Include more test suite changes from upstream

Resolves: #1464381
This commit is contained in:
Robbie Harwood 2017-06-23 20:45:14 +00:00
parent 58aed41605
commit db0f9d981a
15 changed files with 2755 additions and 48 deletions

View File

@ -1,4 +1,4 @@
From e03e4c839a67da9b6f4135999de653d22118d8a3 Mon Sep 17 00:00:00 2001
From 2f84634c8227d2f43daf9a6135766c6e1901851f Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Fri, 9 Dec 2016 11:43:27 -0500
Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py

View File

@ -1,4 +1,4 @@
From f113cd5a3d043493c8d4c53dd346b290a0959de9 Mon Sep 17 00:00:00 2001
From 14455b071bab5ed93e42df84dc0b0e5f889cb98b Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 28 Feb 2017 15:55:24 -0500
Subject: [PATCH] Add certauth pluggable interface

View File

@ -1,4 +1,4 @@
From 166c5212d1954c6ac8d445485c47cc88b3802907 Mon Sep 17 00:00:00 2001
From 1f7e1ce67d885bce613030099df9a95e7671055e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:24:41 -0500
Subject: [PATCH] Add k5test expected_msg, expected_trace

View File

@ -0,0 +1,45 @@
From 9cd133e626f114c9a11d6d731f7f97072d59e20f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 11 Jan 2017 10:49:30 -0500
Subject: [PATCH] Add test case for PKINIT DH renegotiation
In t_pkinit.py, add a PKINIT test case where the KDC sends
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the
KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method.
Use the trace log to verify that the renegotiation actually takes
place.
(cherry picked from commit 7ad7eb7fd591e6c789ea24b94eccbf74ee4d79f8)
---
src/tests/t_pkinit.py | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index ac4d326b6..183977750 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -174,6 +174,24 @@ realm.kinit(realm.user_princ,
'-X', 'flag_RSA_PROTOCOL=yes'])
realm.klist(realm.user_princ)
+# Test a DH parameter renegotiation by temporarily setting a 4096-bit
+# minimum on the KDC.
+tracefile = os.path.join(realm.testdir, 'trace')
+minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
+minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
+realm.stop_kdc()
+realm.start_kdc(env=minbits_env)
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
+ 'X509_user_identity=' + file_identity, realm.user_princ])
+with open(tracefile, 'r') as f:
+ trace = f.read()
+if ('Key parameters not accepted' not in trace or
+ 'Preauth tryagain input types' not in trace or
+ 'trying again with KDC-provided parameters' not in trace):
+ fail('DH renegotiation steps not found in kinit trace log')
+realm.stop_kdc()
+realm.start_kdc()
+
# Run the basic test - PKINIT with FILE: identity, with a password on the key,
# supplied by the prompter.
# Expect failure if the responder does nothing, and we have no prompter.

View File

@ -1,4 +1,4 @@
From 44dc9a14f03408f96a38a38aa7b0547e63501bfa Mon Sep 17 00:00:00 2001
From d81c0069df0f18574bc0beb7e45139f6d2bc3849 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 5 Dec 2016 12:22:45 -0500
Subject: [PATCH] Add test cert generation to make-certs.sh

View File

@ -1,4 +1,4 @@
From b7195f09475da34a227db8dae813a54b0353d447 Mon Sep 17 00:00:00 2001
From 405a88caf62483bd077f6d98aa5f1adc9fbdff64 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 4 Apr 2017 16:54:56 -0400
Subject: [PATCH] Add the client_name() kdcpreauth callback

View File

@ -1,4 +1,4 @@
From ec5bfaec762cff5eea4cac43a5be59992616fc27 Mon Sep 17 00:00:00 2001
From 7fa2848a550bda947a6e425babb3f529b7e28ab6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 23 Mar 2017 13:42:55 -0400
Subject: [PATCH] Correct error handling bug in prior commit

View File

@ -1,4 +1,4 @@
From f6fbff49c51b8126818c9036d207911c3e23b9de Mon Sep 17 00:00:00 2001
From ca1ab893b3590ab887f7c0f4a41ad6b2fddf3421 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 4 Jan 2017 11:33:57 -0500
Subject: [PATCH] Deindent crypto_retrieve_X509_sans()

View File

@ -1,4 +1,4 @@
From c0472687218a6e2bfd7b55e7aa85633d9f8e2673 Mon Sep 17 00:00:00 2001
From 84e4545db26e31ae69da8559128513157f533858 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 5 Dec 2016 12:17:59 -0500
Subject: [PATCH] Improve PKINIT UPN SAN matching

View File

@ -1,4 +1,4 @@
From 659b4dd127cdd001e34ea4faf30885f7b1bc4945 Mon Sep 17 00:00:00 2001
From ad17859c5d428be38bb51b6202e1ce256790beb5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 1 Mar 2017 17:46:22 -0500
Subject: [PATCH] Use GSSAPI fallback skiptest

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,75 @@
From 52eeabfdeb9a91c6e4c7124b38fa6915df37f8bf Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:25:22 -0500
Subject: [PATCH] Use expected_trace in test scripts
(cherry picked from commit 7b7e5d964e5d020fdda3fb9843d9b8cf8b29a6f8)
---
src/tests/t_general.py | 24 ++++++++----------------
src/tests/t_pkinit.py | 15 ++++++---------
2 files changed, 14 insertions(+), 25 deletions(-)
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 6d523fe45..16bf6c5e3 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -47,21 +47,13 @@ if 'not found in Kerberos database' not in out:
fail('Expected error message not seen in kinit -C output')
# Spot-check KRB5_TRACE output
-tracefile = os.path.join(realm.testdir, 'trace')
-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
- input=(password('user') + "\n"))
-f = open(tracefile, 'r')
-trace = f.read()
-f.close()
-expected = ('Sending initial UDP request',
- 'Received answer',
- 'Selected etype info',
- 'AS key obtained',
- 'Decrypted AS reply',
- 'FAST negotiation: available',
- 'Storing user@KRBTEST.COM')
-for e in expected:
- if e not in trace:
- fail('Expected output not in kinit trace log')
+expected_trace = ('Sending initial UDP request',
+ 'Received answer',
+ 'Selected etype info',
+ 'AS key obtained',
+ 'Decrypted AS reply',
+ 'FAST negotiation: available',
+ 'Storing user@KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
success('FAST kinit, trace logging')
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 183977750..f56141564 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -176,19 +176,16 @@ realm.klist(realm.user_princ)
# Test a DH parameter renegotiation by temporarily setting a 4096-bit
# minimum on the KDC.
-tracefile = os.path.join(realm.testdir, 'trace')
minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
realm.stop_kdc()
realm.start_kdc(env=minbits_env)
-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
- 'X509_user_identity=' + file_identity, realm.user_princ])
-with open(tracefile, 'r') as f:
- trace = f.read()
-if ('Key parameters not accepted' not in trace or
- 'Preauth tryagain input types' not in trace or
- 'trying again with KDC-provided parameters' not in trace):
- fail('DH renegotiation steps not found in kinit trace log')
+expected_trace = ('Key parameters not accepted',
+ 'Preauth tryagain input types',
+ 'trying again with KDC-provided parameters')
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % file_identity],
+ expected_trace=expected_trace)
realm.stop_kdc()
realm.start_kdc()

View File

@ -1,4 +1,4 @@
From 215931cd91a160516c5fb8a5fbc8568534c49ff0 Mon Sep 17 00:00:00 2001
From 4963152dc973e8ff74f257f64b0960a7716b480c Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Fri, 10 Feb 2017 12:53:42 -0500
Subject: [PATCH] Use fallback realm for GSSAPI ccache selection
@ -11,11 +11,10 @@ Modify t_ccselect.py tests to account for fallback behavior.
ticket: 8549 (new)
(cherry picked from commit 234b64bd6139d5b75dadd5abbd5bef5a162e298a)
[rharwood@redhat.com conflicts t_ccselect.py]
---
src/lib/krb5/ccache/ccselect.c | 37 +++++++++++++++++++++++++-----
src/tests/gssapi/t_ccselect.py | 51 +++++++++++++++++++++++++++++++++---------
2 files changed, 73 insertions(+), 15 deletions(-)
src/lib/krb5/ccache/ccselect.c | 37 ++++++++++++++++++++++++++-----
src/tests/gssapi/t_ccselect.py | 50 +++++++++++++++++++++++++++++++++---------
2 files changed, 72 insertions(+), 15 deletions(-)
diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
index 2f3071a27..ee4b83a9b 100644
@ -90,7 +89,7 @@ index 2f3071a27..ee4b83a9b 100644
void
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index 6be6b4ec0..c6201ca41 100755
index 1ea614d30..668a2cc62 100755
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -31,12 +31,18 @@ r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000,
@ -117,7 +116,7 @@ index 6be6b4ec0..c6201ca41 100755
# refserver specifies the target as a principal in the referral realm.
# The principal won't be treated as a host principal by the
@@ -67,6 +73,16 @@ r1.addprinc(alice, password('alice'))
@@ -66,6 +72,16 @@ r1.addprinc(alice, password('alice'))
r1.addprinc(bob, password('bob'))
r2.addprinc(zaphod, password('zaphod'))
@ -134,7 +133,7 @@ index 6be6b4ec0..c6201ca41 100755
# Get tickets for one user in each realm (zaphod will be primary).
r1.kinit(alice, password('alice'))
r2.kinit(zaphod, password('zaphod'))
@@ -94,10 +110,24 @@ if output != (zaphod + '\n'):
@@ -93,10 +109,24 @@ if output != (zaphod + '\n'):
fail('zaphod not chosen as default initiator name for server in r1')
# Check that primary cache is used if server realm is unknown.
@ -161,7 +160,7 @@ index 6be6b4ec0..c6201ca41 100755
# Get a second cred in r1 (bob will be primary).
r1.kinit(bob, password('bob'))
@@ -105,20 +135,21 @@ r1.kinit(bob, password('bob'))
@@ -104,19 +134,19 @@ r1.kinit(bob, password('bob'))
# Try some cache selections using .k5identity.
k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
k5id.write('%s realm=%s\n' % (alice, r1.realm))
@ -179,10 +178,8 @@ index 6be6b4ec0..c6201ca41 100755
output = r1.run(['./t_ccselect', refserver])
if output != (bob + '\n'):
fail('bob not chosen via primary cache when no .k5identity line matches.')
-output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
if 'Can\'t find client principal noprinc' not in output:
fail('Expected error not seen when k5identity selects bad principal.')
-r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1,
+r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1,
+ expected_msg="Can't find client principal noprinc")
expected_msg="Can't find client principal noprinc")
success('GSSAPI credential selection tests')

View File

@ -1,4 +1,4 @@
From c55b08e88c43486769dbf63a245e4097db71e0d3 Mon Sep 17 00:00:00 2001
From 1d729e7bd01cd0a5e4db0ba16fc5058b21b4abb2 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 5 Apr 2017 16:48:55 -0400
Subject: [PATCH] Use the canonical client principal name for OTP
@ -8,7 +8,6 @@ canonicalized client principal (using the new client_name kdcpreauth
callback) instead of the request client principal.
ticket: 8571 (new)
(cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
---
src/plugins/preauth/otp/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist}
Release: 10%{?dist}
Release: 11%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -51,29 +51,32 @@ Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
Source100: noport.c
Patch1: krb5-1.12.1-pam.patch
Patch2: krb5-1.15.1-selinux-label.patch
Patch3: krb5-1.12-ksu-path.patch
Patch4: krb5-1.12-ktany.patch
Patch5: krb5-1.15-beta1-buildconf.patch
Patch6: krb5-1.3.1-dns.patch
Patch7: krb5-1.12-api.patch
Patch8: krb5-1.13-dirsrv-accountlock.patch
Patch9: krb5-1.9-debuginfo.patch
Patch10: krb5-1.11-run_user_0.patch
Patch11: krb5-1.11-kpasswdtest.patch
Patch12: Build-with-Werror-implicit-int-where-supported.patch
Patch15: Use-fallback-realm-for-GSSAPI-ccache-selection.patch
Patch16: Use-GSSAPI-fallback-skiptest.patch
Patch17: Improve-PKINIT-UPN-SAN-matching.patch
Patch18: Add-test-cert-generation-to-make-certs.sh.patch
Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
Patch20: Deindent-crypto_retrieve_X509_sans.patch
Patch22: Add-the-client_name-kdcpreauth-callback.patch
Patch23: Use-the-canonical-client-principal-name-for-OTP.patch
Patch24: Add-certauth-pluggable-interface.patch
Patch25: Correct-error-handling-bug-in-prior-commit.patch
Patch26: Add-k5test-expected_msg-expected_trace.patch
Patch26: krb5-1.12.1-pam.patch
Patch27: krb5-1.15.1-selinux-label.patch
Patch28: krb5-1.12-ksu-path.patch
Patch29: krb5-1.12-ktany.patch
Patch30: krb5-1.15-beta1-buildconf.patch
Patch31: krb5-1.3.1-dns.patch
Patch32: krb5-1.12-api.patch
Patch33: krb5-1.13-dirsrv-accountlock.patch
Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.11-run_user_0.patch
Patch36: krb5-1.11-kpasswdtest.patch
Patch37: Build-with-Werror-implicit-int-where-supported.patch
Patch38: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
Patch39: Add-test-case-for-PKINIT-DH-renegotiation.patch
Patch40: Use-expected_trace-in-test-scripts.patch
Patch41: Use-expected_msg-in-test-scripts.patch
Patch42: Use-fallback-realm-for-GSSAPI-ccache-selection.patch
Patch43: Use-GSSAPI-fallback-skiptest.patch
Patch44: Improve-PKINIT-UPN-SAN-matching.patch
Patch45: Add-test-cert-generation-to-make-certs.sh.patch
Patch46: Deindent-crypto_retrieve_X509_sans.patch
Patch47: Add-the-client_name-kdcpreauth-callback.patch
Patch48: Use-the-canonical-client-principal-name-for-OTP.patch
Patch49: Add-certauth-pluggable-interface.patch
Patch50: Correct-error-handling-bug-in-prior-commit.patch
Patch51: Add-k5test-expected_msg-expected_trace.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -731,6 +734,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Fri Jun 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-11
- Include more test suite changes from upstream
- Resolves: #1464381
* Wed Jun 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-10
- Fix custom build with -DDEBUG