From 19a80c56ec5d1b303b72bd7a7b058f1d9075d710 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Fri, 8 Jan 2010 23:43:05 +0000
Subject: [PATCH] pull up r23602, r23604, r23605 from trunk
------------------------------------------------------------------------
r23605 | hartmans | 2010-01-07 13:35:15 -0500 (Thu, 07 Jan 2010) | 4 lines
ticket: 6624
Revert change to Makefile.in that ended up not being needed
------------------------------------------------------------------------
r23604 | hartmans | 2010-01-07 13:32:20 -0500 (Thu, 07 Jan 2010) | 10 lines
Subject: automated tests for anonymous pkinit
ticket: 6624
target_version: 1.8
tags: pullup
Implement tests for anonymous pkinit. A certificate and private key are checked in; these tests will stop working in 2023. Note that r23602 needs to be pulled up before this ticket.
------------------------------------------------------------------------
r23602 | ghudson | 2010-01-07 12:26:58 -0500 (Thu, 07 Jan 2010) | 4 lines
Make preauth_module_dir override, rather than supplement, the built-in path list, to avoid problems with running the same preauth module twice.
ticket: 6624
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23617 dc483132-0cff-0310-8789-dd5450dbe970
---
src/kdc/kdc_preauth.c | 43 +++++--------------
src/lib/krb5/krb/preauth2.c | 43 +++++--------------
src/tests/dejagnu/config/default.exp | 22 ++++++++++
.../dejagnu/krb-standalone/standalone.exp | 11 +++++
src/tests/dejagnu/pkinit-certs/ca.pem | 29 +++++++++++++
src/tests/dejagnu/pkinit-certs/kdc.pem | 25 +++++++++++
src/tests/dejagnu/pkinit-certs/privkey.pem | 27 ++++++++++++
7 files changed, 134 insertions(+), 66 deletions(-)
create mode 100644 src/tests/dejagnu/pkinit-certs/ca.pem
create mode 100644 src/tests/dejagnu/pkinit-certs/kdc.pem
create mode 100644 src/tests/dejagnu/pkinit-certs/privkey.pem
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 18052cf4e..c5dfb1f9b 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -391,45 +391,22 @@ static struct plugin_dir_handle preauth_plugins; /* Open plugin directories for preauth modules. */ static krb5_error_code
-open_preauth_plugin_dirs(krb5_context kcontext)
+open_preauth_plugin_dirs(krb5_context ctx) { static const char *path[] = { KRB5_CONF_LIBDEFAULTS, KRB5_CONF_PREAUTH_MODULE_DIR, NULL, }; char **profpath = NULL;
- const char **plugindirs = NULL;
- size_t nprofdirs, nobjdirs;
- krb5_error_code retval;
-
- /* Fetch the list of paths specified in the profile, if any. */
- retval = profile_get_values(kcontext->profile, path, &profpath);
- if (retval != 0 && retval != PROF_NO_RELATION)
- return retval;
-
- /* Count the number of profile dirs. */
- nprofdirs = 0;
- if (profpath) {
- while (profpath[nprofdirs] != NULL)
- nprofdirs++;
- }
-
- nobjdirs = sizeof(objdirs) / sizeof(*objdirs);
- plugindirs = k5alloc((nprofdirs + nobjdirs) * sizeof(char *), &retval);
- if (retval != 0)
- goto cleanup;
-
- /* Concatenate the profile and hardcoded directory lists. */
- if (profpath)
- memcpy(plugindirs, profpath, nprofdirs * sizeof(char *));
- memcpy(plugindirs + nprofdirs, objdirs, nobjdirs * sizeof(char *));
-
- retval = krb5int_open_plugin_dirs(plugindirs, NULL, &preauth_plugins,
- &kcontext->err);
-
-cleanup:
+ const char **dirs;
+ krb5_error_code ret;
+
+ ret = profile_get_values(ctx->profile, path, &profpath);
+ if (ret != 0 && ret != PROF_NO_RELATION)
+ return ret;
+ dirs = (profpath != NULL) ? (const char **) profpath : objdirs;
+ ret = krb5int_open_plugin_dirs(dirs, NULL, &preauth_plugins, &ctx->err); profile_free_list(profpath);
- free(plugindirs);
- return retval;
+ return ret; } krb5_error_code
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index d1d2827de..cf99a29b1 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
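Review bot: The rewritten body of open_preauth_plugin_dirs drops the comments that explained the profile lookup, and nothing in the new code records that a profile preauth_module_dir list now replaces the built-in objdirs list instead of being prepended to it; the hunk in src/lib/krb5/krb/preauth2.c has the same gap. A reader who sees only `dirs = (profpath != NULL) ? (const char **) profpath : objdirs;` may well "fix" it back to concatenation and reintroduce the double-load the commit message describes. Suggest a comment above that line: `/* A preauth_module_dir list in the profile overrides the built-in objdirs rather than extending it, so a module present in both is never loaded twice. */`. The override also means an operator who sets the option must list every directory they want searched, including the built-in one, which presumably belongs in the admin documentation rather than in this file.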
@@ -72,46 +72,23 @@ typedef struct _pa_types_t { /* Open plugin directories for preauth modules. */ static krb5_error_code
-open_preauth_plugin_dirs(krb5_context kcontext)
+open_preauth_plugin_dirs(krb5_context ctx) { static const char *path[] = { KRB5_CONF_LIBDEFAULTS, KRB5_CONF_PREAUTH_MODULE_DIR, NULL, }; char **profpath = NULL;
- const char **plugindirs = NULL;
- size_t nprofdirs, nobjdirs;
- krb5_error_code retval;
-
- /* Fetch the list of paths specified in the profile, if any. */
- retval = profile_get_values(kcontext->profile, path, &profpath);
- if (retval != 0 && retval != PROF_NO_RELATION)
- return retval;
-
- /* Count the number of profile dirs. */
- nprofdirs = 0;
- if (profpath) {
- while (profpath[nprofdirs] != NULL)
- nprofdirs++;
- }
-
- nobjdirs = sizeof(objdirs) / sizeof(*objdirs);
- plugindirs = k5alloc((nprofdirs + nobjdirs) * sizeof(char *), &retval);
- if (retval != 0)
- goto cleanup;
-
- /* Concatenate the profile and hardcoded directory lists. */
- if (profpath)
- memcpy(plugindirs, profpath, nprofdirs * sizeof(char *));
- memcpy(plugindirs + nprofdirs, objdirs, nobjdirs * sizeof(char *));
-
- retval = krb5int_open_plugin_dirs(plugindirs, NULL,
- &kcontext->preauth_plugins,
- &kcontext->err);
+ const char **dirs;
+ krb5_error_code ret;
-cleanup:
+ ret = profile_get_values(ctx->profile, path, &profpath);
+ if (ret != 0 && ret != PROF_NO_RELATION)
+ return ret;
+ dirs = (profpath != NULL) ? (const char **) profpath : objdirs;
+ ret = krb5int_open_plugin_dirs(dirs, NULL, &ctx->preauth_plugins,
+ &ctx->err); profile_free_list(profpath);
- free(plugindirs);
- return retval;
+ return ret; } /* Create the per-krb5_context context. This means loading the modules
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 8e540b3a0..98a9a439b 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -960,7 +960,9 @@ proc setup_krb5_conf { {type client} } { global portbase global KRB5_DB_MODULE_DIR global KRB5_PA_MODULE_DIR
+ global srcdir
+ set pkinit_certs [findfile "[pwd]/$srcdir/pkinit-certs" "[pwd]/$srcdir/pkinit-certs" "$srcdir/pkinit-certs"] # Create a krb5.conf file. if { ![file exists $tmppwd/krb5.$type.conf] \ || $last_passname_conf != $multipass_name } {
@@ -973,6 +975,7 @@ proc setup_krb5_conf { {type client} } { } else { puts $conffile " allow_weak_crypto = true" }
+ puts $conffile " pkinit_anchors = FILE:$pkinit_certs/ca.pem" if [info exists default_tgs_enctypes($type)] { puts $conffile \ " default_tgs_enctypes = $default_tgs_enctypes($type)"
@@ -1000,6 +1003,8 @@ proc setup_krb5_conf { {type client} } { # failures. If we were running the client and KDC on different # hosts, this would be okay.... #puts $conffile " kdc = $hostname:[expr 6 + $portbase]"
+ puts $conffile " pkinit_identity = FILE:$pkinit_certs/kdc.pem,$pkinit_certs/privkey.pem"
+ puts $conffile " pkinit_anchors = FILE:$pkinit_certs/ca.pem" puts $conffile " kdc = $hostname:[expr 1 + $portbase]" puts $conffile " admin_server = $hostname:[expr 4 + $portbase]" puts $conffile " kpasswd_server = $hostname:[expr 5 + $portbase]"
@@ -2257,6 +2262,23 @@ proc kinit_fast { name pass standalone } { return 1 }
+proc kinit_anonymous { name } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ # Use kinit to get a ticket.
+ #
+ spawn $KINIT -5 -f -n $name@$REALMNAME
+ expect eof
+ if ![check_exit_status kinit] {
+ fail "kinit anonymous"
+ }
+
+ pass "kinit anonymous"
+ return 1
+}
+
 proc kinit_kt { name keytab standalone testname } { global REALMNAME global KINIT
diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp
index 068495ffd..c511798b4 100644
--- a/src/tests/dejagnu/krb-standalone/standalone.exp
+++ b/src/tests/dejagnu/krb-standalone/standalone.exp
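Review bot: In the new kinit_anonymous proc, `fail "kinit anonymous"` is not followed by a return, so when kinit exits non-zero the proc falls through to `pass "kinit anonymous"` and `return 1`, recording both a fail and a pass for the same step and telling the caller it succeeded. Add `return 0` inside that if-block, which also matches the return-value convention the neighbouring kinit_* procs appear to use (kinit_fast's `return 1` is visible in the context). Beyond exit status, the test never inspects what was obtained; running klist on the resulting cache and matching the anonymous client principal would confirm the credential really is anonymous rather than merely that kinit returned 0. The two pkinit_anchors lines in the earlier hunks duplicate the same value in [libdefaults] and the realm stanza, which is presumably deliberate so both client and KDC find it, but a one-line comment saying so would stop someone removing one.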
@@ -138,6 +138,8 @@ proc doit { } { global KRBIV global portbase global mode
+ global tmppwd
+ global KRB5_PA_MODULE_DIR setup_kerberos_env kdc
@@ -224,6 +226,15 @@ proc doit { } { # Double check that the ticket was destroyed. if ![do_klist_err "klist after destroy"] { return }
+ if ![add_random_key WELLKNOWN/ANONYMOUS 0] {
+ return
+ }
+
+ # If we have anonymous then test it
+ if [file exists "$tmppwd/../../../util/fakedest$KRB5_PA_MODULE_DIR/pkinit.so" ] {
+ kinit_anonymous "WELLKNOWN/ANONYMOUS"
+ }
+
 if ![add_random_key foo/bar 1] { return }
diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem
new file mode 100644
index 000000000..55fe02c92
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/ca.pem
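Review bot: The anonymous test is skipped silently when `$tmppwd/../../../util/fakedest$KRB5_PA_MODULE_DIR/pkinit.so` is absent, so a build in which the pkinit module failed to build or was installed elsewhere reports neither a pass, a fail nor an unsupported for this case and the regression goes unnoticed. Adding `else { unsupported "kinit anonymous" }` after the if-block keeps the omission visible in the DejaGnu summary. The existence check also hard-codes the fakedest layout as a `../../../` walk from $tmppwd; if the harness already has a variable naming the fake install root it would be more robust to use it, though none is visible in this hunk. The return value of kinit_anonymous is discarded, which is consistent with the step being optional, but a short comment saying that is intended would help; doit's body continues outside the hunk.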
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5TCCA82gAwIBAgIJANsFDWp1HgAaMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD
+VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJp
+ZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJi
+ZXJvcyB0ZXN0IENBMTMwMQYDVQQDFCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8g
+bm90IHVzZSBvdGhlcndpc2UwHhcNMTAwMTA2MTQ1MTI3WhcNMjMwOTE1MTQ1MTI3
+WjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV
+BAcTCUNhbWJyaWRnZTEMMAoGA1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQ
+a2luaXQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3Vp
+dGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn
+ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K
+ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7
+5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc
+5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW
+riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4IBEDCCAQwwHQYDVR0O
+BBYEFFn82RUKgTvkFn0cgwyCQpNeWCxYMIHcBgNVHSMEgdQwgdGAFFn82RUKgTvk
+Fn0cgwyCQpNeWCxYoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
+c2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAn
+BgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQD
+FCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCCQDb
+BQ1qdR4AGjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBVL2Q6Xubs
+gm881cAy6esku17/BSTZur7hCLHTGof1ZKNcCXALjmwNYNC3tl6owqpX8CSdBdsD
+Bw/Vs9p3mqnaVEoZc8uW8zS6LoAQbcqiYdQHdEXMh3ec8uvAfmdlQsIsm5Ux8q8L
+NM6bKnUOqOFOHme+RC4FGOLb8JqnnuQdwyIZaUyQP6hXbw4zyDphfgo1ZlZn20xh
+I555kPfAZKEi/d3WY0oN4k+sfCs9tWRNjmqZfKkH1OqRpjCFGG0b0vY77MFRMuPz
+YtN2iD3plgla7KkUMljp9th/Z8Ok79uA1TNLYKzoBjlAX0vToxfa8rrSNo1dHFKT
+e5Tj7+29DE4I
+-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem
new file mode 100644
index 000000000..5575ab579
--- /dev/null
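Review bot: The three new fixture files appear to share a single RSA key: the same base64 run (`nYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn`) occurs in ca.pem, kdc.pem and privkey.pem, and what looks like the same key identifier (`FFn82RUKgTvkFn0cgwyCQpNeWCxY`) appears in both certificates, so the checked-in private key would be the test CA's signing key as well as the KDC's identity key. That is tolerable for a fixture whose CA name reads "do not use otherwise", but it means the KDC certificate is effectively self-authenticating and the test never exercises the ordinary case of a KDC key distinct from the CA key; a separately generated KDC key would bring the fixture closer to a real deployment. Whichever is chosen, a README in src/tests/dejagnu/pkinit-certs/ should state that the key is a published test-only key, whether the CA and KDC share it, the expiry the commit message mentions (2023) and how to regenerate the set, so the next maintainer need not re-derive this from the base64. Nothing in the test suite itself warns as that expiry approaches.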
+++ b/src/tests/dejagnu/pkinit-certs/kdc.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMjCCAxqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
+A1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQa2luaXQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTEwMDEwNjE0NTgwOFoXDTIzMDkxNTE0NTgwOFowSjELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxFTATBgNVBAoTDEtSQlRF
+U1QuQ09NIDEMMAoGA1UECxMDS0RDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmnZejPSKdN
+MyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6KueerevR3
+pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY75NbXGIE4
+88iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc5dBSqBwV
+cjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOWriIRmsqq
+81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4HEMIHBMAkGA1UdEwQCMAAwCwYD
+VR0PBAQDAgPoMBIGA1UdJQQLMAkGBysGAQUCAwUwHQYDVR0OBBYEFFn82RUKgTvk
+Fn0cgwyCQpNeWCxYMB8GA1UdIwQYMBaAFFn82RUKgTvkFn0cgwyCQpNeWCxYMAkG
+A1UdEgQCMAAwSAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC0tSQlRFU1QuQ09N
+oSAwHqADAgEBoRcwFRsGa3JidGd0GwtLUkJURVNULkNPTTANBgkqhkiG9w0BAQUF
+AAOCAQEAP0byILHLWPyGlv/1HN34DfIpLdVkgGar2yceMtZ2v/7UjeA5PlZc8DFM
+20bTq/vIN0eWDTPLI57e+MzQTMxs2UHsic4su0m5DG0cvQTsBXRK51CW/qUF+4n0
+qSEORULiDF6LNoo8akoLukNBhzBh+aqYt4aB46hhsmDmNZTDP1CXsNGHQI9/L52l
+oqpUGx8tBpKIFos95PSajXrQn2u66rSMMi4aawitM2igurHPDMbC+XvEYMtXpOS5
+3PEzXEYiSV3TWLTzIE9ytswHeZyHCbp7XHx0LVZFxzqtIe4qmwJJOGhlbH21Izr4
+feF5h5e2ZrOVREY4cKkJmJhEwsqBVA==
+-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem
new file mode 100644
index 000000000..1825dec4e
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/privkey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn
+ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K
+ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7
+5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc
+5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW
+riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABAoIBAQCSMh5Tu9S2yUwM
+dEZmZiGxhuf+anAZZAOjqT4QeLI/Fmu3yBNM7rq+p7JrAabyp6pOq46EsXXyWtWS
+SB742wWUk2quGMNVQAj0TAJyhNgGstr+XJu8k8BBPnlycobhF0lP/oH+uQifl0KR
+iSoWLjEG5JTOoXs/UAD6nQMBDDhv9TweEwSyIY9jq1J5Q3wVXm/Nr/FJ/8O53guJ
+/TQeo6dtdx6x2+oxKkeWinfxmy2nSoEZd0eb3WUNPZswijO7QgSJolOo83VNqFcn
+lj8hYT41zUM4chple8kGnuSV4ql4a1w/52dSTLKJbgukIqvxeDtKNost344eQqkS
+Lwcc+NO5AoGBAM0bR8TmFlbP4RJAEOOilXTYgP6Ttd1r1mRXGi3DRPyv4EWGT7WW
+MmBHsqU6Mqz+fcoD/AIy1BBdenhaYrrwyCSvitJpoHPjqzOJDX33wUcrnYeincQ3
+PVzpF41O45vTmm692DSJ8t/uR8DhGpCzf/kxuA9ixvdKgMPgBHYeb5zlAoGBAMSY
+KZvgwbtlRR25CGaUgOCHtW76puaPcyxEeCbJEKkJO1vZDAf8vi1zXOM4e/gorKHm
+349ZrBQfFCrvtZG//KvI12MpjBs0Z/ijSCwS4EkYJaSH+Hm+1ygLdArwWEFkNncL
+qQ+Wme1OUoDiAAxRiBKUxUF/pAQqn7X+0MGa2th3AoGBAJ8kRaFu7XJaRUZF01Ts
+d4571kqxDXFKFMUyGCvd0Q9G33rSZdJ9QYUW3HP7HgrAQ5WVVdnW2lgAT+BGMUjf
+PkvIsKvmLQr+YX3RH1jX/W1dWBM/h64RNll6uj14Mn5bxv2Z68GIL5y0Y5QylMwl
+mmwdubSmbb6+Xf6dOJj1sKBJAoGBAJwP0tAMHp6daL2Mmk+cSaZz9KJx1bYnYB1f
+CSZ47IHTc0yZQ0S/7VR1ROKXf0njOA+aEBRi8ghTF5ZyDefyySixWdI9NByQgIzP
+Sca7AVLlGVTAH4694VzHosngO59FZzsfhYh7XBwW1cW8Ip+kxWlCskgphFFOaNR3
+wM5AGMRHAoGAJELs9VYPRJd7h4dPUa2RqfVPlYkcMwvoLYykY0wE5mjoNaJkQbUr
+W5aKhidh4h48fImt2rpB6OYSofYC4yu3VDEr/Kl2nSb8UPE5qEd1pvmdkHSxMNkh
+M2diIqot6s2v20lE/6UCqLXonlquRK1MAlyfPw9yZHP9meCvlBsYZXc=
+-----END RSA PRIVATE KEY-----
-- 
2.26.2