diff --git a/Default-dns_canonicalize_hostname-to-fallback.patch b/Default-dns_canonicalize_hostname-to-fallback.patch index 2e34e13..b252354 100644 --- a/Default-dns_canonicalize_hostname-to-fallback.patch +++ b/Default-dns_canonicalize_hostname-to-fallback.patch @@ -1,4 +1,4 @@ -From 1e72ba5c1b74d5b78f84c5884d06e979830aeb53 Mon Sep 17 00:00:00 2001 +From d003b4aa8dce14967725d6607c54ceb884b3647c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 27 May 2020 18:48:35 -0400 Subject: [PATCH] Default dns_canonicalize_hostname to "fallback" diff --git a/Remove-resolver-test-utility.patch b/Remove-resolver-test-utility.patch index 444f99a..95055df 100644 --- a/Remove-resolver-test-utility.patch +++ b/Remove-resolver-test-utility.patch @@ -1,4 +1,4 @@ -From 621cf6c98d74b025a0ca190cd279756596709ef9 Mon Sep 17 00:00:00 2001 +From c21bb26abc4799298726124d73f0c968430a87bd Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 28 May 2020 18:41:02 -0400 Subject: [PATCH] Remove resolver test utility @@ -22,10 +22,10 @@ tests/resolve is no longer used after the previous commit. delete mode 100644 src/tests/resolve/resolve.c diff --git a/src/configure.ac b/src/configure.ac -index 29be532cb..2a756d6b5 100644 +index aafc462f9..00b5ea4c5 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1542,7 +1542,6 @@ V5_AC_OUTPUT_MAKEFILE(. +@@ -1540,7 +1540,6 @@ V5_AC_OUTPUT_MAKEFILE(. appl/simple appl/simple/client appl/simple/server appl/gss-sample appl/user_user diff --git a/Replace-gssrpc-tests-with-a-Python-script.patch b/Replace-gssrpc-tests-with-a-Python-script.patch new file mode 100644 index 0000000..5632455 --- /dev/null +++ b/Replace-gssrpc-tests-with-a-Python-script.patch 
@@ -0,0 +1,861 @@ +From 5af211200d6c2ac82872435556f5b39edcaba541 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 15 Feb 2020 20:34:23 -0500 +Subject: [PATCH] Replace gssrpc tests with a Python script + +Replace the dejagnu RPC test framework with a short Python script to +do the same tests as fullrun.exp and gsserr.exp. Modify the server +test program to facilitate use by k5test.py. + +expire.exp, together with a comment in the client test program, was +designed to test a libdb2 btree bug via the gssrpc server-side +authentication code. That code was subsequently changed not to use +libdb2, before it was merged into the main krb5 tree (in revision 1.23 +of svc_auth_gssapi.c, according to the changelog removed in commit +2a43d772be1e45faa8e488d436b6e867371563fb). Remove the comment and do +not replace that test sequence. + +[rharwood@redhat.com: .gitignore] +--- + src/configure.ac | 2 - + src/lib/rpc/unit-test/Makefile.in | 36 +-- + src/lib/rpc/unit-test/client.c | 26 --- + src/lib/rpc/unit-test/config/unix.exp | 176 -------------- + src/lib/rpc/unit-test/lib/helpers.exp | 234 ------------------- + src/lib/rpc/unit-test/rpc_test.0/expire.exp | 49 ---- + src/lib/rpc/unit-test/rpc_test.0/fullrun.exp | 91 -------- + src/lib/rpc/unit-test/rpc_test.0/gsserr.exp | 30 --- + src/lib/rpc/unit-test/server.c | 13 +- + src/lib/rpc/unit-test/t_rpc.py | 29 +++ + 10 files changed, 41 insertions(+), 645 deletions(-) + delete mode 100644 src/lib/rpc/unit-test/config/unix.exp + delete mode 100644 src/lib/rpc/unit-test/lib/helpers.exp + delete mode 100644 src/lib/rpc/unit-test/rpc_test.0/expire.exp + delete mode 100644 src/lib/rpc/unit-test/rpc_test.0/fullrun.exp + delete mode 100644 src/lib/rpc/unit-test/rpc_test.0/gsserr.exp + create mode 100644 src/lib/rpc/unit-test/t_rpc.py + +diff --git a/src/configure.ac b/src/configure.ac +index 29be532cb..aafc462f9 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1102,8 +1102,6 @@ extern void endrpcent();], + 
AC_MSG_RESULT($k5_cv_type_endrpcent) + AC_DEFINE_UNQUOTED(ENDRPCENT_TYPE, $k5_cv_type_endrpcent, [Define as return type of endrpcent]) + K5_GEN_FILE(include/gssrpc/types.h:include/gssrpc/types.hin) +-PASS=tcp +-AC_SUBST(PASS) + + # for pkinit + AC_ARG_ENABLE([pkinit], +diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/unit-test/Makefile.in +index 0b6e5203d..309ae2b21 100644 +--- a/src/lib/rpc/unit-test/Makefile.in ++++ b/src/lib/rpc/unit-test/Makefile.in +@@ -16,10 +16,6 @@ server: server.o rpc_test_svc.o $(GSSRPC_DEPLIBS) $(KRB5_BASE_DEPLIBS) + + client.o server.o: rpc_test.h + +-runenv.exp: Makefile +- $(RUN_SETUP); for i in $(RUN_VARS); do \ +- eval echo "set env\($$i\) \$$$$i"; done > runenv.exp +- + # If rpc_test.h and rpc_test_*.c do not work on your system, you can + # try using rpcgen by uncommenting these lines (be sure to uncomment + # then in the generated not Makefile.in). +@@ -34,37 +30,9 @@ runenv.exp: Makefile + # rm -f rpc_test.h rpc_test_clnt.c rpc_test_svc.c + # + +-check unit-test: unit-test-@DO_TEST@ +- +-unit-test-: +- @echo "+++" +- @echo "+++ WARNING: lib/rpc unit tests not run." +- @echo "+++ Either tcl, runtest, or Perl is unavailable." +- @echo "+++" +- @echo 'Skipped rpc tests: runtest or Perl not found' >> $(SKIPTESTS) +- +-unit-test-ok: unit-test-body +- +-PASS=@PASS@ +-unit-test-body: runenv.sh runenv.exp +- $(RM) krb5cc_rpc_test_* +- $(ENV_SETUP) $(VALGRIND) $(START_SERVERS) +- RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$ ; export RPC_TEST_KEYTAB ; \ +- trap "echo Failed, cleaning up... ; rm -f $$RPC_TEST_KEYTAB ; $(ENV_SETUP) $(STOP_SERVERS) ; trap '' 0 ; exit 1" 0 1 2 3 14 15 ; \ +- if $(ENV_SETUP) \ +- $(RUNTEST) SERVER=./server CLIENT=./client \ +- KINIT=$(BUILDTOP)/clients/kinit/kinit \ +- KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \ +- PRIOCNTL_HACK=@PRIOCNTL_HACK@ VALGRIND="$(VALGRIND)" \ +- PASS="$(PASS)" --tool rpc_test $(RUNTESTFLAGS) ; \ +- then \ +- echo Cleaning up... 
; \ +- rm -f $$RPC_TEST_KEYTAB krb5cc_rpc_test_* ; \ +- $(ENV_SETUP) $(STOP_SERVERS) ; \ +- trap 0 ; exit 0 ; \ +- else exit 1 ; fi ++check-pytests: ++ $(RUNPYTEST) $(srcdir)/t_rpc.py $(PYTESTFLAGS) + + clean: + $(RM) server client +- $(RM) dbg.log rpc_test.log rpc_test.sum runenv.exp + +diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/unit-test/client.c +index 5edde49df..c9a812bc5 100644 +--- a/src/lib/rpc/unit-test/client.c ++++ b/src/lib/rpc/unit-test/client.c +@@ -231,32 +231,6 @@ main(argc, argv) + else + gssrpc_xdr_free(xdr_wrapstring, echo_resp); + +- /* +- * Test fix for secure-rpc/586, part 1: btree keys must be +- * unique. Create another context from the same credentials; it +- * should have the same expiration time and will cause the server +- * to abort if the clients are not differentiated. +- * +- * Test fix for secure-rpc/586, part 2: btree keys cannot be +- * mutated in place. To test this: a second client, *with a +- * later expiration time*, must be run. The second client should +- * destroy itself *after* the first one; if the key-mutating bug +- * is not fixed, the second client_data will be in the btree +- * before the first, but its key will be larger; thus, when the +- * first client calls AUTH_DESTROY, the server won't find it in +- * the btree and call abort. +- * +- * For unknown reasons, running just a second client didn't +- * tickle the bug; the btree code seemed to guess which node to +- * look at first. Running a total of three clients does ticket +- * the bug. Thus, the full test sequence looks like this: +- * +- * kinit -l 20m user && client server test@ddn 200 +- * sleep 1 +- * kini -l 30m user && client server test@ddn 300 +- * sleep 1 +- * kinit -l 40m user && client server test@ddn 400 +- */ + if (! 
auth_once) { + tmp_auth = clnt->cl_auth; + clnt->cl_auth = auth_gssapi_create_default(clnt, target); +diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/unit-test/config/unix.exp +deleted file mode 100644 +index 18da62be4..000000000 +--- a/src/lib/rpc/unit-test/config/unix.exp ++++ /dev/null +@@ -1,176 +0,0 @@ +-# +-# $Id$ +-# +- +-source runenv.exp +- +-set kill /bin/kill +-set sleep /bin/sleep +-set kinit $KINIT +-set kdestroy $KDESTROY +- +-set hostname [exec hostname] +- +-# Hack around Solaris 9 kernel race condition that causes last output +-# from a pty to get dropped. +-if { $PRIOCNTL_HACK } { +- catch {exec priocntl -s -c FX -m 30 -p 30 -i pid [getpid]} +- rename spawn oldspawn +- proc spawn { args } { +- upvar 1 spawn_id spawn_id +- set newargs {} +- set inflags 1 +- set eatnext 0 +- foreach arg $args { +- if { $arg == "-ignore" \ +- || $arg == "-open" \ +- || $arg == "-leaveopen" } { +- lappend newargs $arg +- set eatnext 1 +- continue +- } +- if [string match "-*" $arg] { +- lappend newargs $arg +- continue +- } +- if { $eatnext } { +- set eatnext 0 +- lappend newargs $arg +- continue +- } +- if { $inflags } { +- set inflags 0 +- set newargs [concat $newargs {priocntl -e -c FX -p 0}] +- } +- lappend newargs $arg +- } +- set pid [eval oldspawn $newargs] +- return $pid +- } +-} +- +-if { [string length $VALGRIND] } { +- rename spawn valgrind_aux_spawn +- proc spawn { args } { +- global VALGRIND +- upvar 1 spawn_id spawn_id +- set newargs {} +- set inflags 1 +- set eatnext 0 +- foreach arg $args { +- if { $arg == "-ignore" \ +- || $arg == "-open" \ +- || $arg == "-leaveopen" } { +- lappend newargs $arg +- set eatnext 1 +- continue +- } +- if [string match "-*" $arg] { +- lappend newargs $arg +- continue +- } +- if { $eatnext } { +- set eatnext 0 +- lappend newargs $arg +- continue +- } +- if { $inflags } { +- set inflags 0 +- # Only run valgrind for local programs, not +- # system ones. 
+-#&&![string match "/bin/sh" $arg] sh is used to start kadmind! +- if [string match "/" [string index $arg 0]]&&![string match "/bin/ls" $arg]&&![regexp {/kshd$} $arg] { +- set newargs [concat $newargs $VALGRIND] +- } elseif [string match "." [string index $arg 0]] { +- set newargs [concat $newargs $VALGRIND] +- } +- } +- lappend newargs $arg +- } +- set pid [eval valgrind_aux_spawn $newargs] +- return $pid +- } +-} +- +-# this will initialize the database and keytab +-load_lib "helpers.exp" +- +-proc rpc_test_version {} { +- global CLIENT +- global SERVER +- +- clone_output "$CLIENT version " +- clone_output "$SERVER version " +-} +- +-proc rpc_test_load {} { +- # +-} +- +-# rpc_test_exit -- clean up and exit +-proc rpc_test_exit {} { +- global server_id +- global server_pid +- global server_started +- global kill +- +- if {[catch { +- expect { +- -i $server_id +- eof { +- fail "server exited!" +- verbose $expect_out(buffer) 1 +- } +- timeout { pass "server survived" } +- } +- } tmp]} { +- fail "server exited! (expect failed)" +- } +-} +- +-# +-# rpc_test_start -- start the rpc_test server running +-# +-proc rpc_test_start { } { +- global SERVER PROT +- global server_id +- global server_pid +- global server_started +- global server_port +- global env +- +- if [info exists server_pid] { rpc_test_exit } +- +- set env(KRB5_KTNAME) FILE:$env(RPC_TEST_KEYTAB) +- +- verbose "% $SERVER" 1 +- set server_pid [spawn $SERVER $PROT] +- set server_id $spawn_id +- set server_started 1 +- set server_port -1 +- +- unset env(KRB5_KTNAME) +- +- set timeout 30 +- +- expect { +- -re "port: (\[0-9\]*)\r\n" { +- set server_port $expect_out(1,string) +- } +- "running" { } +- eof { +- send_error "server exited!" 
+- verbose $expect_out(buffer) 1 +- } +- timeout { +- send_error "server didn't start in $timeout seconds" +- verbose $expect_out(buffer) 1 +- } +- } +- +-} +- +-set MULTIPASS { +- {tcp PROT=-t dummy=[rpc_test_start]} +- {udp PROT=-u dummy=[rpc_test_start]} +-} +diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp +deleted file mode 100644 +index eb2797c53..000000000 +--- a/src/lib/rpc/unit-test/lib/helpers.exp ++++ /dev/null +@@ -1,234 +0,0 @@ +-if {[info commands exp_version] != {}} { +- set exp_version_4 [regexp {^4} [exp_version]] +-} else { +- set exp_version_4 [regexp {^4} [expect_version]] +-} +- +-# Backward compatibility until we're using expect 5 everywhere +-if {$exp_version_4} { +- global wait_error_index wait_errno_index wait_status_index +- set wait_error_index 0 +- set wait_errno_index 1 +- set wait_status_index 1 +-} else { +- set wait_error_index 2 +- set wait_errno_index 3 +- set wait_status_index 3 +-} +- +-proc set_from_env {varname default_value} { +- global env +- upvar $varname v +- +- if [info exists env($varname)] { +- set v $env($varname) +- } else { +- set v $default_value +- } +-} +-proc expect_tcl_prompt {} { +- global kadmin_tcl_spawn_id +- expect { +- -i $kadmin_tcl_spawn_id +- -re "^% $" { } +- -re . 
{ perror "unexpected output {$expect_out(buffer)} from subprocess, expecting tcl prompt" } +- timeout { perror "timeout waiting for tcl prompt" } +- eof { perror "eof from subprocess when expecting tcl prompt" } +- } +-} +-proc send_tcl_cmd_await_echo {cmd} { +- global kadmin_tcl_spawn_id +- send -i $kadmin_tcl_spawn_id "$cmd\n" +- expect { +- -i $kadmin_tcl_spawn_id +- -ex "$cmd\r\n" { } +- timeout { perror "timeout waiting for tcl subprocess to echo input" } +- eof { perror "eof waiting for tcl subprocess to echo input" } +- } +-} +-proc expect_kadm_ok {} { +- global kadmin_tcl_spawn_id +- expect { +- -i $kadmin_tcl_spawn_id +- -re "^OK KADM5_OK \[^\n\]*\n" {} +- -re "^ERROR \[^\n\]*\n" { perror "kadmin tcl subprocess reported unexpected error" } +- -re "^marshall_new_creds: \[^\n\]*\n" { exp_continue } +- -re "^gssapi_\[^\n\]*\n" { exp_continue } +- -re "^\r?\n" { exp_continue } +- eof { perror "kadmin tcl subprocess died" } +- default { perror "didn't get ok back" } +- } +-} +-proc setup_database {} { +- global env spawn_id kadmin_tcl_spawn_id TESTDIR CANON_HOST +- +- # XXXXX +- set_from_env TOP {/x/x/x/x/x} +- send_user "TOP=$TOP\n" +- +- set_from_env TESTDIR $env(TOP)/testing +- set_from_env CLNTTCL $TESTDIR/util/kadm5_clnt_tcl +- set_from_env TCLUTIL $TESTDIR/tcl/util.t +- set env(TCLUTIL) $TCLUTIL +- set env(PATH) "$TOP/install/admin:$env(PATH)" +- +- # $VERBOSE ? +- +- if [info exists spawn_id] { set x $spawn_id } +- spawn $CLNTTCL +- set kadmin_tcl_spawn_id $spawn_id +- if [info exists x] { set spawn_id $x } +- +- expect_tcl_prompt +- # tcl 8.4 for some reason screws up autodetection of output EOL +- # translation. Work around it for now. 
+- send_tcl_cmd_await_echo "if { \[info commands fconfigure\] != \"\" } { fconfigure stdout -translation lf }" +- expect_tcl_prompt +- send_tcl_cmd_await_echo "source {$TCLUTIL}" +- expect_tcl_prompt +- send_tcl_cmd_await_echo "set h {$CANON_HOST}" +- expect { +- -ex "$CANON_HOST\r\n" { } +- timeout { perror "timeout waiting for subprocess" } +- eof { perror "eof from subprocess" } +- } +- expect_tcl_prompt +- +- send_tcl_cmd_await_echo {kadm5_init admin admin $KADM5_ADMIN_SERVICE null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle} +- expect_kadm_ok +- expect "^% " +- send_tcl_cmd_await_echo {kadm5_create_principal $server_handle [simple_principal server/$h] {KADM5_PRINCIPAL} admin} +- expect_kadm_ok +- expect "^% " +- send_tcl_cmd_await_echo {kadm5_randkey_principal $server_handle server/$h key null} +- expect_kadm_ok +- expect "^% " +- send_tcl_cmd_await_echo {kadm5_create_principal $server_handle [simple_principal notserver/$h] {KADM5_PRINCIPAL} admin} +- expect_kadm_ok +- expect "^% " +- send_tcl_cmd_await_echo {kadm5_randkey_principal $server_handle notserver/$h key null} +- expect_kadm_ok +- expect "^% " +- send_tcl_cmd_await_echo {kadm5_destroy $server_handle} +- expect_kadm_ok +- expect "^% " +- wait -nowait -i $spawn_id +- close -i $spawn_id +-} +- +-if ![info exists CANON_HOST] { +- set CANON_HOST $env(QUALNAME) +- setup_database +- file delete $env(RPC_TEST_KEYTAB) +- exec $env(TOP)/cli/kadmin -p admin -w admin ktadd -k $env(RPC_TEST_KEYTAB) server/$CANON_HOST +-} +- +- +-proc kinit {princ pass lifetime} { +- global kinit +- global wait_error_index wait_errno_index wait_status_index +- +- spawn -noecho $kinit -5 -l $lifetime $princ +- expect { +- -re "Password for $princ.*: " { send "$pass\n"; expect eof } +- timeout { perror "Timeout waiting for kinit"; close } +- eof +- } +- +- set ret [wait] +- if {[lindex $ret $wait_error_index] == -1} { +- perror \ +- "wait(kinit $princ) returned error [lindex $ret $wait_errno_index]" +- } else { +- if 
{[lindex $ret $wait_status_index] != 0} { +- perror \ +- "kinit $princ failed with [lindex $ret $wait_status_index]" +- } +- } +-} +- +-proc flush_server {} { +- global server_id +- global expect_out +- +- verbose "flushing server output" 1 +- +- while {1} { +- set timeout 5 +- +- expect { +- -i $server_id +- -re "^.+$" { +- verbose "server output: $expect_out(buffer)" +- } +- timeout { break } +- } +- } +-} +- +-proc start_client {testname ccname user password lifetime count +- {target ""}} { +- global env CLIENT PROT hostname server_port spawn_id verbose +- +- if {$target == ""} { +- set target "server@$hostname" +- } +- +- set env(KRB5CCNAME) FILE:[pwd]/krb5cc_rpc_test_$ccname +- kinit $user $password $lifetime +- +- if {$verbose > 0} { +- spawn $CLIENT -a 1 -s 1 -m 1 $PROT $hostname $server_port $target $count +- } else { +- spawn $CLIENT $PROT $hostname $server_port $target $count +- } +- +- verbose "$testname: client $ccname started" +- +- unset env(KRB5CCNAME) +-} +- +-proc eof_client {testname ccname id status} { +- verbose "$testname: eof'ing for client $ccname" 1 +- +- expect { +- -i $id +- -re "^marshall_new_creds\[^\n\]*\n" { exp_continue } +- -re "^gssapi_\[^\n\]*\n" { exp_continue } +- -re "^\r?\n" { exp_continue } +- eof { verbose $expect_out(buffer) 1 } +- timeout { +- fail "$testname: timeout waiting for client $ccname to exit" +- } +- } +- wait_client $testname $ccname $id $status +-} +- +- +-proc wait_client {testname ccname id status} { +- global env +- global kill +- global kdestroy +- global wait_error_index wait_errno_index wait_status_index +- +- verbose "$testname: waiting for client $ccname" 1 +- +- set ret [wait -i $id] +- if {[lindex $ret $wait_error_index] == -1} { +- fail \ +- "$testname: wait $ccname returned error [lindex $ret $wait_errno_index]" +- } else { +- if {[lindex $ret $wait_status_index] == $status} { +- pass "$testname: client $ccname" +- } else { +- fail "$testname: client $ccname: unexpected return status [lindex $ret 
$wait_status_index], should be $status." +- } +- } +- +- set env(KRB5CCNAME) FILE:[pwd]/krb5cc_rpc_test_$ccname +- if {[catch "exec $kdestroy -5"] != 0} { +- perror "$testname: cannot destroy client $ccname ccache" +- } +- +- unset env(KRB5CCNAME) +-} +diff --git a/src/lib/rpc/unit-test/rpc_test.0/expire.exp b/src/lib/rpc/unit-test/rpc_test.0/expire.exp +deleted file mode 100644 +index e19cca0ef..000000000 +--- a/src/lib/rpc/unit-test/rpc_test.0/expire.exp ++++ /dev/null +@@ -1,49 +0,0 @@ +-set timeout 40 +- +-load_lib "helpers.exp" +- +-global server_started +- +-proc expired {} { +- global spawn_id server_id +- +- start_client expired expired testuser notathena -1m 100 +- eof_client expired expired $spawn_id 2 +- +- expect { +- -i $server_id +- -re "rpc_test server: Authen.*failed:.*credential.*expired" { pass "expired" } +- timeout { fail "expired: timeout waiting for expired creds error" } +- } +- +- flush_server +-} +- +-# This test doesn't work after #6948, because the client won't try to +-# authenticate using an expired TGT. 
+-#if { $server_started } {expired } +- +-proc overlap {} { +- global spawn_id +- +- start_client expire 1 testuser notathena 20m 100 +- set client1_id $spawn_id +- flush_server +- +- start_client expire 2 testuser notathena 40m 300 +- set client2_id $spawn_id +- flush_server +- +- start_client expire 3 testuser notathena 60m 500 +- set client3_id $spawn_id +- flush_server +- +- eof_client expire 1 $client1_id 0 +- eof_client expire 2 $client2_id 0 +- eof_client expire 3 $client3_id 0 +- +- flush_server +-} +-if { $server_started } {overlap} +- +- +diff --git a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp b/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp +deleted file mode 100644 +index 73083de1f..000000000 +--- a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp ++++ /dev/null +@@ -1,91 +0,0 @@ +-set timeout 120 +- +-load_lib "helpers.exp" +- +-global spawn_id +-global server_id +-global server_started +- +-if { !$server_started } {return} +- +-# Start the client and do a full run +-start_client "full run" fullrun testuser notathena 8h 1026 +-set client_id $spawn_id +- +-# +-# test: did we get 11 dots? +-# +-verbose "Starting RPC echo test. This will take about 50 seconds.\n" +- +-set ver_line "rpc_test server: bad verifier\[^\r\n\]*\[\r\n]+" +- +-set dots 0 +-set server_lines 0 +-while {1} { +- expect { +- -i $server_id +- -re $ver_line { +- verbose "Got line from server." +- incr server_lines +- } +- default { +- exp_continue +- } +- +- -i $client_id +- . { +- incr dots +- verbose "$expect_out(buffer)" 1 +- if ($dots==11) { break } +- } +- eof { +- # +- # test: was the exit status right? +- # +- wait_client "full run" fullrun $client_id 0 +- break +- } +- +- timeout { +- verbose "Timeout waiting for dot\n" 1 +- fail "full run: timeout waiting for dot" +- break +- } +- } +-} +-if {$dots==11} { +- pass "fullrun: echo test" +-} else { +- fail "fullrun: echo test: expected 11 dots, got $dots" +-} +- +-# +-# test: server logged four bad verifiers? 
+-# +-verbose "full run: checking server output" +- +-# Small timeout, since the server should have already printed everything +-set timeout 5 +- +-while {$server_lines < 4} { +- expect { +- -i $server_id +- -re $ver_line { +- incr server_lines +- } +- -re ".+\r\n" { +- verbose "Unexpected server output: $expect_out(buffer)" +- } +- default { +- break +- } +- } +-} +- +-if {$server_lines == 4} { +- pass "fullrun: bad verifiers" +-} else { +- fail "fullrun: expected four bad verifiers, got $server_lines" +-} +- +-flush_server +diff --git a/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp b/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp +deleted file mode 100644 +index 005971989..000000000 +--- a/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp ++++ /dev/null +@@ -1,30 +0,0 @@ +-set timeout 30 +- +-load_lib "helpers.exp" +- +-global spawn_id +-global server_id +-global server_started +-global hostname +- +-if { !$server_started } {return} +- +-start_client "gss err" gsserr testuser notathena 8h 1026 notserver@$hostname +- +-eof_client "gss err" gsserr $spawn_id 2 +- +-# +-# test: server logged an authentication attempted failed? +-# +-verbose "gss err: checking server output" +- +-expect { +- -i $server_id +- -re "rpc_test server: Authent.*failed: .* not found in keytab" { +- pass "gss err: server logged auth error" +- } +- eof { fail "gss err: server exited" } +- timeout { fail "gss err: timeout waiting for server output" } +-} +- +-flush_server +diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/unit-test/server.c +index 13e99bb06..c3bbcbf8c 100644 +--- a/src/lib/rpc/unit-test/server.c ++++ b/src/lib/rpc/unit-test/server.c +@@ -37,7 +37,7 @@ static void rpc_test_badverf(gss_name_t client, gss_name_t server, + caddr_t data); + + #ifndef SERVICE_NAME +-#define SERVICE_NAME "server" ++#define SERVICE_NAME "host" + #endif + + static void usage() +@@ -120,7 +120,6 @@ main(int argc, char **argv) + prot == IPPROTO_TCP ? 
"tcp" : "udp"); + exit(1); + } +- printf("port: %d\n", (int)transp->xp_port); + + if (svcauth_gssapi_set_names(names, 0) == FALSE) { + fprintf(stderr, "unable to set gssapi names\n"); +@@ -144,6 +143,8 @@ main(int argc, char **argv) + signal(SIGTERM, handlesig); + #endif + printf("running\n"); ++ printf("port: %d\n", (int)transp->xp_port); ++ fflush(stdout); + + svc_run(); + fprintf(stderr, "svc_run returned"); +@@ -177,6 +178,7 @@ static void rpc_test_badverf(gss_name_t client, gss_name_t server, + inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr), + ntohs(rqst->rq_xprt->xp_raddr.sin_port), + (int) server_name.length, (char *) server_name.value); ++ fflush(stdout); + + (void) gss_release_buffer(&minor_stat, &client_name); + (void) gss_release_buffer(&minor_stat, &server_name); +@@ -211,6 +213,7 @@ void rpc_test_badauth(OM_uint32 major, OM_uint32 minor, + printf("rpc_test server: Authentication attempt failed: %s", a); + log_badauth_display_status(major, minor); + printf("\n"); ++ fflush(stdout); + } + + void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, +@@ -220,6 +223,7 @@ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, + + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + printf("Miscellaneous RPC error: %s, %s\n", a, error); ++ fflush(stdout); + } + + void log_badauth_display_status(OM_uint32 major, OM_uint32 minor) +@@ -243,10 +247,12 @@ void log_badauth_display_status_1(OM_uint32 code, int type, int rec) + log_badauth_display_status_1(gssstat,GSS_C_GSS_CODE,1); + log_badauth_display_status_1(minor_stat, + GSS_C_MECH_CODE, 1); +- } else ++ } else { + printf("GSS-API authentication error %.*s: " + "recursive failure!\n", (int) msg.length, + (char *)msg.value); ++ } ++ fflush(stdout); + return; + } + +@@ -256,4 +262,5 @@ void log_badauth_display_status_1(OM_uint32 code, int type, int rec) + if (!msg_ctx) + break; + } ++ fflush(stdout); + } +diff --git a/src/lib/rpc/unit-test/t_rpc.py b/src/lib/rpc/unit-test/t_rpc.py +new file mode 100644 +index 
000000000..4e565d25c +--- /dev/null ++++ b/src/lib/rpc/unit-test/t_rpc.py +@@ -0,0 +1,29 @@ ++import re ++ ++from k5test import * ++ ++realm = K5Realm() ++ ++server = realm.start_server(['./server', '-t'], 'running') ++line = server.stdout.readline() ++portstr = re.match(r'^port: (\d+)$', line).group(1) ++ ++realm.run(['./client', '-t', hostname, portstr, 'host@' + hostname, '1026'], ++ expected_msg='...........') ++ ++for i in range(4): ++ line = server.stdout.readline() ++ if 'rpc_test server: bad verifier from user@KRBTEST.COM at ' not in line: ++ fail('unexpected server message: ' + line) ++ output(line) ++ ++realm.addprinc('nokey/' + hostname) ++ ++realm.run(['./client', '-t', hostname, portstr, 'nokey@' + hostname, '1026'], ++ expected_code=2) ++ ++line = server.stdout.readline() ++if 'rpc_test server: Authentication attempt failed: ' not in line: ++ fail('unexpected server message: ' + line) ++ ++success('gssrpc auth_gssapi tests') diff --git a/krb5.spec b/krb5.spec index 264ff0f..3c2201e 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 4%{?dist} +Release: 5%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -60,8 +60,9 @@ Patch17: Pass-gss_localname-through-SPNEGO.patch Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch Patch20: Pass-channel-bindings-through-SPNEGO.patch -Patch21: Default-dns_canonicalize_hostname-to-fallback.patch -Patch22: Remove-resolver-test-utility.patch +Patch21: Replace-gssrpc-tests-with-a-Python-script.patch +Patch22: Default-dns_canonicalize_hostname-to-fallback.patch +Patch23: Remove-resolver-test-utility.patch License: MIT URL: https://web.mit.edu/kerberos/www/ 
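Review bot: In the added t_rpc.py, the negative case that follows `realm.addprinc('nokey/' + hostname)` only checks that the server line contains `rpc_test server: Authentication attempt failed: `, whereas the removed gsserr.exp matched `Authent.*failed: .* not found in keytab`. The replacement therefore passes on any rejection, not specifically the keytab miss this case sets up. Consider asserting the reason as well, for example `if 'Authentication attempt failed: ' not in line or 'not found in keytab' not in line:`, after confirming the exact wording this version prints and that it lands on the same line. Separately, `re.match(r'^port: (\d+)$', line).group(1)` raises AttributeError when the line read is not the port line; testing the match first and calling `fail('unexpected server message: ' + line)` would keep that failure readable, in line with the script's other checks.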
@@ -634,6 +635,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Sat May 30 2020 Robbie Harwood - 1.18.2-5 +- Replace gssrpc tests with a Python script + * Sat May 30 2020 Robbie Harwood - 1.18.2-4 - Default dns_canonicalize_hostname to "fallback"