krb5.git/src/tests/gssapi, branch master-mechdconf Unnamed repository; edit this file 'description' to name the repository. Get getopt from unistd.h (not getopt.h) in tests 2014-03-28T19:51:55+00:00 Greg Hudson ghudson@mit.edu 2014-03-28T16:33:43+00:00 613c62d689c31a325d51be88657dedd17af3cf81 POSIX defines getopt to be declared in unistd.h, and HP-UX (as of version 11.31) does not appear to have getopt.h. In test programs which currently include getopt.h and aren't currently built on Windows, include unistd.h or just assume we will get it via k5-int.h. ticket: 7894 (new) target_version: 1.12.2 tags: pullup 
POSIX defines getopt to be declared in unistd.h, and HP-UX (as of
version 11.31) does not appear to have getopt.h.  In test programs
which currently include getopt.h and aren't currently built on
Windows, include unistd.h or just assume we will get it via k5-int.h.

ticket: 7894 (new)
target_version: 1.12.2
tags: pullup
Test SPNEGO acceptor response to MS krb5 mech OID 2014-02-05T05:40:20+00:00 Greg Hudson ghudson@mit.edu 2014-02-04T01:59:54+00:00 53cfb8327c452bd72a8e915338fb5ec838079cd3 In t_spnego.c, add code to make a SPNEGO request with the erroneous Microsoft OID value and examine the response to make sure that it uses the same OID value as the request did. The token and tmp variables were unused, so rename them to itok and atok for the purpose of the new test code. ticket: 7858 target_version: 1.12.2 tags: pullup 
In t_spnego.c, add code to make a SPNEGO request with the erroneous
Microsoft OID value and examine the response to make sure that it uses
the same OID value as the request did.  The token and tmp variables
were unused, so rename them to itok and atok for the purpose of the
new test code.

ticket: 7858
target_version: 1.12.2
tags: pullup
Add test coverage for gss_pseudo_random 2014-01-22T17:43:00+00:00 Greg Hudson ghudson@mit.edu 2014-01-18T18:25:56+00:00 1f2caa1ba9b77062b4072ec609000404481cd5bb Add a test program which compares gss_pseudo_random outputs against expected values for each enctype. 
Add a test program which compares gss_pseudo_random outputs against
expected values for each enctype.
Add test for gss_acquire_cred_from rcache feature 2014-01-17T20:58:08+00:00 Greg Hudson ghudson@mit.edu 2014-01-16T16:49:55+00:00 6f8d5135334c9ddb674f9824e750872b3b0642ea 






Use an extended com_err hook in klist
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T16:06:52+00:00

ae027dd69fc80cca549c9198d10afad389f30873

Add an adapted version of extended_com_err_fn from kinit to klist and
use it.  In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.

ticket: 7809





Add an adapted version of extended_com_err_fn from kinit to klist and
use it.  In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.

ticket: 7809







Test SPNEGO error message in t_s4u.py
2013-12-18T21:03:16+00:00

Greg Hudson
ghudson@mit.edu

2013-12-18T21:03:16+00:00

4faca53e3a8ee213d43da8998f6889e7bfd36248

Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.

ticket: 7045





Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.

ticket: 7045







make depend
2013-12-11T03:24:03+00:00

Tom Yu
tlyu@mit.edu

2013-12-11T03:24:03+00:00

88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853












Fix gss_accept_sec_context error tokens
2013-10-15T03:52:52+00:00

Greg Hudson
ghudson@mit.edu

2013-10-08T21:07:34+00:00

c547bc16f2ab6ee66c076ef944c3fbac8a66f5d4

A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it.  Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.

This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855.  In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.

Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message.  Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9.  Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.

ticket: 1445
target_version: 1.12
tags: pullup





A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it.  Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.

This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855.  In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.

Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message.  Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9.  Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.

ticket: 1445
target_version: 1.12
tags: pullup







Add missing entries to tests/gssapi Makefile.in
2013-10-15T03:52:51+00:00

Greg Hudson
ghudson@mit.edu

2013-10-08T16:35:51+00:00

e547a515f837a7c59c0fe73d192a374593b70263

Some test sources files, objects, or programs were missing from SRCS,
OBJS, all, check-pytests, or clean.  t_oid was also out of order in a
couple of places.





Some test sources files, objects, or programs were missing from SRCS,
OBJS, all, check-pytests, or clean.  t_oid was also out of order in a
couple of places.







Fix GSSAPI krb5 cred ccache import
2013-10-15T03:32:05+00:00

Greg Hudson
ghudson@mit.edu

2013-10-07T13:51:56+00:00

48dd01f29b893a958a64dcf6eb0b734e8463425b

json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache.  Fix it.

Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this.  Make a note in t_export_cred.py that this case is covered in
t_s4u.py.

ticket: 7706
target_version: 1.11.4





json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache.  Fix it.

Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this.  Make a note in t_export_cred.py that this case is covered in
t_s4u.py.

ticket: 7706
target_version: 1.11.4