/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* plugins/preauth/test/kdctest.c - Test kdcpreauth module */
/*
* Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This module is used to test preauth interface features. Currently, the
* kdcpreauth module does the following:
*
* - When generating initial method-data, it retrieves the "teststring"
* attribute from the client principal and sends it to the client, encrypted
* in the reply key. (The plain text "no key" is sent if there is no reply
* key; the encrypted message "no attr" is sent if there is no string
* attribute.) It also sets a cookie containing "method-data".
*
* - If the "err" attribute is set on the client principal, the verify method
* returns an KDC_ERR_ETYPE_NOSUPP error on the first try, with the contents
* of the err attribute as pa-data. If the client tries again with the
* padata value "tryagain", the verify method preuthenticates successfully
* with no additional processing.
*
* - If the "failopt" attribute is set on the client principal, the verify
* method returns KDC_ERR_PREAUTH_FAILED on optimistic preauth attempts.
*
* - If the "2rt" attribute is set on client principal, the verify method sends
* the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with the contents of
* the 2rt attribute as pa-data, and sets a cookie containing "more". If the
* "fail2rt" attribute is set on the client principal, the client's second
* try results in a KDC_ERR_PREAUTH_FAILED error.
*
* - It receives a space-separated list from the clpreauth module and asserts
* each string as an authentication indicator. It always succeeds in
* pre-authenticating the request.
*/
#include "k5-int.h"
#include <krb5/kdcpreauth_plugin.h>
#include "common.h"
#define TEST_PA_TYPE -123
static krb5_preauthtype pa_types[] = { TEST_PA_TYPE, 0 };
static void
test_edata(krb5_context context, krb5_kdc_req *req,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
{
krb5_error_code ret;
const krb5_keyblock *k = cb->client_keyblock(context, rock);
krb5_pa_data *pa;
size_t enclen;
krb5_enc_data enc;
krb5_data d;
char *attr;
ret = cb->get_string(context, rock, "teststring", &attr);
assert(!ret);
if (k != NULL) {
d = string2data((attr != NULL) ? attr : "no attr");
ret = krb5_c_encrypt_length(context, k->enctype, d.length, &enclen);
assert(!ret);
ret = alloc_data(&enc.ciphertext, enclen);
assert(!ret);
ret = krb5_c_encrypt(context, k, 1024, NULL, &d, &enc);
assert(!ret);
pa = make_pa(enc.ciphertext.data, enc.ciphertext.length);
free(enc.ciphertext.data);
} else {
pa = make_pa("no key", 6);
}
/* Exercise setting a cookie information from the edata method. */
d = string2data("method-data");
ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d);
assert(!ret);
cb->free_string(context, rock, attr);
(*respond)(arg, 0, pa);
}
static void
test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
krb5_error_code ret;
krb5_boolean second_round_trip = FALSE, optimistic = FALSE;
krb5_pa_data **list = NULL;
krb5_data cookie_data, d;
char *str, *ind, *toksave = NULL;
char *attr_err, *attr_2rt, *attr_fail2rt, *attr_failopt;
ret = cb->get_string(context, rock, "err", &attr_err);
assert(!ret);
ret = cb->get_string(context, rock, "2rt", &attr_2rt);
assert(!ret);
ret = cb->get_string(context, rock, "fail2rt", &attr_fail2rt);
assert(!ret);
ret = cb->get_string(context, rock, "failopt", &attr_failopt);
assert(!ret);
/* Check the incoming cookie value. */
if (!cb->get_cookie(context, rock, TEST_PA_TYPE, &cookie_data)) {
/* Make sure we are seeing optimistic preauth and not a lost cookie. */
d = make_data(data->contents, data->length);
assert(data_eq_string(d, "optimistic"));
optimistic = TRUE;
} else if (data_eq_string(cookie_data, "more")) {
second_round_trip = TRUE;
} else {
assert(data_eq_string(cookie_data, "method-data") ||
data_eq_string(cookie_data, "err"));
}
if (attr_err != NULL) {
d = make_data(data->contents, data->length);
if (data_eq_string(d, "tryagain")) {
/* Authenticate successfully. */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
} else {
d = string2data("err");
ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d);
assert(!ret);
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
list = make_pa_list(attr_err, strlen(attr_err));
}
} else if (attr_2rt != NULL && !second_round_trip) {
d = string2data("more");
ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d);
assert(!ret);
ret = KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED;
list = make_pa_list(attr_2rt, strlen(attr_2rt));
} else if ((attr_fail2rt != NULL && second_round_trip) ||
(attr_failopt != NULL && optimistic)) {
ret = KRB5KDC_ERR_PREAUTH_FAILED;
} else {
/* Parse and assert the indicators. */
str = k5memdup0(data->contents, data->length, &ret);
if (ret)
abort();
ind = strtok_r(str, " ", &toksave);
while (ind != NULL) {
cb->add_auth_indicator(context, rock, ind);
ind = strtok_r(NULL, " ", &toksave);
}
free(str);
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
}
cb->free_string(context, rock, attr_err);
cb->free_string(context, rock, attr_2rt);
cb->free_string(context, rock, attr_fail2rt);
cb->free_string(context, rock, attr_failopt);
(*respond)(arg, ret, NULL, list, NULL);
}
static krb5_error_code
test_return(krb5_context context, krb5_pa_data *padata, krb5_data *req_pkt,
krb5_kdc_req *request, krb5_kdc_rep *reply,
krb5_keyblock *encrypting_key, krb5_pa_data **send_pa_out,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
const krb5_keyblock *k = cb->client_keyblock(context, rock);
assert(k == encrypting_key || k == NULL);
return 0;
}
krb5_error_code
kdcpreauth_test_initvt(krb5_context context, int maj_ver,
int min_ver, krb5_plugin_vtable vtable);
krb5_error_code
kdcpreauth_test_initvt(krb5_context context, int maj_ver,
int min_ver, krb5_plugin_vtable vtable)
{
krb5_kdcpreauth_vtable vt;
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;
vt = (krb5_kdcpreauth_vtable)vtable;
vt->name = "test";
vt->pa_type_list = pa_types;
vt->edata = test_edata;
vt->verify = test_verify;
vt->return_padata = test_return;
return 0;
}