src/tests/dejagnu/krb-standalone/pwhist.exp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215

# password history tests

# one *non-interactive* kadmin.local request
proc onerq { rq pname str {flags ""} } {
    global REALMNAME
    global KADMIN_LOCAL

    spawn $KADMIN_LOCAL -r $REALMNAME -q "$rq $flags $pname"
    expect_after {
	timeout {
	    verbose "kadmin.local $rq $flags $pname timed out"
	    catch expect_after
	    kill [exp_pid]
	    close
	    expect eof
	    wait
	    return 0
	} eof {
	    verbose "kadmin.local $rq $flags $pname got EOF"
	    catch expect_after
	    wait
	    return 0
	}
    }
    expect $str
    expect_after
    expect eof
    wait
    return 1
}

proc addprinc { pname pw } {
    global REALMNAME

    return [onerq addprinc $pname \
		"Principal \"$pname@$REALMNAME\" created." "-pw $pw"]
}

proc delprinc { pname } {
    global REALMNAME
    return [onerq delprinc $pname \
		"Principal \"$pname@$REALMNAME\" deleted." "-force"]
}

proc cpw { pname pw } {
    global REALMNAME

    return [onerq cpw $pname \
		"Password for \"$pname@$REALMNAME\" changed." "-pw $pw"]
}

proc modprinc { pname flags } {
    global REALMNAME

    return [onerq modprinc $pname \
		"Principal \"$pname@$REALMNAME\" modified." $flags]
}

proc addpol { pname } {
    if ![onerq addpol $pname ""] {
	return 0
    }
    return [onerq getpol $pname "Policy: $pname"]
}

proc delpol { pname } {
    onerq delpol $pname "" -force
    return [onerq getpol $pname \
		"Policy does not exist while retrieving policy \"$pname\"."]
}

proc modpol { pname flags } {
    return [onerq modpol $pname "" $flags]
}

# Mandatory command must return true.
# Issues a break in its parent on failure.
proc mustrun { cmd } {
    if ![eval $cmd] {
	perror "mandatory command failed: $cmd"
	uplevel break
    }
}

# Fail test if command fails.
# Issues a break in its parent on failure.
proc chkpass { cmd } {
    upvar test test
    if ![eval $cmd] {
	verbose "unexpected failure: $cmd"
	fail $test
	uplevel break
    }
}

# Fail test if command succeeds.
# Issues a break in its parent on failure.
proc chkfail { cmd } {
    upvar test test
    if [eval $cmd] {
	verbose "unexpected success: $cmd"
	fail $test
	uplevel break
    }
}

# wrapper to run command (actually usually sequence of commands)
#
# If any part of CMD throws an exception, set failall, otherwise pass.
# If failall is already true, report unresolved.
proc wraptest { test cmd } {
    upvar failall failall
    if $failall {
	unresolved $test
	return
    }
    if [catch $cmd] {
	set failall 1
    } else {
	pass $test
    }
}

# Set up the kerberos database.
if {![get_hostname] \
    || ![setup_kerberos_files] \
    || ![setup_kerberos_env] \
    || ![setup_kerberos_db 0]} {
    return
}

set failall 0
wraptest "nkeys=1, nhist=3" {
    mustrun { addpol crashpol }
    mustrun { modpol crashpol "-history 3"}
    mustrun { addprinc crash 1111 }
    mustrun { modprinc crash "-policy crashpol" }
    chkpass { cpw crash 2222 }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 1111 }
}
verbose {old_keys [ 1111 ->[] ]}

# The following will result in reading/writing past array bounds if
# add_to_history() is not patched.
#
# NOTE: A pass from this test does not mean the bug isn't present;
# check with Purify, valgrind, etc.
wraptest "array bounds ok on nkeys=1, nhist 3->2" {
    mustrun { modpol crashpol "-history 2" }
    chkpass { cpw crash 3333 }
}
verbose {old_keys [ ->2222 ]}

wraptest "verify nhist=2" {
    mustrun { delprinc crash }
    mustrun { addprinc crash 1111 }
    mustrun { modprinc crash "-policy crashpol" }
    chkpass { cpw crash 2222 }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 1111 }
}
verbose {old_keys [ ->1111 ]}

# The following will fail if growing the history array causes an extra
# key to be lost due to failure to shift entries.
wraptest "grow nhist 2->3" {
    mustrun { modpol crashpol "-history 3" }
    chkpass { cpw crash 3333 }
    chkfail { cpw crash 3333 }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 1111 }
}
verbose {old_keys [ 2222 ->1111 ]}

wraptest "grow nhist 3->4" {
    mustrun { modpol crashpol "-history 4" }
    chkfail { cpw crash 3333 }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 1111 }
    chkpass { cpw crash 4444 }
    chkfail { cpw crash 3333 }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 1111 }
}
verbose {old_keys [ 2222 3333 ->1111 ]}
wraptest "shrink nhist 4->3" {
    mustrun { modpol crashpol "-history 3" }
    chkfail { cpw crash 4444 }
    chkfail { cpw crash 3333 }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 1111 }
    chkpass { cpw crash 5555 }
}
verbose {old_keys [ 4444 ->3333 ]}
wraptest "verify nhist=3" {
    chkfail { cpw crash 5555 }
    chkfail { cpw crash 4444 }
    chkfail { cpw crash 3333 }
    chkpass { cpw crash 2222 }
}
verbose {old_keys [ ->4444 5555 ]}
wraptest "shrink nhist 3->2" {
    mustrun { modpol crashpol "-history 2" }
    chkfail { cpw crash 2222 }
    chkfail { cpw crash 5555 }
    chkfail { cpw crash 4444 }
    chkpass { cpw crash 3333 }
}
verbose {old_keys [ ->2222 ]}

delprinc crash
delpol crashpol

stop_kerberos_daemons