From d0751b576363a25ca67f485651b206677bf1d4b8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 23 Jan 2015 14:07:41 +1300
Subject: [PATCH] torture-krb5: Add comments

Signed-off-by: Andrew Bartlett
---
 source4/torture/krb5/kdc-canon.c | 36 +++++++++++++++++++++++++++++++++
 source4/torture/krb5/kdc.c | 43 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
diff --git a/source4/torture/krb5/kdc-canon.c b/source4/torture/krb5/kdc-canon.c
index 53a3b6a8d02..a20f9f97a60 100644
--- a/source4/torture/krb5/kdc-canon.c
+++ b/source4/torture/krb5/kdc-canon.c
@@ -57,6 +57,20 @@ struct torture_krb5_context {
 AS_REP as_rep;
 };
+
+/*
+ * Confirm that the outgoing packet meets certain expectations. This
+ * should be extended to further assert the correct and expected
+ * behaviour of the krb5 libs, so we know what we are sending to the
+ * server.
+ *
+ * Additionally, this CHANGES the request to remove the canonicalize
+ * flag automatically added by the krb5 libs when an enterprise
+ * principal is used, so we can test what the server does in this
+ * combination.
+ *
+ */
+
 static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
 {
 krb5_error_code k5ret;
@@ -93,6 +107,14 @@ static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context
 return true;
 }
+/*
+ * Confirm that the incoming packet from the KDC meets certain
+ * expectations. This uses a packet count to work out what test we
+ * are in, and where in the test we are, so we can assert on the
+ * expected reply packets from the KDC.
+ *
+ */
+
 static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
 {
 KRB_ERROR error;
@@ -143,6 +165,20 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 return true;
 }
+/*
+ * This function is set in torture_krb5_init_context_canon as krb5
+ * send_and_recv function. This allows us to override what server the
+ * test is aimed at, and to inspect the packets just before they are
+ * sent to the network, and before they are processed on the recv
+ * side.
+ *
+ * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
+ * functions are implement the actual tests.
+ *
+ * When this asserts, the caller will get a spurious 'cannot contact
+ * any KDC' message.
+ *
+ */
 static krb5_error_code smb_krb5_send_and_recv_func_canon_override(krb5_context context,
 void *data, /* struct torture_krb5_context */
 krb5_krbhst_info *hi,
diff --git a/source4/torture/krb5/kdc.c b/source4/torture/krb5/kdc.c
index be4b2451b9d..eed5d8d8ba4 100644
--- a/source4/torture/krb5/kdc.c
+++ b/source4/torture/krb5/kdc.c
@@ -48,6 +48,14 @@ struct torture_krb5_context {
 AS_REP as_rep;
 };
+/*
+ * Confirm that the outgoing packet meets certain expectations. This
+ * should be extended to further assert the correct and expected
+ * behaviour of the krb5 libs, so we know what we are sending to the
+ * server.
+ *
+ */
+
 static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, const krb5_data *send_buf)
 {
 size_t used;
@@ -68,6 +76,14 @@ static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context
 return true;
 }
+/*
+ * Confirm that the incoming packet from the KDC meets certain
+ * expectations. This uses a switch and the packet count to work out
+ * what test we are in, and where in the test we are, so we can assert
+ * on the expected reply packets from the KDC.
+ *
+ */
+
 static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
 {
 KRB_ERROR error;
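Review bot: The comment added above smb_krb5_send_and_recv_func_canon_override in kdc-canon.c (hunk `@@ -143,6 +165,20 @@`) contains `functions are implement the actual tests`, which is ungrammatical; `functions implement the actual tests` is what is meant. The same sentence is repeated in the comment added above smb_krb5_send_and_recv_func_override in kdc.c (hunk `@@ -207,6 +235,21 @@`). Both function bodies continue outside their hunks, so the remark about the spurious 'cannot contact any KDC' message cannot be checked against the code from here.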
@@ -120,6 +136,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
 free_AS_REQ(&test_context->as_req);
 break;
+
+ /*
+ * Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
+ */
 case TORTURE_KRB5_TEST_PAC_REQUEST:
 if (test_context->packet_count == 0) {
 torture_assert_int_equal(test_context->tctx,
@@ -157,6 +177,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
 free_AS_REQ(&test_context->as_req);
 break;
+
+ /*
+ * Confirm correct error codes when we deliberatly send the wrong password
+ */
 case TORTURE_KRB5_TEST_BREAK_PW:
 if (test_context->packet_count == 0) {
 torture_assert_int_equal(test_context->tctx,
@@ -180,6 +204,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
 free_AS_REQ(&test_context->as_req);
 break;
+
+ /*
+ * Confirm correct error codes when we deliberatly skew the client clock
+ */
 case TORTURE_KRB5_TEST_CLOCK_SKEW:
 if (test_context->packet_count == 0) {
 torture_assert_int_equal(test_context->tctx,
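Review bot: The comment added before `case TORTURE_KRB5_TEST_PAC_REQUEST:` calls the behaviour "rather odd..." without saying what is odd, so a reader cannot tell which of the asserted KDC error codes is the surprising one. I would name the oddity in the comment, stating which reply is unexpected and that the test pins it on purpose, so a later change in KDC behaviour can be judged as a regression or a fix. The case body continues outside the hunk, so the exact codes are not visible here.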
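Review bot: `deliberatly` in the comment before `case TORTURE_KRB5_TEST_BREAK_PW:` should be `deliberately`; the comment before `case TORTURE_KRB5_TEST_CLOCK_SKEW:` in the next hunk has the same misspelling. Both comments sit inside the switch in torture_krb5_post_recv_test, which starts and ends outside these hunks.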
@@ -207,6 +235,21 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 return true;
 }
+
+/*
+ * This function is set in torture_krb5_init_context as krb5
+ * send_and_recv function. This allows us to override what server the
+ * test is aimed at, and to inspect the packets just before they are
+ * sent to the network, and before they are processed on the recv
+ * side.
+ *
+ * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
+ * functions are implement the actual tests.
+ *
+ * When this asserts, the caller will get a spurious 'cannot contact
+ * any KDC' message.
+ *
+ */
 static krb5_error_code smb_krb5_send_and_recv_func_override(krb5_context context,
 void *data, /* struct torture_krb5_context */
 krb5_krbhst_info *hi,
-- 
2.11.4.GIT