tests/kdc/ap-req.c

   1 /*
   2  * Copyright (c) 2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of KTH nor the names of its contributors may be
  18  *    used to endorse or promote products derived from this software without
  19  *    specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
  22  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  24  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
  25  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  26  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  27  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  28  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
  29  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  30  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  31  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
  32
  33 #ifdef HAVE_CONFIG_H
  34 #include <config.h>
  35 RCSID("$Id$");
  36 #endif
  37
  38 #include <sys/types.h>
  39 #include <stdio.h>
  40 #include <krb5.h>
  41 #include <err.h>
  42 #include <getarg.h>
  43 #include <roken.h>
  44
  45 static int verify_pac = 0;
  46 static int version_flag = 0;
  47 static int help_flag    = 0;
  48
  49 static struct getargs args[] = {
  50     {"verify-pac",0,    arg_flag,       &verify_pac,
  51      "verify the PAC", NULL },
  52     {"version", 0,      arg_flag,       &version_flag,
  53      "print version", NULL },
  54     {"help",    0,      arg_flag,       &help_flag,
  55      NULL, NULL }
  56 };
  57
  58 static void
  59 usage (int ret)
  60 {
  61     arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "...");
  62     exit (ret);
  63 }
  64
  65
  66 static void
  67 test_ap(krb5_context context,
  68         krb5_principal sprincipal,
  69         krb5_keytab keytab,
  70         krb5_ccache ccache,
  71         const krb5_flags client_flags)
  72 {
  73     krb5_error_code ret;
  74     krb5_auth_context client_ac = NULL, server_ac = NULL;
  75     krb5_data data;
  76     krb5_flags server_flags;
  77     krb5_ticket *ticket = NULL;
  78     int32_t server_seq, client_seq;
  79
  80     ret = krb5_mk_req_exact(context,
  81                             &client_ac,
  82                             client_flags,
  83                             sprincipal,
  84                             NULL,
  85                             ccache,
  86                             &data);
  87     if (ret)
  88         krb5_err(context, 1, ret, "krb5_mk_req_exact");
  89
  90     ret = krb5_rd_req(context,
  91                       &server_ac,
  92                       &data,
  93                       sprincipal,
  94                       keytab,
  95                       &server_flags,
  96                       &ticket);
  97     if (ret)
  98         krb5_err(context, 1, ret, "krb5_rd_req");
  99
 100
 101     if (server_flags & AP_OPTS_MUTUAL_REQUIRED) {
 102         krb5_ap_rep_enc_part *repl;
 103
 104         krb5_data_free(&data);
 105
 106         if ((client_flags & AP_OPTS_MUTUAL_REQUIRED) == 0)
 107             krb5_errx(context, 1, "client flag missing mutual req");
 108
 109         ret = krb5_mk_rep (context, server_ac, &data);
 110         if (ret)
 111             krb5_err(context, 1, ret, "krb5_mk_rep");
 112
 113         ret = krb5_rd_rep (context,
 114                            client_ac,
 115                            &data,
 116                            &repl);
 117         if (ret)
 118             krb5_err(context, 1, ret, "krb5_rd_rep");
 119
 120         krb5_free_ap_rep_enc_part (context, repl);
 121     } else {
 122         if (client_flags & AP_OPTS_MUTUAL_REQUIRED)
 123             krb5_errx(context, 1, "server flag missing mutual req");
 124     }
 125
 126     krb5_auth_getremoteseqnumber(context, server_ac, &server_seq);
 127     krb5_auth_getremoteseqnumber(context, client_ac, &client_seq);
 128     if (server_seq != client_seq)
 129         krb5_errx(context, 1, "seq num differ");
 130
 131     krb5_auth_con_getlocalseqnumber(context, server_ac, &server_seq);
 132     krb5_auth_con_getlocalseqnumber(context, client_ac, &client_seq);
 133     if (server_seq != client_seq)
 134         krb5_errx(context, 1, "seq num differ");
 135
 136     krb5_data_free(&data);
 137     krb5_auth_con_free(context, client_ac);
 138     krb5_auth_con_free(context, server_ac);
 139
 140     if (verify_pac) {
 141         krb5_pac pac;
 142
 143         ret = krb5_ticket_get_authorization_data_type(context,
 144                                                       ticket,
 145                                                       KRB5_AUTHDATA_WIN2K_PAC,
 146                                                       &data);
 147         if (ret)
 148             krb5_err(context, 1, ret, "get pac");
 149
 150         ret = krb5_pac_parse(context, data.data, data.length, &pac);
 151         if (ret)
 152             krb5_err(context, 1, ret, "pac parse");
 153
 154         krb5_pac_free(context, pac);
 155     }
 156
 157     krb5_free_ticket(context, ticket);
 158 }
 159
 160
 161 int
 162 main(int argc, char **argv)
 163 {
 164     krb5_context context;
 165     krb5_error_code ret;
 166     int optidx = 0;
 167     const char *principal, *keytab, *ccache;
 168     krb5_ccache id;
 169     krb5_keytab kt;
 170     krb5_principal sprincipal;
 171
 172     setprogname(argv[0]);
 173
 174     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 175         usage(1);
 176
 177     if (help_flag)
 178         usage (0);
 179
 180     if(version_flag){
 181         print_version(NULL);
 182         exit(0);
 183     }
 184
 185     argc -= optidx;
 186     argv += optidx;
 187
 188     if (argc < 3)
 189         usage(1);
 190
 191     principal = argv[0];
 192     keytab = argv[1];
 193     ccache = argv[2];
 194
 195     ret = krb5_init_context(&context);
 196     if (ret)
 197         errx (1, "krb5_init_context failed: %d", ret);
 198
 199     ret = krb5_cc_resolve(context, ccache, &id);
 200     if (ret)
 201         krb5_err(context, 1, ret, "krb5_cc_resolve");
 202
 203     ret = krb5_parse_name(context, principal, &sprincipal);
 204     if (ret)
 205         krb5_err(context, 1, ret, "krb5_parse_name");
 206
 207     ret = krb5_kt_resolve(context, keytab, &kt);
 208     if (ret)
 209         krb5_err(context, 1, ret, "krb5_kt_resolve");
 210
 211     test_ap(context, sprincipal, kt, id, 0);
 212     test_ap(context, sprincipal, kt, id, AP_OPTS_MUTUAL_REQUIRED);
 213
 214     krb5_cc_close(context, id);
 215     krb5_kt_close(context, kt);
 216     krb5_free_principal(context, sprincipal);
 217
 218     krb5_free_context(context);
 219
 220     return ret;
 221 }