| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Both the Python and dejagnu iprop tests are slow since they use sleeps
to give kpropd time to do its work (although we can fix this with some
work). Since the Python tests cover the same ground as the dejagnu
tests, we don't need both.
|
| |
|
|
| |
ticket: 7374
|
| |
|
|
|
|
|
| |
Unlike most GSS test programs, t_s4u2proxy_krb5 uses a cleanup
handler, so we have to be careful to initialize everything we clean
up--particularly service2_name, which is initialized after a possible
goto. Also, remember to release acceptor_name.
|
| |
|
|
|
|
|
|
|
| |
If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle. (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)
ticket: 7356
|
| | |
|
| |
|
|
|
|
| |
Declarations of gss_OID_desc mech_krb5, etc. in tests/gssapi/common.h
can result in multiple definitions when the test programs are linked.
Prefix the declarations with "extern" to prevent this.
|
| |
|
|
|
|
|
|
| |
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
|
| |
|
|
|
|
| |
Test the fix for https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
Also test that krb5kdc can return svc unavailable
|
| |
|
|
| |
ticket: 7354
|
| |
|
|
|
|
|
|
|
| |
For the test-vectors target in tests/asn.1, add ASN.1 modules from RFC
4556 and draft-ietf-krb-wg-pkinit-alg-agility-06.txt, and output test
encodings for PrincipalName, KRB5PrincipalName, OtherInfo, and
PkinitSuppPubInfo. In the alg-agility module, AuthPack and DHRepInfo
are renamed, as asn1c otherwise rejects them as conflicting with the
RFC 4556 definitions.
|
| | |
|
| |
|
|
|
| |
Fix minor typos in lib/krb5/krb/Makefile.in and
tests/gssapi/Makefile.in so that "make depend" will work.
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| |
|
|
|
|
| |
gcc warnings that nametype may be used uninitialized, presumably
failing to deduce that usage() never returns. Initialize nametype to
make it build.
|
| |
|
|
|
| |
Exercise gss_export_name and importing of exported name tokens in
t_gssapi.py.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Now that we're doing a kind of deferred credential acquisition for
krb5, the behavior of gss_inquire_cred is a bit more subtle because
(per RFC 2743 section 2.1.4) we have to choose a credential cache or
acceptor name sooner than we would otherwise do so. Add a C program
to invoke gss_acquire_cred/gss_inquire_cred and some Python tests
using it.
|
| |
|
|
|
|
| |
ticket: 7231 (new)
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:
- attributes (policy-ish principal attributes)
- max_life (max ticket life)
- max_renewable_life (max ticket renewable life)
- allowed_keysalts (allowed key/salt types)
- TL data (future policy extensions)
Of these only allowed_keysalts is currently implemented.
Some refactoring of TL data handling is also done.
ticket: 7223 (new)
|
| |
|
|
|
|
|
| |
Like default_keytab_name and default_client_keytab_name,
default_ccache_name is subject to parameter expansion.
ticket: 7220 (new)
|
| |
|
|
|
|
|
| |
Generalize the ccache collection tests in t_cccol.py to multiple kinds
of ccache tests, and rename it to avoid confusion with the lower-level
lib/krb5/ccache/t_cccol.py. Move a test from t_general.py into
t_ccache.py.
|
| |
|
|
|
|
|
| |
Make the default_keytab_name and default_client_keytab_name variables
subject to parameter expansion.
ticket: 7219 (new)
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In combination with -k, -i will cause kinit or klist to use the
default client keytab instead of the default acceptor keytab. This
gives an easy way to figure out what default client keytab name is in
use and to get credentials using it.
ticket: 7216 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The dejagnu tests create some persistent acl files containing
hostname-derived principal names. These can get out of date if the
host has changed names since the last time the dejagnu tests were run,
causing failures (notably in iprop.exp). To avoid this problem,
change the dejagnu tests to always create new acl files for each test
run.
ticket: 7200 (new)
tags: pullup
target_version: 1.10.3
|
| |
|
|
|
|
|
|
| |
If the directory for a DIR ccache doesn't exist yet, try to create it
(but not its parents) with mode 700. Exercise this in test scripts by
not pre-creating directories.
ticket: 7196 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bite the bullet and pass LC_ALL to setlocale() instead of just
LC_MESSAGES. Calls to setlocale() itself were introduced in
fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but
only for LC_MESSAGES since only localized strings were needed
and that was the most conservative option.
However, klist, kadmin, and kinit (and perhaps others) would benefit
from localized formats for times (i.e., LC_TIME). If potentially
localized data is being sent on the wire, that is a bug that should
be fixed. No such bugs are found with the current test suite, so we
are comfortable enabling LC_ALL at this time.
ticket: 7192
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
In order to use -1 as a sentinel value, we should explicitly cast
to make it clear what we are doing. It might be better to use
a less convoluted sentinel value such as SIZE_T_MAX, though.
Additionally, since size_t is unsigned and at least as wide as
an int, a loop with int index variable that compares against a
size_t for its termination check could become an infinite loop.
Make the loop index size_t for consistency.
|
| |
|
|
|
|
|
|
|
| |
Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab. Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.
ticket: 7189 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
ticket: 7188 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.
Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.
Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.
ticket: 7190 (new)
|
| |
|
|
|
|
| |
This is a cosmetic change to reintroduce some space characters that
cff6ea939f061d17a5742a04b8eeb2905c1813dc removed, e.g. between the tag
and the length or short value.
|
| |
|
|
|
|
|
|
| |
Modify the trval output slightly so that the reference trval output
files don't containing trailing whitespace, to make them friendlier to
our git hooks. (The pkinit and ldap trval reference files now contain
a leading blank line, which isn't very elegant, but avoiding that
requires too much Makefile.in complexity.) Also correct a typo.
|
| |
|
|
|
|
|
|
| |
If a caller tries to acquire krb5 initiator creds with no desired name
and we have no credentials in the cache collection, fail from
gss_acquire_cred intead of deferring until gss_init_sec_context.
ticket: 7160
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
| |
|
|
|
|
|
|
| |
If a caller tries to acquire krb5 acceptor creds with no desired name
and we have no keytab keys, fail from gss_acquire_cred instead of
deferring until gss_accept_sec_context.
ticket: 7159 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
Code changes from stefw@gnome.org with slight modifications.
ticket: 7130
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory returns structured policy information in the
nominally UTF-8 result string field of a password change reply. Add a
new API krb5_chpw_message() to convert a result string into a
displayable message, interpreting policy information if present.
Patch from stefw@gnome.org with changes.
ticket: 7128
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
Add a Python script to test the enforcement of kadm5.acl
specifications, including wildcards and restrictions.
ticket: 7097
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25828 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin()
to run a kadmin query using it. Modify t_stringattr.py to use these
helpers instead of its own.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25826 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Very few Python tests need kadmind, so it makes more sense to have to
turn it on than to have to turn it off.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25825 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
In t_general.py, run kinit with KRB5_TRACE enabled and make sure we
see some basic strings in the resulting file.
ticket: 7113
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25821 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
| |
Move some tests out of the multipass_realms loop since they aren't
enctype-dependent. Fix the success message not to mention kvno
wrapping. Don't start kadmind in the multipass_realms loop since we
don't use it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25820 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
ticket: 7099
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25819 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
When getting initial credentials with a keytab, filter the list of
request enctypes based on the keys in the keytab.
Based on a patch from Stef Walter.
ticket: 2131
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
| |
Create a test script for keytab-related tests. Move the kvno wrapping
test there from t_general.py, and augment it to better match what's in
standalone.exp. Add tests for kinit with keytab, including kinit with
the most-preferred enctype missing from the keytab (which currently
fails).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25815 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970
|
