search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
coverity 1164162
[heimdal.git] / tests / gss / check-context.in
blob24277d58a1a15315043f45cfe5d9812e5c6088a7
1 #!/bin/sh
2 #
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
6 #
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
10 #
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
13 #
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
17 #
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
21 #
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
33 #
34 # $Id$
35 #
36
37 srcdir="@srcdir@"
38 objdir="@objdir@"
39
40 # If there is no useful db support compile in, disable test
41 ../db/have-db || exit 77
42
43 R=TEST.H5L.SE
44
45 port=@port@
46
47 keytabfile=${objdir}/server.keytab
48 keytab="FILE:${keytabfile}"
49 nokeytab="FILE:no-such-keytab"
50 cache="FILE:krb5ccfile"
51
52 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
53 klist="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache"
54 klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
55 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
56 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
57 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
58 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
59
60 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
61
62 KRB5_CONFIG="${objdir}/krb5.conf"
63 export KRB5_CONFIG
64
65 KRB5CCNAME=${cache}
66 export KRB5CCNAME
67
68 rm -f ${keytabfile}
69 rm -f current-db*
70 rm -f out-*
71 rm -f mkey.file*
72
73 > messages.log
74
75 echo Creating database
76 ${kadmin} \
77 init \
78 --realm-max-ticket-life=1day \
79 --realm-max-renewable-life=1month \
80 ${R} || exit 1
81
82 # add both lucid and lucid.test.h5l.se to simulate aliases
83 ${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
84 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
85
86 ${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
87 ${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
88 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
89
90
91 ${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
92 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
93 # XXX ext should ext aliases too
94 ${kadmin} ext -k ${keytab} host/short@${R} || exit 1
95 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
96
97 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
98
99 ${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
100
101 # Create a server principal with no AES
102 ${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
103 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
104 ${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
105 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
106 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
107
108 echo "Doing database check"
109 ${kadmin} check ${R} || exit 1
110
111 echo u1 > ${objdir}/foopassword
112
113 echo Starting kdc
114 ${kdc} &
115 kdcpid=$!
116
117 sh ${srcdir}/../kdc/wait-kdc.sh
118 if [ "$?" != 0 ] ; then
119 kill ${kdcpid}
120 exit 1
121 fi
122
123 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
124
125 testfailed="echo test failed; cat messages.log; exit 1"
126
127 echo "Test gss_acquire_cred_with_password" ; > messages.log
128 ${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
129 host@lucid.test.h5l.se || { eval "$testfailed"; }
130 # These must fail (because wrong password)
131 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
132 host@lucid.test.h5l.se && { eval "$testfailed"; }
133 ${context} --client-name=user1@${R} --client-password=u2 --mech-type='' \
134 --mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
135 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
136 --mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
137 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=all \
138 --mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
139 ${context} --client-name=user1@${R} --client-password=u2 \
140 --mech-type=krb5,ntlm --mech-types=krb5 host@lucid.test.h5l.se \
141 && { eval "$testfailed"; }
142 # gss_acquire_cred_with_password() must not have side-effects
143 ${klist} && { eval "$testfailed"; }
144
145 echo "Getting client initial tickets" ; > messages.log
146 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
147 { eval "$testfailed"; }
148
149 echo "======test unreadable/non existant keytab and its error message" ; > messages.log
150 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
151 { eval "$testfailed"; }
152
153 mv ${keytabfile} ${keytabfile}.no
154
155 echo "checking non existant keytabfile (krb5)" ; > messages.log
156 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
157 { eval "$testfailed"; }
158 grep ${keytabfile} test_context.log > /dev/null || \
159 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
160 echo "checking non existant keytabfile (spengo)" ; > messages.log
161 ${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
162 { eval "$testfailed"; }
163 grep ${keytabfile} test_context.log > /dev/null || \
164 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
165
166 mv ${keytabfile}.no ${keytabfile}
167
168 echo "======test naming combinations"
169 echo "plain" ; > messages.log
170 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
171 { eval "$testfailed"; }
172 echo "plain w/ short-form hostname" ; > messages.log
173 ${context} --name-type=hostbased-service host@lucid || \
174 { eval "$testfailed"; }
175 echo "plain (krb5)" ; > messages.log
176 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
177 { eval "$testfailed"; }
178 echo "plain (krb5 realmless)" ; > messages.log
179 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
180 { eval "$testfailed"; }
181 echo "plain (krb5 realmless short-form should fail)" ; > messages.log
182 ${context} --name-type=krb5-principal-name host/lucid 2>/dev/null && \
183 { eval "$testfailed"; }
184 echo "creating short-form princ"
185 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
186 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
187 echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
188 #${context} --dns-canon host@lucid.test.h5l.se || \
189 # { eval "$testfailed"; }
190 echo "dns canon off (long name)" ; > messages.log
191 ${context} --no-dns-canon host@lucid.test.h5l.se || \
192 { eval "$testfailed"; }
193 echo "dns canon off (short name)" ; > messages.log
194 ${context} --no-dns-canon host@lucid || \
195 { eval "$testfailed"; }
196 echo "dns canon off (short name, krb5)" ; > messages.log
197 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
198 { eval "$testfailed"; }
199 echo "dns canon off (short name, krb5)" ; > messages.log
200 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
201 { eval "$testfailed"; }
202
203 echo "======test context building"
204 for mech in krb5 krb5iov spnego spnegoiov; do
205 if [ "$mech" = "krb5iov" ] ; then
206 mech="krb5"
207 iov="--iov"
208 fi
209 if [ "$mech" = "spnegoiov" ] ; then
210 mech="spnego"
211 iov="--iov"
212 fi
213
214 echo "${mech} no-mutual ${iov}" ; > messages.log
215 ${context} --mech-type=${mech} \
216 --wrapunwrap ${iov} \
217 --name-type=hostbased-service host@lucid.test.h5l.se || \
218 { eval "$testfailed"; }
219
220 echo "${mech} mutual ${iov}" ; > messages.log
221 ${context} --mech-type=${mech} \
222 --mutual \
223 --wrapunwrap ${iov} \
224 --name-type=hostbased-service host@lucid.test.h5l.se || \
225 { eval "$testfailed"; }
226
227 echo "${mech} delegate ${iov}" ; > messages.log
228 ${context} --mech-type=${mech} \
229 --delegate \
230 --wrapunwrap ${iov} \
231 --name-type=hostbased-service host@lucid.test.h5l.se || \
232 { eval "$testfailed"; }
233
234 echo "${mech} mutual delegate ${iov}" ; > messages.log
235 ${context} --mech-type=${mech} \
236 --mutual --delegate \
237 --wrapunwrap ${iov} \
238 --name-type=hostbased-service host@lucid.test.h5l.se || \
239 { eval "$testfailed"; }
240 done
241
242 echo "======dce-style"
243 for mech in krb5 krb5iov spnego; do
244 iov=""
245 if [ "$mech" = "krb5iov" ] ; then
246 mech="krb5"
247 iov="--iov"
248 fi
249 if [ "$mech" = "spnegoiov" ] ; then
250 mech="spnego"
251 iov="--iov"
252 fi
253
254 echo "${mech}: dce-style ${iov}" ; > messages.log
255 ${context} \
256 --mech-type=${mech} \
257 --mutual \
258 --dce-style \
259 --wrapunwrap ${iov} \
260 --name-type=hostbased-service host@lucid.test.h5l.se || \
261 { eval "$testfailed"; }
262
263 done
264
265 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
266
267 cp ${keytabfile} ${keytabfile}.new
268 for mech in krb5 spnego; do
269 echo "${mech}: acceptor_identity positive" ; > messages.log
270 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
271 --mech-type=$mech host@lucid.test.h5l.se || \
272 { eval "$testfailed"; }
273
274 echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
275 ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
276 --mech-type=$mech host@lucid.test.h5l.se || \
277 { eval "$testfailed"; }
278
279 echo "${mech}: acceptor_identity negative" ; > messages.log
280 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
281 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
282 { eval "$testfailed"; }
283 done
284
285 rm ${keytabfile}.new
286
287
288 #echo "sasl-digest-md5"
289 #${context} --mech-type=sasl-digest-md5 \
290 # --name-type=hostbased-service \
291 # host@lucid.test.h5l.se || \
292 # { eval "$testfailed"; }
293
294
295 echo "====== gss-api session key check"
296
297 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
298 coolenctype="aes256-cts-hmac-sha1-96"
299 limit_enctype="des3-cbc-sha1"
300
301 echo "Getting client initial tickets" ; > messages.log
302 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
303 { eval "$testfailed"; }
304
305
306 echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
307 ${context} \
308 --mech-type=krb5 \
309 --mutual-auth \
310 --session-enctype=${coolenctype} \
311 --name-type=hostbased-service host@no-aes.test.h5l.se || \
312 { eval "$testfailed"; }
313
314 echo "Building context on cred, check if its limited still" ; > messages.log
315 ${context} \
316 --mech-type=krb5 \
317 --client-name=user1@${R} \
318 --limit-enctype="${limit_enctype}" \
319 --mutual-auth \
320 --name-type=hostbased-service host@no-aes.test.h5l.se || \
321 { eval "$testfailed"; }
322
323
324 echo "====== ok-as-delegate"
325
326 echo "Getting client initial tickets" ; > messages.log
327 ${kinit} --forwardable \
328 --password-file=${objdir}/foopassword user1@${R} || \
329 { eval "$testfailed"; }
330
331 echo "ok-as-delegate not used" ; > messages.log
332 ${context} \
333 --mech-type=krb5 \
334 --delegate \
335 --name-type=hostbased-service host@lucid.test.h5l.se || \
336 { eval "$testfailed"; }
337
338 echo "host without ok-as-delegate with policy-delegate" ; > messages.log
339 ${context} \
340 --mech-type=krb5 \
341 --policy-delegate \
342 --server-no-delegate \
343 --name-type=hostbased-service host@lucid.test.h5l.se || \
344 { eval "$testfailed"; }
345
346 echo "ok-as-delegate used by policy" ; > messages.log
347 ${context} \
348 --mech-type=krb5 \
349 --policy-delegate \
350 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
351 { eval "$testfailed"; }
352
353 echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
354 ${kinit} --ok-as-delegate --forwardable \
355 --password-file=${objdir}/foopassword user1@${R} || \
356 { eval "$testfailed"; }
357
358 echo "policy delegate to non delegate host" ; > messages.log
359 ${context} \
360 --mech-type=krb5 \
361 --policy-delegate \
362 --server-no-delegate \
363 --name-type=hostbased-service host@lucid.test.h5l.se || \
364 { eval "$testfailed"; }
365
366 echo "ok-as-delegate" ; > messages.log
367 ${context} \
368 --mech-type=krb5 \
369 --delegate \
370 --name-type=hostbased-service host@lucid.test.h5l.se || \
371 { eval "$testfailed"; }
372
373 echo "======export/import cred"
374
375 echo "export-import cred (krb5)" ; > messages.log
376 ${context} \
377 --mech-type=krb5 \
378 --delegate \
379 --export-import-cred \
380 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
381 { eval "$testfailed"; }
382
383 echo "export-import cred (spnego)" ; > messages.log
384 ${context} \
385 --mech-type=spnego \
386 --delegate \
387 --export-import-cred \
388 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
389 { eval "$testfailed"; }
390
391
392 echo "======time diffs between client and server"
393
394 echo "Getting client initial ticket" ; > messages.log
395 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
396 { eval "$testfailed"; }
397
398 echo "No time offset" ; > messages.log
399 ${context} \
400 --mech-type=krb5 \
401 --name-type=hostbased-service host@lucid.test.h5l.se || \
402 { eval "$testfailed"; }
403
404 echo "Getting client initial ticket" ; > messages.log
405 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
406 { eval "$testfailed"; }
407
408 echo "Server time offset" ; > messages.log
409 ${context} \
410 --mech-type=krb5 \
411 --mutual-auth \
412 --server-time-offset=3600 \
413 --max-loops=3 \
414 --name-type=hostbased-service host@lucid.test.h5l.se || \
415 { eval "$testfailed"; }
416
417 echo "Server time offset (cached ?)" ; > messages.log
418 ${context} \
419 --mech-type=krb5 \
420 --mutual-auth \
421 --server-time-offset=3600 \
422 --max-loops=2 \
423 --name-type=hostbased-service host@lucid.test.h5l.se || \
424 { eval "$testfailed"; }
425
426 echo "Getting client initial ticket" ; > messages.log
427 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
428 { eval "$testfailed"; }
429 # Pre-poplute the cache since tgs-req will fail since our time is wrong
430 ${kgetcred} host/lucid.test.h5l.se@${R} || \
431 { eval "$testfailed"; }
432
433 echo "Client time offset" ; > messages.log
434 ${context} \
435 --mech-type=krb5 \
436 --mutual-auth \
437 --client-time-offset=3600 \
438 --name-type=hostbased-service host@lucid.test.h5l.se || \
439 { eval "$testfailed"; }
440
441 echo "Getting client initial tickets (use-referrals)" ; > messages.log
442 ${kinit} \
443 --password-file=${objdir}/foopassword \
444 --use-referrals user1@${R} || \
445 { eval "$testfailed"; }
446
447 # XXX these tests really need to use somethat that resolve to something
448 ${context} \
449 --mech-type=krb5 \
450 host@short || \
451 { eval "$testfailed"; }
452
453 ${context} \
454 --mech-type=krb5 \
455 --name-type=krb5-principal-name host/short || \
456 { eval "$testfailed"; }
457
458 ${context} \
459 --mech-type=krb5 \
460 host@long.test.h5l.se || \
461 { eval "$testfailed"; }
462
463 ${context} \
464 --mech-type=krb5 \
465 --name-type=krb5-principal-name \
466 host/long.test.h5l.se || \
467 { eval "$testfailed"; }
468
469 trap "" EXIT
470
471 echo "killing kdc (${kdcpid})"
472 kill ${kdcpid} 2> /dev/null
473
474 exit 0
475
Heimdal