search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libtommath: Fix possible integer overflow CVE-2023-36328
[heimdal.git] / tests / gss / check-context.in
blob5a836b9dc77267f67d634478d988a8464202c8ca
1 #!/bin/sh
2 #
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
6 #
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
10 #
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
13 #
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
17 #
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
21 #
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
33 #
34 # $Id$
35 #
36
37 env_setup="@env_setup@"
38 srcdir="@srcdir@"
39 objdir="@objdir@"
40
41 . ${env_setup}
42
43 # If there is no useful db support compiled in, disable test
44 ../db/have-db || exit 77
45
46 R=TEST.H5L.SE
47
48 port=@port@
49
50 keytabfile=${objdir}/server.keytab
51 keytab="FILE:${keytabfile}"
52 nokeytab="FILE:no-such-keytab"
53 cache="FILE:krb5ccfile"
54
55 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
56 kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache"
57 klist="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache"
58 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
59 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
60 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
61 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
62
63 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
64
65 KRB5_CONFIG="${objdir}/krb5.conf"
66 export KRB5_CONFIG
67
68 KRB5CCNAME=${cache}
69 export KRB5CCNAME
70
71 rm -f ${keytabfile}
72 rm -f current-db*
73 rm -f out-*
74 rm -f mkey.file*
75
76 > messages.log
77
78 echo Creating database
79 # add both lucid and lucid.test.h5l.se to simulate aliases
80 # XXX ext should ext aliases too
81 ${kadmin} <<EOF || exit 1
82 init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
83 add -p p1 --use-defaults host/lucid.test.h5l.se@${R}
84 ext -k ${keytab} host/lucid.test.h5l.se@${R}
85 add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R}
86 mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R}
87 ext -k ${keytab} host/ok-delegate.test.h5l.se@${R}
88 add -p p1 --use-defaults host/short@${R}
89 mod --alias=host/long.test.h5l.se@${R} host/short@${R}
90 ext -k ${keytab} host/short@${R}
91 EOF
92 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
93
94 # Create a server principal with no AES
95 ${kadmin} <<EOF || exit 1
96 add -p kaka --use-defaults digest/${R}@${R}
97 add -p u1 --use-defaults user1@${R}
98 mod --alias=user1.alias user1@${R}
99 add -p p1 --use-defaults host/no-aes.test.h5l.se@${R}
100 del_enctype host/no-aes.test.h5l.se@${R} aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
101 ext -k ${keytab} host/no-aes.test.h5l.se@${R}
102 check ${R}
103 EOF
104
105 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
106
107 echo u1 > ${objdir}/foopassword
108
109 echo Starting kdc
110 ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
111 kdcpid=`getpid kdc`
112
113 cleanup() {
114 echo signal killing kdc
115 kill -9 ${kdcpid} 2>/dev/null
116 trap '' EXIT INT TERM
117 cat messages.log
118 exit 1
119 }
120 trap cleanup EXIT INT TERM
121
122 testfailed="echo test failed; cat messages.log; exit 1"
123
124 echo "Test gss_acquire_cred_with_password" ; > messages.log
125 ${kdestroy}
126 ${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
127 host@lucid.test.h5l.se || { eval "$testfailed"; }
128 ${klist} && { eval "$testfailed"; }
129 # These must fail (because wrong password)
130 ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
131 host@lucid.test.h5l.se && { eval "$testfailed"; }
132 ${klist} && { eval "$testfailed"; }
133 ${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \
134 --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
135 ${klist} && { eval "$testfailed"; }
136 ${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \
137 --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
138 ${klist} && { eval "$testfailed"; }
139 ${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \
140 --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
141 ${klist} && { eval "$testfailed"; }
142 ${context} --client-name=user1@${R} --client-password=u2 \
143 --mech-types=krb5,ntlm --mech-type=krb5 host@lucid.test.h5l.se \
144 && { eval "$testfailed"; }
145 # gss_acquire_cred_with_password() must not have side-effects
146 ${klist} && { eval "$testfailed"; }
147
148 echo "Getting client initial tickets" ; > messages.log
149 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
150 { eval "$testfailed"; }
151
152 echo "======test unreadable/non existant keytab and its error message" ; > messages.log
153 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
154 { eval "$testfailed"; }
155
156 mv ${keytabfile} ${keytabfile}.no
157
158 echo "checking non existant keytabfile (krb5)" ; > messages.log
159 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
160 { eval "$testfailed"; }
161 echo "checking non existant keytabfile (spengo)" ; > messages.log
162 ${context} --mech-type=spnego --mech-types=spnego,krb5 \
163 host@lucid.test.h5l.se > test_context.log 2>&1 && \
164 { eval "$testfailed"; }
165
166 mv ${keytabfile}.no ${keytabfile}
167
168 echo "======test naming combinations"
169 echo "plain" ; > messages.log
170 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
171 { eval "$testfailed"; }
172 echo "plain w/ short-form hostname" ; > messages.log
173 ${context} --name-type=hostbased-service host@lucid || \
174 { eval "$testfailed"; }
175 echo "plain (krb5)" ; > messages.log
176 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
177 { eval "$testfailed"; }
178 echo "plain (krb5 realmless)" ; > messages.log
179 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
180 { eval "$testfailed"; }
181 echo "plain (krb5 realmless short-form)" ; > messages.log
182 ${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \
183 { eval "$testfailed"; }
184 echo "creating short-form princ"
185 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
186 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
187 echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
188 #${context} --dns-canon host@lucid.test.h5l.se || \
189 # { eval "$testfailed"; }
190 echo "dns canon off (long name)" ; > messages.log
191 ${context} --no-dns-canon host@lucid.test.h5l.se || \
192 { eval "$testfailed"; }
193 echo "dns canon off (short name)" ; > messages.log
194 ${context} --no-dns-canon host@lucid || \
195 { eval "$testfailed"; }
196 echo "dns canon off (short name, krb5)" ; > messages.log
197 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
198 { eval "$testfailed"; }
199 echo "dns canon off (short name, krb5)" ; > messages.log
200 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
201 { eval "$testfailed"; }
202
203 echo "======test context building"
204 for mech in krb5 krb5iov spnego spnegoiov; do
205 if [ "$mech" = "krb5iov" ] ; then
206 mech="krb5"
207 iov="--iov"
208 fi
209 if [ "$mech" = "spnegoiov" ] ; then
210 mech="spnego"
211 iov="--iov"
212 fi
213
214 echo "${mech} no-mutual ${iov}" ; > messages.log
215 ${context} --mech-type=${mech} \
216 --wrapunwrap ${iov} \
217 --localname=mapped_user1 \
218 --name-type=hostbased-service host@lucid.test.h5l.se || \
219 { eval "$testfailed"; }
220
221 echo "${mech} mutual ${iov}" ; > messages.log
222 ${context} --mech-type=${mech} \
223 --mutual \
224 --wrapunwrap ${iov} \
225 --name-type=hostbased-service host@lucid.test.h5l.se || \
226 { eval "$testfailed"; }
227
228 echo "${mech} delegate ${iov}" ; > messages.log
229 ${context} --mech-type=${mech} \
230 --delegate \
231 --wrapunwrap ${iov} \
232 --name-type=hostbased-service host@lucid.test.h5l.se || \
233 { eval "$testfailed"; }
234
235 echo "${mech} mutual delegate ${iov}" ; > messages.log
236 ${context} --mech-type=${mech} \
237 --mutual --delegate \
238 --wrapunwrap ${iov} \
239 --name-type=hostbased-service host@lucid.test.h5l.se || \
240 { eval "$testfailed"; }
241 done
242
243 echo "======test authz-data (krb5)"
244 ${context} --mech-type=krb5 \
245 --mutual \
246 --wrapunwrap \
247 --on-behalf-of=foo@BAR.TEST.H5L.SE \
248 --name-type=hostbased-service host@lucid.test.h5l.se ||
249 { eval "$testfailed"; }
250
251 echo "======dce-style"
252 for mech in krb5 krb5iov spnego; do
253 iov=""
254 if [ "$mech" = "krb5iov" ] ; then
255 mech="krb5"
256 iov="--iov"
257 fi
258 if [ "$mech" = "spnegoiov" ] ; then
259 mech="spnego"
260 iov="--iov"
261 fi
262
263 echo "${mech}: dce-style ${iov}" ; > messages.log
264 ${context} \
265 --mech-type=${mech} \
266 --mutual \
267 --dce-style \
268 --wrapunwrap ${iov} \
269 --name-type=hostbased-service host@lucid.test.h5l.se || \
270 { eval "$testfailed"; }
271
272 done
273
274 echo "======export-import-context"
275 for mech in krb5 krb5iov spnego spnegoiov; do
276 iov=""
277 if [ "$mech" = "krb5iov" ] ; then
278 mech="krb5"
279 iov="--iov"
280 fi
281 if [ "$mech" = "spnegoiov" ] ; then
282 mech="spnego"
283 iov="--iov"
284 fi
285
286 echo "${mech}: export-import-context ${iov}" ; > messages.log
287 ${context} \
288 --mech-type=${mech} \
289 --mutual \
290 --export-import-context \
291 --wrapunwrap ${iov} \
292 --name-type=hostbased-service host@lucid.test.h5l.se || \
293 { eval "$testfailed"; }
294
295 done
296
297 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
298
299 cp ${keytabfile} ${keytabfile}.new
300 for mech in krb5 spnego; do
301 echo "${mech}: acceptor_identity positive" ; > messages.log
302 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
303 --mech-type=$mech host@lucid.test.h5l.se || \
304 { eval "$testfailed"; }
305
306 echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
307 ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
308 --mech-type=$mech host@lucid.test.h5l.se || \
309 { eval "$testfailed"; }
310
311 echo "${mech}: acceptor_identity negative" ; > messages.log
312 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
313 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
314 { eval "$testfailed"; }
315 done
316
317 rm ${keytabfile}.new
318
319 echo "====== test PAC-based name canonicalization"
320
321 ${kdestroy}
322 ${kinit} --password-file=${objdir}/foopassword user1.alias@${R} || \
323 { eval "$testfailed"; }
324
325 for mech in krb5 spnego; do
326 KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
327 --mech-type=$mech host@lucid.test.h5l.se > name-canon.log || \
328 { eval "$testfailed"; }
329 grep "client name:" name-canon.log | grep "user1.alias@TEST.H5L.SE" > /dev/null && \
330 { echo "client name not canonicalized"; eval "$testfailed"; }
331 grep "client name:" name-canon.log | grep "user1@TEST.H5L.SE" > /dev/null || \
332 { echo "wrong client name"; eval "$testfailed"; }
333 done
334
335 echo "====== test channel-bindings."
336
337 for mech in krb5 spnego; do
338 echo "${mech}: initiator only bindings" ; > messages.log
339 ${context} -v --i-channel-bindings=abc \
340 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
341 { eval "$testfailed"; }
342 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
343 { echo "channel-bound flag unexpected"; eval "$testfailed"; }
344
345 echo "${mech}: acceptor only bindings" ; > messages.log
346 ${context} -v --a-channel-bindings=abc \
347 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
348 { eval "$testfailed"; }
349 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
350 { echo "channel-bound flag unexpected"; eval "$testfailed"; }
351
352 echo "${mech}: matching bindings" ; > messages.log
353 ${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \
354 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
355 { eval "$testfailed"; }
356 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
357 { echo "no channel-bound flag"; eval "$testfailed"; }
358
359 echo "${mech}: non matching bindings" ; > messages.log
360 ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \
361 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
362 { eval "$testfailed"; }
363
364 echo "${mech}: initiator only bindings (client-aware)" ; > messages.log
365 KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
366 --i-channel-bindings=abc \
367 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
368 { eval "$testfailed"; }
369 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
370 { echo "channel-bound flag unexpected"; eval "$testfailed"; }
371
372 echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log
373 KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
374 --a-channel-bindings=abc \
375 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
376 { eval "$testfailed"; }
377
378 echo "${mech}: matching bindings (client-aware)" ; > messages.log
379 KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
380 --i-channel-bindings=abc --a-channel-bindings=abc \
381 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
382 { eval "$testfailed"; }
383 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
384 { echo "no channel-bound flag"; eval "$testfailed"; }
385
386 echo "${mech}: non matching bindings (client-aware)" ; > messages.log
387 KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
388 --i-channel-bindings=abc --a-channel-bindings=xyz \
389 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
390 { eval "$testfailed"; }
391
392 echo "${mech}: initiator null bindings bound (client-aware-flag)" ; > messages.log
393 ${context} -v --i-channel-bound \
394 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
395 { eval "$testfailed"; }
396 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
397 { echo "channel-bound flag unexpected"; eval "$testfailed"; }
398
399 echo "${mech}: initiator only bindings (client-aware-flag)" ; > messages.log
400 ${context} -v --i-channel-bound \
401 --i-channel-bindings=abc \
402 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
403 { eval "$testfailed"; }
404 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
405 { echo "channel-bound flag unexpected"; eval "$testfailed"; }
406
407 echo "${mech}: acceptor only bindings (client-aware-flag)" ; > messages.log
408 ${context} -v --i-channel-bound \
409 --a-channel-bindings=abc \
410 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
411 { eval "$testfailed"; }
412
413 echo "${mech}: matching bindings (client-aware-flag)" ; > messages.log
414 ${context} -v --i-channel-bound \
415 --i-channel-bindings=abc --a-channel-bindings=abc \
416 --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
417 { eval "$testfailed"; }
418 grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
419 { echo "no channel-bound flag"; eval "$testfailed"; }
420
421 echo "${mech}: non matching bindings (client-aware-flag)" ; > messages.log
422 ${context} -v --i-channel-bound \
423 --i-channel-bindings=abc --a-channel-bindings=xyz \
424 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
425 { eval "$testfailed"; }
426
427 done
428
429 #echo "sasl-digest-md5"
430 #${context} --mech-type=sasl-digest-md5 \
431 # --name-type=hostbased-service \
432 # host@lucid.test.h5l.se || \
433 # { eval "$testfailed"; }
434
435
436 echo "====== gss-api session key check"
437
438 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
439 coolenctype="aes256-cts-hmac-sha1-96"
440 limit_enctype="des3-cbc-sha1"
441
442 echo "Getting client initial tickets" ; > messages.log
443 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
444 { eval "$testfailed"; }
445
446
447 echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
448 ${context} \
449 --mech-type=krb5 \
450 --mutual-auth \
451 --session-enctype=${coolenctype} \
452 --name-type=hostbased-service host@no-aes.test.h5l.se || \
453 { eval "$testfailed"; }
454
455 echo "Building context on cred, check if its limited still" ; > messages.log
456 ${context} \
457 --mech-type=krb5 \
458 --client-name=user1@${R} \
459 --limit-enctype="${limit_enctype}" \
460 --mutual-auth \
461 --name-type=hostbased-service host@no-aes.test.h5l.se || \
462 { eval "$testfailed"; }
463
464
465 echo "====== ok-as-delegate"
466
467 echo "Getting client initial tickets" ; > messages.log
468 ${kinit} --forwardable \
469 --password-file=${objdir}/foopassword user1@${R} || \
470 { eval "$testfailed"; }
471
472 echo "ok-as-delegate not used" ; > messages.log
473 ${context} \
474 --mech-type=krb5 \
475 --delegate \
476 --name-type=hostbased-service host@lucid.test.h5l.se || \
477 { eval "$testfailed"; }
478
479 echo "host without ok-as-delegate with policy-delegate" ; > messages.log
480 ${context} \
481 --mech-type=krb5 \
482 --policy-delegate \
483 --server-no-delegate \
484 --name-type=hostbased-service host@lucid.test.h5l.se || \
485 { eval "$testfailed"; }
486
487 echo "ok-as-delegate used by policy" ; > messages.log
488 ${context} \
489 --mech-type=krb5 \
490 --policy-delegate \
491 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
492 { eval "$testfailed"; }
493
494 echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
495 ${kinit} --ok-as-delegate --forwardable \
496 --password-file=${objdir}/foopassword user1@${R} || \
497 { eval "$testfailed"; }
498
499 echo "policy delegate to non delegate host" ; > messages.log
500 ${context} \
501 --mech-type=krb5 \
502 --policy-delegate \
503 --server-no-delegate \
504 --name-type=hostbased-service host@lucid.test.h5l.se || \
505 { eval "$testfailed"; }
506
507 echo "ok-as-delegate" ; > messages.log
508 ${context} \
509 --mech-type=krb5 \
510 --delegate \
511 --name-type=hostbased-service host@lucid.test.h5l.se || \
512 { eval "$testfailed"; }
513
514 echo "======export/import cred"
515
516 echo "export-import cred (krb5)" ; > messages.log
517 ${context} \
518 --mech-type=krb5 \
519 --delegate \
520 --export-import-cred \
521 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
522 { eval "$testfailed"; }
523
524 echo "export-import cred (spnego)" ; > messages.log
525 ${context} \
526 --mech-type=spnego \
527 --delegate \
528 --export-import-cred \
529 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
530 { eval "$testfailed"; }
531
532
533 echo "======time diffs between client and server"
534
535 echo "Getting client initial ticket" ; > messages.log
536 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
537 { eval "$testfailed"; }
538
539 echo "No time offset" ; > messages.log
540 ${context} \
541 --mech-type=krb5 \
542 --name-type=hostbased-service host@lucid.test.h5l.se || \
543 { eval "$testfailed"; }
544
545 echo "Getting client initial ticket" ; > messages.log
546 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
547 { eval "$testfailed"; }
548
549 echo "Server time offset" ; > messages.log
550 ${context} \
551 --mech-type=krb5 \
552 --mutual-auth \
553 --server-time-offset=3600 \
554 --max-loops=3 \
555 --name-type=hostbased-service host@lucid.test.h5l.se || \
556 { eval "$testfailed"; }
557
558 echo "Server time offset (cached ?)" ; > messages.log
559 ${context} \
560 --mech-type=krb5 \
561 --mutual-auth \
562 --server-time-offset=3600 \
563 --max-loops=2 \
564 --name-type=hostbased-service host@lucid.test.h5l.se || \
565 { eval "$testfailed"; }
566
567 echo "Getting client initial ticket" ; > messages.log
568 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
569 { eval "$testfailed"; }
570 # Pre-poplute the cache since tgs-req will fail since our time is wrong
571 ${kgetcred} host/lucid.test.h5l.se@${R} || \
572 { eval "$testfailed"; }
573
574 echo "Client time offset" ; > messages.log
575 ${context} \
576 --mech-type=krb5 \
577 --mutual-auth \
578 --client-time-offset=3600 \
579 --name-type=hostbased-service host@lucid.test.h5l.se || \
580 { eval "$testfailed"; }
581
582 echo "Getting client initial tickets (use-referrals)" ; > messages.log
583 ${kinit} \
584 --password-file=${objdir}/foopassword \
585 --use-referrals user1@${R} || \
586 { eval "$testfailed"; }
587
588 # XXX these tests really need to use somethat that resolve to something
589 ${context} \
590 --mech-type=krb5 \
591 host@short || \
592 { eval "$testfailed"; }
593
594 ${context} \
595 --mech-type=krb5 \
596 --name-type=krb5-principal-name host/short || \
597 { eval "$testfailed"; }
598
599 ${context} \
600 --mech-type=krb5 \
601 host@long.test.h5l.se || \
602 { eval "$testfailed"; }
603
604 ${context} \
605 --mech-type=krb5 \
606 --name-type=krb5-principal-name \
607 host/long.test.h5l.se || \
608 { eval "$testfailed"; }
609
610 trap "" EXIT
611
612 echo "killing kdc (${kdcpid})"
613 kill ${kdcpid} 2> /dev/null
614
615 exit 0
616
Heimdal