check-digest.in - This Autoconf code generates a test suite…

/crypto/heimdal/tests/kdc/check-digest.in

https://bitbucket.org/freebsd/freebsd-head/ · Autoconf · 295 lines · 192 code · 63 blank · 40 comment · 36 complexity · c6d78c7cf5818133d57500dee1cef39f MD5 · raw file


#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden). 
# All rights reserved. 
#
# Redistribution and use in source and binary forms, with or without 
# modification, are permitted provided that the following conditions 
# are met: 
#
# 1. Redistributions of source code must retain the above copyright 
#    notice, this list of conditions and the following disclaimer. 
#
# 2. Redistributions in binary form must reproduce the above copyright 
#    notice, this list of conditions and the following disclaimer in the 
#    documentation and/or other materials provided with the distribution. 
#
# 3. Neither the name of the Institute nor the names of its contributors 
#    may be used to endorse or promote products derived from this software 
#    without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
# SUCH DAMAGE. 
#
# $Id: check-digest.in 21849 2007-08-08 06:56:41Z lha $
#

srcdir="@srcdir@"
objdir="@objdir@"

# If there is no useful db support compile in, disable test
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"

server=host/datan.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"

kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest --ccache=$cache"
test_ntlm="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_ntlm"
context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

username=foo
userpassword=digestpassword

password=foobarbaz

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1

echo $password > ${objdir}/foopassword

echo Starting kdc
${kdc} &
kdcpid=$!

sh ${srcdir}/wait-kdc.sh
if [ "$?" != 0 ] ; then
    kill ${kdcpid}
    exit 1
fi

trap "kill ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT

exitcode=0

echo "Getting digest server tickets"
${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
${kdigest} digest-server-init \
    --kerberos-realm=${R} \
    --type=CHAP > /dev/null || exitcode=1

echo "Trying NTLM"

NTLM_ACCEPTOR_CCACHE="$cache"
export NTLM_ACCEPTOR_CCACHE

echo "Trying server-init"
echo ${kdigest} ntlm-server-init \
    --kerberos-realm=${R} \
    > sdigest-init || exitcode=1

echo "test_ntlm"
${test_ntlm} || { echo "test_ntlm failed"; exit 1; }

NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
export NTLM_USER_FILE

echo "test_context --mech-type=ntlm"
${context} --mech-type=ntlm \
	    --name-type=hostbased-service datan@TEST || \
		{ echo "test_context 1 failed"; exit 1; }

${context} --mech-type=ntlm \
	    --name-type=hostbased-service datan@host.TEST || \
		{ echo "test_context 2 failed"; exit 1; }

${context} --mech-type=ntlm \
	    --name-type=hostbased-service datan@host.test.domain2 || \
		{ echo "test_context 3 failed"; exit 1; }

${context} --mech-type=ntlm \
	    --name-type=hostbased-service datan@host.foo 2>/dev/null && \
		{ echo "test_context 4 failed"; exit 1; }

echo "Trying SL in NTLM"


for type in \
    "" \
    "--getverifymic" \
    "--wrapunwrap" \
    "--getverifymic --wrapunwrap" \
    ; do

	echo "Trying NTLM type: ${type}"
	${context} --mech-type=ntlm ${type} \
	    --name-type=hostbased-service datan@TEST || \
	    { echo "test_context 1 failed"; exit 1; }

done


echo "Trying CHAP"

${kdigest} digest-server-init \
    --kerberos-realm=${R} \
    --type=CHAP \
    > sdigest-reply || exitcode=1

snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
opaque=`grep opaque= sdigest-reply | cut -f2- -d=`

${kdigest} digest-client-request \
    --type=CHAP \
    --username="$username"  \
    --password="$userpassword"  \
    --opaque="$opaque"  \
    --server-identifier="$identifier"  \
    --server-nonce="$snonce" \
    > cdigest-reply || exitcode=1

cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`

#echo user: $username
#echo server-nonce: $snonce
#echo opaqeue: $opaque
#echo identifier: $identifier

${kdigest} digest-server-request \
    --kerberos-realm=${R} \
    --type=CHAP \
    --username="$username"  \
    --opaque="$opaque"  \
    --client-response="$cresponseData"  \
    --server-identifier="$identifier"  \
    --server-nonce="$snonce"  \
    > s2digest-reply || exitcode=1

status=`grep status= s2digest-reply | cut -f2- -d=`

if test "X$status" = "Xok" ; then
    echo "CHAP response ok"
else
    echo "CHAP response failed"
    exitcode=1
fi

cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`

${kdigest} digest-server-request \
    --kerberos-realm=${R} \
    --type=CHAP \
    --username="$username"  \
    --opaque="$opaque"  \
    --client-response="$cresponseData" \
    --server-identifier="$identifier"  \
    --server-nonce="$snonce"  \
    > s2digest-reply || exitcode=1

status=`grep status= s2digest-reply | cut -f2- -d=`

if test "X$status" = "Xfailed" ; then
    echo "CHAP response fail as it should"
else
    echo "CHAP response succeeded errorously"
    exitcode=1
fi

echo "Trying MS-CHAP-V2"

${kdigest} digest-server-init \
    --kerberos-realm=${R} \
    --type=MS-CHAP-V2 \
    > sdigest-reply || exitcode=1

snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
cnonce="21402324255E262A28295F2B3A337C7E"

echo "MS-CHAP-V2 client request"
${kdigest} digest-client-request \
    --type=MS-CHAP-V2 \
    --username="$username"  \
    --password="$userpassword"  \
    --opaque="$opaque"  \
    --client-nonce="$cnonce"  \
    --server-nonce="$snonce" \
    > cdigest-reply || exitcode=1

cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
ckey=`grep session-key= cdigest-reply | cut -f2- -d=`

${kdigest} digest-server-request \
    --kerberos-realm=${R} \
    --type=MS-CHAP-V2 \
    --username="$username"  \
    --opaque="$opaque"  \
    --client-response="$cresponseData"  \
    --client-nonce="$cnonce"  \
    --server-nonce="$snonce"  \
    > s2digest-reply || exitcode=1

status=`grep status= s2digest-reply | cut -f2- -d=`
sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
skey=`grep session-key= s2digest-reply | cut -f2- -d=`

if test "X$sRsp" != "X$cRsp" ; then
    echo "rsp wrong $sRsp != $cRsp"
    exitcode=1
fi

if test "X$skey" != "X$ckey" ; then
    echo "rsp wrong"
    exitcode=1
fi

if test "X$status" = "Xok" ; then
    echo "MS-CHAP-V2 response ok"
else
    echo "MS-CHAP-V2 response failed"
    exitcode=1
fi

trap "" EXIT

echo "killing kdc (${kdcpid})"
kill $kdcpid || exit 1

exit $exitcode

Summary ✨

This Autoconf code generates a test suite for Kerberos authentication protocols, including CHAP and MS-CHAP-V2. It sets up a test environment with a KDC (Key Distribution Center) server, client, and user credentials. The script runs various tests to verify the correct functioning of these protocols, including response validation and session key exchange.

Alerts (5)

Complexity hotspot; lines 84 to 88 (total complexity: 5)
84 85 86 87 88