summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/tests/kdc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/tests/kdc
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/tests/kdc')
-rw-r--r--third_party/heimdal/tests/kdc/Makefile.am441
-rw-r--r--third_party/heimdal/tests/kdc/NTMakefile35
-rw-r--r--third_party/heimdal/tests/kdc/an2ln-db.txt144
-rw-r--r--third_party/heimdal/tests/kdc/check-authz.in134
-rw-r--r--third_party/heimdal/tests/kdc/check-bx509.in675
-rw-r--r--third_party/heimdal/tests/kdc/check-canon.in210
-rw-r--r--third_party/heimdal/tests/kdc/check-cc.in203
-rw-r--r--third_party/heimdal/tests/kdc/check-delegation.in152
-rw-r--r--third_party/heimdal/tests/kdc/check-des.in155
-rw-r--r--third_party/heimdal/tests/kdc/check-digest.in291
-rw-r--r--third_party/heimdal/tests/kdc/check-fast.in214
-rw-r--r--third_party/heimdal/tests/kdc/check-hdb-mitdb.in111
-rw-r--r--third_party/heimdal/tests/kdc/check-httpkadmind.in688
-rw-r--r--third_party/heimdal/tests/kdc/check-iprop.in611
-rw-r--r--third_party/heimdal/tests/kdc/check-kadmin.in412
-rw-r--r--third_party/heimdal/tests/kdc/check-kdc-weak.in37
-rw-r--r--third_party/heimdal/tests/kdc/check-kdc.in1097
-rw-r--r--third_party/heimdal/tests/kdc/check-keys.in104
-rw-r--r--third_party/heimdal/tests/kdc/check-kinit.in149
-rw-r--r--third_party/heimdal/tests/kdc/check-kpasswdd.in194
-rw-r--r--third_party/heimdal/tests/kdc/check-pkinit.in388
-rw-r--r--third_party/heimdal/tests/kdc/check-referral.in231
-rw-r--r--third_party/heimdal/tests/kdc/check-tester.in121
-rw-r--r--third_party/heimdal/tests/kdc/check-uu.in131
-rw-r--r--third_party/heimdal/tests/kdc/donotexists.txt1
-rw-r--r--third_party/heimdal/tests/kdc/hdb-mitdbbin0 -> 16384 bytes
-rw-r--r--third_party/heimdal/tests/kdc/hdb-mitdb.kadm5bin0 -> 8192 bytes
-rw-r--r--third_party/heimdal/tests/kdc/hdb-mitdb.mkeybin0 -> 30 bytes
-rw-r--r--third_party/heimdal/tests/kdc/heimdal.acl10
-rw-r--r--third_party/heimdal/tests/kdc/iprop-acl1
-rw-r--r--third_party/heimdal/tests/kdc/k5login/foo1
-rw-r--r--third_party/heimdal/tests/kdc/k5login/mapped_user11
-rw-r--r--third_party/heimdal/tests/kdc/kdc-tester1.json31
-rw-r--r--third_party/heimdal/tests/kdc/kdc-tester2.json12
-rw-r--r--third_party/heimdal/tests/kdc/kdc-tester3.json23
-rw-r--r--third_party/heimdal/tests/kdc/kdc-tester4.json.in22
-rw-r--r--third_party/heimdal/tests/kdc/krb5-authz.conf.in26
-rw-r--r--third_party/heimdal/tests/kdc/krb5-authz2.conf.in27
-rw-r--r--third_party/heimdal/tests/kdc/krb5-bx509.conf.in187
-rw-r--r--third_party/heimdal/tests/kdc/krb5-canon.conf.in100
-rw-r--r--third_party/heimdal/tests/kdc/krb5-canon2.conf.in97
-rw-r--r--third_party/heimdal/tests/kdc/krb5-cccol.conf.in165
-rw-r--r--third_party/heimdal/tests/kdc/krb5-hdb-mitdb.conf.in60
-rw-r--r--third_party/heimdal/tests/kdc/krb5-httpkadmind.conf.in96
-rw-r--r--third_party/heimdal/tests/kdc/krb5-kcm.conf.in165
-rw-r--r--third_party/heimdal/tests/kdc/krb5-pkinit.conf.in80
-rw-r--r--third_party/heimdal/tests/kdc/krb5.conf.in172
-rw-r--r--third_party/heimdal/tests/kdc/krb5.conf.keys.in19
-rw-r--r--third_party/heimdal/tests/kdc/leaks-kill.sh27
-rw-r--r--third_party/heimdal/tests/kdc/ntlm-user-file.txt1
-rw-r--r--third_party/heimdal/tests/kdc/pki-mapping2
-rw-r--r--third_party/heimdal/tests/kdc/uuserver.txt4
-rw-r--r--third_party/heimdal/tests/kdc/wait-kdc.sh65
53 files changed, 8323 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/Makefile.am b/third_party/heimdal/tests/kdc/Makefile.am
new file mode 100644
index 0000000..f61a7e8
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/Makefile.am
@@ -0,0 +1,441 @@
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = \
+ an2ln-db.txt \
+ kdc-tester4.json \
+ krb5.conf \
+ krb5-kcm.conf \
+ krb5-cccol.conf \
+ krb5-authz.conf \
+ krb5-authz2.conf \
+ krb5-canon.conf \
+ krb5-canon2.conf \
+ krb5-hdb-mitdb.conf \
+ krb5-weak.conf \
+ krb5-pkinit.conf \
+ krb5-bx509.conf \
+ krb5-httpkadmind.conf \
+ krb5-pkinit-win.conf \
+ krb5-master2.conf \
+ krb5-slave2.conf \
+ krb5-slave.conf
+
+check_SCRIPTS = $(SCRIPT_TESTS)
+
+SCRIPT_TESTS = \
+ check-authz \
+ check-canon \
+ check-cc \
+ check-delegation \
+ check-des \
+ check-digest \
+ check-fast \
+ check-kadmin \
+ check-hdb-mitdb \
+ check-kdc \
+ check-kdc-weak \
+ check-keys \
+ check-kpasswdd \
+ check-pkinit \
+ check-bx509 \
+ check-httpkadmind \
+ check-iprop \
+ check-referral \
+ check-tester \
+ check-uu
+
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+admport = 49189
+admport2 = 49190
+pwport = 49191
+restport = 49192
+restport2 = 49193
+ipropport = 49194
+ipropport2 = 49195
+pkinit_ticket_max_life_from_cert = 0
+
+if HAVE_DLOPEN
+do_dlopen = -e 's,[@]DLOPEN[@],true,g'
+else
+do_dlopen = -e 's,[@]DLOPEN[@],false,g'
+endif
+
+do_subst = $(heim_verbose)sed $(do_dlopen) \
+ -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
+ -e 's,[@]top_srcdir[@],$(top_srcdir),g' \
+ -e 's,[@]srcdir[@],$(srcdir),g' \
+ -e 's,[@]port[@],$(port),g' \
+ -e 's,[@]admport[@],$(admport),g' \
+ -e 's,[@]admport2[@],$(admport2),g' \
+ -e 's,[@]bx509port[@],$(restport),g' \
+ -e 's,[@]restport[@],$(restport),g' \
+ -e 's,[@]restport2[@],$(restport2),g' \
+ -e 's,[@]pwport[@],$(pwport),g' \
+ -e 's,[@]ipropport[@],$(ipropport),g' \
+ -e 's,[@]ipropport2[@],$(ipropport2),g' \
+ -e 's,[@]objdir[@],$(top_builddir)/tests/kdc,g' \
+ -e 's,[@]top_builddir[@],$(top_builddir),g' \
+ -e 's,[@]db_type[@],$(db_type),g' \
+ -e 's,[@]max_life_from_cert[@],$(pkinit_ticket_max_life_from_cert),g' \
+ -e 's,[@]ENABLE_AFS_STRING_TO_KEY[@],$(ENABLE_AFS_STRING_TO_KEY),' \
+ -e 's,[@]EGREP[@],$(EGREP),g'
+
+chmod = chmod
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+
+check-authz: check-authz.in Makefile krb5-authz.conf krb5-authz2.conf
+ $(do_subst) < $(srcdir)/check-authz.in > check-authz.tmp && \
+ $(chmod) +x check-authz.tmp && \
+ mv check-authz.tmp check-authz
+
+check-canon: check-canon.in Makefile krb5-canon.conf krb5-canon2.conf
+ $(do_subst) < $(srcdir)/check-canon.in > check-canon.tmp && \
+ $(chmod) +x check-canon.tmp && \
+ mv check-canon.tmp check-canon
+
+check-cc: check-cc.in Makefile
+ $(do_subst) < $(srcdir)/check-cc.in > check-cc.tmp && \
+ $(chmod) +x check-cc.tmp && \
+ mv check-cc.tmp check-cc
+
+check-delegation: check-delegation.in Makefile
+ $(do_subst) < $(srcdir)/check-delegation.in > check-delegation.tmp && \
+ $(chmod) +x check-delegation.tmp && \
+ mv check-delegation.tmp check-delegation
+
+check-des: check-des.in Makefile krb5.conf
+ $(do_subst) < $(srcdir)/check-des.in > check-des.tmp && \
+ $(chmod) +x check-des.tmp && \
+ mv check-des.tmp check-des
+
+check-hdb-mitdb: check-hdb-mitdb.in Makefile krb5-hdb-mitdb.conf
+ $(do_subst) < $(srcdir)/check-hdb-mitdb.in > check-hdb-mitdb.tmp && \
+ $(chmod) +x check-hdb-mitdb.tmp && \
+ mv check-hdb-mitdb.tmp check-hdb-mitdb
+
+check-fast: check-fast.in Makefile
+ $(do_subst) < $(srcdir)/check-fast.in > check-fast.tmp && \
+ $(chmod) +x check-fast.tmp && \
+ mv check-fast.tmp check-fast
+
+check-kdc: check-kdc.in Makefile
+ $(do_subst) < $(srcdir)/check-kdc.in > check-kdc.tmp && \
+ $(chmod) +x check-kdc.tmp && \
+ mv check-kdc.tmp check-kdc
+
+check-kdc-weak: check-kdc-weak.in Makefile
+ $(do_subst) < $(srcdir)/check-kdc-weak.in > check-kdc-weak.tmp && \
+ $(chmod) +x check-kdc-weak.tmp && \
+ mv check-kdc-weak.tmp check-kdc-weak
+
+check-tester: check-tester.in kdc-tester4.json Makefile
+ $(do_subst) < $(srcdir)/check-tester.in > check-tester.tmp && \
+ $(chmod) +x check-tester.tmp && \
+ mv check-tester.tmp check-tester
+
+check-keys: check-keys.in Makefile
+ $(do_subst) < $(srcdir)/check-keys.in > check-keys.tmp && \
+ $(chmod) +x check-keys.tmp && \
+ mv check-keys.tmp check-keys
+
+check-kinit: check-kinit.in Makefile
+ $(do_subst) < $(srcdir)/check-kinit.in > check-kinit.tmp && \
+ $(chmod) +x check-kinit.tmp && \
+ mv check-kinit.tmp check-kinit
+
+check-kadmin: check-kadmin.in Makefile
+ $(do_subst) < $(srcdir)/check-kadmin.in > check-kadmin.tmp && \
+ $(chmod) +x check-kadmin.tmp && \
+ mv check-kadmin.tmp check-kadmin
+
+check-uu: check-uu.in Makefile
+ $(do_subst) < $(srcdir)/check-uu.in > check-uu.tmp && \
+ $(chmod) +x check-uu.tmp && \
+ mv check-uu.tmp check-uu
+
+check-pkinit: check-pkinit.in Makefile krb5-pkinit.conf krb5-pkinit2.conf
+ $(do_subst) < $(srcdir)/check-pkinit.in > check-pkinit.tmp && \
+ $(chmod) +x check-pkinit.tmp && \
+ mv check-pkinit.tmp check-pkinit
+
+check-bx509: check-bx509.in Makefile krb5-bx509.conf
+ $(do_subst) < $(srcdir)/check-bx509.in > check-bx509.tmp && \
+ $(chmod) +x check-bx509.tmp && \
+ mv check-bx509.tmp check-bx509
+
+check-httpkadmind: check-httpkadmind.in Makefile krb5-httpkadmind.conf
+ $(do_subst) < $(srcdir)/check-httpkadmind.in > check-httpkadmind.tmp && \
+ $(chmod) +x check-httpkadmind.tmp && \
+ mv check-httpkadmind.tmp check-httpkadmind
+
+check-iprop: check-iprop.in Makefile krb5.conf krb5-master2.conf krb5-slave.conf krb5-slave2.conf
+ $(do_subst) < $(srcdir)/check-iprop.in > check-iprop.tmp && \
+ $(chmod) +x check-iprop.tmp && \
+ mv check-iprop.tmp check-iprop
+
+check-digest: check-digest.in Makefile
+ $(do_subst) < $(srcdir)/check-digest.in > check-digest.tmp && \
+ $(chmod) +x check-digest.tmp && \
+ mv check-digest.tmp check-digest
+
+check-referral: check-referral.in Makefile
+ $(do_subst) < $(srcdir)/check-referral.in > check-referral.tmp && \
+ $(chmod) +x check-referral.tmp && \
+ mv check-referral.tmp check-referral
+
+check-kpasswdd: check-kpasswdd.in Makefile
+ $(do_subst) < $(srcdir)/check-kpasswdd.in > check-kpasswdd.tmp && \
+ $(chmod) +x check-kpasswdd.tmp && \
+ mv check-kpasswdd.tmp check-kpasswdd
+
+kdc-tester4.json: kdc-tester4.json.in Makefile
+ $(do_subst) < $(srcdir)/kdc-tester4.json.in > kdc-tester4.json.tmp && \
+ mv kdc-tester4.json.tmp kdc-tester4.json
+
+krb5.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],false,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]messages[@],messages,g' \
+ -e 's,[@]ipropstats[@],iprop-stats,g' \
+ -e 's,[@]signalsocket[@],signal,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
+ mv krb5.conf.tmp krb5.conf
+
+krb5-kcm.conf: krb5-kcm.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],false,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-kcm.conf.in > krb5-kcm.conf.tmp && \
+ mv krb5-kcm.conf.tmp krb5-kcm.conf
+
+krb5-cccol.conf: krb5-cccol.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],false,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-cccol.conf.in > krb5-cccol.conf.tmp && \
+ mv krb5-cccol.conf.tmp krb5-cccol.conf
+
+krb5-authz.conf: krb5-authz.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5-authz.conf.in > krb5-authz.conf.tmp && \
+ mv krb5-authz.conf.tmp krb5-authz.conf
+
+krb5-authz2.conf: krb5-authz2.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5-authz2.conf.in > krb5-authz2.conf.tmp && \
+ mv krb5-authz2.conf.tmp krb5-authz2.conf
+
+krb5-canon.conf: krb5-canon.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],false,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-canon.conf.in > krb5-canon.conf.tmp && \
+ mv krb5-canon.conf.tmp krb5-canon.conf
+
+krb5-canon2.conf: krb5-canon2.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],false,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-canon2.conf.in > krb5-canon2.conf.tmp && \
+ mv krb5-canon2.conf.tmp krb5-canon2.conf
+
+krb5-hdb-mitdb.conf: krb5-hdb-mitdb.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],false,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-hdb-mitdb.conf.in > krb5-hdb-mitdb.conf.tmp && \
+ mv krb5-hdb-mitdb.conf.tmp krb5-hdb-mitdb.conf
+
+krb5-weak.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],true,g' \
+ -e 's,[@]dk[@],default_keys = aes256-cts-hmac-sha1-96:pw-salt arcfour-hmac-md5:pw-salt des3-cbc-sha1:pw-salt des:pw-salt,g' \
+ -e 's,[@]messages[@],messages,g' \
+ -e 's,[@]signalsocket[@],signal,g' \
+ -e 's,[@]ipropstats[@],iprop-stats,g' \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5-weak.conf.tmp && \
+ mv krb5-weak.conf.tmp krb5-weak.conf
+
+krb5-slave.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],true,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]messages[@],messages,g' \
+ -e 's,[@]signalsocket[@],signal2,g' \
+ -e 's,[@]ipropstats[@],iprop-stats,g' \
+ -e 's,[@]kdc[@],.slave,g' < $(srcdir)/krb5.conf.in > krb5-slave.conf.tmp && \
+ mv krb5-slave.conf.tmp krb5-slave.conf
+
+krb5-master2.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],true,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]messages[@],messages2,g' \
+ -e 's,[@]signalsocket[@],signal2,g' \
+ -e 's,[@]ipropstats[@],iprop-stats2,g' \
+ -e 's,[@]kdc[@],.slave,g' < $(srcdir)/krb5.conf.in > krb5-master2.conf.tmp && \
+ mv krb5-master2.conf.tmp krb5-master2.conf
+
+krb5-slave2.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]WEAK[@],true,g' \
+ -e 's,[@]dk[@],,g' \
+ -e 's,[@]messages[@],messages2,g' \
+ -e 's,[@]signalsocket[@],signal3,g' \
+ -e 's,[@]ipropstats[@],iprop-stats2,g' \
+ -e 's,[@]kdc[@],.slave2,g' < $(srcdir)/krb5.conf.in > krb5-slave2.conf.tmp && \
+ mv krb5-slave2.conf.tmp krb5-slave2.conf
+
+krb5-pkinit.conf: krb5-pkinit.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit.conf.tmp && \
+ mv krb5-pkinit.conf.tmp krb5-pkinit.conf
+
+krb5-pkinit2.conf : pkinit_ticket_max_life_from_cert = 30d
+
+krb5-pkinit2.conf: krb5-pkinit.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit2.conf.tmp && \
+ mv krb5-pkinit2.conf.tmp krb5-pkinit2.conf
+
+krb5-bx509.conf: krb5-bx509.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-bx509.conf.in > krb5-bx509.conf.tmp && \
+ mv krb5-bx509.conf.tmp krb5-bx509.conf
+
+krb5-httpkadmind.conf: krb5-httpkadmind.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-httpkadmind.conf.in > krb5-httpkadmind.conf.tmp && \
+ mv krb5-httpkadmind.conf.tmp krb5-httpkadmind.conf
+
+krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],yes,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit-win.conf.tmp && \
+ mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf
+
+clean: clean-am
+ rm -rf cc_dir simple_csr_authz
+
+CLEANFILES= \
+ $(TESTS) \
+ *.crt \
+ *.der \
+ *.log \
+ *.pem \
+ *.pid \
+ *.tmp \
+ acache.krb5 \
+ barpassword \
+ ca.crt \
+ cache.krb5 \
+ cache2.krb5 \
+ cdigest-reply \
+ client-cache \
+ curlheaders \
+ current-db* \
+ current.log* \
+ digest-reply \
+ extracted_config \
+ extracted_keytab* \
+ foopassword \
+ foopassword.rkpty \
+ iprop-stats \
+ iprop-stats2 \
+ iprop.keytab \
+ ipropd.dumpfile \
+ kdc-tester4.json \
+ krb5-authz.conf \
+ krb5-authz2.conf \
+ krb5-canon.conf \
+ krb5-canon2.conf \
+ krb5-cc.conf \
+ krb5-cccol.conf \
+ krb5-hdb-mitdb.conf \
+ krb5-master2.conf \
+ krb5-pkinit-win.conf \
+ krb5-pkinit.conf \
+ krb5-pkinit2.conf \
+ krb5-bx509.conf \
+ krb5-httpkadmind.conf \
+ krb5-slave2.conf \
+ krb5-slave.conf \
+ krb5-weak.conf \
+ krb5.conf \
+ krb5.conf.keys \
+ kt \
+ leaks-log \
+ localname \
+ malloc-log \
+ malloc-log-master \
+ malloc-log-slave \
+ messages.log2 \
+ negotiate-token \
+ notfoopassword \
+ o2cache.krb5 \
+ o2digest-reply \
+ ocache.krb5 \
+ out-log \
+ req \
+ response-headers \
+ s2digest-reply \
+ sdb \
+ sdigest-init \
+ sdigest-reply \
+ server.keytab \
+ signal \
+ signal2 \
+ signal3 \
+ tempfile \
+ test-rc-file.rc \
+ ukt \
+ uuserver.log
+
+EXTRA_DIST = \
+ NTMakefile \
+ an2ln-db.txt \
+ check-authz.in \
+ check-bx509.in \
+ check-canon.in \
+ check-cc.in \
+ check-delegation.in \
+ check-des.in \
+ check-digest.in \
+ check-fast.in \
+ check-hdb-mitdb.in \
+ check-httpkadmind.in \
+ check-iprop.in \
+ check-kadmin.in \
+ check-kdc-weak.in \
+ check-kdc.in \
+ check-keys.in \
+ check-kinit.in \
+ check-kpasswdd.in \
+ check-pkinit.in \
+ check-referral.in \
+ check-tester.in \
+ check-uu.in \
+ donotexists.txt \
+ hdb-mitdb \
+ hdb-mitdb.kadm5 \
+ hdb-mitdb.mkey \
+ heimdal.acl \
+ iprop-acl \
+ k5login/foo \
+ k5login/mapped_user1 \
+ kdc-tester1.json \
+ kdc-tester2.json \
+ kdc-tester3.json \
+ kdc-tester4.json.in \
+ krb5-authz.conf.in \
+ krb5-authz2.conf.in \
+ krb5-bx509.conf.in \
+ krb5-canon.conf.in \
+ krb5-canon2.conf.in \
+ krb5-cccol.conf.in \
+ krb5-hdb-mitdb.conf.in \
+ krb5-httpkadmind.conf.in \
+ krb5-pkinit.conf.in \
+ krb5.conf.in \
+ krb5.conf.keys.in \
+ leaks-kill.sh \
+ ntlm-user-file.txt \
+ pki-mapping \
+ uuserver.txt \
+ wait-kdc.sh
diff --git a/third_party/heimdal/tests/kdc/NTMakefile b/third_party/heimdal/tests/kdc/NTMakefile
new file mode 100644
index 0000000..16ca0a7
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=tests\kdc
+
+!include ../../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/tests/kdc/an2ln-db.txt b/third_party/heimdal/tests/kdc/an2ln-db.txt
new file mode 100644
index 0000000..0b2fe38
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/an2ln-db.txt
@@ -0,0 +1,144 @@
+0575ee035f72dfb1 junk
+074897aaa3c4eace junk
+0c0015d1cb0edf2e junk
+15c02bb64902a207 junk
+1730cb4567c1bfce junk
+17c6e78171587710 junk
+21bef891f06af28e junk
+2358b67cdd649987 junk
+2b334ee5d32eb55b junk
+2f4cd4424e58822d junk
+4758f671c662b7e2 junk
+4bf0af25dd5211bd junk
+4d7f715b271ddb10 junk
+4f701fa5a4055c00 junk
+4f7634440d7bef3a junk
+5593a6bc03a68a3d junk
+5652948873ae4a9b junk
+5ababa9c833ce592 junk
+5c2fb83355b59cf1 junk
+5cf29f522abbcbe1 junk
+5d184a0f45bdaf61 junk
+70a01e2a09ba4b40 junk
+75bdfdb4c9c9b26b junk
+787aa58456e66463 junk
+788fa38b04026ca9 junk
+79ad9f69fb354592 junk
+7a686ba61c736eb1 junk
+807644c5c50f29d5 junk
+826de82aa81c3f8a junk
+85316d269114d787 junk
+86b7d20af35cffba junk
+895ca88e162d398f junk
+9008213d189aac2b junk
+98a51d5c9a172691 junk
+9af7d4a596944dcf junk
+a094067ad439189c junk
+a86904ae8f55df9e junk
+aa3ae6e252f65711 junk
+b19ffc6336a23be3 junk
+b4e37e4d23c4d7be junk
+b5c8b14d1e8ae7cb junk
+b9365f7ec3b0d52c junk
+bar/mapped1@TEST2.H5L.SE foobar
+bar/mapped2@TEST2.H5L.SE foobaz
+c118fb30610b8011 junk
+c19ffa62f50ad8f7 junk
+c9fce89738e25054 junk
+cb4555bb49891436 junk
+ccfb9930466fe627 junk
+cd2e8bc1fd014a86 junk
+d0d8dfeddf1b1eaa junk
+d22ff9ea01dfe15f junk
+d2bce251fcf6d5a3 junk
+d377b118646db95d junk
+d42fd3b12935a24a junk
+d948845a3b0068ac junk
+dbb143ecf6019b50 junk
+dbe41b5888e50c9c junk
+dd7a0a53ed569e21 junk
+dd82f76178ff0315 junk
+e1d62414205aa5a1 junk
+e3156ded04399027 junk
+e6bccd04c18fbd2e junk
+e9cb04e892e8f072 junk
+ebb5773344e4ade4 junk
+ef08d2dc9fef4f05 junk
+f59975170a04e071 junk
+f75338796ea735f0 junk
+f8cd2e85efa891af junk
+fd6e5e417b8296a7 junk
+foo/mapped1@TEST2.H5L.SE foo_mapped
+mapped1@TEST2.H5L.SE m1
+mapped1@TEST3.H5L.SE mapped1
+mapped2@TEST2.H5L.SE m2
+mapped2@TEST3.H5L.SE mapped2
+user1@@TEST.H5L.SE mapped_user1
+z008213d189aac2b junk
+z07644c5c50f29d5 junk
+z094067ad439189c junk
+z0a01e2a09ba4b40 junk
+z0d8dfeddf1b1eaa junk
+z118fb30610b8011 junk
+z19ffa62f50ad8f7 junk
+z19ffc6336a23be3 junk
+z1bef891f06af28e junk
+z1d62414205aa5a1 junk
+z22ff9ea01dfe15f junk
+z26de82aa81c3f8a junk
+z2bce251fcf6d5a3 junk
+z3156ded04399027 junk
+z358b67cdd649987 junk
+z377b118646db95d junk
+z42fd3b12935a24a junk
+z4e37e4d23c4d7be junk
+z5316d269114d787 junk
+z575ee035f72dfb1 junk
+z593a6bc03a68a3d junk
+z59975170a04e071 junk
+z5bdfdb4c9c9b26b junk
+z5c02bb64902a207 junk
+z5c8b14d1e8ae7cb junk
+z652948873ae4a9b junk
+z6b7d20af35cffba junk
+z6bccd04c18fbd2e junk
+z730cb4567c1bfce junk
+z74897aaa3c4eace junk
+z75338796ea735f0 junk
+z758f671c662b7e2 junk
+z7c6e78171587710 junk
+z86904ae8f55df9e junk
+z87aa58456e66463 junk
+z88fa38b04026ca9 junk
+z8a51d5c9a172691 junk
+z8cd2e85efa891af junk
+z9365f7ec3b0d52c junk
+z948845a3b0068ac junk
+z95ca88e162d398f junk
+z9ad9f69fb354592 junk
+z9cb04e892e8f072 junk
+z9fce89738e25054 junk
+za3ae6e252f65711 junk
+za686ba61c736eb1 junk
+zababa9c833ce592 junk
+zaf7d4a596944dcf junk
+zb334ee5d32eb55b junk
+zb4555bb49891436 junk
+zbb143ecf6019b50 junk
+zbb5773344e4ade4 junk
+zbe41b5888e50c9c junk
+zbf0af25dd5211bd junk
+zc0015d1cb0edf2e junk
+zc2fb83355b59cf1 junk
+zcf29f522abbcbe1 junk
+zcfb9930466fe627 junk
+zd184a0f45bdaf61 junk
+zd2e8bc1fd014a86 junk
+zd6e5e417b8296a7 junk
+zd7a0a53ed569e21 junk
+zd7f715b271ddb10 junk
+zd82f76178ff0315 junk
+zf08d2dc9fef4f05 junk
+zf4cd4424e58822d junk
+zf701fa5a4055c00 junk
+zf7634440d7bef3a junk
diff --git a/third_party/heimdal/tests/kdc/check-authz.in b/third_party/heimdal/tests/kdc/check-authz.in
new file mode 100644
index 0000000..02015b3
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-authz.in
@@ -0,0 +1,134 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="."
+
+. ${env_setup}
+
+srcdir="${top_srcdir}/tests/kdc"
+test_alname="${test_alname} --simple"
+
+rm -f localname
+
+check_localname() {
+ stderr=
+ if test "$2" -ne 0; then
+ stderr="2>/dev/null"
+ fi
+ eval ${test_alname} "'$1'" > localname $stderr
+ status=$?
+ if test $status -ne "$2"; then
+ echo "Unexpected exit code from test_alname $1: $status"
+ exit 1
+ fi
+ if test $status -ne 0; then
+ return 0
+ fi
+ read lname < localname
+ if test "X$lname" != "X$3"; then
+ echo "Unexpected mapping of $1: $lname"
+ exit 1
+ fi
+ return 0
+}
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+R3=TEST3.H5L.SE
+R4=TEST4.H5L.SE
+
+KRB5_CONFIG="${objdir}/krb5-authz.conf"
+export KRB5_CONFIG
+
+echo "Checking 1-component principal names in default realms"
+check_localname mapped1@${R} 0 foo || exit 1
+check_localname mapped2@${R} 0 bar || exit 1
+check_localname mapped1@${R2} 0 m1 || exit 1
+check_localname mapped2@${R2} 0 m2 || exit 1
+check_localname mapped1@${R3} 0 mapped1 || exit 1
+check_localname mapped2@${R3} 0 mapped2 || exit 1
+check_localname notmapped1@${R} 0 notmapped1 || exit 1
+check_localname notmapped1@${R2} 0 notmapped1 || exit 1
+check_localname notmapped1@${R3} 0 notmapped1 || exit 1
+
+echo "Checking 1-component principal names in non-default realm"
+check_localname mapped1@${R4} 1 || exit 1
+check_localname notmapped1@${R4} 1 || exit 1
+
+echo "Checking 2-component principal names"
+check_localname foo/mapped1@${R} 0 foo || exit 1
+check_localname foo/mapped2@${R} 0 bar || exit 1
+check_localname bar/mapped1@${R2} 0 foobar || exit 1
+check_localname bar/mapped2@${R2} 0 foobaz || exit 1
+check_localname foo/mapped1@${R3} 1 || exit 1
+check_localname bar/mapped1@${R3} 1 || exit 1
+check_localname foo/notmapped1@${R} 1 || exit 1
+check_localname bar/notmapped1@${R2} 1 || exit 1
+
+echo "Checking 2-component principal names in non-default realm"
+check_localname foo/mapped1@${R4} 1 || exit 1
+check_localname bar/mapped1@${R4} 1 || exit 1
+check_localname foo/notmapped1@${R4} 1 || exit 1
+check_localname bar/notmapped1@${R4} 1 || exit 1
+
+echo "Checking for overflow"
+test_alname="${test_alname} --simple --lname-size=1"
+check_localname mapped1@${R} 3 || exit 1
+check_localname mapped2@${R} 3 || exit 1
+check_localname mapped1@${R2} 3 || exit 1
+check_localname mapped2@${R2} 3 || exit 1
+check_localname mapped1@${R3} 3 || exit 1
+check_localname mapped2@${R3} 3 || exit 1
+
+echo "Checking krb5_kuserok()"
+${test_kuserok} random-princ@RANDOM-REALM foo > /dev/null || exit 1
+${test_kuserok} mapped1@${R} foo > /dev/null || exit 1
+${test_kuserok} mapped1@${R2} m1 > /dev/null || exit 1
+${test_kuserok} notmapped1@${R3} notmapped1 > /dev/null || exit 1
+${test_kuserok} this-better-not-exist@NOR-THIS foo > /dev/null && exit 1
+
+KRB5_CONFIG="${objdir}/krb5-authz2.conf"
+export KRB5_CONFIG
+
+echo "Checking krb5_kuserok() (with authoritative k5login files)"
+${test_kuserok} random-princ@RANDOM-REALM foo > /dev/null || exit 1
+${test_kuserok} mapped1@${R} foo > /dev/null && exit 1
+${test_kuserok} mapped1@${R2} m1 > /dev/null || exit 1
+${test_kuserok} notmapped1@${R3} notmapped1 > /dev/null || exit 1
+${test_kuserok} this-better-not-exist@NOR-THIS foo > /dev/null && exit 1
+
+rm -f messages.log
+
+exit 0
diff --git a/third_party/heimdal/tests/kdc/check-bx509.in b/third_party/heimdal/tests/kdc/check-bx509.in
new file mode 100644
index 0000000..b50239d
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-bx509.in
@@ -0,0 +1,675 @@
+#!/bin/sh
+#
+# Copyright (c) 2019 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+DCs="DC=test,DC=h5l,DC=se"
+
+port=@port@
+bx509port=@bx509port@
+
+kadmin="${kadmin} -l -r $R"
+bx509d="${bx509d} --reverse-proxied -p $bx509port"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=datan.test.h5l.se
+otherserver=other.test.h5l.se
+cachefile="${objdir}/cache.krb5"
+cache="FILE:${cachefile}"
+cachefile2="${objdir}/cache2.krb5"
+cache2="FILE:${cachefile2}"
+keyfile="${hx509_data}/key.der"
+keyfile2="${hx509_data}/key2.der"
+kt=${objdir}/kt
+keytab=FILE:${kt}
+ukt=${objdir}/ukt
+ukeytab=FILE:${ukt}
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist2="${klist} --hidden -v -c $cache2"
+klistjson="${klist} --json -c $cache"
+klist="${klist} --hidden -v -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+kx509="${kx509} -c $cache"
+
+KRB5_CONFIG="${objdir}/krb5-bx509.conf"
+export KRB5_CONFIG
+
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+ rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+ rsa=no
+fi
+
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+ pkinit=yes
+fi
+
+# If we doesn't support pkinit and have RSA, give up
+if test "$pkinit" != yes -o "$rsa" != yes ; then
+ exit 77
+fi
+
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f *.pem *.crt *.der
+rm -rf simple_csr_authz
+
+mkdir -p simple_csr_authz
+
+> messages.log
+
+# We'll avoid using a KDC for now. For testing /bx509 we only need keys for
+# Negotiate tokens, and we'll use ktutil and kimpersonate to make it possible
+# to create and accept those without a KDC. When we test /bnegotiate, however,
+# we'll start a KDC.
+
+# csr_grant ext-type value grantee_principal
+csr_grant() {
+ mkdir -p "${objdir}/simple_csr_authz/${3}"
+ touch "${objdir}/simple_csr_authz/${3}/${1}-${2}"
+}
+
+csr_revoke() {
+ rm -rf "${objdir}/simple_csr_authz"
+ mkdir -p "${objdir}/simple_csr_authz"
+}
+
+# get_cert "" curl-opts
+# get_cert "&qparams" curl-opts
+get_cert() {
+ url="http://${server}:${bx509port}/bx509?csr=$csr${1}"
+ shift
+ curl -g --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "$@" "$url"
+}
+
+rm -f $kt $ukt
+$ktutil -k $keytab add -r -V 1 -e aes128-cts-hmac-sha1-96 \
+ -p HTTP/datan.test.h5l.se@${R} ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+$ktutil -k $keytab list ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+$kimpersonate --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96 \
+ -c foo@${R} -s HTTP/datan.test.h5l.se@${R} ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+$klist ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+
+echo "Setting up certificates"
+# We need:
+#
+# - a CA certificate for issuing client certificates
+# - a CA certificate for issuing server certificates
+# - a CA certificate for issuing mixed certificates
+# - a certificate for bx509 itself (well, not in reverse proxy mode, but we'll
+# make one anyways)
+
+# Make the realm's user cert issuer CA certificate.
+#
+# NOTE WELL: We need all three KeyUsage values listed below!
+# We also need this to be of type "pkinit-kdc",
+# which means we'll get an appropriate EKU OID as
+# well.
+$hxtool ca --issue-ca --self-signed --type=pkinit-kdc \
+ --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
+ --pk-init-principal=krbtgt/${R}@${R} \
+ --generate-key=rsa --key-bits=1024 \
+ --subject="OU=Users,CN=KDC,${DCs}" \
+ --certificate=PEM-FILE:"${objdir}/user-issuer.pem" ||
+ { echo "failed to setup CA certificate"; exit 2; }
+
+# We'll use the user cert issuer as the PKINIT anchor, allowing bx509-issued
+# certificates to be used for PKINIT. Though we won't be testing PKINIT here
+# -- we test kx509->PKINIT in check-pkinit.
+cp ${objdir}/user-issuer.pem ${objdir}/pkinit-anchor.pem
+
+# Put the cert alone in the trust anchors file
+ex "${objdir}/pkinit-anchor.pem" <<"EOF"
+/-----BEGIN CERTIFICATE-----
+1,.-1 d
+wq
+EOF
+
+$hxtool ca --issue-ca --self-signed \
+ --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
+ --generate-key=rsa --key-bits=1024 \
+ --subject="OU=Servers,CN=KDC,${DCs}" \
+ --certificate=PEM-FILE:"${objdir}/server-issuer.pem" ||
+ { echo "failed to setup CA certificate"; exit 2; }
+
+$hxtool ca --issue-ca --self-signed \
+ --ku=digitalSignature --ku=keyCertSign --ku=cRLSign \
+ --generate-key=rsa --key-bits=1024 \
+ --subject="OU=Users,CN=KDC,${DCs}" \
+ --certificate=PEM-FILE:"${objdir}/mixed-issuer.pem" ||
+ { echo "failed to setup CA certificate"; exit 2; }
+
+$hxtool ca --issue-ca --type=https-negotiate-server \
+ --ca-certificate=PEM-FILE:"${objdir}/server-issuer.pem" \
+ --ku=digitalSignature --pk-init-principal=HTTP/${server}@${R}\
+ --generate-key=rsa --key-bits=1024 --subject="" \
+ --certificate=PEM-FILE:"${objdir}/bx509.pem" ||
+ { echo "failed to setup CA certificate"; exit 2; }
+
+# XXX Before starting bx509d let us use kdc test programs to check that:
+#
+# - the negotiate token validator plugin works
+# - the simple CSR authorizer plugin works
+# - the KDC CA tester program works
+
+echo "Check gss-token and Negotiate token validator plugin"
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server | tr A B)
+$test_token_validator -a datan.test.h5l.se Negotiate "$token" &&
+ { echo "Negotiate token validator accepted invalid token"; exit 2; }
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
+$test_token_validator -a datan.test.h5l.se Negotiate "$token" ||
+ { echo "Negotiate token validator failed to validate valid token"; exit 2; }
+
+echo "Making a plain CSR"
+$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
+ --key=FILE:"${objdir}/k.der" "${objdir}/req" ||
+ { echo "Failed to make a CSR"; exit 2; }
+
+rm -f trivial.pem server.pem email.pem
+
+echo "Testing plain user cert issuance KDC CA"
+$test_kdc_ca -a bx509 -A foo@${R} PKCS10:${objdir}/req \
+ PEM-FILE:${objdir}/trivial.pem ||
+ { echo "Trivial offline CA test failed"; exit 2; }
+$hxtool print --content PEM-FILE:${objdir}/trivial.pem ||
+ { echo "Trivial offline CA test failed"; exit 2; }
+$hxtool acert --end-entity \
+ --expr="%{certificate.subject} == \"CN=foo,$DCs\"" \
+ -P "foo@${R}" "FILE:${objdir}/trivial.pem" ||
+ { echo "Trivial offline CA test failed"; exit 2; }
+$hxtool acert --expr="%{certificate.subject} == \"OU=Users,CN=KDC,$DCs\"" \
+ --lacks-private-key "FILE:${objdir}/trivial.pem" ||
+ { echo "Trivial offline CA test failed (issuer private keys included!!)"; exit 2; }
+
+echo "Testing other cert issuance KDC CA"
+csr_revoke
+# https server cert
+$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
+ --key=FILE:"${objdir}/k.der" \
+ --eku=id_pkix_kp_serverAuth \
+ --dnsname=foo.test.h5l.se "${objdir}/req" ||
+ { echo "Failed to make a CSR with a dNSName SAN request"; exit 2; }
+$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
+ PEM-FILE:${objdir}/server.pem &&
+ { echo "Trivial offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
+csr_grant dnsname foo.test.h5l.se foo@${R}
+csr_grant eku 1.3.6.1.5.5.7.3.1 foo@${R}
+$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
+ PEM-FILE:${objdir}/server.pem ||
+ { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+$hxtool print --content PEM-FILE:${objdir}/server.pem ||
+ { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+$hxtool acert --expr="%{certificate.subject} == \"OU=Servers,CN=KDC,$DCs\"" \
+ --lacks-private-key "FILE:${objdir}/server.pem" ||
+ { echo "Trivial offline CA test failed (issuer private keys included!!)"; exit 2; }
+# email cert
+$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
+ --key=FILE:"${objdir}/k.der" \
+ --eku=id_pkix_kp_clientAuth \
+ --email=foo@test.h5l.se "${objdir}/req" ||
+ { echo "Failed to make a CSR with an rfc822Name SAN request"; exit 2; }
+$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
+ PEM-FILE:${objdir}/email.pem &&
+ { echo "Offline CA test failed: unauthorized issuance (dNSName)"; exit 2; }
+csr_grant email foo@test.h5l.se foo@${R}
+csr_grant eku 1.3.6.1.5.5.7.3.2 foo@${R}
+$test_kdc_ca -a bx509 foo@${R} PKCS10:${objdir}/req \
+ PEM-FILE:${objdir}/email.pem ||
+ { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+$hxtool print --content PEM-FILE:${objdir}/email.pem ||
+ { echo "Offline CA test failed for explicitly authorized dNSName"; exit 2; }
+$hxtool acert --expr="%{certificate.subject} == \"OU=Users,CN=KDC,$DCs\"" \
+ --lacks-private-key "FILE:${objdir}/email.pem" ||
+ { echo "Offline CA test failed (issuer private keys included!!)"; exit 2; }
+
+if ! which curl; then
+ echo "curl is not available -- not testing bx509d"
+ exit 77
+fi
+
+if ! test -x ${objdir}/../../kdc/bx509d; then
+ echo "Configured w/o libmicrohttpd -- not testing bx509d"
+ exit 77
+fi
+
+echo "Creating database"
+${kadmin} init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+${kadmin} add -r --use-defaults foo@${R} || exit 1
+${kadmin} add -r --use-defaults bar@${R} || exit 1
+${kadmin} modify --pkinit-acl="CN=foo,DC=test,DC=h5l,DC=se" foo@${R} || exit 1
+
+
+echo "Starting bx509d"
+${bx509d} -H $server --cert=${objdir}/bx509.pem -t --daemon ||
+ { echo "bx509 failed to start"; exit 2; }
+bx509pid=`getpid bx509d`
+
+trap "kill -9 ${bx509pid}; echo signal killing bx509d; exit 1;" EXIT
+ec=0
+
+rm -f trivial.pem server.pem email.pem
+
+echo "Making a plain CSR"
+csr_revoke
+$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
+ --key=FILE:"${objdir}/k.der" "${objdir}/req" ||
+ { echo "Failed to make a CSR"; exit 2; }
+csr=$($rkbase64 -- ${objdir}/req | $rkvis -h --stdin)
+
+# XXX Add autoconf check for curl?
+# Create a barebones bx509 HTTP/1.1 client test program?
+
+echo "Fetching a trivial user certificate"
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
+if (set -vx; get_cert '' -sf -o "${objdir}/trivial.pem"); then
+ $hxtool print --content "FILE:${objdir}/trivial.pem"
+ if $hxtool acert --end-entity \
+ --expr="%{certificate.subject} == \"CN=foo,$DCs\"" \
+ -P "foo@${R}" "FILE:${objdir}/trivial.pem"; then
+ echo 'Successfully obtained a trivial client certificate!'
+ else
+ echo 'FAIL: Obtained a trivial client certificate w/o expected PKINIT SAN)'
+ exit 1
+ fi
+ if $hxtool acert --expr="%{certificate.subject} == \"OU=Users,$DCs\"" \
+ --has-private-key "FILE:${objdir}/trivial.pem"; then
+ echo 'Successfully obtained a trivial client certificate!'
+ fi
+else
+ echo 'Failed to get a certificate!'
+ exit 1
+fi
+
+echo "Checking that authorization is enforced"
+csr_revoke
+get_cert '&rfc822Name=foo@bar.example' -vvv -o "${objdir}/bad1.pem"
+if (set -vx; get_cert '&rfc822Name=foo@bar.example' -sf -o "${objdir}/trivial.pem"); then
+ $hxtool print --content "FILE:${objdir}/bad1.pem"
+ echo 'Obtained a client certificate for a non-granted name!'
+ exit 1
+else
+ echo 'Correctly failed to get a client certificate for a non-granted name'
+fi
+
+if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/bad2.pem"); then
+ $hxtool print --content "FILE:${objdir}/bad2.pem"
+ echo 'Obtained a server certificate for a non-granted name!'
+ exit 1
+else
+ echo 'Correctly failed to get a server certificate for a non-granted name'
+fi
+
+echo "Fetching a server certificate with one dNSName SAN"
+csr_grant dnsname $server foo@${R}
+if (set -vx; get_cert "&dNSName=$server" -sf -o "${objdir}/server.pem"); then
+ $hxtool print --content "FILE:${objdir}/server.pem"
+ if (set -vx; $hxtool acert --expr="%{certificate.subject} == \"\"" \
+ --end-entity -P foo@${R} \
+ "FILE:${objdir}/server.pem"); then
+ echo 'Got a broken server certificate (has PKINIT SAN)'
+ exit 1
+ elif $hxtool acert --end-entity -D $server "FILE:${objdir}/server.pem"; then
+ echo 'Successfully obtained a server certificate!'
+ else
+ echo 'Got a broken server certificate'
+ exit 1
+ fi
+else
+ echo 'Failed to get a server certificate!'
+ exit 1
+fi
+
+echo "Fetching a server certificate with two dNSName SANs"
+csr_grant dnsname "second-$server" foo@${R}
+if (set -vx;
+ get_cert "&dNSName=${server}&dNSName=second-$server" -sf \
+ -o "${objdir}/server2.pem"); then
+ $hxtool print --content "FILE:${objdir}/server2.pem"
+ if $hxtool acert --expr="%{certificate.subject} == \"\"" \
+ --end-entity -P foo@${R} \
+ "FILE:${objdir}/server2.pem"; then
+ echo 'Got a broken server certificate (has PKINIT SAN)'
+ exit 1
+ elif $hxtool acert --end-entity -D "$server" \
+ -D "second-$server" \
+ "FILE:${objdir}/server2.pem"; then
+ echo 'Successfully obtained a server certificate with two dNSName SANs!'
+ else
+ echo 'Got a broken server certificate (wanted two dNSName SANs)'
+ exit 1
+ fi
+else
+ echo 'Failed to get a server certificate with two dNSName SANs!'
+ exit 1
+fi
+
+echo "Fetching an email certificate"
+csr_grant email foo@bar.example foo@${R}
+if (set -vx; get_cert "&rfc822Name=foo@bar.example" -sf -o "${objdir}/email.pem"); then
+ $hxtool print --content "FILE:${objdir}/email.pem"
+ if $hxtool acert --end-entity -P "foo@${R}" "FILE:${objdir}/email.pem"; then
+ echo 'Got a broken email certificate (has PKINIT SAN)'
+ exit 1
+ elif $hxtool acert --expr="%{certificate.subject} == \"\"" \
+ --end-entity -M foo@bar.example \
+ "FILE:${objdir}/email.pem"; then
+ echo 'Successfully obtained a email certificate!'
+ else
+ echo 'Got a broken email certificate'
+ exit 1
+ fi
+else
+ echo 'Failed to get an email certificate!'
+ exit 1
+fi
+
+# Need to start a KDC to test this.
+rm -f $kt $ukt
+${kdestroy}
+${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1
+${kadmin} ext_keytab -r -k $keytab HTTP/${server}@${R} || exit 1
+${kadmin} add -r --use-defaults HTTP/${otherserver}@${R} || exit 1
+${kadmin} ext_keytab -r -k $ukeytab foo@${R} || exit 1
+
+echo "Starting kdc";
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+trap "kill -9 ${kdcpid} ${bx509pid}; echo signal killing kdc and bx509d; exit 1;" EXIT
+
+${kinit} -kt $ukeytab foo@${R} || exit 1
+$klist || { echo "failed to setup kimpersonate credentials"; exit 2; }
+
+echo "Fetch TGT (not granted for other)"
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
+if (set -vx;
+ curl -o "${cachefile2}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8"); then
+ echo "Got a TGT with /get-tgt end-point when not granted!"
+ exit 2
+fi
+
+echo "Fetch TGT"
+(set -vx; csr_grant pkinit foo@${R} foo@${R})
+(set -vx; csr_grant eku 1.3.6.1.5.2.3.4 foo@${R})
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
+if ! (set -vx;
+ curl -o "${cachefile2}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?address=8.8.8.8"); then
+ echo "Failed to get a TGT with /get-tgt end-point"
+ exit 2
+fi
+
+${klist2} | grep Addresses:.IPv4:8.8.8.8 ||
+ { echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
+
+echo "Fetch TGT (inception)"
+${kdestroy}
+token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
+if ! (set -vx;
+ curl -o "${cachefile}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?address=8.8.8.8"); then
+ echo "Failed to get a TGT with /get-tgt end-point"
+ exit 2
+fi
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+${klist} | grep Addresses:.IPv4:8.8.8.8 ||
+ { echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
+
+echo "Fetch TGT (for other)"
+(set -vx; csr_grant pkinit bar@${R} foo@${R})
+${kdestroy}
+token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
+if ! (set -vx;
+ curl -o "${cachefile}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8"); then
+ echo "Failed to get a TGT with /get-tgt end-point"
+ exit 2
+fi
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+${klist} | grep Addresses:.IPv4:8.8.8.8 ||
+ { echo "Failed to get a TGT with /get-tgt end-point with addresses"; exit 2; }
+
+echo "Fetch TGT (for other, w/ lifetime req under max)"
+${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
+(set -vx; csr_grant pkinit bar@${R} foo@${R})
+${kdestroy}
+token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
+if ! (set -vx;
+ curl -o "${cachefile}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=3d"); then
+ echo "Failed to get a TGT with /get-tgt end-point"
+ exit 2
+fi
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+if which jq >/dev/null; then
+ if ! ${klistjson} | jq -e '
+ (reduce (.tickets[0]|(.Issued,.Expires)|
+ strptime("%b %e %H:%M:%S %Y")|mktime) as $t
+ (0; if .==0 then $t else $t - . end) / 86400) | floor |
+ . == 3'; then
+ echo "Incorrect lifetime"
+ exit 2
+ fi
+fi
+
+echo "Fetch TGT (for other, w/ lifetime req over max)"
+${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
+(set -vx; csr_grant pkinit bar@${R} foo@${R})
+${kdestroy}
+token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
+if ! (set -vx;
+ curl -o "${cachefile}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=10d"); then
+ echo "Failed to get a TGT with /get-tgt end-point"
+ exit 2
+fi
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+if which jq >/dev/null; then
+ if ! ${klistjson} | jq -e '
+ (reduce (.tickets[0]|(.Issued,.Expires)|
+ strptime("%b %e %H:%M:%S %Y")|mktime) as $t
+ (0; if .==0 then $t else $t - . end) / 86400) | floor |
+ . == 5'; then
+ echo "Incorrect lifetime"
+ exit 2
+ fi
+fi
+
+echo "Fetch TGT (for other, w/ lifetime req under max)"
+${kadmin} modify --max-ticket-life=10d krbtgt/${R}@${R}
+(set -vx; csr_grant pkinit bar@${R} foo@${R})
+${kdestroy}
+token=$(KRB5CCNAME=$cache2 $gsstoken HTTP@$server)
+if ! (set -vx;
+ curl -o "${cachefile}" -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&address=8.9.10.11&address=11.11.11.11&address=12.12.12.12&lifetime=5d"); then
+ echo "Failed to get a TGT with /get-tgt end-point"
+ exit 2
+fi
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+if which jq >/dev/null; then
+ if ! ${klistjson} | jq -e '
+ (reduce (.tickets[0]|(.Issued,.Expires)|
+ strptime("%b %e %H:%M:%S %Y")|mktime) as $t
+ (0; if .==0 then $t else $t - . end) / 86400) |
+ . >= 4'; then
+ echo "Failed to get a TGT with /get-tgt end-point with addresses"
+ exit 2
+ fi
+fi
+
+echo "Fetch negotiate token (pre-test)"
+# Do what /bnegotiate does, roughly, prior to testing /bnegotiate
+$hxtool request-create --subject='' --generate-key=rsa --key-bits=1024 \
+ --key=PEM-FILE:"${objdir}/k.pem" "${objdir}/req" ||
+ { echo "Failed to make a CSR"; exit 2; }
+$test_kdc_ca -a bx509 -A foo@${R} PKCS10:${objdir}/req \
+ PEM-FILE:${objdir}/pkinit-test.pem ||
+ { echo "Trivial offline CA test failed (CA)"; exit 2; }
+cat ${objdir}/k.pem >> ${objdir}/pkinit-test.pem
+${kinit} -C PEM-FILE:${objdir}/pkinit-test.pem foo@${R} ||
+ { echo "Trivial offline CA test failed (PKINIT)"; exit 2; }
+${kgetcred} -H HTTP/${server}@${R} ||
+ { echo "Trivial offline CA test failed (TGS)"; exit 2; }
+KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
+ { echo "Trivial offline CA test failed (gss-token)"; exit 2; }
+
+# Check that we get up to three tixaddrs k/v in the log
+grep 'REQ.*wrongaddr=true' ${objdir}/messages.log |
+ grep 'tixaddrs=IPv4:11.11.11.11' ||
+ { echo "KDC not warning about requests from wrong address"; exit 2; }
+
+echo "Fetching a Negotiate token"
+token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
+if (set -vx;
+ curl -o negotiate-token -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/bnegotiate?target=HTTP%40${server}"); then
+ # bx509 sends us a token w/o a newline for now; we add one because
+ # gss-token expects it.
+ test -s negotiate-token && echo >> negotiate-token
+ if test -s negotiate-token && KRB5_KTNAME="$keytab" $gsstoken -Nr < negotiate-token; then
+ echo 'Successfully obtained a Negotiate token!'
+ else
+ echo 'Failed to get a Negotiate token (got an unacceptable token)!'
+ exit 1
+ fi
+else
+ echo 'Failed to get a Negotiate token!'
+ exit 1
+fi
+
+referer=https://${otherserver}/blah
+redirect=$(${rkvis} -h https://${otherserver}/blah?q=whatever)
+if (set -vx;
+ curl -o negotiate-token -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/bnegotiate?target=HTTP%40${server}&redirect=${redirect}"); then
+ echo "Error: /bnegotiate with target and redirect succeeded"
+ exit 1
+fi
+
+if (set -vx;
+ curl -o negotiate-token -Lgsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ "http://${server}:${bx509port}/bnegotiate?redirect=${redirect}"); then
+ echo "Error: /bnegotiate with redirect but no Referer succeeded"
+ exit 1
+fi
+
+referer=http://${otherserver}/blah
+redirect=$(${rkvis} -h http://${otherserver}/blah?q=whatever)
+if (set -vx;
+ curl -gsf \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ -H "Referer: $referer" \
+ "http://${server}:${bx509port}/bnegotiate?redirect=${redirect}"); then
+ echo "Error: redirect for non-https referer"
+ exit 1
+fi
+
+referer=https://${otherserver}/blah
+redirect=$(${rkvis} -h https://${otherserver}/blah?q=whatever)
+if (set -vx;
+ curl -gfs -D curlheaders \
+ --resolve ${server}:${bx509port}:127.0.0.1 \
+ -H "Authorization: Negotiate $token" \
+ -H "Referer: $referer" \
+ "http://${server}:${bx509port}/bnegotiate?redirect=${redirect}"); then
+ read junk code junk < curlheaders
+ if test "$code" = 307; then
+ echo "Got a proper redirect"
+ else
+ echo "Error: unexpected status code $code (wanted 307)"
+ fi
+else
+ echo "Error: no redirect"
+ exit 1
+fi
+
+echo "killing kdc (${kdcpid}) and bx509d (${bx509pid})"
+sh ${leaks_kill} kdc $kdcpid || ec=1
+sh ${leaks_kill} bx509d $bx509pid || ec=1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-canon.in b/third_party/heimdal/tests/kdc/check-canon.in
new file mode 100644
index 0000000..18b83a9
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-canon.in
@@ -0,0 +1,210 @@
+#!/bin/sh
+#
+# Copyright (c) 2011, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+# (krb5_kt_get_entry() is tested in another test)
+${have_db} || exit 77
+
+R1=TEST.H5L.SE
+R2=TEST2.H5L.SE
+R3=TEST3.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r ${R1}"
+kdc="${kdc} --addresses=localhost -P $port"
+
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+KRB5_CONFIG="${objdir}/krb5-canon.conf"
+export KRB5_CONFIG
+
+testfailed="echo test failed; ${klist}; exit 1"
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo "Creating database"
+initflags="init --realm-max-ticket-life=1day --realm-max-renewable-life=1month"
+
+${kadmin} ${initflags} ${R1} || exit 1
+${kadmin} ${initflags} ${R2} || exit 1
+${kadmin} ${initflags} ${R3} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R1} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R1}@${R2} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R1} || exit 1
+${kadmin} add -p cross3 --use-defaults krbtgt/${R3}@${R1} || exit 1
+${kadmin} add -p cross4 --use-defaults krbtgt/${R1}@${R3} || exit 1
+${kadmin} add -p cross5 --use-defaults krbtgt/${R3}@${R2} || exit 1
+${kadmin} add -p cross6 --use-defaults krbtgt/${R2}@${R3} || exit 1
+
+${kadmin} add -p foo --use-defaults host/t1@${R1} || exit 1
+${kadmin} add -p foo --use-defaults host/t2@${R2} || exit 1
+${kadmin} add -p foo --use-defaults host/t3@${R3} || exit 1
+${kadmin} add -p foo --use-defaults host/t11.test1.h5l.se@${R1} || exit 1
+${kadmin} add -p foo --use-defaults host/t12.test1.h5l.se@${R2} || exit 1
+${kadmin} add -p foo --use-defaults host/t22.test2.h5l.se@${R2} || exit 1
+${kadmin} add -p foo --use-defaults host/t23.test2.h5l.se@${R3} || exit 1
+${kadmin} add -p foo --use-defaults host/t33.test3.h5l.se@${R3} || exit 1
+
+
+echo "Doing database check"
+${kadmin} check ${R1} || exit 1
+${kadmin} check ${R2} || exit 1
+${kadmin} check ${R3} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo "Starting kdc" ; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets";
+${kinit} --password-file=${objdir}/foopassword foo@${R1} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "get service tickets (success)"
+for host in t1 t2 t3 t11 t12 t22 t33 ; do
+ echo " $host"
+ ${kgetcred} --name-type=SRV_HST host $host || { ec=1 ; eval "${testfailed}"; }
+done
+echo "get service tickets (failure)"
+for host in t23 ; do
+ echo " $host"
+ ${kgetcred} --name-type=SRV_HST host $host 2>/dev/null && { ec=1 ; eval "${testfailed}"; }
+done
+
+echo "check result"
+${klist} | grep 'host/t1@$' > /dev/null ||
+ { ec=1 ; echo "t1 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t1@${R1}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t1 entry not present"; eval "${testfailed}"; }
+${klist} | grep 'host/t2@$' > /dev/null ||
+ { ec=1 ; echo "t2 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t2@${R2}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t2 entry not present"; eval "${testfailed}"; }
+${klist} | grep 'host/t3@$' > /dev/null ||
+ { ec=1 ; echo "t3 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t3@${R3}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t3 entry not present"; eval "${testfailed}"; }
+${klist} | grep 'host/t11@$' > /dev/null ||
+ { ec=1 ; echo "t11 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t11.test1.h5l.se@${R1}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t11 entry not present"; eval "${testfailed}"; }
+${klist} | grep 'host/t12@$' > /dev/null ||
+ { ec=1 ; echo "t12 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t12.test1.h5l.se@${R2}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t12 entry not present"; eval "${testfailed}"; }
+${klist} | grep 'host/t22@$' > /dev/null ||
+ { ec=1 ; echo "t22 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t22.test2.h5l.se@${R2}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t22 entry not present"; eval "${testfailed}"; }
+${klist} | grep 'host/t33@$' > /dev/null ||
+ { ec=1 ; echo "t33 referral entry not present"; eval "${testfailed}"; }
+${klist} | grep "host/t33.test3.h5l.se@${R3}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t33 entry not present"; eval "${testfailed}"; }
+
+
+${kdestroy}
+
+if false; then
+
+ # This may not be portable. It'd be nice to be able to set more of the
+ # resolver configuration via the environment!
+ LOCALDOMAIN=test1.h5l.se
+ export LOCALDOMAIN
+ KRB5_CONFIG="${objdir}/krb5-canon2.conf"
+ export KRB5_CONFIG
+
+ echo "Getting client initial tickets (round 2)";
+ ${kinit} --password-file=${objdir}/foopassword foo@${R1} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+ echo "get service tickets (success)"
+ for host in t1 t2 t3 t11 ; do
+ echo " $host"
+ ${kgetcred} --name-type=SRV_HST host $host || { ec=1 ; eval "${testfailed}"; }
+ done
+ echo "get service tickets (failure)"
+ for host in t12 t22 t23 t33 ; do
+ echo " $host"
+ ${kgetcred} --name-type=SRV_HST host $host 2> /dev/null &&
+ { ec=1 ; eval "${testfailed}"; }
+ done
+
+ echo "check result"
+ ${klist} | grep 'host/t1@$' > /dev/null ||
+ { ec=1 ; echo "t1 referral entry not present"; eval "${testfailed}"; }
+ ${klist} | grep "host/t1@${R1}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t1 entry not present"; eval "${testfailed}"; }
+ ${klist} | grep 'host/t2@$' > /dev/null ||
+ { ec=1 ; echo "t2 referral entry not present"; eval "${testfailed}"; }
+ ${klist} | grep "host/t2@${R2}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t2 entry not present"; eval "${testfailed}"; }
+ ${klist} | grep 'host/t3@$' > /dev/null ||
+ { ec=1 ; echo "t3 referral entry not present"; eval "${testfailed}"; }
+ ${klist} | grep "host/t3@${R3}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t3 entry not present"; eval "${testfailed}"; }
+ ${klist} | grep 'host/t11@$' > /dev/null ||
+ { ec=1 ; echo "t11 referral entry not present"; eval "${testfailed}"; }
+ ${klist} | grep "host/t11.test1.h5l.se@${R1}" > /dev/null ||
+ { ec=1 ; echo "canonicalized t11 entry not present"; eval "${testfailed}"; }
+
+
+ ${kdestroy}
+fi
+
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-cc.in b/third_party/heimdal/tests/kdc/check-cc.in
new file mode 100644
index 0000000..46e846a
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-cc.in
@@ -0,0 +1,203 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+unset KRB5CCNAME
+
+testfailed="echo test failed; exit 1"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+pwport=@pwport@
+
+kinit="${kinit} --password-file=${objdir}/foopassword ${afs_no_afslog}"
+kdestroy="${kdestroy} ${afs_no_unlog}"
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p foo --use-defaults bar@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+echo Starting kcm ; > messages.log
+${kcm} -s ${objdir} --detach || { echo "kcm failed to start"; cat messages.log; exit 1; }
+kcmpid=`getpid kcm`
+
+HEIM_IPC_DIR=${objdir}
+export HEIM_IPC_DIR
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+export KRB5CCNAME=SCC:${objdir}/sdb
+
+${kswitch} -p foo@${R} 2>/dev/null && ${kdestroy}
+${kswitch} -p foo@${R} 2>/dev/null && ${kdestroy}
+${kswitch} -p bar@${R} 2>/dev/null && ${kdestroy}
+${kswitch} -p bar@${R} 2>/dev/null && ${kdestroy}
+
+echo "getting default tickets"; > messages.log
+${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${kswitch} -p foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "getting both tickets"; > messages.log
+${kinit} -c ${KRB5CCNAME}:1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${kinit} -c ${KRB5CCNAME}:2 bar@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "switch foo"
+${kswitch} -p foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} | head -2 | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep bar@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+echo "switch bar"
+${kswitch} -p bar@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} | head -2 | grep bar@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep bar@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+echo "delete bar"
+${kdestroy}
+echo "check that bar is gone"
+${klist} -l | grep bar@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
+echo "check that foo is still there"
+${klist} -l | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
+${kswitch} -p foo@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "delete foo"
+${kdestroy} || { ec=1 ; eval "${testfailed}"; }
+echo "check that foo is gone"
+${klist} -l | grep foo@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
+echo "check that bar is gone"
+${klist} -l | grep bar@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
+
+echo "getting tickets (KCM)"; > messages.log
+KRB5_CONFIG="${objdir}/krb5-kcm.conf"
+export KRB5_CONFIG
+unset KRB5CCNAME
+${kinit} --default-for-principal foo@${R}
+${kinit} --default-for-principal bar@${R}
+${kinit} bar@${R}
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep foo@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -c KCM: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+KRB5CCNAME=KCM: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+if [ -n "$BASH_VERSION" ]; then
+ ${klist} -c KCM:${UID} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ ${klist} -c KCM:${UID}: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ KRB5CCNAME=KCM:${UID} ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ KRB5CCNAME=KCM:${UID}: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+fi
+${kdestroy} -A
+${klist} 2>/dev/null && { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep bar@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
+${kinit} bar@${R}
+${kinit} --default-for-principal foo@${R}
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -l | grep foo@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${klist} -c KCM: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+KRB5CCNAME=KCM: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${kdestroy} -A
+
+echo "getting tickets (DIR)"; > messages.log
+KRB5_CONFIG="${objdir}/krb5-cccol.conf"
+export KRB5_CONFIG
+unset KRB5CCNAME
+rm -rf ${objdir}/kt ${objdir}/cc_dir
+mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; }
+${kinit} --default-for-principal foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${kinit} --default-for-principal --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
+primary=`cat ${objdir}/cc_dir/primary`
+[ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; }
+${klist} -l |
+ grep "foo@TEST.H5L.SE.*FILE:${objdir}/cc_dir/tkt.foo@TEST.H5L.SE" > /dev/null ||
+ { ec=1 ; eval "${testfailed}"; }
+${klist} -l |
+ grep "bar@TEST.H5L.SE.*FILE:${objdir}/cc_dir/tkt.bar@TEST.H5L.SE" > /dev/null ||
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "killing kcm (${kcmpid})"
+sh ${leaks_kill} kcm $kcmpid || exit 1
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-delegation.in b/third_party/heimdal/tests/kdc/check-delegation.in
new file mode 100644
index 0000000..fdff0f6
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-delegation.in
@@ -0,0 +1,152 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+R3=TEST3.H5L.SE
+R4=TEST4.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r ${R}"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=host/datan.test4.h5l.se@TEST4.H5L.ORG
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+testfailed="echo test failed; ${klist} -v ; exit 1"
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+initflags="init --realm-max-ticket-life=1day --realm-max-renewable-life=1month"
+
+${kadmin} ${initflags} ${R} || exit 1
+${kadmin} ${initflags} ${R2} || exit 1
+${kadmin} ${initflags} ${R3} || exit 1
+${kadmin} ${initflags} ${R4} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R2} || exit 1
+${kadmin} add -p cross3 --use-defaults krbtgt/${R4}@${R3} || exit 1
+
+${kadmin} modify --attributes=+ok-as-delegate krbtgt/${R2}@${R} || exit 1
+${kadmin} modify --attributes=+ok-as-delegate krbtgt/${R3}@${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults host/server.test3.h5l.se@${R3} || exit 1
+${kadmin} modify --attributes=+ok-as-delegate host/server.test3.h5l.se@${R3} || exit 1
+${kadmin} add -p foo --use-defaults host/noserver.test3.h5l.se@${R3} || exit 1
+
+${kadmin} add -p foo --use-defaults host/server.test4.h5l.se@${R4} || exit 1
+${kadmin} modify --attributes=+ok-as-delegate host/server.test4.h5l.se@${R4} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+${kadmin} check ${R3} || exit 1
+${kadmin} check ${R4} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "get cross realm manually"
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} krbtgt/${R3}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} krbtgt/${R4}@${R3} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} host/server.test3.h5l.se@${R3} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} host/server.test4.h5l.se@${R4} || { ec=1 ; eval "${testfailed}"; }
+
+
+echo "check result"
+${klist} -v | awk '/Server:.*host.server.test3/{c=8}{if(c-->0){print}}' | grep 'Ticket flags:.*ok-as-delegate' > /dev/null || \
+ { ec=1 ; echo "server.test3 failed"; eval "${testfailed}"; }
+${klist} -v | awk '/Server:.*host.noserver.test3/{c=8}{if(c-->0){print}}' | grep 'Ticket flags:.*ok-as-delegate' 2> /dev/null && \
+ { ec=1 ; echo "noserver.test3 failed"; eval "${testfailed}"; }
+${klist} -v | awk '/Server:.*host.server.test4/{c=8}{if(c-->0){print}}' | grep 'Ticket flags:.*ok-as-delegate' 2> /dev/null && \
+ { ec=1 ; echo "server.test4 failed" ; eval "${testfailed}"; }
+
+${kdestroy}
+
+#echo "Getting client initial tickets"; > messages.log
+#${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+# { ec=1 ; eval "${testfailed}"; }
+#
+#echo "get cross realm automagicly"
+#${kgetcred} host/server.test4.h5l.se@${R4} || { ec=1 ; eval "${testfailed}"; }
+#
+#echo "check result"
+#${klist} -v | grep -A8 -e 'Server:.*server.test4' | grep 'Ticket flags:.*ok-as-delegate' && { ec=1 ; eval "${testfailed}"; }
+#
+#${kdestroy}
+
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-des.in b/third_party/heimdal/tests/kdc/check-des.in
new file mode 100644
index 0000000..144613d
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-des.in
@@ -0,0 +1,155 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+afsserver=afs/test.h5l.se
+hostserver=host/server.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R2} || exit 1
+
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${afsserver}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${hostserver}@${R} || exit 1
+${kadmin} add_enctype -r ${afsserver}@${R} des-cbc-crc || exit 1
+${kadmin} add_enctype -r ${hostserver}@${R} des-cbc-crc || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting non des tickets (afs)"; > messages.log
+${kgetcred} ${afsserver}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -v | grep des-cbc-crc > /dev/null && { ec=1 ; eval "${testfailed}"; }
+echo "Getting non des tickets (host/)"; > messages.log
+${kgetcred} ${hostserver}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -v | grep des-cbc-crc > /dev/null && { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting des tickets (fail test)"; > messages.log
+${kgetcred} -e des-cbc-crc ${hostserver}@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting non des tickets"; > messages.log
+${kgetcred} ${afsserver}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -v | grep des-cbc-crc > /dev/null && { ec=1 ; eval "${testfailed}"; }
+
+
+KRB5_CONFIG="${objdir}/krb5-weak.conf"
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting non des tickets (host/), failure test"; > messages.log
+${kgetcred} -e des-cbc-crc ${hostserver}@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+${klist} -v | grep des-cbc-crc > /dev/null && { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting des tickets (afs)"; > messages.log
+${kgetcred} -e des-cbc-crc ${afsserver}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -v | grep des-cbc-crc > /dev/null || { ec=1 ; eval "${testfailed}"; }
+
+${kdestroy}
+
+
+
+${kdestroy}
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-digest.in b/third_party/heimdal/tests/kdc/check-digest.in
new file mode 100644
index 0000000..d934f4e
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-digest.in
@@ -0,0 +1,291 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+srcdir="@srcdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+ocache="FILE:${objdir}/ocache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kdigest="${kdigest} --ccache=$cache"
+
+username=foo
+userpassword=digestpassword
+
+password=foobarbaz
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
+${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo $password > ${objdir}/foopassword
+
+echo "Starting kdc" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing ||
+ { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting digest server tickets"
+${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
+${kdigest} digest-server-init \
+ --kerberos-realm=${R} \
+ --type=CHAP > /dev/null || exitcode=1
+
+echo "Trying NTLM"
+
+NTLM_ACCEPTOR_CCACHE="$cache"
+export NTLM_ACCEPTOR_CCACHE
+
+echo "Trying server-init"
+${kdigest} ntlm-server-init \
+ --kerberos-realm=${R} \
+ > sdigest-init || exitcode=1
+
+echo "test_ntlm"
+${test_ntlm} || { echo "test_ntlm failed"; exit 1; }
+
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+echo "test_context --mech-type=ntlm"
+${test_context} --mech-type=ntlm \
+ --client-name=foo@TEST \
+ --name-type=hostbased-service datan@TEST || \
+ { echo "test_context 1 failed"; exit 1; }
+
+${test_context} --mech-type=ntlm \
+ --client-name=foo@TEST \
+ --name-type=hostbased-service datan@host.TEST || \
+ { echo "test_context 2 failed"; exit 1; }
+
+${test_context} --mech-type=ntlm \
+ --client-name=foo@TEST \
+ --name-type=hostbased-service datan@host.test.domain2 || \
+ { echo "test_context 3 failed"; exit 1; }
+
+echo "Trying SL in NTLM"
+
+
+for type in \
+ "" \
+ "--getverifymic" \
+ "--wrapunwrap" \
+ "--getverifymic --wrapunwrap" \
+ ; do
+
+ echo "Trying NTLM type: ${type}"
+ ${test_context} --mech-type=ntlm ${type} \
+ --client-name=foo@TEST \
+ --name-type=hostbased-service datan@TEST || \
+ { echo "test_context 1 failed"; exit 1; }
+
+done
+
+
+echo "Trying CHAP"
+
+${kdigest} digest-server-init \
+ --kerberos-realm=${R} \
+ --type=CHAP \
+ > sdigest-reply || exitcode=1
+
+snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
+identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
+opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
+
+${kdigest} digest-client-request \
+ --type=CHAP \
+ --username="$username" \
+ --password="$userpassword" \
+ --opaque="$opaque" \
+ --server-identifier="$identifier" \
+ --server-nonce="$snonce" \
+ > cdigest-reply || exitcode=1
+
+cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
+
+#echo user: $username
+#echo server-nonce: $snonce
+#echo opaqeue: $opaque
+#echo identifier: $identifier
+
+${kdigest} digest-server-request \
+ --kerberos-realm=${R} \
+ --type=CHAP \
+ --username="$username" \
+ --opaque="$opaque" \
+ --client-response="$cresponseData" \
+ --server-identifier="$identifier" \
+ --server-nonce="$snonce" \
+ > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+
+if test "X$status" = "Xok" ; then
+ echo "CHAP response ok"
+else
+ echo "CHAP response failed"
+ exitcode=1
+fi
+
+cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`
+
+${kdigest} digest-server-request \
+ --kerberos-realm=${R} \
+ --type=CHAP \
+ --username="$username" \
+ --opaque="$opaque" \
+ --client-response="$cresponseData" \
+ --server-identifier="$identifier" \
+ --server-nonce="$snonce" \
+ > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+
+if test "X$status" = "Xfailed" ; then
+ echo "CHAP response fail as it should"
+else
+ echo "CHAP response succeeded errorously"
+ exitcode=1
+fi
+
+echo "Trying MS-CHAP-V2"
+
+${kdigest} digest-server-init \
+ --kerberos-realm=${R} \
+ --type=MS-CHAP-V2 \
+ > sdigest-reply || exitcode=1
+
+snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
+opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
+cnonce="21402324255E262A28295F2B3A337C7E"
+
+echo "MS-CHAP-V2 client request"
+${kdigest} digest-client-request \
+ --type=MS-CHAP-V2 \
+ --username="$username" \
+ --password="$userpassword" \
+ --opaque="$opaque" \
+ --client-nonce="$cnonce" \
+ --server-nonce="$snonce" \
+ > cdigest-reply || exitcode=1
+
+cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
+cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
+ckey=`grep session-key= cdigest-reply | cut -f2- -d=`
+
+${kdigest} digest-server-request \
+ --kerberos-realm=${R} \
+ --type=MS-CHAP-V2 \
+ --username="$username" \
+ --opaque="$opaque" \
+ --client-response="$cresponseData" \
+ --client-nonce="$cnonce" \
+ --server-nonce="$snonce" \
+ > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
+skey=`grep session-key= s2digest-reply | cut -f2- -d=`
+
+if test "X$sRsp" != "X$cRsp" ; then
+ echo "rsp wrong $sRsp != $cRsp"
+ exitcode=1
+fi
+
+if test "X$skey" != "X$ckey" ; then
+ echo "rsp wrong"
+ exitcode=1
+fi
+
+if test "X$status" = "Xok" ; then
+ echo "MS-CHAP-V2 response ok"
+else
+ echo "MS-CHAP-V2 response failed"
+ exitcode=1
+fi
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+exit $exitcode
+
diff --git a/third_party/heimdal/tests/kdc/check-fast.in b/third_party/heimdal/tests/kdc/check-fast.in
new file mode 100644
index 0000000..3fbda81
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-fast.in
@@ -0,0 +1,214 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2011 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+KRB5_CONFIG="${1-${objdir}/krb5.conf}"
+export KRB5_CONFIG
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+acache="FILE:${objdir}/acache.krb5"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+akinit="${kinit} -c $acache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+aklist="${klist} -c $acache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p foo --use-defaults ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+echo bar > ${objdir}/barpassword
+
+echo Starting kdc ; > messages.log
+env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+ec=0
+
+#
+# Check armor ticket
+#
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Checking for FAST avail"
+${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }
+echo "Getting tickets"; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Acquire host ticket to be used as an ARMOR ticket"; > messages.log
+${akinit} --password-file=${objdir}/foopassword ${server}@${R} >/dev/null|| { exit 1; }
+echo "Checking for FAST avail (in the FAST armor cache)"; > messages.log
+${aklist} --hidden | grep fast_avail > /dev/null || { exit 1; }
+
+#
+# Client tests
+#
+
+echo "Getting client initial tickets with FAST armor ticket"; > messages.log
+${kinit} --fast-armor-cache=${acache} \
+ --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client initial tickets with FAST armor ticket [failure]"; > messages.log
+${kinit} --fast-armor-cache=${acache} \
+ --password-file=${objdir}/barpassword foo@$R 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Checking for FAST avail (in the FAST acquired cache)"; > messages.log
+${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }
+
+echo "Getting service ticket"
+${kgetcred} ${server}@${R} || { exit 1; }
+${kdestroy}
+
+#
+# Test GSS-API pre-authentication using SAnon. It will only succeed where there
+# is FAST armor to authenticate the KDC, otherwise it will fail as SAnon does
+# not provide mutual authentication (GSS_C_MUTUAL_FLAG).
+#
+
+for mech in sanon-x25519 spnego ; do
+ echo "Trying ${mech} pre-authentication with FAST armor"; > messages.log
+ ${kinit} --fast-armor-cache=${acache} \
+ --anonymous --gss-mech=${mech} @$R 2>/dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+
+ echo "Getting service ticket"
+ ${kgetcred} ${server}@${R} || { exit 1; }
+ ${kdestroy}
+
+ echo "Trying ${mech} pre-authentication with anonymous FAST armor"; > messages.log
+ ${kinit} --pk-anon-fast-armor \
+ --anonymous --gss-mech=${mech} @$R 2>/dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+
+ echo "Getting service ticket"
+ ${kgetcred} ${server}@${R} || { exit 1; }
+ ${kdestroy}
+
+ echo "Trying ${mech} pre-authentication with no FAST armor"; > messages.log
+ ${kinit} \
+ --anonymous --gss-mech=${mech} @$R 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+done
+
+#
+# Use MIT client tools
+#
+
+mit=/usr/local/mitkerberos/bin
+
+if [ -f ${mit}/kinit ] ; then
+ echo "Running MIT FAST tests"
+
+ kinitpty=${objdir}/foopassword.rkpty
+cat > ${kinitpty} <<EOF
+expect Password
+password foo\n
+EOF
+
+ echo "Acquire host ticket"; > messages.log
+ ${rkpty} ${kinitpty} ${mit}/kinit -c ${acache} ${server}@${R} >/dev/null|| { exit 1; }
+ (${aklist} | grep ${server} > /dev/null ) || { exit 1; }
+
+ echo "Checking for FAST avail"; > messages.log
+ ${aklist} --hidden | grep fast_avail > /dev/null || { exit 1; }
+
+ echo "Using plain to get a initial ticket"; > messages.log
+ ${rkpty} ${kinitpty} ${mit}/kinit -c ${cache} foo@${R} >/dev/null|| { exit 1; }
+ (${klist} | grep foo > /dev/null ) || { exit 1; }
+
+ echo "Using FAST to get a initial ticket"; > messages.log
+ ${rkpty} ${kinitpty} ${mit}/kinit -c ${cache} -T ${acache} foo@${R} >/dev/null || { exit 1; }
+ (${klist} | grep foo > /dev/null ) || { exit 1; }
+
+ echo "Checking for FAST avail"; > messages.log
+ ${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }
+
+ echo "Getting service ticket"; > messages.log
+ ${mit}/kvno -c ${cache} ${server}@${R} || { exit 1; }
+
+fi
+
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-hdb-mitdb.in b/third_party/heimdal/tests/kdc/check-hdb-mitdb.in
new file mode 100644
index 0000000..a241aeb
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-hdb-mitdb.in
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+KRB5_CONFIG="${1-${objdir}/krb5-hdb-mitdb.conf}"
+export KRB5_CONFIG
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no ldap support compiled in, disable test
+if ${kdc} --builtin-hdb | grep mit-db > /dev/null ; then
+ :
+else
+ echo "no MIT KDB support"
+ exit 77
+fi
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r $R --config-file=${KRB5_CONFIG}"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Database should exist
+
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets"; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-httpkadmind.in b/third_party/heimdal/tests/kdc/check-httpkadmind.in
new file mode 100644
index 0000000..f57f2af
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-httpkadmind.in
@@ -0,0 +1,688 @@
+#!/bin/sh
+#
+# Copyright (c) 2020 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+if ! which curl > /dev/null; then
+ echo "curl is not available -- not testing httpkadmind"
+ exit 77
+fi
+if ! test -x ${objdir}/../../kdc/httpkadmind; then
+ echo "Configured w/o libmicrohttpd -- not testing httpkadmind"
+ exit 77
+fi
+
+R=TEST.H5L.SE
+domain=test.h5l.se
+
+port=@port@
+admport=@admport@
+admport1=@admport@
+admport2=@admport2@
+restport=@restport@
+restport1=@restport@
+restport2=@restport2@
+
+server=datan.test.h5l.se
+otherserver=other.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+cache2="FILE:${objdir}/cache2.krb5"
+admincache="FILE:${objdir}/cache3.krb5"
+keyfile="${hx509_data}/key.der"
+keyfile2="${hx509_data}/key2.der"
+kt=${objdir}/kt
+keytab=FILE:${kt}
+ukt=${objdir}/ukt
+ukeytab=FILE:${ukt}
+
+kdc="${kdc} --addresses=localhost -P $port"
+kadminr="${kadmin} -r $R -a $(uname -n)"
+kadmin="${kadmin} -l -r $R"
+kadmind2="${kadmind} --keytab=${keytab} --detach -p $admport2 --read-only"
+kadmind="${kadmind} --keytab=${keytab} --detach -p $admport"
+httpkadmind2="${httpkadmind} --reverse-proxied -T Negotiate -p $restport2"
+httpkadmind="${httpkadmind} --reverse-proxied -T Negotiate -p $restport1"
+
+kinit2="${kinit} -c $cache2 ${afs_no_afslog}"
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+adminklist="${klist} --hidden -v -c $admincache"
+klist2="${klist} --hidden -v -c $cache2"
+klist="${klist} --hidden -v -c $cache"
+kgetcred2="${kgetcred} -c $cache2"
+kgetcred="${kgetcred} -c $cache"
+kdestroy2="${kdestroy} -c $cache2 ${afs_no_unlog}"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+kx509="${kx509} -c $cache"
+
+KRB5_CONFIG="${objdir}/krb5-httpkadmind.conf"
+export KRB5_CONFIG
+KRB5CCNAME=$cache
+export KRB5CCNAME
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f *.pem *.crt *.der
+rm -rf simple_csr_authz
+rm -f extracted_keytab*
+
+mkdir -p simple_csr_authz
+
+> messages.log
+
+# We'll avoid using a KDC for now. For testing /httpkadmind we only need keys
+# for Negotiate tokens, and we'll use ktutil and kimpersonate to make it
+# possible to create and accept those without a KDC.
+
+# grant ext-type value grantee_principal
+grant() {
+ mkdir -p "${objdir}/simple_csr_authz/${3}"
+ touch "${objdir}/simple_csr_authz/${3}/${1}-${2}"
+}
+
+revoke() {
+ rm -rf "${objdir}/simple_csr_authz"
+ mkdir -p "${objdir}/simple_csr_authz"
+}
+
+if set -o|grep 'verbose.*on' > /dev/null ||
+ set -o|grep 'xtrace.*on' > /dev/null; then
+ verbose=-vvv
+else
+ verbose=
+fi
+
+# HTTP curl-opts
+HTTP() {
+ curl -g --resolve ${server}:${restport2}:127.0.0.1 \
+ --resolve ${server}:${restport}:127.0.0.1 \
+ -u: --negotiate $verbose "$@"
+}
+
+# get_config QPARAMS curl-opts
+get_config() {
+ url="http://${server}:${restport}/get-config?$1"
+ shift
+ HTTP $verbose "$@" "$url"
+}
+
+# get_keytab QPARAMS curl-opts
+get_keytab() {
+ url="http://${server}:${restport}/get-keys?$1"
+ shift
+ HTTP $verbose "$@" "$url"
+}
+
+# get_keytab_POST QPARAMS curl-opts
+get_keytab_POST() {
+ # Curl is awful, so if you don't use -f, you don't get non-zero exit codes on
+ # error responses, but if you do use -f then -D doesn't work. Ugh.
+ #
+ # So first we check that POST w/o CSRF token fails:
+ q=$1
+ shift
+
+ get_keytab "$q" -X POST --data-binary @/dev/null -f "$@" &&
+ { echo "POST succeeded w/o CSRF token!"; return 1; }
+ get_keytab "$q" -X POST --data-binary @/dev/null -D response-headers "$@"
+ grep ^X-CSRF-Token: response-headers >/dev/null || return 1
+ get_keytab "$q" -X POST --data-binary @/dev/null -D response-headers \
+ -H "$(sed -e 's/\r//' response-headers | grep ^X-CSRF-Token:)" "$@"
+ grep '^HTTP/1.1 200' response-headers >/dev/null || return $?
+ return 0
+}
+
+get_keytab_POST_redir() {
+ url="http://${server}:${restport}/get-keys?$1"
+ shift
+ HTTP -X POST --data-binary @/dev/null -D response-headers "$@" "$url"
+ grep ^X-CSRF-Token: response-headers >/dev/null ||
+ { echo "POST w/o CSRF token had response w/o CSRF token!"; return 1; }
+ HTTP -X POST --data-binary @/dev/null -f \
+ -H "$(sed -e 's/\r//' response-headers | grep ^X-CSRF-Token:)" \
+ --location --location-trusted "$@" "$url"
+}
+
+kdcpid=
+httpkadmindpid=
+httpkadmind2pid=
+kadmindpid=
+kadmind2pid=
+cleanup() {
+ test -n "$kdcpid" &&
+ { echo signal killing kdc; kill -9 "$kdcpid"; }
+ test -n "$httpkadmindpid" &&
+ { echo signal killing httpkadmind; kill -9 "$httpkadmindpid"; }
+ test -n "$httpkadmind2pid" &&
+ { echo signal killing httpkadmind; kill -9 "$httpkadmind2pid"; }
+ test -n "$kadmindpid" &&
+ { echo signal killing kadmind; kill -9 "$kadmindpid"; }
+ test -n "$kadmind2pid" &&
+ { echo signal killing kadmind; kill -9 "$kadmind2pid"; }
+}
+trap cleanup EXIT
+
+rm -f extracted_keytab
+
+echo "Creating database"
+rm -f $kt $ukt
+${kadmin} init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+${kadmin} add -r --use-defaults foo@${R} || exit 1
+${kadmin} add -r --use-defaults httpkadmind/admin@${R} || exit 1
+${kadmin} add -r --use-defaults WELLKNOWN/CSRFTOKEN@${R} || exit 1
+${kadmin} add -r --use-defaults HTTP/localhost@${R} || exit 1
+${kadmin} add -r --use-defaults host/xyz.${domain}@${R} || exit 1
+${kadmin} add -r --use-defaults HTTP/xyz.${domain}@${R} || exit 1
+${kadmin} add_ns --key-rotation-epoch=-1d --key-rotation-period=5m \
+ --max-ticket-life=1d --max-renewable-life=5d \
+ --attributes= HTTP/ns.${domain}@${R} || exit 1
+${kadmin} add -r --use-defaults HTTP/${server}@${R} || exit 1
+${kadmin} ext_keytab -r -k $keytab kadmin/admin@${R} || exit 1
+${kadmin} ext_keytab -r -k $keytab httpkadmind/admin@${R} || exit 1
+${kadmin} ext_keytab -r -k $keytab HTTP/${server}@${R} || exit 1
+${kadmin} ext_keytab -r -k $keytab HTTP/localhost@${R} || exit 1
+${kadmin} add -r --use-defaults HTTP/${otherserver}@${R} || exit 1
+${kadmin} ext_keytab -r -k $ukeytab foo@${R} || exit 1
+${kdestroy}
+
+# For a while let's not bother with a KDC
+$kimpersonate --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96 \
+ -c foo@${R} -s HTTP/datan.test.h5l.se@${R} ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+$kimpersonate -A --ccache=$cache -k $keytab -R -t aes128-cts-hmac-sha1-96 \
+ -c foo@${R} -s HTTP/localhost@${R} ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+$klist -t >/dev/null ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+
+echo "Starting httpkadmind"
+${httpkadmind} -H $server -H localhost --local -t --daemon ||
+ { echo "httpkadmind failed to start"; exit 2; }
+httpkadmindpid=`getpid httpkadmind`
+ec=0
+
+echo "Checking that concrete principal exists"
+${kadmin} get HTTP/xyz.${domain} > /dev/null ||
+ { echo "Failed to create HTTP/xyz.${domain}"; exit 1; }
+echo "Checking that virtual principal exists"
+${kadmin} get HTTP/foo.ns.${domain} > /dev/null ||
+ { echo "Virtual principals not working"; exit 1; }
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Fetching krb5.conf for $p"
+get_config "princ=$p" -sf -o "${objdir}/extracted_config" ||
+ { echo "Failed to get config for $p"; exit 1; }
+read config < "${objdir}/extracted_config"
+test "$config" = "include /etc/krb5.conf" ||
+ { echo "Got unexpected default config for $p"; exit 1; }
+${kadmin} mod --krb5-config-file="$KRB5_CONFIG" $p ||
+ { echo "Failed to set config for $p"; exit 1; }
+get_config "princ=$p" -sf -o "${objdir}/extracted_config" ||
+ { echo "Failed to get config for $p"; exit 1; }
+cmp "${objdir}/extracted_config" "$KRB5_CONFIG" ||
+ { echo "Got unexpected config for $p"; exit 1; }
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Fetching keytab for concrete principal $p"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+
+hn=foo.ns.${domain}
+p=HTTP/$hn
+echo "Fetching keytab for virtual principal $p"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+
+hn1=foo.ns.${domain}
+hn2=foobar.ns.${domain}
+hn3=xyz.${domain}
+p1=HTTP/$hn1
+p2=HTTP/$hn2
+p3=HTTP/$hn3
+echo "Fetching keytabs for more than one principal"
+rm -f extracted_keytab*
+grant dnsname $hn1 foo@${R}
+grant dnsname $hn2 foo@${R}
+grant dnsname $hn3 foo@${R}
+# Note that httpkadmind will first process dNSName q-params, then the spn
+# q-params.
+${kadmin} ext_keytab -k extracted_keytab $p1 ||
+ { echo "Failed to get a keytab for $p1 with kadmin"; exit 1; }
+${kadmin} ext_keytab -k extracted_keytab $p3 ||
+ { echo "Failed to get a keytab for $p3 with kadmin"; exit 1; }
+${kadmin} ext_keytab -k extracted_keytab $p2 ||
+ { echo "Failed to get a keytab for $p2 with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for multiple principals"; exit 1; }
+get_keytab "dNSName=${hn1}&spn=${p2}&dNSName=${hn3}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for multiple principals with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+grep $hn1 extracted_keytab.rest > /dev/null ||
+ { echo "Keytab does not include keys for $p1"; exit 1; }
+grep $hn2 extracted_keytab.rest > /dev/null ||
+ { echo "Keytab does not include keys for $p2"; exit 1; }
+grep $hn3 extracted_keytab.rest > /dev/null ||
+ { echo "Keytab does not include keys for $p3"; exit 1; }
+
+p=host/foo.ns.${domain}
+echo "Checking that $p doesn't exist (no namespace for host service)"
+get_keytab "svc=host&dNSName=foo.ns.${domain}" -sf -o "${objdir}/extracted_keytab.rest" &&
+ { echo "Got a keytab for host/foo.ns.${domain} when not namespaced!"; }
+
+echo "Checking that authorization is enforced"
+revoke
+get_keytab "dNSName=xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "Got a keytab for HTTP/xyz.${domain} when not authorized!"; exit 1; }
+get_keytab "dNSName=foo.ns.${domain}" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "Got a keytab for HTTP/foo.ns.${domain} when not authorized!"; exit 1; }
+
+echo "Checking that host service keys are not served"
+hn=xyz.${domain}
+p=host/$hn
+echo "Fetching keytab for virtual principal $p"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+get_keytab "service=host&dNSName=xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "Got a keytab for $p even though it is a host service!"; exit 1; }
+get_keytab "spn=host/xyz.${domain}" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "Got a keytab for $p even though it is a host service!"; exit 1; }
+revoke
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Checking key rotation for concrete principal $p"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+test "$(grep $p extracted_keytab.rest1 | wc -l)" -eq 1 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+get_keytab "dNSName=${hn}&rotate=true" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "GET succeeded for write operation!"; exit 1; }
+get_keytab_POST "dNSName=${hn}&rotate=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to rotate keys for $p"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
+ { echo "Keys for $p did not change!"; exit 1; }
+test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 2 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Checking key rotation w/ revocation for concrete principal $p"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+get_keytab "dNSName=${hn}&revoke=true" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "GET succeeded for write operation!"; exit 1; }
+get_keytab_POST "dNSName=${hn}&revoke=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
+ { echo "Keys for $p did not change!"; exit 1; }
+test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 1 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+
+hn=abc.${domain}
+p=HTTP/$hn
+echo "Checking concrete principal creation ($p)"
+rm -f extracted_keytab
+grant dnsname $hn foo@${R}
+get_keytab "dNSName=${hn}&create=true" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "GET succeeded for write operation!"; exit 1; }
+get_keytab_POST "dNSName=${hn}&create=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+rm -f extracted_keytab
+${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+
+if false; then
+hn=bar.ns.${domain}
+p=HTTP/$hn
+echo "Checking materialization of virtual principal ($p)"
+rm -f extracted_keytab
+grant dnsname $hn foo@${R}
+get_keytab "dNSName=${hn}&materialize=true" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "GET succeeded for write operation!"; exit 1; }
+get_keytab_POST "dNSName=${hn}&materialize=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to materialize and get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+rm -f extracted_keytab
+${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+fi
+
+echo "Starting secondary httpkadmind to test HTTP redirection"
+${httpkadmind2} --primary-server-uri=http://localhost:$restport \
+ -H $server --local --local-read-only -t --daemon ||
+ { echo "httpkadmind failed to start"; exit 2; }
+httpkadmind2pid=`getpid httpkadmind`
+ec=0
+
+hn=def.${domain}
+p=HTTP/$hn
+restport=$restport2
+echo "Checking principal creation at secondary yields redirect"
+rm -f extracted_keytab
+grant dnsname $hn foo@${R}
+get_keytab_POST_redir "dNSName=${hn}&create=true" \
+ -s -o "${objdir}/extracted_keytab"
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+rm -f extracted_keytab
+${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+
+echo "killing httpkadmind (${httpkadmindpid} ${httpkadmind2pid})"
+sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
+sh ${leaks_kill} httpkadmind $httpkadmind2pid || ec=1
+httpkadmindpid=
+httpkadmind2pid=
+test $ec = 1 &&
+ { echo "Error killing httpkadmind instances or memory errors found"; exit 1; }
+
+echo "Starting primary kadmind for testing httpkadmind with remote HDB"
+${kadmind} ||
+ { echo "Read-write kadmind failed to start"; exit 2; }
+kadmindpid=`getpid kadmind`
+echo "Starting secondray (read-only) kadmind for testing httpkadmind with remote HDB"
+${kadmind2} ||
+ { echo "Read-only kadmind failed to start"; exit 2; }
+kadmind2pid=`getpid kadmind`
+
+# Make a ccache for use with kadmin(1)
+$kimpersonate --ticket-flags=initial --ccache=$admincache -k $keytab -t aes128-cts-hmac-sha1-96 \
+ -c httpkadmind/admin@${R} -s kadmin/admin@${R} ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+$adminklist -t >/dev/null ||
+ { echo "failed to setup kimpersonate credentials"; exit 2; }
+
+
+echo "Making PKINIT certs for KDC"
+${hxtool} issue-certificate \
+ --self-signed \
+ --issue-ca \
+ --ca-private-key=FILE:${keyfile} \
+ --subject="CN=CA,DC=test,DC=h5l,DC=se" \
+ --certificate="FILE:ca.crt" || exit 1
+${hxtool} request-create \
+ --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-kdc.der || exit 1
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-kdc" \
+ --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
+ --req="PKCS10:req-kdc.der" \
+ --certificate="FILE:kdc.crt" || exit 1
+${hxtool} request-create \
+ --subject="CN=bar,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-pkinit.der ||
+ { echo "Failed to make CSR for PKINIT client cert"; exit 1; }
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="host/synthesized.${domain}@$R" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit-synthetic.crt" ||
+ { echo "Failed to make PKINIT client cert"; exit 1; }
+
+echo "Starting kdc needed for httpkadmind authentication to kadmind"
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+echo "Starting httpkadmind with remote HDBs only"
+restport=$restport1
+${httpkadmind} -H $server -H localhost -t --daemon \
+ --writable-admin-server=$(uname -n):$admport \
+ --read-only-admin-server=$(uname -n):$admport2 \
+ --kadmin-client-name=httpkadmind/admin@${R} \
+ --kadmin-client-keytab=$keytab ||
+ { echo "httpkadmind failed to start"; exit 2; }
+httpkadmindpid=`getpid httpkadmind`
+ec=0
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Fetching keytab for concrete principal $p using remote HDB"
+rm -f extracted_keytab*
+grant dnsname $hn httpkadmind/admin@${R}
+KRB5CCNAME=$admincache ${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+get_keytab "spn=${p}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Checking key rotation for concrete principal $p using remote HDB"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+test "$(grep $p extracted_keytab.rest1 | wc -l)" -eq 1 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+get_keytab "dNSName=${hn}&rotate=true" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "GET succeeded for write operation!"; exit 1; }
+get_keytab_POST "dNSName=${hn}&rotate=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to rotate keys for $p"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
+ { echo "Keys for $p did not change!"; exit 1; }
+test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 2 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+
+sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
+httpkadmindpid=
+
+echo "Starting httpkadmind with local read-only HDB and remote read-write HDB"
+${httpkadmind} -H $server -H localhost -t --daemon \
+ --local-read-only \
+ --writable-admin-server=$(uname -n):$admport \
+ --kadmin-client-name=httpkadmind/admin@${R} \
+ --kadmin-client-keytab=$keytab ||
+ { echo "httpkadmind failed to start"; exit 2; }
+httpkadmindpid=`getpid httpkadmind`
+ec=0
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Fetching keytab for concrete principal $p using local read-only HDB"
+rm -f extracted_keytab*
+grant dnsname $hn httpkadmind/admin@${R}
+KRB5CCNAME=$admincache ${kadmin} ext_keytab -k extracted_keytab $p ||
+ { echo "Failed to get a keytab for $p with kadmin"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.kadmin ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+get_keytab "spn=${p}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.kadmin extracted_keytab.rest ||
+ { echo "Keytabs for $p don't match!"; exit 1; }
+
+hn=xyz.${domain}
+p=HTTP/$hn
+echo "Checking key rotation for concrete principal $p using local read-only HDB and remote HDB"
+rm -f extracted_keytab*
+grant dnsname $hn foo@${R}
+get_keytab "dNSName=${hn}" -sf -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to get a keytab for $p with curl"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest1 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+test "$(grep $p extracted_keytab.rest1 | wc -l)" -eq 2 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+get_keytab "dNSName=${hn}&rotate=true" -sf -o "${objdir}/extracted_keytab" &&
+ { echo "GET succeeded for write operation!"; exit 1; }
+get_keytab_POST "dNSName=${hn}&rotate=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to rotate keys for $p"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list --keys > extracted_keytab.rest2 ||
+ { echo "Failed to list keytab for $p"; exit 1; }
+cmp extracted_keytab.rest1 extracted_keytab.rest2 > /dev/null &&
+ { echo "Keys for $p did not change!"; exit 1; }
+test "$(grep $p extracted_keytab.rest2 | wc -l)" -eq 3 ||
+ { echo "Wrong number of new keys!"; exit 1; }
+
+echo "Checking that host services as clients can self-serve"
+hn=synthesized.${domain}
+p=host/$hn
+KRB5CCNAME=$admincache ${kadmin} get -s $p &&
+ { echo "Internal error -- $p exists too soon"; exit 1; }
+${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
+ { echo "Failed to kinit with PKINIT client cert"; exit 1; }
+${kgetcred2} HTTP/localhost@$R || echo WAT
+${klist2}
+rm -f extracted_keytab*
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab" ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab" list ||
+ { echo "Failed to create and extract host keys for self (bogus keytab)"; exit 1; }
+KRB5CCNAME=$admincache ${kadmin} get -s $p ||
+ { echo "Failed to create and extract host keys for self"; exit 1; }
+
+echo "Checking that host services can't get other host service principals"
+hn=nonexistent.${domain}
+p=host/$hn
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&create=true" -s -o "${objdir}/extracted_keytab2" &&
+ { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab2" list || true
+KRB5CCNAME=$admincache ${kadmin} get -s $p &&
+ { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
+
+echo "Checking that host services can't get keys for themselves and others"
+hn=synthesized.${domain}
+p=host/$hn
+p2=host/nonexistent.${domain}
+${kinit2} -C "FILE:${objdir}/pkinit-synthetic.crt,${keyfile2}" ${p}@${R} || \
+ { echo "Failed to kinit with PKINIT client cert"; exit 1; }
+${kgetcred2} HTTP/localhost@$R || echo WAT
+${klist2}
+rm -f extracted_keytab*
+KRB5CCNAME=$cache2 \
+get_keytab_POST "spn=$p&spn=$p2&create=true" -s -o "${objdir}/extracted_keytab" &&
+ { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
+${ktutil} -k "${objdir}/extracted_keytab2" list || true
+KRB5CCNAME=$admincache ${kadmin} get -s $p2 &&
+ { echo "Failed to fail to create and extract host keys for other!"; exit 1; }
+
+grep 'Internal error' messages.log &&
+ { echo "Internal errors in log"; exit 1; }
+
+sh ${leaks_kill} httpkadmind $httpkadmindpid || ec=1
+sh ${leaks_kill} kadmind $kadmindpid || ec=1
+sh ${leaks_kill} kadmind $kadmind2pid || ec=1
+sh ${leaks_kill} kdc $kdcpid || ec=1
+
+if [ $ec = 0 ]; then
+ trap "" EXIT
+ echo "Success"
+fi
+
+# TODO
+#
+# - implement and test that we can materialize a principal yet leave it with
+# virtual keys
+# - test new key delay? this one is tricky
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-iprop.in b/third_party/heimdal/tests/kdc/check-iprop.in
new file mode 100644
index 0000000..5243793
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-iprop.in
@@ -0,0 +1,611 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+db_type=@db_type@
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+
+# Don't run this test in AFS, since it lacks support for AF_UNIX
+expr "X`/bin/pwd || pwd`" : "X/afs/.*" > /dev/null 2>/dev/null && exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+ipropport=@ipropport@
+ipropport2=@ipropport2@
+
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/iprop.keytab
+keytab="FILE:${keytabfile}"
+
+kdc="${kdc} --addresses=localhost -P $port"
+kadmin="${kadmin} -r $R"
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+
+# We'll test iprop, and in particular, hierarchical iprop. This means we'll
+# have a setup like:
+#
+# ipropd-master -> ipropd-slave -> 2nd ipropd-master -> 2nd ipropd-slave
+
+# Waiting for incremental propagation is inherently difficult because we don't
+# have a way for ipropd-slave to signal this script that it has received
+# updates. Well, it does have a way to signal a possible ipropd-master for
+# hierarchical iprop, but we don't have a way to get that signal here.
+#
+# FIXME: Add a private interface for async waiting for iprop.
+#
+# What we do is we have a set of utility functions:
+#
+# - get_iprop_ver [N] -> checks that N (default to 1) ops have made it over
+# - get_iprop_ver2 [N] -> same, but for second ipropd-slave instance
+#
+# - wait_for -> repeat a command until it succeeds or too many tries
+# - wait_for_slave [N] -> wait for N ops to make it over (calls get_iprop_ver)
+# - wait_for_slave2 [N] -> same, but for second ipropd-slave instance
+#
+# In particular the wait_for* functions busy-wait for a max amount of time,
+# with sleeps in between.
+#
+# NOTE: get_iprop_ver and get_iprop_ver2 keep hidden state.
+#
+# When first called, get_iprop_ver / get_iprop_ver2 save the current version
+# numbers. Thereafter they check that N ops have been received.
+#
+# It is critical to account for every incremental op via get_iprop_ver /
+# get_iprop_ver2, or wait_for_slave / wait_for_slave2, otherwise this test will
+# be racy and will have spurious failures!
+#
+# The pattern should be something like this:
+#
+# echo "Add host"
+# ${kadmin} -l add --random-key --use-defaults host/foo@${R} || exit 1
+# wait_for_slave
+# ^^^^^^^^^^^^^^
+# waits for 1 operation
+#
+# or
+#
+# echo "Rollover host keys"
+# ${kadmin} -l cpw -r --keepold host/foo@${R} || exit 1
+# ${kadmin} -l cpw -r --keepold host/foo@${R} || exit 1
+# ${kadmin} -l cpw -r --keepold host/foo@${R} || exit 1
+# wait_for_slave 3
+# ^^^^^^^^^^^^^^^^
+# waits for the three operations
+#
+# So though all operations must be accounted for, they need not be accounted
+# one by one.
+
+slave_ver_from_master_old=
+slave_ver_from_master_new=
+slave_ver_old=
+slave_ver_new=
+get_iprop_ver () {
+ min_change=${1:-1}
+ slave_ver_from_master_new=`grep '^iprop/' iprop-stats | head -1 | awk '{print $3}'`
+ slave_ver_new=`grep 'up-to-date with version:' iprop-slave-status | awk '{print $4}'`
+ if [ -z "$slave_ver_from_master_new" -o -z "$slave_ver_new" ]; then
+ return 1
+ fi
+ if [ x"$slave_ver_from_master_new" != x"$slave_ver_new" ]; then
+ return 1
+ fi
+ if [ x"$slave_ver_from_master_old" != x ]; then
+ change=`expr "$slave_ver_from_master_new" - "$slave_ver_from_master_old"`
+ if [ "$change" -lt "$min_change" ]; then
+ return 1
+ fi
+ fi
+ slave_ver_from_master_old=$slave_ver_from_master_new
+ slave_ver_old=$slave_ver_new
+ return 0
+}
+
+slave_ver_from_master_old2=
+slave_ver_from_master_new2=
+slave_ver_old2=
+slave_ver_new2=
+get_iprop_ver2 () {
+ min_change=${1:-1}
+ slave_ver_from_master_new2=`grep '^iprop/' iprop-stats2 | head -1 | awk '{print $3}'`
+ slave_ver_new2=`grep 'up-to-date with version:' iprop-slave-status2 | awk '{print $4}'`
+ if [ -z "$slave_ver_from_master_new2" -o -z "$slave_ver_new2" ]; then
+ return 1
+ fi
+ if [ x"$slave_ver_from_master_new2" != x"$slave_ver_new2" ]; then
+ return 1
+ fi
+ if [ x"$slave_ver_from_master_old2" != x ]; then
+ change=`expr "$slave_ver_from_master_new2" - "$slave_ver_from_master_old2"`
+ if [ "$change" -lt "$min_change" ]; then
+ return 1
+ fi
+ fi
+ slave_ver_from_master_old2=$slave_ver_from_master_new2
+ slave_ver_old2=$slave_ver_new2
+ return 0
+}
+
+waitsec=65
+sleeptime=2
+wait_for () {
+ msg=$1
+ shift
+ t=0
+ while ! "$@"; do
+ sleep $sleeptime;
+ t=`expr $t + $sleeptime`
+ if [ $t -gt $waitsec ]; then
+ echo "Waited too long for $msg"
+ exit 1
+ fi
+ done
+ return 0
+}
+
+check_pidfile_is_dead () {
+ if test ! -f lt-${1}.pid -a ! -f ${1}.pid; then
+ return 0
+ fi
+ _pid=`cat lt-${1}.pid ${1}.pid 2>/dev/null`
+ if [ -z "$_pid" ]; then
+ return 0
+ fi
+ if kill -0 $_pid 2>/dev/null; then
+ return 1
+ fi
+ return 0
+}
+
+wait_for_slave () {
+ wait_for "iprop versions to change and/or slave to catch up" get_iprop_ver "$@"
+}
+
+wait_for_slave2 () {
+ wait_for "iprop versions to change and/or second slave to catch up" get_iprop_ver2 "$@"
+}
+
+wait_for_master_down () {
+ wait_for "master to exit" check_pidfile_is_dead ipropd-master
+}
+
+wait_for_slave_down () {
+ wait_for "slave to exit" check_pidfile_is_dead ipropd-slave
+}
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f current*.log
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log messages.log
+
+> messages.log
+> messages.log2
+
+echo Creating database
+${kadmin} -l \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} -l add -p foo --use-defaults user@${R} || exit 1
+
+${kadmin} -l add --random-key --use-defaults iprop/localhost@${R} || exit 1
+${kadmin} -l ext -k ${keytab} iprop/localhost@${R} || exit 1
+${kadmin} -l add --random-key --use-defaults iprop/slave.test.h5l.se@${R} || exit 1
+${kadmin} -l ext -k ${keytab} iprop/slave.test.h5l.se@${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo "Test log recovery"
+${kadmin} -l add --random-key --use-defaults recovtest@${R} || exit 1
+# Test theory: save the log, make a change and save the record it
+# produced, restore the log, append to it the saved record, then add dummy
+# record.
+
+# Save the log
+cp current.log current.log.tmp
+ls -l current.log.tmp | awk '{print $5}' > tmp
+read sz < tmp
+# Make a change
+${kadmin} -l mod -a requires-pre-auth recovtest@${R} || exit 1
+${kadmin} -l get recovtest@${R} | grep 'Attributes: requires-pre-auth$' > /dev/null || exit 1
+# Save the resulting log record
+ls -l current.log | awk '{print $5}' > tmp
+read nsz < tmp
+rm tmp
+dd bs=1 if=current.log skip=$sz of=current.log.tmp.saved-record count=`expr $nsz - $sz` 2>/dev/null
+# Undo the change
+${kadmin} -l mod -a -requires-pre-auth recovtest@${R} || exit 1
+${kadmin} -l get recovtest@${R} | grep 'Attributes:.$' > /dev/null || exit 1
+# Restore the log
+cp current.log current.log.save
+mv current.log.tmp current.log
+# Append the saved record
+cat current.log.tmp.saved-record >> current.log
+rm current.log.tmp.saved-record
+# Check that we still see the principal as modified after another write forcing
+# log recovery.
+${kadmin} -l add --random-key --use-defaults dummy@${R} || exit 1
+${kadmin} -l del dummy@${R} || exit 1
+${kadmin} -l get recovtest@${R} | grep 'Attributes: requires-pre-auth$' > /dev/null || exit 1
+
+# -- foo
+ipds=
+ipdm=
+kdcpid=
+
+> iprop-stats
+> iprop-stats2
+rm -f iprop-slave-status iprop-slave-status2
+
+ipropd_slave2=$ipropd_slave
+ipropd_master2=$ipropd_master
+ipropd_slave="${ipropd_slave} --status-file=iprop-slave-status --port=$ipropport"
+ipropd_slave="${ipropd_slave} --hostname=slave.test.h5l.se -k ${keytab}"
+ipropd_slave="${ipropd_slave} --detach localhost"
+ipropd_master="${ipropd_master} --hostname=localhost -k ${keytab}"
+ipropd_master="${ipropd_master} --port=$ipropport"
+ipropd_master="${ipropd_master} --database=${objdir}/current-db --detach"
+
+ipropd_slave2="${ipropd_slave2} --status-file=iprop-slave-status2 --port=$ipropport2"
+ipropd_slave2="${ipropd_slave2} --hostname=slave.test.h5l.se -k ${keytab}"
+ipropd_slave2="${ipropd_slave2} --pidfile-basename=ipropd-slave2"
+ipropd_slave2="${ipropd_slave2} --detach localhost"
+ipropd_master2="${ipropd_master2} --hostname=localhost -k ${keytab}"
+ipropd_master2="${ipropd_master2} --port=$ipropport2"
+ipropd_master2="${ipropd_master2} --pidfile-basename=ipropd-master2"
+ipropd_master2="${ipropd_master2} --database=${objdir}/current-db.slave --detach"
+
+cleanup() {
+ echo 'killing ipropd s + m + kdc'
+ test -n "$ipdm" && kill -9 $ipdm >/dev/null 2>/dev/null
+ test -n "$ipdm2" && kill -9 $ipdm2 >/dev/null 2>/dev/null
+ test -n "$ipds" && kill -9 $ipds >/dev/null 2>/dev/null
+ test -n "$ipds2" && kill -9 $ipds2 >/dev/null 2>/dev/null
+ test -n "$kdcpid" && kill -9 $kdcpid >/dev/null 2>/dev/null
+ tail messages.log
+ tail iprop-stats
+ exit 1
+}
+trap cleanup EXIT
+
+echo Starting kdc ; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+echo "starting master" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+${ipropd_master} || { echo "ipropd-master failed to start"; exit 1; }
+ipdm=`getpid ipropd-master`
+
+echo "starting slave" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropd_slave} || { echo "ipropd-slave failed to start"; exit 1; }
+ipds=`getpid ipropd-slave`
+sh ${wait_kdc} ipropd-slave messages.log 'slave status change: up-to-date' || exit 1
+get_iprop_ver || exit 1
+
+echo "checking slave is up"
+${EGREP} 'iprop/slave.test.h5l.se@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+${EGREP} 'up-to-date with version' iprop-slave-status >/dev/null || { echo "slave to up to date" ; cat iprop-slave-status ; exit 1; }
+
+# Also setup a second master on the slave, then a second slave to pull from the
+# second master.
+echo "starting master2" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+KRB5_CONFIG="${objdir}/krb5-master2.conf" \
+${ipropd_master2} || { echo "second ipropd-master failed to start"; exit 1; }
+ipdm2=`getpid ipropd-master2`
+
+echo "starting slave2" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+KRB5_CONFIG="${objdir}/krb5-slave2.conf" \
+${ipropd_slave2} || { echo "ipropd-slave failed to start"; exit 1; }
+ipds2=`getpid ipropd-slave2`
+sh ${wait_kdc} ipropd-slave messages2.log 'slave status change: up-to-date' || exit 1
+wait_for "Slave sees new host" get_iprop_ver2 0 || exit 1
+
+# ----------------- checking: pushing lives changes
+
+slave_get() { KRB5_CONFIG="${objdir}/krb5-slave.conf" ${kadmin} -l get "$@"; }
+slave_check_exists() {
+ # Creation with a random key is not atomic, there are at present
+ # 3 log entries to create a random key principal, the entry is
+ # "invalid" for the first two of these. We wait for the entry to
+ # exist and not be invalid
+ #
+ attrs=`slave_get -o attributes "$@" 2>/dev/null` || return 1
+ echo $attrs | egrep 'Attributes:' | egrep -v invalid >/dev/null || return 1
+ get_iprop_ver 0
+}
+
+echo "Add host"
+${kadmin} -l add --random-key --use-defaults host/foo@${R} || exit 1
+wait_for_slave
+wait_for "Slave sees new host" slave_check_exists "host/foo@${R}"
+
+echo "Rollover host keys"
+${kadmin} -l cpw -r --keepold host/foo@${R} || exit 1
+${kadmin} -l cpw -r --keepold host/foo@${R} || exit 1
+${kadmin} -l cpw -r --keepold host/foo@${R} || exit 1
+wait_for_slave 3
+slave_get host/foo@${R} | \
+ ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' '
+' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d '
+' | ${EGREP} 1234 > /dev/null || exit 1
+
+wait_for_slave2 4
+
+echo "Delete 3DES keys"
+${kadmin} -l del_enctype host/foo@${R} des3-cbc-sha1
+wait_for_slave
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} | \
+ ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' '
+' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d '
+' | ${EGREP} 1234 > /dev/null || exit 1
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} | \
+ ${EGREP} 'Keytypes:.*des3-cbc-sha1' > /dev/null && exit 1
+
+echo "Change policy host"
+${kadmin} -l modify --policy=default host/foo@${R} || exit 1
+wait_for_slave
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} > /dev/null 2>/dev/null || exit 1
+
+echo "Rename host"
+${kadmin} -l rename host/foo@${R} host/bar@${R} || exit 1
+wait_for_slave
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} > /dev/null 2>/dev/null && exit 1
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/bar@${R} > /dev/null || exit 1
+
+wait_for_slave2 3
+
+echo "Delete host"
+${kadmin} -l delete host/bar@${R} || exit 1
+wait_for_slave
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/bar@${R} > /dev/null 2>/dev/null && exit 1
+
+# See note below in LMDB sanity checking
+echo "Re-add host"
+${kadmin} -l add --random-key --use-defaults host/foo@${R} || exit 1
+${kadmin} -l add --random-key --use-defaults host/bar@${R} || exit 1
+wait_for_slave 2
+wait_for "Slave sees re-added host" slave_check_exists "host/bar@${R}"
+
+wait_for_slave2 3
+
+echo "kill slave and remove log and database"
+> iprop-stats
+sh ${leaks_kill} ipropd-slave $ipds || exit 1
+rm -f iprop-slave-status
+
+wait_for_slave_down
+${EGREP} 'iprop/slave.test.h5l.se@TEST.H5L.SE.*Down' iprop-stats >/dev/null || exit 1
+
+# ----------------- checking: slave is missing changes while down
+
+rm current.slave.log current-db.slave* || exit 1
+
+echo "doing changes while slave is down"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+
+echo "Making a copy of the master log file"
+cp ${objdir}/current.log ${objdir}/current.log.tmp
+
+# ----------------- checking: checking that master and slaves resyncs
+
+echo "starting slave again" ; > messages.log
+> iprop-stats
+env ${HEIM_MALLOC_DEBUG} \
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropd_slave} || { echo "ipropd-slave failed to start"; exit 1; }
+ipds=`getpid ipropd-slave`
+
+echo "checking slave is up again"
+wait_for "slave to start and connect to master" \
+ ${EGREP} 'iprop/slave.test.h5l.se@TEST.H5L.SE.*Up' iprop-stats >/dev/null
+wait_for_slave 2
+wait_for_slave2 2
+${EGREP} 'up-to-date with version' iprop-slave-status >/dev/null || { echo "slave not up to date" ; cat iprop-slave-status ; exit 1; }
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+echo "compare versions on master and slave logs (no lock)"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iprop_log} last-version -n > slave-last.tmp
+${iprop_log} last-version -n > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+echo "kill slave and remove log and database"
+sh ${leaks_kill} ipropd-slave $ipds || exit 1
+wait_for_slave_down
+
+rm current.slave.log current-db.slave* || exit 1
+> iprop-stats
+rm -f iprop-slave-status
+echo "starting slave" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropd_slave} || { echo "ipropd-slave failed to start"; exit 1; }
+ipds=`getpid ipropd-slave`
+wait_for_slave 0
+
+echo "checking slave is up again"
+wait_for "slave to start and connect to master" \
+ ${EGREP} 'iprop/slave.test.h5l.se@TEST.H5L.SE.*Up' iprop-stats >/dev/null
+${EGREP} 'up-to-date with version' iprop-slave-status >/dev/null || { echo "slave not up to date" ; cat iprop-slave-status ; exit 1; }
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+# ----------------- checking: checking live truncation of master log
+
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+wait_for_slave
+wait_for_slave2
+
+echo "live truncate on master log"
+${iprop_log} truncate -K 5 || exit 1
+wait_for_slave 0
+
+echo "Killing master and slave"
+sh ${leaks_kill} ipropd-master $ipdm || exit 1
+sh ${leaks_kill} ipropd-slave $ipds || exit 1
+
+rm -f iprop-slave-status
+
+wait_for_slave_down
+wait_for_master_down
+
+echo "compare versions on master and slave logs"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iprop_log} last-version > slave-last.tmp
+${iprop_log} last-version > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+# ----------------- checking: master going backward
+> iprop-stats
+> messages.log
+
+echo "Going back to old version of the master log file"
+cp ${objdir}/current.log.tmp ${objdir}/current.log
+
+echo "starting master" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+${ipropd_master} || { echo "ipropd-master failed to start"; exit 1; }
+ipdm=`getpid ipropd-master`
+
+echo "starting slave" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropd_slave} || { echo "ipropd-slave failed to start"; exit 1; }
+ipds=`getpid ipropd-slave`
+wait_for_slave -1
+
+echo "checking slave is up again"
+wait_for "slave to start and connect to master" \
+ ${EGREP} 'iprop/slave.test.h5l.se@TEST.H5L.SE.*Up' iprop-stats >/dev/null
+${EGREP} 'up-to-date with version' iprop-slave-status >/dev/null || { echo "slave to up to date" ; cat iprop-slave-status ; exit 1; }
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+echo "pushing one change"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+wait_for_slave
+wait_for_slave2 0
+
+echo "Killing master"
+sh ${leaks_kill} ipropd-master $ipdm || exit 1
+
+wait_for_master_down
+
+wait_for "slave to disconnect" \
+ ${EGREP} 'disconnected' iprop-slave-status >/dev/null
+
+if ! tail -30 messages.log | grep 'disconnected for server' > /dev/null; then
+ echo "client didnt disconnect"
+ exit 1
+fi
+
+echo "probing for slave pid"
+kill -0 ${ipds} || { echo "slave no longer there"; exit 1; }
+
+> messages.log
+
+echo "Staring master again" ; > messages.log
+env ${HEIM_MALLOC_DEBUG} \
+${ipropd_master} || { echo "ipropd-master failed to start"; exit 1; }
+ipdm=`getpid ipropd-master`
+
+echo "probing for slave pid"
+kill -0 ${ipds} || { echo "slave no longer there"; exit 1; }
+
+
+echo "pushing one change"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+wait_for_slave
+wait_for_slave2
+
+echo "shutting down all services"
+
+leaked=false
+sh ${leaks_kill} kdc $kdcpid || leaked=true
+sh ${leaks_kill} ipropd-master $ipdm || leaked=true
+sh ${leaks_kill} ipropd-slave $ipds || leaked=true
+sh ${leaks_kill} ipropd-master $ipdm2 || leaked=true
+sh ${leaks_kill} ipropd-slave $ipds2 || leaked=true
+rm -f iprop-slave-status
+trap "" EXIT
+$leaked && exit 1
+
+echo "compare versions on master and slave logs"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iprop_log} last-version > slave-last.tmp
+${iprop_log} last-version > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+if [ "$db_type" = lmdb ] && type mdb_stat > /dev/null 2>&1; then
+ # Sanity check that we have the same number of principals at the HDB
+ # and LMDB levels.
+ #
+ # We should also do this for the sqlite backend, but that would
+ # require a sqlite3(1) shell that is capable of opening our HDB
+ # files.
+ echo "checking that principals in DB == entries in LMDB"
+ # Add one to match lmdb overhead
+ princs=`(echo; ${kadmin} -l list '*') | wc -l`
+ entries=`mdb_stat -n current-db.mdb | grep 'Entries:' | awk '{print $2}'`
+ [ "$princs" -eq "$entries" ] || exit 1
+fi
+
+exit 0
diff --git a/third_party/heimdal/tests/kdc/check-kadmin.in b/third_party/heimdal/tests/kdc/check-kadmin.in
new file mode 100644
index 0000000..45d679c
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-kadmin.in
@@ -0,0 +1,412 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+srcdir="@srcdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+admport=@admport@
+
+cache="FILE:${objdir}/cache.krb5"
+
+kadmin="${kadmin} -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+kadmind="${kadmind} -p $admport"
+
+server=host/datan.test.h5l.se
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+foopassword="fooLongPasswordYo123;"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+> messages.log
+
+echo Creating database
+${kadmin} -l \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} -l add -p "$foopassword" --use-defaults foo/admin@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults bar@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults baz@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults bez@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults fez@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults hasalias@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults pkinit@${R} || exit 1
+${kadmin} -l modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults prune@${R} || exit 1
+${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1
+${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1
+${kadmin} -l add -p "$foopassword" --use-defaults pruneall@${R} || exit 1
+${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1
+${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1
+
+echo "$foopassword" > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid} ${kadmpid}" EXIT
+
+#----------------------------------
+echo "kinit (no admin); test mod --alias authorization"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} hasalias@${R} || exit 1
+
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+# Check that one non-permitted alias -> failure
+env KRB5CCNAME=${cache} \
+${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=badalias@${R} hasalias@${R} &&
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+# Check that all permitted aliases -> success
+env KRB5CCNAME=${cache} \
+${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} hasalias@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+# Check that we can drop aliases
+env KRB5CCNAME=${cache} \
+${kadmin} -p hasalias@${R} modify --alias=goodalias3@${R} hasalias@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp
+read junk aliases < kadmin.tmp
+rm kadmin.tmp
+[ "$aliases" != "goodalias3@${R}" ] && { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+env KRB5CCNAME=${cache} \
+${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} --alias=goodalias3@${R} hasalias@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp
+read junk aliases < kadmin.tmp
+rm kadmin.tmp
+[ "$aliases" != "goodalias1@${R} goodalias2@${R} goodalias3@${R}" ] && { echo "FOO failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} bar@${R} || exit 1
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p bar@${R} add -p "$foopassword" --use-defaults kaka2@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+${kadmin} -l get kaka2@${R} > /dev/null ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} baz@${R} || exit 1
+echo "kadmin globacl"
+env KRB5CCNAME=${cache} \
+${kadmin} -p baz@${R} get bar@${R} > /dev/null ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} baz@${R} || exit 1
+echo "kadmin globacl, negative"
+env KRB5CCNAME=${cache} \
+${kadmin} -p baz@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null &&
+ { echo "kadmin succesded $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} baz@${R} || exit 1
+echo "kadmin globacl"
+env KRB5CCNAME=${cache} \
+${kadmin} -p baz@${R} get bar@${R} > /dev/null ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} bez@${R} || exit 1
+echo "kadmin globacl, negative"
+env KRB5CCNAME=${cache} \
+${kadmin} -p bez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null &&
+ { echo "kadmin succesded $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} fez@${R} || exit 1
+echo "kadmin globacl"
+env KRB5CCNAME=${cache} \
+${kadmin} -p fez@${R} get bar@${R} > /dev/null ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} fez@${R} || exit 1
+echo "kadmin globacl, negative"
+env KRB5CCNAME=${cache} \
+${kadmin} -p fez@${R} passwd -p "$foopassword" bar@${R} > /dev/null 2>/dev/null &&
+ { echo "kadmin succesded $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} foo/admin@${R} || exit 1
+
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} add -p "$foopassword" --use-defaults kaka@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} add -p abc --use-defaults kaka@${R} &&
+ { echo "kadmin succeeded $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get doesnotexists"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -s doesnotexists@${R} \
+ > /dev/null 2>kadmin.tmp && \
+ { echo "kadmin passed"; cat messages.log ; exit 1; }
+
+# evil hack to support libtool
+sed 's/lt-kadmin:/kadmin:/' < kadmin.tmp > kadmin2.tmp
+mv kadmin2.tmp kadmin.tmp
+
+# If client tried IPv6, but service only listened on IPv4
+grep -v ': connect' kadmin.tmp > kadmin2.tmp
+mv kadmin2.tmp kadmin.tmp
+
+cmp kadmin.tmp ${srcdir}/donotexists.txt || \
+ { echo "wrong response"; exit 1;}
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get pkinit-acl"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -o pkinit-acl pkinit@${R} \
+ > /dev/null || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get -o principal"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -o principal bar@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+if test "`cat kadmin.tmp`" != "Principal: bar@TEST.H5L.SE" ; then
+ cat kadmin.tmp ; cat messages.log ; exit 1 ;
+fi
+
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get -o kvno"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -o kvno bar@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+if test "`cat kadmin.tmp`" != "Kvno: 1" ; then
+ cat kadmin.tmp ; cat messages.log ; exit 1 ;
+fi
+
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get -o princ_expire_time"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -o princ_expire_time bar@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+if test "`cat kadmin.tmp`" != "Principal expires: never" ; then
+ cat kadmin.tmp ; cat messages.log ; exit 1 ;
+fi
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get -s -o attributes"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -s -o attributes bar@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+if test "`cat kadmin.tmp`" != "Attributes" ; then
+ cat kadmin.tmp ; cat messages.log ; exit 1 ;
+fi
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin prune"
+env KRB5CCNAME=${cache} \
+${kadmin} prune --kvno=2 prune@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+env KRB5CCNAME=${cache} \
+${kadmin} get prune@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+
+cat kadmin.tmp | ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' '
+' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d '
+' | ${EGREP} '^13$' > /dev/null || \
+ { echo "kadmin prune failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin pruneall"
+env KRB5CCNAME=${cache} \
+${kadmin} get pruneall@${R} \
+ > kadmin.tmp 2>&1 || \
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
+
+cat kadmin.tmp | ${EGREP} Keytypes: | cut -d: -f2 | tr ' ' '
+' | sed 's/^.*[[]\(.*\)[]].*$/\1/' | grep '[0-9]' | sort -nu | tr -d '
+' | ${EGREP} '^3$' > /dev/null || \
+ { echo "kadmin pruneall failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+
+echo "killing kdc (${kdcpid} ${kadmpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-kdc-weak.in b/third_party/heimdal/tests/kdc/check-kdc-weak.in
new file mode 100644
index 0000000..182f530
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-kdc-weak.in
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Copyright (c) 2009 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+objdir="@objdir@"
+
+exec ${top_builddir}/tests/kdc/check-kdc ${objdir}/krb5-weak.conf
diff --git a/third_party/heimdal/tests/kdc/check-kdc.in b/third_party/heimdal/tests/kdc/check-kdc.in
new file mode 100644
index 0000000..e53293b
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-kdc.in
@@ -0,0 +1,1097 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+KRB5_CONFIG="${1-${objdir}/krb5.conf}"
+export KRB5_CONFIG
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+RH=TEST-HTTP.H5L.SE
+R2=TEST2.H5L.SE
+R3=TEST3.H5L.SE
+R4=TEST4.H5L.SE
+R5=SOME-REALM5.FR
+R6=SOME-REALM6.US
+R7=SOME-REALM7.UK
+R8=SOME-REALM8.UK
+
+H1=H1.$R
+H2=H2.$R
+H3=H3.$H2
+H4=H4.$H2
+
+r=`echo "$R" | tr '[A-Z]' '[a-z]'`
+h1=`echo "${H1}" | tr '[A-Z]' '[a-z]'`
+h2=`echo "${H2}" | tr '[A-Z]' '[a-z]'`
+h3=`echo "${H3}" | tr '[A-Z]' '[a-z]'`
+h4=`echo "${H4}" | tr '[A-Z]' '[a-z]'`
+
+port=@port@
+pwport=@pwport@
+
+kadmin5="${kadmin} -l -r $R5"
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+kpasswdd="${kpasswdd} --addresses=localhost -p $pwport"
+
+server=host/datan.test.h5l.se
+server2=host/computer.example.com
+server3=host/refer-me-out.test.h5l.se
+server4=host/no-auth-data-reqd.test.h5l.se
+server5=host/a-host.refer-all-out.test.h5l.se
+namespace=WELLKNOWN/HOSTBASED-NAMESPACE/_/refer-all-out.test.h5l.se
+serverip=host/10.11.12.13
+serveripname=host/ip.test.h5l.org
+serveripname2=host/10.11.12.14
+alias1=host/datan.example.com
+alias2=host/datan
+aliaskeytab=host/datan
+cache="FILE:${objdir}/cache.krb5"
+ocache="FILE:${objdir}/ocache.krb5"
+o2cache="FILE:${objdir}/o2cache.krb5"
+icache="FILE:${objdir}/icache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+ps="proxy-service@${R}"
+rps="restricted-proxy-service@${R}"
+aesenctype="aes256-cts-hmac-sha1-96"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist2="${klist} -c $o2cache"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
+test_set_kvno0="${test_set_kvno0} -c $cache"
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R2} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R3} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R4} || exit 1
+
+${kadmin5} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R5} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R6} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R7} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R8} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${H1} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${H2} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${H3} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${H4} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${RH} || exit 1
+
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R2} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R3} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R4} || exit 1
+${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
+${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
+${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
+${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
+${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1
+${kadmin} add -p foo --use-defaults foo@${H3} || exit 1
+${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1
+${kadmin} add -p foo --use-defaults foo@${H4} || exit 1
+${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1
+${kadmin} add -p bar --use-defaults bar@${R} || exit 1
+${kadmin} add -p foo --use-defaults remove@${R} || exit 1
+${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1
+${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1
+${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
+${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
+${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
+${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
+${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
+
+${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1
+${kadmin} add -p foo --use-defaults ${ps} || exit 1
+${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
+${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${ps} || exit 1
+
+# Note: rps is not trusted-for-delegation
+${kadmin} add -p foo --use-defaults ${rps} || exit 1
+${kadmin} modify --constrained-delegation=${server} ${rps} || exit 1
+${kadmin} ext -k ${keytab} ${rps} || exit 1
+
+${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
+${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
+${kadmin} add -p foo --use-defaults referral-placeholder@${R5} || exit 1
+${kadmin} add_alias referral-placeholder@${R5} ${server3}@${R} || exit 1
+${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1
+${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1
+${kadmin} add_alias referral-placeholder@${R5} ${namespace}@${R} || exit 1
+${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1
+${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1
+${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
+${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
+${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
+
+${kadmin} add -p nopac --use-defaults ${server4}@${R2} || exit 1
+${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} || exit 1
+${kadmin} ext -k ${keytab} ${server4}@${R2} || exit 1
+
+${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
+${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} || exit 1
+${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} || exit 1
+
+${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} || exit 1
+
+${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
+${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1
+${kadmin} modify --pw-expiration-time=2012-06-12 pw-expired@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1
+${kadmin} modify --expiration-time=2012-06-12 account-expired@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${RH} || exit 1
+
+echo "Check parser"
+${kadmin} add -p foo --use-defaults -- -p || exit 1
+${kadmin} delete -- -p || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+${kadmin} check ${R3} || exit 1
+${kadmin} check ${R4} || exit 1
+${kadmin5} check ${R5} || exit 1
+${kadmin} check ${R6} || exit 1
+${kadmin} check ${R7} || exit 1
+${kadmin} check ${R8} || exit 1
+${kadmin} check ${H1} || exit 1
+${kadmin} check ${H2} || exit 1
+${kadmin} check ${H3} || exit 1
+${kadmin} check ${H4} || exit 1
+
+echo "Extracting enctypes"
+${ktutil} -k ${keytab} list > tempfile || exit 1
+${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
+ ${EGREP} -v "$server" | # we did cpw for this one
+ awk '$1 !~ /1/ { exit 1 }' || exit 1
+${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
+ ${EGREP} "$server" | head -1 |
+ awk '$1 !~ /3/ { exit 1 }' || exit 1
+
+
+${kadmin} get foo@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`
+
+enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
+enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
+
+echo "deleting all but des enctypes on kt-des3 in keytab"
+${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
+for a in ${enctype_sans_des3} ; do
+ ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
+done
+
+echo "checking globbing keys rules"
+${kadmin} get foo/des3-only@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
+if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then
+ echo "des3 only is not only des3: $enctypes"
+ exit 1
+fi
+
+${kadmin} get foo/aes-only@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
+if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then
+ echo "aes only is not only aes: $enctypes"
+ exit 1
+fi
+
+
+echo foo > ${objdir}/foopassword
+echo notfoo > ${objdir}/notfoopassword
+
+echo Starting kdc ; > messages.log
+env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
+${kdc} --detach --testing ||
+ { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+echo Starting kpasswdd; > messages.log
+env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach ||
+ { echo "kpasswdd failed to start"; exit 1; }
+kpasswddpid=`getpid kpasswdd`
+
+
+trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets with wrong password"; > messages.log
+${kadmin} modify --attributes=+disallow-client ${server} || exit 1
+${kinit} --password-file=${objdir}/notfoopassword \
+ foo@${R} 2>kinit-log.tmp && \
+ { ec=1 ; eval "${testfailed}"; }
+grep 'Password incorrect' kinit-log.tmp > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Doing krbtgt key rollover"; > messages.log
+${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1
+echo "Getting tickets"; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets (http transport)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Testing capaths logic"
+${kinit} --password-file=${objdir}/foopassword \
+ -e ${aesenctype} -e ${aesenctype} \
+ foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting x-realm tickets with capaths for $R -> $R2"
+${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R3"
+${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R4"
+${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R5"
+${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R6"
+${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R7"
+${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
+echo "Should not get x-realm tickets with capaths for $R -> $R8"
+${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Testing capaths logic (reverse order)"
+${kinit} --password-file=${objdir}/foopassword \
+ -e ${aesenctype} -e ${aesenctype} \
+ foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting x-realm tickets with capaths for $R -> $R4"
+${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R3"
+${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R2"
+${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R7"
+${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R6"
+${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with capaths for $R -> $R5"
+${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
+echo "Testing HDB referral entry"
+${kgetcred} --canonicalize ${server3}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Testing HDB namespace referral entry"
+${kgetcred} --canonicalize ${server5}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist}
+${kdestroy}
+
+echo "Testing hierarchical referral logic"
+${kinit} --password-file=${objdir}/foopassword \
+ -e ${aesenctype} -e ${aesenctype} \
+ foo@${H3} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting x-realm tickets with HDB referral alias for $R1 -> $R3"
+${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
+${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
+fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
+${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
+fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
+${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
+fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Testing multi-hop [capaths] referral logic"
+${kinit} --password-file=${objdir}/foopassword \
+ -e ${aesenctype} -e ${aesenctype} \
+ foo@${H4} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting x-realm tickets with [capaths] referrals for $H4 -> $H1"
+${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Testing forwardable/renewable flag copying in TGS-REQ"
+${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -f | grep ${server} | grep FRA > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Testing strip of forwardable when the server is disallowed in TGS-REQ"
+${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -f | grep sensitive | grep FRA > /dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Specific enctype"; > messages.log
+${kinit} --password-file=${objdir}/foopassword \
+ -e ${aesenctype} -e ${aesenctype} \
+ foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+for a in $enctypes; do
+ echo "Getting client initial tickets ($a)"; > messages.log
+ ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+ echo "Getting tickets"; > messages.log
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+done
+
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting tickets ($a)"; > messages.log
+ ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server}@${R}
+done
+${kdestroy}
+
+echo "Getting client initial tickets without PAC"; > messages.log
+${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting tickets ($a)"; > messages.log
+ ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}@${R} ${keytab} ${cache} && \
+ { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server}@${R}
+done
+${kdestroy}
+
+echo "Getting client initial tickets with PAC"; > messages.log
+${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
+ ${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
+ { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server4}@${R2}
+done
+${kdestroy}
+
+echo "Getting client authenticated anonymous initial tickets"; > messages.log
+${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting tickets ($a)"; > messages.log
+ ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server}@${R}
+done
+${kdestroy}
+
+echo "Getting client anonymous service tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting tickets ($a)"; > messages.log
+ ${kgetcred} -n -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server}@${R}
+done
+${kdestroy}
+
+echo "Getting client initial tickets for cross realm case"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting cross realm tickets ($a)"; > messages.log
+ ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+ echo " checking we we got back right ticket"
+ ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo " checking if ticket is useful"
+ ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server2}@${R2}
+done
+${kdestroy}
+
+echo "Trying x-realm TGT with kvno 0 case";
+${kinit} --password-file=${objdir}/foopassword foo@$R ||
+ { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting cross realm tickets"; > messages.log
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting service ticket"; > messages.log
+${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying x-realm TGT with kvno 0 case with key rollover";
+${kinit} --password-file=${objdir}/foopassword foo@$R ||
+ { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting cross realm tickets"; > messages.log
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Rolling over cross realm keys"; > messages.log
+${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
+echo "Getting service ticket"; > messages.log
+echo "Start tracing kdc, then hit return"
+${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying x-realm TGT with no kvno case";
+${kinit} --password-file=${objdir}/foopassword foo@$R ||
+ { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting cross realm tickets"; > messages.log
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting service ticket"; > messages.log
+${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying x-realm TGT with no kvno case with key rollover";
+${kinit} --password-file=${objdir}/foopassword foo@$R ||
+ { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting cross realm tickets"; > messages.log
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Rolling over cross realm keys"; > messages.log
+${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting service ticket"; > messages.log
+echo "Start tracing kdc, then hit return"
+${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "try all permutations"; > messages.log
+for a in $enctypes; do
+ echo "Getting client initial tickets ($a)"; > messages.log
+ ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+ for b in $enctypes; do
+ echo "Getting tickets ($a -> $b)"; > messages.log
+ ${kgetcred} -e $b ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server}@${R}
+ done
+ ${kdestroy}
+done
+
+echo "Getting client initial tickets ip based name"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+echo "Getting ip based name tickets"; > messages.log
+${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo " checking we we got back right ticket"
+${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
+echo " checking if ticket is useful"
+${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets ip based name (alias)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+for a in ${serveripname} ${serveripname2} ; do
+ echo "Getting ip based name tickets (alias) $a"; > messages.log
+ ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
+ echo " checking we we got back right ticket"
+ ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
+ echo " checking if ticket is useful"
+ ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+done
+${kdestroy}
+
+echo "Getting server initial tickets"; > messages.log
+${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ; eval "${testfailed}"; }
+${kadmin} modify --attributes=-disallow-client ${server} || exit 1
+${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} | grep "Principal: ${server}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting key for key that are a subset in keytab compared to kdb"
+${kinit} --keytab=${keytab} kt-des3@${R}
+${klist} | grep "Principal: kt-des3" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "initial tickets for deleted user test case"; > messages.log
+${kinit} --password-file=${objdir}/foopassword remove@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "try getting ticket with deleted user"; > messages.log
+${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "cross realm case (deleted user)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kadmin} delete remove2@${R2} || exit 1
+${kgetcred} ${server}@${R} 2> /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "rename user"; > messages.log
+${kadmin} add -p foo --use-defaults rename@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kadmin} rename rename@${R} rename2@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+${kadmin} delete rename2@${R} || exit 1
+
+echo "rename user to another realm"; > messages.log
+${kadmin} add -p foo --use-defaults rename@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kadmin} rename rename@${R} rename@${R2} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+${kadmin} delete rename@${R2} || exit 1
+
+echo deleting all but aes enctypes on krbtgt
+${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
+
+echo deleting all but des enctypes on server-des3
+${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
+${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1
+
+echo "try all permutations (only aes)"; > messages.log
+for a in $enctypes; do
+ echo "Getting client initial tickets ($a)"; > messages.log
+ ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
+ { ec=1 ; eval "${testfailed}"; }
+ for b in $enctypes; do
+ echo "Getting tickets ($a -> $b)"; > messages.log
+ ${kgetcred} -e $b ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+ echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
+ ${kgetcred} ${server}-des3@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+ ${kdestroy} --credential=${server}@${R}
+ ${kdestroy} --credential=${server}-des3@${R}
+ done
+ ${kdestroy}
+done
+
+echo deleting all enctypes on krbtgt
+${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "try initial ticket w/o and keys on krbtgt"
+${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+echo "adding random aes key"
+${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "try initial ticket with random aes key on krbtgt"
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+rsa=yes
+ecdsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+ rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+ rsa=no
+fi
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+ pkinit=yes
+fi
+
+if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
+ ecdsa=no
+fi
+
+
+# If we support pkinit and have RSA, lets try that
+if test "$pkinit" = yes -a "$rsa" = yes ; then
+
+ echo "try anonymous pkinit"; > messages.log
+ ${kinit} --renewable -n @${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${kinit} --renew || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ for type in "" "--pk-use-enckey"; do
+ echo "Trying pk-init (principal in certificate) $type"; > messages.log
+ ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
+ ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Trying pk-init (password protected key) $type"; > messages.log
+ ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ echo "Trying pk-init (proxy cert) $type"; > messages.log
+ ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+ done
+
+ if test "$ecdsa" = yes > /dev/null ; then
+ echo "Trying pk-init (ec certificate)"
+ > messages.log
+ ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+ grep 'PKINIT using ecdh' messages.log > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+ fi
+
+else
+ echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
+fi
+
+echo "test impersonate using rc4 based tgt"; > messages.log
+${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${ps} ${keytab} ${ocache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "tickets for impersonate test case"; > messages.log
+${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${ps} ${keytab} ${ocache} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " negative check"
+${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate unknown client"; > messages.log
+${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate account-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate pw-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test delegate sensitive client"; > messages.log
+${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation (evidence from impersonation)"; > messages.log
+${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " try using the credential"
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " negative check"
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ bar@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation evidence (evidence from TGS)"; > messages.log
+echo bar > ${objdir}/barpassword
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+# Bug #816 have a regular ticket in ${cache} for ${server} see that it isn't used
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; }
+echo " try using the credential"
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " negative check"
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ bar@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation with foreign client (evidence from TGS)"; > messages.log
+# We can't test foreign client with evidence from S4U2Self, since Heimdal doesn't support it yet
+rm -f ocache.krb5
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/foopassword foo@${R2} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${klist2} | grep "Principal: foo@${R2}" || { ec=1 ; eval "${testfailed}"; }
+echo " try using the credential"
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation impersonation (non forward)"; > messages.log
+rm -f ocache.krb5
+${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation evidence (evidence from AS)"; > messages.log
+# This fails because we don't add PAC ticket-signature in AS-REP (as Windows).
+${kinit} --cache=${ocache} --password-file=${objdir}/barpassword \
+ --forwardable --server=${ps} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --delegation-credential-cache=${ocache} ${server}@${R} && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation impersonation (missing PAC)"; > messages.log
+rm -f ocache.krb5
+${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+${kdestroy}
+
+echo "test constrained delegation NOT trusted-for-delegation (evidence from TGS)"; > messages.log
+
+${kinit} --forwardable --password-file=${objdir}/foopassword ${rps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${rps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation NOT trusted-for-delegation (evidence from impersonate, negative)"; > messages.log
+rm -f ocache.krb5
+${kgetcred_imp} --impersonate=bar@${R} ${rps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${rps} ${keytab} ${ocache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation bronze-bit attack, aka CVE-2020-17049"; > messages.log
+
+KRB5CCNAME=${ocache} KRB5_KTNAME=${keytab} ${test_mkforwardable} ${rps} ${icache} || \
+{ ec=1 ; eval "${testfailed}"; }
+
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${icache} \
+ ${server}@${R} && \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "check renewing" > messages.log
+${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "kinit -R"
+${kinit} -R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "check renewing MIT interface" > messages.log
+${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "test_renew"
+env KRB5CCNAME=${cache} ${test_renew} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "checking server aliases"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets"; > messages.log
+${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo " verify entry in keytab"
+${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " verify entry in keytab with any"
+${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " verify failure with alias entry"
+${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+echo " verify alias entry in keytab with any"
+${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "testing removal of keytab"
+${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
+test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
+
+echo "Checking client pw expire"; > messages.log
+${kinit} --password-file=${objdir}/foopassword \
+ pw-expire@${R} 2>kinit-log.tmp|| \
+ { ec=1 ; eval "${testfailed}"; }
+grep 'Your password will expire' kinit-log.tmp > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " kinit passes"
+${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null
+${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " test_gic passes"
+${kdestroy}
+
+echo "Checking password expiration" ; > messages.log
+
+kinitpty=${objdir}/foopassword.rkpty
+cat > ${kinitpty} <<EOF
+expect Password
+password foo\n
+expect Password has expired
+expect New password
+password Foobar11\n
+expect password
+password Foobar11\n
+expect Success: Password changed
+EOF
+
+echo "Checking client pw expire"; > messages.log
+${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \
+ { ec=1 ; eval "${testfailed}"; }
+
+${kdestroy}
+
+
+echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-keys.in b/third_party/heimdal/tests/kdc/check-keys.in
new file mode 100644
index 0000000..6784bb5
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-keys.in
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="."
+
+. ${env_setup}
+
+srcdir="${top_srcdir}/tests/kdc"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+principal=host/datan.test.h5l.se@${R}
+
+kadmin="${kadmin} -l -r $R"
+
+CIN=${srcdir}/krb5.conf.keys.in
+COUT=${objdir}/krb5.conf.keys
+
+sedvars="-e s,[@]srcdir[@],${srcdir},g -e s,[@]objdir[@],${objdir},g"
+
+KRB5_CONFIG="${COUT}"
+export KRB5_CONFIG
+
+rm -f ${COUT}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+sed -e 's/@keys@/v5/' \
+ ${sedvars} < ${CIN} > ${COUT}
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults ${principal} || exit 1
+
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/v4/' \
+ ${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/v4 v5/' \
+ ${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/v5 v4/' \
+ ${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/des:pw-salt:/' \
+ ${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+if [ 'X@ENABLE_AFS_STRING_TO_KEY@' = "X1" ]; then
+ sed -e 's/@keys@/des-cbc-crc:afs3-salt:test.h5l.se/' \
+ ${sedvars} < ${CIN} > ${COUT}
+ ${kadmin} cpw -p foo ${principal} || exit 1
+
+ sed -e 's/@keys@/des:afs3-salt:test.h5l.se/' \
+ ${sedvars} < ${CIN} > ${COUT}
+ ${kadmin} cpw -p foo ${principal} || exit 1
+fi
+
+exit 0
diff --git a/third_party/heimdal/tests/kdc/check-kinit.in b/third_party/heimdal/tests/kdc/check-kinit.in
new file mode 100644
index 0000000..c6cb23f
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-kinit.in
@@ -0,0 +1,149 @@
+#!/bin/bash
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+KRB5_CONFIG="${objdir}/krb5-kinit.conf"
+export KRB5_CONFIG
+KRB5CCNAME="${objdir}/foocc"
+export KRB5CCNAME
+
+testfailed="echo test failed; exit 1"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+pwport=@pwport@
+
+kinit="${kinit} --password-file=${objdir}/foopassword ${afs_no_afslog} -c ${objdir}/foocc"
+klist="${klist} -c ${objdir}/foocc"
+kgetcred="${kgetcred} -c ${objdir}/foocc"
+kdestroy="${kdestroy} ${afs_no_unlog}"
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+> messages.log
+
+num_concurrent=50
+num_princs=20
+torture_time=200
+cred_life=$((torture_time / 10))
+cred_renew_life=$((torture_time / 2))
+out=${objdir}/out-kinit-torture-kgetcred
+kinit_out=${objdir}/out-kinit-torture-kinit
+
+parent_shell_proc=$$
+
+if (($# == 0)); then
+
+ echo "This is a MANUAL test."
+
+ rm -f ${keytabfile}
+ rm -f current-db*
+ rm -f out-*
+ rm -f mkey.file*
+
+ cp "${objdir}/krb5.conf" "${objdir}/krb5-kinit.conf"
+
+ echo "Creating database"
+ ${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+ echo "Adding foo"
+ ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+
+ echo "Creating torture principals"
+ for i in $(seq 0 $((num_princs - 1)) ); do
+ ${kadmin} add -r --use-defaults svc${i}@${R} || exit 1
+ done
+
+ echo "Doing database check"
+ ${kadmin} check ${R} || exit 1
+
+ echo foo > ${objdir}/foopassword
+
+ echo Starting kdc ; > messages.log
+ ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+ kdcpid=`getpid kdc`
+
+ trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ ec=0
+else
+ echo "begin torture (output in $out)"
+ secs=$(date +%s)
+ cat /dev/null > "$out"
+ while (($(date +%s) < (secs + torture_time) )); do
+ echo .
+ for i in $(seq 0 1000); do
+ printf '%d\n' $((i % num_princs))
+ done | xargs -P $num_concurrent -I '{}' ${kgetcred} "svc{}@${R}"
+ ${klist} -v || exit 1
+ if ! kill -0 $parent_shell_proc; then
+ printf 'Parent shell script exited; exiting'
+ exit 1
+ grep 'Matching credential .* not found' messages.log > /dev/null &&
+ echo "THAT DID NOT WORK RIGHT"
+ fi
+ sleep 5
+ done
+ ${klist} -v
+ exit 0
+fi
+
+echo "checking that we have tickets"
+${kinit} -l $cred_life -r $cred_renew_life foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -v || { ec=1 ; eval "${testfailed}"; }
+echo "torturing"
+${kinit} -l $cred_life -r $cred_renew_life foo@${R} "$0" torture-me || { ec=1 ; eval "${testfailed}"; }
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-kpasswdd.in b/third_party/heimdal/tests/kdc/check-kpasswdd.in
new file mode 100644
index 0000000..39f12e1
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-kpasswdd.in
@@ -0,0 +1,194 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+testfailed="echo test failed; cat messages.log; exit \$ec"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+pwport=@pwport@
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+kpasswdd="${kpasswdd} --addresses=localhost -p $pwport"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo "Creating database for $R"
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "Creating database for ${R2}"
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults bar@${R2} || exit 1
+
+echo "Doing database check for ${R} ${R2}"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing ||
+ { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+echo Starting kpasswdd
+env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach ||
+ { echo "kpasswdd failed to start"; exit 1; }
+kpasswddpid=`getpid kpasswdd`
+
+trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc; exit \$ec;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets"; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "checking ${R}"
+
+pw=ak4unandsop39NuJ
+
+echo "Changing password"
+cat > cpw.tmp <<EOF
+expect Password
+password foo\n
+expect New password
+send ${pw}\n
+expect New password
+send ${pw}\n
+expect Success
+EOF
+
+${rkpty} cpw.tmp env ${kpasswd} foo@${R} || \
+ { ec=$? ; eval "${testfailed}"; }
+
+rm cpw.tmp
+
+echo ${pw} > ${objdir}/barpassword
+
+
+echo "Getting client initial tickets for ${R}"; > messages.log
+${kinit} --password-file=${objdir}/barpassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets"; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "checking ${R2}"
+
+cat > cpw.tmp <<EOF
+expect Password
+password foo\n
+expect New password
+send ${pw}\n
+expect New password
+send ${pw}\n
+expect Success
+EOF
+
+${rkpty} cpw.tmp ../../kpasswd/kpasswd bar@${R2} || \
+ { ec=$? ; eval "${testfailed}"; }
+
+rm cpw.tmp
+
+
+echo "Getting client initial tickets for ${R2}"; > messages.log
+${kinit} --password-file=${objdir}/barpassword bar@${R2} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "killing kdc (${kdcpid} ${kpasswddpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-pkinit.in b/third_party/heimdal/tests/kdc/check-pkinit.in
new file mode 100644
index 0000000..9f90fd0
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-pkinit.in
@@ -0,0 +1,388 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keyfile="${hx509_data}/key.der"
+keyfile2="${hx509_data}/key2.der"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klistjson="${klist} --json -c $cache"
+klistplain="${klist} -c $cache"
+klist="${klist} --hidden -v -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+kx509="${kx509} -c $cache"
+
+KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
+export KRB5_CONFIG
+
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+ rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+ rsa=no
+fi
+
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+ pkinit=yes
+fi
+
+# If we doesn't support pkinit and have RSA, give up
+if test "$pkinit" != yes -o "$rsa" != yes ; then
+ exit 77
+fi
+
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} modify --max-ticket-life=5d krbtgt/${R}@${R} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p bar --use-defaults bar@${R} || exit 1
+${kadmin} add -p baz --use-defaults baz@${R} || exit 1
+${kadmin} add -p foo --use-defaults host/server.test.h5l.se@${R} || exit 1
+${kadmin} modify --alias=baz2\\@test.h5l.se@${R} baz@${R} || exit 1
+${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+# XXX Do not use committed, in-tree private keys or certificates!
+# XXX Add hxtool command to generate a private key w/o generating a CSR
+# XXX Use hxtool to generate a fresh private key
+# XXX Use hxtool to generate self-signed CA certs
+# XXX Use PEM-FILE and store private key and certificate in same file
+# XXX Update krb5.conf.in to use ${objdir}-relative keys and certificates
+
+echo "Setting up certificates"
+${hxtool} request-create \
+ --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-kdc.der || exit 1
+${hxtool} request-create \
+ --subject="CN=bar,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-pkinit.der || exit 1
+${hxtool} request-create \
+ --subject="CN=baz,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-pkinit2.der || exit 1
+
+echo "issue self-signed ca cert"
+${hxtool} issue-certificate \
+ --self-signed \
+ --issue-ca \
+ --ca-private-key=FILE:${keyfile} \
+ --subject="CN=CA,DC=test,DC=h5l,DC=se" \
+ --certificate="FILE:ca.crt" || exit 1
+
+echo "issue kdc certificate"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-kdc" \
+ --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
+ --req="PKCS10:req-kdc.der" \
+ --certificate="FILE:kdc.crt" || exit 1
+
+echo "issue user certificate (pkinit san)"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="bar@TEST.H5L.SE" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit.crt" || exit 1
+
+echo "issue user certificate (pkinit san; synthetic principal)"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="synthetized@TEST.H5L.SE" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --certificate="FILE:pkinit-synthetic.crt" || exit 1
+
+echo "issue user 2 certificate (no san)"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --req="PKCS10:req-pkinit2.der" \
+ --certificate="FILE:pkinit2.crt" || exit 1
+
+echo "issue user 3 certificate (ms san)"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --ms-upn="bar@test.h5l.se" \
+ --req="PKCS10:req-pkinit2.der" \
+ --certificate="FILE:pkinit3.crt" || exit 1
+
+echo "issue user 3 certificate (ms san, baz2)"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --ms-upn="baz2\\@test.h5l.se@${R}" \
+ --req="PKCS10:req-pkinit2.der" \
+ --certificate="FILE:pkinit4.crt" || exit 1
+
+echo "issue self-signed kx509 template cert"
+${hxtool} issue-certificate \
+ --self-signed \
+ --ca-private-key=FILE:${keyfile} \
+ --subject='CN=${principal-component0},DC=test,DC=h5l,DC=se' \
+ --certificate="FILE:kx509-template.crt" || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+KRB5_CONFIG="${objdir}/krb5-pkinit2.conf"
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap 'kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt; exit 1;' EXIT
+
+ec=0
+
+echo "Trying pk-init (principal in cert; longer max_life)"; > messages.log
+base="${objdir}"
+${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist}
+if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
+ ${klistjson} |
+ jq -e '(((.tickets[0].Expires|
+ strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
+ (floor < 4)' >/dev/null &&
+ { ec=1 ; eval "${testfailed}"; }
+fi
+${kdestroy}
+
+echo "Trying pk-init (principal in cert; synthetic)"; > messages.log
+base="${objdir}"
+${kinit} --lifetime=5d -C FILE:${base}/pkinit-synthetic.crt,${keyfile2} synthetized@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist}
+${kdestroy}
+
+echo "Restarting kdc ($kdcpid)"
+sh ${leaks_kill} kdc $kdcpid || ec=1
+KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+echo "Trying pk-init (principal in cert)"; > messages.log
+base="${objdir}"
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist}
+if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
+ ${klistjson} |
+ jq -e '(((.tickets[0].Expires|
+ strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
+ (floor > 1)' >/dev/null &&
+ { ec=1 ; eval "${testfailed}"; }
+fi
+${kdestroy}
+
+echo "Trying pk-init (principal in cert; longer max_life from cert ext)"; > messages.log
+# Re-issue cert with --pkinit-max-life=7d
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="bar@TEST.H5L.SE" \
+ --req="PKCS10:req-pkinit.der" \
+ --lifetime=7d \
+ --pkinit-max-life=7d \
+ --certificate="FILE:pkinit.crt" || exit 1
+base="${objdir}"
+${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist}
+if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
+ ${klistjson} |
+ jq -e '(((.tickets[0].Expires|
+ strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
+ (floor < 4)' >/dev/null &&
+ { ec=1 ; eval "${testfailed}"; }
+fi
+
+echo "Check kx509 certificate acquisition"
+${kx509} -s || { ec=1 ; eval "${testfailed}"; }
+${kx509} -o PEM-FILE:${objdir}/kx509.pem || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Check PKINIT w/ kx509 certificate"
+${kinit} -C PEM-FILE:${objdir}/kx509.pem bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal subject in DB)"; > messages.log
+${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (ms upn)"; > messages.log
+${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (ms upn, enterprise)"; > messages.log
+${kinit} --canonicalize --enterprise \
+ -C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (ms upn, enterprise, pk-enterprise)"; > messages.log
+${kinit} --canonicalize \
+ --pk-enterprise \
+ -C FILE:${base}/pkinit4.crt,${keyfile2} ${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf"
+export KRB5_CONFIG
+
+echo "Duplicated tests, now in windows 2000 mode"
+
+echo "Trying pk-init (principal in cert)"; > messages.log
+base="${objdir}"
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal subject in DB)"; > messages.log
+${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (ms upn)"; > messages.log
+${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
+export KRB5_CONFIG
+
+echo "Trying PKCS11 support"
+
+cat > test-rc-file.rc <<EOF
+certificate cert User certificate FILE:${base}/pkinit.crt,${keyfile2}
+app-fatal true
+EOF
+
+SOFTPKCS11RC="test-rc-file.rc"
+export SOFTPKCS11RC
+
+dir=${base}/../../lib/hx509
+file=
+
+for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
+ if [ -f $dir/$a ] ; then
+ file=$dir/$a
+ break
+ fi
+done
+
+if [ X"$file" != X -a @DLOPEN@ ] ; then
+
+ echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
+ ${kinit} -C PKCS11:${file} foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy}
+
+fi
+
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || ec=1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-referral.in b/third_party/heimdal/tests/kdc/check-referral.in
new file mode 100644
index 0000000..73c26c3
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-referral.in
@@ -0,0 +1,231 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+R2=SUB.TEST.H5L.SE
+
+service=ldap/host.sub.test.h5l.se:389
+
+port=@port@
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=localhost -P $port"
+
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${kinit} -c $cache ${afs_no_afslog}"
+klist="${klist} -c $cache"
+kgetcred="${kgetcred} -c $cache"
+kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
+${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
+
+${kadmin} add -p foo --use-defaults ${service}@${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults bar@${R} || exit 1
+${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
+
+${kadmin} ext -k ${keytab} krbtgt/${R}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+
+echo "Getting client bar"; > messages.log
+${kinit} --password-file=${objdir}/foopassword bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: bar@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client baz"; > messages.log
+${kinit} --password-file=${objdir}/foopassword 'baz\@realm.foo@'${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep 'Principal: baz' > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+
+echo "Test AS-REQ"
+
+echo "Getting client (no canon)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client client tickets (default realm, enterprisename)"; > messages.log
+${kinit} --canonicalize --enterprise \
+ --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal inside the PAC"
+${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client alias1 tickets"; > messages.log
+${kinit} --canonicalize --enterprise \
+ --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal inside the PAC"
+${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "Getting client alias2 tickets"; > messages.log
+${kinit} --canonicalize --enterprise \
+ --password-file=${objdir}/foopassword alias2@${R}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal inside the PAC"
+${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client alias1 tickets (non canon case)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword alias1@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: alias1@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal inside the PAC"
+${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client alias2 tickets (removed)"; > messages.log
+${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${kinit} --canonicalize --enterprise \
+ --password-file=${objdir}/foopassword \
+ alias2@${R}@${R} > /dev/null 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Remove alias"
+${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
+
+echo "Test server referrals"
+
+echo "Getting client for ${service}@${R} (tgs kdc referral)"
+> messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --canonicalize ${service}@${R} ||
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "${service}@${R2}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client for ${service}@${R2} (tgs client side guessing)"
+> messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${service}@${R2} ||
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "${service}@${R2}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "killing kdc (${kdcpid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-tester.in b/third_party/heimdal/tests/kdc/check-tester.in
new file mode 100644
index 0000000..83b48ba
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-tester.in
@@ -0,0 +1,121 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+top_builddir="@top_builddir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+srcdir="@srcdir@"
+
+. ${env_setup}
+
+KRB5_CONFIG="${1-${objdir}/krb5.conf}"
+export KRB5_CONFIG
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+# Do not run in GutHub valgrind builds -- too slow / not necessary
+[ -n "$CHECK_TESTER_NO_VALGRIND" ] && exit 77
+
+R=TEST.H5L.SE
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+keyfile="${hx509_data}/key.der"
+keyfile2="${hx509_data}/key2.der"
+
+kadmin="${kadmin} -l -r $R"
+
+server=host/datan.test.h5l.se
+
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+ rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+ rsa=no
+fi
+
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+ pkinit=yes
+fi
+
+# If we doesn't support pkinit and have RSA, give up
+if test "$rsa" != yes ; then
+ pkinit=no
+fi
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults ${server}@${R} || exit 1
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} ext -k ${keytab} foo@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "password"
+${kdc_tester} ${srcdir}/kdc-tester1.json > out-log 2>&1 || exit 1
+sed 's/^/ /' out-log
+
+echo "keytab"
+${kdc_tester} ${srcdir}/kdc-tester2.json > out-log 2>&1 || exit 1
+sed 's/^/ /' out-log
+
+echo "FAST + keytab"
+${kdc_tester} ${srcdir}/kdc-tester3.json > out-log 2>&1 || exit 1
+sed 's/^/ /' out-log
+
+
+if test "$pkinit" = yes ; then
+
+ echo "pkinit"
+ ${kdc_tester} ${objdir}/kdc-tester4.json > out-log 2>&1 || exit 1
+ sed 's/^/ /' out-log
+
+fi
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/check-uu.in b/third_party/heimdal/tests/kdc/check-uu.in
new file mode 100644
index 0000000..ef831ca
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/check-uu.in
@@ -0,0 +1,131 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+env_setup="@env_setup@"
+objdir="@objdir@"
+srcdir="@srcdir@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+${have_db} || exit 77
+
+R=TEST.H5L.SE
+
+uuspid=
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+cache1="FILE:${objdir}/cache1.krb5"
+cache2="FILE:${objdir}/cache2.krb5"
+
+kinit1="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache1 ${afs_no_afslog}"
+kinit2="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache2 ${afs_no_afslog}"
+kdestroy1="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache1 ${afs_no_unlog}"
+kdestroy2="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache2 ${afs_no_unlog}"
+uu_server="${TESTS_ENVIRONMENT} ../../appl/test/uu_server"
+uu_client="${TESTS_ENVIRONMENT} ../../appl/test/uu_client"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults user1@${R} || exit 1
+${kadmin} add -p foo --use-defaults user2@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc ; > messages.log
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets user1"; > messages.log
+${kinit1} --password-file=${objdir}/foopassword user1@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client initial tickets user2"; > messages.log
+${kinit2} --password-file=${objdir}/foopassword user2@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+
+echo "starting uu server (using user1)"
+KRB5CCNAME=$cache1 ${uu_server} > uuserver.log &
+uuspid=$!
+sleep 5
+
+echo "trying to contact server with client (using user2)"
+KRB5CCNAME=$cache2 ${uu_client} localhost > messages.log 2>&1 || \
+ { ec=1; eval "${testfailed}"; }
+
+sleep 5
+
+echo "checking if server got the right message"
+cmp uuserver.log ${srcdir}/uuserver.txt || \
+ { ec=1; eval "${testfailed}"; }
+
+uuspid=""
+
+${kdestroy1}
+${kdestroy2}
+
+echo "killing kdc uu_server (${kdcpid} ${uuspid})"
+sh ${leaks_kill} kdc $kdcpid || exit 1
+
+
+trap "" EXIT
+
+exit $ec
diff --git a/third_party/heimdal/tests/kdc/donotexists.txt b/third_party/heimdal/tests/kdc/donotexists.txt
new file mode 100644
index 0000000..5294397
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/donotexists.txt
@@ -0,0 +1 @@
+kadmin: get doesnotexists@TEST.H5L.SE: Principal does not exist
diff --git a/third_party/heimdal/tests/kdc/hdb-mitdb b/third_party/heimdal/tests/kdc/hdb-mitdb
new file mode 100644
index 0000000..00fefb9
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/hdb-mitdb
Binary files differ
diff --git a/third_party/heimdal/tests/kdc/hdb-mitdb.kadm5 b/third_party/heimdal/tests/kdc/hdb-mitdb.kadm5
new file mode 100644
index 0000000..41663b9
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/hdb-mitdb.kadm5
Binary files differ
diff --git a/third_party/heimdal/tests/kdc/hdb-mitdb.mkey b/third_party/heimdal/tests/kdc/hdb-mitdb.mkey
new file mode 100644
index 0000000..627c0fa
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/hdb-mitdb.mkey
Binary files differ
diff --git a/third_party/heimdal/tests/kdc/heimdal.acl b/third_party/heimdal/tests/kdc/heimdal.acl
new file mode 100644
index 0000000..2888a25
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/heimdal.acl
@@ -0,0 +1,10 @@
+foo/admin@TEST.H5L.SE all
+httpkadmind/admin@TEST.H5L.SE all,get-keys
+bar@TEST.H5L.SE all
+baz@TEST.H5L.SE get,add *
+bez@TEST.H5L.SE get,add *@TEST.H5L.SE
+fez@TEST.H5L.SE get,add
+hasalias@TEST.H5L.SE get,mod hasalias@TEST.H5L.SE
+hasalias@TEST.H5L.SE get,add goodalias1@TEST.H5L.SE
+hasalias@TEST.H5L.SE get,add goodalias2@TEST.H5L.SE
+hasalias@TEST.H5L.SE get,add goodalias3@TEST.H5L.SE
diff --git a/third_party/heimdal/tests/kdc/iprop-acl b/third_party/heimdal/tests/kdc/iprop-acl
new file mode 100644
index 0000000..334a407
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/iprop-acl
@@ -0,0 +1 @@
+iprop/slave.test.h5l.se@TEST.H5L.SE
diff --git a/third_party/heimdal/tests/kdc/k5login/foo b/third_party/heimdal/tests/kdc/k5login/foo
new file mode 100644
index 0000000..b51a40b
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/k5login/foo
@@ -0,0 +1 @@
+random-princ@RANDOM-REALM
diff --git a/third_party/heimdal/tests/kdc/k5login/mapped_user1 b/third_party/heimdal/tests/kdc/k5login/mapped_user1
new file mode 100644
index 0000000..a7857c2
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/k5login/mapped_user1
@@ -0,0 +1 @@
+user1@TEST.H5L.SE
diff --git a/third_party/heimdal/tests/kdc/kdc-tester1.json b/third_party/heimdal/tests/kdc/kdc-tester1.json
new file mode 100644
index 0000000..08a7744
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/kdc-tester1.json
@@ -0,0 +1,31 @@
+[
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "password" : "foo"
+ }
+ },
+ {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "password" : "foo",
+ "ccache" : "MEMORY:cache"
+ },
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kgetcred",
+ "server" : "host/datan.test.h5l.se@TEST.H5L.SE",
+ "ccache" : "MEMORY:cache"
+ }
+ },
+ {
+ "op" : "kdestroy",
+ "ccache" : "MEMORY:cache"
+ }
+]
+
diff --git a/third_party/heimdal/tests/kdc/kdc-tester2.json b/third_party/heimdal/tests/kdc/kdc-tester2.json
new file mode 100644
index 0000000..207ae37
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/kdc-tester2.json
@@ -0,0 +1,12 @@
+[
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "keytab" : "FILE:server.keytab"
+ }
+ }
+]
+
diff --git a/third_party/heimdal/tests/kdc/kdc-tester3.json b/third_party/heimdal/tests/kdc/kdc-tester3.json
new file mode 100644
index 0000000..682e485
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/kdc-tester3.json
@@ -0,0 +1,23 @@
+[
+ {
+ "op" : "kinit",
+ "client" : "host/datan.test.h5l.se@TEST.H5L.SE",
+ "keytab" : "FILE:server.keytab",
+ "ccache" : "MEMORY:fast-cc"
+ },
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "keytab" : "FILE:server.keytab",
+ "fast-armor-cc" : "MEMORY:fast-cc"
+ }
+ },
+ {
+ "op" : "kdestroy",
+ "ccache" : "MEMORY:fast-cc"
+ }
+]
+
diff --git a/third_party/heimdal/tests/kdc/kdc-tester4.json.in b/third_party/heimdal/tests/kdc/kdc-tester4.json.in
new file mode 100644
index 0000000..0cbc337
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/kdc-tester4.json.in
@@ -0,0 +1,22 @@
+[
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "pkinit-user-cert-id" : "FILE:@top_srcdir@/lib/hx509/data/pkinit.crt,@top_srcdir@/lib/hx509/data/pkinit.key"
+ }
+ },
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "pkinit-user-cert-id" : "FILE:@top_srcdir@/lib/hx509/data/pkinit.crt,@top_srcdir@/lib/hx509/data/pkinit.key",
+ "pkinit-use-rsa" : true
+ }
+ }
+]
+
diff --git a/third_party/heimdal/tests/kdc/krb5-authz.conf.in b/third_party/heimdal/tests/kdc/krb5-authz.conf.in
new file mode 100644
index 0000000..0d4f38b
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-authz.conf.in
@@ -0,0 +1,26 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
+ no-addresses = TRUE
+ kuserok = SYSTEM-K5LOGIN:@srcdir@/k5login
+ kuserok = USER-K5LOGIN
+ kuserok = SIMPLE
+
+[appdefaults]
+
+[realms]
+ TEST.H5L.SE = {
+ auth_to_local_names = {
+ foo/mapped1 = foo
+ foo/mapped2 = bar
+ mapped1 = foo
+ mapped2 = bar
+ }
+ auth_to_local = DB:@srcdir@/an2ln-db.txt DEFAULT
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ default = 0-/FILE:@objdir@/messages.log
+
diff --git a/third_party/heimdal/tests/kdc/krb5-authz2.conf.in b/third_party/heimdal/tests/kdc/krb5-authz2.conf.in
new file mode 100644
index 0000000..9a8efb0
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-authz2.conf.in
@@ -0,0 +1,27 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE TEST3.H5L.SE
+ no-addresses = TRUE
+ k5login_authoritative = TRUE
+ k5login_directory = @srcdir@/k5login
+ kuserok = SYSTEM-K5LOGIN
+ kuserok = SIMPLE
+
+[appdefaults]
+
+[realms]
+ TEST.H5L.SE = {
+ auth_to_local_names = {
+ foo/mapped1 = foo
+ foo/mapped2 = bar
+ mapped1 = foo
+ mapped2 = bar
+ }
+ auth_to_local = DB:@srcdir@/an2ln-db.txt DEFAULT
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ default = 0-/FILE:@objdir@/messages.log
+
diff --git a/third_party/heimdal/tests/kdc/krb5-bx509.conf.in b/third_party/heimdal/tests/kdc/krb5-bx509.conf.in
new file mode 100644
index 0000000..8a9d0bb
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-bx509.conf.in
@@ -0,0 +1,187 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+ allow_weak_crypto = TRUE
+ rdns = false
+ fcache_strict_checking = false
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+
+[appdefaults]
+ pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem
+ pkinit_pool = FILE:@objdir@/pkinit-anchor.pem
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ pkinit_win2k = @w2k@
+ }
+
+[kdc]
+ check-ticket-addresses = no
+ warn_ticket_addresses = yes
+ num-kdc-processes = 1
+ strict-nametypes = true
+ enable-pkinit = true
+ pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
+ pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
+ pkinit_mappings_file = @srcdir@/pki-mapping
+
+ # Locate kdc plugins for testing
+ plugin_dir = @objdir@/../../kdc/.libs
+
+ # Configure kdc plugins for testing
+ simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+
+ enable-pkinit = true
+ pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
+ pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_max_life_from_cert = 5d
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/log.current-db.log
+ }
+
+ negotiate_token_validator = {
+ keytab = FILE:@objdir@/kt
+ }
+
+ realms = {
+ TEST.H5L.SE = {
+ kx509 = {
+ user = {
+ include_pkinit_san = true
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ hostbased_service = {
+ HTTP = {
+ include_dnsname_san = true
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ }
+ client = {
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[bx509]
+ simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+ realms = {
+ TEST.H5L.SE = {
+ # Default (no cert exts requested)
+ user = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ }
+ hostbased_service = {
+ # Only for HTTP services
+ HTTP = {
+ # Use an issuer for server certs:
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ include_dnsname_san = true
+ # Don't bother with a template
+ }
+ }
+ # Non-default certs (extensions requested)
+ #
+ # Use no templates -- get empty subject names,
+ # use SANs.
+ #
+ # Use appropriate issuers.
+ client = {
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+
+[get-tgt]
+ no_addresses = true
+ allow_addresses = true
+ simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+ realms = {
+ TEST.H5L.SE = {
+ # Default (no cert exts requested)
+ client = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ allow_extra_lifetime = true
+ max_cert_lifetime = 7d
+ force_cert_lifetime = 2d
+ }
+ user = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ allow_extra_lifetime = true
+ max_cert_lifetime = 7d
+ force_cert_lifetime = 2d
+ }
+ hostbased_service = {
+ # Only for HTTP services
+ HTTP = {
+ # Use an issuer for server certs:
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ include_dnsname_san = true
+ # Don't bother with a template
+ }
+ }
+ # Non-default certs (extensions requested)
+ #
+ # Use no templates -- get empty subject names,
+ # use SANs.
+ #
+ # Use appropriate issuers.
+ client = {
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ bx509d = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[domain_realm]
+ . = TEST.H5L.SE
diff --git a/third_party/heimdal/tests/kdc/krb5-canon.conf.in b/third_party/heimdal/tests/kdc/krb5-canon.conf.in
new file mode 100644
index 0000000..0ce45b5
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-canon.conf.in
@@ -0,0 +1,100 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ no-addresses = TRUE
+ dns_lookup_realm = no
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+ name_canon_rules = as-is:realm=TEST2.H5L.SE
+ name_canon_rules = as-is:realm=TEST3.H5L.SE
+ name_canon_rules = qualify:domain=test1.h5l.se:realm=TEST.H5L.SE
+ name_canon_rules = qualify:domain=test1.h5l.se:realm=TEST2.H5L.SE
+ name_canon_rules = qualify:domain=test2.h5l.se:realm=TEST2.H5L.SE
+ name_canon_rules = qualify:domain=test3.h5l.se:realm=TEST3.H5L.SE
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test1.h5l.se = TEST.H5L.SE
+ .test2.h5l.se = TEST2.H5L.SE
+ .test3.h5l.se = TEST3.H5L.SE
+ localhost = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST3.H5L.SE = .
+ TEST2.H5L.SE = .
+ }
+ TEST2.H5L.SE = {
+ TEST.H5L.SE = .
+ TEST3.H5L.SE = .
+ }
+ TEST3.H5L.SE = {
+ TEST.H5L.SE = .
+ TEST2.H5L.SE = .
+ }
diff --git a/third_party/heimdal/tests/kdc/krb5-canon2.conf.in b/third_party/heimdal/tests/kdc/krb5-canon2.conf.in
new file mode 100644
index 0000000..dae71d3
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-canon2.conf.in
@@ -0,0 +1,97 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ no-addresses = TRUE
+ dns_lookup_realm = no
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+ name_canon_rules = as-is:realm=TEST2.H5L.SE
+ name_canon_rules = as-is:realm=TEST3.H5L.SE
+ name_canon_rules = nss
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test1.h5l.se = TEST.H5L.SE
+ .test2.h5l.se = TEST2.H5L.SE
+ .test3.h5l.se = TEST3.H5L.SE
+ localhost = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST3.H5L.SE = .
+ TEST2.H5L.SE = .
+ }
+ TEST2.H5L.SE = {
+ TEST.H5L.SE = .
+ TEST3.H5L.SE = .
+ }
+ TEST3.H5L.SE = {
+ TEST.H5L.SE = .
+ TEST2.H5L.SE = .
+ }
diff --git a/third_party/heimdal/tests/kdc/krb5-cccol.conf.in b/third_party/heimdal/tests/kdc/krb5-cccol.conf.in
new file mode 100644
index 0000000..819de80
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-cccol.conf.in
@@ -0,0 +1,165 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ default_cc_collection = DIR:@objdir@/cc_dir/
+ no-addresses = TRUE
+ allow_weak_crypto = @WEAK@
+ dns_lookup_kdc = no
+ dns_lookup_realm = no
+
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ SUB.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST4.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM5.FR = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM6.US = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM8.UK = {
+ kdc = localhost:@port@
+ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+ H1.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H3.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H4.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test.h5l.se = TEST.H5L.SE
+ .sub.test.h5l.se = SUB.TEST.H5L.SE
+ .h1.test.h5l.se = H1.TEST.H5L.SE
+ .h2.test.h5l.se = H2.TEST.H5L.SE
+ .h3.h2.test.h5l.se = H3.H2.TEST.H5L.SE
+ .h4.h2.test.h5l.se = H4.H2.TEST.H5L.SE
+ .example.com = TEST2.H5L.SE
+ localhost = TEST.H5L.SE
+ .localdomain = TEST.H5L.SE
+ localdomain = TEST.H5L.SE
+ .localdomain6 = TEST.H5L.SE
+ localdomain6 = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label3 = {
+ dbname = sqlite:@objdir@/current-db@kdc@.sqlite3
+ realm = SOME-REALM5.FR
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+ log-max-size = 40000
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ krb5 = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+# If you are doing preformance measurements on OSX you want to change
+# the kdc LOG line from = to - below to keep the FILE open and avoid
+# open/write/close which is blocking (rdar:// ) on OSX.
+# kdc = 0-/FILE=@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ default_key_rules = {
+ */des3-only@* = des3-cbc-sha1:pw-salt
+ */aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+ }
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST2.H5L.SE = .
+ SOME-REALM5.FR = 1
+ TEST3.H5L.SE = TEST2.H5L.SE
+ TEST4.H5L.SE = TEST2.H5L.SE
+ TEST4.H5L.SE = TEST3.H5L.SE
+ SOME-REALM6.US = SOME-REALM5.FR
+ SOME-REALM7.UK = SOME-REALM6.US
+ SOME-REALM7.UK = SOME-REALM5.FR
+ SOME-REALM8.UK = SOME-REALM6.US
+ }
+ H4.H2.TEST.H5L.SE = {
+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ H1.TEST.H5L.SE = H2.TEST.H5L.SE
+ H1.TEST.H5L.SE = TEST.H5L.SE
+
+ TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ TEST.H5L.SE = H2.TEST.H5L.SE
+
+ H2.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ }
diff --git a/third_party/heimdal/tests/kdc/krb5-hdb-mitdb.conf.in b/third_party/heimdal/tests/kdc/krb5-hdb-mitdb.conf.in
new file mode 100644
index 0000000..2be7eed
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-hdb-mitdb.conf.in
@@ -0,0 +1,60 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ no-addresses = TRUE
+ allow_weak_crypto = TRUE
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+
+[domain_realm]
+ .test.h5l.se = TEST.H5L.SE
+ localhost = TEST.H5L.SE
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = mit-db:@srcdir@/hdb-mitdb
+ realm = TEST.H5L.SE
+ mkey_file = @srcdir@/hdb-mitdb.mkey
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ @dk@
+
diff --git a/third_party/heimdal/tests/kdc/krb5-httpkadmind.conf.in b/third_party/heimdal/tests/kdc/krb5-httpkadmind.conf.in
new file mode 100644
index 0000000..4882d52
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-httpkadmind.conf.in
@@ -0,0 +1,96 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+ allow_weak_crypto = TRUE
+ rdns = false
+ fcache_strict_checking = false
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+
+[appdefaults]
+ pkinit_anchors = FILE:@objdir@/ca.crt
+ pkinit_pool = FILE:@objdir@/ca.crt
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ pkinit_win2k = @w2k@
+ }
+
+[kdc]
+ num-kdc-processes = 1
+ strict-nametypes = true
+ synthetic_clients = true
+ enable-pkinit = true
+ pkinit_identity = FILE:@objdir@/kdc.crt,@srcdir@/../../lib/hx509/data/key2.der
+ pkinit_anchors = FILE:@objdir@/ca.crt
+ pkinit_mappings_file = @srcdir@/pki-mapping
+
+ # Locate kdc plugins for testing
+ plugin_dir = @objdir@/../../kdc/.libs
+
+ # Configure kdc plugins for testing
+ simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/log.current-db.log
+ acl_file = @srcdir@/heimdal.acl
+ }
+
+ negotiate_token_validator = {
+ keytab = FILE:@objdir@/kt
+ }
+
+ realms = {
+ TEST.H5L.SE = {
+ kx509 = {
+ user = {
+ include_pkinit_san = true
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ hostbased_service = {
+ HTTP = {
+ include_dnsname_san = true
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ }
+ client = {
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+ }
+
+[hdb]
+ db-dir = @objdir@
+ enable_virtual_hostbased_princs = true
+ virtual_hostbased_princ_mindots = 1
+ virtual_hostbased_princ_maxdots = 3
+ virtual_hostbased_princ_svcs = HTTP host
+
+[ext_keytab]
+ simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ bx509d = 0-/FILE:@objdir@/messages.log
+ httpkadmind = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[domain_realm]
+ . = TEST.H5L.SE
diff --git a/third_party/heimdal/tests/kdc/krb5-kcm.conf.in b/third_party/heimdal/tests/kdc/krb5-kcm.conf.in
new file mode 100644
index 0000000..bdcca07
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-kcm.conf.in
@@ -0,0 +1,165 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ default_ccache_name = KCM:%{uid}
+ no-addresses = TRUE
+ allow_weak_crypto = @WEAK@
+ dns_lookup_kdc = no
+ dns_lookup_realm = no
+
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ SUB.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST4.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM5.FR = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM6.US = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM8.UK = {
+ kdc = localhost:@port@
+ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+ H1.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H3.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H4.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test.h5l.se = TEST.H5L.SE
+ .sub.test.h5l.se = SUB.TEST.H5L.SE
+ .h1.test.h5l.se = H1.TEST.H5L.SE
+ .h2.test.h5l.se = H2.TEST.H5L.SE
+ .h3.h2.test.h5l.se = H3.H2.TEST.H5L.SE
+ .h4.h2.test.h5l.se = H4.H2.TEST.H5L.SE
+ .example.com = TEST2.H5L.SE
+ localhost = TEST.H5L.SE
+ .localdomain = TEST.H5L.SE
+ localdomain = TEST.H5L.SE
+ .localdomain6 = TEST.H5L.SE
+ localdomain6 = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label3 = {
+ dbname = sqlite:@objdir@/current-db@kdc@.sqlite3
+ realm = SOME-REALM5.FR
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+ log-max-size = 40000
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ krb5 = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+# If you are doing preformance measurements on OSX you want to change
+# the kdc LOG line from = to - below to keep the FILE open and avoid
+# open/write/close which is blocking (rdar:// ) on OSX.
+# kdc = 0-/FILE=@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ default_key_rules = {
+ */des3-only@* = des3-cbc-sha1:pw-salt
+ */aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+ }
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST2.H5L.SE = .
+ SOME-REALM5.FR = 1
+ TEST3.H5L.SE = TEST2.H5L.SE
+ TEST4.H5L.SE = TEST2.H5L.SE
+ TEST4.H5L.SE = TEST3.H5L.SE
+ SOME-REALM6.US = SOME-REALM5.FR
+ SOME-REALM7.UK = SOME-REALM6.US
+ SOME-REALM7.UK = SOME-REALM5.FR
+ SOME-REALM8.UK = SOME-REALM6.US
+ }
+ H4.H2.TEST.H5L.SE = {
+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ H1.TEST.H5L.SE = H2.TEST.H5L.SE
+ H1.TEST.H5L.SE = TEST.H5L.SE
+
+ TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ TEST.H5L.SE = H2.TEST.H5L.SE
+
+ H2.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ }
diff --git a/third_party/heimdal/tests/kdc/krb5-pkinit.conf.in b/third_party/heimdal/tests/kdc/krb5-pkinit.conf.in
new file mode 100644
index 0000000..fbc2127
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-pkinit.conf.in
@@ -0,0 +1,80 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+ allow_weak_crypto = TRUE
+ enable_kx509 = true
+
+[appdefaults]
+ pkinit_anchors = FILE:@objdir@/ca.crt
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ pkinit_win2k = @w2k@
+ }
+
+[kdc]
+ strict-nametypes = true
+ synthetic_clients = true
+ enable-pkinit = true
+ pkinit_identity = FILE:@objdir@/kdc.crt,@srcdir@/../../lib/hx509/data/key2.der
+ pkinit_anchors = FILE:@objdir@/ca.crt
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_max_life_from_cert_extension = true
+ pkinit_max_life_from_cert = @max_life_from_cert@
+
+ plugin_dir = @objdir@/../../kdc/.libs
+
+ simple_csr_authorizer_directory = @objdir@/simple_csr_authz
+
+ enable_kx509 = true
+ require_initial_kca_tickets = false
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/log.current-db.log
+ }
+
+
+ realms = {
+ TEST.H5L.SE = {
+ negotiate_token_validator = {
+ keytab = HDBGET:@objdir@/current-db
+ }
+ kx509 = {
+ user = {
+ include_pkinit_san = true
+ subject_name = CN=${principal-name-without-realm},DC=TEST,DC=H5L,DC=SE
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+ template_cert = FILE:@objdir@/kx509-template.crt
+ }
+ hostbased_service = {
+ HTTP = {
+ include_dnsname_san = true
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+ }
+ }
+ client = {
+ ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+ }
+ server = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = FILE:@objdir@/ca.crt,@srcdir@/../../lib/hx509/data/key.der
+ }
+ }
+ }
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
diff --git a/third_party/heimdal/tests/kdc/krb5.conf.in b/third_party/heimdal/tests/kdc/krb5.conf.in
new file mode 100644
index 0000000..a85836d
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5.conf.in
@@ -0,0 +1,172 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ no-addresses = TRUE
+ allow_weak_crypto = @WEAK@
+ dns_lookup_kdc = no
+ dns_lookup_realm = no
+
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ SUB.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST4.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM5.FR = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM6.US = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM8.UK = {
+ kdc = localhost:@port@
+ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+ H1.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H3.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H4.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test.h5l.se = TEST.H5L.SE
+ .sub.test.h5l.se = SUB.TEST.H5L.SE
+ .h1.test.h5l.se = H1.TEST.H5L.SE
+ .h2.test.h5l.se = H2.TEST.H5L.SE
+ .h3.h2.test.h5l.se = H3.H2.TEST.H5L.SE
+ .h4.h2.test.h5l.se = H4.H2.TEST.H5L.SE
+ .example.com = TEST2.H5L.SE
+ localhost = TEST.H5L.SE
+ .localdomain = TEST.H5L.SE
+ localdomain = TEST.H5L.SE
+ .localdomain6 = TEST.H5L.SE
+ localdomain6 = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ synthetic_clients = true
+
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label3 = {
+ dbname = sqlite:@objdir@/current-db@kdc@.sqlite3
+ realm = SOME-REALM5.FR
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/@signalsocket@
+ iprop-stats = @objdir@/@ipropstats@
+ iprop-acl = @srcdir@/iprop-acl
+ log-max-size = 40000
+
+[hdb]
+ db-dir = @objdir@
+ enable_virtual_hostbased_princs = true
+ virtual_hostbased_princ_mindots = 1
+ virtual_hostbased_princ_maxdots = 3
+
+[logging]
+ kdc = 0-/FILE:@objdir@/@messages@.log
+ krb5 = 0-/FILE:@objdir@/@messages@.log
+ default = 0-/FILE:@objdir@/@messages@.log
+
+# If you are doing preformance measurements on OSX you want to change
+# the kdc LOG line from = to - below to keep the FILE open and avoid
+# open/write/close which is blocking (rdar:// ) on OSX.
+# kdc = 0-/FILE=@objdir@/@messages@.log
+
+[kadmin]
+ save-password = true
+ default_key_rules = {
+ */des3-only@* = des3-cbc-sha1:pw-salt
+ */aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+ }
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST2.H5L.SE = .
+ SOME-REALM5.FR = 1
+ TEST3.H5L.SE = TEST2.H5L.SE
+ TEST4.H5L.SE = TEST2.H5L.SE
+ TEST4.H5L.SE = TEST3.H5L.SE
+ SOME-REALM6.US = SOME-REALM5.FR
+ SOME-REALM7.UK = SOME-REALM6.US
+ SOME-REALM7.UK = SOME-REALM5.FR
+ SOME-REALM8.UK = SOME-REALM6.US
+ }
+ H4.H2.TEST.H5L.SE = {
+ H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ H1.TEST.H5L.SE = H2.TEST.H5L.SE
+ H1.TEST.H5L.SE = TEST.H5L.SE
+
+ TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ TEST.H5L.SE = H2.TEST.H5L.SE
+
+ H2.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+ }
diff --git a/third_party/heimdal/tests/kdc/krb5.conf.keys.in b/third_party/heimdal/tests/kdc/krb5.conf.keys.in
new file mode 100644
index 0000000..16891de
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5.conf.keys.in
@@ -0,0 +1,19 @@
+[libdefaults]
+ allow_weak_crypto = TRUE
+
+[kdc]
+ strict-nametypes = true
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/log.current-db.log
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+
+[kadmin]
+ default_keys = @keys@
diff --git a/third_party/heimdal/tests/kdc/leaks-kill.sh b/third_party/heimdal/tests/kdc/leaks-kill.sh
new file mode 100644
index 0000000..1474bdd
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/leaks-kill.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+name=$1
+pid=$2
+
+kill $pid
+set -- .
+while kill -0 $pid 2>/dev/null
+do
+ set -- "$@" "."
+ if [ $# -gt 4 ]
+ then
+ kill kill -9 $pid 2> /dev/null
+ break
+ fi
+ sleep 1
+done
+
+set -- .
+while kill -0 $pid 2>/dev/null
+do
+ set -- "$@" "."
+ if [ $# -gt 4 ]; then exit 1; fi
+ sleep 1
+done
+
+exit 0
diff --git a/third_party/heimdal/tests/kdc/ntlm-user-file.txt b/third_party/heimdal/tests/kdc/ntlm-user-file.txt
new file mode 100644
index 0000000..d807127
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/ntlm-user-file.txt
@@ -0,0 +1 @@
+TEST:foo:digestpassword
diff --git a/third_party/heimdal/tests/kdc/pki-mapping b/third_party/heimdal/tests/kdc/pki-mapping
new file mode 100644
index 0000000..18fb481
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/pki-mapping
@@ -0,0 +1,2 @@
+foo@TEST.H5L.SE:CN=pkinit,C=SE
+foo@TEST.H5L.SE:CN=bar,DC=test,DC=h5l,DC=se
diff --git a/third_party/heimdal/tests/kdc/uuserver.txt b/third_party/heimdal/tests/kdc/uuserver.txt
new file mode 100644
index 0000000..2c191bf
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/uuserver.txt
@@ -0,0 +1,4 @@
+User is `user2@TEST.H5L.SE'
+Server is `user1@TEST.H5L.SE'
+safe packet: hej
+priv packet: hemligt
diff --git a/third_party/heimdal/tests/kdc/wait-kdc.sh b/third_party/heimdal/tests/kdc/wait-kdc.sh
new file mode 100644
index 0000000..d0226fc
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/wait-kdc.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+name=${1:-KDC}
+log=${2:-messages.log}
+waitfor="${3:-${name} started}"
+
+t=0
+waitsec=65
+
+echo "Waiting for ${name} to start, see logfile ${log}"
+
+while true ; do
+ if grep "${waitfor}" ${log} > /dev/null; then
+ break
+ fi
+ if grep "No sockets" ${log} ; then
+ echo "The ${name} failed to bind to any sockets, another ${name} running ?"
+ exit 1
+ fi
+ if grep "bind" ${log} | grep "Operation not permitted" ; then
+ echo "The ${name} failed to bind to any sockets, another ${name} running ?"
+ exit 1
+ fi
+ if [ "$t" -gt $waitsec ]; then
+ echo "Error: ${name} failed to start after $waitsec seconds"
+ exit 2
+ fi
+
+ t=`expr ${t} + 2`
+ sleep 2
+ echo "Have waited $t seconds"
+done
+
+exit 0