tests/kdc/check-digest.in

   1 #!/bin/sh
   2 #
   3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
   4 # (Royal Institute of Technology, Stockholm, Sweden).
   5 # All rights reserved.
   6 #
   7 # Redistribution and use in source and binary forms, with or without
   8 # modification, are permitted provided that the following conditions
   9 # are met:
  10 #
  11 # 1. Redistributions of source code must retain the above copyright
  12 #    notice, this list of conditions and the following disclaimer.
  13 #
  14 # 2. Redistributions in binary form must reproduce the above copyright
  15 #    notice, this list of conditions and the following disclaimer in the
  16 #    documentation and/or other materials provided with the distribution.
  17 #
  18 # 3. Neither the name of the Institute nor the names of its contributors
  19 #    may be used to endorse or promote products derived from this software
  20 #    without specific prior written permission.
  21 #
  22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  25 # ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  32 # SUCH DAMAGE.
  33
  34 top_builddir="@top_builddir@"
  35 env_setup="@env_setup@"
  36 objdir="@objdir@"
  37 srcdir="@srcdir@"
  38
  39 testfailed="echo test failed; cat messages.log; exit 1"
  40
  41 . ${env_setup}
  42
  43 # If there is no useful db support compile in, disable test
  44 ${have_db} || exit 77
  45
  46 R=TEST.H5L.SE
  47
  48 port=@port@
  49
  50 kadmin="${kadmin} -l -r $R"
  51 kdc="${kdc} --addresses=localhost -P $port"
  52
  53 server=host/datan.test.h5l.se
  54 cache="FILE:${objdir}/cache.krb5"
  55 ocache="FILE:${objdir}/ocache.krb5"
  56 keytabfile=${objdir}/server.keytab
  57 keytab="FILE:${keytabfile}"
  58
  59 kinit="${kinit} -c $cache ${afs_no_afslog}"
  60 klist="${klist} -c $cache"
  61 kdigest="${kdigest} --ccache=$cache"
  62
  63 username=foo
  64 userpassword=digestpassword
  65
  66 password=foobarbaz
  67
  68 KRB5_CONFIG="${objdir}/krb5.conf"
  69 export KRB5_CONFIG
  70
  71 rm -f ${keytabfile}
  72 rm -f current-db*
  73 rm -f out-*
  74 rm -f mkey.file*
  75
  76 > messages.log
  77
  78 echo Creating database
  79 ${kadmin} \
  80     init \
  81     --realm-max-ticket-life=1day \
  82     --realm-max-renewable-life=1month \
  83     ${R} || exit 1
  84
  85 ${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
  86 ${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
  87 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
  88 ${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
  89 ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
  90
  91 echo "Doing database check"
  92 ${kadmin} check ${R} || exit 1
  93
  94 echo $password > ${objdir}/foopassword
  95
  96 echo "Starting kdc"
  97 env ${HEIM_MALLOC_DEBUG} ${kdc} &
  98 kdcpid=$!
  99
 100 sh ${wait_kdc}
 101 if [ "$?" != 0 ] ; then
 102     kill -9 ${kdcpid}
 103     exit 1
 104 fi
 105
 106 trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
 107
 108 exitcode=0
 109
 110 echo "Getting digest server tickets"
 111 ${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
 112 ${kdigest} digest-server-init \
 113     --kerberos-realm=${R} \
 114     --type=CHAP > /dev/null || exitcode=1
 115
 116 echo "Trying NTLM"
 117
 118 NTLM_ACCEPTOR_CCACHE="$cache"
 119 export NTLM_ACCEPTOR_CCACHE
 120
 121 echo "Trying server-init"
 122 ${kdigest} ntlm-server-init \
 123     --kerberos-realm=${R} \
 124     > sdigest-init || exitcode=1
 125
 126 echo "test_ntlm"
 127 ${test_ntlm} || { echo "test_ntlm failed"; exit 1; }
 128
 129 NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
 130 export NTLM_USER_FILE
 131
 132 echo "test_context --mech-type=ntlm"
 133 ${test_context} --mech-type=ntlm \
 134             --name-type=hostbased-service datan@TEST || \
 135                 { echo "test_context 1 failed"; exit 1; }
 136
 137 ${test_context} --mech-type=ntlm \
 138             --name-type=hostbased-service datan@host.TEST || \
 139                 { echo "test_context 2 failed"; exit 1; }
 140
 141 ${test_context} --mech-type=ntlm \
 142             --name-type=hostbased-service datan@host.test.domain2 || \
 143                 { echo "test_context 3 failed"; exit 1; }
 144
 145 ${test_context} --mech-type=ntlm \
 146             --name-type=hostbased-service datan@host.foo 2>/dev/null && \
 147                 { echo "test_context 4 failed"; exit 1; }
 148
 149 echo "Trying SL in NTLM"
 150
 151
 152 for type in \
 153     "" \
 154     "--getverifymic" \
 155     "--wrapunwrap" \
 156     "--getverifymic --wrapunwrap" \
 157     ; do
 158
 159         echo "Trying NTLM type: ${type}"
 160         ${test_context} --mech-type=ntlm ${type} \
 161             --name-type=hostbased-service datan@TEST || \
 162             { echo "test_context 1 failed"; exit 1; }
 163
 164 done
 165
 166
 167 echo "Trying CHAP"
 168
 169 ${kdigest} digest-server-init \
 170     --kerberos-realm=${R} \
 171     --type=CHAP \
 172     > sdigest-reply || exitcode=1
 173
 174 snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
 175 identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
 176 opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
 177
 178 ${kdigest} digest-client-request \
 179     --type=CHAP \
 180     --username="$username"  \
 181     --password="$userpassword"  \
 182     --opaque="$opaque"  \
 183     --server-identifier="$identifier"  \
 184     --server-nonce="$snonce" \
 185     > cdigest-reply || exitcode=1
 186
 187 cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
 188
 189 #echo user: $username
 190 #echo server-nonce: $snonce
 191 #echo opaqeue: $opaque
 192 #echo identifier: $identifier
 193
 194 ${kdigest} digest-server-request \
 195     --kerberos-realm=${R} \
 196     --type=CHAP \
 197     --username="$username"  \
 198     --opaque="$opaque"  \
 199     --client-response="$cresponseData"  \
 200     --server-identifier="$identifier"  \
 201     --server-nonce="$snonce"  \
 202     > s2digest-reply || exitcode=1
 203
 204 status=`grep status= s2digest-reply | cut -f2- -d=`
 205
 206 if test "X$status" = "Xok" ; then
 207     echo "CHAP response ok"
 208 else
 209     echo "CHAP response failed"
 210     exitcode=1
 211 fi
 212
 213 cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`
 214
 215 ${kdigest} digest-server-request \
 216     --kerberos-realm=${R} \
 217     --type=CHAP \
 218     --username="$username"  \
 219     --opaque="$opaque"  \
 220     --client-response="$cresponseData" \
 221     --server-identifier="$identifier"  \
 222     --server-nonce="$snonce"  \
 223     > s2digest-reply || exitcode=1
 224
 225 status=`grep status= s2digest-reply | cut -f2- -d=`
 226
 227 if test "X$status" = "Xfailed" ; then
 228     echo "CHAP response fail as it should"
 229 else
 230     echo "CHAP response succeeded errorously"
 231     exitcode=1
 232 fi
 233
 234 echo "Trying MS-CHAP-V2"
 235
 236 ${kdigest} digest-server-init \
 237     --kerberos-realm=${R} \
 238     --type=MS-CHAP-V2 \
 239     > sdigest-reply || exitcode=1
 240
 241 snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
 242 opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
 243 cnonce="21402324255E262A28295F2B3A337C7E"
 244
 245 echo "MS-CHAP-V2 client request"
 246 ${kdigest} digest-client-request \
 247     --type=MS-CHAP-V2 \
 248     --username="$username"  \
 249     --password="$userpassword"  \
 250     --opaque="$opaque"  \
 251     --client-nonce="$cnonce"  \
 252     --server-nonce="$snonce" \
 253     > cdigest-reply || exitcode=1
 254
 255 cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
 256 cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
 257 ckey=`grep session-key= cdigest-reply | cut -f2- -d=`
 258
 259 ${kdigest} digest-server-request \
 260     --kerberos-realm=${R} \
 261     --type=MS-CHAP-V2 \
 262     --username="$username"  \
 263     --opaque="$opaque"  \
 264     --client-response="$cresponseData"  \
 265     --client-nonce="$cnonce"  \
 266     --server-nonce="$snonce"  \
 267     > s2digest-reply || exitcode=1
 268
 269 status=`grep status= s2digest-reply | cut -f2- -d=`
 270 sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
 271 skey=`grep session-key= s2digest-reply | cut -f2- -d=`
 272
 273 if test "X$sRsp" != "X$cRsp" ; then
 274     echo "rsp wrong $sRsp != $cRsp"
 275     exitcode=1
 276 fi
 277
 278 if test "X$skey" != "X$ckey" ; then
 279     echo "rsp wrong"
 280     exitcode=1
 281 fi
 282
 283 if test "X$status" = "Xok" ; then
 284     echo "MS-CHAP-V2 response ok"
 285 else
 286     echo "MS-CHAP-V2 response failed"
 287     exitcode=1
 288 fi
 289
 290 trap "" EXIT
 291
 292 echo "killing kdc (${kdcpid})"
 293 sh ${leaks_kill} kdc $kdcpid || exit 1
 294
 295 exit $exitcode
 296