Include more test suite changes from upstream

Resolves: #1464381

Add-PKINIT-UPN-tests-to-t_pkinit.py.patch

@@ -1,4 +1,4 @@
-From e03e4c839a67da9b6f4135999de653d22118d8a3 Mon Sep 17 00:00:00 2001
+From 2f84634c8227d2f43daf9a6135766c6e1901851f Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Fri, 9 Dec 2016 11:43:27 -0500
 Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py

Add-certauth-pluggable-interface.patch

@@ -1,4 +1,4 @@
-From f113cd5a3d043493c8d4c53dd346b290a0959de9 Mon Sep 17 00:00:00 2001
+From 14455b071bab5ed93e42df84dc0b0e5f889cb98b Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Tue, 28 Feb 2017 15:55:24 -0500
 Subject: [PATCH] Add certauth pluggable interface

Add-k5test-expected_msg-expected_trace.patch

@@ -1,4 +1,4 @@
-From 166c5212d1954c6ac8d445485c47cc88b3802907 Mon Sep 17 00:00:00 2001
+From 1f7e1ce67d885bce613030099df9a95e7671055e Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 17 Jan 2017 11:24:41 -0500
 Subject: [PATCH] Add k5test expected_msg, expected_trace

Add-test-case-for-PKINIT-DH-renegotiation.patch

@@ -0,0 +1,45 @@
+From 9cd133e626f114c9a11d6d731f7f97072d59e20f Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 11 Jan 2017 10:49:30 -0500
+Subject: [PATCH] Add test case for PKINIT DH renegotiation
+
+In t_pkinit.py, add a PKINIT test case where the KDC sends
+KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the
+KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method.
+Use the trace log to verify that the renegotiation actually takes
+place.
+
+(cherry picked from commit 7ad7eb7fd591e6c789ea24b94eccbf74ee4d79f8)
+---
+ src/tests/t_pkinit.py | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index ac4d326b6..183977750 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -174,6 +174,24 @@ realm.kinit(realm.user_princ,
+                    '-X', 'flag_RSA_PROTOCOL=yes'])
+ realm.klist(realm.user_princ)
+ 
++# Test a DH parameter renegotiation by temporarily setting a 4096-bit
++# minimum on the KDC.
++tracefile = os.path.join(realm.testdir, 'trace')
++minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
++minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
++realm.stop_kdc()
++realm.start_kdc(env=minbits_env)
++realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
++           'X509_user_identity=' + file_identity, realm.user_princ])
++with open(tracefile, 'r') as f:
++    trace = f.read()
++if ('Key parameters not accepted' not in trace or
++    'Preauth tryagain input types' not in trace or
++    'trying again with KDC-provided parameters' not in trace):
++    fail('DH renegotiation steps not found in kinit trace log')
++realm.stop_kdc()
++realm.start_kdc()
++
+ # Run the basic test - PKINIT with FILE: identity, with a password on the key,
+ # supplied by the prompter.
+ # Expect failure if the responder does nothing, and we have no prompter.

Add-test-cert-generation-to-make-certs.sh.patch

@@ -1,4 +1,4 @@
-From 44dc9a14f03408f96a38a38aa7b0547e63501bfa Mon Sep 17 00:00:00 2001
+From d81c0069df0f18574bc0beb7e45139f6d2bc3849 Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Mon, 5 Dec 2016 12:22:45 -0500
 Subject: [PATCH] Add test cert generation to make-certs.sh

Add-the-client_name-kdcpreauth-callback.patch

@@ -1,4 +1,4 @@
-From b7195f09475da34a227db8dae813a54b0353d447 Mon Sep 17 00:00:00 2001
+From 405a88caf62483bd077f6d98aa5f1adc9fbdff64 Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Tue, 4 Apr 2017 16:54:56 -0400
 Subject: [PATCH] Add the client_name() kdcpreauth callback

Correct-error-handling-bug-in-prior-commit.patch

@@ -1,4 +1,4 @@
-From ec5bfaec762cff5eea4cac43a5be59992616fc27 Mon Sep 17 00:00:00 2001
+From 7fa2848a550bda947a6e425babb3f529b7e28ab6 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 23 Mar 2017 13:42:55 -0400
 Subject: [PATCH] Correct error handling bug in prior commit

Deindent-crypto_retrieve_X509_sans.patch

@@ -1,4 +1,4 @@
-From f6fbff49c51b8126818c9036d207911c3e23b9de Mon Sep 17 00:00:00 2001
+From ca1ab893b3590ab887f7c0f4a41ad6b2fddf3421 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Wed, 4 Jan 2017 11:33:57 -0500
 Subject: [PATCH] Deindent crypto_retrieve_X509_sans()

Improve-PKINIT-UPN-SAN-matching.patch

@@ -1,4 +1,4 @@
-From c0472687218a6e2bfd7b55e7aa85633d9f8e2673 Mon Sep 17 00:00:00 2001
+From 84e4545db26e31ae69da8559128513157f533858 Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Mon, 5 Dec 2016 12:17:59 -0500
 Subject: [PATCH] Improve PKINIT UPN SAN matching

Use-GSSAPI-fallback-skiptest.patch

@@ -1,4 +1,4 @@
-From 659b4dd127cdd001e34ea4faf30885f7b1bc4945 Mon Sep 17 00:00:00 2001
+From ad17859c5d428be38bb51b6202e1ce256790beb5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 1 Mar 2017 17:46:22 -0500
 Subject: [PATCH] Use GSSAPI fallback skiptest

Use-expected_trace-in-test-scripts.patch

@@ -0,0 +1,75 @@
+From 52eeabfdeb9a91c6e4c7124b38fa6915df37f8bf Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 17 Jan 2017 11:25:22 -0500
+Subject: [PATCH] Use expected_trace in test scripts
+
+(cherry picked from commit 7b7e5d964e5d020fdda3fb9843d9b8cf8b29a6f8)
+---
+ src/tests/t_general.py | 24 ++++++++----------------
+ src/tests/t_pkinit.py  | 15 ++++++---------
+ 2 files changed, 14 insertions(+), 25 deletions(-)
+
+diff --git a/src/tests/t_general.py b/src/tests/t_general.py
+index 6d523fe45..16bf6c5e3 100755
+--- a/src/tests/t_general.py
++++ b/src/tests/t_general.py
+@@ -47,21 +47,13 @@ if 'not found in Kerberos database' not in out:
+     fail('Expected error message not seen in kinit -C output')
+ 
+ # Spot-check KRB5_TRACE output
+-tracefile = os.path.join(realm.testdir, 'trace')
+-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
+-          input=(password('user') + "\n"))
+-f = open(tracefile, 'r')
+-trace = f.read()
+-f.close()
+-expected = ('Sending initial UDP request',
+-            'Received answer',
+-            'Selected etype info',
+-            'AS key obtained',
+-            'Decrypted AS reply',
+-            'FAST negotiation: available',
+-            'Storing user@KRBTEST.COM')
+-for e in expected:
+-    if e not in trace:
+-        fail('Expected output not in kinit trace log')
++expected_trace = ('Sending initial UDP request',
++                  'Received answer',
++                  'Selected etype info',
++                  'AS key obtained',
++                  'Decrypted AS reply',
++                  'FAST negotiation: available',
++                  'Storing user@KRBTEST.COM')
++realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
+ 
+ success('FAST kinit, trace logging')
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index 183977750..f56141564 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -176,19 +176,16 @@ realm.klist(realm.user_princ)
+ 
+ # Test a DH parameter renegotiation by temporarily setting a 4096-bit
+ # minimum on the KDC.
+-tracefile = os.path.join(realm.testdir, 'trace')
+ minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
+ minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
+ realm.stop_kdc()
+ realm.start_kdc(env=minbits_env)
+-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
+-           'X509_user_identity=' + file_identity, realm.user_princ])
+-with open(tracefile, 'r') as f:
+-    trace = f.read()
+-if ('Key parameters not accepted' not in trace or
+-    'Preauth tryagain input types' not in trace or
+-    'trying again with KDC-provided parameters' not in trace):
+-    fail('DH renegotiation steps not found in kinit trace log')
++expected_trace = ('Key parameters not accepted',
++                  'Preauth tryagain input types',
++                  'trying again with KDC-provided parameters')
++realm.kinit(realm.user_princ,
++            flags=['-X', 'X509_user_identity=%s' % file_identity],
++            expected_trace=expected_trace)
+ realm.stop_kdc()
+ realm.start_kdc()
+ 

Use-fallback-realm-for-GSSAPI-ccache-selection.patch

@@ -1,4 +1,4 @@
-From 215931cd91a160516c5fb8a5fbc8568534c49ff0 Mon Sep 17 00:00:00 2001
+From 4963152dc973e8ff74f257f64b0960a7716b480c Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Fri, 10 Feb 2017 12:53:42 -0500
 Subject: [PATCH] Use fallback realm for GSSAPI ccache selection
@@ -11,11 +11,10 @@ Modify t_ccselect.py tests to account for fallback behavior.
 
 ticket: 8549 (new)
 (cherry picked from commit 234b64bd6139d5b75dadd5abbd5bef5a162e298a)
-[rharwood@redhat.com conflicts t_ccselect.py]
 ---
- src/lib/krb5/ccache/ccselect.c | 37 +++++++++++++++++++++++++-----
- src/tests/gssapi/t_ccselect.py | 51 +++++++++++++++++++++++++++++++++---------
- 2 files changed, 73 insertions(+), 15 deletions(-)
+ src/lib/krb5/ccache/ccselect.c | 37 ++++++++++++++++++++++++++-----
+ src/tests/gssapi/t_ccselect.py | 50 +++++++++++++++++++++++++++++++++---------
+ 2 files changed, 72 insertions(+), 15 deletions(-)
 
 diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
 index 2f3071a27..ee4b83a9b 100644
@@ -90,7 +89,7 @@ index 2f3071a27..ee4b83a9b 100644
  
  void
 diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
-index 6be6b4ec0..c6201ca41 100755
+index 1ea614d30..668a2cc62 100755
 --- a/src/tests/gssapi/t_ccselect.py
 +++ b/src/tests/gssapi/t_ccselect.py
 @@ -31,12 +31,18 @@ r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000,
@@ -117,7 +116,7 @@ index 6be6b4ec0..c6201ca41 100755
  
  # refserver specifies the target as a principal in the referral realm.
  # The principal won't be treated as a host principal by the
-@@ -67,6 +73,16 @@ r1.addprinc(alice, password('alice'))
+@@ -66,6 +72,16 @@ r1.addprinc(alice, password('alice'))
  r1.addprinc(bob, password('bob'))
  r2.addprinc(zaphod, password('zaphod'))
  
@@ -134,7 +133,7 @@ index 6be6b4ec0..c6201ca41 100755
  # Get tickets for one user in each realm (zaphod will be primary).
  r1.kinit(alice, password('alice'))
  r2.kinit(zaphod, password('zaphod'))
-@@ -94,10 +110,24 @@ if output != (zaphod + '\n'):
+@@ -93,10 +109,24 @@ if output != (zaphod + '\n'):
      fail('zaphod not chosen as default initiator name for server in r1')
  
  # Check that primary cache is used if server realm is unknown.
@@ -161,7 +160,7 @@ index 6be6b4ec0..c6201ca41 100755
  
  # Get a second cred in r1 (bob will be primary).
  r1.kinit(bob, password('bob'))
-@@ -105,20 +135,21 @@ r1.kinit(bob, password('bob'))
+@@ -104,19 +134,19 @@ r1.kinit(bob, password('bob'))
  # Try some cache selections using .k5identity.
  k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
  k5id.write('%s realm=%s\n' % (alice, r1.realm))
@@ -179,10 +178,8 @@ index 6be6b4ec0..c6201ca41 100755
  output = r1.run(['./t_ccselect', refserver])
  if output != (bob + '\n'):
      fail('bob not chosen via primary cache when no .k5identity line matches.')
--output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
- if 'Can\'t find client principal noprinc' not in output:
-     fail('Expected error not seen when k5identity selects bad principal.')
+-r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1,
 +r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1,
-+       expected_msg="Can't find client principal noprinc")
+        expected_msg="Can't find client principal noprinc")
  
  success('GSSAPI credential selection tests')

Use-the-canonical-client-principal-name-for-OTP.patch

@@ -1,4 +1,4 @@
-From c55b08e88c43486769dbf63a245e4097db71e0d3 Mon Sep 17 00:00:00 2001
+From 1d729e7bd01cd0a5e4db0ba16fc5058b21b4abb2 Mon Sep 17 00:00:00 2001
 From: Matt Rogers <mrogers@redhat.com>
 Date: Wed, 5 Apr 2017 16:48:55 -0400
 Subject: [PATCH] Use the canonical client principal name for OTP
@@ -8,7 +8,6 @@ canonicalized client principal (using the new client_name kdcpreauth
 callback) instead of the request client principal.
 
 ticket: 8571 (new)
-(cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
 ---
  src/plugins/preauth/otp/main.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

krb5.spec

@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
 # for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 10%{?dist}
+Release: 11%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -51,29 +51,32 @@ Source39: krb5-krb5kdc.conf
 # Carry this locally until it's available in a packaged form.
 Source100: noport.c
 
-Patch1: krb5-1.12.1-pam.patch
-Patch2: krb5-1.15.1-selinux-label.patch
-Patch3: krb5-1.12-ksu-path.patch
-Patch4: krb5-1.12-ktany.patch
-Patch5: krb5-1.15-beta1-buildconf.patch
-Patch6: krb5-1.3.1-dns.patch
-Patch7: krb5-1.12-api.patch
-Patch8: krb5-1.13-dirsrv-accountlock.patch
-Patch9: krb5-1.9-debuginfo.patch
-Patch10: krb5-1.11-run_user_0.patch
-Patch11: krb5-1.11-kpasswdtest.patch
-Patch12: Build-with-Werror-implicit-int-where-supported.patch
-Patch15: Use-fallback-realm-for-GSSAPI-ccache-selection.patch
-Patch16: Use-GSSAPI-fallback-skiptest.patch
-Patch17: Improve-PKINIT-UPN-SAN-matching.patch
-Patch18: Add-test-cert-generation-to-make-certs.sh.patch
-Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
-Patch20: Deindent-crypto_retrieve_X509_sans.patch
-Patch22: Add-the-client_name-kdcpreauth-callback.patch
-Patch23: Use-the-canonical-client-principal-name-for-OTP.patch
-Patch24: Add-certauth-pluggable-interface.patch
-Patch25: Correct-error-handling-bug-in-prior-commit.patch
-Patch26: Add-k5test-expected_msg-expected_trace.patch
+Patch26: krb5-1.12.1-pam.patch
+Patch27: krb5-1.15.1-selinux-label.patch
+Patch28: krb5-1.12-ksu-path.patch
+Patch29: krb5-1.12-ktany.patch
+Patch30: krb5-1.15-beta1-buildconf.patch
+Patch31: krb5-1.3.1-dns.patch
+Patch32: krb5-1.12-api.patch
+Patch33: krb5-1.13-dirsrv-accountlock.patch
+Patch34: krb5-1.9-debuginfo.patch
+Patch35: krb5-1.11-run_user_0.patch
+Patch36: krb5-1.11-kpasswdtest.patch
+Patch37: Build-with-Werror-implicit-int-where-supported.patch
+Patch38: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
+Patch39: Add-test-case-for-PKINIT-DH-renegotiation.patch
+Patch40: Use-expected_trace-in-test-scripts.patch
+Patch41: Use-expected_msg-in-test-scripts.patch
+Patch42: Use-fallback-realm-for-GSSAPI-ccache-selection.patch
+Patch43: Use-GSSAPI-fallback-skiptest.patch
+Patch44: Improve-PKINIT-UPN-SAN-matching.patch
+Patch45: Add-test-cert-generation-to-make-certs.sh.patch
+Patch46: Deindent-crypto_retrieve_X509_sans.patch
+Patch47: Add-the-client_name-kdcpreauth-callback.patch
+Patch48: Use-the-canonical-client-principal-name-for-OTP.patch
+Patch49: Add-certauth-pluggable-interface.patch
+Patch50: Correct-error-handling-bug-in-prior-commit.patch
+Patch51: Add-k5test-expected_msg-expected_trace.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -731,6 +734,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Fri Jun 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-11
+- Include more test suite changes from upstream
+- Resolves: #1464381
+
 * Wed Jun 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-10
 - Fix custom build with -DDEBUG