search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
torture-krb5: Split out TEST_AS_REQ_SELF recv testing routine
[Samba.git] / source4 / torture / krb5 / kdc-canon.c
blobc904a3690bff0d0763ca0b2a0c578784c921f75d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Validate the krb5 pac generation routines
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/krb5/proto.h"
27 #include "auth/credentials/credentials.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "source4/auth/kerberos/kerberos.h"
30 #include "source4/auth/kerberos/kerberos_util.h"
31 #include "lib/util/util_net.h"
32
33 #define TEST_CANONICALIZE 0x0000001
34 #define TEST_ENTERPRISE 0x0000002
35 #define TEST_UPPER_REALM 0x0000004
36 #define TEST_UPPER_USERNAME 0x0000008
37 #define TEST_NETBIOS_REALM 0x0000010
38 #define TEST_WIN2K 0x0000020
39 #define TEST_UPN 0x0000040
40 #define TEST_ALL 0x000007F
41
42 struct test_data {
43 const char *test_name;
44 const char *realm;
45 const char *real_realm;
46 const char *real_domain;
47 const char *username;
48 const char *real_username;
49 bool canonicalize;
50 bool enterprise;
51 bool upper_realm;
52 bool upper_username;
53 bool netbios_realm;
54 bool win2k;
55 bool upn;
56 bool other_upn_suffix;
57 };
58
59 enum test_stage {
60 TEST_AS_REQ = 0,
61 TEST_TGS_REQ_KRBTGT_CANON,
62 TEST_TGS_REQ_CANON,
63 TEST_SELF_TRUST_TGS_REQ,
64 TEST_TGS_REQ,
65 TEST_TGS_REQ_KRBTGT,
66 TEST_AS_REQ_SELF,
67 TEST_DONE
68 };
69
70 struct torture_krb5_context {
71 struct smb_krb5_context *smb_krb5_context;
72 struct torture_context *tctx;
73 struct addrinfo *server;
74 struct test_data *test_data;
75 int packet_count;
76 enum test_stage test_stage;
77 AS_REQ as_req;
78 AS_REP as_rep;
79 TGS_REQ tgs_req;
80 TGS_REP tgs_rep;
81 };
82
83
84 /*
85 * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND
86 *
87 * Confirm that the outgoing packet meets certain expectations. This
88 * should be extended to further assert the correct and expected
89 * behaviour of the krb5 libs, so we know what we are sending to the
90 * server.
91 *
92 * Additionally, this CHANGES the request to remove the canonicalize
93 * flag automatically added by the krb5 libs when an enterprise
94 * principal is used, so we can test what the server does in this
95 * combination.
96 *
97 */
98
99 static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_context,
100 const krb5_data *send_buf,
101 krb5_data *modified_send_buf)
102 {
103 AS_REQ mod_as_req;
104 krb5_error_code k5ret;
105 size_t used;
106 torture_assert_int_equal(test_context->tctx, decode_AS_REQ(send_buf->data, send_buf->length,
107 &test_context->as_req, &used),
108 0, "decode_AS_REQ for TEST_AS_REQ failed");
109 mod_as_req = test_context->as_req;
110 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
111 torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno,
112 5, "Got wrong as_req->pvno");
113 if (test_context->test_data->canonicalize || test_context->test_data->enterprise) {
114 torture_assert(test_context->tctx,
115 test_context->as_req.req_body.kdc_options.canonicalize,
116 "krb5 libs did not set canonicalize!");
117 } else {
118 torture_assert_int_equal(test_context->tctx,
119 test_context->as_req.req_body.kdc_options.canonicalize,
120 false,
121 "krb5 libs unexpectedly set canonicalize!");
122 }
123
124 if (test_context->test_data->enterprise) {
125 torture_assert_int_equal(test_context->tctx,
126 test_context->as_req.req_body.cname->name_type,
127 KRB5_NT_ENTERPRISE_PRINCIPAL,
128 "krb5 libs did not pass principal as enterprise!");
129 } else {
130 torture_assert_int_equal(test_context->tctx,
131 test_context->as_req.req_body.cname->name_type,
132 KRB5_NT_PRINCIPAL,
133 "krb5 libs unexpectedly set principal as enterprise!");
134 }
135
136 /* Force off canonicalize that was forced on by the krb5 libs */
137 if (test_context->test_data->canonicalize == false && test_context->test_data->enterprise) {
138 mod_as_req.req_body.kdc_options.canonicalize = false;
139 }
140
141 if (test_context->test_stage == TEST_AS_REQ_SELF) {
142 /*
143 * Force the server name to match the client name,
144 * including the name type. This isn't possible with
145 * the krb5 client libs alone
146 */
147 mod_as_req.req_body.sname = test_context->as_req.req_body.cname;
148 }
149
150 ASN1_MALLOC_ENCODE(AS_REQ, modified_send_buf->data, modified_send_buf->length,
151 &mod_as_req, &used, k5ret);
152 torture_assert_int_equal(test_context->tctx,
153 k5ret, 0,
154 "encode_AS_REQ failed");
155
156 if (test_context->test_stage != TEST_AS_REQ_SELF) {
157 torture_assert_int_equal(test_context->tctx, used, send_buf->length,
158 "re-encode length mismatch");
159 }
160 return true;
161 }
162
163 /*
164 * TEST_AS_REQ - RECV
165 *
166 * Confirm that the reply packet from the KDC meets certain
167 * expectations as part of TEST_AS_REQ. This uses a packet count to
168 * work out what packet we are up to in the multiple exchanged
169 * triggerd by krb5_get_init_creds_password().
170 *
171 */
172
173 static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context *test_context,
174 const krb5_data *recv_buf)
175 {
176 KRB_ERROR error;
177 size_t used;
178 if (test_context->packet_count == 0) {
179 krb5_error_code k5ret;
180 /*
181 * The client libs obtain the salt by attempting to
182 * authenticate without pre-authentication and getting
183 * the correct salt with the
184 * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in
185 * the test (netbios_realm && upn) that deliberatly
186 * has an incorrect principal, we check we get the
187 * correct error.
188 */
189 k5ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length,
190 &error, &used);
191 if (k5ret != 0) {
192 AS_REP as_rep;
193 k5ret = decode_AS_REP(recv_buf->data, recv_buf->length,
194 &as_rep, &used);
195 if (k5ret == 0) {
196 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
197 torture_assert(test_context->tctx, false,
198 "expected to get a KRB_ERROR packet with "
199 "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, got valid AS-REP");
200 } else {
201 torture_assert(test_context->tctx, false,
202 "expected to get a KRB_ERROR packet with "
203 "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
204 }
205 } else {
206 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
207 torture_assert(test_context->tctx, false,
208 "unable to decode as KRB-ERROR or AS-REP, "
209 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN");
210 } else {
211 torture_assert(test_context->tctx, false,
212 "unable to decode as KRB-ERROR or AS-REP, "
213 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
214 }
215 }
216 }
217 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
218 "length mismatch");
219 torture_assert_int_equal(test_context->tctx, error.pvno, 5,
220 "Got wrong error.pvno");
221 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
222 torture_assert_int_equal(test_context->tctx,
223 error.error_code,
224 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
225 "Got wrong error.error_code");
226 } else {
227 torture_assert_int_equal(test_context->tctx,
228 error.error_code,
229 KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
230 "Got wrong error.error_code");
231 }
232
233 free_KRB_ERROR(&error);
234 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
235 && (test_context->packet_count == 1)) {
236 /*
237 * The Windows 2012R2 KDC will always respond with
238 * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
239 * won't fit, because of the PAC. (It appears to do
240 * this always, even if it will). This triggers the
241 * client to try again over TCP.
242 */
243 torture_assert_int_equal(test_context->tctx,
244 used, recv_buf->length,
245 "length mismatch");
246 torture_assert_int_equal(test_context->tctx,
247 error.pvno, 5,
248 "Got wrong error.pvno");
249 torture_assert_int_equal(test_context->tctx,
250 error.error_code,
251 KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
252 "Got wrong error.error_code");
253 free_KRB_ERROR(&error);
254 } else {
255 /*
256 * Finally the successful packet.
257 */
258 torture_assert_int_equal(test_context->tctx,
259 decode_AS_REP(recv_buf->data, recv_buf->length,
260 &test_context->as_rep, &used), 0,
261 "decode_AS_REP failed");
262 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
263 "length mismatch");
264 torture_assert_int_equal(test_context->tctx,
265 test_context->as_rep.pvno, 5,
266 "Got wrong as_rep->pvno");
267 torture_assert_int_equal(test_context->tctx,
268 test_context->as_rep.ticket.tkt_vno, 5,
269 "Got wrong as_rep->ticket.tkt_vno");
270 torture_assert(test_context->tctx,
271 test_context->as_rep.ticket.enc_part.kvno,
272 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
273
274 /*
275 * We can confirm that the correct proxy behaviour is
276 * in use on the KDC by checking the KVNO of the
277 * krbtgt account returned in the reply.
278 *
279 * A packet passed to the full RW DC will not have a
280 * KVNO in the upper bits, while a packet processed
281 * locally on the RODC will have these bits filled in
282 * the msDS-SecondaryKrbTgtNumber
283 */
284 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
285 torture_assert_int_not_equal(test_context->tctx,
286 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
287 0, "Did not get a RODC number in the KVNO");
288 } else {
289 torture_assert_int_equal(test_context->tctx,
290 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
291 0, "Unexpecedly got a RODC number in the KVNO");
292 }
293 free_AS_REP(&test_context->as_rep);
294 }
295 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
296 free_AS_REQ(&test_context->as_req);
297 return true;
298 }
299
300 /*
301 * TEST_TGS_REQ_KRBTGT_CANON
302 *
303 *
304 * Confirm that the outgoing TGS-REQ packet from krb5_get_creds()
305 * for the krbtgt/realm principal meets certain expectations, like
306 * that the canonicalize bit is not set
307 *
308 */
309
310 static bool torture_krb5_pre_send_tgs_req_krbtgt_canon_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
311 {
312 size_t used;
313 torture_assert_int_equal(test_context->tctx,
314 decode_TGS_REQ(send_buf->data, send_buf->length,
315 &test_context->tgs_req, &used),
316 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
317 torture_assert_int_equal(test_context->tctx,
318 used, send_buf->length,
319 "length mismatch");
320 torture_assert_int_equal(test_context->tctx,
321 test_context->tgs_req.pvno, 5,
322 "Got wrong as_req->pvno");
323 torture_assert_int_equal(test_context->tctx,
324 test_context->tgs_req.req_body.kdc_options.canonicalize,
325 true,
326 "krb5 libs unexpectedly did not set canonicalize!");
327
328 torture_assert_int_equal(test_context->tctx,
329 test_context->tgs_req.req_body.sname->name_type,
330 KRB5_NT_PRINCIPAL,
331 "Mismatch in name_type between request and expected request");
332
333 torture_assert_str_equal(test_context->tctx,
334 test_context->tgs_req.req_body.realm,
335 test_context->test_data->real_realm,
336 "Mismatch in realm between request and expected request");
337
338 *modified_send_buf = *send_buf;
339 return true;
340 }
341
342 /*
343 * TEST_TGS_REQ_KRBTGT_CANON
344 *
345 * Confirm that the reply TGS-REP packet for krb5_get_creds()
346 * where the client is behaving as if this is a cross-realm trust due
347 * to case or netbios vs dns name differences meets certain
348 * expectations, while canonicalize is set
349 *
350 */
351
352 static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
353 {
354 size_t used;
355 torture_assert_int_equal(test_context->tctx,
356 decode_TGS_REP(recv_buf->data, recv_buf->length,
357 &test_context->tgs_rep, &used),
358 0,
359 "decode_TGS_REP failed");
360 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
361 torture_assert_int_equal(test_context->tctx,
362 test_context->tgs_rep.pvno, 5,
363 "Got wrong as_rep->pvno");
364 torture_assert_int_equal(test_context->tctx,
365 test_context->tgs_rep.ticket.tkt_vno, 5,
366 "Got wrong as_rep->ticket.tkt_vno");
367 torture_assert(test_context->tctx,
368 test_context->tgs_rep.ticket.enc_part.kvno,
369 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
370 torture_assert_str_equal(test_context->tctx,
371 test_context->tgs_req.req_body.realm,
372 test_context->tgs_rep.ticket.realm,
373 "Mismatch in realm between request and ticket response");
374 torture_assert_str_equal(test_context->tctx,
375 test_context->tgs_rep.ticket.realm,
376 test_context->test_data->real_realm,
377 "Mismatch in realm between ticket response and expected ticket response");
378 torture_assert_int_equal(test_context->tctx,
379 test_context->tgs_rep.ticket.sname.name_type,
380 KRB5_NT_SRV_INST,
381 "Mismatch in name_type between ticket response and expected value of KRB5_NT_SRV_INST");
382
383 torture_assert_int_equal(test_context->tctx,
384 test_context->tgs_rep.ticket.sname.name_string.len,
385 2,
386 "Mismatch in name_type between ticket response and expected value, expected krbtgt/REALM@REALM");
387
388 torture_assert_str_equal(test_context->tctx,
389 test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt",
390 "Mismatch in name between reponse and expected response, expected krbtgt");
391 torture_assert_str_equal(test_context->tctx,
392 test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->real_realm,
393 "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM");
394
395 /*
396 * We can confirm that the correct proxy behaviour is
397 * in use on the KDC by checking the KVNO of the
398 * krbtgt account returned in the reply.
399 *
400 * A packet passed to the full RW DC will not have a
401 * KVNO in the upper bits, while a packet processed
402 * locally on the RODC will have these bits filled in
403 * the msDS-SecondaryKrbTgtNumber
404 */
405 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
406 torture_assert_int_not_equal(test_context->tctx,
407 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
408 0, "Did not get a RODC number in the KVNO");
409 } else {
410 torture_assert_int_equal(test_context->tctx,
411 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
412 0, "Unexpecedly got a RODC number in the KVNO");
413 }
414 free_TGS_REP(&test_context->tgs_rep);
415 torture_assert(test_context->tctx,
416 test_context->packet_count < 2,
417 "too many packets");
418 free_TGS_REQ(&test_context->tgs_req);
419 return true;
420 }
421
422 /*
423 * TEST_TGS_REQ_CANON
424 *
425 * Confirm that the outgoing TGS-REQ packet from krb5_get_creds
426 * certain expectations, like that the canonicalize bit is set (this
427 * test is to force that handling) and that if an enterprise name was
428 * requested, that it was sent.
429 *
430 */
431
432 static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context *test_context,
433 const krb5_data *send_buf,
434 krb5_data *modified_send_buf)
435 {
436 size_t used;
437 torture_assert_int_equal(test_context->tctx,
438 decode_TGS_REQ(send_buf->data, send_buf->length,
439 &test_context->tgs_req, &used),
440 0, "decode_TGS_REQ for TEST_TGS_REQ_CANON test failed");
441 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
442 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
443 torture_assert_int_equal(test_context->tctx,
444 test_context->tgs_req.req_body.kdc_options.canonicalize,
445 true, "krb5 libs unexpectedly did not set canonicalize!");
446
447 if (test_context->test_data->enterprise) {
448 torture_assert_int_equal(test_context->tctx,
449 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL,
450 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
451 torture_assert_str_equal(test_context->tctx,
452 test_context->tgs_req.req_body.realm, test_context->test_data->real_realm,
453 "Mismatch in realm between request and expected request");
454
455 } else if (test_context->test_data->canonicalize) {
456 torture_assert_int_equal(test_context->tctx,
457 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
458 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
459 torture_assert_str_equal(test_context->tctx,
460 test_context->tgs_req.req_body.realm, test_context->test_data->real_realm,
461 "Mismatch in realm between request and expected request");
462
463 } else {
464 torture_assert_int_equal(test_context->tctx,
465 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
466 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
467 torture_assert_str_equal(test_context->tctx,
468 test_context->tgs_req.req_body.realm, test_context->test_data->realm,
469 "Mismatch in realm between request and expected request");
470
471 }
472
473 *modified_send_buf = *send_buf;
474
475 return true;
476 }
477
478 /*
479 * TEST_TGS_REQ_CANON - RECV
480 *
481 * Confirm that the reply TGS-REP or error packet from the KDC meets
482 * certain expectations as part of TEST_TGS_REQ_CANON.
483 *
484 * This is triggered by krb5_get_creds()
485 *
486 */
487
488 static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
489 {
490 KRB_ERROR error;
491 size_t used;
492
493 /*
494 * If this account did not have a servicePrincipalName, then
495 * we expect a errro packet, not a TGS-REQ
496 */
497 if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
498 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
499 torture_assert_int_equal(test_context->tctx,
500 error.pvno, 5,
501 "Got wrong error.pvno");
502 torture_assert_int_equal(test_context->tctx,
503 error.error_code,
504 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
505 "Got wrong error.error_code");
506 } else {
507 torture_assert_int_equal(test_context->tctx,
508 decode_TGS_REP(recv_buf->data, recv_buf->length,
509 &test_context->tgs_rep,
510 &used),
511 0,
512 "decode_TGS_REP failed");
513 torture_assert_int_equal(test_context->tctx,
514 used, recv_buf->length,
515 "length mismatch");
516 torture_assert_int_equal(test_context->tctx,
517 test_context->tgs_rep.pvno, 5,
518 "Got wrong as_rep->pvno");
519 torture_assert_int_equal(test_context->tctx,
520 test_context->tgs_rep.ticket.tkt_vno, 5,
521 "Got wrong as_rep->ticket.tkt_vno");
522 torture_assert(test_context->tctx,
523 test_context->tgs_rep.ticket.enc_part.kvno,
524 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
525 torture_assert_str_equal(test_context->tctx,
526 test_context->tgs_rep.ticket.realm,
527 test_context->test_data->real_realm,
528 "Mismatch in realm between ticket response and expected upper case REALM");
529 torture_assert_int_equal(test_context->tctx,
530 test_context->tgs_rep.ticket.sname.name_type,
531 test_context->tgs_req.req_body.sname->name_type,
532 "Mismatch in name_type between request and ticket response");
533 torture_assert_int_equal(test_context->tctx,
534 test_context->tgs_rep.ticket.sname.name_string.len,
535 test_context->tgs_req.req_body.sname->name_string.len,
536 "Mismatch in name_string.len between request and ticket response");
537 torture_assert(test_context->tctx,
538 test_context->tgs_rep.ticket.sname.name_string.len >= 1,
539 "name_string.len should be >=1 in ticket response");
540 torture_assert_str_equal(test_context->tctx,
541 test_context->tgs_rep.ticket.sname.name_string.val[0],
542 test_context->tgs_req.req_body.sname->name_string.val[0],
543 "Mismatch in name between request and expected request");
544 torture_assert_int_equal(test_context->tctx,
545 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
546 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
547 free_TGS_REP(&test_context->tgs_rep);
548 }
549 torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets");
550 free_TGS_REQ(&test_context->tgs_req);
551
552 return true;
553 }
554
555 /*
556 * TEST_SELF_TRUST_TGS_REQ
557 *
558 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
559 * certain expectations, like that the canonicalize bit is set (this
560 * test is to force that handling).
561 *
562 * This test is for the case where the name we ask for, while a valid
563 * alternate name for our own realm is used. The client acts as if
564 * this is cross-realm trust.
565 *
566 */
567
568 static bool torture_krb5_pre_send_self_trust_tgs_req_test(struct torture_krb5_context *test_context,
569 const krb5_data *send_buf,
570 krb5_data *modified_send_buf)
571 {
572 size_t used;
573 torture_assert_int_equal(test_context->tctx,
574 decode_TGS_REQ(send_buf->data, send_buf->length,
575 &test_context->tgs_req, &used),
576 0, "decode_TGS_REQ for TEST_SELF_TRUST_TGS_REQ test failed");
577 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
578 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
579 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.req_body.kdc_options.canonicalize, false, "krb5 libs unexpectedly set canonicalize!");
580
581 if (test_context->test_data->canonicalize) {
582 torture_assert_str_equal(test_context->tctx,
583 test_context->tgs_req.req_body.realm,
584 test_context->test_data->real_realm,
585 "Mismatch in realm between request and expected request");
586 } else {
587 torture_assert_str_equal(test_context->tctx,
588 test_context->tgs_req.req_body.realm,
589 test_context->test_data->realm,
590 "Mismatch in realm between request and expected request");
591 }
592 torture_assert_int_equal(test_context->tctx,
593 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
594 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
595 torture_assert_int_equal(test_context->tctx,
596 test_context->tgs_req.req_body.sname->name_string.len, 2,
597 "Mismatch in name between request and expected request, expected krbtgt/realm");
598 torture_assert_str_equal(test_context->tctx,
599 test_context->tgs_req.req_body.sname->name_string.val[0], "krbtgt",
600 "Mismatch in name between request and expected request, expected krbtgt");
601 torture_assert_str_equal(test_context->tctx,
602 test_context->tgs_req.req_body.sname->name_string.val[1], test_context->test_data->realm,
603 "Mismatch in realm part of cross-realm request principal between request and expected request");
604 *modified_send_buf = *send_buf;
605
606 return true;
607 }
608
609 /*
610 * TEST_SELF_TRUST_TGS_REQ and TEST_TGS_REQ_KRBTGT - RECV
611 *
612 * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(),
613 * where the client is behaving as if this is a cross-realm trust due
614 * to case or netbios vs dns name differences meets certain
615 * expectations.
616 *
617 */
618
619 static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
620 {
621 size_t used;
622 torture_assert_int_equal(test_context->tctx,
623 decode_TGS_REP(recv_buf->data, recv_buf->length,
624 &test_context->tgs_rep, &used),
625 0,
626 "decode_TGS_REP failed");
627 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
628 torture_assert_int_equal(test_context->tctx,
629 test_context->tgs_rep.pvno, 5,
630 "Got wrong as_rep->pvno");
631 torture_assert_int_equal(test_context->tctx,
632 test_context->tgs_rep.ticket.tkt_vno, 5,
633 "Got wrong as_rep->ticket.tkt_vno");
634 torture_assert(test_context->tctx,
635 test_context->tgs_rep.ticket.enc_part.kvno,
636 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
637 torture_assert_str_equal(test_context->tctx,
638 test_context->tgs_req.req_body.realm,
639 test_context->tgs_rep.ticket.realm,
640 "Mismatch in realm between request and ticket response");
641 torture_assert_int_equal(test_context->tctx,
642 test_context->tgs_rep.ticket.sname.name_type,
643 test_context->tgs_req.req_body.sname->name_type,
644 "Mismatch in name_type between request and ticket response");
645
646 torture_assert_int_equal(test_context->tctx,
647 test_context->tgs_rep.ticket.sname.name_string.len, 2,
648 "Mismatch in name between request and expected request, expected krbtgt/realm");
649 torture_assert_str_equal(test_context->tctx,
650 test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt",
651 "Mismatch in name between request and expected request, expected krbtgt");
652 torture_assert_str_equal(test_context->tctx,
653 test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->realm,
654 "Mismatch in realm part of cross-realm request principal between response and expected request");
655 /*
656 * We can confirm that the correct proxy behaviour is
657 * in use on the KDC by checking the KVNO of the
658 * krbtgt account returned in the reply.
659 *
660 * A packet passed to the full RW DC will not have a
661 * KVNO in the upper bits, while a packet processed
662 * locally on the RODC will have these bits filled in
663 * the msDS-SecondaryKrbTgtNumber
664 */
665 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
666 torture_assert_int_not_equal(test_context->tctx,
667 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
668 0, "Did not get a RODC number in the KVNO");
669 } else {
670 torture_assert_int_equal(test_context->tctx,
671 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
672 0, "Unexpecedly got a RODC number in the KVNO");
673 }
674 free_TGS_REP(&test_context->tgs_rep);
675 torture_assert_int_equal(test_context->tctx,
676 test_context->packet_count, 0,
677 "too many packets");
678 test_context->packet_count = 0;
679 test_context->test_stage = TEST_TGS_REQ;
680 free_TGS_REQ(&test_context->tgs_req);
681 return true;
682 }
683
684 /*
685 * TEST_TGS_REQ
686 *
687 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
688 * certain expectations, like that the canonicalize bit is set (this
689 * test is to force that handling) and that if an enterprise name was
690 * requested, that it was sent.
691 *
692 */
693
694 static bool torture_krb5_pre_send_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
695 {
696 size_t used;
697 torture_assert_int_equal(test_context->tctx,
698 decode_TGS_REQ(send_buf->data, send_buf->length,
699 &test_context->tgs_req, &used),
700 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
701 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
702 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5,
703 "Got wrong as_req->pvno");
704 torture_assert_int_equal(test_context->tctx,
705 test_context->tgs_req.req_body.kdc_options.canonicalize,
706 false,
707 "krb5 libs unexpectedly set canonicalize!");
708
709 if (test_context->test_data->enterprise) {
710 torture_assert_int_equal(test_context->tctx,
711 test_context->tgs_req.req_body.sname->name_type,
712 KRB5_NT_ENTERPRISE_PRINCIPAL,
713 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
714 torture_assert_str_equal(test_context->tctx,
715 test_context->tgs_req.req_body.realm,
716 test_context->test_data->real_realm,
717 "Mismatch in realm between request and expected request");
718
719 } else {
720 torture_assert_int_equal(test_context->tctx,
721 test_context->tgs_req.req_body.sname->name_type,
722 KRB5_NT_PRINCIPAL,
723 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
724 torture_assert_str_equal(test_context->tctx,
725 test_context->tgs_req.req_body.realm,
726 test_context->test_data->realm,
727 "Mismatch in realm between request and expected request");
728
729 }
730
731 *modified_send_buf = *send_buf;
732
733 return true;
734 }
735
736 /*
737 * TEST_TGS_REQ - RECV
738 *
739 * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(), for
740 * the actual target service.
741 *
742 */
743
744 static bool torture_krb5_post_recv_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
745 {
746 KRB_ERROR error;
747 size_t used;
748 /*
749 * If this account did not have a servicePrincipalName, then
750 * we expect a errro packet, not a TGS-REQ
751 */
752 if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
753 torture_assert_int_equal(test_context->tctx,
754 used, recv_buf->length,
755 "length mismatch");
756 torture_assert_int_equal(test_context->tctx,
757 error.pvno, 5,
758 "Got wrong error.pvno");
759 torture_assert_int_equal(test_context->tctx,
760 error.error_code,
761 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
762 "Got wrong error.error_code");
763 } else {
764 torture_assert_int_equal(test_context->tctx,
765 decode_TGS_REP(recv_buf->data, recv_buf->length,
766 &test_context->tgs_rep, &used),
767 0,
768 "decode_TGS_REP failed");
769 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
770 "length mismatch");
771 torture_assert_int_equal(test_context->tctx,
772 test_context->tgs_rep.pvno, 5,
773 "Got wrong as_rep->pvno");
774 torture_assert_int_equal(test_context->tctx,
775 test_context->tgs_rep.ticket.tkt_vno, 5,
776 "Got wrong as_rep->ticket.tkt_vno");
777 torture_assert(test_context->tctx,
778 test_context->tgs_rep.ticket.enc_part.kvno,
779 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
780 torture_assert_str_equal(test_context->tctx,
781 test_context->tgs_rep.ticket.realm,
782 test_context->test_data->real_realm,
783 "Mismatch in realm between ticket response and expected upper case REALM");
784 torture_assert_int_equal(test_context->tctx,
785 test_context->tgs_req.req_body.sname->name_type,
786 test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response");
787 torture_assert_int_equal(test_context->tctx,
788 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
789 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
790 free_TGS_REP(&test_context->tgs_rep);
791 }
792 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
793 free_TGS_REQ(&test_context->tgs_req);
794 test_context->test_stage = TEST_DONE;
795 return true;
796 }
797
798 /*
799 * TEST_TGS_REQ_KRBTGT
800 *
801 *
802 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
803 * for the krbtgt/realm principal meets certain expectations, like
804 * that the canonicalize bit is not set
805 *
806 */
807
808 static bool torture_krb5_pre_send_tgs_req_krbtgt_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
809 {
810 size_t used;
811 torture_assert_int_equal(test_context->tctx,
812 decode_TGS_REQ(send_buf->data, send_buf->length,
813 &test_context->tgs_req, &used),
814 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
815 torture_assert_int_equal(test_context->tctx,
816 used, send_buf->length,
817 "length mismatch");
818 torture_assert_int_equal(test_context->tctx,
819 test_context->tgs_req.pvno, 5,
820 "Got wrong as_req->pvno");
821 torture_assert_int_equal(test_context->tctx,
822 test_context->tgs_req.req_body.kdc_options.canonicalize,
823 false,
824 "krb5 libs unexpectedly set canonicalize!");
825
826 torture_assert_str_equal(test_context->tctx,
827 test_context->tgs_req.req_body.realm,
828 test_context->test_data->realm,
829 "Mismatch in realm between request and expected request");
830
831 *modified_send_buf = *send_buf;
832 test_context->test_stage = TEST_DONE;
833 return true;
834 }
835
836 /*
837 * TEST_AS_REQ_SELF - RECV
838 *
839 * Confirm that the reply packet from the KDC meets certain
840 * expectations as part of TEST_AS_REQ. This uses a packet count to
841 * work out what packet we are up to in the multiple exchanged
842 * triggerd by krb5_get_init_creds_password().
843 *
844 */
845
846 static bool torture_krb5_post_recv_as_req_self_test(struct torture_krb5_context *test_context,
847 const krb5_data *recv_buf)
848 {
849 KRB_ERROR error;
850 size_t used;
851 if (test_context->packet_count == 0) {
852 krb5_error_code k5ret;
853 /*
854 * The client libs obtain the salt by attempting to
855 * authenticate without pre-authentication and getting
856 * the correct salt with the
857 * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in
858 * the test (netbios_realm && upn) that deliberatly
859 * has an incorrect principal, we check we get the
860 * correct error.
861 */
862 k5ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length,
863 &error, &used);
864 if (k5ret != 0) {
865 AS_REP as_rep;
866 k5ret = decode_AS_REP(recv_buf->data, recv_buf->length,
867 &as_rep, &used);
868 if (k5ret == 0) {
869 if (torture_setting_bool(test_context->tctx, "expect_machine_account", false) == false
870 || (test_context->test_data->upn == true)) {
871 torture_assert(test_context->tctx, false,
872 "expected to get a KRB_ERROR packet with "
873 "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
874 } else {
875 torture_assert(test_context->tctx, false,
876 "expected to get a KRB_ERROR packet with "
877 "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
878 }
879 } else {
880 if (torture_setting_bool(test_context->tctx, "expect_machine_account", false) == false
881 || (test_context->test_data->upn == true)) {
882 torture_assert(test_context->tctx, false,
883 "unable to decode as KRB-ERROR or AS-REP, "
884 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED");
885 } else {
886 torture_assert(test_context->tctx, false,
887 "unable to decode as KRB-ERROR or AS-REP, "
888 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
889 }
890 }
891 }
892 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
893 "length mismatch");
894 torture_assert_int_equal(test_context->tctx, error.pvno, 5,
895 "Got wrong error.pvno");
896 if ((torture_setting_bool(test_context->tctx, "expect_machine_account", false) == false
897 || (test_context->test_data->upn == true))
898 && error.error_code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE) {
899 /*
900 * IGNORE
901 *
902 * This case is because Samba's Heimdal KDC
903 * checks server and client accounts before
904 * checking for pre-authentication.
905 */
906 } else {
907 torture_assert_int_equal(test_context->tctx,
908 error.error_code,
909 KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
910 "Got wrong error.error_code");
911 }
912
913 free_KRB_ERROR(&error);
914 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
915 && (test_context->packet_count == 1)) {
916 /*
917 * The Windows 2012R2 KDC will always respond with
918 * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
919 * won't fit, because of the PAC. (It appears to do
920 * this always, even if it will). This triggers the
921 * client to try again over TCP.
922 */
923 torture_assert_int_equal(test_context->tctx,
924 used, recv_buf->length,
925 "length mismatch");
926 torture_assert_int_equal(test_context->tctx,
927 error.pvno, 5,
928 "Got wrong error.pvno");
929 if ((torture_setting_bool(test_context->tctx, "expect_machine_account", false)
930 && (test_context->test_data->upn == false))) {
931 torture_assert_int_equal(test_context->tctx,
932 error.error_code,
933 KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
934 "Got wrong error.error_code");
935 } else {
936 torture_assert_int_equal(test_context->tctx,
937 error.error_code,
938 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
939 "Got wrong error.error_code");
940 }
941 free_KRB_ERROR(&error);
942 } else {
943 /*
944 * Finally the successful packet.
945 */
946 torture_assert_int_equal(test_context->tctx,
947 decode_AS_REP(recv_buf->data, recv_buf->length,
948 &test_context->as_rep, &used), 0,
949 "decode_AS_REP failed");
950 torture_assert_int_equal(test_context->tctx, used, recv_buf->length,
951 "length mismatch");
952 torture_assert_int_equal(test_context->tctx,
953 test_context->as_rep.pvno, 5,
954 "Got wrong as_rep->pvno");
955 torture_assert_int_equal(test_context->tctx,
956 test_context->as_rep.ticket.tkt_vno, 5,
957 "Got wrong as_rep->ticket.tkt_vno");
958 torture_assert(test_context->tctx,
959 test_context->as_rep.ticket.enc_part.kvno,
960 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
961
962 /*
963 * We do not expect an RODC number here in the KVNO,
964 * as this is a ticket to the user's own account.
965 */
966 torture_assert_int_equal(test_context->tctx,
967 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
968 0, "Unexpecedly got a RODC number in the KVNO");
969 free_AS_REP(&test_context->as_rep);
970 }
971 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
972 free_AS_REQ(&test_context->as_req);
973 return true;
974 }
975
976 /*
977 * This function is set in torture_krb5_init_context_canon as krb5
978 * send_and_recv function. This allows us to override what server the
979 * test is aimed at, and to inspect the packets just before they are
980 * sent to the network, and before they are processed on the recv
981 * side.
982 *
983 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
984 * functions are implement the actual tests.
985 *
986 * When this asserts, the caller will get a spurious 'cannot contact
987 * any KDC' message.
988 *
989 */
990 static krb5_error_code smb_krb5_send_and_recv_func_canon_override(krb5_context context,
991 void *data, /* struct torture_krb5_context */
992 krb5_krbhst_info *hi,
993 time_t timeout,
994 const krb5_data *send_buf,
995 krb5_data *recv_buf)
996 {
997 krb5_error_code k5ret;
998 bool ok = false;
999 krb5_data modified_send_buf;
1000
1001 struct torture_krb5_context *test_context
1002 = talloc_get_type_abort(data, struct torture_krb5_context);
1003
1004 switch (test_context->test_stage) {
1005 case TEST_DONE:
1006 torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs");
1007 return EINVAL;
1008 case TEST_AS_REQ:
1009 ok = torture_krb5_pre_send_as_req_test(test_context, send_buf,
1010 &modified_send_buf);
1011 break;
1012 case TEST_TGS_REQ_KRBTGT_CANON:
1013 ok = torture_krb5_pre_send_tgs_req_krbtgt_canon_test(test_context, send_buf,
1014 &modified_send_buf);
1015 break;
1016 case TEST_TGS_REQ_CANON:
1017 ok = torture_krb5_pre_send_tgs_req_canon_test(test_context, send_buf,
1018 &modified_send_buf);
1019 break;
1020 case TEST_SELF_TRUST_TGS_REQ:
1021 ok = torture_krb5_pre_send_self_trust_tgs_req_test(test_context, send_buf,
1022 &modified_send_buf);
1023 break;
1024 case TEST_TGS_REQ:
1025 ok = torture_krb5_pre_send_tgs_req_test(test_context, send_buf,
1026 &modified_send_buf);
1027 break;
1028 case TEST_TGS_REQ_KRBTGT:
1029 ok = torture_krb5_pre_send_tgs_req_krbtgt_test(test_context, send_buf,
1030 &modified_send_buf);
1031 break;
1032 case TEST_AS_REQ_SELF:
1033 ok = torture_krb5_pre_send_as_req_test(test_context, send_buf,
1034 &modified_send_buf);
1035 break;
1036 }
1037 if (ok == false) {
1038 return EINVAL;
1039 }
1040
1041 k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
1042 hi, timeout, &modified_send_buf,
1043 recv_buf);
1044 if (k5ret != 0) {
1045 return k5ret;
1046 }
1047
1048 switch (test_context->test_stage) {
1049 case TEST_DONE:
1050 torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs");
1051 return EINVAL;
1052 case TEST_AS_REQ:
1053 ok = torture_krb5_post_recv_as_req_test(test_context, recv_buf);
1054 break;
1055 case TEST_TGS_REQ_KRBTGT_CANON:
1056 ok = torture_krb5_post_recv_tgs_req_krbtgt_canon_test(test_context, recv_buf);
1057 break;
1058 case TEST_TGS_REQ_CANON:
1059 ok = torture_krb5_post_recv_tgs_req_canon_test(test_context, recv_buf);
1060 break;
1061 case TEST_SELF_TRUST_TGS_REQ:
1062 ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf);
1063 break;
1064 case TEST_TGS_REQ:
1065 ok = torture_krb5_post_recv_tgs_req_test(test_context, recv_buf);
1066 break;
1067 case TEST_TGS_REQ_KRBTGT:
1068 ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf);
1069 break;
1070 case TEST_AS_REQ_SELF:
1071 ok = torture_krb5_post_recv_as_req_self_test(test_context, recv_buf);
1072 break;
1073 }
1074 if (ok == false) {
1075 return EINVAL;
1076 }
1077
1078 test_context->packet_count++;
1079
1080 return k5ret;
1081 }
1082
1083 static int test_context_destructor(struct torture_krb5_context *test_context)
1084 {
1085 freeaddrinfo(test_context->server);
1086 return 0;
1087 }
1088
1089
1090 static bool torture_krb5_init_context_canon(struct torture_context *tctx,
1091 struct test_data *test_data,
1092 struct torture_krb5_context **torture_krb5_context)
1093 {
1094 const char *host = torture_setting_string(tctx, "host", NULL);
1095 krb5_error_code k5ret;
1096 bool ok;
1097
1098 struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
1099 torture_assert(tctx, test_context != NULL, "Failed to allocate");
1100
1101 test_context->test_data = test_data;
1102 test_context->tctx = tctx;
1103
1104 k5ret = smb_krb5_init_context(test_context, tctx->lp_ctx, &test_context->smb_krb5_context);
1105 torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
1106
1107 ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
1108 torture_assert(tctx, ok, "Failed to parse target server");
1109
1110 talloc_set_destructor(test_context, test_context_destructor);
1111
1112 set_sockaddr_port(test_context->server->ai_addr, 88);
1113
1114 k5ret = krb5_set_send_to_kdc_func(test_context->smb_krb5_context->krb5_context,
1115 smb_krb5_send_and_recv_func_canon_override,
1116 test_context);
1117 torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
1118 *torture_krb5_context = test_context;
1119 return true;
1120 }
1121
1122
1123 static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *tcase_data)
1124 {
1125 krb5_error_code k5ret;
1126 krb5_get_init_creds_opt *krb_options = NULL;
1127 struct test_data *test_data = talloc_get_type_abort(tcase_data, struct test_data);
1128 krb5_principal principal;
1129 krb5_principal krbtgt_other;
1130 krb5_principal expected_principal;
1131 char *principal_string;
1132 char *krbtgt_other_string;
1133 int principal_flags;
1134 char *expected_principal_string;
1135 int expected_principal_flags;
1136 char *got_principal_string;
1137 char *assertion_message;
1138 const char *password = cli_credentials_get_password(cmdline_credentials);
1139 krb5_context k5_context;
1140 struct torture_krb5_context *test_context;
1141 bool ok;
1142 krb5_creds my_creds;
1143 krb5_creds *server_creds;
1144 krb5_ccache ccache;
1145 krb5_auth_context auth_context;
1146 char *cc_name;
1147 krb5_data in_data, enc_ticket;
1148 krb5_get_creds_opt opt;
1149
1150 const char *upn = torture_setting_string(tctx, "krb5-upn", "");
1151
1152 /*
1153 * If we have not passed a UPN on the command line,
1154 * then skip the UPN tests.
1155 */
1156 if (test_data->upn && upn[0] == '\0') {
1157 torture_skip(tctx, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run");
1158 }
1159
1160 if (test_data->netbios_realm) {
1161 test_data->realm = test_data->real_domain;
1162 } else {
1163 test_data->realm = test_data->real_realm;
1164 }
1165
1166 if (test_data->upn) {
1167 char *p;
1168 test_data->username = talloc_strdup(test_data, upn);
1169 p = strchr(test_data->username, '@');
1170 if (p) {
1171 *p = '\0';
1172 p++;
1173 }
1174 /*
1175 * Test the UPN behaviour carefully. We can
1176 * test in two different modes, depending on
1177 * what UPN has been set up for us.
1178 *
1179 * If the UPN is in our realm, then we do all the tests with this name also.
1180 *
1181 * If the UPN is not in our realm, then we
1182 * expect the tests that replace the realm to
1183 * fail (as it won't match)
1184 */
1185 if (strcasecmp(p, test_data->real_realm) != 0) {
1186 test_data->other_upn_suffix = true;
1187 } else {
1188 test_data->other_upn_suffix = false;
1189 }
1190
1191 /*
1192 * This lets us test the combination of the UPN prefix
1193 * with a valid domain, without adding even more
1194 * combinations
1195 */
1196 if (test_data->netbios_realm == false) {
1197 test_data->realm = p;
1198 }
1199 }
1200
1201 ok = torture_krb5_init_context_canon(tctx, test_data, &test_context);
1202 torture_assert(tctx, ok, "torture_krb5_init_context failed");
1203 k5_context = test_context->smb_krb5_context->krb5_context;
1204
1205 if (test_data->upper_realm) {
1206 test_data->realm = strupper_talloc(test_data, test_data->realm);
1207 } else {
1208 test_data->realm = strlower_talloc(test_data, test_data->realm);
1209 }
1210 if (test_data->upper_username) {
1211 test_data->username = strupper_talloc(test_data, test_data->username);
1212 } else {
1213 test_data->username = talloc_strdup(test_data, test_data->username);
1214 }
1215
1216 principal_string = talloc_asprintf(test_data, "%s@%s", test_data->username, test_data->realm);
1217
1218 /*
1219 * If we are set to canonicalize, we get back the fixed UPPER
1220 * case realm, and the real username (ie matching LDAP
1221 * samAccountName)
1222 *
1223 * Otherwise, if we are set to enterprise, we
1224 * get back the whole principal as-sent
1225 *
1226 * Finally, if we are not set to canonicalize, we get back the
1227 * fixed UPPER case realm, but the as-sent username
1228 */
1229 if (test_data->canonicalize) {
1230 expected_principal_string = talloc_asprintf(test_data,
1231 "%s@%s",
1232 test_data->real_username,
1233 test_data->real_realm);
1234 } else if (test_data->enterprise) {
1235 expected_principal_string = principal_string;
1236 } else {
1237 expected_principal_string = talloc_asprintf(test_data,
1238 "%s@%s",
1239 test_data->username,
1240 test_data->real_realm);
1241 }
1242
1243 if (test_data->enterprise) {
1244 principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1245 } else {
1246 if (test_data->upn && test_data->other_upn_suffix) {
1247 torture_skip(tctx, "UPN test for UPN with other UPN suffix only runs with enterprise principals");
1248 }
1249 principal_flags = 0;
1250 }
1251
1252 if (test_data->canonicalize) {
1253 expected_principal_flags = 0;
1254 } else {
1255 expected_principal_flags = principal_flags;
1256 }
1257
1258 torture_assert_int_equal(tctx,
1259 krb5_parse_name_flags(k5_context,
1260 principal_string,
1261 principal_flags,
1262 &principal),
1263 0, "krb5_parse_name_flags failed");
1264 torture_assert_int_equal(tctx,
1265 krb5_parse_name_flags(k5_context,
1266 expected_principal_string,
1267 expected_principal_flags,
1268 &expected_principal),
1269 0, "krb5_parse_name_flags failed");
1270
1271 /*
1272 * Prepare a AS-REQ and run the TEST_AS_REQ tests
1273 *
1274 */
1275
1276 test_context->test_stage = TEST_AS_REQ;
1277 test_context->packet_count = 0;
1278
1279 /*
1280 * Set the canonicalize flag if this test requires it
1281 */
1282 torture_assert_int_equal(tctx,
1283 krb5_get_init_creds_opt_alloc(k5_context, &krb_options),
1284 0, "krb5_get_init_creds_opt_alloc failed");
1285
1286 torture_assert_int_equal(tctx,
1287 krb5_get_init_creds_opt_set_canonicalize(k5_context,
1288 krb_options,
1289 test_data->canonicalize),
1290 0, "krb5_get_init_creds_opt_set_canonicalize failed");
1291
1292 torture_assert_int_equal(tctx,
1293 krb5_get_init_creds_opt_set_win2k(k5_context,
1294 krb_options,
1295 test_data->win2k),
1296 0, "krb5_get_init_creds_opt_set_win2k failed");
1297
1298 k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal,
1299 password, NULL, NULL, 0,
1300 NULL, krb_options);
1301
1302 if (test_data->netbios_realm && test_data->upn) {
1303 torture_assert_int_equal(tctx, k5ret,
1304 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
1305 "Got wrong error_code from krb5_get_init_creds_password");
1306 /* We can't proceed with more checks */
1307 return true;
1308 } else {
1309 assertion_message = talloc_asprintf(tctx,
1310 "krb5_get_init_creds_password for %s failed: %s",
1311 principal_string,
1312 smb_get_krb5_error_message(k5_context, k5ret, tctx));
1313 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1314 }
1315
1316 torture_assert(tctx,
1317 test_context->packet_count > 1,
1318 "Expected krb5_get_init_creds_password to send more packets");
1319
1320 /*
1321 * Assert that the reply was with the correct type of
1322 * principal, depending on the flags we set
1323 */
1324 if (test_data->canonicalize == false && test_data->enterprise) {
1325 torture_assert_int_equal(tctx,
1326 krb5_principal_get_type(k5_context,
1327 my_creds.client),
1328 KRB5_NT_ENTERPRISE_PRINCIPAL,
1329 "smb_krb5_init_context gave incorrect client->name.name_type");
1330 } else {
1331 torture_assert_int_equal(tctx,
1332 krb5_principal_get_type(k5_context,
1333 my_creds.client),
1334 KRB5_NT_PRINCIPAL,
1335 "smb_krb5_init_context gave incorrect client->name.name_type");
1336 }
1337
1338 torture_assert_int_equal(tctx,
1339 krb5_unparse_name(k5_context,
1340 my_creds.client, &got_principal_string), 0,
1341 "krb5_unparse_name failed");
1342
1343 assertion_message = talloc_asprintf(tctx,
1344 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
1345 got_principal_string, expected_principal_string);
1346 krb5_free_unparsed_name(k5_context, got_principal_string);
1347
1348 torture_assert(tctx, krb5_principal_compare(k5_context,
1349 my_creds.client, expected_principal),
1350 assertion_message);
1351
1352
1353 torture_assert_int_equal(tctx,
1354 krb5_principal_get_type(k5_context,
1355 my_creds.server), KRB5_NT_SRV_INST,
1356 "smb_krb5_init_context gave incorrect server->name.name_type");
1357
1358 torture_assert_int_equal(tctx,
1359 krb5_principal_get_num_comp(k5_context,
1360 my_creds.server), 2,
1361 "smb_krb5_init_context gave incorrect number of components in my_creds.server->name");
1362
1363 torture_assert_str_equal(tctx,
1364 krb5_principal_get_comp_string(k5_context,
1365 my_creds.server, 0),
1366 "krbtgt",
1367 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
1368
1369 if (test_data->canonicalize || test_data->enterprise) {
1370 torture_assert_str_equal(tctx,
1371 krb5_principal_get_comp_string(k5_context,
1372 my_creds.server, 1),
1373 test_data->real_realm,
1374
1375 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1376 } else {
1377 torture_assert_str_equal(tctx,
1378 krb5_principal_get_comp_string(k5_context,
1379 my_creds.server, 1),
1380 test_data->realm,
1381
1382 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1383 }
1384 torture_assert_str_equal(tctx,
1385 krb5_principal_get_realm(k5_context,
1386 my_creds.server),
1387 test_data->real_realm,
1388 "smb_krb5_init_context gave incorrect my_creds.server->realm");
1389
1390 /* Store the result of the 'kinit' above into a memory ccache */
1391 cc_name = talloc_asprintf(tctx, "MEMORY:%s", test_data->test_name);
1392 torture_assert_int_equal(tctx, krb5_cc_resolve(k5_context, cc_name,
1393 &ccache),
1394 0, "krb5_cc_resolve failed");
1395
1396 torture_assert_int_equal(tctx, krb5_cc_initialize(k5_context,
1397 ccache, my_creds.client),
1398 0, "krb5_cc_initialize failed");
1399
1400 torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context,
1401 ccache, &my_creds),
1402 0, "krb5_cc_store_cred failed");
1403
1404 /*
1405 * Prepare a TGS-REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests
1406 *
1407 * This tests krb5_get_creds behaviour, which allows us to set
1408 * the KRB5_GC_CANONICALIZE option against the krbtgt/ principal
1409 */
1410
1411 krbtgt_other_string = talloc_asprintf(test_data, "krbtgt/%s@%s", test_data->real_domain, test_data->real_realm);
1412 torture_assert_int_equal(tctx,
1413 krb5_make_principal(k5_context, &krbtgt_other,
1414 test_data->real_realm, "krbtgt",
1415 test_data->real_domain, NULL),
1416 0, "krb5_make_principal failed");
1417
1418 test_context->test_stage = TEST_TGS_REQ_KRBTGT_CANON;
1419 test_context->packet_count = 0;
1420
1421 torture_assert_int_equal(tctx,
1422 krb5_get_creds_opt_alloc(k5_context, &opt),
1423 0, "krb5_get_creds_opt_alloc");
1424
1425 krb5_get_creds_opt_add_options(k5_context,
1426 opt,
1427 KRB5_GC_CANONICALIZE);
1428
1429 krb5_get_creds_opt_add_options(k5_context,
1430 opt,
1431 KRB5_GC_NO_STORE);
1432
1433 /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
1434 k5ret = krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds);
1435
1436 if (test_data->canonicalize == false && test_data->enterprise == false
1437 && test_data->netbios_realm && test_data->upper_realm) {
1438 /*
1439 * In these situations, the code above does store a
1440 * principal in the credentials cache matching what
1441 * krb5_get_creds() needs, so the test succeds, with no packets.
1442 *
1443 */
1444 assertion_message = talloc_asprintf(tctx,
1445 "krb5_get_creds for %s failed with: %s",
1446 krbtgt_other_string,
1447 smb_get_krb5_error_message(k5_context, k5ret,
1448 tctx));
1449
1450 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1451 torture_assert_int_equal(tctx,
1452 test_context->packet_count,
1453 0, "Expected krb5_get_creds not to send packets");
1454 } else if (test_data->canonicalize == false && test_data->enterprise == false
1455 && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
1456 torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
1457 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1458 } else {
1459
1460 /*
1461 * In these situations, the code above does not store a
1462 * principal in the credentials cache matching what
1463 * krb5_get_creds() needs without talking to the KDC, so the
1464 * test fails with looping detected because when we set
1465 * canonicalize we confuse the client libs.
1466 *
1467 */
1468 assertion_message = talloc_asprintf(tctx,
1469 "krb5_get_creds for %s should have failed with looping detected: %s",
1470 krbtgt_other_string,
1471 smb_get_krb5_error_message(k5_context, k5ret,
1472 tctx));
1473
1474 torture_assert_int_equal(tctx, k5ret, KRB5_GET_IN_TKT_LOOP, assertion_message);
1475 torture_assert_int_equal(tctx,
1476 test_context->packet_count,
1477 2, "Expected krb5_get_creds to send packets");
1478 }
1479
1480 /*
1481 * Prepare a TGS-REQ and run the TEST_TGS_REQ_CANON tests
1482 *
1483 * This tests krb5_get_creds behaviour, which allows us to set
1484 * the KRB5_GC_CANONICALIZE option
1485 */
1486
1487 test_context->test_stage = TEST_TGS_REQ_CANON;
1488 test_context->packet_count = 0;
1489
1490 torture_assert_int_equal(tctx,
1491 krb5_get_creds_opt_alloc(k5_context, &opt),
1492 0, "krb5_get_creds_opt_alloc");
1493
1494 krb5_get_creds_opt_add_options(k5_context,
1495 opt,
1496 KRB5_GC_CANONICALIZE);
1497
1498 krb5_get_creds_opt_add_options(k5_context,
1499 opt,
1500 KRB5_GC_NO_STORE);
1501
1502 /* Confirm if we can get a ticket to our own name */
1503 k5ret = krb5_get_creds(k5_context, opt, ccache, principal, &server_creds);
1504
1505 /*
1506 * In these situations, the code above does not store a
1507 * principal in the credentials cache matching what
1508 * krb5_get_creds() needs, so the test fails.
1509 *
1510 */
1511 if (test_data->canonicalize == false && test_data->enterprise == false
1512 && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
1513 torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
1514 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1515 } else {
1516 assertion_message = talloc_asprintf(tctx,
1517 "krb5_get_creds for %s failed: %s",
1518 principal_string,
1519 smb_get_krb5_error_message(k5_context, k5ret,
1520 tctx));
1521
1522 /*
1523 * Only machine accounts (strictly, accounts with a
1524 * servicePrincipalName) can expect this test to succeed
1525 */
1526 if (torture_setting_bool(tctx, "expect_machine_account", false)
1527 && (test_data->enterprise || test_data->upn == false)) {
1528 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1529 torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context,
1530 ccache, server_creds),
1531 0, "krb5_cc_store_cred failed");
1532
1533 torture_assert_int_equal(tctx,
1534 krb5_free_creds(k5_context,
1535 server_creds),
1536 0, "krb5_free_cred_contents failed");
1537
1538 } else {
1539 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
1540 assertion_message);
1541 }
1542
1543 torture_assert_int_equal(tctx,
1544 test_context->packet_count,
1545 1, "Expected krb5_get_creds to send packets");
1546 }
1547
1548 /*
1549 * Confirm gettting a ticket to pass to the server, running
1550 * either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage.
1551 *
1552 * This triggers the client to attempt to get a
1553 * cross-realm ticket between the alternate names of
1554 * the server, and we need to confirm that behaviour.
1555 *
1556 */
1557
1558 /*
1559 * This tries to guess when the krb5 libs will ask for a
1560 * cross-realm ticket, and when they will just ask the KDC
1561 * directly.
1562 */
1563 if (test_context->test_data->canonicalize == false
1564 || test_context->test_data->enterprise
1565 || (test_context->test_data->upper_realm
1566 && test_context->test_data->netbios_realm == false)) {
1567 test_context->test_stage = TEST_TGS_REQ;
1568 } else {
1569 test_context->test_stage = TEST_SELF_TRUST_TGS_REQ;
1570 }
1571
1572 test_context->packet_count = 0;
1573 torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
1574 0, "krb5_auth_con_init failed");
1575
1576 in_data.length = 0;
1577 k5ret = krb5_mk_req_exact(k5_context,
1578 &auth_context,
1579 0,
1580 principal,
1581 &in_data, ccache,
1582 &enc_ticket);
1583 assertion_message = talloc_asprintf(tctx,
1584 "krb5_mk_req_exact for %s failed: %s",
1585 principal_string,
1586 smb_get_krb5_error_message(k5_context, k5ret, tctx));
1587
1588 /*
1589 * Only machine accounts (strictly, accounts with a
1590 * servicePrincipalName) can expect this test to succeed
1591 */
1592 if (torture_setting_bool(tctx, "expect_machine_account", false) && (test_data->enterprise || test_data->upn == false)) {
1593 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1594 } else {
1595 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
1596 assertion_message);
1597 }
1598
1599 /*
1600 * Only in these cases would the above code have needed to
1601 * send packets to the network
1602 */
1603 if (test_data->canonicalize == false && test_data->enterprise == false
1604 && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
1605 torture_assert(tctx,
1606 test_context->packet_count > 0,
1607 "Expected krb5_get_creds to send packets");
1608 }
1609
1610 /*
1611 * Confirm gettting a ticket for the same krbtgt/realm that we
1612 * got back with the initial ticket, running the
1613 * TEST_TGS_REQ_KRBTGT stage.
1614 *
1615 */
1616
1617 test_context->test_stage = TEST_TGS_REQ_KRBTGT;
1618 test_context->packet_count = 0;
1619
1620 in_data.length = 0;
1621 k5ret = krb5_mk_req_exact(k5_context,
1622 &auth_context,
1623 0,
1624 my_creds.server,
1625 &in_data, ccache,
1626 &enc_ticket);
1627
1628 assertion_message = talloc_asprintf(tctx,
1629 "krb5_mk_req_exact for %s failed: %s",
1630 principal_string,
1631 smb_get_krb5_error_message(k5_context, k5ret, tctx));
1632 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1633
1634 /*
1635 * Confirm gettting a ticket for our own principal that we
1636 * got back with the initial ticket, running the
1637 * TEST_AS_REQ_SELF stage.
1638 *
1639 */
1640 test_context->test_stage = TEST_AS_REQ_SELF;
1641 test_context->packet_count = 0;
1642
1643 k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal,
1644 password, NULL, NULL, 0,
1645 principal_string, krb_options);
1646
1647 if (torture_setting_bool(test_context->tctx, "expect_machine_account", false) && (test_data->upn == false)) {
1648 assertion_message = talloc_asprintf(tctx,
1649 "krb5_get_init_creds_password for %s failed: %s",
1650 principal_string,
1651 smb_get_krb5_error_message(k5_context, k5ret, tctx));
1652 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
1653 torture_assert(tctx,
1654 test_context->packet_count >= 2,
1655 "Expected krb5_get_init_creds_password to send more packets");
1656
1657 } else {
1658 assertion_message = talloc_asprintf(tctx,
1659 "Got wrong error_code from krb5_get_init_creds_password, expected KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN trying to get a ticket to %s for %s", principal_string, principal_string);
1660 torture_assert_int_equal(tctx, k5ret,
1661 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
1662 assertion_message);
1663 torture_assert(tctx,
1664 test_context->packet_count >= 1,
1665 "Expected krb5_get_init_creds_password to send more packets");
1666
1667 /* We can't proceed with more checks */
1668 return true;
1669 }
1670
1671 /*
1672 * Assert that the reply was with the correct type of
1673 * principal, depending on the flags we set
1674 */
1675 if (test_data->canonicalize == false && test_data->enterprise) {
1676 torture_assert_int_equal(tctx,
1677 krb5_principal_get_type(k5_context,
1678 my_creds.client),
1679 KRB5_NT_ENTERPRISE_PRINCIPAL,
1680 "smb_krb5_init_context gave incorrect client->name.name_type");
1681 torture_assert_int_equal(tctx,
1682 krb5_principal_get_type(k5_context,
1683 my_creds.server),
1684 KRB5_NT_ENTERPRISE_PRINCIPAL,
1685 "smb_krb5_init_context gave incorrect server->name.name_type");
1686 } else {
1687 torture_assert_int_equal(tctx,
1688 krb5_principal_get_type(k5_context,
1689 my_creds.client),
1690 KRB5_NT_PRINCIPAL,
1691 "smb_krb5_init_context gave incorrect client->name.name_type");
1692 torture_assert_int_equal(tctx,
1693 krb5_principal_get_type(k5_context,
1694 my_creds.server),
1695 KRB5_NT_PRINCIPAL,
1696 "smb_krb5_init_context gave incorrect server->name.name_type");
1697 }
1698
1699 torture_assert_int_equal(tctx,
1700 krb5_unparse_name(k5_context,
1701 my_creds.client, &got_principal_string), 0,
1702 "krb5_unparse_name failed");
1703
1704 assertion_message = talloc_asprintf(tctx,
1705 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
1706 got_principal_string, expected_principal_string);
1707 krb5_free_unparsed_name(k5_context, got_principal_string);
1708
1709 torture_assert(tctx, krb5_principal_compare(k5_context,
1710 my_creds.client, expected_principal),
1711 assertion_message);
1712
1713 torture_assert_int_equal(tctx,
1714 krb5_unparse_name(k5_context,
1715 my_creds.client, &got_principal_string), 0,
1716 "krb5_unparse_name failed");
1717
1718 assertion_message = talloc_asprintf(tctx,
1719 "krb5_get_init_creds_password returned a different server principal %s to what was expected %s",
1720 got_principal_string, expected_principal_string);
1721 krb5_free_unparsed_name(k5_context, got_principal_string);
1722
1723 torture_assert(tctx, krb5_principal_compare(k5_context,
1724 my_creds.client, expected_principal),
1725 assertion_message);
1726
1727 krb5_free_principal(k5_context, principal);
1728 krb5_get_init_creds_opt_free(k5_context, krb_options);
1729
1730 torture_assert_int_equal(tctx, krb5_free_cred_contents(k5_context, &my_creds),
1731 0, "krb5_free_cred_contents failed");
1732
1733 return true;
1734 }
1735
1736 struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
1737 {
1738 unsigned int i;
1739 struct torture_suite *suite = torture_suite_create(mem_ctx, "canon");
1740 suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests");
1741
1742 for (i = 0; i < TEST_ALL; i++) {
1743 char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s",
1744 (i & TEST_CANONICALIZE) ? "canon" : "no-canon",
1745 (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise",
1746 (i & TEST_UPPER_REALM) ? "uc-realm" : "lc-realm",
1747 (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user",
1748 (i & TEST_NETBIOS_REALM) ? "netbios-realm" : "krb5-realm",
1749 (i & TEST_WIN2K) ? "win2k" : "no-win2k",
1750 (i & TEST_UPN) ? "upn" : "no-upn");
1751
1752 struct test_data *test_data = talloc_zero(suite, struct test_data);
1753
1754 test_data->test_name = name;
1755 test_data->real_realm
1756 = strupper_talloc(test_data, cli_credentials_get_realm(cmdline_credentials));
1757 test_data->real_domain = cli_credentials_get_domain(cmdline_credentials);
1758 test_data->username = cli_credentials_get_username(cmdline_credentials);
1759 test_data->real_username = cli_credentials_get_username(cmdline_credentials);
1760 test_data->canonicalize = (i & TEST_CANONICALIZE) != 0;
1761 test_data->enterprise = (i & TEST_ENTERPRISE) != 0;
1762 test_data->upper_realm = (i & TEST_UPPER_REALM) != 0;
1763 test_data->upper_username = (i & TEST_UPPER_USERNAME) != 0;
1764 test_data->netbios_realm = (i & TEST_NETBIOS_REALM) != 0;
1765 test_data->win2k = (i & TEST_WIN2K) != 0;
1766 test_data->upn = (i & TEST_UPN) != 0;
1767 torture_suite_add_simple_tcase_const(suite, name, torture_krb5_as_req_canon,
1768 test_data);
1769
1770 }
1771 return suite;
1772 }
Samba GIT mirror