3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 # If there is no useful db support compile in, disable test
41 ..
/db
/have-db ||
exit 77
47 keytabfile
=${objdir}/server.keytab
48 keytab
="FILE:${keytabfile}"
49 nokeytab
="FILE:no-such-keytab"
50 cache
="FILE:krb5ccfile"
52 kinit
="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
53 klist
="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache"
54 klist
="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
55 kgetcred
="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
56 kadmin
="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
57 kdc
="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
58 ktutil
="${TESTS_ENVIRONMENT} ../../admin/ktutil"
60 context
="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
62 KRB5_CONFIG
="${objdir}/krb5.conf"
75 echo Creating database
78 --realm-max-ticket-life=1day \
79 --realm-max-renewable-life=1month \
82 # add both lucid and lucid.test.h5l.se to simulate aliases
83 ${kadmin} add
-p p1
--use-defaults host
/lucid.
test.h5l.se@
${R} ||
exit 1
84 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} ||
exit 1
86 ${kadmin} add
-p p1
--use-defaults host
/ok-delegate.
test.h5l.se@
${R} ||
exit 1
87 ${kadmin} mod
--attributes=+ok-as-delegate host
/ok-delegate.
test.h5l.se@
${R} ||
exit 1
88 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} ||
exit 1
91 ${kadmin} add
-p p1
--use-defaults host
/short@
${R} ||
exit 1
92 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} ||
exit 1
93 # XXX ext should ext aliases too
94 ${kadmin} ext -k ${keytab} host/short@${R} ||
exit 1
95 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} ||
exit 1
97 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} ||
exit 1
99 ${kadmin} add
-p u1
--use-defaults user1@
${R} ||
exit 1
101 # Create a server principal with no AES
102 ${kadmin} add
-p p1
--use-defaults host
/no-aes.
test.h5l.se@
${R} ||
exit 1
103 ${kadmin} get host
/no-aes.
test.h5l.se@
${R} > tempfile ||
exit 1
104 ${kadmin} del_enctype host
/no-aes.
test.h5l.se@
${R} \
105 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 ||
exit 1
106 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} ||
exit 1
108 echo "Doing database check"
109 ${kadmin} check
${R} ||
exit 1
111 echo u1
> ${objdir}/foopassword
117 sh
${srcdir}/..
/kdc
/wait-kdc.sh
118 if [ "$?" != 0 ] ; then
123 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
125 testfailed
="echo test failed; cat messages.log; exit 1"
127 echo "Test gss_acquire_cred_with_password" ; > messages.log
128 ${context} --client-name=user1@
${R} --client-password=u1
--mech-type=krb5 \
129 host@lucid.
test.h5l.se ||
{ eval "$testfailed"; }
130 # These must fail (because wrong password)
131 ${context} --client-name=user1@
${R} --client-password=u2
--mech-type=krb5 \
132 host@lucid.
test.h5l.se
&& { eval "$testfailed"; }
133 ${context} --client-name=user1@
${R} --client-password=u2
--mech-type='' \
134 --mech-types=krb5
host@lucid.
test.h5l.se
&& { eval "$testfailed"; }
135 ${context} --client-name=user1@
${R} --client-password=u2
--mech-type=krb5 \
136 --mech-types=krb5
host@lucid.
test.h5l.se
&& { eval "$testfailed"; }
137 ${context} --client-name=user1@
${R} --client-password=u2
--mech-type=all \
138 --mech-types=krb5
host@lucid.
test.h5l.se
&& { eval "$testfailed"; }
139 ${context} --client-name=user1@
${R} --client-password=u2 \
140 --mech-type=krb5
,ntlm
--mech-types=krb5
host@lucid.
test.h5l.se \
141 && { eval "$testfailed"; }
142 # gss_acquire_cred_with_password() must not have side-effects
143 ${klist} && { eval "$testfailed"; }
145 echo "Getting client initial tickets" ; > messages.log
146 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
147 { eval "$testfailed"; }
149 echo "======test unreadable/non existant keytab and its error message" ; > messages.log
150 ${context} --mech-type=krb5
host@lucid.
test.h5l.se || \
151 { eval "$testfailed"; }
153 mv ${keytabfile} ${keytabfile}.no
155 echo "checking non existant keytabfile (krb5)" ; > messages.log
156 ${context} --mech-type=krb5
host@lucid.
test.h5l.se
> test_context.log
2>&1 && \
157 { eval "$testfailed"; }
158 grep ${keytabfile} test_context.log
> /dev
/null || \
159 { echo "string missing failed"; cat test_context.log
; eval "$testfailed"; }
160 echo "checking non existant keytabfile (spengo)" ; > messages.log
161 ${context} --mech-type=spnego
host@lucid.
test.h5l.se
> test_context.log
2>&1 && \
162 { eval "$testfailed"; }
163 grep ${keytabfile} test_context.log
> /dev
/null || \
164 { echo "string missing failed"; cat test_context.log
; eval "$testfailed"; }
166 mv ${keytabfile}.no
${keytabfile}
168 echo "======test naming combinations"
169 echo "plain" ; > messages.log
170 ${context} --name-type=hostbased-service
host@lucid.
test.h5l.se || \
171 { eval "$testfailed"; }
172 echo "plain w/ short-form hostname" ; > messages.log
173 ${context} --name-type=hostbased-service
host@lucid || \
174 { eval "$testfailed"; }
175 echo "plain (krb5)" ; > messages.log
176 ${context} --name-type=krb5-principal-name host
/lucid.
test.h5l.se@
${R} || \
177 { eval "$testfailed"; }
178 echo "plain (krb5 realmless)" ; > messages.log
179 ${context} --name-type=krb5-principal-name host
/lucid.
test.h5l.se || \
180 { eval "$testfailed"; }
181 echo "plain (krb5 realmless short-form should fail)" ; > messages.log
182 ${context} --name-type=krb5-principal-name host
/lucid
2>/dev
/null
&& \
183 { eval "$testfailed"; }
184 echo "creating short-form princ"
185 ${kadmin} add
-p p1
--use-defaults host
/lucid@
${R} ||
exit 1
186 ${kadmin} ext -k ${keytab} host/lucid@${R} ||
exit 1
187 echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
188 #${context} --dns-canon host@lucid.test.h5l.se || \
189 # { eval "$testfailed"; }
190 echo "dns canon off (long name)" ; > messages.log
191 ${context} --no-dns-canon host@lucid.
test.h5l.se || \
192 { eval "$testfailed"; }
193 echo "dns canon off (short name)" ; > messages.log
194 ${context} --no-dns-canon host@lucid || \
195 { eval "$testfailed"; }
196 echo "dns canon off (short name, krb5)" ; > messages.log
197 ${context} --no-dns-canon --name-type=krb5-principal-name host
/lucid@
${R} || \
198 { eval "$testfailed"; }
199 echo "dns canon off (short name, krb5)" ; > messages.log
200 ${context} --no-dns-canon --name-type=krb5-principal-name host
/lucid || \
201 { eval "$testfailed"; }
203 echo "======test context building"
204 for mech
in krb5 krb5iov spnego spnegoiov
; do
205 if [ "$mech" = "krb5iov" ] ; then
209 if [ "$mech" = "spnegoiov" ] ; then
214 echo "${mech} no-mutual ${iov}" ; > messages.log
215 ${context} --mech-type=${mech} \
216 --wrapunwrap ${iov} \
217 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
218 { eval "$testfailed"; }
220 echo "${mech} mutual ${iov}" ; > messages.log
221 ${context} --mech-type=${mech} \
223 --wrapunwrap ${iov} \
224 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
225 { eval "$testfailed"; }
227 echo "${mech} delegate ${iov}" ; > messages.log
228 ${context} --mech-type=${mech} \
230 --wrapunwrap ${iov} \
231 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
232 { eval "$testfailed"; }
234 echo "${mech} mutual delegate ${iov}" ; > messages.log
235 ${context} --mech-type=${mech} \
236 --mutual --delegate \
237 --wrapunwrap ${iov} \
238 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
239 { eval "$testfailed"; }
242 echo "======dce-style"
243 for mech
in krb5 krb5iov spnego
; do
245 if [ "$mech" = "krb5iov" ] ; then
249 if [ "$mech" = "spnegoiov" ] ; then
254 echo "${mech}: dce-style ${iov}" ; > messages.log
256 --mech-type=${mech} \
259 --wrapunwrap ${iov} \
260 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
261 { eval "$testfailed"; }
265 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
267 cp ${keytabfile} ${keytabfile}.new
268 for mech
in krb5 spnego
; do
269 echo "${mech}: acceptor_identity positive" ; > messages.log
270 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
271 --mech-type=$mech host@lucid.
test.h5l.se || \
272 { eval "$testfailed"; }
274 echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
275 ${context} --gsskrb5-acceptor-identity=FILE
:${keytabfile}.new \
276 --mech-type=$mech host@lucid.
test.h5l.se || \
277 { eval "$testfailed"; }
279 echo "${mech}: acceptor_identity negative" ; > messages.log
280 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
281 --mech-type=$mech host@lucid.
test.h5l.se
2>/dev
/null
&& \
282 { eval "$testfailed"; }
288 #echo "sasl-digest-md5"
289 #${context} --mech-type=sasl-digest-md5 \
290 # --name-type=hostbased-service \
291 # host@lucid.test.h5l.se || \
292 # { eval "$testfailed"; }
295 echo "====== gss-api session key check"
297 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
298 coolenctype
="aes256-cts-hmac-sha1-96"
299 limit_enctype
="des3-cbc-sha1"
301 echo "Getting client initial tickets" ; > messages.log
302 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
303 { eval "$testfailed"; }
306 echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
310 --session-enctype=${coolenctype} \
311 --name-type=hostbased-service
host@no-aes.
test.h5l.se || \
312 { eval "$testfailed"; }
314 echo "Building context on cred, check if its limited still" ; > messages.log
317 --client-name=user1@
${R} \
318 --limit-enctype="${limit_enctype}" \
320 --name-type=hostbased-service
host@no-aes.
test.h5l.se || \
321 { eval "$testfailed"; }
324 echo "====== ok-as-delegate"
326 echo "Getting client initial tickets" ; > messages.log
327 ${kinit} --forwardable \
328 --password-file=${objdir}/foopassword user1@
${R} || \
329 { eval "$testfailed"; }
331 echo "ok-as-delegate not used" ; > messages.log
335 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
336 { eval "$testfailed"; }
338 echo "host without ok-as-delegate with policy-delegate" ; > messages.log
342 --server-no-delegate \
343 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
344 { eval "$testfailed"; }
346 echo "ok-as-delegate used by policy" ; > messages.log
350 --name-type=hostbased-service
host@ok-delegate.
test.h5l.se || \
351 { eval "$testfailed"; }
353 echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
354 ${kinit} --ok-as-delegate --forwardable \
355 --password-file=${objdir}/foopassword user1@
${R} || \
356 { eval "$testfailed"; }
358 echo "policy delegate to non delegate host" ; > messages.log
362 --server-no-delegate \
363 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
364 { eval "$testfailed"; }
366 echo "ok-as-delegate" ; > messages.log
370 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
371 { eval "$testfailed"; }
373 echo "======export/import cred"
375 echo "export-import cred (krb5)" ; > messages.log
379 --export-import-cred \
380 --name-type=hostbased-service
host@ok-delegate.
test.h5l.se || \
381 { eval "$testfailed"; }
383 echo "export-import cred (spnego)" ; > messages.log
387 --export-import-cred \
388 --name-type=hostbased-service
host@ok-delegate.
test.h5l.se || \
389 { eval "$testfailed"; }
392 echo "======time diffs between client and server"
394 echo "Getting client initial ticket" ; > messages.log
395 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
396 { eval "$testfailed"; }
398 echo "No time offset" ; > messages.log
401 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
402 { eval "$testfailed"; }
404 echo "Getting client initial ticket" ; > messages.log
405 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
406 { eval "$testfailed"; }
408 echo "Server time offset" ; > messages.log
412 --server-time-offset=3600 \
414 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
415 { eval "$testfailed"; }
417 echo "Server time offset (cached ?)" ; > messages.log
421 --server-time-offset=3600 \
423 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
424 { eval "$testfailed"; }
426 echo "Getting client initial ticket" ; > messages.log
427 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
428 { eval "$testfailed"; }
429 # Pre-poplute the cache since tgs-req will fail since our time is wrong
430 ${kgetcred} host
/lucid.
test.h5l.se@
${R} || \
431 { eval "$testfailed"; }
433 echo "Client time offset" ; > messages.log
437 --client-time-offset=3600 \
438 --name-type=hostbased-service
host@lucid.
test.h5l.se || \
439 { eval "$testfailed"; }
441 echo "Getting client initial tickets (use-referrals)" ; > messages.log
443 --password-file=${objdir}/foopassword \
444 --use-referrals user1@
${R} || \
445 { eval "$testfailed"; }
447 # XXX these tests really need to use somethat that resolve to something
451 { eval "$testfailed"; }
455 --name-type=krb5-principal-name host
/short || \
456 { eval "$testfailed"; }
460 host@long.
test.h5l.se || \
461 { eval "$testfailed"; }
465 --name-type=krb5-principal-name \
466 host
/long.
test.h5l.se || \
467 { eval "$testfailed"; }
471 echo "killing kdc (${kdcpid})"
472 kill ${kdcpid} 2> /dev
/null