tests: Use new framework in tests/gss

Claude-coded with heavy human guidance.  This found several bugs in
tests/gss/check-negoex, and also in SPNEGO.

WARNING: Needs more review.
Nicolas Williams
2025-12-10 11:08:09 -06:00
parent e362d69972
commit 9b88e9ec3b
8 changed files with 725 additions and 787 deletions
+5 -1
@@ -17,6 +17,7 @@ port = 49188
do_subst = srcdirabs=`cd "$(srcdir)"; pwd`; objdirabs=`pwd`; sed \
-e 's,[@]srcdir[@],$(srcdir),g' \
-e "s,[@]srcdirabs[@],$${srcdirabs},g" \
-e 's,[@]top_srcdir[@],$(top_srcdir),g' \
-e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
-e 's,[@]port[@],$(port),g' \
-e 's,[@]objdir[@],$(top_builddir)/tests/gss,g' \
@@ -86,13 +87,15 @@ CLEANFILES= \
mech \
current-db* \
*.log \
*.pid \
tempfile \
check-basic.tmp \
check-nodns.tmp \
check-gss.tmp \
check-gssmask.tmp \
check-spnego.tmp \
check-context.tmp
check-context.tmp \
check-negoex.tmp
EXTRA_DIST = \
NTMakefile \
@@ -104,6 +107,7 @@ EXTRA_DIST = \
check-context.in \
check-negoex.in \
krb5.conf.in \
krb5-nodns.conf.in \
include-krb5.conf \
new_clients_k5.conf.in \
mech.in
+87 -84
@@ -1,44 +1,46 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
# If there is no useful db support compiled in, disable test
../db/have-db || exit 77
@@ -74,12 +76,10 @@ rm -f current-db*
rm -f out-*
rm -f mkey.file*
> messages.log
test_init
echo upw > ${objdir}/foopassword
echo Creating database
${kadmin} <<EOF || exit 1
test_section "Creating database"
test_run ${kadmin} <<EOF
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -p upw --use-defaults user@${R}
add -p upw --use-defaults another@${R}
@@ -88,8 +88,8 @@ ext -k ${keytab} host/host.test.h5l.se@${R}
check ${R}
EOF
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
test_section "Starting kdc"
test_run ${kdc} --detach --testing
kdcpid=`getpid kdc`
cleanup() {
@@ -101,121 +101,124 @@ cleanup() {
}
trap cleanup EXIT INT TERM
exitcode=0
echo "upw" > ${objdir}/foopassword
echo "initial ticket"
${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
test_section "initial ticket"
test_run ${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R}
echo "copy ccache with gss_store_cred"
test_section "copy ccache with gss_store_cred"
# Note we test that the ccache used for storing is token-expanded
${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
${klist} -c ${cache2} || exit 1
test_run ${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}"
test_run ${klist} -c ${cache2}
echo "keytab"
${acquire_cred} \
test_section "keytab"
test_run ${acquire_cred} \
--acquire-type=accept \
--acquire-name=host@host.test.h5l.se || exit 1
--acquire-name=host@host.test.h5l.se
echo "keytab w/ short-form name and name canon rules"
${acquire_cred} \
test_section "keytab w/ short-form name and name canon rules"
test_run ${acquire_cred} \
--acquire-type=accept \
--acquire-name=host@host || exit 1
--acquire-name=host@host
echo "keytab w/o name"
${acquire_cred} \
--acquire-type=accept || exit 1
test_section "keytab w/o name"
test_run ${acquire_cred} \
--acquire-type=accept
echo "keytab w/ wrong name"
${acquire_cred} \
test_section "keytab w/ wrong name (expected failure)"
# This should fail - wrong name
test_run not ${acquire_cred} \
--acquire-type=accept --kerberos \
--acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
--acquire-name=host@host2.test.h5l.se
echo "init using keytab"
${acquire_cred} \
test_section "init using keytab"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10)"
${acquire_cred} \
test_section "init using keytab (loop 10)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--loops=10 \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10, target)"
${acquire_cred} \
test_section "init using keytab (loop 10, target)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--loops=10 \
--target=host@host.test.h5l.se \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10, kerberos)"
${acquire_cred} \
test_section "init using keytab (loop 10, kerberos)"
test_run ${acquire_cred} \
--acquire-type=initiate \
--loops=10 \
--kerberos \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10, target, kerberos)"
${acquire_cred} \
test_section "init using keytab (loop 10, target, kerberos)"
test_run ${acquire_cred} \
--acquire-type=initiate \
--loops=10 \
--kerberos \
--target=host@host.test.h5l.se \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using existing cc"
${acquire_cred} \
test_section "init using existing cc"
test_run ${acquire_cred} \
--kerberos \
--name-type=user-name \
--acquire-type=initiate \
--acquire-name=user || exit 1
--acquire-name=user
KRB5CCNAME=${nocache}
echo "fail init using existing cc"
${acquire_cred} \
test_section "fail init using existing cc (expected failure)"
# This should fail - no such cache
test_run not ${acquire_cred} \
--kerberos \
--name-type=user-name \
--acquire-type=initiate \
--acquire-name=user 2>/dev/null && exit 1
--acquire-name=user
echo "use gss_krb5_ccache_name for user"
${acquire_cred} \
test_section "use gss_krb5_ccache_name for user"
test_run ${acquire_cred} \
--kerberos \
--name-type=user-name \
--ccache=${cache} \
--acquire-type=initiate \
--acquire-name=user >/dev/null || exit 1
--acquire-name=user
KRB5CCNAME=${cache}
KRB5_KTNAME=${nokeytab}
echo "kcred"
${test_kcred} || exit 1
test_section "kcred"
test_run ${test_kcred}
${kdestroy} -c ${cache}
${kdestroy} -c ${cache} 2>/dev/null || true
KRB5_KTNAME="${keytab}"
echo "init using keytab"
${acquire_cred} \
test_section "init using keytab (after kdestroy)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (ccache)"
${acquire_cred} \
test_section "init using keytab (ccache)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--ccache=${cache} \
--acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
--acquire-name=host@host.test.h5l.se
trap "" EXIT
echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null
exit $exitcode
test_finish
exit $?
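Review bot: The negative cases now rely on `test_run not` (the wrong-name keytab check `test_run not ${acquire_cred} --acquire-type=accept --kerberos --acquire-name=host@host2.test.h5l.se` and the no-such-cache check under `KRB5CCNAME=${nocache}`), and if `not` in test-lib.sh accepts any non-zero status, a missing or crashing test binary (exit 127, or a signal death) is indistinguishable from the credential being correctly refused, which is exactly the failure mode a negative authentication test exists to catch. test-lib.sh is not in this diff, so this is inferred; if `not` does not already reject statuses of 126 and above, consider having it do so, or having these two cases check for the specific error the tool reports. Separately, the old epilogue disarmed the EXIT trap before `exit $exitcode`, whereas the new `test_finish` / `exit $?` still runs `cleanup` on exit; since cleanup's body is outside this hunk, make sure it does not end with its own `exit` that would mask the status test_finish returned. Also `#!/bin/bash` is a hard-coded path that is absent on the BSDs; `#!/usr/bin/env bash` keeps the bash requirement without pinning the interpreter's location.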
+265 -310
@@ -1,44 +1,46 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
# If there is no useful db support compiled in, disable test
../db/have-db || exit 77
@@ -73,12 +75,12 @@ rm -f current-db*
rm -f out-*
rm -f mkey.file*
> messages.log
test_init
echo Creating database
test_section "Creating database"
# add both lucid and lucid.test.h5l.se to simulate aliases
# XXX ext should ext aliases too
${kadmin} <<EOF || exit 1
test_run ${kadmin} <<EOF
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
mod --attributes=+ok-as-delegate krbtgt/${R}@${R}
add -p p1 --use-defaults host/lucid.test.h5l.se@${R}
@@ -90,10 +92,10 @@ add -p p1 --use-defaults host/short@${R}
mod --alias=host/long.test.h5l.se@${R} host/short@${R}
ext -k ${keytab} host/short@${R}
EOF
${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
test_run ${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R}
# Create a server principal with no AES
${kadmin} <<EOF || exit 1
test_run ${kadmin} <<EOF
add -p kaka --use-defaults digest/${R}@${R}
add -p u1 --use-defaults user1@${R}
mod --alias=user1.alias user1@${R}
@@ -103,12 +105,12 @@ ext -k ${keytab} host/no-aes.test.h5l.se@${R}
check ${R}
EOF
${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
test_run ${kadmin} get host/no-aes.test.h5l.se@${R}
echo u1 > ${objdir}/foopassword
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
test_section "Starting kdc"
test_run ${kdc} --detach --testing
kdcpid=`getpid kdc`
cleanup() {
@@ -120,88 +122,82 @@ cleanup() {
}
trap cleanup EXIT INT TERM
testfailed="echo test failed; cat messages.log; exit 1"
echo "Test gss_acquire_cred_with_password" ; > messages.log
${kdestroy}
${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
host@lucid.test.h5l.se || { eval "$testfailed"; }
${klist} && { eval "$testfailed"; }
test_section "gss_acquire_cred_with_password"
${kdestroy} 2>/dev/null || true
test_run ${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
host@lucid.test.h5l.se
# klist should fail (no tickets saved)
test_run not ${klist}
# These must fail (because wrong password)
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
host@lucid.test.h5l.se && { eval "$testfailed"; }
${klist} && { eval "$testfailed"; }
${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \
--mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
${klist} && { eval "$testfailed"; }
${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \
--mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
${klist} && { eval "$testfailed"; }
${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \
--mech-type=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
${klist} && { eval "$testfailed"; }
${context} --client-name=user1@${R} --client-password=u2 \
--mech-types=krb5 --mech-type=krb5 host@lucid.test.h5l.se \
&& { eval "$testfailed"; }
test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
host@lucid.test.h5l.se
test_run not ${klist}
test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-types='' \
--mech-type=krb5 host@lucid.test.h5l.se
test_run not ${klist}
test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-types=krb5 \
--mech-type=krb5 host@lucid.test.h5l.se
test_run not ${klist}
test_run not ${context} --client-name=user1@${R} --client-password=u2 --mech-types=all \
--mech-type=krb5 host@lucid.test.h5l.se
test_run not ${klist}
test_run not ${context} --client-name=user1@${R} --client-password=u2 \
--mech-types=krb5 --mech-type=krb5 host@lucid.test.h5l.se
# gss_acquire_cred_with_password() must not have side-effects
${klist} && { eval "$testfailed"; }
test_run not ${klist}
echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial tickets"
test_run ${kinit} --password-file=${objdir}/foopassword --forwardable user1@${R}
echo "======test unreadable/non existant keytab and its error message" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
test_section "test unreadable/non existant keytab and its error message"
test_run ${context} --mech-type=krb5 host@lucid.test.h5l.se
mv ${keytabfile} ${keytabfile}.no
echo "checking non existant keytabfile (krb5)" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
{ eval "$testfailed"; }
echo "checking non existant keytabfile (spengo)" ; > messages.log
${context} --mech-type=spnego --mech-types=spnego,krb5 \
host@lucid.test.h5l.se > test_context.log 2>&1 && \
{ eval "$testfailed"; }
test_section "checking non existant keytabfile (krb5)"
test_run not ${context} --mech-type=krb5 host@lucid.test.h5l.se
test_section "checking non existant keytabfile (spnego)"
test_run not ${context} --mech-type=spnego --mech-types=spnego,krb5 \
host@lucid.test.h5l.se
mv ${keytabfile}.no ${keytabfile}
echo "======test naming combinations"
echo "plain" ; > messages.log
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
echo "plain w/ short-form hostname" ; > messages.log
${context} --name-type=hostbased-service host@lucid || \
{ eval "$testfailed"; }
echo "plain (krb5)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
{ eval "$testfailed"; }
echo "plain (krb5 realmless)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
{ eval "$testfailed"; }
echo "plain (krb5 realmless short-form)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid 2>/dev/null || \
{ eval "$testfailed"; }
echo "creating short-form princ"
${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
#${context} --dns-canon host@lucid.test.h5l.se || \
# { eval "$testfailed"; }
echo "dns canon off (long name)" ; > messages.log
${context} --no-dns-canon host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
echo "dns canon off (short name)" ; > messages.log
${context} --no-dns-canon host@lucid || \
{ eval "$testfailed"; }
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
{ eval "$testfailed"; }
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
{ eval "$testfailed"; }
test_section "test naming combinations - plain"
test_run ${context} --name-type=hostbased-service host@lucid.test.h5l.se
echo "======test context building"
test_section "test naming combinations - plain w/ short-form hostname"
test_run ${context} --name-type=hostbased-service host@lucid
test_section "test naming combinations - plain (krb5)"
test_run ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R}
test_section "test naming combinations - plain (krb5 realmless)"
test_run ${context} --name-type=krb5-principal-name host/lucid.test.h5l.se
test_section "test naming combinations - plain (krb5 realmless short-form)"
test_run ${context} --name-type=krb5-principal-name host/lucid
test_section "creating short-form princ"
test_run ${kadmin} add -p p1 --use-defaults host/lucid@${R}
test_run ${kadmin} ext -k ${keytab} host/lucid@${R}
#test_section "dns canon on (long name) OFF, need dns_wrapper"
#test_run ${context} --dns-canon host@lucid.test.h5l.se
test_section "dns canon off (long name)"
test_run ${context} --no-dns-canon host@lucid.test.h5l.se
test_section "dns canon off (short name)"
test_run ${context} --no-dns-canon host@lucid
test_section "dns canon off (short name, krb5)"
test_run ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R}
test_section "dns canon off (short name, krb5, no realm)"
test_run ${context} --no-dns-canon --name-type=krb5-principal-name host/lucid
test_section "test context building"
for mech in krb5 krb5iov spnego spnegoiov; do
if [ "$mech" = "krb5iov" ] ; then
mech="krb5"
@@ -212,44 +208,39 @@ for mech in krb5 krb5iov spnego spnegoiov; do
iov="--iov"
fi
echo "${mech} no-mutual ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} no-mutual ${iov}"
test_run ${context} --mech-type=${mech} \
--wrapunwrap ${iov} \
--localname=mapped_user1 \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "${mech} mutual ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} mutual ${iov}"
test_run ${context} --mech-type=${mech} \
--mutual \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "${mech} delegate ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} delegate ${iov}"
test_run ${context} --mech-type=${mech} \
--delegate \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "${mech} mutual delegate ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} mutual delegate ${iov}"
test_run ${context} --mech-type=${mech} \
--mutual --delegate \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
done
echo "======test authz-data (krb5)"
${context} --mech-type=krb5 \
test_section "test authz-data (krb5)"
test_run ${context} --mech-type=krb5 \
--mutual \
--wrapunwrap \
--on-behalf-of=foo@BAR.TEST.H5L.SE \
--name-type=hostbased-service host@lucid.test.h5l.se ||
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "======dce-style"
test_section "dce-style"
for mech in krb5 krb5iov spnego; do
iov=""
if [ "$mech" = "krb5iov" ] ; then
@@ -261,18 +252,16 @@ for mech in krb5 krb5iov spnego; do
iov="--iov"
fi
echo "${mech}: dce-style ${iov}" ; > messages.log
${context} \
test_section "${mech}: dce-style ${iov}"
test_run ${context} \
--mech-type=${mech} \
--mutual \
--dce-style \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
done
echo "======export-import-context"
test_section "export-import-context"
for mech in krb5 krb5iov spnego spnegoiov; do
iov=""
if [ "$mech" = "krb5iov" ] ; then
@@ -284,329 +273,295 @@ for mech in krb5 krb5iov spnego spnegoiov; do
iov="--iov"
fi
echo "${mech}: export-import-context ${iov}" ; > messages.log
${context} \
test_section "${mech}: export-import-context ${iov}"
test_run ${context} \
--mech-type=${mech} \
--mutual \
--export-import-context \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
done
echo "test gsskrb5_register_acceptor_identity (both positive and negative)"
test_section "test gsskrb5_register_acceptor_identity"
cp ${keytabfile} ${keytabfile}.new
for mech in krb5 spnego; do
echo "${mech}: acceptor_identity positive" ; > messages.log
${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
--mech-type=$mech host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
test_section "${mech}: acceptor_identity positive"
test_run ${context} --gsskrb5-acceptor-identity=${keytabfile}.new \
--mech-type=$mech host@lucid.test.h5l.se
echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
--mech-type=$mech host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
test_section "${mech}: acceptor_identity positive (prefix)"
test_run ${context} --gsskrb5-acceptor-identity=FILE:${keytabfile}.new \
--mech-type=$mech host@lucid.test.h5l.se
echo "${mech}: acceptor_identity negative" ; > messages.log
${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
test_section "${mech}: acceptor_identity negative (expected failure)"
test_run not ${context} --gsskrb5-acceptor-identity=${keytabfile}.foo \
--mech-type=$mech host@lucid.test.h5l.se
done
rm ${keytabfile}.new
echo "====== test PAC-based name canonicalization"
test_section "test PAC-based name canonicalization"
${kdestroy}
${kinit} --password-file=${objdir}/foopassword user1.alias@${R} || \
{ eval "$testfailed"; }
${kdestroy} 2>/dev/null || true
test_run ${kinit} --password-file=${objdir}/foopassword user1.alias@${R}
for mech in krb5 spnego; do
test_section "${mech}: PAC name canonicalization"
KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
--mech-type=$mech host@lucid.test.h5l.se > name-canon.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > name-canon.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "client name:" name-canon.log | grep "user1.alias@TEST.H5L.SE" > /dev/null && \
{ echo "client name not canonicalized"; eval "$testfailed"; }
{ echo "client name not canonicalized"; exit 1; }
grep "client name:" name-canon.log | grep "user1@TEST.H5L.SE" > /dev/null || \
{ echo "wrong client name"; eval "$testfailed"; }
{ echo "wrong client name"; exit 1; }
done
echo "====== test channel-bindings."
test_section "test channel-bindings"
for mech in krb5 spnego; do
echo "${mech}: initiator only bindings" ; > messages.log
test_section "${mech}: initiator only bindings"
${context} -v --i-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
{ echo "channel-bound flag unexpected"; exit 1; }
echo "${mech}: acceptor only bindings" ; > messages.log
test_section "${mech}: acceptor only bindings"
${context} -v --a-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
{ echo "channel-bound flag unexpected"; exit 1; }
echo "${mech}: matching bindings" ; > messages.log
test_section "${mech}: matching bindings"
${context} -v --i-channel-bindings=abc --a-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
{ echo "no channel-bound flag"; eval "$testfailed"; }
{ echo "no channel-bound flag"; exit 1; }
echo "${mech}: non matching bindings" ; > messages.log
${context} --i-channel-bindings=abc --a-channel-bindings=xyz \
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
test_section "${mech}: non matching bindings (expected failure)"
test_run not ${context} --i-channel-bindings=abc --a-channel-bindings=xyz \
--mech-type=$mech host@lucid.test.h5l.se
echo "${mech}: initiator only bindings (client-aware)" ; > messages.log
test_section "${mech}: initiator only bindings (client-aware)"
KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
--i-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
{ echo "channel-bound flag unexpected"; exit 1; }
echo "${mech}: acceptor only bindings (client-aware)" ; > messages.log
KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
test_section "${mech}: acceptor only bindings (client-aware, expected failure)"
test_run not env KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
--a-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se
echo "${mech}: matching bindings (client-aware)" ; > messages.log
test_section "${mech}: matching bindings (client-aware)"
KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} -v \
--i-channel-bindings=abc --a-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
{ echo "no channel-bound flag"; eval "$testfailed"; }
{ echo "no channel-bound flag"; exit 1; }
echo "${mech}: non matching bindings (client-aware)" ; > messages.log
KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
test_section "${mech}: non matching bindings (client-aware, expected failure)"
test_run not env KRB5_CONFIG="${objdir}/new_clients_k5.conf" ${context} \
--i-channel-bindings=abc --a-channel-bindings=xyz \
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se
echo "${mech}: initiator null bindings bound (client-aware-flag)" ; > messages.log
test_section "${mech}: initiator null bindings bound (client-aware-flag)"
${context} -v --i-channel-bound \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
{ echo "channel-bound flag unexpected"; exit 1; }
echo "${mech}: initiator only bindings (client-aware-flag)" ; > messages.log
test_section "${mech}: initiator only bindings (client-aware-flag)"
${context} -v --i-channel-bound \
--i-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
{ echo "channel-bound flag unexpected"; exit 1; }
echo "${mech}: acceptor only bindings (client-aware-flag)" ; > messages.log
${context} -v --i-channel-bound \
test_section "${mech}: acceptor only bindings (client-aware-flag, expected failure)"
test_run not ${context} --i-channel-bound \
--a-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se
echo "${mech}: matching bindings (client-aware-flag)" ; > messages.log
test_section "${mech}: matching bindings (client-aware-flag)"
${context} -v --i-channel-bound \
--i-channel-bindings=abc --a-channel-bindings=abc \
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se > cbinding.log 2>&1 || \
{ echo "context failed"; exit 1; }
grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
{ echo "no channel-bound flag"; eval "$testfailed"; }
{ echo "no channel-bound flag"; exit 1; }
echo "${mech}: non matching bindings (client-aware-flag)" ; > messages.log
${context} -v --i-channel-bound \
test_section "${mech}: non matching bindings (client-aware-flag, expected failure)"
test_run not ${context} --i-channel-bound \
--i-channel-bindings=abc --a-channel-bindings=xyz \
--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
--mech-type=$mech host@lucid.test.h5l.se
done
#echo "sasl-digest-md5"
#${context} --mech-type=sasl-digest-md5 \
# --name-type=hostbased-service \
# host@lucid.test.h5l.se || \
# { eval "$testfailed"; }
# host@lucid.test.h5l.se || exit 1
echo "====== gss-api session key check"
test_section "gss-api session key check"
# this will break when oneone invents a cooler enctype then aes256-cts-hmac-sha1-96
coolenctype="aes256-cts-hmac-sha384-192"
limit_enctype="aes256-cts-hmac-sha1-96"
echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file=${objdir}/foopassword user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial tickets for session key tests"
test_run ${kinit} --password-file=${objdir}/foopassword user1@${R}
echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
${context} \
test_section "Building context on cred w/o aes, but still ${coolenctype} session key"
test_run ${context} \
--mech-type=krb5 \
--mutual-auth \
--session-enctype=${coolenctype} \
--name-type=hostbased-service host@no-aes.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@no-aes.test.h5l.se
echo "Building context on cred, check if its limited still" ; > messages.log
${context} \
test_section "Building context on cred, check if its limited still"
test_run ${context} \
--mech-type=krb5 \
--client-name=user1@${R} \
--limit-enctype="${limit_enctype}" \
--mutual-auth \
--name-type=hostbased-service host@no-aes.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@no-aes.test.h5l.se
echo "====== ok-as-delegate"
test_section "ok-as-delegate"
echo "Getting client initial tickets" ; > messages.log
${kinit} --forwardable \
--password-file=${objdir}/foopassword user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial tickets (forwardable)"
test_run ${kinit} --forwardable \
--password-file=${objdir}/foopassword user1@${R}
echo "ok-as-delegate not used" ; > messages.log
${context} \
test_section "ok-as-delegate not used"
test_run ${context} \
--mech-type=krb5 \
--delegate \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "host without ok-as-delegate with policy-delegate" ; > messages.log
${context} \
test_section "host without ok-as-delegate with policy-delegate"
test_run ${context} \
--mech-type=krb5 \
--policy-delegate \
--server-no-delegate \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "ok-as-delegate used by policy" ; > messages.log
${context} \
test_section "ok-as-delegate used by policy"
test_run ${context} \
--mech-type=krb5 \
--policy-delegate \
--name-type=hostbased-service host@ok-delegate.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@ok-delegate.test.h5l.se
echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
${kinit} --ok-as-delegate --forwardable \
--password-file=${objdir}/foopassword user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial tickets with --ok-as-delegate"
test_run ${kinit} --ok-as-delegate --forwardable \
--password-file=${objdir}/foopassword user1@${R}
echo "policy delegate to non delegate host" ; > messages.log
${context} \
test_section "policy delegate to non delegate host"
test_run ${context} \
--mech-type=krb5 \
--policy-delegate \
--server-no-delegate \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "ok-as-delegate" ; > messages.log
${context} \
test_section "ok-as-delegate"
test_run ${context} \
--mech-type=krb5 \
--delegate \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "======export/import cred"
test_section "export/import cred"
echo "export-import cred (krb5)" ; > messages.log
${context} \
test_section "export-import cred (krb5)"
test_run ${context} \
--mech-type=krb5 \
--delegate \
--export-import-cred \
--name-type=hostbased-service host@ok-delegate.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@ok-delegate.test.h5l.se
echo "export-import cred (spnego)" ; > messages.log
${context} \
test_section "export-import cred (spnego)"
test_run ${context} \
--mech-type=spnego \
--delegate \
--export-import-cred \
--name-type=hostbased-service host@ok-delegate.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@ok-delegate.test.h5l.se
echo "======time diffs between client and server"
test_section "time diffs between client and server"
echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file=${objdir}/foopassword user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial ticket for time offset tests"
test_run ${kinit} --password-file=${objdir}/foopassword user1@${R}
echo "No time offset" ; > messages.log
${context} \
test_section "No time offset"
test_run ${context} \
--mech-type=krb5 \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file=${objdir}/foopassword user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial ticket"
test_run ${kinit} --password-file=${objdir}/foopassword user1@${R}
echo "Server time offset" ; > messages.log
${context} \
test_section "Server time offset"
test_run ${context} \
--mech-type=krb5 \
--mutual-auth \
--server-time-offset=3600 \
--max-loops=3 \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "Server time offset (cached ?)" ; > messages.log
${context} \
test_section "Server time offset (cached ?)"
test_run ${context} \
--mech-type=krb5 \
--mutual-auth \
--server-time-offset=3600 \
--max-loops=2 \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file=${objdir}/foopassword user1@${R} || \
{ eval "$testfailed"; }
test_section "Getting client initial ticket for client time offset"
test_run ${kinit} --password-file=${objdir}/foopassword user1@${R}
# Pre-poplute the cache since tgs-req will fail since our time is wrong
${kgetcred} host/lucid.test.h5l.se@${R} || \
{ eval "$testfailed"; }
test_run ${kgetcred} host/lucid.test.h5l.se@${R}
echo "Client time offset" ; > messages.log
${context} \
test_section "Client time offset"
test_run ${context} \
--mech-type=krb5 \
--mutual-auth \
--client-time-offset=3600 \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "Getting client initial tickets (use-referrals)" ; > messages.log
${kinit} \
test_section "Getting client initial tickets (use-referrals)"
test_run ${kinit} \
--password-file=${objdir}/foopassword \
--use-referrals user1@${R} || \
{ eval "$testfailed"; }
--use-referrals user1@${R}
# XXX these tests really need to use somethat that resolve to something
${context} \
test_section "host@short"
test_run ${context} \
--mech-type=krb5 \
host@short || \
{ eval "$testfailed"; }
host@short
${context} \
test_section "host/short (krb5-principal-name)"
test_run ${context} \
--mech-type=krb5 \
--name-type=krb5-principal-name host/short || \
{ eval "$testfailed"; }
--name-type=krb5-principal-name host/short
${context} \
test_section "host@long.test.h5l.se"
test_run ${context} \
--mech-type=krb5 \
host@long.test.h5l.se || \
{ eval "$testfailed"; }
host@long.test.h5l.se
${context} \
test_section "host/long.test.h5l.se (krb5-principal-name)"
test_run ${context} \
--mech-type=krb5 \
--name-type=krb5-principal-name \
host/long.test.h5l.se || \
{ eval "$testfailed"; }
host/long.test.h5l.se
test_section "threaded context establishment"
test_section "Getting client initial tickets for threaded test"
@@ -633,5 +588,5 @@ trap "" EXIT
echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null
exit 0
test_finish
exit $?
+40 -30
@@ -1,50 +1,60 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
confdir="@confdir@"
testdir="@testdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
${TESTS_ENVIRONMENT} ${gsstool} help > /dev/null || exit 1
${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms > /dev/null || exit 1
${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all > /dev/null || exit 1
${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos > /dev/null || exit 1
test_init
exit 0
test_section "gsstool help"
test_run ${TESTS_ENVIRONMENT} ${gsstool} help
test_section "gsstool supported-mechanisms"
test_run ${TESTS_ENVIRONMENT} ${gsstool} supported-mechanisms
test_section "gsstool attrs-for-mech --all"
test_run ${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --all
test_section "gsstool attrs-for-mech --mech=Kerberos"
test_run ${TESTS_ENVIRONMENT} ${gsstool} attrs-for-mech --mech=Kerberos
test_finish
exit $?
+50 -54
@@ -1,44 +1,46 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
# If there is no useful db support compiled in, disable test
../db/have-db || exit 77
@@ -53,9 +55,9 @@ keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
gssmask="${TESTS_ENVIRONMENT} ../../appl/gssmask/gssmask"
gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log"
gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log"
gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log"
gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log --detach --pidfile=n1.pid"
gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log --detach --pidfile=n2.pid"
gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log --detach --pidfile=n3.pid"
gssmaestro="../../appl/gssmask/gssmaestro"
KRB5_CONFIG="${objdir}/krb5.conf"
@@ -66,12 +68,13 @@ rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*
rm -f n1.pid n2.pid n3.pid
> messages.log
test_init
echo Creating database
test_section "Creating database"
# Test virtual principals, why not
${kadmin} <<EOF || exit 1
test_run ${kadmin} <<EOF
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add_ns --key-rotation-epoch=now --key-rotation-period=15m --max-ticket-life=10d --max-renewable-life=20d --attributes= "_/test.h5l.se@${R}"
ext -k ${keytab} host/n1.test.h5l.se@${R}
@@ -94,43 +97,36 @@ cleanup() {
}
trap cleanup EXIT INT TERM
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
test_section "Starting kdc"
test_run ${kdc} --detach --testing
kdcpid=`getpid kdc`
exitcode=0
test_section "Starting client 1"
test_run ${gssmaskn1} --moniker=n1
n1pid=`cat n1.pid 2>/dev/null`
echo "Starting client 1"
${gssmaskn1} --moniker=n1 &
n1pid=$!
#echo $n1pid
#xterm -display :0 -e g ${gssmaskn1} &
#read x
test_section "Starting client 2"
test_run ${gssmaskn2} --moniker=n2
n2pid=`cat n2.pid 2>/dev/null`
echo "Starting client 2"
${gssmaskn2} --moniker=n2 &
n2pid=$!
#echo "Starting client 3"
#${gssmaskn3} --moniker=n3 &
#n3pid=$!
sleep 10
#test_section "Starting client 3"
#${gssmaskn3} --moniker=n3 || { echo "gssmask n3 failed to start"; exit 1; }
#n3pid=`cat n3.pid 2>/dev/null`
# XXX Make --wrap-ext work (seems to fail)
#
# Add --slaves=localhost:8891 if re-enabling client 3
${gssmaestro} \
test_section "Running gssmaestro"
test_run ${gssmaestro} \
--slaves=localhost:8889 \
--slaves=localhost:8890 \
--principals=user1@${R}:u1 || exitcode=1
--principals=user1@${R}:u1
trap "" EXIT
echo "killing kdc and clients (${kdcpid}, ${n1pid}, ${n2pid}, ${n3pid})"
kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null
exit $exitcode
test_finish
exit $?
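Review bot: The client pids are read right after `test_run ${gssmaskn1} --moniker=n1` returns, and `n1pid=\`cat n1.pid 2>/dev/null\`` silently yields an empty string if gssmask's --detach returns before the pid file is written (whether it waits is decided in gssmask, outside this diff); the final `kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid}` would then leave the clients running and holding ports 8889/8890 for the next run. I'd fail fast instead, `n1pid=$(cat n1.pid) || { echo "n1.pid missing"; exit 1; }`, and the same for n2pid. The kill line also still names n3pid, which nothing assigns now that client 3 is commented out. The cleanup() function that precedes this hunk has its body outside the hunk, so I cannot see whether it relies on the same pid variables.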
+122 -138
@@ -1,44 +1,46 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
R=TEST.H5L.SE
@@ -59,126 +61,111 @@ export KRB5_KTNAME
KRB5CCNAME="${cache}-no"
export KRB5CCNAME
KRB5_TRACE="0-/FILE:${objdir}/messages.log"
GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
export GSSAPI_SPNEGO_NAME
GSS_MECH_CONFIG="${objdir}/mech"
export GSS_MECH_CONFIG
> messages.log
test_init
exitcode=0
echo "======context building for negoex"
test_section "context building for negoex"
for HOPS in 1 2 3 4 5
do
echo "test_negoex_1 $HOPS hops"
${context} \
test_section "test_negoex_1 $HOPS hops"
test_run env HOPS=$HOPS ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
host@host.test.h5l.se
done
for HOPS in 1 2 3 4 5
do
echo "test_negoex_1 $HOPS hops early keys"
KEY=always ${context} \
test_section "test_negoex_1 $HOPS hops early keys"
test_run env HOPS=$HOPS KEY=always ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
host@host.test.h5l.se
done
HOPS=1
echo "test_negoex_1 no keys"
KEY=never ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 no keys (expected failure)"
test_run not env HOPS=1 KEY=never ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 no optimistic token"
NEGOEX_NO_OPTIMISTIC_TOKEN=1 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 no optimistic token"
test_run env HOPS=1 NEGOEX_NO_OPTIMISTIC_TOKEN=1 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 initiator query fail, test_negoex_2 pass"
INIT_QUERY_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_2 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null || \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 initiator query fail, test_negoex_2 pass"
test_run env INIT_QUERY_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_2 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 acceptor query fail, test_negoex_2 pass"
ACCEPT_QUERY_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_2 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null || \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 acceptor query fail, test_negoex_2 pass"
test_run env ACCEPT_QUERY_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_2 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 acceptor exchange fail, test_negoex_2 pass"
ACCEPT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_2 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null || \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 acceptor exchange fail, test_negoex_2 pass"
test_run env ACCEPT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_2 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 first mech initiator exchange fail"
INIT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 first mech initiator exchange fail (expected failure)"
test_run not env INIT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 first mech initiator exchange fail, two hops"
HOPS=2 INIT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 first mech initiator exchange fail, two hops (expected failure)"
test_run not env HOPS=2 INIT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 first mech initiator exchange fail, two hops, early keys"
HOPS=2 KEY=always INIT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 first mech initiator exchange fail, two hops, early keys (expected failure)"
test_run not env HOPS=2 KEY=always INIT_EXCHANGE_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 first mech init_sec_context fail"
INIT_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 first mech init_sec_context fail (expected failure)"
test_run not env INIT_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 first mech accept_sec_context fail"
HOPS=2 ACCEPT_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se 2>/dev/null && \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 first mech accept_sec_context fail (expected failure)"
test_run not env HOPS=2 ACCEPT_FAIL=102 ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 alert from acceptor to initiator"
HOPS=3 KEY=init-always ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 alert from acceptor to initiator"
test_run env HOPS=3 KEY=init-always ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
echo "test_negoex_1 alert from initiator to acceptor"
HOPS=4 KEY=accept-always ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se || \
{ exitcode=1 ; echo test failed; }
test_section "test_negoex_1 alert from initiator to acceptor"
test_run env HOPS=4 KEY=accept-always ${context} \
--mech-type=spnego --ret-mech-type=test_negoex_1 \
--name-type=hostbased-service \
host@host.test.h5l.se
unset GSS_MECH_CONFIG
echo "======test context building for sanon-x25519"
test_section "test context building for sanon-x25519"
for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
iov=""
if [ "$mech" = "sanon-x25519iov" ] ; then
@@ -190,37 +177,36 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
iov="--iov"
fi
echo "${mech} anon-flag ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} anon-flag ${iov}"
test_run ${context} --mech-type=${mech} \
--anonymous \
--ret-mech-type=sanon-x25519 \
--i-channel-bindings=negoex_sanon_test_h5l_se \
--a-channel-bindings=negoex_sanon_test_h5l_se \
--wrapunwrap ${iov} \
host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
host@lucid.test.h5l.se
echo "${mech} anon-initiator ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} anon-initiator ${iov}"
test_run env KRB5_TRACE=0-/FILE:/dev/stderr ${context} --mech-type=${mech} \
--anonymous \
--client-name=WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS \
--ret-mech-type=sanon-x25519 \
--i-channel-bindings=negoex_sanon_test_h5l_se \
--a-channel-bindings=negoex_sanon_test_h5l_se \
--wrapunwrap ${iov} \
host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
host@lucid.test.h5l.se
echo "${mech} anon-acceptor ${iov}" ; > messages.log
${context} --mech-type=${mech} \
test_section "${mech} anon-acceptor ${iov}"
test_run env KRB5_TRACE=0-/FILE:/dev/stderr ${context} --mech-type=${mech} \
--anonymous \
--ret-mech-type=sanon-x25519 \
--i-channel-bindings=negoex_sanon_test_h5l_se \
--a-channel-bindings=negoex_sanon_test_h5l_se \
--wrapunwrap ${iov} \
WELLKNOWN@ANONYMOUS || \
{ eval "$testfailed"; }
WELLKNOWN@ANONYMOUS
done
echo "======export-import-context for sanon-x25519"
test_section "export-import-context for sanon-x25519"
for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
iov=""
if [ "$mech" = "sanon-x25519iov" ] ; then
@@ -232,28 +218,26 @@ for mech in sanon-x25519 sanon-x25519iov spnego spnegoiov; do
iov="--iov"
fi
echo "${mech}: export-import-context ${iov}" ; > messages.log
${context} \
test_section "${mech}: export-import-context ${iov}"
test_run ${context} \
--mech-type=${mech} \
--anonymous \
--export-import-context \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
echo "${mech}: export-import-context ${iov} (split tokens)" ; > messages.log
${context} \
test_section "${mech}: export-import-context ${iov} (split tokens)"
test_run ${context} \
--mech-type=${mech} \
--anonymous \
--export-import-context \
--wrapunwrap ${iov} \
--token-split=128 \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
done
echo "======dce-style for sanon-x25519"
test_section "dce-style for sanon-x25519"
for mech in spnego spnegoiov; do
iov=""
if [ "$mech" = "spnegoiov" ] ; then
@@ -261,14 +245,14 @@ for mech in spnego spnegoiov; do
iov="--iov"
fi
echo "${mech}: dce-style ${iov}" ; > messages.log
${context} \
test_section "${mech}: dce-style ${iov}"
test_run ${context} \
--mech-type=${mech} \
--anonymous --dce-style \
--wrapunwrap ${iov} \
--name-type=hostbased-service host@lucid.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@lucid.test.h5l.se
done
exit $exitcode
test_finish
exit $?
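Review bot: The anon-initiator and anon-acceptor cases (the two `test_run env KRB5_TRACE=0-/FILE:/dev/stderr ${context}` lines) override the KRB5_TRACE that this script sets to `${objdir}/messages.log` earlier, so those two tests trace to stderr while every other test in the file traces to the log; this looks like leftover debugging. I'd drop the `env KRB5_TRACE=...` prefix on both lines so they read `test_run ${context} --mech-type=${mech} \` like their neighbours, keeping the trace where the rest of the file expects it. If the stderr trace is intentional for these two cases, a one-line comment above them saying why would keep the next reader from removing it.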
+88 -84
@@ -1,44 +1,46 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
# If there is no useful db support compiled in, disable test
../db/have-db || exit 77
@@ -74,11 +76,12 @@ rm -f current-db*
rm -f out-*
rm -f mkey.file*
> messages.log
test_init
echo Creating database
echo upw > ${objdir}/foopassword
${kadmin} <<EOF || exit 1
echo "upw" > ${objdir}/foopassword
test_section "Creating database"
test_run ${kadmin} <<EOF
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -p upw --use-defaults user@${R}
add -p upw --use-defaults another@${R}
@@ -87,8 +90,8 @@ ext -k ${keytab} host/host.test.h5l.se@${R}
check ${R}
EOF
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
test_section "Starting kdc"
test_run ${kdc} --detach --testing
kdcpid=`getpid kdc`
cleanup() {
@@ -100,121 +103,122 @@ cleanup() {
}
trap cleanup EXIT INT TERM
exitcode=0
test_section "initial ticket"
test_run ${kinit_auditdns} -c ${cache} --password-file=${objdir}/foopassword user@${R}
echo "initial ticket"
${kinit_auditdns} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
echo "copy ccache with gss_store_cred"
test_section "copy ccache with gss_store_cred"
# Note we test that the ccache used for storing is token-expanded
${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
${klist} -c ${cache2} || exit 1
test_run ${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}"
test_run ${klist} -c ${cache2}
echo "keytab"
${acquire_cred} \
test_section "keytab"
test_run ${acquire_cred} \
--acquire-type=accept \
--acquire-name=host@host.test.h5l.se || exit 1
--acquire-name=host@host.test.h5l.se
echo "keytab w/ short-form name and name canon rules"
${acquire_cred} \
test_section "keytab w/ short-form name and name canon rules"
test_run ${acquire_cred} \
--acquire-type=accept \
--acquire-name=host@host || exit 1
--acquire-name=host@host
echo "keytab w/o name"
${acquire_cred} \
--acquire-type=accept || exit 1
test_section "keytab w/o name"
test_run ${acquire_cred} \
--acquire-type=accept
echo "keytab w/ wrong name"
${acquire_cred} \
test_section "keytab w/ wrong name (expected failure)"
# This should fail - wrong name
test_run not ${acquire_cred} \
--acquire-type=accept --kerberos \
--acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
--acquire-name=host@host2.test.h5l.se
echo "init using keytab"
${acquire_cred} \
test_section "init using keytab"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10)"
${acquire_cred} \
test_section "init using keytab (loop 10)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--loops=10 \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10, target)"
${acquire_cred} \
test_section "init using keytab (loop 10, target)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--loops=10 \
--target=host@host.test.h5l.se \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10, kerberos)"
${acquire_cred} \
test_section "init using keytab (loop 10, kerberos)"
test_run ${acquire_cred} \
--acquire-type=initiate \
--loops=10 \
--kerberos \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (loop 10, target, kerberos)"
${acquire_cred} \
test_section "init using keytab (loop 10, target, kerberos)"
test_run ${acquire_cred} \
--acquire-type=initiate \
--loops=10 \
--kerberos \
--target=host@host.test.h5l.se \
--acquire-name=host@host.test.h5l.se > /dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using existing cc"
${acquire_cred} \
test_section "init using existing cc"
test_run ${acquire_cred} \
--kerberos \
--name-type=user-name \
--acquire-type=initiate \
--acquire-name=user || exit 1
--acquire-name=user
KRB5CCNAME=${nocache}
echo "fail init using existing cc"
${acquire_cred} \
test_section "fail init using existing cc (expected failure)"
# This should fail - no such cache
test_run not ${acquire_cred} \
--kerberos \
--name-type=user-name \
--acquire-type=initiate \
--acquire-name=user 2>/dev/null && exit 1
--acquire-name=user
echo "use gss_krb5_ccache_name for user"
${acquire_cred} \
test_section "use gss_krb5_ccache_name for user"
test_run ${acquire_cred} \
--kerberos \
--name-type=user-name \
--ccache=${cache} \
--acquire-type=initiate \
--acquire-name=user >/dev/null || exit 1
--acquire-name=user
KRB5CCNAME=${cache}
KRB5_KTNAME=${nokeytab}
echo "kcred"
${test_kcred} || exit 1
test_section "kcred"
test_run ${test_kcred}
${kdestroy} -c ${cache}
${kdestroy} -c ${cache} 2>/dev/null || true
KRB5_KTNAME="${keytab}"
echo "init using keytab"
${acquire_cred} \
test_section "init using keytab (after kdestroy)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
--acquire-name=host@host.test.h5l.se
echo "init using keytab (ccache)"
${acquire_cred} \
test_section "init using keytab (ccache)"
test_run ${acquire_cred} \
--kerberos \
--acquire-type=initiate \
--ccache=${cache} \
--acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
--acquire-name=host@host.test.h5l.se
trap "" EXIT
echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null
exit $exitcode
test_finish
exit $?
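Review bot: The database creation (`test_run ${kadmin} <<EOF`) and the KDC start (`test_run ${kdc} --detach --testing`) used to be fatal via `|| exit 1`, but now go through `test_run`, and test-lib.sh is not part of this diff so I cannot tell whether it aborts the script or only records the failure and continues. If it continues, a failed `init` or an unstarted KDC turns every later step into a misleading cascade of failures and leaves `kdcpid` empty for the final `kill ${kdcpid} 2> /dev/null`, which then silently does nothing. If the framework has a fatal variant, use it for these two setup steps; otherwise keep an explicit `|| exit 1` on them, e.g. `test_run ${kdc} --detach --testing || exit 1`. Separately, the shebang is now hard-coded as `#!/bin/bash` in a `.in` template whose other paths are substituted; bash is not at /bin/bash on the BSDs, so `#!/usr/bin/env bash` or a configure-substituted interpreter path would be safer.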
+68 -86
@@ -1,44 +1,46 @@
#!/bin/sh
#!/bin/bash
#
# Copyright (c) 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
top_srcdir="@top_srcdir@"
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
. ${top_srcdir}/tests/bin/test-lib.sh
# If there is no useful db support compiled in, disable test
../db/have-db || exit 77
@@ -69,17 +71,15 @@ export KRB5CCNAME
GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
export GSSAPI_SPNEGO_NAME
testfailed="exitcode=1; echo test failed; cat messages.log; exit 1"
rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*
> messages.log
test_init
echo Creating database
${kadmin} <<EOF || exit 1
test_section "Creating database"
test_run ${kadmin} <<EOF
init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
add -p p1 --use-defaults host/host.test.h5l.se@${R}
ext -k ${keytab} host/host.test.h5l.se@${R}
@@ -93,8 +93,8 @@ EOF
echo u1 > ${objdir}/foopassword
echo ds > ${objdir}/barpassword
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
test_section "Starting kdc"
test_run ${kdc} --detach --testing
kdcpid=`getpid kdc`
cleanup() {
@@ -106,56 +106,48 @@ cleanup() {
}
trap cleanup EXIT INT TERM
exitcode=0
test_section "Getting client initial tickets"
test_run ${kinit} --password-file=${objdir}/foopassword user1@${R}
echo "Getting client initial tickets"
${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
echo "Getting digestserver initial tickets"
test_section "context building for each mech"
echo "======context building for each mech"
for mech in krb5 ; do
echo "${mech}"
${context} --mech-type=${mech} --ret-mech-type=${mech} \
for mech in krb5 ; do
test_section "${mech}"
test_run ${context} --mech-type=${mech} --ret-mech-type=${mech} \
--client-ccache="${cache}" \
--gsskrb5-acceptor-identity="${keytab}" \
--name-type=hostbased-service host@host.test.h5l.se || \
{ eval "$testfailed"; }
--name-type=hostbased-service host@host.test.h5l.se
done
echo "spnego"
${context} \
test_section "spnego"
test_run ${context} \
--client-ccache="${cache}" \
--mech-type=spnego \
--ret-mech-type=krb5 \
--name-type=hostbased-service \
--export-import-context \
host@host.test.h5l.se || \
{ eval "$testfailed"; }
host@host.test.h5l.se
echo "spnego (split tokens)"
${context} \
test_section "spnego (split tokens)"
test_run ${context} \
--token-split=128 \
--client-ccache="${cache}" \
--mech-type=spnego \
--ret-mech-type=krb5 \
--name-type=hostbased-service \
--export-import-context \
host@host.test.h5l.se || \
{ eval "$testfailed"; }
host@host.test.h5l.se
echo "test failure cases"
${context} --mech-type=sanon-x25519 --ret-mech-type=krb5 \
test_section "test failure cases"
test_run not ${context} --mech-type=sanon-x25519 --ret-mech-type=krb5 \
--client-ccache="${cache}" \
--name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
{ eval "$testfailed"; }
--name-type=hostbased-service host@host.test.h5l.se
${context} --mech-type=krb5 --ret-mech-type=sanon-x25519 \
test_run not ${context} --mech-type=krb5 --ret-mech-type=sanon-x25519 \
--client-ccache="${cache}" \
--name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
{ eval "$testfailed"; }
--name-type=hostbased-service host@host.test.h5l.se
echo "======spnego variants context building"
test_section "spnego variants context building"
for arg in \
"" \
@@ -166,55 +158,46 @@ for arg in \
"--mutual --getverifymic --wrapunwrap" \
; do
echo "with krb5 creds ${arg}"
${context} --mech-type=spnego \
test_section "with krb5 creds ${arg}"
test_run ${context} --mech-type=spnego \
$arg \
--name-type=hostbased-service \
--ret-mech-type=krb5 \
host@host.test.h5l.se || \
{ eval "$testfailed"; }
host@host.test.h5l.se
echo "no krb5 acceptor cred ${arg}"
test_section "no krb5 acceptor cred ${arg} (expected failure)"
KRB5_KTNAME="${keytab}-no"
${context} --mech-type=spnego \
test_run not ${context} --mech-type=spnego \
$arg \
--server-no-delegate \
--name-type=hostbased-service \
--ret-mech-type=sanon-x25519 \
host@host.test.h5l.se && \
{ eval "$testfailed"; }
host@host.test.h5l.se
KRB5_KTNAME="${keytab}"
echo "no explicit krb5 acceptor cred ${arg}"
${context} --mech-type=spnego \
test_section "no explicit krb5 acceptor cred ${arg} (expected failure)"
test_run not ${context} --mech-type=spnego \
$arg \
--gsskrb5-acceptor-identity="${keytab}-no" \
--server-no-delegate \
--name-type=hostbased-service \
--ret-mech-type=krb5 \
host@host.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
host@host.test.h5l.se
echo "no krb5 initiator cred ${arg}"
test_section "no krb5 initiator cred ${arg} (expected failure)"
KRB5CCNAME="${cache}-no"
${context} --mech-type=spnego \
test_run not ${context} --mech-type=spnego \
$arg \
--server-no-delegate \
--name-type=hostbased-service \
--ret-mech-type=sanon-x25519 \
host@host.test.h5l.se && \
{ eval "$testfailed"; }
host@host.test.h5l.se
KRB5CCNAME="${cache}"
echo "no explicit krb5 initiator cred ${arg}"
${context} --mech-type=spnego \
test_section "no explicit krb5 initiator cred ${arg} (expected failure)"
test_run not ${context} --mech-type=spnego \
$arg \
--client-ccache="${cache}-no" \
--server-no-delegate \
--name-type=hostbased-service \
--ret-mech-type=krb5 \
host@host.test.h5l.se 2>/dev/null && \
{ eval "$testfailed"; }
host@host.test.h5l.se
done
@@ -223,6 +206,5 @@ trap "" EXIT
echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null
exit $exitcode
test_finish
exit $?
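Review bot: The expected-failure cases written as `test_run not ${context} ...` (the sanon/krb5 mismatch pair and the four `-no` credential cases in the spnego-variants loop) pass on any non-zero exit, so a crash, a usage error or a mistyped option would be reported as success; the old `&& testfailed` form had the same blind spot and the new framework was the chance to close it. If test-lib.sh's `not` only inverts the status (I cannot see it here), consider having it reject exit codes of 128 and above, or, now that `2>/dev/null` is gone and stderr lands in the log, pin the reason by grepping the log for the expected GSS error after each of these cases. This matters because the `no krb5 acceptor cred` and `no krb5 initiator cred` cases, with `--ret-mech-type=sanon-x25519` under `not`, appear to be what guards against SPNEGO silently downgrading to the anonymous sanon-x25519 mechanism when Kerberos credentials are missing, so a false pass there would hide a real security regression. There is also a stray `echo "Getting digestserver initial tickets"` with no command following it; if it survives on the new side, drop it so the log does not announce a step that never runs.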