2 Unix SMB/CIFS implementation.
4 Validate the krb5 pac generation routines
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/krb5/proto.h"
27 #include "auth/credentials/credentials.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "source4/auth/kerberos/kerberos.h"
30 #include "source4/auth/kerberos/kerberos_util.h"
31 #include "lib/util/util_net.h"
33 #define TEST_CANONICALIZE 0x0000001
34 #define TEST_ENTERPRISE 0x0000002
35 #define TEST_UPPER_REALM 0x0000004
36 #define TEST_UPPER_USERNAME 0x0000008
37 #define TEST_NETBIOS_REALM 0x0000010
38 #define TEST_WIN2K 0x0000020
39 #define TEST_UPN 0x0000040
40 #define TEST_ALL 0x000007F
43 const char *test_name
;
45 const char *real_realm
;
46 const char *real_domain
;
48 const char *real_username
;
56 bool other_upn_suffix
;
61 TEST_TGS_REQ_KRBTGT_CANON
,
63 TEST_SELF_TRUST_TGS_REQ
,
70 struct torture_krb5_context
{
71 struct smb_krb5_context
*smb_krb5_context
;
72 struct torture_context
*tctx
;
73 struct addrinfo
*server
;
74 struct test_data
*test_data
;
76 enum test_stage test_stage
;
85 * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND
87 * Confirm that the outgoing packet meets certain expectations. This
88 * should be extended to further assert the correct and expected
89 * behaviour of the krb5 libs, so we know what we are sending to the
92 * Additionally, this CHANGES the request to remove the canonicalize
93 * flag automatically added by the krb5 libs when an enterprise
94 * principal is used, so we can test what the server does in this
99 static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context
*test_context
,
100 const krb5_data
*send_buf
,
101 krb5_data
*modified_send_buf
)
104 krb5_error_code k5ret
;
106 torture_assert_int_equal(test_context
->tctx
, decode_AS_REQ(send_buf
->data
, send_buf
->length
,
107 &test_context
->as_req
, &used
),
108 0, "decode_AS_REQ for TEST_AS_REQ failed");
109 mod_as_req
= test_context
->as_req
;
110 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
111 torture_assert_int_equal(test_context
->tctx
, test_context
->as_req
.pvno
,
112 5, "Got wrong as_req->pvno");
113 if (test_context
->test_data
->canonicalize
|| test_context
->test_data
->enterprise
) {
114 torture_assert(test_context
->tctx
,
115 test_context
->as_req
.req_body
.kdc_options
.canonicalize
,
116 "krb5 libs did not set canonicalize!");
118 torture_assert_int_equal(test_context
->tctx
,
119 test_context
->as_req
.req_body
.kdc_options
.canonicalize
,
121 "krb5 libs unexpectedly set canonicalize!");
124 if (test_context
->test_data
->enterprise
) {
125 torture_assert_int_equal(test_context
->tctx
,
126 test_context
->as_req
.req_body
.cname
->name_type
,
127 KRB5_NT_ENTERPRISE_PRINCIPAL
,
128 "krb5 libs did not pass principal as enterprise!");
130 torture_assert_int_equal(test_context
->tctx
,
131 test_context
->as_req
.req_body
.cname
->name_type
,
133 "krb5 libs unexpectedly set principal as enterprise!");
136 /* Force off canonicalize that was forced on by the krb5 libs */
137 if (test_context
->test_data
->canonicalize
== false && test_context
->test_data
->enterprise
) {
138 mod_as_req
.req_body
.kdc_options
.canonicalize
= false;
141 if (test_context
->test_stage
== TEST_AS_REQ_SELF
) {
143 * Force the server name to match the client name,
144 * including the name type. This isn't possible with
145 * the krb5 client libs alone
147 mod_as_req
.req_body
.sname
= test_context
->as_req
.req_body
.cname
;
150 ASN1_MALLOC_ENCODE(AS_REQ
, modified_send_buf
->data
, modified_send_buf
->length
,
151 &mod_as_req
, &used
, k5ret
);
152 torture_assert_int_equal(test_context
->tctx
,
154 "encode_AS_REQ failed");
156 if (test_context
->test_stage
!= TEST_AS_REQ_SELF
) {
157 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
,
158 "re-encode length mismatch");
166 * Confirm that the reply packet from the KDC meets certain
167 * expectations as part of TEST_AS_REQ. This uses a packet count to
168 * work out what packet we are up to in the multiple exchanged
169 * triggerd by krb5_get_init_creds_password().
173 static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context
*test_context
,
174 const krb5_data
*recv_buf
)
178 if (test_context
->packet_count
== 0) {
179 krb5_error_code k5ret
;
181 * The client libs obtain the salt by attempting to
182 * authenticate without pre-authentication and getting
183 * the correct salt with the
184 * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in
185 * the test (netbios_realm && upn) that deliberatly
186 * has an incorrect principal, we check we get the
189 k5ret
= decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
,
193 k5ret
= decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
196 if (test_context
->test_data
->netbios_realm
&& test_context
->test_data
->upn
) {
197 torture_assert(test_context
->tctx
, false,
198 "expected to get a KRB_ERROR packet with "
199 "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, got valid AS-REP");
201 torture_assert(test_context
->tctx
, false,
202 "expected to get a KRB_ERROR packet with "
203 "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
206 if (test_context
->test_data
->netbios_realm
&& test_context
->test_data
->upn
) {
207 torture_assert(test_context
->tctx
, false,
208 "unable to decode as KRB-ERROR or AS-REP, "
209 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN");
211 torture_assert(test_context
->tctx
, false,
212 "unable to decode as KRB-ERROR or AS-REP, "
213 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
217 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
219 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5,
220 "Got wrong error.pvno");
221 if (test_context
->test_data
->netbios_realm
&& test_context
->test_data
->upn
) {
222 torture_assert_int_equal(test_context
->tctx
,
224 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
225 "Got wrong error.error_code");
227 torture_assert_int_equal(test_context
->tctx
,
229 KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
230 "Got wrong error.error_code");
233 free_KRB_ERROR(&error
);
234 } else if ((decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0)
235 && (test_context
->packet_count
== 1)) {
237 * The Windows 2012R2 KDC will always respond with
238 * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
239 * won't fit, because of the PAC. (It appears to do
240 * this always, even if it will). This triggers the
241 * client to try again over TCP.
243 torture_assert_int_equal(test_context
->tctx
,
244 used
, recv_buf
->length
,
246 torture_assert_int_equal(test_context
->tctx
,
248 "Got wrong error.pvno");
249 torture_assert_int_equal(test_context
->tctx
,
251 KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
252 "Got wrong error.error_code");
253 free_KRB_ERROR(&error
);
256 * Finally the successful packet.
258 torture_assert_int_equal(test_context
->tctx
,
259 decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
260 &test_context
->as_rep
, &used
), 0,
261 "decode_AS_REP failed");
262 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
264 torture_assert_int_equal(test_context
->tctx
,
265 test_context
->as_rep
.pvno
, 5,
266 "Got wrong as_rep->pvno");
267 torture_assert_int_equal(test_context
->tctx
,
268 test_context
->as_rep
.ticket
.tkt_vno
, 5,
269 "Got wrong as_rep->ticket.tkt_vno");
270 torture_assert(test_context
->tctx
,
271 test_context
->as_rep
.ticket
.enc_part
.kvno
,
272 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
275 * We can confirm that the correct proxy behaviour is
276 * in use on the KDC by checking the KVNO of the
277 * krbtgt account returned in the reply.
279 * A packet passed to the full RW DC will not have a
280 * KVNO in the upper bits, while a packet processed
281 * locally on the RODC will have these bits filled in
282 * the msDS-SecondaryKrbTgtNumber
284 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
285 torture_assert_int_not_equal(test_context
->tctx
,
286 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
287 0, "Did not get a RODC number in the KVNO");
289 torture_assert_int_equal(test_context
->tctx
,
290 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
291 0, "Unexpecedly got a RODC number in the KVNO");
293 free_AS_REP(&test_context
->as_rep
);
295 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
296 free_AS_REQ(&test_context
->as_req
);
301 * TEST_TGS_REQ_KRBTGT_CANON
304 * Confirm that the outgoing TGS-REQ packet from krb5_get_creds()
305 * for the krbtgt/realm principal meets certain expectations, like
306 * that the canonicalize bit is not set
310 static bool torture_krb5_pre_send_tgs_req_krbtgt_canon_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
313 torture_assert_int_equal(test_context
->tctx
,
314 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
315 &test_context
->tgs_req
, &used
),
316 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
317 torture_assert_int_equal(test_context
->tctx
,
318 used
, send_buf
->length
,
320 torture_assert_int_equal(test_context
->tctx
,
321 test_context
->tgs_req
.pvno
, 5,
322 "Got wrong as_req->pvno");
323 torture_assert_int_equal(test_context
->tctx
,
324 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
326 "krb5 libs unexpectedly did not set canonicalize!");
328 torture_assert_int_equal(test_context
->tctx
,
329 test_context
->tgs_req
.req_body
.sname
->name_type
,
331 "Mismatch in name_type between request and expected request");
333 torture_assert_str_equal(test_context
->tctx
,
334 test_context
->tgs_req
.req_body
.realm
,
335 test_context
->test_data
->real_realm
,
336 "Mismatch in realm between request and expected request");
338 *modified_send_buf
= *send_buf
;
343 * TEST_TGS_REQ_KRBTGT_CANON
345 * Confirm that the reply TGS-REP packet for krb5_get_creds()
346 * where the client is behaving as if this is a cross-realm trust due
347 * to case or netbios vs dns name differences meets certain
348 * expectations, while canonicalize is set
352 static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
355 torture_assert_int_equal(test_context
->tctx
,
356 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
357 &test_context
->tgs_rep
, &used
),
359 "decode_TGS_REP failed");
360 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
361 torture_assert_int_equal(test_context
->tctx
,
362 test_context
->tgs_rep
.pvno
, 5,
363 "Got wrong as_rep->pvno");
364 torture_assert_int_equal(test_context
->tctx
,
365 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
366 "Got wrong as_rep->ticket.tkt_vno");
367 torture_assert(test_context
->tctx
,
368 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
369 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
370 torture_assert_str_equal(test_context
->tctx
,
371 test_context
->tgs_req
.req_body
.realm
,
372 test_context
->tgs_rep
.ticket
.realm
,
373 "Mismatch in realm between request and ticket response");
374 torture_assert_str_equal(test_context
->tctx
,
375 test_context
->tgs_rep
.ticket
.realm
,
376 test_context
->test_data
->real_realm
,
377 "Mismatch in realm between ticket response and expected ticket response");
378 torture_assert_int_equal(test_context
->tctx
,
379 test_context
->tgs_rep
.ticket
.sname
.name_type
,
381 "Mismatch in name_type between ticket response and expected value of KRB5_NT_SRV_INST");
383 torture_assert_int_equal(test_context
->tctx
,
384 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
,
386 "Mismatch in name_type between ticket response and expected value, expected krbtgt/REALM@REALM");
388 torture_assert_str_equal(test_context
->tctx
,
389 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0], "krbtgt",
390 "Mismatch in name between reponse and expected response, expected krbtgt");
391 torture_assert_str_equal(test_context
->tctx
,
392 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[1], test_context
->test_data
->real_realm
,
393 "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM");
396 * We can confirm that the correct proxy behaviour is
397 * in use on the KDC by checking the KVNO of the
398 * krbtgt account returned in the reply.
400 * A packet passed to the full RW DC will not have a
401 * KVNO in the upper bits, while a packet processed
402 * locally on the RODC will have these bits filled in
403 * the msDS-SecondaryKrbTgtNumber
405 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
406 torture_assert_int_not_equal(test_context
->tctx
,
407 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
408 0, "Did not get a RODC number in the KVNO");
410 torture_assert_int_equal(test_context
->tctx
,
411 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
412 0, "Unexpecedly got a RODC number in the KVNO");
414 free_TGS_REP(&test_context
->tgs_rep
);
415 torture_assert(test_context
->tctx
,
416 test_context
->packet_count
< 2,
418 free_TGS_REQ(&test_context
->tgs_req
);
425 * Confirm that the outgoing TGS-REQ packet from krb5_get_creds
426 * certain expectations, like that the canonicalize bit is set (this
427 * test is to force that handling) and that if an enterprise name was
428 * requested, that it was sent.
432 static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context
*test_context
,
433 const krb5_data
*send_buf
,
434 krb5_data
*modified_send_buf
)
437 torture_assert_int_equal(test_context
->tctx
,
438 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
439 &test_context
->tgs_req
, &used
),
440 0, "decode_TGS_REQ for TEST_TGS_REQ_CANON test failed");
441 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
442 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.pvno
, 5, "Got wrong as_req->pvno");
443 torture_assert_int_equal(test_context
->tctx
,
444 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
445 true, "krb5 libs unexpectedly did not set canonicalize!");
447 if (test_context
->test_data
->enterprise
) {
448 torture_assert_int_equal(test_context
->tctx
,
449 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_ENTERPRISE_PRINCIPAL
,
450 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
451 torture_assert_str_equal(test_context
->tctx
,
452 test_context
->tgs_req
.req_body
.realm
, test_context
->test_data
->real_realm
,
453 "Mismatch in realm between request and expected request");
455 } else if (test_context
->test_data
->canonicalize
) {
456 torture_assert_int_equal(test_context
->tctx
,
457 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
458 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
459 torture_assert_str_equal(test_context
->tctx
,
460 test_context
->tgs_req
.req_body
.realm
, test_context
->test_data
->real_realm
,
461 "Mismatch in realm between request and expected request");
464 torture_assert_int_equal(test_context
->tctx
,
465 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
466 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
467 torture_assert_str_equal(test_context
->tctx
,
468 test_context
->tgs_req
.req_body
.realm
, test_context
->test_data
->realm
,
469 "Mismatch in realm between request and expected request");
473 *modified_send_buf
= *send_buf
;
479 * TEST_TGS_REQ_CANON - RECV
481 * Confirm that the reply TGS-REP or error packet from the KDC meets
482 * certain expectations as part of TEST_TGS_REQ_CANON.
484 * This is triggered by krb5_get_creds()
488 static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
494 * If this account did not have a servicePrincipalName, then
495 * we expect a errro packet, not a TGS-REQ
497 if (decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0) {
498 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
499 torture_assert_int_equal(test_context
->tctx
,
501 "Got wrong error.pvno");
502 torture_assert_int_equal(test_context
->tctx
,
504 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
505 "Got wrong error.error_code");
507 torture_assert_int_equal(test_context
->tctx
,
508 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
509 &test_context
->tgs_rep
,
512 "decode_TGS_REP failed");
513 torture_assert_int_equal(test_context
->tctx
,
514 used
, recv_buf
->length
,
516 torture_assert_int_equal(test_context
->tctx
,
517 test_context
->tgs_rep
.pvno
, 5,
518 "Got wrong as_rep->pvno");
519 torture_assert_int_equal(test_context
->tctx
,
520 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
521 "Got wrong as_rep->ticket.tkt_vno");
522 torture_assert(test_context
->tctx
,
523 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
524 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
525 torture_assert_str_equal(test_context
->tctx
,
526 test_context
->tgs_rep
.ticket
.realm
,
527 test_context
->test_data
->real_realm
,
528 "Mismatch in realm between ticket response and expected upper case REALM");
529 torture_assert_int_equal(test_context
->tctx
,
530 test_context
->tgs_rep
.ticket
.sname
.name_type
,
531 test_context
->tgs_req
.req_body
.sname
->name_type
,
532 "Mismatch in name_type between request and ticket response");
533 torture_assert_int_equal(test_context
->tctx
,
534 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
,
535 test_context
->tgs_req
.req_body
.sname
->name_string
.len
,
536 "Mismatch in name_string.len between request and ticket response");
537 torture_assert(test_context
->tctx
,
538 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
>= 1,
539 "name_string.len should be >=1 in ticket response");
540 torture_assert_str_equal(test_context
->tctx
,
541 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0],
542 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0],
543 "Mismatch in name between request and expected request");
544 torture_assert_int_equal(test_context
->tctx
,
545 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
546 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
547 free_TGS_REP(&test_context
->tgs_rep
);
549 torture_assert(test_context
->tctx
, test_context
->packet_count
== 0, "too many packets");
550 free_TGS_REQ(&test_context
->tgs_req
);
556 * TEST_SELF_TRUST_TGS_REQ
558 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
559 * certain expectations, like that the canonicalize bit is set (this
560 * test is to force that handling).
562 * This test is for the case where the name we ask for, while a valid
563 * alternate name for our own realm is used. The client acts as if
564 * this is cross-realm trust.
568 static bool torture_krb5_pre_send_self_trust_tgs_req_test(struct torture_krb5_context
*test_context
,
569 const krb5_data
*send_buf
,
570 krb5_data
*modified_send_buf
)
573 torture_assert_int_equal(test_context
->tctx
,
574 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
575 &test_context
->tgs_req
, &used
),
576 0, "decode_TGS_REQ for TEST_SELF_TRUST_TGS_REQ test failed");
577 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
578 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.pvno
, 5, "Got wrong as_req->pvno");
579 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
, false, "krb5 libs unexpectedly set canonicalize!");
581 if (test_context
->test_data
->canonicalize
) {
582 torture_assert_str_equal(test_context
->tctx
,
583 test_context
->tgs_req
.req_body
.realm
,
584 test_context
->test_data
->real_realm
,
585 "Mismatch in realm between request and expected request");
587 torture_assert_str_equal(test_context
->tctx
,
588 test_context
->tgs_req
.req_body
.realm
,
589 test_context
->test_data
->realm
,
590 "Mismatch in realm between request and expected request");
592 torture_assert_int_equal(test_context
->tctx
,
593 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
594 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
595 torture_assert_int_equal(test_context
->tctx
,
596 test_context
->tgs_req
.req_body
.sname
->name_string
.len
, 2,
597 "Mismatch in name between request and expected request, expected krbtgt/realm");
598 torture_assert_str_equal(test_context
->tctx
,
599 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0], "krbtgt",
600 "Mismatch in name between request and expected request, expected krbtgt");
601 torture_assert_str_equal(test_context
->tctx
,
602 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[1], test_context
->test_data
->realm
,
603 "Mismatch in realm part of cross-realm request principal between request and expected request");
604 *modified_send_buf
= *send_buf
;
610 * TEST_SELF_TRUST_TGS_REQ and TEST_TGS_REQ_KRBTGT - RECV
612 * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(),
613 * where the client is behaving as if this is a cross-realm trust due
614 * to case or netbios vs dns name differences meets certain
619 static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
622 torture_assert_int_equal(test_context
->tctx
,
623 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
624 &test_context
->tgs_rep
, &used
),
626 "decode_TGS_REP failed");
627 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
628 torture_assert_int_equal(test_context
->tctx
,
629 test_context
->tgs_rep
.pvno
, 5,
630 "Got wrong as_rep->pvno");
631 torture_assert_int_equal(test_context
->tctx
,
632 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
633 "Got wrong as_rep->ticket.tkt_vno");
634 torture_assert(test_context
->tctx
,
635 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
636 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
637 torture_assert_str_equal(test_context
->tctx
,
638 test_context
->tgs_req
.req_body
.realm
,
639 test_context
->tgs_rep
.ticket
.realm
,
640 "Mismatch in realm between request and ticket response");
641 torture_assert_int_equal(test_context
->tctx
,
642 test_context
->tgs_rep
.ticket
.sname
.name_type
,
643 test_context
->tgs_req
.req_body
.sname
->name_type
,
644 "Mismatch in name_type between request and ticket response");
646 torture_assert_int_equal(test_context
->tctx
,
647 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
, 2,
648 "Mismatch in name between request and expected request, expected krbtgt/realm");
649 torture_assert_str_equal(test_context
->tctx
,
650 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0], "krbtgt",
651 "Mismatch in name between request and expected request, expected krbtgt");
652 torture_assert_str_equal(test_context
->tctx
,
653 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[1], test_context
->test_data
->realm
,
654 "Mismatch in realm part of cross-realm request principal between response and expected request");
656 * We can confirm that the correct proxy behaviour is
657 * in use on the KDC by checking the KVNO of the
658 * krbtgt account returned in the reply.
660 * A packet passed to the full RW DC will not have a
661 * KVNO in the upper bits, while a packet processed
662 * locally on the RODC will have these bits filled in
663 * the msDS-SecondaryKrbTgtNumber
665 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
666 torture_assert_int_not_equal(test_context
->tctx
,
667 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
668 0, "Did not get a RODC number in the KVNO");
670 torture_assert_int_equal(test_context
->tctx
,
671 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
672 0, "Unexpecedly got a RODC number in the KVNO");
674 free_TGS_REP(&test_context
->tgs_rep
);
675 torture_assert_int_equal(test_context
->tctx
,
676 test_context
->packet_count
, 0,
678 test_context
->packet_count
= 0;
679 test_context
->test_stage
= TEST_TGS_REQ
;
680 free_TGS_REQ(&test_context
->tgs_req
);
687 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
688 * certain expectations, like that the canonicalize bit is set (this
689 * test is to force that handling) and that if an enterprise name was
690 * requested, that it was sent.
694 static bool torture_krb5_pre_send_tgs_req_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
697 torture_assert_int_equal(test_context
->tctx
,
698 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
699 &test_context
->tgs_req
, &used
),
700 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
701 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
702 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.pvno
, 5,
703 "Got wrong as_req->pvno");
704 torture_assert_int_equal(test_context
->tctx
,
705 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
707 "krb5 libs unexpectedly set canonicalize!");
709 if (test_context
->test_data
->enterprise
) {
710 torture_assert_int_equal(test_context
->tctx
,
711 test_context
->tgs_req
.req_body
.sname
->name_type
,
712 KRB5_NT_ENTERPRISE_PRINCIPAL
,
713 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
714 torture_assert_str_equal(test_context
->tctx
,
715 test_context
->tgs_req
.req_body
.realm
,
716 test_context
->test_data
->real_realm
,
717 "Mismatch in realm between request and expected request");
720 torture_assert_int_equal(test_context
->tctx
,
721 test_context
->tgs_req
.req_body
.sname
->name_type
,
723 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
724 torture_assert_str_equal(test_context
->tctx
,
725 test_context
->tgs_req
.req_body
.realm
,
726 test_context
->test_data
->realm
,
727 "Mismatch in realm between request and expected request");
731 *modified_send_buf
= *send_buf
;
737 * TEST_TGS_REQ - RECV
739 * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(), for
740 * the actual target service.
744 static bool torture_krb5_post_recv_tgs_req_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
749 * If this account did not have a servicePrincipalName, then
750 * we expect a errro packet, not a TGS-REQ
752 if (decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0) {
753 torture_assert_int_equal(test_context
->tctx
,
754 used
, recv_buf
->length
,
756 torture_assert_int_equal(test_context
->tctx
,
758 "Got wrong error.pvno");
759 torture_assert_int_equal(test_context
->tctx
,
761 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
762 "Got wrong error.error_code");
764 torture_assert_int_equal(test_context
->tctx
,
765 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
766 &test_context
->tgs_rep
, &used
),
768 "decode_TGS_REP failed");
769 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
771 torture_assert_int_equal(test_context
->tctx
,
772 test_context
->tgs_rep
.pvno
, 5,
773 "Got wrong as_rep->pvno");
774 torture_assert_int_equal(test_context
->tctx
,
775 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
776 "Got wrong as_rep->ticket.tkt_vno");
777 torture_assert(test_context
->tctx
,
778 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
779 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
780 torture_assert_str_equal(test_context
->tctx
,
781 test_context
->tgs_rep
.ticket
.realm
,
782 test_context
->test_data
->real_realm
,
783 "Mismatch in realm between ticket response and expected upper case REALM");
784 torture_assert_int_equal(test_context
->tctx
,
785 test_context
->tgs_req
.req_body
.sname
->name_type
,
786 test_context
->tgs_rep
.ticket
.sname
.name_type
, "Mismatch in name_type between request and ticket response");
787 torture_assert_int_equal(test_context
->tctx
,
788 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
789 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
790 free_TGS_REP(&test_context
->tgs_rep
);
792 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
793 free_TGS_REQ(&test_context
->tgs_req
);
794 test_context
->test_stage
= TEST_DONE
;
799 * TEST_TGS_REQ_KRBTGT
802 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
803 * for the krbtgt/realm principal meets certain expectations, like
804 * that the canonicalize bit is not set
808 static bool torture_krb5_pre_send_tgs_req_krbtgt_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
811 torture_assert_int_equal(test_context
->tctx
,
812 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
813 &test_context
->tgs_req
, &used
),
814 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
815 torture_assert_int_equal(test_context
->tctx
,
816 used
, send_buf
->length
,
818 torture_assert_int_equal(test_context
->tctx
,
819 test_context
->tgs_req
.pvno
, 5,
820 "Got wrong as_req->pvno");
821 torture_assert_int_equal(test_context
->tctx
,
822 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
824 "krb5 libs unexpectedly set canonicalize!");
826 torture_assert_str_equal(test_context
->tctx
,
827 test_context
->tgs_req
.req_body
.realm
,
828 test_context
->test_data
->realm
,
829 "Mismatch in realm between request and expected request");
831 *modified_send_buf
= *send_buf
;
832 test_context
->test_stage
= TEST_DONE
;
837 * TEST_AS_REQ_SELF - RECV
839 * Confirm that the reply packet from the KDC meets certain
840 * expectations as part of TEST_AS_REQ. This uses a packet count to
841 * work out what packet we are up to in the multiple exchanged
842 * triggerd by krb5_get_init_creds_password().
846 static bool torture_krb5_post_recv_as_req_self_test(struct torture_krb5_context
*test_context
,
847 const krb5_data
*recv_buf
)
851 if (test_context
->packet_count
== 0) {
852 krb5_error_code k5ret
;
854 * The client libs obtain the salt by attempting to
855 * authenticate without pre-authentication and getting
856 * the correct salt with the
857 * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in
858 * the test (netbios_realm && upn) that deliberatly
859 * has an incorrect principal, we check we get the
862 k5ret
= decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
,
866 k5ret
= decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
869 if (torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) == false
870 || (test_context
->test_data
->upn
== true)) {
871 torture_assert(test_context
->tctx
, false,
872 "expected to get a KRB_ERROR packet with "
873 "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
875 torture_assert(test_context
->tctx
, false,
876 "expected to get a KRB_ERROR packet with "
877 "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
880 if (torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) == false
881 || (test_context
->test_data
->upn
== true)) {
882 torture_assert(test_context
->tctx
, false,
883 "unable to decode as KRB-ERROR or AS-REP, "
884 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED");
886 torture_assert(test_context
->tctx
, false,
887 "unable to decode as KRB-ERROR or AS-REP, "
888 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
892 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
894 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5,
895 "Got wrong error.pvno");
896 if ((torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) == false
897 || (test_context
->test_data
->upn
== true))
898 && error
.error_code
== KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
) {
902 * This case is because Samba's Heimdal KDC
903 * checks server and client accounts before
904 * checking for pre-authentication.
907 torture_assert_int_equal(test_context
->tctx
,
909 KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
910 "Got wrong error.error_code");
913 free_KRB_ERROR(&error
);
914 } else if ((decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0)
915 && (test_context
->packet_count
== 1)) {
917 * The Windows 2012R2 KDC will always respond with
918 * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
919 * won't fit, because of the PAC. (It appears to do
920 * this always, even if it will). This triggers the
921 * client to try again over TCP.
923 torture_assert_int_equal(test_context
->tctx
,
924 used
, recv_buf
->length
,
926 torture_assert_int_equal(test_context
->tctx
,
928 "Got wrong error.pvno");
929 if ((torture_setting_bool(test_context
->tctx
, "expect_machine_account", false)
930 && (test_context
->test_data
->upn
== false))) {
931 torture_assert_int_equal(test_context
->tctx
,
933 KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
934 "Got wrong error.error_code");
936 torture_assert_int_equal(test_context
->tctx
,
938 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
939 "Got wrong error.error_code");
941 free_KRB_ERROR(&error
);
944 * Finally the successful packet.
946 torture_assert_int_equal(test_context
->tctx
,
947 decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
948 &test_context
->as_rep
, &used
), 0,
949 "decode_AS_REP failed");
950 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
952 torture_assert_int_equal(test_context
->tctx
,
953 test_context
->as_rep
.pvno
, 5,
954 "Got wrong as_rep->pvno");
955 torture_assert_int_equal(test_context
->tctx
,
956 test_context
->as_rep
.ticket
.tkt_vno
, 5,
957 "Got wrong as_rep->ticket.tkt_vno");
958 torture_assert(test_context
->tctx
,
959 test_context
->as_rep
.ticket
.enc_part
.kvno
,
960 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
963 * We do not expect an RODC number here in the KVNO,
964 * as this is a ticket to the user's own account.
966 torture_assert_int_equal(test_context
->tctx
,
967 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
968 0, "Unexpecedly got a RODC number in the KVNO");
969 free_AS_REP(&test_context
->as_rep
);
971 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
972 free_AS_REQ(&test_context
->as_req
);
977 * This function is set in torture_krb5_init_context_canon as krb5
978 * send_and_recv function. This allows us to override what server the
979 * test is aimed at, and to inspect the packets just before they are
980 * sent to the network, and before they are processed on the recv
983 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
984 * functions are implement the actual tests.
986 * When this asserts, the caller will get a spurious 'cannot contact
990 static krb5_error_code
smb_krb5_send_and_recv_func_canon_override(krb5_context context
,
991 void *data
, /* struct torture_krb5_context */
992 krb5_krbhst_info
*hi
,
994 const krb5_data
*send_buf
,
997 krb5_error_code k5ret
;
999 krb5_data modified_send_buf
;
1001 struct torture_krb5_context
*test_context
1002 = talloc_get_type_abort(data
, struct torture_krb5_context
);
1004 switch (test_context
->test_stage
) {
1006 torture_warning(test_context
->tctx
, "Unexpected outgoing packet from krb5 libs");
1009 ok
= torture_krb5_pre_send_as_req_test(test_context
, send_buf
,
1010 &modified_send_buf
);
1012 case TEST_TGS_REQ_KRBTGT_CANON
:
1013 ok
= torture_krb5_pre_send_tgs_req_krbtgt_canon_test(test_context
, send_buf
,
1014 &modified_send_buf
);
1016 case TEST_TGS_REQ_CANON
:
1017 ok
= torture_krb5_pre_send_tgs_req_canon_test(test_context
, send_buf
,
1018 &modified_send_buf
);
1020 case TEST_SELF_TRUST_TGS_REQ
:
1021 ok
= torture_krb5_pre_send_self_trust_tgs_req_test(test_context
, send_buf
,
1022 &modified_send_buf
);
1025 ok
= torture_krb5_pre_send_tgs_req_test(test_context
, send_buf
,
1026 &modified_send_buf
);
1028 case TEST_TGS_REQ_KRBTGT
:
1029 ok
= torture_krb5_pre_send_tgs_req_krbtgt_test(test_context
, send_buf
,
1030 &modified_send_buf
);
1032 case TEST_AS_REQ_SELF
:
1033 ok
= torture_krb5_pre_send_as_req_test(test_context
, send_buf
,
1034 &modified_send_buf
);
1041 k5ret
= smb_krb5_send_and_recv_func_forced(context
, test_context
->server
,
1042 hi
, timeout
, &modified_send_buf
,
1048 switch (test_context
->test_stage
) {
1050 torture_warning(test_context
->tctx
, "Unexpected outgoing packet from krb5 libs");
1053 ok
= torture_krb5_post_recv_as_req_test(test_context
, recv_buf
);
1055 case TEST_TGS_REQ_KRBTGT_CANON
:
1056 ok
= torture_krb5_post_recv_tgs_req_krbtgt_canon_test(test_context
, recv_buf
);
1058 case TEST_TGS_REQ_CANON
:
1059 ok
= torture_krb5_post_recv_tgs_req_canon_test(test_context
, recv_buf
);
1061 case TEST_SELF_TRUST_TGS_REQ
:
1062 ok
= torture_krb5_post_recv_self_trust_tgs_req_test(test_context
, recv_buf
);
1065 ok
= torture_krb5_post_recv_tgs_req_test(test_context
, recv_buf
);
1067 case TEST_TGS_REQ_KRBTGT
:
1068 ok
= torture_krb5_post_recv_self_trust_tgs_req_test(test_context
, recv_buf
);
1070 case TEST_AS_REQ_SELF
:
1071 ok
= torture_krb5_post_recv_as_req_self_test(test_context
, recv_buf
);
1078 test_context
->packet_count
++;
1083 static int test_context_destructor(struct torture_krb5_context
*test_context
)
1085 freeaddrinfo(test_context
->server
);
1090 static bool torture_krb5_init_context_canon(struct torture_context
*tctx
,
1091 struct test_data
*test_data
,
1092 struct torture_krb5_context
**torture_krb5_context
)
1094 const char *host
= torture_setting_string(tctx
, "host", NULL
);
1095 krb5_error_code k5ret
;
1098 struct torture_krb5_context
*test_context
= talloc_zero(tctx
, struct torture_krb5_context
);
1099 torture_assert(tctx
, test_context
!= NULL
, "Failed to allocate");
1101 test_context
->test_data
= test_data
;
1102 test_context
->tctx
= tctx
;
1104 k5ret
= smb_krb5_init_context(test_context
, tctx
->lp_ctx
, &test_context
->smb_krb5_context
);
1105 torture_assert_int_equal(tctx
, k5ret
, 0, "smb_krb5_init_context failed");
1107 ok
= interpret_string_addr_internal(&test_context
->server
, host
, AI_NUMERICHOST
);
1108 torture_assert(tctx
, ok
, "Failed to parse target server");
1110 talloc_set_destructor(test_context
, test_context_destructor
);
1112 set_sockaddr_port(test_context
->server
->ai_addr
, 88);
1114 k5ret
= krb5_set_send_to_kdc_func(test_context
->smb_krb5_context
->krb5_context
,
1115 smb_krb5_send_and_recv_func_canon_override
,
1117 torture_assert_int_equal(tctx
, k5ret
, 0, "krb5_set_send_to_kdc_func failed");
1118 *torture_krb5_context
= test_context
;
1123 static bool torture_krb5_as_req_canon(struct torture_context
*tctx
, const void *tcase_data
)
1125 krb5_error_code k5ret
;
1126 krb5_get_init_creds_opt
*krb_options
= NULL
;
1127 struct test_data
*test_data
= talloc_get_type_abort(tcase_data
, struct test_data
);
1128 krb5_principal principal
;
1129 krb5_principal krbtgt_other
;
1130 krb5_principal expected_principal
;
1131 char *principal_string
;
1132 char *krbtgt_other_string
;
1133 int principal_flags
;
1134 char *expected_principal_string
;
1135 int expected_principal_flags
;
1136 char *got_principal_string
;
1137 char *assertion_message
;
1138 const char *password
= cli_credentials_get_password(cmdline_credentials
);
1139 krb5_context k5_context
;
1140 struct torture_krb5_context
*test_context
;
1142 krb5_creds my_creds
;
1143 krb5_creds
*server_creds
;
1145 krb5_auth_context auth_context
;
1147 krb5_data in_data
, enc_ticket
;
1148 krb5_get_creds_opt opt
;
1150 const char *upn
= torture_setting_string(tctx
, "krb5-upn", "");
1153 * If we have not passed a UPN on the command line,
1154 * then skip the UPN tests.
1156 if (test_data
->upn
&& upn
[0] == '\0') {
1157 torture_skip(tctx
, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run");
1160 if (test_data
->netbios_realm
) {
1161 test_data
->realm
= test_data
->real_domain
;
1163 test_data
->realm
= test_data
->real_realm
;
1166 if (test_data
->upn
) {
1168 test_data
->username
= talloc_strdup(test_data
, upn
);
1169 p
= strchr(test_data
->username
, '@');
1175 * Test the UPN behaviour carefully. We can
1176 * test in two different modes, depending on
1177 * what UPN has been set up for us.
1179 * If the UPN is in our realm, then we do all the tests with this name also.
1181 * If the UPN is not in our realm, then we
1182 * expect the tests that replace the realm to
1183 * fail (as it won't match)
1185 if (strcasecmp(p
, test_data
->real_realm
) != 0) {
1186 test_data
->other_upn_suffix
= true;
1188 test_data
->other_upn_suffix
= false;
1192 * This lets us test the combination of the UPN prefix
1193 * with a valid domain, without adding even more
1196 if (test_data
->netbios_realm
== false) {
1197 test_data
->realm
= p
;
1201 ok
= torture_krb5_init_context_canon(tctx
, test_data
, &test_context
);
1202 torture_assert(tctx
, ok
, "torture_krb5_init_context failed");
1203 k5_context
= test_context
->smb_krb5_context
->krb5_context
;
1205 if (test_data
->upper_realm
) {
1206 test_data
->realm
= strupper_talloc(test_data
, test_data
->realm
);
1208 test_data
->realm
= strlower_talloc(test_data
, test_data
->realm
);
1210 if (test_data
->upper_username
) {
1211 test_data
->username
= strupper_talloc(test_data
, test_data
->username
);
1213 test_data
->username
= talloc_strdup(test_data
, test_data
->username
);
1216 principal_string
= talloc_asprintf(test_data
, "%s@%s", test_data
->username
, test_data
->realm
);
1219 * If we are set to canonicalize, we get back the fixed UPPER
1220 * case realm, and the real username (ie matching LDAP
1223 * Otherwise, if we are set to enterprise, we
1224 * get back the whole principal as-sent
1226 * Finally, if we are not set to canonicalize, we get back the
1227 * fixed UPPER case realm, but the as-sent username
1229 if (test_data
->canonicalize
) {
1230 expected_principal_string
= talloc_asprintf(test_data
,
1232 test_data
->real_username
,
1233 test_data
->real_realm
);
1234 } else if (test_data
->enterprise
) {
1235 expected_principal_string
= principal_string
;
1237 expected_principal_string
= talloc_asprintf(test_data
,
1239 test_data
->username
,
1240 test_data
->real_realm
);
1243 if (test_data
->enterprise
) {
1244 principal_flags
= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
1246 if (test_data
->upn
&& test_data
->other_upn_suffix
) {
1247 torture_skip(tctx
, "UPN test for UPN with other UPN suffix only runs with enterprise principals");
1249 principal_flags
= 0;
1252 if (test_data
->canonicalize
) {
1253 expected_principal_flags
= 0;
1255 expected_principal_flags
= principal_flags
;
1258 torture_assert_int_equal(tctx
,
1259 krb5_parse_name_flags(k5_context
,
1263 0, "krb5_parse_name_flags failed");
1264 torture_assert_int_equal(tctx
,
1265 krb5_parse_name_flags(k5_context
,
1266 expected_principal_string
,
1267 expected_principal_flags
,
1268 &expected_principal
),
1269 0, "krb5_parse_name_flags failed");
1272 * Prepare a AS-REQ and run the TEST_AS_REQ tests
1276 test_context
->test_stage
= TEST_AS_REQ
;
1277 test_context
->packet_count
= 0;
1280 * Set the canonicalize flag if this test requires it
1282 torture_assert_int_equal(tctx
,
1283 krb5_get_init_creds_opt_alloc(k5_context
, &krb_options
),
1284 0, "krb5_get_init_creds_opt_alloc failed");
1286 torture_assert_int_equal(tctx
,
1287 krb5_get_init_creds_opt_set_canonicalize(k5_context
,
1289 test_data
->canonicalize
),
1290 0, "krb5_get_init_creds_opt_set_canonicalize failed");
1292 torture_assert_int_equal(tctx
,
1293 krb5_get_init_creds_opt_set_win2k(k5_context
,
1296 0, "krb5_get_init_creds_opt_set_win2k failed");
1298 k5ret
= krb5_get_init_creds_password(k5_context
, &my_creds
, principal
,
1299 password
, NULL
, NULL
, 0,
1302 if (test_data
->netbios_realm
&& test_data
->upn
) {
1303 torture_assert_int_equal(tctx
, k5ret
,
1304 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
,
1305 "Got wrong error_code from krb5_get_init_creds_password");
1306 /* We can't proceed with more checks */
1309 assertion_message
= talloc_asprintf(tctx
,
1310 "krb5_get_init_creds_password for %s failed: %s",
1312 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1313 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1316 torture_assert(tctx
,
1317 test_context
->packet_count
> 1,
1318 "Expected krb5_get_init_creds_password to send more packets");
1321 * Assert that the reply was with the correct type of
1322 * principal, depending on the flags we set
1324 if (test_data
->canonicalize
== false && test_data
->enterprise
) {
1325 torture_assert_int_equal(tctx
,
1326 krb5_principal_get_type(k5_context
,
1328 KRB5_NT_ENTERPRISE_PRINCIPAL
,
1329 "smb_krb5_init_context gave incorrect client->name.name_type");
1331 torture_assert_int_equal(tctx
,
1332 krb5_principal_get_type(k5_context
,
1335 "smb_krb5_init_context gave incorrect client->name.name_type");
1338 torture_assert_int_equal(tctx
,
1339 krb5_unparse_name(k5_context
,
1340 my_creds
.client
, &got_principal_string
), 0,
1341 "krb5_unparse_name failed");
1343 assertion_message
= talloc_asprintf(tctx
,
1344 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
1345 got_principal_string
, expected_principal_string
);
1346 krb5_free_unparsed_name(k5_context
, got_principal_string
);
1348 torture_assert(tctx
, krb5_principal_compare(k5_context
,
1349 my_creds
.client
, expected_principal
),
1353 torture_assert_int_equal(tctx
,
1354 krb5_principal_get_type(k5_context
,
1355 my_creds
.server
), KRB5_NT_SRV_INST
,
1356 "smb_krb5_init_context gave incorrect server->name.name_type");
1358 torture_assert_int_equal(tctx
,
1359 krb5_principal_get_num_comp(k5_context
,
1360 my_creds
.server
), 2,
1361 "smb_krb5_init_context gave incorrect number of components in my_creds.server->name");
1363 torture_assert_str_equal(tctx
,
1364 krb5_principal_get_comp_string(k5_context
,
1365 my_creds
.server
, 0),
1367 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
1369 if (test_data
->canonicalize
|| test_data
->enterprise
) {
1370 torture_assert_str_equal(tctx
,
1371 krb5_principal_get_comp_string(k5_context
,
1372 my_creds
.server
, 1),
1373 test_data
->real_realm
,
1375 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1377 torture_assert_str_equal(tctx
,
1378 krb5_principal_get_comp_string(k5_context
,
1379 my_creds
.server
, 1),
1382 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1384 torture_assert_str_equal(tctx
,
1385 krb5_principal_get_realm(k5_context
,
1387 test_data
->real_realm
,
1388 "smb_krb5_init_context gave incorrect my_creds.server->realm");
1390 /* Store the result of the 'kinit' above into a memory ccache */
1391 cc_name
= talloc_asprintf(tctx
, "MEMORY:%s", test_data
->test_name
);
1392 torture_assert_int_equal(tctx
, krb5_cc_resolve(k5_context
, cc_name
,
1394 0, "krb5_cc_resolve failed");
1396 torture_assert_int_equal(tctx
, krb5_cc_initialize(k5_context
,
1397 ccache
, my_creds
.client
),
1398 0, "krb5_cc_initialize failed");
1400 torture_assert_int_equal(tctx
, krb5_cc_store_cred(k5_context
,
1402 0, "krb5_cc_store_cred failed");
1405 * Prepare a TGS-REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests
1407 * This tests krb5_get_creds behaviour, which allows us to set
1408 * the KRB5_GC_CANONICALIZE option against the krbtgt/ principal
1411 krbtgt_other_string
= talloc_asprintf(test_data
, "krbtgt/%s@%s", test_data
->real_domain
, test_data
->real_realm
);
1412 torture_assert_int_equal(tctx
,
1413 krb5_make_principal(k5_context
, &krbtgt_other
,
1414 test_data
->real_realm
, "krbtgt",
1415 test_data
->real_domain
, NULL
),
1416 0, "krb5_make_principal failed");
1418 test_context
->test_stage
= TEST_TGS_REQ_KRBTGT_CANON
;
1419 test_context
->packet_count
= 0;
1421 torture_assert_int_equal(tctx
,
1422 krb5_get_creds_opt_alloc(k5_context
, &opt
),
1423 0, "krb5_get_creds_opt_alloc");
1425 krb5_get_creds_opt_add_options(k5_context
,
1427 KRB5_GC_CANONICALIZE
);
1429 krb5_get_creds_opt_add_options(k5_context
,
1433 /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
1434 k5ret
= krb5_get_creds(k5_context
, opt
, ccache
, krbtgt_other
, &server_creds
);
1436 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1437 && test_data
->netbios_realm
&& test_data
->upper_realm
) {
1439 * In these situations, the code above does store a
1440 * principal in the credentials cache matching what
1441 * krb5_get_creds() needs, so the test succeds, with no packets.
1444 assertion_message
= talloc_asprintf(tctx
,
1445 "krb5_get_creds for %s failed with: %s",
1446 krbtgt_other_string
,
1447 smb_get_krb5_error_message(k5_context
, k5ret
,
1450 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1451 torture_assert_int_equal(tctx
,
1452 test_context
->packet_count
,
1453 0, "Expected krb5_get_creds not to send packets");
1454 } else if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1455 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1456 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
1457 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1461 * In these situations, the code above does not store a
1462 * principal in the credentials cache matching what
1463 * krb5_get_creds() needs without talking to the KDC, so the
1464 * test fails with looping detected because when we set
1465 * canonicalize we confuse the client libs.
1468 assertion_message
= talloc_asprintf(tctx
,
1469 "krb5_get_creds for %s should have failed with looping detected: %s",
1470 krbtgt_other_string
,
1471 smb_get_krb5_error_message(k5_context
, k5ret
,
1474 torture_assert_int_equal(tctx
, k5ret
, KRB5_GET_IN_TKT_LOOP
, assertion_message
);
1475 torture_assert_int_equal(tctx
,
1476 test_context
->packet_count
,
1477 2, "Expected krb5_get_creds to send packets");
1481 * Prepare a TGS-REQ and run the TEST_TGS_REQ_CANON tests
1483 * This tests krb5_get_creds behaviour, which allows us to set
1484 * the KRB5_GC_CANONICALIZE option
1487 test_context
->test_stage
= TEST_TGS_REQ_CANON
;
1488 test_context
->packet_count
= 0;
1490 torture_assert_int_equal(tctx
,
1491 krb5_get_creds_opt_alloc(k5_context
, &opt
),
1492 0, "krb5_get_creds_opt_alloc");
1494 krb5_get_creds_opt_add_options(k5_context
,
1496 KRB5_GC_CANONICALIZE
);
1498 krb5_get_creds_opt_add_options(k5_context
,
1502 /* Confirm if we can get a ticket to our own name */
1503 k5ret
= krb5_get_creds(k5_context
, opt
, ccache
, principal
, &server_creds
);
1506 * In these situations, the code above does not store a
1507 * principal in the credentials cache matching what
1508 * krb5_get_creds() needs, so the test fails.
1511 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1512 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1513 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
1514 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1516 assertion_message
= talloc_asprintf(tctx
,
1517 "krb5_get_creds for %s failed: %s",
1519 smb_get_krb5_error_message(k5_context
, k5ret
,
1523 * Only machine accounts (strictly, accounts with a
1524 * servicePrincipalName) can expect this test to succeed
1526 if (torture_setting_bool(tctx
, "expect_machine_account", false)
1527 && (test_data
->enterprise
|| test_data
->upn
== false)) {
1528 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1529 torture_assert_int_equal(tctx
, krb5_cc_store_cred(k5_context
,
1530 ccache
, server_creds
),
1531 0, "krb5_cc_store_cred failed");
1533 torture_assert_int_equal(tctx
,
1534 krb5_free_creds(k5_context
,
1536 0, "krb5_free_cred_contents failed");
1539 torture_assert_int_equal(tctx
, k5ret
, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
,
1543 torture_assert_int_equal(tctx
,
1544 test_context
->packet_count
,
1545 1, "Expected krb5_get_creds to send packets");
1549 * Confirm gettting a ticket to pass to the server, running
1550 * either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage.
1552 * This triggers the client to attempt to get a
1553 * cross-realm ticket between the alternate names of
1554 * the server, and we need to confirm that behaviour.
1559 * This tries to guess when the krb5 libs will ask for a
1560 * cross-realm ticket, and when they will just ask the KDC
1563 if (test_context
->test_data
->canonicalize
== false
1564 || test_context
->test_data
->enterprise
1565 || (test_context
->test_data
->upper_realm
1566 && test_context
->test_data
->netbios_realm
== false)) {
1567 test_context
->test_stage
= TEST_TGS_REQ
;
1569 test_context
->test_stage
= TEST_SELF_TRUST_TGS_REQ
;
1572 test_context
->packet_count
= 0;
1573 torture_assert_int_equal(tctx
, krb5_auth_con_init(k5_context
, &auth_context
),
1574 0, "krb5_auth_con_init failed");
1577 k5ret
= krb5_mk_req_exact(k5_context
,
1583 assertion_message
= talloc_asprintf(tctx
,
1584 "krb5_mk_req_exact for %s failed: %s",
1586 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1589 * Only machine accounts (strictly, accounts with a
1590 * servicePrincipalName) can expect this test to succeed
1592 if (torture_setting_bool(tctx
, "expect_machine_account", false) && (test_data
->enterprise
|| test_data
->upn
== false)) {
1593 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1595 torture_assert_int_equal(tctx
, k5ret
, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
,
1600 * Only in these cases would the above code have needed to
1601 * send packets to the network
1603 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1604 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1605 torture_assert(tctx
,
1606 test_context
->packet_count
> 0,
1607 "Expected krb5_get_creds to send packets");
1611 * Confirm gettting a ticket for the same krbtgt/realm that we
1612 * got back with the initial ticket, running the
1613 * TEST_TGS_REQ_KRBTGT stage.
1617 test_context
->test_stage
= TEST_TGS_REQ_KRBTGT
;
1618 test_context
->packet_count
= 0;
1621 k5ret
= krb5_mk_req_exact(k5_context
,
1628 assertion_message
= talloc_asprintf(tctx
,
1629 "krb5_mk_req_exact for %s failed: %s",
1631 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1632 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1635 * Confirm gettting a ticket for our own principal that we
1636 * got back with the initial ticket, running the
1637 * TEST_AS_REQ_SELF stage.
1640 test_context
->test_stage
= TEST_AS_REQ_SELF
;
1641 test_context
->packet_count
= 0;
1643 k5ret
= krb5_get_init_creds_password(k5_context
, &my_creds
, principal
,
1644 password
, NULL
, NULL
, 0,
1645 principal_string
, krb_options
);
1647 if (torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) && (test_data
->upn
== false)) {
1648 assertion_message
= talloc_asprintf(tctx
,
1649 "krb5_get_init_creds_password for %s failed: %s",
1651 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1652 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1653 torture_assert(tctx
,
1654 test_context
->packet_count
>= 2,
1655 "Expected krb5_get_init_creds_password to send more packets");
1658 assertion_message
= talloc_asprintf(tctx
,
1659 "Got wrong error_code from krb5_get_init_creds_password, expected KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN trying to get a ticket to %s for %s", principal_string
, principal_string
);
1660 torture_assert_int_equal(tctx
, k5ret
,
1661 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
,
1663 torture_assert(tctx
,
1664 test_context
->packet_count
>= 1,
1665 "Expected krb5_get_init_creds_password to send more packets");
1667 /* We can't proceed with more checks */
1672 * Assert that the reply was with the correct type of
1673 * principal, depending on the flags we set
1675 if (test_data
->canonicalize
== false && test_data
->enterprise
) {
1676 torture_assert_int_equal(tctx
,
1677 krb5_principal_get_type(k5_context
,
1679 KRB5_NT_ENTERPRISE_PRINCIPAL
,
1680 "smb_krb5_init_context gave incorrect client->name.name_type");
1681 torture_assert_int_equal(tctx
,
1682 krb5_principal_get_type(k5_context
,
1684 KRB5_NT_ENTERPRISE_PRINCIPAL
,
1685 "smb_krb5_init_context gave incorrect server->name.name_type");
1687 torture_assert_int_equal(tctx
,
1688 krb5_principal_get_type(k5_context
,
1691 "smb_krb5_init_context gave incorrect client->name.name_type");
1692 torture_assert_int_equal(tctx
,
1693 krb5_principal_get_type(k5_context
,
1696 "smb_krb5_init_context gave incorrect server->name.name_type");
1699 torture_assert_int_equal(tctx
,
1700 krb5_unparse_name(k5_context
,
1701 my_creds
.client
, &got_principal_string
), 0,
1702 "krb5_unparse_name failed");
1704 assertion_message
= talloc_asprintf(tctx
,
1705 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
1706 got_principal_string
, expected_principal_string
);
1707 krb5_free_unparsed_name(k5_context
, got_principal_string
);
1709 torture_assert(tctx
, krb5_principal_compare(k5_context
,
1710 my_creds
.client
, expected_principal
),
1713 torture_assert_int_equal(tctx
,
1714 krb5_unparse_name(k5_context
,
1715 my_creds
.client
, &got_principal_string
), 0,
1716 "krb5_unparse_name failed");
1718 assertion_message
= talloc_asprintf(tctx
,
1719 "krb5_get_init_creds_password returned a different server principal %s to what was expected %s",
1720 got_principal_string
, expected_principal_string
);
1721 krb5_free_unparsed_name(k5_context
, got_principal_string
);
1723 torture_assert(tctx
, krb5_principal_compare(k5_context
,
1724 my_creds
.client
, expected_principal
),
1727 krb5_free_principal(k5_context
, principal
);
1728 krb5_get_init_creds_opt_free(k5_context
, krb_options
);
1730 torture_assert_int_equal(tctx
, krb5_free_cred_contents(k5_context
, &my_creds
),
1731 0, "krb5_free_cred_contents failed");
1736 struct torture_suite
*torture_krb5_canon(TALLOC_CTX
*mem_ctx
)
1739 struct torture_suite
*suite
= torture_suite_create(mem_ctx
, "canon");
1740 suite
->description
= talloc_strdup(suite
, "Kerberos Canonicalisation tests");
1742 for (i
= 0; i
< TEST_ALL
; i
++) {
1743 char *name
= talloc_asprintf(suite
, "%s.%s.%s.%s.%s.%s.%s",
1744 (i
& TEST_CANONICALIZE
) ? "canon" : "no-canon",
1745 (i
& TEST_ENTERPRISE
) ? "enterprise" : "no-enterprise",
1746 (i
& TEST_UPPER_REALM
) ? "uc-realm" : "lc-realm",
1747 (i
& TEST_UPPER_USERNAME
) ? "uc-user" : "lc-user",
1748 (i
& TEST_NETBIOS_REALM
) ? "netbios-realm" : "krb5-realm",
1749 (i
& TEST_WIN2K
) ? "win2k" : "no-win2k",
1750 (i
& TEST_UPN
) ? "upn" : "no-upn");
1752 struct test_data
*test_data
= talloc_zero(suite
, struct test_data
);
1754 test_data
->test_name
= name
;
1755 test_data
->real_realm
1756 = strupper_talloc(test_data
, cli_credentials_get_realm(cmdline_credentials
));
1757 test_data
->real_domain
= cli_credentials_get_domain(cmdline_credentials
);
1758 test_data
->username
= cli_credentials_get_username(cmdline_credentials
);
1759 test_data
->real_username
= cli_credentials_get_username(cmdline_credentials
);
1760 test_data
->canonicalize
= (i
& TEST_CANONICALIZE
) != 0;
1761 test_data
->enterprise
= (i
& TEST_ENTERPRISE
) != 0;
1762 test_data
->upper_realm
= (i
& TEST_UPPER_REALM
) != 0;
1763 test_data
->upper_username
= (i
& TEST_UPPER_USERNAME
) != 0;
1764 test_data
->netbios_realm
= (i
& TEST_NETBIOS_REALM
) != 0;
1765 test_data
->win2k
= (i
& TEST_WIN2K
) != 0;
1766 test_data
->upn
= (i
& TEST_UPN
) != 0;
1767 torture_suite_add_simple_tcase_const(suite
, name
, torture_krb5_as_req_canon
,