From d6a7d14fc59d5867fedab67a75afd79bdb14cc26 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Thu, 16 Apr 2015 18:42:51 -0500 Subject: [PATCH] Workaround bugs exposed by test_context changes Bugs exposed by 61720a0: - test_context --client-name=... --mech-type=ntlm ... fails; - gss_acquire_cred() with desired_mech=NTLM and desired_name==GSS_C_NO_NAME fails; - gss_init_sec_context() with non-default cred handle calls the mechanism even when the given cred handle has no element for the requested mechanism. tests/gss/check-ntlm works by accident: gss_acquire_cred() with desired_mechs==GSS_C_NO_OID_SET succeeds mostly because there are Kerberos credentials available, and then the subsequent gss_init_sec_context() call works because of the third bug described above. --- lib/gssapi/test_context.c | 25 +++++++++++++++++++++++++ tests/gss/check-ntlm.in | 3 +++ tests/gss/check-spnego.in | 15 ++++++++------- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index 1d2af2c24..d40f976e2 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c 
@@ -591,6 +591,31 @@ main(int argc, char **argv) mechoid = string_to_oid(mech_string); if (mechs_string == NULL) { + /* + * We ought to be able to use the OID set of the one mechanism + * OID given. But there's some breakage that conspires to make + * that fail though it should succeed: + * + * - the NTLM gss_acquire_cred() refuses to work with + * desired_name == GSS_C_NO_NAME + * - the NTLM gss_import_name() also fails, so that merely + * adding --client-name to this program's invocation doesn't + * work around that + * - gss_acquire_cred() with desired_mechs == GSS_C_NO_OID_SET + * does work here because we happen to have Kerberos + * credentials in check-ntlm, and the subsequent + * gss_init_sec_context() call finds no cred element for NTLM + * but plows on anyways, surprisingly enough, and then the + * NTLM gss_init_sec_context() just works. + * + * In summary, there's some breakage in gss_init_sec_context() + * and some breakage in NTLM (and SPNEGO) that conspires against + * us here. + * + * We work around this in check-ntlm and check-spnego by adding + * --mech-types='' to the invocations of this test program that + * require it. + */ oids[0] = *mechoid; mechoid_descs.elements = &oids[0]; mechoid_descs.count = 1; diff --git a/tests/gss/check-ntlm.in b/tests/gss/check-ntlm.in index a929e6657..2968c241d 100644 --- a/tests/gss/check-ntlm.in +++ b/tests/gss/check-ntlm.in @@ -134,6 +134,7 @@ KRB5CCNAME="$cache" echo "no NTLM initiator creds" ${context} --mech-type=ntlm \ + --mech-types= \ --mutual \ --name-type=hostbased-service \ --ret-mech-type=ntlm \ @@ -145,6 +146,7 @@ ${kinit} --password-file=${objdir}/foopassword --ntlm-domain=TEST user1@${R} || echo "NTLM initiator krb5 creds" ${context} --mech-type=ntlm \ + --mech-types= \ --mutual \ --name-type=hostbased-service \ --ret-mech-type=ntlm \ 
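Review bot: The new comment in the `if (mechs_string == NULL)` branch documents three bugs but leaves no marker that this is a temporary workaround, so nothing will prompt anyone to drop the `--mech-types=` invocations from check-ntlm/check-spnego once the mechglue and NTLM code are fixed. The third bullet is also the security-relevant one and deserves sharper wording than "plows on anyways": if gss_init_sec_context() proceeds when the supplied cred handle has no element for the requested mechanism, the mechanism is presumably being handed a default/no-credential handle, which means a caller that deliberately restricted its credentials can still end up authenticating with whatever the mechanism finds — that is a bug to fix in the mechglue, not just an oddity that happens to make the test pass. I would open the comment with `/* TODO: remove this workaround (and the --mech-types= arguments in tests/gss/check-ntlm.in and check-spnego.in) once gss_init_sec_context() rejects a cred handle with no element for the requested mech (GSS_S_NO_CRED would be the expected status) and NTLM gss_acquire_cred()/gss_import_name() accept GSS_C_NO_NAME. */` and reword the bullet to say the mechglue falls through instead of failing. Note that the comment describes what happens on the `--mech-types=` path, which is the `else` branch outside this hunk; main() itself starts and ends outside the hunk.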
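Review bot: The added `--mech-types= \` argument in the "no NTLM initiator creds" invocation has no explanation in check-ntlm.in itself; the rationale lives only in the long comment in lib/gssapi/test_context.c, and a reader of this script will reasonably assume an empty mech set is meaningless and remove it. Since the whole point of the commit message is that this test currently works by accident, the script should say so where the argument is first used, e.g. `# --mech-types= (empty set) works around NTLM gss_acquire_cred()/gss_import_name() refusing GSS_C_NO_NAME; see the comment in lib/gssapi/test_context.c and drop this once fixed`. The `${context}` command continues past the end of the hunk (trailing backslashes), so its exit-status handling is not visible here.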
@@ -153,6 +155,7 @@ ${context} --mech-type=ntlm \ echo "NTLM initiator krb5 creds (getverifymic, wrapunwrap)" ${context} --mech-type=ntlm \ + --mech-types= \ --mutual \ --name-type=hostbased-service \ --ret-mech-type=ntlm \ diff --git a/tests/gss/check-spnego.in b/tests/gss/check-spnego.in index 99a01cd66..699c0761c 100644 --- a/tests/gss/check-spnego.in +++ b/tests/gss/check-spnego.in @@ -124,7 +124,7 @@ echo "======context building for each mech" for mech in ntlm krb5 ; do echo "${mech}" - ${context} --mech-type=${mech} --ret-mech-type=${mech} \ + ${context} --mech-type=${mech} --mech-types= --ret-mech-type=${mech} \ --name-type=hostbased-service host@host.test.h5l.se || \ { exitcode=1 ; echo test failed; } done @@ -132,17 +132,18 @@ done echo "spnego" ${context} \ --mech-type=spnego \ + --mech-types= \ --ret-mech-type=krb5 \ --name-type=hostbased-service \ host@host.test.h5l.se || \ { exitcode=1 ; echo test failed; } echo "test failure cases" -${context} --mech-type=ntlm --ret-mech-type=krb5 \ +${context} --mech-type=ntlm --mech-types= --ret-mech-type=krb5 \ --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \ { exitcode=1 ; echo test failed; } -${context} --mech-type=krb5 --ret-mech-type=ntlm \ +${context} --mech-type=krb5 --mech-types= --ret-mech-type=ntlm \ --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \ { exitcode=1 ; echo test failed; } @@ -159,7 +160,7 @@ for arg in \ echo "no NTLM acceptor cred ${arg}" NTLM_ACCEPTOR_CCACHE="${cacheds}-no" - ${context} --mech-type=spnego \ + ${context} --mech-type=spnego --mech-types= \ $arg \ --client-name=user1@TEST.H5L.SE \ --name-type=hostbased-service \ @@ -170,7 +171,7 @@ for arg in \ echo "no NTLM initiator cred ${arg}" NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no" - ${context} --mech-type=spnego \ + ${context} --mech-type=spnego --mech-types= \ $arg \ --client-name=user1@TEST.H5L.SE \ --name-type=hostbased-service \ 
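Review bot: In the "test failure cases" block of check-spnego.in the two negative tests now pass `--mech-types=` while still discarding stderr (`2> /dev/null`) and only checking for a non-zero exit, so they cannot distinguish the intended failure (the `--ret-mech-type` mismatch) from a failure on the credential-acquisition path that this very commit says is broken; a negative test that fails for the wrong reason silently stops testing the mechanism-selection check. At minimum each of the two invocations should carry a comment stating what is expected to fail, e.g. `# must fail because the negotiated mech differs from --ret-mech-type, not because NTLM cred acquisition failed`, and ideally stderr should be captured to a file under `${objdir}` and checked for the mismatch diagnostic rather than dropped. I cannot see what test_context prints on a ret-mech mismatch from this hunk, so the exact string to check would need confirming in lib/gssapi/test_context.c.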
@@ -181,7 +182,7 @@ for arg in \ echo "no krb5 acceptor cred ${arg}" KRB5_KTNAME="${keytab}-no" - ${context} --mech-type=spnego \ + ${context} --mech-type=spnego --mech-types= \ $arg \ --client-name=user1@TEST.H5L.SE \ --server-no-delegate \ @@ -193,7 +194,7 @@ for arg in \ echo "no krb5 initiator cred ${arg}" KRB5CCNAME="${cache}-no" - ${context} --mech-type=spnego \ + ${context} --mech-type=spnego --mech-types= \ $arg \ --client-name=user1@TEST.H5L.SE \ --server-no-delegate \ -- 2.11.4.GIT