svn rev #23617: branches/krb5-1-8/src/ kdc/ lib/krb5/krb/ tests/dejagnu/ tests/dejagnu/config/ ...

tlyu@MIT.EDU tlyu at MIT.EDU
Fri Jan 8 18:43:05 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23617
Commit By: tlyu
Log Message:
ticket: 6624
version_fixed: 1.8
status: resolved

pull up r23602, r23604, r23605 from trunk

 ------------------------------------------------------------------------
 r23605 | hartmans | 2010-01-07 13:35:15 -0500 (Thu, 07 Jan 2010) | 4 lines

 ticket: 6624

 Revert change to Makefile.in that ended up not being needed

 ------------------------------------------------------------------------
 r23604 | hartmans | 2010-01-07 13:32:20 -0500 (Thu, 07 Jan 2010) | 10 lines

 Subject: automated tests for anonymous pkinit
 ticket: 6624
 target_version: 1.8
 tags: pullup

 Implement tests for anonymous pkinit.  A certificate and private key
 are checked in; these tests will stop working in 2023.

 Note that r23602 needs to be pulled up before this ticket.

 ------------------------------------------------------------------------
 r23602 | ghudson | 2010-01-07 12:26:58 -0500 (Thu, 07 Jan 2010) | 4 lines

 Make preauth_module_dir override, rather than supplement, the
 built-in path list, to avoid problems with running the same preauth
 module twice.


Changed Files:
U   branches/krb5-1-8/src/kdc/kdc_preauth.c
U   branches/krb5-1-8/src/lib/krb5/krb/preauth2.c
U   branches/krb5-1-8/src/tests/dejagnu/config/default.exp
U   branches/krb5-1-8/src/tests/dejagnu/krb-standalone/standalone.exp
A   branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/
A   branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/ca.pem
A   branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/kdc.pem
A   branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/privkey.pem
Modified: branches/krb5-1-8/src/kdc/kdc_preauth.c
===================================================================
--- branches/krb5-1-8/src/kdc/kdc_preauth.c	2010-01-08 23:43:02 UTC (rev 23616)
+++ branches/krb5-1-8/src/kdc/kdc_preauth.c	2010-01-08 23:43:05 UTC (rev 23617)
@@ -391,45 +391,22 @@
 
 /* Open plugin directories for preauth modules. */
 static krb5_error_code
-open_preauth_plugin_dirs(krb5_context kcontext)
+open_preauth_plugin_dirs(krb5_context ctx)
 {
     static const char *path[] = {
         KRB5_CONF_LIBDEFAULTS, KRB5_CONF_PREAUTH_MODULE_DIR, NULL,
     };
     char **profpath = NULL;
-    const char **plugindirs = NULL;
-    size_t nprofdirs, nobjdirs;
-    krb5_error_code retval;
+    const char **dirs;
+    krb5_error_code ret;
 
-    /* Fetch the list of paths specified in the profile, if any. */
-    retval = profile_get_values(kcontext->profile, path, &profpath);
-    if (retval != 0 && retval != PROF_NO_RELATION)
-        return retval;
-
-    /* Count the number of profile dirs. */
-    nprofdirs = 0;
-    if (profpath) {
-        while (profpath[nprofdirs] != NULL)
-            nprofdirs++;
-    }
-
-    nobjdirs = sizeof(objdirs) / sizeof(*objdirs);
-    plugindirs = k5alloc((nprofdirs + nobjdirs) * sizeof(char *), &retval);
-    if (retval != 0)
-        goto cleanup;
-
-    /* Concatenate the profile and hardcoded directory lists. */
-    if (profpath)
-        memcpy(plugindirs, profpath, nprofdirs * sizeof(char *));
-    memcpy(plugindirs + nprofdirs, objdirs, nobjdirs * sizeof(char *));
-
-    retval = krb5int_open_plugin_dirs(plugindirs, NULL, &preauth_plugins,
-                                      &kcontext->err);
-
-cleanup:
+    ret = profile_get_values(ctx->profile, path, &profpath);
+    if (ret != 0 && ret != PROF_NO_RELATION)
+        return ret;
+    dirs = (profpath != NULL) ? (const char **) profpath : objdirs;
+    ret = krb5int_open_plugin_dirs(dirs, NULL, &preauth_plugins, &ctx->err);
     profile_free_list(profpath);
-    free(plugindirs);
-    return retval;
+    return ret;
 }
 
 krb5_error_code
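Review bot: The override rule introduced at `dirs = (profpath != NULL) ? (const char **) profpath : objdirs;` is not documented anywhere in the function, and the rewrite dropped all of the old inline comments. Once `preauth_module_dir` is set in the profile, the built-in `objdirs` list is not opened at all, so modules that live only in the built-in directories are no longer loaded. The profile value alone then decides which directories preauth modules are loaded from. I would extend the header comment to say so, for example `/* Open plugin directories for preauth modules. A preauth_module_dir value in the profile replaces the built-in objdirs list rather than adding to it, so no module is loaded twice. */`. The same comment applies to the identical function in the lib/krb5/krb/preauth2.c hunk.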

Modified: branches/krb5-1-8/src/lib/krb5/krb/preauth2.c
===================================================================
--- branches/krb5-1-8/src/lib/krb5/krb/preauth2.c	2010-01-08 23:43:02 UTC (rev 23616)
+++ branches/krb5-1-8/src/lib/krb5/krb/preauth2.c	2010-01-08 23:43:05 UTC (rev 23617)
@@ -72,46 +72,23 @@
 
 /* Open plugin directories for preauth modules. */
 static krb5_error_code
-open_preauth_plugin_dirs(krb5_context kcontext)
+open_preauth_plugin_dirs(krb5_context ctx)
 {
     static const char *path[] = {
         KRB5_CONF_LIBDEFAULTS, KRB5_CONF_PREAUTH_MODULE_DIR, NULL,
     };
     char **profpath = NULL;
-    const char **plugindirs = NULL;
-    size_t nprofdirs, nobjdirs;
-    krb5_error_code retval;
+    const char **dirs;
+    krb5_error_code ret;
 
-    /* Fetch the list of paths specified in the profile, if any. */
-    retval = profile_get_values(kcontext->profile, path, &profpath);
-    if (retval != 0 && retval != PROF_NO_RELATION)
-        return retval;
-
-    /* Count the number of profile dirs. */
-    nprofdirs = 0;
-    if (profpath) {
-        while (profpath[nprofdirs] != NULL)
-            nprofdirs++;
-    }
-
-    nobjdirs = sizeof(objdirs) / sizeof(*objdirs);
-    plugindirs = k5alloc((nprofdirs + nobjdirs) * sizeof(char *), &retval);
-    if (retval != 0)
-        goto cleanup;
-
-    /* Concatenate the profile and hardcoded directory lists. */
-    if (profpath)
-        memcpy(plugindirs, profpath, nprofdirs * sizeof(char *));
-    memcpy(plugindirs + nprofdirs, objdirs, nobjdirs * sizeof(char *));
-
-    retval = krb5int_open_plugin_dirs(plugindirs, NULL,
-                                      &kcontext->preauth_plugins,
-                                      &kcontext->err);
-
-cleanup:
+    ret = profile_get_values(ctx->profile, path, &profpath);
+    if (ret != 0 && ret != PROF_NO_RELATION)
+        return ret;
+    dirs = (profpath != NULL) ? (const char **) profpath : objdirs;
+    ret = krb5int_open_plugin_dirs(dirs, NULL, &ctx->preauth_plugins,
+                                   &ctx->err);
     profile_free_list(profpath);
-    free(plugindirs);
-    return retval;
+    return ret;
 }
 
 /* Create the per-krb5_context context. This means loading the modules

Modified: branches/krb5-1-8/src/tests/dejagnu/config/default.exp
===================================================================
--- branches/krb5-1-8/src/tests/dejagnu/config/default.exp	2010-01-08 23:43:02 UTC (rev 23616)
+++ branches/krb5-1-8/src/tests/dejagnu/config/default.exp	2010-01-08 23:43:05 UTC (rev 23617)
@@ -960,7 +960,9 @@
     global portbase
     global KRB5_DB_MODULE_DIR
     global KRB5_PA_MODULE_DIR
+    global srcdir
 
+    set pkinit_certs [findfile "[pwd]/$srcdir/pkinit-certs" "[pwd]/$srcdir/pkinit-certs" "$srcdir/pkinit-certs"]
     # Create a krb5.conf file.
     if { ![file exists $tmppwd/krb5.$type.conf] \
 	    || $last_passname_conf != $multipass_name } {
@@ -973,6 +975,7 @@
 	} else {
 	    puts $conffile "	allow_weak_crypto = true"
 	}
+	puts $conffile "	pkinit_anchors = FILE:$pkinit_certs/ca.pem"
 	if [info exists default_tgs_enctypes($type)] {
 	    puts $conffile \
 		    "	default_tgs_enctypes = $default_tgs_enctypes($type)"
@@ -1000,6 +1003,8 @@
 	# failures.  If we were running the client and KDC on different
 	# hosts, this would be okay....
 	#puts $conffile "		kdc = $hostname:[expr 6 + $portbase]"
+	puts $conffile "		pkinit_identity = FILE:$pkinit_certs/kdc.pem,$pkinit_certs/privkey.pem"
+	puts $conffile "		pkinit_anchors = FILE:$pkinit_certs/ca.pem"
 	puts $conffile "		kdc = $hostname:[expr 1 + $portbase]"
 	puts $conffile "		admin_server = $hostname:[expr 4 + $portbase]"
 	puts $conffile "		kpasswd_server = $hostname:[expr 5 + $portbase]"
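Review bot: The added `pkinit_identity` line writes the path of `privkey.pem` into the generated realm configuration, but nothing at these lines says that the key is test material. The commit message states that the certificate and private key are checked into the tree and that the tests stop working in 2023. A comment above the two added `puts` lines would keep that visible where the config is built, for example `# PKINIT test credentials from pkinit-certs: the private key is public in the source tree (test realm only) and the certificates expire in 2023.` The enclosing proc starts and ends outside this hunk.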
@@ -2257,6 +2262,23 @@
     return 1
 }
 
+proc kinit_anonymous { name  } {
+    global REALMNAME
+    global KINIT
+    global spawn_id
+
+    # Use kinit to get a ticket.
+    #
+    spawn $KINIT -5 -f -n $name@$REALMNAME
+    expect eof
+    if ![check_exit_status kinit] {
+	fail "kinit anonymous"
+    }
+
+    pass "kinit anonymous"
+    return 1
+}
+
 proc kinit_kt { name keytab standalone testname } {
     global REALMNAME
     global KINIT
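Review bot: The failure branch of `kinit_anonymous` has no `return`, so when `check_exit_status` reports a failure the proc records `fail "kinit anonymous"`, then falls through to `pass "kinit anonymous"` and returns 1. Add `return 0` after the `fail` line so that one run produces one result and a caller can see the failure. The comment block `# Use kinit to get a ticket.` could also say that `-n` requests an anonymous ticket, since that is the only thing distinguishing this proc from the other kinit helpers.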

Modified: branches/krb5-1-8/src/tests/dejagnu/krb-standalone/standalone.exp
===================================================================
--- branches/krb5-1-8/src/tests/dejagnu/krb-standalone/standalone.exp	2010-01-08 23:43:02 UTC (rev 23616)
+++ branches/krb5-1-8/src/tests/dejagnu/krb-standalone/standalone.exp	2010-01-08 23:43:05 UTC (rev 23617)
@@ -138,6 +138,8 @@
     global KRBIV
     global portbase
     global mode
+    global tmppwd
+    global KRB5_PA_MODULE_DIR
 
     setup_kerberos_env kdc
 
@@ -224,6 +226,15 @@
     # Double check that the ticket was destroyed.
     if ![do_klist_err "klist after destroy"] { return }
 
+    if ![add_random_key WELLKNOWN/ANONYMOUS 0] {
+	return
+    }
+
+    # If we have anonymous  then test it
+    if [file exists "$tmppwd/../../../util/fakedest$KRB5_PA_MODULE_DIR/pkinit.so" ] {
+	kinit_anonymous "WELLKNOWN/ANONYMOUS"
+    }
+
     if ![add_random_key foo/bar 1] {
 	return
     }
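Review bot: When `pkinit.so` is not found at the hard-coded `fakedest` path, the anonymous test is skipped with no record, so a build that has lost the PKINIT module still shows a clean run. An else arm such as `} else { untested "kinit anonymous" }` would make the skip visible in the results. The return value of `kinit_anonymous` is also ignored here, unlike the `add_random_key` calls on either side, which `return` on failure. The enclosing proc starts and ends outside this hunk.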

Added: branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/ca.pem
===================================================================
--- branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/ca.pem	                        (rev 0)
+++ branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/ca.pem	2010-01-08 23:43:05 UTC (rev 23617)
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

Added: branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/kdc.pem
===================================================================
--- branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/kdc.pem	                        (rev 0)
+++ branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/kdc.pem	2010-01-08 23:43:05 UTC (rev 23617)
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

Added: branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/privkey.pem
===================================================================
--- branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/privkey.pem	                        (rev 0)
+++ branches/krb5-1-8/src/tests/dejagnu/pkinit-certs/privkey.pem	2010-01-08 23:43:05 UTC (rev 23617)
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----



