diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
| commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
| tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/tests/kdc/check-digest.in | |
| parent | Initial commit. (diff) | |
| download | samba-upstream.tar.xz samba-upstream.zip | |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/tests/kdc/check-digest.in')
| -rw-r--r-- | third_party/heimdal/tests/kdc/check-digest.in | 291 |
1 files changed, 291 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/check-digest.in b/third_party/heimdal/tests/kdc/check-digest.in new file mode 100644 index 0000000..d934f4e --- /dev/null +++ b/third_party/heimdal/tests/kdc/check-digest.in @@ -0,0 +1,291 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="@objdir@" +srcdir="@srcdir@" + +testfailed="echo test failed; cat messages.log; exit 1" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +${have_db} || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +kadmin="${kadmin} -l -r $R" +kdc="${kdc} --addresses=localhost -P $port" + +server=host/datan.test.h5l.se +cache="FILE:${objdir}/cache.krb5" +ocache="FILE:${objdir}/ocache.krb5" +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" + +kinit="${kinit} -c $cache ${afs_no_afslog}" +klist="${klist} -c $cache" +kdigest="${kdigest} --ccache=$cache" + +username=foo +userpassword=digestpassword + +password=foobarbaz + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1 +${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1 +${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 +${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo $password > ${objdir}/foopassword + +echo "Starting kdc" ; > messages.log +env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing || + { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT + +exitcode=0 + +echo "Getting digest server tickets" +${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1 +${kdigest} digest-server-init \ + --kerberos-realm=${R} \ + --type=CHAP > /dev/null || exitcode=1 + +echo "Trying NTLM" + +NTLM_ACCEPTOR_CCACHE="$cache" +export NTLM_ACCEPTOR_CCACHE + +echo "Trying server-init" +${kdigest} ntlm-server-init \ + --kerberos-realm=${R} \ + > sdigest-init || exitcode=1 + +echo "test_ntlm" +${test_ntlm} || { echo "test_ntlm failed"; exit 1; } + +NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt" +export NTLM_USER_FILE + +echo "test_context --mech-type=ntlm" +${test_context} --mech-type=ntlm \ + --client-name=foo@TEST \ + --name-type=hostbased-service datan@TEST || \ + { echo "test_context 1 failed"; exit 1; } + +${test_context} --mech-type=ntlm \ + --client-name=foo@TEST \ + --name-type=hostbased-service datan@host.TEST || \ + { echo "test_context 2 failed"; exit 1; } + +${test_context} --mech-type=ntlm \ + --client-name=foo@TEST \ + --name-type=hostbased-service datan@host.test.domain2 || \ + { echo "test_context 3 failed"; exit 1; } + +echo "Trying SL in NTLM" + + +for type in \ + "" \ + "--getverifymic" \ + "--wrapunwrap" \ + "--getverifymic --wrapunwrap" \ + ; do + + echo "Trying NTLM type: ${type}" + ${test_context} --mech-type=ntlm ${type} \ + --client-name=foo@TEST \ + --name-type=hostbased-service datan@TEST || \ + { echo "test_context 1 failed"; exit 1; } + +done + + +echo "Trying CHAP" + +${kdigest} digest-server-init \ + --kerberos-realm=${R} \ + --type=CHAP \ + > sdigest-reply || exitcode=1 + +snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=` +identifier=`grep identifier= sdigest-reply | cut -f2- -d=` +opaque=`grep opaque= sdigest-reply | cut -f2- -d=` + +${kdigest} digest-client-request \ + --type=CHAP \ + --username="$username" \ + --password="$userpassword" \ + --opaque="$opaque" \ + --server-identifier="$identifier" \ + --server-nonce="$snonce" \ + > cdigest-reply || exitcode=1 + +cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=` + +#echo user: $username +#echo server-nonce: $snonce +#echo opaqeue: $opaque +#echo identifier: $identifier + +${kdigest} digest-server-request \ + --kerberos-realm=${R} \ + --type=CHAP \ + --username="$username" \ + --opaque="$opaque" \ + --client-response="$cresponseData" \ + --server-identifier="$identifier" \ + --server-nonce="$snonce" \ + > s2digest-reply || exitcode=1 + +status=`grep status= s2digest-reply | cut -f2- -d=` + +if test "X$status" = "Xok" ; then + echo "CHAP response ok" +else + echo "CHAP response failed" + exitcode=1 +fi + +cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'` + +${kdigest} digest-server-request \ + --kerberos-realm=${R} \ + --type=CHAP \ + --username="$username" \ + --opaque="$opaque" \ + --client-response="$cresponseData" \ + --server-identifier="$identifier" \ + --server-nonce="$snonce" \ + > s2digest-reply || exitcode=1 + +status=`grep status= s2digest-reply | cut -f2- -d=` + +if test "X$status" = "Xfailed" ; then + echo "CHAP response fail as it should" +else + echo "CHAP response succeeded errorously" + exitcode=1 +fi + +echo "Trying MS-CHAP-V2" + +${kdigest} digest-server-init \ + --kerberos-realm=${R} \ + --type=MS-CHAP-V2 \ + > sdigest-reply || exitcode=1 + +snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=` +opaque=`grep opaque= sdigest-reply | cut -f2- -d=` +cnonce="21402324255E262A28295F2B3A337C7E" + +echo "MS-CHAP-V2 client request" +${kdigest} digest-client-request \ + --type=MS-CHAP-V2 \ + --username="$username" \ + --password="$userpassword" \ + --opaque="$opaque" \ + --client-nonce="$cnonce" \ + --server-nonce="$snonce" \ + > cdigest-reply || exitcode=1 + +cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=` +cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=` +ckey=`grep session-key= cdigest-reply | cut -f2- -d=` + +${kdigest} digest-server-request \ + --kerberos-realm=${R} \ + --type=MS-CHAP-V2 \ + --username="$username" \ + --opaque="$opaque" \ + --client-response="$cresponseData" \ + --client-nonce="$cnonce" \ + --server-nonce="$snonce" \ + > s2digest-reply || exitcode=1 + +status=`grep status= s2digest-reply | cut -f2- -d=` +sRsp=`grep rsp= s2digest-reply | cut -f2- -d=` +skey=`grep session-key= s2digest-reply | cut -f2- -d=` + +if test "X$sRsp" != "X$cRsp" ; then + echo "rsp wrong $sRsp != $cRsp" + exitcode=1 +fi + +if test "X$skey" != "X$ckey" ; then + echo "rsp wrong" + exitcode=1 +fi + +if test "X$status" = "Xok" ; then + echo "MS-CHAP-V2 response ok" +else + echo "MS-CHAP-V2 response failed" + exitcode=1 +fi + +trap "" EXIT + +echo "killing kdc (${kdcpid})" +sh ${leaks_kill} kdc $kdcpid || exit 1 + +exit $exitcode + |