Diffstat (limited to 'src/tests/dejagnu/krb-standalone')
-rw-r--r--src/tests/dejagnu/krb-standalone/ChangeLog204
-rw-r--r--src/tests/dejagnu/krb-standalone/gssapi.exp478
-rw-r--r--src/tests/dejagnu/krb-standalone/gssftp.exp105
-rw-r--r--src/tests/dejagnu/krb-standalone/kadmin.exp323
-rw-r--r--src/tests/dejagnu/krb-standalone/rcp.exp13
-rw-r--r--src/tests/dejagnu/krb-standalone/rsh.exp26
-rw-r--r--src/tests/dejagnu/krb-standalone/standalone.exp132
-rw-r--r--src/tests/dejagnu/krb-standalone/v4gssftp.exp501
-rw-r--r--src/tests/dejagnu/krb-standalone/v4krb524d.exp167
-rw-r--r--src/tests/dejagnu/krb-standalone/v4standalone.exp95
10 files changed, 1568 insertions, 476 deletions
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index 649fb43..e8b10f1 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,207 @@
+2003-03-26 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set.
+
+ * v4krb524d.exp (doit): Return early if $des3_krbtgt set.
+
+ * v4standalone.exp (check_and_destroy_v4_tix): Return early if
+ $des3_krbtgt set.
+
+2002-11-03 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp (rsh_test): Explicitly call stop_rsh_daemon upon pass
+ for "encrypted rsh" test, to avoid zombies.
+ [pullup from trunk]
+
+2002-02-06 Ken Raeburn <raeburn@mit.edu>
+
+ * standalone.exp (doit): Don't use "file delete", it isn't in Tcl
+ version 7.
+
+2002-02-05 Ken Raeburn <raeburn@mit.edu>
+
+ * standalone.exp: Move setting of KLIST and KDESTROY into
+ default.exp.
+ (doit): Call do_klist instead of implementing it here. Add a new
+ principal to the database, and test getting tickets using a
+ keytab, with multiple kvnos starting at 253 and going up past
+ 256; if first supported enctype supports v4, convert the keytab to
+ a srvtab and try getting tickets using it too. Verify that
+ kadmin.local can read the high kvno correctly.
+
+ * v4standalone.exp: Move setting of KLIST and KDESTROY into
+ default.exp. Print correct filename in top-level error message.
+ (check_and_destroy_v4_tix): New proc.
+ (doit): Call v4kinit and check_and_destroy_v4_tix.
+
+ * gssftp.exp (ftp_test): Bump kvno past 256, with multiple entries
+ in the keytab, before running test.
+
+2001-11-06 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp: Fix date-grabbing regexp to deal with older versions of
+ expect/tcl that have limited regexp capabilities.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp: Fix date grabbing code so we don't try to parse the
+ timezone-less date out of of a syslog message. expect eof in
+ places to drain pty buffers and avoid deadlock.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * gssftp.exp: Remove -U flag from ftpd invocation for now, since
+ 1.2.x won't have it.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp: Calling send_error from within a dejagnu test is
+ wrong. So is calling exit. Fix to not do these things. Expect
+ eof rather than "\r" so as to drain pty buffers and avoid
+ deadlock.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * gssftp.exp: Calling send_error from within a dejagnu test is
+ wrong. So is calling exit. Fix to not do these things. Expect
+ eof rather than "\r" so as to drain pty buffers and avoid
+ deadlock.
+
+2001-10-30 Tom Yu <tlyu@mit.edu>
+
+ * standalone.exp: Change check for missing ccache to look for "No
+ credentials cache found" instead of "No credentials cache file
+ found" due to change in message text.
+
+ * v4gssftp.exp: Remove -U flag frmo ftpd invocation for now, since
+ 1.2.x won't have it. Change check for missing ccache to look for
+ "No credentials cache found" instead of "No credentials cache file
+ found" due to change in message text.
+
+ * v4krb524d.exp: Remove -p flag from krb524d invocation for now,
+ since 1.2.x won't have it.
+
+2001-10-26 Ezra Peisach <epeisach@mit.edu>
+
+ * rcp.exp, rsh_exp (stop_rsh_daemon): Do not close a process and
+ then look for eof. Some versions of expect go through a full
+ timeout in this scenario and others return immediately. New order:
+ kill process, expect eof, close, and then wait.
+ [pullup from trunk]
+
+2001-10-25 Ezra Peisach <epeisach@mit.edu>
+
+ * rsh.exp (rsh_test): Add stop_rsh_daemon before invoking
+ start_rsh_daemon again to prevent running out of ptys.
+ [pullup from trunk]
+
+2001-10-24 Mitchell Berger <mitchb@mit.edu>
+
+ * kadmin.exp: Corrected a couple of unimportant typos. Added procedures
+ kadmin_addpol, kadmin_delpol, kadmin_listpols, kadmin_modpol, and
+ kadmin_showpol, which provide the tools with which to perform policy
+ tests. Added some basic policy operations to the tests of basic
+ kadmin functions. Added a test case to exercise the kadmind crash
+ that used to occur when the history number of a policy was decreased.
+ [pullup from trunk]
+
+2001-10-24 Tom Yu <tlyu@mit.edu>
+
+ * rcp.exp (stop_rsh_daemon): Call "expect eof" to drain pty buffer
+ and avoid deadlock.
+
+ * rsh.exp (stop_rsh_daemon, rsh_test): Call "expect eof" to drain
+ pty buffer and avoid deadlock.
+ [pullups from trunk]
+
+2001-07-04 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp, gssftp.exp: Test transfering a file > 1MB to
+ exercise PBSZ failure.
+ [pullup from trunk]
+
+2001-06-22 Tom Yu <tlyu@mit.edu>
+
+ * gssftp.exp: Use $tmppwd rather than hardcoding tmpdir.
+
+ * kadmin.exp: Use $tmppwd rather than hardcoding tmpdir.
+
+ * rcp.exp: Use $tmppwd rather than hardcoding tmpdir.
+
+ * rsh.exp: Rearrange ordering of environment setup slightly.
+
+ * standalone.exp: Use $KLIST -5 -e so as to better debug enctype
+ problems.
+
+ * v4gssftp.exp: Do check_klogin as well as check_k5login. Use
+ $tmppwd rather than hardcoding tmpdir.
+ [pullups from trunk]
+
+2001-06-17 Ezra Peisach <epeisach@mit.edu>
+
+ * v4krb524d.exp: New tests for the krb524d and k524init programs.
+ [pullup from trunk]
+
+2001-06-08 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp: During test, set KRB5CCNAME to a non-existant
+ cache. Restore at end to previous setting. This prevents failures
+ caused when the krb5 cache contains valid information - as in the
+ case of this test being run immediately after the gssftp.exp test.
+ [pullup from trunk]
+
+2001-06-08 Mitchell Berger <mitchb@mit.edu>
+
+ * gssftp.exp: Invocation of ftpd changed to use -U /dev/null and
+ -a so that the test may successfully be run by root without failing
+ (i.e. root is granted ftp access) and without opening the running
+ ftpd to a password attack (i.e. authorization is required).
+ Check for successful login messages added.
+
+ * v4gssftp.exp: Same changes.
+ [pullups from trunk]
+
+2001-06-06 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp: Allow for "decrypt integrity check failed" error
+ minor code from GSSAPI as well.
+ [pullup from trunk]
+
+2001-04-26 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp: Allow for "no credentials cache found" error minor
+ code from GSSAPI.
+ [pullup from trunk]
+
+2000-11-08 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp: Fix to handle some cases of krb4 failure prior to
+ timing out.
+ [pullup from trunk]
+
+Tue Aug 22 11:43:14 2000 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp: New tests for the krb4 compatible interface to gssftp.
+ [pullup from trunk]
+
+2000-08-08 Ezra Peisach <epeisach@engrailed.mit.edu>
+
+ * v4standalone.exp: New set of tests for basic V4 functionality.
+ [pullup from trunk]
+
+2000-07-04 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp: Drain buffers on klist test to avoid wedging rsh on
+ exit under HP/UX.
+ [pullup from trunk]
+
+ * gssapi.exp: Rework significantly to deal with HP/UX lossage that
+ probably resulted from when either the client or the server wound
+ up blocking on tty output. Abstract things a little more. Remove
+ dead duplicate code that used to deal with "-v2". Should figure
+ out why the "-v2" stuff disappeared mysteriously.
+ [pullup from trunk]
+
2000-02-07 Tom Yu <tlyu@mit.edu>
* kadmin.exp: Use $KDESTROY -5 to deal with changed behavior.
diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/dejagnu/krb-standalone/gssapi.exp
index 8f932cb..fa71728 100644
--- a/src/tests/dejagnu/krb-standalone/gssapi.exp
+++ b/src/tests/dejagnu/krb-standalone/gssapi.exp
@@ -113,6 +113,81 @@ proc gss_restore_env { } {
}
}
+proc run_client {test tkfile client} {
+ global env
+ global hostname
+ global GSSCLIENT
+ global spawn_id
+ global gss_server_spawn_id
+ global REALMNAME
+
+ set env(KRB5CCNAME) $tkfile
+ verbose "KRB5CCNAME=$env(KRB5CCNAME)"
+ verbose "spawning gssclient, identity=$client"
+ spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from $client"
+ set got_client 0
+ set got_server 0
+ expect_after {
+ -i $spawn_id
+ timeout {
+ if {!$got_client} {
+ verbose -log "client timeout"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ eof {
+ if {!$got_client} {
+ verbose -log "client eof"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ -i $gss_server_spawn_id
+ timeout {
+ if {!$got_server} {
+ verbose -log "server timeout"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ eof {
+ if {!$got_server} {
+ verbose -log "server eof"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ }
+ expect {
+ -i $gss_server_spawn_id
+ "Accepted connection: \"$client@$REALMNAME\"" exp_continue
+ "Received message: \"message from $client\"" {
+ set got_server 1
+ if {!$got_client} {
+ exp_continue
+ }
+ }
+ -i $spawn_id
+ "Signature verified" {
+ set got_client 1
+ if {!$got_server} {
+ exp_continue
+ }
+ }
+ }
+ catch "expect_after"
+ if ![check_exit_status $test] {
+ # check_exit_staus already calls fail for us
+ return
+ }
+ pass $test
+}
+
proc doit { } {
global REALMNAME
global env
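Review bot: The `Accepted connection` branch in run_client only calls `exp_continue` and sets no flag, so the proc can reach `pass $test` without the server ever reporting the authenticated principal. Only `Received message` and `Signature verified` are required. To keep the identity check, start with `set got_accept 0`, change the branch to `"Accepted connection: \"$client@$REALMNAME\"" { set got_accept 1; exp_continue }`, and add `if {!$got_accept} { fail $test; return }` before `pass $test`. The comment near the end also misspells the helper name: `check_exit_staus` should be `check_exit_status`.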
@@ -133,70 +208,59 @@ proc doit { } {
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 0] {
- fail gsstest
- return
+ perror "failed to start kerberos daemons"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest0 0] {
- fail gsstest
- return
+ perror "failed to set up gsstest0 key"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest1 0] {
- fail gsstest
- return
+ perror "failed to set up gsstest1 key"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest2 0] {
- fail gsstest
- return
+ perror "failed to set up gsstest2 key"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest3 0] {
- fail gsstest
- return
+ perror "faild to set up gsstest3 key"
}
# Use kadmin to add a service key for us.
if ![add_random_key gssservice/$hostname 0] {
- fail gsstest
- return
+ perror "failed to set up gssservice/$hostname key"
}
# Use kdb5_edit to create a srvtab entry for gssservice
if ![setup_srvtab 0 gssservice] {
- fail gsstest
- return
+ perror "failed to set up gssservice srvtab"
}
catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
# Use kinit to get a ticket.
if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] {
- fail gsstest
- return
+ perror "failed to kinit gsstest0"
}
# Use kinit to get a ticket.
if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] {
- fail gsstest
- return
+ perror "failed to kinit gsstest1"
}
# Use kinit to get a ticket.
if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] {
- fail gsstest
- return
+ perror "failed to kinit gsstest2"
}
# Use kinit to get a ticket.
if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] {
- fail gsstest
- return
+ perror "failed to kinit gsstest3"
}
#
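Review bot: After each `perror` in this part of doit, control falls through to the next setup step, where the removed code returned. A failed `start_kerberos_daemons` is therefore followed by the key, srvtab and kinit steps against daemons that may not be running. If the fall-through is deliberate, a one-line comment such as `# keep going; perror marks the following results unresolved` would record that; otherwise keep a `return` after each `perror`. The gsstest3 message is misspelled: `faild` should be `failed`. doit begins and ends outside this hunk.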
@@ -219,377 +283,30 @@ proc doit { } {
spawn $GSSSERVER -port 5556 gssservice@$hostname
set gss_server_pid [exp_pid]
set gss_server_spawn_id $spawn_id
- catch "exec sleep 4"
-
- # Start the client with client identity 0
- set env(KRB5CCNAME) $tmppwd/gss_tk_0
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest0"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest0@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest0\""
- catch "expect_after"
- if ![check_exit_status gssclient0] {
- fail gssclient0
- return
- }
- pass gssclient0
-
- # Start the client with client identity 1
- set env(KRB5CCNAME) $tmppwd/gss_tk_1
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest1"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest1@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest1\""
- catch "expect_after"
- if ![check_exit_status gssclient1] {
- fail gssclient1
- return
- }
- pass gssclient1
-
- # Start the client with client identity 2
- set env(KRB5CCNAME) $tmppwd/gss_tk_2
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest2"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest2@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest2\""
- catch "expect_after"
- if ![check_exit_status gssclient2] {
- fail gssclient2
- return
- }
- pass gssclient2
-
- # Start the client with client identity 3
- set env(KRB5CCNAME) $tmppwd/gss_tk_3
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest3"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail "gssclient3 (server timeout)"
- catch "expect_after"
- return
- }
- eof {
- fail "gssclient3 (server eof)"
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest3@$REALMNAME\""
- # Drain some output from the verbose client side. Otherwise, this
- # test sometimes fails under HP-UX.
- expect -i $spawn_id "\"gsstest3@KRBTEST.COM\" to \"gssservice"
- expect -i $spawn_id "Mechanism { * } supports * name"
-
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest3\""
- catch "expect_after"
- expect_after {
- -i $spawn_id
- timeout {
- fail "gssclient3 (timeout)"
- catch "expect_after"
- return
- }
- eof {
- fail "gssclient3 (eof)"
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- if ![check_exit_status gssclient3] {
- fail "gssclient3 (exit status)"
- return
- }
- pass gssclient3
-
- stop_gss_server
-
- # Try some V2 services.
- # Now start the gss-server.
- spawn $GSSSERVER -port 5557 gssservice@$hostname
- set gss_server_pid [exp_pid]
- set gss_server_spawn_id $spawn_id
- catch "exec sleep 4"
+ sleep 2
- # Start the client with client identity 0
- set env(KRB5CCNAME) $tmppwd/gss_tk_0
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest0"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest0@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest0\""
- catch "expect_after"
- if ![check_exit_status gssclient0] {
- fail gssclient0
- return
- }
- pass gssclient0
-
- # Start the client with client identity 1
- set env(KRB5CCNAME) $tmppwd/gss_tk_1
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest1"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest1@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest1\""
- catch "expect_after"
- if ![check_exit_status gssclient1] {
- fail gssclient1
- return
- }
- pass gssclient1
-
- # Start the client with client identity 2
- set env(KRB5CCNAME) $tmppwd/gss_tk_2
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest2"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest2@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest2\""
- catch "expect_after"
- if ![check_exit_status gssclient2] {
- fail gssclient2
- return
- }
- pass gssclient2
-
- # Start the client with client identity 3
- set env(KRB5CCNAME) $tmppwd/gss_tk_3
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest3"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient3
- catch "expect_after"
- return
- }
- eof {
- fail gssclient3
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest3@$REALMNAME\""
-
- # Drain some output from the verbose client side. Otherwise, this
- # test sometimes fails under HP-UX.
- expect -i $spawn_id "\"gsstest3@KRBTEST.COM\" to \"gssservice"
- expect -i $spawn_id "Mechanism { * } supports * name"
-
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest3\""
- catch "expect_after"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient3
- catch "expect_after"
- return
- }
- eof {
- fail gssclient3
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- if ![check_exit_status gssclient3] {
- fail gssclient3
- return
- }
- pass gssclient3
+ run_client gssclient0 $tmppwd/gss_tk_0 gssclient0
+ run_client gssclient1 $tmppwd/gss_tk_1 gssclient1
+ run_client gssclient2 $tmppwd/gss_tk_2 gssclient2
+ run_client gssclient3 $tmppwd/gss_tk_3 gssclient3
stop_gss_server
gss_restore_env
if ![our_kdestroy $tmppwd/gss_tk_0] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_0" 0
}
if ![our_kdestroy $tmppwd/gss_tk_1] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_1" 0
}
if ![our_kdestroy $tmppwd/gss_tk_2] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_2" 0
}
if ![our_kdestroy $tmppwd/gss_tk_3] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_3" 0
}
catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
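Review bot: The four `run_client` calls pass `gssclient0`..`gssclient3` as the third argument, but the principals that doit creates and kinits are `gsstest0`..`gsstest3`. run_client builds its `Accepted connection: "$client@$REALMNAME"` pattern from that argument, so the pattern names a principal that was never set up, and the run can still pass because that pattern is not mandatory. Passing the principal name keeps the identity the server reports under test, e.g. `run_client gssclient0 $tmppwd/gss_tk_0 gsstest0`, and likewise for the other three. The fixed `sleep 2` before the first client is a timing guess; waiting for a line of server output would be sturdier if the server prints one at startup.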
@@ -604,7 +321,6 @@ gss_restore_env
stop_kerberos_daemons
if { $status != 0 } {
- send_error "ERROR: error in gssapi.exp\n"
- send_error "$msg\n"
- exit 1
+ perror "error in gssapi.exp" 0
+ perror $msg 0
}
diff --git a/src/tests/dejagnu/krb-standalone/gssftp.exp b/src/tests/dejagnu/krb-standalone/gssftp.exp
index 2dea3a5..bda1d12 100644
--- a/src/tests/dejagnu/krb-standalone/gssftp.exp
+++ b/src/tests/dejagnu/krb-standalone/gssftp.exp
@@ -41,7 +41,9 @@ proc start_ftp_daemon { } {
# don't need to use inetd. The 3021 is the port to listen at.
# We rely on KRB5_KTNAME being set to the proper keyfile as there is
# no way to cleanly set it with the gssapi API.
- spawn $FTPD -p 3021 -r $tmppwd/krb5.conf
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -r $tmppwd/krb5.conf
set ftpd_spawn_id $spawn_id
set ftpd_pid [exp_pid]
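Review bot: The added comment justifies `-a` by "circumventing ftpusers", but nothing on the new `spawn $FTPD -p 3021 -a -r ...` line bypasses ftpusers, and the ChangeLog on this page says the `-U` flag was dropped for this branch. A reader will look for a bypass that is not there. Suggest wording that stands on its own, e.g. `# -a requires authorization, so the test ftpd never accepts an unauthorized login even when the suite is run as root.`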
@@ -64,12 +66,21 @@ proc stop_ftp_daemon { } {
}
# Create a file to use for ftp testing.
-set file [open tmpdir/ftp-test w]
+set file [open $tmppwd/ftp-test w]
puts $file "This file is used for ftp testing."
close $file
+# Create a large file to use for ftp testing. File needs to be
+# larger that 2^20 or 1MB for PBSZ testing.
+set file [open $tmppwd/bigftp-test w]
+puts $file "This file is used for ftp testing.\n"
+seek $file 1048576 current
+puts $file "This file is used for ftp testing."
+close $file
+
+
# Test that a file was copied correctly.
-proc check_file { filename } {
+proc check_file { filename {bigfile 0}} {
if ![file exists $filename] {
verbose "$filename does not exist"
send_log "$filename does not exist\n"
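Review bot: The offset `1048576` used when writing bigftp-test and the `1048577` used in the check_file hunk below are tied together only by the extra `\n` in the first `puts`. Changing either line silently breaks the other. A shared variable would make the link explicit: `set bigfile_gap 1048576` here, then `global bigfile_gap` and `seek $file [expr $bigfile_gap + 1] current` in check_file, with the comment saying the `+ 1` covers the explicit `\n`. The new comment also has a typo: `larger that 2^20` should read `larger than 2^20`.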
@@ -91,6 +102,24 @@ proc check_file { filename } {
return 0
}
+ if {$bigfile} {
+ # + 1 for the newline
+ seek $file 1048577 current
+ if { [gets $file line] == -1 } {
+ verbose "$filename is truncated"
+ send_log "$filename is truncated\n"
+ close $file
+ return 0
+ }
+
+ if ![string match "This file is used for ftp testing." $line] {
+ verbose "$filename contains $line"
+ send_log "$filename contains $line\n"
+ close $file
+ return 0
+ }
+ }
+
if { [gets $file line] != -1} {
verbose "$filename is too long ($line)"
send_log "$filename is too long ($line)\n"
@@ -123,6 +152,7 @@ proc ftp_restore_env { } {
proc ftp_test { } {
global FTP
global KEY
+ global REALMNAME
global hostname
global localhostname
global env
@@ -136,7 +166,12 @@ proc ftp_test { } {
# ticket file.
if {![start_kerberos_daemons 0] \
|| ![add_random_key ftp/$hostname 0] \
+ || ![modify_principal ftp/$hostname -kvno 254] \
|| ![setup_srvtab 0 ftp] \
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![do_klist_kt $tmppwd/srvtab "gssftp keytab list"]
|| ![add_kerberos_key $env(USER) 0] \
|| ![kinit $env(USER) $env(USER)$KEY 0]} {
return
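Review bot: The three identical `xst $tmppwd/srvtab ftp/$hostname` lines look like a copy-paste slip because nothing explains them. The ChangeLog says the intent is to bump the kvno past 256 with multiple keytab entries. A comment above the condition would record that, e.g. `# kvno is set to 254; each xst adds a keytab entry with the next kvno, taking it past 256.` (the `xst` helper is defined outside this page, so confirm it increments the kvno). The four added lines from the first `xst` through `do_klist_kt` also omit the trailing `\` used by the rest of the condition; the braces make that harmless, but it is inconsistent.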
@@ -185,9 +220,9 @@ proc ftp_test { } {
}
expect -nocase "name ($hostname:$env(USER)): "
send "$env(USER)\r"
-# expect "User $env(USER) logged in."
-# expect "Remote system type is UNIX."
-# expect "Using binary mode to transfer files."
+ expect "GSSAPI user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
expect "ftp> " {
pass $testname
}
@@ -236,26 +271,26 @@ proc ftp_test { } {
set testname "get"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "get $tmppwd/ftp-test $tmppwd/copy\r"
expect "Opening BINARY mode data connection for $tmppwd/ftp-test"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
pass $testname
} else {
fail $testname
}
set testname "put"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "put $tmppwd/ftp-test $tmppwd/copy\r"
expect "Opening BINARY mode data connection for $tmppwd/copy"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
pass $testname
} else {
fail $testname
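Review bot: `catch "exec rm -f $tmppwd/copy"` substitutes `$tmppwd` into a double-quoted string that `catch` then parses as a script. A build directory containing whitespace, `;` or `[` would then be parsed as script rather than treated as one path. The literal `tmpdir` never had this problem. Bracing the script defers substitution to evaluation time: `catch {exec rm -f $tmppwd/copy}`. The same form appears in the later ftp_test hunks (local get, big local get, encrypted get, big encrypted get) and in kadmin_extract's `catch "exec rm -f $tmppwd/keytab"`.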
@@ -269,20 +304,33 @@ proc ftp_test { } {
}
set testname "lcd"
- send "lcd tmpdir\r"
+ send "lcd $tmppwd\r"
expect "Local directory now $tmppwd"
expect "ftp> " {
pass $testname
}
set testname "local get"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "get ftp-test copy\r"
expect "Opening BINARY mode data connection for ftp-test"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "big local get"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
pass $testname
} else {
fail $testname
@@ -303,18 +351,38 @@ proc ftp_test { } {
}
set testname "encrypted get"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "get ftp-test copy\r"
expect "Opening BINARY mode data connection for ftp-test"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
pass $testname
} else {
fail $testname
}
+ set testname "big encrypted get"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect {
+ -timeout 300
+ "Transfer complete" {}
+ -re "Length .* of PROT buffer > PBSZ" {
+ fail "$testname (PBSZ)"
+ return 0
+ }
+ }
+ expect -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
set testname "close"
send "close\r"
expect "Goodbye."
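Review bot: On the PBSZ failure branch of "big encrypted get", `return 0` leaves ftp_test while the ftp client is still connected. The visible early exit from this proc uses a bare `return`, so the value is inconsistent as well. Whether the caller stops the client and daemon is outside this hunk. Either use `return` to match, or send `quit\r` before returning so the session is not left open for the next test. The byte-count pattern here uses `\[0-9.e+-\]` while every other transfer check uses `\[0-9.e-\]`; if `e+` exponents can occur, the other checks need the same class.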
@@ -333,7 +401,8 @@ proc ftp_test { } {
set testname "quit"
send "quit\r"
- expect "\r"
+ expect_after
+ expect eof
if [check_exit_status $testname] {
pass $testname
}
@@ -371,7 +440,5 @@ if [info exists home] {
}
if { $status != 0 } {
- send_error "ERROR: error in ftp.exp\n"
- send_error "$msg\n"
- exit 1
+ perror "error in gssftp.exp: $msg"
}
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 8167b02..d4754e4 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -37,7 +37,7 @@ proc kadmin_add { pname password } {
spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $pname"
expect_after {
"Cannot contact any KDC" {
- fail "kadmin add$pname lost KDC"
+ fail "kadmin add $pname lost KDC"
catch "expect_after"
return 0
}
@@ -162,7 +162,7 @@ proc kadmin_add_rnd { pname } {
expect_after
expect eof
set k_stat [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $k_stat (kadmin add_rnt)"
+ verbose "wait -i $spawn_id returned $k_stat (kadmin add_rnd)"
catch "close -i $spawn_id"
if { $good == 1 } {
#
@@ -437,10 +437,11 @@ proc kadmin_extract { instance name } {
global KADMIN
global KEY
global spawn_id
+ global tmppwd
- catch "exec rm -f tmpdir/keytab"
+ catch "exec rm -f $tmppwd/keytab"
- spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst -k tmpdir/keytab $name/$instance"
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst -k $tmppwd/keytab $name/$instance"
expect_after {
"Cannot contact any KDC" {
fail "kadmin xst $instance $name lost KDC"
@@ -461,7 +462,7 @@ proc kadmin_extract { instance name } {
expect "Enter password:" {
send "adminpass$KEY\r"
}
-# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:tmpdir/keytab."
+# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:$tmppwd/keytab."
expect_after
expect eof
set k_stat [wait -i $spawn_id]
@@ -644,6 +645,292 @@ proc kpasswd_cpw { princ opw npw } {
}
#++
+# kadmin_addpol - Test add new policy function of kadmin.
+#
+# Adds policy $pname. Returns 1 on success.
+#--
+proc kadmin_addpol { pname } {
+ global REALMNAME
+ global KADMIN
+ global KADMIN_LOCAL
+ global KEY
+ global spawn_id
+ global tmppwd
+
+ set good 0
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "addpol $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin addpol $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:" {
+ send "adminpass$KEY\r"
+ }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
+ catch "close -i $spawn_id"
+ #
+ # use kadmin.local to verify that a policy was created
+ #
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ expect_after {
+ -i $spawn_id
+ timeout {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ set good 0
+ expect "kadmin.local: " { send "getpol $pname\r" }
+ expect "Policy: $pname" { set good 1 }
+ expect "Maximum password life:" { verbose "got max pw life" }
+ expect "Minimum password life:" { verbose "got min pw life" }
+ expect "Minimum password length:" { verbose "got min pw length" }
+ expect "Minimum number of password character classes:" {
+ verbose "got min pw character classes" }
+ expect "Number of old keys kept:" { verbose "got num old keys kept" }
+ expect "Reference count:" { verbose "got refcount" }
+ expect "kadmin.local: " { send "q\r" }
+
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin.local showpol)"
+ catch "close -i $spawn_id"
+ if { $good == 1 } {
+ pass "kadmin addpol $pname"
+ return 1
+ }
+ else {
+ fail "kadmin addpol $pname"
+ return 0
+ }
+}
+
+#++
+# kadmin_delpol - Test delete policy function of kadmin.
+#
+# Deletes policy $pname. Returns 1 on success.
+#--
+proc kadmin_delpol { pname } {
+ global REALMNAME
+ global KADMIN
+ global KADMIN_LOCAL
+ global KEY
+ global spawn_id
+ global tmppwd
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delpol -force $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin_delpol $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:" {
+ send "adminpass$KEY\r"
+ }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin delpol)"
+ catch "close -i $spawn_id"
+ #
+ # use kadmin.local to verify that the old policy is not present.
+ #
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ expect_after {
+ -i $spawn_id
+ timeout {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ set good 0
+ expect "kadmin.local: " { send "getpol $pname\r" }
+ expect "Policy does not exist while retrieving policy \"$pname\"." {
+ set good 1
+ }
+ expect "kadmin.local: " { send "quit\r" }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin.local showpol)"
+ catch "close -i $spawn_id"
+ if { $good == 1 } {
+ pass "kadmin delpol $pname"
+ return 1
+ }
+ else {
+ fail "kadmin delpol $pname"
+ return 0
+ }
+}
+
+#++
+# kadmin_listpols - Test list policy database function of kadmin.
+#
+# Lists the policies. Returns 1 on success.
+#--
+proc kadmin_listpols { } {
+ global REALMNAME
+ global KADMIN
+ global KEY
+ global spawn_id
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_policies *"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin lpols lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin lpols"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin lpols"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:" {
+ send "adminpass$KEY\r"
+ }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin listpols)"
+ catch "close -i $spawn_id"
+ pass "kadmin lpols"
+ return 1
+}
+
+#++
+# kadmin_modpol - Test modify policy function of kadmin.
+#
+# Modifies policy $pname with flags $flags. Returns 1 on success.
+#--
+proc kadmin_modpol { pname flags } {
+ global REALMNAME
+ global KADMIN
+ global KEY
+ global spawn_id
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "modpol $flags $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin modpol $pname ($flags) lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin modpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin modpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:"
+ send "adminpass$KEY\r"
+ # When in doubt, jam one of these in there.
+ expect "\r"
+ # Sadly, kadmin doesn't print a confirmation message for policy operations.
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin modpol)"
+ catch "close -i $spawn_id"
+ pass "kadmin modpol $pname"
+ return 1
+}
+
+#++
+# kadmin_showpol - Test show policy function of kadmin.
+#
+# Retrieves entry for $pname. Returns 1 on success.
+#--
+proc kadmin_showpol { pname } {
+ global REALMNAME
+ global KADMIN
+ global KEY
+ global spawn_id
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_policy $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin showpol $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin showpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin showpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:"
+ send "adminpass$KEY\r"
+ expect -re "\r.*Policy: $pname.*Number of old keys kept: .*Reference count: .*\r"
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin showpol)"
+ catch "close -i $spawn_id"
+ pass "kadmin showpol $pname"
+ return 1
+}
+
+#++
# kdestroy
#--
proc kdestroy { } {
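Review bot: In kadmin_addpol and kadmin_delpol the final `else {` starts on its own line after the closing `}` of the `if` body. Tcl ends the `if` command at that newline, so when `$good` is not 1 the interpreter tries to run `else` as a command instead of calling `fail` and returning 0. Writing `} else {` on one line in both procs fixes the failure path. Separately, kadmin_listpols, kadmin_modpol and kadmin_showpol store the `wait` result in `k_stat` but only log it, so a non-zero kadmin exit still reaches `pass`.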
@@ -668,6 +955,10 @@ proc kadmin_test { } {
# Test basic kadmin functions.
if {![kadmin_add v5principal/instance1 v5principal] \
+ || ![kadmin_addpol standardpol] \
+ || ![kadmin_showpol standardpol] \
+ || ![kadmin_listpols] \
+ || ![kadmin_modpol standardpol "-minlength 5"] \
|| ![kadmin_add v4principal/instance2 v4principal] \
|| ![kadmin_add_rnd v5random] \
|| ![kadmin_show v5principal/instance1] \
@@ -678,11 +969,13 @@ proc kadmin_test { } {
|| ![kadmin_cpw_rnd v5random] \
|| ![kadmin_modify v5random -allow_tix] \
|| ![kadmin_modify v5random +allow_tix] \
+ || ![kadmin_modify v5random "-policy standardpol"] \
|| ![kadmin_list] \
|| ![kadmin_extract instance1 v5principal] \
|| ![kadmin_delete v5random] \
|| ![kadmin_delete v4principal/instance2] \
- || ![kadmin_delete v5principal/instance1]} {
+ || ![kadmin_delete v5principal/instance1] \
+ || ![kadmin_delpol standardpol]} {
return
}
@@ -713,9 +1006,10 @@ proc kadmin_test { } {
|| ![kadmin_delete testprinc1/instance]} {
return
}
+
# now test modify changes.
if {![kadmin_add testuser longtestpw] \
- || ![kinit testuser longtestpw 0] \
+ || ![kinit testuser longtestpw 0] \
|| ![kdestroy] \
|| ![kadmin_modify testuser "-maxlife \"2500 seconds\""] \
|| ![kinit testuser longtestpw 0] \
@@ -724,6 +1018,21 @@ proc kadmin_test { } {
return
}
+ # now test that reducing the history number doesn't make kadmind vulnerable.
+ if {![kadmin_addpol crashpol] \
+ || ![kadmin_modpol crashpol "-history 5"] \
+ || ![kadmin_add crash first] \
+ || ![kadmin_modify crash "-policy crashpol"] \
+ || ![kadmin_cpw crash second] \
+ || ![kadmin_cpw crash third] \
+ || ![kadmin_cpw crash fourth] \
+ || ![kadmin_modpol crashpol "-history 3"] \
+ || ![kadmin_cpw crash fifth] \
+ || ![kadmin_delete crash] \
+ || ![kadmin_delpol crashpol]} {
+ return
+ }
+
verbose "kadmin_test succeeded"
}
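Review bot: The `kadmin_modpol crashpol "-history 3"` step cannot report a rejected policy change, because kadmin_modpol (added earlier in this file) calls `pass` as soon as kadmin reaches eof and only logs the `wait` result through `verbose`. If the reduction were refused, `kadmin_cpw crash fifth` would run against the old history of 5, and the history-reduction case this block is meant to cover would pass without being exercised. Confirm the new value before the final password change, for example with a `get_policy crashpol` check that matches `Number of old keys kept: 3`. At minimum, add a comment such as `# kadmin_modpol cannot detect a refused change; history value is not verified here`. kadmin_test starts outside this hunk.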
diff --git a/src/tests/dejagnu/krb-standalone/rcp.exp b/src/tests/dejagnu/krb-standalone/rcp.exp
index a51196c..3367b3a 100644
--- a/src/tests/dejagnu/krb-standalone/rcp.exp
+++ b/src/tests/dejagnu/krb-standalone/rcp.exp
@@ -72,15 +72,16 @@ proc stop_rsh_daemon { } {
global krshd_pid
if [info exists krshd_pid] {
- catch "close -i $krshd_spawn_id"
catch "exec kill $krshd_pid"
+ catch "expect -i $krshd_spawn_id eof"
+ catch "close -i $krshd_spawn_id"
catch "wait -i $krshd_spawn_id"
unset krshd_pid
}
}
# Create a file to use for rcp testing.
-set file [open tmpdir/rcp-test w]
+set file [open $tmppwd/rcp-test w]
puts $file "This file is used for rcp testing."
close $file
@@ -125,9 +126,9 @@ proc rcp_one_test { testname options frompref topref } {
global RCP
global tmppwd
- send_log "rm -f tmpdir/copy\n"
- verbose "exec rm -f tmpdir/copy"
- catch "exec rm -f tmpdir/copy"
+ send_log "rm -f $tmppwd/copy\n"
+ verbose "exec rm -f $tmppwd/copy"
+ catch "exec rm -f $tmppwd/copy"
set from [format "%s%s" $frompref $tmppwd/rcp-test]
set to [format "%s%s" $topref $tmppwd/copy]
@@ -143,7 +144,7 @@ proc rcp_one_test { testname options frompref topref } {
return 0
}
- if ![check_file tmpdir/copy] {
+ if ![check_file $tmppwd/copy] {
fail $testname
return 0
}
diff --git a/src/tests/dejagnu/krb-standalone/rsh.exp b/src/tests/dejagnu/krb-standalone/rsh.exp
index 09b5222..2cd6802 100644
--- a/src/tests/dejagnu/krb-standalone/rsh.exp
+++ b/src/tests/dejagnu/krb-standalone/rsh.exp
@@ -27,7 +27,6 @@ if ![check_k5login rsh] {
# Set up the kerberos database.
if {![get_hostname] \
|| ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
|| ![setup_kerberos_db 0]} {
return
}
@@ -58,8 +57,9 @@ proc stop_rsh_daemon { } {
global krshd_pid
if [info exists krshd_pid] {
- catch "close -i $krshd_spawn_id"
catch "exec kill $krshd_pid"
+ catch "expect -i $krshd_spawn_id eof"
+ catch "close -i $krshd_spawn_id"
catch "wait -i $krshd_spawn_id"
unset krshd_pid
}
@@ -85,6 +85,7 @@ proc rsh_test { } {
|| ![add_kerberos_key host/$hostname 0] \
|| ![setup_srvtab 0] \
|| ![add_kerberos_key $env(USER) 0] \
+ || ![setup_kerberos_env client] \
|| ![kinit $env(USER) $env(USER)$KEY 0]} {
return
}
@@ -96,7 +97,7 @@ proc rsh_test { } {
set testname "date"
spawn $RSH $hostname -k $REALMNAME -D 3544 -A date
expect {
- -re "\[A-Za-z0-9 :\]+\[\r\n\]+$" {
+ -re "\[A-Za-z0-9\]+ \[A-Za-z0-9\]+ +\[0-9\]+ \[0-9\]+:\[0-9\]+:\[0-9\]+ \[A-Za-z0-9\]+ \[0-9\]+\r\n" {
set result $expect_out(0,string)
}
timeout {
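Review bot: The tightened `date` pattern accepts only letters and digits in the time-zone field, so output with a numeric zone abbreviation (a constructed example: `+04`) would fall through to the timeout branch and fail the test for a reason unrelated to rsh. Widening that one field to `\[A-Za-z0-9+-\]+` keeps the structural check. A comment such as `# expects C-locale date(1) output: Www Mmm D HH:MM:SS ZONE YYYY` would document the assumption. rsh_test starts and ends outside this hunk.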
@@ -129,7 +130,7 @@ proc rsh_test { } {
set testname "encrypted rsh"
spawn $RSH $hostname -x -k $REALMNAME -D 3544 -A echo hello
expect {
- "hello" { }
+ "hello" { expect eof }
timeout {
fail "$testname (timeout)"
set failed yes
@@ -140,11 +141,13 @@ proc rsh_test { } {
}
}
+ catch "expect eof"
if { $failed == "no" } {
if ![check_exit_status $testname] {
return
}
pass $testname
+ stop_rsh_daemon
} else {
catch "wait -i $spawn_id"
catch "close -i $spawn_id"
@@ -162,7 +165,9 @@ proc rsh_test { } {
spawn $RSH $hostname -f -k $REALMNAME -D 3544 -A $BINSH -c $tmppwd/klist.wrap
expect {
- "Ticket cache:" { }
+ "Ticket cache:*\r" {
+ expect eof
+ }
"klist: No credentials cache file found" {
fail "$testname (not forwarded)"
return
@@ -191,7 +196,9 @@ proc rsh_test { } {
set testname "encrypted rsh forwarding tickets"
spawn $RSH $hostname -x -f -k $REALMNAME -D 3544 -A $BINSH -c $tmppwd/klist.wrap
expect {
- "Ticket cache:" { }
+ "Ticket cache:*\r" {
+ expect eof
+ }
"klist: No credentials cache file found" {
fail "$testname (not forwarded)"
return
@@ -214,13 +221,12 @@ proc rsh_test { } {
stop_rsh_daemon
-
# Check stderr
start_rsh_daemon -k
set testname "rsh to stderr"
spawn $RSH $hostname -k $REALMNAME -D 3544 -A $BINSH -c "'echo hello 1>&2'"
expect {
- "hello" { }
+ "hello" { expect eof }
timeout {
fail "$testname (timeout)"
return
@@ -237,11 +243,13 @@ proc rsh_test { } {
pass $testname
+ stop_rsh_daemon
+
start_rsh_daemon -e
set testname "encrypted rsh to stderr"
spawn $RSH $hostname -x -k $REALMNAME -D 3544 -A $BINSH -c "'echo hello 1>&2'"
expect {
- "hello" { }
+ "hello" { expect eof }
timeout {
fail "$testname (timeout)"
return
diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp
index e925b53..e493b65 100644
--- a/src/tests/dejagnu/krb-standalone/standalone.exp
+++ b/src/tests/dejagnu/krb-standalone/standalone.exp
@@ -4,14 +4,6 @@
# This mostly just calls procedures in testsuite/config/default.exp.
-if ![info exists KLIST] {
- set KLIST [findfile $objdir/../../clients/klist/klist]
-}
-
-if ![info exists KDESTROY] {
- set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
-}
-
# Set up the Kerberos files and environment.
if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
return
@@ -32,9 +24,12 @@ proc doit { } {
global KLIST
global KDESTROY
global KEY
+ global KADMIN_LOCAL
+ global KTUTIL
global hostname
global tmppwd
global spawn_id
+ global supported_enctypes
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 1] {
@@ -57,30 +52,9 @@ proc doit { } {
}
# Make sure that klist can see the ticket.
- spawn $KLIST -5
- expect {
- -re "Ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Default principal:\[ \]*krbtest/admin@$REALMNAME.*krbtgt/$REALMNAME@$REALMNAME\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "klist"
- return
- }
- eof {
- fail "klist"
- return
- }
- }
-
- expect {
- "\r" { }
- eof { }
- }
-
- if ![check_exit_status "klist"] {
+ if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
return
}
- pass "klist"
# Destroy the ticket.
spawn $KDESTROY -5
@@ -90,33 +64,83 @@ proc doit { } {
pass "kdestroy"
# Double check that the ticket was destroyed.
- spawn $KLIST -5
- expect {
- -re "klist: No credentials cache file found.*\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "klist after kdestroy"
- return
+ if ![do_klist_err "klist after destroy"] { return }
+
+ if ![add_random_key foo/bar 1] {
+ return
+ }
+
+ set keytab $tmppwd/fookeytab
+ catch "exec rm -f $keytab"
+
+ modify_principal foo/bar -kvno 252
+ foreach vno {253 254 255 256 257 258} {
+ xst $tmppwd/fookeytab foo/bar
+ do_klist_kt $tmppwd/fookeytab "klist keytab foo/bar vno $vno"
+ kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
+ do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
+ do_kdestroy "kdestroy foo/bar vno $vno"
+
+ if [regexp {des-cbc-[a-z0-9-]*:v4} [lindex $supported_enctypes 0]] {
+ catch "exec rm -f $tmppwd/foosrvtab"
+ spawn $KTUTIL
+ expect_after {
+ timeout { fail "ktutil converting keytab to srvtab" ; set ok 0 }
+ eof { fail "ktutil converting keytab to srvtab" ; set ok 0 }
+ }
+ expect "ktutil: "
+ send "rkt $tmppwd/fookeytab\r"
+ expect -ex "rkt $tmppwd/fookeytab\r"
+ expect "ktutil: "
+# for debugging, just log this
+# send "list\r"
+# expect "ktutil: "
+ #
+ send "wst $tmppwd/foosrvtab\r"
+ expect -ex "wst $tmppwd/foosrvtab\r"
+ expect "ktutil: "
+# for debugging, just log this
+# send "clear\r"
+# expect "ktutil: "
+# send "rst $tmppwd/foosrvtab\r"
+# expect "ktutil: "
+# send "list\r"
+# expect "ktutil: "
+ # okay, now quit and finish testing
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if [check_exit_status "ktutil converting keytab to srvtab (vno $vno)"] {
+ pass "ktutil converting keytab to srvtab (vno $vno)"
+ do_klist_kt $tmppwd/fookeytab "klist srvtab foo/bar vno $vno"
+ kinit_kt "foo/bar" "SRVTAB:$tmppwd/foosrvtab" 1 "st kvno $vno"
+ do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist st foo/bar vno $vno"
+ do_kdestroy "kdestroy st foo/bar vno $vno"
+ }
+ } else {
+ verbose "skipping v5kinit/srvtab tests because of non-v4 enctype"
}
- eof {
- fail "klist after kdestroy"
- return
+ }
+ catch "exec rm -f $keytab"
+ # Check that kadmin.local can actually read the correct kvno, even
+ # if we don't expect kadmin to be able to.
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ set ok 1
+ expect_after {
+ timeout { fail "kadmin.local correct high kvno" ; set ok 0 }
+ eof { fail "kadmin.local correct high kvno" ; set ok 0 }
+ }
+ expect "kadmin.local: "
+ send "getprinc foo/bar\r"
+# exec sleep 10
+ expect "Key: vno $vno,"
+ send "quit\r"
+ expect eof
+ if [check_exit_status "kadmin.local examine foo/bar for high kvno"] {
+ if $ok {
+ pass "kadmin.local correct high kvno"
}
}
- # We can't use check_exit_status, because we expect an exit status
- # of 1.
- set status_list [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $status_list (klist)"
- if { [lindex $status_list 2] != 0 } {
- fail "klist (bad exit status) $status_list"
- return
- } else { if { [lindex $status_list 3] != 1 } {
- fail "klist (bad exit status) $status_list"
- return
- } else {
- pass klist
- } }
}
set status [catch doit msg]
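Review bot: After the keytab is converted, the step labelled "klist srvtab" still lists `$tmppwd/fookeytab`, so the srvtab written by `wst` is never listed; this looks like a copy of the earlier keytab line. If do_klist_kt accepts the same `SRVTAB:` prefix that kinit_kt is given on the next line (its definition is not in this hunk), the call would be `do_klist_kt "SRVTAB:$tmppwd/foosrvtab" "klist srvtab foo/bar vno $vno"`. Also, `$tmppwd/foosrvtab` holds key material and is only removed at the start of each loop iteration, so the last copy is left behind; add `catch "exec rm -f $tmppwd/foosrvtab"` next to the final `catch "exec rm -f $keytab"`.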
diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
new file mode 100644
index 0000000..1e90b2a
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
@@ -0,0 +1,501 @@
+# Kerberos ftp test.
+# This is a DejaGnu test script.
+# This script tests Kerberos ftp.
+# Originally written by Ian Lance Taylor, Cygnus Support, <ian@cygnus.com>.
+# Modified bye Ezra Peisach for GSSAPI support.
+
+# Find the programs we need. We use the binaries from the build tree
+# if they exist. If they do not, then they must be in PATH. We
+# expect $objdir to be .../kerberos/build/tests/dejagnu
+
+if ![info exists FTP] {
+ set FTP [findfile $objdir/../../appl/gssftp/ftp/ftp]
+}
+
+if ![info exists FTPD] {
+ set FTPD [findfile $objdir/../../appl/gssftp/ftpd/ftpd]
+}
+
+# If we do not have what is for a V4 test - return
+if ![v4_compatible_enctype] {
+ return
+}
+
+# Make sure .klogin is reasonable.
+if ![check_k5login ftp] {
+ return
+}
+
+if ![check_klogin ftp] {
+ return
+}
+
+# Set up the kerberos database.
+if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env] \
+ || ![setup_kerberos_db 0]} {
+ return
+}
+
+# A procedure to start up the ftp daemon.
+
+proc start_ftp_daemon { } {
+ global FTPD
+ global tmppwd
+ global ftpd_spawn_id
+ global ftpd_pid
+
+ # The -p argument tells it to accept a single connection, so we
+ # don't need to use inetd. The 3021 is the port to listen at.
+ # We rely on KRB5_KTNAME being set to the proper keyfile as there is
+ # no way to cleanly set it with the gssapi API.
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -r $tmppwd/krb.conf
+ set ftpd_spawn_id $spawn_id
+ set ftpd_pid [exp_pid]
+
+ # Give the ftp daemon a few seconds to get set up.
+ catch "exec sleep 2"
+}
+
+# A procedure to stop the ftp daemon.
+
+proc stop_ftp_daemon { } {
+ global ftpd_spawn_id
+ global ftpd_pid
+
+ if [info exists ftpd_pid] {
+ catch "close -i $ftpd_spawn_id"
+ catch "exec kill $ftpd_pid"
+ catch "wait -i $ftpd_spawn_id"
+ unset ftpd_pid
+ }
+}
+
+# Create a file to use for ftp testing.
+set file [open $tmppwd/ftp-test w]
+puts $file "This file is used for ftp testing."
+close $file
+
+# Create a large file to use for ftp testing. File needs to be
+# larger that 2^20 or 1MB for PBSZ testing.
+set file [open $tmppwd/bigftp-test w]
+puts $file "This file is used for ftp testing.\n"
+seek $file 1048576 current
+puts $file "This file is used for ftp testing."
+close $file
+
+# Test that a file was copied correctly.
+proc check_file { filename {bigfile 0}} {
+ if ![file exists $filename] {
+ verbose "$filename does not exist"
+ send_log "$filename does not exist\n"
+ return 0
+ }
+
+ set file [open $filename r]
+ if { [gets $file line] == -1 } {
+ verbose "$filename is empty"
+ send_log "$filename is empty\n"
+ close $file
+ return 0
+ }
+
+ if ![string match "This file is used for ftp testing." $line] {
+ verbose "$filename contains $line"
+ send_log "$filename contains $line\n"
+ close $file
+ return 0
+ }
+
+ if {$bigfile} {
+ # + 1 for the newline
+ seek $file 1048577 current
+ if { [gets $file line] == -1 } {
+ verbose "$filename is truncated"
+ send_log "$filename is truncated\n"
+ close $file
+ return 0
+ }
+
+ if ![string match "This file is used for ftp testing." $line] {
+ verbose "$filename contains $line"
+ send_log "$filename contains $line\n"
+ close $file
+ return 0
+ }
+ }
+
+ if { [gets $file line] != -1} {
+ verbose "$filename is too long ($line)"
+ send_log "$filename is too long ($line)\n"
+ close $file
+ return 0
+ }
+
+ close $file
+
+ return 1
+}
+
+#
+# Restore environment variables possibly set.
+#
+proc ftp_restore_env { } {
+ global env
+ global ftp_save_ktname
+ global ftp_save_ccname
+
+ catch "unset env(KRB5_KTNAME)"
+ if [info exists ftp_save_ktname] {
+ set env(KRB5_KTNAME) $ftp_save_ktname
+ unset ftp_save_ktname
+ }
+
+ catch "unset env(KRB5CCNAME)"
+ if [info exists ftp_save_ccname] {
+ set env(KRB5CCNAME) $ftp_save_ccname
+ unset ftp_save_ccname
+ }
+}
+
+# Wrap the tests in a procedure, so that we can kill the daemons if
+# we get some sort of error.
+
+proc v4ftp_test { } {
+ global FTP
+ global KEY
+ global REALMNAME
+ global hostname
+ global localhostname
+ global env
+ global ftpd_spawn_id
+ global ftpd_pid
+ global spawn_id
+ global tmppwd
+ global ftp_save_ktname
+ global ftp_save_ccname
+ global des3_krbtgt
+
+ if {$des3_krbtgt} {
+ return
+ }
+ # Start up the kerberos and kadmind daemons and get a srvtab and a
+ # ticket file.
+ if {![start_kerberos_daemons 0] \
+ || ![add_random_key ftp/$hostname 0] \
+ || ![setup_srvtab 0 ftp] \
+ || ![add_kerberos_key $env(USER) 0] \
+ || ![v4kinit $env(USER) $env(USER)$KEY 0]} {
+ return
+ }
+
+ #
+ # Save settings of KRB5_KTNAME
+ #
+ if [info exists env(KRB5_KTNAME)] {
+ set ftp_save_ktname $env(KRB5_KTNAME)
+ }
+
+ #
+ # set KRB5_KTNAME
+ #
+ set env(KRB5_KTNAME) FILE:$tmppwd/srvtab
+ verbose "KRB5_KTNAME=$env(KRB5_KTNAME)"
+
+ #
+ # Save settings of KRB5CCNAME
+ # These tests fail if the krb5 cache happens to have a valid credential
+ # which can result from running the gssftp.exp test immediately
+ # preceeding these tests.
+ #
+ if [info exists env(KRB5CCNAME)] {
+ set ftp_save_ccname $env(KRB5CCNAME)
+ }
+
+ #
+ # set KRB5_KTNAME
+ #
+ set env(KRB5CCNAME) FILE:$tmppwd/non-existant-cache
+ verbose "KRB5CCNAME=$env(KRB5CCNAME)"
+
+ # Start the ftp daemon.
+ start_ftp_daemon
+
+ # Make an ftp client connection to it.
+ spawn $FTP $hostname 3021
+
+ expect_after {
+ timeout {
+ fail "$testname (timeout)"
+ catch "expect_after"
+ return
+ }
+ eof {
+ fail "$testname (eof)"
+ catch "expect_after"
+ return
+ }
+ }
+
+ set testname "ftp connection(v4)"
+ expect -nocase "connected to $hostname"
+ expect -nocase -re "$localhostname.*ftp server .version \[0-9.\]*. ready."
+ expect -re "Using authentication type GSSAPI; ADAT must follow"
+ expect "GSSAPI accepted as authentication type"
+ expect "GSSAPI error major: Miscellaneous failure"
+ expect {
+ "GSSAPI error minor: Unsupported credentials cache format version number" {}
+ "GSSAPI error minor: No credentials cache found" {}
+ "GSSAPI error minor: Decrypt integrity check failed" {}
+ }
+ expect "GSSAPI error: initializing context"
+ expect "GSSAPI authentication failed"
+ expect -re "Using authentication type KERBEROS_V4; ADAT must follow"
+ expect {
+ "Kerberos V4 authentication succeeded" { pass "ftp authentication" }
+ eof { fail "ftp authentication" ; catch "expect_after" ; return }
+ -re "Kerberos V4 .* failed.*\r" {
+ fail "ftp authentication";
+ send "quit\r"; catch "expect_after";
+ return
+ }
+ }
+ expect -nocase "name ($hostname:$env(USER)): "
+ send "$env(USER)\r"
+ expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "binary(v4)"
+ send "binary\r"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "status(v4)"
+ send "status\r"
+ expect -nocase "connected to $hostname."
+ expect "Authentication type: KERBEROS_V4"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "ls(v4)"
+ send "ls $tmppwd/ftp-test\r"
+ expect -re "Opening ASCII mode data connection for .*ls."
+ expect -re ".* $tmppwd/ftp-test"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "nlist(v4)"
+ send "nlist $tmppwd/ftp-test\r"
+ expect -re "Opening ASCII mode data connection for file list."
+ expect -re "$tmppwd/ftp-test"
+ expect -re ".* Transfer complete."
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "ls missing(v4)"
+ send "ls $tmppwd/ftp-testmiss\r"
+ expect -re "Opening ASCII mode data connection for .*ls."
+ expect {
+ -re "$tmppwd/ftp-testmiss not found" {}
+ -re "$tmppwd/ftp-testmiss: No such file or directory"
+ }
+ expect "ftp> " {
+ pass $testname
+ }
+
+
+ set testname "get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get $tmppwd/ftp-test $tmppwd/copy\r"
+ expect "Opening BINARY mode data connection for $tmppwd/ftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "put(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "put $tmppwd/ftp-test $tmppwd/copy\r"
+ expect "Opening BINARY mode data connection for $tmppwd/copy"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "cd(v4)"
+ send "cd $tmppwd\r"
+ expect "CWD command successful."
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "lcd(v4)"
+ send "lcd $tmppwd\r"
+ expect "Local directory now $tmppwd"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "local get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get ftp-test copy\r"
+ expect "Opening BINARY mode data connection for ftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "big local get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "start encryption(v4)"
+ send "private\r"
+ expect "Data channel protection level set to private"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "status(v4)"
+ send "status\r"
+ expect "Protection Level: private"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "encrypted get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get ftp-test copy\r"
+ expect "Opening BINARY mode data connection for ftp-test"
+ expect "Transfer complete"
+ expect {
+ -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" {}
+ -re "krb_rd_priv failed for KERBEROS_V4" {
+ fail $testname
+ send "quit\r"
+ catch "expect_after"
+ return
+ }
+ }
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+
+ # Test a large file that will overflow PBSZ size
+ set testname "big encrypted get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect "Transfer complete"
+ expect {
+ -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds" {}
+ -re "krb_rd_priv failed for KERBEROS_V4" {
+ fail $testname
+ send "quit\r"
+ catch "expect_after"
+ return
+ }
+ }
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "close(v4)"
+ send "close\r"
+ expect "Goodbye."
+ expect "ftp> "
+ set status_list [wait -i $ftpd_spawn_id]
+ verbose "wait -i $ftpd_spawn_id returned $status_list ($testname)"
+ catch "close -i $ftpd_spawn_id"
+ if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
+ send_log "exit status: $status_list\n"
+ verbose "exit status: $status_list"
+ fail $testname
+ } else {
+ pass $testname
+ unset ftpd_pid
+ }
+
+ set testname "quit(v4)"
+ send "quit\r"
+ expect_after
+ expect eof
+ if [check_exit_status $testname] {
+ pass $testname
+ }
+
+}
+
+# The ftp client will look in $HOME/.netrc for the user name to use.
+# To avoid confusing the testsuite, point $HOME at a directory where
+# we know there is no .netrc file.
+if [info exists env(HOME)] {
+ set home $env(HOME)
+} elseif [info exists home] {
+ unset home
+}
+set env(HOME) $tmppwd
+
+# Run the test. Logging in sometimes takes a while, so increase the
+# timeout.
+set oldtimeout $timeout
+set timeout 60
+set status [catch v4ftp_test msg]
+set timeout $oldtimeout
+
+# Shut down the kerberos daemons and the ftp daemon.
+stop_kerberos_daemons
+
+stop_ftp_daemon
+
+ftp_restore_env
+
+# Reset $HOME, for safety in case we are going to run more tests.
+if [info exists home] {
+ set env(HOME) $home
+} else {
+ unset env(HOME)
+}
+
+if { $status != 0 } {
+ perror "error in gssftp.exp: $msg"
+}
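Review bot: stop_ftp_daemon closes the spawn id before killing ftpd, which is the ordering this same commit moves away from in stop_rsh_daemon (rcp.exp and rsh.exp), presumably so the daemon's exit is seen before the pty goes away. Use the same sequence here: `catch "exec kill $ftpd_pid"`, `catch "expect -i $ftpd_spawn_id eof"`, `catch "close -i $ftpd_spawn_id"`, followed by the existing `wait`. stop_k524_daemon in v4krb524d.exp has the same close-before-kill order. Separately, the final `perror` still reads `error in gssftp.exp`, which misattributes failures from this file; it should name `v4gssftp.exp`.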
diff --git a/src/tests/dejagnu/krb-standalone/v4krb524d.exp b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
new file mode 100644
index 0000000..2e17020
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
@@ -0,0 +1,167 @@
+# Standalone Kerberos test.
+# This is a DejaGnu test script.
+# This script tests that the Kerberos tools can talk to each other.
+
+# This mostly just calls procedures in testsuite/config/default.exp.
+
+if ![info exists K524INIT] {
+ set K524INIT [findfile $objdir/../../krb524/k524init]
+}
+
+if ![info exists KRB524D] {
+ set KRB524D [findfile $objdir/../../krb524/krb524d]
+}
+
+if ![info exists KLIST] {
+ set KLIST [findfile $objdir/../../clients/klist/klist]
+}
+
+if ![info exists KDESTROY] {
+ set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
+}
+
+# Set up the Kerberos files and environment.
+if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
+ return
+}
+
+# If we do not have what is for a V4 test - return
+if ![v4_compatible_enctype] {
+ return
+}
+
+# Initialize the Kerberos database. The argument tells
+# setup_kerberos_db that it is being called from here.
+if ![setup_kerberos_db 1] {
+ return
+}
+
+# A procedure to stop the krb524 daemon.
+proc start_k524_daemon { } {
+ global KRB524D
+ global k524d_spawn_id
+ global k524d_pid
+ global REALMNAME
+
+ spawn $KRB524D -m -r $REALMNAME -nofork
+ set k524d_spawn_id $spawn_id
+ set k524d_pid [exp_pid]
+
+ # Give the krb524d daemon a few seconds to get set up.
+ catch "exec sleep 2"
+}
+
+# A procedure to stop the krb524 daemon.
+proc stop_k524_daemon { } {
+ global k524d_spawn_id
+ global k524d_pid
+
+ if [info exists k524d_pid] {
+ catch "close -i $k524d_spawn_id"
+ catch "exec kill $k524d_pid"
+ catch "wait -i $k524d_spawn_id"
+ unset k524d_pid
+ }
+}
+
+# We are about to start up a couple of daemon processes. We do all
+# the rest of the tests inside a proc, so that we can easily kill the
+# processes when the procedure ends.
+
+proc doit { } {
+ global env
+ global KEY
+ global K524INIT
+ # To pass spawn_id to the wait process
+ global spawn_id
+ global KLIST
+ global KDESTROY
+ global tmppwd
+ global REALMNAME
+ global des3_krbtgt
+
+ if {$des3_krbtgt} {
+ return
+ }
+ # Start up the kerberos and kadmind daemons.
+ if ![start_kerberos_daemons 1] {
+ return
+ }
+
+ # Add a user key and get a V5 ticket
+ if {![add_kerberos_key $env(USER) 0] \
+ || ![kinit $env(USER) $env(USER)$KEY 0]} {
+ return
+ }
+
+ # Start the krb524d daemon.
+ start_k524_daemon
+
+ # The k524init program does not advertise anything on success -
+ #only failure.
+ spawn $K524INIT
+ expect {
+ -timeout 10
+ -re "k524init: .*\r" {
+ fail "k524init"
+ return
+ }
+ eof {}
+ timeout {}
+ }
+
+
+ if ![check_exit_status "k524init"] {
+ return
+ }
+ pass "k524init"
+
+ # Make sure that klist can see the ticket.
+ spawn $KLIST -4
+ expect {
+ -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$env(USER)@$REALMNAME.*krbtgt\.$REALMNAME@$REALMNAME\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail "v4klist"
+ return
+ }
+ eof {
+ fail "v4klist"
+ return
+ }
+ }
+
+ expect {
+ "\r" { }
+ eof { }
+ }
+
+ if ![check_exit_status "klist"] {
+ return
+ }
+ pass "krb524d: v4klist"
+
+ # Destroy the ticket.
+ spawn $KDESTROY -4
+ if ![check_exit_status "kdestroy"] {
+ return
+ }
+ pass "krb524d: v4kdestroy"
+
+ pass "krb524d: krb524d"
+}
+
+set status [catch doit msg]
+
+stop_kerberos_daemons
+
+stop_k524_daemon
+
+if { $status != 0 } {
+ send_error "ERROR: error in v4krb524d.exp\n"
+ send_error "$msg\n"
+ exit 1
+}
+
+
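Review bot: The comment above `start_k524_daemon` reads `# A procedure to stop the krb524 daemon.`, duplicating the one on stop_k524_daemon; it should be `# A procedure to start the krb524 daemon.` The file header is also copied from the standalone test. A line such as `# This script tests that k524init and krb524d can convert a V5 ticket to V4.` would say what is actually covered. The failure names are inconsistent as well: the klist step fails as `v4klist`, is checked as `klist` and passes as `krb524d: v4klist`, which makes the summary harder to match up.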
diff --git a/src/tests/dejagnu/krb-standalone/v4standalone.exp b/src/tests/dejagnu/krb-standalone/v4standalone.exp
new file mode 100644
index 0000000..cc42e8d
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/v4standalone.exp
@@ -0,0 +1,95 @@
+# Standalone Kerberos test.
+# This is a DejaGnu test script.
+# This script tests that the Kerberos tools can talk to each other.
+
+# This mostly just calls procedures in testsuite/config/default.exp.
+
+# Set up the Kerberos files and environment.
+if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
+ return
+}
+
+# If we do not have what is for a V4 test - return
+if ![v4_compatible_enctype] {
+ return
+}
+
+# Initialize the Kerberos database. The argument tells
+# setup_kerberos_db that it is being called from here.
+if ![setup_kerberos_db 1] {
+ return
+}
+
+# We are about to start up a couple of daemon processes. We do all
+# the rest of the tests inside a proc, so that we can easily kill the
+# processes when the procedure ends.
+
+proc check_and_destroy_v4_tix { client server } {
+ global REALMNAME
+ global des3_krbtgt
+
+ # Skip this if we're using a des3 TGT, since that's supposed to fail.
+ if {$des3_krbtgt} {
+ return
+ }
+ # Make sure that klist can see the ticket.
+ if ![v4klist "$client" "$server" "v4klist"] {
+ return
+ }
+
+ # Destroy the ticket.
+ if ![v4kdestroy "v4kdestroy"] {
+ return
+ }
+
+ if ![v4klist_none "v4klist no tix 1"] {
+ return
+ }
+}
+
+proc doit { } {
+ global REALMNAME
+ global KLIST
+ global KDESTROY
+ global KEY
+ global hostname
+ global spawn_id
+ global tmppwd
+
+ # Start up the kerberos and kadmind daemons.
+ if ![start_kerberos_daemons 1] {
+ return
+ }
+
+ # Use kadmin to add an host key.
+ if ![add_random_key host/$hostname 1] {
+ return
+ }
+
+ # Use ksrvutil to create a srvtab entry.
+ if ![setup_srvtab 1] {
+ return
+ }
+
+ # Use kinit to get a ticket.
+ if [v4kinit krbtest.admin adminpass$KEY 1] {
+ check_and_destroy_v4_tix krbtest.admin@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
+ }
+
+ # Use kinit with srvtab to get a ticket.
+ # XXX - Currently kinit doesn't support "-4 -k"!
+# set shorthost [string range $hostname 0 [expr [string first . $hostname] - 1]]
+# if [v4kinit_kt host.$shorthost SRVTAB:$tmppwd/srvtab 1] {
+# check_and_destroy_v4_tix host.$shorthost@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
+# }
+}
+
+set status [catch doit msg]
+
+stop_kerberos_daemons
+
+if { $status != 0 } {
+ send_error "ERROR: error in v4standalone.exp\n"
+ send_error "$msg\n"
+ exit 1
+}
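Review bot: The `if {$des3_krbtgt} { return }` at the top of check_and_destroy_v4_tix skips the V4 ticket checks without recording any result, so a des3-TGT run shows nothing for them in the summary and a reader cannot tell a deliberate skip from a path that was never reached. Record the skip before returning, e.g. `unsupported "v4klist (des3 krbtgt)"`. The same silent early return appears in v4ftp_test (v4gssftp.exp) and in doit (v4krb524d.exp). The procedure also returns no value on any path and doit ignores it, so a comment stating that results are reported only through pass/fail would help.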