From 5116aa0418bb0d3f072a8cca5361503ebde44963 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 26 Mar 2003 05:42:56 +0000
Subject: [PATCH] fix test suite to reflect loss of des3-krb4

Fix a few things broken by fix for MITKRB5-SA-2003-004, since kiniting
to a des3 TGT intentionally no longer works.

Remove code to set up kadmind srvtab, as it's not needed anymore.

ticket: new
status: open
target_version: 1.3
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15303 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/tests/dejagnu/config/ChangeLog            |   6 ++
 src/tests/dejagnu/config/default.exp          | 100 +++---------------
 src/tests/dejagnu/krb-standalone/ChangeLog    |   9 ++
 src/tests/dejagnu/krb-standalone/v4gssftp.exp |   4 +
 .../dejagnu/krb-standalone/v4krb524d.exp      |   4 +
 .../dejagnu/krb-standalone/v4standalone.exp   |   5 +
 6 files changed, 42 insertions(+), 86 deletions(-)

diff --git a/src/tests/dejagnu/config/ChangeLog b/src/tests/dejagnu/config/ChangeLog
index 8fd69dd2f..980203378 100644
--- a/src/tests/dejagnu/config/ChangeLog
+++ b/src/tests/dejagnu/config/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-26  Tom Yu  <tlyu@mit.edu>
+
+	* default.exp (v4kinit): Expect failure when kiniting to a des3
+	TGT, due to fix for MITKRB5-SA-2003-004.
+	(setup_kadmind_srvtab): Remove.  It's not needed anymore.
+
 2003-03-14  Ken Raeburn  <raeburn@mit.edu>
 
 	* default.exp (setup_root_shell): If we get connection refused
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index ececbf7d7..33a751538 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -692,7 +692,6 @@ proc setup_kerberos_files { } {
 	puts $conffile "		database_name = $tmppwd/db"
 	puts $conffile "		admin_database_name = $tmppwd/adb"
 	puts $conffile "		admin_database_lockfile = $tmppwd/adb.lock"
-	puts $conffile "		admin_keytab = $tmppwd/admin-keytab"
 	puts $conffile "		key_stash_file = $tmppwd/stash"
 	puts $conffile "		acl_file = $tmppwd/acl"
 	puts $conffile "		kadmind_port = 3750"
@@ -938,83 +937,6 @@ proc restore_kerberos_env { } {
 
 }
 
-# setup_kadmind_srvtab
-# A procedure to build the srvtab for kadmind5 so that kadmin5 and it
-# may successfully communicate.
-# Returns 1 on success, 0 on failure.
-proc setup_kadmind_srvtab {  } {
-    global REALMNAME
-    global KADMIN_LOCAL
-    global KEY
-    global tmppwd
-
-    catch "exec rm -f $tmppwd/admin-keytab"
-    envstack_push
-    setup_kerberos_env kdc
-    spawn $KADMIN_LOCAL -r $REALMNAME
-    envstack_pop
-    catch expect_after
-    expect_after {
-	-re "(.*)\r\nkadmin.local:  " {
-	    fail "kadmin.local admin-keytab (unmatched output: $expect_out(1,string)"
-	    catch "exec rm -f $tmppwd/admin-keytab"
-	    catch "expect_after"
-	    return 0
-	}
-	timeout {
-	    fail "kadmin.local admin-keytab (timeout)"
-	    catch "exec rm -f $tmppwd/admin-keytab"
-	    catch "expect_after"
-	    return 0
-	}
-	eof {
-	    fail "kadmin.local admin-keytab (eof)"
-	    catch "exec rm -f $tmppwd/admin-keytab"
-	    catch "expect_after"
-	    return 0
-	}
-    }
-    expect "kadmin.local:  "
-    send "xst -k admin-new-srvtab kadmin/admin\r"
-    expect "xst -k admin-new-srvtab kadmin/admin\r\n"
-    expect -re ".*Entry for principal kadmin/admin.* added to keytab WRFILE:admin-new-srvtab."
-    expect "kadmin.local:  "
-
-    catch "exec mv -f admin-new-srvtab changepw-new-srvtab" exec_output
-    if ![string match "" $exec_output] {
-	verbose -log "$exec_output"
-	perror "can't mv admin-new-srvtab"
-	catch expect_after
-	return 0
-    }
-
-    send "xst -k changepw-new-srvtab kadmin/changepw\r"
-    expect "xst -k changepw-new-srvtab kadmin/changepw\r\n"
-    expect -re ".*Entry for principal kadmin/changepw.* added to keytab WRFILE:changepw-new-srvtab."
-    expect "kadmin.local:  "
-    send "quit\r"
-    expect eof
-    catch expect_after
-    if ![check_exit_status "kadmin.local admin-keytab"] {
-	catch "exec rm -f $tmppwd/admin-keytab"
-	perror "kadmin.local admin-keytab exited abnormally"
-	return 0
-    }
-
-    catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output
-    if ![string match "" $exec_output] {
-	verbose -log "$exec_output"
-	perror "can't mv new admin-keytab"
-	return 0
-    }
-
-    # Make the srvtab file globally readable in case we are using a
-    # root shell and the srvtab is NFS mounted.
-    catch "exec chmod a+r $tmppwd/admin-keytab"
-
-    return 1
-}
-
 # setup_kerberos_db
 # Initialize the Kerberos database.  If the argument is non-zero, call
 # pass at relevant points.  Returns 1 on success, 0 on failure.
@@ -1270,12 +1192,7 @@ proc setup_kerberos_db { standalone } {
 	    }
 	}
     }
-    # XXX should deal with envstack inside setup_kadmind_srvtab too
-    set ret [setup_kadmind_srvtab]
     envstack_pop
-    if !$ret {
-	return 0
-    }
 
     # create the admin database lock file
     catch "exec touch $tmppwd/adb.lock"
@@ -2029,6 +1946,7 @@ proc v4kinit { name pass standalone } {
     global REALMNAME
     global KINIT
     global spawn_id
+    global des3_krbtgt
 
     # Use kinit to get a ticket.
 	#
@@ -2052,10 +1970,20 @@ proc v4kinit { name pass standalone } {
     }
     send "$pass\r"
     expect eof
-    if ![check_exit_status kinit] {
-	return 0
+    if {$des3_krbtgt == 0} {
+	if ![check_exit_status v4kinit] {
+	    return 0
+	}
+    } else {
+	# Fail if kinit is successful with a des3 TGT.
+	set status_list [wait -i $spawn_id]
+	set testname v4kinit
+	verbose "wait -i $spawn_id returned $status_list ($testname)"
+	if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } {
+	    verbose -log "exit status: $status_list"
+	    fail "$testname (exit status)"
+	}
     }
-
     if {$standalone} {
 	pass "v4kinit"
     }
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index fe3f185a6..01f490230 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,12 @@
+2003-03-26  Tom Yu  <tlyu@mit.edu>
+
+	* v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set.
+
+	* v4krb524d.exp (doit): Return early if $des3_krbtgt set.
+
+	* v4standalone.exp (check_and_destroy_v4_tix): Return early if
+	$des3_krbtgt set.
+
 2003-01-01  Ezra Peisach  <epeisach@bu.edu>
 
 	* standalone.exp: Only run the keytab to srvtab tests if kerberos 4
diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
index c0b95d0ae..c4d5fd35c 100644
--- a/src/tests/dejagnu/krb-standalone/v4gssftp.exp
+++ b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
@@ -179,7 +179,11 @@ proc v4ftp_test { } {
     global tmppwd
     global ftp_save_ktname
     global ftp_save_ccname
+    global des3_krbtgt
 
+    if {$des3_krbtgt} {
+	return
+    }
     # Start up the kerberos and kadmind daemons and get a srvtab and a
     # ticket file.
     if {![start_kerberos_daemons 0] \
diff --git a/src/tests/dejagnu/krb-standalone/v4krb524d.exp b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
index 5506a06b7..6e922c7e1 100644
--- a/src/tests/dejagnu/krb-standalone/v4krb524d.exp
+++ b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
@@ -78,7 +78,11 @@ proc doit { } {
     global KDESTROY
     global tmppwd
     global REALMNAME
+    global des3_krbtgt
 
+    if {$des3_krbtgt} {
+	return
+    }
     # Start up the kerberos and kadmind daemons.
     if ![start_kerberos_daemons 1] {
 	return
diff --git a/src/tests/dejagnu/krb-standalone/v4standalone.exp b/src/tests/dejagnu/krb-standalone/v4standalone.exp
index 62db0a794..cc42e8dab 100644
--- a/src/tests/dejagnu/krb-standalone/v4standalone.exp
+++ b/src/tests/dejagnu/krb-standalone/v4standalone.exp
@@ -26,7 +26,12 @@ if ![setup_kerberos_db 1] {
 
 proc check_and_destroy_v4_tix { client server } {
     global REALMNAME
+    global des3_krbtgt
 
+    # Skip this if we're using a des3 TGT, since that's supposed to fail.
+    if {$des3_krbtgt} {
+	return
+    }
     # Make sure that klist can see the ticket.
     if ![v4klist "$client" "$server" "v4klist"] {
 	return
-- 
2.26.2