Diffstat (limited to 'krb5-master-rcache-acquirecred-test.patch')
-rw-r--r--krb5-master-rcache-acquirecred-test.patch82
1 files changed, 82 insertions, 0 deletions
diff --git a/krb5-master-rcache-acquirecred-test.patch b/krb5-master-rcache-acquirecred-test.patch
new file mode 100644
index 0000000..e8eef5e
--- /dev/null
+++ b/krb5-master-rcache-acquirecred-test.patch
@@ -0,0 +1,82 @@
+commit 6f8d5135334c9ddb674f9824e750872b3b0642ea
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Thu Jan 16 11:49:55 2014 -0500
+
+ Add test for gss_acquire_cred_from rcache feature
+
+diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c
+index 575f96d..e28f5d0 100644
+--- a/src/tests/gssapi/t_credstore.c
++++ b/src/tests/gssapi/t_credstore.c
+@@ -46,7 +46,9 @@ main(int argc, char *argv[])
+ gss_cred_usage_t cred_usage = GSS_C_BOTH;
+ gss_OID_set mechs = GSS_C_NO_OID_SET;
+ gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+- krb5_boolean store_creds = FALSE;
++ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
++ gss_buffer_desc itok, atok;
++ krb5_boolean store_creds = FALSE, replay = FALSE;
+ char opt;
+
+ /* Parse options. */
+@@ -54,6 +56,8 @@ main(int argc, char *argv[])
+ opt = (*argv)[1];
+ if (opt == 's')
+ store_creds = TRUE;
++ else if (opt == 'r')
++ replay = TRUE;
+ else if (opt == 'a')
+ cred_usage = GSS_C_ACCEPT;
+ else if (opt == 'b')
+@@ -101,6 +105,31 @@ main(int argc, char *argv[])
+ &store, &cred, NULL, NULL);
+ check_gsserr("gss_acquire_cred_from", major, minor);
+
++ if (replay) {
++ /* Induce a replay using cred as the acceptor cred, to test the replay
++ * cache indicated by the store. */
++ major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, name,
++ &mech_krb5, 0, GSS_C_INDEFINITE,
++ GSS_C_NO_CHANNEL_BINDINGS,
++ GSS_C_NO_BUFFER, NULL, &itok, NULL, NULL);
++ check_gsserr("gss_init_sec_context", major, minor);
++ (void)gss_delete_sec_context(&minor, &ictx, NULL);
++
++ major = gss_accept_sec_context(&minor, &actx, cred, &itok,
++ GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
++ &atok, NULL, NULL, NULL);
++ check_gsserr("gss_accept_sec_context(1)", major, minor);
++ (void)gss_release_buffer(&minor, &atok);
++ (void)gss_delete_sec_context(&minor, &actx, NULL);
++
++ major = gss_accept_sec_context(&minor, &actx, cred, &itok,
++ GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
++ &atok, NULL, NULL, NULL);
++ check_gsserr("gss_accept_sec_context(2)", major, minor);
++ (void)gss_release_buffer(&minor, &atok);
++ (void)gss_delete_sec_context(&minor, &actx, NULL);
++ }
++
+ gss_release_name(&minor, &name);
+ gss_release_cred(&minor, &cred);
+ free(store.elements);
+diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
+index 74139e4..106910d 100755
+--- a/src/tests/gssapi/t_gssapi.py
++++ b/src/tests/gssapi/t_gssapi.py
+@@ -91,6 +91,15 @@ realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
+ realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
+ 'keytab', servicekeytab])
+
++# Test rcache feature of cred stores. t_credstore -r should produce a
++# replay error normally, but not with rcache set to "none:".
++output = realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ],
++ expected_code=1)
++if 'gss_accept_sec_context(2): Request is a replay' not in output:
++ fail('Expected replay error not seen in t_credstore output')
++realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ,
++ 'rcache', 'none:'])
++
+ # Verify that we can't acquire acceptor creds without a keytab.
+ os.remove(realm.keytab)
+ output = realm.run(['./t_accname', 'p:abc'], expected_code=1)
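Review bot: In the `if (replay)` block added to t_credstore.c, `itok` is filled by gss_init_sec_context() and passed to both gss_accept_sec_context() calls, but it is never released in the visible lines, whereas `atok` is released after each accept. Adding `(void)gss_release_buffer(&minor, &itok);` after the final `gss_delete_sec_context(&minor, &actx, NULL);` would keep the test clean under leak checkers. The release belongs inside the block because `itok` is uninitialized when `-r` is not given. In t_gssapi.py the `rcache none:` run is checked only by its exit status, so a short comment such as `# "none:" disables replay detection, so both accepts must succeed` would make the intent explicit. main()'s body starts and ends outside the hunks shown.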