krb5 commit: Add tests for LDAP ticket/policy name misuse
Greg Hudson
ghudson at mit.edu
Mon Dec 15 15:02:21 EST 2014
https://github.com/krb5/krb5/commit/e8df0458673071e56346730fa843c83aca88631f
commit e8df0458673071e56346730fa843c83aca88631f
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Dec 5 14:02:04 2014 -0500
Add tests for LDAP ticket/policy name misuse
ticket: 8051
src/tests/t_kdb.py | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 83271c5..9372926 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -240,6 +240,27 @@ if out:
# Create another ticket policy to be destroyed with the realm.
kldaputil(['create_policy', 'tktpol2'])
+# Try to create a password policy conflicting with a ticket policy.
+out = realm.run_kadminl('addpol tktpol2')
+if 'Already exists while creating policy "tktpol2"' not in out:
+ fail('Expected error not seen in kadmin.local output')
+
+# Try to create a ticket policy conflicting with a password policy.
+realm.run_kadminl('addpol pwpol')
+out = kldaputil(['create_policy', 'pwpol'], expected_code=1)
+if 'Already exists while creating policy object' not in out:
+ fail('Expected error not seen in kdb5_ldap_util output')
+
+# Try to use a password policy as a ticket policy.
+out = realm.run_kadminl('modprinc -x tktpolicy=pwpol princ4')
+if 'Object class violation' not in out:
+ fail('Expected error not seem in kadmin.local output')
+
+# Try to use a ticket policy as a password policy (CVE-2014-5353).
+out = realm.run_kadminl('modprinc -policy tktpol2 princ4')
+if 'WARNING: policy "tktpol2" does not exist' not in out:
+ fail('Expected error not seen in kadmin.local output')
+
# Do some basic tests with a KDC against the LDAP module, exercising the
# db_args processing code.
realm.start_kdc(['-x', 'nconns=3', '-x', 'host=' + ldap_uri,
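Review bot: The failure message in the third check misspells "seen" as "seem", so a test failure there would print `Expected error not seem in kadmin.local output` and not match the wording of the other three checks; it should read `fail('Expected error not seen in kadmin.local output')`. For the CVE-2014-5353 case the only assertion is that the `WARNING: policy "tktpol2" does not exist` text appears; since the original problem was a crash when a ticket policy object was later looked up as a password policy, a follow-up such as `realm.run_kadminl('getprinc princ4')` after the modprinc would presumably exercise that lookup path more directly, though whether it adds coverage depends on the fix itself, which is not visible here. The hunk's trailing context (the `realm.start_kdc([...` call) continues past what this page shows.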