We build variants of kinit and test_acquire_cred that define their
own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and
getaddrinfo to print a message and abort. For getaddrinfo, we abort
only if the caller failed to specify AI_NUMERICHOST; otherwise we use
dlsym(RTLD_NEXT, "getaddrinfo") instead.
The new test tests/gss/check-nodns is like tests/gss/check-basic, but
uses kinit_auditdns and test_acquire_cred_auditdns to verify that no
DNS resolution happens.
This test should work and be effective on ELF platforms where the
getaddrinfo function is implemented by the symbol `getaddrinfo'. On
non-ELF platforms it may not be effective -- and on platforms where
the getaddrinfo function is implemented by another symbol (like
`__getaddrinfo50') it may not work, but we can cross that bridge when
we come to it.
Verified manually that the test fails, with the expected error
message and abort, without `block_dns = yes' in krb5-nodns.conf. No
automatic test of the mechanism for now because it might not work on
some platforms.
XXX check-nodns.in is copypasta of check-basic.in, should factor out
the common parts so they don't get out of sync.
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.
The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.
Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
This commit adds support for proof of posession to the kx509 protocol by
using PKCS#10 CSRs.
This allows conveyance of extReq CSR attributes requesting desired
Certificate Extensions.
NOTE: The test runs and succeeds, but the client seems to be getting
a new x-realm TGT after we set the kvno to 0 or remove the
kvno from the tickets. This means we're not really testing
the TGS paths! So this test is not yet ready.
