copies of passwords before freeing memory. This reduces the lifetime
of passwords in memory.
+ Skip tests that require the stronger rule configuration in the
+ embedded CrackLib when built against system CrackLib. This avoids
+ test failures when built with system CrackLib.
+
Rework the check-valgrind target to use the new C TAP Harness valgrind
support and automatically check the valgrind log files for errors at
the end of the test suite.
AS_IF([test x"$rra_system_cracklib" = xyes],
[RRA_LIB_CRACKLIB_SWITCH
AC_CHECK_HEADERS([crack.h])
- RRA_LIB_CRACKLIB_RESTORE])
+ RRA_LIB_CRACKLIB_RESTORE
+ AC_DEFINE([HAVE_SYSTEM_CRACKLIB], 1,
+ [Define if using the system CrackLib.])])
RRA_LIB_KRB5
RRA_LIB_KRB5_SWITCH
AC_CHECK_HEADERS([krb5/pwqual_plugin.h], [], [], [RRA_INCLUDES_KRB5])
"principal": "test@EXAMPLE.ORG",
"password": "stanfordstanford",
"code": "KADM5_PASS_Q_GENERIC",
- "error": "it is based on a (duplicated) dictionary word"
+ "error": "it is based on a (duplicated) dictionary word",
+ "skip_for_system_cracklib": true
},
{
"name": "in dictionary (reversed)",
"principal": "test@EXAMPLE.ORG",
"password": "enabrettib",
"code": "KADM5_PASS_Q_GENERIC",
- "error": "it is based on a (reversed) dictionary word"
+ "error": "it is based on a (reversed) dictionary word",
+ "skip_for_system_cracklib": true
},
{
"name": "seven characters",
"principal": "test@EXAMPLE.ORG",
"password": "dfareas",
"code": "KADM5_PASS_Q_GENERIC",
- "error": "it is too short"
+ "error": "it is too short",
+ "skip_for_system_cracklib": true
},
{
"name": "four characters",
END_HEADER
# The list of attributes, in order, whose values go into the C struct.
-Readonly my @ATTRIBUTES => qw(name principal password code error);
+Readonly my @ATTRIBUTES => qw(
+ name principal password code error skip_for_system_cracklib
+);
# A hash of attributes that should be put in the C struct as they literally
# appear in the JSON, rather than as strings. (In other words, attributes
-# that are numbers or C constants.) Only the keys are of interest.
-Readonly my %IS_LITERAL_ATTRIBUTE => (code => 1);
+# that are numbers, booleans, or C constants.) Only the keys are of interest.
+Readonly my %IS_LITERAL_ATTRIBUTE => (
+ code => 1,
+ skip_for_system_cracklib => 1
+);
##############################################################################
# Functions
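Review bot: Marking `skip_for_system_cracklib` as a literal attribute means its JSON value is emitted verbatim into the C initializer, but most test entries in the JSON hunks above omit the key entirely, and what the generator emits for a missing literal attribute is decided by code outside this hunk. If that path produces an empty token rather than `0`/`false`, the generated struct will not compile, so it is worth confirming that an absent key yields a valid `bool` initializer. A one-line note on the list would make the contract explicit: `# skip_for_system_cracklib is optional in the JSON and defaults to false.` The JSON `true` value presumably stringifies to `1`, which is fine for a `bool` field, but verify against the decoder in use.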
const char *name;
const char *principal;
const char *password;
+ bool skip_for_system_cracklib;
krb5_error_code code;
const char *error;
};
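Review bot: The new `bool skip_for_system_cracklib` field is placed between `password` and `code` in this struct but after `error` in the `password_test` struct at L87, and neither position matches the generator's `@ATTRIBUTES` order (`name principal password code error skip_for_system_cracklib`). If make-c-data emits designated initializers this is harmless, but if it emits positional ones the layout here would shift `code` into the boolean slot; the generator output is not visible in this diff, so please confirm. Declaring the field last in both structs, `bool skip_for_system_cracklib;` after `const char *error;`, keeps the two definitions consistent with each other and with the attribute list regardless of initializer style. The enclosing struct definition starts outside this hunk.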
* out by make-c-data. It's included by the test data files.
*
* Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
* Copyright 2013
* The Board of Trustees of the Leland Stanford Junior University
*
#include <config.h>
#include <portable/kadmin.h>
#include <portable/krb5.h>
+#include <portable/stdbool.h>
struct password_test {
const char *name;
const char *password;
krb5_error_code code;
const char *error;
+ bool skip_for_system_cracklib;
};
#endif /* !TESTS_DATA_PASSWORD_TESTS_H */
run_setup((const char **) setup_argv);
/* Now, run all of the tests. */
- for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
+ for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) {
+# ifdef HAVE_SYSTEM_CRACKLIB
+ if (cracklib_tests[i].skip_for_system_cracklib) {
+ skip_block(2, "not built with embedded CrackLib");
+ continue;
+ }
+# endif
is_password_test(verifier, &cracklib_tests[i]);
+ }
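Review bot: The `skip_block(2, ...)` count inside the new `# ifdef HAVE_SYSTEM_CRACKLIB` guard hard-codes that `is_password_test` reports exactly two results per case, a coupling that already exists in the `# else` branch (`count * 2` at L124) but is now repeated in three places: here and in the identical blocks at L113–L121 and L129–L137. If `is_password_test` ever gains or loses an assertion, all three skip counts silently go out of step with the plan and the harness reports a count mismatch rather than the real cause. A short comment on the first occurrence would document the invariant: `/* is_password_test reports two results per case; keep this count in sync. */`. Since the three test programs share `tests/data/password-tests.h`, a single `PASSWORD_TEST_COUNT` constant (or a small skip helper) defined there would remove the duplication; the enclosing functions start and end outside these hunks, so I cannot see whether such a constant already exists.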
/*
* Add length restrictions and a maximum length for CrackLib. This should
is_password_test(ctx, vtable, data, &principal_tests[i]);
# ifdef HAVE_CRACKLIB
- /* Run the CrackLib tests if CrackLib is available, otherwise skip them. */
- for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
+ /*
+ * Run the CrackLib tests if CrackLib is available, otherwise skip them.
+ * If built with the system CrackLib, skip tests that are marked as only
+ * working with the tougher rules of our embedded CrackLib.
+ */
+ for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) {
+# ifdef HAVE_SYSTEM_CRACKLIB
+ if (cracklib_tests[i].skip_for_system_cracklib) {
+ skip_block(2, "not built with embedded CrackLib");
+ continue;
+ }
+# endif
is_password_test(ctx, vtable, data, &cracklib_tests[i]);
+ }
# else
count = ARRAY_SIZE(cracklib_tests);
skip_block(count * 2, "not built with CrackLib support");
is_int(0, code, "Plugin initialization (krb5.conf dictionary)");
if (code != 0)
bail("cannot continue after plugin initialization failure");
- for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++)
+ for (i = 0; i < ARRAY_SIZE(cracklib_tests); i++) {
+# ifdef HAVE_SYSTEM_CRACKLIB
+ if (cracklib_tests[i].skip_for_system_cracklib) {
+ skip_block(2, "not built with embedded CrackLib");
+ continue;
+ }
+# endif
is_password_test(ctx, vtable, data, &cracklib_tests[i]);
+ }
vtable->close(ctx, data);
/*
return;
}
-# Load the password tests from JSON.
+# Load the password tests from JSON, removing the CrackLib tests that may fail
+# if we were built with the system CrackLib. We don't have an easy way of
+# knowing which CrackLib heimdal-strength was linked against, so we have to
+# ignore them unconditionally. The separate plugin tests will exercise that
+# code.
my %tests;
for my $type (qw(cdb classes cracklib length letter principal sqlite)) {
my $tests = load_password_tests("$type.json");
+ if ($type eq 'cracklib') {
+ my @tests = grep { !$_->{skip_for_system_cracklib} } @{$tests};
+ $tests = [@tests];
+ }
$tests{$type} = $tests;
}
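Review bot: The new filter at L152–L153 builds a temporary `@tests` array and then copies it again into a fresh arrayref, which is two copies where one suffices; assigning the `grep` result directly reads more clearly: `$tests = [ grep { !$_->{skip_for_system_cracklib} } @{$tests} ];`. The negation relies on the decoded JSON `true` being false-negatable, which holds for the usual boolean objects but is worth keeping in mind if the decoder changes. The comment added at L143–L147 explains the unconditional removal well; a brief mention that `skip_for_system_cracklib` is simply absent (undef) on the entries that are kept would make the `!` test self-explanatory.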