2463         return true;
2464 }
2465
2466 struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
2467 {
2468         unsigned int i;
2469         struct torture_suite *suite = torture_suite_create(mem_ctx, "canon");
2470         suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests");
2471
2472         for (i = 0; i < TEST_ALL; i++) {
2473                 char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s.%s",
2474                                              (i & TEST_CANONICALIZE) ? "canon" : "no-canon",
2475                                              (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise",
2476                                              (i & TEST_UPPER_REALM) ? "uc-realm" : "lc-realm",
2477                                              (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user",
2478                                              (i & TEST_NETBIOS_REALM) ? "netbios-realm" : "krb5-realm",
2479                                              (i & TEST_WIN2K) ? "win2k" : "no-win2k",
2480                                              (i & TEST_UPN) ? "upn" :
2481                                              ((i & TEST_AS_REQ_SPN) ? "spn" : 
2482                                               ((i & TEST_REMOVEDOLLAR) ? "removedollar" : "samaccountname")),
2483                                              (i & TEST_S4U2SELF) ? "s4u2self" : "normal");
2484                 struct torture_suite *sub_suite = torture_suite_create(mem_ctx, name);
2485
2486                 struct test_data *test_data = talloc_zero(suite, struct test_data);
2487                 if (i & TEST_UPN) {
2488                         if (i & TEST_AS_REQ_SPN) {
2489                                 continue;
2490                         }
2491                 }
2492                 if ((i & TEST_UPN) || (i & TEST_AS_REQ_SPN)) {
2493                         if (i & TEST_REMOVEDOLLAR) {
2494                                 continue;
2495                         }
2496                 }
2497                 
2498                 test_data->test_name = name;
2499                 test_data->real_realm
2500                         = strupper_talloc(test_data,
2501                                 cli_credentials_get_realm(
2502                                         popt_get_cmdline_credentials()));
2503                 test_data->real_domain = cli_credentials_get_domain(
2504                                                 popt_get_cmdline_credentials());
2505                 test_data->username = cli_credentials_get_username(
2506                                                 popt_get_cmdline_credentials());
2507                 test_data->real_username = cli_credentials_get_username(
2508                                                 popt_get_cmdline_credentials());
2509                 test_data->canonicalize = (i & TEST_CANONICALIZE) != 0;
2510                 test_data->enterprise = (i & TEST_ENTERPRISE) != 0;
2511                 test_data->upper_realm = (i & TEST_UPPER_REALM) != 0;
2512                 test_data->upper_username = (i & TEST_UPPER_USERNAME) != 0;
2513                 test_data->netbios_realm = (i & TEST_NETBIOS_REALM) != 0;
2514                 test_data->win2k = (i & TEST_WIN2K) != 0;
2515                 test_data->upn = (i & TEST_UPN) != 0;
2516                 test_data->s4u2self = (i & TEST_S4U2SELF) != 0;
2517                 test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0;
2518                 test_data->as_req_spn = (i & TEST_AS_REQ_SPN) != 0;
2519                 torture_suite_add_simple_tcase_const(sub_suite, name, torture_krb5_as_req_canon,
2520