Diffstat (limited to 'third_party/heimdal/tests')
36 files changed, 530 insertions, 209 deletions
diff --git a/third_party/heimdal/tests/bin/setup-env.in b/third_party/heimdal/tests/bin/setup-env.in index 954a2c1d5f5..c9291d08bf2 100644 --- a/third_party/heimdal/tests/bin/setup-env.in +++ b/third_party/heimdal/tests/bin/setup-env.in @@ -28,6 +28,7 @@ kadmin="${TESTS_ENVIRONMENT} ${top_builddir}/kadmin/kadmin" kadmind="${TESTS_ENVIRONMENT} ${top_builddir}/kadmin/kadmind" kdc="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/kdc" kdc_tester="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/kdc-tester" +kcm="${TESTS_ENVIRONMENT} ${top_builddir}/kcm/kcm" test_csr_authorizer="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_csr_authorizer" test_kdc_ca="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_kdc_ca" test_token_validator="${TESTS_ENVIRONMENT} ${top_builddir}/kdc/test_token_validator" diff --git a/third_party/heimdal/tests/gss/Makefile.am b/third_party/heimdal/tests/gss/Makefile.am index ca40ae26bd2..2de36bfe24c 100644 --- a/third_party/heimdal/tests/gss/Makefile.am +++ b/third_party/heimdal/tests/gss/Makefile.am @@ -95,7 +95,9 @@ EXTRA_DIST = \ check-spnego.in \ check-ntlm.in \ check-context.in \ + check-negoex.in \ ntlm-user-file.txt \ krb5.conf.in \ + include-krb5.conf \ new_clients_k5.conf.in \ mech.in diff --git a/third_party/heimdal/tests/gss/check-basic.in b/third_party/heimdal/tests/gss/check-basic.in index d4916bd46d4..c5151c4c94f 100644 --- a/third_party/heimdal/tests/gss/check-basic.in +++ b/third_party/heimdal/tests/gss/check-basic.in @@ -94,10 +94,10 @@ echo "Doing database check" ${kadmin} check ${R} || exit 1 echo Starting kdc -${kdc} --testing --detach || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT exitcode=0 
diff --git a/third_party/heimdal/tests/gss/check-context.in b/third_party/heimdal/tests/gss/check-context.in index 42ea15eecb9..46c058d068b 100644 --- a/third_party/heimdal/tests/gss/check-context.in +++ b/third_party/heimdal/tests/gss/check-context.in @@ -115,10 +115,10 @@ ${kadmin} check ${R} || exit 1 echo u1 > ${objdir}/foopassword echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT testfailed="echo test failed; cat messages.log; exit 1" @@ -245,6 +245,14 @@ for mech in krb5 krb5iov spnego spnegoiov; do { eval "$testfailed"; } done +echo "======test authz-data (krb5)" +${context} --mech-type=krb5 \ + --mutual \ + --wrapunwrap \ + --on-behalf-of=foo@BAR.TEST.H5L.SE \ + --name-type=hostbased-service host@lucid.test.h5l.se || + { eval "$testfailed"; } + echo "======dce-style" for mech in krb5 krb5iov spnego; do iov="" diff --git a/third_party/heimdal/tests/gss/check-gssmask.in b/third_party/heimdal/tests/gss/check-gssmask.in index 44769eff584..539e2e94e52 100644 --- a/third_party/heimdal/tests/gss/check-gssmask.in +++ b/third_party/heimdal/tests/gss/check-gssmask.in @@ -93,10 +93,10 @@ echo "Doing database check" ${kadmin} check ${R} || exit 1 echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT exitcode=0 diff --git a/third_party/heimdal/tests/gss/check-ntlm.in b/third_party/heimdal/tests/gss/check-ntlm.in index f5bf3446ae6..f953630d09d 100644 --- a/third_party/heimdal/tests/gss/check-ntlm.in 
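Review bot: The new `======test authz-data (krb5)` case passes `--on-behalf-of=foo@BAR.TEST.H5L.SE` to `${context}` but asserts nothing beyond its exit status, so unless `${context}` itself checks that the on-behalf-of data reached the acceptor, the test also passes when that data is silently dropped. If the tool prints what the acceptor received, pipe it through `grep 'foo@BAR.TEST.H5L.SE'` before the `|| { eval "$testfailed"; }`; otherwise add a one-line comment above the case stating what `${context}` verifies internally. BAR.TEST.H5L.SE is not a realm this diff configures, which is presumably intentional for opaque authz data, but worth saying in that comment.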
+++ b/third_party/heimdal/tests/gss/check-ntlm.in @@ -107,10 +107,10 @@ echo u1 > ${objdir}/foopassword echo ds > ${objdir}/barpassword echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT exitcode=0 diff --git a/third_party/heimdal/tests/gss/check-spnego.in b/third_party/heimdal/tests/gss/check-spnego.in index 3cf56089602..d6e4d833152 100644 --- a/third_party/heimdal/tests/gss/check-spnego.in +++ b/third_party/heimdal/tests/gss/check-spnego.in @@ -106,10 +106,10 @@ echo u1 > ${objdir}/foopassword echo ds > ${objdir}/barpassword echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT exitcode=0 diff --git a/third_party/heimdal/tests/gss/krb5.conf.in b/third_party/heimdal/tests/gss/krb5.conf.in index b8e04b65159..aae031db645 100644 --- a/third_party/heimdal/tests/gss/krb5.conf.in +++ b/third_party/heimdal/tests/gss/krb5.conf.in 
@@ -18,6 +18,21 @@ include @srcdirabs@/include-krb5.conf } [kdc] + enable-digest = true + allow-anonymous = true + digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2 + strict-nametypes = true + synthetic_clients = true + enable_gss_preauth = true + gss_mechanisms_allowed = sanon-x25519 + enable-pkinit = true + pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key + pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt + pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt +# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl + pkinit_mappings_file = @srcdir@/pki-mapping + pkinit_allow_proxy_certificate = true + database = { dbname = @objdir@/current-db realm = TEST.H5L.SE diff --git a/third_party/heimdal/tests/java/check-kinit.in b/third_party/heimdal/tests/java/check-kinit.in index 04043ca02e2..82033447409 100644 --- a/third_party/heimdal/tests/java/check-kinit.in +++ b/third_party/heimdal/tests/java/check-kinit.in @@ -90,7 +90,7 @@ ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/Makefile.am b/third_party/heimdal/tests/kdc/Makefile.am index a07f776eb23..f61a7e85307 100644 --- a/third_party/heimdal/tests/kdc/Makefile.am +++ b/third_party/heimdal/tests/kdc/Makefile.am @@ -4,6 +4,7 @@ noinst_DATA = \ an2ln-db.txt \ kdc-tester4.json \ krb5.conf \ + krb5-kcm.conf \ krb5-cccol.conf \ krb5-authz.conf \ krb5-authz2.conf \ 
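Review bot: The new [kdc] block enables `allow-anonymous`, `synthetic_clients`, `pkinit_allow_proxy_certificate` and a `digests_allowed` list that includes ntlm-v1 and chap-md5, and leaves `pkinit_revoke` commented out, with no comment saying these are test-coverage settings; test krb5.conf files tend to get copied as templates, so a header line such as `# Test-only KDC settings: weak digests, anonymous/synthetic clients and proxy certs are enabled for coverage, not as a deployment example.` would prevent that. It is also not visible from this hunk which gss test needs which setting (the Makefile.am hunk only adds check-negoex.in); naming the consumer next to each group would help whoever later wants to trim the list.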
@@ -204,6 +205,13 @@ krb5.conf: krb5.conf.in Makefile -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \ mv krb5.conf.tmp krb5.conf +krb5-kcm.conf: krb5-kcm.conf.in Makefile + $(do_subst) \ + -e 's,[@]WEAK[@],false,g' \ + -e 's,[@]dk[@],,g' \ + -e 's,[@]kdc[@],,g' < $(srcdir)/krb5-kcm.conf.in > krb5-kcm.conf.tmp && \ + mv krb5-kcm.conf.tmp krb5-kcm.conf + krb5-cccol.conf: krb5-cccol.conf.in Makefile $(do_subst) \ -e 's,[@]WEAK[@],false,g' \ @@ -383,23 +391,23 @@ EXTRA_DIST = \ NTMakefile \ an2ln-db.txt \ check-authz.in \ + check-bx509.in \ check-canon.in \ check-cc.in \ check-delegation.in \ check-des.in \ check-digest.in \ check-fast.in \ + check-hdb-mitdb.in \ + check-httpkadmind.in \ check-iprop.in \ check-kadmin.in \ - check-kinit.in \ - check-hdb-mitdb.in \ - check-kdc.in \ check-kdc-weak.in \ + check-kdc.in \ check-keys.in \ + check-kinit.in \ check-kpasswdd.in \ check-pkinit.in \ - check-bx509.in \ - check-httpkadmind.in \ check-referral.in \ check-tester.in \ check-uu.in \ @@ -409,23 +417,25 @@ EXTRA_DIST = \ hdb-mitdb.mkey \ heimdal.acl \ iprop-acl \ + k5login/foo \ + k5login/mapped_user1 \ kdc-tester1.json \ kdc-tester2.json \ kdc-tester3.json \ kdc-tester4.json.in \ - krb5-pkinit.conf.in \ - krb5-bx509.conf.in \ - krb5-httpkadmind.conf.in \ - krb5.conf.in \ krb5-authz.conf.in \ krb5-authz2.conf.in \ + krb5-bx509.conf.in \ krb5-canon.conf.in \ krb5-canon2.conf.in \ + krb5-cccol.conf.in \ krb5-hdb-mitdb.conf.in \ + krb5-httpkadmind.conf.in \ + krb5-pkinit.conf.in \ + krb5.conf.in \ krb5.conf.keys.in \ - k5login/foo \ - ntlm-user-file.txt \ leaks-kill.sh \ + ntlm-user-file.txt \ pki-mapping \ uuserver.txt \ wait-kdc.sh diff --git a/third_party/heimdal/tests/kdc/check-bx509.in b/third_party/heimdal/tests/kdc/check-bx509.in index 1cef2e0e766..b50239d8440 100644 --- a/third_party/heimdal/tests/kdc/check-bx509.in +++ b/third_party/heimdal/tests/kdc/check-bx509.in 
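Review bot: krb5-kcm.conf.in is not added to EXTRA_DIST in either of the two EXTRA_DIST hunks here, while the new krb5-kcm.conf rule reads `$(srcdir)/krb5-kcm.conf.in` and check-cc.in sets KRB5_CONFIG to the generated file; unless it is listed somewhere outside these hunks, a distribution tarball will be missing the template and check-cc will fail out of tree. Add `krb5-kcm.conf.in \` after `krb5-httpkadmind.conf.in \` in the second EXTRA_DIST hunk. The generated krb5-kcm.conf also needs to be in CLEANFILES, which is outside this hunk and may or may not already cover it.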
@@ -428,7 +428,7 @@ ${kadmin} add -r --use-defaults HTTP/${otherserver}@${R} || exit 1 ${kadmin} ext_keytab -r -k $ukeytab foo@${R} || exit 1 echo "Starting kdc"; -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid} ${bx509pid}; echo signal killing kdc and bx509d; exit 1;" EXIT @@ -590,7 +590,8 @@ KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r || { echo "Trivial offline CA test failed (gss-token)"; exit 2; } # Check that we get up to three tixaddrs k/v in the log -grep 'REQ.*numtixaddrs=4 tixaddrs=IPv4:8.8.8.8 tixaddrs=IPv4:8.9.10.11 tixaddrs=IPv4:11.11.11.11.*wrongaddr=yes' ${objdir}/messages.log || +grep 'REQ.*wrongaddr=true' ${objdir}/messages.log | + grep 'tixaddrs=IPv4:11.11.11.11' || { echo "KDC not warning about requests from wrong address"; exit 2; } echo "Fetching a Negotiate token" diff --git a/third_party/heimdal/tests/kdc/check-canon.in b/third_party/heimdal/tests/kdc/check-canon.in index 0bb5a413f3c..18b83a9b7a6 100644 --- a/third_party/heimdal/tests/kdc/check-canon.in +++ b/third_party/heimdal/tests/kdc/check-canon.in @@ -99,7 +99,7 @@ ${kadmin} check ${R3} || exit 1 echo foo > ${objdir}/foopassword echo "Starting kdc" ; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-cc.in b/third_party/heimdal/tests/kdc/check-cc.in index ce95b300664..46e846a10ea 100644 --- a/third_party/heimdal/tests/kdc/check-cc.in +++ b/third_party/heimdal/tests/kdc/check-cc.in 
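Review bot: The comment `# Check that we get up to three tixaddrs k/v in the log` above the rewritten grep is now stale: the new pair of greps only asserts `wrongaddr=true` together with `tixaddrs=IPv4:11.11.11.11`, so neither the three-address cap nor the other two addresses from the old pattern are checked any more. Either change the comment to `# Check that the wrong-address warning names the offending ticket address` or keep an additional assertion on the number of `tixaddrs=` entries if that limit is still meant to be tested.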
@@ -86,9 +86,16 @@ ${kadmin} check ${R} || exit 1 echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` +echo Starting kcm ; > messages.log +${kcm} -s ${objdir} --detach || { echo "kcm failed to start"; cat messages.log; exit 1; } +kcmpid=`getpid kcm` + +HEIM_IPC_DIR=${objdir} +export HEIM_IPC_DIR + trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT ec=0 
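Review bot: The EXIT trap at the end of this hunk still kills only `${kdcpid}`, although the hunk now also starts kcm and records `kcmpid`, so any failure that fires the trap leaves a detached kcm process running with its IPC socket in `${objdir}`. Change it to `trap "kill -9 ${kdcpid} ${kcmpid}; echo signal killing kdc and kcm; exit 1;" EXIT`. `HEIM_IPC_DIR` is exported only after kcm has been started; if kcm reads that variable rather than the `-s ${objdir}` option (not visible here), the export should move above the `${kcm}` line.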
@@ -133,6 +140,41 @@ ${klist} -l | grep foo@ >/dev/null && { ec=1 ; eval "${testfailed}"; } echo "check that bar is gone" ${klist} -l | grep bar@ >/dev/null && { ec=1 ; eval "${testfailed}"; } +echo "getting tickets (KCM)"; > messages.log +KRB5_CONFIG="${objdir}/krb5-kcm.conf" +export KRB5_CONFIG +unset KRB5CCNAME +${kinit} --default-for-principal foo@${R} +${kinit} --default-for-principal bar@${R} +${kinit} bar@${R} +${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; } +${klist} -l | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} -l | grep foo@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} -c KCM: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +KRB5CCNAME=KCM: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +if [ -n "$BASH_VERSION" ]; then + ${klist} -c KCM:${UID} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } + ${klist} -c KCM:${UID}: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } + KRB5CCNAME=KCM:${UID} ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } + KRB5CCNAME=KCM:${UID}: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +fi +${kdestroy} -A +${klist} 2>/dev/null && { ec=1 ; eval "${testfailed}"; } +${klist} -l | grep bar@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; } +${klist} -l | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; } +${kinit} bar@${R} +${kinit} --default-for-principal foo@${R} +${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} | grep foo@${R} > /dev/null && { ec=1 ; eval "${testfailed}"; } +${klist} -l | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${klist} -l | grep foo@${R} > /dev/null || { ec=1 ; eval 
"${testfailed}"; } +${klist} -c KCM: | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +KRB5CCNAME=KCM: ${klist} | grep bar@${R} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${kdestroy} -A + echo "getting tickets (DIR)"; > messages.log KRB5_CONFIG="${objdir}/krb5-cccol.conf" export KRB5_CONFIG @@ -150,6 +192,9 @@ ${klist} -l | grep "bar@TEST.H5L.SE.*FILE:${objdir}/cc_dir/tkt.bar@TEST.H5L.SE" > /dev/null || { ec=1 ; eval "${testfailed}"; } +echo "killing kcm (${kcmpid})" +sh ${leaks_kill} kcm $kcmpid || exit 1 + echo "killing kdc (${kdcpid})" sh ${leaks_kill} kdc $kdcpid || exit 1 diff --git a/third_party/heimdal/tests/kdc/check-delegation.in b/third_party/heimdal/tests/kdc/check-delegation.in index 8657946168a..fdff0f6a0f0 100644 --- a/third_party/heimdal/tests/kdc/check-delegation.in +++ b/third_party/heimdal/tests/kdc/check-delegation.in @@ -102,7 +102,7 @@ ${kadmin} check ${R4} || exit 1 echo foo > ${objdir}/foopassword echo Starting kdc; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-des.in b/third_party/heimdal/tests/kdc/check-des.in index d45b119dfa5..144613df4f9 100644 --- a/third_party/heimdal/tests/kdc/check-des.in +++ b/third_party/heimdal/tests/kdc/check-des.in @@ -96,7 +96,7 @@ ${kadmin} check ${R} || exit 1 echo foo > ${objdir}/foopassword echo Starting kdc; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-digest.in b/third_party/heimdal/tests/kdc/check-digest.in index 1623783eba6..d934f4e2898 100644 
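Review bot: None of the six `${kinit}` invocations in the KCM block (`${kinit} --default-for-principal foo@${R}`, `${kinit} --default-for-principal bar@${R}`, `${kinit} bar@${R}` and their repeats after `${kdestroy} -A`) checks its exit status, while every `${klist}` line around them does; a kinit failure is therefore only caught by a later grep and the failure message points at the wrong step. Append `|| { ec=1 ; eval "${testfailed}"; }` to each of them, matching the rest of the script. The `$BASH_VERSION` guard around the `KCM:${UID}` variants is appropriate, since `UID` is a bash variable rather than a POSIX sh one.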
--- a/third_party/heimdal/tests/kdc/check-digest.in +++ b/third_party/heimdal/tests/kdc/check-digest.in @@ -95,7 +95,7 @@ echo $password > ${objdir}/foopassword echo "Starting kdc" ; > messages.log env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing || - { echo "kdc failed to start"; exit 1; } + { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-fast.in b/third_party/heimdal/tests/kdc/check-fast.in index 136bf3ed62b..3fbda813a63 100644 --- a/third_party/heimdal/tests/kdc/check-fast.in +++ b/third_party/heimdal/tests/kdc/check-fast.in @@ -88,7 +88,7 @@ echo bar > ${objdir}/barpassword echo Starting kdc ; > messages.log env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \ -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-hdb-mitdb.in b/third_party/heimdal/tests/kdc/check-hdb-mitdb.in index e9de58799a3..a241aeb4a8f 100644 --- a/third_party/heimdal/tests/kdc/check-hdb-mitdb.in +++ b/third_party/heimdal/tests/kdc/check-hdb-mitdb.in @@ -85,7 +85,7 @@ echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \ -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT 
diff --git a/third_party/heimdal/tests/kdc/check-httpkadmind.in b/third_party/heimdal/tests/kdc/check-httpkadmind.in index b593925a352..f57f2af8592 100644 --- a/third_party/heimdal/tests/kdc/check-httpkadmind.in +++ b/third_party/heimdal/tests/kdc/check-httpkadmind.in @@ -519,7 +519,7 @@ ${hxtool} issue-certificate \ { echo "Failed to make PKINIT client cert"; exit 1; } echo "Starting kdc needed for httpkadmind authentication to kadmind" -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` echo "Starting httpkadmind with remote HDBs only" diff --git a/third_party/heimdal/tests/kdc/check-iprop.in b/third_party/heimdal/tests/kdc/check-iprop.in index 21296877943..524379393fa 100644 --- a/third_party/heimdal/tests/kdc/check-iprop.in +++ b/third_party/heimdal/tests/kdc/check-iprop.in @@ -314,7 +314,7 @@ cleanup() { trap cleanup EXIT echo Starting kdc ; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` echo "starting master" ; > messages.log diff --git a/third_party/heimdal/tests/kdc/check-kadmin.in b/third_party/heimdal/tests/kdc/check-kadmin.in index 3d3f41003d8..45d679ceb4a 100644 --- a/third_party/heimdal/tests/kdc/check-kadmin.in +++ b/third_party/heimdal/tests/kdc/check-kadmin.in @@ -97,7 +97,7 @@ ${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1 echo "$foopassword" > ${objdir}/foopassword echo Starting kdc ; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid} ${kadmpid}" EXIT diff --git a/third_party/heimdal/tests/kdc/check-kdc.in b/third_party/heimdal/tests/kdc/check-kdc.in index 75626f6ce85..e53293b2427 100644 
--- a/third_party/heimdal/tests/kdc/check-kdc.in +++ b/third_party/heimdal/tests/kdc/check-kdc.in @@ -78,6 +78,8 @@ server=host/datan.test.h5l.se server2=host/computer.example.com server3=host/refer-me-out.test.h5l.se server4=host/no-auth-data-reqd.test.h5l.se +server5=host/a-host.refer-all-out.test.h5l.se +namespace=WELLKNOWN/HOSTBASED-NAMESPACE/_/refer-all-out.test.h5l.se serverip=host/10.11.12.13 serveripname=host/ip.test.h5l.org serveripname2=host/10.11.12.14 @@ -240,6 +242,9 @@ ${kadmin} add -p foo --use-defaults referral-placeholder@${R5} || exit 1 ${kadmin} add_alias referral-placeholder@${R5} ${server3}@${R} || exit 1 ${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1 ${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1 +${kadmin} add_alias referral-placeholder@${R5} ${namespace}@${R} || exit 1 +${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1 +${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1 @@ -364,7 +369,7 @@ echo notfoo > ${objdir}/notfoopassword echo Starting kdc ; > messages.log env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \ ${kdc} --detach --testing || - { echo "kdc failed to start"; exit 1; } + { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` echo Starting kpasswdd; > messages.log @@ -444,6 +449,8 @@ echo "Getting x-realm tickets with capaths for $R -> $R5" ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; } echo "Testing HDB referral entry" ${kgetcred} --canonicalize ${server3}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Testing HDB namespace referral entry" +${kgetcred} --canonicalize ${server5}@${R} || { ec=1 ; eval "${testfailed}"; } ${klist} ${kdestroy} 
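Review bot: The new `Testing HDB namespace referral entry` step only checks that `${kgetcred} --canonicalize ${server5}@${R}` exits 0; nothing verifies that the request was actually referred through the `${namespace}@${R}` alias to ${R5} rather than answered some other way. If the expected result is a ticket for `${server5}@${R5}`, add `${klist} | grep "${server5}@${R5}" > /dev/null || { ec=1 ; eval "${testfailed}"; }` after the kgetcred line. The `namespace=WELLKNOWN/HOSTBASED-NAMESPACE/_/refer-all-out.test.h5l.se` assignment in the first hunk would also benefit from a comment that it relies on the `enable_virtual_hostbased_princs` settings this diff adds to kdc/krb5.conf.in, assuming that is indeed the mechanism.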
diff --git a/third_party/heimdal/tests/kdc/check-kinit.in b/third_party/heimdal/tests/kdc/check-kinit.in index 35ec6deadbf..c6cb23ff6f8 100644 --- a/third_party/heimdal/tests/kdc/check-kinit.in +++ b/third_party/heimdal/tests/kdc/check-kinit.in @@ -107,7 +107,7 @@ if (($# == 0)); then echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log - ${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } + ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-kpasswdd.in b/third_party/heimdal/tests/kdc/check-kpasswdd.in index 4f63ce240fa..39f12e1be8c 100644 --- a/third_party/heimdal/tests/kdc/check-kpasswdd.in +++ b/third_party/heimdal/tests/kdc/check-kpasswdd.in @@ -103,7 +103,7 @@ echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing || - { echo "kdc failed to start"; exit 1; } + { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` echo Starting kpasswdd diff --git a/third_party/heimdal/tests/kdc/check-pkinit.in b/third_party/heimdal/tests/kdc/check-pkinit.in index baa9fb30691..9f90fd040f9 100644 --- a/third_party/heimdal/tests/kdc/check-pkinit.in +++ b/third_party/heimdal/tests/kdc/check-pkinit.in @@ -199,7 +199,7 @@ echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log KRB5_CONFIG="${objdir}/krb5-pkinit2.conf" -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap 'kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt; exit 1;' EXIT 
@@ -232,7 +232,7 @@ ${kdestroy} echo "Restarting kdc ($kdcpid)" sh ${leaks_kill} kdc $kdcpid || ec=1 KRB5_CONFIG="${objdir}/krb5-pkinit.conf" -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` echo "Trying pk-init (principal in cert)"; > messages.log diff --git a/third_party/heimdal/tests/kdc/check-referral.in b/third_party/heimdal/tests/kdc/check-referral.in index d028e39ef1f..73c26c368ca 100644 --- a/third_party/heimdal/tests/kdc/check-referral.in +++ b/third_party/heimdal/tests/kdc/check-referral.in @@ -105,7 +105,7 @@ ${kadmin} check ${R2} || exit 1 echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/check-tester.in b/third_party/heimdal/tests/kdc/check-tester.in index dba154c299b..83b48baf27f 100644 --- a/third_party/heimdal/tests/kdc/check-tester.in +++ b/third_party/heimdal/tests/kdc/check-tester.in @@ -46,6 +46,9 @@ testfailed="echo test failed; cat messages.log; exit 1" # If there is no useful db support compiled in, disable test ${have_db} || exit 77 +# Do not run in GutHub valgrind builds -- too slow / not necessary +[ -n "$CHECK_TESTER_NO_VALGRIND" ] && exit 77 + R=TEST.H5L.SE keytabfile=${objdir}/server.keytab diff --git a/third_party/heimdal/tests/kdc/check-uu.in b/third_party/heimdal/tests/kdc/check-uu.in index 7e819a14ad0..ef831ca4d94 100644 --- a/third_party/heimdal/tests/kdc/check-uu.in +++ b/third_party/heimdal/tests/kdc/check-uu.in 
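Review bot: The comment on the new check-tester.in guard misspells GitHub: `# Do not run in GutHub valgrind builds -- too slow / not necessary`. The variable CHECK_TESTER_NO_VALGRIND also names valgrind while the guard skips whenever it is non-empty, valgrind or not, so a more accurate comment would be `# Skip when CHECK_TESTER_NO_VALGRIND is set (the GitHub valgrind builds set it; this test is too slow there).`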
@@ -86,7 +86,7 @@ ${kadmin} check ${R} || exit 1 echo foo > ${objdir}/foopassword echo Starting kdc ; > messages.log -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill -9 ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;" EXIT diff --git a/third_party/heimdal/tests/kdc/krb5-kcm.conf.in b/third_party/heimdal/tests/kdc/krb5-kcm.conf.in new file mode 100644 index 00000000000..bdcca073cc0 --- /dev/null +++ b/third_party/heimdal/tests/kdc/krb5-kcm.conf.in 
@@ -0,0 +1,165 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE TEST2.H5L.SE
+ default_ccache_name = KCM:%{uid}
+ no-addresses = TRUE
+ allow_weak_crypto = @WEAK@
+ dns_lookup_kdc = no
+ dns_lookup_realm = no
+
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ reconnect-min = 2s
+ reconnect-backoff = 2s
+ reconnect-max = 10s
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ kpasswd_server = localhost:@pwport@
+ }
+ SUB.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ kpasswd_server = localhost:@pwport@
+ }
+ TEST3.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST4.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM5.FR = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM6.US = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM7.UK = {
+ kdc = localhost:@port@
+ }
+ SOME-REALM8.UK = {
+ kdc = localhost:@port@
+ }
+ TEST-HTTP.H5L.SE = {
+ kdc = http/localhost:@port@
+ }
+ H1.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H3.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ H4.H2.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realm]
+ .test.h5l.se = TEST.H5L.SE
+ .sub.test.h5l.se = SUB.TEST.H5L.SE
+ .h1.test.h5l.se = H1.TEST.H5L.SE
+ .h2.test.h5l.se = H2.TEST.H5L.SE
+ .h3.h2.test.h5l.se = H3.H2.TEST.H5L.SE
+ .h4.h2.test.h5l.se = H4.H2.TEST.H5L.SE
+ .example.com = TEST2.H5L.SE
+ localhost = TEST.H5L.SE
+ .localdomain = TEST.H5L.SE
+ localdomain = TEST.H5L.SE
+ .localdomain6 = TEST.H5L.SE
+ localdomain6 = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+
+ enable-http = true
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = 
FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ label = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label2 = {
+ dbname = @db_type@:@objdir@/current-db@kdc@
+ realm = TEST2.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ label3 = {
+ dbname = sqlite:@objdir@/current-db@kdc@.sqlite3
+ realm = SOME-REALM5.FR
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+ log-max-size = 40000
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ krb5 = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+# If you are doing preformance measurements on OSX you want to change
+# the kdc LOG line from = to - below to keep the FILE open and avoid
+# open/write/close which is blocking (rdar:// ) on OSX.
+# kdc = 0-/FILE=@objdir@/messages.log
+
+[kadmin]
+ save-password = true
+ default_key_rules = {
+ */des3-only@* = des3-cbc-sha1:pw-salt
+ */aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+ }
+ @dk@
+
+[capaths]
+ TEST.H5L.SE = {
+ TEST2.H5L.SE = . 
+ SOME-REALM5.FR = 1 + TEST3.H5L.SE = TEST2.H5L.SE + TEST4.H5L.SE = TEST2.H5L.SE + TEST4.H5L.SE = TEST3.H5L.SE + SOME-REALM6.US = SOME-REALM5.FR + SOME-REALM7.UK = SOME-REALM6.US + SOME-REALM7.UK = SOME-REALM5.FR + SOME-REALM8.UK = SOME-REALM6.US + } + H4.H2.TEST.H5L.SE = { + H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE + H1.TEST.H5L.SE = H2.TEST.H5L.SE + H1.TEST.H5L.SE = TEST.H5L.SE + + TEST.H5L.SE = H3.H2.TEST.H5L.SE + TEST.H5L.SE = H2.TEST.H5L.SE + + H2.TEST.H5L.SE = H3.H2.TEST.H5L.SE + } diff --git a/third_party/heimdal/tests/kdc/krb5.conf.in b/third_party/heimdal/tests/kdc/krb5.conf.in index 19b4e3ef64e..a85836d76b2 100644 --- a/third_party/heimdal/tests/kdc/krb5.conf.in +++ b/third_party/heimdal/tests/kdc/krb5.conf.in @@ -126,6 +126,9 @@ [hdb] db-dir = @objdir@ + enable_virtual_hostbased_princs = true + virtual_hostbased_princ_mindots = 1 + virtual_hostbased_princ_maxdots = 3 [logging] kdc = 0-/FILE:@objdir@/@messages@.log diff --git a/third_party/heimdal/tests/ldap/check-ldap.in b/third_party/heimdal/tests/ldap/check-ldap.in index b99c951032b..f73eb6e1b88 100644 --- a/third_party/heimdal/tests/ldap/check-ldap.in +++ b/third_party/heimdal/tests/ldap/check-ldap.in @@ -120,7 +120,7 @@ ${kadmin} list '*' > /dev/null || exit 1 echo "$foopassword" > ${objdir}/foopassword echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill ${kdcpid}; echo signal killing kdc; sh ${srcdir}/slapd-stop ; exit 1;" EXIT diff --git a/third_party/heimdal/tests/plugin/Makefile.am b/third_party/heimdal/tests/plugin/Makefile.am index 3fb1a2324b9..5dd43ccb04d 100644 --- a/third_party/heimdal/tests/plugin/Makefile.am +++ b/third_party/heimdal/tests/plugin/Makefile.am 
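Review bot: krb5-kcm.conf.in appears to be a full copy of kdc/krb5.conf.in with `default_ccache_name = KCM:%{uid}` as the distinguishing line (it even carries the same `preformance` typo in the [logging] comment), and it is already diverging: the `enable_virtual_hostbased_princs` keys this same diff adds to krb5.conf.in's [hdb] section are absent here. The gss krb5.conf.in hunk in this diff shows the `include @srcdirabs@/include-krb5.conf` mechanism; if the kdc tests can use it too, this file could shrink to a [libdefaults] section with `default_ccache_name = KCM:%{uid}` plus an include of the shared body. Failing that, a header comment `# Copy of krb5.conf.in with KCM as the default ccache; keep the two in sync.` is the minimum.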
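Review bot: The three new [hdb] keys in kdc/krb5.conf.in (`enable_virtual_hostbased_princs = true`, `virtual_hostbased_princ_mindots = 1`, `virtual_hostbased_princ_maxdots = 3`) have no comment on what they are for or which test depends on them; the check-kdc.in hunk in this diff adds a `WELLKNOWN/HOSTBASED-NAMESPACE/_/refer-all-out.test.h5l.se` alias that looks like the consumer. A line such as `# virtual host-based principals, exercised by the namespace referral test in check-kdc.in` above the keys would make the dependency visible, and the 1..3 dot bounds should be explained if they were chosen to match that test's host names.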
@@ -29,10 +29,10 @@ krb5.conf: krb5.conf.in Makefile $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp mv krb5.conf.tmp krb5.conf -lib_LTLIBRARIES = windc.la +lib_LTLIBRARIES = kdc_test_plugin.la -windc_la_SOURCES = windc.c -windc_la_LDFLAGS = -module +kdc_test_plugin_la_SOURCES = kdc_test_plugin.c +kdc_test_plugin_la_LDFLAGS = -module CLEANFILES= \ $(TESTS) \ diff --git a/third_party/heimdal/tests/plugin/check-pac.in b/third_party/heimdal/tests/plugin/check-pac.in index 60ec21a31f3..85bf8cd9a98 100644 --- a/third_party/heimdal/tests/plugin/check-pac.in +++ b/third_party/heimdal/tests/plugin/check-pac.in @@ -108,15 +108,15 @@ echo "Empty log" > messages.log echo Starting kdc -${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; } +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT ec=0 -echo "Check that WINDC module was loaded " -grep "windc init" messages.log >/dev/null || \ +echo "Check that KDC plugin module was loaded " +grep "kdc plugin init" messages.log >/dev/null || \ { ec=1 ; eval "${testfailed}"; } echo "Getting client initial tickets"; > messages.log diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c new file mode 100644 index 00000000000..4fcf311fddf --- /dev/null +++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c 
@@ -0,0 +1,207 @@
+#include <string.h>
+#include <krb5_locl.h>
+#include <hdb.h>
+#include <hx509.h>
+#include <kdc.h>
+#include <kdc-plugin.h>
+
+static krb5_error_code KRB5_CALLCONV
+init(krb5_context context, void **ctx)
+{
+ krb5_warnx(context, "kdc plugin init");
+ *ctx = NULL;
+ return 0;
+}
+
+static void KRB5_CALLCONV
+fini(void *ctx)
+{
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_generate(void *ctx,
+ krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry *client,
+ hdb_entry *server,
+ const krb5_keyblock *pk_replykey,
+ uint64_t pac_attributes,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
+ KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
+ *pac = NULL;
+ return 0;
+ }
+
+ krb5_warnx(context, "pac generate");
+
+ data.data = "\x00\x01";
+ data.length = 2;
+
+ ret = krb5_pac_init(context, pac);
+ if (ret)
+ return ret;
+
+ ret = krb5_pac_add_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_verify(void *ctx,
+ krb5_context context,
+ krb5_kdc_configuration *config,
+ const krb5_principal new_ticket_client,
+ const krb5_principal delegation_proxy,
+ hdb_entry * client,
+ hdb_entry * server,
+ hdb_entry * krbtgt,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ krb5_cksumtype cstype;
+ uint16_t rodc_id;
+ krb5_enctype etype;
+ Key *key;
+
+ krb5_warnx(context, "pac_verify");
+
+ ret = krb5_pac_get_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+ krb5_data_free(&data);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
+ if (ret)
+ return ret;
+
+ if (rodc_id == 0 || rodc_id != krbtgt->kvno >> 16) {
+ krb5_warnx(context, "Wrong RODCIdentifier");
+ return EINVAL;
+ }
+
+ ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
+ if (ret)
+ return ret;
+
+ ret = hdb_enctype2key(context, krbtgt, NULL, etype, &key);
+ if (ret)
+ return ret;
+
+ return
krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
+}
+
+static void logit(const char *what, astgs_request_t r)
+{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
+ const char *cname = kdc_request_get_cname((kdc_request_t)r);
+ const char *sname = kdc_request_get_sname((kdc_request_t)r);
+
+ krb5_warnx(context, "%s: client %s server %s",
+ what,
+ cname ? cname : "<unknown>",
+ sname ? sname : "<unknown>");
+}
+
+static krb5_error_code KRB5_CALLCONV
+client_access(void *ctx, astgs_request_t r)
+{
+ logit("client_access", r);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+finalize_reply(void *ctx, astgs_request_t r)
+{
+ heim_number_t n;
+ krb5_error_code ret;
+
+ logit("finalize_reply", r);
+
+ n = heim_number_create(1234);
+ if (n == NULL)
+ return ENOMEM;
+
+ ret = kdc_request_set_attribute((kdc_request_t)r,
+ HSTR("org.h5l.tests.kdc-plugin"), n);
+ heim_release(n);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+audit(void *ctx, astgs_request_t r)
+{
+ krb5_error_code ret = kdc_request_get_error_code((kdc_request_t)r);
+ heim_number_t n;
+
+ logit("audit", r);
+
+ if (ret)
+ return 0; /* finalize_reply only called in success */
+
+ n = kdc_request_get_attribute((kdc_request_t)r,
+ HSTR("org.h5l.tests.kdc-plugin"));
+
+ heim_assert(n && heim_number_get_int(n) == 1234,
+ "attribute not passed from finalize_reply");
+
+ if (n == NULL || heim_number_get_int(n) != 1234)
+ return EINVAL; /* return value is ignored, but for completeness */
+
+ return 0;
+}
+
+static krb5plugin_kdc_ftable kdc_plugin = {
+ KRB5_PLUGIN_KDC_VERSION_10,
+ init,
+ fini,
+ pac_generate,
+ pac_verify,
+ client_access,
+ NULL, /* referral_policy */
+ finalize_reply,
+ audit
+};
+
+static const krb5plugin_kdc_ftable *const kdc_plugins[] = {
+ &kdc_plugin
+};
+
+krb5_error_code KRB5_CALLCONV
+kdc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kdc_ftable *const **plugins);
+
+static uintptr_t KRB5_CALLCONV
+kdc_plugin_get_instance(const char *libname)
+{
+ if (strcmp(libname, "hdb") == 0)
+ return hdb_get_instance(libname);
+ else if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+kdc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kdc_ftable *const **plugins)
+{
+ *get_instance = kdc_plugin_get_instance;
+ *num_plugins = sizeof(kdc_plugins) / sizeof(kdc_plugins[0]);
+ *plugins = kdc_plugins;
+
+ return 0;
+}
diff --git a/third_party/heimdal/tests/plugin/krb5.conf.in b/third_party/heimdal/tests/plugin/krb5.conf.in
index 8ab2f17177c..d188c314b36 100644
--- a/third_party/heimdal/tests/plugin/krb5.conf.in
+++ b/third_party/heimdal/tests/plugin/krb5.conf.in
@@ -19,6 +19,21 @@
 }
 [kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
 database = {
 dbname = @objdir@/current-db
 realm = TEST.H5L.SE
diff --git a/third_party/heimdal/tests/plugin/windc.c b/third_party/heimdal/tests/plugin/windc.c
deleted file mode 100644
index 357148019ae..00000000000
--- a/third_party/heimdal/tests/plugin/windc.c
+++ /dev/null
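Review bot: In `audit`, the `if (n == NULL || heim_number_get_int(n) != 1234) return EINVAL;` that follows the `heim_assert` can never run, because the assert aborts the KDC on exactly that condition, so the "for completeness" branch is dead code and the comment that the return value is ignored is the only hint of how a failure would surface. Keep one of the two: if the abort is the intended test signal, delete the two-line `if`; otherwise drop the assert and log before returning, e.g. `krb5_warnx(kdc_request_get_context((kdc_request_t)r), "attribute not passed from finalize_reply");`, and have check-pac.in grep messages.log for that text, which the hunk on that file does not do. Separately, the file has no header comment; a few lines above the includes saying that this is the test KDC plugin loaded by tests/plugin/check-pac.in, that each hook writes a marker line to the KDC log (the test greps for the init one), and that `pac_generate` emits a deliberately minimal PAC (one two-byte buffer of type 1) for `pac_verify` to round-trip would save the next reader from reconstructing that from the grep strings.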
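Review bot: The `# pkinit_revoke = CRL:...` line is commented-out configuration with no explanation, and the rest of the new `[kdc]` block (digest including ntlm-v1, `allow-anonymous`, `synthetic_clients`, PKINIT with `pkinit_allow_proxy_certificate`) widens what this test KDC accepts well beyond what the check-pac.in hunk in this commit exercises. If these settings were copied from another test config so the plugin sees the same request mix, a one-line comment saying so would help; as I understand `synthetic_clients`, it lets requests from client principals with no database entry succeed, which changes what the plugin's `client_access` log lines mean. For the disabled line, either delete it or replace it with `# pkinit_revoke left off: <reason>` (placeholder).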
@@ -1,161 +0,0 @@
-#include <string.h>
-#include <krb5_locl.h>
-#include <hdb.h>
-#include <hx509.h>
-#include <kdc.h>
-#include <windc_plugin.h>
-
-static krb5_error_code KRB5_CALLCONV
-windc_init(krb5_context context, void **ctx)
-{
- krb5_warnx(context, "windc init");
- *ctx = NULL;
- return 0;
-}
-
-static void KRB5_CALLCONV
-windc_fini(void *ctx)
-{
-}
-
-static krb5_error_code KRB5_CALLCONV
-pac_generate(void *ctx, krb5_context context,
- struct hdb_entry_ex *client,
- struct hdb_entry_ex *server,
- const krb5_keyblock *pk_replykey,
- uint64_t pac_attributes,
- krb5_pac *pac)
-{
- krb5_error_code ret;
- krb5_data data;
-
- if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
- KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
- *pac = NULL;
- return 0;
- }
-
- krb5_warnx(context, "pac generate");
-
- data.data = "\x00\x01";
- data.length = 2;
-
- ret = krb5_pac_init(context, pac);
- if (ret)
- return ret;
-
- ret = krb5_pac_add_buffer(context, *pac, 1, &data);
- if (ret)
- return ret;
-
- return 0;
-}
-
-static krb5_error_code KRB5_CALLCONV
-pac_verify(void *ctx, krb5_context context,
- const krb5_principal new_ticket_client,
- const krb5_principal delegation_proxy,
- struct hdb_entry_ex * client,
- struct hdb_entry_ex * server,
- struct hdb_entry_ex * krbtgt,
- krb5_pac *pac)
-{
- krb5_error_code ret;
- krb5_data data;
- krb5_cksumtype cstype;
- uint16_t rodc_id;
- krb5_enctype etype;
- Key *key;
-
- krb5_warnx(context, "pac_verify");
-
- ret = krb5_pac_get_buffer(context, *pac, 1, &data);
- if (ret)
- return ret;
- krb5_data_free(&data);
-
- ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
- if (ret)
- return ret;
-
- if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) {
- krb5_warnx(context, "Wrong RODCIdentifier");
- return EINVAL;
- }
-
- ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
- if (ret)
- return ret;
-
- ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
- if (ret)
- return ret;
-
- return
krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
-}
-
-static void logit(const char *what, astgs_request_t r)
-{
- krb5_warnx(r->context, "%s: client %s server %s",
- what,
- r->cname ? r->cname : "<unknown>",
- r->sname ? r->sname : "<unknown>");
-}
-
-static krb5_error_code KRB5_CALLCONV
-client_access(void *ctx, astgs_request_t r)
-{
- logit("client_access", r);
- return 0;
-}
-
-static krb5_error_code KRB5_CALLCONV
-finalize_reply(void *ctx, astgs_request_t r)
-{
- logit("finalize_reply", r);
- return 0;
-}
-
-static krb5plugin_windc_ftable windc = {
- KRB5_WINDC_PLUGING_MINOR,
- windc_init,
- windc_fini,
- pac_generate,
- pac_verify,
- client_access,
- finalize_reply
-};
-
-static const krb5plugin_windc_ftable *const windc_plugins[] = {
- &windc
-};
-
-krb5_error_code KRB5_CALLCONV
-windc_plugin_load(krb5_context context,
- krb5_get_instance_func_t *get_instance,
- size_t *num_plugins,
- const krb5plugin_windc_ftable *const **plugins);
-
-static uintptr_t KRB5_CALLCONV
-windc_get_instance(const char *libname)
-{
- if (strcmp(libname, "hdb") == 0)
- return hdb_get_instance(libname);
- else if (strcmp(libname, "krb5") == 0)
- return krb5_get_instance(libname);
-
- return 0;
-}
-
-krb5_error_code KRB5_CALLCONV
-windc_plugin_load(krb5_context context,
- krb5_get_instance_func_t *get_instance,
- size_t *num_plugins,
- const krb5plugin_windc_ftable *const **plugins)
-{
- *get_instance = windc_get_instance;
- *num_plugins = sizeof(windc_plugins) / sizeof(windc_plugins[0]);
- *plugins = windc_plugins;
-
- return 0;
-} |