2016-05-13 09:42:44 +02:00
/*
Unix SMB / CIFS implementation .
Validate the krb5 pac generation routines
Copyright ( c ) 2016 Andreas Schneider < asn @ samba . org >
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "system/kerberos.h"
2016-07-05 16:16:17 +02:00
# include "system/time.h"
2016-05-13 09:42:44 +02:00
# include "torture/smbtorture.h"
# include "torture/winbind/proto.h"
# include "torture/krb5/proto.h"
# include "auth/credentials/credentials.h"
# include "lib/cmdline/popt_common.h"
# include "source4/auth/kerberos/kerberos.h"
# include "source4/auth/kerberos/kerberos_util.h"
# include "lib/util/util_net.h"
2016-05-13 09:36:34 +02:00
# define krb5_is_app_tag(dat,tag) \
( ( dat ! = NULL ) & & ( dat ) - > length & & \
( ( ( ( dat ) - > data [ 0 ] & ~ 0x20 ) = = ( ( tag ) | 0x40 ) ) ) )
# define krb5_is_as_req(dat) krb5_is_app_tag(dat, 10)
# define krb5_is_as_rep(dat) krb5_is_app_tag(dat, 11)
# define krb5_is_krb_error(dat) krb5_is_app_tag(dat, 30)
enum torture_krb5_test {
TORTURE_KRB5_TEST_PLAIN ,
TORTURE_KRB5_TEST_PAC_REQUEST ,
TORTURE_KRB5_TEST_BREAK_PW ,
TORTURE_KRB5_TEST_CLOCK_SKEW ,
2016-07-01 12:33:45 +02:00
TORTURE_KRB5_TEST_AES ,
TORTURE_KRB5_TEST_RC4 ,
TORTURE_KRB5_TEST_AES_RC4 ,
2016-05-13 09:36:34 +02:00
} ;
struct torture_krb5_context {
struct torture_context * tctx ;
krb5_context krb5_context ;
enum torture_krb5_test test ;
int recv_packet_count ;
krb5_kdc_req * as_req ;
krb5_kdc_rep * as_rep ;
} ;
krb5_error_code decode_krb5_error ( const krb5_data * output , krb5_error * * rep ) ;
krb5_error_code decode_krb5_as_req ( const krb5_data * output , krb5_kdc_req * * req ) ;
krb5_error_code decode_krb5_as_rep ( const krb5_data * output , krb5_kdc_rep * * rep ) ;
2016-07-04 16:37:08 +02:00
krb5_error_code decode_krb5_padata_sequence ( const krb5_data * output , krb5_pa_data * * * rep ) ;
2016-05-13 09:36:34 +02:00
void krb5_free_kdc_req ( krb5_context ctx , krb5_kdc_req * req ) ;
void krb5_free_kdc_rep ( krb5_context ctx , krb5_kdc_rep * rep ) ;
2016-07-04 16:37:08 +02:00
void krb5_free_pa_data ( krb5_context ctx , krb5_pa_data * * data ) ;
2016-05-13 09:36:34 +02:00
static bool torture_check_krb5_as_req ( struct torture_krb5_context * test_context ,
krb5_context context ,
const krb5_data * message )
{
krb5_error_code code ;
int nktypes ;
code = decode_krb5_as_req ( message , & test_context - > as_req ) ;
torture_assert_int_equal ( test_context - > tctx ,
code , 0 ,
" decode_as_req failed " ) ;
torture_assert_int_equal ( test_context - > tctx ,
test_context - > as_req - > msg_type ,
KRB5_AS_REQ ,
" Not a AS REQ " ) ;
nktypes = test_context - > as_req - > nktypes ;
torture_assert_int_not_equal ( test_context - > tctx ,
nktypes , 0 ,
" No keytypes " ) ;
return true ;
}
static krb5_error_code torture_krb5_pre_send_test ( krb5_context context ,
void * data ,
const krb5_data * realm ,
const krb5_data * message ,
krb5_data * * new_message_out ,
krb5_data * * new_reply_out )
{
bool ok ;
struct torture_krb5_context * test_context =
( struct torture_krb5_context * ) data ;
switch ( test_context - > test )
{
case TORTURE_KRB5_TEST_PLAIN :
case TORTURE_KRB5_TEST_PAC_REQUEST :
case TORTURE_KRB5_TEST_BREAK_PW :
case TORTURE_KRB5_TEST_CLOCK_SKEW :
2016-07-01 12:33:45 +02:00
case TORTURE_KRB5_TEST_AES :
case TORTURE_KRB5_TEST_RC4 :
case TORTURE_KRB5_TEST_AES_RC4 :
2016-05-13 09:36:34 +02:00
ok = torture_check_krb5_as_req ( test_context ,
context ,
message ) ;
if ( ! ok ) {
return KRB5KDC_ERR_BADOPTION ;
}
break ;
}
return 0 ;
}
/*
* We need these function to validate packets because our torture macros
* do a ' return false ' on error .
*/
static bool torture_check_krb5_error ( struct torture_krb5_context * test_context ,
krb5_context context ,
const krb5_data * reply ,
2016-07-04 16:37:08 +02:00
krb5_error_code error_code ,
bool check_pa_data )
2016-05-13 09:36:34 +02:00
2016-05-13 09:42:44 +02:00
{
2016-05-13 09:36:34 +02:00
krb5_error * krb_error ;
krb5_error_code code ;
code = decode_krb5_error ( reply , & krb_error ) ;
torture_assert_int_equal ( test_context - > tctx ,
code ,
0 ,
" decode_krb5_error failed " ) ;
torture_assert_int_equal ( test_context - > tctx ,
krb_error - > error ,
error_code - KRB5KDC_ERR_NONE ,
" Got wrong error code " ) ;
2016-07-04 16:37:08 +02:00
if ( check_pa_data ) {
krb5_pa_data * * d , * * pa_data = NULL ;
bool timestamp_found = false ;
torture_assert_int_not_equal ( test_context - > tctx ,
krb_error - > e_data . length , 0 ,
" No e-data returned " ) ;
code = decode_krb5_padata_sequence ( & krb_error - > e_data ,
& pa_data ) ;
torture_assert_int_equal ( test_context - > tctx ,
code ,
0 ,
" decode_krb5_padata_sequence failed " ) ;
for ( d = pa_data ; d ! = NULL ; d + + ) {
if ( ( * d ) - > pa_type = = KRB5_PADATA_ENC_TIMESTAMP ) {
timestamp_found = true ;
break ;
}
}
torture_assert ( test_context - > tctx ,
timestamp_found ,
" Encrypted timestamp not found " ) ;
krb5_free_pa_data ( context , pa_data ) ;
}
2016-05-13 09:36:34 +02:00
krb5_free_error ( context , krb_error ) ;
2016-05-13 09:42:44 +02:00
return true ;
}
2016-05-13 09:36:34 +02:00
static bool torture_check_krb5_as_rep ( struct torture_krb5_context * test_context ,
krb5_context context ,
const krb5_data * reply )
{
krb5_error_code code ;
bool ok ;
code = decode_krb5_as_rep ( reply , & test_context - > as_rep ) ;
torture_assert_int_equal ( test_context - > tctx ,
code ,
0 ,
" decode_krb5_as_rep failed " ) ;
torture_assert ( test_context - > tctx ,
test_context - > as_rep - > ticket - > enc_part . kvno ,
" No KVNO set " ) ;
ok = torture_setting_bool ( test_context - > tctx ,
" expect_cached_at_rodc " ,
false ) ;
if ( ok ) {
torture_assert_int_not_equal ( test_context - > tctx ,
test_context - > as_rep - > ticket - > enc_part . kvno & 0xFFFF0000 ,
0 ,
" Did not get a RODC number in the KVNO " ) ;
} else {
torture_assert_int_equal ( test_context - > tctx ,
test_context - > as_rep - > ticket - > enc_part . kvno & 0xFFFF0000 ,
0 ,
" Unexpecedly got a RODC number in the KVNO " ) ;
}
return true ;
}
2016-07-01 12:33:45 +02:00
static bool torture_check_krb5_as_rep_enctype ( struct torture_krb5_context * test_context ,
krb5_context context ,
const krb5_data * reply ,
krb5_enctype expected_enctype )
{
krb5_enctype reply_enctype ;
bool ok ;
ok = torture_check_krb5_as_rep ( test_context ,
context ,
reply ) ;
if ( ! ok ) {
return false ;
}
reply_enctype = test_context - > as_rep - > enc_part . enctype ;
torture_assert_int_equal ( test_context - > tctx ,
reply_enctype , expected_enctype ,
" Ticket encrypted with invalid algorithm " ) ;
return true ;
}
2016-05-13 09:36:34 +02:00
static krb5_error_code torture_krb5_post_recv_test ( krb5_context context ,
void * data ,
krb5_error_code kdc_code ,
const krb5_data * realm ,
const krb5_data * message ,
const krb5_data * reply ,
krb5_data * * new_reply_out )
{
struct torture_krb5_context * test_context =
( struct torture_krb5_context * ) data ;
krb5_error_code code ;
bool ok = true ;
torture_comment ( test_context - > tctx ,
" PACKET COUNT = %d \n " ,
test_context - > recv_packet_count ) ;
torture_comment ( test_context - > tctx ,
" KRB5_AS_REP = %d \n " ,
krb5_is_as_req ( reply ) ) ;
torture_comment ( test_context - > tctx ,
" KRB5_ERROR = %d \n " ,
krb5_is_krb_error ( reply ) ) ;
torture_comment ( test_context - > tctx ,
" KDC ERROR CODE = %d \n " ,
kdc_code ) ;
switch ( test_context - > test )
{
case TORTURE_KRB5_TEST_PLAIN :
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
2016-07-04 16:37:08 +02:00
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
2016-05-13 09:36:34 +02:00
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
} else {
ok = torture_check_krb5_as_rep ( test_context ,
context ,
reply ) ;
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_as_rep failed " ) ;
}
torture_assert_goto ( test_context - > tctx ,
test_context - > recv_packet_count < 2 ,
ok ,
out ,
" Too many packets " ) ;
break ;
case TORTURE_KRB5_TEST_PAC_REQUEST :
2016-07-04 11:35:19 +02:00
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
2016-07-04 16:37:08 +02:00
KRB5KRB_ERR_RESPONSE_TOO_BIG ,
false ) ;
2016-07-04 11:35:19 +02:00
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
} else if ( test_context - > recv_packet_count = = 1 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
2016-07-04 16:37:08 +02:00
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
2016-07-04 11:35:19 +02:00
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
} else if ( krb5_is_krb_error ( reply ) ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
2016-07-04 16:37:08 +02:00
KRB5KRB_ERR_RESPONSE_TOO_BIG ,
false ) ;
2016-07-04 11:35:19 +02:00
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
} else {
ok = torture_check_krb5_as_rep ( test_context ,
context ,
reply ) ;
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_as_rep failed " ) ;
}
torture_assert_goto ( test_context - > tctx ,
test_context - > recv_packet_count < 3 ,
ok ,
out ,
" Too many packets " ) ;
break ;
2016-05-13 09:36:34 +02:00
case TORTURE_KRB5_TEST_BREAK_PW :
2016-07-04 16:37:08 +02:00
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
if ( ! ok ) {
goto out ;
}
} else if ( test_context - > recv_packet_count = = 1 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KDC_ERR_PREAUTH_FAILED ,
true ) ;
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
}
torture_assert_goto ( test_context - > tctx ,
test_context - > recv_packet_count < 2 ,
ok ,
out ,
" Too many packets " ) ;
break ;
2016-05-13 09:36:34 +02:00
case TORTURE_KRB5_TEST_CLOCK_SKEW :
2016-07-05 16:16:17 +02:00
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
if ( ! ok ) {
goto out ;
}
} else if ( test_context - > recv_packet_count = = 1 ) {
/*
* This only works if kdc_timesync 0 is set in krb5 . conf
*
* See commit 5f 39 a4438eafd693a3eb8366bbc3901efe62e538
* in the MIT Kerberos source tree .
*/
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KRB_AP_ERR_SKEW ,
false ) ;
torture_assert_goto ( test_context - > tctx ,
ok ,
ok ,
out ,
" torture_check_krb5_error failed " ) ;
}
torture_assert_goto ( test_context - > tctx ,
test_context - > recv_packet_count < 2 ,
ok ,
out ,
" Too many packets " ) ;
2016-05-13 09:36:34 +02:00
break ;
2016-07-01 12:33:45 +02:00
case TORTURE_KRB5_TEST_AES :
torture_comment ( test_context - > tctx , " TORTURE_KRB5_TEST_AES \n " ) ;
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
if ( ! ok ) {
goto out ;
}
} else {
ok = torture_check_krb5_as_rep_enctype ( test_context ,
context ,
reply ,
ENCTYPE_AES256_CTS_HMAC_SHA1_96 ) ;
if ( ! ok ) {
goto out ;
}
}
break ;
case TORTURE_KRB5_TEST_RC4 :
torture_comment ( test_context - > tctx , " TORTURE_KRB5_TEST_RC4 \n " ) ;
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
if ( ! ok ) {
goto out ;
}
} else {
ok = torture_check_krb5_as_rep_enctype ( test_context ,
context ,
reply ,
ENCTYPE_ARCFOUR_HMAC ) ;
if ( ! ok ) {
goto out ;
}
}
break ;
case TORTURE_KRB5_TEST_AES_RC4 :
torture_comment ( test_context - > tctx , " TORTURE_KRB5_TEST_AES_RC4 \n " ) ;
if ( test_context - > recv_packet_count = = 0 ) {
ok = torture_check_krb5_error ( test_context ,
context ,
reply ,
KRB5KDC_ERR_PREAUTH_REQUIRED ,
false ) ;
if ( ! ok ) {
goto out ;
}
} else {
ok = torture_check_krb5_as_rep_enctype ( test_context ,
context ,
reply ,
ENCTYPE_AES256_CTS_HMAC_SHA1_96 ) ;
if ( ! ok ) {
goto out ;
}
}
break ;
2016-05-13 09:36:34 +02:00
}
code = kdc_code ;
out :
if ( ! ok ) {
code = EINVAL ;
}
/* Cleanup */
krb5_free_kdc_req ( test_context - > krb5_context , test_context - > as_req ) ;
krb5_free_kdc_rep ( test_context - > krb5_context , test_context - > as_rep ) ;
test_context - > recv_packet_count + + ;
return code ;
}
static bool torture_krb5_init_context ( struct torture_context * tctx ,
enum torture_krb5_test test ,
struct smb_krb5_context * * smb_krb5_context )
{
krb5_error_code code ;
struct torture_krb5_context * test_context = talloc_zero ( tctx ,
struct torture_krb5_context ) ;
torture_assert ( tctx , test_context ! = NULL , " Failed to allocate " ) ;
test_context - > test = test ;
test_context - > tctx = tctx ;
code = smb_krb5_init_context ( tctx , tctx - > lp_ctx , smb_krb5_context ) ;
torture_assert_int_equal ( tctx , code , 0 , " smb_krb5_init_context failed " ) ;
test_context - > krb5_context = ( * smb_krb5_context ) - > krb5_context ;
krb5_set_kdc_send_hook ( ( * smb_krb5_context ) - > krb5_context ,
torture_krb5_pre_send_test ,
test_context ) ;
krb5_set_kdc_recv_hook ( ( * smb_krb5_context ) - > krb5_context ,
torture_krb5_post_recv_test ,
test_context ) ;
return true ;
}
static bool torture_krb5_as_req_creds ( struct torture_context * tctx ,
struct cli_credentials * credentials ,
enum torture_krb5_test test )
{
krb5_get_init_creds_opt * krb_options = NULL ;
struct smb_krb5_context * smb_krb5_context ;
enum credentials_obtained obtained ;
const char * error_string ;
const char * password ;
krb5_principal principal ;
krb5_error_code code ;
krb5_creds my_creds ;
bool ok ;
ok = torture_krb5_init_context ( tctx , test , & smb_krb5_context ) ;
torture_assert ( tctx , ok , " torture_krb5_init_context failed " ) ;
code = principal_from_credentials ( tctx ,
credentials ,
smb_krb5_context ,
& principal ,
& obtained ,
& error_string ) ;
torture_assert_int_equal ( tctx , code , 0 , error_string ) ;
2016-07-04 16:37:08 +02:00
password = cli_credentials_get_password ( credentials ) ;
2016-05-13 09:36:34 +02:00
switch ( test )
{
case TORTURE_KRB5_TEST_PLAIN :
2016-07-04 11:35:19 +02:00
break ;
2016-05-13 09:36:34 +02:00
case TORTURE_KRB5_TEST_PAC_REQUEST :
2016-07-04 11:35:19 +02:00
# ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
code = krb5_get_init_creds_opt_alloc ( smb_krb5_context - > krb5_context ,
& krb_options ) ;
torture_assert_int_equal ( tctx ,
code , 0 ,
" krb5_get_init_creds_opt_alloc failed " ) ;
code = krb5_get_init_creds_opt_set_pac_request ( smb_krb5_context - > krb5_context ,
krb_options ,
1 ) ;
torture_assert_int_equal ( tctx ,
code , 0 ,
" krb5_get_init_creds_opt_set_pac_request failed " ) ;
# endif
break ;
2016-05-13 09:36:34 +02:00
case TORTURE_KRB5_TEST_BREAK_PW :
2016-07-04 16:37:08 +02:00
password = " NOT the password " ;
break ;
2016-05-13 09:36:34 +02:00
case TORTURE_KRB5_TEST_CLOCK_SKEW :
2016-07-05 16:16:17 +02:00
code = krb5_set_real_time ( smb_krb5_context - > krb5_context ,
time ( NULL ) + 3600 ,
0 ) ;
torture_assert_int_equal ( tctx ,
code , 0 ,
" krb5_set_real_time failed " ) ;
2016-05-13 09:36:34 +02:00
break ;
2016-07-01 12:33:45 +02:00
case TORTURE_KRB5_TEST_AES : {
krb5_enctype etype [ ] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96 } ;
code = krb5_get_init_creds_opt_alloc ( smb_krb5_context - > krb5_context ,
& krb_options ) ;
torture_assert_int_equal ( tctx ,
code , 0 ,
" krb5_get_init_creds_opt_alloc failed " ) ;
krb5_get_init_creds_opt_set_etype_list ( krb_options ,
etype ,
1 ) ;
break ;
}
case TORTURE_KRB5_TEST_RC4 : {
krb5_enctype etype [ ] = { ENCTYPE_ARCFOUR_HMAC } ;
code = krb5_get_init_creds_opt_alloc ( smb_krb5_context - > krb5_context ,
& krb_options ) ;
torture_assert_int_equal ( tctx ,
code , 0 ,
" krb5_get_init_creds_opt_alloc failed " ) ;
krb5_get_init_creds_opt_set_etype_list ( krb_options ,
etype ,
1 ) ;
break ;
}
case TORTURE_KRB5_TEST_AES_RC4 : {
krb5_enctype etype [ ] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96 , ENCTYPE_ARCFOUR_HMAC } ;
code = krb5_get_init_creds_opt_alloc ( smb_krb5_context - > krb5_context ,
& krb_options ) ;
torture_assert_int_equal ( tctx ,
code , 0 ,
" krb5_get_init_creds_opt_alloc failed " ) ;
krb5_get_init_creds_opt_set_etype_list ( krb_options ,
etype ,
2 ) ;
break ;
}
2016-05-13 09:36:34 +02:00
}
code = krb5_get_init_creds_password ( smb_krb5_context - > krb5_context ,
& my_creds ,
principal ,
password ,
NULL ,
NULL ,
0 ,
NULL ,
krb_options ) ;
krb5_get_init_creds_opt_free ( smb_krb5_context - > krb5_context ,
krb_options ) ;
switch ( test )
{
case TORTURE_KRB5_TEST_PLAIN :
case TORTURE_KRB5_TEST_PAC_REQUEST :
2016-07-01 12:33:45 +02:00
case TORTURE_KRB5_TEST_AES :
case TORTURE_KRB5_TEST_RC4 :
case TORTURE_KRB5_TEST_AES_RC4 :
2016-05-13 09:36:34 +02:00
torture_assert_int_equal ( tctx ,
code ,
0 ,
" krb5_get_init_creds_password failed " ) ;
break ;
case TORTURE_KRB5_TEST_BREAK_PW :
2016-07-04 16:37:08 +02:00
torture_assert_int_equal ( tctx ,
code ,
KRB5KDC_ERR_PREAUTH_FAILED ,
" krb5_get_init_creds_password should "
" have failed " ) ;
return true ;
2016-05-13 09:36:34 +02:00
case TORTURE_KRB5_TEST_CLOCK_SKEW :
2016-07-05 16:16:17 +02:00
torture_assert_int_equal ( tctx ,
code ,
KRB5KRB_AP_ERR_SKEW ,
" krb5_get_init_creds_password should "
" have failed " ) ;
return true ;
2016-05-13 09:36:34 +02:00
}
krb5_free_cred_contents ( smb_krb5_context - > krb5_context ,
& my_creds ) ;
return true ;
}
static bool torture_krb5_as_req_cmdline ( struct torture_context * tctx )
{
return torture_krb5_as_req_creds ( tctx ,
2017-05-09 16:10:03 -07:00
popt_get_cmdline_credentials ( ) ,
2016-05-13 09:36:34 +02:00
TORTURE_KRB5_TEST_PLAIN ) ;
}
2016-07-04 11:35:19 +02:00
# ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
static bool torture_krb5_as_req_pac_request ( struct torture_context * tctx )
{
bool ok ;
ok = torture_setting_bool ( tctx , " expect_rodc " , false ) ;
if ( ok ) {
torture_skip ( tctx ,
" This test needs further investigation in the "
" RODC case against a Windows DC, in particular "
" with non-cached users " ) ;
}
2017-05-09 16:10:03 -07:00
return torture_krb5_as_req_creds ( tctx , popt_get_cmdline_credentials ( ) ,
TORTURE_KRB5_TEST_PAC_REQUEST ) ;
2016-07-04 11:35:19 +02:00
}
# endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST */
2016-07-04 16:37:08 +02:00
static bool torture_krb5_as_req_break_pw ( struct torture_context * tctx )
{
return torture_krb5_as_req_creds ( tctx ,
2017-05-09 16:10:03 -07:00
popt_get_cmdline_credentials ( ) ,
2016-07-04 16:37:08 +02:00
TORTURE_KRB5_TEST_BREAK_PW ) ;
}
2016-07-05 16:16:17 +02:00
static bool torture_krb5_as_req_clock_skew ( struct torture_context * tctx )
{
return torture_krb5_as_req_creds ( tctx ,
2017-05-09 16:10:03 -07:00
popt_get_cmdline_credentials ( ) ,
2016-07-05 16:16:17 +02:00
TORTURE_KRB5_TEST_CLOCK_SKEW ) ;
}
2016-07-01 12:33:45 +02:00
static bool torture_krb5_as_req_aes ( struct torture_context * tctx )
{
return torture_krb5_as_req_creds ( tctx ,
2017-05-09 16:10:03 -07:00
popt_get_cmdline_credentials ( ) ,
2016-07-01 12:33:45 +02:00
TORTURE_KRB5_TEST_AES ) ;
}
static bool torture_krb5_as_req_rc4 ( struct torture_context * tctx )
{
return torture_krb5_as_req_creds ( tctx ,
2017-05-09 16:10:03 -07:00
popt_get_cmdline_credentials ( ) ,
2016-07-01 12:33:45 +02:00
TORTURE_KRB5_TEST_RC4 ) ;
}
static bool torture_krb5_as_req_aes_rc4 ( struct torture_context * tctx )
{
return torture_krb5_as_req_creds ( tctx ,
2017-05-09 16:10:03 -07:00
popt_get_cmdline_credentials ( ) ,
2016-07-01 12:33:45 +02:00
TORTURE_KRB5_TEST_AES_RC4 ) ;
}
2017-04-20 12:24:43 -07:00
NTSTATUS torture_krb5_init ( TALLOC_CTX * ctx )
2016-05-13 09:42:44 +02:00
{
struct torture_suite * suite =
2017-04-24 14:41:26 -07:00
torture_suite_create ( ctx , " krb5 " ) ;
2016-05-13 09:42:44 +02:00
struct torture_suite * kdc_suite = torture_suite_create ( suite , " kdc " ) ;
suite - > description = talloc_strdup ( suite , " Kerberos tests " ) ;
kdc_suite - > description = talloc_strdup ( kdc_suite , " Kerberos KDC tests " ) ;
2016-05-13 09:36:34 +02:00
torture_suite_add_simple_test ( kdc_suite ,
" as-req-cmdline " ,
torture_krb5_as_req_cmdline ) ;
2016-07-04 11:35:19 +02:00
# ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
/* Only available with MIT Kerveros 1.15 and newer */
2016-05-13 09:36:34 +02:00
torture_suite_add_simple_test ( kdc_suite , " as-req-pac-request " ,
torture_krb5_as_req_pac_request ) ;
2016-07-04 11:35:19 +02:00
# endif
2016-05-13 09:36:34 +02:00
torture_suite_add_simple_test ( kdc_suite , " as-req-break-pw " ,
torture_krb5_as_req_break_pw ) ;
2016-07-05 16:16:17 +02:00
/* This only works if kdc_timesync 0 is set in krb5.conf */
2016-05-13 09:36:34 +02:00
torture_suite_add_simple_test ( kdc_suite , " as-req-clock-skew " ,
torture_krb5_as_req_clock_skew ) ;
2016-05-13 09:42:44 +02:00
2016-07-05 16:16:17 +02:00
#if 0
2016-05-13 09:36:34 +02:00
torture_suite_add_suite ( kdc_suite , torture_krb5_canon ( kdc_suite ) ) ;
# endif
2016-07-01 12:33:45 +02:00
torture_suite_add_simple_test ( kdc_suite ,
" as-req-aes " ,
torture_krb5_as_req_aes ) ;
torture_suite_add_simple_test ( kdc_suite ,
" as-req-rc4 " ,
torture_krb5_as_req_rc4 ) ;
torture_suite_add_simple_test ( kdc_suite ,
" as-req-aes-rc4 " ,
torture_krb5_as_req_aes_rc4 ) ;
2016-05-13 09:42:44 +02:00
torture_suite_add_suite ( suite , kdc_suite ) ;
2017-04-24 14:41:26 -07:00
torture_register_suite ( ctx , suite ) ;
2016-05-13 09:42:44 +02:00
return NT_STATUS_OK ;
}