This API is used for both const and non-const strings, depending on
whether there is a deallocator passed or not, so the C type system
can't distinguish this for us.
XXX Perhaps this should be two separate APIs, one which takes
const-qualified pointers and one which takes non-const-qualified
pointers.
This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().
It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).
The point of this commit is to explore:
- GSS functionality for kinit-like actions
- credential store key/value pairs supported by the mechanisms
- document the credential store key/value pairs (in gsstool.1)
that might lead to further enhancements. But gsstool acquire-cred
is quite functional at this point!
We do a small amount of MIT interop testing in tests/kdc/check-fast.in,
which tests some MIT clients against Heimdal KDCs. This commit adds
more testing via tests/kdc/check-mit-kdc.in, wherein we set up and run
an MIT Kerberos realm and KDCs and test Heimdal clients against it.
- `test_section "..."` replaces `echo "Now we're testing ..."`
- `test_run ...` replaces `... || { ...; eval "testsfailed"; }`
- `test_run not ...` replaces `... && { ...; eval "testsfailed"; }`
`test_section` saves the output of the program and shows it only in the
case of failures.
`test_run` arranges to exit with non-zero status if a test fails.
Use `set -e` to force early exit. Conversely use `set +e` to continue
running the remaining tests when one fails -- this will be very useful
in reducing the number of CI test runs (e.g., GitHub Actions), thus
saving time and money.
This is Claude-generated code, guided by me, with minor corrections.
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
