2 Unix SMB/CIFS implementation.
4 Validate the krb5 pac generation routines
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/krb5/proto.h"
27 #include "auth/credentials/credentials.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "source4/auth/kerberos/kerberos.h"
30 #include "source4/auth/kerberos/kerberos_util.h"
31 #include "lib/util/util_net.h"
32 #include "auth/auth.h"
33 #include "auth/auth_sam_reply.h"
34 #include "auth/gensec/gensec.h"
35 #include "param/param.h"
37 #define TEST_CANONICALIZE 0x0000001
38 #define TEST_ENTERPRISE 0x0000002
39 #define TEST_UPPER_REALM 0x0000004
40 #define TEST_UPPER_USERNAME 0x0000008
41 #define TEST_NETBIOS_REALM 0x0000010
42 #define TEST_WIN2K 0x0000020
43 #define TEST_UPN 0x0000040
44 #define TEST_S4U2SELF 0x0000080
45 #define TEST_REMOVEDOLLAR 0x0000100
46 #define TEST_ALL 0x00001FF
49 const char *test_name
;
51 const char *real_realm
;
52 const char *real_domain
;
54 const char *real_username
;
62 bool other_upn_suffix
;
65 const char *krb5_service
;
66 const char *krb5_hostname
;
71 TEST_TGS_REQ_KRBTGT_CANON
= 1,
72 TEST_TGS_REQ_CANON
= 2,
73 TEST_SELF_TRUST_TGS_REQ
= 3,
75 TEST_TGS_REQ_KRBTGT
= 5,
76 TEST_TGS_REQ_HOST
= 6,
77 TEST_TGS_REQ_HOST_SRV_INST
= 7,
78 TEST_TGS_REQ_HOST_SRV_HST
= 8,
83 struct torture_krb5_context
{
84 struct smb_krb5_context
*smb_krb5_context
;
85 struct torture_context
*tctx
;
86 struct addrinfo
*server
;
87 struct test_data
*test_data
;
89 enum test_stage test_stage
;
97 const char *principal_name
;
101 * A helper function which avoids touching the local databases to
102 * generate the session info, as we just want to verify the principal
103 * name that we found in the ticket not the full local token
105 static NTSTATUS
test_generate_session_info_pac(struct auth4_context
*auth_ctx
,
107 struct smb_krb5_context
*smb_krb5_context
,
109 const char *principal_name
,
110 const struct tsocket_address
*remote_address
,
111 uint32_t session_info_flags
,
112 struct auth_session_info
**session_info
)
115 struct auth_user_info_dc
*user_info_dc
;
117 struct pac_data
*pac_data
;
119 tmp_ctx
= talloc_named(mem_ctx
, 0, "gensec_gssapi_session_info context");
120 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
122 auth_ctx
->private_data
= pac_data
= talloc_zero(auth_ctx
, struct pac_data
);
124 pac_data
->principal_name
= talloc_strdup(pac_data
, principal_name
);
125 if (!pac_data
->principal_name
) {
126 talloc_free(tmp_ctx
);
127 return NT_STATUS_NO_MEMORY
;
130 nt_status
= kerberos_pac_blob_to_user_info_dc(tmp_ctx
,
132 smb_krb5_context
->krb5_context
,
133 &user_info_dc
, NULL
, NULL
);
134 if (!NT_STATUS_IS_OK(nt_status
)) {
135 talloc_free(tmp_ctx
);
139 if (user_info_dc
->info
->authenticated
) {
140 session_info_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
143 session_info_flags
|= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
;
144 nt_status
= auth_generate_session_info(mem_ctx
,
147 user_info_dc
, session_info_flags
,
149 if (!NT_STATUS_IS_OK(nt_status
)) {
150 talloc_free(tmp_ctx
);
154 talloc_free(tmp_ctx
);
158 /* Check to see if we can pass the PAC across to the NETLOGON server for validation */
160 /* Also happens to be a really good one-step verfication of our Kerberos stack */
162 static bool test_accept_ticket(struct torture_context
*tctx
,
163 struct cli_credentials
*credentials
,
164 const char *principal
,
165 DATA_BLOB client_to_server
)
168 struct gensec_security
*gensec_server_context
;
169 DATA_BLOB server_to_client
;
170 struct auth4_context
*auth_context
;
171 struct auth_session_info
*session_info
;
172 struct pac_data
*pac_data
;
173 TALLOC_CTX
*tmp_ctx
= talloc_new(tctx
);
175 torture_assert(tctx
, tmp_ctx
!= NULL
, "talloc_new() failed");
177 auth_context
= talloc_zero(tmp_ctx
, struct auth4_context
);
178 torture_assert(tctx
, auth_context
!= NULL
, "talloc_new() failed");
180 auth_context
->generate_session_info_pac
= test_generate_session_info_pac
;
182 status
= gensec_server_start(tctx
,
183 lpcfg_gensec_settings(tctx
, tctx
->lp_ctx
),
184 auth_context
, &gensec_server_context
);
185 torture_assert_ntstatus_ok(tctx
, status
, "gensec_server_start (server) failed");
187 status
= gensec_set_credentials(gensec_server_context
, credentials
);
188 torture_assert_ntstatus_ok(tctx
, status
, "gensec_set_credentials (server) failed");
190 status
= gensec_start_mech_by_name(gensec_server_context
, "krb5");
191 torture_assert_ntstatus_ok(tctx
, status
, "gensec_start_mech_by_name (server) failed");
193 server_to_client
= data_blob(NULL
, 0);
195 /* Do a client-server update dance */
196 status
= gensec_update(gensec_server_context
, tmp_ctx
, client_to_server
, &server_to_client
);
197 torture_assert_ntstatus_ok(tctx
, status
, "gensec_update (server) failed");
199 /* Extract the PAC using Samba's code */
201 status
= gensec_session_info(gensec_server_context
, gensec_server_context
, &session_info
);
202 torture_assert_ntstatus_ok(tctx
, status
, "gensec_session_info failed");
204 pac_data
= talloc_get_type(auth_context
->private_data
, struct pac_data
);
206 torture_assert(tctx
, pac_data
!= NULL
, "gensec_update failed to fill in pac_data in auth_context");
207 torture_assert(tctx
, pac_data
->principal_name
!= NULL
, "principal_name not present");
208 torture_assert_str_equal(tctx
, pac_data
->principal_name
, principal
, "wrong principal name");
213 * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND
215 * Confirm that the outgoing packet meets certain expectations. This
216 * should be extended to further assert the correct and expected
217 * behaviour of the krb5 libs, so we know what we are sending to the
220 * Additionally, this CHANGES the request to remove the canonicalize
221 * flag automatically added by the krb5 libs when an enterprise
222 * principal is used, so we can test what the server does in this
227 static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context
*test_context
,
228 const krb5_data
*send_buf
,
229 krb5_data
*modified_send_buf
)
232 krb5_error_code k5ret
;
234 torture_assert_int_equal(test_context
->tctx
, decode_AS_REQ(send_buf
->data
, send_buf
->length
,
235 &test_context
->as_req
, &used
),
236 0, "decode_AS_REQ for TEST_AS_REQ failed");
237 mod_as_req
= test_context
->as_req
;
238 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
239 torture_assert_int_equal(test_context
->tctx
, test_context
->as_req
.pvno
,
240 5, "Got wrong as_req->pvno");
241 if (test_context
->test_data
->canonicalize
|| test_context
->test_data
->enterprise
) {
242 torture_assert(test_context
->tctx
,
243 test_context
->as_req
.req_body
.kdc_options
.canonicalize
,
244 "krb5 libs did not set canonicalize!");
246 torture_assert_int_equal(test_context
->tctx
,
247 test_context
->as_req
.req_body
.kdc_options
.canonicalize
,
249 "krb5 libs unexpectedly set canonicalize!");
252 if (test_context
->test_data
->enterprise
) {
253 torture_assert_int_equal(test_context
->tctx
,
254 test_context
->as_req
.req_body
.cname
->name_type
,
255 KRB5_NT_ENTERPRISE_PRINCIPAL
,
256 "krb5 libs did not pass principal as enterprise!");
258 torture_assert_int_equal(test_context
->tctx
,
259 test_context
->as_req
.req_body
.cname
->name_type
,
261 "krb5 libs unexpectedly set principal as enterprise!");
264 /* Force off canonicalize that was forced on by the krb5 libs */
265 if (test_context
->test_data
->canonicalize
== false && test_context
->test_data
->enterprise
) {
266 mod_as_req
.req_body
.kdc_options
.canonicalize
= false;
269 if (test_context
->test_stage
== TEST_AS_REQ_SELF
) {
271 * Force the server name to match the client name,
272 * including the name type. This isn't possible with
273 * the krb5 client libs alone
275 mod_as_req
.req_body
.sname
= test_context
->as_req
.req_body
.cname
;
278 ASN1_MALLOC_ENCODE(AS_REQ
, modified_send_buf
->data
, modified_send_buf
->length
,
279 &mod_as_req
, &used
, k5ret
);
280 torture_assert_int_equal(test_context
->tctx
,
282 "encode_AS_REQ failed");
284 if (test_context
->test_stage
!= TEST_AS_REQ_SELF
) {
285 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
,
286 "re-encode length mismatch");
294 * Confirm that the reply packet from the KDC meets certain
295 * expectations as part of TEST_AS_REQ. This uses a packet count to
296 * work out what packet we are up to in the multiple exchanged
297 * triggerd by krb5_get_init_creds_password().
301 static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context
*test_context
,
302 const krb5_data
*recv_buf
)
306 if (test_context
->packet_count
== 0) {
307 krb5_error_code k5ret
;
309 * The client libs obtain the salt by attempting to
310 * authenticate without pre-authentication and getting
311 * the correct salt with the
312 * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in
313 * the test (netbios_realm && upn) that deliberatly
314 * has an incorrect principal, we check we get the
317 k5ret
= decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
,
321 k5ret
= decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
324 if (test_context
->test_data
->netbios_realm
&& test_context
->test_data
->upn
) {
325 torture_assert(test_context
->tctx
, false,
326 "expected to get a KRB_ERROR packet with "
327 "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, got valid AS-REP");
329 torture_assert(test_context
->tctx
, false,
330 "expected to get a KRB_ERROR packet with "
331 "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
334 if (test_context
->test_data
->netbios_realm
&& test_context
->test_data
->upn
) {
335 torture_assert(test_context
->tctx
, false,
336 "unable to decode as KRB-ERROR or AS-REP, "
337 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN");
339 torture_assert(test_context
->tctx
, false,
340 "unable to decode as KRB-ERROR or AS-REP, "
341 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
345 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
347 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5,
348 "Got wrong error.pvno");
349 if (test_context
->test_data
->netbios_realm
&& test_context
->test_data
->upn
) {
350 torture_assert_int_equal(test_context
->tctx
,
352 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
353 "Got wrong error.error_code");
355 torture_assert_int_equal(test_context
->tctx
,
357 KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
358 "Got wrong error.error_code");
361 free_KRB_ERROR(&error
);
362 } else if ((decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0)
363 && (test_context
->packet_count
== 1)) {
365 * The Windows 2012R2 KDC will always respond with
366 * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
367 * won't fit, because of the PAC. (It appears to do
368 * this always, even if it will). This triggers the
369 * client to try again over TCP.
371 torture_assert_int_equal(test_context
->tctx
,
372 used
, recv_buf
->length
,
374 torture_assert_int_equal(test_context
->tctx
,
376 "Got wrong error.pvno");
377 torture_assert_int_equal(test_context
->tctx
,
379 KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
380 "Got wrong error.error_code");
381 free_KRB_ERROR(&error
);
384 * Finally the successful packet.
386 torture_assert_int_equal(test_context
->tctx
,
387 decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
388 &test_context
->as_rep
, &used
), 0,
389 "decode_AS_REP failed");
390 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
392 torture_assert_int_equal(test_context
->tctx
,
393 test_context
->as_rep
.pvno
, 5,
394 "Got wrong as_rep->pvno");
395 torture_assert_int_equal(test_context
->tctx
,
396 test_context
->as_rep
.ticket
.tkt_vno
, 5,
397 "Got wrong as_rep->ticket.tkt_vno");
398 torture_assert(test_context
->tctx
,
399 test_context
->as_rep
.ticket
.enc_part
.kvno
,
400 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
403 * We can confirm that the correct proxy behaviour is
404 * in use on the KDC by checking the KVNO of the
405 * krbtgt account returned in the reply.
407 * A packet passed to the full RW DC will not have a
408 * KVNO in the upper bits, while a packet processed
409 * locally on the RODC will have these bits filled in
410 * the msDS-SecondaryKrbTgtNumber
412 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
413 torture_assert_int_not_equal(test_context
->tctx
,
414 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
415 0, "Did not get a RODC number in the KVNO");
417 torture_assert_int_equal(test_context
->tctx
,
418 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
419 0, "Unexpecedly got a RODC number in the KVNO");
421 free_AS_REP(&test_context
->as_rep
);
423 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
424 free_AS_REQ(&test_context
->as_req
);
429 * TEST_TGS_REQ_KRBTGT_CANON
432 * Confirm that the outgoing TGS-REQ packet from krb5_get_creds()
433 * for the krbtgt/realm principal meets certain expectations, like
434 * that the canonicalize bit is not set
438 static bool torture_krb5_pre_send_tgs_req_krbtgt_canon_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
441 torture_assert_int_equal(test_context
->tctx
,
442 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
443 &test_context
->tgs_req
, &used
),
444 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
445 torture_assert_int_equal(test_context
->tctx
,
446 used
, send_buf
->length
,
448 torture_assert_int_equal(test_context
->tctx
,
449 test_context
->tgs_req
.pvno
, 5,
450 "Got wrong as_req->pvno");
451 torture_assert_int_equal(test_context
->tctx
,
452 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
454 "krb5 libs unexpectedly did not set canonicalize!");
456 torture_assert_int_equal(test_context
->tctx
,
457 test_context
->tgs_req
.req_body
.sname
->name_type
,
459 "Mismatch in name_type between request and expected request");
461 torture_assert_str_equal(test_context
->tctx
,
462 test_context
->tgs_req
.req_body
.realm
,
463 test_context
->test_data
->real_realm
,
464 "Mismatch in realm between request and expected request");
466 *modified_send_buf
= *send_buf
;
471 * TEST_TGS_REQ_KRBTGT_CANON
473 * Confirm that the reply TGS-REP packet for krb5_get_creds()
474 * where the client is behaving as if this is a cross-realm trust due
475 * to case or netbios vs dns name differences meets certain
476 * expectations, while canonicalize is set
480 static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
483 torture_assert_int_equal(test_context
->tctx
,
484 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
485 &test_context
->tgs_rep
, &used
),
487 "decode_TGS_REP failed");
488 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
489 torture_assert_int_equal(test_context
->tctx
,
490 test_context
->tgs_rep
.pvno
, 5,
491 "Got wrong as_rep->pvno");
492 torture_assert_int_equal(test_context
->tctx
,
493 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
494 "Got wrong as_rep->ticket.tkt_vno");
495 torture_assert(test_context
->tctx
,
496 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
497 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
498 torture_assert_str_equal(test_context
->tctx
,
499 test_context
->tgs_req
.req_body
.realm
,
500 test_context
->tgs_rep
.ticket
.realm
,
501 "Mismatch in realm between request and ticket response");
502 torture_assert_str_equal(test_context
->tctx
,
503 test_context
->tgs_rep
.ticket
.realm
,
504 test_context
->test_data
->real_realm
,
505 "Mismatch in realm between ticket response and expected ticket response");
506 torture_assert_int_equal(test_context
->tctx
,
507 test_context
->tgs_rep
.ticket
.sname
.name_type
,
509 "Mismatch in name_type between ticket response and expected value of KRB5_NT_SRV_INST");
511 torture_assert_int_equal(test_context
->tctx
,
512 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
,
514 "Mismatch in name_type between ticket response and expected value, expected krbtgt/REALM@REALM");
516 torture_assert_str_equal(test_context
->tctx
,
517 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0], "krbtgt",
518 "Mismatch in name between reponse and expected response, expected krbtgt");
519 torture_assert_str_equal(test_context
->tctx
,
520 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[1], test_context
->test_data
->real_realm
,
521 "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM");
524 * We can confirm that the correct proxy behaviour is
525 * in use on the KDC by checking the KVNO of the
526 * krbtgt account returned in the reply.
528 * A packet passed to the full RW DC will not have a
529 * KVNO in the upper bits, while a packet processed
530 * locally on the RODC will have these bits filled in
531 * the msDS-SecondaryKrbTgtNumber
533 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
534 torture_assert_int_not_equal(test_context
->tctx
,
535 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
536 0, "Did not get a RODC number in the KVNO");
538 torture_assert_int_equal(test_context
->tctx
,
539 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
540 0, "Unexpecedly got a RODC number in the KVNO");
542 free_TGS_REP(&test_context
->tgs_rep
);
543 torture_assert(test_context
->tctx
,
544 test_context
->packet_count
< 2,
546 free_TGS_REQ(&test_context
->tgs_req
);
553 * Confirm that the outgoing TGS-REQ packet from krb5_get_creds
554 * certain expectations, like that the canonicalize bit is set (this
555 * test is to force that handling) and that if an enterprise name was
556 * requested, that it was sent.
560 static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context
*test_context
,
561 const krb5_data
*send_buf
,
562 krb5_data
*modified_send_buf
)
565 torture_assert_int_equal(test_context
->tctx
,
566 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
567 &test_context
->tgs_req
, &used
),
568 0, "decode_TGS_REQ for TEST_TGS_REQ_CANON test failed");
569 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
570 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.pvno
, 5, "Got wrong as_req->pvno");
571 torture_assert_int_equal(test_context
->tctx
,
572 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
573 true, "krb5 libs unexpectedly did not set canonicalize!");
575 if (test_context
->test_data
->enterprise
) {
576 torture_assert_int_equal(test_context
->tctx
,
577 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_ENTERPRISE_PRINCIPAL
,
578 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
579 torture_assert_str_equal(test_context
->tctx
,
580 test_context
->tgs_req
.req_body
.realm
, test_context
->test_data
->real_realm
,
581 "Mismatch in realm between request and expected request");
583 } else if (test_context
->test_data
->canonicalize
) {
584 torture_assert_int_equal(test_context
->tctx
,
585 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
586 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
587 torture_assert_str_equal(test_context
->tctx
,
588 test_context
->tgs_req
.req_body
.realm
, test_context
->test_data
->real_realm
,
589 "Mismatch in realm between request and expected request");
592 torture_assert_int_equal(test_context
->tctx
,
593 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
594 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
595 torture_assert_str_equal(test_context
->tctx
,
596 test_context
->tgs_req
.req_body
.realm
, test_context
->test_data
->realm
,
597 "Mismatch in realm between request and expected request");
601 *modified_send_buf
= *send_buf
;
607 * TEST_TGS_REQ_CANON - RECV
609 * Confirm that the reply TGS-REP or error packet from the KDC meets
610 * certain expectations as part of TEST_TGS_REQ_CANON.
612 * This is triggered by krb5_get_creds()
616 static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
622 * If this account did not have a servicePrincipalName, then
623 * we expect a errro packet, not a TGS-REQ
625 if (decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0) {
626 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
627 torture_assert_int_equal(test_context
->tctx
,
629 "Got wrong error.pvno");
630 torture_assert_int_equal(test_context
->tctx
,
632 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
633 "Got wrong error.error_code");
635 torture_assert_int_equal(test_context
->tctx
,
636 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
637 &test_context
->tgs_rep
,
640 "decode_TGS_REP failed");
641 torture_assert_int_equal(test_context
->tctx
,
642 used
, recv_buf
->length
,
644 torture_assert_int_equal(test_context
->tctx
,
645 test_context
->tgs_rep
.pvno
, 5,
646 "Got wrong as_rep->pvno");
647 torture_assert_int_equal(test_context
->tctx
,
648 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
649 "Got wrong as_rep->ticket.tkt_vno");
650 torture_assert(test_context
->tctx
,
651 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
652 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
653 torture_assert_str_equal(test_context
->tctx
,
654 test_context
->tgs_rep
.ticket
.realm
,
655 test_context
->test_data
->real_realm
,
656 "Mismatch in realm between ticket response and expected upper case REALM");
657 torture_assert_int_equal(test_context
->tctx
,
658 test_context
->tgs_rep
.ticket
.sname
.name_type
,
659 test_context
->tgs_req
.req_body
.sname
->name_type
,
660 "Mismatch in name_type between request and ticket response");
661 torture_assert_int_equal(test_context
->tctx
,
662 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
,
663 test_context
->tgs_req
.req_body
.sname
->name_string
.len
,
664 "Mismatch in name_string.len between request and ticket response");
665 torture_assert(test_context
->tctx
,
666 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
>= 1,
667 "name_string.len should be >=1 in ticket response");
668 torture_assert_str_equal(test_context
->tctx
,
669 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0],
670 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0],
671 "Mismatch in name between request and expected request");
672 torture_assert_int_equal(test_context
->tctx
,
673 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
674 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
675 free_TGS_REP(&test_context
->tgs_rep
);
677 torture_assert(test_context
->tctx
, test_context
->packet_count
== 0, "too many packets");
678 free_TGS_REQ(&test_context
->tgs_req
);
684 * TEST_SELF_TRUST_TGS_REQ
686 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
687 * certain expectations, like that the canonicalize bit is set (this
688 * test is to force that handling).
690 * This test is for the case where the name we ask for, while a valid
691 * alternate name for our own realm is used. The client acts as if
692 * this is cross-realm trust.
696 static bool torture_krb5_pre_send_self_trust_tgs_req_test(struct torture_krb5_context
*test_context
,
697 const krb5_data
*send_buf
,
698 krb5_data
*modified_send_buf
)
701 torture_assert_int_equal(test_context
->tctx
,
702 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
703 &test_context
->tgs_req
, &used
),
704 0, "decode_TGS_REQ for TEST_SELF_TRUST_TGS_REQ test failed");
705 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
706 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.pvno
, 5, "Got wrong as_req->pvno");
707 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
, false, "krb5 libs unexpectedly set canonicalize!");
709 if (test_context
->test_data
->canonicalize
) {
710 torture_assert_str_equal(test_context
->tctx
,
711 test_context
->tgs_req
.req_body
.realm
,
712 test_context
->test_data
->real_realm
,
713 "Mismatch in realm between request and expected request");
715 torture_assert_str_equal(test_context
->tctx
,
716 test_context
->tgs_req
.req_body
.realm
,
717 test_context
->test_data
->realm
,
718 "Mismatch in realm between request and expected request");
720 torture_assert_int_equal(test_context
->tctx
,
721 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
722 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
723 torture_assert_int_equal(test_context
->tctx
,
724 test_context
->tgs_req
.req_body
.sname
->name_string
.len
, 2,
725 "Mismatch in name between request and expected request, expected krbtgt/realm");
726 torture_assert_str_equal(test_context
->tctx
,
727 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0], "krbtgt",
728 "Mismatch in name between request and expected request, expected krbtgt");
729 torture_assert_str_equal(test_context
->tctx
,
730 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[1], test_context
->test_data
->realm
,
731 "Mismatch in realm part of cross-realm request principal between request and expected request");
732 *modified_send_buf
= *send_buf
;
738 * TEST_SELF_TRUST_TGS_REQ and TEST_TGS_REQ_KRBTGT - RECV
740 * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(),
741 * where the client is behaving as if this is a cross-realm trust due
742 * to case or netbios vs dns name differences meets certain
747 static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
750 torture_assert_int_equal(test_context
->tctx
,
751 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
752 &test_context
->tgs_rep
, &used
),
754 "decode_TGS_REP failed");
755 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
, "length mismatch");
756 torture_assert_int_equal(test_context
->tctx
,
757 test_context
->tgs_rep
.pvno
, 5,
758 "Got wrong as_rep->pvno");
759 torture_assert_int_equal(test_context
->tctx
,
760 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
761 "Got wrong as_rep->ticket.tkt_vno");
762 torture_assert(test_context
->tctx
,
763 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
764 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
765 torture_assert_str_equal(test_context
->tctx
,
766 test_context
->tgs_req
.req_body
.realm
,
767 test_context
->tgs_rep
.ticket
.realm
,
768 "Mismatch in realm between request and ticket response");
769 torture_assert_int_equal(test_context
->tctx
,
770 test_context
->tgs_rep
.ticket
.sname
.name_type
,
771 test_context
->tgs_req
.req_body
.sname
->name_type
,
772 "Mismatch in name_type between request and ticket response");
774 torture_assert_int_equal(test_context
->tctx
,
775 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
, 2,
776 "Mismatch in name between request and expected request, expected krbtgt/realm");
777 torture_assert_str_equal(test_context
->tctx
,
778 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0], "krbtgt",
779 "Mismatch in name between request and expected request, expected krbtgt");
780 torture_assert_str_equal(test_context
->tctx
,
781 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[1], test_context
->test_data
->realm
,
782 "Mismatch in realm part of cross-realm request principal between response and expected request");
784 * We can confirm that the correct proxy behaviour is
785 * in use on the KDC by checking the KVNO of the
786 * krbtgt account returned in the reply.
788 * A packet passed to the full RW DC will not have a
789 * KVNO in the upper bits, while a packet processed
790 * locally on the RODC will have these bits filled in
791 * the msDS-SecondaryKrbTgtNumber
793 if (torture_setting_bool(test_context
->tctx
, "expect_cached_at_rodc", false)) {
794 torture_assert_int_not_equal(test_context
->tctx
,
795 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
796 0, "Did not get a RODC number in the KVNO");
798 torture_assert_int_equal(test_context
->tctx
,
799 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
800 0, "Unexpecedly got a RODC number in the KVNO");
802 free_TGS_REP(&test_context
->tgs_rep
);
803 torture_assert_int_equal(test_context
->tctx
,
804 test_context
->packet_count
, 0,
806 test_context
->packet_count
= 0;
807 test_context
->test_stage
= TEST_TGS_REQ
;
808 free_TGS_REQ(&test_context
->tgs_req
);
815 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
816 * certain expectations, like that the canonicalize bit is set (this
817 * test is to force that handling) and that if an enterprise name was
818 * requested, that it was sent.
822 static bool torture_krb5_pre_send_tgs_req_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
825 torture_assert_int_equal(test_context
->tctx
,
826 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
827 &test_context
->tgs_req
, &used
),
828 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
829 torture_assert_int_equal(test_context
->tctx
, used
, send_buf
->length
, "length mismatch");
830 torture_assert_int_equal(test_context
->tctx
, test_context
->tgs_req
.pvno
, 5,
831 "Got wrong as_req->pvno");
832 torture_assert_int_equal(test_context
->tctx
,
833 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
835 "krb5 libs unexpectedly set canonicalize!");
837 if (test_context
->test_data
->enterprise
) {
838 torture_assert_int_equal(test_context
->tctx
,
839 test_context
->tgs_req
.req_body
.sname
->name_type
,
840 KRB5_NT_ENTERPRISE_PRINCIPAL
,
841 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
842 torture_assert_str_equal(test_context
->tctx
,
843 test_context
->tgs_req
.req_body
.realm
,
844 test_context
->test_data
->real_realm
,
845 "Mismatch in realm between request and expected request");
848 torture_assert_int_equal(test_context
->tctx
,
849 test_context
->tgs_req
.req_body
.sname
->name_type
,
851 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
852 torture_assert_str_equal(test_context
->tctx
,
853 test_context
->tgs_req
.req_body
.realm
,
854 test_context
->test_data
->realm
,
855 "Mismatch in realm between request and expected request");
859 *modified_send_buf
= *send_buf
;
865 * TEST_TGS_REQ - RECV
867 * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(), for
868 * the actual target service.
872 static bool torture_krb5_post_recv_tgs_req_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
877 * If this account did not have a servicePrincipalName, then
878 * we expect a errro packet, not a TGS-REQ
880 if (decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0) {
881 torture_assert_int_equal(test_context
->tctx
,
882 used
, recv_buf
->length
,
884 torture_assert_int_equal(test_context
->tctx
,
886 "Got wrong error.pvno");
887 torture_assert_int_equal(test_context
->tctx
,
889 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
890 "Got wrong error.error_code");
892 torture_assert_int_equal(test_context
->tctx
,
893 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
894 &test_context
->tgs_rep
, &used
),
896 "decode_TGS_REP failed");
897 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
899 torture_assert_int_equal(test_context
->tctx
,
900 test_context
->tgs_rep
.pvno
, 5,
901 "Got wrong as_rep->pvno");
902 torture_assert_int_equal(test_context
->tctx
,
903 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
904 "Got wrong as_rep->ticket.tkt_vno");
905 torture_assert(test_context
->tctx
,
906 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
907 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
908 torture_assert_str_equal(test_context
->tctx
,
909 test_context
->tgs_rep
.ticket
.realm
,
910 test_context
->test_data
->real_realm
,
911 "Mismatch in realm between ticket response and expected upper case REALM");
912 torture_assert_int_equal(test_context
->tctx
,
913 test_context
->tgs_req
.req_body
.sname
->name_type
,
914 test_context
->tgs_rep
.ticket
.sname
.name_type
, "Mismatch in name_type between request and ticket response");
915 torture_assert_int_equal(test_context
->tctx
,
916 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
917 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
918 free_TGS_REP(&test_context
->tgs_rep
);
920 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
921 free_TGS_REQ(&test_context
->tgs_req
);
922 test_context
->test_stage
= TEST_DONE
;
927 * TEST_TGS_REQ_KRBTGT
930 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
931 * for the krbtgt/realm principal meets certain expectations, like
932 * that the canonicalize bit is not set
936 static bool torture_krb5_pre_send_tgs_req_krbtgt_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
939 torture_assert_int_equal(test_context
->tctx
,
940 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
941 &test_context
->tgs_req
, &used
),
942 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
943 torture_assert_int_equal(test_context
->tctx
,
944 used
, send_buf
->length
,
946 torture_assert_int_equal(test_context
->tctx
,
947 test_context
->tgs_req
.pvno
, 5,
948 "Got wrong as_req->pvno");
949 torture_assert_int_equal(test_context
->tctx
,
950 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
952 "krb5 libs unexpectedly set canonicalize!");
954 torture_assert_str_equal(test_context
->tctx
,
955 test_context
->tgs_req
.req_body
.realm
,
956 test_context
->test_data
->realm
,
957 "Mismatch in realm between request and expected request");
959 *modified_send_buf
= *send_buf
;
960 test_context
->test_stage
= TEST_DONE
;
965 * TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST and TEST_TGS_REQ_HOST_SRV_HST
968 * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact()
969 * for the krbtgt/realm principal meets certain expectations, like
970 * that the canonicalize bit is not set
974 static bool torture_krb5_pre_send_tgs_req_host_test(struct torture_krb5_context
*test_context
, const krb5_data
*send_buf
, krb5_data
*modified_send_buf
)
977 torture_assert_int_equal(test_context
->tctx
,
978 decode_TGS_REQ(send_buf
->data
, send_buf
->length
,
979 &test_context
->tgs_req
, &used
),
980 0, "decode_TGS_REQ for TEST_TGS_REQ test failed");
981 torture_assert_int_equal(test_context
->tctx
,
982 used
, send_buf
->length
,
984 torture_assert_int_equal(test_context
->tctx
,
985 test_context
->tgs_req
.pvno
, 5,
986 "Got wrong as_req->pvno");
987 torture_assert_int_equal(test_context
->tctx
,
988 test_context
->tgs_req
.req_body
.sname
->name_string
.len
, 2,
989 "Mismatch in name between request and expected request, expected krbtgt/realm");
990 torture_assert_int_equal(test_context
->tctx
,
991 test_context
->tgs_req
.req_body
.kdc_options
.canonicalize
,
993 "krb5 libs unexpectedly did not set canonicalize!");
995 if (test_context
->test_stage
== TEST_TGS_REQ_HOST_SRV_INST
) {
996 torture_assert_int_equal(test_context
->tctx
,
997 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_SRV_INST
,
998 "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_INST");
999 torture_assert_str_equal(test_context
->tctx
,
1000 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0],
1001 strupper_talloc(test_context
, test_context
->test_data
->krb5_service
),
1002 "Mismatch in name between request and expected request, expected service");
1003 torture_assert_str_equal(test_context
->tctx
,
1004 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[1],
1005 test_context
->test_data
->krb5_hostname
,
1006 "Mismatch in hostname part between request and expected request");
1008 } else if (test_context
->test_stage
== TEST_TGS_REQ_HOST_SRV_HST
) {
1010 torture_assert_int_equal(test_context
->tctx
,
1011 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_SRV_HST
,
1012 "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_HST");
1013 torture_assert_str_equal(test_context
->tctx
,
1014 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0],
1015 test_context
->test_data
->krb5_service
,
1016 "Mismatch in name between request and expected request, expected service");
1017 torture_assert_str_equal(test_context
->tctx
,
1018 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[1],
1019 strupper_talloc(test_context
, test_context
->test_data
->krb5_hostname
),
1020 "Mismatch in hostname part between request and expected request");
1023 torture_assert_int_equal(test_context
->tctx
,
1024 test_context
->tgs_req
.req_body
.sname
->name_type
, KRB5_NT_PRINCIPAL
,
1025 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
1026 torture_assert_str_equal(test_context
->tctx
,
1027 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0],
1028 test_context
->test_data
->krb5_service
,
1029 "Mismatch in name between request and expected request, expected service");
1030 torture_assert_str_equal(test_context
->tctx
,
1031 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[1],
1032 test_context
->test_data
->krb5_hostname
,
1033 "Mismatch in hostname part between request and expected request");
1036 torture_assert_str_equal(test_context
->tctx
,
1037 test_context
->tgs_req
.req_body
.realm
,
1038 test_context
->test_data
->real_realm
,
1039 "Mismatch in realm between request and expected request");
1041 *modified_send_buf
= *send_buf
;
1046 * TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST - RECV
1048 * Confirm that the reply TGS-REP packet for krb5_mk_req(), for
1049 * the actual target service, as a SPN, not a any other name type.
1053 static bool torture_krb5_post_recv_tgs_req_host_test(struct torture_krb5_context
*test_context
, const krb5_data
*recv_buf
)
1056 torture_assert_int_equal(test_context
->tctx
,
1057 decode_TGS_REP(recv_buf
->data
, recv_buf
->length
,
1058 &test_context
->tgs_rep
, &used
),
1060 "decode_TGS_REP failed");
1061 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
1063 torture_assert_int_equal(test_context
->tctx
,
1064 test_context
->tgs_rep
.pvno
, 5,
1065 "Got wrong as_rep->pvno");
1066 torture_assert_int_equal(test_context
->tctx
,
1067 test_context
->tgs_rep
.ticket
.tkt_vno
, 5,
1068 "Got wrong as_rep->ticket.tkt_vno");
1069 torture_assert(test_context
->tctx
,
1070 test_context
->tgs_rep
.ticket
.enc_part
.kvno
,
1071 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
1072 torture_assert_str_equal(test_context
->tctx
,
1073 test_context
->tgs_rep
.ticket
.realm
,
1074 test_context
->test_data
->real_realm
,
1075 "Mismatch in realm between ticket response and expected upper case REALM");
1076 torture_assert_int_equal(test_context
->tctx
,
1077 test_context
->tgs_req
.req_body
.sname
->name_type
,
1078 test_context
->tgs_rep
.ticket
.sname
.name_type
, "Mismatch in name_type between request and ticket response");
1079 torture_assert_int_equal(test_context
->tctx
,
1080 test_context
->tgs_rep
.ticket
.sname
.name_string
.len
, 2,
1081 "Mismatch in name between request and expected request, expected service/hostname");
1082 torture_assert_str_equal(test_context
->tctx
,
1083 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[0],
1084 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[0],
1085 "Mismatch in name between request and expected request, expected service/hostname");
1086 torture_assert_str_equal(test_context
->tctx
,
1087 test_context
->tgs_rep
.ticket
.sname
.name_string
.val
[1],
1088 test_context
->tgs_req
.req_body
.sname
->name_string
.val
[1],
1089 "Mismatch in name between request and expected request, expected service/hostname");
1091 torture_assert_int_equal(test_context
->tctx
,
1092 *test_context
->tgs_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
1093 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
1094 free_TGS_REP(&test_context
->tgs_rep
);
1096 torture_assert(test_context
->tctx
, test_context
->packet_count
< 2, "too many packets");
1101 * TEST_AS_REQ_SELF - RECV
1103 * Confirm that the reply packet from the KDC meets certain
1104 * expectations as part of TEST_AS_REQ. This uses a packet count to
1105 * work out what packet we are up to in the multiple exchanged
1106 * triggerd by krb5_get_init_creds_password().
1110 static bool torture_krb5_post_recv_as_req_self_test(struct torture_krb5_context
*test_context
,
1111 const krb5_data
*recv_buf
)
1115 if (test_context
->packet_count
== 0) {
1116 krb5_error_code k5ret
;
1118 * The client libs obtain the salt by attempting to
1119 * authenticate without pre-authentication and getting
1120 * the correct salt with the
1121 * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in
1122 * the test (netbios_realm && upn) that deliberatly
1123 * has an incorrect principal, we check we get the
1126 k5ret
= decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
,
1130 k5ret
= decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
1133 if (torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) == false
1134 || (test_context
->test_data
->upn
== true)) {
1135 torture_assert(test_context
->tctx
, false,
1136 "expected to get a KRB_ERROR packet with "
1137 "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
1139 torture_assert(test_context
->tctx
, false,
1140 "expected to get a KRB_ERROR packet with "
1141 "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP");
1144 if (torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) == false
1145 || (test_context
->test_data
->upn
== true)) {
1146 torture_assert(test_context
->tctx
, false,
1147 "unable to decode as KRB-ERROR or AS-REP, "
1148 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_PREAUTH_REQUIRED");
1150 torture_assert(test_context
->tctx
, false,
1151 "unable to decode as KRB-ERROR or AS-REP, "
1152 "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED");
1156 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
1158 torture_assert_int_equal(test_context
->tctx
, error
.pvno
, 5,
1159 "Got wrong error.pvno");
1160 if ((torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) == false
1161 || (test_context
->test_data
->upn
== true))
1162 && error
.error_code
== KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
) {
1166 * This case is because Samba's Heimdal KDC
1167 * checks server and client accounts before
1168 * checking for pre-authentication.
1171 torture_assert_int_equal(test_context
->tctx
,
1173 KRB5KDC_ERR_PREAUTH_REQUIRED
- KRB5KDC_ERR_NONE
,
1174 "Got wrong error.error_code");
1177 free_KRB_ERROR(&error
);
1178 } else if ((decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0)
1179 && (test_context
->packet_count
== 1)) {
1181 * The Windows 2012R2 KDC will always respond with
1182 * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket
1183 * won't fit, because of the PAC. (It appears to do
1184 * this always, even if it will). This triggers the
1185 * client to try again over TCP.
1187 torture_assert_int_equal(test_context
->tctx
,
1188 used
, recv_buf
->length
,
1190 torture_assert_int_equal(test_context
->tctx
,
1192 "Got wrong error.pvno");
1193 if ((torture_setting_bool(test_context
->tctx
, "expect_machine_account", false)
1194 && (test_context
->test_data
->upn
== false))) {
1195 torture_assert_int_equal(test_context
->tctx
,
1197 KRB5KRB_ERR_RESPONSE_TOO_BIG
- KRB5KDC_ERR_NONE
,
1198 "Got wrong error.error_code");
1200 torture_assert_int_equal(test_context
->tctx
,
1202 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
- KRB5KDC_ERR_NONE
,
1203 "Got wrong error.error_code");
1205 free_KRB_ERROR(&error
);
1208 * Finally the successful packet.
1210 torture_assert_int_equal(test_context
->tctx
,
1211 decode_AS_REP(recv_buf
->data
, recv_buf
->length
,
1212 &test_context
->as_rep
, &used
), 0,
1213 "decode_AS_REP failed");
1214 torture_assert_int_equal(test_context
->tctx
, used
, recv_buf
->length
,
1216 torture_assert_int_equal(test_context
->tctx
,
1217 test_context
->as_rep
.pvno
, 5,
1218 "Got wrong as_rep->pvno");
1219 torture_assert_int_equal(test_context
->tctx
,
1220 test_context
->as_rep
.ticket
.tkt_vno
, 5,
1221 "Got wrong as_rep->ticket.tkt_vno");
1222 torture_assert(test_context
->tctx
,
1223 test_context
->as_rep
.ticket
.enc_part
.kvno
,
1224 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
1227 * We do not expect an RODC number here in the KVNO,
1228 * as this is a ticket to the user's own account.
1230 torture_assert_int_equal(test_context
->tctx
,
1231 *test_context
->as_rep
.ticket
.enc_part
.kvno
& 0xFFFF0000,
1232 0, "Unexpecedly got a RODC number in the KVNO");
1233 free_AS_REP(&test_context
->as_rep
);
1235 torture_assert(test_context
->tctx
, test_context
->packet_count
< 3, "too many packets");
1236 free_AS_REQ(&test_context
->as_req
);
1241 * This function is set in torture_krb5_init_context_canon as krb5
1242 * send_and_recv function. This allows us to override what server the
1243 * test is aimed at, and to inspect the packets just before they are
1244 * sent to the network, and before they are processed on the recv
1247 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
1248 * functions are implement the actual tests.
1250 * When this asserts, the caller will get a spurious 'cannot contact
1254 static krb5_error_code
smb_krb5_send_and_recv_func_canon_override(krb5_context context
,
1255 void *data
, /* struct torture_krb5_context */
1256 krb5_krbhst_info
*hi
,
1258 const krb5_data
*send_buf
,
1259 krb5_data
*recv_buf
)
1261 krb5_error_code k5ret
;
1263 krb5_data modified_send_buf
;
1265 struct torture_krb5_context
*test_context
1266 = talloc_get_type_abort(data
, struct torture_krb5_context
);
1268 switch (test_context
->test_stage
) {
1270 torture_warning(test_context
->tctx
, "Unexpected outgoing packet from krb5 libs");
1273 ok
= torture_krb5_pre_send_as_req_test(test_context
, send_buf
,
1274 &modified_send_buf
);
1276 case TEST_TGS_REQ_KRBTGT_CANON
:
1277 ok
= torture_krb5_pre_send_tgs_req_krbtgt_canon_test(test_context
, send_buf
,
1278 &modified_send_buf
);
1280 case TEST_TGS_REQ_CANON
:
1281 ok
= torture_krb5_pre_send_tgs_req_canon_test(test_context
, send_buf
,
1282 &modified_send_buf
);
1284 case TEST_SELF_TRUST_TGS_REQ
:
1285 ok
= torture_krb5_pre_send_self_trust_tgs_req_test(test_context
, send_buf
,
1286 &modified_send_buf
);
1289 ok
= torture_krb5_pre_send_tgs_req_test(test_context
, send_buf
,
1290 &modified_send_buf
);
1292 case TEST_TGS_REQ_KRBTGT
:
1293 ok
= torture_krb5_pre_send_tgs_req_krbtgt_test(test_context
, send_buf
,
1294 &modified_send_buf
);
1296 case TEST_TGS_REQ_HOST
:
1297 case TEST_TGS_REQ_HOST_SRV_INST
:
1298 case TEST_TGS_REQ_HOST_SRV_HST
:
1299 ok
= torture_krb5_pre_send_tgs_req_host_test(test_context
, send_buf
,
1300 &modified_send_buf
);
1302 case TEST_AS_REQ_SELF
:
1303 ok
= torture_krb5_pre_send_as_req_test(test_context
, send_buf
,
1304 &modified_send_buf
);
1311 k5ret
= smb_krb5_send_and_recv_func_forced(context
, test_context
->server
,
1312 hi
, timeout
, &modified_send_buf
,
1318 switch (test_context
->test_stage
) {
1320 torture_warning(test_context
->tctx
, "Unexpected outgoing packet from krb5 libs");
1323 ok
= torture_krb5_post_recv_as_req_test(test_context
, recv_buf
);
1325 case TEST_TGS_REQ_KRBTGT_CANON
:
1326 ok
= torture_krb5_post_recv_tgs_req_krbtgt_canon_test(test_context
, recv_buf
);
1328 case TEST_TGS_REQ_CANON
:
1329 ok
= torture_krb5_post_recv_tgs_req_canon_test(test_context
, recv_buf
);
1331 case TEST_SELF_TRUST_TGS_REQ
:
1332 ok
= torture_krb5_post_recv_self_trust_tgs_req_test(test_context
, recv_buf
);
1335 ok
= torture_krb5_post_recv_tgs_req_test(test_context
, recv_buf
);
1337 case TEST_TGS_REQ_KRBTGT
:
1338 ok
= torture_krb5_post_recv_self_trust_tgs_req_test(test_context
, recv_buf
);
1340 case TEST_TGS_REQ_HOST
:
1341 case TEST_TGS_REQ_HOST_SRV_INST
:
1342 case TEST_TGS_REQ_HOST_SRV_HST
:
1343 ok
= torture_krb5_post_recv_tgs_req_host_test(test_context
, recv_buf
);
1345 case TEST_AS_REQ_SELF
:
1346 ok
= torture_krb5_post_recv_as_req_self_test(test_context
, recv_buf
);
1352 torture_warning(test_context
->tctx
, "Packet of length %llu failed post-recv checks in test stage %d", (unsigned long long)recv_buf
->length
, test_context
->test_stage
);
1353 if (decode_KRB_ERROR(recv_buf
->data
, recv_buf
->length
, &error
, &used
) == 0) {
1354 torture_warning(test_context
->tctx
,
1355 "STAGE: %d Unexpectedly got a KRB-ERROR packet "
1356 "with error code %d (%s)",
1357 test_context
->test_stage
,
1359 error_message(error
.error_code
+ KRB5KDC_ERR_NONE
));
1360 free_KRB_ERROR(&error
);
1365 test_context
->packet_count
++;
1370 static int test_context_destructor(struct torture_krb5_context
*test_context
)
1372 freeaddrinfo(test_context
->server
);
1377 static bool torture_krb5_init_context_canon(struct torture_context
*tctx
,
1378 struct test_data
*test_data
,
1379 struct torture_krb5_context
**torture_krb5_context
)
1381 const char *host
= torture_setting_string(tctx
, "host", NULL
);
1382 krb5_error_code k5ret
;
1385 struct torture_krb5_context
*test_context
= talloc_zero(tctx
, struct torture_krb5_context
);
1386 torture_assert(tctx
, test_context
!= NULL
, "Failed to allocate");
1388 test_context
->test_data
= test_data
;
1389 test_context
->tctx
= tctx
;
1391 k5ret
= smb_krb5_init_context(test_context
, tctx
->lp_ctx
, &test_context
->smb_krb5_context
);
1392 torture_assert_int_equal(tctx
, k5ret
, 0, "smb_krb5_init_context failed");
1394 ok
= interpret_string_addr_internal(&test_context
->server
, host
, AI_NUMERICHOST
);
1395 torture_assert(tctx
, ok
, "Failed to parse target server");
1397 talloc_set_destructor(test_context
, test_context_destructor
);
1399 set_sockaddr_port(test_context
->server
->ai_addr
, 88);
1401 k5ret
= krb5_set_send_to_kdc_func(test_context
->smb_krb5_context
->krb5_context
,
1402 smb_krb5_send_and_recv_func_canon_override
,
1404 torture_assert_int_equal(tctx
, k5ret
, 0, "krb5_set_send_to_kdc_func failed");
1405 *torture_krb5_context
= test_context
;
1410 static bool torture_krb5_as_req_canon(struct torture_context
*tctx
, const void *tcase_data
)
1412 krb5_error_code k5ret
;
1413 krb5_get_init_creds_opt
*krb_options
= NULL
;
1414 struct test_data
*test_data
= talloc_get_type_abort(tcase_data
, struct test_data
);
1415 krb5_principal principal
;
1416 krb5_principal krbtgt_other
;
1417 krb5_principal expected_principal
;
1418 char *principal_string
;
1419 char *krbtgt_other_string
;
1420 int principal_flags
;
1421 char *expected_principal_string
;
1422 char *expected_unparse_principal_string
;
1423 int expected_principal_flags
;
1424 char *got_principal_string
;
1425 char *assertion_message
;
1426 const char *password
= cli_credentials_get_password(cmdline_credentials
);
1427 krb5_context k5_context
;
1428 struct torture_krb5_context
*test_context
;
1430 krb5_creds my_creds
;
1431 krb5_creds
*server_creds
;
1433 krb5_auth_context auth_context
;
1435 krb5_data in_data
, enc_ticket
;
1436 krb5_get_creds_opt opt
;
1438 const char *upn
= torture_setting_string(tctx
, "krb5-upn", "");
1439 test_data
->krb5_service
= torture_setting_string(tctx
, "krb5-service", "host");
1440 test_data
->krb5_hostname
= torture_setting_string(tctx
, "krb5-hostname", "");
1443 * If we have not passed a UPN on the command line,
1444 * then skip the UPN tests.
1446 if (test_data
->upn
&& upn
[0] == '\0') {
1447 torture_skip(tctx
, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run");
1450 if (test_data
->removedollar
&&
1451 !torture_setting_bool(tctx
, "run_removedollar_test", false))
1453 torture_skip(tctx
, "--option=torture:run_removedollar_test=true not specified");
1456 if (test_data
->netbios_realm
) {
1457 test_data
->realm
= test_data
->real_domain
;
1459 test_data
->realm
= test_data
->real_realm
;
1462 if (test_data
->upn
) {
1464 test_data
->username
= talloc_strdup(test_data
, upn
);
1465 p
= strchr(test_data
->username
, '@');
1471 * Test the UPN behaviour carefully. We can
1472 * test in two different modes, depending on
1473 * what UPN has been set up for us.
1475 * If the UPN is in our realm, then we do all the tests with this name also.
1477 * If the UPN is not in our realm, then we
1478 * expect the tests that replace the realm to
1479 * fail (as it won't match)
1481 if (strcasecmp(p
, test_data
->real_realm
) != 0) {
1482 test_data
->other_upn_suffix
= true;
1484 test_data
->other_upn_suffix
= false;
1488 * This lets us test the combination of the UPN prefix
1489 * with a valid domain, without adding even more
1492 if (test_data
->netbios_realm
== false) {
1493 test_data
->realm
= p
;
1497 ok
= torture_krb5_init_context_canon(tctx
, test_data
, &test_context
);
1498 torture_assert(tctx
, ok
, "torture_krb5_init_context failed");
1499 k5_context
= test_context
->smb_krb5_context
->krb5_context
;
1501 if (test_data
->upper_realm
) {
1502 test_data
->realm
= strupper_talloc(test_data
, test_data
->realm
);
1504 test_data
->realm
= strlower_talloc(test_data
, test_data
->realm
);
1506 if (test_data
->upper_username
) {
1507 test_data
->username
= strupper_talloc(test_data
, test_data
->username
);
1509 test_data
->username
= talloc_strdup(test_data
, test_data
->username
);
1512 if (test_data
->removedollar
) {
1515 p
= strchr_m(test_data
->username
, '$');
1516 torture_assert(tctx
, p
!= NULL
, talloc_asprintf(tctx
,
1517 "username[%s] contains no '$'\n",
1518 test_data
->username
));
1522 principal_string
= talloc_asprintf(test_data
, "%s@%s", test_data
->username
, test_data
->realm
);
1525 * If we are set to canonicalize, we get back the fixed UPPER
1526 * case realm, and the real username (ie matching LDAP
1529 * Otherwise, if we are set to enterprise, we
1530 * get back the whole principal as-sent
1532 * Finally, if we are not set to canonicalize, we get back the
1533 * fixed UPPER case realm, but the as-sent username
1535 if (test_data
->canonicalize
) {
1536 expected_principal_string
= talloc_asprintf(test_data
,
1538 test_data
->real_username
,
1539 test_data
->real_realm
);
1540 } else if (test_data
->enterprise
) {
1541 expected_principal_string
= principal_string
;
1543 expected_principal_string
= talloc_asprintf(test_data
,
1545 test_data
->username
,
1546 test_data
->real_realm
);
1549 if (test_data
->enterprise
) {
1550 principal_flags
= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
1552 if (test_data
->upn
&& test_data
->other_upn_suffix
) {
1553 torture_skip(tctx
, "UPN test for UPN with other UPN suffix only runs with enterprise principals");
1555 principal_flags
= 0;
1558 if (test_data
->canonicalize
) {
1559 expected_principal_flags
= 0;
1561 expected_principal_flags
= principal_flags
;
1564 torture_assert_int_equal(tctx
,
1565 krb5_parse_name_flags(k5_context
,
1569 0, "krb5_parse_name_flags failed");
1570 torture_assert_int_equal(tctx
,
1571 krb5_parse_name_flags(k5_context
,
1572 expected_principal_string
,
1573 expected_principal_flags
,
1574 &expected_principal
),
1575 0, "krb5_parse_name_flags failed");
1577 torture_assert_int_equal(tctx
,
1578 krb5_unparse_name(k5_context
,
1580 &expected_unparse_principal_string
),
1581 0, "krb5_unparse_name failed");
1583 * Prepare a AS-REQ and run the TEST_AS_REQ tests
1587 test_context
->test_stage
= TEST_AS_REQ
;
1588 test_context
->packet_count
= 0;
1591 * Set the canonicalize flag if this test requires it
1593 torture_assert_int_equal(tctx
,
1594 krb5_get_init_creds_opt_alloc(k5_context
, &krb_options
),
1595 0, "krb5_get_init_creds_opt_alloc failed");
1597 torture_assert_int_equal(tctx
,
1598 krb5_get_init_creds_opt_set_canonicalize(k5_context
,
1600 test_data
->canonicalize
),
1601 0, "krb5_get_init_creds_opt_set_canonicalize failed");
1603 torture_assert_int_equal(tctx
,
1604 krb5_get_init_creds_opt_set_win2k(k5_context
,
1607 0, "krb5_get_init_creds_opt_set_win2k failed");
1609 k5ret
= krb5_get_init_creds_password(k5_context
, &my_creds
, principal
,
1610 password
, NULL
, NULL
, 0,
1613 if (test_data
->netbios_realm
&& test_data
->upn
) {
1614 torture_assert_int_equal(tctx
, k5ret
,
1615 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
,
1616 "Got wrong error_code from krb5_get_init_creds_password");
1617 /* We can't proceed with more checks */
1620 assertion_message
= talloc_asprintf(tctx
,
1621 "krb5_get_init_creds_password for %s failed: %s",
1623 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1624 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1627 torture_assert(tctx
,
1628 test_context
->packet_count
> 1,
1629 "Expected krb5_get_init_creds_password to send more packets");
1632 * Assert that the reply was with the correct type of
1633 * principal, depending on the flags we set
1635 if (test_data
->canonicalize
== false && test_data
->enterprise
) {
1636 torture_assert_int_equal(tctx
,
1637 krb5_principal_get_type(k5_context
,
1639 KRB5_NT_ENTERPRISE_PRINCIPAL
,
1640 "smb_krb5_init_context gave incorrect client->name.name_type");
1642 torture_assert_int_equal(tctx
,
1643 krb5_principal_get_type(k5_context
,
1646 "smb_krb5_init_context gave incorrect client->name.name_type");
1649 torture_assert_int_equal(tctx
,
1650 krb5_unparse_name(k5_context
,
1651 my_creds
.client
, &got_principal_string
), 0,
1652 "krb5_unparse_name failed");
1654 assertion_message
= talloc_asprintf(tctx
,
1655 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
1656 got_principal_string
, expected_principal_string
);
1657 krb5_free_unparsed_name(k5_context
, got_principal_string
);
1659 torture_assert(tctx
, krb5_principal_compare(k5_context
,
1660 my_creds
.client
, expected_principal
),
1664 torture_assert_int_equal(tctx
,
1665 krb5_principal_get_type(k5_context
,
1666 my_creds
.server
), KRB5_NT_SRV_INST
,
1667 "smb_krb5_init_context gave incorrect server->name.name_type");
1669 torture_assert_int_equal(tctx
,
1670 krb5_principal_get_num_comp(k5_context
,
1671 my_creds
.server
), 2,
1672 "smb_krb5_init_context gave incorrect number of components in my_creds.server->name");
1674 torture_assert_str_equal(tctx
,
1675 krb5_principal_get_comp_string(k5_context
,
1676 my_creds
.server
, 0),
1678 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
1680 if (test_data
->canonicalize
|| test_data
->enterprise
) {
1681 torture_assert_str_equal(tctx
,
1682 krb5_principal_get_comp_string(k5_context
,
1683 my_creds
.server
, 1),
1684 test_data
->real_realm
,
1686 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1688 torture_assert_str_equal(tctx
,
1689 krb5_principal_get_comp_string(k5_context
,
1690 my_creds
.server
, 1),
1693 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
1695 torture_assert_str_equal(tctx
,
1696 krb5_principal_get_realm(k5_context
,
1698 test_data
->real_realm
,
1699 "smb_krb5_init_context gave incorrect my_creds.server->realm");
1701 /* Store the result of the 'kinit' above into a memory ccache */
1702 cc_name
= talloc_asprintf(tctx
, "MEMORY:%s", test_data
->test_name
);
1703 torture_assert_int_equal(tctx
, krb5_cc_resolve(k5_context
, cc_name
,
1705 0, "krb5_cc_resolve failed");
1707 torture_assert_int_equal(tctx
, krb5_cc_initialize(k5_context
,
1708 ccache
, my_creds
.client
),
1709 0, "krb5_cc_initialize failed");
1711 torture_assert_int_equal(tctx
, krb5_cc_store_cred(k5_context
,
1713 0, "krb5_cc_store_cred failed");
1716 * Prepare a TGS-REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests
1718 * This tests krb5_get_creds behaviour, which allows us to set
1719 * the KRB5_GC_CANONICALIZE option against the krbtgt/ principal
1722 krbtgt_other_string
= talloc_asprintf(test_data
, "krbtgt/%s@%s", test_data
->real_domain
, test_data
->real_realm
);
1723 torture_assert_int_equal(tctx
,
1724 krb5_make_principal(k5_context
, &krbtgt_other
,
1725 test_data
->real_realm
, "krbtgt",
1726 test_data
->real_domain
, NULL
),
1727 0, "krb5_make_principal failed");
1729 test_context
->test_stage
= TEST_TGS_REQ_KRBTGT_CANON
;
1730 test_context
->packet_count
= 0;
1732 torture_assert_int_equal(tctx
,
1733 krb5_get_creds_opt_alloc(k5_context
, &opt
),
1734 0, "krb5_get_creds_opt_alloc");
1736 krb5_get_creds_opt_add_options(k5_context
,
1738 KRB5_GC_CANONICALIZE
);
1740 krb5_get_creds_opt_add_options(k5_context
,
1744 /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
1745 k5ret
= krb5_get_creds(k5_context
, opt
, ccache
, krbtgt_other
, &server_creds
);
1747 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1748 && test_data
->netbios_realm
&& test_data
->upper_realm
) {
1750 * In these situations, the code above does store a
1751 * principal in the credentials cache matching what
1752 * krb5_get_creds() needs, so the test succeds, with no packets.
1755 assertion_message
= talloc_asprintf(tctx
,
1756 "krb5_get_creds for %s failed with: %s",
1757 krbtgt_other_string
,
1758 smb_get_krb5_error_message(k5_context
, k5ret
,
1761 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1762 torture_assert_int_equal(tctx
,
1763 test_context
->packet_count
,
1764 0, "Expected krb5_get_creds not to send packets");
1765 } else if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1766 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1767 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
1768 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1772 * In these situations, the code above does not store a
1773 * principal in the credentials cache matching what
1774 * krb5_get_creds() needs without talking to the KDC, so the
1775 * test fails with looping detected because when we set
1776 * canonicalize we confuse the client libs.
1779 assertion_message
= talloc_asprintf(tctx
,
1780 "krb5_get_creds for %s should have failed with looping detected: %s",
1781 krbtgt_other_string
,
1782 smb_get_krb5_error_message(k5_context
, k5ret
,
1785 torture_assert_int_equal(tctx
, k5ret
, KRB5_GET_IN_TKT_LOOP
, assertion_message
);
1786 torture_assert_int_equal(tctx
,
1787 test_context
->packet_count
,
1788 2, "Expected krb5_get_creds to send packets");
1792 * Prepare a TGS-REQ and run the TEST_TGS_REQ_CANON tests
1794 * This tests krb5_get_creds behaviour, which allows us to set
1795 * the KRB5_GC_CANONICALIZE option
1798 test_context
->test_stage
= TEST_TGS_REQ_CANON
;
1799 test_context
->packet_count
= 0;
1801 torture_assert_int_equal(tctx
,
1802 krb5_get_creds_opt_alloc(k5_context
, &opt
),
1803 0, "krb5_get_creds_opt_alloc");
1805 krb5_get_creds_opt_add_options(k5_context
,
1807 KRB5_GC_CANONICALIZE
);
1809 krb5_get_creds_opt_add_options(k5_context
,
1813 if (test_data
->s4u2self
) {
1814 torture_assert_int_equal(tctx
,
1815 krb5_get_creds_opt_set_impersonate(k5_context
,
1818 0, "krb5_get_creds_opt_set_impersonate failed");
1821 /* Confirm if we can get a ticket to our own name */
1822 k5ret
= krb5_get_creds(k5_context
, opt
, ccache
, principal
, &server_creds
);
1825 * In these situations, the code above does not store a
1826 * principal in the credentials cache matching what
1827 * krb5_get_creds() needs, so the test fails.
1830 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1831 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1832 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
1833 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1835 assertion_message
= talloc_asprintf(tctx
,
1836 "krb5_get_creds for %s failed: %s",
1838 smb_get_krb5_error_message(k5_context
, k5ret
,
1842 * Only machine accounts (strictly, accounts with a
1843 * servicePrincipalName) can expect this test to succeed
1845 if (torture_setting_bool(tctx
, "expect_machine_account", false)
1846 && (test_data
->enterprise
|| test_data
->upn
== false)) {
1847 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1848 torture_assert_int_equal(tctx
, krb5_cc_store_cred(k5_context
,
1849 ccache
, server_creds
),
1850 0, "krb5_cc_store_cred failed");
1852 torture_assert_int_equal(tctx
,
1853 krb5_free_creds(k5_context
,
1855 0, "krb5_free_cred_contents failed");
1858 torture_assert_int_equal(tctx
, k5ret
, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
,
1862 torture_assert_int_equal(tctx
,
1863 test_context
->packet_count
,
1864 1, "Expected krb5_get_creds to send packets");
1868 * Confirm gettting a ticket to pass to the server, running
1869 * either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage.
1871 * This triggers the client to attempt to get a
1872 * cross-realm ticket between the alternate names of
1873 * the server, and we need to confirm that behaviour.
1878 * This tries to guess when the krb5 libs will ask for a
1879 * cross-realm ticket, and when they will just ask the KDC
1882 if (test_context
->test_data
->canonicalize
== false
1883 || test_context
->test_data
->enterprise
1884 || (test_context
->test_data
->upper_realm
1885 && test_context
->test_data
->netbios_realm
== false)) {
1886 test_context
->test_stage
= TEST_TGS_REQ
;
1888 test_context
->test_stage
= TEST_SELF_TRUST_TGS_REQ
;
1891 test_context
->packet_count
= 0;
1892 torture_assert_int_equal(tctx
, krb5_auth_con_init(k5_context
, &auth_context
),
1893 0, "krb5_auth_con_init failed");
1896 k5ret
= krb5_mk_req_exact(k5_context
,
1902 assertion_message
= talloc_asprintf(tctx
,
1903 "krb5_mk_req_exact for %s failed: %s",
1905 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1908 * Only machine accounts (strictly, accounts with a
1909 * servicePrincipalName) can expect this test to succeed
1911 if (torture_setting_bool(tctx
, "expect_machine_account", false) && (test_data
->enterprise
|| test_data
->upn
== false)) {
1912 DATA_BLOB client_to_server
;
1913 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1914 client_to_server
= data_blob_const(enc_ticket
.data
, enc_ticket
.length
);
1915 torture_assert(tctx
,
1916 test_accept_ticket(tctx
, cmdline_credentials
,
1917 expected_unparse_principal_string
,
1919 "test_accept_ticket failed - failed to accept the ticket we just created");
1920 krb5_data_free(&enc_ticket
);
1922 torture_assert_int_equal(tctx
, k5ret
, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
,
1927 * Only in these cases would the above code have needed to
1928 * send packets to the network
1930 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1931 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1932 torture_assert(tctx
,
1933 test_context
->packet_count
> 0,
1934 "Expected krb5_mk_req_exact to send packets");
1938 * Confirm gettting a ticket to pass to the server, running
1939 * the TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST stage
1941 * This triggers the client to attempt to get a
1942 * cross-realm ticket between the alternate names of
1943 * the server, and we need to confirm that behaviour.
1947 if (*test_data
->krb5_service
&& *test_data
->krb5_hostname
) {
1948 krb5_principal host_principal_srv_inst
;
1950 * This tries to guess when the krb5 libs will ask for a
1951 * cross-realm ticket, and when they will just ask the KDC
1954 test_context
->test_stage
= TEST_TGS_REQ_HOST
;
1955 test_context
->packet_count
= 0;
1956 torture_assert_int_equal(tctx
, krb5_auth_con_init(k5_context
, &auth_context
),
1957 0, "krb5_auth_con_init failed");
1960 k5ret
= krb5_mk_req(k5_context
,
1963 test_data
->krb5_service
,
1964 test_data
->krb5_hostname
,
1968 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
1969 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
1970 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
1971 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
1973 assertion_message
= talloc_asprintf(tctx
,
1974 "krb5_mk_req for %s/%s failed: %s",
1975 test_data
->krb5_hostname
,
1976 test_data
->krb5_service
,
1977 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
1979 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
1981 * Only in these cases would the above code have needed to
1982 * send packets to the network
1984 torture_assert(tctx
,
1985 test_context
->packet_count
> 0,
1986 "Expected krb5_get_creds to send packets");
1990 test_context
->test_stage
= TEST_TGS_REQ_HOST_SRV_INST
;
1991 test_context
->packet_count
= 0;
1993 torture_assert_int_equal(tctx
,
1994 krb5_make_principal(k5_context
, &host_principal_srv_inst
,
1995 test_data
->real_realm
,
1996 strupper_talloc(tctx
, test_data
->krb5_service
),
1997 test_data
->krb5_hostname
,
1999 0, "krb5_make_principal failed");
2001 krb5_principal_set_type(k5_context
, host_principal_srv_inst
, KRB5_NT_SRV_INST
);
2003 torture_assert_int_equal(tctx
, krb5_auth_con_init(k5_context
, &auth_context
),
2004 0, "krb5_auth_con_init failed");
2007 k5ret
= krb5_mk_req_exact(k5_context
,
2010 host_principal_srv_inst
,
2013 krb5_free_principal(k5_context
, host_principal_srv_inst
);
2014 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
2015 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
2016 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
2017 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
2019 assertion_message
= talloc_asprintf(tctx
,
2020 "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
2021 test_data
->krb5_service
,
2022 test_data
->krb5_hostname
,
2023 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
2025 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
2027 * Only in these cases would the above code have needed to
2028 * send packets to the network
2030 torture_assert(tctx
,
2031 test_context
->packet_count
> 0,
2032 "Expected krb5_get_creds to send packets");
2036 test_context
->test_stage
= TEST_TGS_REQ_HOST_SRV_HST
;
2037 test_context
->packet_count
= 0;
2039 torture_assert_int_equal(tctx
,
2040 krb5_make_principal(k5_context
, &host_principal_srv_inst
,
2041 test_data
->real_realm
,
2042 test_data
->krb5_service
,
2043 strupper_talloc(tctx
, test_data
->krb5_hostname
),
2045 0, "krb5_make_principal failed");
2047 krb5_principal_set_type(k5_context
, host_principal_srv_inst
, KRB5_NT_SRV_HST
);
2049 torture_assert_int_equal(tctx
, krb5_auth_con_init(k5_context
, &auth_context
),
2050 0, "krb5_auth_con_init failed");
2053 k5ret
= krb5_mk_req_exact(k5_context
,
2056 host_principal_srv_inst
,
2059 krb5_free_principal(k5_context
, host_principal_srv_inst
);
2060 if (test_data
->canonicalize
== false && test_data
->enterprise
== false
2061 && (test_data
->upper_realm
== false || test_data
->netbios_realm
== true)) {
2062 torture_assert_int_equal(tctx
, k5ret
, KRB5_CC_NOTFOUND
,
2063 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
2065 assertion_message
= talloc_asprintf(tctx
,
2066 "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
2067 test_data
->krb5_service
,
2068 test_data
->krb5_hostname
,
2069 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
2071 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
2073 * Only in these cases would the above code have needed to
2074 * send packets to the network
2076 torture_assert(tctx
,
2077 test_context
->packet_count
> 0,
2078 "Expected krb5_get_creds to send packets");
2083 * Confirm gettting a ticket for the same krbtgt/realm that we
2084 * got back with the initial ticket, running the
2085 * TEST_TGS_REQ_KRBTGT stage.
2089 test_context
->test_stage
= TEST_TGS_REQ_KRBTGT
;
2090 test_context
->packet_count
= 0;
2093 k5ret
= krb5_mk_req_exact(k5_context
,
2100 assertion_message
= talloc_asprintf(tctx
,
2101 "krb5_mk_req_exact for %s failed: %s",
2103 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
2104 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
2107 * Confirm gettting a ticket for our own principal that we
2108 * got back with the initial ticket, running the
2109 * TEST_AS_REQ_SELF stage.
2112 test_context
->test_stage
= TEST_AS_REQ_SELF
;
2113 test_context
->packet_count
= 0;
2115 k5ret
= krb5_get_init_creds_password(k5_context
, &my_creds
, principal
,
2116 password
, NULL
, NULL
, 0,
2117 principal_string
, krb_options
);
2119 if (torture_setting_bool(test_context
->tctx
, "expect_machine_account", false) && (test_data
->upn
== false)) {
2120 assertion_message
= talloc_asprintf(tctx
,
2121 "krb5_get_init_creds_password for %s failed: %s",
2123 smb_get_krb5_error_message(k5_context
, k5ret
, tctx
));
2124 torture_assert_int_equal(tctx
, k5ret
, 0, assertion_message
);
2125 torture_assert(tctx
,
2126 test_context
->packet_count
>= 2,
2127 "Expected krb5_get_init_creds_password to send more packets");
2130 assertion_message
= talloc_asprintf(tctx
,
2131 "Got wrong error_code from krb5_get_init_creds_password, expected KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN trying to get a ticket to %s for %s", principal_string
, principal_string
);
2132 torture_assert_int_equal(tctx
, k5ret
,
2133 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
,
2135 torture_assert(tctx
,
2136 test_context
->packet_count
>= 1,
2137 "Expected krb5_get_init_creds_password to send more packets");
2139 /* We can't proceed with more checks */
2144 * Assert that the reply was with the correct type of
2145 * principal, depending on the flags we set
2147 if (test_data
->canonicalize
== false && test_data
->enterprise
) {
2148 torture_assert_int_equal(tctx
,
2149 krb5_principal_get_type(k5_context
,
2151 KRB5_NT_ENTERPRISE_PRINCIPAL
,
2152 "smb_krb5_init_context gave incorrect client->name.name_type");
2153 torture_assert_int_equal(tctx
,
2154 krb5_principal_get_type(k5_context
,
2156 KRB5_NT_ENTERPRISE_PRINCIPAL
,
2157 "smb_krb5_init_context gave incorrect server->name.name_type");
2159 torture_assert_int_equal(tctx
,
2160 krb5_principal_get_type(k5_context
,
2163 "smb_krb5_init_context gave incorrect client->name.name_type");
2164 torture_assert_int_equal(tctx
,
2165 krb5_principal_get_type(k5_context
,
2168 "smb_krb5_init_context gave incorrect server->name.name_type");
2171 torture_assert_int_equal(tctx
,
2172 krb5_unparse_name(k5_context
,
2173 my_creds
.client
, &got_principal_string
), 0,
2174 "krb5_unparse_name failed");
2176 assertion_message
= talloc_asprintf(tctx
,
2177 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
2178 got_principal_string
, expected_principal_string
);
2179 krb5_free_unparsed_name(k5_context
, got_principal_string
);
2181 torture_assert(tctx
, krb5_principal_compare(k5_context
,
2182 my_creds
.client
, expected_principal
),
2185 torture_assert_int_equal(tctx
,
2186 krb5_unparse_name(k5_context
,
2187 my_creds
.client
, &got_principal_string
), 0,
2188 "krb5_unparse_name failed");
2190 assertion_message
= talloc_asprintf(tctx
,
2191 "krb5_get_init_creds_password returned a different server principal %s to what was expected %s",
2192 got_principal_string
, expected_principal_string
);
2193 krb5_free_unparsed_name(k5_context
, got_principal_string
);
2195 torture_assert(tctx
, krb5_principal_compare(k5_context
,
2196 my_creds
.client
, expected_principal
),
2199 krb5_free_principal(k5_context
, principal
);
2200 krb5_get_init_creds_opt_free(k5_context
, krb_options
);
2202 torture_assert_int_equal(tctx
, krb5_free_cred_contents(k5_context
, &my_creds
),
2203 0, "krb5_free_cred_contents failed");
2208 struct torture_suite
*torture_krb5_canon(TALLOC_CTX
*mem_ctx
)
2211 struct torture_suite
*suite
= torture_suite_create(mem_ctx
, "canon");
2212 suite
->description
= talloc_strdup(suite
, "Kerberos Canonicalisation tests");
2214 for (i
= 0; i
< TEST_ALL
; i
++) {
2215 char *name
= talloc_asprintf(suite
, "%s.%s.%s.%s.%s.%s.%s.%s.%s",
2216 (i
& TEST_CANONICALIZE
) ? "canon" : "no-canon",
2217 (i
& TEST_ENTERPRISE
) ? "enterprise" : "no-enterprise",
2218 (i
& TEST_UPPER_REALM
) ? "uc-realm" : "lc-realm",
2219 (i
& TEST_UPPER_USERNAME
) ? "uc-user" : "lc-user",
2220 (i
& TEST_NETBIOS_REALM
) ? "netbios-realm" : "krb5-realm",
2221 (i
& TEST_WIN2K
) ? "win2k" : "no-win2k",
2222 (i
& TEST_UPN
) ? "upn" : "no-upn",
2223 (i
& TEST_S4U2SELF
) ? "s4u2self" : "normal",
2224 (i
& TEST_REMOVEDOLLAR
) ? "removedollar" : "keepdollar");
2226 struct test_data
*test_data
= talloc_zero(suite
, struct test_data
);
2228 test_data
->test_name
= name
;
2229 test_data
->real_realm
2230 = strupper_talloc(test_data
, cli_credentials_get_realm(cmdline_credentials
));
2231 test_data
->real_domain
= cli_credentials_get_domain(cmdline_credentials
);
2232 test_data
->username
= cli_credentials_get_username(cmdline_credentials
);
2233 test_data
->real_username
= cli_credentials_get_username(cmdline_credentials
);
2234 test_data
->canonicalize
= (i
& TEST_CANONICALIZE
) != 0;
2235 test_data
->enterprise
= (i
& TEST_ENTERPRISE
) != 0;
2236 test_data
->upper_realm
= (i
& TEST_UPPER_REALM
) != 0;
2237 test_data
->upper_username
= (i
& TEST_UPPER_USERNAME
) != 0;
2238 test_data
->netbios_realm
= (i
& TEST_NETBIOS_REALM
) != 0;
2239 test_data
->win2k
= (i
& TEST_WIN2K
) != 0;
2240 test_data
->upn
= (i
& TEST_UPN
) != 0;
2241 test_data
->s4u2self
= (i
& TEST_S4U2SELF
) != 0;
2242 test_data
->removedollar
= (i
& TEST_REMOVEDOLLAR
) != 0;
2243 torture_suite_add_simple_tcase_const(suite
, name
, torture_krb5_as_req_canon
,