authorAndrew Bartlett <abartlet@samba.org>2015-01-23 14:07:41 +1300
committerAndrew Bartlett <abartlet@samba.org>2015-01-23 05:42:08 +0100
commitd0751b576363a25ca67f485651b206677bf1d4b8 (patch)
treea6942e8cfdf8818782cfeebe5129dbc6274b5b62 /source4/torture/krb5
parent69fb2a7616fe3b67312904075fdb691b7fa510bb (diff)
torture-krb5: Add comments
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/torture/krb5')
-rw-r--r--source4/torture/krb5/kdc-canon.c36
-rw-r--r--source4/torture/krb5/kdc.c43
2 files changed, 79 insertions, 0 deletions
diff --git a/source4/torture/krb5/kdc-canon.c b/source4/torture/krb5/kdc-canon.c
index 53a3b6a8d02..a20f9f97a60 100644
--- a/source4/torture/krb5/kdc-canon.c
+++ b/source4/torture/krb5/kdc-canon.c
@@ -57,6 +57,20 @@ struct torture_krb5_context {
AS_REP as_rep;
};
+
+/*
+ * Confirm that the outgoing packet meets certain expectations. This
+ * should be extended to further assert the correct and expected
+ * behaviour of the krb5 libs, so we know what we are sending to the
+ * server.
+ *
+ * Additionally, this CHANGES the request to remove the canonicalize
+ * flag automatically added by the krb5 libs when an enterprise
+ * principal is used, so we can test what the server does in this
+ * combination.
+ *
+ */
+
static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf)
{
krb5_error_code k5ret;
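Review bot: The comment added above torture_krb5_pre_send_test() says the request is changed but does not say which buffer carries the changed bytes or who owns them. Going by the signature, `send_buf` is const and `modified_send_buf` is writable, so presumably the re-encoded request without the canonicalize flag is returned there; the comment should state that, e.g. `* The altered request is returned in modified_send_buf; send_buf is left untouched.`, along with who frees it. Because this test deliberately puts something on the wire that the krb5 library would not send by itself, a reader checking what actually reached the KDC needs that spelled out. The function body continues outside this hunk, so confirm the wording against it.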
@@ -93,6 +107,14 @@ static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context
return true;
}
+/*
+ * Confirm that the incoming packet from the KDC meets certain
+ * expectations. This uses a packet count to work out what test we
+ * are in, and where in the test we are, so we can assert on the
+ * expected reply packets from the KDC.
+ *
+ */
+
static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
{
KRB_ERROR error;
@@ -143,6 +165,20 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
return true;
}
+/*
+ * This function is set in torture_krb5_init_context_canon as krb5
+ * send_and_recv function. This allows us to override what server the
+ * test is aimed at, and to inspect the packets just before they are
+ * sent to the network, and before they are processed on the recv
+ * side.
+ *
+ * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
+ * functions are implement the actual tests.
+ *
+ * When this asserts, the caller will get a spurious 'cannot contact
+ * any KDC' message.
+ *
+ */
static krb5_error_code smb_krb5_send_and_recv_func_canon_override(krb5_context context,
void *data, /* struct torture_krb5_context */
krb5_krbhst_info *hi,
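Review bot: The second paragraph of the comment added above smb_krb5_send_and_recv_func_canon_override() does not parse: `functions are implement the actual tests` should read `functions implement the actual tests`. The same sentence is repeated in the comment added above smb_krb5_send_and_recv_func_override() in kdc.c. The warning about the spurious 'cannot contact any KDC' message is worth keeping; if the torture assertion is logged before that message, saying so (`* ... message; the torture assertion logged before it is the real failure.`) would save the next reader from chasing a network problem. The parameter list of the function continues outside the hunk.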
diff --git a/source4/torture/krb5/kdc.c b/source4/torture/krb5/kdc.c
index be4b2451b9d..eed5d8d8ba4 100644
--- a/source4/torture/krb5/kdc.c
+++ b/source4/torture/krb5/kdc.c
@@ -48,6 +48,14 @@ struct torture_krb5_context {
AS_REP as_rep;
};
+/*
+ * Confirm that the outgoing packet meets certain expectations. This
+ * should be extended to further assert the correct and expected
+ * behaviour of the krb5 libs, so we know what we are sending to the
+ * server.
+ *
+ */
+
static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context, const krb5_data *send_buf)
{
size_t used;
@@ -68,6 +76,14 @@ static bool torture_krb5_pre_send_test(struct torture_krb5_context *test_context
return true;
}
+/*
+ * Confirm that the incoming packet from the KDC meets certain
+ * expectations. This uses a switch and the packet count to work out
+ * what test we are in, and where in the test we are, so we can assert
+ * on the expected reply packets from the KDC.
+ *
+ */
+
static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
{
KRB_ERROR error;
@@ -120,6 +136,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
free_AS_REQ(&test_context->as_req);
break;
+
+ /*
+ * Confirm correct error codes when we ask for the PAC. This behaviour is rather odd...
+ */
case TORTURE_KRB5_TEST_PAC_REQUEST:
if (test_context->packet_count == 0) {
torture_assert_int_equal(test_context->tctx,
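Review bot: The comment added before `case TORTURE_KRB5_TEST_PAC_REQUEST:` calls the behaviour "rather odd" without saying what is odd about it. It should name the error code the assertions below expect for each packet and why that is surprising, so a later reader can tell a pinned KDC quirk from intended protocol behaviour and does not loosen the test when the server changes. The assertions continue outside this hunk, so the exact wording has to come from them.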
@@ -157,6 +177,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
free_AS_REQ(&test_context->as_req);
break;
+
+ /*
+ * Confirm correct error codes when we deliberatly send the wrong password
+ */
case TORTURE_KRB5_TEST_BREAK_PW:
if (test_context->packet_count == 0) {
torture_assert_int_equal(test_context->tctx,
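Review bot: `deliberatly` in the comment before `case TORTURE_KRB5_TEST_BREAK_PW:` is misspelled and should be `deliberately`; the same typo is in the comment before `case TORTURE_KRB5_TEST_CLOCK_SKEW:` in the next hunk. Both comments would also be more useful if they named the error code the following assertions expect, which is not visible in these hunks.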
@@ -180,6 +204,10 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
free_AS_REQ(&test_context->as_req);
break;
+
+ /*
+ * Confirm correct error codes when we deliberatly skew the client clock
+ */
case TORTURE_KRB5_TEST_CLOCK_SKEW:
if (test_context->packet_count == 0) {
torture_assert_int_equal(test_context->tctx,
@@ -207,6 +235,21 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
return true;
}
+
+/*
+ * This function is set in torture_krb5_init_context as krb5
+ * send_and_recv function. This allows us to override what server the
+ * test is aimed at, and to inspect the packets just before they are
+ * sent to the network, and before they are processed on the recv
+ * side.
+ *
+ * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
+ * functions are implement the actual tests.
+ *
+ * When this asserts, the caller will get a spurious 'cannot contact
+ * any KDC' message.
+ *
+ */
static krb5_error_code smb_krb5_send_and_recv_func_override(krb5_context context,
void *data, /* struct torture_krb5_context */
krb5_krbhst_info *hi,