authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/tests/gss
parentInitial commit. (diff)
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/tests/gss')
-rw-r--r--third_party/heimdal/tests/gss/Makefile.am103
-rw-r--r--third_party/heimdal/tests/gss/NTMakefile35
-rw-r--r--third_party/heimdal/tests/gss/check-basic.in219
-rw-r--r--third_party/heimdal/tests/gss/check-context.in582
-rw-r--r--third_party/heimdal/tests/gss/check-gss.in50
-rw-r--r--third_party/heimdal/tests/gss/check-gssmask.in137
-rw-r--r--third_party/heimdal/tests/gss/check-negoex.in278
-rw-r--r--third_party/heimdal/tests/gss/check-ntlm.in168
-rw-r--r--third_party/heimdal/tests/gss/check-spnego.in246
-rw-r--r--third_party/heimdal/tests/gss/include-krb5.conf17
-rw-r--r--third_party/heimdal/tests/gss/krb5.conf.in53
-rw-r--r--third_party/heimdal/tests/gss/mech.in5
-rw-r--r--third_party/heimdal/tests/gss/new_clients_k5.conf.in5
-rw-r--r--third_party/heimdal/tests/gss/ntlm-user-file.txt2
14 files changed, 1900 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/gss/Makefile.am b/third_party/heimdal/tests/gss/Makefile.am
new file mode 100644
index 0000000..2de36bf
--- /dev/null
+++ b/third_party/heimdal/tests/gss/Makefile.am
@@ -0,0 +1,103 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf new_clients_k5.conf mech
+
+SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
+
+TESTS = $(SCRIPT_TESTS)
+
+check_SCRIPTS = $(SCRIPT_TESTS)
+
+port = 49188
+
+do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \
+ -e 's,[@]srcdir[@],$(srcdir),g' \
+ -e "s,[@]srcdirabs[@],$${srcdirabs},g" \
+ -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
+ -e 's,[@]port[@],$(port),g' \
+ -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \
+ -e "s,[@]objdirabs[@],$${objdirabs},g"
+
+check-gss: check-gss.in Makefile
+ $(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp && \
+ chmod +x check-gss.tmp && \
+ mv check-gss.tmp check-gss
+
+check-gssmask: check-gssmask.in Makefile
+ $(do_subst) < $(srcdir)/check-gssmask.in > check-gssmask.tmp && \
+ chmod +x check-gssmask.tmp && \
+ mv check-gssmask.tmp check-gssmask
+
+check-context: check-context.in Makefile
+ $(do_subst) < $(srcdir)/check-context.in > check-context.tmp && \
+ chmod +x check-context.tmp && \
+ mv check-context.tmp check-context
+
+check-spnego: check-spnego.in Makefile
+ $(do_subst) < $(srcdir)/check-spnego.in > check-spnego.tmp && \
+ chmod +x check-spnego.tmp && \
+ mv check-spnego.tmp check-spnego
+
+check-basic: check-basic.in Makefile
+ $(do_subst) < $(srcdir)/check-basic.in > check-basic.tmp && \
+ chmod +x check-basic.tmp && \
+ mv check-basic.tmp check-basic
+
+check-ntlm: check-ntlm.in Makefile
+ $(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp && \
+ chmod +x check-ntlm.tmp && \
+ mv check-ntlm.tmp check-ntlm
+
+check-negoex: check-negoex.in Makefile
+ $(do_subst) < $(srcdir)/check-negoex.in > check-negoex.tmp && \
+ chmod +x check-negoex.tmp && \
+ mv check-negoex.tmp check-negoex
+
+krb5.conf: krb5.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
+ mv krb5.conf.tmp krb5.conf
+
+new_clients_k5.conf: new_clients_k5.conf.in Makefile
+ $(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
+ mv new_clients_k5.conf.tmp new_clients_k5.conf
+
+mech: mech.in Makefile
+ $(do_subst) < $(srcdir)/mech.in > mech.tmp && \
+ mv mech.tmp mech
+
+CLEANFILES= \
+ $(TESTS) \
+ foopassword \
+ barpassword \
+ krb5ccfile \
+ krb5ccfile-ds \
+ server.keytab \
+ krb5.conf \
+ new_clients_k5.conf \
+ mech \
+ current-db* \
+ *.log \
+ tempfile \
+ check-basic.tmp \
+ check-gss.tmp \
+ check-gssmask.tmp \
+ check-spnego.tmp \
+ check-ntlm.tmp \
+ check-context.tmp
+
+EXTRA_DIST = \
+ NTMakefile \
+ check-basic.in \
+ check-gss.in \
+ check-gssmask.in \
+ check-spnego.in \
+ check-ntlm.in \
+ check-context.in \
+ check-negoex.in \
+ ntlm-user-file.txt \
+ krb5.conf.in \
+ include-krb5.conf \
+ new_clients_k5.conf.in \
+ mech.in
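Review bot: CLEANFILES at lines 107-125 lists the .tmp intermediates for six of the seven generated check scripts but omits `check-negoex.tmp`, and the `krb5.conf.tmp`, `new_clients_k5.conf.tmp` and `mech.tmp` files written by the rules at lines 96, 100 and 104 are missing as well, so an interrupted build leaves them behind after `make clean`. Add `check-negoex.tmp \`, `krb5.conf.tmp \`, `new_clients_k5.conf.tmp \` and `mech.tmp` to the list. The seven check-* rules at lines 60-93 differ only in the script name; a single rule `check-%: check-%.in Makefile` with the recipe `$(do_subst) < $< > $@.tmp && chmod +x $@.tmp && mv $@.tmp $@` would replace them, provided automake's portability warning for pattern rules is acceptable in this tree.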
diff --git a/third_party/heimdal/tests/gss/NTMakefile b/third_party/heimdal/tests/gss/NTMakefile
new file mode 100644
index 0000000..c1ca7a2
--- /dev/null
+++ b/third_party/heimdal/tests/gss/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=tests\gss
+
+!include ../../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/tests/gss/check-basic.in b/third_party/heimdal/tests/gss/check-basic.in
new file mode 100644
index 0000000..c5151c4
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-basic.in
@@ -0,0 +1,219 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+nokeytab="FILE:no-such-keytab"
+cache="FILE:krb5ccfile"
+cache2="FILE:krb5ccfile2"
+nocache="FILE:no-such-cache"
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred"
+test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
+test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+echo upw > ${objdir}/foopassword
+
+${kadmin} add -p upw --use-defaults user@${R} || exit 1
+${kadmin} add -p upw --use-defaults another@${R} || exit 1
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+exitcode=0
+
+echo "initial ticket"
+${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
+
+echo "copy ccache with gss_store_cred"
+# Note we test that the ccache used for storing is token-expanded
+${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
+${klist} -c ${cache2} || exit 1
+
+echo "keytab"
+${acquire_cred} \
+ --acquire-type=accept \
+ --acquire-name=host@host.test.h5l.se || exit 1
+
+echo "keytab w/ short-form name and name canon rules"
+${acquire_cred} \
+ --acquire-type=accept \
+ --acquire-name=host@host || exit 1
+
+echo "keytab w/o name"
+${acquire_cred} \
+ --acquire-type=accept || exit 1
+
+echo "keytab w/ wrong name"
+${acquire_cred} \
+ --acquire-type=accept --kerberos \
+ --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
+
+echo "init using keytab"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --loops=10 \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --loops=10 \
+ --target=host@host.test.h5l.se \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, kerberos)"
+${acquire_cred} \
+ --acquire-type=initiate \
+ --loops=10 \
+ --kerberos \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target, kerberos)"
+${acquire_cred} \
+ --acquire-type=initiate \
+ --loops=10 \
+ --kerberos \
+ --target=host@host.test.h5l.se \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using existing cc"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --acquire-type=initiate \
+ --acquire-name=user || exit 1
+
+KRB5CCNAME=${nocache}
+
+echo "fail init using existing cc"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --acquire-type=initiate \
+ --acquire-name=user 2>/dev/null && exit 1
+
+echo "use gss_krb5_ccache_name for user"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --ccache=${cache} \
+ --acquire-type=initiate \
+ --acquire-name=user >/dev/null || exit 1
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME=${nokeytab}
+
+echo "kcred"
+${test_kcred} || exit 1
+
+${kdestroy} -c ${cache}
+
+KRB5_KTNAME="${keytab}"
+
+echo "init using keytab"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+echo "init using keytab (ccache)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --ccache=${cache} \
+ --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
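Review bot: The initial `kinit` on line 292 is the only step that records a failure with `|| exitcode=1` and carries on, while every other step in the script uses `|| exit 1`; the very next step, `test_add_store_cred` on line 296, needs the ticket that kinit just failed to obtain, so the run would stop there with a misleading "copy ccache" failure instead of at the real cause. Make it consistent with the rest of the file: `${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exit 1`. If the soft failure is intended, a comment saying why this one step must not abort would save the next reader the same question.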
diff --git a/third_party/heimdal/tests/gss/check-context.in b/third_party/heimdal/tests/gss/check-context.in
new file mode 100644
index 0000000..2b866d2
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-context.in
@@ -0,0 +1,582 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+nokeytab="FILE:no-such-keytab"
+cache="FILE:krb5ccfile"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache"
+klist="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5CCNAME=${cache}
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+# add both lucid and lucid.test.h5l.se to simulate aliases
+${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
+${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
+
+
+${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
+${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
+# XXX ext should ext aliases too
+${kadmin} ext -k ${keytab} host/short@${R} || exit 1
+${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+${kadmin} mod --alias=user1.alias user1@${R} || exit 1
+
+# Create a server principal with no AES
+${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
+${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
+${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
+ aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
+${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo u1 > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+echo "Test gss_acquire_cred_with_password" ; > messages.log
+${kdestroy}
+${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
+ host@lucid.test.h5l.se || { eval "$testfailed"; }
+${klist} && { eval "$testfailed"; }
+# These must fail (because wrong password)
+${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
+ host@lucid.test.h5l.se && { eval "$testfailed"; }
+${klist} && { eval "$testfailed"; }
+${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \
+ --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
+${klist} && { eval "$testfailed"; }
+${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \
+ --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
+${klist} && { eval "$testfailed"; }
+${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \
+ --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
+${klist} && { eval "$testfailed"; }
+${context} --client-name=user1@${R} --client-password=u2 \
+ --mech-types=krb5,ntlm --mech-type=krb5 host@lucid.test.h5l.se \
+ && { eval "$testfailed"; }
+# gss_acquire_cred_with_password() must not have side-effects
+${klist} && { eval "$testfailed"; }
+
+echo "Getting client initial tickets" ; > messages.log
+${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
+ { eval "$testfailed"; }
+
+echo "======test unreadable/non existant keytab and its error message" ; > messages.log
+${context} --mech-type=krb5 host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+mv ${keytabfile} ${keytabfile}.no
+
+echo "checking non existant keytabfile (krb5)" ; > messages.log
+${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
+ { eval "$testfailed"; }
+echo "checking non existant keytabfile (spengo)" ; > messages.log
+${context} --mech-type=spnego --mech-types=spnego,krb5 \
+ host@lucid.test.h5l.se > test_context.log 2>&1 && \
+ { eval "$testfailed"; }
+
+mv ${keytabfile}.no ${keytabfile}
+
+echo "======test naming combinations"
+echo "plain" ; > messages.log
+${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+echo "plain w/ short-form hostname" ; > messages.log
+${context} --name-type=hostbased-service host@lucid || \
+ { eval "$testfailed"; }
+echo "plain (krb5)" ; > messages.log
+${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
+ { eval "$testfailed"; }
+echo "plain (krb5 realmless)" ; > messages.log
+${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+echo "plain (krb5 realmless short-form)" ; > messages.log
+${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \
+ { eval "$testfailed"; }
+echo "creating short-form princ"
+${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
+${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
+echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
+#${context} --dns-canon host@lucid.test.h5l.se || \
+# { eval "$testfailed"; }
+echo "dns canon off (long name)" ; > messages.log
+${context} --no-dns-canon host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+echo "dns canon off (short name)" ; > messages.log
+${context} --no-dns-canon host@lucid || \
+ { eval "$testfailed"; }
+echo "dns canon off (short name, krb5)" ; > messages.log
+${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
+ { eval "$testfailed"; }
+echo "dns canon off (short name, krb5)" ; > messages.log
+${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
+ { eval "$testfailed"; }
+
+echo "======test context building"
+for mech in krb5 krb5iov spnego spnegoiov; do
+ if [ "$mech" = "krb5iov" ] ; then
+ mech="krb5"
+ iov="--iov"
+ fi
+ if [ "$mech" = "spnegoiov" ] ; then
+ mech="spnego"
+ iov="--iov"
+ fi
+
+ echo "${mech} no-mutual ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --wrapunwrap ${iov} \
+ --localname=mapped_user1 \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech} mutual ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --mutual \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech} delegate ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --delegate \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech} mutual delegate ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --mutual --delegate \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+done
+
+echo "======test authz-data (krb5)"
+${context} --mech-type=krb5 \
+ --mutual \
+ --wrapunwrap \
+ --on-behalf-of=foo@BAR.TEST.H5L.SE \
+ --name-type=hostbased-service host@lucid.test.h5l.se ||
+ { eval "$testfailed"; }
+
+echo "======dce-style"
+for mech in krb5 krb5iov spnego; do
+ iov=""
+ if [ "$mech" = "krb5iov" ] ; then
+ mech="krb5"
+ iov="--iov"
+ fi
+ if [ "$mech" = "spnegoiov" ] ; then
+ mech="spnego"
+ iov="--iov"
+ fi
+
+ echo "${mech}: dce-style ${iov}" ; > messages.log
+ ${context} \
+ --mech-type=${mech} \
+ --mutual \
+ --dce-style \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+done
+
+echo "======export-import-context"
+for mech in krb5 krb5iov spnego spnegoiov; do
+ iov=""
+ if [ "$mech" = "krb5iov" ] ; then
+ mech="krb5"
+ iov="--iov"
+ fi
+ if [ "$mech" = "spnegoiov" ] ; then
+ mech="spnego"
+ iov="--iov"
+ fi
+
+ echo "${mech}: export-import-context ${iov}" ; > messages.log
+ ${context} \
+ --mech-type=${mech} \
+ --mutual \
+ --export-import-context \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+done
+
+echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
+
+cp ${keytabfile} ${keytabfile}.new
+for mech in krb5 spnego; do
+ echo "${mech}: acceptor_identity positive" ; > messages.log
+ ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
+ --mech-type=$mech host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
+ ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
+ --mech-type=$mech host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech}: acceptor_identity negative" ; > messages.log
+ ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+done
+
+rm ${keytabfile}.new
+
+echo "====== test PAC-based name canonicalization"
+
+${kdestroy}
+${kinit} --password-file=${objdir}/foopassword user1.alias@${R} || \
+ { eval "$testfailed"; }
+
+for mech in krb5 spnego; do
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+ --mech-type=$mech host@lucid.test.h5l.se > name-canon.log || \
+ { eval "$testfailed"; }
+ grep "client name:" name-canon.log | grep "user1.alias@TEST.H5L.SE" > /dev/null && \
+ { echo "client name not canonicalized"; eval "$testfailed"; }
+ grep "client name:" name-canon.log | grep "user1@TEST.H5L.SE" > /dev/null || \
+ { echo "wrong client name"; eval "$testfailed"; }
+done
+
+echo "====== test channel-bindings."
+
+for mech in krb5 spnego; do
+ echo "${mech}: initiator only bindings" ; > messages.log
+ ${context} -v --i-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+ { echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+ echo "${mech}: acceptor only bindings" ; > messages.log
+ ${context} -v --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+ { echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+ echo "${mech}: matching bindings" ; > messages.log
+ ${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+ { echo "no channel-bound flag"; eval "$testfailed"; }
+
+ echo "${mech}: non matching bindings" ; > messages.log
+ ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+
+ echo "${mech}: initiator only bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+ --i-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+ { echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+ echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
+ --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+
+ echo "${mech}: matching bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
+ --i-channel-bindings=abc --a-channel-bindings=abc \
+ --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+ { eval "$testfailed"; }
+ grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+ { echo "no channel-bound flag"; eval "$testfailed"; }
+
+ echo "${mech}: non matching bindings (client-aware)" ; > messages.log
+ KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
+ --i-channel-bindings=abc --a-channel-bindings=xyz \
+ --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+ { eval "$testfailed"; }
+
+done
+
+#echo "sasl-digest-md5"
+#${context} --mech-type=sasl-digest-md5 \
+# --name-type=hostbased-service \
+# host@lucid.test.h5l.se || \
+# { eval "$testfailed"; }
+
+
+echo "====== gss-api session key check"
+
+# this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
+coolenctype="aes256-cts-hmac-sha1-96"
+limit_enctype="des3-cbc-sha1"
+
+echo "Getting client initial tickets" ; > messages.log
+${kinit} --password-file=${objdir}/foopassword user1@${R} || \
+ { eval "$testfailed"; }
+
+
+echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --mutual-auth \
+ --session-enctype=${coolenctype} \
+ --name-type=hostbased-service host@no-aes.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "Building context on cred, check if its limited still" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --client-name=user1@${R} \
+ --limit-enctype="${limit_enctype}" \
+ --mutual-auth \
+ --name-type=hostbased-service host@no-aes.test.h5l.se || \
+ { eval "$testfailed"; }
+
+
+echo "====== ok-as-delegate"
+
+echo "Getting client initial tickets" ; > messages.log
+${kinit} --forwardable \
+ --password-file=${objdir}/foopassword user1@${R} || \
+ { eval "$testfailed"; }
+
+echo "ok-as-delegate not used" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --delegate \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "host without ok-as-delegate with policy-delegate" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --policy-delegate \
+ --server-no-delegate \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "ok-as-delegate used by policy" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --policy-delegate \
+ --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
+${kinit} --ok-as-delegate --forwardable \
+ --password-file=${objdir}/foopassword user1@${R} || \
+ { eval "$testfailed"; }
+
+echo "policy delegate to non delegate host" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --policy-delegate \
+ --server-no-delegate \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "ok-as-delegate" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --delegate \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "======export/import cred"
+
+echo "export-import cred (krb5)" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --delegate \
+ --export-import-cred \
+ --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "export-import cred (spnego)" ; > messages.log
+${context} \
+ --mech-type=spnego \
+ --delegate \
+ --export-import-cred \
+ --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
+ { eval "$testfailed"; }
+
+
+echo "======time diffs between client and server"
+
+echo "Getting client initial ticket" ; > messages.log
+${kinit} --password-file=${objdir}/foopassword user1@${R} || \
+ { eval "$testfailed"; }
+
+echo "No time offset" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "Getting client initial ticket" ; > messages.log
+${kinit} --password-file=${objdir}/foopassword user1@${R} || \
+ { eval "$testfailed"; }
+
+echo "Server time offset" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --mutual-auth \
+ --server-time-offset=3600 \
+ --max-loops=3 \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "Server time offset (cached ?)" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --mutual-auth \
+ --server-time-offset=3600 \
+ --max-loops=2 \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "Getting client initial ticket" ; > messages.log
+${kinit} --password-file=${objdir}/foopassword user1@${R} || \
+ { eval "$testfailed"; }
+# Pre-poplute the cache since tgs-req will fail since our time is wrong
+${kgetcred} host/lucid.test.h5l.se@${R} || \
+ { eval "$testfailed"; }
+
+echo "Client time offset" ; > messages.log
+${context} \
+ --mech-type=krb5 \
+ --mutual-auth \
+ --client-time-offset=3600 \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+echo "Getting client initial tickets (use-referrals)" ; > messages.log
+${kinit} \
+ --password-file=${objdir}/foopassword \
+ --use-referrals user1@${R} || \
+ { eval "$testfailed"; }
+
+# XXX these tests really need to use somethat that resolve to something
+${context} \
+ --mech-type=krb5 \
+ host@short || \
+ { eval "$testfailed"; }
+
+${context} \
+ --mech-type=krb5 \
+ --name-type=krb5-principal-name host/short || \
+ { eval "$testfailed"; }
+
+${context} \
+ --mech-type=krb5 \
+ host@long.test.h5l.se || \
+ { eval "$testfailed"; }
+
+${context} \
+ --mech-type=krb5 \
+ --name-type=krb5-principal-name \
+ host/long.test.h5l.se || \
+ { eval "$testfailed"; }
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit 0
+
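Review bot: In the context-building loop at lines 617-654, `iov` is never reset at the top of an iteration, unlike the later loops at lines 666 and 689 which start with `iov=""`; after the `krb5iov` iteration sets `iov="--iov"`, the following `spnego` iteration inherits it, so the plain (non-IOV) spnego cases are never exercised and their log labels (`${mech} no-mutual ${iov}`) print `--iov` for them. Add `iov=""` as the first line of that loop body, before the `if [ "$mech" = "krb5iov" ]` test. Separately, the label on line 612 repeats line 609's text although line 613 tests the realmless form; `echo "dns canon off (short name, krb5 realmless)"` would tell the two runs apart in the log.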
diff --git a/third_party/heimdal/tests/gss/check-gss.in b/third_party/heimdal/tests/gss/check-gss.in
new file mode 100644
index 0000000..f5254a1
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-gss.in
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+confdir="@confdir@"
+testdir="@testdir@"
+
+. ${env_setup}
+
+${TESTS_ENVIRONMENT} ${gsstool} help > /dev/null || exit 1
+${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms > /dev/null || exit 1
+${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all > /dev/null || exit 1
+${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos > /dev/null || exit 1
+
+exit 0
+
+
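Review bot: `confdir` and `testdir` at L1038–L1039 are assigned but never read, and each `|| exit 1` at L1043–L1046 fails without saying which gsstool invocation broke, so a red run leaves only an exit status to go on. Keeping the one-line form but naming the step is enough, e.g. `${TESTS_ENVIRONMENT} ${gsstool} help > /dev/null || { echo "gsstool help failed"; exit 1; }`. The two unused variables can be dropped, or kept only if a later change in this file is expected to need them.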
diff --git a/third_party/heimdal/tests/gss/check-gssmask.in b/third_party/heimdal/tests/gss/check-gssmask.in
new file mode 100644
index 0000000..539e2e9
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-gssmask.in
@@ -0,0 +1,137 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+gssmask="${TESTS_ENVIRONMENT} ../../appl/gssmask/gssmask"
+gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log"
+gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log"
+gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log"
+gssmaestro="../../appl/gssmask/gssmaestro"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5CCNAME=${cache}
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+# Test virtual principals, why not
+${kadmin} add_ns --key-rotation-epoch=now \
+ --key-rotation-period=15m \
+ --max-ticket-life=10d \
+ --max-renewable-life=20d \
+ --attributes= \
+ "_/test.h5l.se@${R}" || exit 1
+${kadmin} ext -k ${keytab} host/n1.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/n2.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/n3.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Starting client 1"
+${gssmaskn1} --moniker=n1 &
+n1pid=$!
+#echo $n1pid
+#xterm -display :0 -e g ${gssmaskn1} &
+#read x
+
+echo "Starting client 2"
+${gssmaskn2} --moniker=n2 &
+n2pid=$!
+
+echo "Starting client 3"
+${gssmaskn3} --moniker=n3 &
+n3pid=$!
+
+trap "kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null; echo signal killing kdc and maskar; exit 1;" EXIT
+
+sleep 10
+
+# --wrap-ext
+
+${gssmaestro} \
+ --slaves=localhost:8889 \
+ --slaves=localhost:8890 \
+ --slaves=localhost:8891 \
+ --principals=user1@${R}:u1 || exitcode=1
+
+trap "" EXIT
+
+echo "killing kdc and clients (${kdcpid}, ${n1pid}, ${n2pid}, ${n3pid})"
+kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null
+
+exit $exitcode
+
+
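Review bot: `KRB5CCNAME=${cache}` at L1120 reads `cache`, which this script never defines, and the variable is not exported, so the kdc, gssmask and gssmaestro children never see it; either drop the line or define a cache and `export KRB5CCNAME` as the sibling scripts do. `gssmaestro` at L1115 is the only tool here not prefixed with `${TESTS_ENVIRONMENT}`, so whatever wrapper that variable carries for the lines at L1106–L1111 is skipped for the maestro. The fixed `-p 8889`/`8890`/`8891` listeners and the bare `sleep 10` at L1176 make the run racy on a loaded host and collide when two build trees run the suite at once; deriving the three ports from the configured `$port` at L1104 would at least keep them per-build.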
diff --git a/third_party/heimdal/tests/gss/check-negoex.in b/third_party/heimdal/tests/gss/check-negoex.in
new file mode 100644
index 0000000..063e0c1
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-negoex.in
@@ -0,0 +1,278 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile="${objdir}/server.keytab-no"
+keytab="FILE:${keytabfile}-no"
+cache="FILE:krb5ccfile-no"
+cacheds="FILE:krb5ccfile-ds-no"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}-no"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}-no"
+export KRB5CCNAME
+unset NTLM_ACCEPTOR_CCACHE
+unset NTLM_USER_FILE
+
+GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
+export GSSAPI_SPNEGO_NAME
+
+GSS_MECH_CONFIG="${objdir}/mech"
+export GSS_MECH_CONFIG
+
+> messages.log
+
+exitcode=0
+
+echo "======context building for negoex"
+
+for HOPS in 1 2 3 4 5
+do
+ echo "test_negoex_1 $HOPS hops"
+ ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+done
+
+for HOPS in 1 2 3 4 5
+do
+ echo "test_negoex_1 $HOPS hops early keys"
+ KEY=always ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+done
+
+HOPS=1
+echo "test_negoex_1 no keys"
+ KEY=never ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 no optimistic token"
+ NEGOEX_NO_OPTIMISTIC_TOKEN=1 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 initiator query fail, test_negoex_2 pass"
+ INIT_QUERY_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_2 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null || \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 acceptor query fail, test_negoex_2 pass"
+ ACCEPT_QUERY_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_2 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null || \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 acceptor exchange fail, test_negoex_2 pass"
+ ACCEPT_EXCHANGE_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_2 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null || \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 first mech initiator exchange fail"
+ INIT_EXCHANGE_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 first mech initiator exchange fail, two hops"
+ HOPS=2 INIT_EXCHANGE_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 first mech initiator exchange fail, two hops, early keys"
+ HOPS=2 KEY=always INIT_EXCHANGE_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 first mech init_sec_context fail"
+ INIT_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 first mech accept_sec_context fail"
+ HOPS=2 ACCEPT_FAIL=102 ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 alert from acceptor to initiator"
+ HOPS=3 KEY=init-always ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+
+echo "test_negoex_1 alert from initiator to acceptor"
+ HOPS=4 KEY=accept-always ${context} \
+ --mech-type=spnego --ret-mech-type=test_negoex_1 \
+ --name-type=hostbased-service \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+
+unset GSS_MECH_CONFIG
+
+echo "======test context building for sanon-x25519"
+for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
+ iov=""
+ if [ "$mech" = "sanon-x25519iov" ] ; then
+ mech="sanon-x25519"
+ iov="--iov"
+ fi
+ if [ "$mech" = "spnegoiov" ] ; then
+ mech="spnego"
+ iov="--iov"
+ fi
+
+ echo "${mech} anon-flag ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --anonymous \
+ --ret-mech-type=sanon-x25519 \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
+ --wrapunwrap ${iov} \
+ host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech} anon-initiator ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \
+ --ret-mech-type=sanon-x25519 \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
+ --wrapunwrap ${iov} \
+ host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech} anon-acceptor ${iov}" ; > messages.log
+ ${context} --mech-type=${mech} \
+ --ret-mech-type=sanon-x25519 \
+ --i-channel-bindings=negoex_sanon_test_h5l_se \
+ --a-channel-bindings=negoex_sanon_test_h5l_se \
+ --wrapunwrap ${iov} \
+ WELLKNOWN@ANONYMOUS || \
+ { eval "$testfailed"; }
+done
+
+echo "======export-import-context for sanon-x25519"
+for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
+ iov=""
+ if [ "$mech" = "sanon-x25519iov" ] ; then
+ mech="sanon-x25519"
+ iov="--iov"
+ fi
+ if [ "$mech" = "spnegoiov" ] ; then
+ mech="spnego"
+ iov="--iov"
+ fi
+
+ echo "${mech}: export-import-context ${iov}" ; > messages.log
+ ${context} \
+ --mech-type=${mech} \
+ --anonymous \
+ --export-import-context \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+ echo "${mech}: export-import-context ${iov} (split tokens)" ; > messages.log
+ ${context} \
+ --mech-type=${mech} \
+ --anonymous \
+ --export-import-context \
+ --wrapunwrap ${iov} \
+ --token-split=128 \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+done
+
+echo "======dce-style for sanon-x25519"
+for mech in spnego spnegoiov; do
+ iov=""
+ if [ "$mech" = "spnegoiov" ] ; then
+ mech="spnego"
+ iov="--iov"
+ fi
+
+ echo "${mech}: dce-style ${iov}" ; > messages.log
+ ${context} \
+ --mech-type=${mech} \
+ --anonymous --dce-style \
+ --wrapunwrap ${iov} \
+ --name-type=hostbased-service host@lucid.test.h5l.se || \
+ { eval "$testfailed"; }
+
+done
+
+trap "" EXIT
+
+exit $exitcode
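Review bot: The `for HOPS in 1 2 3 4 5` loops at L1275 and L1285 and `HOPS=1` at L1295 set a plain shell variable that is never exported, so unless HOPS already comes exported from `env_setup`, `${context}` and the test mech it loads cannot see it and each loop repeats the one-hop case five times; the later cases that prefix the command (`HOPS=2 INIT_EXCHANGE_FAIL=102 ${context}` at L1339) do reach the child. Adding `export HOPS` after `exitcode=0` at L1271 fixes both loops. The negative cases written as `... 2>/dev/null && { exitcode=1 ; echo test failed; }` (first at L1297–L1301, likewise check-ntlm.in L1617–L1622 and check-spnego.in L1811–L1819, L1864–L1871, L1885–L1892) treat any non-zero exit as the expected refusal, including a missing binary or a crash, so a broken build passes them; capturing the status and rejecting 127 or signal exits, or matching the expected error text on stderr, would make them meaningful. The sanon section from L1383 switches to `eval "$testfailed"`, which this file never defines (presumably supplied by `env_setup`) and which, if it exits as its name suggests, stops at the first failure unlike the `exitcode=1` style above; the `trap "" EXIT` at L1475 also clears a trap this script never set.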
diff --git a/third_party/heimdal/tests/gss/check-ntlm.in b/third_party/heimdal/tests/gss/check-ntlm.in
new file mode 100644
index 0000000..f953630
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-ntlm.in
@@ -0,0 +1,168 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+cache="FILE:krb5ccfile"
+cacheds="FILE:krb5ccfile-ds"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
+kinitds="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cacheds ${afs_no_afslog}"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+NTLM_ACCEPTOR_CCACHE="${cacheds}"
+export NTLM_ACCEPTOR_CCACHE
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
+export GSSAPI_SPNEGO_NAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+
+${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo u1 > ${objdir}/foopassword
+echo ds > ${objdir}/barpassword
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting client initial tickets"
+${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
+echo "Getting digestserver initial tickets"
+${kinitds} --password-file=${objdir}/barpassword digestserver@${R} || exitcode=1
+
+echo "======probe"
+KRB5CCNAME="$cacheds"
+
+ ${kdigest} digest-probe --realm=${R} > /dev/null || \
+ { exitcode=1; echo "test failed"; }
+
+echo "======context building ntlm"
+
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no"
+KRB5CCNAME="$cache"
+
+echo "no NTLM initiator creds"
+${context} --mech-type=ntlm \
+ --mutual \
+ --name-type=hostbased-service \
+ --ret-mech-type=ntlm \
+ host@host.test.h5l.se 2> /dev/null && \
+ { exitcode=1 ; echo "test failed"; }
+
+echo "Getting client initial tickets (with ntlm creds)"
+${kinit} --password-file=${objdir}/foopassword --ntlm-domain=TEST user1@${R} || exitcode=1
+
+echo "NTLM initiator krb5 creds"
+${context} --mech-type=ntlm \
+ --mutual \
+ --name-type=hostbased-service \
+ --ret-mech-type=ntlm \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo "test failed"; }
+
+echo "NTLM initiator krb5 creds (getverifymic, wrapunwrap)"
+${context} --mech-type=ntlm \
+ --mutual \
+ --name-type=hostbased-service \
+ --ret-mech-type=ntlm \
+ --getverifymic --wrapunwrap \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo "test failed"; }
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
+
+
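Review bot: `KRB5CCNAME=${cache}` at L1549 is dead — it is overwritten by the identical assignment at L1552 before the export; the same duplicate pair appears in check-spnego.in at L1722/L1725 and can be dropped in both. The password files written at L1589–L1590 are created with the caller's umask in `${objdir}`; a `umask 077` before them, or `chmod 600` afterwards, keeps even test passwords out of reach of other local accounts on a shared build host. After the negative case at L1613–L1622, `NTLM_USER_FILE` is left pointing at the nonexistent `-no` file for the rest of the script; that looks intentional, since the following cases are titled "krb5 creds", but a comment such as `# leave NTLM_USER_FILE pointing at the missing file: the cases below must take NTLM creds from the ccache filled by kinit --ntlm-domain` would make clear that the remaining tests exercise the ccache path rather than the user file.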
diff --git a/third_party/heimdal/tests/gss/check-spnego.in b/third_party/heimdal/tests/gss/check-spnego.in
new file mode 100644
index 0000000..d6e4d83
--- /dev/null
+++ b/third_party/heimdal/tests/gss/check-spnego.in
@@ -0,0 +1,246 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+cache="FILE:krb5ccfile"
+cacheds="FILE:krb5ccfile-ds"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog} --forwardable"
+kinitds="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cacheds ${afs_no_afslog}"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+NTLM_ACCEPTOR_CCACHE="${cacheds}"
+export NTLM_ACCEPTOR_CCACHE
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
+export GSSAPI_SPNEGO_NAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+
+${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo u1 > ${objdir}/foopassword
+echo ds > ${objdir}/barpassword
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting client initial tickets"
+${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
+echo "Getting digestserver initial tickets"
+${kinitds} --password-file=${objdir}/barpassword digestserver@${R} || exitcode=1
+
+echo "======context building for each mech"
+
+for mech in ntlm krb5 ; do
+ echo "${mech}"
+ ${context} --mech-type=${mech} --ret-mech-type=${mech} \
+ --client-ccache="${cache}" \
+ --gsskrb5-acceptor-identity="${keytab}" \
+ --name-type=hostbased-service host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+done
+
+echo "spnego"
+${context} \
+ --client-ccache="${cache}" \
+ --mech-type=spnego \
+ --ret-mech-type=krb5 \
+ --name-type=hostbased-service \
+ --export-import-context \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+
+echo "spnego (split tokens)"
+${context} \
+ --token-split=128 \
+ --client-ccache="${cache}" \
+ --mech-type=spnego \
+ --ret-mech-type=krb5 \
+ --name-type=hostbased-service \
+ --export-import-context \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+
+echo "test failure cases"
+${context} --mech-type=ntlm --ret-mech-type=krb5 \
+ --client-ccache="${cache}" \
+ --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+${context} --mech-type=krb5 --ret-mech-type=ntlm \
+ --client-ccache="${cache}" \
+ --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+echo "======spnego variants context building"
+
+for arg in \
+ "" \
+ "--mutual" \
+ "--delegate" \
+ "--mutual --delegate" \
+ "--getverifymic --wrapunwrap" \
+ "--mutual --getverifymic --wrapunwrap" \
+ ; do
+
+ echo "no NTLM acceptor cred ${arg}"
+ NTLM_ACCEPTOR_CCACHE="${cacheds}-no"
+ ${context} --mech-type=spnego \
+ $arg \
+ --name-type=hostbased-service \
+ --ret-mech-type=krb5 \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+ NTLM_ACCEPTOR_CCACHE="${cacheds}"
+
+ echo "no NTLM initiator cred ${arg}"
+ NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no"
+ ${context} --mech-type=spnego \
+ $arg \
+ --name-type=hostbased-service \
+ --ret-mech-type=krb5 \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+ NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+
+ echo "no krb5 acceptor cred ${arg}"
+ KRB5_KTNAME="${keytab}-no"
+ ${context} --mech-type=spnego \
+ $arg \
+ --server-no-delegate \
+ --name-type=hostbased-service \
+ --ret-mech-type=ntlm \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+ KRB5_KTNAME="${keytab}"
+
+ echo "no explicit krb5 acceptor cred ${arg}"
+ ${context} --mech-type=spnego \
+ $arg \
+ --gsskrb5-acceptor-identity="${keytab}-no" \
+ --server-no-delegate \
+ --name-type=hostbased-service \
+ --ret-mech-type=krb5 \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+ echo "no krb5 initiator cred ${arg}"
+ KRB5CCNAME="${cache}-no"
+ ${context} --mech-type=spnego \
+ $arg \
+ --server-no-delegate \
+ --name-type=hostbased-service \
+ --ret-mech-type=ntlm \
+ host@host.test.h5l.se || \
+ { exitcode=1 ; echo test failed; }
+ KRB5CCNAME="${cache}"
+
+ echo "no explicit krb5 initiator cred ${arg}"
+ ${context} --mech-type=spnego \
+ $arg \
+ --client-ccache="${cache}-no" \
+ --server-no-delegate \
+ --name-type=hostbased-service \
+ --ret-mech-type=krb5 \
+ host@host.test.h5l.se 2>/dev/null && \
+ { exitcode=1 ; echo test failed; }
+
+done
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
+
+
diff --git a/third_party/heimdal/tests/gss/include-krb5.conf b/third_party/heimdal/tests/gss/include-krb5.conf
new file mode 100644
index 0000000..ae21e9e
--- /dev/null
+++ b/third_party/heimdal/tests/gss/include-krb5.conf
@@ -0,0 +1,17 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+ name_canon_rules = qualify:domain=test.h5l.se
+
+[domain_realms]
+ .test.h5l.se = TEST.H5L.SE
+
+[kdc]
+ enable-digest = true
+ digests_allowed = ntlm-v2,ntlm-v1-session,ntlm-v1
+
+[kadmin]
+ save-password = true
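Review bot: `digests_allowed = ntlm-v2,ntlm-v1-session,ntlm-v1` at L1923 and `save-password = true` at L1926 enable NTLMv1 and plaintext password retention in the KDC and kadmin for the digest tests, and krb5.conf.in widens this further at L1955 (`chap-md5,digest-md5,…,ms-chap-v2`). A header comment stating the scope, e.g. `# Test-only: NTLMv1 and save-password are enabled so check-ntlm/check-spnego can exercise the digest paths; do not reuse these settings in a deployed krb5.conf`, would stop the file from being lifted as a template. `dns_canonicalize_hostname = false` and `dns_lookup_realm = false` at L1913–L1914 are the right choice for a hermetic test and deserve a one-line comment too, since the `name_canon_rules` entries at L1915–L1916 appear to be what the referral cases in the check scripts rely on instead of DNS.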
diff --git a/third_party/heimdal/tests/gss/krb5.conf.in b/third_party/heimdal/tests/gss/krb5.conf.in
new file mode 100644
index 0000000..aae031d
--- /dev/null
+++ b/third_party/heimdal/tests/gss/krb5.conf.in
@@ -0,0 +1,53 @@
+include @srcdirabs@/include-krb5.conf
+
+[libdefaults]
+ default_keytab_name = @objdir@/server.keytab
+ enable-kx509 = yes
+ kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem
+ default_realm = TEST.H5L.SE
+ kuserok = SYSTEM-K5LOGIN:@srcdir@/../kdc/k5login
+ kuserok = USER-K5LOGIN
+ kuserok = SIMPLE
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ auth_to_local_names = {
+ user1 = mapped_user1
+ }
+ }
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/current.log
+ }
+
+[hdb]
+ db-dir = @objdir@
+ enable_virtual_hostbased_princs = true
+ virtual_hostbased_princ_mindots = 1
+ virtual_hostbased_princ_maxdots = 3
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+include @srcdirabs@/missing-krb5.conf
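Review bot: `kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem` at L1938 writes certificate material to a predictable name in the shared `/tmp`; on a multi-user build host another account can pre-create or symlink that path, so pointing it under `@objdir@` (`PEM-FILE:@objdir@/cert_%{euid}.pem`) keeps the test self-contained like every other path in this file. The trailing `include @srcdirabs@/missing-krb5.conf` at L1985 names a file that is not among the additions in this directory, so it is either a deliberate probe or a leftover; if deliberate, say so with `# intentionally absent: checks that a missing include is tolerated`, otherwise remove it. The commented-out `pkinit_revoke` at L1964 is dead config that reads as accidentally disabled CRL checking; either drop it or note why revocation is off in this test.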
diff --git a/third_party/heimdal/tests/gss/mech.in b/third_party/heimdal/tests/gss/mech.in
new file mode 100644
index 0000000..4c4acc9
--- /dev/null
+++ b/third_party/heimdal/tests/gss/mech.in
@@ -0,0 +1,5 @@
+#
+# Test GSS-API mechglue configuration file.
+#
+test_negoex_1 2.25.1414534758 @objdir@/../../lib/gssapi/.libs/test_negoex_mech.so
+test_negoex_2 2.25.1175737388 @objdir@/../../lib/gssapi/.libs/test_negoex_mech.so
diff --git a/third_party/heimdal/tests/gss/new_clients_k5.conf.in b/third_party/heimdal/tests/gss/new_clients_k5.conf.in
new file mode 100644
index 0000000..41c9e21
--- /dev/null
+++ b/third_party/heimdal/tests/gss/new_clients_k5.conf.in
@@ -0,0 +1,5 @@
+include @objdirabs@/krb5.conf
+
+[libdefaults]
+ client_aware_channel_bindings = true
+ report_canonical_client_name = true
diff --git a/third_party/heimdal/tests/gss/ntlm-user-file.txt b/third_party/heimdal/tests/gss/ntlm-user-file.txt
new file mode 100644
index 0000000..cd2c654
--- /dev/null
+++ b/third_party/heimdal/tests/gss/ntlm-user-file.txt
@@ -0,0 +1,2 @@
+# $Id$
+TEST:user1:u1