tests/kdc/check-digest.in

   1 #!/bin/sh
   2 #
   3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
   4 # (Royal Institute of Technology, Stockholm, Sweden).
   5 # All rights reserved.
   6 #
   7 # Redistribution and use in source and binary forms, with or without
   8 # modification, are permitted provided that the following conditions
   9 # are met:
  10 #
  11 # 1. Redistributions of source code must retain the above copyright
  12 #    notice, this list of conditions and the following disclaimer.
  13 #
  14 # 2. Redistributions in binary form must reproduce the above copyright
  15 #    notice, this list of conditions and the following disclaimer in the
  16 #    documentation and/or other materials provided with the distribution.
  17 #
  18 # 3. Neither the name of the Institute nor the names of its contributors
  19 #    may be used to endorse or promote products derived from this software
  20 #    without specific prior written permission.
  21 #
  22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  25 # ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  32 # SUCH DAMAGE.
  33 #
  34 # $Id$
  35 #
  36
  37 srcdir="@srcdir@"
  38 objdir="@objdir@"
  39
  40 # If there is no useful db support compile in, disable test
  41 ../db/have-db || exit 77
  42
  43 R=TEST.H5L.SE
  44
  45 port=@port@
  46
  47 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
  48 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
  49
  50 server=host/datan.test.h5l.se
  51 cache="FILE:${objdir}/cache.krb5"
  52 ocache="FILE:${objdir}/ocache.krb5"
  53 keytabfile=${objdir}/server.keytab
  54 keytab="FILE:${keytabfile}"
  55
  56 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
  57 klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
  58 kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest --ccache=$cache"
  59 test_ntlm="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_ntlm"
  60 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
  61
  62 username=foo
  63 userpassword=digestpassword
  64
  65 password=foobarbaz
  66
  67 KRB5_CONFIG="${objdir}/krb5.conf"
  68 export KRB5_CONFIG
  69
  70 rm -f ${keytabfile}
  71 rm -f current-db*
  72 rm -f out-*
  73 rm -f mkey.file*
  74
  75 > messages.log
  76
  77 echo Creating database
  78 ${kadmin} \
  79     init \
  80     --realm-max-ticket-life=1day \
  81     --realm-max-renewable-life=1month \
  82     ${R} || exit 1
  83
  84 ${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
  85 ${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
  86 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
  87 ${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
  88 ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
  89
  90 echo "Doing database check"
  91 ${kadmin} check ${R} || exit 1
  92
  93 echo $password > ${objdir}/foopassword
  94
  95 echo Starting kdc
  96 env \
  97 MallocStackLogging=1 \
  98 MallocStackLoggingNoCompact=1 \
  99 MallocErrorAbort=1 \
 100 MallocLogFile=${objdir}/malloc-log \
 101 ${kdc} &
 102 kdcpid=$!
 103
 104 sh ${srcdir}/wait-kdc.sh
 105 if [ "$?" != 0 ] ; then
 106     kill -9 ${kdcpid}
 107     exit 1
 108 fi
 109
 110 trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
 111
 112 exitcode=0
 113
 114 echo "Getting digest server tickets"
 115 ${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
 116 ${kdigest} digest-server-init \
 117     --kerberos-realm=${R} \
 118     --type=CHAP > /dev/null || exitcode=1
 119
 120 echo "Trying NTLM"
 121
 122 NTLM_ACCEPTOR_CCACHE="$cache"
 123 export NTLM_ACCEPTOR_CCACHE
 124
 125 echo "Trying server-init"
 126 echo ${kdigest} ntlm-server-init \
 127     --kerberos-realm=${R} \
 128     > sdigest-init || exitcode=1
 129
 130 echo "test_ntlm"
 131 ${test_ntlm} || { echo "test_ntlm failed"; exit 1; }
 132
 133 NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
 134 export NTLM_USER_FILE
 135
 136 echo "test_context --mech-type=ntlm"
 137 ${context} --mech-type=ntlm \
 138             --name-type=hostbased-service datan@TEST || \
 139                 { echo "test_context 1 failed"; exit 1; }
 140
 141 ${context} --mech-type=ntlm \
 142             --name-type=hostbased-service datan@host.TEST || \
 143                 { echo "test_context 2 failed"; exit 1; }
 144
 145 ${context} --mech-type=ntlm \
 146             --name-type=hostbased-service datan@host.test.domain2 || \
 147                 { echo "test_context 3 failed"; exit 1; }
 148
 149 ${context} --mech-type=ntlm \
 150             --name-type=hostbased-service datan@host.foo 2>/dev/null && \
 151                 { echo "test_context 4 failed"; exit 1; }
 152
 153 echo "Trying SL in NTLM"
 154
 155
 156 for type in \
 157     "" \
 158     "--getverifymic" \
 159     "--wrapunwrap" \
 160     "--getverifymic --wrapunwrap" \
 161     ; do
 162
 163         echo "Trying NTLM type: ${type}"
 164         ${context} --mech-type=ntlm ${type} \
 165             --name-type=hostbased-service datan@TEST || \
 166             { echo "test_context 1 failed"; exit 1; }
 167
 168 done
 169
 170
 171 echo "Trying CHAP"
 172
 173 ${kdigest} digest-server-init \
 174     --kerberos-realm=${R} \
 175     --type=CHAP \
 176     > sdigest-reply || exitcode=1
 177
 178 snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
 179 identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
 180 opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
 181
 182 ${kdigest} digest-client-request \
 183     --type=CHAP \
 184     --username="$username"  \
 185     --password="$userpassword"  \
 186     --opaque="$opaque"  \
 187     --server-identifier="$identifier"  \
 188     --server-nonce="$snonce" \
 189     > cdigest-reply || exitcode=1
 190
 191 cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
 192
 193 #echo user: $username
 194 #echo server-nonce: $snonce
 195 #echo opaqeue: $opaque
 196 #echo identifier: $identifier
 197
 198 ${kdigest} digest-server-request \
 199     --kerberos-realm=${R} \
 200     --type=CHAP \
 201     --username="$username"  \
 202     --opaque="$opaque"  \
 203     --client-response="$cresponseData"  \
 204     --server-identifier="$identifier"  \
 205     --server-nonce="$snonce"  \
 206     > s2digest-reply || exitcode=1
 207
 208 status=`grep status= s2digest-reply | cut -f2- -d=`
 209
 210 if test "X$status" = "Xok" ; then
 211     echo "CHAP response ok"
 212 else
 213     echo "CHAP response failed"
 214     exitcode=1
 215 fi
 216
 217 cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`
 218
 219 ${kdigest} digest-server-request \
 220     --kerberos-realm=${R} \
 221     --type=CHAP \
 222     --username="$username"  \
 223     --opaque="$opaque"  \
 224     --client-response="$cresponseData" \
 225     --server-identifier="$identifier"  \
 226     --server-nonce="$snonce"  \
 227     > s2digest-reply || exitcode=1
 228
 229 status=`grep status= s2digest-reply | cut -f2- -d=`
 230
 231 if test "X$status" = "Xfailed" ; then
 232     echo "CHAP response fail as it should"
 233 else
 234     echo "CHAP response succeeded errorously"
 235     exitcode=1
 236 fi
 237
 238 echo "Trying MS-CHAP-V2"
 239
 240 ${kdigest} digest-server-init \
 241     --kerberos-realm=${R} \
 242     --type=MS-CHAP-V2 \
 243     > sdigest-reply || exitcode=1
 244
 245 snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
 246 opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
 247 cnonce="21402324255E262A28295F2B3A337C7E"
 248
 249 echo "MS-CHAP-V2 client request"
 250 ${kdigest} digest-client-request \
 251     --type=MS-CHAP-V2 \
 252     --username="$username"  \
 253     --password="$userpassword"  \
 254     --opaque="$opaque"  \
 255     --client-nonce="$cnonce"  \
 256     --server-nonce="$snonce" \
 257     > cdigest-reply || exitcode=1
 258
 259 cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
 260 cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
 261 ckey=`grep session-key= cdigest-reply | cut -f2- -d=`
 262
 263 ${kdigest} digest-server-request \
 264     --kerberos-realm=${R} \
 265     --type=MS-CHAP-V2 \
 266     --username="$username"  \
 267     --opaque="$opaque"  \
 268     --client-response="$cresponseData"  \
 269     --client-nonce="$cnonce"  \
 270     --server-nonce="$snonce"  \
 271     > s2digest-reply || exitcode=1
 272
 273 status=`grep status= s2digest-reply | cut -f2- -d=`
 274 sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
 275 skey=`grep session-key= s2digest-reply | cut -f2- -d=`
 276
 277 if test "X$sRsp" != "X$cRsp" ; then
 278     echo "rsp wrong $sRsp != $cRsp"
 279     exitcode=1
 280 fi
 281
 282 if test "X$skey" != "X$ckey" ; then
 283     echo "rsp wrong"
 284     exitcode=1
 285 fi
 286
 287 if test "X$status" = "Xok" ; then
 288     echo "MS-CHAP-V2 response ok"
 289 else
 290     echo "MS-CHAP-V2 response failed"
 291     exitcode=1
 292 fi
 293
 294 trap "" EXIT
 295
 296 echo "killing kdc (${kdcpid})"
 297 sh ${srcdir}/leaks-kill.sh kdc $kdcpid || exit 1
 298
 299 exit $exitcode
 300