krb5.git/src/tests, branch gss_cs MIT Kerberos patches Avoid keyctl purge in keyring ccache tests 2013-12-21T04:10:03+00:00 Greg Hudson ghudson@mit.edu 2013-12-20T20:19:06+00:00 94da4584645475272abec6259d1666e34bd59594 keyctl purge was added in keyutils 1.5 (released in March 2011). Use keyctl unlink to clean up keys instead, as it is more universal. ticket: 7810 target_version: 1.12.1 tags: pullup 
keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup
Use an extended com_err hook in klist 2013-12-21T04:10:03+00:00 Greg Hudson ghudson@mit.edu 2013-12-20T16:06:52+00:00 ae027dd69fc80cca549c9198d10afad389f30873 Add an adapted version of extended_com_err_fn from kinit to klist and use it. In do_ccache(), rely on the ccache type to set a reasonable message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to a nonexistent or unreadable ccache, and don't confuse the user with the name of the ccache operation that failed. ticket: 7809 
Add an adapted version of extended_com_err_fn from kinit to klist and
use it.  In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.

ticket: 7809
Test SPNEGO error message in t_s4u.py 2013-12-18T21:03:16+00:00 Greg Hudson ghudson@mit.edu 2013-12-18T21:03:16+00:00 4faca53e3a8ee213d43da8998f6889e7bfd36248 Now that #7045 is fixed, we can check for the correct error message from t_s4u2proxy_krb5 with --spnego. ticket: 7045 
Now that #7045 is fixed, we can check for the correct error message
from t_s4u2proxy_krb5 with --spnego.

ticket: 7045
Fix up tests directory ignores, deps, cleanup 2013-12-12T05:35:23+00:00 Greg Hudson ghudson@mit.edu 2013-12-12T05:23:02+00:00 291f03290b6476ec6b98e48c6971b65f1d899269 A few test programs didn't make it into .gitignore, OBJS, or EXTRADEPSRCS. 
A few test programs didn't make it into .gitignore, OBJS, or
EXTRADEPSRCS.
Add tests for krb5_sname_to_principal 2013-12-12T05:16:17+00:00 Greg Hudson ghudson@mit.edu 2013-12-09T05:45:08+00:00 6211396239897a3a9c207690ea2d6dc9ec580bc2 






make depend
2013-12-11T03:24:03+00:00

Tom Yu
tlyu@mit.edu

2013-12-11T03:24:03+00:00

88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853












Add another kadmin ACL test for backreferences
2013-11-21T21:18:27+00:00

Greg Hudson
ghudson@mit.edu

2013-11-21T21:18:27+00:00

119281156097a9da659ce5a7c06f0d517994781c

Add a test using backreferences which don't correspond directly to
principal components, to verify that *N refers to the Nth wildcard and
not the Nth component.





Add a test using backreferences which don't correspond directly to
principal components, to verify that *N refers to the Nth wildcard and
not the Nth component.







Remove last uses of "possibly-insecure" mktemp(3)
2013-11-04T18:43:36+00:00

Ben Kaduk
kaduk@mit.edu

2012-07-03T14:27:20+00:00

0415740bb569bad53b18f4483837e7e037f88544

Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation.  This has been the case for quite some time,
as was noted in RT #6199.  Our usage of the function has decreased
with time, but has not yet disappeared entirely.  This commit
removes the last few instances from our tree.

kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file.  When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.

ticket: 1794





Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation.  This has been the case for quite some time,
as was noted in RT #6199.  Our usage of the function has decreased
with time, but has not yet disappeared entirely.  This commit
removes the last few instances from our tree.

kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file.  When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.

ticket: 1794







Add tests for anonymous kadmin
2013-10-30T16:31:00+00:00

Greg Hudson
ghudson@mit.edu

2013-10-28T17:34:04+00:00

7b7e72f66cda405967b2a1da0b5ff8141feb0eb1












Add tests for different salt combinations
2013-10-25T23:34:37+00:00

Ben Kaduk
kaduk@mit.edu

2013-10-25T17:33:23+00:00

e04cd7a75a36b2fc9914a5e767a2fc639ac96939

Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.

Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4.  As such, it only makes sense for single-DES
enctypes.  The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.





Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.

Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4.  As such, it only makes sense for single-DES
enctypes.  The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.