/tests/module/cache-cleanup-t
/tests/module/cache-t
/tests/module/expired-t
+/tests/module/fast-anon-t
/tests/module/fast-t
/tests/module/no-cache-t
/tests/module/pam-user-t
check_PROGRAMS = tests/runtests tests/module/alt-auth-t \
tests/module/bad-authtok-t tests/module/basic-t \
tests/module/cache-cleanup-t tests/module/cache-t \
- tests/module/expired-t tests/module/fast-t tests/module/no-cache-t \
- tests/module/pam-user-t tests/module/password-t \
- tests/module/pkinit-t tests/module/realm-t tests/module/stacked-t \
- tests/module/trace-t tests/pam-util/args-t tests/pam-util/fakepam-t \
- tests/pam-util/logging-t tests/pam-util/options-t \
- tests/pam-util/vector-t tests/portable/asprintf-t \
- tests/portable/mkstemp-t tests/portable/snprintf-t \
- tests/portable/strndup-t
+ tests/module/expired-t tests/module/fast-anon-t tests/module/fast-t \
+ tests/module/no-cache-t tests/module/pam-user-t \
+ tests/module/password-t tests/module/pkinit-t tests/module/realm-t \
+ tests/module/stacked-t tests/module/trace-t tests/pam-util/args-t \
+ tests/pam-util/fakepam-t tests/pam-util/logging-t \
+ tests/pam-util/options-t tests/pam-util/vector-t \
+ tests/portable/asprintf-t tests/portable/mkstemp-t \
+ tests/portable/snprintf-t tests/portable/strndup-t
tests_runtests_CPPFLAGS = -DC_TAP_SOURCE='"$(abs_top_srcdir)/tests"' \
-DC_TAP_BUILD='"$(abs_top_builddir)/tests"'
check_LIBRARIES = tests/fakepam/libfakepam.a tests/tap/libtap.a
tests_module_expired_t_LDADD = $(MODULE_OBJECTS) tests/tap/libtap.a \
portable/libportable.la $(KADM5CLNT_LDFLAGS) $(KADM5CLNT_LIBS) \
$(KRB5_LIBS)
+tests_module_fast_anon_t_LDADD = $(MODULE_OBJECTS) tests/tap/libtap.a \
+ portable/libportable.la $(KRB5_LIBS)
tests_module_fast_t_LDADD = $(MODULE_OBJECTS) tests/tap/libtap.a \
portable/libportable.la $(KRB5_LIBS)
tests_module_no_cache_t_LDADD = $(MODULE_OBJECTS) tests/tap/libtap.a \
# SPDX-License-Identifier: FSFAP
# Exclude the tests that use the pkinit.so MIT Kerberos module from valgrind
-# testing (module/fast and module/pkinit) because they cause valgrind to go
-# into an infinite loop.
+# testing (module/fast-anon and module/pkinit) because they cause valgrind to
+# go into an infinite loop.
docs/pod
docs/pod-spelling
module/cache valgrind
module/cache-cleanup valgrind
module/expired valgrind
-module/fast
+module/fast valgrind
+module/fast-anon
module/no-cache valgrind
module/pam-user valgrind
module/password valgrind
--- /dev/null
+/*
+ * Tests for anonymous FAST support in pam-krb5.
+ *
+ * Tests for anonymous Flexible Authentication Secure Tunneling, a mechanism
+ * for improving the preauthentication part of the Kerberos protocol and
+ * protecting it against various attacks.
+ *
+ * This is broken out from the other FAST tests because it uses PKINIT, and
+ * PKINIT code cannot be tested under valgrind with MIT Kerberos due to some
+ * bug in valgrind.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ * The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+
+
+/*
+ * Test whether anonymous authentication works. If this doesn't, we need to
+ * skip the tests of anonymous FAST.
+ */
+static bool
+anon_fast_works(void)
+{
+ krb5_context ctx;
+ krb5_error_code retval;
+ krb5_principal princ = NULL;
+ char *realm;
+ krb5_creds creds;
+ krb5_get_init_creds_opt *opts = NULL;
+
+ /* Construct the anonymous principal name. */
+ retval = krb5_init_context(&ctx);
+ if (retval != 0)
+ bail("cannot initialize Kerberos");
+ retval = krb5_get_default_realm(ctx, &realm);
+ if (retval != 0)
+ bail("cannot get default realm");
+ retval = krb5_build_principal_ext(
+ ctx, &princ, (unsigned int) strlen(realm), realm,
+ strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
+ strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
+ if (retval != 0)
+ bail("cannot construct anonymous principal");
+ krb5_free_default_realm(ctx, realm);
+
+ /* Obtain the credentials. */
+ memset(&creds, 0, sizeof(creds));
+ retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
+ if (retval != 0)
+ bail("cannot create credential options");
+ krb5_get_init_creds_opt_set_anonymous(opts, 1);
+ krb5_get_init_creds_opt_set_tkt_life(opts, 60);
+ retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL, NULL,
+ 0, NULL, opts);
+
+ /* Clean up. */
+ if (princ != NULL)
+ krb5_free_principal(ctx, princ);
+ if (opts != NULL)
+ krb5_get_init_creds_opt_free(ctx, opts);
+ krb5_free_cred_contents(ctx, &creds);
+
+ /* Return whether authentication succeeded. */
+ return (retval == 0);
+}
+
+
+int
+main(void)
+{
+ struct script_config config;
+ struct kerberos_config *krbconf;
+
+ /* Skip the test if FAST is not available. */
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME
+ skip_all("FAST support not available");
+#endif
+
+ /* Initialize Kerberos configuration. */
+ krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+ memset(&config, 0, sizeof(config));
+ config.user = krbconf->username;
+ config.authtok = krbconf->password;
+ config.extra[0] = krbconf->userprinc;
+ kerberos_generate_conf(krbconf->realm);
+
+ /* Skip the test if anonymous PKINIT doesn't work. */
+ if (!anon_fast_works())
+ skip_all("anonymous PKINIT failed");
+
+ /* Test anonymous FAST. */
+ plan_lazy();
+ run_script("data/scripts/fast/anonymous", &config);
+ run_script("data/scripts/fast/anonymous-debug", &config);
+
+ return 0;
+}
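Review bot: anon_fast_works() never releases the Kerberos context it creates with `krb5_init_context(&ctx)`; the "Clean up" section frees princ, opts and the credential contents but not ctx, so the context is leaked. Adding `krb5_free_context(ctx);` after `krb5_free_cred_contents(ctx, &creds);` closes the gap. In practice this is cosmetic because the function runs once and every failure path exits through bail(), but the header comment explains this file is deliberately kept out of the valgrind run, so the leak would not be caught there. The same omission existed in the copy being removed from fast-t.c, so it is not a regression introduced by this commit.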
/*
- * Tests for FAST support in pam-krb5.
+ * Tests for authenticated FAST support in pam-krb5.
*
* Tests for Flexible Authentication Secure Tunneling, a mechanism for
* improving the preauthentication part of the Kerberos protocol and
- * protecting it against various attacks.
+ * protecting it against various attacks. This tests authenticated FAST;
+ * anonymous FAST is tested separately.
*
* Written by Russ Allbery <eagle@eyrie.org>
* Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
#include <tests/fakepam/script.h>
#include <tests/tap/kerberos.h>
-#include <tests/tap/process.h>
-#include <tests/tap/string.h>
-
-
-/*
- * Test whether anonymous authentication works. If this doesn't, we need to
- * skip the tests of anonymous FAST.
- */
-static bool
-anon_fast_works(void)
-{
- krb5_context ctx;
- krb5_error_code retval;
- krb5_principal princ = NULL;
- char *realm;
- krb5_creds creds;
- krb5_get_init_creds_opt *opts = NULL;
-
- /* Construct the anonymous principal name. */
- retval = krb5_init_context(&ctx);
- if (retval != 0)
- bail("cannot initialize Kerberos");
- retval = krb5_get_default_realm(ctx, &realm);
- if (retval != 0)
- bail("cannot get default realm");
- retval = krb5_build_principal_ext(
- ctx, &princ, (unsigned int) strlen(realm), realm,
- strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
- strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
- if (retval != 0)
- bail("cannot construct anonymous principal");
- krb5_free_default_realm(ctx, realm);
-
- /* Obtain the credentials. */
- memset(&creds, 0, sizeof(creds));
- retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
- if (retval != 0)
- bail("cannot create credential options");
- krb5_get_init_creds_opt_set_anonymous(opts, 1);
- krb5_get_init_creds_opt_set_tkt_life(opts, 60);
- retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL, NULL,
- 0, NULL, opts);
-
- /* Clean up. */
- if (princ != NULL)
- krb5_free_principal(ctx, princ);
- if (opts != NULL)
- krb5_get_init_creds_opt_free(ctx, opts);
- krb5_free_cred_contents(ctx, &creds);
- return (retval == 0);
-}
int
skip_all("FAST support not available");
#endif
- /*
- * To test FAST with an existing ticket cache, we also need a keytab, but
- * we can test anonymous FAST without that. So only say that we require a
- * password.
- */
- krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+ /* Initialize Kerberos configuration. */
+ krbconf = kerberos_setup(TAP_KRB_NEEDS_BOTH);
memset(&config, 0, sizeof(config));
config.user = krbconf->userprinc;
config.authtok = krbconf->password;
+ config.extra[0] = krbconf->cache;
/*
* Generate a testing krb5.conf file with a nonexistent default realm so
*/
kerberos_generate_conf("bogus.example.com");
+ /* Test fast_ccache */
plan_lazy();
-
- /* If we have a keytab and ticket cache available, test fast_ccache. */
- if (krbconf->keytab == NULL)
- skip_block(4, "Kerberos keytab required to test fast_ccache");
- else {
- config.extra[0] = krbconf->cache;
- run_script("data/scripts/fast/ccache", &config);
- run_script("data/scripts/fast/ccache-debug", &config);
- run_script("data/scripts/fast/no-ccache", &config);
- run_script("data/scripts/fast/no-ccache-debug", &config);
- }
-
- /*
- * Test anonymous FAST. This will require some pre-testing later. For
- * this, we need to use our real local realm.
- */
- kerberos_generate_conf(krbconf->realm);
- config.user = krbconf->username;
- config.extra[0] = krbconf->userprinc;
- if (anon_fast_works()) {
- run_script("data/scripts/fast/anonymous", &config);
- run_script("data/scripts/fast/anonymous-debug", &config);
- } else {
- skip_block(2, "Anonymous authentication required to test anon_fast");
- }
+ run_script("data/scripts/fast/ccache", &config);
+ run_script("data/scripts/fast/ccache-debug", &config);
+ run_script("data/scripts/fast/no-ccache", &config);
+ run_script("data/scripts/fast/no-ccache-debug", &config);
return 0;
}
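Review bot: The new code at `/* Test fast_ccache */` runs the four ccache scripts unconditionally, so skipping when no keytab is present now rests entirely on `kerberos_setup(TAP_KRB_NEEDS_BOTH)` having skipped the whole test earlier; I infer that from the flag name rather than from anything visible here, and a comment stating it would make the dependency explicit, e.g. `/* kerberos_setup skips the whole test if a keytab or password is missing, so the ccache scripts can run unconditionally. */`. As a minor style point, that comment is the only one in the file without a terminating period; `/* Test fast_ccache. */` matches the surrounding comments. The enclosing main() starts outside this hunk.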