2 Unix SMB/CIFS implementation.
4 Validate the krb5 pac generation routines
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/winbind/proto.h"
27 #include "torture/krb5/proto.h"
28 #include "auth/credentials/credentials.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "source4/auth/kerberos/kerberos.h"
31 #include "source4/auth/kerberos/kerberos_util.h"
32 #include "lib/util/util_net.h"
34 enum torture_krb5_test
{
35 TORTURE_KRB5_TEST_PLAIN
,
36 TORTURE_KRB5_TEST_WIN2K
,
37 TORTURE_KRB5_TEST_PAC_REQUEST
,
38 TORTURE_KRB5_TEST_BREAK_PW
,
39 TORTURE_KRB5_TEST_CLOCK_SKEW
,
42 struct torture_krb5_context
{
43 struct torture_context
*tctx
;
44 struct addrinfo
*server
;
45 enum torture_krb5_test test
;
52 * Confirm that the outgoing packet meets certain expectations. This
53 * should be extended to further assert the correct and expected
54 * behaviour of the krb5 libs, so we know what we are sending to the
59 static bool torture_krb5_pre_send_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
)
62 switch (test_context
->test
)
64 case TORTURE_KRB5_TEST_PLAIN
:
65 case TORTURE_KRB5_TEST_WIN2K
:
66 case TORTURE_KRB5_TEST_PAC_REQUEST
:
67 case TORTURE_KRB5_TEST_BREAK_PW
:
68 case TORTURE_KRB5_TEST_CLOCK_SKEW
:
69 torture_assert_int_equal(test_context
->tctx
,
70 decode_AS_REQ(send_buf
->data
, send_buf
->length
, &test_context
->as_req
, &used
), 0,
71 "decode_AS_REQ failed");
72 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
73 torture_assert_int_equal(test_context
->tctx
, test_context
->as_req
.pvno
, 5, "Got wrong as_req->pvno");
80 * Confirm that the incoming packet from the KDC meets certain
81 * expectations. This uses a switch and the packet count to work out
82 * what test we are in, and where in the test we are, so we can assert
83 * on the expected reply packets from the KDC.
87 static bool torture_krb5_post_recv_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
91 switch (test_context
->test
)
93 case TORTURE_KRB5_TEST_PLAIN
:
94 case TORTURE_KRB5_TEST_WIN2K
:
95 if (test_context
->packet_count
== 0) {
96 torture_assert_int_equal(test_context
->tctx
,
97 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
98 "decode_AS_REP failed");
99 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
100 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
101 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
102 "Got wrong error.error_code");
103 free_KRB_ERROR(&error
);
104 } else if ((decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0)
105 && (test_context
->packet_count
== 1)) {
106 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
107 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
108 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
109 "Got wrong error.error_code");
110 free_KRB_ERROR(&error
);
112 torture_assert_int_equal(test_context
->tctx
,
113 decode_AS_REP(recv_buf
->data
, recv_buf
->length
, &test_context
->as_rep
, &used
), 0,
114 "decode_AS_REP failed");
115 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
116 torture_assert_int_equal(test_context
->tctx
,
117 test_context
->as_rep
.pvno
, 5,
118 "Got wrong as_rep->pvno");
119 torture_assert_int_equal(test_context
->tctx
,
120 test_context
->as_rep
.ticket
.tkt_vno
, 5,
121 "Got wrong as_rep->ticket.tkt_vno");
122 torture_assert(test_context
->tctx
,
123 test_context
->as_rep
.ticket
.enc_part
.kvno
,
124 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
125 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
126 torture_assert_int_not_equal(test_context
->tctx
,
127 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
128 0, "Did not get a RODC number in the KVNO");
130 torture_assert_int_equal(test_context
->tctx
,
131 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
132 0, "Unexpecedly got a RODC number in the KVNO");
134 free_AS_REP(&test_context
->as_rep
);
136 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
137 free_AS_REQ(&test_context
->as_req
);
141 * Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
143 case TORTURE_KRB5_TEST_PAC_REQUEST
:
144 if (test_context
->packet_count
== 0) {
145 torture_assert_int_equal(test_context
->tctx
,
146 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
147 "decode_AS_REP failed");
148 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
149 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
150 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
151 "Got wrong error.error_code");
152 free_KRB_ERROR(&error
);
153 } else if (test_context
->packet_count
== 1) {
154 torture_assert_int_equal(test_context
->tctx
,
155 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
156 "decode_AS_REP failed");
157 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
158 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
159 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
160 "Got wrong error.error_code");
161 free_KRB_ERROR(&error
);
162 } else if ((decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0)
163 && (test_context
->packet_count
== 2)) {
164 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
165 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
166 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
167 "Got wrong error.error_code");
168 free_KRB_ERROR(&error
);
170 torture_assert_int_equal(test_context
->tctx
,
171 decode_AS_REP(recv_buf
->data
, recv_buf
->length
, &test_context
->as_rep
, &used
), 0,
172 "decode_AS_REP failed");
173 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
174 torture_assert_int_equal(test_context
->tctx
, test_context
->as_rep
.pvno
, 5, "Got wrong as_rep->pvno");
175 free_AS_REP(&test_context
->as_rep
);
177 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
178 free_AS_REQ(&test_context
->as_req
);
182 * Confirm correct error codes when we deliberatly send the wrong password
184 case TORTURE_KRB5_TEST_BREAK_PW
:
185 if (test_context
->packet_count
== 0) {
186 torture_assert_int_equal(test_context
->tctx
,
187 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
188 "decode_AS_REP failed");
189 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
190 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
191 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
192 "Got wrong error.error_code");
193 free_KRB_ERROR(&error
);
194 } else if (test_context
->packet_count
== 1) {
195 torture_assert_int_equal(test_context
->tctx
,
196 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
197 "decode_AS_REP failed");
198 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
199 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
200 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KDC_ERR_PREAUTH_FAILED
- KRB5KDC_ERR_NONE
,
201 "Got wrong error.error_code");
202 free_KRB_ERROR(&error
);
204 torture_assert(test_context
->tctx
, test_context
->packet_count
< 2, "too many packets");
205 free_AS_REQ(&test_context
->as_req
);
209 * Confirm correct error codes when we deliberatly skew the client clock
211 case TORTURE_KRB5_TEST_CLOCK_SKEW
:
212 if (test_context
->packet_count
== 0) {
213 torture_assert_int_equal(test_context
->tctx
,
214 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
215 "decode_AS_REP failed");
216 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
217 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
218 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
219 "Got wrong error.error_code");
220 free_KRB_ERROR(&error
);
221 } else if (test_context
->packet_count
== 1) {
222 torture_assert_int_equal(test_context
->tctx
,
223 decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
), 0,
224 "decode_AS_REP failed");
225 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
226 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5, "Got wrong error.pvno");
227 torture_assert_int_equal(test_context
->tctx
, error
.error_code
, KRB5KRB_AP_ERR_SKEW
- KRB5KDC_ERR_NONE
,
228 "Got wrong error.error_code");
229 free_KRB_ERROR(&error
);
231 torture_assert(test_context
->tctx
, test_context
->packet_count
< 2, "too many packets");
232 free_AS_REQ(&test_context
->as_req
);
240 * This function is set in torture_krb5_init_context as krb5
241 * send_and_recv function. This allows us to override what server the
242 * test is aimed at, and to inspect the packets just before they are
243 * sent to the network, and before they are processed on the recv
246 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
247 * functions are implement the actual tests.
249 * When this asserts, the caller will get a spurious 'cannot contact
253 static krb5_error_code
smb_krb5_send_and_recv_func_override(krb5_context context
,
254 void *data
, /* struct torture_krb5_context */
255 krb5_krbhst_info
*hi
,
257 const krb5_data
*send_buf
,
260 krb5_error_code k5ret
;
263 struct torture_krb5_context
*test_context
264 = talloc_get_type_abort(data
, struct torture_krb5_context
);
266 ok
= torture_krb5_pre_send_test(test_context
, send_buf
);
271 k5ret
= smb_krb5_send_and_recv_func_forced(context
, test_context
->server
,
272 hi
, timeout
, send_buf
, recv_buf
);
274 ok
= torture_krb5_post_recv_test(test_context
, recv_buf
);
279 test_context
->packet_count
++;
284 static int test_context_destructor(struct torture_krb5_context
*test_context
)
286 freeaddrinfo(test_context
->server
);
291 static bool torture_krb5_init_context(struct torture_context
*tctx
,
292 enum torture_krb5_test test
,
293 struct smb_krb5_context
**smb_krb5_context
)
295 const char *host
= torture_setting_string(tctx
, "host", NULL
);
296 krb5_error_code k5ret
;
299 struct torture_krb5_context
*test_context
= talloc_zero(tctx
, struct torture_krb5_context
);
300 torture_assert(tctx
, test_context
!= NULL
, "Failed to allocate");
302 test_context
->test
= test
;
303 test_context
->tctx
= tctx
;
305 k5ret
= smb_krb5_init_context(tctx
, tctx
->lp_ctx
, smb_krb5_context
);
306 torture_assert_int_equal(tctx
, k5ret
, 0, "smb_krb5_init_context failed");
308 ok
= interpret_string_addr_internal(&test_context
->server
, host
, AI_NUMERICHOST
);
309 torture_assert(tctx
, ok
, "Failed to parse target server");
311 talloc_set_destructor(test_context
, test_context_destructor
);
313 set_sockaddr_port(test_context
->server
->ai_addr
, 88);
315 k5ret
= krb5_set_send_to_kdc_func((*smb_krb5_context
)->krb5_context
,
316 smb_krb5_send_and_recv_func_override
,
318 torture_assert_int_equal(tctx
, k5ret
, 0, "krb5_set_send_to_kdc_func failed");
322 static bool torture_krb5_as_req_creds(struct torture_context
*tctx
,
323 struct cli_credentials
*credentials
,
324 enum torture_krb5_test test
)
326 krb5_error_code k5ret
;
329 krb5_principal principal
;
330 struct smb_krb5_context
*smb_krb5_context
;
331 enum credentials_obtained obtained
;
332 const char *error_string
;
333 const char *password
= cli_credentials_get_password(credentials
);
334 krb5_get_init_creds_opt
*krb_options
= NULL
;
336 ok
= torture_krb5_init_context(tctx
, test
, &smb_krb5_context
);
337 torture_assert(tctx
, ok
, "torture_krb5_init_context failed");
339 k5ret
= principal_from_credentials(tctx
, credentials
, smb_krb5_context
,
340 &principal
, &obtained
, &error_string
);
341 torture_assert_int_equal(tctx
, k5ret
, 0, error_string
);
345 case TORTURE_KRB5_TEST_PLAIN
:
348 case TORTURE_KRB5_TEST_WIN2K
:
349 torture_assert_int_equal(tctx
,
350 krb5_get_init_creds_opt_alloc(smb_krb5_context
->krb5_context
, &krb_options
),
351 0, "krb5_get_init_creds_opt_alloc failed");
353 torture_assert_int_equal(tctx
,
354 krb5_get_init_creds_opt_set_win2k(smb_krb5_context
->krb5_context
, krb_options
, true),
355 0, "krb5_get_init_creds_opt_set_win2k failed");
358 case TORTURE_KRB5_TEST_PAC_REQUEST
:
359 torture_assert_int_equal(tctx
,
360 krb5_get_init_creds_opt_alloc(smb_krb5_context
->krb5_context
, &krb_options
),
361 0, "krb5_get_init_creds_opt_alloc failed");
363 torture_assert_int_equal(tctx
,
364 krb5_get_init_creds_opt_set_pac_request(smb_krb5_context
->krb5_context
, krb_options
, true),
365 0, "krb5_get_init_creds_opt_set_pac_request failed");
368 case TORTURE_KRB5_TEST_BREAK_PW
:
369 password
= "NOT the password";
372 case TORTURE_KRB5_TEST_CLOCK_SKEW
:
373 torture_assert_int_equal(tctx
,
374 krb5_set_real_time(smb_krb5_context
->krb5_context
, time(NULL
) + 3600, 0),
375 0, "krb5_set_real_time failed");
380 k5ret
= krb5_get_init_creds_password(smb_krb5_context
->krb5_context
, &my_creds
, principal
,
381 password
, NULL
, NULL
, 0,
383 krb5_get_init_creds_opt_free(smb_krb5_context
->krb5_context
, krb_options
);
387 case TORTURE_KRB5_TEST_PLAIN
:
388 case TORTURE_KRB5_TEST_WIN2K
:
389 case TORTURE_KRB5_TEST_PAC_REQUEST
:
390 torture_assert_int_equal(tctx
, k5ret
, 0, "krb5_get_init_creds_password failed");
393 case TORTURE_KRB5_TEST_BREAK_PW
:
394 torture_assert_int_equal(tctx
, k5ret
, KRB5KDC_ERR_PREAUTH_FAILED
, "krb5_get_init_creds_password should have failed");
397 case TORTURE_KRB5_TEST_CLOCK_SKEW
:
398 torture_assert_int_equal(tctx
, k5ret
, KRB5KRB_AP_ERR_SKEW
, "krb5_get_init_creds_password should have failed");
403 torture_assert_int_equal(tctx
,
404 krb5_principal_get_type(smb_krb5_context
->krb5_context
,
405 my_creds
.client
), KRB5_NT_PRINCIPAL
,
406 "smb_krb5_init_context gave incorrect client->name.name_type");
408 torture_assert(tctx
, krb5_principal_compare(smb_krb5_context
->krb5_context
,
409 principal
, my_creds
.client
),
410 "krb5_get_init_creds_password returned a different principal");
412 torture_assert_int_equal(tctx
,
413 krb5_principal_get_type(smb_krb5_context
->krb5_context
,
414 my_creds
.server
), KRB5_NT_SRV_INST
,
415 "smb_krb5_init_context gave incorrect client->name.name_type");
417 torture_assert_str_equal(tctx
, krb5_principal_get_comp_string(smb_krb5_context
->krb5_context
,
420 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
422 k5ret
= krb5_free_cred_contents(smb_krb5_context
->krb5_context
, &my_creds
);
423 torture_assert_int_equal(tctx
, k5ret
, 0, "krb5_free_creds failed");
428 static bool torture_krb5_as_req_cmdline(struct torture_context
*tctx
)
430 return torture_krb5_as_req_creds(tctx
, cmdline_credentials
, TORTURE_KRB5_TEST_PLAIN
);
433 static bool torture_krb5_as_req_win2k(struct torture_context
*tctx
)
435 return torture_krb5_as_req_creds(tctx
, cmdline_credentials
, TORTURE_KRB5_TEST_WIN2K
);
438 static bool torture_krb5_as_req_pac_request(struct torture_context
*tctx
)
440 if (torture_setting_bool(tctx
, "expect_rodc", false)) {
441 torture_skip(tctx
, "This test needs further investigation in the RODC case against a Windows DC, in particular with non-cached users");
443 return torture_krb5_as_req_creds(tctx
, cmdline_credentials
, TORTURE_KRB5_TEST_PAC_REQUEST
);
446 static bool torture_krb5_as_req_break_pw(struct torture_context
*tctx
)
448 return torture_krb5_as_req_creds(tctx
, cmdline_credentials
, TORTURE_KRB5_TEST_BREAK_PW
);
451 static bool torture_krb5_as_req_clock_skew(struct torture_context
*tctx
)
453 return torture_krb5_as_req_creds(tctx
, cmdline_credentials
, TORTURE_KRB5_TEST_CLOCK_SKEW
);
456 NTSTATUS
torture_krb5_init(void)
458 struct torture_suite
*suite
= torture_suite_create(talloc_autofree_context(), "krb5");
459 struct torture_suite
*kdc_suite
= torture_suite_create(suite
, "kdc");
460 suite
->description
= talloc_strdup(suite
, "Kerberos tests");
461 kdc_suite
->description
= talloc_strdup(kdc_suite
, "Kerberos KDC tests");
463 torture_suite_add_simple_test(kdc_suite
, "as-req-cmdline",
464 torture_krb5_as_req_cmdline
);
466 torture_suite_add_simple_test(kdc_suite
, "as-req-win2k",
467 torture_krb5_as_req_win2k
);
469 torture_suite_add_simple_test(kdc_suite
, "as-req-pac-request",
470 torture_krb5_as_req_pac_request
);
472 torture_suite_add_simple_test(kdc_suite
, "as-req-break-pw",
473 torture_krb5_as_req_break_pw
);
475 torture_suite_add_simple_test(kdc_suite
, "as-req-clock-skew",
476 torture_krb5_as_req_clock_skew
);
478 torture_suite_add_suite(kdc_suite
, torture_krb5_canon(kdc_suite
));
479 torture_suite_add_suite(suite
, kdc_suite
);
481 torture_register_suite(suite
);