summaryrefslogtreecommitdiffstats
path: root/source4/torture/krb5
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source4/torture/krb5
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source4/torture/krb5')
-rw-r--r--source4/torture/krb5/kdc-canon-heimdal.c1091
-rw-r--r--source4/torture/krb5/kdc-heimdal.c1065
-rw-r--r--source4/torture/krb5/kdc-mit.c795
-rw-r--r--source4/torture/krb5/wscript_build19
4 files changed, 2970 insertions, 0 deletions
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
new file mode 100644
index 0000000..f4e4473
--- /dev/null
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -0,0 +1,1091 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Validate the krb5 pac generation routines
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "torture/smbtorture.h"
+#include "torture/krb5/proto.h"
+#include "auth/credentials/credentials.h"
+#include "lib/cmdline/cmdline.h"
+#include "source4/auth/kerberos/kerberos.h"
+#include "source4/auth/kerberos/kerberos_util.h"
+#include "lib/util/util_net.h"
+#include "auth/auth.h"
+#include "auth/auth_sam_reply.h"
+#include "auth/gensec/gensec.h"
+#include "param/param.h"
+
+#undef strcasecmp
+
+#define TEST_CANONICALIZE 0x0000001
+#define TEST_ENTERPRISE 0x0000002
+#define TEST_UPPER_USERNAME 0x0000008
+#define TEST_WIN2K 0x0000020
+#define TEST_UPN 0x0000040
+#define TEST_S4U2SELF 0x0000080
+#define TEST_REMOVEDOLLAR 0x0000100
+#define TEST_AS_REQ_SPN 0x0000200
+#define TEST_ALL 0x00003FF
+
+struct test_data {
+ const char *test_name;
+ const char *realm;
+ const char *real_realm;
+ const char *real_domain;
+ const char *username;
+ const char *real_username;
+ bool canonicalize;
+ bool enterprise;
+ bool upper_username;
+ bool win2k;
+ bool upn;
+ bool other_upn_suffix;
+ bool s4u2self;
+ bool removedollar;
+ bool as_req_spn;
+ bool spn_is_upn;
+ const char *krb5_service;
+ const char *krb5_hostname;
+};
+
+struct torture_krb5_context {
+ struct smb_krb5_context *smb_krb5_context;
+ struct torture_context *tctx;
+ struct addrinfo *server;
+ struct test_data *test_data;
+ int packet_count;
+};
+
+struct pac_data {
+ const char *principal_name;
+};
+
+/*
+ * A helper function which avoids touching the local databases to
+ * generate the session info, as we just want to verify the principal
+ * name that we found in the ticket not the full local token
+ */
+static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS nt_status;
+ struct auth_user_info_dc *user_info_dc;
+ TALLOC_CTX *tmp_ctx;
+ struct pac_data *pac_data;
+
+ if (pac_blob == NULL) {
+ DBG_ERR("pac_blob missing\n");
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
+ }
+
+ tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+
+ auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);
+
+ pac_data->principal_name = talloc_strdup(pac_data, principal_name);
+ if (!pac_data->principal_name) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
+ *pac_blob,
+ smb_krb5_context->krb5_context,
+ &user_info_dc, NULL, NULL);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ nt_status = auth_generate_session_info(mem_ctx,
+ NULL,
+ NULL,
+ user_info_dc, session_info_flags,
+ session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
+/* Check to see if we can pass the PAC across to the NETLOGON server for validation */
+
+/* Also happens to be a really good one-step verfication of our Kerberos stack */
+
+static bool test_accept_ticket(struct torture_context *tctx,
+ struct cli_credentials *credentials,
+ const char *principal,
+ DATA_BLOB client_to_server)
+{
+ NTSTATUS status;
+ struct gensec_security *gensec_server_context;
+ DATA_BLOB server_to_client;
+ struct auth4_context *auth_context;
+ struct auth_session_info *session_info;
+ struct pac_data *pac_data;
+ TALLOC_CTX *tmp_ctx = talloc_new(tctx);
+
+ torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
+
+ auth_context = talloc_zero(tmp_ctx, struct auth4_context);
+ torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
+
+ auth_context->generate_session_info_pac = test_generate_session_info_pac;
+
+ status = gensec_server_start(tctx,
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+ auth_context, &gensec_server_context);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
+
+ status = gensec_set_credentials(gensec_server_context, credentials);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
+
+ status = gensec_start_mech_by_name(gensec_server_context, "krb5");
+ torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_name (server) failed");
+
+ server_to_client = data_blob(NULL, 0);
+
+ /* Do a client-server update dance */
+ status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
+
+ /* Extract the PAC using Samba's code */
+
+ status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
+ torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
+
+ pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
+
+ torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
+ torture_assert(tctx, pac_data->principal_name != NULL, "principal_name not present");
+ torture_assert_str_equal(tctx, pac_data->principal_name, principal, "wrong principal name");
+ return true;
+}
+
+/*
+ * This function is set in torture_krb5_init_context_canon as krb5
+ * send_and_recv function. This allows us to override what server the
+ * test is aimed at, and to inspect the packets just before they are
+ * sent to the network, and before they are processed on the recv
+ * side.
+ *
+ */
+static krb5_error_code test_krb5_send_to_realm_canon_override(struct smb_krb5_context *smb_krb5_context,
+ void *data, /* struct torture_krb5_context */
+ krb5_const_realm realm,
+ time_t timeout,
+ const krb5_data *send_buf,
+ krb5_data *recv_buf)
+{
+ krb5_error_code k5ret;
+
+ struct torture_krb5_context *test_context
+ = talloc_get_type_abort(data, struct torture_krb5_context);
+
+ SMB_ASSERT(smb_krb5_context == test_context->smb_krb5_context);
+
+ k5ret = smb_krb5_send_and_recv_func_forced_tcp(smb_krb5_context,
+ test_context->server,
+ timeout,
+ send_buf,
+ recv_buf);
+ if (k5ret != 0) {
+ return k5ret;
+ }
+
+ test_context->packet_count++;
+
+ return k5ret;
+}
+
+static int test_context_destructor(struct torture_krb5_context *test_context)
+{
+ freeaddrinfo(test_context->server);
+ return 0;
+}
+
+
+static bool torture_krb5_init_context_canon(struct torture_context *tctx,
+ struct test_data *test_data,
+ struct torture_krb5_context **torture_krb5_context)
+{
+ const char *host = torture_setting_string(tctx, "host", NULL);
+ krb5_error_code k5ret;
+ bool ok;
+
+ struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
+ torture_assert(tctx, test_context != NULL, "Failed to allocate");
+
+ test_context->test_data = test_data;
+ test_context->tctx = tctx;
+
+ k5ret = smb_krb5_init_context(test_context, tctx->lp_ctx, &test_context->smb_krb5_context);
+ torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
+
+ ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
+ torture_assert(tctx, ok, "Failed to parse target server");
+
+ talloc_set_destructor(test_context, test_context_destructor);
+
+ set_sockaddr_port(test_context->server->ai_addr, 88);
+
+ k5ret = smb_krb5_set_send_to_kdc_func(test_context->smb_krb5_context,
+ test_krb5_send_to_realm_canon_override,
+ NULL, /* send_to_kdc */
+ test_context);
+ torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
+ *torture_krb5_context = test_context;
+ return true;
+}
+
+
+static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *tcase_data)
+{
+ krb5_error_code k5ret;
+ krb5_get_init_creds_opt *krb_options = NULL;
+ struct test_data *test_data = talloc_get_type_abort(tcase_data, struct test_data);
+ krb5_principal principal;
+ krb5_principal krbtgt_other;
+ krb5_principal expected_principal;
+ const char *principal_string = NULL;
+ char *krbtgt_other_string;
+ int principal_flags;
+ const char *expected_principal_string = NULL;
+ char *expected_unparse_principal_string;
+ int expected_principal_flags;
+ char *got_principal_string;
+ char *assertion_message;
+ const char *password = cli_credentials_get_password(
+ samba_cmdline_get_creds());
+ krb5_context k5_context;
+ struct torture_krb5_context *test_context;
+ bool ok;
+ krb5_creds my_creds;
+ krb5_creds *server_creds;
+ krb5_ccache ccache;
+ krb5_auth_context auth_context;
+ char *cc_name;
+ krb5_data in_data, enc_ticket;
+ krb5_get_creds_opt opt;
+
+ const char *spn = NULL;
+ const char *spn_real_realm = NULL;
+ const char *upn = torture_setting_string(tctx, "krb5-upn", "");
+ test_data->krb5_service = torture_setting_string(tctx, "krb5-service", "host");
+ test_data->krb5_hostname = torture_setting_string(tctx, "krb5-hostname", "");
+
+ /*
+ * If we have not passed a UPN on the command line,
+ * then skip the UPN tests.
+ */
+ if (test_data->upn && upn[0] == '\0') {
+ torture_skip(tctx, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run");
+ }
+
+ /*
+ * If we have not passed a SPN on the command line,
+ * then skip the SPN tests.
+ */
+ if (test_data->as_req_spn && test_data->krb5_hostname[0] == '\0') {
+ torture_skip(tctx, "This test needs a hostname specified as --option=torture:krb5-hostname=hostname.example.com and optionally --option=torture:krb5-service=service (defaults to host) to run");
+ }
+
+ if (test_data->removedollar &&
+ !torture_setting_bool(tctx, "run_removedollar_test", false))
+ {
+ torture_skip(tctx, "--option=torture:run_removedollar_test=true not specified");
+ }
+
+ test_data->realm = test_data->real_realm;
+
+ if (test_data->upn) {
+ char *p;
+ test_data->username = talloc_strdup(test_data, upn);
+ p = strchr(test_data->username, '@');
+ if (p) {
+ *p = '\0';
+ p++;
+ }
+ /*
+ * Test the UPN behaviour carefully. We can
+ * test in two different modes, depending on
+ * what UPN has been set up for us.
+ *
+ * If the UPN is in our realm, then we do all the tests with this name also.
+ *
+ * If the UPN is not in our realm, then we
+ * expect the tests that replace the realm to
+ * fail (as it won't match)
+ */
+ if (strcasecmp(p, test_data->real_realm) != 0) {
+ test_data->other_upn_suffix = true;
+ } else {
+ test_data->other_upn_suffix = false;
+ }
+
+ /*
+ * This lets us test the combination of the UPN prefix
+ * with a valid domain, without adding even more
+ * combinations
+ */
+ test_data->realm = p;
+ }
+
+ ok = torture_krb5_init_context_canon(tctx, test_data, &test_context);
+ torture_assert(tctx, ok, "torture_krb5_init_context failed");
+ k5_context = test_context->smb_krb5_context->krb5_context;
+
+ test_data->realm = strupper_talloc(test_data, test_data->realm);
+ if (test_data->upper_username) {
+ test_data->username = strupper_talloc(test_data, test_data->username);
+ } else {
+ test_data->username = talloc_strdup(test_data, test_data->username);
+ }
+
+ if (test_data->removedollar) {
+ char *p;
+
+ p = strchr_m(test_data->username, '$');
+ torture_assert(tctx, p != NULL, talloc_asprintf(tctx,
+ "username[%s] contains no '$'\n",
+ test_data->username));
+ *p = '\0';
+ }
+
+ spn = talloc_asprintf(test_data, "%s/%s@%s",
+ test_data->krb5_service,
+ test_data->krb5_hostname,
+ test_data->realm);
+
+ spn_real_realm = talloc_asprintf(test_data, "%s/%s@%s",
+ test_data->krb5_service,
+ test_data->krb5_hostname,
+ test_data->real_realm);
+
+ if (!test_data->canonicalize && test_data->enterprise) {
+ torture_skip(tctx,
+ "This test combination "
+ "is skipped intentionally");
+ }
+
+ if (test_data->as_req_spn) {
+ if (test_data->enterprise) {
+ torture_skip(tctx,
+ "This test combination "
+ "is skipped intentionally");
+ }
+ principal_string = spn;
+ } else {
+ principal_string = talloc_asprintf(test_data,
+ "%s@%s",
+ test_data->username,
+ test_data->realm);
+
+ }
+
+ test_data->spn_is_upn
+ = (strcasecmp(upn, spn) == 0);
+
+ /*
+ * If we are set to canonicalize, we get back the fixed UPPER
+ * case realm, and the real username (ie matching LDAP
+ * samAccountName)
+ *
+ * Otherwise, if we are set to enterprise, we
+ * get back the whole principal as-sent
+ *
+ * Finally, if we are not set to canonicalize, we get back the
+ * fixed UPPER case realm, but the as-sent username
+ */
+ if (test_data->as_req_spn && !test_data->spn_is_upn) {
+ expected_principal_string = spn;
+ } else if (test_data->canonicalize) {
+ expected_principal_string = talloc_asprintf(test_data,
+ "%s@%s",
+ test_data->real_username,
+ test_data->real_realm);
+ } else if (test_data->as_req_spn && test_data->spn_is_upn) {
+ expected_principal_string = spn_real_realm;
+ } else {
+ expected_principal_string = talloc_asprintf(test_data,
+ "%s@%s",
+ test_data->username,
+ test_data->real_realm);
+ }
+
+ if (test_data->enterprise) {
+ principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+ } else {
+ if (test_data->upn && test_data->other_upn_suffix) {
+ torture_skip(tctx, "UPN test for UPN with other UPN suffix only runs with enterprise principals");
+ }
+ principal_flags = 0;
+ }
+
+ if (test_data->canonicalize) {
+ expected_principal_flags = 0;
+ } else {
+ expected_principal_flags = principal_flags;
+ }
+
+ torture_assert_int_equal(tctx,
+ krb5_parse_name_flags(k5_context,
+ principal_string,
+ principal_flags,
+ &principal),
+ 0, "krb5_parse_name_flags failed");
+ torture_assert_int_equal(tctx,
+ krb5_parse_name_flags(k5_context,
+ expected_principal_string,
+ expected_principal_flags,
+ &expected_principal),
+ 0, "krb5_parse_name_flags failed");
+
+ if (test_data->as_req_spn) {
+ if (test_data->upn) {
+ krb5_principal_set_type(k5_context,
+ principal,
+ KRB5_NT_PRINCIPAL);
+ krb5_principal_set_type(k5_context,
+ expected_principal,
+ KRB5_NT_PRINCIPAL);
+ } else {
+ krb5_principal_set_type(k5_context,
+ principal,
+ KRB5_NT_SRV_HST);
+ krb5_principal_set_type(k5_context,
+ expected_principal,
+ KRB5_NT_SRV_HST);
+ }
+ }
+
+ torture_assert_int_equal(tctx,
+ krb5_unparse_name(k5_context,
+ expected_principal,
+ &expected_unparse_principal_string),
+ 0, "krb5_unparse_name failed");
+ /*
+ * Prepare a AS-REQ and run the TEST_AS_REQ tests
+ *
+ */
+
+ test_context->packet_count = 0;
+
+ /*
+ * Set the canonicalize flag if this test requires it
+ */
+ torture_assert_int_equal(tctx,
+ krb5_get_init_creds_opt_alloc(k5_context, &krb_options),
+ 0, "krb5_get_init_creds_opt_alloc failed");
+
+ torture_assert_int_equal(tctx,
+ krb5_get_init_creds_opt_set_canonicalize(k5_context,
+ krb_options,
+ test_data->canonicalize),
+ 0, "krb5_get_init_creds_opt_set_canonicalize failed");
+
+ torture_assert_int_equal(tctx,
+ krb5_get_init_creds_opt_set_win2k(k5_context,
+ krb_options,
+ test_data->win2k),
+ 0, "krb5_get_init_creds_opt_set_win2k failed");
+
+ k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal,
+ password, NULL, NULL, 0,
+ NULL, krb_options);
+
+ if (test_context->test_data->as_req_spn
+ && !test_context->test_data->spn_is_upn) {
+ torture_assert_int_equal(tctx, k5ret,
+ KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ "Got wrong error_code from "
+ "krb5_get_init_creds_password");
+ /* We can't proceed with more checks */
+ return true;
+ } else {
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_get_init_creds_password for %s failed: %s",
+ principal_string,
+ smb_get_krb5_error_message(k5_context, k5ret, tctx));
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ }
+
+ torture_assert(tctx,
+ test_context->packet_count > 1,
+ "Expected krb5_get_init_creds_password to send more packets");
+
+ /*
+ * Assert that the reply was with the correct type of
+ * principal, depending on the flags we set
+ */
+ if (test_data->canonicalize == false && test_data->as_req_spn) {
+ torture_assert_int_equal(tctx,
+ krb5_principal_get_type(k5_context,
+ my_creds.client),
+ KRB5_NT_SRV_HST,
+ "smb_krb5_init_context gave incorrect client->name.name_type");
+ } else {
+ torture_assert_int_equal(tctx,
+ krb5_principal_get_type(k5_context,
+ my_creds.client),
+ KRB5_NT_PRINCIPAL,
+ "smb_krb5_init_context gave incorrect client->name.name_type");
+ }
+
+ torture_assert_int_equal(tctx,
+ krb5_unparse_name(k5_context,
+ my_creds.client, &got_principal_string), 0,
+ "krb5_unparse_name failed");
+
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
+ got_principal_string, expected_principal_string);
+ krb5_free_unparsed_name(k5_context, got_principal_string);
+
+ torture_assert(tctx, krb5_principal_compare(k5_context,
+ my_creds.client, expected_principal),
+ assertion_message);
+
+
+ torture_assert_int_equal(tctx,
+ krb5_principal_get_type(k5_context,
+ my_creds.server), KRB5_NT_SRV_INST,
+ "smb_krb5_init_context gave incorrect server->name.name_type");
+
+ torture_assert_int_equal(tctx,
+ krb5_principal_get_num_comp(k5_context,
+ my_creds.server), 2,
+ "smb_krb5_init_context gave incorrect number of components in my_creds.server->name");
+
+ torture_assert_str_equal(tctx,
+ krb5_principal_get_comp_string(k5_context,
+ my_creds.server, 0),
+ "krbtgt",
+ "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
+
+ if (test_data->canonicalize) {
+ torture_assert_str_equal(tctx,
+ krb5_principal_get_comp_string(k5_context,
+ my_creds.server, 1),
+ test_data->real_realm,
+
+ "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
+ } else {
+ torture_assert_str_equal(tctx,
+ krb5_principal_get_comp_string(k5_context,
+ my_creds.server, 1),
+ test_data->realm,
+
+ "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
+ }
+ torture_assert_str_equal(tctx,
+ krb5_principal_get_realm(k5_context,
+ my_creds.server),
+ test_data->real_realm,
+ "smb_krb5_init_context gave incorrect my_creds.server->realm");
+
+ /* Store the result of the 'kinit' above into a memory ccache */
+ cc_name = talloc_asprintf(tctx, "MEMORY:%s", test_data->test_name);
+ torture_assert_int_equal(tctx, krb5_cc_resolve(k5_context, cc_name,
+ &ccache),
+ 0, "krb5_cc_resolve failed");
+
+ torture_assert_int_equal(tctx, krb5_cc_initialize(k5_context,
+ ccache, my_creds.client),
+ 0, "krb5_cc_initialize failed");
+
+ torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context,
+ ccache, &my_creds),
+ 0, "krb5_cc_store_cred failed");
+
+ /*
+ * Prepare a TGS-REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests
+ *
+ * This tests krb5_get_creds behaviour, which allows us to set
+ * the KRB5_GC_CANONICALIZE option against the krbtgt/ principal
+ */
+
+ krbtgt_other_string = talloc_asprintf(test_data, "krbtgt/%s@%s", test_data->real_domain, test_data->real_realm);
+ torture_assert_int_equal(tctx,
+ krb5_make_principal(k5_context, &krbtgt_other,
+ test_data->real_realm, "krbtgt",
+ test_data->real_domain, NULL),
+ 0, "krb5_make_principal failed");
+
+ test_context->packet_count = 0;
+
+ torture_assert_int_equal(tctx,
+ krb5_get_creds_opt_alloc(k5_context, &opt),
+ 0, "krb5_get_creds_opt_alloc");
+
+ krb5_get_creds_opt_add_options(k5_context,
+ opt,
+ KRB5_GC_CANONICALIZE);
+
+ krb5_get_creds_opt_add_options(k5_context,
+ opt,
+ KRB5_GC_NO_STORE);
+
+ /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
+ k5ret = krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds);
+
+ {
+ /*
+ * In these situations, the code above does not store a
+ * principal in the credentials cache matching what
+ * krb5_get_creds() needs without talking to the KDC, so the
+ * test fails with looping detected because when we set
+ * canonicalize we confuse the client libs.
+ *
+ */
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_get_creds for %s should have failed with looping detected: %s",
+ krbtgt_other_string,
+ smb_get_krb5_error_message(k5_context, k5ret,
+ tctx));
+
+ torture_assert_int_equal(tctx, k5ret, KRB5_GET_IN_TKT_LOOP, assertion_message);
+ torture_assert_int_equal(tctx,
+ test_context->packet_count,
+ 2, "Expected krb5_get_creds to send packets");
+ }
+
+ /*
+ * Prepare a TGS-REQ and run the TEST_TGS_REQ_CANON tests
+ *
+ * This tests krb5_get_creds behaviour, which allows us to set
+ * the KRB5_GC_CANONICALIZE option
+ */
+
+ test_context->packet_count = 0;
+
+ torture_assert_int_equal(tctx,
+ krb5_get_creds_opt_alloc(k5_context, &opt),
+ 0, "krb5_get_creds_opt_alloc");
+
+ krb5_get_creds_opt_add_options(k5_context,
+ opt,
+ KRB5_GC_CANONICALIZE);
+
+ krb5_get_creds_opt_add_options(k5_context,
+ opt,
+ KRB5_GC_NO_STORE);
+
+ if (test_data->s4u2self) {
+ torture_assert_int_equal(tctx,
+ krb5_get_creds_opt_set_impersonate(k5_context,
+ opt,
+ principal),
+ 0, "krb5_get_creds_opt_set_impersonate failed");
+ }
+
+ /* Confirm if we can get a ticket to our own name */
+ k5ret = krb5_get_creds(k5_context, opt, ccache, principal, &server_creds);
+
+ /*
+ * In these situations, the code above does not store a
+ * principal in the credentials cache matching what
+ * krb5_get_creds() needs, so the test fails.
+ *
+ */
+ {
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_get_creds for %s failed: %s",
+ principal_string,
+ smb_get_krb5_error_message(k5_context, k5ret,
+ tctx));
+
+ /*
+ * Only machine accounts (strictly, accounts with a
+ * servicePrincipalName) can expect this test to succeed
+ */
+ if (torture_setting_bool(tctx, "expect_machine_account", false)
+ && (test_data->enterprise
+ || test_data->spn_is_upn
+ || test_data->upn == false)) {
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context,
+ ccache, server_creds),
+ 0, "krb5_cc_store_cred failed");
+
+ torture_assert_int_equal(tctx,
+ krb5_free_creds(k5_context,
+ server_creds),
+ 0, "krb5_free_cred_contents failed");
+
+ torture_assert_int_equal(tctx,
+ test_context->packet_count,
+ 1, "Expected krb5_get_creds to send one packet");
+
+ } else {
+ torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
+ assertion_message);
+ /* Account for get_cred_kdc_capath() and get_cred_kdc_referral() fallback */
+ torture_assert_int_equal(tctx,
+ test_context->packet_count,
+ 2, "Expected krb5_get_creds to send 2 packets");
+ }
+ }
+
+ /*
+ * Confirm gettting a ticket to pass to the server, running
+ * either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage.
+ *
+ * This triggers the client to attempt to get a
+ * cross-realm ticket between the alternate names of
+ * the server, and we need to confirm that behaviour.
+ *
+ */
+
+ test_context->packet_count = 0;
+ torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
+ 0, "krb5_auth_con_init failed");
+
+ in_data.length = 0;
+ k5ret = krb5_mk_req_exact(k5_context,
+ &auth_context,
+ AP_OPTS_USE_SUBKEY,
+ principal,
+ &in_data, ccache,
+ &enc_ticket);
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_mk_req_exact for %s failed: %s",
+ principal_string,
+ smb_get_krb5_error_message(k5_context, k5ret, tctx));
+
+ /*
+ * Only machine accounts (strictly, accounts with a
+ * servicePrincipalName) can expect this test to succeed
+ */
+ if (torture_setting_bool(tctx, "expect_machine_account", false)
+ && (test_data->enterprise ||
+ (test_context->test_data->as_req_spn
+ || test_context->test_data->spn_is_upn)
+ || test_data->upn == false)) {
+ DATA_BLOB client_to_server;
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ client_to_server = data_blob_const(enc_ticket.data, enc_ticket.length);
+
+ /* This is very weird */
+ if (test_data->canonicalize == false
+ && test_context->test_data->as_req_spn
+ && test_context->test_data->spn_is_upn
+ && test_context->test_data->s4u2self) {
+
+ torture_assert(tctx,
+ test_accept_ticket(tctx,
+ samba_cmdline_get_creds(),
+ spn_real_realm,
+ client_to_server),
+ "test_accept_ticket failed - failed to accept the ticket we just created");
+ } else if (test_data->canonicalize == true
+ && test_context->test_data->as_req_spn
+ && test_context->test_data->spn_is_upn
+ && test_context->test_data->s4u2self) {
+
+ torture_assert(tctx,
+ test_accept_ticket(tctx,
+ samba_cmdline_get_creds(),
+ expected_principal_string,
+ client_to_server),
+ "test_accept_ticket failed - failed to accept the ticket we just created");
+ } else if (test_data->canonicalize == true
+ && test_data->enterprise == false
+ && test_context->test_data->upn
+ && test_context->test_data->spn_is_upn
+ && test_context->test_data->s4u2self) {
+
+ torture_assert(tctx,
+ test_accept_ticket(tctx,
+ samba_cmdline_get_creds(),
+ expected_principal_string,
+ client_to_server),
+ "test_accept_ticket failed - failed to accept the ticket we just created");
+ } else if (test_data->canonicalize == false
+ && test_context->test_data->upn
+ && test_context->test_data->spn_is_upn
+ && test_context->test_data->s4u2self) {
+
+ const char *accept_expected_principal_string
+ = talloc_asprintf(test_data,
+ "%s@%s",
+ test_data->username,
+ test_data->real_realm);
+
+ torture_assert(tctx,
+ test_accept_ticket(tctx,
+ samba_cmdline_get_creds(),
+ accept_expected_principal_string,
+ client_to_server),
+ "test_accept_ticket failed - failed to accept the ticket we just created");
+ } else {
+
+ torture_assert(tctx,
+ test_accept_ticket(tctx,
+ samba_cmdline_get_creds(),
+ expected_unparse_principal_string,
+ client_to_server),
+ "test_accept_ticket failed - failed to accept the ticket we just created");
+ }
+ krb5_data_free(&enc_ticket);
+ } else {
+ torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
+ assertion_message);
+ }
+
+ /*
+ * Confirm gettting a ticket to pass to the server, running
+ * the TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST stage
+ *
+ * This triggers the client to attempt to get a
+ * cross-realm ticket between the alternate names of
+ * the server, and we need to confirm that behaviour.
+ *
+ */
+
+ if (*test_data->krb5_service && *test_data->krb5_hostname) {
+ krb5_principal host_principal_srv_inst;
+ /*
+ * This tries to guess when the krb5 libs will ask for a
+ * cross-realm ticket, and when they will just ask the KDC
+ * directly.
+ */
+ test_context->packet_count = 0;
+ torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
+ 0, "krb5_auth_con_init failed");
+
+ in_data.length = 0;
+ k5ret = krb5_mk_req(k5_context,
+ &auth_context,
+ 0,
+ test_data->krb5_service,
+ test_data->krb5_hostname,
+ &in_data, ccache,
+ &enc_ticket);
+
+ {
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_mk_req for %s/%s failed: %s",
+ test_data->krb5_service,
+ test_data->krb5_hostname,
+ smb_get_krb5_error_message(k5_context, k5ret, tctx));
+
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+
+ if (test_data->spn_is_upn == false) {
+ /*
+ * Only in these cases would the above
+ * code have needed to send packets to
+ * the network
+ */
+ torture_assert(tctx,
+ test_context->packet_count > 0,
+ "Expected krb5_get_creds to send packets");
+ }
+ }
+
+
+ test_context->packet_count = 0;
+
+ torture_assert_int_equal(tctx,
+ krb5_make_principal(k5_context, &host_principal_srv_inst,
+ test_data->real_realm,
+ strupper_talloc(tctx, test_data->krb5_service),
+ test_data->krb5_hostname,
+ NULL),
+ 0, "krb5_make_principal failed");
+
+ krb5_principal_set_type(k5_context, host_principal_srv_inst, KRB5_NT_SRV_INST);
+
+ torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
+ 0, "krb5_auth_con_init failed");
+
+ in_data.length = 0;
+ k5ret = krb5_mk_req_exact(k5_context,
+ &auth_context,
+ 0,
+ host_principal_srv_inst,
+ &in_data, ccache,
+ &enc_ticket);
+ krb5_free_principal(k5_context, host_principal_srv_inst);
+ {
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
+ test_data->krb5_service,
+ test_data->krb5_hostname,
+ smb_get_krb5_error_message(k5_context, k5ret, tctx));
+
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ /*
+ * Only in these cases would the above code have needed to
+ * send packets to the network
+ */
+ torture_assert(tctx,
+ test_context->packet_count > 0,
+ "Expected krb5_get_creds to send packets");
+ }
+
+
+ test_context->packet_count = 0;
+
+ torture_assert_int_equal(tctx,
+ krb5_make_principal(k5_context, &host_principal_srv_inst,
+ test_data->real_realm,
+ test_data->krb5_service,
+ strupper_talloc(tctx, test_data->krb5_hostname),
+ NULL),
+ 0, "krb5_make_principal failed");
+
+ krb5_principal_set_type(k5_context, host_principal_srv_inst, KRB5_NT_SRV_HST);
+
+ torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context),
+ 0, "krb5_auth_con_init failed");
+
+ in_data.length = 0;
+ k5ret = krb5_mk_req_exact(k5_context,
+ &auth_context,
+ 0,
+ host_principal_srv_inst,
+ &in_data, ccache,
+ &enc_ticket);
+ krb5_free_principal(k5_context, host_principal_srv_inst);
+ {
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
+ test_data->krb5_service,
+ test_data->krb5_hostname,
+ smb_get_krb5_error_message(k5_context, k5ret, tctx));
+
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+ /*
+ * Only in these cases would the above code have needed to
+ * send packets to the network
+ */
+ torture_assert(tctx,
+ test_context->packet_count > 0,
+ "Expected krb5_get_creds to send packets");
+ }
+ }
+
+ /*
+ * Confirm gettting a ticket for the same krbtgt/realm that we
+ * got back with the initial ticket, running the
+ * TEST_TGS_REQ_KRBTGT stage.
+ *
+ */
+
+ test_context->packet_count = 0;
+
+ in_data.length = 0;
+ k5ret = krb5_mk_req_exact(k5_context,
+ &auth_context,
+ 0,
+ my_creds.server,
+ &in_data, ccache,
+ &enc_ticket);
+
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_mk_req_exact for %s failed: %s",
+ principal_string,
+ smb_get_krb5_error_message(k5_context, k5ret, tctx));
+ torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+
+ krb5_free_principal(k5_context, principal);
+ krb5_get_init_creds_opt_free(k5_context, krb_options);
+
+ torture_assert_int_equal(tctx, krb5_free_cred_contents(k5_context, &my_creds),
+ 0, "krb5_free_cred_contents failed");
+
+ return true;
+}
+
+struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
+{
+ unsigned int i;
+ struct torture_suite *suite = torture_suite_create(mem_ctx, "canon");
+ suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests");
+
+ for (i = 0; i < TEST_ALL; i++) {
+ char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s",
+ (i & TEST_CANONICALIZE) ? "canon" : "no-canon",
+ (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise",
+ (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user",
+ (i & TEST_WIN2K) ? "win2k" : "no-win2k",
+ (i & TEST_UPN) ? "upn" :
+ ((i & TEST_AS_REQ_SPN) ? "spn" :
+ ((i & TEST_REMOVEDOLLAR) ? "removedollar" : "samaccountname")),
+ (i & TEST_S4U2SELF) ? "s4u2self" : "normal");
+ struct torture_suite *sub_suite = torture_suite_create(mem_ctx, name);
+
+ struct test_data *test_data = talloc_zero(suite, struct test_data);
+ if (i & TEST_UPN) {
+ if (i & TEST_AS_REQ_SPN) {
+ continue;
+ }
+ }
+ if ((i & TEST_UPN) || (i & TEST_AS_REQ_SPN)) {
+ if (i & TEST_REMOVEDOLLAR) {
+ continue;
+ }
+ }
+
+ test_data->test_name = name;
+ test_data->real_realm
+ = strupper_talloc(test_data,
+ cli_credentials_get_realm(
+ samba_cmdline_get_creds()));
+ test_data->real_domain = cli_credentials_get_domain(
+ samba_cmdline_get_creds());
+ test_data->username = cli_credentials_get_username(
+ samba_cmdline_get_creds());
+ test_data->real_username = cli_credentials_get_username(
+ samba_cmdline_get_creds());
+ test_data->canonicalize = (i & TEST_CANONICALIZE) != 0;
+ test_data->enterprise = (i & TEST_ENTERPRISE) != 0;
+ test_data->upper_username = (i & TEST_UPPER_USERNAME) != 0;
+ test_data->win2k = (i & TEST_WIN2K) != 0;
+ test_data->upn = (i & TEST_UPN) != 0;
+ test_data->s4u2self = (i & TEST_S4U2SELF) != 0;
+ test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0;
+ test_data->as_req_spn = (i & TEST_AS_REQ_SPN) != 0;
+ torture_suite_add_simple_tcase_const(sub_suite, name, torture_krb5_as_req_canon,
+ test_data);
+ torture_suite_add_suite(suite, sub_suite);
+
+ }
+ return suite;
+}
diff --git a/source4/torture/krb5/kdc-heimdal.c b/source4/torture/krb5/kdc-heimdal.c
new file mode 100644
index 0000000..2ee751b
--- /dev/null
+++ b/source4/torture/krb5/kdc-heimdal.c
@@ -0,0 +1,1065 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Validate the krb5 pac generation routines
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "torture/smbtorture.h"
+#include "torture/winbind/proto.h"
+#include "torture/krb5/proto.h"
+#include "auth/credentials/credentials.h"
+#include "lib/cmdline/cmdline.h"
+#include "source4/auth/kerberos/kerberos.h"
+#include "source4/auth/kerberos/kerberos_util.h"
+#include "lib/util/util_net.h"
+
+#define krb5_is_app_tag(dat,tag) \
+ ((dat != NULL) && (dat)->length && \
+ (((((char *)(dat)->data)[0] & ~0x20) == ((tag) | 0x40))))
+
+#define krb5_is_krb_error(dat) krb5_is_app_tag(dat, 30)
+
+enum torture_krb5_test {
+ TORTURE_KRB5_TEST_PLAIN,
+ TORTURE_KRB5_TEST_PAC_REQUEST,
+ TORTURE_KRB5_TEST_BREAK_PW,
+ TORTURE_KRB5_TEST_CLOCK_SKEW,
+ TORTURE_KRB5_TEST_AES,
+ TORTURE_KRB5_TEST_RC4,
+ TORTURE_KRB5_TEST_AES_RC4,
+
+ /*
+ * This is in and out of the client.
+ * Out refers to requests, in refers to replies
+ */
+ TORTURE_KRB5_TEST_CHANGE_SERVER_OUT,
+ TORTURE_KRB5_TEST_CHANGE_SERVER_IN,
+ TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH,
+};
+
+struct torture_krb5_context {
+ struct torture_context *tctx;
+ struct addrinfo *server;
+ enum torture_krb5_test test;
+ int packet_count;
+ AS_REQ as_req;
+ AS_REP as_rep;
+ const char *krb5_service;
+ const char *krb5_hostname;
+};
+
+/*
+ * Confirm that the outgoing packet meets certain expectations. This
+ * should be extended to further assert the correct and expected
+ * behaviour of the krb5 libs, so we know what we are sending to the
+ * server.
+ *
+ */
+
+static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, krb5_data *send_buf)
+{
+ size_t used;
+ switch (test_context->test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ case TORTURE_KRB5_TEST_AES:
+ case TORTURE_KRB5_TEST_RC4:
+ case TORTURE_KRB5_TEST_AES_RC4:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_IN:
+ torture_assert_int_equal(test_context->tctx,
+ decode_AS_REQ(send_buf->data, send_buf->length, &test_context->as_req, &used), 0,
+ "decode_AS_REQ failed");
+ torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, 5, "Got wrong as_req->pvno");
+ break;
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_OUT:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH:
+ {
+ AS_REQ mod_as_req;
+ krb5_error_code k5ret;
+ krb5_data modified_send_buf;
+ torture_assert_int_equal(test_context->tctx,
+ decode_AS_REQ(send_buf->data, send_buf->length, &test_context->as_req, &used), 0,
+ "decode_AS_REQ failed");
+ torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, 5, "Got wrong as_req->pvno");
+
+ /* Only change it if configured with --option=torture:krb5-hostname= */
+ if (test_context->krb5_hostname[0] == '\0') {
+ break;
+ }
+
+ mod_as_req = test_context->as_req;
+
+ torture_assert_int_equal(test_context->tctx,
+ mod_as_req.req_body.sname->name_string.len, 2,
+ "Sending wrong mod_as_req.req_body->sname.name_string.len");
+ free(mod_as_req.req_body.sname->name_string.val[0]);
+ free(mod_as_req.req_body.sname->name_string.val[1]);
+ mod_as_req.req_body.sname->name_string.val[0] = strdup(test_context->krb5_service);
+ mod_as_req.req_body.sname->name_string.val[1] = strdup(test_context->krb5_hostname);
+
+ ASN1_MALLOC_ENCODE(AS_REQ, modified_send_buf.data, modified_send_buf.length,
+ &mod_as_req, &used, k5ret);
+ torture_assert_int_equal(test_context->tctx,
+ k5ret, 0,
+ "encode_AS_REQ failed");
+
+ *send_buf = modified_send_buf;
+ break;
+ }
+ }
+ return true;
+}
+
+static bool torture_check_krb5_error(struct torture_krb5_context *test_context,
+ const krb5_data *reply,
+ krb5_error_code expected_error,
+ bool check_pa_data)
+{
+ KRB_ERROR error = { 0 };
+ size_t used = 0;
+ int rc;
+
+ rc = decode_KRB_ERROR(reply->data, reply->length, &error, &used);
+ torture_assert_int_equal(test_context->tctx,
+ rc, 0,
+ "decode_KRB_ERROR failed");
+
+ torture_assert_int_equal(test_context->tctx,
+ used, reply->length,
+ "length mismatch");
+ torture_assert_int_equal(test_context->tctx,
+ error.pvno, 5,
+ "Got wrong error.pvno");
+ torture_assert_int_equal(test_context->tctx,
+ error.error_code, expected_error - KRB5KDC_ERR_NONE,
+ "Got wrong error.error_code");
+
+ if (check_pa_data) {
+ METHOD_DATA m;
+ size_t len;
+ int i;
+ bool found_enc_ts = false;
+ bool found_etype_info2 = false;
+ torture_assert(test_context->tctx,
+ error.e_data != NULL,
+ "No e-data returned");
+
+ rc = decode_METHOD_DATA(error.e_data->data,
+ error.e_data->length,
+ &m,
+ &len);
+ torture_assert_int_equal(test_context->tctx,
+ rc, 0,
+ "Got invalid method data");
+
+ torture_assert(test_context->tctx,
+ m.len > 0,
+ "No PA_DATA given");
+ for (i = 0; i < m.len; i++) {
+ if (m.val[i].padata_type == KRB5_PADATA_ENC_TIMESTAMP) {
+ found_enc_ts = true;
+ }
+ else if (m.val[i].padata_type == KRB5_PADATA_ETYPE_INFO2) {
+ found_etype_info2 = true;
+ }
+ }
+ torture_assert(test_context->tctx,
+ found_etype_info2,
+ "PADATA_ETYPE_INFO2 not found");
+ if (expected_error != KRB5KDC_ERR_PREAUTH_FAILED)
+ torture_assert(test_context->tctx,
+ found_enc_ts,
+ "Encrypted timestamp not found");
+ }
+
+ free_KRB_ERROR(&error);
+
+ return true;
+}
+
+static bool torture_check_krb5_as_rep_enctype(struct torture_krb5_context *test_context,
+ const krb5_data *reply,
+ const krb5_enctype* allowed_enctypes)
+{
+ ENCTYPE reply_enctype = { 0 };
+ size_t used = 0;
+ int rc;
+ int expected_enctype = ETYPE_NULL;
+
+ rc = decode_AS_REP(reply->data,
+ reply->length,
+ &test_context->as_rep,
+ &used);
+ torture_assert_int_equal(test_context->tctx,
+ rc, 0,
+ "decode_AS_REP failed");
+ torture_assert_int_equal(test_context->tctx,
+ used, reply->length,
+ "length mismatch");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.pvno, 5,
+ "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.ticket.tkt_vno, 5,
+ "Got wrong as_rep->ticket.tkt_vno");
+ torture_assert(test_context->tctx,
+ test_context->as_rep.ticket.enc_part.kvno,
+ "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
+
+ if (test_context->as_req.padata) {
+ /*
+ * If the AS-REQ contains a PA-ENC-TIMESTAMP, then
+ * that encryption type is used to determine the reply
+ * enctype.
+ */
+ int i = 0;
+ const PA_DATA *pa = krb5_find_padata(test_context->as_req.padata->val,
+ test_context->as_req.padata->len,
+ KRB5_PADATA_ENC_TIMESTAMP,
+ &i);
+ if (pa) {
+ EncryptedData ed;
+ size_t len;
+ krb5_error_code ret = decode_EncryptedData(pa->padata_value.data,
+ pa->padata_value.length,
+ &ed, &len);
+ torture_assert_int_equal(test_context->tctx,
+ ret,
+ 0,
+ "decode_EncryptedData failed");
+ expected_enctype = ed.etype;
+ free_EncryptedData(&ed);
+ }
+ }
+ if (expected_enctype == ETYPE_NULL) {
+ /*
+ * Otherwise, find the strongest enctype contained in
+ * the AS-REQ supported enctypes list.
+ */
+ const krb5_enctype *p = NULL;
+
+ for (p = krb5_kerberos_enctypes(NULL); *p != (krb5_enctype)ETYPE_NULL; ++p) {
+ int j;
+
+ if ((*p == (krb5_enctype)ETYPE_AES256_CTS_HMAC_SHA1_96 ||
+ *p == (krb5_enctype)ETYPE_AES128_CTS_HMAC_SHA1_96) &&
+ !test_context->as_req.req_body.kdc_options.canonicalize)
+ {
+ /*
+ * AES encryption types are only used here when
+ * we set the canonicalize flag, as the salt
+ * needs to match.
+ */
+ continue;
+ }
+
+ for (j = 0; j < test_context->as_req.req_body.etype.len; ++j) {
+ krb5_enctype etype = test_context->as_req.req_body.etype.val[j];
+ if (*p == etype) {
+ expected_enctype = etype;
+ break;
+ }
+ }
+
+ if (expected_enctype != (krb5_enctype)ETYPE_NULL) {
+ break;
+ }
+ }
+ }
+
+ {
+ /* Ensure the enctype to check against is an expected type. */
+ const krb5_enctype *p = NULL;
+ bool found = false;
+ for (p = allowed_enctypes; *p != (krb5_enctype)ETYPE_NULL; ++p) {
+ if (*p == expected_enctype) {
+ found = true;
+ break;
+ }
+ }
+
+ torture_assert(test_context->tctx,
+ found,
+ "Calculated enctype not in allowed list");
+ }
+
+ reply_enctype = test_context->as_rep.enc_part.etype;
+ torture_assert_int_equal(test_context->tctx,
+ reply_enctype, expected_enctype,
+ "Ticket encrypted with invalid algorithm");
+
+ return true;
+}
+
+/*
+ * Confirm that the incoming packet from the KDC meets certain
+ * expectations. This uses a switch and the packet count to work out
+ * what test we are in, and where in the test we are, so we can assert
+ * on the expected reply packets from the KDC.
+ *
+ */
+
+static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, krb5_data *recv_buf)
+{
+ KRB_ERROR error;
+ size_t used;
+ bool ok;
+
+ switch (test_context->test)
+ {
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_OUT:
+ case TORTURE_KRB5_TEST_PLAIN:
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
+ && (test_context->packet_count == 1)) {
+ torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
+ torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
+ "Got wrong error.error_code");
+ free_KRB_ERROR(&error);
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
+ "decode_AS_REP failed");
+ torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.pvno, 5,
+ "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.ticket.tkt_vno, 5,
+ "Got wrong as_rep->ticket.tkt_vno");
+ torture_assert(test_context->tctx,
+ test_context->as_rep.ticket.enc_part.kvno,
+ "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
+ if (test_context->test == TORTURE_KRB5_TEST_PLAIN) {
+ if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
+ torture_assert_int_not_equal(test_context->tctx,
+ *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
+ 0, "Did not get a RODC number in the KVNO");
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
+ 0, "Unexpecedly got a RODC number in the KVNO");
+ }
+ }
+ free_AS_REP(&test_context->as_rep);
+ }
+ torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
+ free_AS_REQ(&test_context->as_req);
+ break;
+
+ /*
+ * Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
+ */
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
+ && (test_context->packet_count == 1)) {
+ torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
+ torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
+ "Got wrong error.error_code");
+ free_KRB_ERROR(&error);
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
+ "decode_AS_REP failed");
+ torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx, test_context->as_rep.pvno, 5, "Got wrong as_rep->pvno");
+ free_AS_REP(&test_context->as_rep);
+ }
+ torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
+ free_AS_REQ(&test_context->as_req);
+ break;
+
+ /*
+ * Confirm correct error codes when we deliberatly send the wrong password
+ */
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if (test_context->packet_count == 1) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_FAILED,
+ true);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ }
+ torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
+ free_AS_REQ(&test_context->as_req);
+ break;
+
+ /*
+ * Confirm correct error codes when we deliberatly skew the client clock
+ */
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if (test_context->packet_count == 1) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KRB_AP_ERR_SKEW,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ }
+ torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
+ free_AS_REQ(&test_context->as_req);
+ break;
+ case TORTURE_KRB5_TEST_AES:
+ torture_comment(test_context->tctx, "TORTURE_KRB5_TEST_AES\n");
+
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if (krb5_is_krb_error(recv_buf)) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KRB_ERR_RESPONSE_TOO_BIG,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else {
+ const krb5_enctype allowed_enctypes[] = {
+ KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_NULL
+ };
+ ok = torture_check_krb5_as_rep_enctype(test_context,
+ recv_buf,
+ allowed_enctypes);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_as_rep_enctype failed");
+ }
+
+ torture_assert(test_context->tctx,
+ test_context->packet_count < 3,
+ "Too many packets");
+ break;
+ case TORTURE_KRB5_TEST_RC4:
+ torture_comment(test_context->tctx, "TORTURE_KRB5_TEST_RC4\n");
+
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if (krb5_is_krb_error(recv_buf)) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KRB_ERR_RESPONSE_TOO_BIG,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else {
+ const krb5_enctype allowed_enctypes[] = {
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ETYPE_NULL
+ };
+ ok = torture_check_krb5_as_rep_enctype(test_context,
+ recv_buf,
+ allowed_enctypes);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_as_rep_enctype failed");
+ }
+
+ torture_assert(test_context->tctx,
+ test_context->packet_count < 3,
+ "Too many packets");
+ break;
+ case TORTURE_KRB5_TEST_AES_RC4:
+ torture_comment(test_context->tctx, "TORTURE_KRB5_TEST_AES_RC4\n");
+
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if (krb5_is_krb_error(recv_buf)) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KRB_ERR_RESPONSE_TOO_BIG,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else {
+ const krb5_enctype allowed_enctypes[] = {
+ KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ETYPE_NULL
+ };
+ ok = torture_check_krb5_as_rep_enctype(test_context,
+ recv_buf,
+ allowed_enctypes);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_as_rep_enctype failed");
+ }
+
+ torture_assert(test_context->tctx,
+ test_context->packet_count < 3,
+ "Too many packets");
+ break;
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_IN:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH:
+ {
+ AS_REP mod_as_rep;
+ krb5_error_code k5ret;
+ krb5_data modified_recv_buf;
+ if (test_context->packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ recv_buf,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert(test_context->tctx,
+ ok,
+ "torture_check_krb5_error failed");
+ } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
+ && (test_context->packet_count == 1)) {
+ torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
+ torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
+ "Got wrong error.error_code");
+ free_KRB_ERROR(&error);
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
+ "decode_AS_REP failed");
+ torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.pvno, 5,
+ "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.ticket.tkt_vno, 5,
+ "Got wrong as_rep->ticket.tkt_vno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.ticket.sname.name_string.len, 2,
+ "Got wrong as_rep->ticket.sname.name_string.len");
+ free(test_context->as_rep.ticket.sname.name_string.val[0]);
+ free(test_context->as_rep.ticket.sname.name_string.val[1]);
+ test_context->as_rep.ticket.sname.name_string.val[0] = strdup("bad");
+ test_context->as_rep.ticket.sname.name_string.val[1] = strdup("mallory");
+
+ mod_as_rep = test_context->as_rep;
+
+ ASN1_MALLOC_ENCODE(AS_REP, modified_recv_buf.data, modified_recv_buf.length,
+ &mod_as_rep, &used, k5ret);
+ torture_assert_int_equal(test_context->tctx,
+ k5ret, 0,
+ "encode_AS_REQ failed");
+ krb5_data_free(recv_buf);
+
+ *recv_buf = modified_recv_buf;
+ free_AS_REQ(&test_context->as_req);
+ }
+ torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
+
+ break;
+ }
+ }
+
+
+ return true;
+}
+
+
+/*
+ * This function is set in torture_krb5_init_context as krb5
+ * send_and_recv function. This allows us to override what server the
+ * test is aimed at, and to inspect the packets just before they are
+ * sent to the network, and before they are processed on the recv
+ * side.
+ *
+ * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
+ * functions are implement the actual tests.
+ *
+ * When this asserts, the caller will get a spurious 'cannot contact
+ * any KDC' message.
+ *
+ */
+static krb5_error_code test_krb5_send_to_realm_override(
+ struct smb_krb5_context *smb_krb5_context,
+ void *data, /* struct torture_krb5_context */
+ krb5_const_realm realm,
+ time_t timeout,
+ const krb5_data *send_buf,
+ krb5_data *recv_buf)
+{
+ krb5_error_code k5ret;
+ bool ok;
+ krb5_data modified_send_buf = *send_buf;
+
+ struct torture_krb5_context *test_context
+ = talloc_get_type_abort(data, struct torture_krb5_context);
+
+ ok = torture_krb5_pre_send_test(test_context, &modified_send_buf);
+ if (ok == false) {
+ return EINVAL;
+ }
+
+ k5ret = smb_krb5_send_and_recv_func_forced_tcp(smb_krb5_context,
+ test_context->server,
+ timeout,
+ &modified_send_buf,
+ recv_buf);
+ if (k5ret != 0) {
+ return k5ret;
+ }
+ ok = torture_krb5_post_recv_test(test_context, recv_buf);
+ if (ok == false) {
+ return EINVAL;
+ }
+
+ test_context->packet_count++;
+
+ return k5ret;
+}
+
+static int test_context_destructor(struct torture_krb5_context *test_context)
+{
+ freeaddrinfo(test_context->server);
+ return 0;
+}
+
+
+static bool torture_krb5_init_context(struct torture_context *tctx,
+ enum torture_krb5_test test,
+ struct smb_krb5_context **smb_krb5_context)
+{
+ const char *host = torture_setting_string(tctx, "host", NULL);
+ krb5_error_code k5ret;
+ bool ok;
+
+ struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
+ torture_assert(tctx, test_context != NULL, "Failed to allocate");
+
+ test_context->test = test;
+ test_context->tctx = tctx;
+
+ test_context->krb5_service = torture_setting_string(tctx, "krb5-service", "host");
+ test_context->krb5_hostname = torture_setting_string(tctx, "krb5-hostname", "");
+
+ k5ret = smb_krb5_init_context(tctx, tctx->lp_ctx, smb_krb5_context);
+ torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
+
+ ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
+ torture_assert(tctx, ok, "Failed to parse target server");
+
+ talloc_set_destructor(test_context, test_context_destructor);
+
+ set_sockaddr_port(test_context->server->ai_addr, 88);
+
+ k5ret = smb_krb5_set_send_to_kdc_func((*smb_krb5_context),
+ test_krb5_send_to_realm_override,
+ NULL, /* send_to_kdc */
+ test_context);
+ torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
+ return true;
+}
+
+static bool torture_krb5_as_req_creds(struct torture_context *tctx,
+ struct cli_credentials *credentials,
+ enum torture_krb5_test test)
+{
+ krb5_error_code k5ret;
+ bool ok;
+ krb5_creds my_creds;
+ krb5_principal principal;
+ struct smb_krb5_context *smb_krb5_context;
+ krb5_context k5_context;
+ enum credentials_obtained obtained;
+ const char *error_string;
+ const char *password = cli_credentials_get_password(credentials);
+ const char *expected_principal_string;
+ krb5_get_init_creds_opt *krb_options = NULL;
+ const char *realm;
+ const char *krb5_hostname = torture_setting_string(tctx, "krb5-hostname", "");
+
+
+ ok = torture_krb5_init_context(tctx, test, &smb_krb5_context);
+ torture_assert(tctx, ok, "torture_krb5_init_context failed");
+ k5_context = smb_krb5_context->krb5_context;
+
+ expected_principal_string
+ = cli_credentials_get_principal(credentials,
+ tctx);
+
+ realm = strupper_talloc(tctx, cli_credentials_get_realm(credentials));
+ k5ret = principal_from_credentials(tctx, credentials, smb_krb5_context,
+ &principal, &obtained, &error_string);
+ torture_assert_int_equal(tctx, k5ret, 0, error_string);
+
+ switch (test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_OUT:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_IN:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH:
+ break;
+
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ torture_assert_int_equal(tctx,
+ krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options),
+ 0, "krb5_get_init_creds_opt_alloc failed");
+
+ torture_assert_int_equal(tctx,
+ krb5_get_init_creds_opt_set_pac_request(smb_krb5_context->krb5_context, krb_options, true),
+ 0, "krb5_get_init_creds_opt_set_pac_request failed");
+ break;
+
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ password = "NOT the password";
+ break;
+
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ torture_assert_int_equal(tctx,
+ krb5_set_real_time(smb_krb5_context->krb5_context, time(NULL) + 3600, 0),
+ 0, "krb5_set_real_time failed");
+ break;
+
+ case TORTURE_KRB5_TEST_AES: {
+ static krb5_enctype etype_list[] = { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 };
+
+ k5ret = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ k5ret, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+ krb5_get_init_creds_opt_set_etype_list(krb_options,
+ etype_list,
+ 1);
+ break;
+ }
+ case TORTURE_KRB5_TEST_RC4: {
+ static krb5_enctype etype_list[] = { KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 };
+
+ k5ret = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ k5ret, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+ krb5_get_init_creds_opt_set_etype_list(krb_options,
+ etype_list,
+ 1);
+ break;
+ }
+ case TORTURE_KRB5_TEST_AES_RC4: {
+ static krb5_enctype etype_list[] = { KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 };
+
+ k5ret = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ k5ret, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+ krb5_get_init_creds_opt_set_etype_list(krb_options,
+ etype_list,
+ 2);
+ break;
+ }
+
+ } /* end switch */
+
+ k5ret = krb5_get_init_creds_password(smb_krb5_context->krb5_context, &my_creds, principal,
+ password, NULL, NULL, 0,
+ NULL, krb_options);
+ krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
+
+ switch (test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_IN:
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ case TORTURE_KRB5_TEST_AES:
+ case TORTURE_KRB5_TEST_RC4:
+ case TORTURE_KRB5_TEST_AES_RC4:
+ {
+ char *got_principal_string;
+ char *assertion_message;
+ torture_assert_int_equal(tctx, k5ret, 0, "krb5_get_init_creds_password failed");
+
+ torture_assert_int_equal(tctx,
+ krb5_principal_get_type(k5_context,
+ my_creds.client),
+ KRB5_NT_PRINCIPAL,
+ "smb_krb5_init_context gave incorrect client->name.name_type");
+
+ torture_assert_int_equal(tctx,
+ krb5_unparse_name(k5_context,
+ my_creds.client,
+ &got_principal_string), 0,
+ "krb5_unparse_name failed");
+
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
+ got_principal_string, expected_principal_string);
+ krb5_free_unparsed_name(k5_context, got_principal_string);
+
+ torture_assert(tctx, krb5_principal_compare(k5_context,
+ my_creds.client,
+ principal),
+ assertion_message);
+
+
+ torture_assert_str_equal(tctx,
+ my_creds.server->name.name_string.val[0],
+ "krbtgt",
+ "Mismatch in name between AS_REP and expected response, expected krbtgt");
+ torture_assert_str_equal(tctx,
+ my_creds.server->name.name_string.val[1],
+ realm,
+ "Mismatch in realm part of krbtgt/ in AS_REP, expected krbtgt/REALM@REALM");
+
+ torture_assert_str_equal(tctx,
+ my_creds.server->realm,
+ realm,
+ "Mismatch in server realm in AS_REP, expected krbtgt/REALM@REALM");
+
+ break;
+ }
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_PREAUTH_FAILED, "krb5_get_init_creds_password should have failed");
+ return true;
+
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_SKEW, "krb5_get_init_creds_password should have failed");
+ return true;
+
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_OUT:
+ case TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH:
+ {
+ char *got_principal_string;
+ char *assertion_message;
+
+ if (krb5_hostname[0] != '\0') {
+ torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_BAD_INTEGRITY, "krb5_get_init_creds_password should have failed");
+ return true;
+ }
+
+ torture_assert_int_equal(tctx, k5ret, 0, "krb5_get_init_creds_password failed");
+
+ torture_assert_int_equal(tctx,
+ krb5_principal_get_type(k5_context,
+ my_creds.client),
+ KRB5_NT_PRINCIPAL,
+ "smb_krb5_init_context gave incorrect client->name.name_type");
+
+ torture_assert_int_equal(tctx,
+ krb5_unparse_name(k5_context,
+ my_creds.client,
+ &got_principal_string), 0,
+ "krb5_unparse_name failed");
+
+ assertion_message = talloc_asprintf(tctx,
+ "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
+ got_principal_string, expected_principal_string);
+ krb5_free_unparsed_name(k5_context, got_principal_string);
+
+ torture_assert(tctx, krb5_principal_compare(k5_context,
+ my_creds.client,
+ principal),
+ assertion_message);
+
+ break;
+ }
+ }
+
+ k5ret = krb5_free_cred_contents(smb_krb5_context->krb5_context, &my_creds);
+ torture_assert_int_equal(tctx, k5ret, 0, "krb5_free_creds failed");
+
+ return true;
+}
+
+static bool torture_krb5_as_req_cmdline(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx, samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_PLAIN);
+}
+
+static bool torture_krb5_as_req_pac_request(struct torture_context *tctx)
+{
+ if (torture_setting_bool(tctx, "expect_rodc", false)) {
+ torture_skip(tctx, "This test needs further investigation in the RODC case against a Windows DC, in particular with non-cached users");
+ }
+ return torture_krb5_as_req_creds(tctx, samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_PAC_REQUEST);
+}
+
+static bool torture_krb5_as_req_break_pw(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx, samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_BREAK_PW);
+}
+
+static bool torture_krb5_as_req_clock_skew(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx, samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_CLOCK_SKEW);
+}
+
+static bool torture_krb5_as_req_aes(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_AES);
+}
+
+static bool torture_krb5_as_req_rc4(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_RC4);
+}
+
+static bool torture_krb5_as_req_aes_rc4(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_AES_RC4);
+}
+
+/* Checking for the "Orpheus' Lyre" attack */
+static bool torture_krb5_as_req_change_server_out(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_CHANGE_SERVER_OUT);
+}
+
+static bool torture_krb5_as_req_change_server_in(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_CHANGE_SERVER_IN);
+}
+
+static bool torture_krb5_as_req_change_server_both(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH);
+}
+
+NTSTATUS torture_krb5_init(TALLOC_CTX *ctx)
+{
+ struct torture_suite *suite = torture_suite_create(ctx, "krb5");
+ struct torture_suite *kdc_suite = torture_suite_create(suite, "kdc");
+ suite->description = talloc_strdup(suite, "Kerberos tests");
+ kdc_suite->description = talloc_strdup(kdc_suite, "Kerberos KDC tests");
+
+ torture_suite_add_simple_test(kdc_suite, "as-req-cmdline",
+ torture_krb5_as_req_cmdline);
+
+ torture_suite_add_simple_test(kdc_suite, "as-req-pac-request",
+ torture_krb5_as_req_pac_request);
+
+ torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
+ torture_krb5_as_req_break_pw);
+
+ torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
+ torture_krb5_as_req_clock_skew);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-aes",
+ torture_krb5_as_req_aes);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-rc4",
+ torture_krb5_as_req_rc4);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-aes-rc4",
+ torture_krb5_as_req_aes_rc4);
+
+ /*
+ * This is in and out of the client.
+ * Out refers to requests, in refers to replies
+ */
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-change-server-in",
+ torture_krb5_as_req_change_server_in);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-change-server-out",
+ torture_krb5_as_req_change_server_out);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-change-server-both",
+ torture_krb5_as_req_change_server_both);
+
+ torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite));
+ torture_suite_add_suite(suite, kdc_suite);
+
+ torture_register_suite(ctx, suite);
+ return NT_STATUS_OK;
+}
diff --git a/source4/torture/krb5/kdc-mit.c b/source4/torture/krb5/kdc-mit.c
new file mode 100644
index 0000000..5085966
--- /dev/null
+++ b/source4/torture/krb5/kdc-mit.c
@@ -0,0 +1,795 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Validate the krb5 pac generation routines
+
+ Copyright (c) 2016 Andreas Schneider <asn@samba.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "system/time.h"
+#include "torture/smbtorture.h"
+#include "torture/winbind/proto.h"
+#include "torture/krb5/proto.h"
+#include "auth/credentials/credentials.h"
+#include "lib/cmdline/cmdline.h"
+#include "source4/auth/kerberos/kerberos.h"
+#include "source4/auth/kerberos/kerberos_util.h"
+#include "lib/util/util_net.h"
+
+#define krb5_is_app_tag(dat,tag) \
+ ((dat != NULL) && (dat)->length && \
+ ((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
+
+#define krb5_is_as_req(dat) krb5_is_app_tag(dat, 10)
+#define krb5_is_as_rep(dat) krb5_is_app_tag(dat, 11)
+#define krb5_is_krb_error(dat) krb5_is_app_tag(dat, 30)
+
+enum torture_krb5_test {
+ TORTURE_KRB5_TEST_PLAIN,
+ TORTURE_KRB5_TEST_PAC_REQUEST,
+ TORTURE_KRB5_TEST_BREAK_PW,
+ TORTURE_KRB5_TEST_CLOCK_SKEW,
+ TORTURE_KRB5_TEST_AES,
+ TORTURE_KRB5_TEST_RC4,
+ TORTURE_KRB5_TEST_AES_RC4,
+};
+
+struct torture_krb5_context {
+ struct torture_context *tctx;
+ krb5_context krb5_context;
+ enum torture_krb5_test test;
+ int recv_packet_count;
+ krb5_kdc_req *as_req;
+ krb5_kdc_rep *as_rep;
+};
+
+krb5_error_code decode_krb5_error(const krb5_data *output, krb5_error **rep);
+
+krb5_error_code decode_krb5_as_req(const krb5_data *output, krb5_kdc_req **req);
+krb5_error_code decode_krb5_as_rep(const krb5_data *output, krb5_kdc_rep **rep);
+
+krb5_error_code decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep);
+
+void krb5_free_kdc_req(krb5_context ctx, krb5_kdc_req *req);
+void krb5_free_kdc_rep(krb5_context ctx, krb5_kdc_rep *rep);
+void krb5_free_pa_data(krb5_context ctx, krb5_pa_data **data);
+
+static bool torture_check_krb5_as_req(struct torture_krb5_context *test_context,
+ krb5_context context,
+ const krb5_data *message)
+{
+ krb5_error_code code;
+ int nktypes;
+
+ code = decode_krb5_as_req(message, &test_context->as_req);
+ torture_assert_int_equal(test_context->tctx,
+ code, 0,
+ "decode_as_req failed");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_req->msg_type,
+ KRB5_AS_REQ,
+ "Not a AS REQ");
+
+ nktypes = test_context->as_req->nktypes;
+ torture_assert_int_not_equal(test_context->tctx,
+ nktypes, 0,
+ "No keytypes");
+
+ return true;
+}
+
+static krb5_error_code torture_krb5_pre_send_test(krb5_context context,
+ void *data,
+ const krb5_data *realm,
+ const krb5_data *message,
+ krb5_data **new_message_out,
+ krb5_data **new_reply_out)
+{
+ bool ok;
+ struct torture_krb5_context *test_context =
+ (struct torture_krb5_context *)data;
+
+ switch (test_context->test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ case TORTURE_KRB5_TEST_AES:
+ case TORTURE_KRB5_TEST_RC4:
+ case TORTURE_KRB5_TEST_AES_RC4:
+ ok = torture_check_krb5_as_req(test_context,
+ context,
+ message);
+ if (!ok) {
+ return KRB5KDC_ERR_BADOPTION;
+ }
+ break;
+ }
+
+ return 0;
+}
+
+/*
+ * We need these function to validate packets because our torture macros
+ * do a 'return false' on error.
+ */
+static bool torture_check_krb5_error(struct torture_krb5_context *test_context,
+ krb5_context context,
+ const krb5_data *reply,
+ krb5_error_code error_code,
+ bool check_pa_data)
+
+{
+ krb5_error *krb_error;
+ krb5_error_code code;
+
+ code = decode_krb5_error(reply, &krb_error);
+ torture_assert_int_equal(test_context->tctx,
+ code,
+ 0,
+ "decode_krb5_error failed");
+
+ torture_assert_int_equal(test_context->tctx,
+ krb_error->error,
+ error_code - KRB5KDC_ERR_NONE,
+ "Got wrong error code");
+
+ if (check_pa_data) {
+ krb5_pa_data **d, **pa_data = NULL;
+ bool timestamp_found = false;
+
+ torture_assert_int_not_equal(test_context->tctx,
+ krb_error->e_data.length, 0,
+ "No e-data returned");
+
+ code = decode_krb5_padata_sequence(&krb_error->e_data,
+ &pa_data);
+ torture_assert_int_equal(test_context->tctx,
+ code,
+ 0,
+ "decode_krb5_padata_sequence failed");
+
+ for (d = pa_data; d != NULL; d++) {
+ if ((*d)->pa_type == KRB5_PADATA_ENC_TIMESTAMP) {
+ timestamp_found = true;
+ break;
+ }
+ }
+ torture_assert(test_context->tctx,
+ timestamp_found,
+ "Encrypted timestamp not found");
+
+ krb5_free_pa_data(context, pa_data);
+ }
+
+ krb5_free_error(context, krb_error);
+
+ return true;
+}
+
+static bool torture_check_krb5_as_rep(struct torture_krb5_context *test_context,
+ krb5_context context,
+ const krb5_data *reply)
+{
+ krb5_error_code code;
+ bool ok;
+
+ code = decode_krb5_as_rep(reply, &test_context->as_rep);
+ torture_assert_int_equal(test_context->tctx,
+ code,
+ 0,
+ "decode_krb5_as_rep failed");
+
+ torture_assert(test_context->tctx,
+ test_context->as_rep->ticket->enc_part.kvno,
+ "No KVNO set");
+
+ ok = torture_setting_bool(test_context->tctx,
+ "expect_cached_at_rodc",
+ false);
+ if (ok) {
+ torture_assert_int_not_equal(test_context->tctx,
+ test_context->as_rep->ticket->enc_part.kvno & 0xFFFF0000,
+ 0,
+ "Did not get a RODC number in the KVNO");
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep->ticket->enc_part.kvno & 0xFFFF0000,
+ 0,
+ "Unexpecedly got a RODC number in the KVNO");
+ }
+
+ return true;
+}
+
+static bool torture_check_krb5_as_rep_enctype(struct torture_krb5_context *test_context,
+ krb5_context context,
+ const krb5_data *reply,
+ krb5_enctype expected_enctype)
+{
+ krb5_enctype reply_enctype;
+ bool ok;
+
+ ok = torture_check_krb5_as_rep(test_context,
+ context,
+ reply);
+ if (!ok) {
+ return false;
+ }
+
+ reply_enctype = test_context->as_rep->enc_part.enctype;
+
+ torture_assert_int_equal(test_context->tctx,
+ reply_enctype, expected_enctype,
+ "Ticket encrypted with invalid algorithm");
+
+ return true;
+}
+
+static krb5_error_code torture_krb5_post_recv_test(krb5_context context,
+ void *data,
+ krb5_error_code kdc_code,
+ const krb5_data *realm,
+ const krb5_data *message,
+ const krb5_data *reply,
+ krb5_data **new_reply_out)
+{
+ struct torture_krb5_context *test_context =
+ (struct torture_krb5_context *)data;
+ krb5_error_code code;
+ bool ok = true;
+
+ torture_comment(test_context->tctx,
+ "PACKET COUNT = %d\n",
+ test_context->recv_packet_count);
+
+ torture_comment(test_context->tctx,
+ "KRB5_AS_REP = %d\n",
+ krb5_is_as_req(reply));
+
+ torture_comment(test_context->tctx,
+ "KRB5_ERROR = %d\n",
+ krb5_is_krb_error(reply));
+
+ torture_comment(test_context->tctx,
+ "KDC ERROR CODE = %d\n",
+ kdc_code);
+
+ switch (test_context->test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ } else {
+ ok = torture_check_krb5_as_rep(test_context,
+ context,
+ reply);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_as_rep failed");
+ }
+
+ torture_assert_goto(test_context->tctx,
+ test_context->recv_packet_count < 2,
+ ok,
+ out,
+ "Too many packets");
+
+ break;
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KRB_ERR_RESPONSE_TOO_BIG,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ } else if (test_context->recv_packet_count == 1) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ } else if (krb5_is_krb_error(reply)) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KRB_ERR_RESPONSE_TOO_BIG,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ } else {
+ ok = torture_check_krb5_as_rep(test_context,
+ context,
+ reply);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_as_rep failed");
+ }
+
+ torture_assert_goto(test_context->tctx,
+ test_context->recv_packet_count < 3,
+ ok,
+ out,
+ "Too many packets");
+ break;
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ if (!ok) {
+ goto out;
+ }
+ } else if (test_context->recv_packet_count == 1) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_FAILED,
+ true);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ }
+
+ torture_assert_goto(test_context->tctx,
+ test_context->recv_packet_count < 2,
+ ok,
+ out,
+ "Too many packets");
+ break;
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ if (!ok) {
+ goto out;
+ }
+ } else if (test_context->recv_packet_count == 1) {
+ /*
+ * This only works if kdc_timesync 0 is set in krb5.conf
+ *
+ * See commit 5f39a4438eafd693a3eb8366bbc3901efe62e538
+ * in the MIT Kerberos source tree.
+ */
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KRB_AP_ERR_SKEW,
+ false);
+ torture_assert_goto(test_context->tctx,
+ ok,
+ ok,
+ out,
+ "torture_check_krb5_error failed");
+ }
+
+ torture_assert_goto(test_context->tctx,
+ test_context->recv_packet_count < 2,
+ ok,
+ out,
+ "Too many packets");
+ break;
+ case TORTURE_KRB5_TEST_AES:
+ torture_comment(test_context->tctx, "TORTURE_KRB5_TEST_AES\n");
+
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ if (!ok) {
+ goto out;
+ }
+ } else {
+ ok = torture_check_krb5_as_rep_enctype(test_context,
+ context,
+ reply,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96);
+ if (!ok) {
+ goto out;
+ }
+ }
+ break;
+ case TORTURE_KRB5_TEST_RC4:
+ torture_comment(test_context->tctx, "TORTURE_KRB5_TEST_RC4\n");
+
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ if (!ok) {
+ goto out;
+ }
+ } else {
+ ok = torture_check_krb5_as_rep_enctype(test_context,
+ context,
+ reply,
+ ENCTYPE_ARCFOUR_HMAC);
+ if (!ok) {
+ goto out;
+ }
+ }
+ break;
+ case TORTURE_KRB5_TEST_AES_RC4:
+ torture_comment(test_context->tctx, "TORTURE_KRB5_TEST_AES_RC4\n");
+
+ if (test_context->recv_packet_count == 0) {
+ ok = torture_check_krb5_error(test_context,
+ context,
+ reply,
+ KRB5KDC_ERR_PREAUTH_REQUIRED,
+ false);
+ if (!ok) {
+ goto out;
+ }
+ } else {
+ ok = torture_check_krb5_as_rep_enctype(test_context,
+ context,
+ reply,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96);
+ if (!ok) {
+ goto out;
+ }
+ }
+ break;
+ }
+
+ code = kdc_code;
+out:
+ if (!ok) {
+ code = EINVAL;
+ }
+
+ /* Cleanup */
+ krb5_free_kdc_req(test_context->krb5_context, test_context->as_req);
+ krb5_free_kdc_rep(test_context->krb5_context, test_context->as_rep);
+
+ test_context->recv_packet_count++;
+
+ return code;
+}
+
+static bool torture_krb5_init_context(struct torture_context *tctx,
+ enum torture_krb5_test test,
+ struct smb_krb5_context **smb_krb5_context)
+{
+ krb5_error_code code;
+
+ struct torture_krb5_context *test_context = talloc_zero(tctx,
+ struct torture_krb5_context);
+ torture_assert(tctx, test_context != NULL, "Failed to allocate");
+
+ test_context->test = test;
+ test_context->tctx = tctx;
+
+ code = smb_krb5_init_context(tctx, tctx->lp_ctx, smb_krb5_context);
+ torture_assert_int_equal(tctx, code, 0, "smb_krb5_init_context failed");
+
+ test_context->krb5_context = (*smb_krb5_context)->krb5_context;
+
+ krb5_set_kdc_send_hook((*smb_krb5_context)->krb5_context,
+ torture_krb5_pre_send_test,
+ test_context);
+
+ krb5_set_kdc_recv_hook((*smb_krb5_context)->krb5_context,
+ torture_krb5_post_recv_test,
+ test_context);
+
+ return true;
+}
+static bool torture_krb5_as_req_creds(struct torture_context *tctx,
+ struct cli_credentials *credentials,
+ enum torture_krb5_test test)
+{
+ krb5_get_init_creds_opt *krb_options = NULL;
+ struct smb_krb5_context *smb_krb5_context;
+ enum credentials_obtained obtained;
+ const char *error_string;
+ const char *password;
+ krb5_principal principal;
+ krb5_error_code code;
+ krb5_creds my_creds;
+ bool ok;
+
+ ok = torture_krb5_init_context(tctx, test, &smb_krb5_context);
+ torture_assert(tctx, ok, "torture_krb5_init_context failed");
+
+ code = principal_from_credentials(tctx,
+ credentials,
+ smb_krb5_context,
+ &principal,
+ &obtained,
+ &error_string);
+ torture_assert_int_equal(tctx, code, 0, error_string);
+
+ password = cli_credentials_get_password(credentials);
+
+ switch (test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ break;
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+ code = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ code, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+ code = krb5_get_init_creds_opt_set_pac_request(smb_krb5_context->krb5_context,
+ krb_options,
+ 1);
+ torture_assert_int_equal(tctx,
+ code, 0,
+ "krb5_get_init_creds_opt_set_pac_request failed");
+#endif
+ break;
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ password = "NOT the password";
+ break;
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ code = krb5_set_real_time(smb_krb5_context->krb5_context,
+ time(NULL) + 3600,
+ 0);
+ torture_assert_int_equal(tctx,
+ code, 0,
+ "krb5_set_real_time failed");
+ break;
+ case TORTURE_KRB5_TEST_AES: {
+ krb5_enctype etype[] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96 };
+
+ code = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ code, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+ krb5_get_init_creds_opt_set_etype_list(krb_options,
+ etype,
+ 1);
+ break;
+ }
+ case TORTURE_KRB5_TEST_RC4: {
+ krb5_enctype etype[] = { ENCTYPE_ARCFOUR_HMAC };
+
+ code = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ code, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+ krb5_get_init_creds_opt_set_etype_list(krb_options,
+ etype,
+ 1);
+ break;
+ }
+ case TORTURE_KRB5_TEST_AES_RC4: {
+ krb5_enctype etype[] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC };
+
+ code = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context,
+ &krb_options);
+ torture_assert_int_equal(tctx,
+ code, 0,
+ "krb5_get_init_creds_opt_alloc failed");
+
+
+ krb5_get_init_creds_opt_set_etype_list(krb_options,
+ etype,
+ 2);
+ break;
+ }
+ }
+
+ code = krb5_get_init_creds_password(smb_krb5_context->krb5_context,
+ &my_creds,
+ principal,
+ password,
+ NULL,
+ NULL,
+ 0,
+ NULL,
+ krb_options);
+ krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context,
+ krb_options);
+
+ switch (test)
+ {
+ case TORTURE_KRB5_TEST_PLAIN:
+ case TORTURE_KRB5_TEST_PAC_REQUEST:
+ case TORTURE_KRB5_TEST_AES:
+ case TORTURE_KRB5_TEST_RC4:
+ case TORTURE_KRB5_TEST_AES_RC4:
+ torture_assert_int_equal(tctx,
+ code,
+ 0,
+ "krb5_get_init_creds_password failed");
+ break;
+ case TORTURE_KRB5_TEST_BREAK_PW:
+ torture_assert_int_equal(tctx,
+ code,
+ KRB5KDC_ERR_PREAUTH_FAILED,
+ "krb5_get_init_creds_password should "
+ "have failed");
+ return true;
+ case TORTURE_KRB5_TEST_CLOCK_SKEW:
+ torture_assert_int_equal(tctx,
+ code,
+ KRB5KRB_AP_ERR_SKEW,
+ "krb5_get_init_creds_password should "
+ "have failed");
+ return true;
+ }
+
+ krb5_free_cred_contents(smb_krb5_context->krb5_context,
+ &my_creds);
+
+ return true;
+}
+
+static bool torture_krb5_as_req_cmdline(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_PLAIN);
+}
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+static bool torture_krb5_as_req_pac_request(struct torture_context *tctx)
+{
+ bool ok;
+
+ ok = torture_setting_bool(tctx, "expect_rodc", false);
+ if (ok) {
+ torture_skip(tctx,
+ "This test needs further investigation in the "
+ "RODC case against a Windows DC, in particular "
+ "with non-cached users");
+ }
+ return torture_krb5_as_req_creds(tctx, samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_PAC_REQUEST);
+}
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST */
+
+static bool torture_krb5_as_req_break_pw(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_BREAK_PW);
+}
+
+static bool torture_krb5_as_req_clock_skew(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_CLOCK_SKEW);
+}
+
+static bool torture_krb5_as_req_aes(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_AES);
+}
+
+static bool torture_krb5_as_req_rc4(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_RC4);
+}
+
+static bool torture_krb5_as_req_aes_rc4(struct torture_context *tctx)
+{
+ return torture_krb5_as_req_creds(tctx,
+ samba_cmdline_get_creds(),
+ TORTURE_KRB5_TEST_AES_RC4);
+}
+
+NTSTATUS torture_krb5_init(TALLOC_CTX *ctx)
+{
+ struct torture_suite *suite =
+ torture_suite_create(ctx, "krb5");
+ struct torture_suite *kdc_suite = torture_suite_create(suite, "kdc");
+ suite->description = talloc_strdup(suite, "Kerberos tests");
+ kdc_suite->description = talloc_strdup(kdc_suite, "Kerberos KDC tests");
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-cmdline",
+ torture_krb5_as_req_cmdline);
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+ /* Only available with MIT Kerveros 1.15 and newer */
+ torture_suite_add_simple_test(kdc_suite, "as-req-pac-request",
+ torture_krb5_as_req_pac_request);
+#endif
+
+ torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
+ torture_krb5_as_req_break_pw);
+
+ /* This only works if kdc_timesync 0 is set in krb5.conf */
+ torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
+ torture_krb5_as_req_clock_skew);
+
+#if 0
+ torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite));
+#endif
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-aes",
+ torture_krb5_as_req_aes);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-rc4",
+ torture_krb5_as_req_rc4);
+
+ torture_suite_add_simple_test(kdc_suite,
+ "as-req-aes-rc4",
+ torture_krb5_as_req_aes_rc4);
+
+ torture_suite_add_suite(suite, kdc_suite);
+
+ torture_register_suite(ctx, suite);
+
+ return NT_STATUS_OK;
+}
diff --git a/source4/torture/krb5/wscript_build b/source4/torture/krb5/wscript_build
new file mode 100644
index 0000000..f59aa88
--- /dev/null
+++ b/source4/torture/krb5/wscript_build
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+
+if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
+ if bld.CONFIG_SET('SAMBA4_USES_HEIMDAL'):
+ bld.SAMBA_MODULE('TORTURE_KRB5',
+ source='kdc-heimdal.c kdc-canon-heimdal.c',
+ autoproto='proto.h',
+ subsystem='smbtorture',
+ init_function='torture_krb5_init',
+ deps='authkrb5 torture KERBEROS_UTIL',
+ internal_module=True)
+ else:
+ bld.SAMBA_MODULE('TORTURE_KRB5',
+ source='kdc-mit.c',
+ autoproto='proto.h',
+ subsystem='smbtorture',
+ init_function='torture_krb5_init',
+ deps='authkrb5 torture KERBEROS_UTIL',
+ internal_module=True)