search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
torture-krb5: Split the expected behaviour of the RODC up
[Samba.git] / source4 / torture / krb5 / kdc.c
blobcf8c39b99b97109931af2b873c093b60c07694bd
1 /*
2 Unix SMB/CIFS implementation.
3
4 Validate the krb5 pac generation routines
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/winbind/proto.h"
27 #include "torture/krb5/proto.h"
28 #include "auth/credentials/credentials.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "source4/auth/kerberos/kerberos.h"
31 #include "source4/auth/kerberos/kerberos_util.h"
32 #include "lib/util/util_net.h"
33
34 enum torture_krb5_test {
35 TORTURE_KRB5_TEST_PLAIN,
36 TORTURE_KRB5_TEST_WIN2K,
37 TORTURE_KRB5_TEST_PAC_REQUEST,
38 TORTURE_KRB5_TEST_BREAK_PW,
39 TORTURE_KRB5_TEST_CLOCK_SKEW,
40 };
41
42 struct torture_krb5_context {
43 struct torture_context *tctx;
44 struct addrinfo *server;
45 enum torture_krb5_test test;
46 int packet_count;
47 AS_REQ as_req;
48 AS_REP as_rep;
49 };
50
51 /*
52 * Confirm that the outgoing packet meets certain expectations. This
53 * should be extended to further assert the correct and expected
54 * behaviour of the krb5 libs, so we know what we are sending to the
55 * server.
56 *
57 */
58
59 static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, const krb5_data *send_buf)
60 {
61 size_t used;
62 switch (test_context->test)
63 {
64 case TORTURE_KRB5_TEST_PLAIN:
65 case TORTURE_KRB5_TEST_WIN2K:
66 case TORTURE_KRB5_TEST_PAC_REQUEST:
67 case TORTURE_KRB5_TEST_BREAK_PW:
68 case TORTURE_KRB5_TEST_CLOCK_SKEW:
69 torture_assert_int_equal(test_context->tctx,
70 decode_AS_REQ(send_buf->data, send_buf->length, &test_context->as_req, &used), 0,
71 "decode_AS_REQ failed");
72 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
73 torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, 5, "Got wrong as_req->pvno");
74 break;
75 }
76 return true;
77 }
78
79 /*
80 * Confirm that the incoming packet from the KDC meets certain
81 * expectations. This uses a switch and the packet count to work out
82 * what test we are in, and where in the test we are, so we can assert
83 * on the expected reply packets from the KDC.
84 *
85 */
86
87 static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
88 {
89 KRB_ERROR error;
90 size_t used;
91 switch (test_context->test)
92 {
93 case TORTURE_KRB5_TEST_PLAIN:
94 case TORTURE_KRB5_TEST_WIN2K:
95 if (test_context->packet_count == 0) {
96 torture_assert_int_equal(test_context->tctx,
97 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
98 "decode_AS_REP failed");
99 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
100 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
101 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
102 "Got wrong error.error_code");
103 free_KRB_ERROR(&error);
104 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
105 && (test_context->packet_count == 1)) {
106 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
107 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
108 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
109 "Got wrong error.error_code");
110 free_KRB_ERROR(&error);
111 } else {
112 torture_assert_int_equal(test_context->tctx,
113 decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
114 "decode_AS_REP failed");
115 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
116 torture_assert_int_equal(test_context->tctx,
117 test_context->as_rep.pvno, 5,
118 "Got wrong as_rep->pvno");
119 torture_assert_int_equal(test_context->tctx,
120 test_context->as_rep.ticket.tkt_vno, 5,
121 "Got wrong as_rep->ticket.tkt_vno");
122 torture_assert(test_context->tctx,
123 test_context->as_rep.ticket.enc_part.kvno,
124 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
125 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
126 torture_assert_int_not_equal(test_context->tctx,
127 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
128 0, "Did not get a RODC number in the KVNO");
129 } else {
130 torture_assert_int_equal(test_context->tctx,
131 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
132 0, "Unexpecedly got a RODC number in the KVNO");
133 }
134 free_AS_REP(&test_context->as_rep);
135 }
136 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
137 free_AS_REQ(&test_context->as_req);
138 break;
139
140 /*
141 * Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
142 */
143 case TORTURE_KRB5_TEST_PAC_REQUEST:
144 if (test_context->packet_count == 0) {
145 torture_assert_int_equal(test_context->tctx,
146 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
147 "decode_AS_REP failed");
148 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
149 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
150 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
151 "Got wrong error.error_code");
152 free_KRB_ERROR(&error);
153 } else if (test_context->packet_count == 1) {
154 torture_assert_int_equal(test_context->tctx,
155 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
156 "decode_AS_REP failed");
157 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
158 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
159 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
160 "Got wrong error.error_code");
161 free_KRB_ERROR(&error);
162 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
163 && (test_context->packet_count == 2)) {
164 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
165 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
166 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
167 "Got wrong error.error_code");
168 free_KRB_ERROR(&error);
169 } else {
170 torture_assert_int_equal(test_context->tctx,
171 decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
172 "decode_AS_REP failed");
173 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
174 torture_assert_int_equal(test_context->tctx, test_context->as_rep.pvno, 5, "Got wrong as_rep->pvno");
175 free_AS_REP(&test_context->as_rep);
176 }
177 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
178 free_AS_REQ(&test_context->as_req);
179 break;
180
181 /*
182 * Confirm correct error codes when we deliberatly send the wrong password
183 */
184 case TORTURE_KRB5_TEST_BREAK_PW:
185 if (test_context->packet_count == 0) {
186 torture_assert_int_equal(test_context->tctx,
187 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
188 "decode_AS_REP failed");
189 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
190 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
191 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
192 "Got wrong error.error_code");
193 free_KRB_ERROR(&error);
194 } else if (test_context->packet_count == 1) {
195 torture_assert_int_equal(test_context->tctx,
196 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
197 "decode_AS_REP failed");
198 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
199 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
200 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_FAILED - KRB5KDC_ERR_NONE,
201 "Got wrong error.error_code");
202 free_KRB_ERROR(&error);
203 }
204 torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
205 free_AS_REQ(&test_context->as_req);
206 break;
207
208 /*
209 * Confirm correct error codes when we deliberatly skew the client clock
210 */
211 case TORTURE_KRB5_TEST_CLOCK_SKEW:
212 if (test_context->packet_count == 0) {
213 torture_assert_int_equal(test_context->tctx,
214 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
215 "decode_AS_REP failed");
216 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
217 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
218 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
219 "Got wrong error.error_code");
220 free_KRB_ERROR(&error);
221 } else if (test_context->packet_count == 1) {
222 torture_assert_int_equal(test_context->tctx,
223 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
224 "decode_AS_REP failed");
225 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
226 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
227 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_AP_ERR_SKEW - KRB5KDC_ERR_NONE,
228 "Got wrong error.error_code");
229 free_KRB_ERROR(&error);
230 }
231 torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
232 free_AS_REQ(&test_context->as_req);
233 break;
234 }
235 return true;
236 }
237
238
239 /*
240 * This function is set in torture_krb5_init_context as krb5
241 * send_and_recv function. This allows us to override what server the
242 * test is aimed at, and to inspect the packets just before they are
243 * sent to the network, and before they are processed on the recv
244 * side.
245 *
246 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
247 * functions are implement the actual tests.
248 *
249 * When this asserts, the caller will get a spurious 'cannot contact
250 * any KDC' message.
251 *
252 */
253 static krb5_error_code smb_krb5_send_and_recv_func_override(krb5_context context,
254 void *data, /* struct torture_krb5_context */
255 krb5_krbhst_info *hi,
256 time_t timeout,
257 const krb5_data *send_buf,
258 krb5_data *recv_buf)
259 {
260 krb5_error_code k5ret;
261 bool ok;
262
263 struct torture_krb5_context *test_context
264 = talloc_get_type_abort(data, struct torture_krb5_context);
265
266 ok = torture_krb5_pre_send_test(test_context, send_buf);
267 if (ok == false) {
268 return EINVAL;
269 }
270
271 k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
272 hi, timeout, send_buf, recv_buf);
273
274 ok = torture_krb5_post_recv_test(test_context, recv_buf);
275 if (ok == false) {
276 return EINVAL;
277 }
278
279 test_context->packet_count++;
280
281 return k5ret;
282 }
283
284 static int test_context_destructor(struct torture_krb5_context *test_context)
285 {
286 freeaddrinfo(test_context->server);
287 return 0;
288 }
289
290
291 static bool torture_krb5_init_context(struct torture_context *tctx,
292 enum torture_krb5_test test,
293 struct smb_krb5_context **smb_krb5_context)
294 {
295 const char *host = torture_setting_string(tctx, "host", NULL);
296 krb5_error_code k5ret;
297 bool ok;
298
299 struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
300 torture_assert(tctx, test_context != NULL, "Failed to allocate");
301
302 test_context->test = test;
303 test_context->tctx = tctx;
304
305 k5ret = smb_krb5_init_context(tctx, tctx->lp_ctx, smb_krb5_context);
306 torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
307
308 ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
309 torture_assert(tctx, ok, "Failed to parse target server");
310
311 talloc_set_destructor(test_context, test_context_destructor);
312
313 set_sockaddr_port(test_context->server->ai_addr, 88);
314
315 k5ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
316 smb_krb5_send_and_recv_func_override,
317 test_context);
318 torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
319 return true;
320 }
321
322 static bool torture_krb5_as_req_creds(struct torture_context *tctx,
323 struct cli_credentials *credentials,
324 enum torture_krb5_test test)
325 {
326 krb5_error_code k5ret;
327 bool ok;
328 krb5_creds my_creds;
329 krb5_principal principal;
330 struct smb_krb5_context *smb_krb5_context;
331 enum credentials_obtained obtained;
332 const char *error_string;
333 const char *password = cli_credentials_get_password(credentials);
334 krb5_get_init_creds_opt *krb_options = NULL;
335
336 ok = torture_krb5_init_context(tctx, test, &smb_krb5_context);
337 torture_assert(tctx, ok, "torture_krb5_init_context failed");
338
339 k5ret = principal_from_credentials(tctx, credentials, smb_krb5_context,
340 &principal, &obtained, &error_string);
341 torture_assert_int_equal(tctx, k5ret, 0, error_string);
342
343 switch (test)
344 {
345 case TORTURE_KRB5_TEST_PLAIN:
346 break;
347
348 case TORTURE_KRB5_TEST_WIN2K:
349 torture_assert_int_equal(tctx,
350 krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options),
351 0, "krb5_get_init_creds_opt_alloc failed");
352
353 torture_assert_int_equal(tctx,
354 krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context, krb_options, true),
355 0, "krb5_get_init_creds_opt_set_win2k failed");
356 break;
357
358 case TORTURE_KRB5_TEST_PAC_REQUEST:
359 torture_assert_int_equal(tctx,
360 krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options),
361 0, "krb5_get_init_creds_opt_alloc failed");
362
363 torture_assert_int_equal(tctx,
364 krb5_get_init_creds_opt_set_pac_request(smb_krb5_context->krb5_context, krb_options, true),
365 0, "krb5_get_init_creds_opt_set_pac_request failed");
366 break;
367
368 case TORTURE_KRB5_TEST_BREAK_PW:
369 password = "NOT the password";
370 break;
371
372 case TORTURE_KRB5_TEST_CLOCK_SKEW:
373 torture_assert_int_equal(tctx,
374 krb5_set_real_time(smb_krb5_context->krb5_context, time(NULL) + 3600, 0),
375 0, "krb5_set_real_time failed");
376 break;
377
378 break;
379 }
380 k5ret = krb5_get_init_creds_password(smb_krb5_context->krb5_context, &my_creds, principal,
381 password, NULL, NULL, 0,
382 NULL, krb_options);
383 krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
384
385 switch (test)
386 {
387 case TORTURE_KRB5_TEST_PLAIN:
388 case TORTURE_KRB5_TEST_WIN2K:
389 case TORTURE_KRB5_TEST_PAC_REQUEST:
390 torture_assert_int_equal(tctx, k5ret, 0, "krb5_get_init_creds_password failed");
391 break;
392
393 case TORTURE_KRB5_TEST_BREAK_PW:
394 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_PREAUTH_FAILED, "krb5_get_init_creds_password should have failed");
395 return true;
396
397 case TORTURE_KRB5_TEST_CLOCK_SKEW:
398 torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_SKEW, "krb5_get_init_creds_password should have failed");
399 return true;
400
401 }
402
403 torture_assert_int_equal(tctx,
404 krb5_principal_get_type(smb_krb5_context->krb5_context,
405 my_creds.client), KRB5_NT_PRINCIPAL,
406 "smb_krb5_init_context gave incorrect client->name.name_type");
407
408 torture_assert(tctx, krb5_principal_compare(smb_krb5_context->krb5_context,
409 principal, my_creds.client),
410 "krb5_get_init_creds_password returned a different principal");
411
412 torture_assert_int_equal(tctx,
413 krb5_principal_get_type(smb_krb5_context->krb5_context,
414 my_creds.server), KRB5_NT_SRV_INST,
415 "smb_krb5_init_context gave incorrect client->name.name_type");
416
417 torture_assert_str_equal(tctx, krb5_principal_get_comp_string(smb_krb5_context->krb5_context,
418 my_creds.server, 0),
419 "krbtgt",
420 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
421
422 k5ret = krb5_free_cred_contents(smb_krb5_context->krb5_context, &my_creds);
423 torture_assert_int_equal(tctx, k5ret, 0, "krb5_free_creds failed");
424
425 return true;
426 }
427
428 static bool torture_krb5_as_req_cmdline(struct torture_context *tctx)
429 {
430 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_PLAIN);
431 }
432
433 static bool torture_krb5_as_req_win2k(struct torture_context *tctx)
434 {
435 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_WIN2K);
436 }
437
438 static bool torture_krb5_as_req_pac_request(struct torture_context *tctx)
439 {
440 if (torture_setting_bool(tctx, "expect_rodc", false)) {
441 torture_skip(tctx, "This test needs further investigation in the RODC case against a Windows DC, in particular with non-cached users");
442 }
443 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_PAC_REQUEST);
444 }
445
446 static bool torture_krb5_as_req_break_pw(struct torture_context *tctx)
447 {
448 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_BREAK_PW);
449 }
450
451 static bool torture_krb5_as_req_clock_skew(struct torture_context *tctx)
452 {
453 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_CLOCK_SKEW);
454 }
455
456 NTSTATUS torture_krb5_init(void)
457 {
458 struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "krb5");
459 struct torture_suite *kdc_suite = torture_suite_create(suite, "kdc");
460 suite->description = talloc_strdup(suite, "Kerberos tests");
461 kdc_suite->description = talloc_strdup(kdc_suite, "Kerberos KDC tests");
462
463 torture_suite_add_simple_test(kdc_suite, "as-req-cmdline",
464 torture_krb5_as_req_cmdline);
465
466 torture_suite_add_simple_test(kdc_suite, "as-req-win2k",
467 torture_krb5_as_req_win2k);
468
469 torture_suite_add_simple_test(kdc_suite, "as-req-pac-request",
470 torture_krb5_as_req_pac_request);
471
472 torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
473 torture_krb5_as_req_break_pw);
474
475 torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
476 torture_krb5_as_req_clock_skew);
477
478 torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite));
479 torture_suite_add_suite(suite, kdc_suite);
480
481 torture_register_suite(suite);
482 return NT_STATUS_OK;
483 }
Samba GIT mirror