/crypto/heimdal/tests/kdc/check-digest.in


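#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id: check-digest.in 21849 2007-08-08 06:56:41Z lha $
#
# KDC regression test for the digest (CHAP, MS-CHAP-V2) and NTLM code paths.
#
# The script creates a throw-away realm, starts a kdc bound to localhost
# on the configure-chosen port, runs kdigest / test_ntlm / test_context
# against it and reports the outcome through the exit status:
#   0  - all checks passed
#   1  - a check failed (or setup failed)
#   77 - skipped, no usable database backend was compiled in
#
# Substituted by configure: @srcdir@, @objdir@, @port@.
# Environment: TESTS_ENVIRONMENT is prefixed to every test binary invoked.
# All credentials below are fixed test fixtures for the temporary realm.

srcdir="@srcdir@"
objdir="@objdir@"

# If there is no useful db support compile in, disable test
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"

server=host/datan.test.h5l.se
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"

kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest --ccache=$cache"
test_ntlm="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_ntlm"
context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

username=foo
userpassword=digestpassword

password=foobarbaz

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

#######################################
# Extract the value of a "key=value" line from a kdigest reply file.
# Arguments: $1 - key name; matched as a grep pattern followed by '=',
#                 unanchored (same matching as the original grep calls)
#            $2 - reply file to read
# Outputs:   the text after the first '=' of every matching line, to stdout
# Returns:   the pipeline's status (cut), which callers ignore
#######################################
reply_field() {
    grep "$1=" "$2" | cut -f2- -d=
}

#######################################
# Run a test_context NTLM exchange that is expected to succeed.
# Arguments: $1 - a label used in the failure message
#            $2 - the hostbased-service target name
#            remaining arguments are passed through to test_context
#            (deliberately unquoted $3.. are not used; extra flags are
#            given via the $extra_flags variable, word-split on purpose)
# Returns:   does not return on failure; exits the script with status 1
#######################################
ntlm_context_ok() {
    _label=$1
    _target=$2
    # $extra_flags must word-split: it holds zero or more separate options.
    # shellcheck disable=SC2086
    ${context} --mech-type=ntlm ${extra_flags} \
        --name-type=hostbased-service "${_target}" || \
        { echo "test_context ${_label} failed"; exit 1; }
}

rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    "${R}" || exit 1

${kadmin} add -p "$userpassword" --use-defaults "${username}@${R}" || exit 1
${kadmin} add -p "$password" --use-defaults "${server}@${R}" || exit 1
# digest/REALM is the principal the digest service itself authenticates as.
${kadmin} add -p kaka --use-defaults "digest/${R}@${R}" || exit 1
# Only principals carrying +allow-digest may act as digest servers.
${kadmin} modify --attributes=+allow-digest "${server}@${R}" || exit 1
${kadmin} ext -k "${keytab}" "${server}@${R}" || exit 1

echo "Doing database check"
${kadmin} check "${R}" || exit 1

# kinit reads the server principal's password from this file.  It is
# created with the caller's umask; it holds only the fixture password.
echo "$password" > "${objdir}/foopassword"

echo Starting kdc
${kdc} &
kdcpid=$!

# wait-kdc.sh blocks until the kdc answers; abort (and reap it) otherwise.
sh "${srcdir}/wait-kdc.sh" || {
    kill "${kdcpid}"
    exit 1
}

# From here on every exit path must take the kdc down with it.  The pid is
# expanded now (double quotes) so the trap does not depend on later state.
trap "kill ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT

exitcode=0

echo "Getting digest server tickets"
${kinit} --password-file="${objdir}/foopassword" "${server}@$R" || exitcode=1

${kdigest} digest-server-init \
    --kerberos-realm="${R}" \
    --type=CHAP > /dev/null || exitcode=1

echo "Trying NTLM"

NTLM_ACCEPTOR_CCACHE="$cache"
export NTLM_ACCEPTOR_CCACHE

echo "Trying server-init"
# NOTE(review): this only writes the command line into sdigest-init; the
# leading "echo" means ntlm-server-init is never executed here.  Left
# unchanged, as it has been this way upstream -- confirm whether the step is
# intentionally disabled before "fixing" it.
echo ${kdigest} ntlm-server-init \
    --kerberos-realm="${R}" \
    > sdigest-init || exitcode=1

echo "test_ntlm"
${test_ntlm} || { echo "test_ntlm failed"; exit 1; }

NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
export NTLM_USER_FILE

echo "test_context --mech-type=ntlm"
extra_flags=
ntlm_context_ok 1 datan@TEST
ntlm_context_ok 2 datan@host.TEST
ntlm_context_ok 3 datan@host.test.domain2

# Negative test: datan@host.foo must be rejected.  A successful exchange
# here is the failure; the acceptor's stderr noise is dropped.
${context} --mech-type=ntlm \
    --name-type=hostbased-service datan@host.foo 2>/dev/null && \
    { echo "test_context 4 failed"; exit 1; }

echo "Trying SL in NTLM"

# Each entry is a set of test_context flags exercising the per-message
# (MIC / wrap) services; the empty entry is the plain exchange.
for type in \
    "" \
    "--getverifymic" \
    "--wrapunwrap" \
    "--getverifymic --wrapunwrap" \
    ; do

    echo "Trying NTLM type: ${type}"
    extra_flags=$type
    ntlm_context_ok "SL '${type}'" datan@TEST
done

echo "Trying CHAP"

${kdigest} digest-server-init \
    --kerberos-realm="${R}" \
    --type=CHAP \
    > sdigest-reply || exitcode=1

snonce=$(reply_field server-nonce sdigest-reply)
identifier=$(reply_field identifier sdigest-reply)
opaque=$(reply_field opaque sdigest-reply)

${kdigest} digest-client-request \
    --type=CHAP \
    --username="$username" \
    --password="$userpassword" \
    --opaque="$opaque" \
    --server-identifier="$identifier" \
    --server-nonce="$snonce" \
    > cdigest-reply || exitcode=1

cresponseData=$(reply_field responseData cdigest-reply)

#echo user: $username
#echo server-nonce: $snonce
#echo opaque: $opaque
#echo identifier: $identifier

${kdigest} digest-server-request \
    --kerberos-realm="${R}" \
    --type=CHAP \
    --username="$username" \
    --opaque="$opaque" \
    --client-response="$cresponseData" \
    --server-identifier="$identifier" \
    --server-nonce="$snonce" \
    > s2digest-reply || exitcode=1

status=$(reply_field status s2digest-reply)

if test "X$status" = "Xok" ; then
    echo "CHAP response ok"
else
    echo "CHAP response failed"
    exitcode=1
fi

# Negative test: corrupt the first four hex digits of the client response
# and verify the server-side check now reports "failed".
cresponseData=$(echo "$cresponseData" | sed 's/..../DEADBEEF/')

${kdigest} digest-server-request \
    --kerberos-realm="${R}" \
    --type=CHAP \
    --username="$username" \
    --opaque="$opaque" \
    --client-response="$cresponseData" \
    --server-identifier="$identifier" \
    --server-nonce="$snonce" \
    > s2digest-reply || exitcode=1

status=$(reply_field status s2digest-reply)

if test "X$status" = "Xfailed" ; then
    echo "CHAP response fail as it should"
else
    echo "CHAP response succeeded errorously"
    exitcode=1
fi

echo "Trying MS-CHAP-V2"

${kdigest} digest-server-init \
    --kerberos-realm="${R}" \
    --type=MS-CHAP-V2 \
    > sdigest-reply || exitcode=1

snonce=$(reply_field server-nonce sdigest-reply)
opaque=$(reply_field opaque sdigest-reply)

# Fixed client nonce (hex) so the exchange is reproducible between runs.
cnonce="21402324255E262A28295F2B3A337C7E"

echo "MS-CHAP-V2 client request"
${kdigest} digest-client-request \
    --type=MS-CHAP-V2 \
    --username="$username" \
    --password="$userpassword" \
    --opaque="$opaque" \
    --client-nonce="$cnonce" \
    --server-nonce="$snonce" \
    > cdigest-reply || exitcode=1

cresponseData=$(reply_field responseData cdigest-reply)
cRsp=$(reply_field AuthenticatorResponse cdigest-reply)
ckey=$(reply_field session-key cdigest-reply)

${kdigest} digest-server-request \
    --kerberos-realm="${R}" \
    --type=MS-CHAP-V2 \
    --username="$username" \
    --opaque="$opaque" \
    --client-response="$cresponseData" \
    --client-nonce="$cnonce" \
    --server-nonce="$snonce" \
    > s2digest-reply || exitcode=1

status=$(reply_field status s2digest-reply)
sRsp=$(reply_field rsp s2digest-reply)
skey=$(reply_field session-key s2digest-reply)

# Both sides must derive the same authenticator response and session key.
if test "X$sRsp" != "X$cRsp" ; then
    echo "rsp wrong $sRsp != $cRsp"
    exitcode=1
fi

if test "X$skey" != "X$ckey" ; then
    echo "session-key wrong"
    exitcode=1
fi

if test "X$status" = "Xok" ; then
    echo "MS-CHAP-V2 response ok"
else
    echo "MS-CHAP-V2 response failed"
    exitcode=1
fi

# Normal shutdown: disarm the failure trap, then stop the kdc ourselves.
trap "" EXIT

echo "killing kdc (${kdcpid})"
kill "$kdcpid" || exit 1

exit $exitcode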