Workaround bugs exposed by test_context changes

Bugs exposed by 61720a0: - test_context --client-name=... --mech-type=ntlm ... fails; - gss_acquire_cred() with desired_mech=NTLM and desired_name==GSS_C_NO_NAME fails; - gss_init_sec_context() with non-default cred handle calls the mechanism even when the given cred handle has no element for the requencet mechanism. tests/gss/check-ntlm works by accident: gss_acquire_cred() with desired_mechs==GSS_C_NO_OID_SET succeeds mostly because there are Kerberos credentials available, and then the subsequent gss_init_sec_context() call works because of the third bug described above.
2015-04-16 18:42:51 -05:00
parent fb177480bd
commit d6a7d14fc5
3 changed files with 36 additions and 7 deletions
--- a/lib/gssapi/test_context.c
+++ b/lib/gssapi/test_context.c
@@ -591,6 +591,31 @@ main(int argc, char **argv)
 	mechoid = string_to_oid(mech_string);

    if (mechs_string == NULL) {
+        /*
+         * We ought to be able to use the OID set of the one mechanism
+         * OID given.  But there's some breakage that conspires to make
+         * that fail though it should succeed:
+         *
+         *  - the NTLM gss_acquire_cred() refuses to work with
+         *    desired_name == GSS_C_NO_NAME
+         *  - the NTLM gss_import_name() also fails, so that merely
+         *    adding --client-name to this program's invocation doesn't
+         *    work around that
+         *  - gss_acquire_cred() with desired_mechs == GSS_C_NO_OID_SET
+         *    does work here because we happen to have Kerberos
+         *    credentials in check-ntlm, and the subsequent
+         *    gss_init_sec_context() call finds no cred element for NTLM
+         *    but plows on anyways, surprisingly enough, and then the
+         *    NTLM gss_init_sec_context() just works.
+         *
+         * In summary, there's some breakage in gss_init_sec_context()
+         * and some breakage in NTLM (and SPNEGO) that conspires against
+         * us here.
+         *
+         * We work around this in check-ntlm and check-spnego by adding
+         * --mech-types='' to the invocations of this test program that
+         * require it.
+         */
        oids[0] = *mechoid;
        mechoid_descs.elements = &oids[0];
        mechoid_descs.count = 1;
--- a/tests/gss/check-ntlm.in
+++ b/tests/gss/check-ntlm.in
@@ -134,6 +134,7 @@ KRB5CCNAME="$cache"

 echo "no NTLM initiator creds"
 ${context} --mech-type=ntlm \
+	--mech-types= \
 	--mutual \
        --name-type=hostbased-service \
        --ret-mech-type=ntlm \
@@ -145,6 +146,7 @@ ${kinit} --password-file=${objdir}/foopassword --ntlm-domain=TEST user1@${R} ||

 echo "NTLM initiator krb5 creds"
 ${context} --mech-type=ntlm \
+	--mech-types= \
 	--mutual \
        --name-type=hostbased-service \
        --ret-mech-type=ntlm \
@@ -153,6 +155,7 @@ ${context} --mech-type=ntlm \

 echo "NTLM initiator krb5 creds (getverifymic, wrapunwrap)"
 ${context} --mech-type=ntlm \
+	--mech-types= \
 	--mutual \
        --name-type=hostbased-service \
        --ret-mech-type=ntlm \
--- a/tests/gss/check-spnego.in
+++ b/tests/gss/check-spnego.in
@@ -124,7 +124,7 @@ echo "======context building for each mech"

 for mech in ntlm krb5 ; do 
    echo "${mech}"
-    ${context} --mech-type=${mech} --ret-mech-type=${mech} \
+    ${context} --mech-type=${mech} --mech-types= --ret-mech-type=${mech} \
        --name-type=hostbased-service host@host.test.h5l.se || \
 	{ exitcode=1 ; echo test failed; }
 done
@@ -132,17 +132,18 @@ done
 echo "spnego"
 ${context} \
    --mech-type=spnego \
+    --mech-types= \
    --ret-mech-type=krb5 \
    --name-type=hostbased-service \
    host@host.test.h5l.se || \
    { exitcode=1 ; echo test failed; }

 echo "test failure cases"
-${context} --mech-type=ntlm --ret-mech-type=krb5 \
+${context} --mech-type=ntlm --mech-types= --ret-mech-type=krb5 \
    --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
    { exitcode=1 ; echo test failed; }

-${context} --mech-type=krb5 --ret-mech-type=ntlm \
+${context} --mech-type=krb5 --mech-types= --ret-mech-type=ntlm \
    --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
    { exitcode=1 ; echo test failed; }

@@ -159,7 +160,7 @@ for arg in \

    echo "no NTLM acceptor cred ${arg}"
    NTLM_ACCEPTOR_CCACHE="${cacheds}-no"
-    ${context} --mech-type=spnego \
+    ${context} --mech-type=spnego --mech-types= \
        $arg \
 	--client-name=user1@TEST.H5L.SE \
        --name-type=hostbased-service \
@@ -170,7 +171,7 @@ for arg in \

    echo "no NTLM initiator cred ${arg}"
    NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no"
-    ${context} --mech-type=spnego \
+    ${context} --mech-type=spnego --mech-types= \
        $arg \
 	--client-name=user1@TEST.H5L.SE \
        --name-type=hostbased-service \
@@ -181,7 +182,7 @@ for arg in \

    echo "no krb5 acceptor cred ${arg}"
    KRB5_KTNAME="${keytab}-no"
-    ${context} --mech-type=spnego \
+    ${context} --mech-type=spnego --mech-types= \
        $arg \
 	--client-name=user1@TEST.H5L.SE \
 	--server-no-delegate \
@@ -193,7 +194,7 @@ for arg in \

    echo "no krb5 initiator cred ${arg}"
    KRB5CCNAME="${cache}-no"
-    ${context} --mech-type=spnego \
+    ${context} --mech-type=spnego --mech-types= \
        $arg \
 	--client-name=user1@TEST.H5L.SE \
 	--server-no-delegate \