Drop changing the password, really need kadmin/ldap support to do it
[Samba.git] / lib / krb5 / test_ap-req.c
blobd32ae4849a53586ddd8b6e10aca85ba3e328bed5
1 /*
2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of KTH nor the names of its contributors may be
18 * used to endorse or promote products derived from this software without
19 * specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
33 #include <config.h>
35 #include <sys/types.h>
36 #include <stdio.h>
37 #include <krb5.h>
38 #include <err.h>
39 #include <getarg.h>
40 #include <roken.h>
42 static int verify_pac = 0;
43 static int server_any = 0;
44 static int version_flag = 0;
45 static int help_flag = 0;
47 static struct getargs args[] = {
48 {"verify-pac",0, arg_flag, &verify_pac,
49 "verify the PAC", NULL },
50 {"server-any",0, arg_flag, &server_any,
51 "let server pick the principal", NULL },
52 {"version", 0, arg_flag, &version_flag,
53 "print version", NULL },
54 {"help", 0, arg_flag, &help_flag,
55 NULL, NULL }
58 static void
59 usage (int ret)
61 arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "...");
62 exit (ret);
66 static void
67 test_ap(krb5_context context,
68 krb5_principal target,
69 krb5_principal server,
70 krb5_keytab keytab,
71 krb5_ccache ccache,
72 const krb5_flags client_flags)
74 krb5_error_code ret;
75 krb5_auth_context client_ac = NULL, server_ac = NULL;
76 krb5_data data;
77 krb5_flags server_flags;
78 krb5_ticket *ticket = NULL;
79 int32_t server_seq, client_seq;
81 ret = krb5_mk_req_exact(context,
82 &client_ac,
83 client_flags,
84 target,
85 NULL,
86 ccache,
87 &data);
88 if (ret)
89 krb5_err(context, 1, ret, "krb5_mk_req_exact");
91 ret = krb5_rd_req(context,
92 &server_ac,
93 &data,
94 server,
95 keytab,
96 &server_flags,
97 &ticket);
98 if (ret)
99 krb5_err(context, 1, ret, "krb5_rd_req");
102 if (server_flags & AP_OPTS_MUTUAL_REQUIRED) {
103 krb5_ap_rep_enc_part *repl;
105 krb5_data_free(&data);
107 if ((client_flags & AP_OPTS_MUTUAL_REQUIRED) == 0)
108 krb5_errx(context, 1, "client flag missing mutual req");
110 ret = krb5_mk_rep (context, server_ac, &data);
111 if (ret)
112 krb5_err(context, 1, ret, "krb5_mk_rep");
114 ret = krb5_rd_rep (context,
115 client_ac,
116 &data,
117 &repl);
118 if (ret)
119 krb5_err(context, 1, ret, "krb5_rd_rep");
121 krb5_free_ap_rep_enc_part (context, repl);
122 } else {
123 if (client_flags & AP_OPTS_MUTUAL_REQUIRED)
124 krb5_errx(context, 1, "server flag missing mutual req");
127 krb5_auth_getremoteseqnumber(context, server_ac, &server_seq);
128 krb5_auth_getremoteseqnumber(context, client_ac, &client_seq);
129 if (server_seq != client_seq)
130 krb5_errx(context, 1, "seq num differ");
132 krb5_auth_con_getlocalseqnumber(context, server_ac, &server_seq);
133 krb5_auth_con_getlocalseqnumber(context, client_ac, &client_seq);
134 if (server_seq != client_seq)
135 krb5_errx(context, 1, "seq num differ");
137 krb5_data_free(&data);
138 krb5_auth_con_free(context, client_ac);
139 krb5_auth_con_free(context, server_ac);
141 if (verify_pac) {
142 krb5_pac pac;
144 ret = krb5_ticket_get_authorization_data_type(context,
145 ticket,
146 KRB5_AUTHDATA_WIN2K_PAC,
147 &data);
148 if (ret)
149 krb5_err(context, 1, ret, "get pac");
151 ret = krb5_pac_parse(context, data.data, data.length, &pac);
152 if (ret)
153 krb5_err(context, 1, ret, "pac parse");
155 krb5_pac_free(context, pac);
158 krb5_free_ticket(context, ticket);
163 main(int argc, char **argv)
165 krb5_context context;
166 krb5_error_code ret;
167 int optidx = 0;
168 const char *principal, *keytab, *ccache;
169 krb5_ccache id;
170 krb5_keytab kt;
171 krb5_principal sprincipal, server;
173 setprogname(argv[0]);
175 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
176 usage(1);
178 if (help_flag)
179 usage (0);
181 if(version_flag){
182 print_version(NULL);
183 exit(0);
186 argc -= optidx;
187 argv += optidx;
189 if (argc < 3)
190 usage(1);
192 principal = argv[0];
193 keytab = argv[1];
194 ccache = argv[2];
196 ret = krb5_init_context(&context);
197 if (ret)
198 errx (1, "krb5_init_context failed: %d", ret);
200 ret = krb5_cc_resolve(context, ccache, &id);
201 if (ret)
202 krb5_err(context, 1, ret, "krb5_cc_resolve");
204 ret = krb5_parse_name(context, principal, &sprincipal);
205 if (ret)
206 krb5_err(context, 1, ret, "krb5_parse_name");
208 ret = krb5_kt_resolve(context, keytab, &kt);
209 if (ret)
210 krb5_err(context, 1, ret, "krb5_kt_resolve");
212 if (server_any)
213 server = NULL;
214 else
215 server = sprincipal;
217 test_ap(context, sprincipal, server, kt, id, 0);
218 test_ap(context, sprincipal, server, kt, id, AP_OPTS_MUTUAL_REQUIRED);
220 krb5_cc_close(context, id);
221 krb5_kt_close(context, kt);
222 krb5_free_principal(context, sprincipal);
224 krb5_free_context(context);
226 return ret;