Make empty passwords work via init_creds APIs

In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password.  This allows empty passwords to work via
the API.

Remove the kadm5 test which explicitly uses an empty password.

Based on a patch from Stef Walter.

ticket: 7642

4 files changed, 106 insertions, 4 deletions

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 2358c898b4..91f312eb9c 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -5,8 +5,8 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
 
 RUN_SETUP = @KRB5_RUN_ENV@ KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf
 
-OBJS= gcred.o hist.o kdbtest.o t_localauth.o
-EXTRADEPSRCS= gcred.c hist.c kdbtest.c t_localauth.c
+OBJS= gcred.o hist.o kdbtest.o t_init_creds.o t_localauth.o
+EXTRADEPSRCS= gcred.c hist.c kdbtest.c t_init_creds.c t_localauth.c
 
 TEST_DB = ./testdb
 TEST_REALM = FOO.TEST.REALM
@@ -28,6 +28,9 @@ kdbtest: kdbtest.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ kdbtest.o $(KDB5_LIBS) $(KADMSRV_LIBS) \
 		$(KRB5_BASE_LIBS)
 
+t_init_creds: t_init_creds.o $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $@ t_init_creds.o $(KRB5_BASE_LIBS)
+
 t_localauth: t_localauth.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ t_localauth.o $(KRB5_BASE_LIBS)
 
@@ -73,7 +76,7 @@ kdb_check: kdc.conf krb5.conf
 	$(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
 	$(RM) $(TEST_DB)* stash_file
 
-check-pytests:: gcred hist kdbtest t_localauth
+check-pytests:: gcred hist kdbtest t_init_creds t_localauth
 	$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
@@ -101,5 +104,5 @@ check-pytests:: gcred hist kdbtest t_localauth
 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
 
 clean::
-	$(RM) gcred hist kdbtest krb5.conf kdc.conf t_localauth
+	$(RM) gcred hist kdbtest krb5.conf kdc.conf t_init_creds t_localauth
 	$(RM) -rf kdc_realm/sandbox ldap
diff --git a/src/tests/deps b/src/tests/deps
index e21779e333..b50d0df3ef 100644
--- a/src/tests/deps
+++ b/src/tests/deps
@@ -40,5 +40,7 @@ $(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
   $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
   $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
   $(top_srcdir)/include/krb5.h kdbtest.c
+$(OUTPRE)t_init_creds.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_init_creds.c
 $(OUTPRE)t_localauth.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
   $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_localauth.c
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index bb7a543c75..98e77a2f74 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -22,6 +22,15 @@ for realm in multipass_realms(create_host=False):
     # Test kinit against kdb keytab
     realm.run([kinit, "-k", "-t", "KDB:", realm.user_princ])
 
+# Test that we can get initial creds with an empty password via the
+# API.  We have to disable the "empty" pwqual module to create a
+# principal with an empty password.  (Regression test for #7642.)
+conf={'plugins': {'pwqual': {'disable': 'empty'}}}
+realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
+realm.run_kadminl('addprinc -pw "" user')
+realm.run(['./t_init_creds', 'user', ''])
+realm.stop()
+
 realm = K5Realm(create_host=False)
 
 # Spot-check KRB5_TRACE output
diff --git a/src/tests/t_init_creds.c b/src/tests/t_init_creds.c
new file mode 100644
index 0000000000..6be8340f15
--- /dev/null
+++ b/src/tests/t_init_creds.c
@@ -0,0 +1,88 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/t_init_creds.c - test harness for getting initial creds */
+/*
+ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This program exercises the init_creds APIs in ways kinit doesn't.  Right now
+ * it is very simplistic, but it can be extended as needed.
+ */
+
+#include <krb5.h>
+#include <stdio.h>
+
+static krb5_context ctx;
+
+static void
+check(krb5_error_code code)
+{
+    const char *errmsg;
+
+    if (code) {
+        errmsg = krb5_get_error_message(ctx, code);
+        fprintf(stderr, "%s\n", errmsg);
+        krb5_free_error_message(ctx, errmsg);
+        exit(1);
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    const char *princstr, *password;
+    krb5_principal client;
+    krb5_init_creds_context icc;
+    krb5_creds creds;
+
+    if (argc != 3) {
+        fprintf(stderr, "Usage: t_init_creds princname password\n");
+        exit(1);
+    }
+    princstr = argv[1];
+    password = argv[2];
+
+    check(krb5_init_context(&ctx));
+    check(krb5_parse_name(ctx, princstr, &client));
+
+    /* Try once with the traditional interface. */
+    check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+                                       NULL, 0, NULL, NULL));
+    krb5_free_cred_contents(ctx, &creds);
+
+    /* Try again with the step interface. */
+    check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc));
+    check(krb5_init_creds_set_password(ctx, icc, password));
+    check(krb5_init_creds_get(ctx, icc));
+    krb5_init_creds_free(ctx, icc);
+
+    krb5_free_principal(ctx, client);
+    krb5_free_context(ctx);
+    return 0;
+}