authorNalin Dahyabhai <nalin@redhat.com>2014-09-05 17:51:35 -0400
committerNalin Dahyabhai <nalin@redhat.com>2014-09-05 18:18:58 -0400
commit888bc144da94c9bf8d2c35ab38868e748c059de3 (patch)
tree75f2892ca8e4b049bbdce82ffd200cf66dea81bc /0013-Add-tests-for-MS-KKDCP-client-support.patch
parentf69697ba82697909efed00f34c51901f881e1989 (diff)
Add HTTPS patches from masterkrb5-1.12.2-6.fc21
Pull in a stack of patches to add support for accessing servers via HTTPS proxies, such as python-kdcproxy or the KDC Proxy Service on a properly-outfitted Windows box. Pull in the patch to move the logic out of libkrb5 proper and into a loadable plugin to avoid linking our local applications against our libkrb5 against libssl against the installed copy of libgssapi_krb5 and our local libkrb5support. Adjust a couple of other patches to apply correctly after them.
Diffstat (limited to '0013-Add-tests-for-MS-KKDCP-client-support.patch')
-rw-r--r--0013-Add-tests-for-MS-KKDCP-client-support.patch259
1 files changed, 259 insertions, 0 deletions
diff --git a/0013-Add-tests-for-MS-KKDCP-client-support.patch b/0013-Add-tests-for-MS-KKDCP-client-support.patch
new file mode 100644
index 0000000..fdb6eca
--- /dev/null
+++ b/0013-Add-tests-for-MS-KKDCP-client-support.patch
@@ -0,0 +1,259 @@
+Tweaked context for src/tests/Makefile.in because t_salt.py hadn't yet been
+added as a test in 1.12, and the rdreq and s2p helpers weren't there yet.
+
+From 3e2c7cc557048faac3400ae41b0228bd37a82a4c Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@dahyabhai.net>
+Date: Fri, 7 Feb 2014 18:56:10 -0500
+Subject: [PATCH 13/13] Add tests for MS-KKDCP client support
+
+Exercise the MS-KKDCP client support using the test proxy server, for
+AS, TGS, and kpasswd requests while also checking the certificate
+verification and name checks.
+
+ticket: 7929
+---
+ src/tests/Makefile.in | 1 +
+ src/tests/t_proxy.py | 219 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 220 insertions(+)
+ create mode 100644 src/tests/t_proxy.py
+
+diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
+index 7347ed6..536f5cb 100644
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -134,6 +134,7 @@ check-pytests:: t_init_creds t_localauth
+ $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
+ -i au.log
+ $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_proxy.py $(PYTESTFLAGS)
+
+ clean::
+ $(RM) gcred hist hrealm kdbtest plugorder responder
+diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py
+new file mode 100644
+index 0000000..e4e3d48
+--- /dev/null
++++ b/src/tests/t_proxy.py
+@@ -0,0 +1,219 @@
++#!/usr/bin/python
++from k5test import *
++
++# Skip this test if we're missing proxy functionality or parts of the proxy.
++if runenv.proxy_tls_impl == 'no':
++ success('Warning: not testing proxy support because feature ' +
++ 'was not enabled')
++ exit(0)
++try:
++ from paste import httpserver
++except:
++ success('Warning: not testing proxy support because python ' +
++ 'paste.httpserver module not found')
++ exit(0)
++try:
++ import kdcproxy
++except:
++ success('Warning: not testing proxy support because python ' +
++ 'kdcproxy module not found')
++ exit(0)
++
++# Construct a krb5.conf fragment configuring the client to use a local proxy
++# server.
++proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-subject.pem')
++proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-san.pem')
++proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-ideal.pem')
++proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-no-match.pem')
++proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++ 'proxy-badsig.pem')
++proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem')
++proxyurl = 'https://localhost:$port5/KdcProxy'
++proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
++proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
++proxyurl6 = 'https://[::1]:$port5/KdcProxy'
++
++unanchored_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl,
++ 'kpasswd_server': proxyurl}}}
++anchored_name_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl,
++ 'kpasswd_server': proxyurl,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++anchored_upcasename_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurlupcase,
++ 'kpasswd_server': proxyurlupcase,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++anchored_kadmin_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl,
++ 'admin_server': proxyurl,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++anchored_ipv4_krb5_conf = {'realms': {'$realm': {
++ 'kdc': proxyurl4,
++ 'kpasswd_server': proxyurl4,
++ 'http_anchors': 'FILE:%s' % proxyca}}}
++kpasswd_input = (password('user') + '\n' + password('user') + '\n' +
++ password('user') + '\n')
++
++def start_proxy(realm, keycertpem):
++ proxy_conf_path = os.path.join(realm.testdir, 'kdcproxy.conf')
++ proxy_exec_path = os.path.join(srctop, 'util', 'paste-kdcproxy.py')
++ conf = open(proxy_conf_path, 'w')
++ conf.write('[%s]\n' % realm.realm)
++ conf.write('kerberos = kerberos://localhost:%d\n' % realm.portbase)
++ conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2))
++ conf.close()
++ realm.env['KDCPROXY_CONFIG'] = proxy_conf_path
++ cmd = [proxy_exec_path, str(realm.server_port()), keycertpem]
++ return realm.start_server(cmd, sentinel='proxy server ready')
++
++# Fail: untrusted issuer and hostname doesn't match.
++output("running pass 1: issuer not trusted and hostname doesn't match\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxywrongpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: untrusted issuer, host name matches subject.
++output("running pass 2: subject matches, issuer not trusted\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: untrusted issuer, host name matches subjectAltName.
++output("running pass 3: subjectAltName matches, issuer not trusted\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: untrusted issuer, certificate signature is bad.
++output("running pass 4: subject matches, issuer not trusted\n")
++realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxybadpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: trusted issuer but hostname doesn't match.
++output("running pass 5: issuer trusted but hostname doesn't match\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxywrongpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subject.
++output("running pass 6: issuer trusted, subject matches\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
++ get_creds=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.kinit(realm.user_princ, password=password('user'))
++realm.run([kvno, realm.host_princ])
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName.
++output("running pass 7: issuer trusted, subjectAltName matches\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
++ get_creds=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.kinit(realm.user_princ, password=password('user'))
++realm.run([kvno, realm.host_princ])
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: certificate signature is bad.
++output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n")
++realm = K5Realm(krb5_conf=anchored_name_krb5_conf,
++ get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxybadpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: trusted issuer but IP doesn't match.
++output("running pass 9: issuer trusted but no name matches IP\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxywrongpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: trusted issuer, but subject does not match.
++output("running pass 10: issuer trusted, but subject does not match IP\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName.
++output("running pass 11: issuer trusted, subjectAltName matches IP\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, start_kadmind=True,
++ get_creds=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.kinit(realm.user_princ, password=password('user'))
++realm.run([kvno, realm.host_princ])
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Fail: certificate signature is bad.
++output("running pass 12: issuer trusted, names don't match, signature bad\n")
++realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
++ create_host=False)
++proxy = start_proxy(realm, proxybadpem)
++realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subject, using kadmin
++# configuration to find kpasswdd.
++output("running pass 13: issuer trusted, subject matches\n")
++realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
++ get_creds=False, create_host=False)
++proxy = start_proxy(realm, proxysubjectpem)
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName, using
++# kadmin configuration to find kpasswdd.
++output("running pass 14: issuer trusted, subjectAltName matches\n")
++realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
++ get_creds=False, create_host=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++# Succeed: trusted issuer and host name matches subjectAltName (give or take
++# case).
++output("running pass 15: issuer trusted, subjectAltName case-insensitive\n")
++realm = K5Realm(krb5_conf=anchored_upcasename_krb5_conf, start_kadmind=True,
++ get_creds=False, create_host=False)
++proxy = start_proxy(realm, proxysanpem)
++realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
++stop_daemon(proxy)
++realm.stop()
++
++success('MS-KKDCP proxy')
+--
+2.1.0
+
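Review bot: The two import guards in the embedded t_proxy.py (`from paste import httpserver` and `import kdcproxy`) use a bare `except:`, which also catches `SystemExit`, `KeyboardInterrupt` and any non-import failure raised while loading those modules, reports it as "module not found" and then exits 0, so every certificate-verification pass below is silently skipped instead of failing; narrow both to `except ImportError:`. A smaller point: pass 4 runs with `proxybadpem` but prints the same message as pass 2, so `output("running pass 4: issuer not trusted, certificate signature bad\n")` would match its comment and make the log unambiguous. Since the Python is nested inside an added .patch file, these corrections presumably belong in the carried patch body rather than in this packaging commit's own lines.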