lib/krb5/test_ap-req.c

   1 /*
   2  * Copyright (c) 2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of KTH nor the names of its contributors may be
  18  *    used to endorse or promote products derived from this software without
  19  *    specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
  22  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  24  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
  25  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  26  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  27  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  28  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
  29  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  30  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  31  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
  32
  33 #include <config.h>
  34
  35 #include <sys/types.h>
  36 #include <stdio.h>
  37 #include <krb5.h>
  38 #include <err.h>
  39 #include <getarg.h>
  40 #include <roken.h>
  41
  42 static int verify_pac = 0;
  43 static int server_any = 0;
  44 static int version_flag = 0;
  45 static int help_flag    = 0;
  46
  47 static struct getargs args[] = {
  48     {"verify-pac",0,    arg_flag,       &verify_pac,
  49      "verify the PAC", NULL },
  50     {"server-any",0,    arg_flag,       &server_any,
  51      "let server pick the principal", NULL },
  52     {"version", 0,      arg_flag,       &version_flag,
  53      "print version", NULL },
  54     {"help",    0,      arg_flag,       &help_flag,
  55      NULL, NULL }
  56 };
  57
  58 static void
  59 usage (int ret)
  60 {
  61     arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "...");
  62     exit (ret);
  63 }
  64
  65
  66 static void
  67 test_ap(krb5_context context,
  68         krb5_principal target,
  69         krb5_principal server,
  70         krb5_keytab keytab,
  71         krb5_ccache ccache,
  72         const krb5_flags client_flags)
  73 {
  74     krb5_error_code ret;
  75     krb5_auth_context client_ac = NULL, server_ac = NULL;
  76     krb5_data data;
  77     krb5_flags server_flags;
  78     krb5_ticket *ticket = NULL;
  79     int32_t server_seq, client_seq;
  80
  81     ret = krb5_mk_req_exact(context,
  82                             &client_ac,
  83                             client_flags,
  84                             target,
  85                             NULL,
  86                             ccache,
  87                             &data);
  88     if (ret)
  89         krb5_err(context, 1, ret, "krb5_mk_req_exact");
  90
  91     ret = krb5_rd_req(context,
  92                       &server_ac,
  93                       &data,
  94                       server,
  95                       keytab,
  96                       &server_flags,
  97                       &ticket);
  98     if (ret)
  99         krb5_err(context, 1, ret, "krb5_rd_req");
 100
 101
 102     if (server_flags & AP_OPTS_MUTUAL_REQUIRED) {
 103         krb5_ap_rep_enc_part *repl;
 104
 105         krb5_data_free(&data);
 106
 107         if ((client_flags & AP_OPTS_MUTUAL_REQUIRED) == 0)
 108             krb5_errx(context, 1, "client flag missing mutual req");
 109
 110         ret = krb5_mk_rep (context, server_ac, &data);
 111         if (ret)
 112             krb5_err(context, 1, ret, "krb5_mk_rep");
 113
 114         ret = krb5_rd_rep (context,
 115                            client_ac,
 116                            &data,
 117                            &repl);
 118         if (ret)
 119             krb5_err(context, 1, ret, "krb5_rd_rep");
 120
 121         krb5_free_ap_rep_enc_part (context, repl);
 122     } else {
 123         if (client_flags & AP_OPTS_MUTUAL_REQUIRED)
 124             krb5_errx(context, 1, "server flag missing mutual req");
 125     }
 126
 127     krb5_auth_getremoteseqnumber(context, server_ac, &server_seq);
 128     krb5_auth_getremoteseqnumber(context, client_ac, &client_seq);
 129     if (server_seq != client_seq)
 130         krb5_errx(context, 1, "seq num differ");
 131
 132     krb5_auth_con_getlocalseqnumber(context, server_ac, &server_seq);
 133     krb5_auth_con_getlocalseqnumber(context, client_ac, &client_seq);
 134     if (server_seq != client_seq)
 135         krb5_errx(context, 1, "seq num differ");
 136
 137     krb5_data_free(&data);
 138     krb5_auth_con_free(context, client_ac);
 139     krb5_auth_con_free(context, server_ac);
 140
 141     if (verify_pac) {
 142         krb5_pac pac;
 143
 144         ret = krb5_ticket_get_authorization_data_type(context,
 145                                                       ticket,
 146                                                       KRB5_AUTHDATA_WIN2K_PAC,
 147                                                       &data);
 148         if (ret)
 149             krb5_err(context, 1, ret, "get pac");
 150
 151         ret = krb5_pac_parse(context, data.data, data.length, &pac);
 152         if (ret)
 153             krb5_err(context, 1, ret, "pac parse");
 154
 155         krb5_pac_free(context, pac);
 156     }
 157
 158     krb5_free_ticket(context, ticket);
 159 }
 160
 161
 162 int
 163 main(int argc, char **argv)
 164 {
 165     krb5_context context;
 166     krb5_error_code ret;
 167     int optidx = 0;
 168     const char *principal, *keytab, *ccache;
 169     krb5_ccache id;
 170     krb5_keytab kt;
 171     krb5_principal sprincipal, server;
 172
 173     setprogname(argv[0]);
 174
 175     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 176         usage(1);
 177
 178     if (help_flag)
 179         usage (0);
 180
 181     if(version_flag){
 182         print_version(NULL);
 183         exit(0);
 184     }
 185
 186     argc -= optidx;
 187     argv += optidx;
 188
 189     if (argc < 3)
 190         usage(1);
 191
 192     principal = argv[0];
 193     keytab = argv[1];
 194     ccache = argv[2];
 195
 196     ret = krb5_init_context(&context);
 197     if (ret)
 198         errx (1, "krb5_init_context failed: %d", ret);
 199
 200     ret = krb5_cc_resolve(context, ccache, &id);
 201     if (ret)
 202         krb5_err(context, 1, ret, "krb5_cc_resolve");
 203
 204     ret = krb5_parse_name(context, principal, &sprincipal);
 205     if (ret)
 206         krb5_err(context, 1, ret, "krb5_parse_name");
 207
 208     ret = krb5_kt_resolve(context, keytab, &kt);
 209     if (ret)
 210         krb5_err(context, 1, ret, "krb5_kt_resolve");
 211
 212     if (server_any)
 213         server = NULL;
 214     else
 215         server = sprincipal;
 216
 217     test_ap(context, sprincipal, server, kt, id, 0);
 218     test_ap(context, sprincipal, server, kt, id, AP_OPTS_MUTUAL_REQUIRED);
 219
 220     krb5_cc_close(context, id);
 221     krb5_kt_close(context, kt);
 222     krb5_free_principal(context, sprincipal);
 223
 224     krb5_free_context(context);
 225
 226     return ret;
 227 }