etc/services - sync with NetBSD-8
[minix.git] / crypto / external / bsd / heimdal / dist / tests / gss / check-context.in
blob58651058d83c38b44b14a30214da9bfcee959864
1 #!/bin/sh
3 # Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
34 # Id
37 srcdir="@srcdir@"
38 objdir="@objdir@"
40 # If there is no useful db support compile in, disable test
41 ../db/have-db || exit 77
43 R=TEST.H5L.SE
45 port=@port@
47 keytabfile=${objdir}/server.keytab
48 keytab="FILE:${keytabfile}"
49 nokeytab="FILE:no-such-keytab"
50 cache="FILE:krb5ccfile"
52 kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
53 klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
54 kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
55 kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
56 kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
57 ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
59 context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
61 KRB5_CONFIG="${objdir}/krb5.conf"
62 export KRB5_CONFIG
64 KRB5CCNAME=${cache}
65 export KRB5CCNAME
67 rm -f ${keytabfile}
68 rm -f current-db*
69 rm -f out-*
70 rm -f mkey.file*
72 > messages.log
74 echo Creating database
75 ${kadmin} \
76 init \
77 --realm-max-ticket-life=1day \
78 --realm-max-renewable-life=1month \
79 ${R} || exit 1
81 # add both lucid and lucid.test.h5l.se to simulate aliases
82 ${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
83 ${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
84 ${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
85 ${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
87 ${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
88 ${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
89 ${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
92 ${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
93 ${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
94 # XXX ext should ext aliases too
95 ${kadmin} ext -k ${keytab} host/short@${R} || exit 1
96 ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
98 ${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
100 ${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
102 # Create a server principal with no AES
103 ${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
104 ${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
105 ${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
106 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
107 ${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
109 echo "Doing database check"
110 ${kadmin} check ${R} || exit 1
112 echo u1 > ${objdir}/foopassword
114 echo Starting kdc
115 ${kdc} &
116 kdcpid=$!
118 sh ${srcdir}/../kdc/wait-kdc.sh
119 if [ "$?" != 0 ] ; then
120 kill ${kdcpid}
121 exit 1
124 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
126 testfailed="echo test failed; cat messages.log; exit 1"
128 echo "Getting client initial tickets" ; > messages.log
129 ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
130 { eval "$testfailed"; }
132 echo "======test unreadable/non existant keytab and its error message" ; > messages.log
133 ${context} --mech-type=krb5 host@lucid.test.h5l.se || \
134 { eval "$testfailed"; }
136 mv ${keytabfile} ${keytabfile}.no
138 echo "checking non existant keytabfile (krb5)" ; > messages.log
139 ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
140 { eval "$testfailed"; }
141 grep ${keytabfile} test_context.log > /dev/null || \
142 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
143 echo "checking non existant keytabfile (spengo)" ; > messages.log
144 ${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
145 { eval "$testfailed"; }
146 grep ${keytabfile} test_context.log > /dev/null || \
147 { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
149 mv ${keytabfile}.no ${keytabfile}
151 echo "======test naming combinations"
152 echo "plain" ; > messages.log
153 ${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
154 { eval "$testfailed"; }
155 echo "plain (krb5)" ; > messages.log
156 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
157 { eval "$testfailed"; }
158 echo "plain (krb5 realmless)" ; > messages.log
159 ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
160 { eval "$testfailed"; }
161 echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
162 #${context} --dns-canon host@lucid.test.h5l.se || \
163 # { eval "$testfailed"; }
164 echo "dns canon off (long name)" ; > messages.log
165 ${context} --no-dns-canon host@lucid.test.h5l.se || \
166 { eval "$testfailed"; }
167 echo "dns canon off (short name)" ; > messages.log
168 ${context} --no-dns-canon host@lucid || \
169 { eval "$testfailed"; }
170 echo "dns canon off (short name, krb5)" ; > messages.log
171 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
172 { eval "$testfailed"; }
173 echo "dns canon off (short name, krb5)" ; > messages.log
174 ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
175 { eval "$testfailed"; }
177 echo "======test context building"
178 for mech in krb5 krb5iov spnego spnegoiov; do
179 if [ "$mech" = "krb5iov" ] ; then
180 mech="krb5"
181 iov="--iov"
183 if [ "$mech" = "spnegoiov" ] ; then
184 mech="spnego"
185 iov="--iov"
188 echo "${mech} no-mutual ${iov}" ; > messages.log
189 ${context} --mech-type=${mech} \
190 --wrapunwrap ${iov} \
191 --name-type=hostbased-service host@lucid.test.h5l.se || \
192 { eval "$testfailed"; }
194 echo "${mech} mutual ${iov}" ; > messages.log
195 ${context} --mech-type=${mech} \
196 --mutual \
197 --wrapunwrap ${iov} \
198 --name-type=hostbased-service host@lucid.test.h5l.se || \
199 { eval "$testfailed"; }
201 echo "${mech} delegate ${iov}" ; > messages.log
202 ${context} --mech-type=${mech} \
203 --delegate \
204 --wrapunwrap ${iov} \
205 --name-type=hostbased-service host@lucid.test.h5l.se || \
206 { eval "$testfailed"; }
208 echo "${mech} mutual delegate ${iov}" ; > messages.log
209 ${context} --mech-type=${mech} \
210 --mutual --delegate \
211 --wrapunwrap ${iov} \
212 --name-type=hostbased-service host@lucid.test.h5l.se || \
213 { eval "$testfailed"; }
214 done
216 echo "======dce-style"
217 for mech in krb5 krb5iov spnego; do
218 iov=""
219 if [ "$mech" = "krb5iov" ] ; then
220 mech="krb5"
221 iov="--iov"
223 if [ "$mech" = "spnegoiov" ] ; then
224 mech="spnego"
225 iov="--iov"
228 echo "${mech}: dce-style ${iov}" ; > messages.log
229 ${context} \
230 --mech-type=${mech} \
231 --mutual \
232 --dce-style \
233 --wrapunwrap ${iov} \
234 --name-type=hostbased-service host@lucid.test.h5l.se || \
235 { eval "$testfailed"; }
237 done
239 echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
241 cp ${keytabfile} ${keytabfile}.new
242 for mech in krb5 spnego; do
243 echo "${mech}: acceptor_identity positive" ; > messages.log
244 ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
245 --mech-type=$mech host@lucid.test.h5l.se || \
246 { eval "$testfailed"; }
248 echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
249 ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
250 --mech-type=$mech host@lucid.test.h5l.se || \
251 { eval "$testfailed"; }
253 echo "${mech}: acceptor_identity negative" ; > messages.log
254 ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
255 --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
256 { eval "$testfailed"; }
257 done
259 rm ${keytabfile}.new
262 #echo "sasl-digest-md5"
263 #${context} --mech-type=sasl-digest-md5 \
264 # --name-type=hostbased-service \
265 # host@lucid.test.h5l.se || \
266 # { eval "$testfailed"; }
269 echo "====== gss-api session key check"
271 # this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
272 coolenctype="aes256-cts-hmac-sha1-96"
273 limit_enctype="des3-cbc-sha1"
275 echo "Getting client initial tickets" ; > messages.log
276 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
277 { eval "$testfailed"; }
280 echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
281 ${context} \
282 --mech-type=krb5 \
283 --mutual-auth \
284 --session-enctype=${coolenctype} \
285 --name-type=hostbased-service host@no-aes.test.h5l.se || \
286 { eval "$testfailed"; }
288 echo "Building context on cred, check if its limited still" ; > messages.log
289 ${context} \
290 --mech-type=krb5 \
291 --client-name=user1@${R} \
292 --limit-enctype="${limit_enctype}" \
293 --mutual-auth \
294 --name-type=hostbased-service host@no-aes.test.h5l.se || \
295 { eval "$testfailed"; }
298 echo "====== ok-as-delegate"
300 echo "Getting client initial tickets" ; > messages.log
301 ${kinit} --forwardable \
302 --password-file=${objdir}/foopassword user1@${R} || \
303 { eval "$testfailed"; }
305 echo "ok-as-delegate not used" ; > messages.log
306 ${context} \
307 --mech-type=krb5 \
308 --delegate \
309 --name-type=hostbased-service host@lucid.test.h5l.se || \
310 { eval "$testfailed"; }
312 echo "host without ok-as-delegate with policy-delegate" ; > messages.log
313 ${context} \
314 --mech-type=krb5 \
315 --policy-delegate \
316 --server-no-delegate \
317 --name-type=hostbased-service host@lucid.test.h5l.se || \
318 { eval "$testfailed"; }
320 echo "ok-as-delegate used by policy" ; > messages.log
321 ${context} \
322 --mech-type=krb5 \
323 --policy-delegate \
324 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
325 { eval "$testfailed"; }
327 echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
328 ${kinit} --ok-as-delegate --forwardable \
329 --password-file=${objdir}/foopassword user1@${R} || \
330 { eval "$testfailed"; }
332 echo "policy delegate to non delegate host" ; > messages.log
333 ${context} \
334 --mech-type=krb5 \
335 --policy-delegate \
336 --server-no-delegate \
337 --name-type=hostbased-service host@lucid.test.h5l.se || \
338 { eval "$testfailed"; }
340 echo "ok-as-delegate" ; > messages.log
341 ${context} \
342 --mech-type=krb5 \
343 --delegate \
344 --name-type=hostbased-service host@lucid.test.h5l.se || \
345 { eval "$testfailed"; }
347 echo "======export/import cred"
349 echo "export-import cred (krb5)" ; > messages.log
350 ${context} \
351 --mech-type=krb5 \
352 --delegate \
353 --export-import-cred \
354 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
355 { eval "$testfailed"; }
357 echo "export-import cred (spnego)" ; > messages.log
358 ${context} \
359 --mech-type=spnego \
360 --delegate \
361 --export-import-cred \
362 --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
363 { eval "$testfailed"; }
366 echo "======time diffs between client and server"
368 echo "Getting client initial ticket" ; > messages.log
369 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
370 { eval "$testfailed"; }
372 echo "No time offset" ; > messages.log
373 ${context} \
374 --mech-type=krb5 \
375 --name-type=hostbased-service host@lucid.test.h5l.se || \
376 { eval "$testfailed"; }
378 echo "Getting client initial ticket" ; > messages.log
379 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
380 { eval "$testfailed"; }
382 echo "Server time offset" ; > messages.log
383 ${context} \
384 --mech-type=krb5 \
385 --mutual-auth \
386 --server-time-offset=3600 \
387 --max-loops=3 \
388 --name-type=hostbased-service host@lucid.test.h5l.se || \
389 { eval "$testfailed"; }
391 echo "Server time offset (cached ?)" ; > messages.log
392 ${context} \
393 --mech-type=krb5 \
394 --mutual-auth \
395 --server-time-offset=3600 \
396 --max-loops=2 \
397 --name-type=hostbased-service host@lucid.test.h5l.se || \
398 { eval "$testfailed"; }
400 echo "Getting client initial ticket" ; > messages.log
401 ${kinit} --password-file=${objdir}/foopassword user1@${R} || \
402 { eval "$testfailed"; }
403 # Pre-poplute the cache since tgs-req will fail since our time is wrong
404 ${kgetcred} host/lucid.test.h5l.se@${R} || \
405 { eval "$testfailed"; }
407 echo "Client time offset" ; > messages.log
408 ${context} \
409 --mech-type=krb5 \
410 --mutual-auth \
411 --client-time-offset=3600 \
412 --name-type=hostbased-service host@lucid.test.h5l.se || \
413 { eval "$testfailed"; }
415 echo "Getting client initial tickets (use-referrals)" ; > messages.log
416 ${kinit} \
417 --password-file=${objdir}/foopassword \
418 --use-referrals user1@${R} || \
419 { eval "$testfailed"; }
421 # XXX these tests really need to use somethat that resolve to something
422 ${context} \
423 --mech-type=krb5 \
424 host@short || \
425 { eval "$testfailed"; }
427 ${context} \
428 --mech-type=krb5 \
429 --name-type=krb5-principal-name host/short || \
430 { eval "$testfailed"; }
432 ${context} \
433 --mech-type=krb5 \
434 host@long.test.h5l.se || \
435 { eval "$testfailed"; }
437 ${context} \
438 --mech-type=krb5 \
439 --name-type=krb5-principal-name \
440 host/long.test.h5l.se || \
441 { eval "$testfailed"; }
443 trap "" EXIT
445 echo "killing kdc (${kdcpid})"
446 kill ${kdcpid} 2> /dev/null
448 exit 0