author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-12-03 11:58:53 +1300 |
committer | Andrew Bartlett <abartlet@samba.org> | 2021-12-07 04:05:34 +0000 |
commit | 2701293f48a9e4014f9ba1e925d458fe25865bfb (patch) | |
tree | 116a69354cbd21389cce0cd0249441ca3454dcbe /source4/torture | |
parent | 7eb1e1cc9498c761c9fcd2bd839e1e2c28a365df (diff) | |
s4:torture: Remove pre-send and post-receive callbacks
The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/krb5/kdc-canon-heimdal.c | 1069 |
1 files changed, 1 insertions, 1068 deletions
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index 85c38546310..59ae750e206 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -71,30 +71,12 @@ struct test_data {
 const char *krb5_hostname;
 };
 
-enum test_stage {
- TEST_AS_REQ = 0,
- TEST_TGS_REQ_KRBTGT_CANON = 1,
- TEST_TGS_REQ_CANON = 2,
- TEST_SELF_TRUST_TGS_REQ = 3,
- TEST_TGS_REQ = 4,
- TEST_TGS_REQ_KRBTGT = 5,
- TEST_TGS_REQ_HOST = 6,
- TEST_TGS_REQ_HOST_SRV_INST = 7,
- TEST_TGS_REQ_HOST_SRV_HST = 8,
- TEST_DONE = 9
-};
-
 struct torture_krb5_context {
 struct smb_krb5_context *smb_krb5_context;
 struct torture_context *tctx;
 struct addrinfo *server;
 struct test_data *test_data;
 int packet_count;
- enum test_stage test_stage;
- AS_REQ as_req;
- AS_REP as_rep;
- TGS_REQ tgs_req;
- TGS_REP tgs_rep;
 };
 
 struct pac_data {
@@ -214,948 +196,6 @@ static bool test_accept_ticket(struct torture_context *tctx, } /* - * TEST_AS_REQ - SEND - * - * Confirm that the outgoing packet meets certain expectations. This - * should be extended to further assert the correct and expected - * behaviour of the krb5 libs, so we know what we are sending to the - * server. - * - * Additionally, this CHANGES the request to remove the canonicalize - * flag automatically added by the krb5 libs when an enterprise - * principal is used, so we can test what the server does in this - * combination. - * - */ - -static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_context, - const krb5_data *send_buf, - krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, decode_AS_REQ(send_buf->data, send_buf->length, - &test_context->as_req, &used), - 0, "decode_AS_REQ for TEST_AS_REQ failed"); - torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, - 5, "Got wrong as_req->pvno"); - if (test_context->test_data->canonicalize - || test_context->test_data->enterprise) { - torture_assert(test_context->tctx, - test_context->as_req.req_body.kdc_options.canonicalize, - "krb5 libs did not set canonicalize!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.kdc_options.canonicalize, - false, - "krb5 libs unexpectedly set canonicalize!"); - } - - if (test_context->test_data->as_req_spn) { - if (test_context->test_data->upn) { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_PRINCIPAL, - "krb5 libs unexpectedly " - "did not set principal " - "as NT_PRINCIPAL!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_SRV_HST, - "krb5 libs unexpectedly " - "did not set principal " - "as NT_SRV_HST!"); - } - } 
else if (test_context->test_data->enterprise) { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_ENTERPRISE_PRINCIPAL, - "krb5 libs did not pass principal as enterprise!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->as_req.req_body.cname->name_type, - KRB5_NT_PRINCIPAL, - "krb5 libs unexpectedly set principal as enterprise!"); - } - - *modified_send_buf = *send_buf; - - return true; -} - -/* - * TEST_AS_REQ - RECV - * - * Confirm that the reply packet from the KDC meets certain - * expectations as part of TEST_AS_REQ. This uses a packet count to - * work out what packet we are up to in the multiple exchanged - * triggerd by krb5_get_init_creds_password(). - * - */ - -static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context *test_context, - const krb5_data *recv_buf) -{ - KRB_ERROR error; - size_t used; - if (test_context->packet_count == 0) { - krb5_error_code k5ret; - /* - * The client libs obtain the salt by attempting to - * authenticate without pre-authentication and getting - * the correct salt with the - * KRB5KDC_ERR_PREAUTH_REQUIRED error. If we are in - * the test (netbios_realm && upn) that deliberatly - * has an incorrect principal, we check we get the - * correct error. 
- */ - k5ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length, - &error, &used); - if (k5ret != 0) { - AS_REP as_rep; - k5ret = decode_AS_REP(recv_buf->data, recv_buf->length, - &as_rep, &used); - if (k5ret == 0) { - if (test_context->test_data->netbios_realm && test_context->test_data->upn) { - torture_assert(test_context->tctx, false, - "expected to get a KRB_ERROR packet with " - "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, got valid AS-REP"); - } else { - torture_assert(test_context->tctx, false, - "expected to get a KRB_ERROR packet with " - "KRB5KDC_ERR_PREAUTH_REQUIRED, got valid AS-REP"); - } - } else { - if (test_context->test_data->netbios_realm && test_context->test_data->upn) { - torture_assert(test_context->tctx, false, - "unable to decode as KRB-ERROR or AS-REP, " - "expected to get a KRB_ERROR packet with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"); - } else { - torture_assert(test_context->tctx, false, - "unable to decode as KRB-ERROR or AS-REP, " - "expected to get a KRB_ERROR packet with KRB5KDC_ERR_PREAUTH_REQUIRED"); - } - } - } - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, error.pvno, 5, - "Got wrong error.pvno"); - if (test_context->test_data->netbios_realm && test_context->test_data->upn) { - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } else if (test_context->test_data->as_req_spn && !test_context->test_data->spn_is_upn) { - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } else { - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } - - free_KRB_ERROR(&error); - } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) - && 
(test_context->packet_count == 1)) { - /* - * The Windows 2012R2 KDC will always respond with - * KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP as the ticket - * won't fit, because of the PAC. (It appears to do - * this always, even if it will). This triggers the - * client to try again over TCP. - */ - torture_assert_int_equal(test_context->tctx, - used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - error.pvno, 5, - "Got wrong error.pvno"); - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - free_KRB_ERROR(&error); - } else { - /* - * Finally the successful packet. - */ - torture_assert_int_equal(test_context->tctx, - decode_AS_REP(recv_buf->data, recv_buf->length, - &test_context->as_rep, &used), 0, - "decode_AS_REP failed"); - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->as_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->as_rep.ticket.tkt_vno, 5, - "Got wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->as_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - - /* - * We can confirm that the correct proxy behaviour is - * in use on the KDC by checking the KVNO of the - * krbtgt account returned in the reply. 
- * - * A packet passed to the full RW DC will not have a - * KVNO in the upper bits, while a packet processed - * locally on the RODC will have these bits filled in - * the msDS-SecondaryKrbTgtNumber - */ - if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) { - torture_assert_int_not_equal(test_context->tctx, - *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Did not get a RODC number in the KVNO"); - } else { - torture_assert_int_equal(test_context->tctx, - *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO"); - } - free_AS_REP(&test_context->as_rep); - } - torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets"); - free_AS_REQ(&test_context->as_req); - return true; -} - -/* - * TEST_TGS_REQ_KRBTGT_CANON - * - * - * Confirm that the outgoing TGS-REQ packet from krb5_get_creds() - * for the krbtgt/realm principal meets certain expectations, like - * that the canonicalize bit is not set - * - */ - -static bool torture_krb5_pre_send_tgs_req_krbtgt_canon_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REQ(send_buf->data, send_buf->length, - &test_context->tgs_req, &used), - 0, "decode_TGS_REQ for TEST_TGS_REQ test failed"); - torture_assert_int_equal(test_context->tctx, - used, send_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.pvno, 5, - "Got wrong as_req->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - true, - "krb5 libs unexpectedly did not set canonicalize!"); - - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - KRB5_NT_PRINCIPAL, - "Mismatch in name_type between request and expected request"); - - 
torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - - *modified_send_buf = *send_buf; - return true; -} - -/* - * TEST_TGS_REQ_KRBTGT_CANON - * - * Confirm that the reply TGS-REP packet for krb5_get_creds() - * where the client is behaving as if this is a cross-realm trust due - * to case or netbios vs dns name differences meets certain - * expectations, while canonicalize is set - * - */ - -static bool torture_krb5_post_recv_tgs_req_krbtgt_canon_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REP(recv_buf->data, recv_buf->length, - &test_context->tgs_rep, &used), - 0, - "decode_TGS_REP failed"); - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.tkt_vno, 5, - "Got wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->tgs_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->tgs_rep.ticket.realm, - "Mismatch in realm between request and ticket response"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.realm, - test_context->test_data->real_realm, - "Mismatch in realm between ticket response and expected ticket response"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_type, - KRB5_NT_SRV_INST, - "Mismatch in name_type between ticket response and expected value of KRB5_NT_SRV_INST"); - - torture_assert_int_equal(test_context->tctx, - 
test_context->tgs_rep.ticket.sname.name_string.len, - 2, - "Mismatch in name_type between ticket response and expected value, expected krbtgt/REALM@REALM"); - - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt", - "Mismatch in name between response and expected response, expected krbtgt"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->real_realm, - "Mismatch in realm part of krbtgt/ in expected response, expected krbtgt/REALM@REALM"); - - /* - * We can confirm that the correct proxy behaviour is - * in use on the KDC by checking the KVNO of the - * krbtgt account returned in the reply. - * - * A packet passed to the full RW DC will not have a - * KVNO in the upper bits, while a packet processed - * locally on the RODC will have these bits filled in - * the msDS-SecondaryKrbTgtNumber - */ - if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) { - torture_assert_int_not_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Did not get a RODC number in the KVNO"); - } else { - torture_assert_int_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO"); - } - free_TGS_REP(&test_context->tgs_rep); - torture_assert(test_context->tctx, - test_context->packet_count < 2, - "too many packets"); - free_TGS_REQ(&test_context->tgs_req); - return true; -} - -/* - * TEST_TGS_REQ_CANON - * - * Confirm that the outgoing TGS-REQ packet from krb5_get_creds - * certain expectations, like that the canonicalize bit is set (this - * test is to force that handling) and that if an enterprise name was - * requested, that it was sent. 
- * - */ - -static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context *test_context, - const krb5_data *send_buf, - krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REQ(send_buf->data, send_buf->length, - &test_context->tgs_req, &used), - 0, "decode_TGS_REQ for TEST_TGS_REQ_CANON test failed"); - torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - true, "krb5 libs unexpectedly did not set canonicalize!"); - - if (test_context->test_data->enterprise) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - - } else if (test_context->test_data->as_req_spn) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_SRV_HST, - "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_HST"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - - } else if (test_context->test_data->canonicalize) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - 
test_context->tgs_req.req_body.realm, test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - - } else { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, test_context->test_data->realm, - "Mismatch in realm between request and expected request"); - - } - - *modified_send_buf = *send_buf; - - return true; -} - -/* - * TEST_TGS_REQ_CANON - RECV - * - * Confirm that the reply TGS-REP or error packet from the KDC meets - * certain expectations as part of TEST_TGS_REQ_CANON. - * - * This is triggered by krb5_get_creds() - * - */ - -static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf) -{ - KRB_ERROR error; - size_t used; - - /* - * If this account did not have a servicePrincipalName, then - * we expect a errro packet, not a TGS-REQ - */ - if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) { - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, - error.pvno, 5, - "Got wrong error.pvno"); - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } else { - torture_assert_int_equal(test_context->tctx, - decode_TGS_REP(recv_buf->data, recv_buf->length, - &test_context->tgs_rep, - &used), - 0, - "decode_TGS_REP failed"); - torture_assert_int_equal(test_context->tctx, - used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.tkt_vno, 5, - "Got 
wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->tgs_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.realm, - test_context->test_data->real_realm, - "Mismatch in realm between ticket response and expected upper case REALM"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_type, - test_context->tgs_req.req_body.sname->name_type, - "Mismatch in name_type between request and ticket response"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.len, - test_context->tgs_req.req_body.sname->name_string.len, - "Mismatch in name_string.len between request and ticket response"); - torture_assert(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.len >= 1, - "name_string.len should be >=1 in ticket response"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[0], - test_context->tgs_req.req_body.sname->name_string.val[0], - "Mismatch in name between request and expected request"); - torture_assert_int_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO"); - free_TGS_REP(&test_context->tgs_rep); - } - torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets"); - free_TGS_REQ(&test_context->tgs_req); - - return true; -} - -/* - * TEST_SELF_TRUST_TGS_REQ - * - * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact() - * certain expectations, like that the canonicalize bit is set (this - * test is to force that handling). - * - * This test is for the case where the name we ask for, while a valid - * alternate name for our own realm is used. The client acts as if - * this is cross-realm trust. 
- * - */ - -static bool torture_krb5_pre_send_self_trust_tgs_req_test(struct torture_krb5_context *test_context, - const krb5_data *send_buf, - krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REQ(send_buf->data, send_buf->length, - &test_context->tgs_req, &used), - 0, "decode_TGS_REQ for TEST_SELF_TRUST_TGS_REQ test failed"); - torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno"); - - if (test_context->test_data->enterprise - || (test_context->test_data->spn_is_upn && test_context->test_data->upn)) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - true, - "krb5 libs unexpectedly" - " did not set canonicalize!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - false, - "krb5 libs unexpectedly" - " set canonicalize!"); - } - - - if (test_context->test_data->canonicalize) { - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - } else { - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->realm, - "Mismatch in realm between request and expected request"); - } - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.len, 2, - "Mismatch in name between request and expected request, expected krbtgt/realm"); - torture_assert_str_equal(test_context->tctx, - 
test_context->tgs_req.req_body.sname->name_string.val[0], "krbtgt", - "Mismatch in name between request and expected request, expected krbtgt"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.val[1], test_context->test_data->realm, - "Mismatch in realm part of cross-realm request principal between request and expected request"); - *modified_send_buf = *send_buf; - - return true; -} - -/* - * TEST_SELF_TRUST_TGS_REQ and TEST_TGS_REQ_KRBTGT - RECV - * - * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(), - * where the client is behaving as if this is a cross-realm trust due - * to case or netbios vs dns name differences meets certain - * expectations. - * - */ - -static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REP(recv_buf->data, recv_buf->length, - &test_context->tgs_rep, &used), - 0, - "decode_TGS_REP failed"); - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.tkt_vno, 5, - "Got wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->tgs_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->tgs_rep.ticket.realm, - "Mismatch in realm between request and ticket response"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_type, - test_context->tgs_req.req_body.sname->name_type, - "Mismatch in name_type between request and ticket response"); - - torture_assert_int_equal(test_context->tctx, - 
test_context->tgs_rep.ticket.sname.name_string.len, 2, - "Mismatch in name between request and expected request, expected krbtgt/realm"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt", - "Mismatch in name between request and expected request, expected krbtgt"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->realm, - "Mismatch in realm part of cross-realm request principal between response and expected request"); - /* - * We can confirm that the correct proxy behaviour is - * in use on the KDC by checking the KVNO of the - * krbtgt account returned in the reply. - * - * A packet passed to the full RW DC will not have a - * KVNO in the upper bits, while a packet processed - * locally on the RODC will have these bits filled in - * the msDS-SecondaryKrbTgtNumber - */ - if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) { - torture_assert_int_not_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Did not get a RODC number in the KVNO"); - } else { - torture_assert_int_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO"); - } - free_TGS_REP(&test_context->tgs_rep); - torture_assert_int_equal(test_context->tctx, - test_context->packet_count, 0, - "too many packets"); - test_context->packet_count = 0; - test_context->test_stage = TEST_TGS_REQ; - free_TGS_REQ(&test_context->tgs_req); - return true; -} - -/* - * TEST_TGS_REQ - * - * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact() - * certain expectations, like that the canonicalize bit is set (this - * test is to force that handling) and that if an enterprise name was - * requested, that it was sent. 
- * - */ - -static bool torture_krb5_pre_send_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REQ(send_buf->data, send_buf->length, - &test_context->tgs_req, &used), - 0, "decode_TGS_REQ for TEST_TGS_REQ test failed"); - torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch"); - torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, - "Got wrong as_req->pvno"); - - if (test_context->test_data->enterprise - && test_context->test_data->s4u2self == false - && test_context->test_data->spn_is_upn) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - true, - "krb5 libs unexpectedly" - " did not set canonicalize!"); - } else { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - false, - "krb5 libs unexpectedly" - " set canonicalize!"); - } - - if (test_context->test_data->enterprise) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - KRB5_NT_ENTERPRISE_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - - } else if (test_context->test_data->spn_is_upn && test_context->test_data->upn && test_context->test_data->canonicalize) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - KRB5_NT_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->real_realm, - "Mismatch in 
realm between request and expected request"); - - } else if (test_context->test_data->spn_is_upn - && test_context->test_data->as_req_spn - && test_context->test_data->canonicalize == false) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - KRB5_NT_SRV_HST, - "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_HST"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->realm, - "Mismatch in realm between request and expected request"); - - } else { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - KRB5_NT_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->realm, - "Mismatch in realm between request and expected request"); - - } - - *modified_send_buf = *send_buf; - - return true; -} - -/* - * TEST_TGS_REQ - RECV - * - * Confirm that the reply TGS-REP packet for krb5_mk_req_exact(), for - * the actual target service. 
- * - */ - -static bool torture_krb5_post_recv_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf) -{ - KRB_ERROR error; - size_t used; - /* - * If this account did not have a servicePrincipalName, then - * we expect a errro packet, not a TGS-REQ - */ - if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) { - torture_assert_int_equal(test_context->tctx, - used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - error.pvno, 5, - "Got wrong error.pvno"); - torture_assert_int_equal(test_context->tctx, - error.error_code, - KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, - "Got wrong error.error_code"); - } else { - torture_assert_int_equal(test_context->tctx, - decode_TGS_REP(recv_buf->data, recv_buf->length, - &test_context->tgs_rep, &used), - 0, - "decode_TGS_REP failed"); - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.tkt_vno, 5, - "Got wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->tgs_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.realm, - test_context->test_data->real_realm, - "Mismatch in realm between ticket response and expected upper case REALM"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response"); - torture_assert_int_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO"); - 
free_TGS_REP(&test_context->tgs_rep); - } - torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets"); - free_TGS_REQ(&test_context->tgs_req); - test_context->test_stage = TEST_DONE; - return true; -} - -/* - * TEST_TGS_REQ_KRBTGT - * - * - * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact() - * for the krbtgt/realm principal meets certain expectations, like - * that the canonicalize bit is not set - * - */ - -static bool torture_krb5_pre_send_tgs_req_krbtgt_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REQ(send_buf->data, send_buf->length, - &test_context->tgs_req, &used), - 0, "decode_TGS_REQ for TEST_TGS_REQ test failed"); - torture_assert_int_equal(test_context->tctx, - used, send_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.pvno, 5, - "Got wrong as_req->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - false, - "krb5 libs unexpectedly set canonicalize!"); - - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->realm, - "Mismatch in realm between request and expected request"); - - *modified_send_buf = *send_buf; - test_context->test_stage = TEST_DONE; - return true; -} - -/* - * TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST and TEST_TGS_REQ_HOST_SRV_HST - * - * - * Confirm that the outgoing TGS-REQ packet from krb5_mk_req_exact() - * for the krbtgt/realm principal meets certain expectations, like - * that the canonicalize bit is not set - * - */ - -static bool torture_krb5_pre_send_tgs_req_host_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, krb5_data *modified_send_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REQ(send_buf->data, 
send_buf->length, - &test_context->tgs_req, &used), - 0, "decode_TGS_REQ for TEST_TGS_REQ test failed"); - torture_assert_int_equal(test_context->tctx, - used, send_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.pvno, 5, - "Got wrong as_req->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.len, 2, - "Mismatch in name between request and expected request, expected krbtgt/realm"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.kdc_options.canonicalize, - true, - "krb5 libs unexpectedly did not set canonicalize!"); - - if (test_context->test_stage == TEST_TGS_REQ_HOST_SRV_INST) { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_SRV_INST, - "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_INST"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.val[0], - strupper_talloc(test_context, test_context->test_data->krb5_service), - "Mismatch in name between request and expected request, expected service"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.val[1], - test_context->test_data->krb5_hostname, - "Mismatch in hostname part between request and expected request"); - - } else if (test_context->test_stage == TEST_TGS_REQ_HOST_SRV_HST) { - - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_SRV_HST, - "Mismatch in name type between request and expected request, expected KRB5_NT_SRV_HST"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.val[0], - test_context->test_data->krb5_service, - "Mismatch in name between request and expected request, expected service"); - torture_assert_str_equal(test_context->tctx, - 
test_context->tgs_req.req_body.sname->name_string.val[1], - strupper_talloc(test_context, test_context->test_data->krb5_hostname), - "Mismatch in hostname part between request and expected request"); - - } else { - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL, - "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.val[0], - test_context->test_data->krb5_service, - "Mismatch in name between request and expected request, expected service"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_string.val[1], - test_context->test_data->krb5_hostname, - "Mismatch in hostname part between request and expected request"); - - } - torture_assert_str_equal(test_context->tctx, - test_context->tgs_req.req_body.realm, - test_context->test_data->real_realm, - "Mismatch in realm between request and expected request"); - - *modified_send_buf = *send_buf; - return true; -} - -/* - * TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST - RECV - * - * Confirm that the reply TGS-REP packet for krb5_mk_req(), for - * the actual target service, as a SPN, not a any other name type. 
- * - */ - -static bool torture_krb5_post_recv_tgs_req_host_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf) -{ - size_t used; - torture_assert_int_equal(test_context->tctx, - decode_TGS_REP(recv_buf->data, recv_buf->length, - &test_context->tgs_rep, &used), - 0, - "decode_TGS_REP failed"); - torture_assert_int_equal(test_context->tctx, used, recv_buf->length, - "length mismatch"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.pvno, 5, - "Got wrong as_rep->pvno"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.tkt_vno, 5, - "Got wrong as_rep->ticket.tkt_vno"); - torture_assert(test_context->tctx, - test_context->tgs_rep.ticket.enc_part.kvno, - "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.realm, - test_context->test_data->real_realm, - "Mismatch in realm between ticket response and expected upper case REALM"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_req.req_body.sname->name_type, - test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response"); - torture_assert_int_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.len, 2, - "Mismatch in name between request and expected request, expected service/hostname"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[0], - test_context->tgs_req.req_body.sname->name_string.val[0], - "Mismatch in name between request and expected request, expected service/hostname"); - torture_assert_str_equal(test_context->tctx, - test_context->tgs_rep.ticket.sname.name_string.val[1], - test_context->tgs_req.req_body.sname->name_string.val[1], - "Mismatch in name between request and expected request, expected service/hostname"); - - torture_assert_int_equal(test_context->tctx, - *test_context->tgs_rep.ticket.enc_part.kvno 
& 0xFFFF0000, - 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO"); - free_TGS_REP(&test_context->tgs_rep); - - torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets"); - return true; -} - -/* * This function is set in torture_krb5_init_context_canon as krb5 * send_and_recv function. This allows us to override what server the * test is aimed at, and to inspect the packets just before they are 
@@ -1177,102 +217,17 @@ static krb5_error_code smb_krb5_send_and_recv_func_canon_override(krb5_context c krb5_data *recv_buf) { krb5_error_code k5ret; - bool ok = false; - krb5_data modified_send_buf; struct torture_krb5_context *test_context = talloc_get_type_abort(data, struct torture_krb5_context); - switch (test_context->test_stage) { - case TEST_DONE: - torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs"); - return EINVAL; - case TEST_AS_REQ: - ok = torture_krb5_pre_send_as_req_test(test_context, send_buf, - &modified_send_buf); - break; - case TEST_TGS_REQ_KRBTGT_CANON: - ok = torture_krb5_pre_send_tgs_req_krbtgt_canon_test(test_context, send_buf, - &modified_send_buf); - break; - case TEST_TGS_REQ_CANON: - ok = torture_krb5_pre_send_tgs_req_canon_test(test_context, send_buf, - &modified_send_buf); - break; - case TEST_SELF_TRUST_TGS_REQ: - ok = torture_krb5_pre_send_self_trust_tgs_req_test(test_context, send_buf, - &modified_send_buf); - break; - case TEST_TGS_REQ: - ok = torture_krb5_pre_send_tgs_req_test(test_context, send_buf, - &modified_send_buf); - break; - case TEST_TGS_REQ_KRBTGT: - ok = torture_krb5_pre_send_tgs_req_krbtgt_test(test_context, send_buf, - &modified_send_buf); - break; - case TEST_TGS_REQ_HOST: - case TEST_TGS_REQ_HOST_SRV_INST: - case TEST_TGS_REQ_HOST_SRV_HST: - ok = torture_krb5_pre_send_tgs_req_host_test(test_context, send_buf, - &modified_send_buf); - break; - } - if (ok == false) { - return EINVAL; - } - k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server, - hi, timeout, &modified_send_buf, + hi, timeout, send_buf, recv_buf); if (k5ret != 0) { return k5ret; } - switch (test_context->test_stage) { - case TEST_DONE: - torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs"); - return EINVAL; - case TEST_AS_REQ: - ok = torture_krb5_post_recv_as_req_test(test_context, recv_buf); - break; - case TEST_TGS_REQ_KRBTGT_CANON: - ok = 
torture_krb5_post_recv_tgs_req_krbtgt_canon_test(test_context, recv_buf); - break; - case TEST_TGS_REQ_CANON: - ok = torture_krb5_post_recv_tgs_req_canon_test(test_context, recv_buf); - break; - case TEST_SELF_TRUST_TGS_REQ: - ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf); - break; - case TEST_TGS_REQ: - ok = torture_krb5_post_recv_tgs_req_test(test_context, recv_buf); - break; - case TEST_TGS_REQ_KRBTGT: - ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf); - break; - case TEST_TGS_REQ_HOST: - case TEST_TGS_REQ_HOST_SRV_INST: - case TEST_TGS_REQ_HOST_SRV_HST: - ok = torture_krb5_post_recv_tgs_req_host_test(test_context, recv_buf); - break; - } - if (ok == false) { - KRB_ERROR error; - size_t used; - torture_warning(test_context->tctx, "Packet of length %llu failed post-recv checks in test stage %d", (unsigned long long)recv_buf->length, test_context->test_stage); - if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) { - torture_warning(test_context->tctx, - "STAGE: %d Unexpectedly got a KRB-ERROR packet " - "with error code %d (%s)", - test_context->test_stage, - error.error_code, - error_message(error.error_code + KRB5KDC_ERR_NONE)); - free_KRB_ERROR(&error); - } - return EINVAL; - } - test_context->packet_count++; return k5ret; @@ -1558,7 +513,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * * */ - test_context->test_stage = TEST_AS_REQ; test_context->packet_count = 0; /* @@ -1708,7 +662,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * test_data->real_domain, NULL), 0, "krb5_make_principal failed"); - test_context->test_stage = TEST_TGS_REQ_KRBTGT_CANON; test_context->packet_count = 0; torture_assert_int_equal(tctx, 
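Review bot: The comment block that precedes smb_krb5_send_and_recv_func_canon_override (visible as trailing context of the previous hunk) still says the override exists "to inspect the packets just before they are" sent, which this hunk makes untrue: the new body only forwards `send_buf` to smb_krb5_send_and_recv_func_forced and bumps `packet_count`, so the comment should be reworded along the lines of `This allows us to override what server the test is aimed at and to count the packets exchanged.` The `packet_count` increment survives and the per-stage resets to 0 remain in the later hunks, but none of the "too many packets" assertions that used to read it are visible on the new side; if nothing outside this diff consults the field it is now write-only and could be dropped, otherwise the bound check belongs here. Minor style: after `if (k5ret != 0) { return k5ret; }` the final `return k5ret;` can only ever return 0, so `return 0;` states the intent more plainly. The function's signature and the comment in question begin outside this hunk.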
@@ -1777,7 +730,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * * the KRB5_GC_CANONICALIZE option */ - test_context->test_stage = TEST_TGS_REQ_CANON; test_context->packet_count = 0; torture_assert_int_equal(tctx, @@ -1858,21 +810,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * * */ - /* - * This tries to guess when the krb5 libs will ask for a - * cross-realm ticket, and when they will just ask the KDC - * directly. - */ - if (test_context->test_data->canonicalize == false - || test_context->test_data->enterprise - || (test_context->test_data->spn_is_upn && test_context->test_data->upn) - || (test_context->test_data->upper_realm - && test_context->test_data->netbios_realm == false)) { - test_context->test_stage = TEST_TGS_REQ; - } else { - test_context->test_stage = TEST_SELF_TRUST_TGS_REQ; - } - test_context->packet_count = 0; torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context), 0, "krb5_auth_con_init failed"); @@ -1998,7 +935,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * * cross-realm ticket, and when they will just ask the KDC * directly. */ - test_context->test_stage = TEST_TGS_REQ_HOST; test_context->packet_count = 0; torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context), 0, "krb5_auth_con_init failed"); @@ -2050,7 +986,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * } - test_context->test_stage = TEST_TGS_REQ_HOST_SRV_INST; test_context->packet_count = 0; torture_assert_int_equal(tctx, @@ -2096,7 +1031,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * } - test_context->test_stage = TEST_TGS_REQ_HOST_SRV_HST; test_context->packet_count = 0; torture_assert_int_equal(tctx, 
@@ -2149,7 +1083,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * * */ - test_context->test_stage = TEST_TGS_REQ_KRBTGT; test_context->packet_count = 0; in_data.length = 0; |