search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
[heimdal.git] / tests / gss / check-context.in
blobb691b957238d3958f6df6f2e568eaadbb1080bb1
1 #!/bin/sh
2 #
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
6 #
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
10 #
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
13 #
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
17 #
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
21 #
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
33 #
34 # $Id$
35 #
36
37 srcdir="@srcdir@"
38 objdir="@objdir@"
39
40 # If there is no useful db support compile in, disable test
41 ../db/have-db || exit 77
42
43 R=TEST.H5L.SE
44
45 port=@port@
46
47 keytabfile=${objdir}/server.keytab
48 keytab="FILE:${keytabfile}"
49 nokeytab="FILE:no-such-keytab"
50 cache="FILE:krb5ccfile"
51
52 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
53 klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
54 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
55 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
56 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
57 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
58
59 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
60
61 KRB5_CONFIG="${objdir}/krb5.conf"
62 export KRB5_CONFIG
63
64 KRB5CCNAME=${cache}
65 export KRB5CCNAME
66
67 rm -f ${keytabfile}
68 rm -f current-db*
69 rm -f out-*
70 rm -f mkey.file*
71
72 > messages.log
73
74 echo Creating database
75 ${kadmin} \
76 init \
77 --realm-max-ticket-life=1day \
78 --realm-max-renewable-life=1month \
79 ${R} || exit 1
80
81 # add both lucid and lucid.test.h5l.se to simulate aliases
82 ${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
83 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
84 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
85 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
86
87 ${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
88 ${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
89 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
90
91
92 ${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
93 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
94 # XXX ext should ext aliases too
95 ${kadmin} ext -k ${keytab} host/short@${R} || exit 1
96 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
97
98 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
99
100 ${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
101
102 # Create a server principal with no AES
103 ${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
104 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
105 ${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
106 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
107 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
108
109 echo "Doing database check"
110 ${kadmin} check ${R} || exit 1
111
112 echo u1 > ${objdir}/foopassword
113
114 echo Starting kdc
115 ${kdc} &
116 kdcpid=$!
117
118 sh ${srcdir}/../kdc/wait-kdc.sh
119 if [ "$?" != 0 ] ; then
120 kill ${kdcpid}
121 exit 1
122 fi
123
124 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
125
126 exitcode=0
127
128 echo "Getting client initial tickets"
129 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || exitcode=1
130
131 echo "======test unreadable/non existant keytab and its error message"
132 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
133 { exitcode=1 ; echo "test failed"; }
134
135 mv ${keytabfile} ${keytabfile}.no
136
137 echo "checking non existant keytabfile (krb5)"
138 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
139 { exitcode=1 ; echo "test failed"; }
140 grep ${keytabfile} test_context.log > /dev/null || \
141 { exitcode=1 ; echo "string missing failed"; }
142 echo "checking non existant keytabfile (spengo)"
143 ${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
144 { exitcode=1 ; echo "test failed"; }
145 grep ${keytabfile} test_context.log > /dev/null || \
146 { exitcode=1 ; echo "string missing failed"; }
147
148 mv ${keytabfile}.no ${keytabfile}
149
150 echo "======test naming combinations"
151 echo "plain"
152 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
153 { exitcode=1 ; echo "test failed"; }
154 echo "plain (krb5)"
155 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
156 { exitcode=1 ; echo "test failed"; }
157 echo "plain (krb5 realmless)"
158 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
159 { exitcode=1 ; echo "test failed"; }
160 echo "dns canon on (long name) OFF, need dns_wrapper"
161 #${context} --dns-canon host@lucid.test.h5l.se || \
162 # { exitcode=1 ; echo "test failed"; }
163 echo "dns canon off (long name)"
164 ${context} --no-dns-canon host@lucid.test.h5l.se || \
165 { exitcode=1 ; echo "test failed"; }
166 echo "dns canon off (short name)"
167 ${context} --no-dns-canon host@lucid || \
168 { exitcode=1 ; echo "test failed"; }
169 echo "dns canon off (short name, krb5)"
170 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
171 { exitcode=1 ; echo "test failed"; }
172 echo "dns canon off (short name, krb5)"
173 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
174 { exitcode=1 ; echo "test failed"; }
175
176 echo "======test context building"
177 for mech in krb5 spnego ; do
178 iov=""
179 if [ "$mech" == "krb5" ] ; then
180 iov="--iov"
181 fi
182
183 echo "${mech} no-mutual"
184 ${context} --mech-type=${mech} \
185 --wrapunwrap ${iov} \
186 --name-type=hostbased-service host@lucid.test.h5l.se || \
187 { exitcode=1 ; echo "test failed"; }
188
189 echo "${mech} mutual"
190 ${context} --mech-type=${mech} \
191 --mutual \
192 --wrapunwrap ${iov} \
193 --name-type=hostbased-service host@lucid.test.h5l.se || \
194 { exitcode=1 ; echo "test failed"; }
195
196 echo "${mech} delegate"
197 ${context} --mech-type=${mech} \
198 --delegate \
199 --wrapunwrap ${iov} \
200 --name-type=hostbased-service host@lucid.test.h5l.se || \
201 { exitcode=1 ; echo "test failed"; }
202
203 echo "${mech} mutual delegate"
204 ${context} --mech-type=${mech} \
205 --mutual --delegate \
206 --wrapunwrap ${iov} \
207 --name-type=hostbased-service host@lucid.test.h5l.se || \
208 { exitcode=1 ; echo "test failed"; }
209 done
210
211 #add spnego !
212 echo "======dce-style"
213 for mech in krb5 ; do
214 iov=""
215 if [ "$mech" == "krb5" ] ; then
216 iov="--iov"
217 fi
218
219 echo "${mech}: dce-style"
220 ${context} \
221 --mech-type=${mech} \
222 --mutual \
223 --dce-style \
224 --wrapunwrap ${iov} \
225 --name-type=hostbased-service host@lucid.test.h5l.se || \
226 { exitcode=1 ; echo "test failed"; }
227
228 done
229
230 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
231
232 cp ${keytabfile} ${keytabfile}.new
233 for mech in krb5 spnego; do
234 echo "${mech}: acceptor_identity positive"
235 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
236 --mech-type=$mech host@lucid.test.h5l.se || \
237 { exitcode=1 ; echo "test failed"; }
238
239 echo "${mech}: acceptor_identity negative"
240 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
241 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
242 { exitcode=1 ; echo "test failed"; }
243 done
244
245 rm ${keytabfile}.new
246
247
248 #echo "sasl-digest-md5"
249 #${context} --mech-type=sasl-digest-md5 \
250 # --name-type=hostbased-service \
251 # host@lucid.test.h5l.se || \
252 # { exitcode=1 ; echo "test failed"; }
253
254
255 echo "====== gss-api session key check"
256
257 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
258 coolenctype="aes256-cts-hmac-sha1-96"
259
260 echo "Getting client initial tickets"
261 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
262 { echo "kinit failed"; exitcode=1; }
263
264 echo "Building context on cred w/o aes, but still ${coolenctype} session key"
265 ${context} \
266 --mech-type=krb5 \
267 --mutual-auth \
268 --session-enctype=${coolenctype} \
269 --name-type=hostbased-service host@no-aes.test.h5l.se || \
270 { exitcode=1 ; echo "test failed"; }
271
272 echo "====== ok-as-delegate"
273
274 echo "Getting client initial tickets"
275 ${kinit} --forwardable \
276 --password-file=${objdir}/foopassword user1@${R} || exitcode=1
277
278 echo "ok-as-delegate not used"
279 ${context} \
280 --mech-type=krb5 \
281 --delegate \
282 --name-type=hostbased-service host@lucid.test.h5l.se || \
283 { exitcode=1 ; echo "test failed"; }
284
285 echo "host without ok-as-delegate with policy-delegate"
286 ${context} \
287 --mech-type=krb5 \
288 --policy-delegate \
289 --server-no-delegate \
290 --name-type=hostbased-service host@lucid.test.h5l.se || \
291 { exitcode=1 ; echo "test failed"; }
292
293 echo "ok-as-delegate used by policy"
294 ${context} \
295 --mech-type=krb5 \
296 --policy-delegate \
297 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
298 { exitcode=1 ; echo "test failed"; }
299
300 echo "Getting client initial tickets with --ok-as-delgate"
301 ${kinit} --ok-as-delegate --forwardable \
302 --password-file=${objdir}/foopassword user1@${R} || exitcode=1
303
304 echo "policy delegate to non delegate host"
305 ${context} \
306 --mech-type=krb5 \
307 --policy-delegate \
308 --server-no-delegate \
309 --name-type=hostbased-service host@lucid.test.h5l.se || \
310 { exitcode=1 ; echo "test failed"; }
311
312 echo "ok-as-delegate"
313 ${context} \
314 --mech-type=krb5 \
315 --delegate \
316 --name-type=hostbased-service host@lucid.test.h5l.se || \
317 { exitcode=1 ; echo "test failed"; }
318
319
320 echo "======time diffs between client and server"
321
322 echo "Getting client initial ticket"
323 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
324
325 echo "No time offset"
326 ${context} \
327 --mech-type=krb5 \
328 --name-type=hostbased-service host@lucid.test.h5l.se || \
329 { exitcode=1 ; echo "test failed"; }
330
331 echo "Getting client initial ticket"
332 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
333
334 echo "Server time offset"
335 ${context} \
336 --mech-type=krb5 \
337 --mutual-auth \
338 --server-time-offset=3600 \
339 --max-loops=3 \
340 --name-type=hostbased-service host@lucid.test.h5l.se || \
341 { exitcode=1 ; echo "test failed"; }
342
343 echo "Server time offset (cached ?)"
344 ${context} \
345 --mech-type=krb5 \
346 --mutual-auth \
347 --server-time-offset=3600 \
348 --max-loops=2 \
349 --name-type=hostbased-service host@lucid.test.h5l.se || \
350 { exitcode=1 ; echo "test failed"; }
351
352 echo "Getting client initial ticket"
353 ${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
354 # Pre-poplute the cache since tgs-req will fail since our time is wrong
355 ${kgetcred} host/lucid.test.h5l.se@${R} || exitcode=1
356
357 echo "Client time offset"
358 ${context} \
359 --mech-type=krb5 \
360 --mutual-auth \
361 --client-time-offset=3600 \
362 --name-type=hostbased-service host@lucid.test.h5l.se || \
363 { exitcode=1 ; echo "test failed"; }
364
365 echo "Getting client initial tickets (use-referrals)"
366 ${kinit} \
367 --password-file=${objdir}/foopassword \
368 --use-referrals user1@${R} || exitcode=1
369
370 # XXX these tests really need to use somethat that resolve to something
371 ${context} \
372 --mech-type=krb5 \
373 host@short || \
374 { exitcode=1 ; echo "test failed"; }
375
376 ${context} \
377 --mech-type=krb5 \
378 --name-type=krb5-principal-name host/short || \
379 { exitcode=1 ; echo "test failed"; }
380
381 ${context} \
382 --mech-type=krb5 \
383 host@long.test.h5l.se || \
384 { exitcode=1 ; echo "test failed"; }
385
386 ${context} \
387 --mech-type=krb5 \
388 --name-type=krb5-principal-name \
389 host/long.test.h5l.se || \
390 { exitcode=1 ; echo "test failed"; }
391
392 trap "" EXIT
393
394 echo "killing kdc (${kdcpid})"
395 kill ${kdcpid} 2> /dev/null
396
397 [ "$exitcode" = 0 ] && echo "all ok"
398
399 exit $exitcode
400
401
Heimdal