From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- third_party/heimdal/tests/gss/Makefile.am | 103 ++++ third_party/heimdal/tests/gss/NTMakefile | 35 ++ third_party/heimdal/tests/gss/check-basic.in | 219 ++++++++ third_party/heimdal/tests/gss/check-context.in | 582 +++++++++++++++++++++ third_party/heimdal/tests/gss/check-gss.in | 50 ++ third_party/heimdal/tests/gss/check-gssmask.in | 137 +++++ third_party/heimdal/tests/gss/check-negoex.in | 278 ++++++++++ third_party/heimdal/tests/gss/check-ntlm.in | 168 ++++++ third_party/heimdal/tests/gss/check-spnego.in | 246 +++++++++ third_party/heimdal/tests/gss/include-krb5.conf | 17 + third_party/heimdal/tests/gss/krb5.conf.in | 54 ++ third_party/heimdal/tests/gss/mech.in | 5 + .../heimdal/tests/gss/new_clients_k5.conf.in | 5 + third_party/heimdal/tests/gss/ntlm-user-file.txt | 2 + 14 files changed, 1901 insertions(+) create mode 100644 third_party/heimdal/tests/gss/Makefile.am create mode 100644 third_party/heimdal/tests/gss/NTMakefile create mode 100644 third_party/heimdal/tests/gss/check-basic.in create mode 100644 third_party/heimdal/tests/gss/check-context.in create mode 100644 third_party/heimdal/tests/gss/check-gss.in create mode 100644 third_party/heimdal/tests/gss/check-gssmask.in create mode 100644 third_party/heimdal/tests/gss/check-negoex.in create mode 100644 third_party/heimdal/tests/gss/check-ntlm.in create mode 100644 third_party/heimdal/tests/gss/check-spnego.in create mode 100644 third_party/heimdal/tests/gss/include-krb5.conf create mode 100644 third_party/heimdal/tests/gss/krb5.conf.in create mode 100644 third_party/heimdal/tests/gss/mech.in create mode 100644 third_party/heimdal/tests/gss/new_clients_k5.conf.in create mode 100644 third_party/heimdal/tests/gss/ntlm-user-file.txt (limited to 'third_party/heimdal/tests/gss') diff --git a/third_party/heimdal/tests/gss/Makefile.am b/third_party/heimdal/tests/gss/Makefile.am new file mode 100644 index 0000000..2de36bf --- /dev/null +++ b/third_party/heimdal/tests/gss/Makefile.am @@ -0,0 +1,103 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +noinst_DATA = krb5.conf new_clients_k5.conf mech + +SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex + +TESTS = $(SCRIPT_TESTS) + +check_SCRIPTS = $(SCRIPT_TESTS) + +port = 49188 + +do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \ + -e 's,[@]srcdir[@],$(srcdir),g' \ + -e "s,[@]srcdirabs[@],$${srcdirabs},g" \ + -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \ + -e 's,[@]port[@],$(port),g' \ + -e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \ + -e "s,[@]objdirabs[@],$${objdirabs},g" + +check-gss: check-gss.in Makefile + $(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp && \ + chmod +x check-gss.tmp && \ + mv check-gss.tmp check-gss + +check-gssmask: check-gssmask.in Makefile + $(do_subst) < $(srcdir)/check-gssmask.in > check-gssmask.tmp && \ + chmod +x check-gssmask.tmp && \ + mv check-gssmask.tmp check-gssmask + +check-context: check-context.in Makefile + $(do_subst) < $(srcdir)/check-context.in > check-context.tmp && \ + chmod +x check-context.tmp && \ + mv check-context.tmp check-context + +check-spnego: check-spnego.in Makefile + $(do_subst) < $(srcdir)/check-spnego.in > check-spnego.tmp && \ + chmod +x check-spnego.tmp && \ + mv check-spnego.tmp check-spnego + +check-basic: check-basic.in Makefile + $(do_subst) < $(srcdir)/check-basic.in > check-basic.tmp && \ + chmod +x check-basic.tmp && \ + mv check-basic.tmp check-basic + +check-ntlm: check-ntlm.in Makefile + $(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp && \ + chmod +x check-ntlm.tmp && \ + mv check-ntlm.tmp check-ntlm + +check-negoex: check-negoex.in Makefile + $(do_subst) < $(srcdir)/check-negoex.in > check-negoex.tmp && \ + chmod +x check-negoex.tmp && \ + mv check-negoex.tmp check-negoex + +krb5.conf: krb5.conf.in Makefile + $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \ + mv krb5.conf.tmp krb5.conf + +new_clients_k5.conf: new_clients_k5.conf.in Makefile + $(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \ + mv new_clients_k5.conf.tmp new_clients_k5.conf + +mech: mech.in Makefile + $(do_subst) < $(srcdir)/mech.in > mech.tmp && \ + mv mech.tmp mech + +CLEANFILES= \ + $(TESTS) \ + foopassword \ + barpassword \ + krb5ccfile \ + krb5ccfile-ds \ + server.keytab \ + krb5.conf \ + new_clients_k5.conf \ + mech \ + current-db* \ + *.log \ + tempfile \ + check-basic.tmp \ + check-gss.tmp \ + check-gssmask.tmp \ + check-spnego.tmp \ + check-ntlm.tmp \ + check-context.tmp + +EXTRA_DIST = \ + NTMakefile \ + check-basic.in \ + check-gss.in \ + check-gssmask.in \ + check-spnego.in \ + check-ntlm.in \ + check-context.in \ + check-negoex.in \ + ntlm-user-file.txt \ + krb5.conf.in \ + include-krb5.conf \ + new_clients_k5.conf.in \ + mech.in diff --git a/third_party/heimdal/tests/gss/NTMakefile b/third_party/heimdal/tests/gss/NTMakefile new file mode 100644 index 0000000..c1ca7a2 --- /dev/null +++ b/third_party/heimdal/tests/gss/NTMakefile @@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=tests\gss + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/tests/gss/check-basic.in b/third_party/heimdal/tests/gss/check-basic.in new file mode 100644 index 0000000..c5151c4 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-basic.in @@ -0,0 +1,219 @@ +#!/bin/sh +# +# Copyright (c) 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +srcdir="@srcdir@" +objdir="@objdir@" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" +nokeytab="FILE:no-such-keytab" +cache="FILE:krb5ccfile" +cache2="FILE:krb5ccfile2" +nocache="FILE:no-such-cache" + +kadmin="${kadmin} -l -r $R" +kdc="${kdc} --addresses=localhost -P $port" + +acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred" +test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred" +test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5_KTNAME="${keytab}" +export KRB5_KTNAME +KRB5CCNAME="${cache}" +export KRB5CCNAME + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +echo upw > ${objdir}/foopassword + +${kadmin} add -p upw --use-defaults user@${R} || exit 1 +${kadmin} add -p upw --use-defaults another@${R} || exit 1 +${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo Starting kdc +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT + +exitcode=0 + +echo "initial ticket" +${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1 + +echo "copy ccache with gss_store_cred" +# Note we test that the ccache used for storing is token-expanded +${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1 +${klist} -c ${cache2} || exit 1 + +echo "keytab" +${acquire_cred} \ + --acquire-type=accept \ + --acquire-name=host@host.test.h5l.se || exit 1 + +echo "keytab w/ short-form name and name canon rules" +${acquire_cred} \ + --acquire-type=accept \ + --acquire-name=host@host || exit 1 + +echo "keytab w/o name" +${acquire_cred} \ + --acquire-type=accept || exit 1 + +echo "keytab w/ wrong name" +${acquire_cred} \ + --acquire-type=accept --kerberos \ + --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1 + +echo "init using keytab" +${acquire_cred} \ + --kerberos \ + --acquire-type=initiate \ + --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + +echo "init using keytab (loop 10)" +${acquire_cred} \ + --kerberos \ + --acquire-type=initiate \ + --loops=10 \ + --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + +echo "init using keytab (loop 10, target)" +${acquire_cred} \ + --kerberos \ + --acquire-type=initiate \ + --loops=10 \ + --target=host@host.test.h5l.se \ + --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + +echo "init using keytab (loop 10, kerberos)" +${acquire_cred} \ + --acquire-type=initiate \ + --loops=10 \ + --kerberos \ + --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + +echo "init using keytab (loop 10, target, kerberos)" +${acquire_cred} \ + --acquire-type=initiate \ + --loops=10 \ + --kerberos \ + --target=host@host.test.h5l.se \ + --acquire-name=host@host.test.h5l.se > /dev/null || exit 1 + +echo "init using existing cc" +${acquire_cred} \ + --kerberos \ + --name-type=user-name \ + --acquire-type=initiate \ + --acquire-name=user || exit 1 + +KRB5CCNAME=${nocache} + +echo "fail init using existing cc" +${acquire_cred} \ + --kerberos \ + --name-type=user-name \ + --acquire-type=initiate \ + --acquire-name=user 2>/dev/null && exit 1 + +echo "use gss_krb5_ccache_name for user" +${acquire_cred} \ + --kerberos \ + --name-type=user-name \ + --ccache=${cache} \ + --acquire-type=initiate \ + --acquire-name=user >/dev/null || exit 1 + +KRB5CCNAME=${cache} +KRB5_KTNAME=${nokeytab} + +echo "kcred" +${test_kcred} || exit 1 + +${kdestroy} -c ${cache} + +KRB5_KTNAME="${keytab}" + +echo "init using keytab" +${acquire_cred} \ + --kerberos \ + --acquire-type=initiate \ + --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1 + +echo "init using keytab (ccache)" +${acquire_cred} \ + --kerberos \ + --acquire-type=initiate \ + --ccache=${cache} \ + --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1 + +trap "" EXIT + +echo "killing kdc (${kdcpid})" +kill ${kdcpid} 2> /dev/null + +exit $exitcode diff --git a/third_party/heimdal/tests/gss/check-context.in b/third_party/heimdal/tests/gss/check-context.in new file mode 100644 index 0000000..2b866d2 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-context.in @@ -0,0 +1,582 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +srcdir="@srcdir@" +objdir="@objdir@" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" +nokeytab="FILE:no-such-keytab" +cache="FILE:krb5ccfile" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}" +kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache" +klist="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache" +kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache" +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" +ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil" + +context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5CCNAME=${cache} +export KRB5CCNAME + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +# add both lucid and lucid.test.h5l.se to simulate aliases +${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1 + +${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1 +${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1 + + +${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1 +${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1 +# XXX ext should ext aliases too +${kadmin} ext -k ${keytab} host/short@${R} || exit 1 +${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1 + +${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 + +${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 +${kadmin} mod --alias=user1.alias user1@${R} || exit 1 + +# Create a server principal with no AES +${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1 +${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1 +${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \ + aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1 +${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo u1 > ${objdir}/foopassword + +echo Starting kdc +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +testfailed="echo test failed; cat messages.log; exit 1" + +echo "Test gss_acquire_cred_with_password" ; > messages.log +${kdestroy} +${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \ + host@lucid.test.h5l.se || { eval "$testfailed"; } +${klist} && { eval "$testfailed"; } +# These must fail (because wrong password) +${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \ + host@lucid.test.h5l.se && { eval "$testfailed"; } +${klist} && { eval "$testfailed"; } +${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \ + --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; } +${klist} && { eval "$testfailed"; } +${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \ + --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; } +${klist} && { eval "$testfailed"; } +${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \ + --mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; } +${klist} && { eval "$testfailed"; } +${context} --client-name=user1@${R} --client-password=u2 \ + --mech-types=krb5,ntlm --mech-type=krb5 host@lucid.test.h5l.se \ + && { eval "$testfailed"; } +# gss_acquire_cred_with_password() must not have side-effects +${klist} && { eval "$testfailed"; } + +echo "Getting client initial tickets" ; > messages.log +${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \ + { eval "$testfailed"; } + +echo "======test unreadable/non existant keytab and its error message" ; > messages.log +${context} --mech-type=krb5 host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +mv ${keytabfile} ${keytabfile}.no + +echo "checking non existant keytabfile (krb5)" ; > messages.log +${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \ + { eval "$testfailed"; } +echo "checking non existant keytabfile (spengo)" ; > messages.log +${context} --mech-type=spnego --mech-types=spnego,krb5 \ + host@lucid.test.h5l.se > test_context.log 2>&1 && \ + { eval "$testfailed"; } + +mv ${keytabfile}.no ${keytabfile} + +echo "======test naming combinations" +echo "plain" ; > messages.log +${context} --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } +echo "plain w/ short-form hostname" ; > messages.log +${context} --name-type=hostbased-service host@lucid || \ + { eval "$testfailed"; } +echo "plain (krb5)" ; > messages.log +${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \ + { eval "$testfailed"; } +echo "plain (krb5 realmless)" ; > messages.log +${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \ + { eval "$testfailed"; } +echo "plain (krb5 realmless short-form)" ; > messages.log +${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \ + { eval "$testfailed"; } +echo "creating short-form princ" +${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1 +${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1 +echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log +#${context} --dns-canon host@lucid.test.h5l.se || \ +# { eval "$testfailed"; } +echo "dns canon off (long name)" ; > messages.log +${context} --no-dns-canon host@lucid.test.h5l.se || \ + { eval "$testfailed"; } +echo "dns canon off (short name)" ; > messages.log +${context} --no-dns-canon host@lucid || \ + { eval "$testfailed"; } +echo "dns canon off (short name, krb5)" ; > messages.log +${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \ + { eval "$testfailed"; } +echo "dns canon off (short name, krb5)" ; > messages.log +${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \ + { eval "$testfailed"; } + +echo "======test context building" +for mech in krb5 krb5iov spnego spnegoiov; do + if [ "$mech" = "krb5iov" ] ; then + mech="krb5" + iov="--iov" + fi + if [ "$mech" = "spnegoiov" ] ; then + mech="spnego" + iov="--iov" + fi + + echo "${mech} no-mutual ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --wrapunwrap ${iov} \ + --localname=mapped_user1 \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech} mutual ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --mutual \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech} delegate ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --delegate \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech} mutual delegate ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --mutual --delegate \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } +done + +echo "======test authz-data (krb5)" +${context} --mech-type=krb5 \ + --mutual \ + --wrapunwrap \ + --on-behalf-of=foo@BAR.TEST.H5L.SE \ + --name-type=hostbased-service host@lucid.test.h5l.se || + { eval "$testfailed"; } + +echo "======dce-style" +for mech in krb5 krb5iov spnego; do + iov="" + if [ "$mech" = "krb5iov" ] ; then + mech="krb5" + iov="--iov" + fi + if [ "$mech" = "spnegoiov" ] ; then + mech="spnego" + iov="--iov" + fi + + echo "${mech}: dce-style ${iov}" ; > messages.log + ${context} \ + --mech-type=${mech} \ + --mutual \ + --dce-style \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +done + +echo "======export-import-context" +for mech in krb5 krb5iov spnego spnegoiov; do + iov="" + if [ "$mech" = "krb5iov" ] ; then + mech="krb5" + iov="--iov" + fi + if [ "$mech" = "spnegoiov" ] ; then + mech="spnego" + iov="--iov" + fi + + echo "${mech}: export-import-context ${iov}" ; > messages.log + ${context} \ + --mech-type=${mech} \ + --mutual \ + --export-import-context \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +done + +echo "test gsskrb5_register_acceptor_identity (both positive and negative)" + +cp ${keytabfile} ${keytabfile}.new +for mech in krb5 spnego; do + echo "${mech}: acceptor_identity positive" ; > messages.log + ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \ + --mech-type=$mech host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log + ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \ + --mech-type=$mech host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech}: acceptor_identity negative" ; > messages.log + ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } +done + +rm ${keytabfile}.new + +echo "====== test PAC-based name canonicalization" + +${kdestroy} +${kinit} --password-file=${objdir}/foopassword user1.alias@${R} || \ + { eval "$testfailed"; } + +for mech in krb5 spnego; do + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ + --mech-type=$mech host@lucid.test.h5l.se > name-canon.log || \ + { eval "$testfailed"; } + grep "client name:" name-canon.log | grep "user1.alias@TEST.H5L.SE" > /dev/null && \ + { echo "client name not canonicalized"; eval "$testfailed"; } + grep "client name:" name-canon.log | grep "user1@TEST.H5L.SE" > /dev/null || \ + { echo "wrong client name"; eval "$testfailed"; } +done + +echo "====== test channel-bindings." + +for mech in krb5 spnego; do + echo "${mech}: initiator only bindings" ; > messages.log + ${context} -v --i-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ + { echo "channel-bound flag unexpected"; eval "$testfailed"; } + + echo "${mech}: acceptor only bindings" ; > messages.log + ${context} -v --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ + { echo "channel-bound flag unexpected"; eval "$testfailed"; } + + echo "${mech}: matching bindings" ; > messages.log + ${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ + { echo "no channel-bound flag"; eval "$testfailed"; } + + echo "${mech}: non matching bindings" ; > messages.log + ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } + + echo "${mech}: initiator only bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ + --i-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \ + { echo "channel-bound flag unexpected"; eval "$testfailed"; } + + echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ + --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } + + echo "${mech}: matching bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \ + --i-channel-bindings=abc --a-channel-bindings=abc \ + --mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \ + { eval "$testfailed"; } + grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \ + { echo "no channel-bound flag"; eval "$testfailed"; } + + echo "${mech}: non matching bindings (client-aware)" ; > messages.log + KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \ + --i-channel-bindings=abc --a-channel-bindings=xyz \ + --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \ + { eval "$testfailed"; } + +done + +#echo "sasl-digest-md5" +#${context} --mech-type=sasl-digest-md5 \ +# --name-type=hostbased-service \ +# host@lucid.test.h5l.se || \ +# { eval "$testfailed"; } + + +echo "====== gss-api session key check" + +# this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96 +coolenctype="aes256-cts-hmac-sha1-96" +limit_enctype="des3-cbc-sha1" + +echo "Getting client initial tickets" ; > messages.log +${kinit} --password-file=${objdir}/foopassword user1@${R} || \ + { eval "$testfailed"; } + + +echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log +${context} \ + --mech-type=krb5 \ + --mutual-auth \ + --session-enctype=${coolenctype} \ + --name-type=hostbased-service host@no-aes.test.h5l.se || \ + { eval "$testfailed"; } + +echo "Building context on cred, check if its limited still" ; > messages.log +${context} \ + --mech-type=krb5 \ + --client-name=user1@${R} \ + --limit-enctype="${limit_enctype}" \ + --mutual-auth \ + --name-type=hostbased-service host@no-aes.test.h5l.se || \ + { eval "$testfailed"; } + + +echo "====== ok-as-delegate" + +echo "Getting client initial tickets" ; > messages.log +${kinit} --forwardable \ + --password-file=${objdir}/foopassword user1@${R} || \ + { eval "$testfailed"; } + +echo "ok-as-delegate not used" ; > messages.log +${context} \ + --mech-type=krb5 \ + --delegate \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "host without ok-as-delegate with policy-delegate" ; > messages.log +${context} \ + --mech-type=krb5 \ + --policy-delegate \ + --server-no-delegate \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "ok-as-delegate used by policy" ; > messages.log +${context} \ + --mech-type=krb5 \ + --policy-delegate \ + --name-type=hostbased-service host@ok-delegate.test.h5l.se || \ + { eval "$testfailed"; } + +echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log +${kinit} --ok-as-delegate --forwardable \ + --password-file=${objdir}/foopassword user1@${R} || \ + { eval "$testfailed"; } + +echo "policy delegate to non delegate host" ; > messages.log +${context} \ + --mech-type=krb5 \ + --policy-delegate \ + --server-no-delegate \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "ok-as-delegate" ; > messages.log +${context} \ + --mech-type=krb5 \ + --delegate \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "======export/import cred" + +echo "export-import cred (krb5)" ; > messages.log +${context} \ + --mech-type=krb5 \ + --delegate \ + --export-import-cred \ + --name-type=hostbased-service host@ok-delegate.test.h5l.se || \ + { eval "$testfailed"; } + +echo "export-import cred (spnego)" ; > messages.log +${context} \ + --mech-type=spnego \ + --delegate \ + --export-import-cred \ + --name-type=hostbased-service host@ok-delegate.test.h5l.se || \ + { eval "$testfailed"; } + + +echo "======time diffs between client and server" + +echo "Getting client initial ticket" ; > messages.log +${kinit} --password-file=${objdir}/foopassword user1@${R} || \ + { eval "$testfailed"; } + +echo "No time offset" ; > messages.log +${context} \ + --mech-type=krb5 \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "Getting client initial ticket" ; > messages.log +${kinit} --password-file=${objdir}/foopassword user1@${R} || \ + { eval "$testfailed"; } + +echo "Server time offset" ; > messages.log +${context} \ + --mech-type=krb5 \ + --mutual-auth \ + --server-time-offset=3600 \ + --max-loops=3 \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "Server time offset (cached ?)" ; > messages.log +${context} \ + --mech-type=krb5 \ + --mutual-auth \ + --server-time-offset=3600 \ + --max-loops=2 \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "Getting client initial ticket" ; > messages.log +${kinit} --password-file=${objdir}/foopassword user1@${R} || \ + { eval "$testfailed"; } +# Pre-poplute the cache since tgs-req will fail since our time is wrong +${kgetcred} host/lucid.test.h5l.se@${R} || \ + { eval "$testfailed"; } + +echo "Client time offset" ; > messages.log +${context} \ + --mech-type=krb5 \ + --mutual-auth \ + --client-time-offset=3600 \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +echo "Getting client initial tickets (use-referrals)" ; > messages.log +${kinit} \ + --password-file=${objdir}/foopassword \ + --use-referrals user1@${R} || \ + { eval "$testfailed"; } + +# XXX these tests really need to use somethat that resolve to something +${context} \ + --mech-type=krb5 \ + host@short || \ + { eval "$testfailed"; } + +${context} \ + --mech-type=krb5 \ + --name-type=krb5-principal-name host/short || \ + { eval "$testfailed"; } + +${context} \ + --mech-type=krb5 \ + host@long.test.h5l.se || \ + { eval "$testfailed"; } + +${context} \ + --mech-type=krb5 \ + --name-type=krb5-principal-name \ + host/long.test.h5l.se || \ + { eval "$testfailed"; } + +trap "" EXIT + +echo "killing kdc (${kdcpid})" +kill ${kdcpid} 2> /dev/null + +exit 0 + diff --git a/third_party/heimdal/tests/gss/check-gss.in b/third_party/heimdal/tests/gss/check-gss.in new file mode 100644 index 0000000..f5254a1 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-gss.in @@ -0,0 +1,50 @@ +#!/bin/sh +# +# Copyright (c) 2006 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +confdir="@confdir@" +testdir="@testdir@" + +. ${env_setup} + +${TESTS_ENVIRONMENT} ${gsstool} help > /dev/null || exit 1 +${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms > /dev/null || exit 1 +${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all > /dev/null || exit 1 +${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos > /dev/null || exit 1 + +exit 0 + + diff --git a/third_party/heimdal/tests/gss/check-gssmask.in b/third_party/heimdal/tests/gss/check-gssmask.in new file mode 100644 index 0000000..539e2e9 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-gssmask.in @@ -0,0 +1,137 @@ +#!/bin/sh +# +# Copyright (c) 2006 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +srcdir="@srcdir@" +objdir="@objdir@" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" + +gssmask="${TESTS_ENVIRONMENT} ../../appl/gssmask/gssmask" +gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log" +gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log" +gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log" +gssmaestro="../../appl/gssmask/gssmaestro" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5CCNAME=${cache} +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +# Test virtual principals, why not +${kadmin} add_ns --key-rotation-epoch=now \ + --key-rotation-period=15m \ + --max-ticket-life=10d \ + --max-renewable-life=20d \ + --attributes= \ + "_/test.h5l.se@${R}" || exit 1 +${kadmin} ext -k ${keytab} host/n1.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/n2.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/n3.test.h5l.se@${R} || exit 1 + +${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo Starting kdc +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +exitcode=0 + +echo "Starting client 1" +${gssmaskn1} --moniker=n1 & +n1pid=$! +#echo $n1pid +#xterm -display :0 -e g ${gssmaskn1} & +#read x + +echo "Starting client 2" +${gssmaskn2} --moniker=n2 & +n2pid=$! + +echo "Starting client 3" +${gssmaskn3} --moniker=n3 & +n3pid=$! + +trap "kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null; echo signal killing kdc and maskar; exit 1;" EXIT + +sleep 10 + +# --wrap-ext + +${gssmaestro} \ + --slaves=localhost:8889 \ + --slaves=localhost:8890 \ + --slaves=localhost:8891 \ + --principals=user1@${R}:u1 || exitcode=1 + +trap "" EXIT + +echo "killing kdc and clients (${kdcpid}, ${n1pid}, ${n2pid}, ${n3pid})" +kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null + +exit $exitcode + + diff --git a/third_party/heimdal/tests/gss/check-negoex.in b/third_party/heimdal/tests/gss/check-negoex.in new file mode 100644 index 0000000..063e0c1 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-negoex.in @@ -0,0 +1,278 @@ +#!/bin/sh +# +# Copyright (c) 2006 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +srcdir="@srcdir@" +objdir="@objdir@" + +. ${env_setup} + +R=TEST.H5L.SE + +port=@port@ + +keytabfile="${objdir}/server.keytab-no" +keytab="FILE:${keytabfile}-no" +cache="FILE:krb5ccfile-no" +cacheds="FILE:krb5ccfile-ds-no" + +context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5_KTNAME="${keytab}-no" +export KRB5_KTNAME +KRB5CCNAME="${cache}-no" +export KRB5CCNAME +unset NTLM_ACCEPTOR_CCACHE +unset NTLM_USER_FILE + +GSSAPI_SPNEGO_NAME=host@host.test.h5l.se +export GSSAPI_SPNEGO_NAME + +GSS_MECH_CONFIG="${objdir}/mech" +export GSS_MECH_CONFIG + +> messages.log + +exitcode=0 + +echo "======context building for negoex" + +for HOPS in 1 2 3 4 5 +do + echo "test_negoex_1 $HOPS hops" + ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } +done + +for HOPS in 1 2 3 4 5 +do + echo "test_negoex_1 $HOPS hops early keys" + KEY=always ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } +done + +HOPS=1 +echo "test_negoex_1 no keys" + KEY=never ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 no optimistic token" + NEGOEX_NO_OPTIMISTIC_TOKEN=1 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 initiator query fail, test_negoex_2 pass" + INIT_QUERY_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_2 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null || \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 acceptor query fail, test_negoex_2 pass" + ACCEPT_QUERY_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_2 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null || \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 acceptor exchange fail, test_negoex_2 pass" + ACCEPT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_2 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null || \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 first mech initiator exchange fail" + INIT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 first mech initiator exchange fail, two hops" + HOPS=2 INIT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 first mech initiator exchange fail, two hops, early keys" + HOPS=2 KEY=always INIT_EXCHANGE_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 first mech init_sec_context fail" + INIT_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 first mech accept_sec_context fail" + HOPS=2 ACCEPT_FAIL=102 ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 alert from acceptor to initiator" + HOPS=3 KEY=init-always ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + +echo "test_negoex_1 alert from initiator to acceptor" + HOPS=4 KEY=accept-always ${context} \ + --mech-type=spnego --ret-mech-type=test_negoex_1 \ + --name-type=hostbased-service \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + +unset GSS_MECH_CONFIG + +echo "======test context building for sanon-x25519" +for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do + iov="" + if [ "$mech" = "sanon-x25519iov" ] ; then + mech="sanon-x25519" + iov="--iov" + fi + if [ "$mech" = "spnegoiov" ] ; then + mech="spnego" + iov="--iov" + fi + + echo "${mech} anon-flag ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --anonymous \ + --ret-mech-type=sanon-x25519 \ + --i-channel-bindings=negoex_sanon_test_h5l_se \ + --a-channel-bindings=negoex_sanon_test_h5l_se \ + --wrapunwrap ${iov} \ + host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech} anon-initiator ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \ + --ret-mech-type=sanon-x25519 \ + --i-channel-bindings=negoex_sanon_test_h5l_se \ + --a-channel-bindings=negoex_sanon_test_h5l_se \ + --wrapunwrap ${iov} \ + host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech} anon-acceptor ${iov}" ; > messages.log + ${context} --mech-type=${mech} \ + --ret-mech-type=sanon-x25519 \ + --i-channel-bindings=negoex_sanon_test_h5l_se \ + --a-channel-bindings=negoex_sanon_test_h5l_se \ + --wrapunwrap ${iov} \ + WELLKNOWN@ANONYMOUS || \ + { eval "$testfailed"; } +done + +echo "======export-import-context for sanon-x25519" +for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do + iov="" + if [ "$mech" = "sanon-x25519iov" ] ; then + mech="sanon-x25519" + iov="--iov" + fi + if [ "$mech" = "spnegoiov" ] ; then + mech="spnego" + iov="--iov" + fi + + echo "${mech}: export-import-context ${iov}" ; > messages.log + ${context} \ + --mech-type=${mech} \ + --anonymous \ + --export-import-context \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + + echo "${mech}: export-import-context ${iov} (split tokens)" ; > messages.log + ${context} \ + --mech-type=${mech} \ + --anonymous \ + --export-import-context \ + --wrapunwrap ${iov} \ + --token-split=128 \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +done + +echo "======dce-style for sanon-x25519" +for mech in spnego spnegoiov; do + iov="" + if [ "$mech" = "spnegoiov" ] ; then + mech="spnego" + iov="--iov" + fi + + echo "${mech}: dce-style ${iov}" ; > messages.log + ${context} \ + --mech-type=${mech} \ + --anonymous --dce-style \ + --wrapunwrap ${iov} \ + --name-type=hostbased-service host@lucid.test.h5l.se || \ + { eval "$testfailed"; } + +done + +trap "" EXIT + +exit $exitcode diff --git a/third_party/heimdal/tests/gss/check-ntlm.in b/third_party/heimdal/tests/gss/check-ntlm.in new file mode 100644 index 0000000..f953630 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-ntlm.in @@ -0,0 +1,168 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +srcdir="@srcdir@" +objdir="@objdir@" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" +cache="FILE:krb5ccfile" +cacheds="FILE:krb5ccfile-ds" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}" +kinitds="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cacheds ${afs_no_afslog}" +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" +kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest" + +context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5CCNAME=${cache} +KRB5_KTNAME="${keytab}" +export KRB5_KTNAME +KRB5CCNAME="${cache}" +export KRB5CCNAME +NTLM_ACCEPTOR_CCACHE="${cacheds}" +export NTLM_ACCEPTOR_CCACHE +NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt" +export NTLM_USER_FILE + +GSSAPI_SPNEGO_NAME=host@host.test.h5l.se +export GSSAPI_SPNEGO_NAME + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 + +${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 + +${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1 +${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1 + +${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo u1 > ${objdir}/foopassword +echo ds > ${objdir}/barpassword + +echo Starting kdc +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +exitcode=0 + +echo "Getting client initial tickets" +${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1 +echo "Getting digestserver initial tickets" +${kinitds} --password-file=${objdir}/barpassword digestserver@${R} || exitcode=1 + +echo "======probe" +KRB5CCNAME="$cacheds" + + ${kdigest} digest-probe --realm=${R} > /dev/null || \ + { exitcode=1; echo "test failed"; } + +echo "======context building ntlm" + +NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no" +KRB5CCNAME="$cache" + +echo "no NTLM initiator creds" +${context} --mech-type=ntlm \ + --mutual \ + --name-type=hostbased-service \ + --ret-mech-type=ntlm \ + host@host.test.h5l.se 2> /dev/null && \ + { exitcode=1 ; echo "test failed"; } + +echo "Getting client initial tickets (with ntlm creds)" +${kinit} --password-file=${objdir}/foopassword --ntlm-domain=TEST user1@${R} || exitcode=1 + +echo "NTLM initiator krb5 creds" +${context} --mech-type=ntlm \ + --mutual \ + --name-type=hostbased-service \ + --ret-mech-type=ntlm \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo "test failed"; } + +echo "NTLM initiator krb5 creds (getverifymic, wrapunwrap)" +${context} --mech-type=ntlm \ + --mutual \ + --name-type=hostbased-service \ + --ret-mech-type=ntlm \ + --getverifymic --wrapunwrap \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo "test failed"; } + +trap "" EXIT + +echo "killing kdc (${kdcpid})" +kill ${kdcpid} 2> /dev/null + +exit $exitcode + + diff --git a/third_party/heimdal/tests/gss/check-spnego.in b/third_party/heimdal/tests/gss/check-spnego.in new file mode 100644 index 0000000..d6e4d83 --- /dev/null +++ b/third_party/heimdal/tests/gss/check-spnego.in @@ -0,0 +1,246 @@ +#!/bin/sh +# +# Copyright (c) 2006 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $Id$ +# + +env_setup="@env_setup@" +srcdir="@srcdir@" +objdir="@objdir@" + +. ${env_setup} + +# If there is no useful db support compiled in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" +cache="FILE:krb5ccfile" +cacheds="FILE:krb5ccfile-ds" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog} --forwardable" +kinitds="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cacheds ${afs_no_afslog}" +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" + +context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context" + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +KRB5CCNAME=${cache} +KRB5_KTNAME="${keytab}" +export KRB5_KTNAME +KRB5CCNAME="${cache}" +export KRB5CCNAME +NTLM_ACCEPTOR_CCACHE="${cacheds}" +export NTLM_ACCEPTOR_CCACHE +NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt" +export NTLM_USER_FILE + +GSSAPI_SPNEGO_NAME=host@host.test.h5l.se +export GSSAPI_SPNEGO_NAME + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 +${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 + +${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 + +${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1 +${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1 + +${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo u1 > ${objdir}/foopassword +echo ds > ${objdir}/barpassword + +echo Starting kdc +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +exitcode=0 + +echo "Getting client initial tickets" +${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1 +echo "Getting digestserver initial tickets" +${kinitds} --password-file=${objdir}/barpassword digestserver@${R} || exitcode=1 + +echo "======context building for each mech" + +for mech in ntlm krb5 ; do + echo "${mech}" + ${context} --mech-type=${mech} --ret-mech-type=${mech} \ + --client-ccache="${cache}" \ + --gsskrb5-acceptor-identity="${keytab}" \ + --name-type=hostbased-service host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } +done + +echo "spnego" +${context} \ + --client-ccache="${cache}" \ + --mech-type=spnego \ + --ret-mech-type=krb5 \ + --name-type=hostbased-service \ + --export-import-context \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + +echo "spnego (split tokens)" +${context} \ + --token-split=128 \ + --client-ccache="${cache}" \ + --mech-type=spnego \ + --ret-mech-type=krb5 \ + --name-type=hostbased-service \ + --export-import-context \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + +echo "test failure cases" +${context} --mech-type=ntlm --ret-mech-type=krb5 \ + --client-ccache="${cache}" \ + --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \ + { exitcode=1 ; echo test failed; } + +${context} --mech-type=krb5 --ret-mech-type=ntlm \ + --client-ccache="${cache}" \ + --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \ + { exitcode=1 ; echo test failed; } + +echo "======spnego variants context building" + +for arg in \ + "" \ + "--mutual" \ + "--delegate" \ + "--mutual --delegate" \ + "--getverifymic --wrapunwrap" \ + "--mutual --getverifymic --wrapunwrap" \ + ; do + + echo "no NTLM acceptor cred ${arg}" + NTLM_ACCEPTOR_CCACHE="${cacheds}-no" + ${context} --mech-type=spnego \ + $arg \ + --name-type=hostbased-service \ + --ret-mech-type=krb5 \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + NTLM_ACCEPTOR_CCACHE="${cacheds}" + + echo "no NTLM initiator cred ${arg}" + NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no" + ${context} --mech-type=spnego \ + $arg \ + --name-type=hostbased-service \ + --ret-mech-type=krb5 \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt" + + echo "no krb5 acceptor cred ${arg}" + KRB5_KTNAME="${keytab}-no" + ${context} --mech-type=spnego \ + $arg \ + --server-no-delegate \ + --name-type=hostbased-service \ + --ret-mech-type=ntlm \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + KRB5_KTNAME="${keytab}" + + echo "no explicit krb5 acceptor cred ${arg}" + ${context} --mech-type=spnego \ + $arg \ + --gsskrb5-acceptor-identity="${keytab}-no" \ + --server-no-delegate \ + --name-type=hostbased-service \ + --ret-mech-type=krb5 \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + + echo "no krb5 initiator cred ${arg}" + KRB5CCNAME="${cache}-no" + ${context} --mech-type=spnego \ + $arg \ + --server-no-delegate \ + --name-type=hostbased-service \ + --ret-mech-type=ntlm \ + host@host.test.h5l.se || \ + { exitcode=1 ; echo test failed; } + KRB5CCNAME="${cache}" + + echo "no explicit krb5 initiator cred ${arg}" + ${context} --mech-type=spnego \ + $arg \ + --client-ccache="${cache}-no" \ + --server-no-delegate \ + --name-type=hostbased-service \ + --ret-mech-type=krb5 \ + host@host.test.h5l.se 2>/dev/null && \ + { exitcode=1 ; echo test failed; } + +done + +trap "" EXIT + +echo "killing kdc (${kdcpid})" +kill ${kdcpid} 2> /dev/null + +exit $exitcode + + diff --git a/third_party/heimdal/tests/gss/include-krb5.conf b/third_party/heimdal/tests/gss/include-krb5.conf new file mode 100644 index 0000000..ae21e9e --- /dev/null +++ b/third_party/heimdal/tests/gss/include-krb5.conf @@ -0,0 +1,17 @@ +[libdefaults] + default_realm = TEST.H5L.SE + no-addresses = TRUE + dns_canonicalize_hostname = false + dns_lookup_realm = false + name_canon_rules = as-is:realm=TEST.H5L.SE + name_canon_rules = qualify:domain=test.h5l.se + +[domain_realms] + .test.h5l.se = TEST.H5L.SE + +[kdc] + enable-digest = true + digests_allowed = ntlm-v2,ntlm-v1-session,ntlm-v1 + +[kadmin] + save-password = true diff --git a/third_party/heimdal/tests/gss/krb5.conf.in b/third_party/heimdal/tests/gss/krb5.conf.in new file mode 100644 index 0000000..01c4c2e --- /dev/null +++ b/third_party/heimdal/tests/gss/krb5.conf.in @@ -0,0 +1,54 @@ +include @srcdirabs@/include-krb5.conf + +[libdefaults] + default_keytab_name = @objdir@/server.keytab + enable-kx509 = yes + kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem + default_realm = TEST.H5L.SE + kuserok = SYSTEM-K5LOGIN:@srcdir@/../kdc/k5login + kuserok = USER-K5LOGIN + kuserok = SIMPLE + +[realms] + TEST.H5L.SE = { + kdc = localhost:@port@ + auth_to_local_names = { + user1 = mapped_user1 + } + } + +[kdc] + enable-digest = true + allow-anonymous = true + digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2 + strict-nametypes = true + synthetic_clients = true + enable_gss_preauth = true + gss_mechanisms_allowed = sanon-x25519 + enable-pkinit = true + pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key + pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt + pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt +# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl + pkinit_mappings_file = @srcdir@/pki-mapping + pkinit_allow_proxy_certificate = true + + database = { + dbname = @objdir@/current-db + realm = TEST.H5L.SE + mkey_file = @objdir@/mkey.file + log_file = @objdir@/current.log + } + +[hdb] + db-dir = @objdir@ + enable_virtual_hostbased_princs = true + virtual_hostbased_princ_mindots = 1 + virtual_hostbased_princ_maxdots = 3 + same_realm_aliases_are_soft = true + +[logging] + kdc = 0-/FILE:@objdir@/messages.log + default = 0-/FILE:@objdir@/messages.log + +include @srcdirabs@/missing-krb5.conf diff --git a/third_party/heimdal/tests/gss/mech.in b/third_party/heimdal/tests/gss/mech.in new file mode 100644 index 0000000..4c4acc9 --- /dev/null +++ b/third_party/heimdal/tests/gss/mech.in @@ -0,0 +1,5 @@ +# +# Test GSS-API mechglue configuration file. +# +test_negoex_1 2.25.1414534758 @objdir@/../../lib/gssapi/.libs/test_negoex_mech.so +test_negoex_2 2.25.1175737388 @objdir@/../../lib/gssapi/.libs/test_negoex_mech.so diff --git a/third_party/heimdal/tests/gss/new_clients_k5.conf.in b/third_party/heimdal/tests/gss/new_clients_k5.conf.in new file mode 100644 index 0000000..41c9e21 --- /dev/null +++ b/third_party/heimdal/tests/gss/new_clients_k5.conf.in @@ -0,0 +1,5 @@ +include @objdirabs@/krb5.conf + +[libdefaults] + client_aware_channel_bindings = true + report_canonical_client_name = true diff --git a/third_party/heimdal/tests/gss/ntlm-user-file.txt b/third_party/heimdal/tests/gss/ntlm-user-file.txt new file mode 100644 index 0000000..cd2c654 --- /dev/null +++ b/third_party/heimdal/tests/gss/ntlm-user-file.txt @@ -0,0 +1,2 @@ +# $Id$ +TEST:user1:u1 -- cgit v1.2.3