/crypto/heimdal/tests/kdc/check-digest.in
https://bitbucket.org/freebsd/freebsd-head/ · Autoconf · 295 lines · 192 code · 63 blank · 40 comment · 36 complexity · c6d78c7cf5818133d57500dee1cef39f MD5 · raw file
- #!/bin/sh
- #
- # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- # (Royal Institute of Technology, Stockholm, Sweden).
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without
- # modification, are permitted provided that the following conditions
- # are met:
- #
- # 1. Redistributions of source code must retain the above copyright
- # notice, this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright
- # notice, this list of conditions and the following disclaimer in the
- # documentation and/or other materials provided with the distribution.
- #
- # 3. Neither the name of the Institute nor the names of its contributors
- # may be used to endorse or promote products derived from this software
- # without specific prior written permission.
- #
- # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- # SUCH DAMAGE.
- #
- # $Id: check-digest.in 21849 2007-08-08 06:56:41Z lha $
- #
- srcdir="@srcdir@"
- objdir="@objdir@"
- # If there is no useful db support compile in, disable test
- ../db/have-db || exit 77
- R=TEST.H5L.SE
- port=@port@
- kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
- kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
- server=host/datan.test.h5l.se
- cache="FILE:${objdir}/cache.krb5"
- ocache="FILE:${objdir}/ocache.krb5"
- keytabfile=${objdir}/server.keytab
- keytab="FILE:${keytabfile}"
- kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
- klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
- kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest --ccache=$cache"
- test_ntlm="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_ntlm"
- context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
- username=foo
- userpassword=digestpassword
- password=foobarbaz
- KRB5_CONFIG="${objdir}/krb5.conf"
- export KRB5_CONFIG
- rm -f ${keytabfile}
- rm -f current-db*
- rm -f out-*
- rm -f mkey.file*
- > messages.log
- echo Creating database
- ${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
- ${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
- ${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
- ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
- ${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
- ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
- echo "Doing database check"
- ${kadmin} check ${R} || exit 1
- echo $password > ${objdir}/foopassword
- echo Starting kdc
- ${kdc} &
- kdcpid=$!
- sh ${srcdir}/wait-kdc.sh
- if [ "$?" != 0 ] ; then
- kill ${kdcpid}
- exit 1
- fi
- trap "kill ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
- exitcode=0
- echo "Getting digest server tickets"
- ${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
- ${kdigest} digest-server-init \
- --kerberos-realm=${R} \
- --type=CHAP > /dev/null || exitcode=1
- echo "Trying NTLM"
- NTLM_ACCEPTOR_CCACHE="$cache"
- export NTLM_ACCEPTOR_CCACHE
- echo "Trying server-init"
- echo ${kdigest} ntlm-server-init \
- --kerberos-realm=${R} \
- > sdigest-init || exitcode=1
- echo "test_ntlm"
- ${test_ntlm} || { echo "test_ntlm failed"; exit 1; }
- NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
- export NTLM_USER_FILE
- echo "test_context --mech-type=ntlm"
- ${context} --mech-type=ntlm \
- --name-type=hostbased-service datan@TEST || \
- { echo "test_context 1 failed"; exit 1; }
- ${context} --mech-type=ntlm \
- --name-type=hostbased-service datan@host.TEST || \
- { echo "test_context 2 failed"; exit 1; }
- ${context} --mech-type=ntlm \
- --name-type=hostbased-service datan@host.test.domain2 || \
- { echo "test_context 3 failed"; exit 1; }
- ${context} --mech-type=ntlm \
- --name-type=hostbased-service datan@host.foo 2>/dev/null && \
- { echo "test_context 4 failed"; exit 1; }
- echo "Trying SL in NTLM"
- for type in \
- "" \
- "--getverifymic" \
- "--wrapunwrap" \
- "--getverifymic --wrapunwrap" \
- ; do
- echo "Trying NTLM type: ${type}"
- ${context} --mech-type=ntlm ${type} \
- --name-type=hostbased-service datan@TEST || \
- { echo "test_context 1 failed"; exit 1; }
- done
- echo "Trying CHAP"
- ${kdigest} digest-server-init \
- --kerberos-realm=${R} \
- --type=CHAP \
- > sdigest-reply || exitcode=1
- snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
- identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
- opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
- ${kdigest} digest-client-request \
- --type=CHAP \
- --username="$username" \
- --password="$userpassword" \
- --opaque="$opaque" \
- --server-identifier="$identifier" \
- --server-nonce="$snonce" \
- > cdigest-reply || exitcode=1
- cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
- #echo user: $username
- #echo server-nonce: $snonce
- #echo opaqeue: $opaque
- #echo identifier: $identifier
- ${kdigest} digest-server-request \
- --kerberos-realm=${R} \
- --type=CHAP \
- --username="$username" \
- --opaque="$opaque" \
- --client-response="$cresponseData" \
- --server-identifier="$identifier" \
- --server-nonce="$snonce" \
- > s2digest-reply || exitcode=1
- status=`grep status= s2digest-reply | cut -f2- -d=`
- if test "X$status" = "Xok" ; then
- echo "CHAP response ok"
- else
- echo "CHAP response failed"
- exitcode=1
- fi
- cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`
- ${kdigest} digest-server-request \
- --kerberos-realm=${R} \
- --type=CHAP \
- --username="$username" \
- --opaque="$opaque" \
- --client-response="$cresponseData" \
- --server-identifier="$identifier" \
- --server-nonce="$snonce" \
- > s2digest-reply || exitcode=1
- status=`grep status= s2digest-reply | cut -f2- -d=`
- if test "X$status" = "Xfailed" ; then
- echo "CHAP response fail as it should"
- else
- echo "CHAP response succeeded errorously"
- exitcode=1
- fi
- echo "Trying MS-CHAP-V2"
- ${kdigest} digest-server-init \
- --kerberos-realm=${R} \
- --type=MS-CHAP-V2 \
- > sdigest-reply || exitcode=1
- snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
- opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
- cnonce="21402324255E262A28295F2B3A337C7E"
- echo "MS-CHAP-V2 client request"
- ${kdigest} digest-client-request \
- --type=MS-CHAP-V2 \
- --username="$username" \
- --password="$userpassword" \
- --opaque="$opaque" \
- --client-nonce="$cnonce" \
- --server-nonce="$snonce" \
- > cdigest-reply || exitcode=1
- cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
- cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
- ckey=`grep session-key= cdigest-reply | cut -f2- -d=`
- ${kdigest} digest-server-request \
- --kerberos-realm=${R} \
- --type=MS-CHAP-V2 \
- --username="$username" \
- --opaque="$opaque" \
- --client-response="$cresponseData" \
- --client-nonce="$cnonce" \
- --server-nonce="$snonce" \
- > s2digest-reply || exitcode=1
- status=`grep status= s2digest-reply | cut -f2- -d=`
- sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
- skey=`grep session-key= s2digest-reply | cut -f2- -d=`
- if test "X$sRsp" != "X$cRsp" ; then
- echo "rsp wrong $sRsp != $cRsp"
- exitcode=1
- fi
- if test "X$skey" != "X$ckey" ; then
- echo "rsp wrong"
- exitcode=1
- fi
- if test "X$status" = "Xok" ; then
- echo "MS-CHAP-V2 response ok"
- else
- echo "MS-CHAP-V2 response failed"
- exitcode=1
- fi
- trap "" EXIT
- echo "killing kdc (${kdcpid})"
- kill $kdcpid || exit 1
- exit $exitcode