Add cmocka unit tests for the KDC lookaside cache.
|
|
Add a regression test for the preceding bugfix. This test uses btree
database files with known contents and byte orders with short keys and
overflow data items.
ticket: 8485
|
|
Prior to the fix for #8139, forwarded TGTs obtained across a krbtgt
re-key could fail if the preferred krbtgt enctype changed, because
krb5_c_verify_checksum() returns a bad-enctype error due to the
mismatched checksum. Add a test case for this scenario, using a new
test harness program which obtains a forwarded TGT.
|
|
Make is_string_numeric() visible outside of parse_host_string.c as
k5_is_string_numeric() so it can be tested. Make
k5_parse_host_string() return an error when address begins with ':',
for consistency with APR's apr_parse_addr_port().
[ghudson@mit.edu: squashed three commits; added t_parse_host_string to
.gitignore and clean rule; clarified commit message]
|
|
Add some missing files to .gitignore, EXTRADEPSRCS, and clean rules.
|
|
[ghudson@mit.edu: simplify test harness]
ticket: 8425
|
|
ticket: 8415
|
|
[ghudson@mit.edu: style changes]
ticket: 8386
|
|
It is a good idea to have a fairly complete .gitignore file. It is
helpful for devs to know just what shouldn't end up in the repo, as
well as preventing accidental commits and even random trash ending up
in master.
Many of the files here were added from the GitHub gitignore project
found here:
https://github.com/github/gitignore
|
|
Add some OS specific files and Eclipse project files, as well as the
top level build directory because it is recommended in the wiki to
perform your build inside of it. Also ignore the autom4te.cache
directory.
[tlyu@mit.edu: minor commit message edits]
|
|
In src/tests, rename t_init_creds.c and t_localauth.c to icred.c and
localauth.c for consistency with the other C test programs in that
directory.
|
|
Modify adata.c to handle CAMMAC containers and display auth
indicators. Modify the test preauth module to transmit a list of
indicators (specified by a gic opt) from the clpreauth module to the
kdcpreauth module and assert them to the KDC. Add a new s4u2proxy
test harness in src/tests which can be used to exercise S4U2Proxy
without going through GSSAPI, using a second ccache containing an
existing evidence ticket.
Add tests to t_authdata.py to exercise a variety of ticket issuing
scenarios and verify that the correct auth indicators appear in each
ticket.
ticket: 8157
|
|
Create a new test harness etinfo.c which can display etype-info2
information in KDC responses. Use it to test the etype-info results
in preauth_required error e-data and AS-REP padata.
ticket: 8199
|
|
RFC 2743 states that gss_inquire_context() must always return flags,
locally_initiated, and open even if a context is not yet fully
established. Additionally, a partially established context may also
return mech_type.
Previously, the krb5 mech raised an error for inquire_context on
partially completed contexts. It now follows the rules laid out in
RFC 2743.
Add a new test program to verify that gss_inquire_context() works
correctly on both in-progress and established contexts.
[ghudson@mit.edu: minor style changes and commit message edits]
ticket: 8025
|
|
ticket: 6938
|
|
Add a new test script t_authdata.py and a C harness adata.c to test
KDC authdata handling logic. KDB module authdata is not currently
tested.
|
|
Add a new test program t_pcontok to exercise
gss_process_context_token, and run it from t_gssapi.py.
ticket: 8055
|
|
Rename hpux10.exports to hpux.exports. In the HP-UX section of
shlib.conf, remove '+s' because it just specifies a default, add a
MAKE_SHLIB_COMMAND, and set SHLIBEXT based on the host CPU.
[ghudson@mit.edu: squashed commits, condensed commit message]
ticket: 7990 (new)
target_version: 1.13
tags: pullup
|
|
ticket: 7949
|
|
krb5int_c_combine_keys is used only by SAM-2 preauth with neither the
send-encrypted-sad nor use-sad-as-key flags, so it isn't covered by
any automated function tests. Add some unit tests to make sure that
it works and returns the expected results for two randomly generated
test vectors.
ticket: 7914
target_version: 1.12.2
tags: pullup
|
|
Add a new ccache test program t_marshal.c which verifies the new
marshalling functions and also the FILE ccache type against the
expected representations of the ccache header, default principal, and
credentials.
|
|
When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.
Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.
ticket: 7232
|
|
ticket: 7872
|
|
Don't delete gssapi_krb5.h now that it is not generated.
[ghudson@mit.edu: also remove from generate-files-mac rule and from
.gitignore]
|
|
Add a unit test program named t_ulog. Make it map a ulog file, set up
header state where kdb_last_sno is the last serial number, and then
add an empty update. Check that the result is a ulog header with one
update at serial number 1.
ticket: 7839
|
|
Remove the GNATS-based krb5-send-pr script and replace it with a
script that instructs users to send email.
ticket: 7840 (new)
|
|
Add a test program which compares gss_pseudo_random outputs against
expected values for each enctype.
|
|
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
ticket: 7807
|
|
A few test programs didn't make it into .gitignore, OBJS, or
EXTRADEPSRCS.
|
|
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
|
Add a new pluggable interface for local authorization, and replace the
existing krb5_aname_to_localname and krb5_kuserok implementations with
implementations based on the pluggable interface.
ticket: 7583 (new)
|
|
ticket: 7585
|
|
Add seven data files for pkg-config, corresponding to the five modules
supported by krb5-config. For krb5 and krb5-gssapi, we also provide
mit- versions for callers desiring to distinguish between our
implementation and Heimdal's.
Based on a patch from Stef Walter <stefw@gnome.org>.
ticket: 7529 (new)
|
|
In preparation for adding a bunch of pkg-config data files, move
krb5-config into a new source tree subdirectory containing tools we
provide as outputs to other build systems.
|
|
Neither function correctly handled OIDs whose second arc exceeds 47
(theoretically possible if the first arc is 2). gss_str_to_oid had
additional problems: it used scanf, it didn't consistently protect
against read overrun if the input buffer wasn't null-terminated, and
it could get confused by + or - characters in the first two arcs. Fix
gss_oid_to_str and rewrite gss_str_to_oid.
Also add a test program.
ticket: 7524 (new)
|
|
Add new tests kdbtest.c and t_kdb.py. Together these exercise most of
the code in the LDAP back end. kdbtest is also run against the DB2
module, which is mostly redundant with other tests, but does exercise
the lockout logic a little more thoroughly than t_lockout.py can.
To test the LDAP back end, we look for slapd and ldapadd binaries in
the path. The system slapd is sometimes constrained by AppArmor or
the like, which we can typically work around by making a copy of the
binary. slapd detaches before listening on its server socket (this
got better in 2.4.27 but still isn't perfect), so we unfortunately
have to use a one-second sleep in the slapd setup.
|
|
sphinx-build's latex output engine creates a subdirectory with
various latex files, and a Makefile. The generated Makefile assumes
gmake, which we do not. The logic needed in this makefile is rather
simple, so we just include it in src/doc/Makefile.in, even if we
do need a rather complicated shell expression to work in the subdirectory.
ticket: 7433
tags: pullup
|
|
Sphinx's idea of the version number appears in the man pages and
compiled PDF documents, and shows up as metadata in the generated
HTML sources.
Extract the version information from the master source (patchlevel.h)
into a form usable by Sphinx.
ticket: 7433
tags: pullup
|
|
Change the make rules for the directory structure.
Update the RST sources which include other RST sources for the
loss of the krb_ prefix.
ticket: 7409
|
|
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
|
|
ticket: 7354
|
|
Add JSON support based loosely on Heimdal's heimbase code.
|
|
Add base64 support based on Heimdal's libroken base64 code.
|
|
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|