search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
waf: add a cross-execute program that runs natively
[Samba.git] / source4 / torture / krb5 / kdc.c
bloba6fcde957d4ed18d3c3d2c49908403ac8146ad2c
1 /*
2 Unix SMB/CIFS implementation.
3
4 Validate the krb5 pac generation routines
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/winbind/proto.h"
27 #include "torture/krb5/proto.h"
28 #include "auth/credentials/credentials.h"
29 #include "lib/cmdline/popt_common.h"
30 #include "source4/auth/kerberos/kerberos.h"
31 #include "source4/auth/kerberos/kerberos_util.h"
32 #include "lib/util/util_net.h"
33
34 enum torture_krb5_test {
35 TORTURE_KRB5_TEST_PLAIN,
36 TORTURE_KRB5_TEST_PAC_REQUEST,
37 TORTURE_KRB5_TEST_BREAK_PW,
38 TORTURE_KRB5_TEST_CLOCK_SKEW,
39 };
40
41 struct torture_krb5_context {
42 struct torture_context *tctx;
43 struct addrinfo *server;
44 enum torture_krb5_test test;
45 int packet_count;
46 AS_REQ as_req;
47 AS_REP as_rep;
48 };
49
50 /*
51 * Confirm that the outgoing packet meets certain expectations. This
52 * should be extended to further assert the correct and expected
53 * behaviour of the krb5 libs, so we know what we are sending to the
54 * server.
55 *
56 */
57
58 static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, const krb5_data *send_buf)
59 {
60 size_t used;
61 switch (test_context->test)
62 {
63 case TORTURE_KRB5_TEST_PLAIN:
64 case TORTURE_KRB5_TEST_PAC_REQUEST:
65 case TORTURE_KRB5_TEST_BREAK_PW:
66 case TORTURE_KRB5_TEST_CLOCK_SKEW:
67 torture_assert_int_equal(test_context->tctx,
68 decode_AS_REQ(send_buf->data, send_buf->length, &test_context->as_req, &used), 0,
69 "decode_AS_REQ failed");
70 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
71 torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, 5, "Got wrong as_req->pvno");
72 break;
73 }
74 return true;
75 }
76
77 /*
78 * Confirm that the incoming packet from the KDC meets certain
79 * expectations. This uses a switch and the packet count to work out
80 * what test we are in, and where in the test we are, so we can assert
81 * on the expected reply packets from the KDC.
82 *
83 */
84
85 static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
86 {
87 KRB_ERROR error;
88 size_t used;
89 switch (test_context->test)
90 {
91 case TORTURE_KRB5_TEST_PLAIN:
92 if (test_context->packet_count == 0) {
93 torture_assert_int_equal(test_context->tctx,
94 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
95 "decode_AS_REP failed");
96 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
97 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
98 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
99 "Got wrong error.error_code");
100 free_KRB_ERROR(&error);
101 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
102 && (test_context->packet_count == 1)) {
103 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
104 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
105 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
106 "Got wrong error.error_code");
107 free_KRB_ERROR(&error);
108 } else {
109 torture_assert_int_equal(test_context->tctx,
110 decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
111 "decode_AS_REP failed");
112 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
113 torture_assert_int_equal(test_context->tctx,
114 test_context->as_rep.pvno, 5,
115 "Got wrong as_rep->pvno");
116 torture_assert_int_equal(test_context->tctx,
117 test_context->as_rep.ticket.tkt_vno, 5,
118 "Got wrong as_rep->ticket.tkt_vno");
119 torture_assert(test_context->tctx,
120 test_context->as_rep.ticket.enc_part.kvno,
121 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
122 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
123 torture_assert_int_not_equal(test_context->tctx,
124 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
125 0, "Did not get a RODC number in the KVNO");
126 } else {
127 torture_assert_int_equal(test_context->tctx,
128 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
129 0, "Unexpecedly got a RODC number in the KVNO");
130 }
131 free_AS_REP(&test_context->as_rep);
132 }
133 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
134 free_AS_REQ(&test_context->as_req);
135 break;
136
137 /*
138 * Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
139 */
140 case TORTURE_KRB5_TEST_PAC_REQUEST:
141 if (test_context->packet_count == 0) {
142 torture_assert_int_equal(test_context->tctx,
143 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
144 "decode_AS_REP failed");
145 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
146 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
147 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
148 "Got wrong error.error_code");
149 free_KRB_ERROR(&error);
150 } else if (test_context->packet_count == 1) {
151 torture_assert_int_equal(test_context->tctx,
152 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
153 "decode_AS_REP failed");
154 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
155 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
156 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
157 "Got wrong error.error_code");
158 free_KRB_ERROR(&error);
159 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
160 && (test_context->packet_count == 2)) {
161 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
162 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
163 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
164 "Got wrong error.error_code");
165 free_KRB_ERROR(&error);
166 } else {
167 torture_assert_int_equal(test_context->tctx,
168 decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
169 "decode_AS_REP failed");
170 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
171 torture_assert_int_equal(test_context->tctx, test_context->as_rep.pvno, 5, "Got wrong as_rep->pvno");
172 free_AS_REP(&test_context->as_rep);
173 }
174 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
175 free_AS_REQ(&test_context->as_req);
176 break;
177
178 /*
179 * Confirm correct error codes when we deliberatly send the wrong password
180 */
181 case TORTURE_KRB5_TEST_BREAK_PW:
182 if (test_context->packet_count == 0) {
183 torture_assert_int_equal(test_context->tctx,
184 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
185 "decode_AS_REP failed");
186 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
187 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
188 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
189 "Got wrong error.error_code");
190 free_KRB_ERROR(&error);
191 } else if (test_context->packet_count == 1) {
192 torture_assert_int_equal(test_context->tctx,
193 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
194 "decode_AS_REP failed");
195 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
196 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
197 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_FAILED - KRB5KDC_ERR_NONE,
198 "Got wrong error.error_code");
199 free_KRB_ERROR(&error);
200 }
201 torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
202 free_AS_REQ(&test_context->as_req);
203 break;
204
205 /*
206 * Confirm correct error codes when we deliberatly skew the client clock
207 */
208 case TORTURE_KRB5_TEST_CLOCK_SKEW:
209 if (test_context->packet_count == 0) {
210 torture_assert_int_equal(test_context->tctx,
211 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
212 "decode_AS_REP failed");
213 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
214 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
215 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
216 "Got wrong error.error_code");
217 free_KRB_ERROR(&error);
218 } else if (test_context->packet_count == 1) {
219 torture_assert_int_equal(test_context->tctx,
220 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
221 "decode_AS_REP failed");
222 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
223 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
224 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_AP_ERR_SKEW - KRB5KDC_ERR_NONE,
225 "Got wrong error.error_code");
226 free_KRB_ERROR(&error);
227 }
228 torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
229 free_AS_REQ(&test_context->as_req);
230 break;
231 }
232 return true;
233 }
234
235
236 /*
237 * This function is set in torture_krb5_init_context as krb5
238 * send_and_recv function. This allows us to override what server the
239 * test is aimed at, and to inspect the packets just before they are
240 * sent to the network, and before they are processed on the recv
241 * side.
242 *
243 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
244 * functions are implement the actual tests.
245 *
246 * When this asserts, the caller will get a spurious 'cannot contact
247 * any KDC' message.
248 *
249 */
250 static krb5_error_code smb_krb5_send_and_recv_func_override(krb5_context context,
251 void *data, /* struct torture_krb5_context */
252 krb5_krbhst_info *hi,
253 time_t timeout,
254 const krb5_data *send_buf,
255 krb5_data *recv_buf)
256 {
257 krb5_error_code k5ret;
258 bool ok;
259
260 struct torture_krb5_context *test_context
261 = talloc_get_type_abort(data, struct torture_krb5_context);
262
263 ok = torture_krb5_pre_send_test(test_context, send_buf);
264 if (ok == false) {
265 return EINVAL;
266 }
267
268 k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
269 hi, timeout, send_buf, recv_buf);
270 if (k5ret != 0) {
271 return k5ret;
272 }
273 ok = torture_krb5_post_recv_test(test_context, recv_buf);
274 if (ok == false) {
275 return EINVAL;
276 }
277
278 test_context->packet_count++;
279
280 return k5ret;
281 }
282
283 static int test_context_destructor(struct torture_krb5_context *test_context)
284 {
285 freeaddrinfo(test_context->server);
286 return 0;
287 }
288
289
290 static bool torture_krb5_init_context(struct torture_context *tctx,
291 enum torture_krb5_test test,
292 struct smb_krb5_context **smb_krb5_context)
293 {
294 const char *host = torture_setting_string(tctx, "host", NULL);
295 krb5_error_code k5ret;
296 bool ok;
297
298 struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
299 torture_assert(tctx, test_context != NULL, "Failed to allocate");
300
301 test_context->test = test;
302 test_context->tctx = tctx;
303
304 k5ret = smb_krb5_init_context(tctx, tctx->lp_ctx, smb_krb5_context);
305 torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
306
307 ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
308 torture_assert(tctx, ok, "Failed to parse target server");
309
310 talloc_set_destructor(test_context, test_context_destructor);
311
312 set_sockaddr_port(test_context->server->ai_addr, 88);
313
314 k5ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
315 smb_krb5_send_and_recv_func_override,
316 test_context);
317 torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
318 return true;
319 }
320
321 static bool torture_krb5_as_req_creds(struct torture_context *tctx,
322 struct cli_credentials *credentials,
323 enum torture_krb5_test test)
324 {
325 krb5_error_code k5ret;
326 bool ok;
327 krb5_creds my_creds;
328 krb5_principal principal;
329 struct smb_krb5_context *smb_krb5_context;
330 enum credentials_obtained obtained;
331 const char *error_string;
332 const char *password = cli_credentials_get_password(credentials);
333 krb5_get_init_creds_opt *krb_options = NULL;
334
335 ok = torture_krb5_init_context(tctx, test, &smb_krb5_context);
336 torture_assert(tctx, ok, "torture_krb5_init_context failed");
337
338 k5ret = principal_from_credentials(tctx, credentials, smb_krb5_context,
339 &principal, &obtained, &error_string);
340 torture_assert_int_equal(tctx, k5ret, 0, error_string);
341
342 switch (test)
343 {
344 case TORTURE_KRB5_TEST_PLAIN:
345 break;
346
347 case TORTURE_KRB5_TEST_PAC_REQUEST:
348 torture_assert_int_equal(tctx,
349 krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options),
350 0, "krb5_get_init_creds_opt_alloc failed");
351
352 torture_assert_int_equal(tctx,
353 krb5_get_init_creds_opt_set_pac_request(smb_krb5_context->krb5_context, krb_options, true),
354 0, "krb5_get_init_creds_opt_set_pac_request failed");
355 break;
356
357 case TORTURE_KRB5_TEST_BREAK_PW:
358 password = "NOT the password";
359 break;
360
361 case TORTURE_KRB5_TEST_CLOCK_SKEW:
362 torture_assert_int_equal(tctx,
363 krb5_set_real_time(smb_krb5_context->krb5_context, time(NULL) + 3600, 0),
364 0, "krb5_set_real_time failed");
365 break;
366
367 break;
368 }
369 k5ret = krb5_get_init_creds_password(smb_krb5_context->krb5_context, &my_creds, principal,
370 password, NULL, NULL, 0,
371 NULL, krb_options);
372 krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
373
374 switch (test)
375 {
376 case TORTURE_KRB5_TEST_PLAIN:
377 case TORTURE_KRB5_TEST_PAC_REQUEST:
378 torture_assert_int_equal(tctx, k5ret, 0, "krb5_get_init_creds_password failed");
379 break;
380
381 case TORTURE_KRB5_TEST_BREAK_PW:
382 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_PREAUTH_FAILED, "krb5_get_init_creds_password should have failed");
383 return true;
384
385 case TORTURE_KRB5_TEST_CLOCK_SKEW:
386 torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_SKEW, "krb5_get_init_creds_password should have failed");
387 return true;
388
389 }
390
391 k5ret = krb5_free_cred_contents(smb_krb5_context->krb5_context, &my_creds);
392 torture_assert_int_equal(tctx, k5ret, 0, "krb5_free_creds failed");
393
394 return true;
395 }
396
397 static bool torture_krb5_as_req_cmdline(struct torture_context *tctx)
398 {
399 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_PLAIN);
400 }
401
402 static bool torture_krb5_as_req_pac_request(struct torture_context *tctx)
403 {
404 if (torture_setting_bool(tctx, "expect_rodc", false)) {
405 torture_skip(tctx, "This test needs further investigation in the RODC case against a Windows DC, in particular with non-cached users");
406 }
407 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_PAC_REQUEST);
408 }
409
410 static bool torture_krb5_as_req_break_pw(struct torture_context *tctx)
411 {
412 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_BREAK_PW);
413 }
414
415 static bool torture_krb5_as_req_clock_skew(struct torture_context *tctx)
416 {
417 return torture_krb5_as_req_creds(tctx, cmdline_credentials, TORTURE_KRB5_TEST_CLOCK_SKEW);
418 }
419
420 NTSTATUS torture_krb5_init(void)
421 {
422 struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "krb5");
423 struct torture_suite *kdc_suite = torture_suite_create(suite, "kdc");
424 suite->description = talloc_strdup(suite, "Kerberos tests");
425 kdc_suite->description = talloc_strdup(kdc_suite, "Kerberos KDC tests");
426
427 torture_suite_add_simple_test(kdc_suite, "as-req-cmdline",
428 torture_krb5_as_req_cmdline);
429
430 torture_suite_add_simple_test(kdc_suite, "as-req-pac-request",
431 torture_krb5_as_req_pac_request);
432
433 torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
434 torture_krb5_as_req_break_pw);
435
436 torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
437 torture_krb5_as_req_clock_skew);
438
439 torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite));
440 torture_suite_add_suite(suite, kdc_suite);
441
442 torture_register_suite(suite);
443 return NT_STATUS_OK;
444 }
Samba GIT mirror