[krbdev.mit.edu #5445] gsstest doesn't like krb5-1.6 GSSAPI library

Wed Feb 21 22:53:00 EST 2007

I'm playing with gsstest-1.26 (the latest on the SAP FTP site, though  
I've seen mentions on the net of a 1.27 which I haven't tracked down)  
and the 1.6 branch.

First problem: gss_canonicalize_name returns a name that will be  
rejected by gss_release_name in the mechglue code because the  
"loopback" field is not set properly.  With that problem quickly  
hacked around, it's still reporting three problem cases:

TEST: acquiring *default* accepting credentials (simple)
Status:  gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
          gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
            "Invalid credential was supplied"
RESULT  NOT ok (rc=1)

It looks like acquiring the default acceptor credentials doesn't  
produce an error, but calling gss_inquire_cred on the result to get a  
name out does, because internally it tries to import an empty name.   
(Acquiring the acceptor credentials by name was a previous test, and  
worked fine.)

TEST: acquiring *default* accepting credentials (query)
Status:  gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
          gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
            "Invalid credential was supplied"
RESULT  NOT ok (rc=1)

The "query" version of this test looks at the name in the acquired  
credentials, plays some games with exporting and importing and  
canonicalizing the name, then tries to acquire credentials using the  
resulting name.

TEST: Trying gss_import_name() with ""
Status:  gss_import_name() == (GSS_S_CALL_INACCESSIBLE_READ| 
GSS_S_BAD_NAME)
          gss_display_status(0x01020000,GSS_S_GSS_CODE) =
            "A required input parameter could not be read"
            "An invalid name was supplied"
ERROR: gss_import_name() didn't return GSS_S_BAD_NAME or GSS_S_FAILURE!
RESULT  NOT ok (rc=1)

The test program uses an empty string, not a null or invalid pointer,  
so INACCESSIBLE_READ is probably incorrect.

Ken