Diffstat (limited to 'crypto/krb5')
399 files changed, 0 insertions, 41351 deletions
diff --git a/crypto/krb5/src/tests/Makefile.in b/crypto/krb5/src/tests/Makefile.in
deleted file mode 100644
index 41ac0d3b2a29..000000000000
--- a/crypto/krb5/src/tests/Makefile.in
+++ /dev/null
@@ -1,203 +0,0 @@ -mydir=tests -BUILDTOP=$(REL).. -SUBDIRS = asn.1 create hammer verify gssapi shlib gss-threads misc threads \ - @fuzz_dir@ - -RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ - GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND) - -OBJS= adata.o conccache.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \ - icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \ - replay.o responder.o s2p.o s4u2self.o s4u2proxy.o t_inetd.o \ - unlockiter.o -EXTRADEPSRCS= adata.c conccache.c etinfo.c forward.c gcred.c hist.c hooks.c \ - hrealm.c icinterleave.c icred.c kdbtest.c localauth.c plugorder.c \ - rdreq.c replay.c responder.c s2p.c s4u2self.c s4u2proxy.c t_inetd.c \ - unlockiter.c - -TEST_DB = ./testdb -TEST_REALM = FOO.TEST.REALM -TEST_MKEY = footes -TEST_NUM = 65 -TEST_DEPTH = 5 -TEST_PREFIX = "foo bar" - -KADMIN_OPTS= -d $(TEST_DB) -r $(TEST_REALM) -P $(TEST_MKEY) -KTEST_OPTS= $(KADMIN_OPTS) -p $(TEST_PREFIX) -n $(TEST_NUM) -D $(TEST_DEPTH) - -adata: adata.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ adata.o $(KRB5_BASE_LIBS) - -conccache: conccache.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ conccache.o $(KRB5_BASE_LIBS) - -etinfo: etinfo.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ etinfo.o $(KRB5_BASE_LIBS) - -forward: forward.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ forward.o $(KRB5_BASE_LIBS) - -gcred: gcred.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ gcred.o $(KRB5_BASE_LIBS) - -hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) - -hooks: hooks.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS) - -hrealm: hrealm.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS) - -icinterleave: icinterleave.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ icinterleave.o $(KRB5_BASE_LIBS) - -icred: icred.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ icred.o $(KRB5_BASE_LIBS) - -kdbtest: kdbtest.o $(KDB5_DEPLIBS) 
$(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ kdbtest.o $(KDB5_LIBS) $(KADMSRV_LIBS) \ - $(KRB5_BASE_LIBS) - -localauth: localauth.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ localauth.o $(KRB5_BASE_LIBS) - -plugorder: plugorder.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ plugorder.o $(KRB5_BASE_LIBS) - -rdreq: rdreq.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ rdreq.o $(KRB5_BASE_LIBS) - -replay: replay.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ replay.o $(KRB5_BASE_LIBS) - -responder: responder.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ responder.o $(KRB5_BASE_LIBS) - -s2p: s2p.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ s2p.o $(KRB5_BASE_LIBS) - -s4u2self: s4u2self.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ s4u2self.o $(KRB5_BASE_LIBS) - -s4u2proxy: s4u2proxy.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ s4u2proxy.o $(KRB5_BASE_LIBS) - -t_inetd: t_inetd.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_inetd.o $(LIBS) $(KRB5_BASE_LIBS) - -unlockiter: unlockiter.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ unlockiter.o $(KDB5_LIBS) $(KADMSRV_LIBS) \ - $(KRB5_BASE_LIBS) - -all-unix: t_inetd - -check-unix: kdb_check - -kdc.conf: Makefile - rm -rf kdc.conf - @echo "[realms]" > kdc.conf - @echo "$(TEST_REALM) = {" >> kdc.conf - @echo " key_stash_file = `pwd`/stash_file" >> kdc.conf - @echo "}" >> kdc.conf - -krb5.conf: Makefile - cat $(top_srcdir)/config-files/krb5.conf > krb5.new - echo "[dbmodules]" >> krb5.new - echo " db_module_dir = `pwd`/../plugins/kdb" >> krb5.new - mv krb5.new krb5.conf - -kdb_check: kdc.conf krb5.conf - $(RM) $(TEST_DB)* - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W - $(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS) - $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f - @echo "====> NOTE!" 
- @echo "The following 'create' command is needed due to a change" - @echo "in functionality caused by DAL integration. See ticket 3973." - @echo ==== - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump - $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2 - sort $(TEST_DB).dump > $(TEST_DB).sort - sort $(TEST_DB).dump2 > $(TEST_DB).sort2 - cmp $(TEST_DB).sort $(TEST_DB).sort2 - $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f - $(RM) $(TEST_DB)* stash_file - -check-pytests: adata conccache etinfo forward gcred hist hooks hrealm -check-pytests: icinterleave icred kdbtest localauth plugorder rdreq replay -check-pytests: responder s2p s4u2proxy unlockiter s4u2self - $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_changepw.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_pkinit.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_spake.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kadm5_auth.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_hostrealm.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS) - 
$(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kadmin.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kadmin_parsing.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_keydata.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_mkey.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_rdreq.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_sn2princ.py $(PYTESTFLAGS) $(OFFLINE) - $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) - $(RM) au.log - $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ - -i au.log - $(RUNPYTEST) $(srcdir)/t_salt.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_etype_info.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kdc_log.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_proxy.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_unlockiter.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_errmsg.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_authdata.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kdcoptions.py 
$(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_replay.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_sendto_kdc.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_alias.py $(PYTESTFLAGS) - -clean: - $(RM) adata conccache etinfo forward gcred hist hooks hrealm - $(RM) icinterleave icred kdbtest localauth plugorder rdreq replay - $(RM) responder s2p s4u2proxy s4u2self t_inetd unlockiter - $(RM) krb5.conf kdc.conf - $(RM) -rf kdc_realm/sandbox ldap - $(RM) au.log diff --git a/crypto/krb5/src/tests/adata.c b/crypto/krb5/src/tests/adata.c deleted file mode 100644 index 58981c971142..000000000000 --- a/crypto/krb5/src/tests/adata.c +++ /dev/null 
@@ -1,381 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/adata.c - Test harness for KDC authorization data */ -/* - * Copyright (C) 2014 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Usage: ./adata [-c ccname] [-p clientprinc] serviceprinc - * [ad-type ad-contents ...] - * - * This program acquires credentials for the specified service principal, using - * the specified or default ccache, possibly including requested authdata. The - * resulting ticket is decrypted using the default keytab, and the authdata in - * the ticket are displayed to stdout. 
- * - * In the requested authdata types, the type may be prefixed with '?' for an - * AD-IF-RELEVANT container, '!' for an AD-MANDATORY-FOR-KDC container, or '^' - * for an AD-KDC-ISSUED container checksummed with a random AES256 key. - * Multiple prefixes may be specified for nested container. - * - * In the output, authdata containers will be flattened and displayed with the - * above prefixes or '+' for an AD-CAMMAC container. AD-KDC-ISSUED and - * AD-CAMMAC containers will be verified with the appropriate key. Nested - * containers only display the prefix for the innermost container. - */ - -#include <k5-int.h> -#include <ctype.h> - -static krb5_context ctx; - -static void display_authdata_list(krb5_authdata **list, - krb5_enc_tkt_part *enc_tkt, - krb5_keyblock *tktkey, char prefix_byte, - krb5_boolean pac_ok); - -static void -check(krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s\n", errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -static krb5_authdatatype -get_type_for_prefix(int prefix_byte) -{ - if (prefix_byte == '?') - return KRB5_AUTHDATA_IF_RELEVANT; - if (prefix_byte == '!') - return KRB5_AUTHDATA_MANDATORY_FOR_KDC; - if (prefix_byte == '^') - return KRB5_AUTHDATA_KDC_ISSUED; - if (prefix_byte == '+') - return KRB5_AUTHDATA_CAMMAC; - abort(); -} - -static int -get_prefix_byte(krb5_authdata *ad) -{ - if (ad->ad_type == KRB5_AUTHDATA_IF_RELEVANT) - return '?'; - if (ad->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC) - return '!'; - if (ad->ad_type == KRB5_AUTHDATA_KDC_ISSUED) - return '^'; - if (ad->ad_type == KRB5_AUTHDATA_CAMMAC) - return '+'; - abort(); -} - -/* Construct a container of type ad_type for the single authdata element - * content. For KDC-ISSUED containers, use a random checksum key. 
*/ -static krb5_authdata * -make_container(krb5_authdatatype ad_type, krb5_authdata *content) -{ - krb5_authdata *list[2], **enclist, *ad; - krb5_keyblock kb; - - list[0] = content; - list[1] = NULL; - - if (ad_type == KRB5_AUTHDATA_KDC_ISSUED) { - check(krb5_c_make_random_key(ctx, ENCTYPE_AES256_CTS_HMAC_SHA1_96, - &kb)); - check(krb5_make_authdata_kdc_issued(ctx, &kb, NULL, list, &enclist)); - krb5_free_keyblock_contents(ctx, &kb); - } else { - check(krb5_encode_authdata_container(ctx, ad_type, list, &enclist)); - } - - /* Grab the first element from the encoded list and free the array. */ - ad = enclist[0]; - free(enclist); - return ad; -} - -/* Parse typestr and contents into an authdata element. */ -static krb5_authdata * -make_authdata(const char *typestr, const char *contents) -{ - krb5_authdata *inner_ad, *ad; - - if (*typestr == '?' || *typestr == '!' || *typestr == '^') { - inner_ad = make_authdata(typestr + 1, contents); - ad = make_container(get_type_for_prefix(*typestr), inner_ad); - free(inner_ad->contents); - free(inner_ad); - return ad; - } - - ad = malloc(sizeof(*ad)); - assert(ad != NULL); - ad->magic = KV5M_AUTHDATA; - ad->ad_type = atoi(typestr); - ad->length = strlen(contents); - ad->contents = (unsigned char *)strdup(contents); - assert(ad->contents != NULL); - return ad; -} - -static krb5_authdata ** -get_container_contents(krb5_authdata *ad, krb5_keyblock *skey, - krb5_keyblock *tktkey) -{ - krb5_authdata **inner_ad; - - if (ad->ad_type == KRB5_AUTHDATA_KDC_ISSUED) - check(krb5_verify_authdata_kdc_issued(ctx, skey, ad, NULL, &inner_ad)); - else if (ad->ad_type == KRB5_AUTHDATA_CAMMAC) - check(k5_unwrap_cammac_svc(ctx, ad, tktkey, &inner_ad)); - else - check(krb5_decode_authdata_container(ctx, ad->ad_type, ad, &inner_ad)); - return inner_ad; -} - -static int -compare_uint32(const void *p1, const void *p2) -{ - uint32_t t1 = *(uint32_t *)p1, t2 = *(uint32_t *)p2; - - return (t1 > t2) ? 1 : (t1 == t2) ? 
0 : -1; -} - -static void -display_pac(krb5_authdata *ad, krb5_enc_tkt_part *enc_tkt, - krb5_keyblock *tktkey) -{ - krb5_pac pac; - size_t tlen, i; - uint32_t *types; - - assert(ad->ad_type == KRB5_AUTHDATA_WIN2K_PAC); - check(krb5_pac_parse(ctx, ad->contents, ad->length, &pac)); - - check(krb5_pac_verify(ctx, pac, enc_tkt->times.authtime, enc_tkt->client, - tktkey, NULL)); - - check(krb5_pac_get_types(ctx, pac, &tlen, &types)); - qsort(types, tlen, sizeof(*types), compare_uint32); - - printf("["); - for (i = 0; i < tlen; i++) { - printf("%d", (int)types[i]); - if (i + 1 < tlen) - printf(", "); - } - printf("]"); - - free(types); - krb5_pac_free(ctx, pac); -} - -/* Decode and display authentication indicator authdata. */ -static void -display_auth_indicator(krb5_authdata *ad) -{ - krb5_data **strs = NULL, **p; - - check(k5_authind_decode(ad, &strs)); - assert(strs != NULL); - - printf("["); - for (p = strs; *p != NULL; p++) { - printf("%.*s", (int)(*p)->length, (*p)->data); - if (*(p + 1) != NULL) - printf(", "); - } - printf("]"); - k5_free_data_ptr_list(strs); -} - -/* Display ad as either a hex dump or ASCII text. */ -static void -display_binary_or_ascii(krb5_authdata *ad) -{ - krb5_boolean binary = FALSE; - unsigned char *p; - - for (p = ad->contents; p < ad->contents + ad->length; p++) { - if (!isascii(*p) || !isprint(*p)) - binary = TRUE; - } - if (binary) { - for (p = ad->contents; p < ad->contents + ad->length; p++) - printf("%02X", *p); - } else { - printf("%.*s", (int)ad->length, ad->contents); - } -} - -/* Display the contents of an authdata element, prefixed by prefix_byte. skey - * must be the ticket session key. 
*/ -static void -display_authdata(krb5_authdata *ad, krb5_enc_tkt_part *enc_tkt, - krb5_keyblock *tktkey, int prefix_byte, krb5_boolean pac_ok) -{ - krb5_authdata **inner_ad; - - if (ad->ad_type == KRB5_AUTHDATA_IF_RELEVANT || - ad->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC || - ad->ad_type == KRB5_AUTHDATA_KDC_ISSUED || - ad->ad_type == KRB5_AUTHDATA_CAMMAC) { - if (ad->ad_type != KRB5_AUTHDATA_IF_RELEVANT) - pac_ok = FALSE; - /* Decode and display the contents. */ - inner_ad = get_container_contents(ad, enc_tkt->session, tktkey); - display_authdata_list(inner_ad, enc_tkt, tktkey, get_prefix_byte(ad), - pac_ok); - krb5_free_authdata(ctx, inner_ad); - return; - } - - assert(pac_ok || ad->ad_type != KRB5_AUTHDATA_WIN2K_PAC); - - printf("%c", prefix_byte); - printf("%d: ", (int)ad->ad_type); - - if (ad->ad_type == KRB5_AUTHDATA_WIN2K_PAC) - display_pac(ad, enc_tkt, tktkey); - else if (ad->ad_type == KRB5_AUTHDATA_AUTH_INDICATOR) - display_auth_indicator(ad); - else - display_binary_or_ascii(ad); - printf("\n"); -} - -static void -display_authdata_list(krb5_authdata **list, krb5_enc_tkt_part *tkt_enc, - krb5_keyblock *tktkey, char prefix_byte, - krb5_boolean pac_ok) -{ - if (list == NULL) - return; - /* Only expect a PAC in the first element, if at all. */ - for (; *list != NULL; list++) { - display_authdata(*list, tkt_enc, tktkey, prefix_byte, pac_ok); - pac_ok = FALSE; - } -} - -int -main(int argc, char **argv) -{ - const char *ccname = NULL, *clientname = NULL; - krb5_principal client, server; - krb5_ccache ccache; - krb5_keytab keytab; - krb5_creds in_creds, *creds; - krb5_ticket *ticket; - krb5_authdata **req_authdata = NULL, *ad; - krb5_keytab_entry ktent; - size_t count; - int c; - - check(krb5_init_context(&ctx)); - - while ((c = getopt(argc, argv, "+c:p:")) != -1) { - switch (c) { - case 'c': - ccname = optarg; - break; - case 'p': - clientname = optarg; - break; - default: - abort(); - } - } - argv += optind; - /* Parse arguments. 
*/ - assert(*argv != NULL); - check(krb5_parse_name(ctx, *argv++, &server)); - - count = 0; - for (; argv[0] != NULL && argv[1] != NULL; argv += 2) { - ad = make_authdata(argv[0], argv[1]); - req_authdata = realloc(req_authdata, - (count + 2) * sizeof(*req_authdata)); - assert(req_authdata != NULL); - req_authdata[count++] = ad; - req_authdata[count] = NULL; - } - assert(*argv == NULL); - - if (ccname != NULL) - check(krb5_cc_resolve(ctx, ccname, &ccache)); - else - check(krb5_cc_default(ctx, &ccache)); - - if (clientname != NULL) - check(krb5_parse_name(ctx, clientname, &client)); - else - check(krb5_cc_get_principal(ctx, ccache, &client)); - - memset(&in_creds, 0, sizeof(in_creds)); - in_creds.client = client; - in_creds.server = server; - in_creds.authdata = req_authdata; - - check(krb5_get_credentials(ctx, KRB5_GC_NO_STORE, ccache, &in_creds, - &creds)); - - assert(in_creds.authdata == NULL || creds->authdata != NULL); - - check(krb5_decode_ticket(&creds->ticket, &ticket)); - check(krb5_kt_default(ctx, &keytab)); - check(krb5_kt_get_entry(ctx, keytab, ticket->server, ticket->enc_part.kvno, - ticket->enc_part.enctype, &ktent)); - check(krb5_decrypt_tkt_part(ctx, &ktent.key, ticket)); - - display_authdata_list(ticket->enc_part2->authorization_data, - ticket->enc_part2, &ktent.key, ' ', TRUE); - - while (count > 0) { - free(req_authdata[--count]->contents); - free(req_authdata[count]); - } - free(req_authdata); - krb5_free_keytab_entry_contents(ctx, &ktent); - krb5_free_creds(ctx, creds); - krb5_free_ticket(ctx, ticket); - krb5_free_principal(ctx, client); - krb5_free_principal(ctx, server); - krb5_cc_close(ctx, ccache); - krb5_kt_close(ctx, keytab); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/asn.1/Makefile.in b/crypto/krb5/src/tests/asn.1/Makefile.in deleted file mode 100644 index eabe0bd080a2..000000000000 --- a/crypto/krb5/src/tests/asn.1/Makefile.in +++ /dev/null 
@@ -1,98 +0,0 @@ -mydir=tests$(S)asn.1 -BUILDTOP=$(REL)..$(S).. -LDAP=@LDAP@ - -SRCS= $(srcdir)/krb5_encode_test.c $(srcdir)/krb5_decode_test.c \ - $(srcdir)/krb5_decode_leak.c $(srcdir)/ktest.c \ - $(srcdir)/ktest_equal.c $(srcdir)/utility.c \ - $(srcdir)/trval.c $(srcdir)/t_trval.c - -ASN1SRCS= $(srcdir)/krb5.asn1 $(srcdir)/pkix.asn1 $(srcdir)/otp.asn1 \ - $(srcdir)/pkinit.asn1 $(srcdir)/pkinit-agility.asn1 \ - $(srcdir)/cammac.asn1 $(srcdir)/spake.asn1 - -all: krb5_encode_test krb5_decode_test krb5_decode_leak t_trval - -ENCOBJS = krb5_encode_test.o ktest.o ktest_equal.o utility.o trval.o - -krb5_encode_test: $(ENCOBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o krb5_encode_test $(ENCOBJS) $(KRB5_BASE_LIBS) - -DECOBJS = krb5_decode_test.o ktest.o ktest_equal.o utility.o - -krb5_decode_test: $(DECOBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o krb5_decode_test $(DECOBJS) $(KRB5_BASE_LIBS) - -LEAKOBJS = krb5_decode_leak.o ktest.o ktest_equal.o utility.o - -krb5_decode_leak: $(LEAKOBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o krb5_decode_leak $(LEAKOBJS) $(KRB5_BASE_LIBS) - -t_trval: t_trval.o - $(CC) -o t_trval $(ALL_CFLAGS) t_trval.o - -check: check-encode check-encode-trval check-decode check-leak - -# Does not actually test for leaks unless using valgrind or a similar -# tool, but does exercise a bunch of code. 
-check-leak: krb5_decode_leak - $(RUN_TEST) ./krb5_decode_leak - -check-decode: krb5_decode_test - $(RUN_TEST) ./krb5_decode_test - -PKINIT_ENCODE_OUT=$(PKINIT_ENCODE_OUT-@PKINIT@) -PKINIT_ENCODE_OUT-yes=$(srcdir)/pkinit_encode.out -PKINIT_ENCODE_OUT-no= -LDAP_ENCODE_OUT=$(LDAP_ENCODE_OUT-@LDAP@) -LDAP_ENCODE_OUT-yes=$(srcdir)/ldap_encode.out -LDAP_ENCODE_OUT-no= -expected_encode.out: reference_encode.out pkinit_encode.out ldap_encode.out - cat $(srcdir)/reference_encode.out $(PKINIT_ENCODE_OUT) \ - $(LDAP_ENCODE_OUT) > $@ - -PKINIT_TRVAL_OUT=$(PKINIT_TRVAL_OUT-@PKINIT@) -PKINIT_TRVAL_OUT-yes=$(srcdir)/pkinit_trval.out -PKINIT_TRVAL_OUT-no= -LDAP_TRVAL_OUT=$(LDAP_TRVAL_OUT-@LDAP@) -LDAP_TRVAL_OUT-yes=$(srcdir)/ldap_trval.out -LDAP_TRVAL_OUT-no= -expected_trval.out: trval_reference.out pkinit_trval.out ldap_trval.out - cat $(srcdir)/trval_reference.out $(PKINIT_TRVAL_OUT) \ - $(LDAP_TRVAL_OUT) > $@ - -check-encode: krb5_encode_test expected_encode.out - $(RUN_TEST) ./krb5_encode_test > test.out - cmp test.out expected_encode.out - -check-encode-trval: krb5_encode_test expected_trval.out - $(RUN_TEST) ./krb5_encode_test -t > trval.out - cmp trval.out expected_trval.out - -# This target uses asn1c to generate encodings of sample objects, to -# help ensure that our implementation is correct. asn1c must be in the -# path for this to work. -test-vectors: - $(RM) -r vectors - mkdir vectors - cp $(ASN1SRCS) $(srcdir)/make-vectors.c vectors - (cd vectors && asn1c *.asn1 && rm converter-sample.c) - (cd vectors && $(CC) -I. 
-w *.c -o make-vectors) - (cd vectors && ./make-vectors) - -install: - -clean: - rm -f *~ *.o krb5_encode_test krb5_decode_test krb5_decode_leak test.out trval t_trval expected_encode.out expected_trval.out trval.out - - -################ Dependencies ################ -krb5_decode_test.o: ktest.h utility.h ktest_equal.h debug.h -krb5_encode_test.o: utility.h ktest.h debug.h -trval.o: trval.c -ktest.o: ktest.h utility.h -ktest_equal.o: ktest_equal.h -#utility.o: utility.h -#utility.h: krbasn1.h asn1buf.h -############################################## - diff --git a/crypto/krb5/src/tests/asn.1/README b/crypto/krb5/src/tests/asn.1/README deleted file mode 100644 index 2c0c098099d0..000000000000 --- a/crypto/krb5/src/tests/asn.1/README +++ /dev/null 
@@ -1,28 +0,0 @@ -krb5_encode_test runs through all the functions declared in - src/include/krb5/asn.1/krb5_encode.h. It passes various sample - inputs to each function and prints the result to standard - output. This output should match the contents of the file - "reference_encode.out". - - Each function is first run with a relatively simple, contrived - sample structure. Then if the structure has any optional parts, - these parts are cleared and another run is made. - - Some structures (namely, those containing a krb5_kdc_req_body) - have a third run, due to the fact that two of the kdc_req_body's - optional fields have mutually exclusive conditions under which - they may be omitted. - - -krb5_decode_test runs through all the functions declared in - src/include/krb5/asn.1/krb5_decode.h. It has the encodings in - reference_encode.out hard-coded into itself. It sets up the - krb5 structures the same way krb5_encode_test does, then passes - its hard-coded encoding strings through the krb5 decoders. - - The outputs of these functions are compared to the previously - set-up structures in memory, and the results are reported to - standard output. If every line comes out prefixed by "OK: ", - then the decoders are working properly. If any decoder produces - an anomalous output, then its output line will be prefixed by - "ERROR: " diff --git a/crypto/krb5/src/tests/asn.1/cammac.asn1 b/crypto/krb5/src/tests/asn.1/cammac.asn1 deleted file mode 100644 index 2fc997606a1e..000000000000 --- a/crypto/krb5/src/tests/asn.1/cammac.asn1 +++ /dev/null 
@@ -1,30 +0,0 @@ -KerberosV5CAMMAC DEFINITIONS EXPLICIT TAGS ::= BEGIN - -IMPORTS - AuthorizationData, PrincipalName, Checksum, UInt32, Int32 - FROM KerberosV5Spec2 { iso(1) identified-organization(3) - dod(6) internet(1) security(5) kerberosV5(2) - modules(4) krb5spec2(2) }; - -- as defined in RFC 4120. - -AD-CAMMAC ::= SEQUENCE { - elements [0] AuthorizationData, - kdc-verifier [1] Verifier-MAC OPTIONAL, - svc-verifier [2] Verifier-MAC OPTIONAL, - other-verifiers [3] SEQUENCE (SIZE (1..MAX)) - OF Verifier OPTIONAL -} - -Verifier ::= CHOICE { - mac Verifier-MAC, - ... -} - -Verifier-MAC ::= SEQUENCE { - identifier [0] PrincipalName OPTIONAL, - kvno [1] UInt32 OPTIONAL, - enctype [2] Int32 OPTIONAL, - mac [3] Checksum -} - -END diff --git a/crypto/krb5/src/tests/asn.1/debug.h b/crypto/krb5/src/tests/asn.1/debug.h deleted file mode 100644 index 12020164891d..000000000000 --- a/crypto/krb5/src/tests/asn.1/debug.h +++ /dev/null 
@@ -1,46 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/debug.h */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef __DEBUG_H__ -#define __DEBUG_H__ - -/* - assert utility macro for test programs: - If the predicate (pred) is true, then - OK: <message> is printed. Otherwise, - ERROR: <message> is printed. - - message should be a printf format string. -*/ - -#include <stdio.h> - -#define test(pred,message) \ - if(pred) printf("OK: "); \ - else { printf("ERROR: "); error_count++; } \ - printf(message); - -#endif diff --git a/crypto/krb5/src/tests/asn.1/deps b/crypto/krb5/src/tests/asn.1/deps deleted file mode 100644 index 0b44f44a5ec7..000000000000 --- a/crypto/krb5/src/tests/asn.1/deps +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)krb5_encode_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h debug.h krb5_encode_test.c \ - ktest.h utility.h -$(OUTPRE)krb5_decode_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h debug.h krb5_decode_test.c \ - ktest.h ktest_equal.h utility.h -$(OUTPRE)krb5_decode_leak.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h 
\ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h debug.h krb5_decode_leak.c \ - ktest.h utility.h -$(OUTPRE)ktest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h ktest.c ktest.h \ - utility.h -$(OUTPRE)ktest_equal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h 
$(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h ktest_equal.c \ - ktest_equal.h -$(OUTPRE)utility.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h utility.c utility.h -$(OUTPRE)trval.$(OBJEXT): trval.c -$(OUTPRE)t_trval.$(OBJEXT): t_trval.c trval.c diff --git a/crypto/krb5/src/tests/asn.1/krb5.asn1 b/crypto/krb5/src/tests/asn.1/krb5.asn1 deleted file mode 100644 index f58637a6d9a7..000000000000 --- a/crypto/krb5/src/tests/asn.1/krb5.asn1 +++ /dev/null 
@@ -1,392 +0,0 @@ -KerberosV5Spec2 { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) krb5spec2(2) -} DEFINITIONS EXPLICIT TAGS ::= BEGIN - --- OID arc for KerberosV5 --- --- This OID may be used to identify Kerberos protocol messages --- encapsulated in other protocols. --- --- This OID also designates the OID arc for KerberosV5-related OIDs. --- --- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. -id-krb5 OBJECT IDENTIFIER ::= { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) -} - -Int32 ::= INTEGER (-2147483648..2147483647) - -- signed values representable in 32 bits - -UInt32 ::= INTEGER (0..4294967295) - -- unsigned 32 bit values - -Microseconds ::= INTEGER (0..999999) - -- microseconds - -KerberosString ::= GeneralString -- (IA5String) - -Realm ::= KerberosString - -PrincipalName ::= SEQUENCE { - name-type [0] Int32, - name-string [1] SEQUENCE OF KerberosString -} - -KerberosTime ::= GeneralizedTime -- with no fractional seconds - -HostAddress ::= SEQUENCE { - addr-type [0] Int32, - address [1] OCTET STRING -} - --- NOTE: HostAddresses is always used as an OPTIONAL field and --- should not be empty. -HostAddresses -- NOTE: subtly different from rfc1510, - -- but has a value mapping and encodes the same - ::= SEQUENCE OF HostAddress - --- NOTE: AuthorizationData is always used as an OPTIONAL field and --- should not be empty. 
-AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type [0] Int32, - ad-data [1] OCTET STRING -} - -PA-DATA ::= SEQUENCE { - -- NOTE: first tag is [1], not [0] - padata-type [1] Int32, - padata-value [2] OCTET STRING -- might be encoded AP-REQ -} - -KerberosFlags ::= BIT STRING (SIZE (32..MAX)) - -- minimum number of bits shall be sent, - -- but no fewer than 32 - -EncryptedData ::= SEQUENCE { - etype [0] Int32 -- EncryptionType --, - kvno [1] UInt32 OPTIONAL, - cipher [2] OCTET STRING -- ciphertext -} - -EncryptionKey ::= SEQUENCE { - keytype [0] Int32 -- actually encryption type --, - keyvalue [1] OCTET STRING -} - -Checksum ::= SEQUENCE { - cksumtype [0] Int32, - checksum [1] OCTET STRING -} - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno [0] INTEGER (5), - realm [1] Realm, - sname [2] PrincipalName, - enc-part [3] EncryptedData -- EncTicketPart -} - --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags [0] TicketFlags, - key [1] EncryptionKey, - crealm [2] Realm, - cname [3] PrincipalName, - transited [4] TransitedEncoding, - authtime [5] KerberosTime, - starttime [6] KerberosTime OPTIONAL, - endtime [7] KerberosTime, - renew-till [8] KerberosTime OPTIONAL, - caddr [9] HostAddresses OPTIONAL, - authorization-data [10] AuthorizationData OPTIONAL -} - --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type [0] Int32 -- must be registered --, - contents [1] OCTET STRING -} - -TicketFlags ::= KerberosFlags - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- may-postdate(5), - -- postdated(6), - -- invalid(7), - -- renewable(8), - -- initial(9), - -- pre-authent(10), - -- hw-authent(11), --- the following are new since 1510 - -- transited-policy-checked(12), - -- ok-as-delegate(13) - -AS-REQ ::= [APPLICATION 10] KDC-REQ - -TGS-REQ ::= [APPLICATION 12] KDC-REQ - -KDC-REQ ::= SEQUENCE { - -- NOTE: first tag is [1], not [0] - pvno [1] INTEGER (5) , - msg-type [2] INTEGER (10 -- 
AS -- | 12 -- TGS --), - padata [3] SEQUENCE OF PA-DATA OPTIONAL - -- NOTE: not empty --, - req-body [4] KDC-REQ-BODY -} - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options [0] KDCOptions, - cname [1] PrincipalName OPTIONAL - -- Used only in AS-REQ --, - realm [2] Realm - -- Server's realm - -- Also client's in AS-REQ --, - sname [3] PrincipalName OPTIONAL, - from [4] KerberosTime OPTIONAL, - till [5] KerberosTime, - rtime [6] KerberosTime OPTIONAL, - nonce [7] UInt32, - etype [8] SEQUENCE OF Int32 -- EncryptionType - -- in preference order --, - addresses [9] HostAddresses OPTIONAL, - enc-authorization-data [10] EncryptedData OPTIONAL - -- AuthorizationData --, - additional-tickets [11] SEQUENCE OF Ticket OPTIONAL - -- NOTE: not empty -} - -KDCOptions ::= KerberosFlags - -- reserved(0), - -- forwardable(1), - -- forwarded(2), - -- proxiable(3), - -- proxy(4), - -- allow-postdate(5), - -- postdated(6), - -- unused7(7), - -- renewable(8), - -- unused9(9), - -- unused10(10), - -- opt-hardware-auth(11), - -- unused12(12), - -- unused13(13), --- 15 is reserved for canonicalize - -- unused15(15), --- 26 was unused in 1510 - -- disable-transited-check(26), --- - -- renewable-ok(27), - -- enc-tkt-in-skey(28), - -- renew(30), - -- validate(31) - -AS-REP ::= [APPLICATION 11] KDC-REP - -TGS-REP ::= [APPLICATION 13] KDC-REP - -KDC-REP ::= SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --), - padata [2] SEQUENCE OF PA-DATA OPTIONAL - -- NOTE: not empty --, - crealm [3] Realm, - cname [4] PrincipalName, - ticket [5] Ticket, - enc-part [6] EncryptedData - -- EncASRepPart or EncTGSRepPart, - -- as appropriate -} - -EncASRepPart ::= [APPLICATION 25] EncKDCRepPart - -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -EncKDCRepPart ::= SEQUENCE { - key [0] EncryptionKey, - last-req [1] LastReq, - nonce [2] UInt32, - key-expiration [3] KerberosTime OPTIONAL, - flags [4] TicketFlags, - authtime [5] KerberosTime, - starttime [6] KerberosTime OPTIONAL, - 
endtime [7] KerberosTime, - renew-till [8] KerberosTime OPTIONAL, - srealm [9] Realm, - sname [10] PrincipalName, - caddr [11] HostAddresses OPTIONAL -} - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type [0] Int32, - lr-value [1] KerberosTime -} - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (14), - ap-options [2] APOptions, - ticket [3] Ticket, - authenticator [4] EncryptedData -- Authenticator -} - -APOptions ::= KerberosFlags - -- reserved(0), - -- use-session-key(1), - -- mutual-required(2) - --- Unencrypted authenticator -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno [0] INTEGER (5), - crealm [1] Realm, - cname [2] PrincipalName, - cksum [3] Checksum OPTIONAL, - cusec [4] Microseconds, - ctime [5] KerberosTime, - subkey [6] EncryptionKey OPTIONAL, - seq-number [7] UInt32 OPTIONAL, - authorization-data [8] AuthorizationData OPTIONAL -} - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (15), - enc-part [2] EncryptedData -- EncAPRepPart -} - -EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime [0] KerberosTime, - cusec [1] Microseconds, - subkey [2] EncryptionKey OPTIONAL, - seq-number [3] UInt32 OPTIONAL -} - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (20), - safe-body [2] KRB-SAFE-BODY, - cksum [3] Checksum -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data [0] OCTET STRING, - timestamp [1] KerberosTime OPTIONAL, - usec [2] Microseconds OPTIONAL, - seq-number [3] UInt32 OPTIONAL, - s-address [4] HostAddress, - r-address [5] HostAddress OPTIONAL -} - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (21), - -- NOTE: there is no [2] tag - enc-part [3] EncryptedData -- EncKrbPrivPart -} - -EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { - user-data [0] OCTET STRING, - timestamp [1] KerberosTime OPTIONAL, - usec [2] Microseconds OPTIONAL, - seq-number [3] UInt32 OPTIONAL, - s-address [4] 
HostAddress -- sender's addr --, - r-address [5] HostAddress OPTIONAL -- recip's addr -} - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (22), - tickets [2] SEQUENCE OF Ticket, - enc-part [3] EncryptedData -- EncKrbCredPart -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info [0] SEQUENCE OF KrbCredInfo, - nonce [1] UInt32 OPTIONAL, - timestamp [2] KerberosTime OPTIONAL, - usec [3] Microseconds OPTIONAL, - s-address [4] HostAddress OPTIONAL, - r-address [5] HostAddress OPTIONAL -} - -KrbCredInfo ::= SEQUENCE { - key [0] EncryptionKey, - prealm [1] Realm OPTIONAL, - pname [2] PrincipalName OPTIONAL, - flags [3] TicketFlags OPTIONAL, - authtime [4] KerberosTime OPTIONAL, - starttime [5] KerberosTime OPTIONAL, - endtime [6] KerberosTime OPTIONAL, - renew-till [7] KerberosTime OPTIONAL, - srealm [8] Realm OPTIONAL, - sname [9] PrincipalName OPTIONAL, - caddr [10] HostAddresses OPTIONAL -} - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno [0] INTEGER (5), - msg-type [1] INTEGER (30), - ctime [2] KerberosTime OPTIONAL, - cusec [3] Microseconds OPTIONAL, - stime [4] KerberosTime, - susec [5] Microseconds, - error-code [6] Int32, - crealm [7] Realm OPTIONAL, - cname [8] PrincipalName OPTIONAL, - realm [9] Realm -- service realm --, - sname [10] PrincipalName -- service name --, - e-text [11] KerberosString OPTIONAL, - e-data [12] OCTET STRING OPTIONAL -} - -METHOD-DATA ::= SEQUENCE OF PA-DATA - -TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - data-type [0] Int32, - data-value [1] OCTET STRING OPTIONAL -} - --- preauth stuff follows - -PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC - -PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp [0] KerberosTime -- client's time --, - pausec [1] Microseconds OPTIONAL -} - -ETYPE-INFO-ENTRY ::= SEQUENCE { - etype [0] Int32, - salt [1] OCTET STRING OPTIONAL -} - -ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY - -ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype [0] Int32, - salt [1] 
KerberosString OPTIONAL,
- s2kparams [2] OCTET STRING OPTIONAL
-}
-
-ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
-
-AD-IF-RELEVANT ::= AuthorizationData
-
-AD-KDCIssued ::= SEQUENCE {
- ad-checksum [0] Checksum,
- i-realm [1] Realm OPTIONAL,
- i-sname [2] PrincipalName OPTIONAL,
- elements [3] AuthorizationData
-}
-
-AD-AND-OR ::= SEQUENCE {
- condition-count [0] Int32,
- elements [1] AuthorizationData
-}
-
-AD-MANDATORY-FOR-KDC ::= AuthorizationData
-
-END
diff --git a/crypto/krb5/src/tests/asn.1/krb5_decode_leak.c b/crypto/krb5/src/tests/asn.1/krb5_decode_leak.c
deleted file mode 100644
index 2a5313b05f77..000000000000
--- a/crypto/krb5/src/tests/asn.1/krb5_decode_leak.c
+++ /dev/null 
@@ -1,676 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/asn.1/krb5_decode_leak.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This program is intended to help detect memory leaks in the ASN.1
- * decoder functions by exercising their failure paths. The setup
- * code for the test cases is copied from krb5_encode_test.c.
- *
- * This code does not actually detect leaks by itself; it must be run
- * through a leak-detection tool such as valgrind to do so. Simply
- * running the program will exercise a bunch of ASN.1 encoder and
- * decoder code paths but won't validate the results. 
- */
-
-#include "k5-int.h"
-#include "com_err.h"
-#include "utility.h"
-#include "ktest.h"
-#include "debug.h"
-
-krb5_context test_context;
-
-/*
- * Contrary to our usual convention, krb5_free_cred_enc_part is a
- * contents-only free function (and is assumed to be by mk_cred and
- * rd_cred) and we have no whole-structure free function for that data
- * type. So create one here.
- */
-static void
-free_cred_enc_part_whole(krb5_context ctx,
- krb5_cred_enc_part *val)
-{
- krb5_free_cred_enc_part(ctx, val);
- free(val);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_data *code;
- krb5_error_code retval;
- unsigned int i;
-
- retval = krb5_init_context(&test_context);
- if (retval) {
- com_err(argv[0], retval, "while initializing krb5");
- exit(1);
- }
- init_access(argv[0]);
-
-#define encode_run(value,type,typestring,description,encoder)
-
- /*
- * Encode a value. Then attempt to trigger most failure paths of
- * the decoder function by passing in corrupt encodings, which we
- * generate by perturbing each byte of the encoding in turn. Some
- * of the perturbed encodings are expected to decode successfully,
- * so we need a free function to discard successful results. Make
- * sure to define a pointer named "tmp" of the correct type in the
- * enclosing block. 
- */
-#define leak_test(value, encoder, decoder, freefn) \
- retval = encoder(&(value),&(code)); \
- if (retval) { \
- com_err("krb5_decode_leak", retval, "while encoding"); \
- exit(1); \
- } \
- for (i = 0; i < code->length; i++) { \
- code->data[i] = (char)~((unsigned char)code->data[i]); \
- retval = decoder(code, &tmp); \
- code->data[i] = (char)~((unsigned char)code->data[i]); \
- if (retval == 0) \
- freefn(test_context, tmp); \
- } \
- krb5_free_data(test_context, code);
-
- /****************************************************************/
- /* encode_krb5_authenticator */
- {
- krb5_authenticator authent, *tmp;
-
- ktest_make_sample_authenticator(&authent);
- leak_test(authent, encode_krb5_authenticator,
- decode_krb5_authenticator, krb5_free_authenticator);
-
- ktest_destroy_checksum(&(authent.checksum));
- ktest_destroy_keyblock(&(authent.subkey));
- authent.seq_number = 0;
- ktest_empty_authorization_data(authent.authorization_data);
- leak_test(authent, encode_krb5_authenticator,
- decode_krb5_authenticator, krb5_free_authenticator);
-
- ktest_destroy_authorization_data(&(authent.authorization_data));
- leak_test(authent, encode_krb5_authenticator,
- decode_krb5_authenticator, krb5_free_authenticator);
- ktest_empty_authenticator(&authent);
- }
-
- /****************************************************************/
- /* encode_krb5_ticket */
- {
- krb5_ticket tkt, *tmp;
-
- ktest_make_sample_ticket(&tkt);
- leak_test(tkt, encode_krb5_ticket, decode_krb5_ticket,
- krb5_free_ticket);
- ktest_empty_ticket(&tkt);
- }
-
- /****************************************************************/
- /* encode_krb5_encryption_key */
- {
- krb5_keyblock keyblk, *tmp;
-
- ktest_make_sample_keyblock(&keyblk);
- leak_test(keyblk, encode_krb5_encryption_key,
- decode_krb5_encryption_key, krb5_free_keyblock);
- ktest_empty_keyblock(&keyblk);
- }
-
- /****************************************************************/
- /* encode_krb5_enc_tkt_part */
- {
- krb5_ticket tkt;
- 
krb5_enc_tkt_part *tmp;
-
- memset(&tkt, 0, sizeof(krb5_ticket));
- tkt.enc_part2 = ealloc(sizeof(krb5_enc_tkt_part));
- ktest_make_sample_enc_tkt_part(tkt.enc_part2);
-
- leak_test(*(tkt.enc_part2), encode_krb5_enc_tkt_part,
- decode_krb5_enc_tkt_part, krb5_free_enc_tkt_part);
-
- tkt.enc_part2->times.starttime = 0;
- tkt.enc_part2->times.renew_till = 0;
- ktest_destroy_address(&(tkt.enc_part2->caddrs[1]));
- ktest_destroy_address(&(tkt.enc_part2->caddrs[0]));
- ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[1]));
- ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[0]));
-
- /* ISODE version fails on the empty caddrs field */
- ktest_destroy_addresses(&(tkt.enc_part2->caddrs));
- ktest_destroy_authorization_data(&(tkt.enc_part2->authorization_data));
-
- leak_test(*(tkt.enc_part2), encode_krb5_enc_tkt_part,
- decode_krb5_enc_tkt_part, krb5_free_enc_tkt_part);
- ktest_empty_ticket(&tkt);
- }
-
- /****************************************************************/
- /* encode_krb5_enc_kdc_rep_part */
- {
- krb5_kdc_rep kdcr;
- krb5_enc_kdc_rep_part *tmp;
-
- memset(&kdcr, 0, sizeof(kdcr));
-
- kdcr.enc_part2 = ealloc(sizeof(krb5_enc_kdc_rep_part));
- ktest_make_sample_enc_kdc_rep_part(kdcr.enc_part2);
-
- leak_test(*(kdcr.enc_part2), encode_krb5_enc_kdc_rep_part,
- decode_krb5_enc_kdc_rep_part, krb5_free_enc_kdc_rep_part);
-
- kdcr.enc_part2->key_exp = 0;
- kdcr.enc_part2->times.starttime = 0;
- kdcr.enc_part2->flags &= ~TKT_FLG_RENEWABLE;
- ktest_destroy_addresses(&(kdcr.enc_part2->caddrs));
-
- leak_test(*(kdcr.enc_part2), encode_krb5_enc_kdc_rep_part,
- decode_krb5_enc_kdc_rep_part, krb5_free_enc_kdc_rep_part);
-
- ktest_empty_kdc_rep(&kdcr);
- }
-
- /****************************************************************/
- /* encode_krb5_as_rep */
- {
- krb5_kdc_rep kdcr, *tmp;
-
- ktest_make_sample_kdc_rep(&kdcr);
- kdcr.msg_type = KRB5_AS_REP;
- leak_test(kdcr, encode_krb5_as_rep, decode_krb5_as_rep,
- krb5_free_kdc_rep);
- 
ktest_destroy_pa_data_array(&(kdcr.padata));
- leak_test(kdcr, encode_krb5_as_rep, decode_krb5_as_rep,
- krb5_free_kdc_rep);
-
- ktest_empty_kdc_rep(&kdcr);
-
- }
-
- /****************************************************************/
- /* encode_krb5_tgs_rep */
- {
- krb5_kdc_rep kdcr, *tmp;
-
- ktest_make_sample_kdc_rep(&kdcr);
- kdcr.msg_type = KRB5_TGS_REP;
- leak_test(kdcr, encode_krb5_tgs_rep, decode_krb5_tgs_rep,
- krb5_free_kdc_rep);
-
- ktest_destroy_pa_data_array(&(kdcr.padata));
- leak_test(kdcr, encode_krb5_tgs_rep, decode_krb5_tgs_rep,
- krb5_free_kdc_rep);
-
- ktest_empty_kdc_rep(&kdcr);
-
- }
-
- /****************************************************************/
- /* encode_krb5_ap_req */
- {
- krb5_ap_req apreq, *tmp;
-
- ktest_make_sample_ap_req(&apreq);
- leak_test(apreq, encode_krb5_ap_req, decode_krb5_ap_req,
- krb5_free_ap_req);
- ktest_empty_ap_req(&apreq);
- }
-
- /****************************************************************/
- /* encode_krb5_ap_rep */
- {
- krb5_ap_rep aprep, *tmp;
-
- ktest_make_sample_ap_rep(&aprep);
- leak_test(aprep, encode_krb5_ap_rep, decode_krb5_ap_rep,
- krb5_free_ap_rep);
- ktest_empty_ap_rep(&aprep);
- }
-
- /****************************************************************/
- /* encode_krb5_ap_rep_enc_part */
- {
- krb5_ap_rep_enc_part apenc, *tmp;
-
- ktest_make_sample_ap_rep_enc_part(&apenc);
- leak_test(apenc, encode_krb5_ap_rep_enc_part,
- decode_krb5_ap_rep_enc_part, krb5_free_ap_rep_enc_part);
-
- ktest_destroy_keyblock(&(apenc.subkey));
- apenc.seq_number = 0;
- leak_test(apenc, encode_krb5_ap_rep_enc_part,
- decode_krb5_ap_rep_enc_part, krb5_free_ap_rep_enc_part);
- ktest_empty_ap_rep_enc_part(&apenc);
- }
-
- /****************************************************************/
- /* encode_krb5_as_req */
- {
- krb5_kdc_req asreq, *tmp;
-
- ktest_make_sample_kdc_req(&asreq);
- asreq.msg_type = KRB5_AS_REQ;
- asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- leak_test(asreq, encode_krb5_as_req, 
decode_krb5_as_req,
- krb5_free_kdc_req);
-
- ktest_destroy_pa_data_array(&(asreq.padata));
- ktest_destroy_principal(&(asreq.client));
-#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(asreq.server));
-#endif
- asreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- asreq.from = 0;
- asreq.rtime = 0;
- ktest_destroy_addresses(&(asreq.addresses));
- ktest_destroy_enc_data(&(asreq.authorization_data));
- leak_test(asreq, encode_krb5_as_req, decode_krb5_as_req,
- krb5_free_kdc_req);
-
- ktest_destroy_sequence_of_ticket(&(asreq.second_ticket));
-#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(asreq.server));
-#endif
- asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- leak_test(asreq, encode_krb5_as_req, decode_krb5_as_req,
- krb5_free_kdc_req);
- ktest_empty_kdc_req(&asreq);
- }
-
- /****************************************************************/
- /* encode_krb5_tgs_req */
- {
- krb5_kdc_req tgsreq, *tmp;
-
- ktest_make_sample_kdc_req(&tgsreq);
- tgsreq.msg_type = KRB5_TGS_REQ;
- tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- leak_test(tgsreq, encode_krb5_tgs_req, decode_krb5_tgs_req,
- krb5_free_kdc_req);
-
- ktest_destroy_pa_data_array(&(tgsreq.padata));
- ktest_destroy_principal(&(tgsreq.client));
-#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(tgsreq.server));
-#endif
- tgsreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- tgsreq.from = 0;
- tgsreq.rtime = 0;
- ktest_destroy_addresses(&(tgsreq.addresses));
- ktest_destroy_enc_data(&(tgsreq.authorization_data));
- leak_test(tgsreq, encode_krb5_tgs_req, decode_krb5_tgs_req,
- krb5_free_kdc_req);
-
- ktest_destroy_sequence_of_ticket(&(tgsreq.second_ticket));
-#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(tgsreq.server));
-#endif
- tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- leak_test(tgsreq, encode_krb5_tgs_req, decode_krb5_tgs_req,
- krb5_free_kdc_req);
- ktest_empty_kdc_req(&tgsreq);
- }
-
- /****************************************************************/
- /* encode_krb5_kdc_req_body */
- {
- 
krb5_kdc_req kdcrb, *tmp;
-
- memset(&kdcrb, 0, sizeof(kdcrb));
- ktest_make_sample_kdc_req_body(&kdcrb);
- kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- leak_test(kdcrb, encode_krb5_kdc_req_body, decode_krb5_kdc_req_body,
- krb5_free_kdc_req);
-
- ktest_destroy_principal(&(kdcrb.client));
-#ifndef ISODE_SUCKS
- ktest_destroy_principal(&(kdcrb.server));
-#endif
- kdcrb.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY;
- kdcrb.from = 0;
- kdcrb.rtime = 0;
- ktest_destroy_addresses(&(kdcrb.addresses));
- ktest_destroy_enc_data(&(kdcrb.authorization_data));
- leak_test(kdcrb, encode_krb5_kdc_req_body, decode_krb5_kdc_req_body,
- krb5_free_kdc_req);
-
- ktest_destroy_sequence_of_ticket(&(kdcrb.second_ticket));
-#ifndef ISODE_SUCKS
- ktest_make_sample_principal(&(kdcrb.server));
-#endif
- kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY;
- leak_test(kdcrb, encode_krb5_kdc_req_body, decode_krb5_kdc_req_body,
- krb5_free_kdc_req);
- ktest_empty_kdc_req(&kdcrb);
- }
-
- /****************************************************************/
- /* encode_krb5_safe */
- {
- krb5_safe s, *tmp;
-
- ktest_make_sample_safe(&s);
- leak_test(s, encode_krb5_safe, decode_krb5_safe, krb5_free_safe);
-
- s.timestamp = 0;
- /* s.usec should be opted out by the timestamp */
- s.seq_number = 0;
- ktest_destroy_address(&(s.r_address));
- leak_test(s, encode_krb5_safe, decode_krb5_safe, krb5_free_safe);
- ktest_empty_safe(&s);
- }
-
- /****************************************************************/
- /* encode_krb5_priv */
- {
- krb5_priv p, *tmp;
-
- ktest_make_sample_priv(&p);
- leak_test(p, encode_krb5_priv, decode_krb5_priv, krb5_free_priv);
- ktest_empty_priv(&p);
- }
-
- /****************************************************************/
- /* encode_krb5_enc_priv_part */
- {
- krb5_priv_enc_part ep, *tmp;
-
- ktest_make_sample_priv_enc_part(&ep);
- leak_test(ep, encode_krb5_enc_priv_part, decode_krb5_enc_priv_part,
- krb5_free_priv_enc_part);
-
- ep.timestamp = 0;
- /* ep.usec should be opted out 
along with timestamp */
- ep.seq_number = 0;
- ktest_destroy_address(&(ep.r_address));
- leak_test(ep, encode_krb5_enc_priv_part, decode_krb5_enc_priv_part,
- krb5_free_priv_enc_part);
- ktest_empty_priv_enc_part(&ep);
- }
-
- /****************************************************************/
- /* encode_krb5_cred */
- {
- krb5_cred c, *tmp;
-
- ktest_make_sample_cred(&c);
- leak_test(c, encode_krb5_cred, decode_krb5_cred, krb5_free_cred);
- ktest_empty_cred(&c);
- }
-
- /****************************************************************/
- /* encode_krb5_enc_cred_part */
- {
- krb5_cred_enc_part cep, *tmp;
-
- ktest_make_sample_cred_enc_part(&cep);
- leak_test(cep, encode_krb5_enc_cred_part, decode_krb5_enc_cred_part,
- free_cred_enc_part_whole);
-
- ktest_destroy_principal(&(cep.ticket_info[0]->client));
- ktest_destroy_principal(&(cep.ticket_info[0]->server));
- cep.ticket_info[0]->flags = 0;
- cep.ticket_info[0]->times.authtime = 0;
- cep.ticket_info[0]->times.starttime = 0;
- cep.ticket_info[0]->times.endtime = 0;
- cep.ticket_info[0]->times.renew_till = 0;
- ktest_destroy_addresses(&(cep.ticket_info[0]->caddrs));
- cep.nonce = 0;
- cep.timestamp = 0;
- ktest_destroy_address(&(cep.s_address));
- ktest_destroy_address(&(cep.r_address));
- leak_test(cep, encode_krb5_enc_cred_part, decode_krb5_enc_cred_part,
- free_cred_enc_part_whole);
- ktest_empty_cred_enc_part(&cep);
- }
-
- /****************************************************************/
- /* encode_krb5_error */
- {
- krb5_error kerr, *tmp;
-
- ktest_make_sample_error(&kerr);
- leak_test(kerr, encode_krb5_error, decode_krb5_error, krb5_free_error);
-
- kerr.ctime = 0;
- ktest_destroy_principal(&(kerr.client));
- ktest_empty_data(&(kerr.text));
- ktest_empty_data(&(kerr.e_data));
- leak_test(kerr, encode_krb5_error, decode_krb5_error, krb5_free_error);
-
- ktest_empty_error(&kerr);
- }
-
- /****************************************************************/
- /* encode_krb5_authdata */
- {
- krb5_authdata 
**ad, **tmp;
-
- ktest_make_sample_authorization_data(&ad);
- leak_test(*ad, encode_krb5_authdata, decode_krb5_authdata,
- krb5_free_authdata);
- ktest_destroy_authorization_data(&ad);
- }
-
- /****************************************************************/
- /* encode_padata_sequence and encode_typed_data */
- {
- krb5_pa_data **pa, **tmp;
-
- ktest_make_sample_pa_data_array(&pa);
- leak_test(*pa, encode_krb5_padata_sequence,
- decode_krb5_padata_sequence, krb5_free_pa_data);
- leak_test(*pa, encode_krb5_typed_data,
- decode_krb5_typed_data, krb5_free_pa_data);
- ktest_destroy_pa_data_array(&pa);
- }
-
- /****************************************************************/
- /* encode_padata_sequence (empty) */
- {
- krb5_pa_data **pa, **tmp;
-
- ktest_make_sample_empty_pa_data_array(&pa);
- leak_test(*pa, encode_krb5_padata_sequence,
- decode_krb5_padata_sequence, krb5_free_pa_data);
- ktest_destroy_pa_data_array(&pa);
- }
-
- /****************************************************************/
- /* encode_etype_info */
- {
- krb5_etype_info_entry **info, **tmp;
-
- ktest_make_sample_etype_info(&info);
- leak_test(*info, encode_krb5_etype_info, decode_krb5_etype_info,
- krb5_free_etype_info);
-
- ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
- ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
- leak_test(*info, encode_krb5_etype_info, decode_krb5_etype_info,
- krb5_free_etype_info);
-
- ktest_destroy_etype_info_entry(info[0]); info[0] = 0;
- leak_test(*info, encode_krb5_etype_info, decode_krb5_etype_info,
- krb5_free_etype_info);
-
- ktest_destroy_etype_info(info);
- }
-
- /* encode_etype_info 2*/
- {
- krb5_etype_info_entry **info, **tmp;
-
- ktest_make_sample_etype_info2(&info);
- leak_test(*info, encode_krb5_etype_info2, decode_krb5_etype_info2,
- krb5_free_etype_info);
-
- ktest_destroy_etype_info_entry(info[2]); info[2] = 0;
- ktest_destroy_etype_info_entry(info[1]); info[1] = 0;
- leak_test(*info, encode_krb5_etype_info2, decode_krb5_etype_info2,
- 
krb5_free_etype_info);
-
- ktest_destroy_etype_info(info);
- }
-
- /****************************************************************/
- /* encode_pa_enc_ts */
- {
- krb5_pa_enc_ts pa_enc, *tmp;
-
- ktest_make_sample_pa_enc_ts(&pa_enc);
- leak_test(pa_enc, encode_krb5_pa_enc_ts, decode_krb5_pa_enc_ts,
- krb5_free_pa_enc_ts);
- pa_enc.pausec = 0;
- leak_test(pa_enc, encode_krb5_pa_enc_ts, decode_krb5_pa_enc_ts,
- krb5_free_pa_enc_ts);
- }
-
- /****************************************************************/
- /* encode_enc_data */
- {
- krb5_enc_data enc_data, *tmp;
-
- ktest_make_sample_enc_data(&enc_data);
- leak_test(enc_data, encode_krb5_enc_data, decode_krb5_enc_data,
- krb5_free_enc_data);
- ktest_destroy_enc_data(&enc_data);
- }
- /****************************************************************/
- /* encode_krb5_sam_challenge_2 */
- {
- krb5_sam_challenge_2 sam_ch2, *tmp;
-
- ktest_make_sample_sam_challenge_2(&sam_ch2);
- leak_test(sam_ch2, encode_krb5_sam_challenge_2,
- decode_krb5_sam_challenge_2, krb5_free_sam_challenge_2);
- ktest_empty_sam_challenge_2(&sam_ch2);
- }
- /****************************************************************/
- /* encode_krb5_sam_challenge_2 */
- {
- krb5_sam_challenge_2_body body, *tmp;
-
- ktest_make_sample_sam_challenge_2_body(&body);
- leak_test(body, encode_krb5_sam_challenge_2_body,
- decode_krb5_sam_challenge_2_body,
- krb5_free_sam_challenge_2_body);
- ktest_empty_sam_challenge_2_body(&body);
- }
- /****************************************************************/
- /* encode_krb5_sam_response_2 */
- {
- krb5_sam_response_2 sam_ch2, *tmp;
-
- ktest_make_sample_sam_response_2(&sam_ch2);
- leak_test(sam_ch2, encode_krb5_sam_response_2,
- decode_krb5_sam_response_2, krb5_free_sam_response_2);
- ktest_empty_sam_response_2(&sam_ch2);
- }
- /****************************************************************/
- /* encode_krb5_sam_response_enc_2 */
- {
- krb5_enc_sam_response_enc_2 sam_ch2, *tmp;
-
- 
ktest_make_sample_enc_sam_response_enc_2(&sam_ch2);
- leak_test(sam_ch2, encode_krb5_enc_sam_response_enc_2,
- decode_krb5_enc_sam_response_enc_2,
- krb5_free_enc_sam_response_enc_2);
- ktest_empty_enc_sam_response_enc_2(&sam_ch2);
- }
- /****************************************************************/
- /* encode_krb5_pa_for_user */
- {
- krb5_pa_for_user foru, *tmp;
- ktest_make_sample_pa_for_user(&foru);
- leak_test(foru, encode_krb5_pa_for_user, decode_krb5_pa_for_user,
- krb5_free_pa_for_user);
- ktest_empty_pa_for_user(&foru);
- }
- /****************************************************************/
- /* encode_krb5_pa_s4u_x509_user */
- {
- krb5_pa_s4u_x509_user s4u, *tmp;
- ktest_make_sample_pa_s4u_x509_user(&s4u);
- leak_test(s4u, encode_krb5_pa_s4u_x509_user,
- decode_krb5_pa_s4u_x509_user,
- krb5_free_pa_s4u_x509_user);
- ktest_empty_pa_s4u_x509_user(&s4u);
- }
- /****************************************************************/
- /* encode_krb5_ad_kdcissued */
- {
- krb5_ad_kdcissued kdci, *tmp;
- ktest_make_sample_ad_kdcissued(&kdci);
- leak_test(kdci, encode_krb5_ad_kdcissued,
- decode_krb5_ad_kdcissued,
- krb5_free_ad_kdcissued);
- ktest_empty_ad_kdcissued(&kdci);
- }
- /****************************************************************/
- /* encode_krb5_iakerb_header */
- {
- krb5_iakerb_header ih, *tmp;
- ktest_make_sample_iakerb_header(&ih);
- leak_test(ih, encode_krb5_iakerb_header,
- decode_krb5_iakerb_header,
- krb5_free_iakerb_header);
- ktest_empty_iakerb_header(&ih);
- }
- /****************************************************************/
- /* encode_krb5_iakerb_finished */
- {
- krb5_iakerb_finished ih, *tmp;
- ktest_make_sample_iakerb_finished(&ih);
- leak_test(ih, encode_krb5_iakerb_finished,
- decode_krb5_iakerb_finished,
- krb5_free_iakerb_finished);
- ktest_empty_iakerb_finished(&ih);
- }
- /****************************************************************/
- /* encode_krb5_fast_response */
- {
- krb5_fast_response fr, *tmp;
- 
ktest_make_sample_fast_response(&fr);
- leak_test(fr, encode_krb5_fast_response, decode_krb5_fast_response,
- krb5_free_fast_response);
- ktest_empty_fast_response(&fr);
- }
- /****************************************************************/
- /* encode_krb5_pa_fx_fast_reply */
- {
- krb5_enc_data enc, *tmp;
- ktest_make_sample_enc_data(&enc);
- leak_test(enc, encode_krb5_pa_fx_fast_reply,
- decode_krb5_pa_fx_fast_reply, krb5_free_enc_data);
- ktest_destroy_enc_data(&enc);
- }
- krb5_free_context(test_context);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/asn.1/krb5_decode_test.c b/crypto/krb5/src/tests/asn.1/krb5_decode_test.c
deleted file mode 100644
index 25ed30e42259..000000000000
--- a/crypto/krb5/src/tests/asn.1/krb5_decode_test.c
+++ /dev/null 
@@ -1,1315 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/krb5_decode_test.c */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include "k5-int.h" -#include "k5-spake.h" -#include "ktest.h" -#include "com_err.h" -#include "utility.h" -#include "ktest_equal.h" - -#include "debug.h" -#include <string.h> - -krb5_context test_context; -int error_count = 0; - -void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val); - -#ifndef DISABLE_PKINIT -static int equal_principal(krb5_principal *ref, krb5_principal var); -static void ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val); -static void ktest_free_kdc_dh_key_info(krb5_context context, - krb5_kdc_dh_key_info *val); -static void ktest_free_pa_pk_as_req(krb5_context context, - krb5_pa_pk_as_req *val); -static void ktest_free_pa_pk_as_rep(krb5_context context, - krb5_pa_pk_as_rep *val); -static void ktest_free_reply_key_pack(krb5_context context, - krb5_reply_key_pack *val); -#endif -#ifdef ENABLE_LDAP -static void ktest_free_ldap_seqof_key_data(krb5_context context, - ldap_seqof_key_data *val); -#endif -static void ktest_free_kkdcp_message(krb5_context context, - krb5_kkdcp_message *val); - -int -main(int argc, char **argv) -{ - krb5_data code; - krb5_error_code retval; - - retval = krb5_init_context(&test_context); - if (retval) { - com_err(argv[0], retval, "while initializing krb5"); - exit(1); - } - init_access(argv[0]); - - -#define setup(type,constructor) \ - type ref, *var; \ - constructor(&ref); \ - do {} while (0) - -#define decode_run(typestring,description,encoding,decoder,comparator,cleanup) do { \ - retval = krb5_data_hex_parse(&code,encoding); \ - if (retval) { \ - com_err("krb5_decode_test", retval, "while parsing %s", typestring); \ - exit(1); \ - } \ - retval = decoder(&code,&var); \ - if (retval) { \ - com_err("krb5_decode_test", retval, "while decoding %s", typestring); \ - error_count++; \ - } \ - test(comparator(&ref,var),typestring); \ - printf("%s\n",description); \ - krb5_free_data_contents(test_context, &code); \ - cleanup(test_context, var); \ -} while (0) - -#define 
decode_fail(err,typestring,description,encoding,decoder) do { \ - retval = krb5_data_hex_parse(&code,encoding); \ - if (retval) { \ - com_err("krb5_decode_test", retval, "while parsing %s", typestring); \ - exit(1); \ - } \ - retval = decoder(&code,&var); \ - if (retval != (err)) { \ - com_err("krb5_decode_test", retval, "while decoding %s", typestring); \ - error_count++; \ - } \ - test(1,typestring); \ - printf("%s\n",description); \ - krb5_free_data_contents(test_context, &code); \ -} while (0) - - /****************************************************************/ - /* decode_krb5_authenticator */ - { - setup(krb5_authenticator,ktest_make_sample_authenticator); - - decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ref.seq_number = 0xffffff80; - decode_run("authenticator","(80 -> seq-number 0xffffff80)", - "62 81 A1 30 81 9E" - " A0 03 02 01 05" - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55" - " A2 1A 30 18" - " A0 03 02 01 01" - " A1 11 30 0F" - " 1B 06 68 66 74 73 61 69" - " 1B 05 65 78 74 72 61" - " A3 0F 30 0D" - " A0 03 02 01 01" - " A1 06 04 04 31 32 33 34" - " A4 05 02 03 01 E2 40" - " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A" - " A6 13 30 11" - " A0 03 02 01 01" - " A1 0A 04 08 31 32 33 34 35 36 37 38" - " A7 03 02 01 80" - " A8 24 30 22" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - 
,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ref.seq_number = 0xffffffff; - decode_run("authenticator","(FF -> seq-number 0xffffffff)", - "62 81 A1 30 81 9E" - " A0 03 02 01 05" - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55" - " A2 1A 30 18" - " A0 03 02 01 01" - " A1 11 30 0F" - " 1B 06 68 66 74 73 61 69" - " 1B 05 65 78 74 72 61" - " A3 0F 30 0D" - " A0 03 02 01 01" - " A1 06 04 04 31 32 33 34" - " A4 05 02 03 01 E2 40" - " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A" - " A6 13 30 11" - " A0 03 02 01 01" - " A1 0A 04 08 31 32 33 34 35 36 37 38" - " A7 03 02 01 FF" - " A8 24 30 22" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ref.seq_number = 0xff; - decode_run("authenticator","(00FF -> seq-number 0xff)", - "62 81 A2 30 81 9F" - " A0 03 02 01 05" - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55" - " A2 1A 30 18" - " A0 03 02 01 01" - " A1 11 30 0F" - " 1B 06 68 66 74 73 61 69" - " 1B 05 65 78 74 72 61" - " A3 0F 30 0D" - " A0 03 02 01 01" - " A1 06 04 04 31 32 33 34" - " A4 05 02 03 01 E2 40" - " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A" - " A6 13 30 11" - " A0 03 02 01 01" - " A1 0A 04 08 31 32 33 34 35 36 37 38" - " A7 04 02 02 00 FF" - " A8 24 30 22" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ref.seq_number = 0xffffffff; - decode_run("authenticator","(00FFFFFFFF -> seq-number 0xffffffff)", - "62 81 A5 30 81 A2" - " A0 03 02 01 05" - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55" - " A2 1A 30 18" - " A0 03 02 01 01" - " A1 11 30 0F" - " 1B 06 68 66 74 73 61 69" - " 1B 05 65 78 74 72 61" - " A3 0F 30 0D" - " A0 03 02 01 01" - " 
A1 06 04 04 31 32 33 34" - " A4 05 02 03 01 E2 40" - " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A" - " A6 13 30 11" - " A0 03 02 01 01" - " A1 0A 04 08 31 32 33 34 35 36 37 38" - " A7 07 02 05 00 FF FF FF FF" - " A8 24 30 22" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ref.seq_number = 0x7fffffff; - decode_run("authenticator","(7FFFFFFF -> seq-number 0x7fffffff)", - "62 81 A4 30 81 A1" - " A0 03 02 01 05" - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55" - " A2 1A 30 18" - " A0 03 02 01 01" - " A1 11 30 0F" - " 1B 06 68 66 74 73 61 69" - " 1B 05 65 78 74 72 61" - " A3 0F 30 0D" - " A0 03 02 01 01" - " A1 06 04 04 31 32 33 34" - " A4 05 02 03 01 E2 40" - " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A" - " A6 13 30 11" - " A0 03 02 01 01" - " A1 0A 04 08 31 32 33 34 35 36 37 38" - " A7 06 02 04 7F FF FF FF" - " A8 24 30 22" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - ,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ref.seq_number = 0xffffffff; - decode_run("authenticator","(FFFFFFFF -> seq-number 0xffffffff)", - "62 81 A4 30 81 A1" - " A0 03 02 01 05" - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55" - " A2 1A 30 18" - " A0 03 02 01 01" - " A1 11 30 0F" - " 1B 06 68 66 74 73 61 69" - " 1B 05 65 78 74 72 61" - " A3 0F 30 0D" - " A0 03 02 01 01" - " A1 06 04 04 31 32 33 34" - " A4 05 02 03 01 E2 40" - " A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A" - " A6 13 30 11" - " A0 03 02 01 01" - " A1 0A 04 08 31 32 33 34 35 36 37 38" - " A7 06 02 04 FF FF FF FF" - " A8 24 30 22" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - " 30 0F" - " A0 03 02 01 01" - " A1 08 04 06 66 6F 6F 62 61 72" - 
,decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ktest_destroy_checksum(&(ref.checksum)); - ktest_destroy_keyblock(&(ref.subkey)); - ref.seq_number = 0; - ktest_empty_authorization_data(ref.authorization_data); - decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ktest_destroy_authorization_data(&(ref.authorization_data)); - - decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - - ktest_empty_authenticator(&ref); - } - - /****************************************************************/ - /* decode_krb5_ticket */ - { - setup(krb5_ticket,ktest_make_sample_ticket); - decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket); - decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 
01",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket); - -/* - "61 80 30 80 " - " A0 03 02 01 05 " - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 " - " A2 80 30 80 " - " A0 03 02 01 01 " - " A1 80 30 80 " - " 1B 06 68 66 74 73 61 69 " - " 1B 05 65 78 74 72 61 " - " 00 00 00 00 " - " 00 00 00 00 " - " A3 80 30 80 " - " A0 03 02 01 00 " - " A1 03 02 01 05 " - " A2 17 04 15 6B 72 62 41 53 4E 2E 31 " - " 20 74 65 73 74 20 6D 65 73 73 61 67 65 " - " 00 00 00 00" - "00 00 00 00" -*/ - decode_fail(ASN1_INDEF,"ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket); -/* - "61 80 30 80 " - " A0 03 02 01 05 " - " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 " - " A2 80 30 80 " - " A0 03 02 01 01 " - " A1 80 30 80 " - " 1B 06 68 66 74 73 61 69 " - " 1B 05 65 78 74 72 61 " - " 00 00 00 00 " - " 00 00 00 00 " - " A3 80 30 80 " - " A0 03 02 01 00 " - " A1 03 02 01 05 " - " A2 17 04 15 6B 72 62 41 53 4E 2E 31 " - " 20 74 65 73 74 20 6D 65 73 73 61 67 65 " - " 00 00 00 00" - " A4 03 02 01 01 " - "00 00 00 00" -*/ - decode_fail(ASN1_INDEF,"ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket); - - ktest_empty_ticket(&ref); - - } - - /****************************************************************/ - /* decode_krb5_encryption_key */ - { - 
setup(krb5_keyblock,ktest_make_sample_keyblock); - - decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - - decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - decode_fail(ASN1_INDEF,"encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key); - decode_fail(ASN1_INDEF,"encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key); - decode_fail(ASN1_INDEF,"encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key); - decode_fail(ASN1_INDEF,"encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key); - ref.enctype = -1; - decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - ref.enctype = -255; - decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - ref.enctype = 255; - decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 
35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - ref.enctype = -2147483648U; - decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - ref.enctype = 2147483647; - decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); - - ktest_empty_keyblock(&ref); - } - - /****************************************************************/ - /* decode_krb5_enc_tkt_part */ - { - setup(krb5_enc_tkt_part,ktest_make_sample_enc_tkt_part); - decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - - ref.times.starttime = 0; - ref.times.renew_till = 0; - ktest_destroy_address(&(ref.caddrs[1])); - ktest_destroy_address(&(ref.caddrs[0])); - ktest_destroy_authdata(&(ref.authorization_data[1])); - ktest_destroy_authdata(&(ref.authorization_data[0])); - /* ISODE version fails on the empty caddrs field 
*/ - ktest_destroy_addresses(&(ref.caddrs)); - ktest_destroy_authorization_data(&(ref.authorization_data)); - - decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part, krb5_free_enc_tkt_part); - - decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - - decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 
5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - - decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - - ref.flags &= 0xFFFFFF00; - - decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - - ktest_empty_enc_tkt_part(&ref); - } - - /****************************************************************/ - /* decode_krb5_enc_kdc_rep_part */ - { - setup(krb5_enc_kdc_rep_part,ktest_make_sample_enc_kdc_rep_part); - - decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 
33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part); - - ref.key_exp = 0; - /* ref.times.starttime = 0;*/ - ref.times.starttime = ref.times.authtime; - ref.times.renew_till = 0; - ref.flags &= ~TKT_FLG_RENEWABLE; - ktest_destroy_addresses(&(ref.caddrs)); - - decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part); - - ktest_empty_enc_kdc_rep_part(&ref); - } - - /****************************************************************/ - /* decode_krb5_as_rep */ - { - setup(krb5_kdc_rep,ktest_make_sample_kdc_rep); - ref.msg_type = KRB5_AS_REP; - - decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 
06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep); - -/* - 6B 80 30 80 - A0 03 02 01 05 - A1 03 02 01 0B - A2 80 30 80 - 30 80 - A1 03 02 01 0D - A2 09 04 07 70 61 2D 64 61 74 61 - 00 00 - 30 80 - A1 03 02 01 0D - A2 09 04 07 70 61 2D 64 61 74 61 - 00 00 - 00 00 00 00 - A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 - A4 80 30 80 - A0 03 02 01 01 - A1 80 30 80 - 1B 06 68 66 74 73 61 69 - 1B 05 65 78 74 72 61 - 00 00 00 00 - 00 00 00 00 - A5 80 61 80 30 80 - A0 03 02 01 05 - A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 - A2 80 30 80 - A0 03 02 01 01 - A1 80 30 80 - 1B 06 68 66 74 73 61 69 - 1B 05 65 78 74 72 61 - 00 00 00 00 - 00 00 00 00 - A3 80 30 80 - A0 03 02 01 00 - A1 03 02 01 05 - A2 17 04 15 6B 72 62 41 53 4E 2E 31 - 20 74 65 73 74 20 6D 65 - 73 73 61 67 65 - 00 00 00 00 - 00 00 00 00 00 00 - A6 80 30 80 - A0 03 02 01 00 - A1 03 02 01 05 - A2 17 04 15 6B 72 62 41 53 4E 2E 31 - 20 74 65 73 74 20 6D 65 - 73 73 61 67 65 - 00 00 00 00 - 00 00 00 00 -*/ - decode_fail(ASN1_INDEF,"as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 
05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep); - ktest_destroy_pa_data_array(&(ref.padata)); - decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep); - - ktest_empty_kdc_rep(&ref); - } - - /****************************************************************/ - /* decode_krb5_tgs_rep */ - { - setup(krb5_kdc_rep,ktest_make_sample_kdc_rep); - ref.msg_type = KRB5_TGS_REP; - - decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 
4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep); - - ktest_destroy_pa_data_array(&(ref.padata)); - decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep); - - ktest_empty_kdc_rep(&ref); - } - - /****************************************************************/ - /* decode_krb5_ap_req */ - { - setup(krb5_ap_req,ktest_make_sample_ap_req); - decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req,krb5_free_ap_req); - ktest_empty_ap_req(&ref); - - } - - /****************************************************************/ - /* decode_krb5_ap_rep */ - { - setup(krb5_ap_rep,ktest_make_sample_ap_rep); - decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 
65",decode_krb5_ap_rep,ktest_equal_ap_rep,krb5_free_ap_rep); - ktest_empty_ap_rep(&ref); - } - - /****************************************************************/ - /* decode_krb5_ap_rep_enc_part */ - { - setup(krb5_ap_rep_enc_part,ktest_make_sample_ap_rep_enc_part); - - decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); - - ktest_destroy_keyblock(&(ref.subkey)); - ref.seq_number = 0; - decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); - - retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); - if (retval) { - com_err("krb5_decode_test", retval, "while parsing"); - exit(1); - } - retval = decode_krb5_ap_rep_enc_part(&code, &var); - if (retval != ASN1_OVERRUN) { - printf("ERROR: "); - error_count++; - } else { - printf("OK: "); - } - printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); - krb5_free_data_contents(test_context, &code); - krb5_free_ap_rep_enc_part(test_context, var); - - ktest_empty_ap_rep_enc_part(&ref); - } - - /****************************************************************/ - /* decode_krb5_as_req */ - { - setup(krb5_kdc_req,ktest_make_sample_kdc_req); - ref.msg_type = KRB5_AS_REQ; - - ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 
68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req); - - ktest_destroy_pa_data_array(&(ref.padata)); - ktest_destroy_principal(&(ref.client)); -#ifndef ISODE_SUCKS - ktest_destroy_principal(&(ref.server)); -#endif - ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY; - ref.from = 0; - ref.rtime = 0; - ktest_destroy_addresses(&(ref.addresses)); - ktest_destroy_enc_data(&(ref.authorization_data)); - decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 
2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req); - ktest_destroy_sequence_of_ticket(&(ref.second_ticket)); -#ifndef ISODE_SUCKS - ktest_make_sample_principal(&(ref.server)); -#endif - ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req); - - ktest_empty_kdc_req(&ref); - - } - - - /****************************************************************/ - /* decode_krb5_tgs_req */ - { - setup(krb5_kdc_req,ktest_make_sample_kdc_req); - ref.msg_type = KRB5_TGS_REQ; - - ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 
36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req); - - ktest_destroy_pa_data_array(&(ref.padata)); - ktest_destroy_principal(&(ref.client)); -#ifndef ISODE_SUCKS - ktest_destroy_principal(&(ref.server)); -#endif - ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY; - ref.from = 0; - ref.rtime = 0; - ktest_destroy_addresses(&(ref.addresses)); - ktest_destroy_enc_data(&(ref.authorization_data)); - decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 
48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req); - - ktest_destroy_sequence_of_ticket(&(ref.second_ticket)); -#ifndef ISODE_SUCKS - ktest_make_sample_principal(&(ref.server)); -#endif - ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req); - - ktest_empty_kdc_req(&ref); - } - - /****************************************************************/ - /* decode_krb5_kdc_req_body */ - { - krb5_kdc_req ref, *var; - memset(&ref, 0, sizeof(krb5_kdc_req)); - ktest_make_sample_kdc_req_body(&ref); - ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 
0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); - - ktest_destroy_principal(&(ref.client)); -#ifndef ISODE_SUCKS - ktest_destroy_principal(&(ref.server)); -#endif - ref.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY; - ref.from = 0; - ref.rtime = 0; - ktest_destroy_addresses(&(ref.addresses)); - ktest_destroy_enc_data(&(ref.authorization_data)); - decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); - - ktest_destroy_sequence_of_ticket(&(ref.second_ticket)); -#ifndef ISODE_SUCKS - ktest_make_sample_principal(&(ref.server)); -#endif - ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - 
decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); - ref.nktypes = 0; - free(ref.ktype); - ref.ktype = NULL; - decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); - - ktest_empty_kdc_req(&ref); - } - - - /****************************************************************/ - /* decode_krb5_safe */ - { - setup(krb5_safe,ktest_make_sample_safe); - decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe); - - ref.timestamp = 0; - ref.usec = 0; - ref.seq_number = 0; - ktest_destroy_address(&(ref.r_address)); - decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe); - - ktest_empty_safe(&ref); - } - - /****************************************************************/ - /* decode_krb5_priv */ - { - 
setup(krb5_priv,ktest_make_sample_priv); - decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv,krb5_free_priv); - ktest_empty_priv(&ref); - } - - /****************************************************************/ - /* decode_krb5_enc_priv_part */ - { - setup(krb5_priv_enc_part,ktest_make_sample_priv_enc_part); - decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part); - - ref.timestamp = 0; - ref.usec = 0; - ref.seq_number = 0; - ktest_destroy_address(&(ref.r_address)); - decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part); - ktest_empty_priv_enc_part(&ref); - } - - /****************************************************************/ - /* decode_krb5_cred */ - { - setup(krb5_cred,ktest_make_sample_cred); - decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 
A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred,krb5_free_cred); - ktest_empty_cred(&ref); - } - - /****************************************************************/ - /* decode_krb5_enc_cred_part */ - { - setup(krb5_cred_enc_part,ktest_make_sample_cred_enc_part); - decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 
00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part); - /* free_cred_enc_part does not free the pointer */ - free(var); - ktest_destroy_principal(&(ref.ticket_info[0]->client)); - ktest_destroy_principal(&(ref.ticket_info[0]->server)); - ref.ticket_info[0]->flags = 0; - ref.ticket_info[0]->times.authtime = 0; - ref.ticket_info[0]->times.starttime = 0; - ref.ticket_info[0]->times.endtime = 0; - ref.ticket_info[0]->times.renew_till = 0; - ktest_destroy_addresses(&(ref.ticket_info[0]->caddrs)); - ref.nonce = 0; - ref.timestamp = 0; - ref.usec = 0; - ktest_destroy_address(&(ref.s_address)); - ktest_destroy_address(&(ref.r_address)); - decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part); - /* free_cred_enc_part does not free the pointer */ - free(var); - - ktest_empty_cred_enc_part(&ref); - } - - /****************************************************************/ - /* decode_krb5_error */ - { - setup(krb5_error,ktest_make_sample_error); - decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 
11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error,krb5_free_error); - - ref.ctime = 0; - ktest_destroy_principal(&(ref.client)); - ktest_empty_data(&(ref.text)); - ktest_empty_data(&(ref.e_data)); - decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error,krb5_free_error); - - ktest_empty_error(&ref); - } - - /****************************************************************/ - /* decode_krb5_authdata and krb5int_get_authdata_containee_types */ - { - krb5_authdata **ref, **var, tmp; - unsigned int count; - krb5_authdatatype *types = NULL; - ktest_make_sample_authorization_data(&ref); - retval = krb5_data_hex_parse(&code,"30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72"); - if (retval) { - com_err("parsing authorization_data",retval,""); - exit(1); - } - retval = decode_krb5_authdata(&code,&var); - if (retval) com_err("decoding authorization_data",retval,""); - test(ktest_equal_authorization_data(ref,var),"authorization_data\n"); - tmp.length = code.length; - tmp.contents = (krb5_octet *)code.data; - retval = krb5int_get_authdata_containee_types(test_context, &tmp, - &count, &types); - if (retval) 
com_err("reading authdata types",retval,"");
- test(count == 2 && types[0] == 1 && types[1] == 1,
- "authorization_data(types only)\n");
- free(types);
- krb5_free_data_contents(test_context, &code);
- krb5_free_authdata(test_context, var);
- ktest_destroy_authorization_data(&ref);
- }
-
- /****************************************************************/
- /* decode_krb5_padata_sequence and decode_krb5_typed_data */
- {
- krb5_pa_data **ref, **var;
- ktest_make_sample_pa_data_array(&ref);
- retval = krb5_data_hex_parse(&code,"30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61");
- if (retval) {
- com_err("parsing padata_sequence",retval,"");
- exit(1);
- }
- retval = decode_krb5_padata_sequence(&code,&var);
- if (retval) com_err("decoding padata_sequence",retval,"");
- test(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n");
- krb5_free_pa_data(test_context, var);
- krb5_free_data_contents(test_context, &code);
- retval = krb5_data_hex_parse(&code,"30 24 30 10 A0 03 02 01 0D A1 09 04 07 70 61 2D 64 61 74 61 30 10 A0 03 02 01 0D A1 09 04 07 70 61 2D 64 61 74 61");
- if (retval) {
- com_err("parsing padata_sequence",retval,"");
- exit(1);
- }
- retval = decode_krb5_typed_data(&code,&var);
- if (retval) com_err("decoding typed_data",retval,"");
- test(ktest_equal_sequence_of_pa_data(ref,var),"typed_data\n");
- krb5_free_pa_data(test_context, var);
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_pa_data_array(&ref);
- }
-
- /****************************************************************/
- /* decode_krb5_padata_sequence (empty) */
- {
- krb5_pa_data **ref, **var;
- ktest_make_sample_empty_pa_data_array(&ref);
- retval = krb5_data_hex_parse(&code,"30 00");
- if (retval) {
- com_err("parsing padata_sequence (empty)",retval,"");
- exit(1);
- }
- retval = decode_krb5_padata_sequence(&code,&var);
- if (retval) com_err("decoding padata_sequence (empty)",retval,"");
- test(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n");
- krb5_free_pa_data(test_context, var);
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_pa_data_array(&ref);
- }
-
- /****************************************************************/
- /* decode_etype_info */
- {
- krb5_etype_info ref, var;
-
- ktest_make_sample_etype_info(&ref);
- retval = krb5_data_hex_parse(&code,"30 33 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32");
- if (retval) {
- com_err("krb5_decode_test", retval, "while parsing etype_info");
- exit(1);
- }
- retval = decode_krb5_etype_info(&code,&var);
- if (retval) {
- com_err("krb5_decode_test", retval, "while decoding etype_info");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info\n");
-
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info_entry(ref[2]); ref[2] = 0;
- ktest_destroy_etype_info_entry(ref[1]); ref[1] = 0;
- krb5_free_data_contents(test_context, &code);
-
- retval = krb5_data_hex_parse(&code,"30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30");
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while parsing etype_info (only one)");
- exit(1);
- }
- retval = decode_krb5_etype_info(&code,&var);
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while decoding etype_info (only one)");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info (only one)\n");
-
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info_entry(ref[0]); ref[0] = 0;
- krb5_free_data_contents(test_context, &code);
-
- retval = krb5_data_hex_parse(&code,"30 00");
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while parsing etype_info (no info)");
- exit(1);
- }
- retval = decode_krb5_etype_info(&code,&var);
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while decoding etype_info (no info)");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info (no info)\n");
-
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info(ref);
- }
-
- /****************************************************************/
- /* decode_etype_info2 */
- {
- krb5_etype_info ref, var;
-
- ktest_make_sample_etype_info2(&ref);
- retval = krb5_data_hex_parse(&code,"30 51 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 30 0F A0 03 02 01 01 A2 08 04 06 73 32 6B 3A 20 31 30 1E A0 03 02 01 02 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 A2 08 04 06 73 32 6B 3A 20 32");
- if (retval) {
- com_err("krb5_decode_test", retval, "while parsing etype_info2");
- exit(1);
- }
- retval = decode_krb5_etype_info2(&code,&var);
- if (retval) {
- com_err("krb5_decode_test", retval, "while decoding etype_info2");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info2\n");
-
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info_entry(ref[2]); ref[2] = 0;
- ktest_destroy_etype_info_entry(ref[1]); ref[1] = 0;
- krb5_free_data_contents(test_context, &code);
-
- retval = krb5_data_hex_parse(&code,"30 20 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30");
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while parsing etype_info2 (only one)");
- exit(1);
- }
- retval = decode_krb5_etype_info2(&code,&var);
- if (retval) {
- com_err("krb5_decode_test", retval,
- "while decoding etype_info2 (only one)");
- }
- test(ktest_equal_etype_info(ref,var),"etype_info2 (only one)\n");
-
- krb5_free_data_contents(test_context, &code);
- ktest_destroy_etype_info(var);
- ktest_destroy_etype_info(ref);
- }
-
- /****************************************************************/
- /* decode_pa_enc_ts */
- {
- setup(krb5_pa_enc_ts,ktest_make_sample_pa_enc_ts);
- decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
- 
ref.pausec = 0;
- decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts);
- }
-
- /****************************************************************/
- /* decode_enc_data */
- {
- setup(krb5_enc_data,ktest_make_sample_enc_data);
- decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data);
- ref.kvno = 0xFF000000;
- decode_run("enc_data","(MSB-set kvno)","30 26 A0 03 02 01 00 A1 06 02 04 FF 00 00 00 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data);
- ref.kvno = 0xFFFFFFFF;
- decode_run("enc_data","(kvno=-1)","30 23 A0 03 02 01 00 A1 03 02 01 FF A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data);
- ktest_destroy_enc_data(&ref);
- }
-
- /****************************************************************/
- /* decode_sam_challenge_2 */
- {
- setup(krb5_sam_challenge_2,ktest_make_sample_sam_challenge_2);
- decode_run("sam_challenge_2","","30 22 A0 0D 30 0B 04 09 63 68 61 6C 6C 65 6E 67 65 A1 11 30 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge_2,ktest_equal_sam_challenge_2,krb5_free_sam_challenge_2);
- ktest_empty_sam_challenge_2(&ref);
-
- }
-
- /****************************************************************/
- /* decode_sam_challenge_2_body */
- {
- setup(krb5_sam_challenge_2_body,ktest_make_sample_sam_challenge_2_body);
- decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body);
- ktest_empty_sam_challenge_2_body(&ref);
-
- }
-
- /****************************************************************/
- /* decode_pa_for_user */
- {
- setup(krb5_pa_for_user,ktest_make_sample_pa_for_user);
- decode_run("pa_for_user","","30 4B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 0A 1B 08 6B 72 62 35 64 61 74 61",decode_krb5_pa_for_user,ktest_equal_pa_for_user,krb5_free_pa_for_user);
- ktest_empty_pa_for_user(&ref);
- }
-
- /****************************************************************/
- /* decode_pa_s4u_x509_user */
- {
- setup(krb5_pa_s4u_x509_user,ktest_make_sample_pa_s4u_x509_user);
- decode_run("pa_s4u_x509_user","","30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_pa_s4u_x509_user,ktest_equal_pa_s4u_x509_user,krb5_free_pa_s4u_x509_user);
- ktest_empty_pa_s4u_x509_user(&ref);
- }
-
- /****************************************************************/
- /* decode_pa_pac_req */
- {
- /* This type has no encoder and is very simple. Test two
- * hand-generated encodings. */
- krb5_pa_pac_req *req1 = NULL, *req2 = NULL;
- code = make_data("\x30\x05\xA0\x03\x01\x01\x00", 7);
- retval = decode_krb5_pa_pac_req(&code, &req1);
- if (retval) {
- com_err(argv[0], retval, "while decoding PA-PAC-REQ");
- exit(1);
- }
- code = make_data("\x30\x05\xA0\x03\x01\x01\xFF", 7);
- retval = decode_krb5_pa_pac_req(&code, &req2);
- if (retval) {
- com_err(argv[0], retval, "while decoding PA-PAC-REQ");
- exit(1);
- }
- if (req1->include_pac != 0 || req2->include_pac != 1) {
- printf("ERROR: ");
- error_count++;
- } else {
- printf("OK: ");
- }
- printf("pa_pac_rec\n");
- free(req1);
- free(req2);
- }
-
- /****************************************************************/
- /* decode_ad_kdcissued */
- {
- setup(krb5_ad_kdcissued,ktest_make_sample_ad_kdcissued);
- decode_run("ad_kdcissued","","30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_ad_kdcissued,ktest_equal_ad_kdcissued,krb5_free_ad_kdcissued);
- ktest_empty_ad_kdcissued(&ref);
- }
-
- /****************************************************************/
- /* decode_iakerb_header */
- {
- setup(krb5_iakerb_header,ktest_make_sample_iakerb_header);
- decode_run("iakerb_header","","30 18 A1 0A 0C 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_iakerb_header,ktest_equal_iakerb_header,krb5_free_iakerb_header);
- ktest_empty_iakerb_header(&ref);
- }
-
- /****************************************************************/
- /* decode_iakerb_finished */
- {
- setup(krb5_iakerb_finished,ktest_make_sample_iakerb_finished);
- decode_run("iakerb_finished","","30 11 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_iakerb_finished,ktest_equal_iakerb_finished,krb5_free_iakerb_finished);
- 
ktest_empty_iakerb_finished(&ref); - } - - /****************************************************************/ - /* decode_fast_response */ - { - setup(krb5_fast_response,ktest_make_sample_fast_response); - decode_run("fast_response","","30 81 9F A0 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 5B 30 59 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 03 02 01 2A",decode_krb5_fast_response,ktest_equal_fast_response,krb5_free_fast_response); - ktest_empty_fast_response(&ref); - } - - /****************************************************************/ - /* decode_pa_fx_fast_reply */ - { - setup(krb5_enc_data,ktest_make_sample_enc_data); - decode_run("pa_fx_fast_reply","","A0 29 30 27 A0 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_pa_fx_fast_reply,ktest_equal_enc_data,krb5_free_enc_data); - ktest_destroy_enc_data(&ref); - } - - /****************************************************************/ - /* decode_krb5_otp_tokeninfo */ - { - setup(krb5_otp_tokeninfo,ktest_make_minimal_otp_tokeninfo); - decode_run("otp_tokeninfo","(optionals NULL)","30 07 80 05 00 00 00 00 00",decode_krb5_otp_tokeninfo,ktest_equal_otp_tokeninfo,k5_free_otp_tokeninfo); - ktest_empty_otp_tokeninfo(&ref); - } - { - setup(krb5_otp_tokeninfo,ktest_make_maximal_otp_tokeninfo); - decode_run("otp_tokeninfo","","30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 
A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8",decode_krb5_otp_tokeninfo,ktest_equal_otp_tokeninfo,k5_free_otp_tokeninfo); - ktest_empty_otp_tokeninfo(&ref); - } - - /****************************************************************/ - /* decode_krb5_pa_otp_challenge */ - { - setup(krb5_pa_otp_challenge,ktest_make_minimal_pa_otp_challenge); - decode_run("pa_otp_challenge","(optionals NULL)","30 15 80 08 6D 69 6E 6E 6F 6E 63 65 A2 09 30 07 80 05 00 00 00 00 00",decode_krb5_pa_otp_challenge,ktest_equal_pa_otp_challenge,k5_free_pa_otp_challenge); - ktest_empty_pa_otp_challenge(&ref); - } - { - setup(krb5_pa_otp_challenge,ktest_make_maximal_pa_otp_challenge); - decode_run("pa_otp_challenge","","30 81 A5 80 08 6D 61 78 6E 6F 6E 63 65 81 0B 74 65 73 74 73 65 72 76 69 63 65 A2 7D 30 07 80 05 00 00 00 00 00 30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8 83 07 6B 65 79 73 61 6C 74 84 04 31 32 33 34",decode_krb5_pa_otp_challenge,ktest_equal_pa_otp_challenge,k5_free_pa_otp_challenge); - ktest_empty_pa_otp_challenge(&ref); - } - - /****************************************************************/ - /* decode_krb5_pa_otp_req */ - { - setup(krb5_pa_otp_req,ktest_make_minimal_pa_otp_req); - decode_run("pa_otp_req","(optionals NULL)","30 2C 80 05 00 00 00 00 00 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_pa_otp_req,ktest_equal_pa_otp_req,k5_free_pa_otp_req); - ktest_empty_pa_otp_req(&ref); - } - { - setup(krb5_pa_otp_req,ktest_make_maximal_pa_otp_req); - decode_run("pa_otp_req","","30 81 B9 80 05 00 60 00 00 00 81 05 6E 6F 6E 63 65 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 
17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 0B 06 09 60 86 48 01 65 03 04 02 01 84 02 03 E8 85 05 66 72 6F 67 73 86 0A 6D 79 66 69 72 73 74 70 69 6E 87 05 68 61 72 6B 21 88 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 89 03 33 34 36 8A 01 02 8B 09 79 6F 75 72 74 6F 6B 65 6E 8C 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 8D 0B 45 78 61 6D 70 6C 65 63 6F 72 70",decode_krb5_pa_otp_req,ktest_equal_pa_otp_req,k5_free_pa_otp_req); - ktest_empty_pa_otp_req(&ref); - } - - /****************************************************************/ - /* decode_krb5_pa_otp_enc_req */ - { - setup(krb5_data,ktest_make_sample_data); - decode_run("pa_otp_enc_req","","30 0A 80 08 6B 72 62 35 64 61 74 61",decode_krb5_pa_otp_enc_req,ktest_equal_data,krb5_free_data); - ktest_empty_data(&ref); - } - - /****************************************************************/ - /* decode_krb5_kkdcp_message */ - { - setup(krb5_kkdcp_message,ktest_make_sample_kkdcp_message); - decode_run("kkdcp_message","","30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 98 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 
73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A1 0A 1B 08 6B 72 62 35 64 61 74 61",decode_krb5_kkdcp_message,ktest_equal_kkdcp_message,ktest_free_kkdcp_message); - ktest_empty_kkdcp_message(&ref); - } - - /****************************************************************/ - /* decode_krb5_cammac */ - { - setup(krb5_cammac,ktest_make_minimal_cammac); - decode_run("cammac","(optionals NULL)","30 12 A0 10 30 0E 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31",decode_krb5_cammac,ktest_equal_cammac,k5_free_cammac); - ktest_empty_cammac(&ref); - } - { - setup(krb5_cammac,ktest_make_maximal_cammac); - decode_run("cammac","","30 81 F2 A0 1E 30 1C 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 30 0C A0 03 02 01 02 A1 05 04 03 61 64 32 A1 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 6B 64 63 A2 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 73 76 63 A3 52 30 50 30 13 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 31 30 39 A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 32",decode_krb5_cammac,ktest_equal_cammac,k5_free_cammac); - ktest_empty_cammac(&ref); - } - - 
/****************************************************************/ - /* decode_krb5_secure_cookie */ - { - setup(krb5_secure_cookie,ktest_make_sample_secure_cookie); - decode_run("secure_cookie","","30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61",decode_krb5_secure_cookie,ktest_equal_secure_cookie,k5_free_secure_cookie); - ktest_empty_secure_cookie(&ref); - } - - /****************************************************************/ - /* decode_krb5_spake_factor */ - { - setup(krb5_spake_factor,ktest_make_minimal_spake_factor); - decode_run("spake_factor","(optionals NULL)","30 05 A0 03 02 01 01",decode_krb5_spake_factor,ktest_equal_spake_factor,k5_free_spake_factor); - ktest_empty_spake_factor(&ref); - } - { - setup(krb5_spake_factor,ktest_make_maximal_spake_factor); - decode_run("spake_factor","","30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61",decode_krb5_spake_factor,ktest_equal_spake_factor,k5_free_spake_factor); - ktest_empty_spake_factor(&ref); - } - - /****************************************************************/ - /* decode_krb5_pa_spake */ - { - setup(krb5_pa_spake,ktest_make_support_pa_spake); - decode_run("pa_spake","(support)","A0 0C 30 0A A0 08 30 06 02 01 01 02 01 02",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); - ktest_empty_pa_spake(&ref); - } - { - setup(krb5_pa_spake,ktest_make_challenge_pa_spake); - decode_run("pa_spake","(challenge)","A1 2D 30 2B A0 03 02 01 01 A1 09 04 07 54 20 76 61 6C 75 65 A2 19 30 17 30 05 A0 03 02 01 01 30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); - ktest_empty_pa_spake(&ref); - } - { - setup(krb5_pa_spake,ktest_make_response_pa_spake); - decode_run("pa_spake","(response)","A2 34 30 32 A0 09 04 07 53 20 76 61 6C 75 65 A1 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 
65",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); - ktest_empty_pa_spake(&ref); - } - { - setup(krb5_pa_spake,ktest_make_encdata_pa_spake); - decode_run("pa_spake","(encdata)","A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); - ktest_empty_pa_spake(&ref); - } - -#ifndef DISABLE_PKINIT - - /****************************************************************/ - /* decode_krb5_pa_pk_as_req */ - { - setup(krb5_pa_pk_as_req,ktest_make_sample_pa_pk_as_req); - decode_run("krb5_pa_pk_as_req","","30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61", - acc.decode_krb5_pa_pk_as_req, - ktest_equal_pa_pk_as_req,ktest_free_pa_pk_as_req); - ktest_empty_pa_pk_as_req(&ref); - } - - /****************************************************************/ - /* decode_krb5_pa_pk_as_rep */ - { - setup(krb5_pa_pk_as_rep,ktest_make_sample_pa_pk_as_rep_dhInfo); - decode_run("krb5_pa_pk_as_rep","(dhInfo)","A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61", - acc.decode_krb5_pa_pk_as_rep, - ktest_equal_pa_pk_as_rep,ktest_free_pa_pk_as_rep); - ktest_empty_pa_pk_as_rep(&ref); - } - { - setup(krb5_pa_pk_as_rep,ktest_make_sample_pa_pk_as_rep_encKeyPack); - decode_run("krb5_pa_pk_as_rep","(encKeyPack)","81 08 6B 72 62 35 64 61 74 61", - acc.decode_krb5_pa_pk_as_rep, - ktest_equal_pa_pk_as_rep,ktest_free_pa_pk_as_rep); - ktest_empty_pa_pk_as_rep(&ref); - } - - /****************************************************************/ - /* decode_krb5_auth_pack */ - { - setup(krb5_auth_pack,ktest_make_sample_auth_pack); - decode_run("krb5_auth_pack","","30 81 89 A0 39 30 37 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 0A 04 08 
6B 72 62 35 64 61 74 61 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 08 04 06 70 76 61 6C 75 65 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61", - acc.decode_krb5_auth_pack, - ktest_equal_auth_pack,ktest_free_auth_pack); - ktest_empty_auth_pack(&ref); - } - - /****************************************************************/ - /* decode_krb5_kdc_dh_key_info */ - { - setup(krb5_kdc_dh_key_info,ktest_make_sample_kdc_dh_key_info); - decode_run("krb5_kdc_dh_key_info","","30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A", - acc.decode_krb5_kdc_dh_key_info, - ktest_equal_kdc_dh_key_info,ktest_free_kdc_dh_key_info); - ktest_empty_kdc_dh_key_info(&ref); - } - - /****************************************************************/ - /* decode_krb5_reply_key_pack */ - { - setup(krb5_reply_key_pack,ktest_make_sample_reply_key_pack); - decode_run("krb5_reply_key_pack","","30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34", - acc.decode_krb5_reply_key_pack, - ktest_equal_reply_key_pack,ktest_free_reply_key_pack); - ktest_empty_reply_key_pack(&ref); - } - - /****************************************************************/ - /* decode_krb5_principal_name */ - /* We have no encoder for this type (KerberosName from RFC 4556); the - * encoding is hand-generated. 
*/ - { - krb5_principal ref, var; - - ktest_make_sample_principal(&ref); - decode_run("krb5_principal_name","","30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61", - acc.decode_krb5_principal_name,equal_principal,krb5_free_principal); - ktest_destroy_principal(&ref); - } - -#endif /* not DISABLE_PKINIT */ - -#ifdef ENABLE_LDAP - /* ldap sequence_of_keys */ - { - setup(ldap_seqof_key_data,ktest_make_sample_ldap_seqof_key_data); - decode_run("ldap_seqof_key_data","","30 81 87 A0 03 02 01 01 A1 03 02 01 01 A2 03 02 01 2A A3 03 02 01 0E A4 71 30 6F 30 23 A0 10 30 0E A0 03 02 01 00 A1 07 04 05 73 61 6C 74 30 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 30 30 23 A0 10 30 0E A0 03 02 01 01 A1 07 04 05 73 61 6C 74 31 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 31 30 23 A0 10 30 0E A0 03 02 01 02 A1 07 04 05 73 61 6C 74 32 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 32",acc.asn1_ldap_decode_sequence_of_keys,ktest_equal_ldap_sequence_of_keys,ktest_free_ldap_seqof_key_data); - ktest_empty_ldap_seqof_key_data(&ref); - } - -#endif - - krb5_free_context(test_context); - exit(error_count); - return(error_count); -} - - -void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val) -{ - if (val) { - krb5_free_data_contents(context, &(val->ciphertext)); - free(val); - } -} - -#ifndef DISABLE_PKINIT - -/* Glue function to make ktest_equal_principal_data look like what decode_run - * expects. 
*/ -static int -equal_principal(krb5_principal *ref, krb5_principal var) -{ - return ktest_equal_principal_data(*ref, var); -} - -static void -ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val) -{ - if (val) - ktest_empty_auth_pack(val); - free(val); -} - -static void -ktest_free_kdc_dh_key_info(krb5_context context, krb5_kdc_dh_key_info *val) -{ - if (val) - ktest_empty_kdc_dh_key_info(val); - free(val); -} - -static void -ktest_free_pa_pk_as_req(krb5_context context, krb5_pa_pk_as_req *val) -{ - if (val) - ktest_empty_pa_pk_as_req(val); - free(val); -} - -static void -ktest_free_pa_pk_as_rep(krb5_context context, krb5_pa_pk_as_rep *val) -{ - if (val) - ktest_empty_pa_pk_as_rep(val); - free(val); -} - -static void -ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val) -{ - if (val) - ktest_empty_reply_key_pack(val); - free(val); -} - -#endif /* not DISABLE_PKINIT */ - -#ifdef ENABLE_LDAP -static void -ktest_free_ldap_seqof_key_data(krb5_context context, ldap_seqof_key_data *val) -{ - if (val) - ktest_empty_ldap_seqof_key_data(val); - free(val); -} -#endif /* ENABLE_LDAP */ - -static void -ktest_free_kkdcp_message(krb5_context context, - krb5_kkdcp_message *val) -{ - if (val) - ktest_empty_kkdcp_message(val); - free(val); -} diff --git a/crypto/krb5/src/tests/asn.1/krb5_encode_test.c b/crypto/krb5/src/tests/asn.1/krb5_encode_test.c deleted file mode 100644 index d7bfa5134122..000000000000 --- a/crypto/krb5/src/tests/asn.1/krb5_encode_test.c +++ /dev/null 
@@ -1,850 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/krb5_encode_test.c */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include "k5-int.h" -#include "com_err.h" -#include "utility.h" - -#include "ktest.h" -#include "debug.h" - -extern int current_appl_type; - -krb5_context test_context; -int error_count = 0; -int do_trval = 0; -int first_trval = 1; -int trval2(FILE *, unsigned char *, int, int, int *); - -static void -encoder_print_results(krb5_data *code, char *typestring, char *description) -{ - char *code_string = NULL; - int r, rlen; - - if (do_trval) { - if (first_trval) - first_trval = 0; - else - printf("\n"); - printf("encode_krb5_%s%s:\n", typestring, description); - r = trval2(stdout, (uint8_t *)code->data, code->length, 0, &rlen); - printf("\n"); - if (rlen < 0 || (unsigned int) rlen != code->length) { - printf("Error: length mismatch: was %d, parsed %d\n", - code->length, rlen); - exit(1); - } - if (r != 0) { - printf("Error: Return from trval2 is %d.\n", r); - exit(1); - } - current_appl_type = -1; /* Reset type */ - } else { - asn1_krb5_data_unparse(code,&(code_string)); - printf("encode_krb5_%s%s: %s\n", typestring, description, - code_string); - free(code_string); - } - ktest_destroy_data(&code); -} - -static void -PRS(int argc, char **argv) -{ - extern char *optarg; - int optchar; - extern int print_types, print_krb5_types, print_id_and_len, - print_constructed_length, print_skip_context, - print_skip_tagnum, print_context_shortcut; - - while ((optchar = getopt(argc, argv, "tp:")) != -1) { - switch(optchar) { - case 't': - do_trval = 1; - break; - case 'p': - sample_principal_name = optarg; - break; - case '?': - default: - fprintf(stderr, "Usage: %s [-t] [-p principal]\n", - argv[0]); - exit(1); - } - } - print_types = 1; - print_krb5_types = 1; - print_id_and_len = 0; - print_constructed_length = 0; - print_skip_context = 1; - print_skip_tagnum = 1; - print_context_shortcut = 1; -} - -int -main(int argc, char **argv) -{ - krb5_data *code; - krb5_error_code retval; - - PRS(argc, argv); - - retval = krb5_init_context(&test_context); - if (retval) { - 
com_err(argv[0], retval, "while initializing krb5"); - exit(1); - } - init_access(argv[0]); - -#define encode_run(value,typestring,description,encoder) \ - retval = encoder(&(value),&(code)); \ - if (retval) { \ - com_err("krb5_encode_test", retval,"while encoding %s", typestring); \ - exit(1); \ - } \ - encoder_print_results(code, typestring, description); - - /****************************************************************/ - /* encode_krb5_authenticator */ - { - krb5_authenticator authent; - ktest_make_sample_authenticator(&authent); - - encode_run(authent, "authenticator", "", encode_krb5_authenticator); - - ktest_destroy_checksum(&(authent.checksum)); - ktest_destroy_keyblock(&(authent.subkey)); - authent.seq_number = 0; - ktest_empty_authorization_data(authent.authorization_data); - encode_run(authent, "authenticator", "(optionals empty)", - encode_krb5_authenticator); - - ktest_destroy_authorization_data(&(authent.authorization_data)); - encode_run(authent, "authenticator", "(optionals NULL)", - encode_krb5_authenticator); - ktest_empty_authenticator(&authent); - } - - /****************************************************************/ - /* encode_krb5_ticket */ - { - krb5_ticket tkt; - ktest_make_sample_ticket(&tkt); - encode_run(tkt, "ticket", "", encode_krb5_ticket); - ktest_empty_ticket(&tkt); - } - - /****************************************************************/ - /* encode_krb5_encryption_key */ - { - krb5_keyblock keyblk; - ktest_make_sample_keyblock(&keyblk); - current_appl_type = 1005; - encode_run(keyblk, "keyblock", "", encode_krb5_encryption_key); - ktest_empty_keyblock(&keyblk); - } - - /****************************************************************/ - /* encode_krb5_enc_tkt_part */ - { - krb5_ticket tkt; - memset(&tkt, 0, sizeof(krb5_ticket)); - tkt.enc_part2 = ealloc(sizeof(krb5_enc_tkt_part)); - ktest_make_sample_enc_tkt_part(tkt.enc_part2); - - encode_run(*tkt.enc_part2, "enc_tkt_part", "", - encode_krb5_enc_tkt_part); - - 
tkt.enc_part2->times.starttime = 0; - tkt.enc_part2->times.renew_till = 0; - ktest_destroy_address(&(tkt.enc_part2->caddrs[1])); - ktest_destroy_address(&(tkt.enc_part2->caddrs[0])); - ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[1])); - ktest_destroy_authdata(&(tkt.enc_part2->authorization_data[0])); - - /* ISODE version fails on the empty caddrs field */ - ktest_destroy_addresses(&(tkt.enc_part2->caddrs)); - ktest_destroy_authorization_data(&(tkt.enc_part2->authorization_data)); - - encode_run(*tkt.enc_part2, "enc_tkt_part", "(optionals NULL)", - encode_krb5_enc_tkt_part); - ktest_empty_ticket(&tkt); - } - - /****************************************************************/ - /* encode_krb5_enc_kdc_rep_part */ - { - krb5_kdc_rep kdcr; - - memset(&kdcr, 0, sizeof(kdcr)); - - kdcr.enc_part2 = ealloc(sizeof(krb5_enc_kdc_rep_part)); - ktest_make_sample_enc_kdc_rep_part(kdcr.enc_part2); - - encode_run(*kdcr.enc_part2, "enc_kdc_rep_part", "", - encode_krb5_enc_kdc_rep_part); - - kdcr.enc_part2->key_exp = 0; - kdcr.enc_part2->times.starttime = 0; - kdcr.enc_part2->flags &= ~TKT_FLG_RENEWABLE; - ktest_destroy_addresses(&(kdcr.enc_part2->caddrs)); - - encode_run(*kdcr.enc_part2, "enc_kdc_rep_part", "(optionals NULL)", - encode_krb5_enc_kdc_rep_part); - - ktest_empty_kdc_rep(&kdcr); - } - - /****************************************************************/ - /* encode_krb5_as_rep */ - { - krb5_kdc_rep kdcr; - ktest_make_sample_kdc_rep(&kdcr); - -/* kdcr.msg_type = KRB5_TGS_REP; - test(encode_krb5_as_rep(&kdcr,&code) == KRB5_BADMSGTYPE, - "encode_krb5_as_rep type check\n"); - ktest_destroy_data(&code);*/ - - kdcr.msg_type = KRB5_AS_REP; - encode_run(kdcr, "as_rep", "", encode_krb5_as_rep); - - ktest_destroy_pa_data_array(&(kdcr.padata)); - encode_run(kdcr, "as_rep", "(optionals NULL)", encode_krb5_as_rep); - - ktest_empty_kdc_rep(&kdcr); - - } - - /****************************************************************/ - /* encode_krb5_tgs_rep */ - { - krb5_kdc_rep 
kdcr; - ktest_make_sample_kdc_rep(&kdcr); - -/* kdcr.msg_type = KRB5_AS_REP; - test(encode_krb5_tgs_rep(&kdcr,&code) == KRB5_BADMSGTYPE, - "encode_krb5_tgs_rep type check\n");*/ - - kdcr.msg_type = KRB5_TGS_REP; - encode_run(kdcr, "tgs_rep", "", encode_krb5_tgs_rep); - - ktest_destroy_pa_data_array(&(kdcr.padata)); - encode_run(kdcr, "tgs_rep", "(optionals NULL)", encode_krb5_tgs_rep); - - ktest_empty_kdc_rep(&kdcr); - - } - - /****************************************************************/ - /* encode_krb5_ap_req */ - { - krb5_ap_req apreq; - ktest_make_sample_ap_req(&apreq); - encode_run(apreq, "ap_req", "", encode_krb5_ap_req); - ktest_empty_ap_req(&apreq); - } - - /****************************************************************/ - /* encode_krb5_ap_rep */ - { - krb5_ap_rep aprep; - ktest_make_sample_ap_rep(&aprep); - encode_run(aprep, "ap_rep", "", encode_krb5_ap_rep); - ktest_empty_ap_rep(&aprep); - } - - /****************************************************************/ - /* encode_krb5_ap_rep_enc_part */ - { - krb5_ap_rep_enc_part apenc; - ktest_make_sample_ap_rep_enc_part(&apenc); - encode_run(apenc, "ap_rep_enc_part", "", encode_krb5_ap_rep_enc_part); - - ktest_destroy_keyblock(&(apenc.subkey)); - apenc.seq_number = 0; - encode_run(apenc, "ap_rep_enc_part", "(optionals NULL)", - encode_krb5_ap_rep_enc_part); - ktest_empty_ap_rep_enc_part(&apenc); - } - - /****************************************************************/ - /* encode_krb5_as_req */ - { - krb5_kdc_req asreq; - ktest_make_sample_kdc_req(&asreq); - asreq.msg_type = KRB5_AS_REQ; - asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - encode_run(asreq, "as_req", "", encode_krb5_as_req); - - ktest_destroy_pa_data_array(&(asreq.padata)); - ktest_destroy_principal(&(asreq.client)); -#ifndef ISODE_SUCKS - ktest_destroy_principal(&(asreq.server)); -#endif - asreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY; - asreq.from = 0; - asreq.rtime = 0; - ktest_destroy_addresses(&(asreq.addresses)); - 
ktest_destroy_enc_data(&(asreq.authorization_data)); - encode_run(asreq, "as_req", "(optionals NULL except second_ticket)", - encode_krb5_as_req); - ktest_destroy_sequence_of_ticket(&(asreq.second_ticket)); -#ifndef ISODE_SUCKS - ktest_make_sample_principal(&(asreq.server)); -#endif - asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - encode_run(asreq, "as_req", "(optionals NULL except server)", - encode_krb5_as_req); - ktest_empty_kdc_req(&asreq); - } - - /****************************************************************/ - /* encode_krb5_tgs_req */ - { - krb5_kdc_req tgsreq; - ktest_make_sample_kdc_req(&tgsreq); - tgsreq.msg_type = KRB5_TGS_REQ; - tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - encode_run(tgsreq, "tgs_req", "", encode_krb5_tgs_req); - - ktest_destroy_pa_data_array(&(tgsreq.padata)); - ktest_destroy_principal(&(tgsreq.client)); -#ifndef ISODE_SUCKS - ktest_destroy_principal(&(tgsreq.server)); -#endif - tgsreq.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY; - tgsreq.from = 0; - tgsreq.rtime = 0; - ktest_destroy_addresses(&(tgsreq.addresses)); - ktest_destroy_enc_data(&(tgsreq.authorization_data)); - encode_run(tgsreq, "tgs_req", "(optionals NULL except second_ticket)", - encode_krb5_tgs_req); - - ktest_destroy_sequence_of_ticket(&(tgsreq.second_ticket)); -#ifndef ISODE_SUCKS - ktest_make_sample_principal(&(tgsreq.server)); -#endif - tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - encode_run(tgsreq, "tgs_req", "(optionals NULL except server)", - encode_krb5_tgs_req); - - ktest_empty_kdc_req(&tgsreq); - } - - /****************************************************************/ - /* encode_krb5_kdc_req_body */ - { - krb5_kdc_req kdcrb; - memset(&kdcrb, 0, sizeof(kdcrb)); - ktest_make_sample_kdc_req_body(&kdcrb); - kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - current_appl_type = 1007; /* Force interpretation as kdc-req-body */ - encode_run(kdcrb, "kdc_req_body", "", encode_krb5_kdc_req_body); - - ktest_destroy_principal(&(kdcrb.client)); -#ifndef 
ISODE_SUCKS - ktest_destroy_principal(&(kdcrb.server)); -#endif - kdcrb.kdc_options |= KDC_OPT_ENC_TKT_IN_SKEY; - kdcrb.from = 0; - kdcrb.rtime = 0; - ktest_destroy_addresses(&(kdcrb.addresses)); - ktest_destroy_enc_data(&(kdcrb.authorization_data)); - current_appl_type = 1007; /* Force interpretation as kdc-req-body */ - encode_run(kdcrb, "kdc_req_body", - "(optionals NULL except second_ticket)", - encode_krb5_kdc_req_body); - - ktest_destroy_sequence_of_ticket(&(kdcrb.second_ticket)); -#ifndef ISODE_SUCKS - ktest_make_sample_principal(&(kdcrb.server)); -#endif - kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - current_appl_type = 1007; /* Force interpretation as kdc-req-body */ - encode_run(kdcrb, "kdc_req_body", "(optionals NULL except server)", - encode_krb5_kdc_req_body); - - ktest_empty_kdc_req(&kdcrb); - } - - /****************************************************************/ - /* encode_krb5_safe */ - { - krb5_safe s; - ktest_make_sample_safe(&s); - encode_run(s, "safe", "", encode_krb5_safe); - - s.timestamp = 0; - /* s.usec should be opted out by the timestamp */ - s.seq_number = 0; - ktest_destroy_address(&(s.r_address)); - encode_run(s, "safe", "(optionals NULL)", encode_krb5_safe); - - ktest_empty_safe(&s); - } - - /****************************************************************/ - /* encode_krb5_priv */ - { - krb5_priv p; - ktest_make_sample_priv(&p); - encode_run(p, "priv", "", encode_krb5_priv); - ktest_empty_priv(&p); - } - - /****************************************************************/ - /* encode_krb5_enc_priv_part */ - { - krb5_priv_enc_part ep; - ktest_make_sample_priv_enc_part(&ep); - encode_run(ep, "enc_priv_part", "", encode_krb5_enc_priv_part); - - ep.timestamp = 0; - /* ep.usec should be opted out along with timestamp */ - ep.seq_number = 0; - ktest_destroy_address(&(ep.r_address)); - encode_run(ep, "enc_priv_part", "(optionals NULL)", - encode_krb5_enc_priv_part); - - ktest_empty_priv_enc_part(&ep); - } - - 
/****************************************************************/ - /* encode_krb5_cred */ - { - krb5_cred c; - ktest_make_sample_cred(&c); - encode_run(c, "cred", "", encode_krb5_cred); - ktest_empty_cred(&c); - } - - /****************************************************************/ - /* encode_krb5_enc_cred_part */ - { - krb5_cred_enc_part cep; - ktest_make_sample_cred_enc_part(&cep); - encode_run(cep, "enc_cred_part", "", encode_krb5_enc_cred_part); - - ktest_destroy_principal(&(cep.ticket_info[0]->client)); - ktest_destroy_principal(&(cep.ticket_info[0]->server)); - cep.ticket_info[0]->flags = 0; - cep.ticket_info[0]->times.authtime = 0; - cep.ticket_info[0]->times.starttime = 0; - cep.ticket_info[0]->times.endtime = 0; - cep.ticket_info[0]->times.renew_till = 0; - ktest_destroy_addresses(&(cep.ticket_info[0]->caddrs)); - cep.nonce = 0; - cep.timestamp = 0; - ktest_destroy_address(&(cep.s_address)); - ktest_destroy_address(&(cep.r_address)); - encode_run(cep, "enc_cred_part", "(optionals NULL)", - encode_krb5_enc_cred_part); - - ktest_empty_cred_enc_part(&cep); - } - - /****************************************************************/ - /* encode_krb5_error */ - { - krb5_error kerr; - ktest_make_sample_error(&kerr); - encode_run(kerr, "error", "", encode_krb5_error); - - kerr.ctime = 0; - ktest_destroy_principal(&(kerr.client)); - ktest_empty_data(&(kerr.text)); - ktest_empty_data(&(kerr.e_data)); - encode_run(kerr, "error", "(optionals NULL)", encode_krb5_error); - - ktest_empty_error(&kerr); - } - - /****************************************************************/ - /* encode_krb5_authdata */ - { - krb5_authdata **ad; - ktest_make_sample_authorization_data(&ad); - - retval = encode_krb5_authdata(ad,&(code)); - if (retval) { - com_err("encoding authorization_data",retval,""); - exit(1); - } - current_appl_type = 1004; /* Force type to be authdata */ - encoder_print_results(code, "authorization_data", ""); - - ktest_destroy_authorization_data(&ad); - } - - 
/****************************************************************/ - /* encode_padata_sequence and encode_krb5_typed_data */ - { - krb5_pa_data **pa; - - ktest_make_sample_pa_data_array(&pa); - encode_run(*pa, "padata_sequence", "", encode_krb5_padata_sequence); - encode_run(*pa, "typed_data", "", encode_krb5_typed_data); - ktest_destroy_pa_data_array(&pa); - - ktest_make_sample_empty_pa_data_array(&pa); - encode_run(*pa, "padata_sequence", "(empty)", - encode_krb5_padata_sequence); - ktest_destroy_pa_data_array(&pa); - } - - /****************************************************************/ - /* encode_etype_info */ - { - krb5_etype_info_entry **info; - - ktest_make_sample_etype_info(&info); - encode_run(*info, "etype_info", "", encode_krb5_etype_info); - - ktest_destroy_etype_info_entry(info[2]); info[2] = 0; - ktest_destroy_etype_info_entry(info[1]); info[1] = 0; - encode_run(*info, "etype_info", "(only 1)", encode_krb5_etype_info); - - ktest_destroy_etype_info_entry(info[0]); info[0] = 0; - encode_run(*info, "etype_info", "(no info)", encode_krb5_etype_info); - - ktest_destroy_etype_info(info); - } - - /* encode_etype_info2 */ - { - krb5_etype_info_entry **info; - - ktest_make_sample_etype_info2(&info); - encode_run(*info, "etype_info2", "", encode_krb5_etype_info2); - - ktest_destroy_etype_info_entry(info[2]); info[2] = 0; - ktest_destroy_etype_info_entry(info[1]); info[1] = 0; - encode_run(*info, "etype_info2", "(only 1)", encode_krb5_etype_info2); - - /* etype_info2 sequences aren't allowed to be empty. 
*/ - - ktest_destroy_etype_info(info); - } - - /****************************************************************/ - /* encode_pa_enc_ts */ - { - krb5_pa_enc_ts pa_enc; - ktest_make_sample_pa_enc_ts(&pa_enc); - encode_run(pa_enc, "pa_enc_ts", "", encode_krb5_pa_enc_ts); - pa_enc.pausec = 0; - encode_run(pa_enc, "pa_enc_ts (no usec)", "", encode_krb5_pa_enc_ts); - } - - /****************************************************************/ - /* encode_enc_data */ - { - krb5_enc_data enc_data; - ktest_make_sample_enc_data(&enc_data); - current_appl_type = 1001; - encode_run(enc_data, "enc_data", "", encode_krb5_enc_data); - enc_data.kvno = 0xFF000000; - current_appl_type = 1001; - encode_run(enc_data, "enc_data", "(MSB-set kvno)", - encode_krb5_enc_data); - enc_data.kvno = 0xFFFFFFFF; - current_appl_type = 1001; - encode_run(enc_data, "enc_data", "(kvno=-1)", encode_krb5_enc_data); - ktest_destroy_enc_data(&enc_data); - } - /****************************************************************/ - /* encode_krb5_sam_challenge_2 */ - { - krb5_sam_challenge_2 sam_ch2; - ktest_make_sample_sam_challenge_2(&sam_ch2); - encode_run(sam_ch2, "sam_challenge_2", "", - encode_krb5_sam_challenge_2); - ktest_empty_sam_challenge_2(&sam_ch2); - } - /****************************************************************/ - /* encode_krb5_sam_challenge_2_body */ - { - krb5_sam_challenge_2_body body; - ktest_make_sample_sam_challenge_2_body(&body); - encode_run(body, "sam_challenge_2_body", "", - encode_krb5_sam_challenge_2_body); - ktest_empty_sam_challenge_2_body(&body); - } - /****************************************************************/ - /* encode_krb5_sam_response_2 */ - { - krb5_sam_response_2 sam_ch2; - ktest_make_sample_sam_response_2(&sam_ch2); - encode_run(sam_ch2, "sam_response_2", "", encode_krb5_sam_response_2); - ktest_empty_sam_response_2(&sam_ch2); - } - /****************************************************************/ - /* encode_krb5_sam_response_enc_2 */ - { - 
krb5_enc_sam_response_enc_2 sam_ch2; - ktest_make_sample_enc_sam_response_enc_2(&sam_ch2); - encode_run(sam_ch2, "enc_sam_response_enc_2", "", - encode_krb5_enc_sam_response_enc_2); - ktest_empty_enc_sam_response_enc_2(&sam_ch2); - } - /****************************************************************/ - /* encode_krb5_pa_for_user */ - { - krb5_pa_for_user s4u; - ktest_make_sample_pa_for_user(&s4u); - encode_run(s4u, "pa_for_user", "", encode_krb5_pa_for_user); - ktest_empty_pa_for_user(&s4u); - } - /****************************************************************/ - /* encode_krb5_pa_s4u_x509_user */ - { - krb5_pa_s4u_x509_user s4u; - ktest_make_sample_pa_s4u_x509_user(&s4u); - encode_run(s4u, "pa_s4u_x509_user", "", encode_krb5_pa_s4u_x509_user); - ktest_empty_pa_s4u_x509_user(&s4u); - } - /****************************************************************/ - /* encode_krb5_ad_kdcissued */ - { - krb5_ad_kdcissued kdci; - ktest_make_sample_ad_kdcissued(&kdci); - encode_run(kdci, "ad_kdcissued", "", encode_krb5_ad_kdcissued); - ktest_empty_ad_kdcissued(&kdci); - } - /****************************************************************/ - /* encode_krb5_iakerb_header */ - { - krb5_iakerb_header ih; - ktest_make_sample_iakerb_header(&ih); - encode_run(ih, "iakerb_header", "", encode_krb5_iakerb_header); - ktest_empty_iakerb_header(&ih); - } - /****************************************************************/ - /* encode_krb5_iakerb_finished */ - { - krb5_iakerb_finished ih; - ktest_make_sample_iakerb_finished(&ih); - encode_run(ih, "iakerb_finished", "", encode_krb5_iakerb_finished); - ktest_empty_iakerb_finished(&ih); - } - /****************************************************************/ - /* encode_krb5_fast_response */ - { - krb5_fast_response fr; - ktest_make_sample_fast_response(&fr); - encode_run(fr, "fast_response", "", encode_krb5_fast_response); - ktest_empty_fast_response(&fr); - } - /****************************************************************/ - /* 
encode_krb5_pa_fx_fast_reply */ - { - krb5_enc_data enc_data; - ktest_make_sample_enc_data(&enc_data); - encode_run(enc_data, "pa_fx_fast_reply", "", - encode_krb5_pa_fx_fast_reply); - ktest_destroy_enc_data(&enc_data); - } - /****************************************************************/ - /* encode_krb5_otp_tokeninfo */ - { - krb5_otp_tokeninfo ti; - ktest_make_minimal_otp_tokeninfo(&ti); - encode_run(ti, "otp_tokeninfo", "(optionals NULL)", - encode_krb5_otp_tokeninfo); - ktest_empty_otp_tokeninfo(&ti); - ktest_make_maximal_otp_tokeninfo(&ti); - encode_run(ti, "otp_tokeninfo", "", encode_krb5_otp_tokeninfo); - ktest_empty_otp_tokeninfo(&ti); - } - /****************************************************************/ - /* encode_krb5_pa_otp_challenge */ - { - krb5_pa_otp_challenge ch; - ktest_make_minimal_pa_otp_challenge(&ch); - encode_run(ch, "pa_otp_challenge", "(optionals NULL)", - encode_krb5_pa_otp_challenge); - ktest_empty_pa_otp_challenge(&ch); - ktest_make_maximal_pa_otp_challenge(&ch); - encode_run(ch, "pa_otp_challenge", "", encode_krb5_pa_otp_challenge); - ktest_empty_pa_otp_challenge(&ch); - } - /****************************************************************/ - /* encode_krb5_pa_otp_req */ - { - krb5_pa_otp_req req; - ktest_make_minimal_pa_otp_req(&req); - encode_run(req, "pa_otp_req", "(optionals NULL)", - encode_krb5_pa_otp_req); - ktest_empty_pa_otp_req(&req); - ktest_make_maximal_pa_otp_req(&req); - encode_run(req, "pa_otp_req", "", encode_krb5_pa_otp_req); - ktest_empty_pa_otp_req(&req); - } - /****************************************************************/ - /* encode_krb5_pa_otp_enc_request */ - { - krb5_data d; - ktest_make_sample_data(&d); - encode_run(d, "pa_otp_enc_req", "", encode_krb5_pa_otp_enc_req); - ktest_empty_data(&d); - } - /****************************************************************/ - /* encode_krb5_kkdcp_message */ - { - krb5_kkdcp_message info; - ktest_make_sample_kkdcp_message(&info); - encode_run(info, 
"kkdcp_message", "", encode_krb5_kkdcp_message); - ktest_empty_kkdcp_message(&info); - } - /* encode_krb5_cammac */ - { - krb5_cammac req; - ktest_make_minimal_cammac(&req); - encode_run(req, "cammac", "(optionals NULL)", encode_krb5_cammac); - ktest_empty_cammac(&req); - ktest_make_maximal_cammac(&req); - encode_run(req, "cammac", "", encode_krb5_cammac); - ktest_empty_cammac(&req); - } - /****************************************************************/ - /* encode_krb5_secure_cookie */ - { - krb5_secure_cookie cookie; - ktest_make_sample_secure_cookie(&cookie); - encode_run(cookie, "secure_cookie", "", encode_krb5_secure_cookie); - ktest_empty_secure_cookie(&cookie); - } - /****************************************************************/ - /* encode_krb5_spake_factor */ - { - krb5_spake_factor factor; - ktest_make_minimal_spake_factor(&factor); - encode_run(factor, "spake_factor", "(optionals NULL)", - encode_krb5_spake_factor); - ktest_empty_spake_factor(&factor); - ktest_make_maximal_spake_factor(&factor); - encode_run(factor, "spake_factor", "", encode_krb5_spake_factor); - ktest_empty_spake_factor(&factor); - } - /****************************************************************/ - /* encode_krb5_pa_spake */ - { - krb5_pa_spake pa_spake; - ktest_make_support_pa_spake(&pa_spake); - encode_run(pa_spake, "pa_spake", "(support)", encode_krb5_pa_spake); - ktest_empty_pa_spake(&pa_spake); - ktest_make_challenge_pa_spake(&pa_spake); - encode_run(pa_spake, "pa_spake", "(challenge)", encode_krb5_pa_spake); - ktest_empty_pa_spake(&pa_spake); - ktest_make_response_pa_spake(&pa_spake); - encode_run(pa_spake, "pa_spake", "(response)", encode_krb5_pa_spake); - ktest_empty_pa_spake(&pa_spake); - ktest_make_encdata_pa_spake(&pa_spake); - encode_run(pa_spake, "pa_spake", "(encdata)", encode_krb5_pa_spake); - ktest_empty_pa_spake(&pa_spake); - } -#ifndef DISABLE_PKINIT - /****************************************************************/ - /* encode_krb5_pa_pk_as_req */ - { - 
krb5_pa_pk_as_req req; - ktest_make_sample_pa_pk_as_req(&req); - encode_run(req, "pa_pk_as_req", "", acc.encode_krb5_pa_pk_as_req); - ktest_empty_pa_pk_as_req(&req); - } - /****************************************************************/ - /* encode_krb5_pa_pk_as_rep */ - { - krb5_pa_pk_as_rep rep; - ktest_make_sample_pa_pk_as_rep_dhInfo(&rep); - encode_run(rep, "pa_pk_as_rep", "(dhInfo)", - acc.encode_krb5_pa_pk_as_rep); - ktest_empty_pa_pk_as_rep(&rep); - ktest_make_sample_pa_pk_as_rep_encKeyPack(&rep); - encode_run(rep, "pa_pk_as_rep", "(encKeyPack)", - acc.encode_krb5_pa_pk_as_rep); - ktest_empty_pa_pk_as_rep(&rep); - } - /****************************************************************/ - /* encode_krb5_auth_pack */ - { - krb5_auth_pack pack; - ktest_make_sample_auth_pack(&pack); - encode_run(pack, "auth_pack", "", acc.encode_krb5_auth_pack); - ktest_empty_auth_pack(&pack); - } - /****************************************************************/ - /* encode_krb5_kdc_dh_key_info */ - { - krb5_kdc_dh_key_info ki; - ktest_make_sample_kdc_dh_key_info(&ki); - encode_run(ki, "kdc_dh_key_info", "", acc.encode_krb5_kdc_dh_key_info); - ktest_empty_kdc_dh_key_info(&ki); - } - /****************************************************************/ - /* encode_krb5_reply_key_pack */ - { - krb5_reply_key_pack pack; - ktest_make_sample_reply_key_pack(&pack); - encode_run(pack, "reply_key_pack", "", acc.encode_krb5_reply_key_pack); - ktest_empty_reply_key_pack(&pack); - } - /****************************************************************/ - /* encode_krb5_sp80056a_other_info */ - { - krb5_sp80056a_other_info info; - ktest_make_sample_sp80056a_other_info(&info); - encode_run(info, "sp80056a_other_info", "", - encode_krb5_sp80056a_other_info); - ktest_empty_sp80056a_other_info(&info); - } - /****************************************************************/ - /* encode_krb5_pkinit_supp_pub_info */ - { - krb5_pkinit_supp_pub_info info; - 
ktest_make_sample_pkinit_supp_pub_info(&info);
- encode_run(info, "pkinit_supp_pub_info", "",
- encode_krb5_pkinit_supp_pub_info);
- ktest_empty_pkinit_supp_pub_info(&info);
- }
-#endif /* not DISABLE_PKINIT */
-#ifdef ENABLE_LDAP
- {
- ldap_seqof_key_data skd;
-
- ktest_make_sample_ldap_seqof_key_data(&skd);
- encode_run(skd, "ldap_seqof_key_data", "",
- acc.asn1_ldap_encode_sequence_of_keys);
- ktest_empty_ldap_seqof_key_data(&skd);
- }
-#endif
-
- krb5_free_context(test_context);
- exit(error_count);
- return(error_count);
-}
diff --git a/crypto/krb5/src/tests/asn.1/ktest.c b/crypto/krb5/src/tests/asn.1/ktest.c
deleted file mode 100644
index 20360c8ffc70..000000000000
--- a/crypto/krb5/src/tests/asn.1/ktest.c
+++ /dev/null
@@ -1,1796 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/asn.1/ktest.c */
-/*
- * Copyright (C) 1994 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "ktest.h"
-#include "utility.h"
-#include <stdlib.h>
-
-char *sample_principal_name = "hftsai/extra@ATHENA.MIT.EDU";
-
-void
-ktest_make_sample_authenticator(krb5_authenticator *a)
-{
- ktest_make_sample_principal(&a->client);
- a->checksum = ealloc(sizeof(krb5_checksum));
- ktest_make_sample_checksum(a->checksum);
- a->cusec = SAMPLE_USEC;
- a->ctime = SAMPLE_TIME;
- a->subkey = ealloc(sizeof(krb5_keyblock));
- ktest_make_sample_keyblock(a->subkey);
- a->seq_number = SAMPLE_SEQ_NUMBER;
- ktest_make_sample_authorization_data(&a->authorization_data);
-}
-
-void
-ktest_make_sample_principal(krb5_principal *p)
-{
- if (krb5_parse_name(test_context, sample_principal_name, p))
- abort();
-}
-
-void
-ktest_make_sample_checksum(krb5_checksum *cs)
-{
- cs->checksum_type = 1;
- cs->length = 4;
- cs->contents = ealloc(4);
- memcpy(cs->contents,"1234",4);
-}
-
-void
-ktest_make_sample_keyblock(krb5_keyblock *kb)
-{
- kb->magic = KV5M_KEYBLOCK;
- kb->enctype = 1;
- kb->length = 8;
- kb->contents = ealloc(8);
- memcpy(kb->contents,"12345678",8);
-}
-
-void
-ktest_make_sample_ticket(krb5_ticket *tkt)
-{
- ktest_make_sample_principal(&tkt->server);
- ktest_make_sample_enc_data(&tkt->enc_part);
- tkt->enc_part2 = NULL;
-}
-
-void
-ktest_make_sample_enc_data(krb5_enc_data *ed)
-{
- ed->kvno = 5;
- ed->enctype = 0;
- krb5_data_parse(&ed->ciphertext, "krbASN.1 test message");
-}
-
-void
-ktest_make_sample_enc_tkt_part(krb5_enc_tkt_part *etp)
-{
- etp->flags = SAMPLE_FLAGS;
- etp->session = ealloc(sizeof(krb5_keyblock));
- ktest_make_sample_keyblock(etp->session);
- ktest_make_sample_principal(&etp->client);
- ktest_make_sample_transited(&etp->transited);
- ktest_make_sample_ticket_times(&etp->times);
- ktest_make_sample_addresses(&etp->caddrs);
- ktest_make_sample_authorization_data(&etp->authorization_data);
-}
-
-void
-ktest_make_sample_addresses(krb5_address ***caddrs)
-{
- int i;
-
- *caddrs = ealloc(3 * sizeof(krb5_address *));
- for (i = 0; i < 2; i++) {
- 
(*caddrs)[i] = ealloc(sizeof(krb5_address));
- ktest_make_sample_address((*caddrs)[i]);
- }
- (*caddrs)[2] = NULL;
-}
-
-void
-ktest_make_sample_authorization_data(krb5_authdata ***ad)
-{
- int i;
-
- *ad = ealloc(3 * sizeof(krb5_authdata *));
- for (i = 0; i <= 1; i++) {
- (*ad)[i] = ealloc(sizeof(krb5_authdata));
- ktest_make_sample_authdata((*ad)[i]);
- }
- (*ad)[2] = NULL;
-}
-
-void
-ktest_make_sample_transited(krb5_transited *t)
-{
- t->tr_type = 1;
- krb5_data_parse(&t->tr_contents, "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.");
-}
-
-void
-ktest_make_sample_ticket_times(krb5_ticket_times *tt)
-{
- tt->authtime = SAMPLE_TIME;
- tt->starttime = SAMPLE_TIME;
- tt->endtime = SAMPLE_TIME;
- tt->renew_till = SAMPLE_TIME;
-}
-
-void
-ktest_make_sample_address(krb5_address *a)
-{
- a->addrtype = ADDRTYPE_INET;
- a->length = 4;
- a->contents = ealloc(4 * sizeof(krb5_octet));
- a->contents[0] = 18;
- a->contents[1] = 208;
- a->contents[2] = 0;
- a->contents[3] = 35;
-}
-
-void
-ktest_make_sample_authdata(krb5_authdata *ad)
-{
- ad->ad_type = 1;
- ad->length = 6;
- ad->contents = ealloc(6 * sizeof(krb5_octet));
- memcpy(ad->contents, "foobar", 6);
-}
-
-void
-ktest_make_sample_enc_kdc_rep_part(krb5_enc_kdc_rep_part *ekr)
-{
- ekr->session = ealloc(sizeof(krb5_keyblock));
- ktest_make_sample_keyblock(ekr->session);
- ktest_make_sample_last_req(&ekr->last_req);
- ekr->nonce = SAMPLE_NONCE;
- ekr->key_exp = SAMPLE_TIME;
- ekr->flags = SAMPLE_FLAGS;
- ekr->times.authtime = SAMPLE_TIME;
- ekr->times.starttime = SAMPLE_TIME;
- ekr->times.endtime = SAMPLE_TIME;
- ekr->times.renew_till = SAMPLE_TIME;
- ktest_make_sample_principal(&ekr->server);
- ktest_make_sample_addresses(&ekr->caddrs);
-}
-
-void
-ktest_make_sample_last_req(krb5_last_req_entry ***lr)
-{
- int i;
-
- *lr = ealloc(3 * sizeof(krb5_last_req_entry *));
- for (i = 0; i <= 1; i++)
- ktest_make_sample_last_req_entry(&(*lr)[i]);
- (*lr)[2] = NULL;
-}
-
-void
-ktest_make_sample_last_req_entry(krb5_last_req_entry **lre)
-{
- *lre = ealloc(sizeof(krb5_last_req_entry)); - (*lre)->lr_type = -5; - (*lre)->value = SAMPLE_TIME; -} - -void -ktest_make_sample_kdc_rep(krb5_kdc_rep *kdcr) -{ - ktest_make_sample_pa_data_array(&kdcr->padata); - ktest_make_sample_principal(&kdcr->client); - kdcr->ticket = ealloc(sizeof(krb5_ticket)); - ktest_make_sample_ticket(kdcr->ticket); - ktest_make_sample_enc_data(&kdcr->enc_part); - kdcr->enc_part2 = NULL; -} - -void -ktest_make_sample_pa_data_array(krb5_pa_data ***pad) -{ - int i; - - *pad = ealloc(3 * sizeof(krb5_pa_data *)); - for (i = 0; i <= 1; i++) { - (*pad)[i] = ealloc(sizeof(krb5_pa_data)); - ktest_make_sample_pa_data((*pad)[i]); - } - (*pad)[2] = NULL; -} - -void -ktest_make_sample_empty_pa_data_array(krb5_pa_data ***pad) -{ - *pad = ealloc(sizeof(krb5_pa_data *)); - (*pad)[0] = NULL; -} - -void -ktest_make_sample_pa_data(krb5_pa_data *pad) -{ - pad->pa_type = 13; - pad->length = 7; - pad->contents = ealloc(7); - memcpy(pad->contents, "pa-data", 7); -} - -void -ktest_make_sample_ap_req(krb5_ap_req *ar) -{ - ar->ap_options = SAMPLE_FLAGS; - ar->ticket = ealloc(sizeof(krb5_ticket)); - ktest_make_sample_ticket(ar->ticket); - ktest_make_sample_enc_data(&(ar->authenticator)); -} - -void -ktest_make_sample_ap_rep(krb5_ap_rep *ar) -{ - ktest_make_sample_enc_data(&ar->enc_part); -} - -void -ktest_make_sample_ap_rep_enc_part(krb5_ap_rep_enc_part *arep) -{ - arep->ctime = SAMPLE_TIME; - arep->cusec = SAMPLE_USEC; - arep->subkey = ealloc(sizeof(krb5_keyblock)); - ktest_make_sample_keyblock(arep->subkey); - arep->seq_number = SAMPLE_SEQ_NUMBER; -} - -void -ktest_make_sample_kdc_req(krb5_kdc_req *kr) -{ - /* msg_type is left up to the calling procedure */ - ktest_make_sample_pa_data_array(&kr->padata); - kr->kdc_options = SAMPLE_FLAGS; - ktest_make_sample_principal(&(kr->client)); - ktest_make_sample_principal(&(kr->server)); - kr->from = SAMPLE_TIME; - kr->till = SAMPLE_TIME; - kr->rtime = SAMPLE_TIME; - kr->nonce = SAMPLE_NONCE; - kr->nktypes = 2; - 
kr->ktype = ealloc(2 * sizeof(krb5_enctype)); - kr->ktype[0] = 0; - kr->ktype[1] = 1; - ktest_make_sample_addresses(&kr->addresses); - ktest_make_sample_enc_data(&kr->authorization_data); - ktest_make_sample_authorization_data(&kr->unenc_authdata); - ktest_make_sample_sequence_of_ticket(&kr->second_ticket); -} - -void -ktest_make_sample_kdc_req_body(krb5_kdc_req *krb) -{ - krb->kdc_options = SAMPLE_FLAGS; - ktest_make_sample_principal(&krb->client); - ktest_make_sample_principal(&krb->server); - krb->from = SAMPLE_TIME; - krb->till = SAMPLE_TIME; - krb->rtime = SAMPLE_TIME; - krb->nonce = SAMPLE_NONCE; - krb->nktypes = 2; - krb->ktype = (krb5_enctype*)calloc(2,sizeof(krb5_enctype)); - krb->ktype[0] = 0; - krb->ktype[1] = 1; - ktest_make_sample_addresses(&krb->addresses); - ktest_make_sample_enc_data(&krb->authorization_data); - ktest_make_sample_authorization_data(&krb->unenc_authdata); - ktest_make_sample_sequence_of_ticket(&krb->second_ticket); -} - -void -ktest_make_sample_safe(krb5_safe *s) -{ - ktest_make_sample_data(&s->user_data); - s->timestamp = SAMPLE_TIME; - s->usec = SAMPLE_USEC; - s->seq_number = SAMPLE_SEQ_NUMBER; - s->s_address = ealloc(sizeof(krb5_address)); - ktest_make_sample_address(s->s_address); - s->r_address = ealloc(sizeof(krb5_address)); - ktest_make_sample_address(s->r_address); - s->checksum = ealloc(sizeof(krb5_checksum)); - ktest_make_sample_checksum(s->checksum); -} - -void -ktest_make_sample_priv(krb5_priv *p) -{ - ktest_make_sample_enc_data(&p->enc_part); -} - -void -ktest_make_sample_priv_enc_part(krb5_priv_enc_part *pep) -{ - ktest_make_sample_data(&(pep->user_data)); - pep->timestamp = SAMPLE_TIME; - pep->usec = SAMPLE_USEC; - pep->seq_number = SAMPLE_SEQ_NUMBER; - pep->s_address = ealloc(sizeof(krb5_address)); - ktest_make_sample_address(pep->s_address); - pep->r_address = ealloc(sizeof(krb5_address)); - ktest_make_sample_address(pep->r_address); -} - -void -ktest_make_sample_cred(krb5_cred *c) -{ - 
ktest_make_sample_sequence_of_ticket(&c->tickets); - ktest_make_sample_enc_data(&c->enc_part); -} - -void -ktest_make_sample_sequence_of_ticket(krb5_ticket ***sot) -{ - int i; - - *sot = ealloc(3 * sizeof(krb5_ticket *)); - for (i = 0; i < 2; i++) { - (*sot)[i] = ealloc(sizeof(krb5_ticket)); - ktest_make_sample_ticket((*sot)[i]); - } - (*sot)[2] = NULL; -} - -void -ktest_make_sample_cred_enc_part(krb5_cred_enc_part *cep) -{ - cep->nonce = SAMPLE_NONCE; - cep->timestamp = SAMPLE_TIME; - cep->usec = SAMPLE_USEC; - cep->s_address = ealloc(sizeof(krb5_address)); - ktest_make_sample_address(cep->s_address); - cep->r_address = ealloc(sizeof(krb5_address)); - ktest_make_sample_address(cep->r_address); - ktest_make_sequence_of_cred_info(&cep->ticket_info); -} - -void -ktest_make_sequence_of_cred_info(krb5_cred_info ***soci) -{ - int i; - - *soci = ealloc(3 * sizeof(krb5_cred_info *)); - for (i = 0; i < 2; i++) { - (*soci)[i] = ealloc(sizeof(krb5_cred_info)); - ktest_make_sample_cred_info((*soci)[i]); - } - (*soci)[2] = NULL; -} - -void -ktest_make_sample_cred_info(krb5_cred_info *ci) -{ - ci->session = ealloc(sizeof(krb5_keyblock)); - ktest_make_sample_keyblock(ci->session); - ktest_make_sample_principal(&ci->client); - ktest_make_sample_principal(&ci->server); - ci->flags = SAMPLE_FLAGS; - ci->times.authtime = SAMPLE_TIME; - ci->times.starttime = SAMPLE_TIME; - ci->times.endtime = SAMPLE_TIME; - ci->times.renew_till = SAMPLE_TIME; - ktest_make_sample_addresses(&ci->caddrs); -} - -void -ktest_make_sample_error(krb5_error *kerr) -{ - kerr->ctime = SAMPLE_TIME; - kerr->cusec = SAMPLE_USEC; - kerr->susec = SAMPLE_USEC; - kerr->stime = SAMPLE_TIME; - kerr->error = SAMPLE_ERROR; - ktest_make_sample_principal(&kerr->client); - ktest_make_sample_principal(&kerr->server); - ktest_make_sample_data(&kerr->text); - ktest_make_sample_data(&kerr->e_data); -} - -void -ktest_make_sample_data(krb5_data *d) -{ - krb5_data_parse(d, "krb5data"); -} - -void 
-ktest_make_sample_etype_info(krb5_etype_info_entry ***p) -{ - krb5_etype_info_entry **info; - int i, len; - char *str; - - info = ealloc(4 * sizeof(krb5_etype_info_entry *)); - for (i = 0; i < 3; i++) { - info[i] = ealloc(sizeof(krb5_etype_info_entry)); - info[i]->etype = i; - len = asprintf(&str, "Morton's #%d", i); - if (len < 0) - abort(); - info[i]->salt = (krb5_octet *)str; - info[i]->length = len; - info[i]->s2kparams.data = NULL; - info[i]->s2kparams.length = 0; - info[i]->magic = KV5M_ETYPE_INFO_ENTRY; - } - free(info[1]->salt); - info[1]->length = KRB5_ETYPE_NO_SALT; - info[1]->salt = 0; - *p = info; -} - - -void -ktest_make_sample_etype_info2(krb5_etype_info_entry ***p) -{ - krb5_etype_info_entry **info; - int i, len; - char *str; - - info = ealloc(4 * sizeof(krb5_etype_info_entry *)); - for (i = 0; i < 3; i++) { - info[i] = ealloc(sizeof(krb5_etype_info_entry)); - info[i]->etype = i; - len = asprintf(&str, "Morton's #%d", i); - if (len < 0) - abort(); - info[i]->salt = (krb5_octet *)str; - info[i]->length = (unsigned int)len; - len = asprintf(&info[i]->s2kparams.data, "s2k: %d", i); - if (len < 0) - abort(); - info[i]->s2kparams.length = (unsigned int) len; - info[i]->magic = KV5M_ETYPE_INFO_ENTRY; - } - free(info[1]->salt); - info[1]->length = KRB5_ETYPE_NO_SALT; - info[1]->salt = 0; - *p = info; -} - - -void -ktest_make_sample_pa_enc_ts(krb5_pa_enc_ts *pa_enc) -{ - pa_enc->patimestamp = SAMPLE_TIME; - pa_enc->pausec = SAMPLE_USEC; -} - -void -ktest_make_sample_sam_challenge_2(krb5_sam_challenge_2 *p) -{ - /* Need a valid DER sequence encoding here; this one contains the OCTET - * STRING "challenge". 
*/ - krb5_data_parse(&p->sam_challenge_2_body, "\x30\x0B\x04\x09" "challenge"); - p->sam_cksum = ealloc(2 * sizeof(krb5_checksum *)); - p->sam_cksum[0] = ealloc(sizeof(krb5_checksum)); - ktest_make_sample_checksum(p->sam_cksum[0]); - p->sam_cksum[1] = NULL; -} - -void -ktest_make_sample_sam_challenge_2_body(krb5_sam_challenge_2_body *p) -{ - p->sam_type = 42; - p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; - krb5_data_parse(&p->sam_type_name, "type name"); - p->sam_track_id = empty_data(); - krb5_data_parse(&p->sam_challenge_label, "challenge label"); - krb5_data_parse(&p->sam_challenge, "challenge ipse"); - krb5_data_parse(&p->sam_response_prompt, "response_prompt ipse"); - p->sam_pk_for_sad = empty_data(); - p->sam_nonce = 0x543210; - p->sam_etype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; -} - -void -ktest_make_sample_sam_response_2(krb5_sam_response_2 *p) -{ - p->magic = KV5M_SAM_RESPONSE; - p->sam_type = 43; /* information */ - p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */ - krb5_data_parse(&p->sam_track_id, "track data"); - krb5_data_parse(&p->sam_enc_nonce_or_sad.ciphertext, "nonce or sad"); - p->sam_enc_nonce_or_sad.enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; - p->sam_enc_nonce_or_sad.kvno = 3382; - p->sam_nonce = 0x543210; -} - -void -ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p) -{ - p->magic = 83; - p->sam_nonce = 88; - krb5_data_parse(&p->sam_sad, "enc_sam_response_enc_2"); -} - -void -ktest_make_sample_pa_for_user(krb5_pa_for_user *p) -{ - ktest_make_sample_principal(&p->user); - ktest_make_sample_checksum(&p->cksum); - ktest_make_sample_data(&p->auth_package); -} - -void -ktest_make_sample_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p) -{ - krb5_s4u_userid *u = &p->user_id; - - u->nonce = 13243546; - ktest_make_sample_principal(&u->user); - krb5_data_parse(&u->subject_cert, "pa_s4u_x509_user"); - u->options = 0x80000000; - ktest_make_sample_checksum(&p->cksum); -} - -void 
-ktest_make_sample_ad_kdcissued(krb5_ad_kdcissued *p) -{ - ktest_make_sample_checksum(&p->ad_checksum); - ktest_make_sample_principal(&p->i_principal); - ktest_make_sample_authorization_data(&p->elements); -} - -void -ktest_make_sample_iakerb_header(krb5_iakerb_header *ih) -{ - ktest_make_sample_data(&(ih->target_realm)); - ih->cookie = ealloc(sizeof(krb5_data)); - ktest_make_sample_data(ih->cookie); -} - -void -ktest_make_sample_iakerb_finished(krb5_iakerb_finished *ih) -{ - ktest_make_sample_checksum(&ih->checksum); -} - -static void -ktest_make_sample_fast_finished(krb5_fast_finished *p) -{ - p->timestamp = SAMPLE_TIME; - p->usec = SAMPLE_USEC; - ktest_make_sample_principal(&p->client); - ktest_make_sample_checksum(&p->ticket_checksum); -} - -void -ktest_make_sample_fast_response(krb5_fast_response *p) -{ - ktest_make_sample_pa_data_array(&p->padata); - p->strengthen_key = ealloc(sizeof(krb5_keyblock)); - ktest_make_sample_keyblock(p->strengthen_key); - p->finished = ealloc(sizeof(krb5_fast_finished)); - ktest_make_sample_fast_finished(p->finished); - p->nonce = SAMPLE_NONCE; -} - -void -ktest_make_sha256_alg(krb5_algorithm_identifier *p) -{ - /* { 2 16 840 1 101 3 4 2 1 } */ - krb5_data_parse(&p->algorithm, "\x60\x86\x48\x01\x65\x03\x04\x02\x01"); - p->parameters = empty_data(); -} - -void -ktest_make_sha1_alg(krb5_algorithm_identifier *p) -{ - /* { 1 3 14 3 2 26 } */ - krb5_data_parse(&p->algorithm, "\x2b\x0e\x03\x02\x1a"); - p->parameters = empty_data(); -} - -void -ktest_make_minimal_otp_tokeninfo(krb5_otp_tokeninfo *p) -{ - memset(p, 0, sizeof(*p)); - p->length = p->format = p->iteration_count = -1; -} - -void -ktest_make_maximal_otp_tokeninfo(krb5_otp_tokeninfo *p) -{ - p->flags = KRB5_OTP_FLAG_NEXTOTP | KRB5_OTP_FLAG_COMBINE | - KRB5_OTP_FLAG_COLLECT_PIN | KRB5_OTP_FLAG_ENCRYPT_NONCE | - KRB5_OTP_FLAG_SEPARATE_PIN | KRB5_OTP_FLAG_CHECK_DIGIT; - krb5_data_parse(&p->vendor, "Examplecorp"); - krb5_data_parse(&p->challenge, "hark!"); - p->length = 10; - 
p->format = 2; - krb5_data_parse(&p->token_id, "yourtoken"); - krb5_data_parse(&p->alg_id, "urn:ietf:params:xml:ns:keyprov:pskc:hotp"); - p->supported_hash_alg = ealloc(3 * sizeof(*p->supported_hash_alg)); - p->supported_hash_alg[0] = ealloc(sizeof(*p->supported_hash_alg[0])); - ktest_make_sha256_alg(p->supported_hash_alg[0]); - p->supported_hash_alg[1] = ealloc(sizeof(*p->supported_hash_alg[1])); - ktest_make_sha1_alg(p->supported_hash_alg[1]); - p->supported_hash_alg[2] = NULL; - p->iteration_count = 1000; -} - -void -ktest_make_minimal_pa_otp_challenge(krb5_pa_otp_challenge *p) -{ - memset(p, 0, sizeof(*p)); - krb5_data_parse(&p->nonce, "minnonce"); - p->tokeninfo = ealloc(2 * sizeof(*p->tokeninfo)); - p->tokeninfo[0] = ealloc(sizeof(*p->tokeninfo[0])); - ktest_make_minimal_otp_tokeninfo(p->tokeninfo[0]); - p->tokeninfo[1] = NULL; -} - -void -ktest_make_maximal_pa_otp_challenge(krb5_pa_otp_challenge *p) -{ - krb5_data_parse(&p->nonce, "maxnonce"); - krb5_data_parse(&p->service, "testservice"); - p->tokeninfo = ealloc(3 * sizeof(*p->tokeninfo)); - p->tokeninfo[0] = ealloc(sizeof(*p->tokeninfo[0])); - ktest_make_minimal_otp_tokeninfo(p->tokeninfo[0]); - p->tokeninfo[1] = ealloc(sizeof(*p->tokeninfo[1])); - ktest_make_maximal_otp_tokeninfo(p->tokeninfo[1]); - p->tokeninfo[2] = NULL; - krb5_data_parse(&p->salt, "keysalt"); - krb5_data_parse(&p->s2kparams, "1234"); -} - -void -ktest_make_minimal_pa_otp_req(krb5_pa_otp_req *p) -{ - memset(p, 0, sizeof(*p)); - p->iteration_count = -1; - p->format = -1; - ktest_make_sample_enc_data(&p->enc_data); -} - -void -ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p) -{ - p->flags = KRB5_OTP_FLAG_NEXTOTP | KRB5_OTP_FLAG_COMBINE; - krb5_data_parse(&p->nonce, "nonce"); - ktest_make_sample_enc_data(&p->enc_data); - p->hash_alg = ealloc(sizeof(*p->hash_alg)); - ktest_make_sha256_alg(p->hash_alg); - p->iteration_count = 1000; - krb5_data_parse(&p->otp_value, "frogs"); - krb5_data_parse(&p->pin, "myfirstpin"); - 
krb5_data_parse(&p->challenge, "hark!"); - p->time = SAMPLE_TIME; - krb5_data_parse(&p->counter, "346"); - p->format = 2; - krb5_data_parse(&p->token_id, "yourtoken"); - krb5_data_parse(&p->alg_id, "urn:ietf:params:xml:ns:keyprov:pskc:hotp"); - krb5_data_parse(&p->vendor, "Examplecorp"); -} - -#ifndef DISABLE_PKINIT - -static void -ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p) -{ - p->cusec = SAMPLE_USEC; - p->ctime = SAMPLE_TIME; - p->nonce = SAMPLE_NONCE; - ktest_make_sample_data(&p->paChecksum); - p->freshnessToken = ealloc(sizeof(krb5_data)); - ktest_make_sample_data(p->freshnessToken); -} - -static void -ktest_make_sample_oid(krb5_data *p) -{ - krb5_data_parse(p, "\052\206\110\206\367\022\001\002\002"); -} - -static void -ktest_make_sample_algorithm_identifier(krb5_algorithm_identifier *p) -{ - ktest_make_sample_oid(&p->algorithm); - /* Need a valid DER encoding here; this is the OCTET STRING "params". */ - krb5_data_parse(&p->parameters, "\x04\x06" "params"); -} - -static void -ktest_make_sample_algorithm_identifier_no_params(krb5_algorithm_identifier *p) -{ - ktest_make_sample_oid(&p->algorithm); - p->parameters = empty_data(); -} - -static void -ktest_make_sample_external_principal_identifier( - krb5_external_principal_identifier *p) -{ - ktest_make_sample_data(&p->subjectName); - ktest_make_sample_data(&p->issuerAndSerialNumber); - ktest_make_sample_data(&p->subjectKeyIdentifier); -} - -void -ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p) -{ - ktest_make_sample_data(&p->signedAuthPack); - p->trustedCertifiers = - ealloc(2 * sizeof(krb5_external_principal_identifier *)); - p->trustedCertifiers[0] = - ealloc(sizeof(krb5_external_principal_identifier)); - ktest_make_sample_external_principal_identifier(p->trustedCertifiers[0]); - p->trustedCertifiers[1] = NULL; - ktest_make_sample_data(&p->kdcPkId); -} - -static void -ktest_make_sample_dh_rep_info(krb5_dh_rep_info *p) -{ - ktest_make_sample_data(&p->dhSignedData); - 
ktest_make_sample_data(&p->serverDHNonce); - p->kdfID = ealloc(sizeof(krb5_data)); - ktest_make_sample_data(p->kdfID); -} - -void -ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p) -{ - p->choice = choice_pa_pk_as_rep_dhInfo; - ktest_make_sample_dh_rep_info(&p->u.dh_Info); -} - -void -ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p) -{ - p->choice = choice_pa_pk_as_rep_encKeyPack; - ktest_make_sample_data(&p->u.encKeyPack); -} - -void -ktest_make_sample_auth_pack(krb5_auth_pack *p) -{ - ktest_make_sample_pk_authenticator(&p->pkAuthenticator); - /* Need a valid DER encoding here; this is the OCTET STRING "pvalue". */ - krb5_data_parse(&p->clientPublicValue, "\x04\x06" "pvalue"); - p->supportedCMSTypes = ealloc(3 * sizeof(krb5_algorithm_identifier *)); - p->supportedCMSTypes[0] = ealloc(sizeof(krb5_algorithm_identifier)); - ktest_make_sample_algorithm_identifier(p->supportedCMSTypes[0]); - p->supportedCMSTypes[1] = ealloc(sizeof(krb5_algorithm_identifier)); - ktest_make_sample_algorithm_identifier_no_params(p->supportedCMSTypes[1]); - p->supportedCMSTypes[2] = NULL; - ktest_make_sample_data(&p->clientDHNonce); - p->supportedKDFs = ealloc(2 * sizeof(krb5_data *)); - p->supportedKDFs[0] = ealloc(sizeof(krb5_data)); - ktest_make_sample_data(p->supportedKDFs[0]); - p->supportedKDFs[1] = NULL; -} - -void -ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p) -{ - ktest_make_sample_data(&p->subjectPublicKey); - p->nonce = SAMPLE_NONCE; - p->dhKeyExpiration = SAMPLE_TIME; -} - -void -ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p) -{ - ktest_make_sample_keyblock(&p->replyKey); - ktest_make_sample_checksum(&p->asChecksum); -} - -void -ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p) -{ - ktest_make_sample_algorithm_identifier_no_params(&p->algorithm_identifier); - ktest_make_sample_principal(&p->party_u_info); - ktest_make_sample_principal(&p->party_v_info); - ktest_make_sample_data(&p->supp_pub_info); -} - -void 
-ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p) -{ - p->enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; - ktest_make_sample_data(&p->as_req); - ktest_make_sample_data(&p->pk_as_rep); -} - -#endif /* not DISABLE_PKINIT */ - -#ifdef ENABLE_LDAP -static void -ktest_make_sample_key_data(krb5_key_data *p, int i) -{ - char *str; - int len; - - len = asprintf(&str, "key%d", i); - if (len < 0) - abort(); - p->key_data_ver = 2; - p->key_data_type[0] = 2; - p->key_data_length[0] = (unsigned int) len; - p->key_data_contents[0] = (krb5_octet *)str; - len = asprintf(&str, "salt%d", i); - if (len < 0) - abort(); - p->key_data_type[1] = i; - p->key_data_length[1] = (unsigned int) len; - p->key_data_contents[1] = (krb5_octet *)str; -} - -void -ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data *p) -{ - int i; - - p->mkvno = 14; - p->n_key_data = 3; - p->key_data = calloc(3,sizeof(krb5_key_data)); - p->kvno = 42; - for (i = 0; i < 3; i++) - ktest_make_sample_key_data(&p->key_data[i], i); -} -#endif - -void -ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p) -{ - krb5_kdc_req req; - krb5_data *message; - - ktest_make_sample_kdc_req(&req); - req.msg_type = KRB5_AS_REQ; - encode_krb5_as_req(&req, &message); - p->kerb_message = *message; - free(message); - ktest_empty_kdc_req(&req); - ktest_make_sample_data(&(p->target_domain)); - p->dclocator_hint = 0; -} - -static krb5_authdata * -make_ad_element(krb5_authdatatype ad_type, const char *str) -{ - krb5_authdata *ad; - - ad = ealloc(sizeof(*ad)); - ad->ad_type = ad_type; - ad->length = strlen(str); - ad->contents = ealloc(ad->length); - memcpy(ad->contents, str, ad->length); - return ad; -} - -static krb5_verifier_mac * -make_vmac(krb5_boolean include_princ, krb5_kvno kvno, krb5_enctype enctype, - const char *cksumstr) -{ - krb5_verifier_mac *vmac; - - vmac = ealloc(sizeof(*vmac)); - if (include_princ) { - ktest_make_sample_principal(&vmac->princ); - (void)krb5_set_principal_realm(NULL, vmac->princ, ""); - 
} else { - vmac->princ = NULL; - } - vmac->kvno = kvno; - vmac->enctype = enctype; - vmac->checksum.checksum_type = 1; - vmac->checksum.length = strlen(cksumstr); - vmac->checksum.contents = ealloc(vmac->checksum.length); - memcpy(vmac->checksum.contents, cksumstr, vmac->checksum.length); - return vmac; -} - -void -ktest_make_minimal_cammac(krb5_cammac *p) -{ - memset(p, 0, sizeof(*p)); - p->elements = ealloc(2 * sizeof(*p->elements)); - p->elements[0] = make_ad_element(1, "ad1"); - p->elements[1] = NULL; -} - -void -ktest_make_maximal_cammac(krb5_cammac *p) -{ - p->elements = ealloc(3 * sizeof(*p->elements)); - p->elements[0] = make_ad_element(1, "ad1"); - p->elements[1] = make_ad_element(2, "ad2"); - p->elements[2] = NULL; - p->kdc_verifier = make_vmac(TRUE, 5, 16, "cksumkdc"); - p->svc_verifier = make_vmac(TRUE, 5, 16, "cksumsvc"); - p->other_verifiers = ealloc(3 * sizeof(*p->other_verifiers)); - p->other_verifiers[0] = make_vmac(FALSE, 0, 0, "cksum1"); - p->other_verifiers[1] = make_vmac(TRUE, 5, 16, "cksum2"); - p->other_verifiers[2] = NULL; -} - -void -ktest_make_sample_secure_cookie(krb5_secure_cookie *p) -{ - ktest_make_sample_pa_data_array(&p->data); - p->time = SAMPLE_TIME; -} - -void -ktest_make_minimal_spake_factor(krb5_spake_factor *p) -{ - p->type = 1; - p->data = NULL; -} - -void -ktest_make_maximal_spake_factor(krb5_spake_factor *p) -{ - p->type = 2; - p->data = ealloc(sizeof(*p->data)); - krb5_data_parse(p->data, "fdata"); -} - -void -ktest_make_support_pa_spake(krb5_pa_spake *p) -{ - krb5_spake_support *s = &p->u.support; - - s->ngroups = 2; - s->groups = ealloc(s->ngroups * sizeof(*s->groups)); - s->groups[0] = 1; - s->groups[1] = 2; - p->choice = SPAKE_MSGTYPE_SUPPORT; -} - -void -ktest_make_challenge_pa_spake(krb5_pa_spake *p) -{ - krb5_spake_challenge *c = &p->u.challenge; - - c->group = 1; - krb5_data_parse(&c->pubkey, "T value"); - c->factors = ealloc(3 * sizeof(*c->factors)); - c->factors[0] = ealloc(sizeof(*c->factors[0])); - 
ktest_make_minimal_spake_factor(c->factors[0]);
- c->factors[1] = ealloc(sizeof(*c->factors[1]));
- ktest_make_maximal_spake_factor(c->factors[1]);
- c->factors[2] = NULL;
- p->choice = SPAKE_MSGTYPE_CHALLENGE;
-}
-
-void
-ktest_make_response_pa_spake(krb5_pa_spake *p)
-{
- krb5_spake_response *r = &p->u.response;
-
- krb5_data_parse(&r->pubkey, "S value");
- ktest_make_sample_enc_data(&r->factor);
- p->choice = SPAKE_MSGTYPE_RESPONSE;
-}
-
-void
-ktest_make_encdata_pa_spake(krb5_pa_spake *p)
-{
- ktest_make_sample_enc_data(&p->u.encdata);
- p->choice = SPAKE_MSGTYPE_ENCDATA;
-}
-
-/****************************************************************/
-/* destructors */
-
-void
-ktest_destroy_data(krb5_data **d)
-{
- if (*d != NULL) {
- free((*d)->data);
- free(*d);
- *d = NULL;
- }
-}
-
-void
-ktest_empty_data(krb5_data *d)
-{
- if (d->data != NULL) {
- free(d->data);
- d->data = NULL;
- d->length = 0;
- }
-}
-
-static void
-ktest_empty_checksum(krb5_checksum *cs)
-{
- free(cs->contents);
- cs->contents = NULL;
-}
-
-void
-ktest_destroy_checksum(krb5_checksum **cs)
-{
- if (*cs != NULL) {
- free((*cs)->contents);
- free(*cs);
- *cs = NULL;
- }
-}
-
-void
-ktest_empty_keyblock(krb5_keyblock *kb)
-{
- if (kb != NULL) {
- if (kb->contents) {
- free(kb->contents);
- kb->contents = NULL;
- }
- }
-}
-
-void
-ktest_destroy_keyblock(krb5_keyblock **kb)
-{
- if (*kb != NULL) {
- free((*kb)->contents);
- free(*kb);
- *kb = NULL;
- }
-}
-
-void
-ktest_empty_authorization_data(krb5_authdata **ad)
-{
- size_t i;
-
- if (*ad != NULL) {
- for (i=0; ad[i] != NULL; i++)
- ktest_destroy_authdata(&ad[i]);
- }
-}
-
-void
-ktest_destroy_authorization_data(krb5_authdata ***ad)
-{
- ktest_empty_authorization_data(*ad);
- free(*ad);
- *ad = NULL;
-}
-
-void
-ktest_destroy_authdata(krb5_authdata **ad)
-{
- if (*ad != NULL) {
- free((*ad)->contents);
- free(*ad);
- *ad = NULL;
- }
-}
-
-void
-ktest_empty_pa_data_array(krb5_pa_data **pad)
-{
- size_t i;
-
- for (i=0; pad[i] != NULL; i++)
- 
ktest_destroy_pa_data(&pad[i]);
-}
-
-void
-ktest_destroy_pa_data_array(krb5_pa_data ***pad)
-{
- ktest_empty_pa_data_array(*pad);
- free(*pad);
- *pad = NULL;
-}
-
-void
-ktest_destroy_pa_data(krb5_pa_data **pad)
-{
- if (*pad != NULL) {
- free((*pad)->contents);
- free(*pad);
- *pad = NULL;
- }
-}
-
-void
-ktest_destroy_address(krb5_address **a)
-{
- if (*a != NULL) {
- free((*a)->contents);
- free(*a);
- *a = NULL;
- }
-}
-
-void
-ktest_empty_addresses(krb5_address **a)
-{
- size_t i;
-
- for (i=0; a[i] != NULL; i++)
- ktest_destroy_address(&a[i]);
-}
-
-void
-ktest_destroy_addresses(krb5_address ***a)
-{
- ktest_empty_addresses(*a);
- free(*a);
- *a = NULL;
-}
-
-void
-ktest_destroy_principal(krb5_principal *p)
-{
- int i;
-
- if (*p == NULL)
- return;
- for (i=0; i<(*p)->length; i++)
- ktest_empty_data(&(*p)->data[i]);
- ktest_empty_data(&(*p)->realm);
- free((*p)->data);
- free(*p);
- *p = NULL;
-}
-
-void
-ktest_destroy_sequence_of_integer(long **soi)
-{
- free(*soi);
- *soi = NULL;
-}
-
-void
-ktest_destroy_sequence_of_ticket(krb5_ticket ***sot)
-{
- size_t i;
-
- for (i=0; (*sot)[i] != NULL; i++)
- ktest_destroy_ticket(&(*sot)[i]);
- free(*sot);
- *sot = NULL;
-}
-
-void
-ktest_destroy_ticket(krb5_ticket **tkt)
-{
- ktest_destroy_principal(&(*tkt)->server);
- ktest_destroy_enc_data(&(*tkt)->enc_part);
- /* ktest_empty_enc_tkt_part(((*tkt)->enc_part2));*/
- free(*tkt);
- *tkt = NULL;
-}
-
-void
-ktest_empty_ticket(krb5_ticket *tkt)
-{
- if (tkt->server)
- ktest_destroy_principal(&tkt->server);
- ktest_destroy_enc_data(&tkt->enc_part);
- if (tkt->enc_part2)
- ktest_destroy_enc_tkt_part(&tkt->enc_part2);
-}
-
-void
-ktest_destroy_enc_data(krb5_enc_data *ed)
-{
- ktest_empty_data(&ed->ciphertext);
- ed->kvno = 0;
-}
-
-void
-ktest_destroy_etype_info_entry(krb5_etype_info_entry *i)
-{
- if (i->salt)
- free(i->salt);
- ktest_empty_data(&i->s2kparams);
- free(i);
-}
-
-void
-ktest_destroy_etype_info(krb5_etype_info_entry **info)
-{
- size_t i;
-
- for (i = 0;
info[i] != NULL; i++)
- ktest_destroy_etype_info_entry(info[i]);
- free(info);
-}
-
-void
-ktest_empty_kdc_req(krb5_kdc_req *kr)
-{
- if (kr->padata)
- ktest_destroy_pa_data_array(&kr->padata);
-
- if (kr->client)
- ktest_destroy_principal(&kr->client);
-
- if (kr->server)
- ktest_destroy_principal(&kr->server);
- free(kr->ktype);
- if (kr->addresses)
- ktest_destroy_addresses(&kr->addresses);
- ktest_destroy_enc_data(&kr->authorization_data);
- if (kr->unenc_authdata)
- ktest_destroy_authorization_data(&kr->unenc_authdata);
- if (kr->second_ticket)
- ktest_destroy_sequence_of_ticket(&kr->second_ticket);
-
-}
-
-void
-ktest_empty_kdc_rep(krb5_kdc_rep *kr)
-{
- if (kr->padata)
- ktest_destroy_pa_data_array(&kr->padata);
-
- if (kr->client)
- ktest_destroy_principal(&kr->client);
-
- if (kr->ticket)
- ktest_destroy_ticket(&kr->ticket);
-
- ktest_destroy_enc_data(&kr->enc_part);
-
- if (kr->enc_part2) {
- ktest_empty_enc_kdc_rep_part(kr->enc_part2);
- free(kr->enc_part2);
- kr->enc_part2 = NULL;
- }
-}
-
-void
-ktest_empty_authenticator(krb5_authenticator *a)
-{
- if (a->client)
- ktest_destroy_principal(&a->client);
- if (a->checksum)
- ktest_destroy_checksum(&a->checksum);
- if (a->subkey)
- ktest_destroy_keyblock(&a->subkey);
- if (a->authorization_data)
- ktest_destroy_authorization_data(&a->authorization_data);
-}
-
-void
-ktest_empty_enc_tkt_part(krb5_enc_tkt_part *etp)
-{
- if (etp->session)
- ktest_destroy_keyblock(&etp->session);
- if (etp->client)
- ktest_destroy_principal(&etp->client);
- if (etp->caddrs)
- ktest_destroy_addresses(&etp->caddrs);
- if (etp->authorization_data)
- ktest_destroy_authorization_data(&etp->authorization_data);
- ktest_destroy_transited(&etp->transited);
-}
-
-void
-ktest_destroy_enc_tkt_part(krb5_enc_tkt_part **etp)
-{
- if (*etp) {
- ktest_empty_enc_tkt_part(*etp);
- free(*etp);
- *etp = NULL;
- }
-}
-
-void
-ktest_empty_enc_kdc_rep_part(krb5_enc_kdc_rep_part *ekr)
-{
- if (ekr->session)
- ktest_destroy_keyblock(&ekr->session);
-
- if (ekr->server)
- ktest_destroy_principal(&ekr->server);
-
- if (ekr->caddrs)
- ktest_destroy_addresses(&ekr->caddrs);
- ktest_destroy_last_req(&ekr->last_req);
-}
-
-void
-ktest_destroy_transited(krb5_transited *t)
-{
- if (t->tr_contents.data)
- ktest_empty_data(&t->tr_contents);
-}
-
-void
-ktest_empty_ap_rep(krb5_ap_rep *ar)
-{
- ktest_destroy_enc_data(&ar->enc_part);
-}
-
-void
-ktest_empty_ap_req(krb5_ap_req *ar)
-{
- if (ar->ticket)
- ktest_destroy_ticket(&ar->ticket);
- ktest_destroy_enc_data(&ar->authenticator);
-}
-
-void
-ktest_empty_cred_enc_part(krb5_cred_enc_part *cep)
-{
- if (cep->s_address)
- ktest_destroy_address(&cep->s_address);
- if (cep->r_address)
- ktest_destroy_address(&cep->r_address);
- if (cep->ticket_info)
- ktest_destroy_sequence_of_cred_info(&cep->ticket_info);
-}
-
-void
-ktest_destroy_cred_info(krb5_cred_info **ci)
-{
- if ((*ci)->session)
- ktest_destroy_keyblock(&(*ci)->session);
- if ((*ci)->client)
- ktest_destroy_principal(&(*ci)->client);
- if ((*ci)->server)
- ktest_destroy_principal(&(*ci)->server);
- if ((*ci)->caddrs)
- ktest_destroy_addresses(&(*ci)->caddrs);
- free(*ci);
- *ci = NULL;
-}
-
-void
-ktest_destroy_sequence_of_cred_info(krb5_cred_info ***soci)
-{
- size_t i;
-
- for (i = 0; (*soci)[i] != NULL; i++)
- ktest_destroy_cred_info(&(*soci)[i]);
- free(*soci);
- *soci = NULL;
-}
-
-void
-ktest_empty_safe(krb5_safe *s)
-{
- ktest_empty_data(&s->user_data);
- ktest_destroy_address(&s->s_address);
- ktest_destroy_address(&s->r_address);
- ktest_destroy_checksum(&s->checksum);
-}
-
-void
-ktest_empty_priv_enc_part(krb5_priv_enc_part *pep)
-{
- ktest_empty_data(&pep->user_data);
- ktest_destroy_address(&pep->s_address);
- ktest_destroy_address(&pep->r_address);
-}
-
-void
-ktest_empty_priv(krb5_priv *p)
-{
- ktest_destroy_enc_data(&p->enc_part);
-}
-
-void
-ktest_empty_cred(krb5_cred *c)
-{
- ktest_destroy_sequence_of_ticket(&c->tickets);
- ktest_destroy_enc_data(&c->enc_part);
- /* enc_part2 */
-}
-
-void
-ktest_destroy_last_req(krb5_last_req_entry ***lr)
-{
- size_t i;
-
- if (*lr) {
- for (i=0; (*lr)[i] != NULL; i++)
- free((*lr)[i]);
-
- free(*lr);
- }
-}
-
-void
-ktest_empty_error(krb5_error *kerr)
-{
- if (kerr->client)
- ktest_destroy_principal(&kerr->client);
- if (kerr->server)
- ktest_destroy_principal(&kerr->server);
- ktest_empty_data(&kerr->text);
- ktest_empty_data(&kerr->e_data);
-}
-
-void
-ktest_empty_ap_rep_enc_part(krb5_ap_rep_enc_part *arep)
-{
- ktest_destroy_keyblock(&(arep)->subkey);
-}
-
-void
-ktest_empty_sam_challenge_2(krb5_sam_challenge_2 *p)
-{
- krb5_checksum **ck;
-
- ktest_empty_data(&p->sam_challenge_2_body);
- if (p->sam_cksum != NULL) {
- for (ck = p->sam_cksum; *ck != NULL; ck++)
- ktest_destroy_checksum(ck);
- free(p->sam_cksum);
- p->sam_cksum = NULL;
- }
-}
-
-void
-ktest_empty_sam_challenge_2_body(krb5_sam_challenge_2_body *p)
-{
- ktest_empty_data(&p->sam_type_name);
- ktest_empty_data(&p->sam_track_id);
- ktest_empty_data(&p->sam_challenge_label);
- ktest_empty_data(&p->sam_challenge);
- ktest_empty_data(&p->sam_response_prompt);
- ktest_empty_data(&p->sam_pk_for_sad);
-}
-
-void
-ktest_empty_sam_response_2(krb5_sam_response_2 *p)
-{
- ktest_empty_data(&p->sam_track_id);
- ktest_empty_data(&p->sam_enc_nonce_or_sad.ciphertext);
-}
-
-void
-ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p)
-{
- ktest_empty_data(&p->sam_sad);
-}
-
-void
-ktest_empty_pa_for_user(krb5_pa_for_user *p)
-{
- ktest_destroy_principal(&p->user);
- ktest_empty_checksum(&p->cksum);
- ktest_empty_data(&p->auth_package);
-}
-
-void
-ktest_empty_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p)
-{
- ktest_destroy_principal(&p->user_id.user);
- ktest_empty_data(&p->user_id.subject_cert);
- free(p->cksum.contents);
-}
-
-void
-ktest_empty_ad_kdcissued(krb5_ad_kdcissued *p)
-{
- free(p->ad_checksum.contents);
- ktest_destroy_principal(&p->i_principal);
- ktest_destroy_authorization_data(&p->elements);
-}
-
-void
-ktest_empty_iakerb_header(krb5_iakerb_header *p)
-{
- krb5_free_data_contents(NULL, &p->target_realm);
- krb5_free_data(NULL, p->cookie);
-}
-
-void
-ktest_empty_iakerb_finished(krb5_iakerb_finished *p)
-{
- krb5_free_checksum_contents(NULL, &p->checksum);
-}
-
-static void
-ktest_empty_fast_finished(krb5_fast_finished *p)
-{
- ktest_destroy_principal(&p->client);
- ktest_empty_checksum(&p->ticket_checksum);
-}
-
-void
-ktest_empty_fast_response(krb5_fast_response *p)
-{
- ktest_destroy_pa_data_array(&p->padata);
- ktest_destroy_keyblock(&p->strengthen_key);
- if (p->finished != NULL) {
- ktest_empty_fast_finished(p->finished);
- free(p->finished);
- p->finished = NULL;
- }
-}
-
-static void
-ktest_empty_algorithm_identifier(krb5_algorithm_identifier *p)
-{
- ktest_empty_data(&p->algorithm);
- ktest_empty_data(&p->parameters);
-}
-
-void
-ktest_empty_otp_tokeninfo(krb5_otp_tokeninfo *p)
-{
- krb5_algorithm_identifier **alg;
-
- p->flags = 0;
- krb5_free_data_contents(NULL, &p->vendor);
- krb5_free_data_contents(NULL, &p->challenge);
- krb5_free_data_contents(NULL, &p->token_id);
- krb5_free_data_contents(NULL, &p->alg_id);
- for (alg = p->supported_hash_alg; alg != NULL && *alg != NULL; alg++) {
- ktest_empty_algorithm_identifier(*alg);
- free(*alg);
- }
- free(p->supported_hash_alg);
- p->supported_hash_alg = NULL;
- p->length = p->format = p->iteration_count = -1;
-}
-
-void
-ktest_empty_pa_otp_challenge(krb5_pa_otp_challenge *p)
-{
- krb5_otp_tokeninfo **ti;
-
- krb5_free_data_contents(NULL, &p->nonce);
- krb5_free_data_contents(NULL, &p->service);
- for (ti = p->tokeninfo; *ti != NULL; ti++) {
- ktest_empty_otp_tokeninfo(*ti);
- free(*ti);
- }
- free(p->tokeninfo);
- p->tokeninfo = NULL;
- krb5_free_data_contents(NULL, &p->salt);
- krb5_free_data_contents(NULL, &p->s2kparams);
-}
-
-void
-ktest_empty_pa_otp_req(krb5_pa_otp_req *p)
-{
- p->flags = 0;
- krb5_free_data_contents(NULL, &p->nonce);
- ktest_destroy_enc_data(&p->enc_data);
- if (p->hash_alg != NULL)
- 
ktest_empty_algorithm_identifier(p->hash_alg);
- free(p->hash_alg);
- p->hash_alg = NULL;
- p->iteration_count = -1;
- krb5_free_data_contents(NULL, &p->otp_value);
- krb5_free_data_contents(NULL, &p->pin);
- krb5_free_data_contents(NULL, &p->challenge);
- p->time = 0;
- krb5_free_data_contents(NULL, &p->counter);
- p->format = -1;
- krb5_free_data_contents(NULL, &p->token_id);
- krb5_free_data_contents(NULL, &p->alg_id);
- krb5_free_data_contents(NULL, &p->vendor);
-}
-
-#ifndef DISABLE_PKINIT
-
-static void
-ktest_empty_pk_authenticator(krb5_pk_authenticator *p)
-{
- ktest_empty_data(&p->paChecksum);
- krb5_free_data(NULL, p->freshnessToken);
- p->freshnessToken = NULL;
-}
-
-static void
-ktest_empty_external_principal_identifier(
- krb5_external_principal_identifier *p)
-{
- ktest_empty_data(&p->subjectName);
- ktest_empty_data(&p->issuerAndSerialNumber);
- ktest_empty_data(&p->subjectKeyIdentifier);
-}
-
-void
-ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p)
-{
- krb5_external_principal_identifier **pi;
-
- ktest_empty_data(&p->signedAuthPack);
- for (pi = p->trustedCertifiers; *pi != NULL; pi++) {
- ktest_empty_external_principal_identifier(*pi);
- free(*pi);
- }
- free(p->trustedCertifiers);
- p->trustedCertifiers = NULL;
- ktest_empty_data(&p->kdcPkId);
-}
-
-static void
-ktest_empty_dh_rep_info(krb5_dh_rep_info *p)
-{
- ktest_empty_data(&p->dhSignedData);
- ktest_empty_data(&p->serverDHNonce);
- ktest_destroy_data(&p->kdfID);
-}
-
-void
-ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p)
-{
- if (p->choice == choice_pa_pk_as_rep_dhInfo)
- ktest_empty_dh_rep_info(&p->u.dh_Info);
- else if (p->choice == choice_pa_pk_as_rep_encKeyPack)
- ktest_empty_data(&p->u.encKeyPack);
- p->choice = choice_pa_pk_as_rep_UNKNOWN;
-}
-
-void
-ktest_empty_auth_pack(krb5_auth_pack *p)
-{
- krb5_algorithm_identifier **ai;
- krb5_data **d;
-
- ktest_empty_pk_authenticator(&p->pkAuthenticator);
- ktest_empty_data(&p->clientPublicValue);
- if (p->supportedCMSTypes != NULL) {
- for (ai =
p->supportedCMSTypes; *ai != NULL; ai++) {
- ktest_empty_algorithm_identifier(*ai);
- free(*ai);
- }
- free(p->supportedCMSTypes);
- p->supportedCMSTypes = NULL;
- }
- ktest_empty_data(&p->clientDHNonce);
- if (p->supportedKDFs != NULL) {
- for (d = p->supportedKDFs; *d != NULL; d++) {
- ktest_empty_data(*d);
- free(*d);
- }
- free(p->supportedKDFs);
- p->supportedKDFs = NULL;
- }
-}
-
-void
-ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
-{
- ktest_empty_data(&p->subjectPublicKey);
-}
-
-void
-ktest_empty_reply_key_pack(krb5_reply_key_pack *p)
-{
- ktest_empty_keyblock(&p->replyKey);
- ktest_empty_checksum(&p->asChecksum);
-}
-
-void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p)
-{
- ktest_empty_algorithm_identifier(&p->algorithm_identifier);
- ktest_destroy_principal(&p->party_u_info);
- ktest_destroy_principal(&p->party_v_info);
- ktest_empty_data(&p->supp_pub_info);
-}
-
-void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p)
-{
- ktest_empty_data(&p->as_req);
- ktest_empty_data(&p->pk_as_rep);
-}
-
-#endif /* not DISABLE_PKINIT */
-
-#ifdef ENABLE_LDAP
-void
-ktest_empty_ldap_seqof_key_data(ldap_seqof_key_data *p)
-{
- int i;
-
- for (i = 0; i < p->n_key_data; i++) {
- free(p->key_data[i].key_data_contents[0]);
- free(p->key_data[i].key_data_contents[1]);
- }
- free(p->key_data);
-}
-#endif
-
-void
-ktest_empty_kkdcp_message(krb5_kkdcp_message *p)
-{
- ktest_empty_data(&p->kerb_message);
- ktest_empty_data(&p->target_domain);
- p->dclocator_hint = -1;
-}
-
-static void
-destroy_verifier_mac(krb5_verifier_mac **vmac)
-{
- if (*vmac == NULL)
- return;
- ktest_destroy_principal(&(*vmac)->princ);
- ktest_empty_checksum(&(*vmac)->checksum);
- free(*vmac);
- *vmac = NULL;
-}
-
-void
-ktest_empty_cammac(krb5_cammac *p)
-{
- krb5_verifier_mac **vmacp;
-
- ktest_destroy_authorization_data(&p->elements);
- destroy_verifier_mac(&p->kdc_verifier);
- destroy_verifier_mac(&p->svc_verifier);
- for (vmacp = p->other_verifiers; vmacp != NULL
&& *vmacp != NULL; vmacp++)
- destroy_verifier_mac(vmacp);
- free(p->other_verifiers);
- p->other_verifiers = NULL;
-}
-
-void
-ktest_empty_secure_cookie(krb5_secure_cookie *p)
-{
- ktest_destroy_pa_data_array(&p->data);
-}
-
-void
-ktest_empty_spake_factor(krb5_spake_factor *p)
-{
- krb5_free_data(NULL, p->data);
- p->data = NULL;
-}
-
-void
-ktest_empty_pa_spake(krb5_pa_spake *p)
-{
- krb5_spake_factor **f;
-
- switch (p->choice) {
- case SPAKE_MSGTYPE_SUPPORT:
- free(p->u.support.groups);
- break;
- case SPAKE_MSGTYPE_CHALLENGE:
- ktest_empty_data(&p->u.challenge.pubkey);
- for (f = p->u.challenge.factors; *f != NULL; f++) {
- ktest_empty_spake_factor(*f);
- free(*f);
- }
- free(p->u.challenge.factors);
- break;
- case SPAKE_MSGTYPE_RESPONSE:
- ktest_empty_data(&p->u.response.pubkey);
- ktest_destroy_enc_data(&p->u.response.factor);
- break;
- case SPAKE_MSGTYPE_ENCDATA:
- ktest_destroy_enc_data(&p->u.encdata);
- break;
- default:
- break;
- }
- p->choice = SPAKE_MSGTYPE_UNKNOWN;
-}
diff --git a/crypto/krb5/src/tests/asn.1/ktest.h b/crypto/krb5/src/tests/asn.1/ktest.h
deleted file mode 100644
index 3b49def88684..000000000000
--- a/crypto/krb5/src/tests/asn.1/ktest.h
+++ /dev/null
@@ -1,210 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/asn.1/ktest.h */
-/*
- * Copyright (C) 1994 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef __KTEST_H__
-#define __KTEST_H__
-
-#include "k5-int.h"
-#include "k5-spake.h"
-#include "kdb.h"
-
-#define SAMPLE_USEC 123456
-#define SAMPLE_TIME 771228197 /* Fri Jun 10 6:03:17 GMT 1994 */
-#define SAMPLE_SEQ_NUMBER 17
-#define SAMPLE_NONCE 42
-#define SAMPLE_FLAGS 0xFEDCBA98
-#define SAMPLE_ERROR 0x3C;
-
-void ktest_make_sample_data(krb5_data *d);
-void ktest_make_sample_authenticator(krb5_authenticator *a);
-void ktest_make_sample_principal(krb5_principal *p);
-void ktest_make_sample_checksum(krb5_checksum *cs);
-void ktest_make_sample_keyblock(krb5_keyblock *kb);
-void ktest_make_sample_ticket(krb5_ticket *tkt);
-void ktest_make_sample_enc_data(krb5_enc_data *ed);
-void ktest_make_sample_enc_tkt_part(krb5_enc_tkt_part *etp);
-void ktest_make_sample_transited(krb5_transited *t);
-void ktest_make_sample_ticket_times(krb5_ticket_times *tt);
-void ktest_make_sample_addresses(krb5_address ***caddrs);
-void ktest_make_sample_address(krb5_address *a);
-void ktest_make_sample_authorization_data(krb5_authdata ***ad);
-void ktest_make_sample_authdata(krb5_authdata *ad);
-void ktest_make_sample_enc_kdc_rep_part(krb5_enc_kdc_rep_part *ekr);
-void ktest_make_sample_kdc_req(krb5_kdc_req *kr);
-
-void ktest_make_sample_last_req(krb5_last_req_entry ***lr);
-void ktest_make_sample_last_req_entry(krb5_last_req_entry **lre);
-void ktest_make_sample_kdc_rep(krb5_kdc_rep *kdcr);
-void ktest_make_sample_pa_data_array(krb5_pa_data ***pad);
-void ktest_make_sample_empty_pa_data_array(krb5_pa_data ***pad);
-void ktest_make_sample_pa_data(krb5_pa_data *pad);
-void ktest_make_sample_ap_req(krb5_ap_req *ar);
-void ktest_make_sample_ap_rep(krb5_ap_rep *ar);
-void ktest_make_sample_ap_rep_enc_part(krb5_ap_rep_enc_part *arep);
-void ktest_make_sample_kdc_req_body(krb5_kdc_req *krb);
-void ktest_make_sample_safe(krb5_safe *s);
-void ktest_make_sample_priv(krb5_priv *p);
-void ktest_make_sample_priv_enc_part(krb5_priv_enc_part *pep);
-void ktest_make_sample_cred(krb5_cred
*c);
-void ktest_make_sample_cred_enc_part(krb5_cred_enc_part *cep);
-void ktest_make_sample_sequence_of_ticket(krb5_ticket ***sot);
-void ktest_make_sample_error(krb5_error *kerr);
-void ktest_make_sequence_of_cred_info(krb5_cred_info ***soci);
-void ktest_make_sample_cred_info(krb5_cred_info *ci);
-
-void ktest_make_sample_etype_info(krb5_etype_info_entry ***p);
-void ktest_make_sample_etype_info2(krb5_etype_info_entry ***p);
-void ktest_make_sample_pa_enc_ts(krb5_pa_enc_ts *am);
-void ktest_make_sample_sam_challenge_2(krb5_sam_challenge_2 *p);
-void ktest_make_sample_sam_challenge_2_body(krb5_sam_challenge_2_body *p);
-void ktest_make_sample_sam_response_2(krb5_sam_response_2 *p);
-void ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
-void ktest_make_sample_pa_for_user(krb5_pa_for_user *p);
-void ktest_make_sample_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
-void ktest_make_sample_ad_kdcissued(krb5_ad_kdcissued *p);
-void ktest_make_sample_iakerb_header(krb5_iakerb_header *p);
-void ktest_make_sample_iakerb_finished(krb5_iakerb_finished *p);
-void ktest_make_sample_fast_response(krb5_fast_response *p);
-void ktest_make_sha256_alg(krb5_algorithm_identifier *p);
-void ktest_make_sha1_alg(krb5_algorithm_identifier *p);
-void ktest_make_minimal_otp_tokeninfo(krb5_otp_tokeninfo *p);
-void ktest_make_maximal_otp_tokeninfo(krb5_otp_tokeninfo *p);
-void ktest_make_minimal_pa_otp_challenge(krb5_pa_otp_challenge *p);
-void ktest_make_maximal_pa_otp_challenge(krb5_pa_otp_challenge *p);
-void ktest_make_minimal_pa_otp_req(krb5_pa_otp_req *p);
-void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p);
-
-#ifndef DISABLE_PKINIT
-void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p);
-void ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p);
-void ktest_make_sample_auth_pack(krb5_auth_pack *p);
-void ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
-void
ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p);
-void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
-#endif
-
-#ifdef ENABLE_LDAP
-void ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data *p);
-#endif
-
-void ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p);
-void ktest_make_minimal_cammac(krb5_cammac *p);
-void ktest_make_maximal_cammac(krb5_cammac *p);
-void ktest_make_sample_secure_cookie(krb5_secure_cookie *p);
-void ktest_make_minimal_spake_factor(krb5_spake_factor *p);
-void ktest_make_maximal_spake_factor(krb5_spake_factor *p);
-void ktest_make_support_pa_spake(krb5_pa_spake *p);
-void ktest_make_challenge_pa_spake(krb5_pa_spake *p);
-void ktest_make_response_pa_spake(krb5_pa_spake *p);
-void ktest_make_encdata_pa_spake(krb5_pa_spake *p);
-
-/*----------------------------------------------------------------------*/
-
-void ktest_empty_authorization_data(krb5_authdata **ad);
-void ktest_destroy_authorization_data(krb5_authdata ***ad);
-void ktest_destroy_authorization_data(krb5_authdata ***ad);
-void ktest_empty_addresses(krb5_address **a);
-void ktest_destroy_addresses(krb5_address ***a);
-void ktest_destroy_address(krb5_address **a);
-void ktest_empty_pa_data_array(krb5_pa_data **pad);
-void ktest_destroy_pa_data_array(krb5_pa_data ***pad);
-void ktest_destroy_pa_data(krb5_pa_data **pad);
-
-void ktest_destroy_data(krb5_data **d);
-void ktest_empty_data(krb5_data *d);
-void ktest_destroy_principal(krb5_principal *p);
-void ktest_destroy_checksum(krb5_checksum **cs);
-void ktest_empty_keyblock(krb5_keyblock *kb);
-void ktest_destroy_keyblock(krb5_keyblock **kb);
-void ktest_destroy_authdata(krb5_authdata **ad);
-void ktest_destroy_sequence_of_integer(long **soi);
-void ktest_destroy_sequence_of_ticket(krb5_ticket ***sot);
-void ktest_destroy_ticket(krb5_ticket **tkt);
-void ktest_empty_ticket(krb5_ticket *tkt);
-void
ktest_destroy_enc_data(krb5_enc_data *ed);
-void ktest_empty_error(krb5_error *kerr);
-void ktest_destroy_etype_info_entry(krb5_etype_info_entry *i);
-void ktest_destroy_etype_info(krb5_etype_info_entry **info);
-
-void ktest_empty_kdc_req(krb5_kdc_req *kr);
-void ktest_empty_kdc_rep(krb5_kdc_rep *kr);
-
-void ktest_empty_authenticator(krb5_authenticator *a);
-void ktest_empty_enc_tkt_part(krb5_enc_tkt_part *etp);
-void ktest_destroy_enc_tkt_part(krb5_enc_tkt_part **etp);
-void ktest_empty_enc_kdc_rep_part(krb5_enc_kdc_rep_part *ekr);
-void ktest_destroy_transited(krb5_transited *t);
-void ktest_empty_ap_rep(krb5_ap_rep *ar);
-void ktest_empty_ap_req(krb5_ap_req *ar);
-void ktest_empty_cred_enc_part(krb5_cred_enc_part *cep);
-void ktest_destroy_cred_info(krb5_cred_info **ci);
-void ktest_destroy_sequence_of_cred_info(krb5_cred_info ***soci);
-void ktest_empty_safe(krb5_safe *s);
-void ktest_empty_priv(krb5_priv *p);
-void ktest_empty_priv_enc_part(krb5_priv_enc_part *pep);
-void ktest_empty_cred(krb5_cred *c);
-void ktest_destroy_last_req(krb5_last_req_entry ***lr);
-void ktest_empty_ap_rep_enc_part(krb5_ap_rep_enc_part *arep);
-void ktest_empty_sam_challenge_2(krb5_sam_challenge_2 *p);
-void ktest_empty_sam_challenge_2_body(krb5_sam_challenge_2_body *p);
-void ktest_empty_sam_response_2(krb5_sam_response_2 *p);
-void ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
-void ktest_empty_pa_for_user(krb5_pa_for_user *p);
-void ktest_empty_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
-void ktest_empty_ad_kdcissued(krb5_ad_kdcissued *p);
-void ktest_empty_iakerb_header(krb5_iakerb_header *p);
-void ktest_empty_iakerb_finished(krb5_iakerb_finished *p);
-void ktest_empty_fast_response(krb5_fast_response *p);
-void ktest_empty_otp_tokeninfo(krb5_otp_tokeninfo *p);
-void ktest_empty_pa_otp_challenge(krb5_pa_otp_challenge *p);
-void ktest_empty_pa_otp_req(krb5_pa_otp_req *p);
-
-#ifndef DISABLE_PKINIT
-void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p);
-void ktest_empty_auth_pack(krb5_auth_pack *p);
-void ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
-void ktest_empty_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p);
-void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
-#endif
-
-#ifdef ENABLE_LDAP
-void ktest_empty_ldap_seqof_key_data(ldap_seqof_key_data *p);
-#endif
-
-void ktest_empty_kkdcp_message(krb5_kkdcp_message *p);
-void ktest_empty_cammac(krb5_cammac *p);
-void ktest_empty_secure_cookie(krb5_secure_cookie *p);
-void ktest_empty_spake_factor(krb5_spake_factor *p);
-void ktest_empty_pa_spake(krb5_pa_spake *p);
-
-extern krb5_context test_context;
-extern char *sample_principal_name;
-
-#endif
diff --git a/crypto/krb5/src/tests/asn.1/ktest_equal.c b/crypto/krb5/src/tests/asn.1/ktest_equal.c
deleted file mode 100644
index 13786dd1e5e9..000000000000
--- a/crypto/krb5/src/tests/asn.1/ktest_equal.c
+++ /dev/null
@@ -1,1054 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/ktest_equal.c */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include <stdlib.h> -#include <stdio.h> -#include "ktest_equal.h" - -#define FALSE 0 -#define TRUE 1 - -#define struct_equal(field,comparator) \ - comparator(&(ref->field),&(var->field)) - -#define ptr_equal(field,comparator) \ - comparator(ref->field,var->field) - -#define scalar_equal(field) \ - ((ref->field) == (var->field)) - -#define len_equal(length,field,comparator) \ - ((ref->length == var->length) && \ - comparator(ref->length,ref->field,var->field)) - -int -ktest_equal_authenticator(krb5_authenticator *ref, krb5_authenticator *var) -{ - int p = TRUE; - - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && ptr_equal(checksum,ktest_equal_checksum); - p = p && scalar_equal(cusec); - p = p && scalar_equal(ctime); - p = p && ptr_equal(subkey,ktest_equal_keyblock); - p = p && scalar_equal(seq_number); - p = p && ptr_equal(authorization_data,ktest_equal_authorization_data); - return p; -} - -int -ktest_equal_principal_data(krb5_principal_data *ref, krb5_principal_data *var) -{ - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - return(struct_equal(realm,ktest_equal_data) && - len_equal(length,data,ktest_equal_array_of_data) && - scalar_equal(type)); -} - -int -ktest_equal_authdata(krb5_authdata *ref, krb5_authdata *var) -{ - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - return(scalar_equal(ad_type) && - len_equal(length,contents,ktest_equal_array_of_octet)); -} - -int -ktest_equal_checksum(krb5_checksum *ref, krb5_checksum *var) -{ - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - return(scalar_equal(checksum_type) && len_equal(length,contents,ktest_equal_array_of_octet)); -} - -int -ktest_equal_keyblock(krb5_keyblock *ref, krb5_keyblock *var) -{ - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - 
return(scalar_equal(enctype) && len_equal(length,contents,ktest_equal_array_of_octet)); -} - -int -ktest_equal_data(krb5_data *ref, krb5_data *var) -{ - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - return(len_equal(length,data,ktest_equal_array_of_char)); -} - -int -ktest_equal_ticket(krb5_ticket *ref, krb5_ticket *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(server,ktest_equal_principal_data); - p = p && struct_equal(enc_part,ktest_equal_enc_data); - /* enc_part2 is irrelevant, as far as the ASN.1 code is concerned */ - return p; -} - -int -ktest_equal_enc_data(krb5_enc_data *ref, krb5_enc_data *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(enctype); - p = p && scalar_equal(kvno); - p = p && struct_equal(ciphertext,ktest_equal_data); - return p; -} - -int -ktest_equal_encryption_key(krb5_keyblock *ref, krb5_keyblock *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(enctype); - p = p && len_equal(length,contents,ktest_equal_array_of_octet); - return p; -} - -int -ktest_equal_enc_tkt_part(krb5_enc_tkt_part *ref, krb5_enc_tkt_part *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(flags); - p = p && ptr_equal(session,ktest_equal_encryption_key); - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && struct_equal(transited,ktest_equal_transited); - p = p && struct_equal(times,ktest_equal_ticket_times); - p = p && ptr_equal(caddrs,ktest_equal_addresses); - p = p && ptr_equal(authorization_data,ktest_equal_authorization_data); - return p; -} - -int -ktest_equal_transited(krb5_transited *ref, krb5_transited *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var 
== NULL) return FALSE; - p = p && scalar_equal(tr_type); - p = p && struct_equal(tr_contents,ktest_equal_data); - return p; -} - -int -ktest_equal_ticket_times(krb5_ticket_times *ref, krb5_ticket_times *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(authtime); - p = p && scalar_equal(starttime); - p = p && scalar_equal(endtime); - p = p && scalar_equal(renew_till); - return p; -} - -int -ktest_equal_address(krb5_address *ref, krb5_address *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(addrtype); - p = p && len_equal(length,contents,ktest_equal_array_of_octet); - return p; -} - -int -ktest_equal_enc_kdc_rep_part(krb5_enc_kdc_rep_part *ref, - krb5_enc_kdc_rep_part *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(session,ktest_equal_keyblock); - p = p && ptr_equal(last_req,ktest_equal_last_req); - p = p && scalar_equal(nonce); - p = p && scalar_equal(key_exp); - p = p && scalar_equal(flags); - p = p && struct_equal(times,ktest_equal_ticket_times); - p = p && ptr_equal(server,ktest_equal_principal_data); - p = p && ptr_equal(caddrs,ktest_equal_addresses); - return p; -} - -int -ktest_equal_priv(krb5_priv *ref, krb5_priv *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(enc_part,ktest_equal_enc_data); - return p; -} - -int -ktest_equal_cred(krb5_cred *ref, krb5_cred *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(tickets,ktest_equal_sequence_of_ticket); - p = p && struct_equal(enc_part,ktest_equal_enc_data); - return p; -} - -int -ktest_equal_error(krb5_error *ref, krb5_error *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var 
== NULL) return FALSE; - p = p && scalar_equal(ctime); - p = p && scalar_equal(cusec); - p = p && scalar_equal(susec); - p = p && scalar_equal(stime); - p = p && scalar_equal(error); - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && ptr_equal(server,ktest_equal_principal_data); - p = p && struct_equal(text,ktest_equal_data); - p = p && struct_equal(e_data,ktest_equal_data); - return p; -} - -int -ktest_equal_ap_req(krb5_ap_req *ref, krb5_ap_req *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(ap_options); - p = p && ptr_equal(ticket,ktest_equal_ticket); - p = p && struct_equal(authenticator,ktest_equal_enc_data); - return p; -} - -int -ktest_equal_ap_rep(krb5_ap_rep *ref, krb5_ap_rep *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(enc_part,ktest_equal_enc_data); - return p; -} - -int -ktest_equal_ap_rep_enc_part(krb5_ap_rep_enc_part *ref, - krb5_ap_rep_enc_part *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(ctime); - p = p && scalar_equal(cusec); - p = p && ptr_equal(subkey,ktest_equal_encryption_key); - p = p && scalar_equal(seq_number); - return p; -} - -int -ktest_equal_safe(krb5_safe *ref, krb5_safe *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(user_data,ktest_equal_data); - p = p && scalar_equal(timestamp); - p = p && scalar_equal(usec); - p = p && scalar_equal(seq_number); - p = p && ptr_equal(s_address,ktest_equal_address); - p = p && ptr_equal(r_address,ktest_equal_address); - p = p && ptr_equal(checksum,ktest_equal_checksum); - return p; -} - - -int -ktest_equal_enc_cred_part(krb5_cred_enc_part *ref, krb5_cred_enc_part *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var 
== NULL) return FALSE; - p = p && scalar_equal(nonce); - p = p && scalar_equal(timestamp); - p = p && scalar_equal(usec); - p = p && ptr_equal(s_address,ktest_equal_address); - p = p && ptr_equal(r_address,ktest_equal_address); - p = p && ptr_equal(ticket_info,ktest_equal_sequence_of_cred_info); - return p; -} - -int -ktest_equal_enc_priv_part(krb5_priv_enc_part *ref, krb5_priv_enc_part *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(user_data,ktest_equal_data); - p = p && scalar_equal(timestamp); - p = p && scalar_equal(usec); - p = p && scalar_equal(seq_number); - p = p && ptr_equal(s_address,ktest_equal_address); - p = p && ptr_equal(r_address,ktest_equal_address); - return p; -} - -int -ktest_equal_as_rep(krb5_kdc_rep *ref, krb5_kdc_rep *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(msg_type); - p = p && ptr_equal(padata,ktest_equal_sequence_of_pa_data); - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && ptr_equal(ticket,ktest_equal_ticket); - p = p && struct_equal(enc_part,ktest_equal_enc_data); - p = p && ptr_equal(enc_part2,ktest_equal_enc_kdc_rep_part); - return p; -} - -int -ktest_equal_tgs_rep(krb5_kdc_rep *ref, krb5_kdc_rep *var) -{ - return ktest_equal_as_rep(ref,var); -} - -int -ktest_equal_as_req(krb5_kdc_req *ref, krb5_kdc_req *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(msg_type); - p = p && ptr_equal(padata,ktest_equal_sequence_of_pa_data); - p = p && scalar_equal(kdc_options); - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && ptr_equal(server,ktest_equal_principal_data); - p = p && scalar_equal(from); - p = p && scalar_equal(till); - p = p && scalar_equal(rtime); - p = p && scalar_equal(nonce); - p = p && len_equal(nktypes,ktype,ktest_equal_array_of_enctype); 
- p = p && ptr_equal(addresses,ktest_equal_addresses); - p = p && struct_equal(authorization_data,ktest_equal_enc_data); -/* This field isn't actually in the ASN.1 encoding. */ -/* p = p && ptr_equal(unenc_authdata,ktest_equal_authorization_data); */ - return p; -} - -int -ktest_equal_tgs_req(krb5_kdc_req *ref, krb5_kdc_req *var) -{ - return ktest_equal_as_req(ref,var); -} - -int -ktest_equal_kdc_req_body(krb5_kdc_req *ref, krb5_kdc_req *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(kdc_options); - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && ptr_equal(server,ktest_equal_principal_data); - p = p && scalar_equal(from); - p = p && scalar_equal(till); - p = p && scalar_equal(rtime); - p = p && scalar_equal(nonce); - p = p && len_equal(nktypes,ktype,ktest_equal_array_of_enctype); - p = p && ptr_equal(addresses,ktest_equal_addresses); - p = p && struct_equal(authorization_data,ktest_equal_enc_data); - /* This isn't part of the ASN.1 encoding. 
*/ - /* p = p && ptr_equal(unenc_authdata,ktest_equal_authorization_data); */ - return p; -} - -int -ktest_equal_last_req_entry(krb5_last_req_entry *ref, krb5_last_req_entry *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(lr_type); - p = p && scalar_equal(value); - return p; -} - -int -ktest_equal_pa_data(krb5_pa_data *ref, krb5_pa_data *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(pa_type); - p = p && len_equal(length,contents,ktest_equal_array_of_octet); - return p; -} - -int -ktest_equal_cred_info(krb5_cred_info *ref, krb5_cred_info *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(session,ktest_equal_keyblock); - p = p && ptr_equal(client,ktest_equal_principal_data); - p = p && ptr_equal(server,ktest_equal_principal_data); - p = p && scalar_equal(flags); - p = p && struct_equal(times,ktest_equal_ticket_times); - p = p && ptr_equal(caddrs,ktest_equal_addresses); - - return p; -} - -int -ktest_equal_krb5_etype_info_entry(krb5_etype_info_entry *ref, - krb5_etype_info_entry *var) -{ - if (ref->etype != var->etype) - return FALSE; - if (ref->length != var->length) - return FALSE; - if (ref->length > 0 && ref->length != KRB5_ETYPE_NO_SALT) - if (memcmp(ref->salt, var->salt, ref->length) != 0) - return FALSE; - return TRUE; -} - -int -ktest_equal_krb5_pa_enc_ts(krb5_pa_enc_ts *ref, krb5_pa_enc_ts *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(patimestamp); - p = p && scalar_equal(pausec); - return p; -} - -#define equal_str(f) struct_equal(f,ktest_equal_data) - -int -ktest_equal_sam_challenge_2_body(krb5_sam_challenge_2_body *ref, - krb5_sam_challenge_2_body *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL 
|| var == NULL) return FALSE; - p = p && scalar_equal(sam_type); - p = p && scalar_equal(sam_flags); - p = p && equal_str(sam_type_name); - p = p && equal_str(sam_track_id); - p = p && equal_str(sam_challenge_label); - p = p && equal_str(sam_challenge); - p = p && equal_str(sam_response_prompt); - p = p && equal_str(sam_pk_for_sad); - p = p && scalar_equal(sam_nonce); - p = p && scalar_equal(sam_etype); - return p; -} - -int -ktest_equal_sam_challenge_2(krb5_sam_challenge_2 *ref, - krb5_sam_challenge_2 *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(sam_challenge_2_body); - p = p && ptr_equal(sam_cksum,ktest_equal_sequence_of_checksum); - return p; -} - -int -ktest_equal_pa_for_user(krb5_pa_for_user *ref, krb5_pa_for_user *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(user, ktest_equal_principal_data); - p = p && struct_equal(cksum, ktest_equal_checksum); - p = p && equal_str(auth_package); - return p; -} - -int -ktest_equal_pa_s4u_x509_user(krb5_pa_s4u_x509_user *ref, - krb5_pa_s4u_x509_user *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(user_id.nonce); - p = p && ptr_equal(user_id.user,ktest_equal_principal_data); - p = p && struct_equal(user_id.subject_cert,ktest_equal_data); - p = p && scalar_equal(user_id.options); - p = p && struct_equal(cksum,ktest_equal_checksum); - return p; -} - -int -ktest_equal_ad_kdcissued(krb5_ad_kdcissued *ref, krb5_ad_kdcissued *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(ad_checksum,ktest_equal_checksum); - p = p && ptr_equal(i_principal,ktest_equal_principal_data); - p = p && ptr_equal(elements,ktest_equal_authorization_data); - return p; -} - -int -ktest_equal_iakerb_header(krb5_iakerb_header 
*ref, krb5_iakerb_header *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(target_realm,ktest_equal_data); - p = p && ptr_equal(cookie,ktest_equal_data); - return p; -} - -int -ktest_equal_iakerb_finished(krb5_iakerb_finished *ref, - krb5_iakerb_finished *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(checksum,ktest_equal_checksum); - return p; -} - -static int -ktest_equal_fast_finished(krb5_fast_finished *ref, krb5_fast_finished *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(timestamp); - p = p && scalar_equal(usec); - p = p && ptr_equal(client, ktest_equal_principal_data); - p = p && struct_equal(ticket_checksum, ktest_equal_checksum); - return p; -} - -int -ktest_equal_fast_response(krb5_fast_response *ref, krb5_fast_response *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(padata, ktest_equal_sequence_of_pa_data); - p = p && ptr_equal(strengthen_key, ktest_equal_keyblock); - p = p && ptr_equal(finished, ktest_equal_fast_finished); - p = p && scalar_equal(nonce); - return p; -} - -static int -ktest_equal_algorithm_identifier(krb5_algorithm_identifier *ref, - krb5_algorithm_identifier *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(algorithm); - p = p && equal_str(parameters); - return p; -} - -int -ktest_equal_otp_tokeninfo(krb5_otp_tokeninfo *ref, krb5_otp_tokeninfo *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(flags); - p = p && equal_str(vendor); - p = p && equal_str(challenge); - p = p && scalar_equal(length); - p = p && scalar_equal(format); - p = p && 
equal_str(token_id); - p = p && equal_str(alg_id); - p = p && ptr_equal(supported_hash_alg, - ktest_equal_sequence_of_algorithm_identifier); - p = p && scalar_equal(iteration_count); - return p; -} - -int -ktest_equal_pa_otp_challenge(krb5_pa_otp_challenge *ref, - krb5_pa_otp_challenge *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(nonce); - p = p && equal_str(service); - p = p && ptr_equal(tokeninfo, ktest_equal_sequence_of_otp_tokeninfo); - p = p && equal_str(salt); - p = p && equal_str(s2kparams); - return p; -} - -int -ktest_equal_pa_otp_req(krb5_pa_otp_req *ref, krb5_pa_otp_req *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(flags); - p = p && equal_str(nonce); - p = p && struct_equal(enc_data, ktest_equal_enc_data); - p = p && ptr_equal(hash_alg, ktest_equal_algorithm_identifier); - p = p && scalar_equal(iteration_count); - p = p && equal_str(otp_value); - p = p && equal_str(pin); - p = p && equal_str(challenge); - p = p && scalar_equal(time); - p = p && equal_str(counter); - p = p && scalar_equal(format); - p = p && equal_str(token_id); - p = p && equal_str(alg_id); - p = p && equal_str(vendor); - return p; -} - -#ifdef ENABLE_LDAP -static int -equal_key_data(krb5_key_data *ref, krb5_key_data *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(key_data_type[0]); - p = p && scalar_equal(key_data_type[1]); - p = p && len_equal(key_data_length[0],key_data_contents[0], - ktest_equal_array_of_octet); - p = p && len_equal(key_data_length[1],key_data_contents[1], - ktest_equal_array_of_octet); - return p; -} - -static int -equal_key_data_array(int n, krb5_key_data *ref, krb5_key_data *val) -{ - int i, p = TRUE; - for (i = 0; i < n; i++) { - p = p && equal_key_data(ref+i, val+i); - } - return p; -} - -int 
-ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref, - ldap_seqof_key_data *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(mkvno); - p = p && scalar_equal(kvno); - p = p && len_equal(n_key_data,key_data,equal_key_data_array); - return p; -} -#endif - -/**** arrays ****************************************************************/ - -int -ktest_equal_array_of_data(int length, krb5_data *ref, krb5_data *var) -{ - int i,p = TRUE; - - if (length == 0 || ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - for (i=0; i<(length); i++) { - p = p && ktest_equal_data(&(ref[i]),&(var[i])); - } - return p; -} - -int -ktest_equal_array_of_octet(unsigned int length, krb5_octet *ref, - krb5_octet *var) -{ - unsigned int i, p = TRUE; - - if (length == 0 || ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - for (i=0; i<length; i++) - p = p && (ref[i] == var[i]); - return p; -} - -int -ktest_equal_array_of_char(unsigned int length, char *ref, char *var) -{ - unsigned int i, p = TRUE; - - if (length == 0 || ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - for (i=0; i<length; i++) - p = p && (ref[i] == var[i]); - return p; -} - -int -ktest_equal_array_of_enctype(int length, krb5_enctype *ref, krb5_enctype *var) -{ - int i, p = TRUE; - - if (length == 0 || ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - for (i=0; i<length; i++) - p = p && (ref[i] == var[i]); - return p; -} - -#define array_compare(comparator) \ - int i,p = TRUE; \ - if (ref == var) return TRUE; \ - if (!ref || !ref[0]) \ - return (!var || !var[0]); \ - if (!var || !var[0]) return FALSE; \ - for (i=0; ref[i] != NULL && var[i] != NULL; i++) \ - p = p && comparator(ref[i],var[i]); \ - if (ref[i] == NULL && var[i] == NULL) return p; \ - else return FALSE - -int -ktest_equal_authorization_data(krb5_authdata **ref, 
krb5_authdata **var) -{ - array_compare(ktest_equal_authdata); -} - -int -ktest_equal_addresses(krb5_address **ref, krb5_address **var) -{ - array_compare(ktest_equal_address); -} - -int -ktest_equal_last_req(krb5_last_req_entry **ref, krb5_last_req_entry **var) -{ - array_compare(ktest_equal_last_req_entry); -} - -int -ktest_equal_sequence_of_ticket(krb5_ticket **ref, krb5_ticket **var) -{ - array_compare(ktest_equal_ticket); -} - -int -ktest_equal_sequence_of_pa_data(krb5_pa_data **ref, krb5_pa_data **var) -{ - array_compare(ktest_equal_pa_data); -} - -int -ktest_equal_sequence_of_cred_info(krb5_cred_info **ref, krb5_cred_info **var) -{ - array_compare(ktest_equal_cred_info); -} - -int -ktest_equal_sequence_of_principal(krb5_principal *ref, krb5_principal *var) -{ - array_compare(ktest_equal_principal_data); -} - -int -ktest_equal_etype_info(krb5_etype_info_entry **ref, krb5_etype_info_entry **var) -{ - array_compare(ktest_equal_krb5_etype_info_entry); -} - -int -ktest_equal_sequence_of_checksum(krb5_checksum **ref, krb5_checksum **var) -{ - array_compare(ktest_equal_checksum); -} - -int -ktest_equal_sequence_of_algorithm_identifier(krb5_algorithm_identifier **ref, - krb5_algorithm_identifier **var) -{ - array_compare(ktest_equal_algorithm_identifier); -} - -int -ktest_equal_sequence_of_otp_tokeninfo(krb5_otp_tokeninfo **ref, - krb5_otp_tokeninfo **var) -{ - array_compare(ktest_equal_otp_tokeninfo); -} - -int -ktest_equal_sequence_of_spake_factor(krb5_spake_factor **ref, - krb5_spake_factor **var) -{ - array_compare(ktest_equal_spake_factor); -} - -#ifndef DISABLE_PKINIT - -static int -ktest_equal_pk_authenticator(krb5_pk_authenticator *ref, - krb5_pk_authenticator *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(cusec); - p = p && scalar_equal(ctime); - p = p && scalar_equal(nonce); - p = p && data_eq(ref->paChecksum, var->paChecksum); - return p; -} - -static int 
-ktest_equal_external_principal_identifier( - krb5_external_principal_identifier *ref, - krb5_external_principal_identifier *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(subjectName); - p = p && equal_str(issuerAndSerialNumber); - p = p && equal_str(subjectKeyIdentifier); - return p; -} - -static int -ktest_equal_sequence_of_external_principal_identifier( - krb5_external_principal_identifier **ref, - krb5_external_principal_identifier **var) -{ - array_compare(ktest_equal_external_principal_identifier); -} - -int -ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(signedAuthPack); - p = p && ptr_equal(trustedCertifiers, - ktest_equal_sequence_of_external_principal_identifier); - p = p && equal_str(kdcPkId); - return p; -} - -static int -ktest_equal_dh_rep_info(krb5_dh_rep_info *ref, krb5_dh_rep_info *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(dhSignedData); - p = p && equal_str(serverDHNonce); - p = p && ptr_equal(kdfID, ktest_equal_data); - return p; -} - -int -ktest_equal_pa_pk_as_rep(krb5_pa_pk_as_rep *ref, krb5_pa_pk_as_rep *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - if (ref->choice != var->choice) return FALSE; - if (ref->choice == choice_pa_pk_as_rep_dhInfo) - p = p && struct_equal(u.dh_Info, ktest_equal_dh_rep_info); - else if (ref->choice == choice_pa_pk_as_rep_encKeyPack) - p = p && equal_str(u.encKeyPack); - return p; -} - -static int -ktest_equal_sequence_of_data(krb5_data **ref, krb5_data **var) -{ - array_compare(ktest_equal_data); -} - -int -ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL 
|| var == NULL) return FALSE; - p = p && struct_equal(pkAuthenticator, ktest_equal_pk_authenticator); - p = p && equal_str(clientPublicValue); - p = p && ptr_equal(supportedCMSTypes, - ktest_equal_sequence_of_algorithm_identifier); - p = p && equal_str(clientDHNonce); - p = p && ptr_equal(supportedKDFs, ktest_equal_sequence_of_data); - return p; -} - -int -ktest_equal_kdc_dh_key_info(krb5_kdc_dh_key_info *ref, - krb5_kdc_dh_key_info *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && equal_str(subjectPublicKey); - p = p && scalar_equal(nonce); - p = p && scalar_equal(dhKeyExpiration); - return p; -} - -int -ktest_equal_reply_key_pack(krb5_reply_key_pack *ref, krb5_reply_key_pack *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && struct_equal(replyKey, ktest_equal_keyblock); - p = p && struct_equal(asChecksum, ktest_equal_checksum); - return p; -} - -#endif /* not DISABLE_PKINIT */ - -int -ktest_equal_kkdcp_message(krb5_kkdcp_message *ref, krb5_kkdcp_message *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && data_eq(ref->kerb_message, var->kerb_message); - p = p && data_eq(ref->target_domain, var->target_domain); - p = p && scalar_equal(dclocator_hint); - return p; -} - -static int -vmac_eq(krb5_verifier_mac *ref, krb5_verifier_mac *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ptr_equal(princ, ktest_equal_principal_data); - p = p && scalar_equal(kvno); - p = p && scalar_equal(enctype); - p = p && struct_equal(checksum, ktest_equal_checksum); - return p; -} - -static int -vmac_list_eq(krb5_verifier_mac **ref, krb5_verifier_mac **var) -{ - array_compare(vmac_eq); -} - -int -ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref 
== NULL || var == NULL) return FALSE; - p = p && ptr_equal(elements, ktest_equal_authorization_data); - p = p && ptr_equal(kdc_verifier, vmac_eq); - p = p && ptr_equal(svc_verifier, vmac_eq); - p = p && ptr_equal(other_verifiers, vmac_list_eq); - return p; -} - -int -ktest_equal_secure_cookie(krb5_secure_cookie *ref, krb5_secure_cookie *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && ktest_equal_sequence_of_pa_data(ref->data, var->data); - p = p && scalar_equal(time); - return p; -} - -int -ktest_equal_spake_factor(krb5_spake_factor *ref, krb5_spake_factor *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - p = p && scalar_equal(type); - p = p && ptr_equal(data,ktest_equal_data); - return p; -} - -int -ktest_equal_pa_spake(krb5_pa_spake *ref, krb5_pa_spake *var) -{ - int p = TRUE; - if (ref == var) return TRUE; - else if (ref == NULL || var == NULL) return FALSE; - else if (ref->choice != var->choice) return FALSE; - switch (ref->choice) { - case SPAKE_MSGTYPE_SUPPORT: - p = p && scalar_equal(u.support.ngroups); - p = p && (memcmp(ref->u.support.groups,var->u.support.groups, - ref->u.support.ngroups * sizeof(int32_t)) == 0); - break; - case SPAKE_MSGTYPE_CHALLENGE: - p = p && struct_equal(u.challenge.pubkey,ktest_equal_data); - p = p && ptr_equal(u.challenge.factors, - ktest_equal_sequence_of_spake_factor); - break; - case SPAKE_MSGTYPE_RESPONSE: - p = p && struct_equal(u.response.pubkey,ktest_equal_data); - p = p && struct_equal(u.response.factor,ktest_equal_enc_data); - break; - case SPAKE_MSGTYPE_ENCDATA: - p = p && struct_equal(u.encdata,ktest_equal_enc_data); - break; - default: - break; - } - return p; -} diff --git a/crypto/krb5/src/tests/asn.1/ktest_equal.h b/crypto/krb5/src/tests/asn.1/ktest_equal.h deleted file mode 100644 index 8c15cc0c0df5..000000000000 --- a/crypto/krb5/src/tests/asn.1/ktest_equal.h +++ /dev/null 
@@ -1,154 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/ktest_equal.h */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef __KTEST_EQUAL_H__ -#define __KTEST_EQUAL_H__ - -#include "k5-int.h" -#include "k5-spake.h" -#include "kdb.h" - -/* int ktest_equal_structure(krb5_structure *ref, *var) */ -/* effects Returns true (non-zero) if ref and var are - semantically equivalent (i.e. have the same values, - but aren't necessarily the same object). - Returns false (zero) if ref and var differ. 
*/ - -#define generic(funcname,type)\ -int funcname (type *ref, type *var) - -#define len_array(funcname,type)\ -int funcname (int length, type *ref, type *var) -#define len_unsigned_array(funcname,type)\ -int funcname (unsigned int length, type *ref, type *var) - -generic(ktest_equal_authenticator,krb5_authenticator); -generic(ktest_equal_principal_data,krb5_principal_data); -generic(ktest_equal_checksum,krb5_checksum); -generic(ktest_equal_keyblock,krb5_keyblock); -generic(ktest_equal_data,krb5_data); -generic(ktest_equal_authdata,krb5_authdata); -generic(ktest_equal_ticket,krb5_ticket); -generic(ktest_equal_enc_tkt_part,krb5_enc_tkt_part); -generic(ktest_equal_transited,krb5_transited); -generic(ktest_equal_ticket_times,krb5_ticket_times); -generic(ktest_equal_address,krb5_address); -generic(ktest_equal_enc_data,krb5_enc_data); - -generic(ktest_equal_enc_kdc_rep_part,krb5_enc_kdc_rep_part); -generic(ktest_equal_priv,krb5_priv); -generic(ktest_equal_cred,krb5_cred); -generic(ktest_equal_error,krb5_error); -generic(ktest_equal_ap_req,krb5_ap_req); -generic(ktest_equal_ap_rep,krb5_ap_rep); -generic(ktest_equal_ap_rep_enc_part,krb5_ap_rep_enc_part); -generic(ktest_equal_safe,krb5_safe); - -generic(ktest_equal_last_req_entry,krb5_last_req_entry); -generic(ktest_equal_pa_data,krb5_pa_data); -generic(ktest_equal_cred_info,krb5_cred_info); - -generic(ktest_equal_enc_cred_part,krb5_cred_enc_part); -generic(ktest_equal_enc_priv_part,krb5_priv_enc_part); -generic(ktest_equal_as_rep,krb5_kdc_rep); -generic(ktest_equal_tgs_rep,krb5_kdc_rep); -generic(ktest_equal_as_req,krb5_kdc_req); -generic(ktest_equal_tgs_req,krb5_kdc_req); -generic(ktest_equal_kdc_req_body,krb5_kdc_req); -generic(ktest_equal_encryption_key,krb5_keyblock); - -generic(ktest_equal_krb5_pa_enc_ts,krb5_pa_enc_ts); - -generic(ktest_equal_sam_challenge_2,krb5_sam_challenge_2); -generic(ktest_equal_sam_challenge_2_body,krb5_sam_challenge_2_body); - -int ktest_equal_last_req(krb5_last_req_entry **ref, 
krb5_last_req_entry **var); -int ktest_equal_sequence_of_ticket(krb5_ticket **ref, krb5_ticket **var); -int ktest_equal_sequence_of_pa_data(krb5_pa_data **ref, krb5_pa_data **var); -int ktest_equal_sequence_of_cred_info(krb5_cred_info **ref, - krb5_cred_info **var); -int ktest_equal_sequence_of_principal(krb5_principal *ref, - krb5_principal *var); -int ktest_equal_sequence_of_checksum(krb5_checksum **ref, krb5_checksum **var); -int -ktest_equal_sequence_of_algorithm_identifier(krb5_algorithm_identifier **ref, - krb5_algorithm_identifier **var); -int ktest_equal_sequence_of_otp_tokeninfo(krb5_otp_tokeninfo **ref, - krb5_otp_tokeninfo **var); -int ktest_equal_sequence_of_spake_factor(krb5_spake_factor **ref, - krb5_spake_factor **var); - -len_array(ktest_equal_array_of_enctype,krb5_enctype); -len_array(ktest_equal_array_of_data,krb5_data); -len_unsigned_array(ktest_equal_array_of_octet,krb5_octet); - -int ktest_equal_authorization_data(krb5_authdata **ref, krb5_authdata **var); -int ktest_equal_addresses(krb5_address **ref, krb5_address **var); -int ktest_equal_array_of_char(const unsigned int length, char *ref, char *var); - -int ktest_equal_etype_info(krb5_etype_info_entry **ref, - krb5_etype_info_entry **var); - -int ktest_equal_krb5_etype_info_entry(krb5_etype_info_entry *ref, - krb5_etype_info_entry *var); -int ktest_equal_pa_for_user(krb5_pa_for_user *ref, krb5_pa_for_user *var); -int ktest_equal_pa_s4u_x509_user(krb5_pa_s4u_x509_user *ref, - krb5_pa_s4u_x509_user *var); -int ktest_equal_ad_kdcissued(krb5_ad_kdcissued *ref, krb5_ad_kdcissued *var); -int ktest_equal_iakerb_header(krb5_iakerb_header *ref, - krb5_iakerb_header *var); -int ktest_equal_iakerb_finished(krb5_iakerb_finished *ref, - krb5_iakerb_finished *var); -int ktest_equal_fast_response(krb5_fast_response *ref, - krb5_fast_response *var); -int ktest_equal_otp_tokeninfo(krb5_otp_tokeninfo *ref, - krb5_otp_tokeninfo *var); -int ktest_equal_pa_otp_challenge(krb5_pa_otp_challenge *ref, - 
krb5_pa_otp_challenge *var); -int ktest_equal_pa_otp_req(krb5_pa_otp_req *ref, krb5_pa_otp_req *var); - -int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref, - ldap_seqof_key_data *var); - -#ifndef DISABLE_PKINIT -generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req); -generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep); -generic(ktest_equal_auth_pack, krb5_auth_pack); -generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info); -generic(ktest_equal_reply_key_pack, krb5_reply_key_pack); -#endif /* not DISABLE_PKINIT */ - -int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref, - krb5_kkdcp_message *var); -int ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var); - -int ktest_equal_secure_cookie(krb5_secure_cookie *ref, - krb5_secure_cookie *var); - -generic(ktest_equal_spake_factor, krb5_spake_factor); -generic(ktest_equal_pa_spake, krb5_pa_spake); - -#endif diff --git a/crypto/krb5/src/tests/asn.1/ldap_encode.out b/crypto/krb5/src/tests/asn.1/ldap_encode.out deleted file mode 100644 index 41dbc1e61921..000000000000 --- a/crypto/krb5/src/tests/asn.1/ldap_encode.out +++ /dev/null @@ -1 +0,0 @@ -encode_krb5_ldap_seqof_key_data: 30 81 87 A0 03 02 01 01 A1 03 02 01 01 A2 03 02 01 2A A3 03 02 01 0E A4 71 30 6F 30 23 A0 10 30 0E A0 03 02 01 00 A1 07 04 05 73 61 6C 74 30 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 30 30 23 A0 10 30 0E A0 03 02 01 01 A1 07 04 05 73 61 6C 74 31 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 31 30 23 A0 10 30 0E A0 03 02 01 02 A1 07 04 05 73 61 6C 74 32 A1 0F 30 0D A0 03 02 01 02 A1 06 04 04 6B 65 79 32 diff --git a/crypto/krb5/src/tests/asn.1/ldap_trval.out b/crypto/krb5/src/tests/asn.1/ldap_trval.out deleted file mode 100644 index 16ea7371943f..000000000000 --- a/crypto/krb5/src/tests/asn.1/ldap_trval.out +++ /dev/null 
@@ -1,30 +0,0 @@ - -encode_krb5_ldap_seqof_key_data: - -[Sequence/Sequence Of] -. [0] [Integer] 1 -. [1] [Integer] 1 -. [2] [Integer] 42 -. [3] [Integer] 14 -. [4] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] [Sequence/Sequence Of] -. . . . [0] [Integer] 0 -. . . . [1] [Octet String] "salt0" -. . . [1] [Sequence/Sequence Of] -. . . . [0] [Integer] 2 -. . . . [1] [Octet String] "key0" -. . [Sequence/Sequence Of] -. . . [0] [Sequence/Sequence Of] -. . . . [0] [Integer] 1 -. . . . [1] [Octet String] "salt1" -. . . [1] [Sequence/Sequence Of] -. . . . [0] [Integer] 2 -. . . . [1] [Octet String] "key1" -. . [Sequence/Sequence Of] -. . . [0] [Sequence/Sequence Of] -. . . . [0] [Integer] 2 -. . . . [1] [Octet String] "salt2" -. . . [1] [Sequence/Sequence Of] -. . . . [0] [Integer] 2 -. . . . [1] [Octet String] "key2" diff --git a/crypto/krb5/src/tests/asn.1/make-vectors.c b/crypto/krb5/src/tests/asn.1/make-vectors.c deleted file mode 100644 index 6f2b7dd0219d..000000000000 --- a/crypto/krb5/src/tests/asn.1/make-vectors.c +++ /dev/null 
@@ -1,333 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/make-vectors.c - Generate ASN.1 test vectors using asn1c */ -/* - * Copyright (C) 2011 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * This program generates test vectors using asn1c, to be included in other - * test programs which exercise the krb5 ASN.1 encoder and decoder functions. - * It is intended to be used via "make test-vectors". Currently, test vectors - * are only generated for a subset of newer ASN.1 objects. 
- */ - -#include <PrincipalName.h> -#include <KRB5PrincipalName.h> -#include <OtherInfo.h> -#include <PkinitSuppPubInfo.h> -#include <OTP-TOKENINFO.h> -#include <PA-OTP-CHALLENGE.h> -#include <PA-OTP-REQUEST.h> -#include <PA-OTP-ENC-REQUEST.h> -#include <AD-CAMMAC.h> -#include <SPAKESecondFactor.h> -#include <PA-SPAKE.h> - -static unsigned char buf[8192]; -static size_t buf_pos; - -/* PrincipalName and KRB5PrincipalName */ -static KerberosString_t comp_1 = { "hftsai", 6 }; -static KerberosString_t comp_2 = { "extra", 5 }; -static KerberosString_t *comps[] = { &comp_1, &comp_2 }; -static PrincipalName_t princ = { 1, { comps, 2, 2 } }; -static KRB5PrincipalName_t krb5princ = { { "ATHENA.MIT.EDU", 14 }, - { 1, { comps, 2, 2 } } }; - -/* OtherInfo */ -static unsigned int krb5_arcs[] = { 1, 2, 840, 113554, 1, 2, 2 }; -static OCTET_STRING_t krb5data_ostring = { "krb5data", 8 }; -static OtherInfo_t other_info = { - { 0 }, { 0 }, { 0 }, /* Initialized in main() */ - &krb5data_ostring, NULL -}; - -/* PkinitSuppPubInfo */ -static PkinitSuppPubInfo_t supp_pub_info = { 1, { "krb5data", 8 }, - { "krb5data", 8 } }; - -/* Minimal OTP-TOKENINFO */ -static OTP_TOKENINFO_t token_info_1 = { { "\0\0\0\0", 4, 0 } }; - -/* Maximal OTP-TOKENINFO */ -static UTF8String_t vendor = { "Examplecorp", 11 }; -static OCTET_STRING_t challenge = { "hark!", 5 }; -static Int32_t otp_length = 10; -static OTPFormat_t otp_format; /* Initialized to 2 in main(). */ -static OCTET_STRING_t token_id = { "yourtoken", 9 }; -static AnyURI_t otp_alg = { "urn:ietf:params:xml:ns:keyprov:pskc:hotp", 40 }; -static unsigned int sha256_arcs[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 }; -static unsigned int sha1_arcs[] = { 1, 3, 14, 3, 2, 26 }; -static AlgorithmIdentifier_t alg_sha256, alg_sha1; /* Initialized in main(). 
*/ -static AlgorithmIdentifier_t *algs[] = { &alg_sha256, &alg_sha1 }; -static struct supportedHashAlg hash_algs = { algs, 2, 2 }; -static Int32_t iter_count = 1000; -/* Flags are nextOTP | combine | collect-pin | must-encrypt-nonce | - * separate-pin-required | check-digit */ -static OTP_TOKENINFO_t token_info_2 = { { "\x77\0\0\0", 4, 0 }, &vendor, - &challenge, &otp_length, &otp_format, - &token_id, &otp_alg, &hash_algs, - &iter_count }; - -/* Minimal PA-OTP-CHALLENGE */ -static OTP_TOKENINFO_t *tinfo_1[] = { &token_info_1 }; -static PA_OTP_CHALLENGE_t challenge_1 = { { "minnonce", 8 }, NULL, - { { tinfo_1, 1, 1 } } }; - -/* Maximal PA-OTP-CHALLENGE */ -static OTP_TOKENINFO_t *tinfo_2[] = { &token_info_1, &token_info_2 }; -static UTF8String_t service = { "testservice", 11 }; -static KerberosString_t salt = { "keysalt", 7 }; -static OCTET_STRING_t s2kparams = { "1234", 4 }; -static PA_OTP_CHALLENGE_t challenge_2 = { { "maxnonce", 8 }, &service, - { { tinfo_2, 2, 2 } }, &salt, - &s2kparams }; - -/* Minimal PA-OTP-REQUEST */ -static UInt32_t kvno = 5; -static PA_OTP_REQUEST_t request_1 = { { "\0\0\0\0", 4, 0 }, NULL, - { 0, &kvno, - { "krbASN.1 test message", 21 } } }; - -/* Maximal PA-OTP-REQUEST */ -/* Flags are nextOTP | combine */ -static OCTET_STRING_t nonce = { "nonce", 5 }; -static OCTET_STRING_t otp_value = { "frogs", 5 }; -static UTF8String_t otp_pin = { "myfirstpin", 10 }; -/* Corresponds to Unix time 771228197 */ -static KerberosTime_t otp_time = { "19940610060317Z", 15 }; -static OCTET_STRING_t counter = { "346", 3 }; -static PA_OTP_REQUEST_t request_2 = { { "\x60\0\0\0", 4, 0 }, &nonce, - { 0, &kvno, - { "krbASN.1 test message", 21 } }, - &alg_sha256, &iter_count, &otp_value, - &otp_pin, &challenge, &otp_time, - &counter, &otp_format, &token_id, - &otp_alg, &vendor }; - -/* PA-OTP-ENC-REQUEST */ -static PA_OTP_ENC_REQUEST_t enc_request = { { "krb5data", 8 } }; - -/* - * There is no ASN.1 name for a single authorization data element, so asn1c - * 
declares it as "struct Member" in an inner scope. This structure must be - * laid out identically to that one. - */ -struct ad_element { - Int32_t ad_type; - OCTET_STRING_t ad_data; - asn_struct_ctx_t _asn_ctx; -}; - -/* Authorization data elements and lists, for use in CAMMAC */ -static struct ad_element ad_1 = { 1, { "ad1", 3 } }; -static struct ad_element ad_2 = { 2, { "ad2", 3 } }; -static struct ad_element *adlist_1[] = { &ad_1 }; -static struct ad_element *adlist_2[] = { &ad_1, &ad_2 }; - -/* Minimal Verifier */ -static Verifier_t verifier_1 = { Verifier_PR_mac, - { { NULL, NULL, NULL, - { 1, { "cksum1", 6 } } } } }; - -/* Maximal Verifier */ -static Int32_t enctype = 16; -static Verifier_t verifier_2 = { Verifier_PR_mac, - { { &princ, &kvno, &enctype, - { 1, { "cksum2", 6 } } } } }; - -/* Minimal CAMMAC */ -static AD_CAMMAC_t cammac_1 = { { { (void *)adlist_1, 1, 1 } }, - NULL, NULL, NULL }; - -/* Maximal CAMMAC */ -static Verifier_MAC_t vmac_1 = { &princ, &kvno, &enctype, - { 1, { "cksumkdc", 8 } } }; -static Verifier_MAC_t vmac_2 = { &princ, &kvno, &enctype, - { 1, { "cksumsvc", 8 } } }; -static Verifier_t *verifiers[] = { &verifier_1, &verifier_2 }; -static struct other_verifiers overfs = { { verifiers, 2, 2 } }; -static AD_CAMMAC_t cammac_2 = { { { (void *)adlist_2, 2, 2 } }, - &vmac_1, &vmac_2, &overfs }; - -/* SPAKESecondFactor */ -static SPAKESecondFactor_t factor_1 = { 1, NULL }; -static OCTET_STRING_t factor_data = { "fdata", 5 }; -static SPAKESecondFactor_t factor_2 = { 2, &factor_data }; - -/* PA-SPAKE (support) */ -static Int32_t group_1 = 1, group_2 = 2, *groups[] = { &group_1, &group_2 }; -static PA_SPAKE_t pa_spake_1 = { PA_SPAKE_PR_support, - { .support = { { groups, 2, 2 } } } }; - -/* PA-SPAKE (challenge) */ -static SPAKESecondFactor_t *factors[2] = { &factor_1, &factor_2 }; -static PA_SPAKE_t pa_spake_2 = { PA_SPAKE_PR_challenge, - { .challenge = { 1, { "T value", 7 }, - { factors, 2, 2 } } } }; - -/* PA-SPAKE (response) */ -UInt32_t 
enctype_5 = 5; -static PA_SPAKE_t pa_spake_3 = { PA_SPAKE_PR_response, - { .response = { { "S value", 7 }, - { 0, &enctype_5, - { "krbASN.1 test message", - 21 } } } } }; - -/* PA-SPAKE (encdata) */ -static PA_SPAKE_t pa_spake_4 = { PA_SPAKE_PR_encdata, - { .encdata = { 0, &enctype_5, - { "krbASN.1 test message", - 21 } } } }; - -static int -consume(const void *data, size_t size, void *dummy) -{ - memcpy(buf + buf_pos, data, size); - buf_pos += size; - return 0; -} - -/* Display a C string literal representing the contents of buf, and - * reinitialize buf_pos for the next encoding operation. */ -static void -printbuf(void) -{ - size_t i; - - for (i = 0; i < buf_pos; i++) { - printf("%02X", buf[i]); - if (i + 1 < buf_pos) - printf(" "); - } - buf_pos = 0; -} - -int -main(void) -{ - /* Initialize values which can't use static initializers. */ - asn_long2INTEGER(&otp_format, 2); /* Alphanumeric */ - OBJECT_IDENTIFIER_set_arcs(&alg_sha256.algorithm, sha256_arcs, - sizeof(*sha256_arcs), - sizeof(sha256_arcs) / sizeof(*sha256_arcs)); - OBJECT_IDENTIFIER_set_arcs(&alg_sha1.algorithm, sha1_arcs, - sizeof(*sha1_arcs), - sizeof(sha1_arcs) / sizeof(*sha1_arcs)); - OBJECT_IDENTIFIER_set_arcs(&other_info.algorithmID.algorithm, krb5_arcs, - sizeof(*krb5_arcs), - sizeof(krb5_arcs) / sizeof(*krb5_arcs)); - - printf("PrincipalName:\n"); - der_encode(&asn_DEF_PrincipalName, &princ, consume, NULL); - printbuf(); - - /* Print this encoding and also use it to initialize two fields of - * other_info. 
*/ - printf("\nKRB5PrincipalName:\n"); - der_encode(&asn_DEF_KRB5PrincipalName, &krb5princ, consume, NULL); - OCTET_STRING_fromBuf(&other_info.partyUInfo, buf, buf_pos); - OCTET_STRING_fromBuf(&other_info.partyVInfo, buf, buf_pos); - printbuf(); - - printf("\nOtherInfo:\n"); - der_encode(&asn_DEF_OtherInfo, &other_info, consume, NULL); - printbuf(); - free(other_info.partyUInfo.buf); - free(other_info.partyVInfo.buf); - - printf("\nPkinitSuppPubInfo:\n"); - der_encode(&asn_DEF_PkinitSuppPubInfo, &supp_pub_info, consume, NULL); - printbuf(); - - printf("\nMinimal OTP-TOKEN-INFO:\n"); - der_encode(&asn_DEF_OTP_TOKENINFO, &token_info_1, consume, NULL); - printbuf(); - - printf("\nMaximal OTP-TOKEN-INFO:\n"); - der_encode(&asn_DEF_OTP_TOKENINFO, &token_info_2, consume, NULL); - printbuf(); - - printf("\nMinimal PA-OTP-CHALLENGE:\n"); - der_encode(&asn_DEF_PA_OTP_CHALLENGE, &challenge_1, consume, NULL); - printbuf(); - - printf("\nMaximal PA-OTP-CHALLENGE:\n"); - der_encode(&asn_DEF_PA_OTP_CHALLENGE, &challenge_2, consume, NULL); - printbuf(); - - printf("\nMinimal PA-OTP-REQUEST:\n"); - der_encode(&asn_DEF_PA_OTP_REQUEST, &request_1, consume, NULL); - printbuf(); - - printf("\nMaximal PA-OTP-REQUEST:\n"); - der_encode(&asn_DEF_PA_OTP_REQUEST, &request_2, consume, NULL); - printbuf(); - - printf("\nPA-OTP-ENC-REQUEST:\n"); - der_encode(&asn_DEF_PA_OTP_ENC_REQUEST, &enc_request, consume, NULL); - printbuf(); - - printf("\nMinimal Verifier:\n"); - der_encode(&asn_DEF_Verifier, &verifier_1, consume, NULL); - printbuf(); - - printf("\nMaximal Verifier:\n"); - der_encode(&asn_DEF_Verifier, &verifier_2, consume, NULL); - printbuf(); - - printf("\nMinimal AD-CAMMAC:\n"); - der_encode(&asn_DEF_AD_CAMMAC, &cammac_1, consume, NULL); - printbuf(); - - printf("\nMaximal AD-CAMMAC:\n"); - der_encode(&asn_DEF_AD_CAMMAC, &cammac_2, consume, NULL); - printbuf(); - - printf("\nMinimal SPAKESecondFactor:\n"); - der_encode(&asn_DEF_SPAKESecondFactor, &factor_1, consume, NULL); - 
printbuf(); - - printf("\nMaximal SPAKESecondFactor:\n"); - der_encode(&asn_DEF_SPAKESecondFactor, &factor_2, consume, NULL); - printbuf(); - - printf("\nPA-SPAKE (support):\n"); - der_encode(&asn_DEF_PA_SPAKE, &pa_spake_1, consume, NULL); - printbuf(); - - printf("\nPA-SPAKE (challenge):\n"); - der_encode(&asn_DEF_PA_SPAKE, &pa_spake_2, consume, NULL); - printbuf(); - - printf("\nPA-SPAKE (response):\n"); - der_encode(&asn_DEF_PA_SPAKE, &pa_spake_3, consume, NULL); - printbuf(); - - printf("\nPA-SPAKE (encdata):\n"); - der_encode(&asn_DEF_PA_SPAKE, &pa_spake_4, consume, NULL); - printbuf(); - - printf("\n"); - return 0; -} diff --git a/crypto/krb5/src/tests/asn.1/otp.asn1 b/crypto/krb5/src/tests/asn.1/otp.asn1 deleted file mode 100644 index 2e3243222eb2..000000000000 --- a/crypto/krb5/src/tests/asn.1/otp.asn1 +++ /dev/null 
@@ -1,109 +0,0 @@ - OTPKerberos - DEFINITIONS IMPLICIT TAGS ::= - BEGIN - - IMPORTS - - KerberosTime, KerberosFlags, EncryptionKey, Int32, - EncryptedData, LastReq, KerberosString - FROM KerberosV5Spec2 {iso(1) identified-organization(3) - dod(6) internet(1) security(5) - kerberosV5(2) modules(4) krb5spec2(2)} - -- as defined in RFC 4120. - AlgorithmIdentifier - FROM PKIX1Explicit88 { iso (1) identified-organization (3) - dod (6) internet (1) - security (5) mechanisms (5) pkix (7) - id-mod (0) id-pkix1-explicit (18) }; - -- As defined in RFC 5280. - - PA-OTP-CHALLENGE ::= SEQUENCE { - nonce [0] OCTET STRING, - otp-service [1] UTF8String OPTIONAL, - otp-tokenInfo [2] SEQUENCE (SIZE(1..MAX)) OF - OTP-TOKENINFO, - salt [3] KerberosString OPTIONAL, - s2kparams [4] OCTET STRING OPTIONAL, - ... - } - - OTP-TOKENINFO ::= SEQUENCE { - flags [0] OTPFlags, - otp-vendor [1] UTF8String OPTIONAL, - otp-challenge [2] OCTET STRING (SIZE(1..MAX)) - OPTIONAL, - otp-length [3] Int32 OPTIONAL, - otp-format [4] OTPFormat OPTIONAL, - otp-tokenID [5] OCTET STRING OPTIONAL, - otp-algID [6] AnyURI OPTIONAL, - supportedHashAlg [7] SEQUENCE OF AlgorithmIdentifier - OPTIONAL, - iterationCount [8] Int32 OPTIONAL, - ... 
- } - - OTPFormat ::= INTEGER { - decimal(0), - hexadecimal(1), - alphanumeric(2), - binary(3), - base64(4) - } - - OTPFlags ::= KerberosFlags - -- reserved(0), - -- nextOTP(1), - -- combine(2), - -- collect-pin(3), - -- do-not-collect-pin(4), - -- must-encrypt-nonce (5), - -- separate-pin-required (6), - -- check-digit (7) - - PA-OTP-REQUEST ::= SEQUENCE { - flags [0] OTPFlags, - nonce [1] OCTET STRING OPTIONAL, - encData [2] EncryptedData, - -- PA-OTP-ENC-REQUEST or PA-ENC-TS-ENC - -- Key usage of KEY_USAGE_OTP_REQUEST - hashAlg [3] AlgorithmIdentifier OPTIONAL, - iterationCount [4] Int32 OPTIONAL, - otp-value [5] OCTET STRING OPTIONAL, - otp-pin [6] UTF8String OPTIONAL, - otp-challenge [7] OCTET STRING (SIZE(1..MAX)) OPTIONAL, - otp-time [8] KerberosTime OPTIONAL, - otp-counter [9] OCTET STRING OPTIONAL, - otp-format [10] OTPFormat OPTIONAL, - otp-tokenID [11] OCTET STRING OPTIONAL, - otp-algID [12] AnyURI OPTIONAL, - otp-vendor [13] UTF8String OPTIONAL, - ... - } - - PA-OTP-ENC-REQUEST ::= SEQUENCE { - nonce [0] OCTET STRING, - ... - } - - - PA-OTP-PIN-CHANGE ::= SEQUENCE { - flags [0] PinFlags, - pin [1] UTF8String OPTIONAL, - minLength [2] INTEGER OPTIONAL, - maxLength [3] INTEGER OPTIONAL, - last-req [4] LastReq OPTIONAL, - format [5] OTPFormat OPTIONAL, - ... - } - - PinFlags ::= KerberosFlags - -- reserved(0), - -- systemSetPin(1), - -- mandatory(2) - - AnyURI ::= UTF8String - (CONSTRAINED BY { - -- MUST be a valid URI in accordance with IETF RFC 2396 - }) - - END diff --git a/crypto/krb5/src/tests/asn.1/pkinit-agility.asn1 b/crypto/krb5/src/tests/asn.1/pkinit-agility.asn1 deleted file mode 100644 index ea9095b0434b..000000000000 --- a/crypto/krb5/src/tests/asn.1/pkinit-agility.asn1 +++ /dev/null 
@@ -1,99 +0,0 @@ -KerberosV5-PK-INIT-Agility-SPEC { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) pkinit(5) agility (1) -} DEFINITIONS EXPLICIT TAGS ::= BEGIN - -IMPORTS - AlgorithmIdentifier, SubjectPublicKeyInfo - FROM PKIX1Explicit88 { iso (1) - identified-organization (3) dod (6) internet (1) - security (5) mechanisms (5) pkix (7) id-mod (0) - id-pkix1-explicit (18) } - -- As defined in RFC 3280. - - Ticket, Int32, Realm, EncryptionKey, Checksum - FROM KerberosV5Spec2 { iso(1) identified-organization(3) - dod(6) internet(1) security(5) kerberosV5(2) - modules(4) krb5spec2(2) } - -- as defined in RFC 4120. - - PKAuthenticator, DHNonce - FROM KerberosV5-PK-INIT-SPEC { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) pkinit(5) }; - -- as defined in RFC 4556. - -TD-CMS-DIGEST-ALGORITHMS-DATA ::= SEQUENCE OF - AlgorithmIdentifier - -- Contains the list of CMS algorithm [RFC3852] - -- identifiers that identify the digest algorithms - -- acceptable by the KDC for signing CMS data in - -- the order of decreasing preference. - -TD-CERT-DIGEST-ALGORITHMS-DATA ::= SEQUENCE { - allowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier, - -- Contains the list of CMS algorithm [RFC3852] - -- identifiers that identify the digest algorithms - -- that are used by the CA to sign the client's - -- X.509 certificate and acceptable by the KDC in - -- the process of validating the client's X.509 - -- certificate, in the order of decreasing - -- preference. - rejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL, - -- This identifies the digest algorithm that was - -- used to sign the client's X.509 certificate and - -- has been rejected by the KDC in the process of - -- validating the client's X.509 certificate - -- [RFC3280]. - ... 
-} - -OtherInfo ::= SEQUENCE { - algorithmID AlgorithmIdentifier, - partyUInfo [0] OCTET STRING, - partyVInfo [1] OCTET STRING, - suppPubInfo [2] OCTET STRING OPTIONAL, - suppPrivInfo [3] OCTET STRING OPTIONAL -} - -PkinitSuppPubInfo ::= SEQUENCE { - enctype [0] Int32, - -- The enctype of the AS reply key. - as-REQ [1] OCTET STRING, - -- This contains the AS-REQ in the request. - pk-as-rep [2] OCTET STRING, - -- Contains the DER encoding of the type - -- PA-PK-AS-REP [RFC4556] in the KDC reply. - ... -} - --- Renamed from AuthPack to allow asn1c to process this and pkinit.asn1 -AuthPack2 ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, - supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier - OPTIONAL, - clientDHNonce [3] DHNonce OPTIONAL, - ..., - supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL, - -- Contains an unordered set of KDFs supported by the - -- client. - ... -} - -KDFAlgorithmId ::= SEQUENCE { - kdf-id [0] OBJECT IDENTIFIER, - -- The object identifier of the KDF - ... -} - --- Renamed from DHRepInfo to allow asn1c to process this and pkinit.asn1 -DHRepInfo2 ::= SEQUENCE { - dhSignedData [0] IMPLICIT OCTET STRING, - serverDHNonce [1] DHNonce OPTIONAL, - ..., - kdf [2] KDFAlgorithmId OPTIONAL, - -- The KDF picked by the KDC. - ... -} -END diff --git a/crypto/krb5/src/tests/asn.1/pkinit.asn1 b/crypto/krb5/src/tests/asn.1/pkinit.asn1 deleted file mode 100644 index 8f9d8dda270a..000000000000 --- a/crypto/krb5/src/tests/asn.1/pkinit.asn1 +++ /dev/null 
@@ -1,253 +0,0 @@ -KerberosV5-PK-INIT-SPEC { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) pkinit(5) -} DEFINITIONS EXPLICIT TAGS ::= BEGIN - -IMPORTS - - SubjectPublicKeyInfo, AlgorithmIdentifier - FROM PKIX1Explicit88 { iso (1) - identified-organization (3) dod (6) internet (1) - security (5) mechanisms (5) pkix (7) id-mod (0) - id-pkix1-explicit (18) } - -- As defined in RFC 3280. - - KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum - FROM KerberosV5Spec2 { iso(1) identified-organization(3) - dod(6) internet(1) security(5) kerberosV5(2) - modules(4) krb5spec2(2) }; - -- as defined in RFC 4120. - -id-pkinit OBJECT IDENTIFIER ::= - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosv5(2) pkinit (3) } - -id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 } -id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 } -id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 } -id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 } -id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 } - -id-pkinit-san OBJECT IDENTIFIER ::= - { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) - x509SanAN (2) } - -pa-pk-as-req INTEGER ::= 16 -pa-pk-as-rep INTEGER ::= 17 - -ad-initial-verified-cas INTEGER ::= 9 - -td-trusted-certifiers INTEGER ::= 104 -td-invalid-certificates INTEGER ::= 105 -td-dh-parameters INTEGER ::= 109 - -PA-PK-AS-REQ ::= SEQUENCE { - signedAuthPack [0] IMPLICIT OCTET STRING, - -- Contains a CMS type ContentInfo encoded - -- according to [RFC3852]. - -- The contentType field of the type ContentInfo - -- is id-signedData (1.2.840.113549.1.7.2), - -- and the content field is a SignedData. - -- The eContentType field for the type SignedData is - -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the - -- eContent field contains the DER encoding of the - -- type AuthPack. - -- AuthPack is defined below. 
- trustedCertifiers [1] SEQUENCE OF - ExternalPrincipalIdentifier OPTIONAL, - -- Contains a list of CAs, trusted by the client, - -- that can be used to certify the KDC. - -- Each ExternalPrincipalIdentifier identifies a CA - -- or a CA certificate (thereby its public key). - -- The information contained in the - -- trustedCertifiers SHOULD be used by the KDC as - -- hints to guide its selection of an appropriate - -- certificate chain to return to the client. - kdcPkId [2] IMPLICIT OCTET STRING - OPTIONAL, - -- Contains a CMS type SignerIdentifier encoded - -- according to [RFC3852]. - -- Identifies, if present, a particular KDC - -- public key that the client already has. - ... -} - -DHNonce ::= OCTET STRING - -ExternalPrincipalIdentifier ::= SEQUENCE { - subjectName [0] IMPLICIT OCTET STRING OPTIONAL, - -- Contains a PKIX type Name encoded according to - -- [RFC3280]. - -- Identifies the certificate subject by the - -- distinguished subject name. - -- REQUIRED when there is a distinguished subject - -- name present in the certificate. - issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, - -- Contains a CMS type IssuerAndSerialNumber encoded - -- according to [RFC3852]. - -- Identifies a certificate of the subject. - -- REQUIRED for TD-INVALID-CERTIFICATES and - -- TD-TRUSTED-CERTIFIERS. - subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, - -- Identifies the subject's public key by a key - -- identifier. When an X.509 certificate is - -- referenced, this key identifier matches the X.509 - -- subjectKeyIdentifier extension value. When other - -- certificate formats are referenced, the documents - -- that specify the certificate format and their use - -- with the CMS must include details on matching the - -- key identifier to the appropriate certificate - -- field. - -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. - ... 
-} - -AuthPack ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, - -- Type SubjectPublicKeyInfo is defined in - -- [RFC3280]. - -- Specifies Diffie-Hellman domain parameters - -- and the client's public key value [IEEE1363]. - -- The DH public key value is encoded as a BIT - -- STRING according to [RFC3279]. - -- This field is present only if the client wishes - -- to use the Diffie-Hellman key agreement method. - supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier - OPTIONAL, - -- Type AlgorithmIdentifier is defined in - -- [RFC3280]. - -- List of CMS algorithm [RFC3370] identifiers - -- that identify key transport algorithms, or - -- content encryption algorithms, or signature - -- algorithms supported by the client in order of - -- (decreasing) preference. - clientDHNonce [3] DHNonce OPTIONAL, - -- Present only if the client indicates that it - -- wishes to reuse DH keys or to allow the KDC to - -- do so. - ... -} - -PKAuthenticator ::= SEQUENCE { - cusec [0] INTEGER (0..999999), - ctime [1] KerberosTime, - -- cusec and ctime are used as in [RFC4120], for - -- replay prevention. - nonce [2] INTEGER (0..4294967295), - -- Chosen randomly; this nonce does not need to - -- match with the nonce in the KDC-REQ-BODY. - paChecksum [3] OCTET STRING OPTIONAL, - -- MUST be present. - -- Contains the SHA1 checksum, performed over - -- KDC-REQ-BODY. - ... -} - -TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF - ExternalPrincipalIdentifier - -- Identifies a list of CAs trusted by the KDC. - -- Each ExternalPrincipalIdentifier identifies a CA - -- or a CA certificate (thereby its public key). - -TD-INVALID-CERTIFICATES ::= SEQUENCE OF - ExternalPrincipalIdentifier - -- Each ExternalPrincipalIdentifier identifies a - -- certificate (sent by the client) with an invalid - -- signature. 
- -KRB5PrincipalName ::= SEQUENCE { - realm [0] Realm, - principalName [1] PrincipalName -} - -AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF - ExternalPrincipalIdentifier - -- Identifies the certification path based on which - -- the client certificate was validated. - -- Each ExternalPrincipalIdentifier identifies a CA - -- or a CA certificate (thereby its public key). - -PA-PK-AS-REP ::= CHOICE { - dhInfo [0] DHRepInfo, - -- Selected when Diffie-Hellman key exchange is - -- used. - encKeyPack [1] IMPLICIT OCTET STRING, - -- Selected when public key encryption is used. - -- Contains a CMS type ContentInfo encoded - -- according to [RFC3852]. - -- The contentType field of the type ContentInfo is - -- id-envelopedData (1.2.840.113549.1.7.3). - -- The content field is an EnvelopedData. - -- The contentType field for the type EnvelopedData - -- is id-signedData (1.2.840.113549.1.7.2). - -- The eContentType field for the inner type - -- SignedData (when unencrypted) is - -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the - -- eContent field contains the DER encoding of the - -- type ReplyKeyPack. - -- ReplyKeyPack is defined below. - ... -} - -DHRepInfo ::= SEQUENCE { - dhSignedData [0] IMPLICIT OCTET STRING, - -- Contains a CMS type ContentInfo encoded according - -- to [RFC3852]. - -- The contentType field of the type ContentInfo is - -- id-signedData (1.2.840.113549.1.7.2), and the - -- content field is a SignedData. - -- The eContentType field for the type SignedData is - -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the - -- eContent field contains the DER encoding of the - -- type KDCDHKeyInfo. - -- KDCDHKeyInfo is defined below. - serverDHNonce [1] DHNonce OPTIONAL, - -- Present if and only if dhKeyExpiration is - -- present. - ... -} - -KDCDHKeyInfo ::= SEQUENCE { - subjectPublicKey [0] BIT STRING, - -- The KDC's DH public key. - -- The DH public key value is encoded as a BIT - -- STRING according to [RFC3279]. 
- nonce [1] INTEGER (0..4294967295), - -- Contains the nonce in the pkAuthenticator field - -- in the request if the DH keys are NOT reused, - -- 0 otherwise. - dhKeyExpiration [2] KerberosTime OPTIONAL, - -- Expiration time for KDC's key pair, - -- present if and only if the DH keys are reused. - -- If present, the KDC's DH public key MUST not be - -- used past the point of this expiration time. - -- If this field is omitted then the serverDHNonce - -- field MUST also be omitted. - ... -} - -ReplyKeyPack ::= SEQUENCE { - replyKey [0] EncryptionKey, - -- Contains the session key used to encrypt the - -- enc-part field in the AS-REP, i.e., the - -- AS reply key. - asChecksum [1] Checksum, - -- Contains the checksum of the AS-REQ - -- corresponding to the containing AS-REP. - -- The checksum is performed over the type AS-REQ. - -- The protocol key [RFC3961] of the checksum is the - -- replyKey and the key usage number is 6. - -- If the replyKey's enctype is "newer" [RFC4120] - -- [RFC4121], the checksum is the required - -- checksum operation [RFC3961] for that enctype. - -- The client MUST verify this checksum upon receipt - -- of the AS-REP. - ... -} - -TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier - -- Each AlgorithmIdentifier specifies a set of - -- Diffie-Hellman domain parameters [IEEE1363]. - -- This list is in decreasing preference order. -END diff --git a/crypto/krb5/src/tests/asn.1/pkinit_encode.out b/crypto/krb5/src/tests/asn.1/pkinit_encode.out deleted file mode 100644 index a764182e1553..000000000000 --- a/crypto/krb5/src/tests/asn.1/pkinit_encode.out +++ /dev/null 
@@ -1,8 +0,0 @@
-encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
-encode_krb5_auth_pack: 30 81 89 A0 39 30 37 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 08 04 06 70 76 61 6C 75 65 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
-encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
-encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
-encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
-encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/crypto/krb5/src/tests/asn.1/pkinit_trval.out b/crypto/krb5/src/tests/asn.1/pkinit_trval.out
deleted file mode 100644
index c47bd71f67e8..000000000000
--- a/crypto/krb5/src/tests/asn.1/pkinit_trval.out
+++ /dev/null
@@ -1,97 +0,0 @@ - -encode_krb5_pa_pk_as_req: - -[Sequence/Sequence Of] -. [0] <8> - 6b 72 62 35 64 61 74 61 krb5data -. [1] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] <8> - 6b 72 62 35 64 61 74 61 krb5data -. . . [1] <8> - 6b 72 62 35 64 61 74 61 krb5data -. . . [2] <8> - 6b 72 62 35 64 61 74 61 krb5data -. [2] <8> - 6b 72 62 35 64 61 74 61 krb5data - -encode_krb5_pa_pk_as_rep(dhInfo): - -[CONT 0] -. [Sequence/Sequence Of] -. . [0] <8> - 6b 72 62 35 64 61 74 61 krb5data -. . [1] [Octet String] "krb5data" -. . [2] [Sequence/Sequence Of] -. . . [0] [Object Identifier] <8> - 6b 72 62 35 64 61 74 61 krb5data - -encode_krb5_pa_pk_as_rep(encKeyPack): - -[CONT 1] <8> - 6b 72 62 35 64 61 74 61 krb5data - -encode_krb5_auth_pack: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [0] [Integer] 123456 -. . [1] [Generalized Time] "19940610060317Z" -. . [2] [Integer] 42 -. . [3] [Octet String] "krb5data" -. . [4] [Octet String] "krb5data" -. [1] [Octet String] "pvalue" -. [2] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [Object Identifier] <9> - 2a 86 48 86 f7 12 01 02 02 *.H...... -. . . [Octet String] "params" -. . [Sequence/Sequence Of] -. . . [Object Identifier] <9> - 2a 86 48 86 f7 12 01 02 02 *.H...... -. [3] [Octet String] "krb5data" -. [4] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] [Object Identifier] <8> - 6b 72 62 35 64 61 74 61 krb5data - -encode_krb5_kdc_dh_key_info: - -[Sequence/Sequence Of] -. [0] [Bit String] <9> - 00 6b 72 62 35 64 61 74 61 .krb5data -. [1] [Integer] 42 -. [2] [Generalized Time] "19940610060317Z" - -encode_krb5_reply_key_pack: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "12345678" -. [1] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "1234" - -encode_krb5_sp80056a_other_info: - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [Object Identifier] <9> - 2a 86 48 86 f7 12 01 02 02 *.H...... -. 
[0] [Octet String] <48> - 30 2e a0 10 1b 0e 41 54 48 45 4e 41 2e 4d 49 54 0.....ATHENA.MIT - 2e 45 44 55 a1 1a 30 18 a0 03 02 01 01 a1 11 30 .EDU..0........0 - 0f 1b 06 68 66 74 73 61 69 1b 05 65 78 74 72 61 ...hftsai..extra -. [1] [Octet String] <48> - 30 2e a0 10 1b 0e 41 54 48 45 4e 41 2e 4d 49 54 0.....ATHENA.MIT - 2e 45 44 55 a1 1a 30 18 a0 03 02 01 01 a1 11 30 .EDU..0........0 - 0f 1b 06 68 66 74 73 61 69 1b 05 65 78 74 72 61 ...hftsai..extra -. [2] [Octet String] "krb5data" - -encode_krb5_pkinit_supp_pub_info: - -[Sequence/Sequence Of] -. [0] [Integer] 20 -. [1] [Octet String] "krb5data" -. [2] [Octet String] "krb5data" diff --git a/crypto/krb5/src/tests/asn.1/pkix.asn1 b/crypto/krb5/src/tests/asn.1/pkix.asn1 deleted file mode 100644 index 039818833b4d..000000000000 --- a/crypto/krb5/src/tests/asn.1/pkix.asn1 +++ /dev/null 
@@ -1,654 +0,0 @@ -PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } - -DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - --- EXPORTS ALL -- - --- IMPORTS NONE -- - --- UNIVERSAL Types defined in 1993 and 1998 ASN.1 --- and required by this specification --- (Commented out for krb5 source tree) - --- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING - -- UniversalString is defined in ASN.1:1993 - --- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING - -- BMPString is the subtype of UniversalString and models - -- the Basic Multilingual Plane of ISO/IEC 10646 - ---UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING - -- The content of this type conforms to RFC 3629. - --- PKIX specific OIDs - -id-pkix OBJECT IDENTIFIER ::= - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) } - --- PKIX arcs - -id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } - -- arc for private certificate extensions -id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } - -- arc for policy qualifier types -id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } - -- arc for extended key purpose OIDS -id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } - -- arc for access descriptors - --- policyQualifierIds for Internet policy qualifiers - -id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } - -- OID for CPS qualifier -id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } - -- OID for user notice qualifier - --- access descriptor definitions - -id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } -id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } -id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } -id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } - --- attribute data types - -Attribute ::= SEQUENCE { - type AttributeType, - values SET OF AttributeValue } - -- at least one value is required - -AttributeType ::= OBJECT IDENTIFIER - -AttributeValue ::= ANY -- DEFINED BY AttributeType - -AttributeTypeAndValue ::= SEQUENCE { - 
type AttributeType, - value AttributeValue } - --- suggested naming attributes: Definition of the following --- information object set may be augmented to meet local --- requirements. Note that deleting members of the set may --- prevent interoperability with conforming implementations. --- presented in pairs: the AttributeType followed by the --- type definition for the corresponding AttributeValue - --- Arc for standard naming attributes - -id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } - --- Naming attributes of type X520name - -id-at-name AttributeType ::= { id-at 41 } -id-at-surname AttributeType ::= { id-at 4 } -id-at-givenName AttributeType ::= { id-at 42 } -id-at-initials AttributeType ::= { id-at 43 } -id-at-generationQualifier AttributeType ::= { id-at 44 } - --- Naming attributes of type X520Name: --- X520name ::= DirectoryString (SIZE (1..ub-name)) --- --- Expanded to avoid parameterized type: -X520name ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-name)), - printableString PrintableString (SIZE (1..ub-name)), - universalString UniversalString (SIZE (1..ub-name)), - utf8String UTF8String (SIZE (1..ub-name)), - bmpString BMPString (SIZE (1..ub-name)) } - --- Naming attributes of type X520CommonName - -id-at-commonName AttributeType ::= { id-at 3 } - --- Naming attributes of type X520CommonName: --- X520CommonName ::= DirectoryName (SIZE (1..ub-common-name)) --- --- Expanded to avoid parameterized type: -X520CommonName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-common-name)), - printableString PrintableString (SIZE (1..ub-common-name)), - universalString UniversalString (SIZE (1..ub-common-name)), - utf8String UTF8String (SIZE (1..ub-common-name)), - bmpString BMPString (SIZE (1..ub-common-name)) } - --- Naming attributes of type X520LocalityName - -id-at-localityName AttributeType ::= { id-at 7 } - --- Naming attributes of type X520LocalityName: --- X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name)) --- --- 
Expanded to avoid parameterized type: -X520LocalityName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-locality-name)), - printableString PrintableString (SIZE (1..ub-locality-name)), - universalString UniversalString (SIZE (1..ub-locality-name)), - utf8String UTF8String (SIZE (1..ub-locality-name)), - bmpString BMPString (SIZE (1..ub-locality-name)) } - --- Naming attributes of type X520StateOrProvinceName - -id-at-stateOrProvinceName AttributeType ::= { id-at 8 } - --- Naming attributes of type X520StateOrProvinceName: --- X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name)) --- --- Expanded to avoid parameterized type: -X520StateOrProvinceName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-state-name)), - printableString PrintableString (SIZE (1..ub-state-name)), - universalString UniversalString (SIZE (1..ub-state-name)), - utf8String UTF8String (SIZE (1..ub-state-name)), - bmpString BMPString (SIZE (1..ub-state-name)) } - --- Naming attributes of type X520OrganizationName - -id-at-organizationName AttributeType ::= { id-at 10 } - --- Naming attributes of type X520OrganizationName: --- X520OrganizationName ::= --- DirectoryName (SIZE (1..ub-organization-name)) --- --- Expanded to avoid parameterized type: -X520OrganizationName ::= CHOICE { - teletexString TeletexString - (SIZE (1..ub-organization-name)), - printableString PrintableString - (SIZE (1..ub-organization-name)), - universalString UniversalString - (SIZE (1..ub-organization-name)), - utf8String UTF8String - (SIZE (1..ub-organization-name)), - bmpString BMPString - (SIZE (1..ub-organization-name)) } - --- Naming attributes of type X520OrganizationalUnitName - -id-at-organizationalUnitName AttributeType ::= { id-at 11 } - --- Naming attributes of type X520OrganizationalUnitName: --- X520OrganizationalUnitName ::= --- DirectoryName (SIZE (1..ub-organizational-unit-name)) --- --- Expanded to avoid parameterized type: -X520OrganizationalUnitName ::= CHOICE { - teletexString 
TeletexString - (SIZE (1..ub-organizational-unit-name)), - printableString PrintableString - (SIZE (1..ub-organizational-unit-name)), - universalString UniversalString - (SIZE (1..ub-organizational-unit-name)), - utf8String UTF8String - (SIZE (1..ub-organizational-unit-name)), - bmpString BMPString - (SIZE (1..ub-organizational-unit-name)) } - --- Naming attributes of type X520Title - -id-at-title AttributeType ::= { id-at 12 } - --- Naming attributes of type X520Title: --- X520Title ::= DirectoryName (SIZE (1..ub-title)) --- --- Expanded to avoid parameterized type: -X520Title ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-title)), - printableString PrintableString (SIZE (1..ub-title)), - universalString UniversalString (SIZE (1..ub-title)), - utf8String UTF8String (SIZE (1..ub-title)), - bmpString BMPString (SIZE (1..ub-title)) } - --- Naming attributes of type X520dnQualifier - -id-at-dnQualifier AttributeType ::= { id-at 46 } - -X520dnQualifier ::= PrintableString - --- Naming attributes of type X520countryName (digraph from IS 3166) - -id-at-countryName AttributeType ::= { id-at 6 } - -X520countryName ::= PrintableString (SIZE (2)) - --- Naming attributes of type X520SerialNumber - -id-at-serialNumber AttributeType ::= { id-at 5 } - -X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) - --- Naming attributes of type X520Pseudonym - -id-at-pseudonym AttributeType ::= { id-at 65 } - --- Naming attributes of type X520Pseudonym: --- X520Pseudonym ::= DirectoryName (SIZE (1..ub-pseudonym)) --- --- Expanded to avoid parameterized type: -X520Pseudonym ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-pseudonym)), - printableString PrintableString (SIZE (1..ub-pseudonym)), - universalString UniversalString (SIZE (1..ub-pseudonym)), - utf8String UTF8String (SIZE (1..ub-pseudonym)), - bmpString BMPString (SIZE (1..ub-pseudonym)) } - --- Naming attributes of type DomainComponent (from RFC 4519) - -id-domainComponent AttributeType ::= { 0 9 
2342 19200300 100 1 25 } - -DomainComponent ::= IA5String - --- Legacy attributes - -pkcs-9 OBJECT IDENTIFIER ::= - { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } - -id-emailAddress AttributeType ::= { pkcs-9 1 } - -EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length)) - --- naming data types -- - -Name ::= CHOICE { -- only one possibility for now -- - rdnSequence RDNSequence } - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -DistinguishedName ::= RDNSequence - -RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue - --- Directory string type -- - -DirectoryString ::= CHOICE { - teletexString TeletexString (SIZE (1..MAX)), - printableString PrintableString (SIZE (1..MAX)), - universalString UniversalString (SIZE (1..MAX)), - utf8String UTF8String (SIZE (1..MAX)), - bmpString BMPString (SIZE (1..MAX)) } - --- certificate and CRL specific structures begin here - -Certificate ::= SEQUENCE { - tbsCertificate TBSCertificate, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING } - -TBSCertificate ::= SEQUENCE { - version [0] Version DEFAULT v1, - serialNumber CertificateSerialNumber, - signature AlgorithmIdentifier, - issuer Name, - validity Validity, - subject Name, - subjectPublicKeyInfo SubjectPublicKeyInfo, - issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version MUST be v2 or v3 - subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version MUST be v2 or v3 - extensions [3] Extensions OPTIONAL - -- If present, version MUST be v3 -- } - -Version ::= INTEGER { v1(0), v2(1), v3(2) } - -CertificateSerialNumber ::= INTEGER - -Validity ::= SEQUENCE { - notBefore Time, - notAfter Time } - -Time ::= CHOICE { - utcTime UTCTime, - generalTime GeneralizedTime } - -UniqueIdentifier ::= BIT STRING - -SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - subjectPublicKey BIT STRING } - -Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension - -Extension ::= 
SEQUENCE { - extnID OBJECT IDENTIFIER, - critical BOOLEAN DEFAULT FALSE, - extnValue OCTET STRING - -- contains the DER encoding of an ASN.1 value - -- corresponding to the extension type identified - -- by extnID - } - --- CRL structures - -CertificateList ::= SEQUENCE { - tbsCertList TBSCertList, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING } - -TBSCertList ::= SEQUENCE { - version Version OPTIONAL, - -- if present, MUST be v2 - signature AlgorithmIdentifier, - issuer Name, - thisUpdate Time, - nextUpdate Time OPTIONAL, - revokedCertificates SEQUENCE OF SEQUENCE { - userCertificate CertificateSerialNumber, - revocationDate Time, - crlEntryExtensions Extensions OPTIONAL - -- if present, version MUST be v2 - } OPTIONAL, - crlExtensions [0] Extensions OPTIONAL } - -- if present, version MUST be v2 - --- Version, Time, CertificateSerialNumber, and Extensions were --- defined earlier for use in the certificate structure - -AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } - -- contains a value of the type - -- registered for use with the - -- algorithm object identifier value - --- X.400 address syntax starts here - -ORAddress ::= SEQUENCE { - built-in-standard-attributes BuiltInStandardAttributes, - built-in-domain-defined-attributes - BuiltInDomainDefinedAttributes OPTIONAL, - -- see also teletex-domain-defined-attributes - extension-attributes ExtensionAttributes OPTIONAL } - --- Built-in Standard Attributes - -BuiltInStandardAttributes ::= SEQUENCE { - country-name CountryName OPTIONAL, - administration-domain-name AdministrationDomainName OPTIONAL, - network-address [0] IMPLICIT NetworkAddress OPTIONAL, - -- see also extended-network-address - terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, - private-domain-name [2] PrivateDomainName OPTIONAL, - organization-name [3] IMPLICIT OrganizationName OPTIONAL, - -- see also teletex-organization-name - 
numeric-user-identifier [4] IMPLICIT NumericUserIdentifier - OPTIONAL, - personal-name [5] IMPLICIT PersonalName OPTIONAL, - -- see also teletex-personal-name - organizational-unit-names [6] IMPLICIT OrganizationalUnitNames - OPTIONAL } - -- see also teletex-organizational-unit-names - -CountryName ::= [APPLICATION 1] CHOICE { - x121-dcc-code NumericString - (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -AdministrationDomainName ::= [APPLICATION 2] CHOICE { - numeric NumericString (SIZE (0..ub-domain-name-length)), - printable PrintableString (SIZE (0..ub-domain-name-length)) } - -NetworkAddress ::= X121Address -- see also extended-network-address - -X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) - -TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length)) - -PrivateDomainName ::= CHOICE { - numeric NumericString (SIZE (1..ub-domain-name-length)), - printable PrintableString (SIZE (1..ub-domain-name-length)) } - -OrganizationName ::= PrintableString - (SIZE (1..ub-organization-name-length)) - -- see also teletex-organization-name - -NumericUserIdentifier ::= NumericString - (SIZE (1..ub-numeric-user-id-length)) - -PersonalName ::= SET { - surname [0] IMPLICIT PrintableString - (SIZE (1..ub-surname-length)), - given-name [1] IMPLICIT PrintableString - (SIZE (1..ub-given-name-length)) OPTIONAL, - initials [2] IMPLICIT PrintableString - (SIZE (1..ub-initials-length)) OPTIONAL, - generation-qualifier [3] IMPLICIT PrintableString - (SIZE (1..ub-generation-qualifier-length)) - OPTIONAL } - -- see also teletex-personal-name - -OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) - OF OrganizationalUnitName - -- see also teletex-organizational-unit-names - -OrganizationalUnitName ::= PrintableString (SIZE - (1..ub-organizational-unit-name-length)) - --- Built-in Domain-defined Attributes - -BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE - 
(1..ub-domain-defined-attributes) OF - BuiltInDomainDefinedAttribute - -BuiltInDomainDefinedAttribute ::= SEQUENCE { - type PrintableString (SIZE - (1..ub-domain-defined-attribute-type-length)), - value PrintableString (SIZE - (1..ub-domain-defined-attribute-value-length)) } - --- Extension Attributes - -ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF - ExtensionAttribute - -ExtensionAttribute ::= SEQUENCE { - extension-attribute-type [0] IMPLICIT INTEGER - (0..ub-extension-attributes), - extension-attribute-value [1] - ANY DEFINED BY extension-attribute-type } - --- Extension types and attribute values - -common-name INTEGER ::= 1 - -CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) - -teletex-common-name INTEGER ::= 2 - -TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) - -teletex-organization-name INTEGER ::= 3 - -TeletexOrganizationName ::= - TeletexString (SIZE (1..ub-organization-name-length)) - -teletex-personal-name INTEGER ::= 4 - -TeletexPersonalName ::= SET { - surname [0] IMPLICIT TeletexString - (SIZE (1..ub-surname-length)), - given-name [1] IMPLICIT TeletexString - (SIZE (1..ub-given-name-length)) OPTIONAL, - initials [2] IMPLICIT TeletexString - (SIZE (1..ub-initials-length)) OPTIONAL, - generation-qualifier [3] IMPLICIT TeletexString - (SIZE (1..ub-generation-qualifier-length)) - OPTIONAL } - -teletex-organizational-unit-names INTEGER ::= 5 - -TeletexOrganizationalUnitNames ::= SEQUENCE SIZE - (1..ub-organizational-units) OF TeletexOrganizationalUnitName - -TeletexOrganizationalUnitName ::= TeletexString - (SIZE (1..ub-organizational-unit-name-length)) - -pds-name INTEGER ::= 7 - -PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) - -physical-delivery-country-name INTEGER ::= 8 - -PhysicalDeliveryCountryName ::= CHOICE { - x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -postal-code 
INTEGER ::= 9 - -PostalCode ::= CHOICE { - numeric-code NumericString (SIZE (1..ub-postal-code-length)), - printable-code PrintableString (SIZE (1..ub-postal-code-length)) } - -physical-delivery-office-name INTEGER ::= 10 -PhysicalDeliveryOfficeName ::= PDSParameter - -physical-delivery-office-number INTEGER ::= 11 - -PhysicalDeliveryOfficeNumber ::= PDSParameter - -extension-OR-address-components INTEGER ::= 12 - -ExtensionORAddressComponents ::= PDSParameter - -physical-delivery-personal-name INTEGER ::= 13 - -PhysicalDeliveryPersonalName ::= PDSParameter - -physical-delivery-organization-name INTEGER ::= 14 - -PhysicalDeliveryOrganizationName ::= PDSParameter - -extension-physical-delivery-address-components INTEGER ::= 15 - -ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter - -unformatted-postal-address INTEGER ::= 16 - -UnformattedPostalAddress ::= SET { - printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) - OF PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL, - teletex-string TeletexString - (SIZE (1..ub-unformatted-address-length)) OPTIONAL } - -street-address INTEGER ::= 17 - -StreetAddress ::= PDSParameter - -post-office-box-address INTEGER ::= 18 - -PostOfficeBoxAddress ::= PDSParameter - -poste-restante-address INTEGER ::= 19 - -PosteRestanteAddress ::= PDSParameter - -unique-postal-name INTEGER ::= 20 - -UniquePostalName ::= PDSParameter - -local-postal-attributes INTEGER ::= 21 - -LocalPostalAttributes ::= PDSParameter - -PDSParameter ::= SET { - printable-string PrintableString - (SIZE(1..ub-pds-parameter-length)) OPTIONAL, - teletex-string TeletexString - (SIZE(1..ub-pds-parameter-length)) OPTIONAL } - -extended-network-address INTEGER ::= 22 - -ExtendedNetworkAddress ::= CHOICE { - e163-4-address SEQUENCE { - number [0] IMPLICIT NumericString - (SIZE (1..ub-e163-4-number-length)), - sub-address [1] IMPLICIT NumericString - (SIZE (1..ub-e163-4-sub-address-length)) - OPTIONAL }, - psap-address [0] IMPLICIT 
PresentationAddress } - -PresentationAddress ::= SEQUENCE { - pSelector [0] EXPLICIT OCTET STRING OPTIONAL, - sSelector [1] EXPLICIT OCTET STRING OPTIONAL, - tSelector [2] EXPLICIT OCTET STRING OPTIONAL, - nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } - -terminal-type INTEGER ::= 23 - -TerminalType ::= INTEGER { - telex (3), - teletex (4), - g3-facsimile (5), - g4-facsimile (6), - ia5-terminal (7), - videotex (8) } (0..ub-integer-options) - --- Extension Domain-defined Attributes - -teletex-domain-defined-attributes INTEGER ::= 6 - -TeletexDomainDefinedAttributes ::= SEQUENCE SIZE - (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute - -TeletexDomainDefinedAttribute ::= SEQUENCE { - type TeletexString - (SIZE (1..ub-domain-defined-attribute-type-length)), - value TeletexString - (SIZE (1..ub-domain-defined-attribute-value-length)) } - --- specifications of Upper Bounds MUST be regarded as mandatory --- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter --- Upper Bounds - --- Upper Bounds -ub-name INTEGER ::= 32768 -ub-common-name INTEGER ::= 64 -ub-locality-name INTEGER ::= 128 -ub-state-name INTEGER ::= 128 -ub-organization-name INTEGER ::= 64 -ub-organizational-unit-name INTEGER ::= 64 -ub-title INTEGER ::= 64 -ub-serial-number INTEGER ::= 64 -ub-match INTEGER ::= 128 -ub-emailaddress-length INTEGER ::= 255 -ub-common-name-length INTEGER ::= 64 -ub-country-name-alpha-length INTEGER ::= 2 -ub-country-name-numeric-length INTEGER ::= 3 -ub-domain-defined-attributes INTEGER ::= 4 -ub-domain-defined-attribute-type-length INTEGER ::= 8 -ub-domain-defined-attribute-value-length INTEGER ::= 128 -ub-domain-name-length INTEGER ::= 16 -ub-extension-attributes INTEGER ::= 256 -ub-e163-4-number-length INTEGER ::= 15 -ub-e163-4-sub-address-length INTEGER ::= 40 -ub-generation-qualifier-length INTEGER ::= 3 -ub-given-name-length INTEGER ::= 16 -ub-initials-length INTEGER ::= 5 -ub-integer-options INTEGER ::= 256 
-ub-numeric-user-id-length INTEGER ::= 32 -ub-organization-name-length INTEGER ::= 64 -ub-organizational-unit-name-length INTEGER ::= 32 -ub-organizational-units INTEGER ::= 4 -ub-pds-name-length INTEGER ::= 16 -ub-pds-parameter-length INTEGER ::= 30 -ub-pds-physical-address-lines INTEGER ::= 6 -ub-postal-code-length INTEGER ::= 16 -ub-pseudonym INTEGER ::= 128 -ub-surname-length INTEGER ::= 40 -ub-terminal-id-length INTEGER ::= 24 -ub-unformatted-address-length INTEGER ::= 180 -ub-x121-address-length INTEGER ::= 16 - --- Note - upper bounds on string types, such as TeletexString, are --- measured in characters. Excepting PrintableString or IA5String, a --- significantly greater number of octets will be required to hold --- such a value. As a minimum, 16 octets, or twice the specified --- upper bound, whichever is the larger, should be allowed for --- TeletexString. For UTF8String or UniversalString at least four --- times the upper bound should be allowed. - -END diff --git a/crypto/krb5/src/tests/asn.1/reference_encode.out b/crypto/krb5/src/tests/asn.1/reference_encode.out deleted file mode 100644 index 20c6ce1f3b0d..000000000000 --- a/crypto/krb5/src/tests/asn.1/reference_encode.out +++ /dev/null 
@@ -1,78 +0,0 @@ -encode_krb5_authenticator: 62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 -encode_krb5_authenticator(optionals empty): 62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A -encode_krb5_authenticator(optionals NULL): 62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A -encode_krb5_ticket: 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_keyblock: 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 -encode_krb5_enc_tkt_part: 63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 
30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 -encode_krb5_enc_tkt_part(optionals NULL): 63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A -encode_krb5_enc_kdc_rep_part: 7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 -encode_krb5_enc_kdc_rep_part(optionals NULL): 7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 
FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 -encode_krb5_as_rep: 6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_as_rep(optionals NULL): 6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_tgs_rep: 6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 
06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_tgs_rep(optionals NULL): 6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_ap_req: 6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_ap_rep: 6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_ap_rep_enc_part: 7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11 -encode_krb5_ap_rep_enc_part(optionals 
NULL): 7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 -encode_krb5_as_req: 6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_as_req(optionals NULL except second_ticket): 6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 
1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_as_req(optionals NULL except server): 6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 -encode_krb5_tgs_req: 6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 
62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_tgs_req(optionals NULL except second_ticket): 6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_tgs_req(optionals NULL except server): 6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 -encode_krb5_kdc_req_body: 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 
30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_kdc_req_body(optionals NULL except second_ticket): 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_kdc_req_body(optionals NULL except server): 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 
39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 -encode_krb5_safe: 74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 -encode_krb5_safe(optionals NULL): 74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 -encode_krb5_priv: 75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_enc_priv_part: 7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 -encode_krb5_enc_priv_part(optionals NULL): 7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 -encode_krb5_cred: 76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 
74 20 6D 65 73 73 61 67 65 -encode_krb5_enc_cred_part: 7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 -encode_krb5_enc_cred_part(optionals NULL): 7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 
1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 -encode_krb5_error: 7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61 -encode_krb5_error(optionals NULL): 7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 -encode_krb5_authorization_data: 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 -encode_krb5_padata_sequence: 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 -encode_krb5_typed_data: 30 24 30 10 A0 03 02 01 0D A1 09 04 07 70 61 2D 64 61 74 61 30 10 A0 03 02 01 0D A1 09 04 07 70 61 2D 64 61 74 61 -encode_krb5_padata_sequence(empty): 30 00 -encode_krb5_etype_info: 30 33 30 14 A0 
03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 -encode_krb5_etype_info(only 1): 30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 -encode_krb5_etype_info(no info): 30 00 -encode_krb5_etype_info2: 30 51 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 30 0F A0 03 02 01 01 A2 08 04 06 73 32 6B 3A 20 31 30 1E A0 03 02 01 02 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 A2 08 04 06 73 32 6B 3A 20 32 -encode_krb5_etype_info2(only 1): 30 20 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 -encode_krb5_pa_enc_ts: 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 -encode_krb5_pa_enc_ts (no usec): 30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A -encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_enc_data(MSB-set kvno): 30 26 A0 03 02 01 00 A1 06 02 04 FF 00 00 00 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_enc_data(kvno=-1): 30 23 A0 03 02 01 00 A1 03 02 01 FF A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_sam_challenge_2: 30 22 A0 0D 30 0B 04 09 63 68 61 6C 6C 65 6E 67 65 A1 11 30 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 -encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14 -encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 14 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 
6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10 -encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32 -encode_krb5_pa_for_user: 30 4B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 0A 1B 08 6B 72 62 35 64 61 74 61 -encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 -encode_krb5_ad_kdcissued: 30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 -encode_krb5_iakerb_header: 30 18 A1 0A 0C 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 -encode_krb5_iakerb_finished: 30 11 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 -encode_krb5_fast_response: 30 81 9F A0 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 5B 30 59 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 03 02 01 2A -encode_krb5_pa_fx_fast_reply: A0 29 30 27 A0 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 
-encode_krb5_otp_tokeninfo(optionals NULL): 30 07 80 05 00 00 00 00 00 -encode_krb5_otp_tokeninfo: 30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8 -encode_krb5_pa_otp_challenge(optionals NULL): 30 15 80 08 6D 69 6E 6E 6F 6E 63 65 A2 09 30 07 80 05 00 00 00 00 00 -encode_krb5_pa_otp_challenge: 30 81 A5 80 08 6D 61 78 6E 6F 6E 63 65 81 0B 74 65 73 74 73 65 72 76 69 63 65 A2 7D 30 07 80 05 00 00 00 00 00 30 72 80 05 00 77 00 00 00 81 0B 45 78 61 6D 70 6C 65 63 6F 72 70 82 05 68 61 72 6B 21 83 01 0A 84 01 02 85 09 79 6F 75 72 74 6F 6B 65 6E 86 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 A7 16 30 0B 06 09 60 86 48 01 65 03 04 02 01 30 07 06 05 2B 0E 03 02 1A 88 02 03 E8 83 07 6B 65 79 73 61 6C 74 84 04 31 32 33 34 -encode_krb5_pa_otp_req(optionals NULL): 30 2C 80 05 00 00 00 00 00 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_pa_otp_req: 30 81 B9 80 05 00 60 00 00 00 81 05 6E 6F 6E 63 65 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 0B 06 09 60 86 48 01 65 03 04 02 01 84 02 03 E8 85 05 66 72 6F 67 73 86 0A 6D 79 66 69 72 73 74 70 69 6E 87 05 68 61 72 6B 21 88 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 89 03 33 34 36 8A 01 02 8B 09 79 6F 75 72 74 6F 6B 65 6E 8C 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 8D 0B 45 78 61 6D 70 6C 65 63 6F 72 70 -encode_krb5_pa_otp_enc_req: 30 0A 80 08 6B 72 62 35 64 61 74 61 -encode_krb5_kkdcp_message: 30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 
82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 98 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A1 0A 1B 08 6B 72 62 35 64 61 74 61 -encode_krb5_cammac(optionals NULL): 30 12 A0 10 30 0E 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 -encode_krb5_cammac: 30 81 F2 A0 1E 30 1C 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 30 0C A0 03 02 01 02 A1 05 04 03 61 64 32 A1 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 6B 64 63 A2 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 
72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 73 76 63 A3 52 30 50 30 13 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 31 30 39 A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 32 -encode_krb5_secure_cookie: 30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 -encode_krb5_spake_factor(optionals NULL): 30 05 A0 03 02 01 01 -encode_krb5_spake_factor: 30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61 -encode_krb5_pa_spake(support): A0 0C 30 0A A0 08 30 06 02 01 01 02 01 02 -encode_krb5_pa_spake(challenge): A1 2D 30 2B A0 03 02 01 01 A1 09 04 07 54 20 76 61 6C 75 65 A2 19 30 17 30 05 A0 03 02 01 01 30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61 -encode_krb5_pa_spake(response): A2 34 30 32 A0 09 04 07 53 20 76 61 6C 75 65 A1 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 -encode_krb5_pa_spake(encdata): A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 diff --git a/crypto/krb5/src/tests/asn.1/spake.asn1 b/crypto/krb5/src/tests/asn.1/spake.asn1 deleted file mode 100644 index 50718d8ad5c1..000000000000 --- a/crypto/krb5/src/tests/asn.1/spake.asn1 +++ /dev/null 
@@ -1,44 +0,0 @@ -KerberosV5SPAKE { - iso(1) identified-organization(3) dod(6) internet(1) - security(5) kerberosV5(2) modules(4) spake(8) -} DEFINITIONS EXPLICIT TAGS ::= BEGIN - -IMPORTS - EncryptedData, Int32 - FROM KerberosV5Spec2 { iso(1) identified-organization(3) - dod(6) internet(1) security(5) kerberosV5(2) modules(4) - krb5spec2(2) }; - -- as defined in RFC 4120. - -SPAKESupport ::= SEQUENCE { - groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32, - ... -} - -SPAKEChallenge ::= SEQUENCE { - group [0] Int32, - pubkey [1] OCTET STRING, - factors [2] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor, - ... -} - -SPAKESecondFactor ::= SEQUENCE { - type [0] Int32, - data [1] OCTET STRING OPTIONAL -} - -SPAKEResponse ::= SEQUENCE { - pubkey [0] OCTET STRING, - factor [1] EncryptedData, -- SPAKESecondFactor - ... -} - -PA-SPAKE ::= CHOICE { - support [0] SPAKESupport, - challenge [1] SPAKEChallenge, - response [2] SPAKEResponse, - encdata [3] EncryptedData, - ... -} - -END diff --git a/crypto/krb5/src/tests/asn.1/t_trval.c b/crypto/krb5/src/tests/asn.1/t_trval.c deleted file mode 100644 index 009ed5bb9e34..000000000000 --- a/crypto/krb5/src/tests/asn.1/t_trval.c +++ /dev/null 
@@ -1,105 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1992,1993 Trusted Information Systems, Inc.
- *
- * Permission to include this software in the Kerberos V5 distribution
- * was graciously provided by Trusted Information Systems.
- *
- * Trusted Information Systems makes no representation about the
- * suitability of this software for any purpose. It is provided
- * "as is" without express or implied warranty.
- *
- * Copyright (C) 1994 Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* Split out from "#ifdef STANDALONE" code previously in trval.c, so
- that trval.o could be linked into other tests too without the
- -DSTANDALONE code. */
-#include "trval.c"
-
-static void
-usage(void)
-{
- fprintf(stderr, "Usage: trval [--types] [--krb5] [--krb5decode] [--hex] [-notypebytes] [file]\n");
- exit(1);
-}
-
-/*
- * Returns true if the option was selected. Allow "-option" and
- * "--option" syntax, since we used to accept only "-option"
- */
-static int
-check_option(char *word, char *option)
-{
- if (word[0] != '-')
- return 0;
- if (word[1] == '-')
- word++;
- if (strcmp(word+1, option))
- return 0;
- return 1;
-}
-
-int
-main(int argc, char **argv)
-{
- int optflg = 1;
- FILE *fp;
- int r = 0;
-
- while (--argc > 0) {
- argv++;
- if (optflg && *(argv)[0] == '-') {
- if (check_option(*argv, "help"))
- usage();
- else if (check_option(*argv, "types"))
- print_types = 1;
- else if (check_option(*argv, "notypes"))
- print_types = 0;
- else if (check_option(*argv, "krb5"))
- print_krb5_types = 1;
- else if (check_option(*argv, "hex"))
- do_hex = 1;
- else if (check_option(*argv, "notypebytes"))
- print_id_and_len = 0;
- else if (check_option(*argv, "krb5decode")) {
- print_id_and_len = 0;
- print_krb5_types = 1;
- print_types = 1;
- } else {
- fprintf(stderr,"trval: unknown option: %s\n", *argv);
- usage();
- }
- } else {
- optflg = 0;
- if ((fp = fopen(*argv,"r")) == NULL) {
- fprintf(stderr,"trval: unable to open %s\n", *argv);
- continue;
- }
- r = trval(fp, stdout);
- fclose(fp);
- }
- }
- if (optflg) r = trval(stdin, stdout);
-
- exit(r);
-}
diff --git a/crypto/krb5/src/tests/asn.1/trval.c b/crypto/krb5/src/tests/asn.1/trval.c
deleted file mode 100644
index f84c515d5e45..000000000000
--- a/crypto/krb5/src/tests/asn.1/trval.c
+++ /dev/null
@@ -1,742 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1992,1993 Trusted Information Systems, Inc.
- *
- * Permission to include this software in the Kerberos V5 distribution
- * was graciously provided by Trusted Information Systems.
- *
- * Trusted Information Systems makes no representation about the
- * suitability of this software for any purpose. It is provided
- * "as is" without express or implied warranty.
- */
-/*
- * Copyright (C) 1994 Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*****************************************************************************
- * trval.c.c
- *****************************************************************************/
-
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <string.h>
-
-#define OK 0
-#define NOTOK (-1)
-
-/* IDENTIFIER OCTET = TAG CLASS | FORM OF ENCODING | TAG NUMBER */
-
-/* TAG CLASSES */
-#define ID_CLASS 0xc0 /* bits 8 and 7 */
-#define CLASS_UNIV 0x00 /* 0 = universal */
-#define CLASS_APPL 0x40 /* 1 = application */
-#define CLASS_CONT 0x80 /* 2 = context-specific */
-#define CLASS_PRIV 0xc0 /* 3 = private */
-
-/* FORM OF ENCODING */
-#define ID_FORM 0x20 /* bit 6 */
-#define FORM_PRIM 0x00 /* 0 = primitive */
-#define FORM_CONS 0x20 /* 1 = constructed */
-
-/* TAG NUMBERS */
-#define ID_TAG 0x1f /* bits 5-1 */
-#define PRIM_BOOL 0x01 /* Boolean */
-#define PRIM_INT 0x02 /* Integer */
-#define PRIM_BITS 0x03 /* Bit String */
-#define PRIM_OCTS 0x04 /* Octet String */
-#define PRIM_NULL 0x05 /* Null */
-#define PRIM_OID 0x06 /* Object Identifier */
-#define PRIM_ODE 0x07 /* Object Descriptor */
-#define CONS_EXTN 0x08 /* External */
-#define PRIM_REAL 0x09 /* Real */
-#define PRIM_ENUM 0x0a /* Enumerated type */
-#define PRIM_ENCR 0x0b /* Encrypted */
-#define PRIM_UTF8 0x0c /* UTF8String */
-#define CONS_SEQ 0x10 /* SEQUENCE/SEQUENCE OF */
-#define CONS_SET 0x11 /* SET/SET OF */
-#define DEFN_NUMS 0x12 /* Numeric String */
-#define DEFN_PRTS 0x13 /* Printable String */
-#define DEFN_T61S 0x14 /* T.61 String */
-#define DEFN_VTXS 0x15 /* Videotex String */
-#define DEFN_IA5S 0x16 /* IA5 String */
-#define DEFN_UTCT 0x17 /* UTCTime */
-#define DEFN_GENT 0x18 /* Generalized Time */
-#define DEFN_GFXS 0x19 /* Graphics string (ISO2375) */
-#define DEFN_VISS 0x1a /* Visible string */
-#define DEFN_GENS 0x1b /* General string */
-#define DEFN_CHRS 0x1c /* Character string */
-
-#define LEN_XTND 0x80 /* long or indefinite form */
-#define LEN_SMAX 127 /* largest short form */
-#define LEN_MASK 0x7f /* mask to get number of bytes in length */
-#define LEN_INDF (-1) /* indefinite length */
-
-#define KRB5 /* Do krb5 application types */
-
-int print_types = 0;
-int print_id_and_len = 1;
-int print_constructed_length = 1;
-int print_primitive_length = 1;
-int print_skip_context = 0;
-int print_skip_tagnum = 1;
-int print_context_shortcut = 0;
-int do_hex = 0;
-#ifdef KRB5
-int print_krb5_types = 0;
-#endif
-
-int current_appl_type = -1;
-
-int decode_len (FILE *, unsigned char *, int);
-int do_prim (FILE *, int, unsigned char *, int, int);
-int do_cons (FILE *, unsigned char *, int, int, int *);
-int do_prim_bitstring (FILE *, int, unsigned char *, int, int);
-int do_prim_int (FILE *, int, unsigned char *, int, int);
-int do_prim_string (FILE *, int, unsigned char *, int, int);
-void print_tag_type (FILE *, int, int);
-int trval (FILE *, FILE *);
-int trval2 (FILE *, unsigned char *, int, int, int *);
-
-
-/****************************************************************************/
-
-static int
-convert_nibble(int ch)
-{
- if (isdigit(ch))
- return (ch - '0');
- if (ch >= 'a' && ch <= 'f')
- return (ch - 'a' + 10);
- if (ch >= 'A' && ch <= 'F')
- return (ch - 'A' + 10);
- return -1;
-}
-
-int
-trval(FILE *fin, FILE *fout)
-{
- unsigned char *p;
- unsigned int maxlen;
- int len;
- int cc, cc2, n1, n2;
- int r;
- int rlen;
-
- maxlen = BUFSIZ;
- p = (unsigned char *)malloc(maxlen);
- len = 0;
- while ((cc = fgetc(fin)) != EOF) {
- if ((unsigned int) len == maxlen) {
- maxlen += BUFSIZ;
- p = (unsigned char *)realloc(p, maxlen);
- }
- if (do_hex) {
- if (cc == ' ' || cc == '\n' || cc == '\t')
- continue;
- cc2 = fgetc(fin);
- if (cc2 == EOF)
- break;
- n1 = convert_nibble(cc);
- n2 = convert_nibble(cc2);
- cc = (n1 << 4) + n2;
- }
- p[len++] = cc;
- }
- fprintf(fout, "<%d>", len);
- r = trval2(fout, p, len, 0, &rlen);
- fprintf(fout, "\n");
- (void) free(p);
- return(r);
-}
-
-int
-trval2(FILE *fp, unsigned char *enc, int len, int lev, int *rlen)
-{
- int l, eid, elen, xlen, r, rlen2 = 0;
- int rlen_ext = 0;
-
- r = OK;
- *rlen = -1;
-
- if (len < 2) {
- fprintf(fp, "missing id and length octets (%d)\n", len);
- return(NOTOK);
- }
-
- fprintf(fp, "\n");
- for (l=0; l<lev; l++) fprintf(fp, ". ");
-
-context_restart:
- eid = enc[0];
- elen = enc[1];
-
- if (print_id_and_len) {
- fprintf(fp, "%02x ", eid);
- fprintf(fp, "%02x ", elen);
- }
-
- if (elen == LEN_XTND) {
- fprintf(fp,
- "indefinite length encoding not implemented (0x%02x)\n", elen);
- return(NOTOK);
- }
-
- xlen = 0;
- if (elen & LEN_XTND) {
- xlen = elen & LEN_MASK;
- if (xlen > len - 2) {
- fprintf(fp, "extended length too long (%d > %d - 2)\n", xlen, len);
- return(NOTOK);
- }
- elen = decode_len(fp, enc+2, xlen);
- }
-
- if (elen > len - 2 - xlen) {
- fprintf(fp, "length too long (%d > %d - 2 - %d)\n", elen, len, xlen);
- return(NOTOK);
- }
-
- print_tag_type(fp, eid, lev);
-
- if (print_context_shortcut && (eid & ID_CLASS) == CLASS_CONT &&
- (eid & ID_FORM) == FORM_CONS && lev > 0) {
- rlen_ext += 2 + xlen;
- enc += 2 + xlen;
- fprintf(fp, " ");
- goto context_restart;
- }
-
- switch(eid & ID_FORM) {
- case FORM_PRIM:
- r = do_prim(fp, eid & ID_TAG, enc+2+xlen, elen, lev+1);
- *rlen = 2 + xlen + elen + rlen_ext;
- break;
- case FORM_CONS:
- if (print_constructed_length) {
- fprintf(fp, " constr");
- fprintf(fp, " <%d>", elen);
- }
- r = do_cons(fp, enc+2+xlen, elen, lev+1, &rlen2);
- *rlen = 2 + xlen + rlen2 + rlen_ext;
- break;
- }
-
- return(r);
-}
-
-int
-decode_len(FILE *fp, unsigned char *enc, int len)
-{
- int rlen;
- int i;
-
- if (print_id_and_len)
- fprintf(fp, "%02x ", enc[0]);
- rlen = enc[0];
- for (i=1; i<len; i++) {
- if (print_id_and_len)
- fprintf(fp, "%02x ", enc[i]);
- rlen = (rlen * 0x100) + enc[i];
- }
- return(rlen);
-}
-
-/*
- * This is the printing function for bit strings
- */
-int
-do_prim_bitstring(FILE *fp, int tag, unsigned char *enc, int len, int lev)
-{
- int i;
- long num = 0;
-
- if (tag != PRIM_BITS || len > 5)
- return 0;
-
- for (i=1; i < len; i++) {
- num = num << 8;
- num += enc[i];
- }
-
- fprintf(fp, " 0x%lx", num);
- if (enc[0])
- fprintf(fp, " (%d unused bits)", enc[0]);
- return 1;
-}
-
-/*
- * This is the printing function for integers
- */
-int
-do_prim_int(FILE *fp, int tag, unsigned char *enc, int len, int lev)
-{
- int i;
- long num = 0;
-
- if (tag != PRIM_INT || len > 4)
- return 0;
-
- if (enc[0] & 0x80)
- num = -1;
-
- for (i=0; i < len; i++) {
- num = num << 8;
- num += enc[i];
- }
-
- fprintf(fp, " %ld", num);
- return 1;
-}
-
-
-/*
- * This is the printing function which we use if it's a string or
- * other other type which is best printed as a string
- */
-int
-do_prim_string(FILE *fp, int tag, unsigned char *enc, int len, int lev)
-{
- int i;
-
- /*
- * Only try this printing function with "reasonable" types
- */
- if ((tag < DEFN_NUMS) && (tag != PRIM_OCTS) && (tag != PRIM_UTF8))
- return 0;
-
- for (i=0; i < len; i++)
- if (!isprint(enc[i]))
- return 0;
- fprintf(fp, " \"%.*s\"", len, enc);
- return 1;
-}
-
-int
-do_prim(FILE *fp, int tag, unsigned char *enc, int len, int lev)
-{
- int n;
- int i;
- int j;
- int width;
-
- if (do_prim_string(fp, tag, enc, len, lev))
- return OK;
- if (do_prim_int(fp, tag, enc, len, lev))
- return OK;
- if (do_prim_bitstring(fp, tag, enc, len, lev))
- return OK;
-
- if (print_primitive_length)
- fprintf(fp, " <%d>", len);
-
- width = (80 - (lev * 3) - 8) / 4;
-
- for (n = 0; n < len; n++) {
- if ((n % width) == 0) {
- fprintf(fp, "\n");
- for (i=0; i<lev; i++) fprintf(fp, " ");
- }
- fprintf(fp, "%02x ", enc[n]);
- if ((n % width) == (width-1)) {
- fprintf(fp, " ");
- for (i=n-(width-1); i<=n; i++)
- if (isprint(enc[i])) fprintf(fp, "%c", enc[i]);
- else fprintf(fp, ".");
- }
- }
- if ((j = (n % width)) != 0) {
- fprintf(fp, " ");
- for (i=0; i<width-j; i++) fprintf(fp, " ");
- for (i=n-j; i<n; i++)
- if (isprint(enc[i])) fprintf(fp, "%c", enc[i]);
- else fprintf(fp, ".");
- }
- return(OK);
-}
-
-int
-do_cons(FILE *fp, unsigned char *enc, int len, int lev, int *rlen)
-{
- int n;
- int r = 0;
- int rlen2;
- int rlent;
- int save_appl;
-
- save_appl = current_appl_type;
- for (n = 0, rlent = 0; n < len; n+=rlen2, rlent+=rlen2) {
- r = trval2(fp, enc+n, len-n, lev, &rlen2);
- current_appl_type = save_appl;
- if (r != OK) return(r);
- }
- if (rlent != len) {
- fprintf(fp, "inconsistent constructed lengths (%d != %d)\n",
- rlent, len);
- return(NOTOK);
- }
- *rlen = rlent;
- return(r);
-}
-
-struct typestring_table {
- int k1, k2;
- char *str;
- int new_appl;
-};
-
-static char *
-lookup_typestring(struct typestring_table *table, int key1, int key2)
-{
- struct typestring_table *ent;
-
- for (ent = table; ent->k1 > 0; ent++) {
- if ((ent->k1 == key1) &&
- (ent->k2 == key2)) {
- if (ent->new_appl)
- current_appl_type = ent->new_appl;
- return ent->str;
- }
- }
- return 0;
-}
-
-
-struct typestring_table univ_types[] = {
- { PRIM_BOOL, -1, "Boolean"},
- { PRIM_INT, -1, "Integer"},
- { PRIM_BITS, -1, "Bit String"},
- { PRIM_OCTS, -1, "Octet String"},
- { PRIM_NULL, -1, "Null"},
- { PRIM_OID, -1, "Object Identifier"},
- { PRIM_ODE, -1, "Object Descriptor"},
- { CONS_EXTN, -1, "External"},
- { PRIM_REAL, -1, "Real"},
- { PRIM_ENUM, -1, "Enumerated type"},
- { PRIM_ENCR, -1, "Encrypted"},
- { PRIM_UTF8, -1, "UTF8String"},
- { CONS_SEQ, -1, "Sequence/Sequence Of"},
- { CONS_SET, -1, "Set/Set Of"},
- { DEFN_NUMS, -1, "Numeric String"},
- { DEFN_PRTS, -1, "Printable String"},
- { DEFN_T61S, -1, "T.61 String"},
- { DEFN_VTXS, -1, "Videotex String"},
- { DEFN_IA5S, -1, "IA5 String"},
- { DEFN_UTCT, -1, "UTCTime"},
- { DEFN_GENT, -1, "Generalized Time"},
- { DEFN_GFXS, -1, "Graphics string (ISO2375)"},
- { DEFN_VISS, -1, "Visible string"},
- { DEFN_GENS, -1, "General string"},
- { DEFN_CHRS, -1, "Character string"},
- { -1, -1, 0}
-};
-
-#ifdef KRB5
-struct typestring_table krb5_types[] = {
- { 1, -1, "Krb5 Ticket"},
- { 2, -1, "Krb5 Authenticator"},
- { 3, -1, "Krb5 Encrypted ticket part"},
- { 10, -1, "Krb5 AS-REQ packet"},
- { 11, -1, "Krb5 AS-REP packet"},
- { 12, -1, "Krb5 TGS-REQ packet"},
- { 13, -1, "Krb5 TGS-REP packet"},
- { 14, -1, "Krb5 AP-REQ packet"},
- { 15, -1, "Krb5 AP-REP packet"},
- { 20, -1, "Krb5 SAFE packet"},
- { 21, -1, "Krb5 PRIV packet"},
- { 22, -1, "Krb5 CRED packet"},
- { 30, -1, "Krb5 ERROR packet"},
- { 25, -1, "Krb5 Encrypted AS-REP part"},
- { 26, -1, "Krb5 Encrypted TGS-REP part"},
- { 27, -1, "Krb5 Encrypted AP-REP part"},
- { 28, -1, "Krb5 Encrypted PRIV part"},
- { 29, -1, "Krb5 Encrypted CRED part"},
- { -1, -1, 0}
-};
-
-struct typestring_table krb5_fields[] = {
- { 1000, 0, "name-type"}, /* PrincipalName */
- { 1000, 1, "name-string"},
-
- { 1001, 0, "etype"}, /* Encrypted data */
- { 1001, 1, "kvno"},
- { 1001, 2, "cipher"},
-
- { 1002, 0, "addr-type"}, /* HostAddress */
- { 1002, 1, "address"},
-
- { 1003, 0, "addr-type"}, /* HostAddresses */
- { 1003, 1, "address"},
-
- { 1004, 0, "ad-type"}, /* AuthorizationData */
- { 1004, 1, "ad-data"},
-
- { 1005, 0, "keytype"}, /* EncryptionKey */
- { 1005, 1, "keyvalue"},
-
- { 1006, 0, "cksumtype"}, /* Checksum */
- { 1006, 1, "checksum"},
-
- { 1007, 0, "kdc-options"}, /* KDC-REQ-BODY */
- { 1007, 1, "cname", 1000},
- { 1007, 2, "realm"},
- { 1007, 3, "sname", 1000},
- { 1007, 4, "from"},
- { 1007, 5, "till"},
- { 1007, 6, "rtime"},
- { 1007, 7, "nonce"},
- { 1007, 8, "etype"},
- { 1007, 9, "addresses", 1003},
- { 1007, 10, "enc-authorization-data", 1001},
- { 1007, 11, "additional-tickets"},
-
- { 1008, 1, "padata-type"}, /* PA-DATA */
- { 1008, 2, "pa-data"},
-
- { 1009, 0, "user-data"}, /* KRB-SAFE-BODY */
- { 1009, 1, "timestamp"},
- { 1009, 2, "usec"},
- { 1009, 3, "seq-number"},
- { 1009, 4, "s-address", 1002},
- { 1009, 5, "r-address", 1002},
-
- { 1010, 0, "lr-type"}, /* LastReq */
- { 1010, 1, "lr-value"},
-
- { 1011, 0, "key", 1005}, /* KRB-CRED-INFO */
- { 1011, 1, "prealm"},
- { 1011, 2, "pname", 1000},
- { 1011, 3, "flags"},
- { 1011, 4, "authtime"},
- { 1011, 5, "startime"},
- { 1011, 6, "endtime"},
- { 1011, 7, "renew-till"},
- { 1011, 8, "srealm"},
- { 1011, 9, "sname", 1000},
- { 1011, 10, "caddr", 1002},
-
- { 1, 0, "tkt-vno"}, /* Ticket */
- { 1, 1, "realm"},
- { 1, 2, "sname", 1000},
- { 1, 3, "tkt-enc-part", 1001},
-
- { 2, 0, "authenticator-vno"}, /* Authenticator */
- { 2, 1, "crealm"},
- { 2, 2, "cname", 1000},
- { 2, 3, "cksum", 1006},
- { 2, 4, "cusec"},
- { 2, 5, "ctime"},
- { 2, 6, "subkey", 1005},
- { 2, 7, "seq-number"},
- { 2, 8, "authorization-data", 1004},
-
- { 3, 0, "flags"}, /* EncTicketPart */
- { 3, 1, "key", 1005},
- { 3, 2, "crealm"},
- { 3, 3, "cname", 1000},
- { 3, 4, "transited"},
- { 3, 5, "authtime"},
- { 3, 6, "starttime"},
- { 3, 7, "endtime"},
- { 3, 8, "renew-till"},
- { 3, 9, "caddr", 1003},
- { 3, 10, "authorization-data", 1004},
-
- { 10, 1, "pvno"}, /* AS-REQ */
- { 10, 2, "msg-type"},
- { 10, 3, "padata", 1008},
- { 10, 4, "req-body", 1007},
-
- { 11, 0, "pvno"}, /* AS-REP */
- { 11, 1, "msg-type"},
- { 11, 2, "padata", 1008},
- { 11, 3, "crealm"},
- { 11, 4, "cname", 1000},
- { 11, 5, "ticket"},
- { 11, 6, "enc-part", 1001},
-
- { 12, 1, "pvno"}, /* TGS-REQ */
- { 12, 2, "msg-type"},
- { 12, 3, "padata", 1008},
- { 12, 4, "req-body", 1007},
-
- { 13, 0, "pvno"}, /* TGS-REP */
- { 13, 1, "msg-type"},
- { 13, 2, "padata", 1008},
- { 13, 3, "crealm"},
- { 13, 4, "cname", 1000},
- { 13, 5, "ticket"},
- { 13, 6, "enc-part", 1001},
-
- { 14, 0, "pvno"}, /* AP-REQ */
- { 14, 1, "msg-type"},
- { 14, 2, "ap-options"},
- { 14, 3, "ticket"},
- { 14, 4, "authenticator", 1001},
-
- { 15, 0, "pvno"}, /* AP-REP */
- { 15, 1, "msg-type"},
- { 15, 2, "enc-part", 1001},
-
- { 20, 0, "pvno"}, /* KRB-SAFE */
- { 20, 1, "msg-type"},
- { 20, 2, "safe-body", 1009},
- { 20, 3, "cksum", 1006},
-
- { 21, 0, "pvno"}, /* KRB-PRIV */
- { 21, 1, "msg-type"},
- { 21, 2, "enc-part", 1001},
-
- { 22, 0, "pvno"}, /* KRB-CRED */
- { 22, 1, "msg-type"},
- { 22, 2, "tickets"},
- { 22, 3, "enc-part", 1001},
-
- { 25, 0, "key", 1005}, /* EncASRepPart */
- { 25, 1, "last-req", 1010},
- { 25, 2, "nonce"},
- { 25, 3, "key-expiration"},
- { 25, 4, "flags"},
- { 25, 5, "authtime"},
- { 25, 6, "starttime"},
- { 25, 7, "enddtime"},
- { 25, 8, "renew-till"},
- { 25, 9, "srealm"},
- { 25, 10, "sname", 1000},
- { 25, 11, "caddr", 1003},
-
- { 26, 0, "key", 1005}, /* EncTGSRepPart */
- { 26, 1, "last-req", 1010},
- { 26, 2, "nonce"},
- { 26, 3, "key-expiration"},
- { 26, 4, "flags"},
- { 26, 5, "authtime"},
- { 26, 6, "starttime"},
- { 26, 7, "enddtime"},
- { 26, 8, "renew-till"},
- { 26, 9, "srealm"},
- { 26, 10, "sname", 1000},
- { 26, 11, "caddr", 1003},
-
- { 27, 0, "ctime"}, /* EncApRepPart */
- { 27, 1, "cusec"},
- { 27, 2, "subkey", 1005},
- { 27, 3, "seq-number"},
-
- { 28, 0, "user-data"}, /* EncKrbPrivPart */
- { 28, 1, "timestamp"},
- { 28, 2, "usec"},
- { 28, 3, "seq-number"},
- { 28, 4, "s-address", 1002},
- { 28, 5, "r-address", 1002},
-
- { 29, 0, "ticket-info", 1011}, /* EncKrbCredPart */
- { 29, 1, "nonce"},
- { 29, 2, "timestamp"},
- { 29, 3, "usec"},
- { 29, 4, "s-address", 1002},
- { 29, 5, "r-address", 1002},
-
- { 30, 0, "pvno"}, /* KRB-ERROR */
- { 30, 1, "msg-type"},
- { 30, 2, "ctime"},
- { 30, 3, "cusec"},
- { 30, 4, "stime"},
- { 30, 5, "susec"},
- { 30, 6, "error-code"},
- { 30, 7, "crealm"},
- { 30, 8, "cname", 1000},
- { 30, 9, "realm"},
- { 30, 10, "sname", 1000},
- { 30, 11, "e-text"},
- { 30, 12, "e-data"},
-
- { -1, -1, 0}
-};
-#endif
-
-void
-print_tag_type(FILE *fp, int eid, int lev)
-{
- int tag = eid & ID_TAG;
- int do_space = 1;
- char *str;
-
- fprintf(fp, "[");
-
- switch(eid & ID_CLASS) {
- case CLASS_UNIV:
- if (print_types && print_skip_tagnum)
- do_space = 0;
- else
- fprintf(fp, "UNIV %d", tag);
- break;
- case CLASS_APPL:
- current_appl_type = tag;
-#ifdef KRB5
- if (print_krb5_types) {
- str = lookup_typestring(krb5_types, tag, -1);
- if (str) {
- fputs(str, fp);
- break;
- }
- }
-#endif
- fprintf(fp, "APPL %d", tag);
- break;
- case CLASS_CONT:
-#ifdef KRB5
- if (print_krb5_types && current_appl_type) {
- str = lookup_typestring(krb5_fields,
- current_appl_type, tag);
- if (str) {
- fputs(str, fp);
- break;
- }
- }
-#endif
- if (print_skip_context && lev)
- fprintf(fp, "%d", tag);
- else
- fprintf(fp, "CONT %d", tag);
- break;
- case CLASS_PRIV:
- fprintf(fp, "PRIV %d", tag);
- break;
- }
-
- if (print_types && ((eid & ID_CLASS) == CLASS_UNIV)) {
- if (do_space)
- fputs(" ", fp);
- str = lookup_typestring(univ_types, eid & ID_TAG, -1);
- if (str)
- fputs(str, fp);
- else
- fprintf(fp, "UNIV %d???", eid & ID_TAG);
- }
-
- fprintf(fp, "]");
-
-}
-
-/*****************************************************************************/
diff --git a/crypto/krb5/src/tests/asn.1/trval_reference.out b/crypto/krb5/src/tests/asn.1/trval_reference.out
deleted file mode 100644
index 29f88c5b6743..000000000000
--- a/crypto/krb5/src/tests/asn.1/trval_reference.out
+++ /dev/null
@@ -1,1584 +0,0 @@ -encode_krb5_authenticator: - -[Krb5 Authenticator] -. [Sequence/Sequence Of] -. . [authenticator-vno] [Integer] 5 -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [cksum] [Sequence/Sequence Of] -. . . [cksumtype] [Integer] 1 -. . . [checksum] [Octet String] "1234" -. . [cusec] [Integer] 123456 -. . [ctime] [Generalized Time] "19940610060317Z" -. . [subkey] [Sequence/Sequence Of] -. . . [keytype] [Integer] 1 -. . . [keyvalue] [Octet String] "12345678" -. . [seq-number] [Integer] 17 -. . [authorization-data] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [ad-type] [Integer] 1 -. . . . [ad-data] [Octet String] "foobar" -. . . [Sequence/Sequence Of] -. . . . [ad-type] [Integer] 1 -. . . . [ad-data] [Octet String] "foobar" - -encode_krb5_authenticator(optionals empty): - -[Krb5 Authenticator] -. [Sequence/Sequence Of] -. . [authenticator-vno] [Integer] 5 -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [cusec] [Integer] 123456 -. . [ctime] [Generalized Time] "19940610060317Z" - -encode_krb5_authenticator(optionals NULL): - -[Krb5 Authenticator] -. [Sequence/Sequence Of] -. . [authenticator-vno] [Integer] 5 -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [cusec] [Integer] 123456 -. . [ctime] [Generalized Time] "19940610060317Z" - -encode_krb5_ticket: - -[Krb5 Ticket] -. [Sequence/Sequence Of] -. . [tkt-vno] [Integer] 5 -. . [realm] [General string] "ATHENA.MIT.EDU" -. . 
[sname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [tkt-enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_keyblock: - -[Sequence/Sequence Of] -. [keytype] [Integer] 1 -. [keyvalue] [Octet String] "12345678" - -encode_krb5_enc_tkt_part: - -[Krb5 Encrypted ticket part] -. [Sequence/Sequence Of] -. . [flags] [Bit String] 0xfedcba98 -. . [key] [Sequence/Sequence Of] -. . . [keytype] [Integer] 1 -. . . [keyvalue] [Octet String] "12345678" -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [transited] [Sequence/Sequence Of] -. . . [flags] [Integer] 1 -. . . [key] [Octet String] "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS." -. . [authtime] [Generalized Time] "19940610060317Z" -. . [starttime] [Generalized Time] "19940610060317Z" -. . [endtime] [Generalized Time] "19940610060317Z" -. . [renew-till] [Generalized Time] "19940610060317Z" -. . [caddr] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [authorization-data] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [ad-type] [Integer] 1 -. . . . [ad-data] [Octet String] "foobar" -. . . [Sequence/Sequence Of] -. . . . [ad-type] [Integer] 1 -. . . . [ad-data] [Octet String] "foobar" - -encode_krb5_enc_tkt_part(optionals NULL): - -[Krb5 Encrypted ticket part] -. [Sequence/Sequence Of] -. . [flags] [Bit String] 0xfedcba98 -. . [key] [Sequence/Sequence Of] -. . . [keytype] [Integer] 1 -. . . 
[keyvalue] [Octet String] "12345678" -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [transited] [Sequence/Sequence Of] -. . . [flags] [Integer] 1 -. . . [key] [Octet String] "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS." -. . [authtime] [Generalized Time] "19940610060317Z" -. . [endtime] [Generalized Time] "19940610060317Z" - -encode_krb5_enc_kdc_rep_part: - -[Krb5 Encrypted TGS-REP part] -. [Sequence/Sequence Of] -. . [key] [Sequence/Sequence Of] -. . . [keytype] [Integer] 1 -. . . [keyvalue] [Octet String] "12345678" -. . [last-req] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [lr-type] [Integer] -5 -. . . . [lr-value] [Generalized Time] "19940610060317Z" -. . . [Sequence/Sequence Of] -. . . . [lr-type] [Integer] -5 -. . . . [lr-value] [Generalized Time] "19940610060317Z" -. . [nonce] [Integer] 42 -. . [key-expiration] [Generalized Time] "19940610060317Z" -. . [flags] [Bit String] 0xfedcba98 -. . [authtime] [Generalized Time] "19940610060317Z" -. . [starttime] [Generalized Time] "19940610060317Z" -. . [enddtime] [Generalized Time] "19940610060317Z" -. . [renew-till] [Generalized Time] "19940610060317Z" -. . [srealm] [General string] "ATHENA.MIT.EDU" -. . [sname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [caddr] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# - -encode_krb5_enc_kdc_rep_part(optionals NULL): - -[Krb5 Encrypted TGS-REP part] -. [Sequence/Sequence Of] -. . [key] [Sequence/Sequence Of] -. . . [keytype] [Integer] 1 -. . . 
[keyvalue] [Octet String] "12345678" -. . [last-req] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [lr-type] [Integer] -5 -. . . . [lr-value] [Generalized Time] "19940610060317Z" -. . . [Sequence/Sequence Of] -. . . . [lr-type] [Integer] -5 -. . . . [lr-value] [Generalized Time] "19940610060317Z" -. . [nonce] [Integer] 42 -. . [flags] [Bit String] 0xfe5cba98 -. . [authtime] [Generalized Time] "19940610060317Z" -. . [enddtime] [Generalized Time] "19940610060317Z" -. . [srealm] [General string] "ATHENA.MIT.EDU" -. . [sname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" - -encode_krb5_as_rep: - -[Krb5 AS-REP packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 11 -. . [padata] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [ticket] [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . 
[cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_as_rep(optionals NULL): - -[Krb5 AS-REP packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 11 -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [ticket] [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_tgs_rep: - -[Krb5 TGS-REP packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 13 -. . [padata] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [ticket] [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . 
[General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_tgs_rep(optionals NULL): - -[Krb5 TGS-REP packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 13 -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [ticket] [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_ap_req: - -[Krb5 AP-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 14 -. . [ap-options] [Bit String] 0xfedcba98 -. . [ticket] [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . 
[cipher] [Octet String] "krbASN.1 test message" -. . [authenticator] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_ap_rep: - -[Krb5 AP-REP packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 15 -. . [enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_ap_rep_enc_part: - -[Krb5 Encrypted AP-REP part] -. [Sequence/Sequence Of] -. . [ctime] [Generalized Time] "19940610060317Z" -. . [cusec] [Integer] 123456 -. . [subkey] [Sequence/Sequence Of] -. . . [keytype] [Integer] 1 -. . . [keyvalue] [Octet String] "12345678" -. . [seq-number] [Integer] 17 - -encode_krb5_ap_rep_enc_part(optionals NULL): - -[Krb5 Encrypted AP-REP part] -. [Sequence/Sequence Of] -. . [ctime] [Generalized Time] "19940610060317Z" -. . [cusec] [Integer] 123456 - -encode_krb5_as_req: - -[Krb5 AS-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 10 -. . [padata] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . [req-body] [Sequence/Sequence Of] -. . . [kdc-options] [Bit String] 0xfedcba90 -. . . [cname] [Sequence/Sequence Of] -. . . . [name-type] [Integer] 1 -. . . . [name-string] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [realm] [General string] "ATHENA.MIT.EDU" -. . . [sname] [Sequence/Sequence Of] -. . . . [name-type] [Integer] 1 -. . . . [name-string] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [from] [Generalized Time] "19940610060317Z" -. . . [till] [Generalized Time] "19940610060317Z" -. . . 
[rtime] [Generalized Time] "19940610060317Z" -. . . [nonce] [Integer] 42 -. . . [etype] [Sequence/Sequence Of] -. . . . [Integer] 0 -. . . . [Integer] 1 -. . . [addresses] [Sequence/Sequence Of] -. . . . [Sequence/Sequence Of] -. . . . . [addr-type] [Integer] 2 -. . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . . [Sequence/Sequence Of] -. . . . . [addr-type] [Integer] 2 -. . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . [enc-authorization-data] [Sequence/Sequence Of] -. . . . [etype] [Integer] 0 -. . . . [kvno] [Integer] 5 -. . . . [cipher] [Octet String] "krbASN.1 test message" -. . . [additional-tickets] [Sequence/Sequence Of] -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_as_req(optionals NULL except second_ticket): - -[Krb5 AS-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 10 -. . [req-body] [Sequence/Sequence Of] -. . . 
[kdc-options] [Bit String] 0xfedcba98 -. . . [realm] [General string] "ATHENA.MIT.EDU" -. . . [till] [Generalized Time] "19940610060317Z" -. . . [nonce] [Integer] 42 -. . . [etype] [Sequence/Sequence Of] -. . . . [Integer] 0 -. . . . [Integer] 1 -. . . [additional-tickets] [Sequence/Sequence Of] -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_as_req(optionals NULL except server): - -[Krb5 AS-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 10 -. . [req-body] [Sequence/Sequence Of] -. . . [kdc-options] [Bit String] 0xfedcba90 -. . . [realm] [General string] "ATHENA.MIT.EDU" -. . . [sname] [Sequence/Sequence Of] -. . . . [name-type] [Integer] 1 -. . . . [name-string] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [till] [Generalized Time] "19940610060317Z" -. . . [nonce] [Integer] 42 -. . . [etype] [Sequence/Sequence Of] -. . . 
. [Integer] 0 -. . . . [Integer] 1 - -encode_krb5_tgs_req: - -[Krb5 TGS-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 12 -. . [padata] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . . [Sequence/Sequence Of] -. . . . [padata-type] [Integer] 13 -. . . . [pa-data] [Octet String] "pa-data" -. . [req-body] [Sequence/Sequence Of] -. . . [kdc-options] [Bit String] 0xfedcba90 -. . . [cname] [Sequence/Sequence Of] -. . . . [name-type] [Integer] 1 -. . . . [name-string] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [realm] [General string] "ATHENA.MIT.EDU" -. . . [sname] [Sequence/Sequence Of] -. . . . [name-type] [Integer] 1 -. . . . [name-string] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [from] [Generalized Time] "19940610060317Z" -. . . [till] [Generalized Time] "19940610060317Z" -. . . [rtime] [Generalized Time] "19940610060317Z" -. . . [nonce] [Integer] 42 -. . . [etype] [Sequence/Sequence Of] -. . . . [Integer] 0 -. . . . [Integer] 1 -. . . [addresses] [Sequence/Sequence Of] -. . . . [Sequence/Sequence Of] -. . . . . [addr-type] [Integer] 2 -. . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . . [Sequence/Sequence Of] -. . . . . [addr-type] [Integer] 2 -. . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . [enc-authorization-data] [Sequence/Sequence Of] -. . . . [etype] [Integer] 0 -. . . . [kvno] [Integer] 5 -. . . . [cipher] [Octet String] "krbASN.1 test message" -. . . [additional-tickets] [Sequence/Sequence Of] -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . 
. . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_tgs_req(optionals NULL except second_ticket): - -[Krb5 TGS-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 12 -. . [req-body] [Sequence/Sequence Of] -. . . [kdc-options] [Bit String] 0xfedcba98 -. . . [realm] [General string] "ATHENA.MIT.EDU" -. . . [till] [Generalized Time] "19940610060317Z" -. . . [nonce] [Integer] 42 -. . . [etype] [Sequence/Sequence Of] -. . . . [Integer] 0 -. . . . [Integer] 1 -. . . [additional-tickets] [Sequence/Sequence Of] -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" -. . . . [Krb5 Ticket] -. . . . . [Sequence/Sequence Of] -. . . . . . [tkt-vno] [Integer] 5 -. . . . . . 
[realm] [General string] "ATHENA.MIT.EDU" -. . . . . . [sname] [Sequence/Sequence Of] -. . . . . . . [name-type] [Integer] 1 -. . . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . . [General string] "hftsai" -. . . . . . . . [General string] "extra" -. . . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . . [etype] [Integer] 0 -. . . . . . . [kvno] [Integer] 5 -. . . . . . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_tgs_req(optionals NULL except server): - -[Krb5 TGS-REQ packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 12 -. . [req-body] [Sequence/Sequence Of] -. . . [kdc-options] [Bit String] 0xfedcba90 -. . . [realm] [General string] "ATHENA.MIT.EDU" -. . . [sname] [Sequence/Sequence Of] -. . . . [name-type] [Integer] 1 -. . . . [name-string] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [till] [Generalized Time] "19940610060317Z" -. . . [nonce] [Integer] 42 -. . . [etype] [Sequence/Sequence Of] -. . . . [Integer] 0 -. . . . [Integer] 1 - -encode_krb5_kdc_req_body: - -[Sequence/Sequence Of] -. [kdc-options] [Bit String] 0xfedcba90 -. [cname] [Sequence/Sequence Of] -. . [name-type] [Integer] 1 -. . [name-string] [Sequence/Sequence Of] -. . . [General string] "hftsai" -. . . [General string] "extra" -. [realm] [General string] "ATHENA.MIT.EDU" -. [sname] [Sequence/Sequence Of] -. . [name-type] [Integer] 1 -. . [name-string] [Sequence/Sequence Of] -. . . [General string] "hftsai" -. . . [General string] "extra" -. [from] [Generalized Time] "19940610060317Z" -. [till] [Generalized Time] "19940610060317Z" -. [rtime] [Generalized Time] "19940610060317Z" -. [nonce] [Integer] 42 -. [etype] [Sequence/Sequence Of] -. . [Integer] 0 -. . [Integer] 1 -. [addresses] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [Sequence/Sequence Of] -. . . 
[addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. [enc-authorization-data] [Sequence/Sequence Of] -. . [etype] [Integer] 0 -. . [kvno] [Integer] 5 -. . [cipher] [Octet String] "krbASN.1 test message" -. [additional-tickets] [Sequence/Sequence Of] -. . [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_kdc_req_body(optionals NULL except second_ticket): - -[Sequence/Sequence Of] -. [kdc-options] [Bit String] 0xfedcba98 -. [realm] [General string] "ATHENA.MIT.EDU" -. [till] [Generalized Time] "19940610060317Z" -. [nonce] [Integer] 42 -. [etype] [Sequence/Sequence Of] -. . [Integer] 0 -. . [Integer] 1 -. [additional-tickets] [Sequence/Sequence Of] -. . [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . 
[tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [Krb5 Ticket] -. . . [Sequence/Sequence Of] -. . . . [tkt-vno] [Integer] 5 -. . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . [etype] [Integer] 0 -. . . . . [kvno] [Integer] 5 -. . . . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_kdc_req_body(optionals NULL except server): - -[Sequence/Sequence Of] -. [kdc-options] [Bit String] 0xfedcba90 -. [realm] [General string] "ATHENA.MIT.EDU" -. [sname] [Sequence/Sequence Of] -. . [name-type] [Integer] 1 -. . [name-string] [Sequence/Sequence Of] -. . . [General string] "hftsai" -. . . [General string] "extra" -. [till] [Generalized Time] "19940610060317Z" -. [nonce] [Integer] 42 -. [etype] [Sequence/Sequence Of] -. . [Integer] 0 -. . [Integer] 1 - -encode_krb5_safe: - -[Krb5 SAFE packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 20 -. . [safe-body] [Sequence/Sequence Of] -. . . [user-data] [Octet String] "krb5data" -. . . [timestamp] [Generalized Time] "19940610060317Z" -. . . [usec] [Integer] 123456 -. . . [seq-number] [Integer] 17 -. . . [s-address] [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . [r-address] [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [cksum] [Sequence/Sequence Of] -. . . [cksumtype] [Integer] 1 -. . . [checksum] [Octet String] "1234" - -encode_krb5_safe(optionals NULL): - -[Krb5 SAFE packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 20 -. . 
[safe-body] [Sequence/Sequence Of] -. . . [user-data] [Octet String] "krb5data" -. . . [s-address] [Sequence/Sequence Of] -. . . . [addr-type] [Integer] 2 -. . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [cksum] [Sequence/Sequence Of] -. . . [cksumtype] [Integer] 1 -. . . [checksum] [Octet String] "1234" - -encode_krb5_priv: - -[Krb5 PRIV packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 21 -. . [3] [Sequence/Sequence Of] -. . . [pvno] [Integer] 0 -. . . [msg-type] [Integer] 5 -. . . [enc-part] [Octet String] "krbASN.1 test message" - -encode_krb5_enc_priv_part: - -[Krb5 Encrypted PRIV part] -. [Sequence/Sequence Of] -. . [user-data] [Octet String] "krb5data" -. . [timestamp] [Generalized Time] "19940610060317Z" -. . [usec] [Integer] 123456 -. . [seq-number] [Integer] 17 -. . [s-address] [Sequence/Sequence Of] -. . . [addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [r-address] [Sequence/Sequence Of] -. . . [addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# - -encode_krb5_enc_priv_part(optionals NULL): - -[Krb5 Encrypted PRIV part] -. [Sequence/Sequence Of] -. . [user-data] [Octet String] "krb5data" -. . [s-address] [Sequence/Sequence Of] -. . . [addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# - -encode_krb5_cred: - -[Krb5 CRED packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 22 -. . [tickets] [Sequence/Sequence Of] -. . . [Krb5 Ticket] -. . . . [Sequence/Sequence Of] -. . . . . [tkt-vno] [Integer] 5 -. . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . [sname] [Sequence/Sequence Of] -. . . . . . [name-type] [Integer] 1 -. . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . [General string] "hftsai" -. . . . . . . [General string] "extra" -. . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . [etype] [Integer] 0 -. . . . . . [kvno] [Integer] 5 -. . . . . . 
[cipher] [Octet String] "krbASN.1 test message" -. . . [Krb5 Ticket] -. . . . [Sequence/Sequence Of] -. . . . . [tkt-vno] [Integer] 5 -. . . . . [realm] [General string] "ATHENA.MIT.EDU" -. . . . . [sname] [Sequence/Sequence Of] -. . . . . . [name-type] [Integer] 1 -. . . . . . [name-string] [Sequence/Sequence Of] -. . . . . . . [General string] "hftsai" -. . . . . . . [General string] "extra" -. . . . . [tkt-enc-part] [Sequence/Sequence Of] -. . . . . . [etype] [Integer] 0 -. . . . . . [kvno] [Integer] 5 -. . . . . . [cipher] [Octet String] "krbASN.1 test message" -. . [enc-part] [Sequence/Sequence Of] -. . . [etype] [Integer] 0 -. . . [kvno] [Integer] 5 -. . . [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_enc_cred_part: - -[Krb5 Encrypted CRED part] -. [Sequence/Sequence Of] -. . [ticket-info] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [key] [Sequence/Sequence Of] -. . . . . [keytype] [Integer] 1 -. . . . . [keyvalue] [Octet String] "12345678" -. . . . [prealm] [General string] "ATHENA.MIT.EDU" -. . . . [pname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [flags] [Bit String] 0xfedcba98 -. . . . [authtime] [Generalized Time] "19940610060317Z" -. . . . [startime] [Generalized Time] "19940610060317Z" -. . . . [endtime] [Generalized Time] "19940610060317Z" -. . . . [renew-till] [Generalized Time] "19940610060317Z" -. . . . [srealm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [caddr] [Sequence/Sequence Of] -. . . . . [Sequence/Sequence Of] -. . . . . . [addr-type] [Integer] 2 -. . . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . . . [Sequence/Sequence Of] -. . . . . . 
[addr-type] [Integer] 2 -. . . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . [Sequence/Sequence Of] -. . . . [key] [Sequence/Sequence Of] -. . . . . [keytype] [Integer] 1 -. . . . . [keyvalue] [Octet String] "12345678" -. . . . [prealm] [General string] "ATHENA.MIT.EDU" -. . . . [pname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [flags] [Bit String] 0xfedcba98 -. . . . [authtime] [Generalized Time] "19940610060317Z" -. . . . [startime] [Generalized Time] "19940610060317Z" -. . . . [endtime] [Generalized Time] "19940610060317Z" -. . . . [renew-till] [Generalized Time] "19940610060317Z" -. . . . [srealm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [caddr] [Sequence/Sequence Of] -. . . . . [Sequence/Sequence Of] -. . . . . . [addr-type] [Integer] 2 -. . . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . . . [Sequence/Sequence Of] -. . . . . . [addr-type] [Integer] 2 -. . . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [nonce] [Integer] 42 -. . [timestamp] [Generalized Time] "19940610060317Z" -. . [usec] [Integer] 123456 -. . [s-address] [Sequence/Sequence Of] -. . . [addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . [r-address] [Sequence/Sequence Of] -. . . [addr-type] [Integer] 2 -. . . [address] [Octet String] <4> - 12 d0 00 23 ...# - -encode_krb5_enc_cred_part(optionals NULL): - -[Krb5 Encrypted CRED part] -. [Sequence/Sequence Of] -. . [ticket-info] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [key] [Sequence/Sequence Of] -. . . . . [keytype] [Integer] 1 -. . . . . [keyvalue] [Octet String] "12345678" -. . . [Sequence/Sequence Of] -. 
. . . [key] [Sequence/Sequence Of] -. . . . . [keytype] [Integer] 1 -. . . . . [keyvalue] [Octet String] "12345678" -. . . . [prealm] [General string] "ATHENA.MIT.EDU" -. . . . [pname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [flags] [Bit String] 0xfedcba98 -. . . . [authtime] [Generalized Time] "19940610060317Z" -. . . . [startime] [Generalized Time] "19940610060317Z" -. . . . [endtime] [Generalized Time] "19940610060317Z" -. . . . [renew-till] [Generalized Time] "19940610060317Z" -. . . . [srealm] [General string] "ATHENA.MIT.EDU" -. . . . [sname] [Sequence/Sequence Of] -. . . . . [name-type] [Integer] 1 -. . . . . [name-string] [Sequence/Sequence Of] -. . . . . . [General string] "hftsai" -. . . . . . [General string] "extra" -. . . . [caddr] [Sequence/Sequence Of] -. . . . . [Sequence/Sequence Of] -. . . . . . [addr-type] [Integer] 2 -. . . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# -. . . . . [Sequence/Sequence Of] -. . . . . . [addr-type] [Integer] 2 -. . . . . . [address] [Octet String] <4> - 12 d0 00 23 ...# - -encode_krb5_error: - -[Krb5 ERROR packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 30 -. . [ctime] [Generalized Time] "19940610060317Z" -. . [cusec] [Integer] 123456 -. . [stime] [Generalized Time] "19940610060317Z" -. . [susec] [Integer] 123456 -. . [error-code] [Integer] 60 -. . [crealm] [General string] "ATHENA.MIT.EDU" -. . [cname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [realm] [General string] "ATHENA.MIT.EDU" -. . [sname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . 
[e-text] [General string] "krb5data" -. . [e-data] [Octet String] "krb5data" - -encode_krb5_error(optionals NULL): - -[Krb5 ERROR packet] -. [Sequence/Sequence Of] -. . [pvno] [Integer] 5 -. . [msg-type] [Integer] 30 -. . [cusec] [Integer] 123456 -. . [stime] [Generalized Time] "19940610060317Z" -. . [susec] [Integer] 123456 -. . [error-code] [Integer] 60 -. . [realm] [General string] "ATHENA.MIT.EDU" -. . [sname] [Sequence/Sequence Of] -. . . [name-type] [Integer] 1 -. . . [name-string] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" - -encode_krb5_authorization_data: - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [ad-type] [Integer] 1 -. . [ad-data] [Octet String] "foobar" -. [Sequence/Sequence Of] -. . [ad-type] [Integer] 1 -. . [ad-data] [Octet String] "foobar" - -encode_krb5_padata_sequence: - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [1] [Integer] 13 -. . [2] [Octet String] "pa-data" -. [Sequence/Sequence Of] -. . [1] [Integer] 13 -. . [2] [Octet String] "pa-data" - -encode_krb5_typed_data: - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [0] [Integer] 13 -. . [1] [Octet String] "pa-data" -. [Sequence/Sequence Of] -. . [0] [Integer] 13 -. . [1] [Octet String] "pa-data" - -encode_krb5_padata_sequence(empty): - -[Sequence/Sequence Of] - -encode_krb5_etype_info: - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [0] [Integer] 0 -. . [1] [Octet String] "Morton's #0" -. [Sequence/Sequence Of] -. . [0] [Integer] 1 -. [Sequence/Sequence Of] -. . [0] [Integer] 2 -. . [1] [Octet String] "Morton's #2" - -encode_krb5_etype_info(only 1): - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [0] [Integer] 0 -. . [1] [Octet String] "Morton's #0" - -encode_krb5_etype_info(no info): - -[Sequence/Sequence Of] - -encode_krb5_etype_info2: - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [0] [Integer] 0 -. . [1] [General string] "Morton's #0" -. . [2] [Octet String] "s2k: 0" -. 
[Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [2] [Octet String] "s2k: 1" -. [Sequence/Sequence Of] -. . [0] [Integer] 2 -. . [1] [General string] "Morton's #2" -. . [2] [Octet String] "s2k: 2" - -encode_krb5_etype_info2(only 1): - -[Sequence/Sequence Of] -. [Sequence/Sequence Of] -. . [0] [Integer] 0 -. . [1] [General string] "Morton's #0" -. . [2] [Octet String] "s2k: 0" - -encode_krb5_pa_enc_ts: - -[Sequence/Sequence Of] -. [0] [Generalized Time] "19940610060317Z" -. [1] [Integer] 123456 - -encode_krb5_pa_enc_ts (no usec): - -[Sequence/Sequence Of] -. [0] [Generalized Time] "19940610060317Z" - -encode_krb5_enc_data: - -[Sequence/Sequence Of] -. [etype] [Integer] 0 -. [kvno] [Integer] 5 -. [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_enc_data(MSB-set kvno): - -[Sequence/Sequence Of] -. [etype] [Integer] 0 -. [kvno] [Integer] -16777216 -. [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_enc_data(kvno=-1): - -[Sequence/Sequence Of] -. [etype] [Integer] 0 -. [kvno] [Integer] -1 -. [cipher] [Octet String] "krbASN.1 test message" - -encode_krb5_sam_challenge_2: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [Octet String] "challenge" -. [1] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "1234" - -encode_krb5_sam_challenge_2_body: - -[Sequence/Sequence Of] -. [0] [Integer] 42 -. [1] [Bit String] 0x80000000 -. [2] [Octet String] "type name" -. [4] [Octet String] "challenge label" -. [5] [Octet String] "challenge ipse" -. [6] [Octet String] "response_prompt ipse" -. [8] [Integer] 5517840 -. [9] [Integer] 20 - -encode_krb5_sam_response_2: - -[Sequence/Sequence Of] -. [0] [Integer] 43 -. [1] [Bit String] 0x80000000 -. [2] [Octet String] "track data" -. [3] [Sequence/Sequence Of] -. . [0] [Integer] 20 -. . [1] [Integer] 3382 -. . [2] [Octet String] "nonce or sad" -. [4] [Integer] 5517840 - -encode_krb5_enc_sam_response_enc_2: - -[Sequence/Sequence Of] -. [0] [Integer] 88 -. 
[1] [Octet String] "enc_sam_response_enc_2" - -encode_krb5_pa_for_user: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Sequence/Sequence Of] -. . . [General string] "hftsai" -. . . [General string] "extra" -. [1] [General string] "ATHENA.MIT.EDU" -. [2] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "1234" -. [3] [General string] "krb5data" - -encode_krb5_pa_s4u_x509_user: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [0] [Integer] 13243546 -. . [1] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [2] [General string] "ATHENA.MIT.EDU" -. . [3] [Octet String] "pa_s4u_x509_user" -. . [4] [Bit String] 0x80000000 -. [1] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "1234" - -encode_krb5_ad_kdcissued: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "1234" -. [1] [General string] "ATHENA.MIT.EDU" -. [2] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Sequence/Sequence Of] -. . . [General string] "hftsai" -. . . [General string] "extra" -. [3] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "foobar" -. . [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "foobar" - -encode_krb5_iakerb_header: - -[Sequence/Sequence Of] -. [1] [UTF8String] "krb5data" -. [2] [Octet String] "krb5data" - -encode_krb5_iakerb_finished: - -[Sequence/Sequence Of] -. [1] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "1234" - -encode_krb5_fast_response: - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [1] [Integer] 13 -. . . [2] [Octet String] "pa-data" -. . [Sequence/Sequence Of] -. . . [1] [Integer] 13 -. . . [2] [Octet String] "pa-data" -. [1] [Sequence/Sequence Of] -. . [0] [Integer] 1 -. . 
[1] [Octet String] "12345678" -. [2] [Sequence/Sequence Of] -. . [0] [Generalized Time] "19940610060317Z" -. . [1] [Integer] 123456 -. . [2] [General string] "ATHENA.MIT.EDU" -. . [3] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [4] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "1234" -. [3] [Integer] 42 - -encode_krb5_pa_fx_fast_reply: - -[CONT 0] -. [Sequence/Sequence Of] -. . [0] [Sequence/Sequence Of] -. . . [0] [Integer] 0 -. . . [1] [Integer] 5 -. . . [2] [Octet String] "krbASN.1 test message" - -encode_krb5_otp_tokeninfo(optionals NULL): - -[Sequence/Sequence Of] -. [0] <5> - 00 00 00 00 00 ..... - -encode_krb5_otp_tokeninfo: - -[Sequence/Sequence Of] -. [0] <5> - 00 77 00 00 00 .w... -. [1] <11> - 45 78 61 6d 70 6c 65 63 6f 72 70 Examplecorp -. [2] <5> - 68 61 72 6b 21 hark! -. [3] 0x0 (10 unused bits) -. [4] <1> - 02 . -. [5] <9> - 79 6f 75 72 74 6f 6b 65 6e yourtoken -. [6] <40> - 75 72 6e 3a 69 65 74 66 3a 70 61 72 61 6d 73 3a urn:ietf:params: - 78 6d 6c 3a 6e 73 3a 6b 65 79 70 72 6f 76 3a 70 xml:ns:keyprov:p - 73 6b 63 3a 68 6f 74 70 skc:hotp -. [7] [Sequence/Sequence Of] -. . [Object Identifier] <9> - 60 86 48 01 65 03 04 02 01 `.H.e.... -. [Sequence/Sequence Of] -. . [Object Identifier] <5> - 2b 0e 03 02 1a +.... -. [8] <2> - 03 e8 .. - -encode_krb5_pa_otp_challenge(optionals NULL): - -[Sequence/Sequence Of] -. [0] <8> - 6d 69 6e 6e 6f 6e 63 65 minnonce -. [2] [Sequence/Sequence Of] -. . [0] <5> - 00 00 00 00 00 ..... - -encode_krb5_pa_otp_challenge: - -[Sequence/Sequence Of] -. [0] <8> - 6d 61 78 6e 6f 6e 63 65 maxnonce -. [1] <11> - 74 65 73 74 73 65 72 76 69 63 65 testservice -. [2] [Sequence/Sequence Of] -. . [0] <5> - 00 00 00 00 00 ..... -. [Sequence/Sequence Of] -. . [0] <5> - 00 77 00 00 00 .w... -. . [1] <11> - 45 78 61 6d 70 6c 65 63 6f 72 70 Examplecorp -. . [2] <5> - 68 61 72 6b 21 hark! -. . 
[3] 0x0 (10 unused bits) -. . [4] <1> - 02 . -. . [5] <9> - 79 6f 75 72 74 6f 6b 65 6e yourtoken -. . [6] <40> - 75 72 6e 3a 69 65 74 66 3a 70 61 72 61 6d 73 urn:ietf:params - 3a 78 6d 6c 3a 6e 73 3a 6b 65 79 70 72 6f 76 :xml:ns:keyprov - 3a 70 73 6b 63 3a 68 6f 74 70 :pskc:hotp -. . [7] [Sequence/Sequence Of] -. . . [Object Identifier] <9> - 60 86 48 01 65 03 04 02 01 `.H.e.... -. . [Sequence/Sequence Of] -. . . [Object Identifier] <5> - 2b 0e 03 02 1a +.... -. . [8] <2> - 03 e8 .. -. [3] <7> - 6b 65 79 73 61 6c 74 keysalt -. [4] "1234" - -encode_krb5_pa_otp_req(optionals NULL): - -[Sequence/Sequence Of] -. [0] <5> - 00 00 00 00 00 ..... -. [2] [0] [Integer] 0 -. [1] [Integer] 5 -. [2] [Octet String] "krbASN.1 test message" - -encode_krb5_pa_otp_req: - -[Sequence/Sequence Of] -. [0] <5> - 00 60 00 00 00 .`... -. [1] <5> - 6e 6f 6e 63 65 nonce -. [2] [0] [Integer] 0 -. [1] [Integer] 5 -. [2] [Octet String] "krbASN.1 test message" -. [3] [Object Identifier] <9> - 60 86 48 01 65 03 04 02 01 `.H.e.... -. [4] <2> - 03 e8 .. -. [5] <5> - 66 72 6f 67 73 frogs -. [6] <10> - 6d 79 66 69 72 73 74 70 69 6e myfirstpin -. [7] <5> - 68 61 72 6b 21 hark! -. [8] <15> - 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5a 19940610060317Z -. [9] <3> - 33 34 36 346 -. [10] <1> - 02 . -. [11] <9> - 79 6f 75 72 74 6f 6b 65 6e yourtoken -. [12] "urn:ietf:params:xml:ns:keyprov:pskc:hotp" -. [13] <11> - 45 78 61 6d 70 6c 65 63 6f 72 70 Examplecorp - -encode_krb5_pa_otp_enc_req: - -[Sequence/Sequence Of] -. [0] <8> - 6b 72 62 35 64 61 74 61 krb5data - -encode_krb5_kkdcp_message: - -[Sequence/Sequence Of] -. [0] [Octet String] <488> - 6a 82 01 e4 30 82 01 e0 a1 03 02 01 05 a2 03 02 j...0........... - 01 0a a3 26 30 24 30 10 a1 03 02 01 0d a2 09 04 ...&0$0......... - 07 70 61 2d 64 61 74 61 30 10 a1 03 02 01 0d a2 .pa-data0....... - 09 04 07 70 61 2d 64 61 74 61 a4 82 01 aa 30 82 ...pa-data....0. - 01 a6 a0 07 03 05 00 fe dc ba 98 a1 1a 30 18 a0 .............0.. 
- 03 02 01 01 a1 11 30 0f 1b 06 68 66 74 73 61 69 ......0...hftsai - 1b 05 65 78 74 72 61 a2 10 1b 0e 41 54 48 45 4e ..extra....ATHEN - 41 2e 4d 49 54 2e 45 44 55 a3 1a 30 18 a0 03 02 A.MIT.EDU..0.... - 01 01 a1 11 30 0f 1b 06 68 66 74 73 61 69 1b 05 ....0...hftsai.. - 65 78 74 72 61 a4 11 18 0f 31 39 39 34 30 36 31 extra....1994061 - 30 30 36 30 33 31 37 5a a5 11 18 0f 31 39 39 34 0060317Z....1994 - 30 36 31 30 30 36 30 33 31 37 5a a6 11 18 0f 31 0610060317Z....1 - 39 39 34 30 36 31 30 30 36 30 33 31 37 5a a7 03 9940610060317Z.. - 02 01 2a a8 08 30 06 02 01 00 02 01 01 a9 20 30 ..*..0........ 0 - 1e 30 0d a0 03 02 01 02 a1 06 04 04 12 d0 00 23 .0.............# - 30 0d a0 03 02 01 02 a1 06 04 04 12 d0 00 23 aa 0.............#. - 25 30 23 a0 03 02 01 00 a1 03 02 01 05 a2 17 04 %0#............. - 15 6b 72 62 41 53 4e 2e 31 20 74 65 73 74 20 6d .krbASN.1 test m - 65 73 73 61 67 65 ab 81 bf 30 81 bc 61 5c 30 5a essage...0..a\0Z - a0 03 02 01 05 a1 10 1b 0e 41 54 48 45 4e 41 2e .........ATHENA. - 4d 49 54 2e 45 44 55 a2 1a 30 18 a0 03 02 01 01 MIT.EDU..0...... - a1 11 30 0f 1b 06 68 66 74 73 61 69 1b 05 65 78 ..0...hftsai..ex - 74 72 61 a3 25 30 23 a0 03 02 01 00 a1 03 02 01 tra.%0#......... - 05 a2 17 04 15 6b 72 62 41 53 4e 2e 31 20 74 65 .....krbASN.1 te - 73 74 20 6d 65 73 73 61 67 65 61 5c 30 5a a0 03 st messagea\0Z.. - 02 01 05 a1 10 1b 0e 41 54 48 45 4e 41 2e 4d 49 .......ATHENA.MI - 54 2e 45 44 55 a2 1a 30 18 a0 03 02 01 01 a1 11 T.EDU..0........ - 30 0f 1b 06 68 66 74 73 61 69 1b 05 65 78 74 72 0...hftsai..extr - 61 a3 25 30 23 a0 03 02 01 00 a1 03 02 01 05 a2 a.%0#........... - 17 04 15 6b 72 62 41 53 4e 2e 31 20 74 65 73 74 ...krbASN.1 test - 20 6d 65 73 73 61 67 65 message -. [1] [General string] "krb5data" - -encode_krb5_cammac(optionals NULL): - -[Sequence/Sequence Of] -. [0] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "ad1" - -encode_krb5_cammac: - -[Sequence/Sequence Of] -. 
[0] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "ad1" -. . [Sequence/Sequence Of] -. . . [0] [Integer] 2 -. . . [1] [Octet String] "ad2" -. [1] [Sequence/Sequence Of] -. . [0] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [1] [Integer] 5 -. . [2] [Integer] 16 -. . [3] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "cksumkdc" -. [2] [Sequence/Sequence Of] -. . [0] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Sequence/Sequence Of] -. . . . [General string] "hftsai" -. . . . [General string] "extra" -. . [1] [Integer] 5 -. . [2] [Integer] 16 -. . [3] [Sequence/Sequence Of] -. . . [0] [Integer] 1 -. . . [1] [Octet String] "cksumsvc" -. [3] [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [3] [Sequence/Sequence Of] -. . . . [0] [Integer] 1 -. . . . [1] [Octet String] "cksum1" -. . [Sequence/Sequence Of] -. . . [0] [Sequence/Sequence Of] -. . . . [0] [Integer] 1 -. . . . [1] [Sequence/Sequence Of] -. . . . . [General string] "hftsai" -. . . . . [General string] "extra" -. . . [1] [Integer] 5 -. . . [2] [Integer] 16 -. . . [3] [Sequence/Sequence Of] -. . . . [0] [Integer] 1 -. . . . [1] [Octet String] "cksum2" - -encode_krb5_secure_cookie: - -[Sequence/Sequence Of] -. [Integer] 771228197 -. [Sequence/Sequence Of] -. . [Sequence/Sequence Of] -. . . [1] [Integer] 13 -. . . [2] [Octet String] "pa-data" -. . [Sequence/Sequence Of] -. . . [1] [Integer] 13 -. . . [2] [Octet String] "pa-data" - -encode_krb5_spake_factor(optionals NULL): - -[Sequence/Sequence Of] -. [0] [Integer] 1 - -encode_krb5_spake_factor: - -[Sequence/Sequence Of] -. [0] [Integer] 2 -. [1] [Octet String] "fdata" - -encode_krb5_pa_spake(support): - -[CONT 0] -. [Sequence/Sequence Of] -. . [0] [Sequence/Sequence Of] -. . . [Integer] 1 -. . . [Integer] 2 - -encode_krb5_pa_spake(challenge): - -[CONT 1] -. 
[Sequence/Sequence Of] -. . [0] [Integer] 1 -. . [1] [Octet String] "T value" -. . [2] [Sequence/Sequence Of] -. . . [Sequence/Sequence Of] -. . . . [0] [Integer] 1 -. . . [Sequence/Sequence Of] -. . . . [0] [Integer] 2 -. . . . [1] [Octet String] "fdata" - -encode_krb5_pa_spake(response): - -[CONT 2] -. [Sequence/Sequence Of] -. . [0] [Octet String] "S value" -. . [1] [Sequence/Sequence Of] -. . . [0] [Integer] 0 -. . . [1] [Integer] 5 -. . . [2] [Octet String] "krbASN.1 test message" - -encode_krb5_pa_spake(encdata): - -[CONT 3] -. [Sequence/Sequence Of] -. . [0] [Integer] 0 -. . [1] [Integer] 5 -. . [2] [Octet String] "krbASN.1 test message" diff --git a/crypto/krb5/src/tests/asn.1/utility.c b/crypto/krb5/src/tests/asn.1/utility.c deleted file mode 100644 index b1eb902a544a..000000000000 --- a/crypto/krb5/src/tests/asn.1/utility.c +++ /dev/null 
@@ -1,142 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/utility.c */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include "utility.h" -#include "krb5.h" -#include <stdlib.h> -#include <stdio.h> -#include <ctype.h> - -krb5int_access acc; - -char hexchar (const unsigned int digit); - -void * -ealloc(size_t size) -{ - void *ptr = calloc(1, size); - - if (ptr == NULL) - abort(); - return ptr; -} - -char * -estrdup(const char *str) -{ - char *newstr = strdup(str); - - if (newstr == NULL) - abort(); - return newstr; -} - -void -asn1_krb5_data_unparse(const krb5_data *code, char **s) -{ - if (*s != NULL) free(*s); - - if (code==NULL) { - *s = estrdup("<NULL>"); - } else if (code->data == NULL || ((int) code->length) <= 0) { - *s = estrdup("<EMPTY>"); - } else { - unsigned int i; - - *s = ealloc(3 * code->length); - for (i = 0; i < code->length; i++) { - (*s)[3*i] = hexchar((unsigned char) (((code->data)[i]&0xF0)>>4)); - (*s)[3*i+1] = hexchar((unsigned char) ((code->data)[i]&0x0F)); - (*s)[3*i+2] = ' '; - } - (*s)[3*(code->length)-1] = '\0'; - } -} - -char -hexchar(const unsigned int digit) -{ - if (digit<=9) - return '0'+digit; - else if (digit<=15) - return 'A'+digit-10; - else - return 'X'; -} - -void -krb5_data_parse(krb5_data *d, const char *s) -{ - d->length = strlen(s); - d->data = ealloc(d->length); - memcpy(d->data, s, d->length); -} - -krb5_error_code -krb5_data_hex_parse(krb5_data *d, const char *s) -{ - int lo; - long v; - const char *cp; - char *dp; - char buf[2]; - - d->data = ealloc(strlen(s) / 2 + 1); - d->length = 0; - buf[1] = '\0'; - for (lo = 0, dp = d->data, cp = s; *cp; cp++) { - if (*cp < 0) - return ASN1_PARSE_ERROR; - else if (isspace((unsigned char) *cp)) - continue; - else if (isxdigit((unsigned char) *cp)) { - buf[0] = *cp; - v = strtol(buf, NULL, 16); - } else - return ASN1_PARSE_ERROR; - if (lo) { - *dp++ |= v; - lo = 0; - } else { - *dp = v << 4; - lo = 1; - } - } - - d->length = dp - d->data; - return 0; -} - -void -init_access(const char *progname) -{ - krb5_error_code ret; - ret = krb5int_accessor(&acc, KRB5INT_ACCESS_VERSION); - if (ret) { - 
com_err(progname, ret, "while initializing accessor"); - exit(1); - } -} diff --git a/crypto/krb5/src/tests/asn.1/utility.h b/crypto/krb5/src/tests/asn.1/utility.h deleted file mode 100644 index e14507a0accb..000000000000 --- a/crypto/krb5/src/tests/asn.1/utility.h +++ /dev/null 
@@ -1,57 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/asn.1/utility.h */ -/* - * Copyright (C) 1994 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef __UTILITY_H__ -#define __UTILITY_H__ - -#include "k5-int.h" - -/* Aborts on failure. ealloc returns zero-filled memory. */ -void *ealloc(size_t size); -char *estrdup(const char *str); - -void asn1_krb5_data_unparse(const krb5_data *code, char **s); -/* modifies *s; - effects Instantiates *s with a string representation of the series - of hex octets in *code. (e.g. "02 02 00 7F") If code==NULL, - the string rep is "<NULL>". If code is empty (it contains no - data or has length <= 0), the string rep is "<EMPTY>". - If *s is non-NULL, then its currently-allocated storage - will be freed prior to the instantiation. 
- Returns ENOMEM or the string rep cannot be created. */ - -void krb5_data_parse(krb5_data *d, const char *s); -/* effects Parses character string *s into krb5_data *d. */ - -krb5_error_code krb5_data_hex_parse(krb5_data *d, const char *s); -/* requires *s is the string representation of a sequence of - hexadecimal octets. (e.g. "02 01 00") - effects Parses *s into krb5_data *d. */ - -extern krb5int_access acc; -extern void init_access(const char *progname); - -#endif diff --git a/crypto/krb5/src/tests/au_dict.json b/crypto/krb5/src/tests/au_dict.json deleted file mode 100644 index 032d60192d60..000000000000 --- a/crypto/krb5/src/tests/au_dict.json +++ /dev/null @@ -1,64 +0,0 @@ -{ -"event_name":"", -"event_success":0, -"evidence_tkt_id":"", -"fromport":0, -"fromaddr":{ - "type":0, - "length":0, - "ip":[]}, -"kdc_status":"", -"rep_etype":0, -"rep.ticket":{ - "authtime":0, - "cname":{ - "components":[], - "realm":"", - "length":0, - "type":0}, - "end":0, - "flags":0, - "sess_etype":0, - "srv_etype":0, - "sname":{ - "components":[], - "realm":"", - "length":0, - "type":0}}, -"req.avail_etypes":[], -"req.client":{ - "components":[], - "realm":"", - "length":0, - "type":0}, -"req_id":"", -"req.kdc_options":0, -"req.pa_type":[], -"req.server":{ - "components":[], - "realm":"", - "length":0, - "type":0}, -"req.tkt_end":0, -"s4u2proxy_user":{ - "components":[], - "realm":"", - "length":0, - "type":0}, -"s4u2self_user":{ - "components":[], - "realm":"", - "length":0, - "type":0}, -"stage":1, -"tkt_in_id":"", -"tkt_renewed":0, -"tkt_out_id":"", -"tkt_validated":0, -"u2u_user":{ - "components":[], - "realm":"", - "length":0, - "type":0}, -"violation":0 -} diff --git a/crypto/krb5/src/tests/conccache.c b/crypto/krb5/src/tests/conccache.c deleted file mode 100644 index 9fe530576194..000000000000 --- a/crypto/krb5/src/tests/conccache.c +++ /dev/null 
@@ -1,190 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/conccache.c - ccache concurrent get_creds/refresh test program */ -/* - * Copyright (C) 2021 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Usage: conccache ccname clientprinc serverprinc - * - * This program spawns two subprocesses. One repeatedly runs - * krb5_get_credentials() on ccname, and the other repeatedly refreshes ccname - * from the default keytab. If either subprocess fails, the program exits with - * status 1. The goal is to expose time windows where cache refreshes cause - * get_cred operations to fail. 
- */ - -#include "k5-platform.h" -#include <sys/types.h> -#include <sys/wait.h> -#include <pthread.h> -#include <krb5.h> - -/* Run this many iterations of each operation. */ -static const int iterations = 200; - -/* Saved command-line arguments. */ -static const char *ccname, *server_name, *client_name; - -static void -check(krb5_error_code code) -{ - if (code) - abort(); -} - -static krb5_boolean -get_cred(krb5_context context) -{ - krb5_error_code ret; - krb5_ccache cc; - krb5_principal client, server; - krb5_creds mcred, *cred; - - check(krb5_cc_resolve(context, ccname, &cc)); - check(krb5_parse_name(context, client_name, &client)); - check(krb5_parse_name(context, server_name, &server)); - - memset(&mcred, 0, sizeof(mcred)); - mcred.client = client; - mcred.server = server; - ret = krb5_get_credentials(context, 0, cc, &mcred, &cred); - - krb5_free_creds(context, cred); - krb5_free_principal(context, client); - krb5_free_principal(context, server); - krb5_cc_close(context, cc); - - return ret == 0; -} - -static krb5_boolean -refresh_cache(krb5_context context) -{ - krb5_error_code ret; - krb5_ccache cc; - krb5_principal client; - krb5_get_init_creds_opt *opt; - krb5_creds cred; - - check(krb5_cc_resolve(context, ccname, &cc)); - check(krb5_parse_name(context, client_name, &client)); - - check(krb5_get_init_creds_opt_alloc(context, &opt)); - check(krb5_get_init_creds_opt_set_out_ccache(context, opt, cc)); - ret = krb5_get_init_creds_keytab(context, &cred, client, NULL, 0, NULL, - opt); - - krb5_get_init_creds_opt_free(context, opt); - krb5_free_cred_contents(context, &cred); - krb5_free_principal(context, client); - krb5_cc_close(context, cc); - - return ret == 0; -} - -static pid_t -spawn_cred_subprocess(void) -{ - krb5_context context; - pid_t pid; - int i; - - pid = fork(); - assert(pid >= 0); - if (pid > 0) - return pid; - - check(krb5_init_context(&context)); - for (i = 0; i < iterations; i++) { - if (!get_cred(context)) { - fprintf(stderr, "cred worker 
failed after %d successes\n", i); - exit(1); - } - } - krb5_free_context(context); - exit(0); -} - -static pid_t -spawn_refresh_subprocess(void) -{ - krb5_context context; - pid_t pid; - int i; - - pid = fork(); - assert(pid >= 0); - if (pid > 0) - return pid; - - check(krb5_init_context(&context)); - for (i = 0; i < iterations; i++) { - if (!refresh_cache(context)) { - fprintf(stderr, "refresh worker failed after %d successes\n", i); - exit(1); - } - } - krb5_free_context(context); - exit(0); -} - -int -main(int argc, char *argv[]) -{ - krb5_context context; - pid_t cred_pid, refresh_pid, pid; - int cstatus, rstatus; - - assert(argc == 4); - ccname = argv[1]; - client_name = argv[2]; - server_name = argv[3]; - - /* Begin with an initialized cache. */ - check(krb5_init_context(&context)); - refresh_cache(context); - krb5_free_context(context); - - cred_pid = spawn_cred_subprocess(); - refresh_pid = spawn_refresh_subprocess(); - - pid = waitpid(cred_pid, &cstatus, 0); - if (pid == -1) - abort(); - pid = waitpid(refresh_pid, &rstatus, 0); - if (pid == -1) - abort(); - - if (!WIFEXITED(cstatus) || WEXITSTATUS(cstatus) != 0) - return 1; - if (!WIFEXITED(rstatus) || WEXITSTATUS(rstatus) != 0) - return 1; - return 0; -} diff --git a/crypto/krb5/src/tests/create/Makefile.in b/crypto/krb5/src/tests/create/Makefile.in deleted file mode 100644 index 5a44dfd8948e..000000000000 --- a/crypto/krb5/src/tests/create/Makefile.in +++ /dev/null @@ -1,17 +0,0 @@ -mydir=tests$(S)create -BUILDTOP=$(REL)..$(S).. -SRCS=$(srcdir)/kdb5_mkdums.c -KDB5_DEP_LIBS=$(THREAD_LINKOPTS) $(DL_LIB) - -all: kdb5_mkdums - -kdb5_mkdums: kdb5_mkdums.o $(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o kdb5_mkdums kdb5_mkdums.o $(KDB5_DEP_LIBS) $(KDB5_LIBS) $(KRB5_BASE_LIBS) - -all: kdb5_mkdums - -install: - -clean: - $(RM) kdb5_mkdums.o kdb5_mkdums - diff --git a/crypto/krb5/src/tests/create/deps b/crypto/krb5/src/tests/create/deps deleted file mode 100644 index a8e5e285a87c..000000000000 
--- a/crypto/krb5/src/tests/create/deps +++ /dev/null @@ -1,14 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)kdb5_mkdums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SS_DEPS) \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h kdb5_mkdums.c diff --git a/crypto/krb5/src/tests/create/kdb5_mkdums.c b/crypto/krb5/src/tests/create/kdb5_mkdums.c deleted file mode 100644 index 61ca9f67a22e..000000000000 --- a/crypto/krb5/src/tests/create/kdb5_mkdums.c +++ /dev/null 
@@ -1,398 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/create/kdb5_mkdums.c */ -/* - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * - * Edit a KDC database. 
- */ - -#include "k5-int.h" -#include "kdb.h" -#include "com_err.h" -#include <ss/ss.h> -#include <stdio.h> - - -#define REALM_SEP '@' -#define REALM_SEP_STR "@" - -struct mblock { - krb5_deltat max_life; - krb5_deltat max_rlife; - krb5_timestamp expiration; - krb5_flags flags; - krb5_kvno mkvno; -} mblock = { /* XXX */ - KRB5_KDB_MAX_LIFE, - KRB5_KDB_MAX_RLIFE, - KRB5_KDB_EXPIRATION, - KRB5_KDB_DEF_FLAGS, - 1 -}; - -int set_dbname_help (char *, char *); - -static void -usage(char *who, int status) -{ - fprintf(stderr, - "usage: %s -p prefix -n num_to_create [-d dbpathname] [-r realmname]\n", - who); - fprintf(stderr, "\t [-D depth] [-k enctype] [-M mkeyname]\n"); - - exit(status); -} - -int master_princ_set = 0; -krb5_keyblock master_keyblock; -krb5_principal master_princ; -krb5_pointer master_random; -krb5_context test_context; - -static char *progname; -static char *cur_realm = 0; -static char *mkey_name = 0; -static char *mkey_password = 0; -static krb5_boolean manual_mkey = FALSE; - -void add_princ (krb5_context, char *); - -int -main(int argc, char *argv[]) -{ - extern char *optarg; - int optchar, i, n; - char tmp[4096], tmp2[BUFSIZ], *str_newprinc; - - krb5_error_code retval; - char *dbname = 0; - int enctypedone = 0; - int num_to_create; - char principal_string[BUFSIZ]; - char *suffix = 0; - size_t suffix_size = 0; - int depth; - - krb5_init_context(&test_context); - - if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; - - progname = argv[0]; - - memset(principal_string, 0, sizeof(principal_string)); - num_to_create = 0; - depth = 1; - - while ((optchar = getopt(argc, argv, "D:P:p:n:d:r:k:M:e:m")) != -1) { - switch(optchar) { - case 'D': - depth = atoi(optarg); /* how deep to go */ - break; - case 'P': /* Only used for testing!!! 
*/ - mkey_password = optarg; - break; - case 'p': /* prefix name to create */ - strncpy(principal_string, optarg, sizeof(principal_string) - 1); - principal_string[sizeof(principal_string) - 1] = '\0'; - suffix = principal_string + strlen(principal_string); - suffix_size = sizeof(principal_string) - - (suffix - principal_string); - break; - case 'n': /* how many to create */ - num_to_create = atoi(optarg); - break; - case 'd': /* set db name */ - dbname = optarg; - break; - case 'r': - cur_realm = optarg; - break; - case 'k': - master_keyblock.enctype = atoi(optarg); - enctypedone++; - break; - case 'M': /* master key name in DB */ - mkey_name = optarg; - break; - case 'm': - manual_mkey = TRUE; - break; - case '?': - default: - usage(progname, 1); - /*NOTREACHED*/ - } - } - - if (!(num_to_create && suffix)) usage(progname, 1); - - if (!enctypedone) - master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; - - if (!krb5_c_valid_enctype(master_keyblock.enctype)) { - com_err(progname, KRB5_PROG_ETYPE_NOSUPP, - "while setting up enctype %d", master_keyblock.enctype); - exit(1); - } - - if (!dbname) - dbname = DEFAULT_KDB_FILE; /* XXX? 
*/ - - if (!cur_realm) { - if ((retval = krb5_get_default_realm(test_context, &cur_realm))) { - com_err(progname, retval, "while retrieving default realm name"); - exit(1); - } - } - if ((retval = set_dbname_help(progname, dbname))) - exit(retval); - - for (n = 1; n <= num_to_create; n++) { - /* build the new principal name */ - /* we can't pick random names because we need to generate all the names - again given a prefix and count to test the db lib and kdb */ - (void) snprintf(suffix, suffix_size, "%d", n); - (void) snprintf(tmp, sizeof(tmp), "%s-DEPTH-1", principal_string); - tmp[sizeof(tmp) - 1] = '\0'; - str_newprinc = tmp; - add_princ(test_context, str_newprinc); - - for (i = 2; i <= depth; i++) { - (void) snprintf(tmp2, sizeof(tmp2), "/%s-DEPTH-%d", - principal_string, i); - tmp2[sizeof(tmp2) - 1] = '\0'; - strncat(tmp, tmp2, sizeof(tmp) - 1 - strlen(tmp)); - str_newprinc = tmp; - add_princ(test_context, str_newprinc); - } - } - - retval = krb5_db_fini(test_context); - memset(master_keyblock.contents, 0, - (size_t) master_keyblock.length); - if (retval && retval != KRB5_KDB_DBNOTINITED) { - com_err(progname, retval, "while closing database"); - exit(1); - } - if (master_princ_set) - krb5_free_principal(test_context, master_princ); - krb5_free_context(test_context); - exit(0); -} - -void -add_princ(krb5_context context, char *str_newprinc) -{ - krb5_error_code retval; - krb5_principal newprinc; - krb5_db_entry *newentry; - char princ_name[4096]; - - newentry = calloc(1, sizeof(*newentry)); - if (newentry == NULL) { - com_err(progname, ENOMEM, "while allocating DB entry"); - return; - } - snprintf(princ_name, sizeof(princ_name), "%s@%s", str_newprinc, cur_realm); - if ((retval = krb5_parse_name(context, princ_name, &newprinc))) { - com_err(progname, retval, "while parsing '%s'", princ_name); - return; - } - - /* Add basic data */ - newentry->len = KRB5_KDB_V1_BASE_LENGTH; - newentry->attributes = mblock.flags; - newentry->max_life = mblock.max_life; - 
newentry->max_renewable_life = mblock.max_rlife; - newentry->expiration = mblock.expiration; - newentry->pw_expiration = mblock.expiration; - - /* Add princ to db entry */ - if ((retval = krb5_copy_principal(context, newprinc, &newentry->princ))) { - com_err(progname, retval, "while encoding princ to db entry for '%s'", - princ_name); - krb5_free_principal(context, newprinc); - goto error; - } - - { - /* Add mod princ to db entry */ - krb5_timestamp now; - - retval = krb5_timeofday(context, &now); - if (retval) { - com_err(progname, retval, "while fetching date"); - krb5_free_principal(context, newprinc); - goto error; - } - retval = krb5_dbe_update_mod_princ_data(context, newentry, now, - master_princ); - if (retval) { - com_err(progname, retval, "while encoding mod_princ data"); - krb5_free_principal(context, newprinc); - goto error; - } - } - - { /* Add key and salt data to db entry */ - krb5_data pwd, salt; - krb5_keyblock key; - - if ((retval = krb5_principal2salt(context, newprinc, &salt))) { - com_err(progname, retval, "while converting princ to salt for '%s'", - princ_name); - krb5_free_principal(context, newprinc); - goto error; - } - - krb5_free_principal(context, newprinc); - - pwd.length = strlen(princ_name); - pwd.data = princ_name; /* must be able to regenerate */ - if ((retval = krb5_c_string_to_key(context, master_keyblock.enctype, - &pwd, &salt, &key))) { - com_err(progname,retval,"while converting password to key for '%s'", - princ_name); - krb5_free_data_contents(context, &salt); - goto error; - } - krb5_free_data_contents(context, &salt); - - if ((retval = krb5_dbe_create_key_data(context, newentry))) { - com_err(progname, retval, "while creating key_data for '%s'", - princ_name); - free(key.contents); - goto error; - } - - if ((retval = krb5_dbe_encrypt_key_data(context, &master_keyblock, - &key, NULL, 1, - newentry->key_data))) { - com_err(progname, retval, "while encrypting key for '%s'", - princ_name); - free(key.contents); - goto error; - } 
- free(key.contents); - } - - if ((retval = krb5_db_put_principal(context, newentry))) { - com_err(progname, retval, "while storing principal date"); - goto error; - } - -error: /* Do cleanup of newentry regardless of error */ - krb5_db_free_principal(context, newentry); - return; -} - -int -set_dbname_help(char *pname, char *dbname) -{ - krb5_error_code retval; - krb5_data pwd, scratch; - char *args[2]; - krb5_db_entry *master_entry; - - /* assemble & parse the master key name */ - - if ((retval = krb5_db_setup_mkey_name(test_context, mkey_name, cur_realm, - 0, &master_princ))) { - com_err(pname, retval, "while setting up master key name"); - return(1); - } - master_princ_set = 1; - if (mkey_password) { - pwd.data = mkey_password; - pwd.length = strlen(mkey_password); - retval = krb5_principal2salt(test_context, master_princ, &scratch); - if (retval) { - com_err(pname, retval, "while calculated master key salt"); - return(1); - } - if ((retval = krb5_c_string_to_key(test_context, - master_keyblock.enctype, - &pwd, &scratch, - &master_keyblock))) { - com_err(pname, retval, - "while transforming master key from password"); - return(1); - } - free(scratch.data); - } else { - if ((retval = krb5_db_fetch_mkey(test_context, master_princ, - master_keyblock.enctype, manual_mkey, - FALSE, 0, NULL, NULL, - &master_keyblock))) { - com_err(pname, retval, "while reading master key"); - return(1); - } - } - - /* Ick! Current DAL interface requires that the default_realm - field be set in the krb5_context. */ - if ((retval = krb5_set_default_realm(test_context, cur_realm))) { - com_err(pname, retval, "setting default realm"); - return 1; - } - /* Pathname is passed to db2 via 'args' parameter. 
*/ - args[1] = NULL; - if (asprintf(&args[0], "dbname=%s", dbname) < 0) { - com_err(pname, errno, "while setting up db parameters"); - return 1; - } - - if ((retval = krb5_db_open(test_context, args, KRB5_KDB_OPEN_RO))) { - com_err(pname, retval, "while initializing database"); - return(1); - } - /* Done with args */ - free(args[0]); - - if ((retval = krb5_db_fetch_mkey_list(test_context, master_princ, - &master_keyblock))){ - com_err(pname, retval, "while verifying master key"); - (void) krb5_db_fini(test_context); - return(1); - } - if ((retval = krb5_db_get_principal(test_context, master_princ, 0, - &master_entry))) { - com_err(pname, retval, "while retrieving master entry"); - (void) krb5_db_fini(test_context); - return(1); - } - - mblock.max_life = master_entry->max_life; - mblock.max_rlife = master_entry->max_renewable_life; - mblock.expiration = master_entry->expiration; - - /* don't set flags, master has some extra restrictions */ - mblock.mkvno = master_entry->key_data[0].key_data_kvno; - - krb5_db_free_principal(test_context, master_entry); - return 0; -} diff --git a/crypto/krb5/src/tests/deps b/crypto/krb5/src/tests/deps deleted file mode 100644 index 13eb33125ec8..000000000000 --- a/crypto/krb5/src/tests/deps +++ /dev/null 
@@ -1,181 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)adata.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h adata.c -$(OUTPRE)conccache.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - conccache.c -$(OUTPRE)etinfo.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h etinfo.c -$(OUTPRE)forward.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - 
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h forward.c -$(OUTPRE)gcred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h gcred.c -$(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - 
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - hist.c -$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hooks.c -$(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hrealm.c -$(OUTPRE)icinterleave.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - 
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h icinterleave.c -$(OUTPRE)icred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - icred.c -$(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h kdbtest.c -$(OUTPRE)localauth.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h localauth.c -$(OUTPRE)plugorder.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ - 
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/krb5/pwqual_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h plugorder.c -$(OUTPRE)rdreq.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h rdreq.c -$(OUTPRE)replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h replay.c -$(OUTPRE)responder.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h 
$(COM_ERR_DEPS) $(top_srcdir)/include/k5-json.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h responder.c -$(OUTPRE)s2p.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h s2p.c -$(OUTPRE)s4u2self.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h s4u2self.c -$(OUTPRE)s4u2proxy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h s4u2proxy.c -$(OUTPRE)t_inetd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(COM_ERR_DEPS) t_inetd.c -$(OUTPRE)unlockiter.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h 
$(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h unlockiter.c diff --git a/crypto/krb5/src/tests/dumpfiles/dump b/crypto/krb5/src/tests/dumpfiles/dump deleted file mode 100644 index 15ff87888956..000000000000 --- a/crypto/krb5/src/tests/dumpfiles/dump +++ /dev/null 
@@ -1,11 +0,0 @@ -kdb5_util load_dump version 7 -princ 38 15 3 1 0 K/M@KRBTEST.COM 64 86400 0 0 0 0 0 0 8 2 0100 9 8 0100010000000000 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000408c027c250e8cc3b81476414f2214d57c1ce38891e29792e87258247c73547df4d5756266931dd6686b62270e656895a31ec66bfe913b4f15226227 -1; -princ 38 36 4 4 0 host/equal-rites.mit.edu@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20009b7f9e9edd44559c5ffb2b52beb92e57586f9bdf59ae0be7010ffa8b628928bebc7d6015211977bc34325be853e5f1eb5826ce75575414bc2696bc16 1 1 17 46 10001bfaf4d8ddd6e8767194a190e9dec2617dbc90883db767fa464325b76b97ea98f3b61c4d4234ff9aee6314a4 1 1 16 54 18008291ce8c2ccde958c2739e93ce499b088b1b8c304bce95097bd6c1bd92c3c9f64e92950767f7806d890b386ba586fdb7f8433f1c 1 1 23 46 1000a460520a9e39b1539e703a51793967247999a9a0bb7c59a61ca2b5e64a58c3b9cf8217daeddd71caae9d7fbb -1; -princ 38 24 4 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20005ea70b11f3337975c5463baedc68b234cadf72f89828d98e3c16cb8640bba7c5ed48a4bcf7649a73a9a410e96234924bfacd4bb38f08982db02c5c5b 1 1 17 46 10001b678f8b9bb6913397202c259702c1941fd5d2892f42349a92ca908de248cd041465bb3d16d27efce1f63e30 1 1 16 54 18009ed81fe14b19549918acad7b1158b86f5971ab3bd77b2359c29147af35730167210157e510dda65f691c312ac398850d7e228c40 1 1 23 46 10001d15a249bbea104208ae0b3d83337d4c06f6edef6a6ac60ec3df7b52aeeeb388c7233a9b1e3de646949ed540 -1; -princ 38 27 4 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 
200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; -princ 38 38 4 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; -princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; -princ 38 18 4 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; -princ 38 22 4 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 
12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; -princ 38 16 4 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 32 12345c010000000874657374706f6c0000000800000000000000000200000000 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; -policy testpol 0 0 1 3 1 0 0 0 0 0 0 0 - 0 diff --git a/crypto/krb5/src/tests/dumpfiles/dump.16 b/crypto/krb5/src/tests/dumpfiles/dump.16 deleted file mode 100644 index bea2ff6b4726..000000000000 --- a/crypto/krb5/src/tests/dumpfiles/dump.16 +++ /dev/null 
@@ -1,7 +0,0 @@ -kdb5_util load_dump version 5 -princ 38 15 1 1 0 K/M@KRBTEST.COM 64 36000 604800 0 0 0 0 0 2 28 18de675264625f6372656174696f6e404b5242544553542e434f4d00 1 1 16 54 180001361a6c58b3a273e484574c6c5739fb114ffe7d2298e767b545f332e3bda573021c97728028e7ec4942708f23f4445d4419f4ad -1; -princ 38 24 3 2 0 kadmin/admin@KRBTEST.COM 4 10800 604800 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 18de67526b6462355f7574696c404b5242544553542e434f4d00 1 4 18de6752 1 2 16 54 1800555ff1892cdb7dd7c62b659f9659981205ebb4f9fd4446e5243f58dfc0b99a4f096080d435702e052793a90c66aea062c8b8964e 1 2 1 38 0800ca62598d281381a22fc6d5bdf25653002b6afeb8f24af6ea01c9301359527304a08bb8f5 -1; -princ 38 27 3 2 0 kadmin/changepw@KRBTEST.COM 8196 300 604800 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 18de67526b6462355f7574696c404b5242544553542e434f4d00 1 4 18de6752 1 2 16 54 1800237a5df1fc3295e08ba18986f51f553c2d0dfff3fb8e17d19ac7777a1cd516713e5496521ba362261ab61c063090705ecf7bca01 1 2 1 38 0800685d1f82188b712b2947b63a259269b1fe53bf383bb05cdc802e2cb9d680631e512af4d4 -1; -princ 38 38 3 2 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 604800 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 18de67526b6462355f7574696c404b5242544553542e434f4d00 1 4 18de6752 1 2 16 54 1800ed9ad2e91940a41abc9b05d7dfb736c353e3ff18272b1d3bc31e5ebc3204e15d5fd9c3caa0c57be4736831b6f03c1741d5423ff1 1 2 1 38 0800eb82c30aa8e1f5a10f0f099372e2ff3385cb5437b41abee02491673cf45c79b2c4466364 -1; -princ 38 26 3 1 0 kadmin/history@KRBTEST.COM 0 64 604800 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 18de67526b6462355f7574696c404b5242544553542e434f4d00 1 4 18de6752 1 2 16 54 180070b4f132c63aa7d8b91f1323daa8d59bf2e04663b9b8931bcbe9a953c4fab6dda7c820db0cf9922af5ebfb7bd09101849e81f054 -1; -princ 38 30 1 2 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 36000 604800 0 0 0 0 0 2 28 18de675264625f6372656174696f6e404b5242544553542e434f4d00 1 1 16 54 
1800010572e45515fc5ee028a59a48bc86896ab5014c265304b2340d37a46c0185312e475e9245e70df0f6874c9348a2ca4389c7168f 1 1 1 38 0800d8b88190a5e7f49cdca68c0e018bafd971f1606f9af2f2e3d9e31c69071556896443ade2 -1; diff --git a/crypto/krb5/src/tests/dumpfiles/dump.b7 b/crypto/krb5/src/tests/dumpfiles/dump.b7 deleted file mode 100644 index 8d53401150e8..000000000000 --- a/crypto/krb5/src/tests/dumpfiles/dump.b7 +++ /dev/null 
@@ -1,11 +0,0 @@ -kdb5_util load_dump version 4 -princ 38 15 3 1 0 K/M@KRBTEST.COM 64 86400 0 0 0 0 0 0 8 2 0100 9 8 0100010000000000 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000408c027c250e8cc3b81476414f2214d57c1ce38891e29792e87258247c73547df4d5756266931dd6686b62270e656895a31ec66bfe913b4f15226227 -1; -princ 38 36 3 4 0 host/equal-rites.mit.edu@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20009b7f9e9edd44559c5ffb2b52beb92e57586f9bdf59ae0be7010ffa8b628928bebc7d6015211977bc34325be853e5f1eb5826ce75575414bc2696bc16 1 1 17 46 10001bfaf4d8ddd6e8767194a190e9dec2617dbc90883db767fa464325b76b97ea98f3b61c4d4234ff9aee6314a4 1 1 16 54 18008291ce8c2ccde958c2739e93ce499b088b1b8c304bce95097bd6c1bd92c3c9f64e92950767f7806d890b386ba586fdb7f8433f1c 1 1 23 46 1000a460520a9e39b1539e703a51793967247999a9a0bb7c59a61ca2b5e64a58c3b9cf8217daeddd71caae9d7fbb -1; -princ 38 24 3 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20005ea70b11f3337975c5463baedc68b234cadf72f89828d98e3c16cb8640bba7c5ed48a4bcf7649a73a9a410e96234924bfacd4bb38f08982db02c5c5b 1 1 17 46 10001b678f8b9bb6913397202c259702c1941fd5d2892f42349a92ca908de248cd041465bb3d16d27efce1f63e30 1 1 16 54 18009ed81fe14b19549918acad7b1158b86f5971ab3bd77b2359c29147af35730167210157e510dda65f691c312ac398850d7e228c40 1 1 23 46 10001d15a249bbea104208ae0b3d83337d4c06f6edef6a6ac60ec3df7b52aeeeb388c7233a9b1e3de646949ed540 -1; -princ 38 27 3 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 
18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; -princ 38 38 3 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; -princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; -princ 38 18 3 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; -princ 38 22 3 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 
18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; -princ 38 16 3 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; -policy testpol 0 0 1 3 1 0 diff --git a/crypto/krb5/src/tests/dumpfiles/dump.ov b/crypto/krb5/src/tests/dumpfiles/dump.ov deleted file mode 100644 index 285bef970382..000000000000 --- a/crypto/krb5/src/tests/dumpfiles/dump.ov +++ /dev/null @@ -1,9 +0,0 @@ -OpenV*Secure V1.0 -princ host/equal-rites.mit.edu@KRBTEST.COM 0 0 0 2 -princ kadmin/admin@KRBTEST.COM 0 0 0 2 -princ kadmin/changepw@KRBTEST.COM 0 0 0 2 -princ kadmin/equal-rites.mit.edu@KRBTEST.COM 0 0 0 2 -princ nokeys@KRBTEST.COM 0 0 0 2 -princ user/admin@KRBTEST.COM 0 0 0 2 -princ user@KRBTEST.COM testpol 800 0 0 2 -policy testpol 0 0 1 3 1 0 diff --git a/crypto/krb5/src/tests/dumpfiles/dump.r13 b/crypto/krb5/src/tests/dumpfiles/dump.r13 deleted file mode 100644 index c15a75e994ec..000000000000 --- a/crypto/krb5/src/tests/dumpfiles/dump.r13 +++ /dev/null 
@@ -1,11 +0,0 @@ -kdb5_util load_dump version 5 -princ 38 15 3 1 0 K/M@KRBTEST.COM 64 86400 0 0 0 0 0 0 8 2 0100 9 8 0100010000000000 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000408c027c250e8cc3b81476414f2214d57c1ce38891e29792e87258247c73547df4d5756266931dd6686b62270e656895a31ec66bfe913b4f15226227 -1; -princ 38 36 4 4 0 host/equal-rites.mit.edu@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20009b7f9e9edd44559c5ffb2b52beb92e57586f9bdf59ae0be7010ffa8b628928bebc7d6015211977bc34325be853e5f1eb5826ce75575414bc2696bc16 1 1 17 46 10001bfaf4d8ddd6e8767194a190e9dec2617dbc90883db767fa464325b76b97ea98f3b61c4d4234ff9aee6314a4 1 1 16 54 18008291ce8c2ccde958c2739e93ce499b088b1b8c304bce95097bd6c1bd92c3c9f64e92950767f7806d890b386ba586fdb7f8433f1c 1 1 23 46 1000a460520a9e39b1539e703a51793967247999a9a0bb7c59a61ca2b5e64a58c3b9cf8217daeddd71caae9d7fbb -1; -princ 38 24 4 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20005ea70b11f3337975c5463baedc68b234cadf72f89828d98e3c16cb8640bba7c5ed48a4bcf7649a73a9a410e96234924bfacd4bb38f08982db02c5c5b 1 1 17 46 10001b678f8b9bb6913397202c259702c1941fd5d2892f42349a92ca908de248cd041465bb3d16d27efce1f63e30 1 1 16 54 18009ed81fe14b19549918acad7b1158b86f5971ab3bd77b2359c29147af35730167210157e510dda65f691c312ac398850d7e228c40 1 1 23 46 10001d15a249bbea104208ae0b3d83337d4c06f6edef6a6ac60ec3df7b52aeeeb388c7233a9b1e3de646949ed540 -1; -princ 38 27 4 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 
200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; -princ 38 38 4 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; -princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; -princ 38 18 4 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; -princ 38 22 4 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 
12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; -princ 38 16 4 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 32 12345c010000000874657374706f6c0000000800000000000000000200000000 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; -policy testpol 0 0 1 3 1 0 diff --git a/crypto/krb5/src/tests/dumpfiles/dump.r18 b/crypto/krb5/src/tests/dumpfiles/dump.r18 deleted file mode 100644 index b352fa281023..000000000000 --- a/crypto/krb5/src/tests/dumpfiles/dump.r18 +++ /dev/null 
@@ -1,11 +0,0 @@ -kdb5_util load_dump version 6 -princ 38 15 3 1 0 K/M@KRBTEST.COM 64 86400 0 0 0 0 0 0 8 2 0100 9 8 0100010000000000 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000408c027c250e8cc3b81476414f2214d57c1ce38891e29792e87258247c73547df4d5756266931dd6686b62270e656895a31ec66bfe913b4f15226227 -1; -princ 38 36 4 4 0 host/equal-rites.mit.edu@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20009b7f9e9edd44559c5ffb2b52beb92e57586f9bdf59ae0be7010ffa8b628928bebc7d6015211977bc34325be853e5f1eb5826ce75575414bc2696bc16 1 1 17 46 10001bfaf4d8ddd6e8767194a190e9dec2617dbc90883db767fa464325b76b97ea98f3b61c4d4234ff9aee6314a4 1 1 16 54 18008291ce8c2ccde958c2739e93ce499b088b1b8c304bce95097bd6c1bd92c3c9f64e92950767f7806d890b386ba586fdb7f8433f1c 1 1 23 46 1000a460520a9e39b1539e703a51793967247999a9a0bb7c59a61ca2b5e64a58c3b9cf8217daeddd71caae9d7fbb -1; -princ 38 24 4 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20005ea70b11f3337975c5463baedc68b234cadf72f89828d98e3c16cb8640bba7c5ed48a4bcf7649a73a9a410e96234924bfacd4bb38f08982db02c5c5b 1 1 17 46 10001b678f8b9bb6913397202c259702c1941fd5d2892f42349a92ca908de248cd041465bb3d16d27efce1f63e30 1 1 16 54 18009ed81fe14b19549918acad7b1158b86f5971ab3bd77b2359c29147af35730167210157e510dda65f691c312ac398850d7e228c40 1 1 23 46 10001d15a249bbea104208ae0b3d83337d4c06f6edef6a6ac60ec3df7b52aeeeb388c7233a9b1e3de646949ed540 -1; -princ 38 27 4 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 
200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; -princ 38 38 4 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; -princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; -princ 38 18 4 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; -princ 38 22 4 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 
12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; -princ 38 16 4 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 32 12345c010000000874657374706f6c0000000800000000000000000200000000 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; -policy testpol 0 0 1 3 1 0 0 0 0 diff --git a/crypto/krb5/src/tests/etinfo.c b/crypto/krb5/src/tests/etinfo.c deleted file mode 100644 index 6b8a4f33b9d4..000000000000 --- a/crypto/krb5/src/tests/etinfo.c +++ /dev/null 
@@ -1,172 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/etinfo.c - Test harness for KDC etype-info behavior */ -/* - * Copyright (C) 2015 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Send an AS-REQ to the KDC for a specified principal, with an optionally - * specified request enctype list. Decode the output as either an AS-REP or a - * KRB-ERROR and display the PA-ETYPE-INFO2, PA-ETYPE-INFO, and PA-PW-SALT - * padata in the following format: - * - * error/asrep etype-info2/etype-info/pw-salt enctype salt [s2kparams] - * - * enctype is omitted for PA-PW-SALT entries. 
salt is displayed directly; - * s2kparams is displayed in uppercase hex. - */ - -#include "k5-int.h" - -static krb5_context ctx; - -static void -check(krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s\n", errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -static void -display_etinfo(krb5_etype_info_entry **list, const char *l1, const char *l2) -{ - krb5_etype_info_entry *info; - char etname[256]; - unsigned int i; - - for (; *list != NULL; list++) { - info = *list; - check(krb5_enctype_to_name(info->etype, TRUE, etname, sizeof(etname))); - printf("%s %s %s ", l1, l2, etname); - if (info->length != KRB5_ETYPE_NO_SALT) - printf("%.*s", info->length, info->salt); - else - printf("(default)"); - if (info->s2kparams.length > 0) { - printf(" "); - for (i = 0; i < info->s2kparams.length; i++) - printf("%02X", (unsigned char)info->s2kparams.data[i]); - } - printf("\n"); - } -} - -static void -display_padata(krb5_pa_data **pa_list, const char *label) -{ - krb5_pa_data *pa; - krb5_data d; - krb5_etype_info_entry **etinfo_list; - - for (; pa_list != NULL && *pa_list != NULL; pa_list++) { - pa = *pa_list; - d = make_data(pa->contents, pa->length); - if (pa->pa_type == KRB5_PADATA_ETYPE_INFO2) { - check(decode_krb5_etype_info2(&d, &etinfo_list)); - display_etinfo(etinfo_list, label, "etype_info2"); - krb5_free_etype_info(ctx, etinfo_list); - } else if (pa->pa_type == KRB5_PADATA_ETYPE_INFO) { - check(decode_krb5_etype_info(&d, &etinfo_list)); - display_etinfo(etinfo_list, label, "etype_info"); - krb5_free_etype_info(ctx, etinfo_list); - } else if (pa->pa_type == KRB5_PADATA_PW_SALT) { - printf("%s pw_salt %.*s\n", label, (int)d.length, d.data); - } else if (pa->pa_type == KRB5_PADATA_AFS3_SALT) { - printf("%s afs3_salt %.*s\n", label, (int)d.length, d.data); - } - } -} - -int -main(int argc, char **argv) -{ - krb5_principal client; - krb5_get_init_creds_opt *opt; - 
krb5_init_creds_context icc; - krb5_data reply, request, realm; - krb5_error *error; - krb5_kdc_rep *asrep; - krb5_pa_data **padata; - krb5_preauthtype pa_type = KRB5_PADATA_NONE; - unsigned int flags; - int primary = 0; - - if (argc < 2 || argc > 3) { - fprintf(stderr, "Usage: %s princname [patype]\n", argv[0]); - exit(1); - } - check(krb5_init_context(&ctx)); - check(krb5_parse_name(ctx, argv[1], &client)); - if (argc >= 3) - pa_type = atoi(argv[2]); - - check(krb5_get_init_creds_opt_alloc(ctx, &opt)); - if (pa_type != KRB5_PADATA_NONE) - krb5_get_init_creds_opt_set_preauth_list(opt, &pa_type, 1); - - check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, opt, &icc)); - reply = empty_data(); - check(krb5_init_creds_step(ctx, icc, &reply, &request, &realm, &flags)); - assert(flags == KRB5_INIT_CREDS_STEP_FLAG_CONTINUE); - check(krb5_sendto_kdc(ctx, &request, &realm, &reply, &primary, 0)); - - if (decode_krb5_error(&reply, &error) == 0) { - decode_krb5_padata_sequence(&error->e_data, &padata); - if (error->error == KDC_ERR_PREAUTH_REQUIRED) { - display_padata(padata, "error"); - } else if (error->error == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) { - display_padata(padata, "more"); - } else { - fprintf(stderr, "Unexpected error %d\n", (int)error->error); - return 1; - } - krb5_free_pa_data(ctx, padata); - krb5_free_error(ctx, error); - } else if (decode_krb5_as_rep(&reply, &asrep) == 0) { - display_padata(asrep->padata, "asrep"); - krb5_free_kdc_rep(ctx, asrep); - } else { - abort(); - } - - krb5_free_data_contents(ctx, &request); - krb5_free_data_contents(ctx, &reply); - krb5_free_data_contents(ctx, &realm); - krb5_get_init_creds_opt_free(ctx, opt); - krb5_init_creds_free(ctx, icc); - krb5_free_principal(ctx, client); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/forward.c b/crypto/krb5/src/tests/forward.c deleted file mode 100644 index 90f359a5866a..000000000000 --- a/crypto/krb5/src/tests/forward.c +++ /dev/null 
@@ -1,93 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/forward.c - test harness for getting forwarded creds */ -/* - * Copyright (C) 2016 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* This test program overwrites the default credential cache with a forwarded - * TGT obtained using the TGT presently in the cache. 
*/ - -#include "k5-int.h" - -static krb5_context ctx; - -static void -check(krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s\n", errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -int -main(void) -{ - krb5_ccache cc; - krb5_creds mcred, tgt, *fcred; - krb5_principal client, tgtprinc; - krb5_flags options; - - /* Open the default ccache and get the client and TGT principal names. */ - check(krb5_init_context(&ctx)); - check(krb5_cc_default(ctx, &cc)); - check(krb5_cc_get_principal(ctx, cc, &client)); - check(krb5_build_principal_ext(ctx, &tgtprinc, client->realm.length, - client->realm.data, KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, client->realm.length, - client->realm.data, 0)); - - /* Fetch the TGT credential. */ - memset(&mcred, 0, sizeof(mcred)); - mcred.client = client; - mcred.server = tgtprinc; - check(krb5_cc_retrieve_cred(ctx, cc, 0, &mcred, &tgt)); - - /* Get a forwarded TGT. */ - mcred.times = tgt.times; - mcred.times.starttime = 0; - options = (tgt.ticket_flags & KDC_TKT_COMMON_MASK) | KDC_OPT_FORWARDED; - check(krb5_get_cred_via_tkt(ctx, &tgt, options, NULL, &mcred, &fcred)); - - /* Reinitialize the default ccache with the forwarded TGT. */ - check(krb5_cc_initialize(ctx, cc, client)); - check(krb5_cc_store_cred(ctx, cc, fcred)); - - krb5_free_creds(ctx, fcred); - krb5_free_cred_contents(ctx, &tgt); - krb5_free_principal(ctx, tgtprinc); - krb5_free_principal(ctx, client); - krb5_cc_close(ctx, cc); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/fuzzing/Makefile.in b/crypto/krb5/src/tests/fuzzing/Makefile.in deleted file mode 100644 index 15bbbbf1a853..000000000000 --- a/crypto/krb5/src/tests/fuzzing/Makefile.in +++ /dev/null 
@@ -1,138 +0,0 @@ -mydir=tests$(S)fuzzing -BUILDTOP=$(REL)..$(S).. - -LOCALINCLUDES= \ - -I$(srcdir)/../../lib/crypto/krb -I$(srcdir)/../../lib/krad \ - -I$(srcdir)/../../lib/crypto/builtin/des -I$(srcdir)/../../kdc \ - -I$(srcdir)/../../lib/krb5/ccache -I$(srcdir)/../../util/profile \ - -I$(srcdir)/../../util/support - -OBJS= \ - fuzz_aes.o \ - fuzz_asn.o \ - fuzz_attrset.o \ - fuzz_chpw.o \ - fuzz_crypto.o \ - fuzz_des.o \ - fuzz_gss.o \ - fuzz_json.o \ - fuzz_kdc.o \ - fuzz_krad.o \ - fuzz_krb.o \ - fuzz_krb5_ticket.o \ - fuzz_marshal_cred.o \ - fuzz_marshal_princ.o \ - fuzz_ndr.o \ - fuzz_oid.o \ - fuzz_pac.o \ - fuzz_profile.o \ - fuzz_util.o - -SRCS= \ - $(srcdir)/fuzz_aes.c \ - $(srcdir)/fuzz_asn.c \ - $(srcdir)/fuzz_attrset.c \ - $(srcdir)/fuzz_chpw.c \ - $(srcdir)/fuzz_crypto.c \ - $(srcdir)/fuzz_des.c \ - $(srcdir)/fuzz_gss.c \ - $(srcdir)/fuzz_json.c \ - $(srcdir)/fuzz_kdc.c \ - $(srcdir)/fuzz_krad.c \ - $(srcdir)/fuzz_krb.c \ - $(srcdir)/fuzz_krb5_ticket.c \ - $(srcdir)/fuzz_marshal_cred.c \ - $(srcdir)/fuzz_marshal_princ.c \ - $(srcdir)/fuzz_ndr.c \ - $(srcdir)/fuzz_oid.c \ - $(srcdir)/fuzz_pac.c \ - $(srcdir)/fuzz_profile.c \ - $(srcdir)/fuzz_util.c - -FUZZ_TARGETS= \ - fuzz_aes \ - fuzz_asn \ - fuzz_attrset \ - fuzz_chpw \ - fuzz_crypto \ - fuzz_des \ - fuzz_gss \ - fuzz_json \ - fuzz_kdc \ - fuzz_krad \ - fuzz_krb \ - fuzz_krb5_ticket \ - fuzz_marshal_cred \ - fuzz_marshal_princ \ - fuzz_ndr \ - fuzz_oid \ - fuzz_pac \ - fuzz_profile \ - fuzz_util - -all: $(FUZZ_TARGETS) - -# OSS-Fuzz requires fuzz targets to be linked with the C++ linker, -# even if they are written in C. 
- -fuzz_aes: fuzz_aes.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_aes.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_asn: fuzz_asn.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_asn.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_attrset: fuzz_attrset.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_attrset.o -lkrad $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_chpw: fuzz_chpw.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_chpw.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_crypto: fuzz_crypto.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_crypto.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_des: fuzz_des.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_des.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_gss: fuzz_gss.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_gss.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_json: fuzz_json.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_json.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_kdc: fuzz_kdc.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_kdc.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_krad: fuzz_krad.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_krad.o -lkrad $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_krb: fuzz_krb.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_krb.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_krb5_ticket: fuzz_krb5_ticket.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_krb5_ticket.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_marshal_cred: fuzz_marshal_cred.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_marshal_cred.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_marshal_princ: fuzz_marshal_princ.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_marshal_princ.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_ndr: fuzz_ndr.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_ndr.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_oid: fuzz_oid.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_oid.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_pac: fuzz_pac.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) 
-o $@ fuzz_pac.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_profile: fuzz_profile.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_profile.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -fuzz_util: fuzz_util.o $(KRB5_BASE_DEPLIBS) - $(CXX_LINK) -o $@ fuzz_util.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) - -install: - -clean: - $(RM) $(FUZZ_TARGETS) diff --git a/crypto/krb5/src/tests/fuzzing/README b/crypto/krb5/src/tests/fuzzing/README deleted file mode 100644 index d1338249cdd6..000000000000 --- a/crypto/krb5/src/tests/fuzzing/README +++ /dev/null @@ -1,26 +0,0 @@ -This directory builds fuzzing targets for oss-fuzz compatibility. - If you wish to build it locally, you can do so by using the given - guide below. Note that it only works on GNU/Linux. - -Export flags required for building fuzzing targets. -```bash -export CC=clang -export CXX=clang++ -export CFLAGS="-g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" -export CXXFLAGS="-g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" -export LIB_FUZZING_ENGINE="-fsanitize=fuzzer" -``` - -Compilation of the fuzzing targets. -```bash -autoreconf -./configure CFLAGS="-fcommon $CFLAGS" CXXFLAGS="-fcommon $CXXFLAGS" \ - --enable-static --disable-shared --enable-ossfuzz -make -``` - -Running fuzzing targets. -```bash -mkdir fuzz_${TARGET}_corpus -./fuzz_${TARGET} fuzz_${TARGET}_corpus/ fuzz_${TARGET}_seed_corpus -``` diff --git a/crypto/krb5/src/tests/fuzzing/deps b/crypto/krb5/src/tests/fuzzing/deps deleted file mode 100644 index fbd77e8ea9b5..000000000000 --- a/crypto/krb5/src/tests/fuzzing/deps +++ /dev/null 
@@ -1,222 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)fuzz_aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/crypto/krb/crypto_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_aes.c -$(OUTPRE)fuzz_asn.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_asn.c -$(OUTPRE)fuzz_attrset.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(srcdir)/../../lib/krad/internal.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - 
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_attrset.c -$(OUTPRE)fuzz_chpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_chpw.c -$(OUTPRE)fuzz_crypto.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/crypto/krb/crypto_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_crypto.c -$(OUTPRE)fuzz_des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - 
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/crypto/builtin/des/des_int.h \ - $(srcdir)/../../lib/crypto/builtin/des/f_cbc.c $(srcdir)/../../lib/crypto/builtin/des/f_tables.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_des.c -$(OUTPRE)fuzz_gss.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssapi.h $(top_srcdir)/include/krb5.h \ - fuzz_gss.c -$(OUTPRE)fuzz_json.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_json.c -$(OUTPRE)fuzz_kdc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(srcdir)/../../kdc/extern.h 
$(srcdir)/../../kdc/kdc_util.h \ - $(srcdir)/../../kdc/realm_data.h $(srcdir)/../../kdc/replay.c \ - $(srcdir)/../../kdc/reqstate.h $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_kdc.c -$(OUTPRE)fuzz_krad.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_krad.c 
-$(OUTPRE)fuzz_krb.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-base64.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_krb.c -$(OUTPRE)fuzz_krb5_ticket.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_krb5_ticket.c -$(OUTPRE)fuzz_marshal_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/ccache/cc-int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h 
$(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_marshal_cred.c -$(OUTPRE)fuzz_marshal_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/ccache/cc-int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_marshal_princ.c -$(OUTPRE)fuzz_ndr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(srcdir)/../../kdc/kdc_util.h $(srcdir)/../../kdc/ndr.c \ - $(srcdir)/../../kdc/realm_data.h $(srcdir)/../../kdc/reqstate.h \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ - $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ - $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ - $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \ - 
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_ndr.c -$(OUTPRE)fuzz_oid.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ - $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - fuzz_oid.c -$(OUTPRE)fuzz_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - 
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_pac.c -$(OUTPRE)fuzz_profile.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../util/profile/prof_int.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - fuzz_profile.c -$(OUTPRE)fuzz_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../util/support/hashtab.c \ - $(top_srcdir)/include/k5-base64.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-hex.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/k5-utf8.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h fuzz_util.c diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_aes.c b/crypto/krb5/src/tests/fuzzing/fuzz_aes.c deleted file mode 100644 index ea4d8492ba19..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_aes.c +++ /dev/null 
@@ -1,104 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_aes.c - fuzzing harness for AES encryption/decryption */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <crypto_int.h>
-
-#define kMinInputLength 48
-#define kMaxInputLength 512
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-static void
-fuzz_aes(const uint8_t *data, size_t size, size_t key_size, krb5_enctype etype)
-{
- krb5_error_code ret;
- krb5_keyblock keyblock;
- krb5_crypto_iov iov;
- krb5_key key = NULL;
- char *aeskey = NULL, *data_in = NULL;
- char encivbuf[16] = { 0 }, decivbuf[16] = { 0 };
- krb5_data enciv = make_data(encivbuf, 16), deciv = make_data(decivbuf, 16);
-
- aeskey = k5memdup(data, key_size, &ret);
- if (ret)
- return;
-
- data_in = k5memdup(data + key_size, size - key_size, &ret);
- if (ret)
- goto cleanup;
-
- keyblock.contents = (krb5_octet *)aeskey;
- keyblock.length = key_size;
- keyblock.enctype = etype;
-
- ret = krb5_k_create_key(NULL, &keyblock, &key);
- if (ret)
- goto cleanup;
-
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = make_data(data_in, size - key_size);
-
- /* iov.data.data is input and output buffer */
- ret = krb5int_aes_encrypt(key, &enciv, &iov, 1);
- if (ret)
- goto cleanup;
-
- ret = krb5int_aes_decrypt(key, &deciv, &iov, 1);
- if (ret)
- goto cleanup;
-
- /* Check that decryption result matches original plaintext. */
- ret = memcmp(data_in, data + key_size, size - key_size);
- if (ret)
- abort();
-
- (void)krb5int_aes_decrypt(key, &deciv, &iov, 1);
-
-cleanup:
- free(aeskey);
- free(data_in);
- krb5_k_free_key(NULL, key);
-}
-
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- fuzz_aes(data, size, 16, ENCTYPE_AES128_CTS_HMAC_SHA1_96);
- fuzz_aes(data, size, 16, ENCTYPE_AES256_CTS_HMAC_SHA1_96);
- fuzz_aes(data, size, 32, ENCTYPE_AES128_CTS_HMAC_SHA1_96);
- fuzz_aes(data, size, 32, ENCTYPE_AES256_CTS_HMAC_SHA1_96);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_aes_seed_corpus/input.bin b/crypto/krb5/src/tests/fuzzing/fuzz_aes_seed_corpus/input.bin
deleted file mode 100644
index 5e4c069476b7..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_aes_seed_corpus/input.bin
+++ /dev/null
@@ -1 +0,0 @@
-I would like the General Gau's Chicken, please, and wonton soup.
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn.c b/crypto/krb5/src/tests/fuzzing/fuzz_asn.c
deleted file mode 100644
index be3fdb71ded9..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_asn.c
+++ /dev/null
@@ -1,188 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_asn.c - fuzzing harness for ASN.1 encoding/decoding */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-spake.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 2048
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-static void
-free_cred_enc_part_whole(krb5_context ctx, krb5_cred_enc_part *val)
-{
- krb5_free_cred_enc_part(ctx, val);
- free(val);
-}
-
-static void
-free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val)
-{
- if (val == NULL)
- return;
- free(val->kerb_message.data);
- free(val->target_domain.data);
- free(val);
-}
-
-#define FUZZ_ASAN(type, encoder, decoder, freefn) do { \
- type *v; \
- krb5_data *data_out = NULL; \
- \
- if ((*decoder)(&data_in, &v) != 0) \
- break; \
- \
- (*encoder)(v, &data_out); \
- krb5_free_data(context, data_out); \
- (*freefn)(context, v); \
- } while (0)
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_context context;
- krb5_data data_in;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- if (krb5_init_context(&context))
- return 0;
-
- data_in = make_data((void *)data, size);
-
- /* Adapted from krb5_decode_leak.c */
- FUZZ_ASAN(krb5_authenticator, encode_krb5_authenticator,
- decode_krb5_authenticator, krb5_free_authenticator);
- FUZZ_ASAN(krb5_ticket, encode_krb5_ticket, decode_krb5_ticket,
- krb5_free_ticket);
- FUZZ_ASAN(krb5_keyblock, encode_krb5_encryption_key,
- decode_krb5_encryption_key, krb5_free_keyblock);
- FUZZ_ASAN(krb5_enc_tkt_part, encode_krb5_enc_tkt_part,
- decode_krb5_enc_tkt_part, krb5_free_enc_tkt_part);
- FUZZ_ASAN(krb5_enc_kdc_rep_part, encode_krb5_enc_kdc_rep_part,
- decode_krb5_enc_kdc_rep_part, krb5_free_enc_kdc_rep_part);
- FUZZ_ASAN(krb5_kdc_rep, encode_krb5_as_rep, decode_krb5_as_rep,
- krb5_free_kdc_rep);
- FUZZ_ASAN(krb5_kdc_rep, encode_krb5_tgs_rep, decode_krb5_tgs_rep,
- krb5_free_kdc_rep);
- FUZZ_ASAN(krb5_ap_req, encode_krb5_ap_req, decode_krb5_ap_req,
- krb5_free_ap_req);
- FUZZ_ASAN(krb5_ap_rep, encode_krb5_ap_rep, decode_krb5_ap_rep,
- krb5_free_ap_rep);
- FUZZ_ASAN(krb5_ap_rep_enc_part, encode_krb5_ap_rep_enc_part,
- decode_krb5_ap_rep_enc_part, krb5_free_ap_rep_enc_part);
- FUZZ_ASAN(krb5_kdc_req, encode_krb5_as_req, decode_krb5_as_req,
- krb5_free_kdc_req);
- FUZZ_ASAN(krb5_kdc_req, encode_krb5_tgs_req, decode_krb5_tgs_req,
- krb5_free_kdc_req);
- FUZZ_ASAN(krb5_kdc_req, encode_krb5_kdc_req_body, decode_krb5_kdc_req_body,
- krb5_free_kdc_req);
- FUZZ_ASAN(krb5_safe, encode_krb5_safe, decode_krb5_safe, krb5_free_safe);
- FUZZ_ASAN(krb5_priv, encode_krb5_priv, decode_krb5_priv, krb5_free_priv);
- FUZZ_ASAN(krb5_priv_enc_part, encode_krb5_enc_priv_part,
- decode_krb5_enc_priv_part, krb5_free_priv_enc_part);
- FUZZ_ASAN(krb5_cred, encode_krb5_cred, decode_krb5_cred, krb5_free_cred);
- FUZZ_ASAN(krb5_cred_enc_part, encode_krb5_enc_cred_part,
- decode_krb5_enc_cred_part, free_cred_enc_part_whole);
- FUZZ_ASAN(krb5_error, encode_krb5_error, decode_krb5_error,
- krb5_free_error);
- FUZZ_ASAN(krb5_authdata *, encode_krb5_authdata, decode_krb5_authdata,
- krb5_free_authdata);
- FUZZ_ASAN(krb5_pa_data *, encode_krb5_padata_sequence,
- decode_krb5_padata_sequence, krb5_free_pa_data);
- FUZZ_ASAN(krb5_pa_data *, encode_krb5_typed_data,
- decode_krb5_typed_data, krb5_free_pa_data);
- FUZZ_ASAN(krb5_etype_info_entry *, encode_krb5_etype_info,
- decode_krb5_etype_info, krb5_free_etype_info);
- FUZZ_ASAN(krb5_etype_info_entry *, encode_krb5_etype_info2,
- decode_krb5_etype_info2, krb5_free_etype_info);
- FUZZ_ASAN(krb5_pa_enc_ts, encode_krb5_pa_enc_ts, decode_krb5_pa_enc_ts,
- krb5_free_pa_enc_ts);
- FUZZ_ASAN(krb5_enc_data, encode_krb5_enc_data, decode_krb5_enc_data,
- krb5_free_enc_data);
- FUZZ_ASAN(krb5_sam_challenge_2, encode_krb5_sam_challenge_2,
- decode_krb5_sam_challenge_2, krb5_free_sam_challenge_2);
- FUZZ_ASAN(krb5_sam_challenge_2_body, encode_krb5_sam_challenge_2_body,
- decode_krb5_sam_challenge_2_body,
- krb5_free_sam_challenge_2_body);
- FUZZ_ASAN(krb5_sam_response_2, encode_krb5_sam_response_2,
- decode_krb5_sam_response_2, krb5_free_sam_response_2);
- FUZZ_ASAN(krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2,
- decode_krb5_enc_sam_response_enc_2,
- krb5_free_enc_sam_response_enc_2);
- FUZZ_ASAN(krb5_pa_for_user, encode_krb5_pa_for_user,
- decode_krb5_pa_for_user, krb5_free_pa_for_user);
- FUZZ_ASAN(krb5_pa_s4u_x509_user, encode_krb5_pa_s4u_x509_user,
- decode_krb5_pa_s4u_x509_user, krb5_free_pa_s4u_x509_user);
- FUZZ_ASAN(krb5_ad_kdcissued, encode_krb5_ad_kdcissued,
- decode_krb5_ad_kdcissued, krb5_free_ad_kdcissued);
- FUZZ_ASAN(krb5_iakerb_header, encode_krb5_iakerb_header,
- decode_krb5_iakerb_header, krb5_free_iakerb_header);
- FUZZ_ASAN(krb5_iakerb_finished, encode_krb5_iakerb_finished,
- decode_krb5_iakerb_finished, krb5_free_iakerb_finished);
- FUZZ_ASAN(krb5_fast_response, encode_krb5_fast_response,
- decode_krb5_fast_response, krb5_free_fast_response);
- FUZZ_ASAN(krb5_enc_data, encode_krb5_pa_fx_fast_reply,
- decode_krb5_pa_fx_fast_reply, krb5_free_enc_data);
-
- /* Adapted from krb5_encode_test.c */
- FUZZ_ASAN(krb5_otp_tokeninfo, encode_krb5_otp_tokeninfo,
- decode_krb5_otp_tokeninfo, k5_free_otp_tokeninfo);
- FUZZ_ASAN(krb5_pa_otp_challenge, encode_krb5_pa_otp_challenge,
- decode_krb5_pa_otp_challenge, k5_free_pa_otp_challenge);
- FUZZ_ASAN(krb5_pa_otp_req, encode_krb5_pa_otp_req, decode_krb5_pa_otp_req,
- k5_free_pa_otp_req);
- FUZZ_ASAN(krb5_data, encode_krb5_pa_otp_enc_req,
- decode_krb5_pa_otp_enc_req, krb5_free_data);
- FUZZ_ASAN(krb5_kkdcp_message, encode_krb5_kkdcp_message,
- decode_krb5_kkdcp_message, free_kkdcp_message);
- FUZZ_ASAN(krb5_cammac, encode_krb5_cammac, decode_krb5_cammac,
- k5_free_cammac);
- FUZZ_ASAN(krb5_secure_cookie, encode_krb5_secure_cookie,
- decode_krb5_secure_cookie, k5_free_secure_cookie);
- FUZZ_ASAN(krb5_spake_factor, encode_krb5_spake_factor,
- decode_krb5_spake_factor, k5_free_spake_factor);
- FUZZ_ASAN(krb5_pa_spake, encode_krb5_pa_spake, decode_krb5_pa_spake,
- k5_free_pa_spake);
-
- /* Adapted from krb5_decode_test.c */
- {
- krb5_pa_pac_req *pa_pac_req = NULL;
-
- if (decode_krb5_pa_pac_req(&data_in, &pa_pac_req) == 0)
- free(pa_pac_req);
- }
-
- krb5_free_context(context);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_3.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_3.bin
Binary files differ
deleted file mode 100644
index 26c78993edb1..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_3.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_4.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_4.bin
Binary files differ
deleted file mode 100644
index 6add5a8412c3..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_4.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_6.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_6.bin
deleted file mode 100644
index dc2f08684e14..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_6.bin
+++ /dev/null
@@ -1,2 +0,0 @@ -b¤0¡ ¡ATHENA.MIT.EDU¢0 ¡0hftsaiextra£0
¡1234¤â@¥19940610060317Z¦0 ¡ -12345678§ÿÿÿÿ¨$0"0 ¡foobar0 ¡foobar
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_enc_tkt_part_30.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_enc_tkt_part_30.bin Binary files differdeleted file mode 100644 index 727a70f7db1f..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_enc_tkt_part_30.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_15.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_15.bin deleted file mode 100644 index 842a99d1b790..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_15.bin +++ /dev/null @@ -1,2 +0,0 @@ -0 ¡ -12345678¢0
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_21.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_21.bin deleted file mode 100644 index ae4a8aa5d2e9..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_21.bin +++ /dev/null @@ -1,2 +0,0 @@ -0 ÿ¡ -12345678
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_22.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_22.bin Binary files differdeleted file mode 100644 index 4bbedc1a50e4..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_22.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_24.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_24.bin deleted file mode 100644 index c9ad2a5dc041..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_24.bin +++ /dev/null @@ -1,2 +0,0 @@ -0 ÿÿÿ¡ -12345678
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_fail_encryption_key_16.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_fail_encryption_key_16.bin Binary files differdeleted file mode 100644 index 2b8b75383855..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_fail_encryption_key_16.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_auth_pack_80.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_auth_pack_80.bin deleted file mode 100644 index ff246345f64b..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_auth_pack_80.bin +++ /dev/null @@ -1,4 +0,0 @@ -0… 503 â@¡19940610060317Z¢*£1234¤ -krb5data¡pvalue¢$0"0 *†H†÷params0 *†H†÷£ -krb5data¤00 -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_68.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_68.bin deleted file mode 100644 index cbd0fd3cb20c..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_68.bin +++ /dev/null @@ -1 +0,0 @@ -0 00 ¡ad1
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_69.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_69.bin deleted file mode 100644 index 522634af2864..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_69.bin +++ /dev/null @@ -1,3 +0,0 @@ -0ò 00 ¡ad10 ¡ad2¡=0; 0 ¡0hftsaiextra¡¢£0 ¡ -cksumkdc¢=0; 0 ¡0hftsaiextra¡¢£0 ¡ -cksumsvc£R0P0£0 ¡cksum109 0 ¡0hftsaiextra¡¢£0 ¡cksum2
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_enc_data_47.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_enc_data_47.bin Binary files differdeleted file mode 100644 index 2cec584d9f4d..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_enc_data_47.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kdc_dh_key_info_81.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kdc_dh_key_info_81.bin Binary files differdeleted file mode 100644 index a3427389f37e..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kdc_dh_key_info_81.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kkdcp_message_67.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kkdcp_message_67.bin Binary files differdeleted file mode 100644 index 5c52c94176bb..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kkdcp_message_67.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ad_kdcissued_54.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ad_kdcissued_54.bin deleted file mode 100644 index 973cd47bfd3d..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ad_kdcissued_54.bin +++ /dev/null @@ -1 +0,0 @@ -0e 0
¡1234¡ATHENA.MIT.EDU¢0 ¡0hftsaiextra£$0"0 ¡foobar0 ¡foobar
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_rep_enc_part_16.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_rep_enc_part_16.bin deleted file mode 100644 index 3a7dcd135f86..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_rep_enc_part_16.bin +++ /dev/null @@ -1 +0,0 @@ -{0 19940610060317Z¡â@
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_req_14.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_req_14.bin Binary files differdeleted file mode 100644 index 1e1861dd72a5..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_req_14.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_rep_10.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_rep_10.bin Binary files differdeleted file mode 100644 index 6cb6811438de..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_rep_10.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_req_19.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_req_19.bin Binary files differdeleted file mode 100644 index 63f41f884c1a..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_req_19.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authdata_36.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authdata_36.bin deleted file mode 100644 index ff84a122e0cb..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authdata_36.bin +++ /dev/null @@ -1 +0,0 @@ -0"0 ¡foobar0 ¡foobar
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authenticator_2.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authenticator_2.bin deleted file mode 100644 index 7eb31e6e2333..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authenticator_2.bin +++ /dev/null @@ -1 +0,0 @@ -bO0M ¡ATHENA.MIT.EDU¢0 ¡0hftsaiextra¤â@¥19940610060317Z
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_cred_31.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_cred_31.bin Binary files differdeleted file mode 100644 index 33f21c8627c1..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_cred_31.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_32.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_32.bin Binary files differdeleted file mode 100644 index 968faa53ee2e..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_32.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_33.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_33.bin Binary files differdeleted file mode 100644 index e7d4d821db34..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_33.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_kdc_rep_part_8.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_kdc_rep_part_8.bin Binary files differdeleted file mode 100644 index 318415638640..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_kdc_rep_part_8.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_29.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_29.bin Binary files differdeleted file mode 100644 index 9e2574c1c932..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_29.bin +++ /dev/null 
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_30.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_30.bin Binary files differdeleted file mode 100644 index 3c6f5d549c60..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_30.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_5.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_5.bin Binary files differdeleted file mode 100644 index 5f74aeb23dbf..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_5.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_7.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_7.bin Binary files differdeleted file mode 100644 index a674aadb77ac..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_7.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_34.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_34.bin deleted file mode 100644 index 439eb171ceee..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_34.bin +++ /dev/null @@ -1,3 +0,0 @@ -~º0· ¡¢19940610060317Z£â@¤19940610060317Z¥â@¦<§ATHENA.MIT.EDU¨0 ¡0hftsaiextra©ATHENA.MIT.EDUª0 ¡0hftsaiextra« -krb5data¬ -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_35.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_35.bin deleted file mode 100644 index 588e77546add..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_35.bin +++ /dev/null @@ -1 +0,0 @@ -~`0^ ¡£â@¤19940610060317Z¥â@¦<©ATHENA.MIT.EDUª0 ¡0hftsaiextra
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_43.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_43.bin Binary files differdeleted file mode 100644 index c1bacbb8596a..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_43.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_44.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_44.bin Binary files differdeleted file mode 100644 index 14f1ad05f376..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_44.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_40.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_40.bin Binary files differdeleted file mode 100644 index c34f5bc03b23..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_40.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_41.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_41.bin Binary files differdeleted file mode 100644 index 5672958b5ca6..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_41.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_fast_response_57.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_fast_response_57.bin deleted file mode 100644 index e4ff58a7f5b9..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_fast_response_57.bin +++ /dev/null @@ -1,2 +0,0 @@ -0Ÿ &0$0¡
¢ pa-data0¡
¢ pa-data¡0 ¡ -12345678¢[0Y 19940610060317Z¡â@¢ATHENA.MIT.EDU£0 ¡0hftsaiextra¤0
¡1234£*
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_finished_56.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_finished_56.bin deleted file mode 100644 index 1ef561f50189..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_finished_56.bin +++ /dev/null @@ -1 +0,0 @@ -0¡0
¡1234
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_header_55.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_header_55.bin deleted file mode 100644 index 9d7097829438..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_header_55.bin +++ /dev/null @@ -1,3 +0,0 @@ -0¡ -krb5data¢ -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_kdc_req_body_24.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_kdc_req_body_24.bin Binary files differdeleted file mode 100644 index 1f274fa96923..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_kdc_req_body_24.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_rep_13.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_rep_13.bin Binary files differdeleted file mode 100644 index b46dd44b0666..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_rep_13.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_req_23.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_req_23.bin Binary files differdeleted file mode 100644 index e925ec4d7035..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_req_23.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_otp_tokeninfo_61.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_otp_tokeninfo_61.bin Binary files differdeleted file mode 100644 index 61a1d1dfb0cf..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_otp_tokeninfo_61.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_enc_ts (no usec)_45.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_enc_ts (no usec)_45.bin deleted file mode 100644 index 127099627f6f..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_enc_ts (no usec)_45.bin +++ /dev/null @@ -1 +0,0 @@ -0 19940610060317Z
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_for_user_53.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_for_user_53.bin deleted file mode 100644 index c1249ff70092..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_for_user_53.bin +++ /dev/null @@ -1,2 +0,0 @@ -0K 0 ¡0hftsaiextra¡ATHENA.MIT.EDU¢0
¡1234£ -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_fx_fast_reply_59.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_fx_fast_reply_59.bin Binary files differdeleted file mode 100644 index 2218e2bbe1fb..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_fx_fast_reply_59.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_challenge_63.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_challenge_63.bin Binary files differdeleted file mode 100644 index 119997b0088d..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_challenge_63.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_64.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_64.bin Binary files differdeleted file mode 100644 index b5b27f372cbc..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_64.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_65.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_65.bin Binary files differdeleted file mode 100644 index 3490a8d66d31..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_65.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_78.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_78.bin deleted file mode 100644 index 52bff24122c6..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_78.bin +++ /dev/null @@ -1,3 +0,0 @@ - (0&€krb5data¡ -krb5data¢0 -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_79.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_79.bin deleted file mode 100644 index 35d75453dfb4..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_79.bin +++ /dev/null @@ -1 +0,0 @@ -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_s4u_x509_user_54.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_s4u_x509_user_54.bin Binary files differdeleted file mode 100644 index 595a37cde091..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_s4u_x509_user_54.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_73.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_73.bin deleted file mode 100644 index d394484aad4d..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_73.bin +++ /dev/null @@ -1,2 +0,0 @@ - 0 - 0
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_74.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_74.bin deleted file mode 100644 index d2e4cb2a41a7..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_74.bin +++ /dev/null @@ -1 +0,0 @@ -¡-0+ ¡ T value¢00 0 ¡fdata
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_75.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_75.bin Binary files differdeleted file mode 100644 index 51dcdc0ad82d..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_75.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_76.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_76.bin Binary files differdeleted file mode 100644 index 1b9a8f86155e..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_76.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_padata_sequence_38.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_padata_sequence_38.bin Binary files differdeleted file mode 100644 index def7fcb589b9..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_padata_sequence_38.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_priv_28.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_priv_28.bin Binary files differdeleted file mode 100644 index 178ba448812b..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_priv_28.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_reply_key_pack_82.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_reply_key_pack_82.bin deleted file mode 100644 index 8657c7c56c90..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_reply_key_pack_82.bin +++ /dev/null @@ -1,2 +0,0 @@ -0& 0 ¡ -12345678¡0
¡1234
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_26.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_26.bin Binary files differdeleted file mode 100644 index 71f6ab3cba88..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_26.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_27.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_27.bin Binary files differdeleted file mode 100644 index 736c6f0b3826..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_27.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_49.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_49.bin deleted file mode 100644 index 62942bd8aca6..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_49.bin +++ /dev/null @@ -1 +0,0 @@ -0"
0 challenge¡00
¡1234
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_body_50.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_body_50.bin Binary files differdeleted file mode 100644 index dd624bb4a99a..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_body_50.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_response_2_51.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_response_2_51.bin Binary files differdeleted file mode 100644 index 430f6f0e2d70..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_response_2_51.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_secure_cookie_70.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_secure_cookie_70.bin deleted file mode 100644 index 00a4f477bbad..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_secure_cookie_70.bin +++ /dev/null @@ -1 +0,0 @@ -0,-ø%0$0¡
¢ pa-data0¡
¢ pa-data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sp80056a_other_info_83.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sp80056a_other_info_83.bin deleted file mode 100644 index 3639de9e6360..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sp80056a_other_info_83.bin +++ /dev/null @@ -1,2 +0,0 @@ -00 *†H†÷ 200. ATHENA.MIT.EDU¡0 ¡0hftsaiextra¡200. ATHENA.MIT.EDU¡0 ¡0hftsaiextra¢ -krb5data
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_spake_factor_71.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_spake_factor_71.bin deleted file mode 100644 index 6dfd6ad0b017..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_spake_factor_71.bin +++ /dev/null @@ -1 +0,0 @@ -0
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_11.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_11.bin Binary files differdeleted file mode 100644 index 0ca8532f6364..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_11.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_12.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_12.bin Binary files differdeleted file mode 100644 index cd2ac5415520..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_12.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_20.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_20.bin Binary files differdeleted file mode 100644 index b56f57d514ae..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_20.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_21.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_21.bin Binary files differdeleted file mode 100644 index eb8a40ff78a1..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_21.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_ticket_3.bin b/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_ticket_3.bin Binary files differdeleted file mode 100644 index 68efbe14af4a..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_ticket_3.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_attrset.c b/crypto/krb5/src/tests/fuzzing/fuzz_attrset.c deleted file mode 100644 index 5c1a8d604138..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_attrset.c +++ /dev/null 
@@ -1,68 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_attrset.c - fuzzing harness for kr_attrset functions */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <internal.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_context context;
- krad_attrset *set;
- krb5_data data_in;
- uint8_t buffer[KRAD_PACKET_SIZE_MAX], auth[MD5_DIGEST_SIZE] = { 0 };
- size_t encode_len;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = make_data((void *)data, size);
-
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
- ret = kr_attrset_decode(context, &data_in, "f", auth, &set);
- if (!ret)
- kr_attrset_encode(set, "f", auth, FALSE, buffer, &encode_len);
-
- krad_attrset_free(set);
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_attrset_seed_corpus/t_attrset.bin b/crypto/krb5/src/tests/fuzzing/fuzz_attrset_seed_corpus/t_attrset.bin
deleted file mode 100644
index aceceefa7a38..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_attrset_seed_corpus/t_attrset.bin
+++ /dev/null
@@ -1,2 +0,0 @@
- -testUserXÿÚ7ùäÊ®I·mX'
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw.c b/crypto/krb5/src/tests/fuzzing/fuzz_chpw.c
deleted file mode 100644
index dfa6dfda60b8..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_chpw.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for krb5_chpw_message.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 512
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- char *msg;
- krb5_data data_in;
- krb5_context context;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = make_data((void *)data, size);
-
- if (krb5_init_context(&context) != 0)
- return 0;
-
- if (krb5_chpw_message(context, &data_in, &msg) == 0)
- free(msg);
-
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin
Binary files differ
deleted file mode 100644
index cf3ccef4213b..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin
Binary files differ
deleted file mode 100644
index 77f9336fd553..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin
Binary files differ
deleted file mode 100644
index 7e9a56f99a28..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin
Binary files differ
deleted file mode 100644
index 5682bd708a99..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin Binary files differdeleted file mode 100644 index dda723cc1d6c..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin Binary files differdeleted file mode 100644 index f1f4ef55fdb4..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin +++ /dev/null diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin b/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin deleted file mode 100644 index 3a20212ae9cb..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin +++ /dev/null @@ -1 +0,0 @@ -This is a valid string.
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_crypto.c b/crypto/krb5/src/tests/fuzzing/fuzz_crypto.c
deleted file mode 100644
index 2bd52e62979c..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_crypto.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_crypto.c - fuzzing harness for general crypto */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <crypto_int.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 512
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-static void
-fuzz_checksum(krb5_cksumtype sumtype, krb5_keyblock keyblock,
- krb5_keyusage usage, krb5_data data)
-{
- krb5_error_code ret;
- krb5_checksum cksum;
- krb5_boolean valid;
-
- ret = krb5_c_make_checksum(NULL, sumtype, &keyblock, usage, &data, &cksum);
- if (ret)
- return;
-
- ret = krb5_c_verify_checksum(NULL, &keyblock, usage, &data, &cksum,
- &valid);
- if (ret || !valid)
- abort();
-
- krb5_free_checksum_contents(NULL, &cksum);
-}
-
-static void
-fuzz_crypt(krb5_keyblock keyblock, krb5_enctype enctype,
- krb5_keyusage usage, krb5_data data)
-{
- krb5_error_code ret;
- krb5_enc_data encoded = { 0 };
- krb5_data decoded = empty_data();
- size_t enclen;
-
- ret = krb5_c_encrypt_length(NULL, enctype, data.length, &enclen);
- if (ret)
- return;
-
- encoded.magic = KV5M_ENC_DATA;
- encoded.enctype = enctype;
-
- ret = alloc_data(&encoded.ciphertext, enclen);
- if (ret)
- return;
-
- ret = alloc_data(&decoded, data.length);
- if (ret) {
- krb5_free_data_contents(NULL, &encoded.ciphertext);
- return;
- }
-
- ret = krb5_c_encrypt(NULL, &keyblock, usage, NULL, &data, &encoded);
- if (ret)
- goto cleanup;
-
- ret = krb5_c_decrypt(NULL, &keyblock, usage, NULL, &encoded, &decoded);
- if (ret)
- goto cleanup;
-
- if (memcmp(data.data, decoded.data, data.length) != 0)
- abort();
-
-cleanup:
- krb5_free_data_contents(NULL, &encoded.ciphertext);
- krb5_free_data_contents(NULL, &decoded);
-}
-
-static void
-fuzz_prf(krb5_keyblock keyblock, krb5_enctype enctype, krb5_data data)
-{
- krb5_error_code ret;
- krb5_data output;
- size_t prfsz;
-
- ret = krb5_c_prf_length(NULL, enctype, &prfsz);
- if (ret)
- return;
-
- ret = alloc_data(&output, prfsz);
- if (ret)
- return;
-
- krb5_c_prf(NULL, &keyblock, &data, &output);
-
- krb5_free_data_contents(NULL, &output);
-}
-
-static void
-fuzz_setup(krb5_enctype enctype, krb5_cksumtype sumtype,
- krb5_keyusage usage, krb5_data data)
-{
- krb5_error_code ret;
- krb5_keyblock keyblock;
-
- ret = krb5_c_make_random_key(NULL, enctype, &keyblock);
- if (ret)
- return;
-
- fuzz_checksum(sumtype, keyblock, usage, data);
- fuzz_crypt(keyblock, enctype, usage, data);
- fuzz_prf(keyblock, enctype, data);
-
- krb5_free_keyblock_contents(NULL, &keyblock);
-}
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_data data_in;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = make_data((void *)data, size);
-
- fuzz_setup(ENCTYPE_DES3_CBC_SHA1, CKSUMTYPE_HMAC_SHA1_DES3, 0, data_in);
- fuzz_setup(ENCTYPE_ARCFOUR_HMAC, CKSUMTYPE_MD5_HMAC_ARCFOUR, 1, data_in);
- fuzz_setup(ENCTYPE_ARCFOUR_HMAC, CKSUMTYPE_HMAC_MD5_ARCFOUR, 2, data_in);
- fuzz_setup(ENCTYPE_ARCFOUR_HMAC_EXP, CKSUMTYPE_RSA_MD4, 3, data_in);
- fuzz_setup(ENCTYPE_ARCFOUR_HMAC_EXP, CKSUMTYPE_RSA_MD5, 4, data_in);
- fuzz_setup(ENCTYPE_ARCFOUR_HMAC_EXP, CKSUMTYPE_SHA1, 5, data_in);
- fuzz_setup(ENCTYPE_AES128_CTS_HMAC_SHA1_96, CKSUMTYPE_HMAC_SHA1_96_AES128,
- 6, data_in);
- fuzz_setup(ENCTYPE_AES256_CTS_HMAC_SHA1_96, CKSUMTYPE_HMAC_SHA1_96_AES256,
- 7, data_in);
- fuzz_setup(ENCTYPE_CAMELLIA128_CTS_CMAC, CKSUMTYPE_CMAC_CAMELLIA128,
- 8, data_in);
- fuzz_setup(ENCTYPE_CAMELLIA256_CTS_CMAC, CKSUMTYPE_CMAC_CAMELLIA256,
- 9, data_in);
- fuzz_setup(ENCTYPE_AES128_CTS_HMAC_SHA256_128,
- CKSUMTYPE_HMAC_SHA256_128_AES128, 10, data_in);
- fuzz_setup(ENCTYPE_AES256_CTS_HMAC_SHA384_192,
- CKSUMTYPE_HMAC_SHA384_192_AES256, 11, data_in);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_crypto_seed_corpus/input.bin b/crypto/krb5/src/tests/fuzzing/fuzz_crypto_seed_corpus/input.bin
deleted file mode 100644
index 13f3fcbe0588..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_crypto_seed_corpus/input.bin
+++ /dev/null
@@ -1 +0,0 @@
-brrr
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_des.c b/crypto/krb5/src/tests/fuzzing/fuzz_des.c
deleted file mode 100644
index 08efb38b2979..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_des.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_des.c - fuzzing harness for DES functions */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <des_int.h>
-
-#include <f_cbc.c>
-
-#define kMinInputLength 32
-#define kMaxInputLength 128
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-uint8_t default_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
-
-static void
-fuzz_des(uint8_t *input, mit_des_key_schedule sched)
-{
- uint8_t encrypt[8], decrypt[8];
-
- mit_des_cbc_encrypt((const mit_des_cblock *)input,
- (mit_des_cblock *)encrypt, 8,
- sched, default_ivec, MIT_DES_ENCRYPT);
-
- mit_des_cbc_encrypt((const mit_des_cblock *)encrypt,
- (mit_des_cblock *)decrypt, 8,
- sched, default_ivec, MIT_DES_DECRYPT);
-
- if (memcmp(input, decrypt, 8) != 0)
- abort();
-}
-
-static void
-fuzz_decrypt(uint8_t *input, mit_des_key_schedule sched)
-{
- uint8_t output[8];
-
- mit_des_cbc_encrypt((const mit_des_cblock *)input,
- (mit_des_cblock *)output, 8,
- sched, default_ivec, MIT_DES_DECRYPT);
-}
-
-static void
-fuzz_cksum(uint8_t *input, mit_des_key_schedule sched)
-{
- uint8_t output[8];
-
- mit_des_cbc_cksum(input, output, 8, sched, default_ivec);
-}
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- mit_des_key_schedule sched;
- uint8_t *data_in, input[8];
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- memcpy(input, data, 8);
- ret = mit_des_key_sched(input, sched);
- if (ret)
- return 0;
-
- memcpy(input, data + 8, 8);
- fuzz_des(input, sched);
-
- memcpy(input, data + 16, 8);
- fuzz_decrypt(input, sched);
-
- data_in = k5memdup(data + 24, size - 24, &ret);
- if (ret)
- return 0;
-
- fuzz_cksum(data_in, sched);
- free(data_in);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_des_seed_corpus/input.bin b/crypto/krb5/src/tests/fuzzing/fuzz_des_seed_corpus/input.bin
deleted file mode 100644
index 6607c59ab3b3..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_des_seed_corpus/input.bin
+++ /dev/null
@@ -1 +0,0 @@ -brrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_gss.c b/crypto/krb5/src/tests/fuzzing/fuzz_gss.c
deleted file mode 100644
index 3c65f34fd01f..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_gss.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_gss.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for gss_accept_sec_context.
- */
-
-#include "autoconf.h"
-#include <krb5.h>
-#include <gssapi.h>
-#include <string.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- gss_OID doid;
- OM_uint32 minor, ret_flags, time_rec;
- gss_name_t client = GSS_C_NO_NAME;
- gss_ctx_id_t context = GSS_C_NO_CONTEXT;
- gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
- gss_buffer_desc data_in, data_out = GSS_C_EMPTY_BUFFER;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in.length = size;
- data_in.value = (void *)data;
-
- gss_accept_sec_context(&minor, &context, GSS_C_NO_CREDENTIAL,
- &data_in, GSS_C_NO_CHANNEL_BINDINGS, &client,
- &doid, &data_out, &ret_flags, &time_rec,
- &deleg_cred);
-
- gss_release_buffer(&minor, &data_out);
-
- if (context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin b/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin
Binary files differ
deleted file mode 100644
index 9e2a8d765a81..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin b/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin
Binary files differ
deleted file mode 100644
index 9bc9afdd7849..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin b/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin
Binary files differ
deleted file mode 100644
index a191e0a59f0f..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/realm_query.bin b/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/realm_query.bin
Binary files differ
deleted file mode 100644
index 2178d65a04b6..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/realm_query.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin b/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin
Binary files differ
deleted file mode 100644
index 980b6484d3dc..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_json.c b/crypto/krb5/src/tests/fuzzing/fuzz_json.c
deleted file mode 100644
index a3440eaef1ca..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_json.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_json.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for k5_json_decode.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <krb5.h>
-#include <k5-json.h>
-#include <string.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- k5_json_value decoded = NULL;
- char *data_in = NULL, *data_out;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = k5memdup0(data, size, &ret);
- if (data_in == NULL)
- return 0;
-
- ret = k5_json_decode(data_in, &decoded);
- if (ret)
- goto cleanup;
-
- ret = k5_json_encode(decoded, &data_out);
- if (!ret)
- free(data_out);
-
-cleanup:
- free(data_in);
- k5_json_release(decoded);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json b/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json
deleted file mode 100644
index ece1b849b581..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json
+++ /dev/null
@@ -1 +0,0 @@
- "foo\"bar"
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json b/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json
deleted file mode 100644
index f0bd59cb5491..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{ "k1" : { "k2" : "s2", "k3" : "s3" }, "k4" : "s4" }
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json b/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json deleted file mode 100644 index 9c4eec71eb1e..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json +++ /dev/null @@ -1 +0,0 @@ - [ -1 ]
\ No newline at end of file diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_kdc.c b/crypto/krb5/src/tests/fuzzing/fuzz_kdc.c deleted file mode 100644 index 59457e282c96..000000000000 --- a/crypto/krb5/src/tests/fuzzing/fuzz_kdc.c +++ /dev/null 
@@ -1,72 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_kdc.c - fuzzing harness for KDC replay cache */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-
-#include <replay.c>
-
-#define kMinInputLength 2
-#define kMaxInputLength 256
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_context context = NULL;
- krb5_data req, rep;
- struct entry *e;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
- ret = kdc_init_lookaside(context);
- if (ret)
- goto cleanup;
-
- req = make_data((void *)data, size);
- rep = make_data((void *)data, size - 1);
-
- e = insert_entry(context, &req, &rep, 0);
- discard_entry(context, e);
-
- kdc_free_lookaside(context);
-
-cleanup:
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_kdc_seed_corpus/input.bin b/crypto/krb5/src/tests/fuzzing/fuzz_kdc_seed_corpus/input.bin
deleted file mode 100644
index 6605099dcbba..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_kdc_seed_corpus/input.bin
+++ /dev/null
@@ -1 +0,0 @@
-I Had Strings, But now i'm free.
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krad.c b/crypto/krb5/src/tests/fuzzing/fuzz_krad.c
deleted file mode 100644
index dbafbf164fb9..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krad.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_krad.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for krad_packet_decode_response,
- * krad_packet_decode_request.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <krad.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-static krad_packet *packets[3];
-
-static const krad_packet *
-iterator(void *data, krb5_boolean cancel)
-{
- krad_packet *tmp;
- int *i = data;
-
- if (cancel || packets[*i] == NULL)
- return NULL;
-
- tmp = packets[*i];
- *i += 1;
- return tmp;
-}
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- int i;
- krb5_context ctx;
- krb5_data data_in;
- const char *secret = "f";
- const krad_packet *req_1 = NULL, *req_2 = NULL;
- krad_packet *rsp_1 = NULL, *rsp_2 = NULL;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- if (krb5_init_context(&ctx) != 0)
- return 0;
-
- data_in = make_data((void *)data, size);
-
- i = 0;
- krad_packet_decode_response(ctx, secret, &data_in, iterator, &i,
- &req_1, &rsp_1);
-
- i = 0;
- krad_packet_decode_request(ctx, secret, &data_in, iterator, &i,
- &req_2, &rsp_2);
-
- krad_packet_free(rsp_1);
- krad_packet_free(rsp_2);
- krb5_free_context(ctx);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin
Binary files differ
deleted file mode 100644
index 02eb9a1cb5e6..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb.c b/crypto/krb5/src/tests/fuzzing/fuzz_krb.c
deleted file mode 100644
index 61f16765db58..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/krb.c - fuzzing harness for miscellaneous libkrb5 functions */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 512
-
-#define ANAME_SZ 40
-#define INST_SZ 40
-#define REALM_SZ 40
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-static void
-fuzz_deltat(char *data_in)
-{
- krb5_deltat result;
- krb5_string_to_deltat(data_in, &result);
-}
-
-static void
-fuzz_host_string(char *data_in)
-{
- krb5_error_code ret;
- char *host;
- int port = -1;
-
- ret = k5_parse_host_string(data_in, 0, &host, &port);
- if (!ret)
- free(host);
-}
-
-static void
-fuzz_princ(krb5_context context, char *data_in)
-{
- krb5_error_code ret;
- krb5_principal p;
- char *princ;
-
- ret = krb5_parse_name(context, data_in, &p);
- if (ret)
- return;
-
- ret = krb5_unparse_name(context, p, &princ);
- if (!ret)
- free(princ);
-
- krb5_free_principal(context, p);
-}
-
-static void
-fuzz_principal_425(krb5_context context, char *data_in)
-{
- krb5_principal princ;
- krb5_425_conv_principal(context, data_in, data_in, data_in, &princ);
- krb5_free_principal(context, princ);
-}
-
-static void
-fuzz_principal_524(krb5_context context, char *data_in)
-{
- krb5_error_code ret;
- krb5_principal princ = 0;
- char aname[ANAME_SZ + 1], inst[INST_SZ + 1], realm[REALM_SZ + 1];
-
- aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
-
- ret = krb5_parse_name(context, data_in, &princ);
- if (ret)
- return;
-
- krb5_524_conv_principal(context, princ, aname, inst, realm);
- krb5_free_principal(context, princ);
-}
-
-static void
-fuzz_timestamp(char *data_in)
-{
- krb5_error_code ret;
- krb5_timestamp timestamp;
-
- ret = krb5_string_to_timestamp(data_in, ×tamp);
- if (!ret)
- ts2tt(timestamp);
-}
-
-/*
- * data_in is going to be modified during parsing.
- */
-static void
-fuzz_enctype_list(char *data_in)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_enctype *ienc, zero = 0;
-
- ret = krb5_init_context(&context);
- if (ret)
- return;
-
- ret = krb5int_parse_enctype_list(context, "", data_in, &zero, &ienc);
- if (!ret)
- free(ienc);
-
- krb5_free_context(context);
-}
-
-extern int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_context context = NULL;
- char *data_in;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
- data_in = k5memdup0(data, size, &ret);
- if (ret)
- goto cleanup;
-
- fuzz_deltat(data_in);
- fuzz_host_string(data_in);
- fuzz_princ(context, data_in);
- fuzz_principal_425(context, data_in);
- fuzz_principal_524(context, data_in);
- fuzz_timestamp(data_in);
- fuzz_enctype_list(data_in);
-
- free(data_in);
-
-cleanup:
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket.c b/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket.c
deleted file mode 100644
index 0b541f444c61..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_krb5_ticket.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for krb5_decode_ticket.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <krb5.h>
-#include <string.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 2048
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_context context = NULL;
- krb5_keytab defkt = NULL;
- krb5_data data_in, *data_out;
- krb5_ticket *ticket = NULL;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = make_data((void *)data, size);
-
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
- ret = krb5_kt_default(context, &defkt);
- if (ret)
- goto cleanup;
-
- ret = krb5_decode_ticket(&data_in, &ticket);
- if (ret)
- goto cleanup;
-
- ret = encode_krb5_ticket(ticket, &data_out);
- if (!ret)
- krb5_free_data(context, data_out);
-
- krb5_server_decrypt_ticket_keytab(context, defkt, ticket);
-
-cleanup:
- krb5_free_ticket(context, ticket);
- if (defkt != NULL)
- krb5_kt_close(context, defkt);
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin
Binary files differ
deleted file mode 100644
index 645576f0014b..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin
Binary files differ
deleted file mode 100644
index 19877645ffa7..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/deltat.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/deltat.bin
deleted file mode 100644
index eaca6be22cc5..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/deltat.bin
+++ /dev/null
@@ -1 +0,0 @@
--35791394m-9s
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_1.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_1.bin
deleted file mode 100644
index 47fb41b9bfe5..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_1.bin
+++ /dev/null
@@ -1 +0,0 @@
-default -aes128-cts -des-hmac-sha1
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_2.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_2.bin
deleted file mode 100644
index 8c5071abdf53..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_2.bin
+++ /dev/null
@@ -1 +0,0 @@
-aes des3-cbc-sha1-kd
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_3.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_3.bin
deleted file mode 100644
index ac635ee6a3b3..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_3.bin
+++ /dev/null
@@ -1 +0,0 @@
-camellia -camellia256-cts-cmac
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_4.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_4.bin
deleted file mode 100644
index 4ddee4c5304a..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_4.bin
+++ /dev/null
@@ -1 +0,0 @@
-DEFAULT +aes -arcfour-hmac-md5
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_5.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_5.bin
deleted file mode 100644
index 5892bca7f482..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_5.bin
+++ /dev/null
@@ -1 +0,0 @@
-DEFAULT -des3 rc4-hmac rc4-hmac-exp
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_6.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_6.bin
deleted file mode 100644
index 6501ba6fef23..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_6.bin
+++ /dev/null
@@ -1 +0,0 @@
-des3 +DEFAULT
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_7.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_7.bin
deleted file mode 100644
index 09d89bf33e3c..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_7.bin
+++ /dev/null
@@ -1 +0,0 @@
-aes +rc4 -DEFaulT des3-hmac-sha1
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_11.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_11.bin
deleted file mode 100644
index 6a1a02e57042..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_11.bin
+++ /dev/null
@@ -1 +0,0 @@
-70000
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_12.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_12.bin
deleted file mode 100644
index fe9049d24605..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_12.bin
+++ /dev/null
@@ -1 +0,0 @@
-test.example:F101
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_2.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_2.bin
deleted file mode 100644
index 3fc5c1775c10..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_2.bin
+++ /dev/null
@@ -1 +0,0 @@
-192.168.1.1
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_4.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_4.bin
deleted file mode 100644
index 9ca257a84aae..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_4.bin
+++ /dev/null
@@ -1 +0,0 @@
-[BEEF:CAFE:FEED:FACE:DEAD:BEEF:DEAF:BABE]
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_5.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_5.bin
deleted file mode 100644
index 3081d9b01a61..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_5.bin
+++ /dev/null
@@ -1 +0,0 @@
-[BEEF:CAFE:FEED:FACE:DEAD:BEEF:DEAF:BABE]:250
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_8.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_8.bin
deleted file mode 100644
index 4fef47ce34b1..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_8.bin
+++ /dev/null
@@ -1 +0,0 @@
-:300
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_9.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_9.bin
deleted file mode 100644
index 0dbf139f8d1a..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_9.bin
+++ /dev/null
@@ -1 +0,0 @@
-350
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/parse_name.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/parse_name.bin
deleted file mode 100644
index 2cfb7c29b5dc..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/parse_name.bin
+++ /dev/null
@@ -1 +0,0 @@
-lha@SU.SE
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/principal_425_name.bin b/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/principal_425_name.bin
deleted file mode 100644
index 1f0e72453f70..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_krb_seed_corpus/principal_425_name.bin
+++ /dev/null
@@ -1 +0,0 @@
-kadmin
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred.c b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred.c
deleted file mode 100644
index 07b130a839bb..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_marshal_cred.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for k5_unmarshal_cred.
- */
-
-#include "autoconf.h"
-#include <cc-int.h>
-
-#define FIRST_VERSION 1
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_creds cred;
- int version;
- struct k5buf buf;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- for (version = FIRST_VERSION; version <= 4; version++) {
- ret = k5_unmarshal_cred(data, size, version, &cred);
- if (!ret) {
- k5_buf_init_dynamic(&buf);
- k5_marshal_cred(&buf, version, &cred);
- k5_buf_free(&buf);
- }
-
- krb5_free_cred_contents(NULL, &cred);
- }
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin
Binary files differ
deleted file mode 100644
index 829e71fdc28c..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin
Binary files differ
deleted file mode 100644
index 194215ee37a2..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin
Binary files differ
deleted file mode 100644
index 2c9a95cfdb8f..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin
Binary files differ
deleted file mode 100644
index f2c350d7b68d..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin
Binary files differ
deleted file mode 100644
index 7e4a9da1531c..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin
Binary files differ
deleted file mode 100644
index e1fc4dfbbcd2..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ.c b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ.c
deleted file mode 100644
index b41fd626944d..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_marshal_princ.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for k5_unmarshal_princ.
- */
-
-#include "autoconf.h"
-#include <cc-int.h>
-
-#define FIRST_VERSION 1
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_principal princ;
- int version;
- struct k5buf buf;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- for (version = FIRST_VERSION; version <= 4; version++) {
- ret = k5_unmarshal_princ(data, size, version, &princ);
- if (!ret) {
- k5_buf_init_dynamic(&buf);
- k5_marshal_princ(&buf, version, princ);
- k5_buf_free(&buf);
- }
-
- krb5_free_principal(NULL, princ);
- }
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin
Binary files differ
deleted file mode 100644
index f6f1af038e1d..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin
Binary files differ
deleted file mode 100644
index fb55f77d05fe..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin b/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin
Binary files differ
deleted file mode 100644
index 0259f34c7523..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_ndr.c b/crypto/krb5/src/tests/fuzzing/fuzz_ndr.c
deleted file mode 100644
index 7692bace72e2..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_ndr.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_ndr.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for ndr_dec_delegation_info.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <kdc_util.h>
-
-#include <ndr.c>
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_data data_in, data_out = empty_data();
- struct pac_s4u_delegation_info *di;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = make_data((void *)data, size);
-
- ret = ndr_dec_delegation_info(&data_in, &di);
- if (!ret)
- (void)ndr_enc_delegation_info(di, &data_out);
-
- ndr_free_delegation_info(di);
- krb5_free_data_contents(NULL, &data_out);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin b/crypto/krb5/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin
Binary files differ
deleted file mode 100644
index 9c0e718f0d82..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin b/crypto/krb5/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin
Binary files differ
deleted file mode 100644
index 444bc46ba6d6..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid.c b/crypto/krb5/src/tests/fuzzing/fuzz_oid.c
deleted file mode 100644
index d397d4861087..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_oid.c - fuzzing harness for GSS OID conversions */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <gssapi/gssapi_krb5.h>
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- OM_uint32 minor;
- gss_buffer_desc buf;
- gss_OID oid;
- gss_OID_desc oid_desc;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- oid_desc.elements = (void *)data;
- oid_desc.length = size;
-
- gss_oid_to_str(&minor, &oid_desc, &buf);
- gss_release_buffer(&minor, &buf);
-
- buf.value = (void *)data;
- buf.length = size;
-
- gss_str_to_oid(&minor, &buf, &oid);
- gss_release_oid(&minor, &oid);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_19.bin b/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_19.bin
deleted file mode 100644
index 16e0e90df089..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_19.bin
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_20.bin b/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_20.bin
Binary files differdeleted file mode 100644
index 8b040ead36e9..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_20.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_21.bin b/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_21.bin
Binary files differdeleted file mode 100644
index 6b58abecd6cd..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_21.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_22.bin b/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_22.bin
Binary files differdeleted file mode 100644
index 09f370e38f49..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_22.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_24.bin b/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_24.bin
Binary files differdeleted file mode 100644
index 8fdfd1779b7e..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_24.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_8.bin b/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_8.bin
deleted file mode 100644
index 091299428a98..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_8.bin
+++ /dev/null
@@ -1 +0,0 @@
-*†H†÷
\ No newline at end of file
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_pac.c b/crypto/krb5/src/tests/fuzzing/fuzz_pac.c
deleted file mode 100644
index 38488420eb67..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_pac.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_pac.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for krb5_pac_parse.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-
-#define U(x) (uint8_t *)x
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-static const krb5_keyblock kdc_keyblock = {
- 0, ENCTYPE_ARCFOUR_HMAC,
- 16, U("\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7")
-};
-
-static const krb5_keyblock member_keyblock = {
- 0, ENCTYPE_ARCFOUR_HMAC,
- 16, U("\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC")
-};
-
-static time_t authtime = 1120440609;
-static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL";
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- krb5_context context = NULL;
- krb5_pac pac;
- krb5_principal princ = NULL;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
- ret = krb5_parse_name(context, user, &princ);
- if (ret)
- goto cleanup;
-
- ret = krb5_pac_parse(context, data, size, &pac);
- if (ret)
- goto cleanup;
-
- krb5_pac_verify(context, pac, authtime, princ, NULL, NULL);
- krb5_pac_verify_ext(context, pac, authtime, princ, NULL, NULL, TRUE);
- krb5_pac_verify(context, pac, authtime, princ, &member_keyblock,
- &kdc_keyblock);
-
- krb5_pac_free(context, pac);
-
-cleanup:
- krb5_free_principal(context, princ);
- krb5_free_context(context);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin b/crypto/krb5/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin
Binary files differdeleted file mode 100644
index c16319417396..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin b/crypto/krb5/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin
Binary files differdeleted file mode 100644
index 6336bef5fb04..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin
+++ /dev/null
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile.c b/crypto/krb5/src/tests/fuzzing/fuzz_profile.c
deleted file mode 100644
index e62decf7b79d..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_profile.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for profile_parse_file.
- */
-
-#include "autoconf.h"
-#include <prof_int.h>
-
-void dump_profile(struct profile_node *root, int level);
-
-#define kMinInputLength 2
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- errcode_t ret;
- FILE *fp_w, *fp_r;
- char file_name[256], *output;
- struct profile_node *root;
-
- if (size < kMinInputLength || size > kMaxInputLength)
- return 0;
-
- snprintf(file_name, sizeof(file_name), "/tmp/libfuzzer.%d", getpid());
-
- /* Write data into the file. */
- fp_w = fopen(file_name, "w");
- if (!fp_w)
- return 1;
- fwrite(data, 1, size, fp_w);
- fclose(fp_w);
-
- /* Provide the file pointer to the parser. */
- fp_r = fopen(file_name, "r");
- if (!fp_r)
- return 1;
-
- initialize_prof_error_table();
-
- ret = profile_parse_file(fp_r, &root, NULL);
- if (!ret) {
- ret = profile_write_tree_to_buffer(root, &output);
- if (!ret)
- free(output);
-
- profile_verify_node(root);
- profile_free_node(root);
- }
-
- fclose(fp_r);
- unlink(file_name);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini
deleted file mode 100644
index 827ec25dcad6..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-# In this variant the relation is marked final.
-[section]
- subsection = {
- key* = value2
- }
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini
deleted file mode 100644
index dcf0ca96a82f..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-# In this variant the subsection is marked final via a '*' at the end
-# of the tag name.
-[section]
- subsection* = {
- key = value3
- }
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini
deleted file mode 100644
index dcba07845994..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-# In this variant the subsection is marked final via a '*' after the
-# closing brace.
-[section]
- subsection = {
- key = value4
- }*
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini
deleted file mode 100644
index 58cd57d3fc3e..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-# In this variant the top-level section is marked final.
-[section]*
- subsection = {
- key = value5
- }
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf
deleted file mode 100644
index 7ef0971d6d19..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf
+++ /dev/null
@@ -1 +0,0 @@
-module /home/dark/Desktop/krb5/src/util/profile/testmod/proftest.so-nobuild:teststring
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini
deleted file mode 100644
index 97f524a95a8c..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[section]
- var = value
-
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini
deleted file mode 100644
index 31136f3692ac..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[sec1]
-var = {
-a = 1
-include testinc2.ini
-c = 3
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini b/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini
deleted file mode 100644
index 35ea95fa5576..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[sec2]
-b = 2
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_util.c b/crypto/krb5/src/tests/fuzzing/fuzz_util.c
deleted file mode 100644
index 91641ad1cb53..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_util.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/fuzzing/fuzz_util.c */
-/*
- * Copyright (C) 2024 by Arjun. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Fuzzing harness implementation for k5_base64_decode, k5_hex_decode
- * krb5_parse_name and k5_parse_host_string.
- */
-
-#include "autoconf.h"
-#include <k5-int.h>
-#include <k5-base64.h>
-#include <k5-hex.h>
-#include <string.h>
-#include <k5-utf8.h>
-
-#include <hashtab.c>
-
-#define kMinInputLength 2
-#define kMaxInputLength 256
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-static void
-fuzz_base64(const char *data_in, size_t size)
-{
- size_t len;
-
- free(k5_base64_encode(data_in, size));
- free(k5_base64_decode(data_in, &len));
-}
-
-static void
-fuzz_hashtab(const char *data_in, size_t size)
-{
- int st;
- struct k5_hashtab *ht;
-
- k5_hashtab_create(NULL, 4, &ht);
- if (ht == NULL)
- return;
-
- k5_hashtab_add(ht, data_in, size, &st);
-
- k5_hashtab_free(ht);
-}
-
-static void
-fuzz_hex(const char *data_in, size_t size)
-{
- char *hex;
- uint8_t *bytes;
- size_t len;
-
- if (k5_hex_encode(data_in, size, 0, &hex) == 0)
- free(hex);
-
- if (k5_hex_encode(data_in, size, 1, &hex) == 0)
- free(hex);
-
- if (k5_hex_decode(data_in, &bytes, &len) == 0)
- free(bytes);
-}
-
-static void
-fuzz_name(const char *data_in, size_t size)
-{
- krb5_context context;
- krb5_principal fuzzing;
-
- if (krb5_init_context(&context) != 0)
- return;
-
- krb5_parse_name(context, data_in, &fuzzing);
-
- krb5_free_principal(context, fuzzing);
- krb5_free_context(context);
-}
-
-static void
-fuzz_parse_host(const char *data_in, size_t size)
-{
- char *host_out = NULL;
- int port_out = -1;
-
- if (k5_parse_host_string(data_in, 1, &host_out, &port_out) == 0)
- free(host_out);
-}
-
-static void
-fuzz_utf8(const char *data_in, size_t size)
-{
- krb5_ucs4 u = 0;
- char *utf8;
- uint8_t *utf16;
- size_t utf16len;
-
- krb5int_utf8_to_ucs4(data_in, &u);
-
- k5_utf8_to_utf16le(data_in, &utf16, &utf16len);
- if (utf16 != NULL)
- free(utf16);
-
- k5_utf16le_to_utf8((const uint8_t *)data_in, size, &utf8);
- if (utf8 != NULL)
- free(utf8);
-}
-
-extern int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
-{
- krb5_error_code ret;
- char *data_in;
-
- if (size <
kMinInputLength || size > kMaxInputLength)
- return 0;
-
- data_in = k5memdup0(data, size, &ret);
- if (data_in == NULL)
- return 0;
-
- fuzz_base64(data_in, size);
- fuzz_hashtab(data_in, size);
- fuzz_hex(data_in, size);
- fuzz_name(data_in, size);
- fuzz_parse_host(data_in, size);
- fuzz_utf8(data_in, size);
-
- free(data_in);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt b/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt
deleted file mode 100644
index 68c422c56277..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt
+++ /dev/null
@@ -1 +0,0 @@
-YWJjOmRlZg==
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt b/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt
deleted file mode 100644
index c747d34aa6d4..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt
+++ /dev/null
@@ -1 +0,0 @@
-3031323334353637
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt b/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt
deleted file mode 100644
index b3968327c673..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt
+++ /dev/null
@@ -1 +0,0 @@
-test.example:75
diff --git a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt b/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt
deleted file mode 100644
index db95221bdc9f..000000000000
--- a/crypto/krb5/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt
+++ /dev/null
@@ -1 +0,0 @@
-/b@R
diff --git a/crypto/krb5/src/tests/fuzzing/oss-fuzz.sh b/crypto/krb5/src/tests/fuzzing/oss-fuzz.sh
deleted file mode 100644
index b01d4bcbd22a..000000000000
--- a/crypto/krb5/src/tests/fuzzing/oss-fuzz.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash -eu
-
-# This script plays the role of build.sh in OSS-Fuzz. If only minor
-# changes are required such as changing the fuzzing targets, a PR in
-# the OSS-Fuzz repository is not needed and they can be done here.
-
-# Compile krb5 for oss-fuzz.
-pushd src/
-autoreconf
-./configure CFLAGS="-fcommon $CFLAGS" CXXFLAGS="-fcommon $CXXFLAGS" \
- --enable-static --disable-shared --enable-ossfuzz
-make
-popd
-
-# Copy fuzz targets and seed corpus to $OUT.
-pushd src/tests/fuzzing
-
-fuzzers=("fuzz_aes" "fuzz_asn" "fuzz_attrset" "fuzz_chpw" "fuzz_crypto"
- "fuzz_des" "fuzz_gss" "fuzz_json" "fuzz_kdc" "fuzz_krad" "fuzz_krb"
- "fuzz_krb5_ticket" "fuzz_marshal_cred" "fuzz_marshal_princ"
- "fuzz_ndr" "fuzz_oid" "fuzz_pac" "fuzz_profile" "fuzz_util")
-
-for fuzzer in "${fuzzers[@]}"; do
- cp "$fuzzer" "$OUT/$fuzzer"
- zip -r "${OUT}/${fuzzer}_seed_corpus.zip" "${fuzzer}_seed_corpus"
-done
-
-popd
diff --git a/crypto/krb5/src/tests/gcred.c b/crypto/krb5/src/tests/gcred.c
deleted file mode 100644
index 1efb9339f0fc..000000000000
--- a/crypto/krb5/src/tests/gcred.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gcred.c - Test harness for referrals */
-/*
- * Copyright (C) 2012 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This program is intended to be run from a python script as:
- *
- * gcred [-f] [-t] nametype princname
- *
- * where nametype is one of "unknown", "principal", "srv-inst", and "srv-hst",
- * and princname is the name of the service principal. gcred acquires
- * credentials for the specified server principal.
On success, gcred displays
- * the server principal name of the obtained credentials to stdout and exits
- * with status 0. On failure, gcred displays the error message for the failed
- * operation to stderr and exits with status 1.
- *
- * The -f and -t flags set the KRB5_GC_FORWARDABLE and KRB5_GC_NO_TRANSIT_CHECK
- * options respectively.
- */
-
-#include "k5-int.h"
-
-static krb5_context ctx;
-
-static void
-check(krb5_error_code code)
-{
- const char *errmsg;
-
- if (code) {
- errmsg = krb5_get_error_message(ctx, code);
- fprintf(stderr, "%s\n", errmsg);
- krb5_free_error_message(ctx, errmsg);
- exit(1);
- }
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_principal client, server;
- krb5_ccache ccache;
- krb5_creds in_creds, *creds;
- krb5_ticket *ticket;
- krb5_flags options = 0;
- char *name;
- int c;
-
- check(krb5_init_context(&ctx));
-
- while ((c = getopt(argc, argv, "ft")) != -1) {
- switch (c) {
- case 'f':
- options |= KRB5_GC_FORWARDABLE;
- break;
- case 't':
- options |= KRB5_GC_NO_TRANSIT_CHECK;
- break;
- default:
- abort();
- }
- }
- argc -= optind;
- argv += optind;
- assert(argc == 2);
- check(krb5_parse_name(ctx, argv[1], &server));
- if (strcmp(argv[0], "unknown") == 0)
- server->type = KRB5_NT_UNKNOWN;
- else if (strcmp(argv[0], "principal") == 0)
- server->type = KRB5_NT_PRINCIPAL;
- else if (strcmp(argv[0], "srv-inst") == 0)
- server->type = KRB5_NT_SRV_INST;
- else if (strcmp(argv[0], "srv-hst") == 0)
- server->type = KRB5_NT_SRV_HST;
- else
- abort();
-
- check(krb5_cc_default(ctx, &ccache));
- check(krb5_cc_get_principal(ctx, ccache, &client));
- memset(&in_creds, 0, sizeof(in_creds));
- in_creds.client = client;
- in_creds.server = server;
- check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds));
- check(krb5_decode_ticket(&creds->ticket, &ticket));
- check(krb5_unparse_name(ctx, ticket->server, &name));
- printf("%s\n", name);
-
- krb5_free_ticket(ctx, ticket);
- krb5_free_unparsed_name(ctx, name);
-
krb5_free_creds(ctx, creds);
- krb5_free_principal(ctx, client);
- krb5_free_principal(ctx, server);
- krb5_cc_close(ctx, ccache);
- krb5_free_context(ctx);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gss-threads/Makefile.in b/crypto/krb5/src/tests/gss-threads/Makefile.in
deleted file mode 100644
index fe2f33b743b2..000000000000
--- a/crypto/krb5/src/tests/gss-threads/Makefile.in
+++ /dev/null
@@ -1,34 +0,0 @@
-# Derived from appl/gss-sample, January 2005.
-
-mydir=tests$(S)gss-threads
-BUILDTOP=$(REL)..$(S)..
-DEFINES = -DUSE_AUTOCONF_H -DGSSAPI_V2
-PTHREAD_LIBS=@PTHREAD_LIBS@
-
-SRCS= $(srcdir)/gss-client.c $(srcdir)/gss-misc.c $(srcdir)/gss-server.c
-
-OBJS= gss-client.o gss-misc.o gss-server.o
-
-all-unix: all-unix-@THREAD_SUPPORT@
-all-unix-1: gss-server gss-client
-all-unix-0:
-all-windows: $(OUTPRE)gss-server.exe $(OUTPRE)gss-client.exe
-
-gss-server: gss-server.o gss-misc.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) $(PTHREAD_CFLAGS) -o gss-server gss-server.o gss-misc.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-gss-client: gss-client.o gss-misc.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) $(PTHREAD_CFLAGS) -o gss-client gss-client.o gss-misc.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-$(OUTPRE)gss-server.exe: $(OUTPRE)gss-server.obj $(OUTPRE)gss-misc.obj $(GLIB) $(KLIB)
- link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib
-
-$(OUTPRE)gss-client.exe: $(OUTPRE)gss-client.obj $(OUTPRE)gss-misc.obj $(GLIB) $(KLIB)
- link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib
-
-clean-unix::
- $(RM) gss-server gss-client
-
-install-unix:
-# $(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-tclient
-# $(INSTALL_PROGRAM) gss-server $(DESTDIR)$(SERVER_BINDIR)/gss-tserver
diff --git a/crypto/krb5/src/tests/gss-threads/README b/crypto/krb5/src/tests/gss-threads/README
deleted file mode 100644
index f555b3e3a573..000000000000
--- a/crypto/krb5/src/tests/gss-threads/README
+++ /dev/null
@@ -1,165 +0,0 @@
-[Out of date; needs updating for thread safety test support. -- KR 2005-02-09]
-
-# Copyright 1993 by OpenVision Technologies, Inc.
-#
-# Permission to use, copy, modify, distribute, and sell this software
-# and its documentation for any purpose is hereby granted without fee,
-# provided that the above copyright notice appears in all copies and
-# that both that copyright notice and this permission notice appear in
-# supporting documentation, and that the name of OpenVision not be used
-# in advertising or publicity pertaining to distribution of the software
-# without specific, written prior permission. OpenVision makes no
-# representations about the suitability of this software for any
-# purpose. It is provided "as is" without express or implied warranty.
-#
-# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
-# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
-# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
-# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
-# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-This directory contains a sample GSS-API client and server
-application. In addition to serving as an example of GSS-API
-programming, this application is also intended to be a tool for
-testing the performance of GSS-API implementations.
-
-Each time the client is invoked, it performs one or more exchanges
-with the server. Each exchange with the server consists primarily of
-the following steps:
-
- 1. A TCP/IP connection is established.
-
- 2. (optional, on by default) The client and server establish a
- GSS-API context, and the server prints the identify of the
- client.
-
- / 3. The client sends a message to the server. The message may
- / be plaintext, cryptographically "signed" but not encrypted,
- | or encrypted (default).
- |
-0 or | 4. The server decrypts the message (if necessary), verifies
-more | its signature (if there is one) and prints it.
-times|
- | 5. The server sends either a signature block (the default) or an
- | empty token back to the client to acknowledge the message.
- \
- \ 6. If the server sent a signature block, the client verifies
- it and prints a message indicating that it was verified.
-
- 7. The client sends an empty block to the server to tell it
- that the exchange is finished.
-
- 8. The client and server close the TCP/IP connection and
- destroy the GSS-API context.
-
-The client also supports the -v1 flag which uses an older exchange
-format compatible with previous releases of Kerberos and with samples
-shipped in the Microsoft SDK.
-
-The server's command line usage is
-
- gss-server [-port port] [-verbose] [-once] [-inetd] [-export]
- [-logfile file] service_name
-
-where service_name is a GSS-API service name of the form
-"service@host" (or just "service", in which case the local host name
-is used). The command-line options have the following meanings:
-
--port The TCP port on which to accept connections. Default is 4444.
-
--once Tells the server to exit after a single exchange, rather than
- persisting.
-
--inetd Tells the server that it is running out of inetd, so it should
- interact with the client on stdin rather than binding to a
- network port. Implies "-once".
-
--export Tells the server to test the gss_export_sec_context function
- after establishing a context with a client.
-
--logfile
- The file to which the server should append its output, rather
- than sending it to stdout.
-
-The client's command line usage is
-
- gss-client [-port port] [-mech mechanism] [-d] [-f] [-q]
- [-seq] [-noreplay] [-nomutual]
- [-ccount count] [-mcount count] [-na] [-nw] [-nx] [-nm]
- host service_name msg
-
-where host is the host running the server, service_name is the service
-name that the server will establish connections as (if you don't
-specify the host name in the service name when running gss-server, and
-it's running on a different machine from gss-client, make sure to
-specify the server's host name in the service name you specify to
-gss-client!) and msg is the message. The command-line options have
-the following meanings:
-
--port The TCP port to which to connect. Default is 4444.
-
--mech The OID of the GSS-API mechanism to use.
-
--d Tells the client to delegate credentials to the server. For
- the Kerberos GSS-API mechanism, this means that a forwardable
- TGT will be sent to the server, which will put it in its
- credential cache (you must have acquired your tickets with
- "kinit -f" for this to work).
-
--seq Tells the client to enforce ordered message delivery via
- sequencing.
-
--noreplay Tells the client to disable the use of replay
- detection.
-
--nomutual Tells the client to disable the use of mutual authentication.
-
--f Tells the client that the "msg" argument is actually the name
- of a file whose contents should be used as the message.
-
--q Tells the client to be quiet, i.e., to only print error
- messages.
-
--ccount Specifies how many sessions the client should initiate with
- the server (the "connection count").
-
--mcount Specifies how many times the message should be sent to the
- server in each session (the "message count").
-
--na Tells the client not to do any authentication with the
- server. Implies "-nw", "-nx" and "-nm".
-
--nw Tells the client not to "wrap" messages. Implies "-nx".
-
--nx Tells the client not to encrypt messages.
-
--nm Tells the client not to ask the server to send back a
- cryptographic checksum ("MIC").
-
-To run the server on a host, you need to make sure that the principal
-corresponding to service_name is in the default keytab on the server
-host, and that the gss-server process can read the keytab. For
-example, the service name "host@server" corresponds to the Kerberos
-principal "host/server.domain.com@REALM".
-
-This sample application uses the following GSS-API functions:
-
- gss_accept_sec_context gss_inquire_names_for_mech
- gss_acquire_cred gss_oid_to_str
- gss_delete_sec_context gss_release_buffer
- gss_display_name gss_release_cred
- gss_display_status gss_release_name
- gss_export_sec_context gss_release_oid
- gss_get_mic gss_release_oid_set
- gss_import_name gss_str_to_oid
- gss_import_sec_context gss_unwrap
- gss_init_sec_context gss_verify_mic
- gss_inquire_context gss_wrap
-
-This application was originally written by Barry Jaspan of OpenVision
-Technologies, Inc. It was updated significantly by Jonathan Kamens of
-OpenVision Technologies, Inc.
-
-$Id$
diff --git a/crypto/krb5/src/tests/gss-threads/deps b/crypto/krb5/src/tests/gss-threads/deps
deleted file mode 100644
index e1c17a0604b7..000000000000
--- a/crypto/krb5/src/tests/gss-threads/deps
+++ /dev/null
@@ -1,15 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)gss-client.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \ - $(top_srcdir)/include/fake-addrinfo.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h gss-client.c gss-misc.h -$(OUTPRE)gss-misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ - gss-misc.c gss-misc.h -$(OUTPRE)gss-server.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_generic.h \ - $(top_srcdir)/include/port-sockets.h gss-misc.h gss-server.c diff --git a/crypto/krb5/src/tests/gss-threads/gss-client.c b/crypto/krb5/src/tests/gss-threads/gss-client.c deleted file mode 100644 index 8c006c291561..000000000000 --- a/crypto/krb5/src/tests/gss-threads/gss-client.c +++ /dev/null 
@@ -1,865 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ -/* - * Copyright (C) 2003, 2004, 2008 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. 
- * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "k5-platform.h" -#ifdef _WIN32 -#include <windows.h> -#include <winsock.h> -#else -#include <unistd.h> -#include <ctype.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <netdb.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <pthread.h> -#endif - -#include <gssapi/gssapi_generic.h> -#include "gss-misc.h" -#include "port-sockets.h" -#include "fake-addrinfo.h" - -static int verbose = 1; - -static void -usage(void) -{ - fprintf(stderr, "Usage: gss-client [-port port] [-mech mechanism] [-d]\n"); - fprintf(stderr, " [-seq] [-noreplay] [-nomutual]"); - fprintf(stderr, " [-threads num]"); - fprintf(stderr, "\n"); - fprintf(stderr, " [-f] [-q] [-ccount count] [-mcount count]\n"); - fprintf(stderr, " [-v1] [-na] [-nw] [-nx] [-nm] host service msg\n"); - exit(1); -} - -/* - * Function: get_server_info - * - * Purpose: Sets up a socket address for the named host and port. 
- * - * Arguments: - * - * host (r) the target host name - * port (r) the target port, in host byte order - * - * Returns: 0 on success, or -1 on failure - * - * Effects: - * - * The host name is resolved with gethostbyname(), and "saddr" is set - * to the desired socket address. If an error occurs, an error - * message is displayed and -1 is returned. - */ -struct sockaddr_in saddr; -static int -get_server_info(char *host, u_short port) -{ - struct hostent *hp; - - hp = gethostbyname(host); - if (hp == NULL) { - fprintf(stderr, "Unknown host: %s\n", host); - return -1; - } - - saddr.sin_family = hp->h_addrtype; - memcpy(&saddr.sin_addr, hp->h_addr, sizeof(saddr.sin_addr)); - saddr.sin_port = htons(port); - return 0; -} - -/* - * Function: connect_to_server - * - * Purpose: Opens a TCP connection to the name host and port. - * - * Arguments: - * - * host (r) the target host name - * port (r) the target port, in host byte order - * - * Returns: the established socket file descriptor, or -1 on failure - * - * Effects: - * - * The host name is resolved with gethostbyname(), and the socket is - * opened and connected. If an error occurs, an error message is - * displayed and -1 is returned. 
- */ -static int -connect_to_server(void) -{ - int s; - - s = socket(AF_INET, SOCK_STREAM, 0); - if (s < 0) { - perror("creating socket"); - return -1; - } - if (connect(s, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) { - perror("connecting to server"); - (void)closesocket(s); - return -1; - } - return s; -} - -/* - * Function: client_establish_context - * - * Purpose: establishes a GSS-API context with a specified service and - * returns the context handle - * - * Arguments: - * - * s (r) an established TCP connection to the service - * service_name (r) the ASCII service name of the service - * gss_flags (r) GSS-API delegation flag (if any) - * auth_flag (r) whether to actually do authentication - * v1_format (r) whether the v1 sample protocol should be used - * oid (r) OID of the mechanism to use - * context (w) the established GSS-API context - * ret_flags (w) the returned flags from init_sec_context - * - * Returns: 0 on success, -1 on failure - * - * Effects: - * - * service_name is imported as a GSS-API name and a GSS-API context is - * established with the corresponding service; the service should be - * listening on the TCP connection s. The default GSS-API mechanism - * is used, and mutual authentication and replay detection are - * requested. - * - * If successful, the context handle is returned in context. If - * unsuccessful, the GSS-API error messages are displayed on stderr - * and -1 is returned. - */ -static int -client_establish_context(int s, char *service_name, OM_uint32 gss_flags, - int auth_flag, int v1_format, gss_OID oid, - gss_ctx_id_t *gss_context, OM_uint32 *ret_flags) -{ - if (auth_flag) { - gss_buffer_desc send_tok, recv_tok, *token_ptr; - gss_name_t target_name; - OM_uint32 maj_stat, min_stat, init_sec_min_stat; - int token_flags; - - /* - * Import the name into target_name. Use send_tok to save - * local variable space. 
- */ - send_tok.value = service_name; - send_tok.length = strlen(service_name); - maj_stat = gss_import_name(&min_stat, &send_tok, - (gss_OID)gss_nt_service_name, &target_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("parsing name", maj_stat, min_stat); - return -1; - } - - if (!v1_format) { - if (send_token(s, TOKEN_NOOP | TOKEN_CONTEXT_NEXT, - empty_token) < 0) { - (void)gss_release_name(&min_stat, &target_name); - return -1; - } - } - - /* - * Perform the context-establishement loop. - * - * On each pass through the loop, token_ptr points to the token - * to send to the server (or GSS_C_NO_BUFFER on the first pass). - * Every generated token is stored in send_tok which is then - * transmitted to the server; every received token is stored in - * recv_tok, which token_ptr is then set to, to be processed by - * the next call to gss_init_sec_context. - * - * GSS-API guarantees that send_tok's length will be non-zero - * if and only if the server is expecting another token from us, - * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if - * and only if the server has another token to send us. - */ - - token_ptr = GSS_C_NO_BUFFER; - *gss_context = GSS_C_NO_CONTEXT; - - do { - maj_stat = gss_init_sec_context(&init_sec_min_stat, - GSS_C_NO_CREDENTIAL, gss_context, - target_name, oid, gss_flags, 0, - NULL, token_ptr, NULL, &send_tok, - ret_flags, NULL); - - if (token_ptr != GSS_C_NO_BUFFER) - free(recv_tok.value); - - if (send_tok.length != 0) { - if (verbose) { - printf("Sending init_sec_context token (size=%d)...", - (int)send_tok.length); - } - if (send_token(s, v1_format ? 
0 : TOKEN_CONTEXT, - &send_tok) < 0) { - (void)gss_release_buffer(&min_stat, &send_tok); - (void)gss_release_name(&min_stat, &target_name); - if (*gss_context != GSS_C_NO_CONTEXT) { - gss_delete_sec_context(&min_stat, gss_context, - GSS_C_NO_BUFFER); - *gss_context = GSS_C_NO_CONTEXT; - } - return -1; - } - } - (void)gss_release_buffer(&min_stat, &send_tok); - - if (maj_stat != GSS_S_COMPLETE && - maj_stat != GSS_S_CONTINUE_NEEDED) { - display_status("initializing context", maj_stat, - init_sec_min_stat); - (void)gss_release_name(&min_stat, &target_name); - if (*gss_context != GSS_C_NO_CONTEXT) { - gss_delete_sec_context(&min_stat, gss_context, - GSS_C_NO_BUFFER); - } - return -1; - } - - if (maj_stat == GSS_S_CONTINUE_NEEDED) { - if (verbose) - printf("continue needed..."); - if (recv_token(s, &token_flags, &recv_tok) < 0) { - (void)gss_release_name(&min_stat, &target_name); - return -1; - } - token_ptr = &recv_tok; - } - if (verbose) - printf("\n"); - } while (maj_stat == GSS_S_CONTINUE_NEEDED); - - (void)gss_release_name(&min_stat, &target_name); - } else if (send_token(s, TOKEN_NOOP, empty_token) < 0) { - return -1; - } - - return 0; -} - -static void -read_file(char *file_name, gss_buffer_t in_buf) -{ - int fd, count; - struct stat stat_buf; - - fd = open(file_name, O_RDONLY, 0); - if (fd < 0) { - perror("open"); - fprintf(stderr, "Couldn't open file %s\n", file_name); - exit(2); - } - if (fstat(fd, &stat_buf) < 0) { - perror("fstat"); - exit(3); - } - in_buf->length = stat_buf.st_size; - - if (in_buf->length == 0) { - in_buf->value = NULL; - return; - } - - in_buf->value = malloc(in_buf->length); - if (in_buf->value == NULL) { - fprintf(stderr, "Couldn't allocate %d byte buffer for reading file\n", - (int)in_buf->length); - exit(4); - } - - /* This code used to check for incomplete reads, but you can't get - * an incomplete read on any file for which fstat() is meaningful. 
*/ - - count = read(fd, in_buf->value, in_buf->length); - if (count < 0) { - perror("read"); - exit(5); - } - if ((size_t)count < in_buf->length) { - fprintf(stderr, "Warning, only read in %d bytes, expected %d\n", - count, (int)in_buf->length); - } -} - -/* - * Function: call_server - * - * Purpose: Call the "sign" service. - * - * Arguments: - * - * host (r) the host providing the service - * port (r) the port to connect to on host - * service_name (r) the GSS-API service name to authenticate to - * gss_flags (r) GSS-API delegation flag (if any) - * auth_flag (r) whether to do authentication - * wrap_flag (r) whether to do message wrapping at all - * encrypt_flag (r) whether to do encryption while wrapping - * mic_flag (r) whether to request a MIC from the server - * msg (r) the message to have "signed" - * use_file (r) whether to treat msg as an input file name - * mcount (r) the number of times to send the message - * - * Returns: 0 on success, -1 on failure - * - * Effects: - * - * call_server opens a TCP connection to <host:port> and establishes a - * GSS-API context with service_name over the connection. It then - * seals msg in a GSS-API token with gss_wrap, sends it to the server, - * reads back a GSS-API signature block for msg from the server, and - * verifies it with gss_verify. -1 is returned if any step fails, - * otherwise 0 is returned. - */ -static int -call_server(char *host, u_short port, gss_OID oid, char *service_name, - OM_uint32 gss_flags, int auth_flag, int wrap_flag, - int encrypt_flag, int mic_flag, int v1_format, char *msg, - int use_file, size_t mcount) -{ - gss_ctx_id_t context; - gss_buffer_desc in_buf, out_buf, sname, tname, oid_name; - int s, state, is_local, is_open, flags, token_flags; - OM_uint32 ret_flags, maj_stat, min_stat, lifetime, context_flags; - gss_name_t src_name, targ_name; - gss_OID mechanism, name_type; - gss_qop_t qop_state; - gss_OID_set mech_names; - size_t i; - - /* Open connection. 
*/ - s = connect_to_server(); - if (s < 0) - return -1; - - /* Establish context. */ - if (client_establish_context(s, service_name, gss_flags, auth_flag, - v1_format, oid, &context, &ret_flags) < 0) { - (void)closesocket(s); - return -1; - } - - if (auth_flag && verbose) { - /* Display the flags. */ - display_ctx_flags(ret_flags); - - /* Get context information. */ - maj_stat = gss_inquire_context(&min_stat, context, &src_name, - &targ_name, &lifetime, &mechanism, - &context_flags, &is_local, &is_open); - if (maj_stat != GSS_S_COMPLETE) { - display_status("inquiring context", maj_stat, min_stat); - return -1; - } - - maj_stat = gss_display_name(&min_stat, src_name, &sname, &name_type); - if (maj_stat != GSS_S_COMPLETE) { - display_status("displaying source name", maj_stat, min_stat); - return -1; - } - maj_stat = gss_display_name(&min_stat, targ_name, &tname, NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("displaying target name", maj_stat, min_stat); - return -1; - } - printf("\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n", - (int)sname.length, (char *)sname.value, - (int)tname.length, (char *)tname.value, lifetime, context_flags, - is_local ? "locally initiated" : "remotely initiated", - is_open ? "open" : "closed"); - - (void)gss_release_name(&min_stat, &src_name); - (void)gss_release_name(&min_stat, &targ_name); - (void)gss_release_buffer(&min_stat, &sname); - (void)gss_release_buffer(&min_stat, &tname); - - maj_stat = gss_oid_to_str(&min_stat, name_type, &oid_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("converting oid->string", maj_stat, min_stat); - return -1; - } - printf("Name type of source name is %.*s.\n", (int)oid_name.length, - (char *)oid_name.value); - (void)gss_release_buffer(&min_stat, &oid_name); - - /* Now get the names supported by the mechanism. 
*/ - maj_stat = gss_inquire_names_for_mech(&min_stat, mechanism, - &mech_names); - if (maj_stat != GSS_S_COMPLETE) { - display_status("inquiring mech names", maj_stat, min_stat); - return -1; - } - - maj_stat = gss_oid_to_str(&min_stat, mechanism, &oid_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("converting oid->string", maj_stat, min_stat); - return -1; - } - printf("Mechanism %.*s supports %d names\n", (int)oid_name.length, - (char *)oid_name.value, (int)mech_names->count); - (void)gss_release_buffer(&min_stat, &oid_name); - - for (i = 0; i < mech_names->count; i++) { - maj_stat = gss_oid_to_str(&min_stat, &mech_names->elements[i], - &oid_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("converting oid->string", maj_stat, min_stat); - return -1; - } - printf(" %d: %.*s\n", (int)i, (int)oid_name.length, - (char *)oid_name.value); - - (void)gss_release_buffer(&min_stat, &oid_name); - } - (void)gss_release_oid_set(&min_stat, &mech_names); - } - - if (use_file) { - read_file(msg, &in_buf); - } else { - /* Seal the message. */ - in_buf.value = msg; - in_buf.length = strlen(msg); - } - - for (i = 0; i < mcount; i++) { - if (wrap_flag) { - maj_stat = gss_wrap(&min_stat, context, encrypt_flag, - GSS_C_QOP_DEFAULT, &in_buf, &state, &out_buf); - if (maj_stat != GSS_S_COMPLETE) { - display_status("wrapping message", maj_stat, min_stat); - (void)closesocket(s); - (void)gss_delete_sec_context(&min_stat, &context, - GSS_C_NO_BUFFER); - return -1; - } else if (encrypt_flag && !state) { - fprintf(stderr, "Warning! Message not encrypted.\n"); - } - } else { - out_buf = in_buf; - } - - /* Send to server. */ - flags = 0; - if (!v1_format) { - flags = TOKEN_DATA | (wrap_flag ? TOKEN_WRAPPED : 0) | - (encrypt_flag ? TOKEN_ENCRYPTED : 0) | - (mic_flag ? 
TOKEN_SEND_MIC : 0); - } - if (send_token(s, flags, &out_buf) < 0) { - (void)closesocket(s); - (void)gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); - return -1; - } - if (out_buf.value != in_buf.value) - (void)gss_release_buffer(&min_stat, &out_buf); - - /* Read signature block into out_buf. */ - if (recv_token(s, &token_flags, &out_buf) < 0) { - (void)closesocket(s); - (void)gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); - return -1; - } - - if (mic_flag) { - /* Verify signature block. */ - maj_stat = gss_verify_mic(&min_stat, context, &in_buf, &out_buf, - &qop_state); - if (maj_stat != GSS_S_COMPLETE) { - display_status("verifying signature", maj_stat, min_stat); - (void)closesocket(s); - (void)gss_delete_sec_context(&min_stat, &context, - GSS_C_NO_BUFFER); - return -1; - } - - if (verbose) - printf("Signature verified.\n"); - } else if (verbose) { - printf("Response received.\n"); - } - - free(out_buf.value); - } - - if (use_file) - free(in_buf.value); - - /* Send NOOP. */ - if (!v1_format) - (void)send_token(s, TOKEN_NOOP, empty_token); - - if (auth_flag) { - /* Delete context. 
*/ - maj_stat = gss_delete_sec_context(&min_stat, &context, &out_buf); - if (maj_stat != GSS_S_COMPLETE) { - display_status("deleting context", maj_stat, min_stat); - (void)closesocket(s); - (void)gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); - return -1; - } - - (void)gss_release_buffer(&min_stat, &out_buf); - } - - (void)closesocket(s); - return 0; -} - -static void -parse_oid(char *mechanism, gss_OID *oid) -{ - char *mechstr = 0, *cp; - gss_buffer_desc tok; - OM_uint32 maj_stat, min_stat; - - if (isdigit((unsigned char)mechanism[0])) { - if (asprintf(&mechstr, "{ %s }", mechanism) < 0) { - fprintf(stderr, "Couldn't allocate mechanism scratch!\n"); - return; - } - for (cp = mechstr; *cp; cp++) { - if (*cp == '.') - *cp = ' '; - } - tok.value = mechstr; - } else { - tok.value = mechanism; - } - tok.length = strlen(tok.value); - maj_stat = gss_str_to_oid(&min_stat, &tok, oid); - if (maj_stat != GSS_S_COMPLETE) { - display_status("str_to_oid", maj_stat, min_stat); - return; - } - if (mechstr) - free(mechstr); -} - -static int max_threads = 1; - -#ifdef _WIN32 -static thread_count = 0; -static HANDLE hMutex = NULL; -static HANDLE hEvent = NULL; - -void -init_handles(void) -{ - hMutex = CreateMutex(NULL, FALSE, NULL); - hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); -} - -void -cleanup_handles(void) -{ - CloseHandle(hMutex); - CloseHandle(hEvent); -} - -BOOL -wait_and_increment_thread_counter(void) -{ - for (;;) { - if (WaitForSingleObject(hMutex, INFINITE) == WAIT_OBJECT_0) { - if (thread_count < max_threads) { - thread_count++; - ReleaseMutex(hMutex); - return TRUE; - } else { - ReleaseMutex(hMutex); - - if (WaitForSingleObject(hEvent, INFINITE) == WAIT_OBJECT_0) - continue; - else - return FALSE; - } - } else { - return FALSE; - } - } -} - -BOOL -decrement_and_signal_thread_counter(void) -{ - if (WaitForSingleObject(hMutex, INFINITE) == WAIT_OBJECT_0) { - if (thread_count == max_threads) - SetEvent(hEvent); - thread_count--; - ReleaseMutex(hMutex); 
- return TRUE; - } else { - return FALSE; - } -} - -#else /* assume pthread */ - -static pthread_mutex_t counter_mutex = PTHREAD_MUTEX_INITIALIZER; -static pthread_cond_t counter_cond = PTHREAD_COND_INITIALIZER; -int counter = 0; - -static int -wait_and_increment_thread_counter(void) -{ - int err; - - err = pthread_mutex_lock(&counter_mutex); - if (err) { - perror("pthread_mutex_lock"); - return 0; - } - if (counter == max_threads) { - err = pthread_cond_wait(&counter_cond, &counter_mutex); - if (err) { - pthread_mutex_unlock(&counter_mutex); - perror("pthread_cond_wait"); - return 0; - } - } - counter++; - pthread_mutex_unlock(&counter_mutex); - return 1; -} - -static void -decrement_and_signal_thread_counter(void) -{ - int err; - - sleep(1); - err = pthread_mutex_lock(&counter_mutex); - if (err) { - perror("pthread_mutex_lock"); - return; - } - if (counter == max_threads) - pthread_cond_broadcast(&counter_cond); - counter--; - pthread_mutex_unlock(&counter_mutex); -} - -#endif - -static char *service_name, *server_host, *msg; -static char *mechanism = 0; -static u_short port = 4444; -static int use_file = 0; -static OM_uint32 gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; -static OM_uint32 min_stat; -static gss_OID oid = GSS_C_NULL_OID; -static int mcount = 1, ccount = 1; -static int auth_flag, wrap_flag, encrypt_flag, mic_flag, v1_format; - -static void * -worker_bee(void *unused) -{ - printf("worker bee!\n"); - if (call_server(server_host, port, oid, service_name, - gss_flags, auth_flag, wrap_flag, encrypt_flag, mic_flag, - v1_format, msg, use_file, mcount) < 0) { - if (max_threads == 1) - exit(6); - } - - if (max_threads > 1) - decrement_and_signal_thread_counter(); - free(unused); - return NULL; -} - -int -main(int argc, char **argv) -{ - int i; - - display_file = stdout; - auth_flag = wrap_flag = encrypt_flag = mic_flag = 1; - v1_format = 0; - - /* Parse arguments. 
*/ - argc--; - argv++; - while (argc) { - if (strcmp(*argv, "-port") == 0) { - argc--; - argv++; - if (!argc) - usage(); - port = atoi(*argv); - } else if (strcmp(*argv, "-mech") == 0) { - argc--; - argv++; - if (!argc) - usage(); - mechanism = *argv; - } else if (strcmp(*argv, "-threads") == 0) { - argc--; - argv++; - if (!argc) - usage(); - max_threads = atoi(*argv); - } else if (strcmp(*argv, "-d") == 0) { - gss_flags |= GSS_C_DELEG_FLAG; - } else if (strcmp(*argv, "-seq") == 0) { - gss_flags |= GSS_C_SEQUENCE_FLAG; - } else if (strcmp(*argv, "-noreplay") == 0) { - gss_flags &= ~GSS_C_REPLAY_FLAG; - } else if (strcmp(*argv, "-nomutual") == 0) { - gss_flags &= ~GSS_C_MUTUAL_FLAG; - } else if (strcmp(*argv, "-f") == 0) { - use_file = 1; - } else if (strcmp(*argv, "-q") == 0) { - verbose = 0; - } else if (strcmp(*argv, "-ccount") == 0) { - argc--; - argv++; - if (!argc) - usage(); - ccount = atoi(*argv); - if (ccount <= 0) - usage(); - } else if (strcmp(*argv, "-mcount") == 0) { - argc--; - argv++; - if (!argc) - usage(); - mcount = atoi(*argv); - if (mcount < 0) - usage(); - } else if (strcmp(*argv, "-na") == 0) { - auth_flag = wrap_flag = encrypt_flag = mic_flag = 0; - } else if (strcmp(*argv, "-nw") == 0) { - wrap_flag = 0; - } else if (strcmp(*argv, "-nx") == 0) { - encrypt_flag = 0; - } else if (strcmp(*argv, "-nm") == 0) { - mic_flag = 0; - } else if (strcmp(*argv, "-v1") == 0) { - v1_format = 1; - } else { - break; - } - argc--; - argv++; - } - if (argc != 3) - usage(); - -#ifdef _WIN32 - if (max_threads < 1) { - fprintf(stderr, "warning: there must be at least one thread\n"); - max_threads = 1; - } - - init_handles(); - SetEnvironmentVariable("KERBEROSLOGIN_NEVER_PROMPT", "1"); -#endif - - server_host = *argv++; - service_name = *argv++; - msg = *argv++; - - if (mechanism) - parse_oid(mechanism, &oid); - - if (get_server_info(server_host, port) < 0) - exit(1); - - if (max_threads == 1) { - for (i = 0; i < ccount; i++) - worker_bee(0); - } else { - for (i = 
0; i < ccount; i++) { - if (wait_and_increment_thread_counter()) { -#ifdef _WIN32 - uintptr_t handle = _beginthread(worker_bee, 0, (void *)NULL); - if (handle == (uintptr_t)-1) - exit(7); -#else - int err; - pthread_t thr; - err = pthread_create(&thr, 0, worker_bee, malloc(12)); - if (err) { - perror("pthread_create"); - exit(7); - } - (void)pthread_detach(thr); -#endif - } else { - exit(8); - } - } - } - - if (oid != GSS_C_NULL_OID) - (void)gss_release_oid(&min_stat, &oid); - -#ifdef _WIN32 - cleanup_handles(); -#else - if (max_threads > 1) - sleep(10); -#endif - - return 0; -} diff --git a/crypto/krb5/src/tests/gss-threads/gss-misc.c b/crypto/krb5/src/tests/gss-threads/gss-misc.c deleted file mode 100644 index 4dd1b5dc70a2..000000000000 --- a/crypto/krb5/src/tests/gss-threads/gss-misc.c +++ /dev/null 
@@ -1,410 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ -/* - * Copyright (C) 2003, 2004 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. 
- * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "autoconf.h" -#include <stdio.h> -#ifdef _WIN32 -#include <windows.h> -#include <winsock.h> -#else -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/socket.h> -#endif -#include <errno.h> -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif -#include <string.h> - -/* need struct timeval */ -#include <time.h> -#if HAVE_SYS_TIME_H -#include <sys/time.h> -#endif - -#include <gssapi/gssapi_generic.h> -#include "gss-misc.h" -/* for store_32_be */ -#include "k5-platform.h" - -#ifdef HAVE_STDLIB_H -#include <stdlib.h> -#else -extern char *malloc(); -#endif - -FILE *display_file; - -gss_buffer_desc empty_token_buf = { 0, (void *)"" }; -gss_buffer_t empty_token = &empty_token_buf; - -static void display_status_1(char *m, OM_uint32 code, int type); - -static int -write_all(int fildes, char *buf, unsigned int nbyte) -{ - int ret; - char *ptr; - - for (ptr = buf; nbyte; ptr += ret, nbyte -= ret) { - ret = send(fildes, ptr, nbyte, 0); - if (ret < 0) { - if (errno == EINTR) - continue; - return ret; - } else if (ret == 0) { - return ptr - buf; - } - } - - return ptr - buf; -} - -static int 
-read_all(int fildes, char *buf, unsigned int nbyte) -{ - int ret; - char *ptr; - fd_set rfds; - struct timeval tv; - - FD_ZERO(&rfds); - FD_SET(fildes, &rfds); - tv.tv_sec = 10; - tv.tv_usec = 0; - - for (ptr = buf; nbyte; ptr += ret, nbyte -= ret) { - if (select(FD_SETSIZE, &rfds, NULL, NULL, &tv) <= 0 || - !FD_ISSET(fildes, &rfds)) - return ptr - buf; - ret = recv(fildes, ptr, nbyte, 0); - if (ret < 0) { - if (errno == EINTR) - continue; - return ret; - } else if (ret == 0) { - return ptr - buf; - } - } - - return ptr - buf; -} - -/* - * Function: send_token - * - * Purpose: Writes a token to a file descriptor. - * - * Arguments: - * - * s (r) an open file descriptor - * flags (r) the flags to write - * tok (r) the token to write - * - * Returns: 0 on success, -1 on failure - * - * Effects: - * - * If the flags are non-null, send_token writes the token flags (a - * single byte, even though they're passed in in an integer). Next, - * the token length (as a network long) and then the token data are - * written to the file descriptor s. It returns 0 on success, and -1 - * if an error occurs or if it could not write all the data. 
- */ -int -send_token(int s, int flags, gss_buffer_t tok) -{ - int ret; - unsigned char char_flags = (unsigned char)flags; - unsigned char lenbuf[4]; - - if (char_flags) { - ret = write_all(s, (char *)&char_flags, 1); - if (ret != 1) { - perror("sending token flags"); - return -1; - } - } - if (tok->length > 0xffffffffUL) - abort(); - store_32_be(tok->length, lenbuf); - ret = write_all(s, (char *)lenbuf, 4); - if (ret < 0) { - perror("sending token length"); - return -1; - } else if (ret != 4) { - if (display_file) { - fprintf(display_file, - "sending token length: %d of %d bytes written\n", ret, 4); - } - return -1; - } - - ret = write_all(s, tok->value, tok->length); - if (ret < 0) { - perror("sending token data"); - return -1; - } else if ((size_t)ret != tok->length) { - if (display_file) { - fprintf(display_file, - "sending token data: %d of %d bytes written\n", - ret, (int)tok->length); - } - return -1; - } - - return 0; -} - -/* - * Function: recv_token - * - * Purpose: Reads a token from a file descriptor. - * - * Arguments: - * - * s (r) an open file descriptor - * flags (w) the read flags - * tok (w) the read token - * - * Returns: 0 on success, -1 on failure - * - * Effects: - * - * recv_token reads the token flags (a single byte, even though - * they're stored into an integer, then reads the token length (as a - * network long), allocates memory to hold the data, and then reads - * the token data from the file descriptor s. It blocks to read the - * length and data, if necessary. On a successful return, the token - * should be freed with gss_release_buffer. It returns 0 on success, - * and -1 if an error occurs or if it could not read all the data. 
- */ -int -recv_token(int s, int *flags, gss_buffer_t tok) -{ - int ret; - unsigned char char_flags; - unsigned char lenbuf[4]; - - ret = read_all(s, (char *)&char_flags, 1); - if (ret < 0) { - perror("reading token flags"); - return -1; - } else if (!ret) { - if (display_file) - fputs("reading token flags: 0 bytes read\n", display_file); - return -1; - } else { - *flags = char_flags; - } - - if (char_flags == 0) { - lenbuf[0] = 0; - ret = read_all(s, (char *)&lenbuf[1], 3); - if (ret < 0) { - perror("reading token length"); - return -1; - } else if (ret != 3) { - if (display_file) { - fprintf(display_file, - "reading token length: %d of %d bytes read\n", ret, 3); - } - return -1; - } - } else { - ret = read_all(s, (char *)lenbuf, 4); - if (ret < 0) { - perror("reading token length"); - return -1; - } else if (ret != 4) { - if (display_file) { - fprintf(display_file, - "reading token length: %d of %d bytes read\n", ret, 4); - } - return -1; - } - } - - tok->length = load_32_be(lenbuf); - tok->value = malloc(tok->length ? 
tok->length : 1); - if (tok->length && tok->value == NULL) { - if (display_file) - fprintf(display_file, "Out of memory allocating token data\n"); - return -1; - } - - ret = read_all(s, (char *)tok->value, tok->length); - if (ret < 0) { - perror("reading token data"); - free(tok->value); - return -1; - } else if ((size_t)ret != tok->length) { - fprintf(stderr, "sending token data: %d of %d bytes written\n", - ret, (int)tok->length); - free(tok->value); - return -1; - } - - return 0; -} - -static void -display_status_1(char *m, OM_uint32 code, int type) -{ - OM_uint32 min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while (1) { - (void)gss_display_status(&min_stat, code, type, GSS_C_NULL_OID, - &msg_ctx, &msg); - if (display_file) { - fprintf(display_file, "GSS-API error %s: %s\n", m, - (char *)msg.value); - } - (void)gss_release_buffer(&min_stat, &msg); - - if (!msg_ctx) - break; - } -} - -/* - * Function: display_status - * - * Purpose: displays GSS-API messages - * - * Arguments: - * - * msg a string to be displayed with the message - * maj_stat the GSS-API major status code - * min_stat the GSS-API minor status code - * - * Effects: - * - * The GSS-API messages associated with maj_stat and min_stat are - * displayed on stderr, each preceded by "GSS-API error <msg>: " and - * followed by a newline. 
- */ -void -display_status(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - display_status_1(msg, maj_stat, GSS_C_GSS_CODE); - display_status_1(msg, min_stat, GSS_C_MECH_CODE); -} - -/* - * Function: display_ctx_flags - * - * Purpose: displays the flags returned by context initiation in - * a human-readable form - * - * Arguments: - * - * int ret_flags - * - * Effects: - * - * Strings corresponding to the context flags are printed on - * stdout, preceded by "context flag: " and followed by a newline - */ - -void -display_ctx_flags(OM_uint32 flags) -{ - if (flags & GSS_C_DELEG_FLAG) - fprintf(display_file, "context flag: GSS_C_DELEG_FLAG\n"); - if (flags & GSS_C_MUTUAL_FLAG) - fprintf(display_file, "context flag: GSS_C_MUTUAL_FLAG\n"); - if (flags & GSS_C_REPLAY_FLAG) - fprintf(display_file, "context flag: GSS_C_REPLAY_FLAG\n"); - if (flags & GSS_C_SEQUENCE_FLAG) - fprintf(display_file, "context flag: GSS_C_SEQUENCE_FLAG\n"); - if (flags & GSS_C_CONF_FLAG) - fprintf(display_file, "context flag: GSS_C_CONF_FLAG \n"); - if (flags & GSS_C_INTEG_FLAG) - fprintf(display_file, "context flag: GSS_C_INTEG_FLAG \n"); -} - -void -print_token(gss_buffer_t tok) -{ - size_t i; - unsigned char *p = tok->value; - - if (!display_file) - return; - for (i = 0; i < tok->length; i++, p++) { - fprintf(display_file, "%02x ", *p); - if (i % 16 == 15) { - fprintf(display_file, "\n"); - } - } - fprintf(display_file, "\n"); - fflush(display_file); -} - -#ifdef _WIN32 -#include <sys\timeb.h> -#include <time.h> - -int -gettimeofday(struct timeval *tv, void *ignore_tz) -{ - struct _timeb tb; - - _tzset(); - _ftime(&tb); - if (tv) { - tv->tv_sec = tb.time; - tv->tv_usec = tb.millitm * 1000; - } - return 0; -} - -#endif /* _WIN32 */ diff --git a/crypto/krb5/src/tests/gss-threads/gss-misc.h b/crypto/krb5/src/tests/gss-threads/gss-misc.h deleted file mode 100644 index 1ed8fb6c4ca9..000000000000 --- a/crypto/krb5/src/tests/gss-threads/gss-misc.h +++ /dev/null 
@@ -1,51 +0,0 @@ -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef _GSSMISC_H_ -#define _GSSMISC_H_ - -#include <gssapi/gssapi_generic.h> -#include <stdio.h> - -extern FILE *display_file; - -int send_token(int s, int flags, gss_buffer_t tok); -int recv_token(int s, int *flags, gss_buffer_t tok); -void display_status(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat); -void display_ctx_flags(OM_uint32 flags); -void print_token(gss_buffer_t tok); - -/* Token types */ -#define TOKEN_NOOP (1<<0) -#define TOKEN_CONTEXT (1<<1) -#define TOKEN_DATA (1<<2) -#define TOKEN_MIC (1<<3) - -/* Token flags */ -#define TOKEN_CONTEXT_NEXT (1<<4) -#define TOKEN_WRAPPED (1<<5) -#define TOKEN_ENCRYPTED (1<<6) -#define TOKEN_SEND_MIC (1<<7) - -extern gss_buffer_t empty_token; - -#endif 
diff --git a/crypto/krb5/src/tests/gss-threads/gss-server.c b/crypto/krb5/src/tests/gss-threads/gss-server.c deleted file mode 100644 index e0a37738e405..000000000000 --- a/crypto/krb5/src/tests/gss-threads/gss-server.c +++ /dev/null 
@@ -1,850 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ -/* - * Copyright (C) 2004,2008 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. 
- * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "autoconf.h" -#include <stdio.h> -#ifdef _WIN32 -#include <windows.h> -#include <winsock.h> -#else -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/time.h> -#include <netinet/in.h> -#include <pthread.h> -#include <signal.h> -#endif -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif -#include <stdlib.h> -#include <ctype.h> - -#include <gssapi/gssapi_generic.h> -#include "gss-misc.h" -#include "port-sockets.h" - -#ifdef HAVE_STRING_H -#include <string.h> -#else -#include <strings.h> -#endif - -static void -usage(void) -{ - fprintf(stderr, "Usage: gss-server [-port port] [-verbose] [-once]"); -#ifdef _WIN32 - fprintf(stderr, " [-threads num]"); -#endif - fprintf(stderr, "\n"); - fprintf(stderr, " [-inetd] [-export] [-logfile file] " - "service_name\n"); - exit(1); -} - -FILE *logfile; - -int verbose = 0; - -/* - * Function: server_acquire_creds - * - * Purpose: imports a service name and acquires credentials for it - * - * Arguments: - * - * service_name (r) the ASCII service name - * server_creds (w) the GSS-API service credentials - * - * Returns: 0 on success, -1 on failure - * - 
* Effects: - * - * The service name is imported with gss_import_name, and service - * credentials are acquired with gss_acquire_cred. If either operation - * fails, an error message is displayed and -1 is returned; otherwise, - * 0 is returned. - */ -static int -server_acquire_creds(char *service_name, gss_cred_id_t *server_creds) -{ - gss_buffer_desc name_buf; - gss_name_t server_name; - OM_uint32 maj_stat, min_stat; - - name_buf.value = service_name; - name_buf.length = strlen(name_buf.value) + 1; - maj_stat = gss_import_name(&min_stat, &name_buf, - (gss_OID)gss_nt_service_name, &server_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("importing name", maj_stat, min_stat); - return -1; - } - - maj_stat = gss_acquire_cred(&min_stat, server_name, 0, - GSS_C_NULL_OID_SET, GSS_C_ACCEPT, - server_creds, NULL, NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("acquiring credentials", maj_stat, min_stat); - return -1; - } - - (void)gss_release_name(&min_stat, &server_name); - - return 0; -} - -/* - * Function: server_establish_context - * - * Purpose: establishses a GSS-API context as a specified service with - * an incoming client, and returns the context handle and associated - * client name - * - * Arguments: - * - * s (r) an established TCP connection to the client - * service_creds (r) server credentials, from gss_acquire_cred - * context (w) the established GSS-API context - * client_name (w) the client's ASCII name - * - * Returns: 0 on success, -1 on failure - * - * Effects: - * - * Any valid client request is accepted. If a context is established, - * its handle is returned in context and the client name is returned - * in client_name and 0 is returned. If unsuccessful, an error - * message is displayed and -1 is returned. 
- */ -static int -server_establish_context(int s, gss_cred_id_t server_creds, - gss_ctx_id_t *context, gss_buffer_t client_name, - OM_uint32 *ret_flags) -{ - gss_buffer_desc send_tok, recv_tok, oid_name; - gss_name_t client; - gss_OID doid; - OM_uint32 maj_stat, min_stat, acc_sec_min_stat; - int token_flags; - - if (recv_token(s, &token_flags, &recv_tok) < 0) - return -1; - - if (recv_tok.value) { - free(recv_tok.value); - recv_tok.value = NULL; - } - - if (!(token_flags & TOKEN_NOOP)) { - if (logfile) { - fprintf(logfile, "Expected NOOP token, got %d token instead\n", - token_flags); - } - return -1; - } - - *context = GSS_C_NO_CONTEXT; - - if (token_flags & TOKEN_CONTEXT_NEXT) { - do { - if (recv_token(s, &token_flags, &recv_tok) < 0) - return -1; - - if (verbose && logfile) { - fprintf(logfile, "Received token (size=%d): \n", - (int)recv_tok.length); - print_token(&recv_tok); - } - - maj_stat = gss_accept_sec_context(&acc_sec_min_stat, context, - server_creds, &recv_tok, - GSS_C_NO_CHANNEL_BINDINGS, - &client, &doid, &send_tok, - ret_flags, NULL, NULL); - - if (recv_tok.value) { - free(recv_tok.value); - recv_tok.value = NULL; - } - - if (send_tok.length != 0) { - if (verbose && logfile) { - fprintf(logfile, - "Sending accept_sec_context token (size=%d):\n", - (int)send_tok.length); - print_token(&send_tok); - } - if (send_token(s, TOKEN_CONTEXT, &send_tok) < 0) { - if (logfile) - fprintf(logfile, "failure sending token\n"); - return -1; - } - - (void)gss_release_buffer(&min_stat, &send_tok); - } - if (maj_stat != GSS_S_COMPLETE && - maj_stat != GSS_S_CONTINUE_NEEDED) { - display_status("accepting context", maj_stat, - acc_sec_min_stat); - if (*context != GSS_C_NO_CONTEXT) { - gss_delete_sec_context(&min_stat, context, - GSS_C_NO_BUFFER); - } - return -1; - } - - if (verbose && logfile) { - if (maj_stat == GSS_S_CONTINUE_NEEDED) - fprintf(logfile, "continue needed...\n"); - else - fprintf(logfile, "\n"); - fflush(logfile); - } - } while (maj_stat == 
GSS_S_CONTINUE_NEEDED); - - /* display the flags */ - display_ctx_flags(*ret_flags); - - if (verbose && logfile) { - maj_stat = gss_oid_to_str(&min_stat, doid, &oid_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("converting oid->string", maj_stat, min_stat); - return -1; - } - fprintf(logfile, "Accepted connection using mechanism OID %.*s.\n", - (int)oid_name.length, (char *)oid_name.value); - (void)gss_release_buffer(&min_stat, &oid_name); - } - - maj_stat = gss_display_name(&min_stat, client, client_name, &doid); - if (maj_stat != GSS_S_COMPLETE) { - display_status("displaying name", maj_stat, min_stat); - return -1; - } - maj_stat = gss_release_name(&min_stat, &client); - if (maj_stat != GSS_S_COMPLETE) { - display_status("releasing name", maj_stat, min_stat); - return -1; - } - } else { - client_name->length = *ret_flags = 0; - - if (logfile) - fprintf(logfile, "Accepted unauthenticated connection.\n"); - } - - return 0; -} - -/* - * Function: create_socket - * - * Purpose: Opens a listening TCP socket. - * - * Arguments: - * - * port (r) the port number on which to listen - * - * Returns: the listening socket file descriptor, or -1 on failure - * - * Effects: - * - * A listening socket on the specified port and created and returned. - * On error, an error message is displayed and -1 is returned. - */ -static int -create_socket(u_short port) -{ - struct sockaddr_in saddr; - int s, on = 1; - - saddr.sin_family = AF_INET; - saddr.sin_port = htons(port); - saddr.sin_addr.s_addr = INADDR_ANY; - - s = socket(AF_INET, SOCK_STREAM, 0); - if (s < 0) { - perror("creating socket"); - return -1; - } - /* Let the socket be reused right away. 
*/ - (void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on)); - if (bind(s, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) { - perror("binding socket"); - (void)close(s); - return -1; - } - if (listen(s, 5) < 0) { - perror("listening on socket"); - (void)close(s); - return -1; - } - return s; -} - -static float -timeval_subtract(struct timeval *tv1, struct timeval *tv2) -{ - return ((tv1->tv_sec - tv2->tv_sec) + - ((float)(tv1->tv_usec - tv2->tv_usec)) / 1000000); -} - -/* - * Yes, yes, this isn't the best place for doing this test. - * DO NOT REMOVE THIS UNTIL A BETTER TEST HAS BEEN WRITTEN, THOUGH. - * -TYT - */ -static int -test_import_export_context(gss_ctx_id_t *context) -{ - OM_uint32 min_stat, maj_stat; - gss_buffer_desc context_token, copied_token; - struct timeval tm1, tm2; - - /* Attempt to save and then restore the context. */ - gettimeofday(&tm1, (struct timezone *)0); - maj_stat = gss_export_sec_context(&min_stat, context, &context_token); - if (maj_stat != GSS_S_COMPLETE) { - display_status("exporting context", maj_stat, min_stat); - return 1; - } - gettimeofday(&tm2, NULL); - if (verbose && logfile) { - fprintf(logfile, "Exported context: %d bytes, %7.4f seconds\n", - (int)context_token.length, timeval_subtract(&tm2, &tm1)); - } - copied_token.length = context_token.length; - copied_token.value = malloc(context_token.length); - if (copied_token.value == 0) { - if (logfile) { - fprintf(logfile, "Couldn't allocate memory to copy context " - "token.\n"); - } - return 1; - } - memcpy(copied_token.value, context_token.value, copied_token.length); - maj_stat = gss_import_sec_context(&min_stat, &copied_token, context); - if (maj_stat != GSS_S_COMPLETE) { - display_status("importing context", maj_stat, min_stat); - return 1; - } - free(copied_token.value); - gettimeofday(&tm1, NULL); - if (verbose && logfile) { - fprintf(logfile, "Importing context: %7.4f seconds\n", - timeval_subtract(&tm1, &tm2)); - } - (void)gss_release_buffer(&min_stat, 
&context_token); - return 0; -} - -/* - * Function: sign_server - * - * Purpose: Performs the "sign" service. - * - * Arguments: - * - * s (r) a TCP socket on which a connection has been - * accept()ed - * service_name (r) the ASCII name of the GSS-API service to - * establish a context as - * export (r) whether to test context exporting - * - * Returns: -1 on error - * - * Effects: - * - * sign_server establishes a context, and performs a single sign request. - * - * A sign request is a single GSS-API sealed token. The token is - * unsealed and a signature block, produced with gss_sign, is returned - * to the sender. The context is the destroyed and the connection - * closed. - * - * If any error occurs, -1 is returned. - */ -static int -sign_server(int s, gss_cred_id_t server_creds, int export) -{ - gss_buffer_desc client_name, xmit_buf, msg_buf; - gss_ctx_id_t context; - OM_uint32 maj_stat, min_stat, ret_flags; - int i, conf_state, token_flags; - char *cp; - - /* Establish a context with the client */ - if (server_establish_context(s, server_creds, &context, &client_name, - &ret_flags) < 0) - return -1; - - if (context == GSS_C_NO_CONTEXT) { - printf("Accepted unauthenticated connection.\n"); - } else { - printf("Accepted connection: \"%.*s\"\n", (int)client_name.length, - (char *)client_name.value); - (void)gss_release_buffer(&min_stat, &client_name); - - if (export) { - for (i = 0; i < 3; i++) { - if (test_import_export_context(&context)) - return -1; - } - } - } - - do { - /* Receive the message token */ - if (recv_token(s, &token_flags, &xmit_buf) < 0) - return -1; - - if (token_flags & TOKEN_NOOP) { - if (logfile) - fprintf(logfile, "NOOP token\n"); - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - break; - } - - if (verbose && logfile) { - fprintf(logfile, "Message token (flags=%d):\n", token_flags); - print_token(&xmit_buf); - } - - if (context == GSS_C_NO_CONTEXT && - (token_flags & - (TOKEN_WRAPPED | TOKEN_ENCRYPTED | 
TOKEN_SEND_MIC))) { - if (logfile) { - fprintf(logfile, "Unauthenticated client requested " - "authenticated services!\n"); - } - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - return -1; - } - - if (token_flags & TOKEN_WRAPPED) { - maj_stat = gss_unwrap(&min_stat, context, &xmit_buf, &msg_buf, - &conf_state, NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("unsealing message", maj_stat, min_stat); - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - return -1; - } else if (!conf_state && (token_flags & TOKEN_ENCRYPTED)) { - fprintf(stderr, "Warning! Message not encrypted.\n"); - } - - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - } else { - msg_buf = xmit_buf; - } - - if (logfile) { - fprintf(logfile, "Received message: "); - cp = msg_buf.value; - if (isprint((unsigned char)cp[0]) && - isprint((unsigned char)cp[1])) { - fprintf(logfile, "\"%.*s\"\n", (int)msg_buf.length, - (char *)msg_buf.value); - } else { - fprintf(logfile, "\n"); - print_token(&msg_buf); - } - } - - if (token_flags & TOKEN_SEND_MIC) { - /* Produce a signature block for the message. */ - maj_stat = gss_get_mic(&min_stat, context, GSS_C_QOP_DEFAULT, - &msg_buf, &xmit_buf); - if (maj_stat != GSS_S_COMPLETE) { - display_status("signing message", maj_stat, min_stat); - return -1; - } - - if (msg_buf.value) { - free(msg_buf.value); - msg_buf.value = 0; - } - - /* Send the signature block to the client. */ - if (send_token(s, TOKEN_MIC, &xmit_buf) < 0) - return -1; - - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - } else { - if (msg_buf.value) { - free(msg_buf.value); - msg_buf.value = 0; - } - if (send_token(s, TOKEN_NOOP, empty_token) < 0) - return -1; - } - } while (1 /* loop will break if NOOP received */); - - if (context != GSS_C_NO_CONTEXT) { - /* Delete context. 
*/ - maj_stat = gss_delete_sec_context(&min_stat, &context, NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("deleting context", maj_stat, min_stat); - return -1; - } - } - - if (logfile) - fflush(logfile); - - return 0; -} - -static int max_threads = 1; - -#ifdef _WIN32 -static thread_count = 0; -static HANDLE hMutex = NULL; -static HANDLE hEvent = NULL; - -void -init_handles(void) -{ - hMutex = CreateMutex(NULL, FALSE, NULL); - hEvent = CreateEvent(NULL, FALSE, FALSE, NULL); -} - -void -cleanup_handles(void) -{ - CloseHandle(hMutex); - CloseHandle(hEvent); -} - -BOOL -wait_and_increment_thread_counter(void) -{ - for (;;) { - if (WaitForSingleObject(hMutex, INFINITE) == WAIT_OBJECT_0) { - if (thread_count < max_threads) { - thread_count++; - ReleaseMutex(hMutex); - return TRUE; - } else { - ReleaseMutex(hMutex); - - if (WaitForSingleObject(hEvent, INFINITE) == WAIT_OBJECT_0) - continue; - else - return FALSE; - } - } else { - return FALSE; - } - } -} - -BOOL -decrement_and_signal_thread_counter(void) -{ - if (WaitForSingleObject(hMutex, INFINITE) == WAIT_OBJECT_0) { - if (thread_count == max_threads) - SetEvent(hEvent); - thread_count--; - ReleaseMutex(hMutex); - return TRUE; - } else { - return FALSE; - } -} - -#else /* assume pthread */ - -static pthread_mutex_t counter_mutex = PTHREAD_MUTEX_INITIALIZER; -static pthread_cond_t counter_cond = PTHREAD_COND_INITIALIZER; -int counter = 0; - -static int -wait_and_increment_thread_counter(void) -{ - int err; - - err = pthread_mutex_lock(&counter_mutex); - if (err) { - perror("pthread_mutex_lock"); - return 0; - } - if (counter == max_threads) { - err = pthread_cond_wait(&counter_cond, &counter_mutex); - if (err) { - pthread_mutex_unlock(&counter_mutex); - perror("pthread_cond_wait"); - return 0; - } - } - counter++; - pthread_mutex_unlock(&counter_mutex); - return 1; -} - -static void -decrement_and_signal_thread_counter(void) -{ - int err; - - err = pthread_mutex_lock(&counter_mutex); - if (err) { - 
perror("pthread_mutex_lock"); - return; - } - if (counter == max_threads) - pthread_cond_broadcast(&counter_cond); - counter--; - pthread_mutex_unlock(&counter_mutex); -} - -#endif - -struct _work_plan { - int s; - gss_cred_id_t server_creds; - int export; -}; - -static void * -worker_bee(void *param) -{ - struct _work_plan *work = param; - - /* This return value is not checked, because there's not really anything to - * do if it fails. */ - sign_server(work->s, work->server_creds, work->export); - closesocket(work->s); - free(work); - -#if defined _WIN32 || 1 - if (max_threads > 1) - decrement_and_signal_thread_counter(); -#endif - return NULL; -} - -int -main(int argc, char **argv) -{ - char *service_name; - gss_cred_id_t server_creds; - OM_uint32 min_stat; - u_short port = 4444; - int once = 0; - int do_inetd = 0; - int export = 0; - - signal(SIGPIPE, SIG_IGN); - logfile = stdout; - display_file = stdout; - argc--; - argv++; - while (argc) { - if (strcmp(*argv, "-port") == 0) { - argc--; - argv++; - if (!argc) - usage(); - port = atoi(*argv); - } else if (strcmp(*argv, "-threads") == 0) { - argc--; - argv++; - if (!argc) - usage(); - max_threads = atoi(*argv); - } else if (strcmp(*argv, "-verbose") == 0) { - verbose = 1; - } else if (strcmp(*argv, "-once") == 0) { - once = 1; - } else if (strcmp(*argv, "-inetd") == 0) { - do_inetd = 1; - } else if (strcmp(*argv, "-export") == 0) { - export = 1; - } else if (strcmp(*argv, "-logfile") == 0) { - argc--; - argv++; - if (!argc) - usage(); - /* - * Gross hack, but it makes it unnecessary to add an extra argument - * to disable logging, and makes the code more efficient because it - * doesn't actually write data to /dev/null. 
- */ - if (!strcmp(*argv, "/dev/null")) { - logfile = display_file = NULL; - } else { - logfile = fopen(*argv, "a"); - display_file = logfile; - if (!logfile) { - perror(*argv); - exit(1); - } - } - } else { - break; - } - argc--; - argv++; - } - if (argc != 1) - usage(); - - if ((*argv)[0] == '-') - usage(); - -#ifdef _WIN32 - if (max_threads < 1) { - fprintf(stderr, "warning: there must be at least one thread\n"); - max_threads = 1; - } - - if (max_threads > 1 && do_inetd) { - fprintf(stderr, "warning: one thread may be used in conjunction " - "with inetd\n"); - } - - init_handles(); -#endif - - service_name = *argv; - - if (server_acquire_creds(service_name, &server_creds) < 0) - return -1; - - if (do_inetd) { - close(1); - close(2); - - sign_server(0, server_creds, export); - close(0); - } else { - int stmp; - - stmp = create_socket(port); - if (stmp >= 0) { - do { - struct _work_plan * work = malloc(sizeof(struct _work_plan)); - - if (work == NULL) { - fprintf(stderr, "fatal error: out of memory"); - break; - } - - /* Accept a TCP connection */ - work->s = accept(stmp, NULL, 0); - if (work->s < 0) { - perror("accepting connection"); - continue; - } - - work->server_creds = server_creds; - work->export = export; - - if (max_threads == 1) { - worker_bee(work); - } else { - if (wait_and_increment_thread_counter()) { -#ifdef _WIN32 - uintptr_t handle = _beginthread(worker_bee, 0, work); - if (handle == (uintptr_t)-1) { - closesocket(work->s); - free(work); - } -#else - int err; - pthread_t thr; - err = pthread_create(&thr, 0, worker_bee, work); - if (err) { - perror("pthread_create"); - closesocket(work->s); - free(work); - } - (void)pthread_detach(thr); -#endif - } else { - fprintf(stderr, "fatal error incrementing thread " - "counter"); - closesocket(work->s); - free(work); - break; - } - } - } while (!once); - - closesocket(stmp); - } - } - - (void)gss_release_cred(&min_stat, &server_creds); - -#ifdef _WIN32 - cleanup_handles(); -#else - if (max_threads > 1) { 
- while (1) - sleep(999999); - } -#endif - - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/Makefile.in b/crypto/krb5/src/tests/gssapi/Makefile.in deleted file mode 100644 index 97a6ac3f3f78..000000000000 --- a/crypto/krb5/src/tests/gssapi/Makefile.in +++ /dev/null 
@@ -1,141 +0,0 @@ -mydir=tests$(S)gssapi -BUILDTOP=$(REL)..$(S).. -DEFINES = -DUSE_AUTOCONF_H - -# For t_prf.c -LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \ - -I$(srcdir)/../../lib/gssapi/krb5 \ - -I$(srcdir)/../../lib/gssapi/generic -I../../lib/gssapi/krb5 \ - -I../../lib/gssapi/generic - -SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ - $(srcdir)/reload.c $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c \ - $(srcdir)/t_bindings.c $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c \ - $(srcdir)/t_context.c $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c \ - $(srcdir)/t_err.c $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ - $(srcdir)/t_gssexts.c $(srcdir)/t_iakerb.c $(srcdir)/t_imp_cred.c \ - $(srcdir)/t_imp_name.c $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c \ - $(srcdir)/t_inq_ctx.c $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ - $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \ - $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \ - $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ - $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c $(srcdir)/t_store_cred.c - -OBJS= ccinit.o ccrefresh.o common.o reload.o t_accname.o t_add_cred.o \ - t_bindings.o t_ccselect.o t_ciflags.o t_context.o t_credstore.o \ - t_enctypes.o t_err.o t_export_cred.o t_export_name.o t_gssexts.o \ - t_iakerb.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \ - t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \ - t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ - t_spnego.o t_srcattrs.o t_store_cred.o t_iakerb.o - -COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) -COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) - -all: ccinit ccrefresh reload t_accname t_add_cred t_bindings t_ccselect \ - t_ciflags t_context t_credstore t_enctypes t_err t_export_cred \ - t_export_name t_gssexts t_iakerb t_imp_cred t_imp_name t_invalid \ - t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime 
t_namingexts \ - t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \ - t_srcattrs t_store_cred - -check-unix: t_invalid t_oid t_prf t_imp_name reload - $(RUN_TEST) ./t_invalid - $(RUN_TEST) ./t_oid - $(RUN_TEST) ./t_prf - $(RUN_TEST) ./t_imp_name - if [ -r $(TOPLIBD)/libgssapi_krb5.so ]; then $(RUN_TEST) ./reload; fi - -check-pytests: ccinit ccrefresh t_accname t_add_cred t_bindings t_ccselect \ - t_ciflags t_context t_credstore t_enctypes t_err t_export_cred \ - t_export_name t_imp_cred t_inq_cred t_inq_ctx t_inq_mechs_name t_iov \ - t_lifetime t_pcontok t_s4u t_s4u2proxy_krb5 t_spnego t_srcattrs \ - t_store_cred - $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_store_cred.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_credstore.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_bindings.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_authind.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_negoex.py $(PYTESTFLAGS) - -ccinit: ccinit.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS) -ccrefresh: ccrefresh.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o ccrefresh ccrefresh.o $(KRB5_BASE_LIBS) -reload: reload.o - $(CC_LINK) -o $@ reload.o $(LIBS) $(DL_LIB) -t_accname: t_accname.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS) -t_add_cred: t_add_cred.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_add_cred.o $(COMMON_LIBS) -t_bindings: t_bindings.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_bindings.o $(COMMON_LIBS) -t_ccselect: t_ccselect.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS) -t_ciflags: t_ciflags.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_ciflags.o $(COMMON_LIBS) -t_context: t_context.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_context.o 
$(COMMON_LIBS) -t_credstore: t_credstore.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_credstore.o $(COMMON_LIBS) -t_enctypes: t_enctypes.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_enctypes.o $(COMMON_LIBS) -t_err: t_err.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_err.o $(COMMON_LIBS) -t_export_cred: t_export_cred.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_export_cred.o $(COMMON_LIBS) -t_export_name: t_export_name.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_export_name.o $(COMMON_LIBS) -t_gssexts: t_gssexts.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_gssexts.o $(COMMON_LIBS) -t_iakerb: t_iakerb.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_iakerb.o $(COMMON_LIBS) -t_imp_cred: t_imp_cred.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_imp_cred.o $(COMMON_LIBS) -t_imp_name: t_imp_name.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_imp_name.o $(COMMON_LIBS) -t_invalid: t_invalid.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_invalid.o $(COMMON_LIBS) -t_inq_cred: t_inq_cred.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_inq_cred.o $(COMMON_LIBS) -t_inq_ctx: t_inq_ctx.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_inq_ctx.o $(COMMON_LIBS) -t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS) -t_iov: t_iov.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS) -t_lifetime: t_lifetime.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS) -t_namingexts: t_namingexts.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS) -t_pcontok: t_pcontok.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_pcontok.o $(COMMON_LIBS) -t_oid: t_oid.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_oid.o $(COMMON_LIBS) -t_prf: t_prf.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_prf.o $(COMMON_LIBS) -t_s4u: t_s4u.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_s4u.o $(COMMON_LIBS) -t_s4u2proxy_krb5: t_s4u2proxy_krb5.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_s4u2proxy_krb5.o $(COMMON_LIBS) -t_saslname: t_saslname.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_saslname.o $(COMMON_LIBS) -t_spnego: t_spnego.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_spnego.o 
$(COMMON_LIBS) -t_srcattrs: t_srcattrs.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_srcattrs.o $(COMMON_LIBS) -t_store_cred: t_store_cred.o $(COMMON_DEPS) - $(CC_LINK) -o $@ t_store_cred.o $(COMMON_LIBS) - -clean: - $(RM) ccinit ccrefresh reload t_accname t_add_cred t_bindings - $(RM) t_ccselect t_ciflags t_context t_credstore t_enctypes t_err - $(RM) t_export_cred t_export_name t_gssexts t_iakerb t_imp_cred - $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov - $(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u - $(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs t_store_cred diff --git a/crypto/krb5/src/tests/gssapi/ccinit.c b/crypto/krb5/src/tests/gssapi/ccinit.c deleted file mode 100644 index b06f04404788..000000000000 --- a/crypto/krb5/src/tests/gssapi/ccinit.c +++ /dev/null 
@@ -1,72 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/ccinit.c - Initialize an empty ccache */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This program initializes a ccache without attempting to get credentials in - * it. It is used to test some finer points of gss_acquire_cred behavior. 
- */ - -#include "k5-int.h" - -static void -check(krb5_error_code code) -{ - if (code != 0) { - com_err("ccinit", code, NULL); - abort(); - } -} - -int -main(int argc, char **argv) -{ - const char *ccname, *princname; - krb5_context context; - krb5_principal princ; - krb5_ccache ccache; - - if (argc != 3) { - fprintf(stderr, "Usage: %s ccname princname\n", argv[0]); - return 1; - } - ccname = argv[1]; - princname = argv[2]; - - check(krb5_init_context(&context)); - check(krb5_parse_name(context, princname, &princ)); - check(krb5_cc_resolve(context, ccname, &ccache)); - check(krb5_cc_initialize(context, ccache, princ)); - krb5_cc_close(context, ccache); - krb5_free_principal(context, princ); - krb5_free_context(context); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/ccrefresh.c b/crypto/krb5/src/tests/gssapi/ccrefresh.c deleted file mode 100644 index e1f04ed2ebf4..000000000000 --- a/crypto/krb5/src/tests/gssapi/ccrefresh.c +++ /dev/null 
@@ -1,80 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/ccrefresh.c - Get or set refresh time on a ccache */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This program sets the refresh time of an existing ccache to 1, forcing a - * refresh. 
- */ - -#include "k5-int.h" - -static void -check(krb5_error_code code) -{ - if (code != 0) { - com_err("ccrefresh", code, NULL); - abort(); - } -} - -int -main(int argc, char **argv) -{ - const char *ccname, *value = NULL; - krb5_context context; - krb5_ccache ccache; - krb5_data d; - - if (argc != 2 && argc != 3) { - fprintf(stderr, "Usage: %s ccname [value]\n", argv[0]); - return 1; - } - ccname = argv[1]; - if (argc == 3) - value = argv[2]; - - check(krb5_init_context(&context)); - check(krb5_cc_resolve(context, ccname, &ccache)); - if (value != NULL) { - d = string2data((char *)value); - check(krb5_cc_set_config(context, ccache, NULL, - KRB5_CC_CONF_REFRESH_TIME, &d)); - } else { - check(krb5_cc_get_config(context, ccache, NULL, - KRB5_CC_CONF_REFRESH_TIME, &d)); - printf("%.*s\n", (int)d.length, d.data); - krb5_free_data_contents(context, &d); - } - krb5_cc_close(context, ccache); - krb5_free_context(context); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/common.c b/crypto/krb5/src/tests/gssapi/common.c deleted file mode 100644 index 34f34f7a5706..000000000000 --- a/crypto/krb5/src/tests/gssapi/common.c +++ /dev/null 
@@ -1,282 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/common.c - Common utility functions for GSSAPI test programs */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include <stdio.h> -#include <string.h> -#include "common.h" - -gss_OID_desc mech_krb5 = { 9, "\052\206\110\206\367\022\001\002\002" }; -gss_OID_desc mech_spnego = { 6, "\053\006\001\005\005\002" }; -gss_OID_desc mech_iakerb = { 6, "\053\006\001\005\002\005" }; -gss_OID_set_desc mechset_krb5 = { 1, &mech_krb5 }; -gss_OID_set_desc mechset_spnego = { 1, &mech_spnego }; -gss_OID_set_desc mechset_iakerb = { 1, &mech_iakerb }; - -static void -display_status(const char *msg, OM_uint32 code, int type) -{ - OM_uint32 min_stat, msg_ctx = 0; - gss_buffer_desc buf; - - do { - (void)gss_display_status(&min_stat, code, type, GSS_C_NULL_OID, - &msg_ctx, &buf); - fprintf(stderr, "%s: %.*s\n", msg, (int)buf.length, (char *)buf.value); - (void)gss_release_buffer(&min_stat, &buf); - } while (msg_ctx != 0); -} - -void -check_gsserr(const char *msg, OM_uint32 major, OM_uint32 minor) -{ - if (GSS_ERROR(major)) { - display_status(msg, major, GSS_C_GSS_CODE); - display_status(msg, minor, GSS_C_MECH_CODE); - exit(1); - } -} - -void -check_k5err(krb5_context context, const char *msg, krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(context, code); - printf("%s: %s\n", msg, errmsg); - krb5_free_error_message(context, errmsg); - exit(1); - } -} - -void -errout(const char *msg) -{ - fprintf(stderr, "%s\n", msg); - exit(1); -} - -gss_name_t -import_name(const char *str) -{ - OM_uint32 major, minor; - gss_name_t name; - gss_buffer_desc buf; - gss_OID nametype = NULL; - - if (*str == 'u') - nametype = GSS_C_NT_USER_NAME; - else if (*str == 'p') - nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME; - else if (*str == 'e') - nametype = (gss_OID)GSS_KRB5_NT_ENTERPRISE_NAME; - else if (*str == 'c') - nametype = (gss_OID)GSS_KRB5_NT_X509_CERT; - else if (*str == 'h') - nametype = GSS_C_NT_HOSTBASED_SERVICE; - if (nametype == NULL || str[1] != ':') - errout("names must begin with u: or p: or e: or c: or h:"); - buf.value = (char *)str + 2; - 
buf.length = strlen(str) - 2; - major = gss_import_name(&minor, &buf, nametype, &name); - check_gsserr("gss_import_name", major, minor); - return name; -} - -void -establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred, - gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ictx, - gss_ctx_id_t *actx, gss_name_t *src_name, gss_OID *amech, - gss_cred_id_t *deleg_cred) -{ - establish_contexts_ex(imech, icred, acred, tname, flags, ictx, actx, - GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_CHANNEL_BINDINGS, - NULL, src_name, amech, deleg_cred); -} - -void -establish_contexts_ex(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred, - gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ictx, - gss_ctx_id_t *actx, gss_channel_bindings_t icb, - gss_channel_bindings_t acb, OM_uint32 *aret_flags, - gss_name_t *src_name, gss_OID *amech, - gss_cred_id_t *deleg_cred) -{ - OM_uint32 minor, imaj, amaj; - gss_buffer_desc itok, atok; - - *ictx = *actx = GSS_C_NO_CONTEXT; - imaj = amaj = GSS_S_CONTINUE_NEEDED; - itok.value = atok.value = NULL; - itok.length = atok.length = 0; - for (;;) { - (void)gss_release_buffer(&minor, &itok); - imaj = gss_init_sec_context(&minor, icred, ictx, tname, imech, flags, - GSS_C_INDEFINITE, icb, &atok, NULL, &itok, - NULL, NULL); - check_gsserr("gss_init_sec_context", imaj, minor); - if (amaj == GSS_S_COMPLETE) - break; - - (void)gss_release_buffer(&minor, &atok); - amaj = gss_accept_sec_context(&minor, actx, acred, &itok, acb, - src_name, amech, &atok, aret_flags, NULL, - deleg_cred); - check_gsserr("gss_accept_sec_context", amaj, minor); - (void)gss_release_buffer(&minor, &itok); - if (imaj == GSS_S_COMPLETE) - break; - } - - if (imaj != GSS_S_COMPLETE || amaj != GSS_S_COMPLETE) - errout("One side wants to continue after the other is done"); - - (void)gss_release_buffer(&minor, &itok); - (void)gss_release_buffer(&minor, &atok); -} - -void -export_import_cred(gss_cred_id_t *cred) -{ - OM_uint32 major, minor; - gss_buffer_desc buf; - - major = 
gss_export_cred(&minor, *cred, &buf); - check_gsserr("gss_export_cred", major, minor); - (void)gss_release_cred(&minor, cred); - major = gss_import_cred(&minor, &buf, cred); - check_gsserr("gss_import_cred", major, minor); - (void)gss_release_buffer(&minor, &buf); -} - -void -display_canon_name(const char *tag, gss_name_t name, gss_OID mech) -{ - gss_name_t canon; - OM_uint32 major, minor; - gss_buffer_desc buf; - - major = gss_canonicalize_name(&minor, name, mech, &canon); - check_gsserr("gss_canonicalize_name", major, minor); - - major = gss_display_name(&minor, canon, &buf, NULL); - check_gsserr("gss_display_name", major, minor); - - printf("%s:\t%.*s\n", tag, (int)buf.length, (char *)buf.value); - - (void)gss_release_name(&minor, &canon); - (void)gss_release_buffer(&minor, &buf); -} - -void -display_oid(const char *tag, gss_OID oid) -{ - OM_uint32 major, minor; - gss_buffer_desc buf; - - major = gss_oid_to_str(&minor, oid, &buf); - check_gsserr("gss_oid_to_str", major, minor); - if (tag != NULL) - printf("%s:\t", tag); - printf("%.*s\n", (int)buf.length, (char *)buf.value); - (void)gss_release_buffer(&minor, &buf); -} - -static void -dump_attribute(gss_name_t name, gss_buffer_t attribute, int noisy) -{ - OM_uint32 major, minor; - gss_buffer_desc value; - gss_buffer_desc display_value; - int authenticated = 0; - int complete = 0; - int more = -1; - unsigned int i; - - while (more != 0) { - value.value = NULL; - display_value.value = NULL; - - major = gss_get_name_attribute(&minor, name, attribute, &authenticated, - &complete, &value, &display_value, - &more); - check_gsserr("gss_get_name_attribute", major, minor); - - printf("Attribute %.*s %s %s\n\n%.*s\n", - (int)attribute->length, (char *)attribute->value, - authenticated ? "Authenticated" : "", - complete ? 
"Complete" : "", - (int)display_value.length, (char *)display_value.value); - - if (noisy) { - for (i = 0; i < value.length; i++) { - if ((i % 32) == 0) - printf("\n"); - printf("%02x", ((char *)value.value)[i] & 0xFF); - } - printf("\n\n"); - } - - (void)gss_release_buffer(&minor, &value); - (void)gss_release_buffer(&minor, &display_value); - } -} - -void -enumerate_attributes(gss_name_t name, int noisy) -{ - OM_uint32 major, minor; - int is_mechname; - gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET; - size_t i; - - major = gss_inquire_name(&minor, name, &is_mechname, NULL, &attrs); - check_gsserr("gss_inquire_name", major, minor); - - if (attrs != GSS_C_NO_BUFFER_SET) { - for (i = 0; i < attrs->count; i++) - dump_attribute(name, &attrs->elements[i], noisy); - } - - (void)gss_release_buffer_set(&minor, &attrs); -} - -void -print_hex(FILE *fp, gss_buffer_t buf) -{ - size_t i; - const unsigned char *bytes = buf->value; - - for (i = 0; i < buf->length; i++) - printf("%02X", bytes[i]); - printf("\n"); -} diff --git a/crypto/krb5/src/tests/gssapi/common.h b/crypto/krb5/src/tests/gssapi/common.h deleted file mode 100644 index a5c8f87e6ef6..000000000000 --- a/crypto/krb5/src/tests/gssapi/common.h +++ /dev/null 
@@ -1,90 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/common.h - Declarations for GSSAPI test utility functions */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef COMMON_H -#define COMMON_H - -#include <gssapi/gssapi_krb5.h> - -extern gss_OID_desc mech_krb5; -extern gss_OID_desc mech_spnego; -extern gss_OID_desc mech_iakerb; -extern gss_OID_set_desc mechset_krb5; -extern gss_OID_set_desc mechset_spnego; -extern gss_OID_set_desc mechset_iakerb; - -/* Display an error message (containing msg) and exit if major is an error. 
*/ -void check_gsserr(const char *msg, OM_uint32 major, OM_uint32 minor); - -/* Display an error message (containing msg) and exit if code is an error. */ -void check_k5err(krb5_context context, const char *msg, krb5_error_code code); - -/* Display an error message containing msg and exit. */ -void errout(const char *msg); - -/* Import a GSSAPI name based on a string of the form 'u:username', - * 'p:principalname', or 'h:host@service' (or just 'h:service'). */ -gss_name_t import_name(const char *str); - -/* Establish contexts using gss_init_sec_context and gss_accept_sec_context. */ -void establish_contexts(gss_OID imech, gss_cred_id_t icred, - gss_cred_id_t acred, gss_name_t tname, OM_uint32 flags, - gss_ctx_id_t *ictx, gss_ctx_id_t *actx, - gss_name_t *src_name, gss_OID *amech, - gss_cred_id_t *deleg_cred); - -/* Establish contexts with channel bindings. */ -void establish_contexts_ex(gss_OID imech, gss_cred_id_t icred, - gss_cred_id_t acred, gss_name_t tname, - OM_uint32 flags, gss_ctx_id_t *ictx, - gss_ctx_id_t *actx, gss_channel_bindings_t icb, - gss_channel_bindings_t acb, OM_uint32 *aret_flags, - gss_name_t *src_name, gss_OID *amech, - gss_cred_id_t *deleg_cred); - -/* Export *cred to a token, then release *cred and replace it by re-importing - * the token. */ -void export_import_cred(gss_cred_id_t *cred); - -/* Display name as canonicalized to mech, preceded by tag. */ -void display_canon_name(const char *tag, gss_name_t name, gss_OID mech); - -/* Display oid in printable form, preceded by tag (if not NULL). */ -void display_oid(const char *tag, gss_OID oid); - -/* Display attributes of name, including hex value if noisy is true. */ -void enumerate_attributes(gss_name_t name, int noisy); - -/* Display the contents of buf to fp in hex, followed by a newline. */ -void print_hex(FILE *fp, gss_buffer_t buf); - -#endif /* COMMON_H */ 
diff --git a/crypto/krb5/src/tests/gssapi/deps b/crypto/krb5/src/tests/gssapi/deps
deleted file mode 100644
index 2c55fa51799f..000000000000
--- a/crypto/krb5/src/tests/gssapi/deps
+++ /dev/null
@@ -1,203 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)ccinit.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h ccinit.c -$(OUTPRE)ccrefresh.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h ccrefresh.c -$(OUTPRE)common.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.c common.h -$(OUTPRE)reload.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - reload.c -$(OUTPRE)t_accname.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h 
$(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_accname.c -$(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_add_cred.c -$(OUTPRE)t_bindings.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_bindings.c -$(OUTPRE)t_ccselect.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_ccselect.c -$(OUTPRE)t_ciflags.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_ciflags.c -$(OUTPRE)t_context.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_context.c -$(OUTPRE)t_credstore.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_credstore.c -$(OUTPRE)t_enctypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ - $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h \ - 
$(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - common.h t_enctypes.c -$(OUTPRE)t_err.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_err.c -$(OUTPRE)t_export_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_export_cred.c -$(OUTPRE)t_export_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_export_name.c -$(OUTPRE)t_gssexts.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_gssexts.c -$(OUTPRE)t_iakerb.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_iakerb.c -$(OUTPRE)t_imp_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ - 
$(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - common.h t_imp_cred.c -$(OUTPRE)t_imp_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_imp_name.c -$(OUTPRE)t_invalid.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_alloc.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ - $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(COM_ERR_DEPS) \ - $(srcdir)/../../lib/gssapi/generic/gssapiP_generic.h \ - $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h $(srcdir)/../../lib/gssapi/generic/gssapi_generic.h \ - $(srcdir)/../../lib/gssapi/krb5/gssapiP_krb5.h $(srcdir)/../../lib/gssapi/krb5/gssapi_krb5.h \ - $(srcdir)/../../lib/gssapi/mechglue/mechglue.h $(srcdir)/../../lib/gssapi/mechglue/mglueP.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h common.h t_invalid.c -$(OUTPRE)t_inq_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h 
$(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_inq_cred.c -$(OUTPRE)t_inq_ctx.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_inq_ctx.c -$(OUTPRE)t_inq_mechs_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_inq_mechs_name.c -$(OUTPRE)t_iov.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_iov.c -$(OUTPRE)t_lifetime.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_lifetime.c -$(OUTPRE)t_namingexts.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_namingexts.c -$(OUTPRE)t_oid.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_oid.c -$(OUTPRE)t_pcontok.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ - $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - 
$(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - common.h t_pcontok.c -$(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_alloc.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ - $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(COM_ERR_DEPS) \ - $(srcdir)/../../lib/gssapi/generic/gssapiP_generic.h \ - $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h $(srcdir)/../../lib/gssapi/generic/gssapi_generic.h \ - $(srcdir)/../../lib/gssapi/krb5/gssapiP_krb5.h $(srcdir)/../../lib/gssapi/krb5/gssapi_krb5.h \ - $(srcdir)/../../lib/gssapi/mechglue/mechglue.h $(srcdir)/../../lib/gssapi/mechglue/mglueP.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ - $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - common.h t_prf.c -$(OUTPRE)t_s4u.$(OBJEXT): 
$(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_s4u.c -$(OUTPRE)t_s4u2proxy_krb5.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_s4u2proxy_krb5.c -$(OUTPRE)t_saslname.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_saslname.c -$(OUTPRE)t_spnego.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_spnego.c -$(OUTPRE)t_srcattrs.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - common.h t_srcattrs.c -$(OUTPRE)t_store_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ - $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - common.h t_store_cred.c diff --git a/crypto/krb5/src/tests/gssapi/reload.c b/crypto/krb5/src/tests/gssapi/reload.c deleted file mode 100644 index 00bda3233098..000000000000 --- a/crypto/krb5/src/tests/gssapi/reload.c +++ /dev/null 
@@ -1,83 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/reload.c - test loading libgssapi_krb5 twice */ -/* - * Copyright (C) 2020 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This is a regression test for ticket #8614. It ensures that libgssapi_krb5 - * can be loaded multiple times in the same process when libkrb5support is held - * open by another library. - */ - -#include <gssapi/gssapi.h> -#include <stdio.h> -#include <dlfcn.h> -#include <assert.h> - -/* Load libgssapi_krb5, briefly use it (to force the initializer to run), and - * close it. 
*/ -static void -load_gssapi(void) -{ - void *gssapi; - OM_uint32 (*indmechs)(OM_uint32 *, gss_OID_set *); - OM_uint32 (*reloidset)(OM_uint32 *, gss_OID_set *); - OM_uint32 major, minor; - gss_OID_set mechs; - - gssapi = dlopen("libgssapi_krb5.so", RTLD_NOW | RTLD_LOCAL); - assert(gssapi != NULL); - indmechs = dlsym(gssapi, "gss_indicate_mechs"); - reloidset = dlsym(gssapi, "gss_release_oid_set"); - assert(indmechs != NULL && reloidset != NULL); - major = (*indmechs)(&minor, &mechs); - assert(major == 0); - (*reloidset)(&minor, &mechs); - dlclose(gssapi); -} - -int -main(void) -{ - void *support; - - /* Hold open libkrb5support to ensure that thread-local state remains */ - support = dlopen("libkrb5support.so", RTLD_NOW | RTLD_LOCAL); - if (support == NULL) { - fprintf(stderr, "Error loading libkrb5support: %s\n", dlerror()); - return 1; - } - - load_gssapi(); - load_gssapi(); - - dlclose(support); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/t_accname.c b/crypto/krb5/src/tests/gssapi/t_accname.c deleted file mode 100644 index 30b5db54f3ae..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_accname.c +++ /dev/null 
@@ -1,93 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 2011 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "common.h"
-
-/*
- * Test program for acceptor names, intended to be run from a Python test
- * script. Establishes contexts with the default initiator name, a specified
- * principal name as target name, and a specified host-based name as acceptor
- * name (or GSS_C_NO_NAME if no acceptor name is given). If the exchange is
- * successful, queries the context for the acceptor name and prints it. If any
- * call is unsuccessful, displays an error message. Exits with status 0 if all
- * operations are successful, or 1 if not.
- *
- * Usage: ./t_accname targetname [acceptorname]
- */
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major, flags;
- gss_cred_id_t acceptor_cred;
- gss_name_t target_name, acceptor_name = GSS_C_NO_NAME, real_acceptor_name;
- gss_buffer_desc namebuf;
- gss_ctx_id_t initiator_context, acceptor_context;
-
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s targetname [acceptorname]\n", argv[0]);
- return 1;
- }
-
- /* Import target and acceptor names. */
- target_name = import_name(argv[1]);
- if (argc >= 3)
- acceptor_name = import_name(argv[2]);
-
- /* Get acceptor cred. */
- major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
- &acceptor_cred, NULL, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, acceptor_cred,
- target_name, flags, &initiator_context,
- &acceptor_context, NULL, NULL, NULL);
-
- major = gss_inquire_context(&minor, acceptor_context, NULL,
- &real_acceptor_name, NULL, NULL, NULL, NULL,
- NULL);
- check_gsserr("gss_inquire_context", major, minor);
-
- namebuf.value = NULL;
- namebuf.length = 0;
- major = gss_display_name(&minor, real_acceptor_name, &namebuf, NULL);
- check_gsserr("gss_display_name", major, minor);
-
- printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value);
-
- (void)gss_release_name(&minor, &target_name);
- (void)gss_release_name(&minor, &acceptor_name);
- (void)gss_release_name(&minor, &real_acceptor_name);
- (void)gss_release_cred(&minor, &acceptor_cred);
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- (void)gss_release_buffer(&minor, &namebuf);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_add_cred.c b/crypto/krb5/src/tests/gssapi/t_add_cred.c
deleted file mode 100644
index 7ab52d64496d..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_add_cred.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_add_cred.c - gss_add_cred() tests */
-/*
- * Copyright (C) 2018 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This program tests the mechglue behavior of gss_add_cred(). It relies on a
- * krb5 keytab and credentials being present so that initiator and acceptor
- * credentials can be acquired, but does not use them to initiate or accept any
- * requests.
- */
-
-#include <stdio.h>
-#include <assert.h>
-
-#include "common.h"
-
-int
-main(void)
-{
- OM_uint32 minor, major;
- gss_cred_id_t cred1, cred2;
- gss_cred_usage_t usage;
- gss_name_t name;
-
- /* Check that we get the expected error if we pass neither an input nor an
- * output cred handle. */
- major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
- &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE,
- GSS_C_INDEFINITE, NULL, NULL, NULL, NULL);
- assert(major == (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED));
-
- /* Regression test for #8737: make sure that desired_name is honored when
- * creating a credential by passing in a non-matching name. */
- name = import_name("p:does/not/match@WRONG_REALM");
- major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, name, &mech_krb5,
- GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
- &cred1, NULL, NULL, NULL);
- assert(major == GSS_S_NO_CRED);
- gss_release_name(&minor, &name);
-
- /* Create cred1 with a krb5 initiator cred by passing an output handle but
- * no input handle. */
- major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
- &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE,
- GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL);
- assert(major == GSS_S_COMPLETE);
-
- /* Verify that cred1 has the expected mechanism creds. */
- major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE);
- major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_NO_CRED);
-
- /* Check that we get the expected error if we try to add another krb5 mech
- * cred to cred1. */
- major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_krb5,
- GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
- NULL, NULL, NULL, NULL);
- assert(major == GSS_S_DUPLICATE_ELEMENT);
-
- /* Add an IAKERB acceptor mech cred to cred1. */
- major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb,
- GSS_C_ACCEPT, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
- NULL, NULL, NULL, NULL);
- assert(major == GSS_S_COMPLETE);
-
- /* Verify cred1 mechanism creds. */
- major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE);
- major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT);
-
- /* Start over with another new cred. */
- gss_release_cred(&minor, &cred1);
- major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,
- &mech_krb5, GSS_C_ACCEPT, GSS_C_INDEFINITE,
- GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL);
- assert(major == GSS_S_COMPLETE);
-
- /* Create an expanded cred by passing both an output handle and an input
- * handle. */
- major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb,
- GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
- &cred2, NULL, NULL, NULL);
- assert(major == GSS_S_COMPLETE);
-
- /* Verify mechanism creds in cred1 and cred2. */
- major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT);
- major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_NO_CRED);
- major = gss_inquire_cred_by_mech(&minor, cred2, &mech_krb5, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT);
- major = gss_inquire_cred_by_mech(&minor, cred2, &mech_iakerb, NULL, NULL,
- NULL, &usage);
- assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE);
-
- gss_release_cred(&minor, &cred1);
- gss_release_cred(&minor, &cred2);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_authind.py b/crypto/krb5/src/tests/gssapi/t_authind.py
deleted file mode 100644
index e9f129de6645..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_authind.py
+++ /dev/null
@@ -1,51 +0,0 @@
-from k5test import *
-
-# Test authentication indicators. Load the test preauth module so we
-# can control the indicators asserted.
-testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
-conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
- 'clpreauth': {'module': 'test:' + testpreauth}}}
-realm = K5Realm(krb5_conf=conf)
-realm.run([kadminl, 'addprinc', '-randkey', 'service/1'])
-realm.run([kadminl, 'addprinc', '-randkey', 'service/2'])
-realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
-realm.run([kadminl, 'setstr', 'service/1', 'require_auth', 'superstrong'])
-realm.run([kadminl, 'setstr', 'service/2', 'require_auth', 'one two'])
-realm.run([kadminl, 'xst', 'service/1'])
-realm.run([kadminl, 'xst', 'service/2'])
-
-realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=superstrong'])
-out = realm.run(['./t_srcattrs', 'p:service/1'])
-if ('Attribute auth-indicators Authenticated Complete') not in out:
- fail('Expected attribute type data not seen')
-# UTF8 "superstrong"
-if '73757065727374726f6e67' not in out:
- fail('Expected auth indicator not seen in name attributes')
-
-msg = 'gss_init_sec_context: KDC policy rejects request'
-realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1, expected_msg=msg)
-
-realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two'])
-out = realm.run(['./t_srcattrs', 'p:service/2'])
-# Hexadecimal "one" and "two"
-if '6f6e65' not in out or '74776f' not in out:
- fail('Expected auth indicator not seen in name attributes')
-
-realm.stop()
-
-# Test the FAST encrypted challenge auth indicator.
-kdcconf = {'realms': {'$realm': {'encrypted_challenge_indicator': 'fast'}}}
-realm = K5Realm(kdc_conf=kdcconf)
-realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
-realm.run([kadminl, 'xst', realm.host_princ])
-realm.kinit(realm.user_princ, password('user'))
-realm.kinit(realm.user_princ, password('user'), ['-T', realm.ccache])
-out = realm.run(['./t_srcattrs', 'p:' + realm.host_princ])
-if ('Attribute auth-indicators Authenticated Complete') not in out:
- fail('Expected attribute type not seen')
-if '66617374' not in out:
- fail('Expected auth indicator not seen in name attributes')
-
-realm.stop()
-success('GSSAPI auth indicator tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_bindings.c b/crypto/krb5/src/tests/gssapi/t_bindings.c
deleted file mode 100644
index 3d6a70acfe51..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_bindings.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 2020 by Red Hat, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-
-#include "common.h"
-
-/*
- * Establish contexts (without and with GSS_C_DCE_STYLE) with the default
- * initiator name, a specified principal name as target name, initiator
- * bindings, and acceptor bindings. If any call is unsuccessful, display an
- * error message. Output "yes" or "no" to indicate whether the contexts were
- * reported as channel-bound on the acceptor. Exit with status 0 if all
- * operations are successful, or 1 if not.
- *
- * Usage: ./t_bindings [-s] [-b] targetname icb acb
- *
- * An icb or abc value of "-" will not specify channel bindings. The -s flag
- * uses the SPNEGO mechanism instead of the krb5 mecanism. The -b flag
- * includes GSS_C_CHANNEL_BOUND in req_flags, which requests strict enforcement
- * of channel bindings by the acceptor.
- */
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 client_flags = 0;
- OM_uint32 minor, flags1, flags2;
- gss_name_t target_name;
- gss_ctx_id_t ictx, actx;
- struct gss_channel_bindings_struct icb_data = {0}, acb_data = {0};
- gss_channel_bindings_t icb = GSS_C_NO_CHANNEL_BINDINGS;
- gss_channel_bindings_t acb = GSS_C_NO_CHANNEL_BINDINGS;
- gss_OID_desc *mech = GSS_C_NO_OID;
-
- argv++;
- argc--;
-
- if (*argv != NULL && strcmp(*argv, "-s") == 0) {
- mech = &mech_spnego;
- argv++;
- argc--;
- }
-
- if (*argv != NULL && strcmp(*argv, "-b") == 0) {
- client_flags |= GSS_C_CHANNEL_BOUND_FLAG;
- argv++;
- argc--;
- }
-
- if (mech == GSS_C_NO_OID)
- mech = &mech_krb5;
-
- if (argc != 3) {
- fprintf(stderr, "Usage: t_bindings [-s] [-b] targetname icb acb\n");
- return 1;
- }
-
- target_name = import_name(argv[0]);
-
- if (strcmp(argv[1], "-") != 0) {
- icb_data.application_data.length = strlen(argv[1]);
- icb_data.application_data.value = argv[1];
- icb = &icb_data;
- }
-
- if (strcmp(argv[2], "-") != 0) {
- acb_data.application_data.length = strlen(argv[2]);
- acb_data.application_data.value = argv[2];
- acb = &acb_data;
- }
-
- establish_contexts_ex(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- target_name, client_flags, &ictx, &actx, icb, acb,
- &flags1, NULL, NULL, NULL);
-
- /* Try again with GSS_C_DCE_STYLE */
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-
- client_flags |= GSS_C_DCE_STYLE;
- establish_contexts_ex(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- target_name, client_flags, &ictx, &actx, icb, acb,
- &flags2, NULL, NULL, NULL);
- assert((flags1 & GSS_C_CHANNEL_BOUND_FLAG) ==
- (flags2 & GSS_C_CHANNEL_BOUND_FLAG));
- printf("%s\n", (flags1 & GSS_C_CHANNEL_BOUND_FLAG) ? "yes" : "no");
-
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
- (void)gss_release_name(&minor, &target_name);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_bindings.py b/crypto/krb5/src/tests/gssapi/t_bindings.py
deleted file mode 100644
index 1bb496629b82..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_bindings.py
+++ /dev/null
@@ -1,61 +0,0 @@
-from k5test import *
-
-realm = K5Realm()
-server = 'p:' + realm.host_princ
-
-mark('krb5 channel bindings')
-realm.run(['./t_bindings', server, '-', '-'], expected_msg='no')
-realm.run(['./t_bindings', server, 'a', '-'], expected_msg='no')
-realm.run(['./t_bindings', server, 'a', 'a'], expected_msg='yes')
-realm.run(['./t_bindings', server, '-', 'a'], expected_msg='no')
-realm.run(['./t_bindings', server, 'a', 'x'],
- expected_code=1, expected_msg='Incorrect channel bindings')
-
-mark('SPNEGO channel bindings')
-realm.run(['./t_bindings', '-s', server, '-', '-'], expected_msg='no')
-realm.run(['./t_bindings', '-s', server, 'a', '-'], expected_msg='no')
-realm.run(['./t_bindings', '-s', server, 'a', 'a'], expected_msg='yes')
-realm.run(['./t_bindings', '-s', server, '-', 'a'], expected_msg='no')
-realm.run(['./t_bindings', '-s', server, 'a', 'x'],
- expected_code=1, expected_msg='Incorrect channel bindings')
-
-client_aware_conf = {'libdefaults': {'client_aware_channel_bindings': 'true'}}
-e = realm.special_env('cb_aware', False, krb5_conf=client_aware_conf)
-
-mark('krb5 client_aware_channel_bindings')
-realm.run(['./t_bindings', server, '-', '-'], env=e, expected_msg='no')
-realm.run(['./t_bindings', server, 'a', '-'], env=e, expected_msg='no')
-realm.run(['./t_bindings', server, 'a', 'a'], env=e, expected_msg='yes')
-realm.run(['./t_bindings', server, '-', 'a'], env=e,
- expected_code=1, expected_msg='Incorrect channel bindings')
-realm.run(['./t_bindings', server, 'a', 'x'], env=e,
- expected_code=1, expected_msg='Incorrect channel bindings')
-
-mark('SPNEGO client_aware_channel_bindings')
-realm.run(['./t_bindings', '-s', server, '-', '-'], env=e, expected_msg='no')
-realm.run(['./t_bindings', '-s', server, 'a', '-'], env=e, expected_msg='no')
-realm.run(['./t_bindings', '-s', server, 'a', 'a'], env=e, expected_msg='yes')
-realm.run(['./t_bindings', '-s', server, '-', 'a'], env=e,
- expected_code=1, expected_msg='Incorrect channel bindings')
-realm.run(['./t_bindings', '-s', server, 'a', 'x'], env=e,
- expected_code=1, expected_msg='Incorrect channel bindings')
-
-mark('krb5 GSS_C_CHANNEL_BOUND_FLAG initiator input flag')
-realm.run(['./t_bindings', '-b', server, '-', '-'], expected_msg='no')
-realm.run(['./t_bindings', '-b', server, 'a', '-'], expected_msg='no')
-realm.run(['./t_bindings', '-b', server, 'a', 'a'], expected_msg='yes')
-realm.run(['./t_bindings', '-b', server, '-', 'a'],
- expected_code=1, expected_msg='Incorrect channel bindings')
-realm.run(['./t_bindings', '-b', server, 'a', 'x'],
- expected_code=1, expected_msg='Incorrect channel bindings')
-
-mark('SPNEGO GSS_C_CHANNEL_BOUND_FLAG initiator input flag')
-realm.run(['./t_bindings', '-s', '-b', server, '-', '-'], expected_msg='no')
-realm.run(['./t_bindings', '-s', '-b', server, 'a', '-'], expected_msg='no')
-realm.run(['./t_bindings', '-s', '-b', server, 'a', 'a'], expected_msg='yes')
-realm.run(['./t_bindings', '-s', '-b', server, '-', 'a'],
- expected_code=1, expected_msg='Incorrect channel bindings')
-realm.run(['./t_bindings', '-s', '-b', server, 'a', 'x'],
- expected_code=1, expected_msg='Incorrect channel bindings')
-
-success('channel bindings tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_ccselect.c b/crypto/krb5/src/tests/gssapi/t_ccselect.c
deleted file mode 100644
index cc4f73a1f1c5..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_ccselect.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_ccselect.c - Test program for GSSAPI cred selection */
-/*
- * Copyright 2011 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "common.h"
-
-/*
- * Test program for client credential selection, intended to be run from a
- * Python test script. Establishes contexts with an optionally specified
- * initiator name, a specified target name, and the default acceptor cred. If
- * the exchange is successful, prints the initiator name as seen by the
- * acceptor. If any call is unsuccessful, displays an error message. Exits
- * with status 0 if all operations are successful, or 1 if not.
- *
- * Usage: ./t_ccselect targetname [initiatorname|-]
- */
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major, flags;
- gss_cred_id_t initiator_cred = GSS_C_NO_CREDENTIAL;
- gss_name_t target_name, initiator_name = GSS_C_NO_NAME;
- gss_name_t real_initiator_name;
- gss_buffer_desc namebuf;
- gss_ctx_id_t initiator_context, acceptor_context;
-
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s targetname [initiatorname|-]\n", argv[0]);
- return 1;
- }
-
- target_name = import_name(argv[1]);
-
- if (argc >= 3) {
- /* Get initiator cred. */
- if (strcmp(argv[2], "-") != 0)
- initiator_name = import_name(argv[2]);
- major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_INITIATE,
- &initiator_cred, NULL, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
- }
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_krb5, initiator_cred, GSS_C_NO_CREDENTIAL,
- target_name, flags, &initiator_context,
- &acceptor_context, &real_initiator_name, NULL, NULL);
-
- namebuf.value = NULL;
- namebuf.length = 0;
- major = gss_display_name(&minor, real_initiator_name, &namebuf, NULL);
- check_gsserr("gss_display_name(initiator)", major, minor);
- printf("%.*s\n", (int)namebuf.length, (char *)namebuf.value);
-
- (void)gss_release_name(&minor, &target_name);
- (void)gss_release_name(&minor, &initiator_name);
- (void)gss_release_name(&minor, &real_initiator_name);
- (void)gss_release_cred(&minor, &initiator_cred);
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- (void)gss_release_buffer(&minor, &namebuf);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_ccselect.py b/crypto/krb5/src/tests/gssapi/t_ccselect.py
deleted file mode 100755
index c93be672d75c..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_ccselect.py
+++ /dev/null
@@ -1,164 +0,0 @@
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-
-# Create two independent realms (no cross-realm TGTs). For the
-# fallback realm tests we need to control the precise server hostname,
-# so turn off DNS canonicalization and shortname qualification.
-conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
- 'qualify_shortname': ''}}
-r1 = K5Realm(create_user=False, krb5_conf=conf)
-r2 = K5Realm(create_user=False, krb5_conf=conf, realm='KRBTEST2.COM',
- portbase=62000, testdir=os.path.join(r1.testdir, 'r2'))
-
-host1 = 'p:' + r1.host_princ
-host2 = 'p:' + r2.host_princ
-foo = 'foo.krbtest.com'
-foo2 = 'foo.krbtest2.com'
-foobar = "foo.bar.krbtest.com"
-
-# These strings specify the target as a GSS name. The resulting
-# principal will have the host-based type, with the referral realm
-# (since k5test realms have no domain-realm mapping by default).
-# krb5_cc_select() will use the fallback realm, which is either the
-# uppercased parent domain, or the default realm if the hostname is a
-# single component.
-gssserver = 'h:host@' + foo
-gssserver2 = 'h:host@' + foo2
-gssserver_bar = 'h:host@' + foobar
-gsslocal = 'h:host@localhost'
-
-# refserver specifies the target as a principal in the referral realm.
-# The principal won't be treated as a host principal by the
-# .k5identity rules since it has unknown type.
-refserver = 'p:host/' + hostname + '@'
-
-# Verify that we can't get initiator creds with no credentials in the
-# collection.
-r1.run(['./t_ccselect', host1, '-'], expected_code=1,
- expected_msg='No Kerberos credentials available')
-
-# Make a directory collection and use it for client commands in both realms.
-ccdir = os.path.join(r1.testdir, 'cc')
-ccname = 'DIR:' + ccdir
-r1.env['KRB5CCNAME'] = ccname
-r2.env['KRB5CCNAME'] = ccname
-
-# Use .k5identity from testdir and not from the tester's homedir.
-r1.env['HOME'] = r1.testdir
-r2.env['HOME'] = r1.testdir
-
-# Create two users in r1 and one in r2.
-alice='alice@KRBTEST.COM'
-bob='bob@KRBTEST.COM'
-zaphod='zaphod@KRBTEST2.COM'
-r1.addprinc(alice, password('alice'))
-r1.addprinc(bob, password('bob'))
-r2.addprinc(zaphod, password('zaphod'))
-
-# Create host principals and keytabs for fallback realm tests.
-if hostname != 'localhost':
- r1.addprinc('host/localhost')
- r2.addprinc('host/localhost')
-r1.addprinc('host/' + foo)
-r2.addprinc('host/' + foo2)
-r1.addprinc('host/' + foobar)
-r1.extract_keytab('host/localhost', r1.keytab)
-r2.extract_keytab('host/localhost', r2.keytab)
-r1.extract_keytab('host/' + foo, r1.keytab)
-r2.extract_keytab('host/' + foo2, r2.keytab)
-r1.extract_keytab('host/' + foobar, r1.keytab)
-
-# Get tickets for one user in each realm (zaphod will be primary).
-r1.kinit(alice, password('alice'))
-r2.kinit(zaphod, password('zaphod'))
-
-# Check that we can find a cache for a specified client principal.
-output = r1.run(['./t_ccselect', host1, 'p:' + alice])
-if output != (alice + '\n'):
- fail('alice not chosen when specified')
-output = r2.run(['./t_ccselect', host2, 'p:' + zaphod])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen when specified')
-
-# Check that we can guess a cache based on the service realm.
-output = r1.run(['./t_ccselect', host1])
-if output != (alice + '\n'):
- fail('alice not chosen as default initiator cred for server in r1')
-output = r1.run(['./t_ccselect', host1, '-'])
-if output != (alice + '\n'):
- fail('alice not chosen as default initiator name for server in r1')
-output = r2.run(['./t_ccselect', host2])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen as default initiator cred for server in r1')
-output = r2.run(['./t_ccselect', host2, '-'])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen as default initiator name for server in r1')
-
-# Check that primary cache is used if server realm is unknown.
-output = r2.run(['./t_ccselect', refserver])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen via primary cache for unknown server realm')
-r1.run(['./t_ccselect', gssserver2], expected_code=1)
-# Check ccache selection using a fallback realm.
-output = r1.run(['./t_ccselect', gssserver])
-if output != (alice + '\n'):
- fail('alice not chosen via parent domain fallback')
-output = r2.run(['./t_ccselect', gssserver2])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen via parent domain fallback')
-# Check ccache selection using a fallback realm (default realm).
-output = r1.run(['./t_ccselect', gsslocal])
-if output != (alice + '\n'):
- fail('alice not chosen via default realm fallback')
-output = r2.run(['./t_ccselect', gsslocal])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen via default realm fallback')
-
-# Check that realm ccselect fallback works correctly
-r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
-r2.kinit(zaphod, password('zaphod'))
-r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
-
-# Get a second cred in r1 (bob will be primary).
-r1.kinit(bob, password('bob'))
-
-# Try some cache selections using .k5identity.
-k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
-k5id.write('%s realm=%s\n' % (alice, r1.realm))
-k5id.write('%s service=ho*t host=localhost\n' % zaphod)
-k5id.write('noprinc service=bogus')
-k5id.close()
-output = r1.run(['./t_ccselect', host1])
-if output != (alice + '\n'):
- fail('alice not chosen via .k5identity realm line.')
-output = r2.run(['./t_ccselect', gsslocal])
-if output != (zaphod + '\n'):
- fail('zaphod not chosen via .k5identity service/host line.')
-output = r1.run(['./t_ccselect', refserver])
-if output != (bob + '\n'):
- fail('bob not chosen via primary cache when no .k5identity line matches.')
-r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1,
- expected_msg="Can't find client principal noprinc")
-
-success('GSSAPI credential selection tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_ciflags.c b/crypto/krb5/src/tests/gssapi/t_ciflags.c
deleted file mode 100644
index 315062c9e74a..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_ciflags.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_ciflags.c - GSS_KRB5_CRED_NO_CI_FLAGS_X tests */
-/*
- * Copyright (C) 2015 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <assert.h>
-
-#include "common.h"
-
-static void
-flagtest(gss_OID mech, gss_cred_id_t icred, gss_name_t tname,
- OM_uint32 inflags, OM_uint32 expflags)
-{
- gss_ctx_id_t ictx, actx;
- OM_uint32 major, minor, flags;
-
- establish_contexts(mech, icred, GSS_C_NO_CREDENTIAL, tname, inflags, &ictx,
- &actx, NULL, NULL, NULL);
-
- major = gss_inquire_context(&minor, actx, NULL, NULL, NULL, NULL, &flags,
- NULL, NULL);
- check_gsserr("gss_inquire_context", major, minor);
- assert(flags == expflags);
-
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major;
- gss_cred_id_t icred;
- gss_name_t tname;
- gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: %s targetname\n", argv[0]);
- return 1;
- }
- tname = import_name(argv[1]);
-
- /* With no flags, the initiator asserts conf, integ, trans */
- flagtest(&mech_krb5, GSS_C_NO_CREDENTIAL, tname, 0,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_spnego, GSS_C_NO_CREDENTIAL, tname, 0,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
-
- /* The initiator also asserts most flags specified by the caller. */
- flagtest(&mech_krb5, GSS_C_NO_CREDENTIAL, tname, GSS_C_SEQUENCE_FLAG,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG |
- GSS_C_SEQUENCE_FLAG);
- flagtest(&mech_spnego, GSS_C_NO_CREDENTIAL, tname, GSS_C_SEQUENCE_FLAG,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG |
- GSS_C_SEQUENCE_FLAG);
-
- /* Get a normal initiator cred and re-test with no flags. */
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_INITIATE, &icred, NULL,
- NULL);
- check_gsserr("gss_acquire_cred", major, minor);
- flagtest(&mech_krb5, icred, tname, 0,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_spnego, icred, tname, 0,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
-
- /* Suppress confidentiality and integrity flags on the initiator cred and
- * check that they are suppressed, but can still be asserted explicitly. */
- major = gss_set_cred_option(&minor, &icred,
- (gss_OID)GSS_KRB5_CRED_NO_CI_FLAGS_X,
- &empty_buffer);
- check_gsserr("gss_set_cred_option", major, minor);
- flagtest(&mech_krb5, icred, tname, 0, GSS_C_TRANS_FLAG);
- flagtest(&mech_krb5, icred, tname, GSS_C_CONF_FLAG,
- GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_krb5, icred, tname, GSS_C_INTEG_FLAG,
- GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_krb5, icred, tname, GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_spnego, icred, tname, 0, GSS_C_TRANS_FLAG);
- flagtest(&mech_spnego, icred, tname, GSS_C_INTEG_FLAG,
- GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_spnego, icred, tname, GSS_C_CONF_FLAG,
- GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG);
- flagtest(&mech_spnego, icred, tname, GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG,
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG);
-
- (void)gss_release_name(&minor, &tname);
- (void)gss_release_cred(&minor, &icred);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_client_keytab.py b/crypto/krb5/src/tests/gssapi/t_client_keytab.py
deleted file mode 100755
index 8fdf89e420b8..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_client_keytab.py
+++ /dev/null
@@ -1,189 +0,0 @@ -from k5test import * - -# Set up a basic realm and a client keytab containing two user principals. -# Point HOME at realm.testdir for tests using .k5identity. -realm = K5Realm(get_creds=False) -bob = 'bob@' + realm.realm -phost = 'p:' + realm.host_princ -puser = 'p:' + realm.user_princ -pbob = 'p:' + bob -gssserver = 'h:host@' + hostname -realm.env['HOME'] = realm.testdir -realm.addprinc(bob, password('bob')) -realm.extract_keytab(realm.user_princ, realm.client_keytab) -realm.extract_keytab(bob, realm.client_keytab) - -# Test 1: no name/cache specified, pick first principal from client keytab -realm.run(['./t_ccselect', phost], expected_msg=realm.user_princ) -realm.run([kdestroy]) - -# Test 2: no name/cache specified, pick principal from k5identity -k5idname = os.path.join(realm.testdir, '.k5identity') -k5id = open(k5idname, 'w') -k5id.write('%s service=host host=%s\n' % (bob, hostname)) -k5id.close() -realm.run(['./t_ccselect', gssserver], expected_msg=bob) -os.remove(k5idname) -realm.run([kdestroy]) - -# Test 3: no name/cache specified, default ccache has name but no creds -realm.run(['./ccinit', realm.ccache, bob]) -realm.run(['./t_ccselect', phost], expected_msg=bob) -# Leave tickets for next test. - -# Test 4: name specified, non-collectable default cache doesn't match -msg = 'Principal in credential cache does not match desired name' -realm.run(['./t_ccselect', phost, puser], expected_code=1, expected_msg=msg) -realm.run([kdestroy]) - -# Test 5: name specified, nonexistent default cache -realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) -# Leave tickets for next test. 
- -# Test 6: name specified, matches default cache, time to refresh -realm.run(['./ccrefresh', realm.ccache, '1']) -realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) -out = realm.run(['./ccrefresh', realm.ccache]) -if int(out) < 1000: - fail('Credentials apparently not refreshed') -realm.run([kdestroy]) - -# Test 7: empty ccache specified, pick first principal from client keytab -realm.run(['./t_imp_cred', phost]) -realm.klist(realm.user_princ) -realm.run([kdestroy]) - -# Test 8: ccache specified with name but no creds; name not in client keytab -realm.run(['./ccinit', realm.ccache, realm.host_princ]) -realm.run(['./t_imp_cred', phost], expected_code=1, - expected_msg='Credential cache is empty') -realm.run([kdestroy]) - -# Test 9: ccache specified with name but no creds; name in client keytab -realm.run(['./ccinit', realm.ccache, bob]) -realm.run(['./t_imp_cred', phost]) -realm.klist(bob) -# Leave tickets for next test. - -# Test 10: ccache specified with creds, time to refresh -realm.run(['./ccrefresh', realm.ccache, '1']) -realm.run(['./t_imp_cred', phost]) -realm.klist(bob) -out = realm.run(['./ccrefresh', realm.ccache]) -if int(out) < 1000: - fail('Credentials apparently not refreshed') -realm.run([kdestroy]) - -# Test 11: gss_import_cred_from with client_keytab value -store_keytab = os.path.join(realm.testdir, 'store_keytab') -os.rename(realm.client_keytab, store_keytab) -realm.run(['./t_credstore', '-i', 'p:' + realm.user_princ, 'client_keytab', - store_keytab]) -realm.klist(realm.user_princ) -os.rename(store_keytab, realm.client_keytab) - -# Use a cache collection for the remaining tests. -ccdir = os.path.join(realm.testdir, 'cc') -ccname = 'DIR:' + ccdir -os.mkdir(ccdir) -realm.env['KRB5CCNAME'] = ccname - -# Test 12: name specified, matching cache in collection with no creds -bobcache = os.path.join(ccdir, 'tktbob') -realm.run(['./ccinit', bobcache, bob]) -realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) -# Leave tickets for next test. 
- -# Test 13: name specified, matching cache in collection, time to refresh -realm.run(['./ccrefresh', bobcache, '1']) -realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) -out = realm.run(['./ccrefresh', bobcache]) -if int(out) < 1000: - fail('Credentials apparently not refreshed') -realm.run([kdestroy, '-A']) - -# Test 14: name specified, collection has default for different principal -realm.kinit(realm.user_princ, password('user')) -realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) -msg = 'Default principal: %s\n' % realm.user_princ -realm.run([klist], expected_msg=msg) -realm.run([kdestroy, '-A']) - -# Test 15: name specified, collection has no default cache -realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) -# Make sure the tickets we acquired didn't become the default -realm.run([klist], expected_code=1, expected_msg='No credentials cache found') -realm.run([kdestroy, '-A']) - -# Test 16: default client keytab cannot be resolved, but valid -# credentials exist in ccache. -conf = {'libdefaults': {'default_client_keytab_name': '%{'}} -bad_cktname = realm.special_env('bad_cktname', False, krb5_conf=conf) -del bad_cktname['KRB5_CLIENT_KTNAME'] -realm.kinit(realm.user_princ, password('user')) -realm.run(['./t_ccselect', phost], env=bad_cktname, - expected_msg=realm.user_princ) - -mark('refresh of manually acquired creds') - -# Test 17: no name/ccache specified, manually acquired creds which -# will expire soon. Verify that creds are refreshed using the current -# client name, with refresh_time set in the refreshed ccache. -realm.kinit('bob', password('bob'), ['-l', '15s']) -realm.run(['./t_ccselect', phost], expected_msg='bob') -realm.run([klist, '-C'], expected_msg='refresh_time = ') - -# Test 18: no name/ccache specified, manually acquired creds with a -# client principal not present in the client keytab. A refresh is -# attempted but fails, and an expired ticket error results. 
-realm.kinit(realm.admin_princ, password('admin'), ['-l', '-10s']) -msgs = ('Getting initial credentials for user/admin@KRBTEST.COM', - '/Matching credential not found') -realm.run(['./t_ccselect', phost], expected_code=1, - expected_msg='Ticket expired', expected_trace=msgs) -realm.run([kdestroy, '-A']) - -# Test 19: host-based initiator name -mark('host-based initiator name') -hsvc = 'h:svc@' + hostname -svcprinc = 'svc/%s@%s' % (hostname, realm.realm) -realm.addprinc(svcprinc) -realm.extract_keytab(svcprinc, realm.client_keytab) -# On the first run we match against the keytab while getting tickets, -# substituting the default realm. -msgs = ('/Can\'t find client principal svc/%s@ in' % hostname, - 'Getting initial credentials for svc/%s@' % hostname, - 'Found entries for %s in keytab' % svcprinc, - 'Retrieving %s from FILE:%s' % (svcprinc, realm.client_keytab), - 'Storing %s -> %s in' % (svcprinc, realm.krbtgt_princ), - 'Retrieving %s -> %s from' % (svcprinc, realm.krbtgt_princ), - 'authenticator for %s -> %s' % (svcprinc, realm.host_princ)) -realm.run(['./t_ccselect', phost, hsvc], expected_trace=msgs) -# On the second run we match against the collection. 
-msgs = ('Matching svc/%s@ in collection with result: 0' % hostname, - 'Getting credentials %s -> %s' % (svcprinc, realm.host_princ), - 'authenticator for %s -> %s' % (svcprinc, realm.host_princ)) -realm.run(['./t_ccselect', phost, hsvc], expected_trace=msgs) -realm.run([kdestroy, '-A']) - -# Test 20: host-based initiator name with fallback -mark('host-based fallback initiator name') -canonname = canonicalize_hostname(hostname) -if canonname != hostname: - hfsvc = 'h:fsvc@' + hostname - canonprinc = 'fsvc/%s@%s' % (canonname, realm.realm) - realm.addprinc(canonprinc) - realm.extract_keytab(canonprinc, realm.client_keytab) - msgs = ('/Can\'t find client principal fsvc/%s@ in' % hostname, - 'Found entries for %s in keytab' % canonprinc, - 'authenticator for %s -> %s' % (canonprinc, realm.host_princ)) - realm.run(['./t_ccselect', phost, hfsvc], expected_trace=msgs) - msgs = ('Matching fsvc/%s@ in collection with result: 0' % hostname, - 'Getting credentials %s -> %s' % (canonprinc, realm.host_princ)) - realm.run(['./t_ccselect', phost, hfsvc], expected_trace=msgs) - realm.run([kdestroy, '-A']) -else: - skipped('GSS initiator name fallback test', - '%s does not canonicalize to a different name' % hostname) - -success('Client keytab tests') diff --git a/crypto/krb5/src/tests/gssapi/t_context.c b/crypto/krb5/src/tests/gssapi/t_context.c deleted file mode 100644 index 65381aca8bad..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_context.c +++ /dev/null 
@@ -1,60 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_context.c - Simple context establishment harness */
-/*
- * Copyright (C) 2019 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "common.h"
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, flags;
- gss_name_t tname;
- gss_ctx_id_t ictx, actx;
-
- if (argc < 2) {
- fprintf(stderr, "Usage: %s targetname [acceptorname]\n", argv[0]);
- return 1;
- }
-
- tname = import_name(argv[1]);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_spnego, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- tname, flags, &ictx, &actx, NULL, NULL, NULL);
-
- (void)gss_release_name(&minor, &tname);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_credstore.c b/crypto/krb5/src/tests/gssapi/t_credstore.c
deleted file mode 100644
index 1e3636991380..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_credstore.c
+++ /dev/null
@@ -1,140 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 2011 Red Hat, Inc. - * - * Permission is hereby granted, free of charge, to any person - * obtaining a copy of this software and associated documentation files - * (the "Software"), to deal in the Software without restriction, - * including without limitation the rights to use, copy, modify, merge, - * publish, distribute, sublicense, and/or sell copies of the Software, - * and to permit persons to whom the Software is furnished to do so, - * subject to the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "common.h" - -static void -usage(void) -{ - fprintf(stderr, - "Usage: t_credstore [-sabi] principal [{key value} ...]\n"); - exit(1); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, major; - gss_key_value_set_desc store; - gss_name_t name = GSS_C_NO_NAME; - gss_cred_usage_t cred_usage = GSS_C_BOTH; - gss_OID_set mechs = GSS_C_NO_OID_SET; - gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; - gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; - gss_buffer_desc itok, atok; - krb5_boolean store_creds = FALSE, replay = FALSE; - char opt; - - /* Parse options. 
*/ - for (argv++; *argv != NULL && **argv == '-'; argv++) { - opt = (*argv)[1]; - if (opt == 's') - store_creds = TRUE; - else if (opt == 'r') - replay = TRUE; - else if (opt == 'a') - cred_usage = GSS_C_ACCEPT; - else if (opt == 'b') - cred_usage = GSS_C_BOTH; - else if (opt == 'i') - cred_usage = GSS_C_INITIATE; - else - usage(); - } - - /* Get the principal name. */ - if (*argv == NULL) - usage(); - if (**argv != '\0') - name = import_name(*argv); - argv++; - - /* Put any remaining arguments into the store. */ - store.elements = calloc(argc, sizeof(struct gss_key_value_element_struct)); - if (!store.elements) - errout("OOM"); - store.count = 0; - while (*argv != NULL) { - if (*(argv + 1) == NULL) - usage(); - store.elements[store.count].key = *argv; - store.elements[store.count].value = *(argv + 1); - store.count++; - argv += 2; - } - - if (store_creds) { - /* Acquire default creds and try to store them in the cred store. */ - major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, - GSS_C_INITIATE, &cred, NULL, NULL); - check_gsserr("gss_acquire_cred", major, minor); - - major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, - GSS_C_NO_OID, 1, 0, &store, NULL, NULL); - check_gsserr("gss_store_cred_into", major, minor); - - gss_release_cred(&minor, &cred); - } - - /* Try to acquire creds from store. */ - major = gss_acquire_cred_from(&minor, name, 0, mechs, cred_usage, - &store, &cred, NULL, NULL); - check_gsserr("gss_acquire_cred_from", major, minor); - - if (replay) { - /* Induce a replay using cred as the acceptor cred, to test the replay - * cache indicated by the store. 
*/ - major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, name, - &mech_krb5, 0, GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, NULL, &itok, NULL, NULL); - check_gsserr("gss_init_sec_context", major, minor); - (void)gss_delete_sec_context(&minor, &ictx, NULL); - - major = gss_accept_sec_context(&minor, &actx, cred, &itok, - GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, - &atok, NULL, NULL, NULL); - check_gsserr("gss_accept_sec_context(1)", major, minor); - (void)gss_release_buffer(&minor, &atok); - (void)gss_delete_sec_context(&minor, &actx, NULL); - - major = gss_accept_sec_context(&minor, &actx, cred, &itok, - GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, - &atok, NULL, NULL, NULL); - check_gsserr("gss_accept_sec_context(2)", major, minor); - (void)gss_release_buffer(&minor, &itok); - (void)gss_release_buffer(&minor, &atok); - (void)gss_delete_sec_context(&minor, &actx, NULL); - } - - gss_release_name(&minor, &name); - gss_release_cred(&minor, &cred); - free(store.elements); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/t_credstore.py b/crypto/krb5/src/tests/gssapi/t_credstore.py deleted file mode 100644 index ec59dd8dac37..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_credstore.py +++ /dev/null 
@@ -1,97 +0,0 @@ -from k5test import * - -realm = K5Realm() - -mark('gss_store_cred_into() and ccache/keytab') -storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store') -servicekeytab = os.path.join(realm.testdir, 'kt') -service_cs = 'service/cs@%s' % realm.realm -realm.addprinc(service_cs) -realm.extract_keytab(service_cs, servicekeytab) -realm.kinit(service_cs, None, ['-k', '-t', servicekeytab]) -msgs = ('Storing %s -> %s in MEMORY:' % (service_cs, realm.krbtgt_princ), - 'Moving ccache MEMORY:', - 'Retrieving %s from FILE:%s' % (service_cs, servicekeytab)) -realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache, - 'keytab', servicekeytab], expected_trace=msgs) - -mark('matching') -scc = 'FILE:' + os.path.join(realm.testdir, 'service_cache') -realm.kinit(realm.host_princ, flags=['-k', '-c', scc]) -realm.run(['./t_credstore', '-i', 'p:' + realm.host_princ, 'ccache', scc]) -realm.run(['./t_credstore', '-i', 'h:host', 'ccache', scc]) -realm.run(['./t_credstore', '-i', 'h:host@' + hostname, 'ccache', scc]) -realm.run(['./t_credstore', '-i', 'p:wrong', 'ccache', scc], - expected_code=1, expected_msg='does not match desired name') -realm.run(['./t_credstore', '-i', 'h:host@-nomatch-', 'ccache', scc], - expected_code=1, expected_msg='does not match desired name') -realm.run(['./t_credstore', '-i', 'h:svc', 'ccache', scc], - expected_code=1, expected_msg='does not match desired name') - -mark('matching (fallback)') -canonname = canonicalize_hostname(hostname) -if canonname != hostname: - canonprinc = 'host/%s@%s' % (canonname, realm.realm) - realm.addprinc(canonprinc) - realm.extract_keytab(canonprinc, realm.keytab) - realm.kinit(canonprinc, flags=['-k', '-c', scc]) - realm.run(['./t_credstore', '-i', 'h:host', 'ccache', scc]) - realm.run(['./t_credstore', '-i', 'h:host@' + hostname, 'ccache', scc]) - realm.run(['./t_credstore', '-i', 'h:host@' + canonname, 'ccache', scc]) - realm.run(['./t_credstore', '-i', 'p:' + canonprinc, 'ccache', 
scc]) - realm.run(['./t_credstore', '-i', 'p:' + realm.host_princ, 'ccache', scc], - expected_code=1, expected_msg='does not match desired name') - realm.run(['./t_credstore', '-i', 'h:host@-nomatch-', 'ccache', scc], - expected_code=1, expected_msg='does not match desired name') -else: - skipped('fallback matching test', - '%s does not canonicalize to a different name' % hostname) - -mark('rcache') -# t_credstore -r should produce a replay error normally, but not with -# rcache set to "none:". -realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ], - expected_code=1, - expected_msg='gss_accept_sec_context(2): Request is a replay') -realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ, - 'rcache', 'none:']) - -# Test password feature. -mark('password') -# Must be used with a desired name. -realm.run(['./t_credstore', '-i', '', 'password', 'pw'], - expected_code=1, expected_msg='An invalid name was supplied') -# Must not be used with a client keytab. -realm.run(['./t_credstore', '-i', 'u:' + realm.user_princ, - 'password', 'pw', 'client_keytab', servicekeytab], - expected_code=1, expected_msg='Credential usage type is unknown') -# Must not be used with a ccache. -realm.run(['./t_credstore', '-i', 'u:' + realm.user_princ, - 'password', 'pw', 'ccache', storagecache], - expected_code=1, expected_msg='Credential usage type is unknown') -# Must be acquiring initiator credentials. 
-realm.run(['./t_credstore', '-a', 'u:' + realm.user_princ, 'password', 'pw'], - expected_code=1, expected_msg='Credential usage type is unknown') -msgs = ('Getting initial credentials for %s' % realm.user_princ, - 'Storing %s -> %s in MEMORY:' % (realm.user_princ, realm.krbtgt_princ), - 'Destroying ccache MEMORY:') -realm.run(['./t_credstore', '-i', 'u:' + realm.user_princ, 'password', - password('user')], expected_trace=msgs) - -mark('verify') -msgs = ('Getting initial credentials for %s' % realm.user_princ, - 'Storing %s -> %s in MEMORY:' % (realm.user_princ, realm.krbtgt_princ), - 'Getting credentials %s -> %s' % (realm.user_princ, service_cs), - 'Storing %s -> %s in MEMORY:' % (realm.user_princ, service_cs)) -realm.run(['./t_credstore', '-i', 'u:' + realm.user_princ, 'password', - password('user'), 'keytab', servicekeytab, 'verify', - service_cs], expected_trace=msgs) -# Try again with verification failing due to key mismatch. -realm.run([kadminl, 'cpw', '-randkey', service_cs]) -realm.run([kadminl, 'modprinc', '-kvno', '1', service_cs]) -errmsg = 'Cannot decrypt ticket for %s' % service_cs -realm.run(['./t_credstore', '-i', 'u:' + realm.user_princ, 'password', - password('user'), 'keytab', servicekeytab, 'verify', - service_cs], expected_code=1, expected_msg=errmsg) - -success('Credential store tests') diff --git a/crypto/krb5/src/tests/gssapi/t_enctypes.c b/crypto/krb5/src/tests/gssapi/t_enctypes.c deleted file mode 100644 index 3325db769697..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_enctypes.c +++ /dev/null 
@@ -1,205 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/t_enctypes.c - gss_krb5_set_allowable_enctypes test */ -/* - * Copyright (C) 2013 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "k5-int.h" -#include "common.h" -#include "gssapi_ext.h" - -/* - * This test program establishes contexts with the krb5 mech, the default - * initiator name, a specified target name, and the default acceptor name. - * Before the exchange, gss_set_allowable_enctypes is called for the initiator - * and the acceptor cred if requested. 
If the exchange is successful, the - * resulting contexts are exported with gss_krb5_export_lucid_sec_context, - * checked for mismatches, and the GSS protocol and keys are displayed. Exits - * with status 0 if all operations are successful, or 1 if not. - * - * Usage: ./t_enctypes [-i initenctypes] [-a accenctypes] targetname - */ - -static void -usage(void) -{ - errout("Usage: t_enctypes [-i initenctypes] [-a accenctypes] " - "targetname"); -} - -/* Error out if ikey is not the same as akey. */ -static void -check_key_match(gss_krb5_lucid_key_t *ikey, gss_krb5_lucid_key_t *akey) -{ - if (ikey->type != akey->type || ikey->length != akey->length || - memcmp(ikey->data, akey->data, ikey->length) != 0) - errout("Initiator and acceptor keys do not match"); -} - -/* Display the name of enctype. */ -static void -display_enctype(krb5_enctype enctype) -{ - char ename[128]; - - if (krb5_enctype_to_name(enctype, FALSE, ename, sizeof(ename)) == 0) - fputs(ename, stdout); - else - fputs("(unknown)", stdout); -} - -int -main(int argc, char *argv[]) -{ - krb5_error_code ret; - krb5_context kctx = NULL; - krb5_enctype *ienc = NULL, *aenc = NULL, zero = 0; - OM_uint32 minor, major, flags; - gss_name_t tname; - gss_cred_id_t icred = GSS_C_NO_CREDENTIAL, acred = GSS_C_NO_CREDENTIAL; - gss_ctx_id_t ictx, actx; - gss_krb5_lucid_context_v1_t *ilucid, *alucid; - gss_krb5_rfc1964_keydata_t *i1964, *a1964; - gss_krb5_cfx_keydata_t *icfx, *acfx; - gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET; - gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF; - unsigned int ssf; - size_t count; - void *lptr; - int c; - - ret = krb5_init_context(&kctx); - check_k5err(kctx, "krb5_init_context", ret); - - /* Parse arguments. 
*/ - while ((c = getopt(argc, argv, "i:a:")) != -1) { - switch (c) { - case 'i': - ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &ienc); - check_k5err(kctx, "krb5_parse_enctype_list(initiator)", ret); - break; - case 'a': - ret = krb5int_parse_enctype_list(kctx, "", optarg, &zero, &aenc); - check_k5err(kctx, "krb5_parse_enctype_list(acceptor)", ret); - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc != 1) - usage(); - tname = import_name(*argv); - - if (ienc != NULL) { - major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, - &mechset_krb5, GSS_C_INITIATE, &icred, NULL, - NULL); - check_gsserr("gss_acquire_cred(initiator)", major, minor); - - for (count = 0; ienc[count]; count++); - major = gss_krb5_set_allowable_enctypes(&minor, icred, count, ienc); - check_gsserr("gss_krb5_set_allowable_enctypes(init)", major, minor); - } - if (aenc != NULL) { - major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, - &mechset_krb5, GSS_C_ACCEPT, &acred, NULL, - NULL); - check_gsserr("gss_acquire_cred(acceptor)", major, minor); - - for (count = 0; aenc[count]; count++); - major = gss_krb5_set_allowable_enctypes(&minor, acred, count, aenc); - check_gsserr("gss_krb5_set_allowable_enctypes(acc)", major, minor); - } - - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG; - establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx, - NULL, NULL, NULL); - - /* Query the SSF value and range-check the result. */ - major = gss_inquire_sec_context_by_oid(&minor, ictx, ssf_oid, &bufset); - check_gsserr("gss_inquire_sec_context_by_oid(ssf)", major, minor); - if (bufset->elements[0].length != 4) - errout("SSF buffer has unexpected length"); - ssf = load_32_be(bufset->elements[0].value); - if (ssf < 56 || ssf > 256) - errout("SSF value not within acceptable range (56-256)"); - (void)gss_release_buffer_set(&minor, &bufset); - - /* Export to lucid contexts. 
*/ - major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr); - check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor); - ilucid = lptr; - major = gss_krb5_export_lucid_sec_context(&minor, &actx, 1, &lptr); - check_gsserr("gss_export_lucid_sec_context(acceptor)", major, minor); - alucid = lptr; - - /* Grab the session keys and make sure they match. */ - if (ilucid->protocol != alucid->protocol) - errout("Initiator/acceptor protocol mismatch"); - if (ilucid->protocol) { - icfx = &ilucid->cfx_kd; - acfx = &alucid->cfx_kd; - if (icfx->have_acceptor_subkey != acfx->have_acceptor_subkey) - errout("Initiator/acceptor have_acceptor_subkey mismatch"); - check_key_match(&icfx->ctx_key, &acfx->ctx_key); - if (icfx->have_acceptor_subkey) - check_key_match(&icfx->acceptor_subkey, &acfx->acceptor_subkey); - fputs("cfx ", stdout); - display_enctype(icfx->ctx_key.type); - if (icfx->have_acceptor_subkey) { - fputs(" ", stdout); - display_enctype(icfx->acceptor_subkey.type); - } - fputs("\n", stdout); - } else { - i1964 = &ilucid->rfc1964_kd; - a1964 = &alucid->rfc1964_kd; - if (i1964->sign_alg != a1964->sign_alg || - i1964->seal_alg != a1964->seal_alg) - errout("Initiator/acceptor sign or seal alg mismatch"); - check_key_match(&i1964->ctx_key, &a1964->ctx_key); - fputs("rfc1964 ", stdout); - display_enctype(i1964->ctx_key.type); - fputs("\n", stdout); - } - - krb5_free_context(kctx); - free(ienc); - free(aenc); - (void)gss_release_name(&minor, &tname); - (void)gss_release_cred(&minor, &icred); - (void)gss_release_cred(&minor, &acred); - (void)gss_delete_sec_context(&minor, &ictx, NULL); - (void)gss_delete_sec_context(&minor, &actx, NULL); - (void)gss_krb5_free_lucid_sec_context(&minor, ilucid); - (void)gss_krb5_free_lucid_sec_context(&minor, alucid); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/t_enctypes.py b/crypto/krb5/src/tests/gssapi/t_enctypes.py deleted file mode 100755 index f5f11842e21b..000000000000 
--- a/crypto/krb5/src/tests/gssapi/t_enctypes.py
+++ /dev/null
@@ -1,147 +0,0 @@
-from k5test import *
-
-# Define some convenience abbreviations for enctypes we will see in
-# test program output. For background, aes256 and aes128 are "CFX
-# enctypes", meaning that they imply support for RFC 4121, while des3
-# and rc4 are not. DES3 keys will appear as 'des3-cbc-raw' in
-# t_enctypes output because that's how GSSAPI does raw triple-DES
-# encryption without the RFC3961 framing.
-aes256 = 'aes256-cts-hmac-sha1-96'
-aes128 = 'aes128-cts-hmac-sha1-96'
-des3 = 'des3-cbc-sha1'
-d_des3 = 'DEPRECATED:des3-cbc-sha1'
-des3raw = 'des3-cbc-raw'
-d_des3raw = 'DEPRECATED:des3-cbc-raw'
-rc4 = 'arcfour-hmac'
-d_rc4 = 'DEPRECATED:arcfour-hmac'
-
-# These tests make assumptions about the default enctype lists, so set
-# them explicitly rather than relying on the library defaults.
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
- 'allow_des3': 'true', 'allow_rc4': 'true'},
- 'realms': {'$realm': {'supported_enctypes': supp}}}
-realm = K5Realm(krb5_conf=conf)
-shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
-
-# Return an argument list for running t_enctypes with optional initiator
-# and acceptor enctype lists.
-def cmdline(ienc, aenc):
- iflags = ienc and ['-i', ienc] or []
- aflags = aenc and ['-a', aenc] or []
- return ['./t_enctypes'] + iflags + aflags + ['p:' + realm.host_princ]
-
-
-# Run t_enctypes with optional initiator and acceptor enctype lists,
-# and check that it succeeds with the expected output. Also check
-# that the ticket we got has the expected encryption key and session
-# key.
-def test(msg, ienc, aenc, tktenc='', tktsession='', proto='', isubkey='',
- asubkey=None):
- shutil.copyfile(os.path.join(realm.testdir, 'save'), realm.ccache)
- # Run the test program and check its output.
- out = realm.run(cmdline(ienc, aenc)).split()
- if out[0] != proto or out[1] != isubkey:
- fail(msg)
- if asubkey is not None and (len(out) < 3 or out[2] != asubkey):
- fail(msg)
- lines = realm.run([klist, '-e']).splitlines()
- for ind, line in enumerate(lines):
- if realm.host_princ in line:
- if lines[ind + 1].strip() != ('Etype (skey, tkt): %s, %s' %
- (tktsession, tktenc)):
- fail(msg)
- break
-
-# Run t_enctypes with optional initiator and acceptor enctype lists,
-# and check that it fails with the expected error message.
-def test_err(msg, ienc, aenc, expected_err):
- shutil.copyfile(os.path.join(realm.testdir, 'save'), realm.ccache)
- realm.run(cmdline(ienc, aenc), expected_code=1, expected_msg=expected_err)
-
-
-# By default, all of the key enctypes should be aes256.
-test('noargs', None, None,
- tktenc=aes256, tktsession=aes256,
- proto='cfx', isubkey=aes256, asubkey=aes256)
-
-# When the initiator constrains the permitted session enctypes to
-# aes128, the ticket encryption key should remain aes256. The client
-# initiator will not send an RFC 4537 upgrade list because it sees no
-# other permitted enctypes, so the acceptor subkey will not be
-# upgraded from aes128.
-test('init aes128', 'aes128-cts', None,
- tktenc=aes256, tktsession=aes128,
- proto='cfx', isubkey=aes128, asubkey=aes128)
-
-# If the initiator and acceptor both constrain the permitted session
-# enctypes to aes128, we should see the same keys as above. This
-# tests that the acceptor does not mistakenly contrain the ticket
-# encryption key.
-test('both aes128', 'aes128-cts', 'aes128-cts',
- tktenc=aes256, tktsession=aes128,
- proto='cfx', isubkey=aes128, asubkey=aes128)
-
-# If only the acceptor constrains the permitted session enctypes to
-# aes128, subkey negotiation fails because the acceptor considers the
-# aes256 session key to be non-permitted.
-test_err('acc aes128', None, 'aes128-cts',
- 'Encryption type aes256-cts-hmac-sha1-96 not permitted')
-
-# If the initiator constrains the permitted session enctypes to des3,
-# no acceptor subkey will be generated because we can't upgrade to a
-# CFX enctype.
-test('init des3', 'des3', None,
- tktenc=aes256, tktsession=d_des3,
- proto='rfc1964', isubkey=des3raw, asubkey=None)
-
-# Force the ticket session key to be rc4, so we can test some subkey
-# upgrade cases. The ticket encryption key remains aes256.
-realm.run([kadminl, 'setstr', realm.host_princ, 'session_enctypes', 'rc4'])
-
-# With no arguments, the initiator should send an upgrade list of
-# [aes256 aes128 des3] and the acceptor should upgrade to an aes256
-# subkey.
-test('upgrade noargs', None, None,
- tktenc=aes256, tktsession=d_rc4,
- proto='cfx', isubkey=rc4, asubkey=aes256)
-
-# If the initiator won't permit rc4 as a session key, it won't be able
-# to get a ticket.
-test_err('upgrade init aes', 'aes', None, 'no support for encryption type')
-
-# If the initiator permits rc4 but prefers aes128, it will send an
-# upgrade list of [aes128] and the acceptor will upgrade to aes128.
-test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
- tktenc=aes256, tktsession=d_rc4,
- proto='cfx', isubkey=rc4, asubkey=aes128)
-
-# If the initiator permits rc4 but prefers des3, it will send an
-# upgrade list of [des3], but the acceptor won't generate a subkey
-# because des3 isn't a CFX enctype.
-test('upgrade init des3+rc4', 'des3 rc4', None,
- tktenc=aes256, tktsession=d_rc4,
- proto='rfc1964', isubkey=rc4, asubkey=None)
-
-# If the acceptor permits only aes128, subkey negotiation will fail
-# because the ticket session key and initiator subkey are
-# non-permitted. (This is unfortunate if the acceptor's restriction
-# is only for the sake of the kernel, since we could upgrade to an
-# aes128 subkey, but it's the current semantics.)
-test_err('upgrade acc aes128', None, 'aes128-cts',
- 'Encryption type arcfour-hmac not permitted')
-
-# If the acceptor permits rc4 but prefers aes128, it will negotiate an
-# upgrade to aes128.
-test('upgrade acc aes128 rc4', None, 'aes128-cts rc4',
- tktenc=aes256, tktsession=d_rc4,
- proto='cfx', isubkey=rc4, asubkey=aes128)
-
-# In this test, the initiator and acceptor each prefer an AES enctype
-# to rc4, but they can't agree on which one, so no subkey is
-# generated.
-test('upgrade mismatch', 'aes128-cts rc4', 'aes256-cts rc4',
- tktenc=aes256, tktsession=d_rc4,
- proto='rfc1964', isubkey=rc4, asubkey=None)
-
-success('gss_krb5_set_allowable_enctypes tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_err.c b/crypto/krb5/src/tests/gssapi/t_err.c
deleted file mode 100644
index 3a9c47bdb1aa..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_err.c
+++ /dev/null
@@ -1,126 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/t_err.c - Test accept_sec_context error generation */ -/* - * Copyright (C) 2013 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This test program verifies that the krb5 gss_accept_sec_context can produce - * error tokens and that gss_init_sec_context can interpret them. 
- */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <assert.h> - -#include "common.h" - -static void -check_replay_error(const char *msg, OM_uint32 major, OM_uint32 minor) -{ - OM_uint32 tmpmin, msg_ctx = 0; - const char *replay = "Request is a replay"; - gss_buffer_desc m; - - if (major != GSS_S_FAILURE) { - fprintf(stderr, "%s: expected major code GSS_S_FAILURE\n", msg); - check_gsserr(msg, major, minor); - exit(1); - } - - (void)gss_display_status(&tmpmin, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID, - &msg_ctx, &m); - if (m.length != strlen(replay) || memcmp(m.value, replay, m.length) != 0) { - fprintf(stderr, "%s: expected replay error; got %.*s\n", msg, - (int)m.length, (char *)m.value); - exit(1); - } - (void)gss_release_buffer(&tmpmin, &m); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, major, flags; - gss_OID mech = &mech_krb5; - gss_name_t tname; - gss_buffer_desc itok, atok; - gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; - - argv++; - if (*argv != NULL && strcmp(*argv, "--spnego") == 0) { - mech = &mech_spnego; - argv++; - } - if (*argv == NULL || argv[1] != NULL) { - fprintf(stderr, "Usage: t_err targetname\n"); - return 1; - } - tname = import_name(*argv); - - /* Get the initial context token. */ - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG; - major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname, - mech, flags, GSS_C_INDEFINITE, - GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, - NULL, &itok, NULL, NULL); - check_gsserr("gss_init_sec_context(1)", major, minor); - assert(major == GSS_S_CONTINUE_NEEDED); - - /* Process this token into an acceptor context, then discard it. 
*/
- major = gss_accept_sec_context(&minor, &actx, GSS_C_NO_CREDENTIAL, &itok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL,
- NULL, &atok, NULL, NULL, NULL);
- check_gsserr("gss_accept_sec_context(1)", major, minor);
- (void)gss_release_buffer(&minor, &atok);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-
- /* Process the same token again, producing a replay error. */
- major = gss_accept_sec_context(&minor, &actx, GSS_C_NO_CREDENTIAL, &itok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL,
- NULL, &atok, NULL, NULL, NULL);
- check_replay_error("gss_accept_sec_context(2)", major, minor);
- assert(atok.length != 0);
-
- /* Send the error token back the initiator. */
- (void)gss_release_buffer(&minor, &itok);
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname,
- mech, flags, GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, &atok,
- NULL, &itok, NULL, NULL);
- check_replay_error("gss_init_sec_context(2)", major, minor);
-
- (void)gss_release_name(&minor, &tname);
- (void)gss_release_buffer(&minor, &itok);
- (void)gss_release_buffer(&minor, &atok);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_export_cred.c b/crypto/krb5/src/tests/gssapi/t_export_cred.c
deleted file mode 100644
index 4d7c028e6d46..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_export_cred.c
+++ /dev/null
@@ -1,115 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 2011 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include <stdio.h> -#include <stdlib.h> - -#include "common.h" - -/* Display a usage error message and exit. 
*/ -static void -usage(void) -{ - fprintf(stderr, "Usage: t_export_cred [-k|-s] [-i initiatorname] " - "[-a acceptorname] targetname\n"); - exit(1); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 major, minor, flags; - gss_name_t initiator_name = GSS_C_NO_NAME, acceptor_name = GSS_C_NO_NAME; - gss_name_t target_name; - gss_cred_id_t initiator_cred, acceptor_cred, delegated_cred; - gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; - gss_ctx_id_t acceptor_context = GSS_C_NO_CONTEXT; - gss_OID mech = GSS_C_NO_OID; - gss_OID_set mechs = GSS_C_NO_OID_SET; - char optchar; - - /* Parse arguments. */ - argv++; - while (*argv != NULL && **argv == '-') { - optchar = (*argv)[1]; - argv++; - if (optchar == 'i') { - if (*argv == NULL) - usage(); - initiator_name = import_name(*argv++); - } else if (optchar == 'a') { - if (*argv == NULL) - usage(); - acceptor_name = import_name(*argv++); - } else if (optchar == 'k') { - mech = &mech_krb5; - mechs = &mechset_krb5; - } else if (optchar == 's') { - mech = &mech_spnego; - mechs = &mechset_spnego; - } else { - usage(); - } - } - if (*argv == NULL || *(argv + 1) != NULL) - usage(); - target_name = import_name(argv[0]); - - /* Get initiator cred and export/import it. */ - major = gss_acquire_cred(&minor, initiator_name, GSS_C_INDEFINITE, mechs, - GSS_C_INITIATE, &initiator_cred, NULL, NULL); - check_gsserr("gss_acquire_cred(initiator)", major, minor); - export_import_cred(&initiator_cred); - - /* Get acceptor cred and export/import it. */ - major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE, mechs, - GSS_C_ACCEPT, &acceptor_cred, NULL, NULL); - check_gsserr("gss_acquire_cred(acceptor)", major, minor); - export_import_cred(&acceptor_cred); - - /* Initiate and accept a security context (one-token exchange only), - * delegating credentials. 
*/
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
- establish_contexts(mech, initiator_cred, acceptor_cred, target_name, flags,
- &initiator_context, &acceptor_context, NULL, NULL,
- &delegated_cred);
-
- /* Import, release, export, and store delegated creds */
- export_import_cred(&delegated_cred);
- major = gss_store_cred(&minor, delegated_cred, GSS_C_INITIATE,
- GSS_C_NULL_OID, 1, 1, NULL, NULL);
- check_gsserr("gss_store_cred", major, minor);
-
- (void)gss_release_name(&minor, &initiator_name);
- (void)gss_release_name(&minor, &acceptor_name);
- (void)gss_release_name(&minor, &target_name);
- (void)gss_release_cred(&minor, &initiator_cred);
- (void)gss_release_cred(&minor, &acceptor_cred);
- (void)gss_release_cred(&minor, &delegated_cred);
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_export_cred.py b/crypto/krb5/src/tests/gssapi/t_export_cred.py
deleted file mode 100755
index 89167bcc51d5..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_export_cred.py
+++ /dev/null
@@ -1,50 +0,0 @@
-from k5test import *
-
-# Test gss_export_cred and gss_import_cred for initiator creds,
-# acceptor creds, and traditional delegated creds. t_s4u.py tests
-# exporting and importing a synthesized S4U2Proxy delegated
-# credential.
-
-# Make up a filename to hold user's initial credentials.
-def ccache_savefile(realm):
- return os.path.join(realm.testdir, 'ccache.copy')
-
-# Move user's initial credentials into the save file.
-def ccache_save(realm):
- os.rename(realm.ccache, ccache_savefile(realm))
-
-# Copy user's initial credentials from the save file into the ccache.
-def ccache_restore(realm):
- shutil.copyfile(ccache_savefile(realm), realm.ccache)
-
-# Run t_export_cred with the saved ccache and verify that it stores a
-# forwarded cred into the default ccache.
-def check(realm, args):
- ccache_restore(realm)
- realm.run(['./t_export_cred'] + args)
- realm.run([klist, '-f'], expected_msg='Flags: Ff')
-
-# Check a given set of arguments with no specified mech and with krb5
-# and SPNEGO as the specified mech.
-def check_mechs(realm, args):
- check(realm, args)
- check(realm, ['-k'] + args)
- check(realm, ['-s'] + args)
-
-# Make a realm, get forwardable tickets, and save a copy for each test.
-realm = K5Realm(get_creds=False)
-realm.kinit(realm.user_princ, password('user'), ['-f'])
-ccache_save(realm)
-
-# Test with default initiator and acceptor cred.
-tname = 'p:' + realm.host_princ
-check_mechs(realm, [tname])
-
-# Test with principal-named initiator and acceptor cred.
-iname = 'p:' + realm.user_princ
-check_mechs(realm, ['-i', iname, '-a', tname, tname])
-
-# Test with host-based acceptor cred.
-check_mechs(realm, ['-a', 'h:host', tname])
-
-success('gss_export_cred/gss_import_cred tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_export_name.c b/crypto/krb5/src/tests/gssapi/t_export_name.c
deleted file mode 100644
index b7eebd4eff89..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_export_name.c
+++ /dev/null
@@ -1,119 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/t_export_name.c - Test program for gss_export_name behavior */ -/* - * Copyright 2012 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * Test program for gss_export_name, intended to be run from a Python test - * script. Imports a name, canonicalizes it to a mech, exports it, - * re-imports/exports it to compare results, and then prints the hex form of - * the exported name followed by a newline. - * - * Usage: ./t_export_name [-k|-s] user:username|krb5:princ|host:service@host - * - * The name is imported as a username, krb5 principal, or hostbased name. - * By default or with -k, the name is canonicalized to the krb5 mech; -s - * indicates SPNEGO instead. 
- */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "common.h" - -static void -usage(void) -{ - fprintf(stderr, "Usage: t_export_name [-k|-s] name\n"); - exit(1); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, major; - gss_OID mech = (gss_OID)gss_mech_krb5; - gss_name_t name, mechname, impname; - gss_buffer_desc buf, buf2; - krb5_boolean use_composite = FALSE; - gss_OID ntype; - const char *name_arg; - char opt; - - /* Parse arguments. */ - while (argc > 1 && argv[1][0] == '-') { - opt = argv[1][1]; - argc--, argv++; - if (opt == 'k') - mech = &mech_krb5; - else if (opt == 's') - mech = &mech_spnego; - else if (opt == 'c') - use_composite = TRUE; - else - usage(); - } - if (argc != 2) - usage(); - name_arg = argv[1]; - - /* Import the name. */ - name = import_name(name_arg); - - /* Canonicalize and export the name. */ - major = gss_canonicalize_name(&minor, name, mech, &mechname); - check_gsserr("gss_canonicalize_name", major, minor); - if (use_composite) - major = gss_export_name_composite(&minor, mechname, &buf); - else - major = gss_export_name(&minor, mechname, &buf); - check_gsserr("gss_export_name", major, minor); - - /* Import and re-export the name, and compare the results. */ - ntype = use_composite ? 
GSS_C_NT_COMPOSITE_EXPORT : GSS_C_NT_EXPORT_NAME; - major = gss_import_name(&minor, &buf, ntype, &impname); - check_gsserr("gss_import_name", major, minor); - if (use_composite) - major = gss_export_name_composite(&minor, impname, &buf2); - else - major = gss_export_name(&minor, impname, &buf2); - check_gsserr("gss_export_name", major, minor); - if (buf.length != buf2.length || - memcmp(buf.value, buf2.value, buf.length) != 0) { - fprintf(stderr, "Mismatched results:\n"); - print_hex(stderr, &buf); - print_hex(stderr, &buf2); - return 1; - } - - print_hex(stdout, &buf); - - (void)gss_release_name(&minor, &name); - (void)gss_release_name(&minor, &mechname); - (void)gss_release_name(&minor, &impname); - (void)gss_release_buffer(&minor, &buf); - (void)gss_release_buffer(&minor, &buf2); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/t_gssapi.py b/crypto/krb5/src/tests/gssapi/t_gssapi.py deleted file mode 100755 index 149f46d5c914..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_gssapi.py +++ /dev/null 
@@ -1,258 +0,0 @@ -from k5test import * - -# Test krb5 negotiation under SPNEGO for all enctype configurations. Also -# test IOV wrap/unwrap with and without SPNEGO. -for realm in multipass_realms(): - realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab]) - realm.run(['./t_iov', 'p:' + realm.host_princ]) - realm.run(['./t_iov', '-s', 'p:' + realm.host_princ]) - realm.run(['./t_pcontok', 'p:' + realm.host_princ]) - -realm = K5Realm() -realm.run([kadminl, 'modprinc', '+preauth', realm.user_princ]) - -remove_default = {'libdefaults': {'default_realm': None}} -change_default = {'libdefaults': {'default_realm': 'WRONG.REALM'}} -no_default = realm.special_env('no_default', False, krb5_conf=remove_default) -wrong_default = realm.special_env('wrong_default', False, - krb5_conf=change_default) - -# Test IAKERB with credentials. -realm.run(['./t_iakerb', 'p:' + realm.user_princ, '-', 'h:host@' + hostname, - 'h:host']) - -# Test IAKERB getting initial credentials. -realm.run(['./t_iakerb', 'p:' + realm.user_princ, password('user'), - 'h:host@' + hostname, 'h:host']) - -# Test IAKERB realm discovery. -realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname, - 'h:host']) - -# Test IAKERB realm discovery without default_realm set. We get an -# error because the acceptor does not know the realm. -realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname, - 'h:host'], env=no_default, expected_code=1, - expected_msg='The IAKERB proxy could not determine its realm') - -# Test again, using a GSS_KRB5_NT_PRINCIPAL_NAME acceptor name so that -# gss_accept_sec_context() knows the realm. -realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname, - 'p:' + realm.host_princ], env=no_default) - -# Test IAKERB realm discovery with a non-useful default_realm set. -realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname, - 'p:' + realm.host_princ], env=wrong_default) - -# Test gss_add_cred(). 
-realm.run(['./t_add_cred']) - -### Test acceptor name behavior. - -# Create some host-based principals and put most of them into the -# keytab. Rename one principal so that the keytab name matches the -# key but not the client name. -realm.run([kadminl, 'addprinc', '-randkey', 'service1/abraham']) -realm.run([kadminl, 'addprinc', '-randkey', 'service1/barack']) -realm.run([kadminl, 'addprinc', '-randkey', 'service2/calvin']) -realm.run([kadminl, 'addprinc', '-randkey', 'service2/dwight']) -realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-']) -realm.run([kadminl, 'addprinc', '-randkey', 'http/localhost']) -realm.run([kadminl, 'xst', 'service1/abraham']) -realm.run([kadminl, 'xst', 'service1/barack']) -realm.run([kadminl, 'xst', 'service2/calvin']) -realm.run([kadminl, 'xst', 'http/localhost']) -realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew']) - -# Test with no default realm and no dots in the server name. -realm.run(['./t_accname', 'h:http@localhost'], expected_msg='http/localhost') -realm.run(['./t_accname', 'h:http@localhost'], expected_msg='http/localhost', - env=no_default) - -# Test with no acceptor name, including client/keytab principal -# mismatch (non-fatal) and missing keytab entry (fatal). -realm.run(['./t_accname', 'p:service1/andrew'], - expected_msg='service1/abraham') -realm.run(['./t_accname', 'p:service1/barack'], expected_msg='service1/barack') -realm.run(['./t_accname', 'p:service2/calvin'], expected_msg='service2/calvin') -realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1, - expected_msg=' not found in keytab') - -# Test with acceptor name containing service only, including -# client/keytab hostname mismatch (non-fatal) and service name -# mismatch (fatal). 
-realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'], - expected_msg='service1/abraham') -realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], expected_code=1, - expected_msg=' not found in keytab') -realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'], - expected_msg='service2/calvin') -realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1, - expected_msg=' found in keytab but does not match server principal') -# Regression test for #8892 (trailing @ in name). -realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'], - expected_msg='service1/abraham') - -# Test with acceptor name containing service and host. Use the -# client's un-canonicalized hostname as acceptor input to mirror what -# many servers do. -realm.run(['./t_accname', 'p:' + realm.host_princ, - 'h:host@%s' % socket.gethostname()], expected_msg=realm.host_princ) -realm.run(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()], expected_code=1, - expected_msg=' not found in keytab') - -# If possible, test with an acceptor name requiring fallback to match -# against a keytab entry. -canonname = canonicalize_hostname(hostname) -if canonname != hostname: - os.rename(realm.keytab, realm.keytab + '.save') - canonprinc = 'host/' + canonname - realm.run([kadminl, 'addprinc', '-randkey', canonprinc]) - realm.extract_keytab(canonprinc, realm.keytab) - # Use the canonical name for the initiator's target name, since - # host/hostname exists in the KDB (but not the keytab). - realm.run(['./t_accname', 'h:host@' + canonname, 'h:host@' + hostname]) - os.rename(realm.keytab + '.save', realm.keytab) -else: - skipped('GSS acceptor name fallback test', - '%s does not canonicalize to a different name' % hostname) - -# Test krb5_gss_import_cred. 
-realm.run(['./t_imp_cred', 'p:service1/barack']) -realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) -realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) -realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1, - expected_msg=' not found in keytab') - -# Verify that we can't acquire acceptor creds without a keytab. -os.remove(realm.keytab) -out = realm.run(['./t_accname', 'p:abc'], expected_code=1) -if ('gss_acquire_cred: Keytab' not in out or - 'nonexistent or empty' not in out): - fail('Expected error message not seen for nonexistent keytab') - -realm.stop() - -# Re-run the last acceptor name test with ignore_acceptor_hostname set -# and the principal for the mismatching hostname in the keytab. -ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}} -realm = K5Realm(krb5_conf=ignore_conf) -realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-']) -realm.run([kadminl, 'xst', 'host/-nomatch-']) -realm.run(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()], expected_msg='host/-nomatch-') - -realm.stop() - -# Make sure a GSSAPI acceptor can handle cross-realm tickets with a -# transited field. (Regression test for #7639.) -r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), - create_user=False, create_host=False, - args=[{'realm': 'A.X', 'create_user': True}, - {'realm': 'X'}, - {'realm': 'B.X', 'create_host': True}]) -os.rename(r3.keytab, r1.keytab) -r1.run(['./t_accname', 'p:' + r3.host_princ, 'h:host']) -r1.stop() -r2.stop() -r3.stop() - -### Test gss_inquire_cred behavior. - -realm = K5Realm() - -# Test deferred resolution of the default ccache for initiator creds. -realm.run(['./t_inq_cred'], expected_msg=realm.user_princ) -realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ) -realm.run(['./t_inq_cred', '-s'], expected_msg=realm.user_princ) - -# Test picking a name from the keytab for acceptor creds. 
-realm.run(['./t_inq_cred', '-a'], expected_msg=realm.host_princ) -realm.run(['./t_inq_cred', '-k', '-a'], expected_msg=realm.host_princ) -realm.run(['./t_inq_cred', '-s', '-a'], expected_msg=realm.host_princ) - -# Test client keytab initiation (non-deferred) with a specified name. -realm.extract_keytab(realm.user_princ, realm.client_keytab) -os.remove(realm.ccache) -realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ) - -# Test deferred client keytab initiation and GSS_C_BOTH cred usage. -os.remove(realm.client_keytab) -os.remove(realm.ccache) -shutil.copyfile(realm.keytab, realm.client_keytab) -realm.run(['./t_inq_cred', '-k', '-b'], expected_msg=realm.host_princ) - -# Test gss_export_name behavior. -realm.run(['./t_export_name', 'u:x'], expected_msg=\ - '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n') -realm.run(['./t_export_name', '-s', 'u:xyz'], - expected_msg='0401000806062B06010505020000000378797A\n') -realm.run(['./t_export_name', 'p:a@b'], - expected_msg='0401000B06092A864886F71201020200000003614062\n') -realm.run(['./t_export_name', '-s', 'p:a@b'], - expected_msg='0401000806062B060105050200000003614062\n') - -# Test that composite-export tokens can be imported. -realm.run(['./t_export_name', '-c', 'p:a@b'], expected_msg= - '0402000B06092A864886F7120102020000000361406200000000\n') - -# Test gss_inquire_mechs_for_name behavior. -krb5_mech = '{ 1 2 840 113554 1 2 2 }' -spnego_mech = '{ 1 3 6 1 5 5 2 }' -out = realm.run(['./t_inq_mechs_name', 'p:a@b']) -if krb5_mech not in out: - fail('t_inq_mechs_name (principal)') -out = realm.run(['./t_inq_mechs_name', 'u:x']) -if krb5_mech not in out or spnego_mech not in out: - fail('t_inq_mecs_name (user)') -out = realm.run(['./t_inq_mechs_name', 'h:host']) -if krb5_mech not in out or spnego_mech not in out: - fail('t_inq_mecs_name (hostbased)') - -# Test that accept_sec_context can produce an error token and -# init_sec_context can interpret it. 
-realm.run(['./t_err', 'p:' + realm.host_princ]) -realm.run(['./t_err', '--spnego', 'p:' + realm.host_princ]) - -# Test the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option. -realm.run(['./t_ciflags', 'p:' + realm.host_princ]) - -# Test that inquire_context works properly, even on incomplete -# contexts. -realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ]) - -if runenv.sizeof_time_t <= 4: - skip_rest('y2038 GSSAPI tests', 'platform has 32-bit time_t') - -# Test lifetime results, using a realm with a large maximum lifetime -# so that we can test ticket end dates after y2038. -realm.stop() -conf = {'realms': {'$realm': {'max_life': '9000d'}}} -realm = K5Realm(kdc_conf=conf, get_creds=False) - -# Check a lifetime string result against an expected number value (or None). -# Allow some variance due to time elapsed during the tests. -def check_lifetime(msg, val, expected): - if expected is None and val != 'indefinite': - fail('%s: expected indefinite, got %s' % (msg, val)) - if expected is not None and val == 'indefinite': - fail('%s: expected %d, got indefinite' % (msg, expected)) - if expected is not None and abs(int(val) - expected) > 100: - fail('%s: expected %d, got %s' % (msg, expected, val)) - -realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d']) -out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)]) -ln = out.split('\n') -check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400) -check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400) -check_lifetime('acred gss_acquire_cred', ln[2], None) -check_lifetime('acred gss_inquire_cred', ln[3], None) -check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400) -check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400) -check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400) -check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300) -check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300) 
-check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300)
-
-success('GSSAPI tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_gssexts.c b/crypto/krb5/src/tests/gssapi/t_gssexts.c
deleted file mode 100644
index 41d62b9262e6..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_gssexts.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 2009 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "common.h"
-
-/*
- * Test program for protocol transition (S4U2Self) and constrained delegation
- * (S4U2Proxy)
- *
- * Note: because of name canonicalization, the following tips may help
- * when configuring with Active Directory:
- *
- * - Create a computer account FOO$
- * - Set the UPN to host/foo.domain (no suffix); this is necessary to
- * be able to send an AS-REQ as this principal, otherwise you would
- * need to use the canonical name (FOO$), which will cause principal
- * comparison errors in gss_accept_sec_context().
- * - Add a SPN of host/foo.domain
- * - Configure the computer account to support constrained delegation with
- * protocol transition (Trust this computer for delegation to specified
- * services only / Use any authentication protocol)
- * - Add host/foo.domain to the keytab (possibly easiest to do this
- * with ktadd)
- *
- * For S4U2Proxy to work the TGT must be forwardable too.
- *
- * Usage eg:
- *
- * kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
- * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
- */
-
-static int use_spnego = 0;
-
-static void
-test_prf(gss_ctx_id_t initiatorContext, gss_ctx_id_t acceptorContext,
- int flags)
-{
- gss_buffer_desc constant;
- OM_uint32 major, minor;
- unsigned int i;
- gss_buffer_desc initiatorPrf;
- gss_buffer_desc acceptorPrf;
-
- constant.value = "gss prf test";
- constant.length = strlen((char *)constant.value);
-
- initiatorPrf.value = NULL;
- acceptorPrf.value = NULL;
-
- major = gss_pseudo_random(&minor, initiatorContext, flags, &constant, 19,
- &initiatorPrf);
- check_gsserr("gss_pseudo_random", major, minor);
-
- printf("%s\n", flags == GSS_C_PRF_KEY_FULL ?
- "PRF_KEY_FULL" : "PRF_KEY_PARTIAL");
-
- printf("Initiator PRF: ");
- for (i = 0; i < initiatorPrf.length; i++)
- printf("%02x ", ((char *)initiatorPrf.value)[i] & 0xFF);
- printf("\n");
-
- major = gss_pseudo_random(&minor, acceptorContext, flags, &constant, 19,
- &acceptorPrf);
- check_gsserr("gss_pseudo_random", major, minor);
-
- printf("Acceptor PRF: ");
- for (i = 0; i < acceptorPrf.length; i++)
- printf("%02x ", ((char *)acceptorPrf.value)[i] & 0xFF);
- printf("\n");
-
- if (acceptorPrf.length != initiatorPrf.length ||
- memcmp(acceptorPrf.value, initiatorPrf.value, initiatorPrf.length)) {
- fprintf(stderr, "Initiator and acceptor PRF output does not match\n");
- exit(1);
- }
-
- (void)gss_release_buffer(&minor, &initiatorPrf);
- (void)gss_release_buffer(&minor, &acceptorPrf);
-}
-
-static void
-init_accept_sec_context(gss_cred_id_t claimant_cred_handle,
- gss_cred_id_t verifier_cred_handle,
- gss_cred_id_t *deleg_cred_handle)
-{
- OM_uint32 major, minor, flags;
- gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
- gss_ctx_id_t initiator_context, acceptor_context;
- gss_OID mech;
-
- *deleg_cred_handle = GSS_C_NO_CREDENTIAL;
-
- major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL,
- NULL, NULL);
- check_gsserr("gss_inquire_cred", major, minor);
- display_canon_name("Target name", target_name, &mech_krb5);
-
- mech = use_spnego ?
&mech_spnego : &mech_krb5;
- display_oid("Target mech", mech);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(mech, claimant_cred_handle, verifier_cred_handle,
- target_name, flags, &initiator_context,
- &acceptor_context, &source_name, NULL,
- deleg_cred_handle);
-
- test_prf(initiator_context, acceptor_context, GSS_C_PRF_KEY_FULL);
- test_prf(initiator_context, acceptor_context, GSS_C_PRF_KEY_PARTIAL);
-
- (void)gss_release_name(&minor, &source_name);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
-}
-
-static void
-get_default_cred(const char *keytab_name, gss_OID_set mechs,
- gss_cred_id_t *impersonator_cred_handle)
-{
- OM_uint32 major = GSS_S_FAILURE, minor;
- krb5_error_code ret;
- krb5_context context = NULL;
- krb5_keytab keytab = NULL;
- krb5_principal keytab_principal = NULL;
- krb5_ccache ccache = NULL;
-
- if (keytab_name != NULL) {
- ret = krb5_init_context(&context);
- check_k5err(context, "krb5_init_context", ret);
-
- ret = krb5_kt_resolve(context, keytab_name, &keytab);
- check_k5err(context, "krb5_kt_resolve", ret);
-
- ret = krb5_cc_default(context, &ccache);
- check_k5err(context, "krb5_cc_default", ret);
-
- ret = krb5_cc_get_principal(context, ccache, &keytab_principal);
- check_k5err(context, "krb5_cc_get_principal", ret);
-
- major = gss_krb5_import_cred(&minor, ccache, keytab_principal, keytab,
- impersonator_cred_handle);
- check_gsserr("gss_krb5_import_cred", major, minor);
-
- krb5_free_principal(context, keytab_principal);
- krb5_cc_close(context, ccache);
- krb5_kt_close(context, keytab);
- krb5_free_context(context);
- } else {
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- mechs, GSS_C_BOTH, impersonator_cred_handle,
- NULL, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
- }
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major;
- gss_cred_id_t impersonator_cred_handle =
GSS_C_NO_CREDENTIAL;
- gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
- gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
- gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
- gss_OID_set mechs, actual_mechs = GSS_C_NO_OID_SET;
- uid_t uid;
-
- if (argc < 2 || argc > 5) {
- fprintf(stderr, "Usage: %s [--spnego] [user] "
- "[proxy-target] [keytab]\n", argv[0]);
- fprintf(stderr, " proxy-target and keytab are optional\n");
- exit(1);
- }
-
- if (strcmp(argv[1], "--spnego") == 0) {
- use_spnego++;
- argc--;
- argv++;
- }
-
- user = import_name(argv[1]);
-
- major = gss_pname_to_uid(&minor, user, NULL, &uid);
- check_gsserr("gss_pname_to_uid(user)", major, minor);
-
- if (argc > 2 && strcmp(argv[2], "-") != 0)
- target = import_name(argv[2]);
-
- mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
-
- get_default_cred((argc > 3) ? argv[3] : NULL, mechs,
- &impersonator_cred_handle);
-
- printf("Protocol transition tests follow\n");
- printf("-----------------------------------\n\n");
-
- /* get S4U2Self cred */
- major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle,
- user, GSS_C_INDEFINITE, mechs,
- GSS_C_INITIATE,
- &user_cred_handle, &actual_mechs,
- NULL);
- check_gsserr("gss_acquire_cred_impersonate_name", major, minor);
-
- /* Try to store it in default ccache */
- major = gss_store_cred(&minor, user_cred_handle, GSS_C_INITIATE,
- &mechs->elements[0], 1, 1, NULL, NULL);
- check_gsserr("gss_store_cred", major, minor);
-
- init_accept_sec_context(user_cred_handle, impersonator_cred_handle,
- &delegated_cred_handle);
-
- printf("\n");
-
- (void)gss_release_name(&minor, &user);
- (void)gss_release_name(&minor, &target);
- (void)gss_release_cred(&minor, &delegated_cred_handle);
- (void)gss_release_cred(&minor, &impersonator_cred_handle);
- (void)gss_release_cred(&minor, &user_cred_handle);
- (void)gss_release_oid_set(&minor, &actual_mechs);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_iakerb.c b/crypto/krb5/src/tests/gssapi/t_iakerb.c
deleted file mode 100644
index 1bab1823fabc..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_iakerb.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_iakerb.c - IAKERB tests */
-/*
- * Copyright (C) 2024, 2025 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include "common.h"
-
-int
-main(int argc, char **argv)
-{
- OM_uint32 major, minor;
- const char *password;
- gss_name_t iname, tname, aname;
- gss_cred_id_t icred, acred;
- gss_ctx_id_t ictx, actx;
- gss_buffer_desc pwbuf;
-
- if (argc != 5) {
- fprintf(stderr, "Usage: %s initiatorname password|- targetname "
- "acceptorname\n", argv[0]);
- return 1;
- }
-
- iname = import_name(argv[1]);
- password = argv[2];
- tname = import_name(argv[3]);
- aname = import_name(argv[4]);
-
- if (strcmp(password, "-") != 0) {
- pwbuf.value = (void *)password;
- pwbuf.length = strlen(password);
- major = gss_acquire_cred_with_password(&minor, iname, &pwbuf, 0,
- &mechset_iakerb, GSS_C_INITIATE,
- &icred, NULL, NULL);
- check_gsserr("gss_acquire_cred_with_password", major, minor);
- } else {
- major = gss_acquire_cred(&minor, iname, GSS_C_INDEFINITE,
- &mechset_iakerb, GSS_C_INITIATE, &icred, NULL,
- NULL);
- check_gsserr("gss_acquire_cred(iname)", major, minor);
- }
-
- major = gss_acquire_cred(&minor, aname, GSS_C_INDEFINITE, &mechset_iakerb,
- GSS_C_ACCEPT, &acred, NULL, NULL);
- check_gsserr("gss_acquire_cred(aname)", major, minor);
-
- establish_contexts(&mech_iakerb, icred, acred, tname, 0, &ictx, &actx,
- NULL, NULL, NULL);
-
- (void)gss_release_name(&minor, &iname);
- (void)gss_release_name(&minor, &tname);
- (void)gss_release_name(&minor, &aname);
- (void)gss_release_cred(&minor, &icred);
- (void)gss_release_cred(&minor, &acred);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_imp_cred.c b/crypto/krb5/src/tests/gssapi/t_imp_cred.c
deleted file mode 100644
index a2aa5fbaed26..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_imp_cred.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_imp_cred.c - krb5_gss_import_cred test harness */
-/*
- * Copyright 2011 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Test program for krb5_gss_import_cred, intended to be run from a Python test
- * script. Creates an initiator credential for the default ccache and an
- * acceptor principal for the default keytab (possibly using a specified keytab
- * principal), and performs a one-token context exchange using a specified
- * target principal. If the exchange is successful, queries the context for
- * the acceptor name and prints it. If any call is unsuccessful, displays an
- * error message. Exits with status 0 if all operations are successful, or 1
- * if not.
- *
- * Usage: ./t_imp_cred target-princ [keytab-princ]
- */
-
-#include "k5-platform.h"
-#include <krb5.h>
-
-#include "common.h"
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major, flags;
- gss_cred_id_t initiator_cred, acceptor_cred;
- gss_ctx_id_t initiator_context, acceptor_context;
- gss_name_t target_name;
- krb5_context context = NULL;
- krb5_ccache cc;
- krb5_keytab kt;
- krb5_principal princ = NULL;
- krb5_error_code ret;
-
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s targetname [acceptorprinc]\n", argv[0]);
- return 1;
- }
-
- /* Import the target name. */
- target_name = import_name(argv[1]);
-
- /* Acquire the krb5 objects we need. */
- ret = krb5_init_context(&context);
- check_k5err(context, "krb5_init_context", ret);
- ret = krb5_cc_default(context, &cc);
- check_k5err(context, "krb5_cc_default", ret);
- ret = krb5_kt_default(context, &kt);
- check_k5err(context, "krb5_kt_default", ret);
- if (argc >= 3) {
- ret = krb5_parse_name(context, argv[2], &princ);
- check_k5err(context, "krb5_parse_name", ret);
- }
-
- /* Get initiator cred. */
- major = gss_krb5_import_cred(&minor, cc, NULL, NULL, &initiator_cred);
- check_gsserr("gss_krb5_import_cred (initiator)", major, minor);
-
- /* Get acceptor cred.
*/
- major = gss_krb5_import_cred(&minor, NULL, princ, kt, &acceptor_cred);
- check_gsserr("gss_krb5_import_cred (acceptor)", major, minor);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_krb5, initiator_cred, acceptor_cred, target_name,
- flags, &initiator_context, &acceptor_context, NULL,
- NULL, NULL);
-
- krb5_cc_close(context, cc);
- krb5_kt_close(context, kt);
- krb5_free_principal(context, princ);
- krb5_free_context(context);
- (void)gss_release_name(&minor, &target_name);
- (void)gss_release_cred(&minor, &initiator_cred);
- (void)gss_release_cred(&minor, &acceptor_cred);
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_imp_name.c b/crypto/krb5/src/tests/gssapi/t_imp_name.c
deleted file mode 100644
index e7dbcc426e2f..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_imp_name.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 1996, Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Simple test program for testing how GSSAPI import name works. (May
- * be made into a more full-fledged test program later.)
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "common.h"
-
-static const char *
-oid_str(char type)
-{
- switch (type) {
- case 'p': /* GSS_KRB5_NT_PRINCIPAL_NAME */
- return "{ 1 2 840 113554 1 2 2 1 }";
- case 'e': /* GSS_KRB5_NT_ENTERPRISE_NAME */
- return "{ 1 2 840 113554 1 2 2 6 }";
- case 'c': /* GSS_KRB5_NT_X509_CERT */
- return "{ 1 2 840 113554 1 2 2 7 }";
- case 'h': /* GSS_C_NT_HOSTBASED_SERVICE */
- return "{ 1 2 840 113554 1 2 1 4 }";
- }
- return "no_oid";
-}
-
-/* Return true if buf has the same contents as str, plus a zero byte if
- * indicated by buf_includes_nullterm. */
-static int
-buf_eq_str(gss_buffer_t buf, const char *str, int buf_includes_nullterm)
-{
- size_t len = strlen(str) + (buf_includes_nullterm ? 1 : 0);
-
- return (buf->length == len && memcmp(buf->value, str, len) == 0);
-}
-
-static void
-test_import_name(const char *name)
-{
- OM_uint32 major, minor;
- gss_name_t gss_name;
- gss_buffer_desc buf;
- gss_OID name_oid;
-
- gss_name = import_name(name);
-
- major = gss_display_name(&minor, gss_name, &buf, &name_oid);
- check_gsserr("gss_display_name", major, minor);
- if (!buf_eq_str(&buf, name + 2, 0))
- errout("wrong name string");
- (void)gss_release_buffer(&minor, &buf);
-
- major = gss_oid_to_str(&minor, name_oid, &buf);
- check_gsserr("gss_oid_to_str", major, minor);
- if (!buf_eq_str(&buf, oid_str(*name), 1))
- errout("wrong name type");
- (void)gss_release_buffer(&minor, &buf);
- (void)gss_release_name(&minor, &gss_name);
-}
-
-int
-main(int argc, char **argv)
-{
- test_import_name("p:user@MIT.EDU");
- test_import_name("e:enterprise@mit.edu@MIT.EDU");
- test_import_name("h:HOST@dc1.mit.edu");
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_inq_cred.c b/crypto/krb5/src/tests/gssapi/t_inq_cred.c
deleted file mode 100644
index 8dd331d679a7..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_inq_cred.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_inq_cred.c - Test program for gss_inquire_cred behavior */
-/*
- * Copyright 2012 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Test program for gss_inquire_cred, intended to be run from a Python test
- * script. Acquires credentials, inquires them, and prints the resulting name
- * and lifetime.
- *
- * Usage: ./t_inq_cred [-k|-s] [-a|-b|-i] [initiatorname]
- *
- * By default no mechanism is specified when acquiring credentials; -k
- * indicates the krb5 mech and -s indicates SPNEGO. By default or with -i,
- * initiator credentials are acquired; -a indicates acceptor credentials and -b
- * indicates credentials of both types.
The credential is acquired with no
- * name by default; a krb5 principal name or host-based name (prefixed with
- * "gss:") may be supplied as an argument.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "common.h"
-
-static void
-usage(void)
-{
- fprintf(stderr,
- "Usage: t_inq_cred [-k|-s] [-a|-b|-i] [princ|gss:service@host]\n");
- exit(1);
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major, lifetime;
- gss_cred_usage_t cred_usage = GSS_C_INITIATE;
- gss_OID_set mechs = GSS_C_NO_OID_SET;
- gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
- gss_name_t name = GSS_C_NO_NAME;
- gss_buffer_desc buf;
- const char *name_arg = NULL;
- char opt;
-
- while (argc > 1 && argv[1][0] == '-') {
- opt = argv[1][1];
- argc--, argv++;
- if (opt == 'a')
- cred_usage = GSS_C_ACCEPT;
- else if (opt == 'b')
- cred_usage = GSS_C_BOTH;
- else if (opt == 'i')
- cred_usage = GSS_C_INITIATE;
- else if (opt == 'k')
- mechs = &mechset_krb5;
- else if (opt == 's')
- mechs = &mechset_spnego;
- else
- usage();
- }
- if (argc > 2)
- usage();
- if (argc > 1)
- name_arg = argv[1];
-
- /* Import the name, if given. */
- if (name_arg != NULL)
- name = import_name(name_arg);
-
- /* Acquire a credential. */
- major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechs, cred_usage,
- &cred, NULL, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
-
- /* Inquire about the credential. */
- (void)gss_release_name(&minor, &name);
- major = gss_inquire_cred(&minor, cred, &name, &lifetime, NULL, NULL);
- check_gsserr("gss_inquire_cred", major, minor);
-
- /* Get a display form of the name.
*/
- buf.value = NULL;
- buf.length = 0;
- major = gss_display_name(&minor, name, &buf, NULL);
- check_gsserr("gss_display_name", major, minor);
-
- printf("name: %.*s\n", (int)buf.length, (char *)buf.value);
- printf("lifetime: %d\n", (int)lifetime);
-
- (void)gss_release_cred(&minor, &cred);
- (void)gss_release_name(&minor, &name);
- (void)gss_release_buffer(&minor, &buf);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_inq_ctx.c b/crypto/krb5/src/tests/gssapi/t_inq_ctx.c
deleted file mode 100644
index c59ca38215a0..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_inq_ctx.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 2015 Red Hat, Inc.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation files
- * (the "Software"), to deal in the Software without restriction,
- * including without limitation the rights to use, copy, modify, merge,
- * publish, distribute, sublicense, and/or sell copies of the Software,
- * and to permit persons to whom the Software is furnished to do so,
- * subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-
-#include "common.h"
-
-
-/*
- * Test program for inquiring about a security context, intended to be run from
- * a Python test script. Partially establishes a context to test inquiring
- * about an incomplete context, and then establishes full contexts and inquires
- * them. Exits with status 0 if all operations are successful, or 1 if not.
- *
- * Usage: ./t_inq_ctx target_name
- */
-
-static void
-check_inq_context(gss_ctx_id_t context, int incomplete, gss_OID expected_mech,
- OM_uint32 expected_flags, int expected_locally_init)
-{
- OM_uint32 major, minor;
- gss_name_t out_init_name, out_accept_name;
- OM_uint32 out_lifetime;
- gss_OID out_mech_type;
- OM_uint32 out_flags;
- int out_locally_init;
- int out_open;
-
- major = gss_inquire_context(&minor, context, &out_init_name,
- &out_accept_name, &out_lifetime,
- &out_mech_type, &out_flags, &out_locally_init,
- &out_open);
- check_gsserr("gss_inquire_context", major, minor);
-
- assert(gss_oid_equal(out_mech_type, expected_mech));
- assert(out_flags == expected_flags);
- assert(out_locally_init == expected_locally_init);
- if (incomplete) {
- assert(!out_open);
- assert(out_lifetime == 0);
- assert(out_init_name == GSS_C_NO_NAME);
- assert(out_accept_name == GSS_C_NO_NAME);
- } else {
- assert(out_open);
- assert(out_lifetime > 0);
- assert(out_init_name != GSS_C_NO_NAME);
- assert(out_accept_name != GSS_C_NO_NAME);
- }
-
- (void)gss_release_name(&minor, &out_accept_name);
- (void)gss_release_name(&minor, &out_init_name);
-}
-
-/* Call gss_init_sec_context() once to create an initiator context (which will
- * be partial if flags includes GSS_C_MUTUAL_FLAG and the mech is krb5). */
-static void
-start_init_context(gss_OID mech, gss_cred_id_t cred, gss_name_t tname,
- OM_uint32 flags, gss_ctx_id_t *ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc itok = GSS_C_EMPTY_BUFFER;
-
- *ctx = GSS_C_NO_CONTEXT;
- major = gss_init_sec_context(&minor, cred, ctx, tname, mech, flags,
- GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
- NULL, NULL, &itok, NULL, NULL);
- check_gsserr("gss_init_sec_context", major, minor);
- (void)gss_release_buffer(&minor, &itok);
-}
-
-/* Call gss_init_sec_context() and gss_accept_sec_context() once to create an
- * acceptor context.
*/
-static void
-start_accept_context(gss_OID mech, gss_cred_id_t icred, gss_cred_id_t acred,
- gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ctx)
-{
- OM_uint32 major, minor;
- gss_ctx_id_t ictx = GSS_C_NO_CONTEXT;
- gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
-
- major = gss_init_sec_context(&minor, icred, &ictx, tname, mech, flags,
- GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
- NULL, NULL, &itok, NULL, NULL);
- check_gsserr("gss_init_sec_context", major, minor);
-
- *ctx = GSS_C_NO_CONTEXT;
- major = gss_accept_sec_context(&minor, ctx, acred, &itok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
- &atok, NULL, NULL, NULL);
- check_gsserr("gss_accept_sec_context", major, minor);
-
- (void)gss_release_buffer(&minor, &itok);
- (void)gss_release_buffer(&minor, &atok);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
-}
-
-static void
-partial_iakerb_acceptor(const char *username, const char *password,
- gss_name_t tname, OM_uint32 flags, gss_ctx_id_t *ctx)
-{
- OM_uint32 major, minor;
- gss_name_t name;
- gss_buffer_desc ubuf, pwbuf;
- gss_OID_set_desc mechlist;
- gss_cred_id_t icred, acred;
-
- mechlist.count = 1;
- mechlist.elements = &mech_iakerb;
-
- /* Import the username. */
- ubuf.value = (void *)username;
- ubuf.length = strlen(username);
- major = gss_import_name(&minor, &ubuf, GSS_C_NT_USER_NAME, &name);
- check_gsserr("gss_import_name", major, minor);
-
- /* Create an IAKERB initiator cred with the username and password. */
- pwbuf.value = (void *)password;
- pwbuf.length = strlen(password);
- major = gss_acquire_cred_with_password(&minor, name, &pwbuf, 0,
- &mechlist, GSS_C_INITIATE, &icred,
- NULL, NULL);
- check_gsserr("gss_acquire_cred_with_password", major, minor);
-
- /* Create an acceptor cred with support for IAKERB.
*/
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- &mechlist, GSS_C_ACCEPT, &acred, NULL, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
-
- /* Begin context establishment to get a partial acceptor context. */
- start_accept_context(&mech_iakerb, icred, acred, tname, flags, ctx);
-
- (void)gss_release_name(&minor, &name);
- (void)gss_release_cred(&minor, &icred);
- (void)gss_release_cred(&minor, &acred);
-}
-
-/* Create a partially established SPNEGO acceptor. */
-static void
-partial_spnego_acceptor(gss_name_t tname, gss_ctx_id_t *ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok;
-
- /*
- * We could construct a fixed SPNEGO initiator token which forces a
- * renegotiation, but a simpler approach is to pass an empty token to
- * gss_accept_sec_context(), taking advantage of our compatibility support
- * for SPNEGO NegHints.
- */
- *ctx = GSS_C_NO_CONTEXT;
- major = gss_accept_sec_context(&minor, ctx, GSS_C_NO_CREDENTIAL, &itok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
- &atok, NULL, NULL, NULL);
- check_gsserr("gss_accept_sec_context(neghints)", major, minor);
-
- (void)gss_release_buffer(&minor, &atok);
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, flags, dce_flags;
- gss_name_t tname;
- gss_ctx_id_t ictx, actx;
- const char *username, *password;
-
- if (argc != 4) {
- fprintf(stderr, "Usage: %s username password targetname\n", argv[0]);
- return 1;
- }
- username = argv[1];
- password = argv[2];
- tname = import_name(argv[3]);
-
- flags = GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG;
- start_init_context(&mech_krb5, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
- check_inq_context(ictx, 1, &mech_krb5, flags | GSS_C_TRANS_FLAG, 1);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
-
- start_init_context(&mech_iakerb, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
- check_inq_context(ictx, 1, &mech_iakerb, flags, 1);
-
(void)gss_delete_sec_context(&minor, &ictx, NULL);
-
- start_init_context(&mech_spnego, GSS_C_NO_CREDENTIAL, tname, flags, &ictx);
- check_inq_context(ictx, 1, &mech_spnego, flags, 1);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
-
- dce_flags = flags | GSS_C_DCE_STYLE;
- start_accept_context(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- tname, dce_flags, &actx);
- check_inq_context(actx, 1, &mech_krb5, dce_flags | GSS_C_TRANS_FLAG, 0);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-
- partial_iakerb_acceptor(username, password, tname, flags, &actx);
- check_inq_context(actx, 1, &mech_iakerb, 0, 0);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-
- partial_spnego_acceptor(tname, &actx);
- check_inq_context(actx, 1, &mech_spnego, 0, 0);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-
- establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- tname, flags, &ictx, &actx, NULL, NULL, NULL);
-
- check_inq_context(ictx, 0, &mech_krb5, flags | GSS_C_TRANS_FLAG, 1);
- check_inq_context(actx, 0, &mech_krb5,
- flags | GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG, 0);
-
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-
- (void)gss_release_name(&minor, &tname);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_inq_mechs_name.c b/crypto/krb5/src/tests/gssapi/t_inq_mechs_name.c
deleted file mode 100644
index 9f4ae4e16397..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_inq_mechs_name.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_inq_mechs_name.c - Exercise gss_inquire_mechs_for_name */
-/*
- * Copyright (C) 2012 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Test program to exercise gss_inquire_mechs_for_name by importing a name and
- * reporting the mech OIDs which are reported as being able to process it.
- *
- * Usage: ./t_inq_mechs_name name
- */
-
-#include <stdio.h>
-
-#include "common.h"
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major;
- gss_name_t name;
- gss_OID_set mechs;
- size_t i;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: t_inq_mechs_for_name name\n");
- return 1;
- }
- name = import_name(argv[1]);
- major = gss_inquire_mechs_for_name(&minor, name, &mechs);
- check_gsserr("gss_inquire_mechs_for_name", major, minor);
- for (i = 0; i < mechs->count; i++)
- display_oid(NULL, &mechs->elements[i]);
- (void)gss_release_oid_set(&minor, &mechs);
- (void)gss_release_name(&minor, &name);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_invalid.c b/crypto/krb5/src/tests/gssapi/t_invalid.c
deleted file mode 100644
index a558a6813253..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_invalid.c
+++ /dev/null
@@ -1,795 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_invalid.c - Invalid message token regression tests */
-/*
- * Copyright (C) 2014 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This file contains regression tests for some GSSAPI invalid token
- * vulnerabilities.
- *
- * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a
- * null pointer dereference. (The token must use SEAL_ALG_NONE or it will
- * be rejected.) This vulnerability also applies to IOV unwrap.
- *
- * 2.
A CFX wrap token with a different value of EC between the plaintext and
- * encrypted copies will be erroneously accepted, which allows a message
- * truncation attack. This vulnerability also applies to IOV unwrap.
- *
- * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an
- * access before the beginning of the input buffer, possibly leading to a
- * crash.
- *
- * 4. A CFX wrap token with a plaintext EC value greater than the plaintext
- * length - 16 causes an integer underflow when computing the result length,
- * likely causing a crash.
- *
- * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1
- * wrapper longer than the header buffer is present.
- *
- * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
- * header causes an input buffer overrun, usually leading to either a segv
- * or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or
- * sequence number values. This vulnerability also applies to IOV unwrap.
- *
- * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
- * header causes an integer underflow when computing the ciphertext length,
- * leading to an allocation error on 32-bit platforms or a segv on 64-bit
- * platforms. A pre-CFX MIC token of this size causes an input buffer
- * overrun when comparing the checksum, perhaps leading to a segv.
- *
- * 8. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
- * ciphertext (where padlen is the last byte of the decrypted ciphertext)
- * causes an integer underflow when computing the original message length,
- * leading to an allocation error.
- *
- * 9. In the mechglue, truncated encapsulation in the initial context token can
- * cause input buffer overruns in gss_accept_sec_context().
- */ - -#include "k5-int.h" -#include "common.h" -#include "mglueP.h" -#include "gssapiP_krb5.h" - -/* - * The following samples contain: - * - context parameters - * - otherwise valid seal tokens where the plain text is padded with byte value - * 100 instead of the proper value 1. - * - valid MIC tokens for the message "message" - * - two valid wrap tokens for the message "message", one without - * confidentiality and one with - */ -struct test { - krb5_enctype enctype; - krb5_enctype encseq_enctype; - int sealalg; - int signalg; - size_t cksum_size; - size_t keylen; - const char *keydata; - size_t toklen; - const char *token; - size_t miclen; - const char *mic; - size_t wrap1len; - const char *wrap1; - size_t wrap2len; - const char *wrap2; -} tests[] = { - { - ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW, - SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20, - 24, - "\x4F\xEA\x19\x19\x5E\x0E\x10\xDF\x3D\x29\xB5\x13\x8F\x01\xC7\xA7" - "\x92\x3D\x38\xF7\x26\x73\x0D\x6D", - 65, - "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" - "\x00\x02\x00\xFF\xFF\xEB\xF3\x9A\x89\x24\x57\xB8\x63\x95\x25\xE8" - "\x6E\x8E\x79\xE6\x2E\xCA\xD3\xFF\x57\x9F\x8C\xAB\xEF\xDD\x28\x10" - "\x2F\x93\x21\x2E\xF2\x52\xB6\x6F\xA8\xBB\x8A\x6D\xAA\x6F\xB7\xF4\xD4", - 49, - "\x60\x2F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01\x01\x04" - "\x00\xFF\xFF\xFF\xFF\x57\xF5\x77\xC6\xC0\x72\x26\x97\x00\x89\xB2" - "\xEE\xD9\xD1\x90\xE7\x11\x50\x4F\xE9\x59\x18\xB1\x8F\x82\x8E\x8F\x5E", - 65, - "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" - "\x00\xFF\xFF\xFF\xFF\x0B\x81\x56\x4A\x02\x1B\xBE\x83\x2B\x35\x08" - "\x7B\x49\x15\x07\x97\x6A\x64\xEF\xDD\x32\x52\xF0\xA2\xE2\x62\x9B" - "\xA7\x72\xF7\x3D\x6B\x2D\xAC\x21\xE9\x6D\x65\x73\x73\x61\x67\x65\x01", - 65, - "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" - "\x00\x02\x00\xFF\xFF\x66\x5A\xE1\xC8\x4F\x69\x33\x97\x5D\x05\xE2" - "\x86\x40\x14\x15\x14\x27\x01\x9F\x32\x9D\x82\xF4\xE1\xC5\x3E\xFA" - 
"\x6D\x7D\x05\x39\xAE\x21\x44\xA0\x87\xA6\x24\xED\xFC\xA3\x53\xF1\x30" - }, - { - ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC, - SEAL_ALG_MICROSOFT_RC4, SGN_ALG_HMAC_MD5, 8, - 16, - "\x66\x64\x41\x64\x55\x78\x21\xD0\xD0\xFD\x05\x6A\xFF\x6F\xE8\x09", - 53, - "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11" - "\x00\x10\x00\xFF\xFF\x35\xD4\x79\xF3\x8C\x47\x8F\x6E\x23\x6F\x3E" - "\xCC\x5E\x57\x5C\x6A\x89\xF0\xA2\x03\x4F\x0B\x51\x11\xEE\x89\x7E" - "\xD6\xF6\xB5\xD6\x51", - 37, - "\x60\x23\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01\x01\x11" - "\x00\xFF\xFF\xFF\xFF\x5D\xE7\x51\xF6\xFB\x6C\x25\x5B\x23\x93\x5A" - "\x30\x20\x57\xDC\xB5", - 53, - "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11" - "\x00\xFF\xFF\xFF\xFF\xAD\xB5\x1D\x01\x39\x7B\xA2\x16\x4C\x1B\x68" - "\x18\xEC\xAC\xD9\xE5\x9E\xD1\x41\x7A\x89\xE8\xCB\x24\x6D\x65\x73" - "\x73\x61\x67\x65\x01", - 53, - "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11" - "\x00\x10\x00\xFF\xFF\xDD\x6D\x04\xEA\x64\x5C\xE7\x31\x50\xD0\x09" - "\x44\x9E\x67\xA4\x30\xEC\xFB\xFF\xC0\xF7\x16\x1E\x14\x1A\x82\x42" - "\xDD\x26\x23\x2B\x02" - } -}; - -static void * -ealloc(size_t len) -{ - void *ptr = calloc(len, 1); - - if (ptr == NULL) - abort(); - return ptr; -} - -/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. - * The context takes ownership of subkey. 
*/
-static gss_ctx_id_t
-make_fake_cfx_context(krb5_key subkey)
-{
- gss_union_ctx_id_t uctx;
- krb5_gss_ctx_id_t kgctx;
-
- kgctx = ealloc(sizeof(*kgctx));
- kgctx->established = 1;
- kgctx->proto = 1;
- if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
- abort();
- kgctx->mech_used = &mech_krb5;
- kgctx->sealalg = -1;
- kgctx->signalg = -1;
-
- kgctx->subkey = subkey;
- kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
-
- uctx = ealloc(sizeof(*uctx));
- uctx->mech_type = &mech_krb5;
- uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
- return (gss_ctx_id_t)uctx;
-}
-
-/* Fake up enough of a GSS context for gss_unwrap, using keys from test. */
-static gss_ctx_id_t
-make_fake_context(const struct test *test)
-{
- gss_union_ctx_id_t uctx;
- krb5_gss_ctx_id_t kgctx;
- krb5_keyblock kb;
-
- kgctx = ealloc(sizeof(*kgctx));
- kgctx->established = 1;
- if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
- abort();
- kgctx->mech_used = &mech_krb5;
- kgctx->sealalg = test->sealalg;
- kgctx->signalg = test->signalg;
- kgctx->cksum_size = test->cksum_size;
-
- kb.enctype = test->enctype;
- kb.length = test->keylen;
- kb.contents = (unsigned char *)test->keydata;
- if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0)
- abort();
-
- kb.enctype = test->encseq_enctype;
- if (krb5_k_create_key(NULL, &kb, &kgctx->seq) != 0)
- abort();
-
- if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
- abort();
-
- uctx = ealloc(sizeof(*uctx));
- uctx->mech_type = &mech_krb5;
- uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
- return (gss_ctx_id_t)uctx;
-}
-
-/* Free a context created by make_fake_context.
*/
-static void
-free_fake_context(gss_ctx_id_t ctx)
-{
- gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)ctx;
- krb5_gss_ctx_id_t kgctx = (krb5_gss_ctx_id_t)uctx->internal_ctx_id;
-
- free(kgctx->seqstate);
- krb5_k_free_key(NULL, kgctx->subkey);
- krb5_k_free_key(NULL, kgctx->seq);
- krb5_k_free_key(NULL, kgctx->enc);
- free(kgctx);
- free(uctx);
-}
-
-/* Prefix a token (starting at the two-byte ID) with an ASN.1 header and return
- * it in an allocated block to facilitate checking by valgrind or similar. */
-static void
-make_token(unsigned char *token, size_t len, gss_buffer_t out)
-{
- char *wrapped;
-
- assert(mech_krb5.length == 9);
- assert(len + 11 < 128);
- wrapped = ealloc(len + 13);
- wrapped[0] = 0x60;
- wrapped[1] = len + 11;
- wrapped[2] = 0x06;
- wrapped[3] = 9;
- memcpy(wrapped + 4, mech_krb5.elements, 9);
- memcpy(wrapped + 13, token, len);
- out->length = len + 13;
- out->value = wrapped;
-}
-
-/* Create a 16-byte header for a CFX confidential wrap token to be processed by
- * the fake CFX context. */
-static void
-write_cfx_header(uint16_t ec, uint8_t *out)
-{
- memset(out, 0, 16);
- store_16_be(KG2_TOK_WRAP_MSG, out);
- out[2] = FLAG_WRAP_CONFIDENTIAL;
- out[3] = 0xFF;
- store_16_be(ec, out + 4);
-}
-
-/* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with
- * regular and IOV unwrap.
*/
-static void
-test_bogus_1964_token(gss_ctx_id_t ctx)
-{
- OM_uint32 minor, major;
- unsigned char tokbuf[128];
- gss_buffer_desc in, out;
- gss_iov_buffer_desc iov;
-
- store_16_be(KG_TOK_SIGN_MSG, tokbuf);
- store_16_le(SGN_ALG_HMAC_MD5, tokbuf + 2);
- store_16_le(SEAL_ALG_NONE, tokbuf + 4);
- store_16_le(0xFFFF, tokbuf + 6);
- memset(tokbuf + 8, 0, 16);
- make_token(tokbuf, 24, &in);
-
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- (void)gss_release_buffer(&minor, &out);
-
- iov.type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov.buffer = in;
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, &iov, 1);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
-
- free(in.value);
-}
-
-static void
-test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey)
-{
- OM_uint32 major, minor;
- uint8_t tokbuf[128], plainbuf[24];
- krb5_data plain;
- krb5_enc_data cipher;
- gss_buffer_desc in, out;
- gss_iov_buffer_desc iov[2];
-
- /* Construct a header with a plaintext EC value of 3. */
- write_cfx_header(3, tokbuf);
-
- /* Encrypt a plaintext and a copy of the header with the EC value 0. */
- memcpy(plainbuf, "truncate", 8);
- memcpy(plainbuf + 8, tokbuf, 16);
- store_16_be(0, plainbuf + 12);
- plain = make_data(plainbuf, 24);
- cipher.ciphertext.data = (char *)tokbuf + 16;
- cipher.ciphertext.length = sizeof(tokbuf) - 16;
- cipher.enctype = subkey->keyblock.enctype;
- if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
- &plain, &cipher) != 0)
- abort();
-
- /* Verify that the token is rejected by gss_unwrap(). */
- in.value = tokbuf;
- in.length = 16 + cipher.ciphertext.length;
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- (void)gss_release_buffer(&minor, &out);
-
- /* Verify that the token is rejected by gss_unwrap_iov().
*/
- iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
- iov[0].buffer = in;
- iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
-}
-
-static void
-test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
-{
- OM_uint32 major, minor;
- uint8_t tokbuf[128], zerobyte = 0;
- krb5_data plain;
- krb5_enc_data cipher;
- gss_buffer_desc in, out;
-
- write_cfx_header(0, tokbuf);
-
- /* Encrypt a single byte, with no copy of the header. */
- plain = make_data(&zerobyte, 1);
- cipher.ciphertext.data = (char *)tokbuf + 16;
- cipher.ciphertext.length = sizeof(tokbuf) - 16;
- cipher.enctype = subkey->keyblock.enctype;
- if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
- &plain, &cipher) != 0)
- abort();
-
- /* Verify that the token is rejected by gss_unwrap(). */
- in.value = tokbuf;
- in.length = 16 + cipher.ciphertext.length;
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- (void)gss_release_buffer(&minor, &out);
-}
-
-static void
-test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey)
-{
- OM_uint32 major, minor;
- uint8_t tokbuf[128] = { 0 }, plainbuf[20];
- krb5_data plain;
- krb5_enc_data cipher;
- gss_buffer_desc in, out;
-
- /* Construct a header with an EC value of 5. */
- write_cfx_header(5, tokbuf);
-
- /* Encrypt a 4-byte plaintext plus the header. */
- memcpy(plainbuf, "abcd", 4);
- memcpy(plainbuf + 4, tokbuf, 16);
- plain = make_data(plainbuf, 20);
- cipher.ciphertext.data = (char *)tokbuf + 16;
- cipher.ciphertext.length = sizeof(tokbuf) - 16;
- cipher.enctype = subkey->keyblock.enctype;
- if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
- &plain, &cipher) != 0)
- abort();
-
- /* Verify that the token is rejected by gss_unwrap().
*/
- in.value = tokbuf;
- in.length = 16 + cipher.ciphertext.length;
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- (void)gss_release_buffer(&minor, &out);
-}
-
-static void
-test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
-{
- OM_uint32 minor, major;
- uint8_t databuf[10] = { 0 };
- gss_iov_buffer_desc iov[2];
-
- /*
- * In this IOV array, the header contains a DER tag with a dangling eight
- * bytes of length field. The data IOV indicates a total token length
- * sufficient to contain the length bytes.
- */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[0].buffer.value = ealloc(2);
- iov[0].buffer.length = 2;
- memcpy(iov[0].buffer.value, "\x60\x88", 2);
- iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
- iov[1].buffer.value = databuf;
- iov[1].buffer.length = 10;
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(iov[0].buffer.value);
-}
-
-/* Verify that token is a valid MIC token for ctx and message, and that
- * changing any of the input bytes yields one of the expected errors. */
-static void
-mictest(gss_ctx_id_t ctx, gss_buffer_t message, gss_buffer_t token)
-{
- OM_uint32 major, minor;
- size_t i;
- uint8_t *p;
-
- major = gss_verify_mic(&minor, ctx, message, token, NULL);
- check_gsserr("gss_verify_mic", major, minor);
-
- p = token->value;
- for (i = 0; i < token->length; i++) {
- /* Skip sequence number bytes for RC4.
*/
- if (load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24)
- continue;
- p[i]++;
- major = gss_verify_mic(&minor, ctx, message, token, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
- abort();
- p[i]--;
- }
- p = message->value;
- for (i = 0; i < message->length; i++) {
- p[i]++;
- major = gss_verify_mic(&minor, ctx, message, token, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
- abort();
- p[i]--;
- }
-}
-
-static void
-test_cfx_verify_mic(gss_ctx_id_t ctx)
-{
- gss_buffer_desc message, token;
- uint8_t msg[] = "message";
- uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74"
- "\x67\x94\x8A\xD0";
-
- message.value = msg;
- message.length = sizeof(msg) - 1;
- token.value = mic;
- token.length = sizeof(mic) - 1;
- mictest(ctx, &message, &token);
-}
-
-static void
-test_verify_mic(gss_ctx_id_t ctx, const struct test *test)
-{
- gss_buffer_desc message, token;
- uint8_t msg[] = "message", buf[128];
-
- assert(test->miclen <= sizeof(buf));
- memcpy(buf, test->mic, test->miclen);
-
- message.value = msg;
- message.length = sizeof(msg) - 1;
- token.value = buf;
- token.length = test->miclen;
- mictest(ctx, &message, &token);
-}
-
-/* Verify that token is a valid wrap token for ctx unwrapping to message, and
- * that changing any of the token bytes yields one of the expected errors. */
-static void
-unwraptest(gss_ctx_id_t ctx, gss_buffer_t message, gss_buffer_t token)
-{
- OM_uint32 major, minor;
- gss_buffer_desc unwrapped;
- size_t i;
- uint8_t *p;
-
- major = gss_unwrap(&minor, ctx, token, &unwrapped, NULL, NULL);
- check_gsserr("gss_unwrap", major, minor);
- if (unwrapped.length != message->length ||
- memcmp(unwrapped.value, message->value, unwrapped.length) != 0)
- abort();
- gss_release_buffer(&minor, &unwrapped);
-
- p = token->value;
- for (i = 0; i < token->length; i++) {
- /* Skip sequence number bytes for RC4.
*/
- if (load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24)
- continue;
- p[i]++;
- major = gss_unwrap(&minor, ctx, token, &unwrapped, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
- abort();
- p[i]--;
- }
-}
-
-static void
-test_cfx_unwrap(gss_ctx_id_t ctx)
-{
- gss_buffer_desc message, token;
- uint8_t msg[] = "message";
- uint8_t token1[] = "\x05\x04\x00\xFF\x00\x0C\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x6D\x65\x73\x73\x61\x67\x65\xDF"
- "\x57\xB9\x5E\xA2\xB1\x73\x31\xDB\xCE\x61\x62";
- uint8_t token2[] = "\x05\x04\x02\xFF\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x72\xBB\xD7\xCF\xDE\xB0\xF9\x20"
- "\xE2\x9A\x98\xA7\xA4\xE7\xC9\x9B\x30\xD3\xFE\x61\x51\x2E\x1B\x56"
- "\x88\xB7\x8A\xF5\xA9\xBF\x8F\x82\xB1\xEB\xCC\x88\xE6\x33\x13\xBF"
- "\x52\x4B\xC0\x3B\x24\x3F\x3E\xF5\xF1\xE0\x64";
-
- message.value = msg;
- message.length = sizeof(msg) - 1;
- token.value = token1;
- token.length = sizeof(token1) - 1;
- unwraptest(ctx, &message, &token);
- token.value = token2;
- token.length = sizeof(token2) - 1;
- unwraptest(ctx, &message, &token);
-}
-
-static void
-test_unwrap(gss_ctx_id_t ctx, const struct test *test)
-{
- gss_buffer_desc message, token;
- uint8_t msg[] = "message", buf[128];
-
- assert(test->wrap1len <= sizeof(buf) && test->wrap2len <= sizeof(buf));
- token.value = buf;
-
- message.value = msg;
- message.length = sizeof(msg) - 1;
- memcpy(buf, test->wrap1, test->wrap1len);
- token.length = test->wrap1len;
- unwraptest(ctx, &message, &token);
- memcpy(buf, test->wrap2, test->wrap2len);
- token.length = test->wrap2len;
- unwraptest(ctx, &message, &token);
-}
-
-/* Process wrap and MIC tokens with incomplete headers.
*/
-static void
-test_short_header(gss_ctx_id_t ctx)
-{
- OM_uint32 minor, major;
- unsigned char tokbuf[128];
- gss_buffer_desc in, out, empty = GSS_C_EMPTY_BUFFER;
-
- /* Seal token, 2-24 bytes */
- store_16_be(KG_TOK_SEAL_MSG, tokbuf);
- make_token(tokbuf, 2, &in);
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(in.value);
- (void)gss_release_buffer(&minor, &out);
-
- /* Sign token, 2-24 bytes */
- store_16_be(KG_TOK_SIGN_MSG, tokbuf);
- make_token(tokbuf, 2, &in);
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(in.value);
- (void)gss_release_buffer(&minor, &out);
-
- /* MIC token, 2-24 bytes */
- store_16_be(KG_TOK_MIC_MSG, tokbuf);
- make_token(tokbuf, 2, &in);
- major = gss_verify_mic(&minor, ctx, &empty, &in, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(in.value);
-}
-
-/* Process wrap and MIC tokens with incomplete headers. */
-static void
-test_short_header_iov(gss_ctx_id_t ctx, const struct test *test)
-{
- OM_uint32 minor, major;
- unsigned char tokbuf[128];
- gss_iov_buffer_desc iov;
-
- /* IOV seal token, 16-23 bytes */
- store_16_be(KG_TOK_SEAL_MSG, tokbuf);
- store_16_le(test->signalg, tokbuf + 2);
- store_16_le(test->sealalg, tokbuf + 4);
- store_16_be(0xFFFF, tokbuf + 6);
- memset(tokbuf + 8, 0, 8);
- iov.type = GSS_IOV_BUFFER_TYPE_HEADER;
- make_token(tokbuf, 16, &iov.buffer);
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, &iov, 1);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(iov.buffer.value);
-
- /* IOV sign token, 16-23 bytes */
- store_16_be(KG_TOK_SIGN_MSG, tokbuf);
- store_16_le(test->signalg, tokbuf + 2);
- store_16_le(SEAL_ALG_NONE, tokbuf + 4);
- store_16_le(0xFFFF, tokbuf + 6);
- memset(tokbuf + 8, 0, 8);
- iov.type = GSS_IOV_BUFFER_TYPE_HEADER;
- make_token(tokbuf, 16, &iov.buffer);
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, &iov, 1);
- if (major !=
GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(iov.buffer.value);
-
- /* IOV MIC token, 16-23 bytes */
- store_16_be(KG_TOK_MIC_MSG, tokbuf);
- store_16_be(test->signalg, tokbuf + 2);
- store_16_le(SEAL_ALG_NONE, tokbuf + 4);
- store_16_le(0xFFFF, tokbuf + 6);
- memset(tokbuf + 8, 0, 8);
- iov.type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN;
- make_token(tokbuf, 16, &iov.buffer);
- major = gss_verify_mic_iov(&minor, ctx, NULL, &iov, 1);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(iov.buffer.value);
-}
-
-/* Process wrap and MIC tokens with incomplete checksums. */
-static void
-test_short_checksum(gss_ctx_id_t ctx, const struct test *test)
-{
- OM_uint32 minor, major;
- unsigned char tokbuf[128];
- gss_buffer_desc in, out, empty = GSS_C_EMPTY_BUFFER;
-
- /* Can only do this with the DES3 checksum, as we can't easily get past
- * retrieving the sequence number when the checksum is only eight bytes. */
- if (test->cksum_size <= 8)
- return;
- /* Seal token, fewer than 16 + cksum_size bytes. Use the token from the
- * test data to get a valid sequence number. */
- make_token((unsigned char *)test->token + 13, 24, &in);
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(in.value);
- (void)gss_release_buffer(&minor, &out);
-
- /* Sign token, fewer than 16 + cksum_size bytes. */
- memcpy(tokbuf, test->token + 13, 24);
- store_16_be(KG_TOK_SIGN_MSG, tokbuf);
- store_16_le(SEAL_ALG_NONE, tokbuf + 4);
- make_token(tokbuf, 24, &in);
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(in.value);
- (void)gss_release_buffer(&minor, &out);
-
- /* MIC token, fewer than 16 + cksum_size bytes.
*/
- memcpy(tokbuf, test->token + 13, 24);
- store_16_be(KG_TOK_MIC_MSG, tokbuf);
- store_16_le(SEAL_ALG_NONE, tokbuf + 4);
- make_token(tokbuf, 24, &in);
- major = gss_verify_mic(&minor, ctx, &empty, &in, NULL);
- if (major != GSS_S_DEFECTIVE_TOKEN)
- abort();
- free(in.value);
-}
-
-/* Unwrap a token with a bogus padding byte in the decrypted ciphertext. */
-static void
-test_bad_pad(gss_ctx_id_t ctx, const struct test *test)
-{
- OM_uint32 minor, major;
- gss_buffer_desc in, out;
-
- in.length = test->toklen;
- in.value = (char *)test->token;
- major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
- if (major != GSS_S_BAD_SIG)
- abort();
- (void)gss_release_buffer(&minor, &out);
-}
-
-static void
-try_accept(void *value, size_t len)
-{
- OM_uint32 minor;
- gss_buffer_desc in, out;
- gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
-
- /* Copy the provided value to make input overruns more obvious. */
- in.value = ealloc(len);
- memcpy(in.value, value, len);
- in.length = len;
- (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
- GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
- &out, NULL, NULL, NULL);
- gss_release_buffer(&minor, &out);
- gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
- free(in.value);
-}
-
-/* Accept contexts using superficially valid but truncated encapsulations. */
-static void
-test_short_encapsulation(void)
-{
- /* Include just the initial application tag, to see if we overrun reading
- * the sequence length. */
- try_accept("\x60", 1);
-
- /* Indicate four additional sequence length bytes, to see if we overrun
- * reading them (or skipping them and reading the next byte). */
- try_accept("\x60\x84", 2);
-
- /* Include an object identifier tag but no length, to see if we overrun
- * reading the length. */
- try_accept("\x60\x40\x06", 3);
-
- /* Include an object identifier tag with a length matching the krb5 mech,
- * but no OID bytes, to see if we overrun comparing against mechs.
*/
- try_accept("\x60\x40\x06\x09", 4);
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_keyblock kb;
- krb5_key cfx_subkey;
- gss_ctx_id_t ctx;
- size_t i;
-
- kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
- kb.length = 16;
- kb.contents = (unsigned char *)"1234567887654321";
- if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0)
- abort();
-
- ctx = make_fake_cfx_context(cfx_subkey);
- test_bogus_1964_token(ctx);
- test_cfx_altered_ec(ctx, cfx_subkey);
- test_cfx_short_plaintext(ctx, cfx_subkey);
- test_cfx_large_ec(ctx, cfx_subkey);
- test_iov_large_asn1_wrapper(ctx);
- test_cfx_verify_mic(ctx);
- test_cfx_unwrap(ctx);
- free_fake_context(ctx);
-
- for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
- ctx = make_fake_context(&tests[i]);
- test_short_header(ctx);
- test_short_header_iov(ctx, &tests[i]);
- test_short_checksum(ctx, &tests[i]);
- test_bad_pad(ctx, &tests[i]);
- test_verify_mic(ctx, &tests[i]);
- test_unwrap(ctx, &tests[i]);
- free_fake_context(ctx);
- }
-
- test_short_encapsulation();
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_iov.c b/crypto/krb5/src/tests/gssapi/t_iov.c
deleted file mode 100644
index f900b8835f79..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_iov.c
+++ /dev/null
@@ -1,547 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/t_iov.c - Test program for IOV functions */ -/* - * Copyright (C) 2013 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <stddef.h> -#include "common.h" - -/* Concatenate iov (except for sign-only buffers) into a contiguous token. */ -static void -concat_iov(gss_iov_buffer_desc *iov, size_t iovlen, char **buf_out, - size_t *len_out) -{ - size_t len, i; - char *buf; - - /* Concatenate the result into a contiguous buffer. 
*/ - len = 0; - for (i = 0; i < iovlen; i++) { - if (GSS_IOV_BUFFER_TYPE(iov[i].type) != GSS_IOV_BUFFER_TYPE_SIGN_ONLY) - len += iov[i].buffer.length; - } - buf = malloc(len); - if (buf == NULL) - errout("malloc failed"); - len = 0; - for (i = 0; i < iovlen; i++) { - if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY) - continue; - memcpy(buf + len, iov[i].buffer.value, iov[i].buffer.length); - len += iov[i].buffer.length; - } - *buf_out = buf; - *len_out = len; -} - -static void -check_encrypted(const char *msg, int conf, const char *buf, const char *plain) -{ - int same = memcmp(buf, plain, strlen(plain)) == 0; - - if ((conf && same) || (!conf && !same)) - errout(msg); -} - -/* - * Wrap str in standard form (HEADER | DATA | PADDING | TRAILER) using the - * caller-provided array iov, which must have space for four elements. Library - * allocation will be used for the header/padding/trailer buffers, so the - * caller must check and free them. - */ -static void -wrap_std(gss_ctx_id_t ctx, char *str, gss_iov_buffer_desc *iov, int conf) -{ - OM_uint32 minor, major; - int oconf; - - /* Lay out iov array. */ - iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[1].buffer.value = str; - iov[1].buffer.length = strlen(str); - iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; - iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; - - /* Wrap. This will allocate header/padding/trailer buffers as necessary - * and encrypt str in place. */ - major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 4); - check_gsserr("gss_wrap_iov(std)", major, minor); - if (oconf != conf) - errout("gss_wrap_iov(std) conf"); -} - -/* Create standard tokens using gss_wrap_iov and ctx1, and make sure we can - * unwrap them using ctx2 in all of the supported ways. 
*/ -static void -test_standard_wrap(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf) -{ - OM_uint32 major, minor; - gss_iov_buffer_desc iov[4], stiov[2]; - gss_qop_t qop; - gss_buffer_desc input, output; - const char *string1 = "The swift brown fox jumped over the lazy dog."; - const char *string2 = "Now is the time!"; - const char *string3 = "x"; - const char *string4 = "!@#"; - char data[1024], *fulltoken; - size_t len; - int oconf; - ptrdiff_t offset; - - /* Wrap a standard token and unwrap it using the iov array. */ - memcpy(data, string1, strlen(string1) + 1); - wrap_std(ctx1, data, iov, conf); - check_encrypted("gss_wrap_iov(std1) encryption", conf, data, string1); - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4); - check_gsserr("gss_unwrap_iov(std1)", major, minor); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(std1) conf/qop"); - if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(string1)) - errout("gss_unwrap_iov(std1) data buffer"); - if (memcmp(data, string1, iov[1].buffer.length) != 0) - errout("gss_unwrap_iov(std1) decryption"); - (void)gss_release_iov_buffer(&minor, iov, 4); - - /* Wrap a standard token and unwrap it using gss_unwrap(). */ - memcpy(data, string2, strlen(string2) + 1); - wrap_std(ctx1, data, iov, conf); - concat_iov(iov, 4, &fulltoken, &len); - input.value = fulltoken; - input.length = len; - major = gss_unwrap(&minor, ctx2, &input, &output, &oconf, &qop); - check_gsserr("gss_unwrap(std2)", major, minor); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap(std2) conf/qop"); - if (output.length != strlen(string2) || - memcmp(output.value, string2, output.length) != 0) - errout("gss_unwrap(std2) decryption"); - (void)gss_release_buffer(&minor, &output); - (void)gss_release_iov_buffer(&minor, iov, 4); - free(fulltoken); - - /* Wrap a standard token and unwrap it using a stream buffer. 
*/ - memcpy(data, string3, strlen(string3) + 1); - wrap_std(ctx1, data, iov, conf); - concat_iov(iov, 4, &fulltoken, &len); - stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; - stiov[0].buffer.value = fulltoken; - stiov[0].buffer.length = len; - stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2); - check_gsserr("gss_unwrap_iov(std3)", major, minor); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(std3) conf/qop"); - if (stiov[1].buffer.length != strlen(string3) || - memcmp(stiov[1].buffer.value, string3, strlen(string3)) != 0) - errout("gss_unwrap_iov(std3) decryption"); - offset = (char *)stiov[1].buffer.value - fulltoken; - if (offset < 0 || (size_t)offset > len) - errout("gss_unwrap_iov(std3) offset"); - (void)gss_release_iov_buffer(&minor, iov, 4); - free(fulltoken); - - /* Wrap a token using gss_wrap and unwrap it using a stream buffer with - * allocation and copying. */ - input.value = (char *)string4; - input.length = strlen(string4); - major = gss_wrap(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &input, &oconf, - &output); - check_gsserr("gss_wrap(std4)", major, minor); - if (oconf != conf) - errout("gss_wrap(std4) conf"); - stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; - stiov[0].buffer = output; - stiov[1].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 2); - check_gsserr("gss_unwrap_iov(std4)", major, minor); - if (!(GSS_IOV_BUFFER_FLAGS(stiov[1].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED)) - errout("gss_unwrap_iov(std4) allocated"); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(std4) conf/qop"); - if (stiov[1].buffer.length != strlen(string4) || - memcmp(stiov[1].buffer.value, string4, strlen(string4)) != 0) - errout("gss_unwrap_iov(std4) decryption"); - (void)gss_release_buffer(&minor, &output); - (void)gss_release_iov_buffer(&minor, stiov, 2); -} - -/* - * Wrap an AEAD token (HEADER | 
SIGN_ONLY | DATA | PADDING | TRAILER) using the - * caller-provided array iov, which must have space for five elements, and the - * caller-provided buffer data, which must be big enough to handle the test - * inputs. Library allocation will not be used. - */ -static void -wrap_aead(gss_ctx_id_t ctx, const char *sign, const char *wrap, - gss_iov_buffer_desc *iov, char *data, int conf) -{ - OM_uint32 major, minor; - int oconf; - char *ptr; - - /* Lay out iov array. */ - iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; - iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - iov[1].buffer.value = (char *)sign; - iov[1].buffer.length = strlen(sign); - iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[2].buffer.value = (char *)wrap; - iov[2].buffer.length = strlen(wrap); - iov[3].type = GSS_IOV_BUFFER_TYPE_PADDING; - iov[4].type = GSS_IOV_BUFFER_TYPE_TRAILER; - - /* Get header/padding/trailer lengths. */ - major = gss_wrap_iov_length(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, - iov, 5); - check_gsserr("gss_wrap_iov_length(aead)", major, minor); - if (oconf != conf) - errout("gss_wrap_iov_length(aead) conf"); - if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign)) - errout("gss_wrap_iov_length(aead) sign-only buffer"); - if (iov[2].buffer.value != wrap || iov[2].buffer.length != strlen(wrap)) - errout("gss_wrap_iov_length(aead) data buffer"); - - /* Set iov buffer pointers using returned lengths. */ - iov[0].buffer.value = data; - ptr = data + iov[0].buffer.length; - memcpy(ptr, wrap, strlen(wrap)); - iov[2].buffer.value = ptr; - ptr += iov[2].buffer.length; - iov[3].buffer.value = ptr; - ptr += iov[3].buffer.length; - iov[4].buffer.value = ptr; - - /* Wrap the AEAD token. 
*/ - major = gss_wrap_iov(&minor, ctx, conf, GSS_C_QOP_DEFAULT, &oconf, iov, 5); - check_gsserr("gss_wrap_iov(aead)", major, minor); - if (oconf != conf) - errout("gss_wrap_iov(aead) conf"); - if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign)) - errout("gss_wrap_iov(aead) sign-only buffer"); - if (iov[2].buffer.length != strlen(wrap)) - errout("gss_wrap_iov(aead) data buffer"); - check_encrypted("gss_wrap_iov(aead) encryption", conf, iov[2].buffer.value, - wrap); -} - -/* Create AEAD tokens using gss_wrap_iov and ctx1, and make sure we can unwrap - * them using ctx2 in all of the supported ways. */ -static void -test_aead(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf) -{ - OM_uint32 major, minor; - gss_iov_buffer_desc iov[5], stiov[3]; - gss_qop_t qop; - gss_buffer_desc input, assoc, output; - const char *sign = "This data is only signed."; - const char *wrap = "This data is wrapped in-place."; - char data[1024], *fulltoken; - size_t len; - int oconf; - ptrdiff_t offset; - - /* Wrap an AEAD token and unwrap it using the IOV array. */ - wrap_aead(ctx1, sign, wrap, iov, data, conf); - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 5); - check_gsserr("gss_unwrap_iov(aead1)", major, minor); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(aead1) conf/qop"); - if (iov[1].buffer.value != sign || iov[1].buffer.length != strlen(sign)) - errout("gss_unwrap_iov(aead1) sign-only buffer"); - if (iov[2].buffer.length != strlen(wrap) || - memcmp(iov[2].buffer.value, wrap, iov[2].buffer.length) != 0) - errout("gss_unwrap_iov(aead1) decryption"); - - /* Wrap an AEAD token and unwrap it using gss_unwrap_aead. 
*/ - wrap_aead(ctx1, sign, wrap, iov, data, conf); - concat_iov(iov, 5, &fulltoken, &len); - input.value = fulltoken; - input.length = len; - assoc.value = (char *)sign; - assoc.length = strlen(sign); - major = gss_unwrap_aead(&minor, ctx2, &input, &assoc, &output, &oconf, - &qop); - check_gsserr("gss_unwrap_aead(aead2)", major, minor); - if (output.length != strlen(wrap) || - memcmp(output.value, wrap, output.length) != 0) - errout("gss_unwrap_aead(aead2) decryption"); - free(fulltoken); - (void)gss_release_buffer(&minor, &output); - - /* Wrap an AEAD token and unwrap it using a stream buffer. */ - wrap_aead(ctx1, sign, wrap, iov, data, conf); - concat_iov(iov, 5, &fulltoken, &len); - stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; - stiov[0].buffer.value = fulltoken; - stiov[0].buffer.length = len; - stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - stiov[1].buffer.value = (char *)sign; - stiov[1].buffer.length = strlen(sign); - stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA; - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3); - check_gsserr("gss_unwrap_iov(aead3)", major, minor); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(aead3) conf/qop"); - if (stiov[2].buffer.length != strlen(wrap) || - memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0) - errout("gss_unwrap_iov(aead3) decryption"); - offset = (char *)stiov[2].buffer.value - fulltoken; - if (offset < 0 || (size_t)offset > len) - errout("gss_unwrap_iov(aead3) offset"); - free(fulltoken); - (void)gss_release_iov_buffer(&minor, iov, 4); - - /* Wrap a token using gss_wrap_aead and unwrap it using a stream buffer - * with allocation and copying. 
*/ - input.value = (char *)wrap; - input.length = strlen(wrap); - assoc.value = (char *)sign; - assoc.length = strlen(sign); - major = gss_wrap_aead(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &assoc, - &input, &oconf, &output); - check_gsserr("gss_wrap_aead(aead4)", major, minor); - if (oconf != conf) - errout("gss_wrap(aead4) conf"); - stiov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; - stiov[0].buffer = output; - stiov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - stiov[1].buffer = assoc; - stiov[2].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, stiov, 3); - check_gsserr("gss_unwrap_iov(aead4)", major, minor); - if (!(GSS_IOV_BUFFER_FLAGS(stiov[2].type) & GSS_IOV_BUFFER_FLAG_ALLOCATED)) - errout("gss_unwrap_iov(aead4) allocated"); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(aead4) conf/qop"); - if (stiov[2].buffer.length != strlen(wrap) || - memcmp(stiov[2].buffer.value, wrap, strlen(wrap)) != 0) - errout("gss_unwrap_iov(aead4) decryption"); - (void)gss_release_buffer(&minor, &output); - (void)gss_release_iov_buffer(&minor, stiov, 3); -} - -/* - * Get a MIC for sign1, sign2, and sign3 using the caller-provided array iov, - * which must have space for four elements, and the caller-provided buffer - * data, which must be big enough for the MIC. If data is NULL, the library - * will be asked to allocate the MIC buffer. The MIC will be located in - * iov[3].buffer. - */ -static void -mic(gss_ctx_id_t ctx, const char *sign1, const char *sign2, const char *sign3, - gss_iov_buffer_desc *iov, char *data) -{ - OM_uint32 minor, major; - krb5_boolean allocated; - - /* Lay out iov array. 
*/ - iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[0].buffer.value = (char *)sign1; - iov[0].buffer.length = strlen(sign1); - iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - iov[1].buffer.value = (char *)sign2; - iov[1].buffer.length = strlen(sign2); - iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - iov[2].buffer.value = (char *)sign3; - iov[2].buffer.length = strlen(sign3); - iov[3].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN; - if (data == NULL) { - /* Ask the library to allocate the MIC buffer. */ - iov[3].type |= GSS_IOV_BUFFER_FLAG_ALLOCATE; - } else { - /* Get the MIC length and use the caller-provided buffer. */ - major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 4); - check_gsserr("gss_get_mic_iov_length", major, minor); - iov[3].buffer.value = data; - } - major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 4); - check_gsserr("gss_get_mic_iov", major, minor); - allocated = (GSS_IOV_BUFFER_FLAGS(iov[3].type) & - GSS_IOV_BUFFER_FLAG_ALLOCATED) != 0; - if (allocated != (data == NULL)) - errout("gss_get_mic_iov allocated"); -} - -static void -test_mic(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2) -{ - OM_uint32 major, minor; - gss_iov_buffer_desc iov[4]; - gss_qop_t qop; - gss_buffer_desc concatbuf, micbuf; - const char *sign1 = "Data and sign-only "; - const char *sign2 = "buffers are treated "; - const char *sign3 = "equally by gss_get_mic_iov"; - char concat[1024], data[1024]; - - (void)snprintf(concat, sizeof(concat), "%s%s%s", sign1, sign2, sign3); - concatbuf.value = concat; - concatbuf.length = strlen(concat); - - /* MIC with a caller-provided buffer and verify with the IOV array. */ - mic(ctx1, sign1, sign2, sign3, iov, data); - major = gss_verify_mic_iov(&minor, ctx2, &qop, iov, 4); - check_gsserr("gss_verify_mic_iov(mic1)", major, minor); - if (qop != GSS_C_QOP_DEFAULT) - errout("gss_verify_mic_iov(mic1) qop"); - - /* MIC with an allocated buffer and verify with gss_verify_mic. 
*/ - mic(ctx1, sign1, sign2, sign3, iov, NULL); - major = gss_verify_mic(&minor, ctx2, &concatbuf, &iov[3].buffer, &qop); - check_gsserr("gss_verify_mic(mic2)", major, minor); - if (qop != GSS_C_QOP_DEFAULT) - errout("gss_verify_mic(mic2) qop"); - (void)gss_release_iov_buffer(&minor, iov, 4); - - /* MIC with gss_c_get_mic and verify using the IOV array (which is still - * mostly set up from the last call to mic(). */ - major = gss_get_mic(&minor, ctx1, GSS_C_QOP_DEFAULT, &concatbuf, &micbuf); - check_gsserr("gss_get_mic(mic3)", major, minor); - iov[3].buffer = micbuf; - major = gss_verify_mic_iov(&minor, ctx2, &qop, iov, 4); - check_gsserr("gss_verify_mic_iov(mic3)", major, minor); - if (qop != GSS_C_QOP_DEFAULT) - errout("gss_verify_mic_iov(mic3) qop"); - (void)gss_release_buffer(&minor, &micbuf); -} - -/* Create a DCE-style token and make sure we can unwrap it. */ -static void -test_dce(gss_ctx_id_t ctx1, gss_ctx_id_t ctx2, int conf) -{ - OM_uint32 major, minor; - gss_iov_buffer_desc iov[4]; - gss_qop_t qop; - const char *sign1 = "First data to be signed"; - const char *sign2 = "Second data to be signed"; - const char *wrap = "This data must align to 16 bytes"; - int oconf; - char data[1024]; - - /* Wrap a SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER token. 
*/ - memcpy(data, wrap, strlen(wrap) + 1); - iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - iov[0].buffer.value = (char *)sign1; - iov[0].buffer.length = strlen(sign1); - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[1].buffer.value = data; - iov[1].buffer.length = strlen(wrap); - iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - iov[2].buffer.value = (char *)sign2; - iov[2].buffer.length = strlen(sign2); - iov[3].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; - major = gss_wrap_iov(&minor, ctx1, conf, GSS_C_QOP_DEFAULT, &oconf, iov, - 4); - check_gsserr("gss_wrap_iov(dce)", major, minor); - if (oconf != conf) - errout("gss_wrap_iov(dce) conf"); - if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1)) - errout("gss_wrap_iov(dce) sign1 buffer"); - if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap)) - errout("gss_wrap_iov(dce) data buffer"); - if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2)) - errout("gss_wrap_iov(dce) sign2 buffer"); - check_encrypted("gss_wrap_iov(dce) encryption", conf, data, wrap); - - /* Make sure we can unwrap it. 
*/ - major = gss_unwrap_iov(&minor, ctx2, &oconf, &qop, iov, 4); - check_gsserr("gss_unwrap_iov(std1)", major, minor); - if (oconf != conf || qop != GSS_C_QOP_DEFAULT) - errout("gss_unwrap_iov(std1) conf/qop"); - if (iov[0].buffer.value != sign1 || iov[0].buffer.length != strlen(sign1)) - errout("gss_unwrap_iov(dce) sign1 buffer"); - if (iov[1].buffer.value != data || iov[1].buffer.length != strlen(wrap)) - errout("gss_unwrap_iov(dce) data buffer"); - if (iov[2].buffer.value != sign2 || iov[2].buffer.length != strlen(sign2)) - errout("gss_unwrap_iov(dce) sign2 buffer"); - if (memcmp(data, wrap, iov[1].buffer.length) != 0) - errout("gss_unwrap_iov(dce) decryption"); - (void)gss_release_iov_buffer(&minor, iov, 4); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, flags; - gss_OID mech = &mech_krb5; - gss_name_t tname; - gss_ctx_id_t ictx, actx; - - /* Parse arguments. */ - argv++; - if (*argv != NULL && strcmp(*argv, "-s") == 0) { - mech = &mech_spnego; - argv++; - } - if (*argv == NULL || *(argv + 1) != NULL) - errout("Usage: t_iov [-s] targetname"); - tname = import_name(*argv); - - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG; - establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname, - flags, &ictx, &actx, NULL, NULL, NULL); - - /* Test standard token wrapping and unwrapping in both directions, with and - * without confidentiality. */ - test_standard_wrap(ictx, actx, 0); - test_standard_wrap(ictx, actx, 1); - test_standard_wrap(actx, ictx, 0); - test_standard_wrap(actx, ictx, 1); - - /* Test AEAD wrapping. */ - test_aead(ictx, actx, 0); - test_aead(ictx, actx, 1); - test_aead(actx, ictx, 0); - test_aead(actx, ictx, 1); - - /* Test MIC tokens. */ - test_mic(ictx, actx); - test_mic(actx, ictx); - - /* Test DCE wrapping with DCE-style contexts. 
*/ - (void)gss_delete_sec_context(&minor, &ictx, NULL); - (void)gss_delete_sec_context(&minor, &actx, NULL); - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DCE_STYLE; - establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, tname, - flags, &ictx, &actx, NULL, NULL, NULL); - test_dce(ictx, actx, 0); - test_dce(ictx, actx, 1); - test_dce(actx, ictx, 0); - test_dce(actx, ictx, 1); - - (void)gss_release_name(&minor, &tname); - (void)gss_delete_sec_context(&minor, &ictx, NULL); - (void)gss_delete_sec_context(&minor, &actx, NULL); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/t_lifetime.c b/crypto/krb5/src/tests/gssapi/t_lifetime.c deleted file mode 100644 index 8dcf18621bbf..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_lifetime.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */ -/* - * Copyright (C) 2017 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <assert.h> -#include "common.h" - -/* - * Using the default credential, exercise the GSS functions which accept or - * produce lifetimes. 
Display the following results, one per line, as ASCII - * integers or the string "indefinite": - * - * initiator cred lifetime according to gss_acquire_cred() - * initiator cred lifetime according to gss_inquire_cred() - * acceptor cred lifetime according to gss_acquire_cred() - * acceptor cred lifetime according to gss_inquire_cred() - * initiator context lifetime according to gss_init_sec_context() - * initiator context lifetime according to gss_inquire_context() - * initiator context lifetime according to gss_context_time() - * acceptor context lifetime according to gss_init_sec_context() - * acceptor context lifetime according to gss_inquire_context() - * acceptor context lifetime according to gss_context_time() - */ - -static void -display_time(OM_uint32 tval) -{ - if (tval == GSS_C_INDEFINITE) - puts("indefinite"); - else - printf("%u\n", (unsigned int)tval); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, major; - gss_cred_id_t icred, acred; - gss_name_t tname; - gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; - gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER; - OM_uint32 time_req = GSS_C_INDEFINITE, time_rec; - - if (argc < 2 || argc > 3) { - fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]); - return 1; - } - tname = import_name(argv[1]); - if (argc >= 3) - time_req = atoll(argv[2]); - - /* Get initiator cred and display its lifetime according to - * gss_acquire_cred and gss_inquire_cred. */ - major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5, - GSS_C_INITIATE, &icred, NULL, &time_rec); - check_gsserr("gss_acquire_cred(initiate)", major, minor); - display_time(time_rec); - major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL); - check_gsserr("gss_inquire_cred(initiate)", major, minor); - display_time(time_rec); - - /* Get acceptor cred and display its lifetime according to gss_acquire_cred - * and gss_inquire_cred. 
*/ - major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5, - GSS_C_ACCEPT, &acred, NULL, &time_rec); - check_gsserr("gss_acquire_cred(accept)", major, minor); - display_time(time_rec); - major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL); - check_gsserr("gss_inquire_cred(accept)", major, minor); - display_time(time_rec); - - /* Make an initiator context and display its lifetime according to - * gss_init_sec_context, gss_inquire_context, and gss_context_time. */ - major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0, - time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok, - NULL, &itok, NULL, &time_rec); - check_gsserr("gss_init_sec_context", major, minor); - assert(major == GSS_S_COMPLETE); - display_time(time_rec); - major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL, - NULL, NULL, NULL); - check_gsserr("gss_inquire_context(initiate)", major, minor); - display_time(time_rec); - major = gss_context_time(&minor, ictx, &time_rec); - check_gsserr("gss_context_time(initiate)", major, minor); - display_time(time_rec); - - major = gss_accept_sec_context(&minor, &actx, acred, &itok, - GSS_C_NO_CHANNEL_BINDINGS, NULL, - NULL, &atok, NULL, &time_rec, NULL); - check_gsserr("gss_accept_sec_context", major, minor); - assert(major == GSS_S_COMPLETE); - display_time(time_rec); - major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL, - NULL, NULL, NULL); - check_gsserr("gss_inquire_context(accept)", major, minor); - display_time(time_rec); - major = gss_context_time(&minor, actx, &time_rec); - check_gsserr("gss_context_time(accept)", major, minor); - display_time(time_rec); - - (void)gss_release_buffer(&minor, &itok); - (void)gss_release_buffer(&minor, &atok); - (void)gss_release_name(&minor, &tname); - (void)gss_release_cred(&minor, &icred); - (void)gss_release_cred(&minor, &acred); - (void)gss_delete_sec_context(&minor, &ictx, NULL); - (void)gss_delete_sec_context(&minor, &actx, NULL); - return 0; 
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_namingexts.c b/crypto/krb5/src/tests/gssapi/t_namingexts.c
deleted file mode 100644
index 739592b9064e..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_namingexts.c
+++ /dev/null
@@ -1,227 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "common.h" - -static int use_spnego = 0; - -static void -display_name(const char *tag, gss_name_t name) -{ - OM_uint32 major, minor; - gss_buffer_desc buf; - - major = gss_display_name(&minor, name, &buf, NULL); - check_gsserr("gss_display_name", major, minor); - - printf("%s:\t%.*s\n", tag, (int)buf.length, (char *)buf.value); - - (void)gss_release_buffer(&minor, &buf); -} - -static void -test_export_import_name(gss_name_t name) -{ - OM_uint32 major, minor; - gss_buffer_desc exported_name = GSS_C_EMPTY_BUFFER; - gss_name_t imported_name = GSS_C_NO_NAME; - gss_name_t imported_name_comp = GSS_C_NO_NAME; - unsigned int i; - - major = gss_export_name_composite(&minor, name, &exported_name); - check_gsserr("gss_export_name_composite", major, minor); - - printf("Exported name:\n"); - for (i = 0; i < exported_name.length; i++) { - if ((i % 32) == 0) - printf("\n"); - printf("%02x", ((char *)exported_name.value)[i] & 0xFF); - } - printf("\n"); - - major = gss_import_name(&minor, &exported_name, GSS_C_NT_EXPORT_NAME, - &imported_name); - check_gsserr("gss_import_name", major, minor); - - major = gss_import_name(&minor, &exported_name, GSS_C_NT_COMPOSITE_EXPORT, - &imported_name_comp); - check_gsserr("gss_import_name", major, minor); - (void)gss_release_buffer(&minor, &exported_name); - - printf("\n"); - display_canon_name("Re-imported name", imported_name, &mech_krb5); - printf("Re-imported attributes:\n\n"); - enumerate_attributes(imported_name, 0); - - display_name("Re-imported (as composite) name", imported_name_comp); - printf("Re-imported (as composite) attributes:\n\n"); - enumerate_attributes(imported_name_comp, 0); - - (void)gss_release_name(&minor, &imported_name); - (void)gss_release_name(&minor, &imported_name_comp); -} - -static void -test_greet_authz_data(gss_name_t name) -{ - OM_uint32 major, minor; - gss_buffer_desc attr; - gss_buffer_desc value; - - attr.value = 
"urn:greet:greeting"; - attr.length = strlen((char *)attr.value); - - major = gss_delete_name_attribute(&minor, name, &attr); - if (major == GSS_S_UNAVAILABLE) { - fprintf(stderr, "Warning: greet_client plugin not installed\n"); - exit(1); - } - check_gsserr("gss_delete_name_attribute", major, minor); - - value.value = "Hello, acceptor world!"; - value.length = strlen((char *)value.value); - major = gss_set_name_attribute(&minor, name, 1, &attr, &value); - if (major == GSS_S_UNAVAILABLE) - return; - check_gsserr("gss_set_name_attribute", major, minor); -} - -static void -test_map_name_to_any(gss_name_t name) -{ - OM_uint32 major, minor; - gss_buffer_desc type_id; - krb5_pac pac; - krb5_context context = NULL; - krb5_error_code ret; - size_t len, i; - krb5_ui_4 *types; - - type_id.value = "mspac"; - type_id.length = strlen((char *)type_id.value); - - major = gss_map_name_to_any(&minor, name, 1, &type_id, (gss_any_t *)&pac); - if (major == GSS_S_UNAVAILABLE) - return; - check_gsserr("gss_map_name_to_any", major, minor); - - ret = krb5_init_context(&context); - check_k5err(context, "krb5_init_context", ret); - - if (krb5_pac_get_types(context, pac, &len, &types) == 0) { - printf("PAC buffer types:"); - for (i = 0; i < len; i++) - printf(" %d", types[i]); - printf("\n"); - free(types); - } - - (void)gss_release_any_name_mapping(&minor, name, &type_id, - (gss_any_t *)&pac); -} - -static void -init_accept_sec_context(gss_cred_id_t verifier_cred_handle) -{ - OM_uint32 major, minor, flags; - gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME; - gss_ctx_id_t initiator_context, acceptor_context; - gss_OID mech = use_spnego ? 
&mech_spnego : &mech_krb5; - - major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL, - NULL, NULL); - check_gsserr("gss_inquire_cred", major, minor); - - display_canon_name("Target name", target_name, &mech_krb5); - - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - establish_contexts(mech, verifier_cred_handle, verifier_cred_handle, - target_name, flags, &initiator_context, - &acceptor_context, &source_name, NULL, NULL); - - display_canon_name("Source name", source_name, &mech_krb5); - enumerate_attributes(source_name, 1); - test_export_import_name(source_name); - test_map_name_to_any(source_name); - - (void)gss_release_name(&minor, &source_name); - (void)gss_release_name(&minor, &target_name); - (void)gss_delete_sec_context(&minor, &initiator_context, NULL); - (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, major; - gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; - gss_OID_set mechs, actual_mechs = GSS_C_NO_OID_SET; - gss_name_t tmp_name, name; - - if (argc > 1 && strcmp(argv[1], "--spnego") == 0) { - use_spnego++; - argc--; - argv++; - } - - if (argc < 2) { - fprintf(stderr, "Usage: %s [--spnego] principal [keytab]\n", argv[0]); - exit(1); - } - - tmp_name = import_name(argv[1]); - major = gss_canonicalize_name(&minor, tmp_name, &mech_krb5, &name); - check_gsserr("gss_canonicalze_name", major, minor); - (void)gss_release_name(&minor, &tmp_name); - - test_greet_authz_data(name); - - if (argc >= 3) { - major = krb5_gss_register_acceptor_identity(argv[2]); - check_gsserr("krb5_gss_register_acceptor_identity", major, minor); - } - - mechs = use_spnego ? 
&mechset_spnego : &mechset_krb5;
-
- /* get default cred */
- major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, mechs, GSS_C_BOTH,
- &cred_handle, &actual_mechs, NULL);
- check_gsserr("gss_acquire_cred", major, minor);
-
- (void)gss_release_oid_set(&minor, &actual_mechs);
-
- init_accept_sec_context(cred_handle);
-
- printf("\n");
-
- (void)gss_release_cred(&minor, &cred_handle);
- (void)gss_release_oid_set(&minor, &actual_mechs);
- (void)gss_release_name(&minor, &name);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_negoex.py b/crypto/krb5/src/tests/gssapi/t_negoex.py
deleted file mode 100644
index a218899c4576..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_negoex.py
+++ /dev/null
@@ -1,149 +0,0 @@
-from k5test import *
-
-# The next arc after 2.25 is supposed to be a single-integer UUID, but
-# since our gss_str_to_oid() can't handle arc values that don't fit in
-# an unsigned long, we use random unsigned 32-bit integers instead.
-# The final octet if the OID encoding will be used to identify the
-# mechanism when changing the behavior of just one mech.
-nxtest_oid1 = '2.25.1414534758' # final octet is 102 (0x66)
-nxtest_oid2 = '2.25.1175737388' # final octet is 44 (0x2C)
-nxtest_path = os.path.join(buildtop, 'plugins', 'gssapi', 'negoextest',
- 'gss_negoextest.so')
-
-# Test gss_add_cred().
-realm = K5Realm(create_kdb=False)
-with open(realm.gss_mech_config, 'w') as f:
- f.write('negoextest %s %s\n' % (nxtest_oid1, nxtest_path))
- f.write('negoextest %s %s\n' % (nxtest_oid2, nxtest_path))
-
-def test(envvars, **kw):
- # Python 3.5: e = {**realm.env, **vars}
- e = realm.env.copy()
- e.update(envvars)
- realm.run(['./t_context', 'h:host'], env=e, **kw)
-
-# Test varying numbers of hops, and spot-check that messages are sent
-# in the appropriate sequence.
-
-mark('One hop')
-msgs = ('sending [0]INITIATOR_NEGO: c0a28569-66ac-0000-0000-000000000000 '
- 'd1b08469-2ca8-0000-0000-000000000000',
- 'sending [1]INITIATOR_META_DATA: c0a28569-66ac',
- 'sending [2]INITIATOR_META_DATA: d1b08469-2ca8',
- 'sending [3]AP_REQUEST: c0a28569-66ac',
- 'sending [4]VERIFY: c0a28569-66ac',
- 'received [0]INITIATOR_NEGO: c0a28569-66ac-0000-0000-000000000000 '
- 'd1b08469-2ca8-0000-0000-000000000000',
- 'received [1]INITIATOR_META_DATA: c0a28569-66ac',
- 'received [2]INITIATOR_META_DATA: d1b08469-2ca8',
- 'received [3]AP_REQUEST: c0a28569-66ac',
- 'received [4]VERIFY: c0a28569-66ac',
- 'sending [5]ACCEPTOR_NEGO: c0a28569-66ac-0000-0000-000000000000 '
- 'd1b08469-2ca8-0000-0000-000000000000',
- 'sending [6]ACCEPTOR_META_DATA: c0a28569-66ac',
- 'sending [7]ACCEPTOR_META_DATA: d1b08469-2ca8',
- 'sending [8]VERIFY: c0a28569-66ac',
- 'received [5]ACCEPTOR_NEGO: c0a28569-66ac-0000-0000-000000000000 '
- 'd1b08469-2ca8-0000-0000-000000000000',
- 'received [6]ACCEPTOR_META_DATA: c0a28569-66ac',
- 'received [7]ACCEPTOR_META_DATA: d1b08469-2ca8',
- 'received [8]VERIFY: c0a28569-66ac')
-test({'HOPS': '1'}, expected_trace=msgs)
-
-mark('Two hops')
-msgs = ('sending [7]CHALLENGE', 'sending [8]VERIFY', 'received [8]VERIFY',
- 'sending [9]VERIFY')
-test({'HOPS': '2'}, expected_trace=msgs)
-
-mark('Three hops')
-msgs = ('sending [8]AP_REQUEST', 'sending [9]VERIFY', 'received [8]AP_REQUEST',
- 'sending [10]VERIFY')
-test({'HOPS': '3'}, expected_trace=msgs)
-
-mark('Four hops')
-msgs = ('sending [9]CHALLENGE', 'sending [10]VERIFY', 'received [9]CHALLENGE',
- 'sending [11]VERIFY')
-test({'HOPS': '4'}, expected_trace=msgs)
-
-mark('Early keys, three hops')
-msgs = ('sending [4]VERIFY', 'sending [9]VERIFY', 'sending [10]AP_REQUEST')
-test({'HOPS': '3', 'KEY': 'always'}, expected_trace=msgs)
-
-mark('Early keys, four hops')
-msgs = ('sending [4]VERIFY', 'sending [9]VERIFY', 'sending [10]AP_REQUEST',
- 'sending [11]CHALLENGE')
-test({'HOPS': '4', 'KEY':
'always'}, expected_trace=msgs)
-
-mark('No keys')
-test({'KEY': 'never'}, expected_code=1, expected_msg='No NegoEx verify key')
-
-mark('No optimistic token')
-msgs = ('sending [3]ACCEPTOR_NEGO', 'sending [6]AP_REQUEST',
- 'sending [7]VERIFY', 'sending [8]VERIFY')
-test({'NEGOEX_NO_OPTIMISTIC_TOKEN': ''}, expected_trace=msgs)
-
-mark('First mech initiator query fail')
-msgs = ('sending [0]INITIATOR_NEGO: d1b08469-2ca8-0000-0000-000000000000',
- 'sending [2]AP_REQUEST', 'sending [3]VERIFY',
- 'sending [4]ACCEPTOR_NEGO: d1b08469-2ca8-0000-0000-000000000000',
- 'sending [6]VERIFY')
-test({'INIT_QUERY_FAIL': '102'}, expected_trace=msgs)
-
-mark('First mech acceptor query fail')
-msgs = ('sending [0]INITIATOR_NEGO: c0a28569-66ac-0000-0000-000000000000 '
- 'd1b08469-2ca8-0000-0000-000000000000',
- 'sending [3]AP_REQUEST: c0a28569-66ac',
- 'sending [4]VERIFY: c0a28569-66ac',
- 'sending [5]ACCEPTOR_NEGO: d1b08469-2ca8-0000-0000-000000000000',
- 'sending [7]AP_REQUEST: d1b08469-2ca8',
- 'sending [8]VERIFY: d1b08469-2ca8',
- 'sending [9]VERIFY: d1b08469-2ca8')
-test({'ACCEPT_QUERY_FAIL': '102'}, expected_trace=msgs)
-
-# Same messages as previous test.
-mark('First mech acceptor exchange fail')
-test({'ACCEPT_EXCHANGE_FAIL': '102'}, expected_trace=msgs)
-
-# Fail the optimistic mech's gss_exchange_meta_data() in the
-# initiator. Since the acceptor has effectively selected the
-# optimistic mech, this causes the authentication to fail.
-mark('First mech initiator exchange fail, one hop')
-test({'HOPS': '1', 'INIT_EXCHANGE_FAIL': '102'}, expected_code=1,
- expected_msg='No mutually supported NegoEx authentication schemes')
-mark('First mech initiator exchange fail, two hops, early keys')
-test({'HOPS': '2', 'INIT_EXCHANGE_FAIL': '102', 'KEY': 'always'},
- expected_code=1,
- expected_msg='No mutually supported NegoEx authentication schemes')
-mark('First mech initiator exchange fail, two hops')
-test({'HOPS': '2', 'INIT_EXCHANGE_FAIL': '102'}, expected_code=1,
- expected_msg='No mutually supported NegoEx authentication schemes')
-
-mark('First mech init_sec_context fail')
-msgs = ('sending [0]INITIATOR_NEGO: d1b08469-2ca8-0000-0000-000000000000',
- 'sending [2]AP_REQUEST', 'sending [3]VERIFY', 'sending [6]VERIFY')
-test({'INIT_FAIL': '102'}, expected_trace=msgs)
-
-mark('First mech accept_sec_context fail')
-test({'HOPS': '2', 'ACCEPT_FAIL': '102'}, expected_code=1,
- expected_msg='failure from acceptor')
-
-mark('ALERT from acceptor to initiator')
-msgs = ('sending [3]AP_REQUEST', 'sending [4]VERIFY', 'sending [8]CHALLENGE',
- 'sending [9]ALERT', 'received [9]ALERT', 'sending [10]AP_REQUEST',
- 'sending [11]VERIFY', 'sending [12]VERIFY')
-test({'HOPS': '3', 'KEY': 'init-always'}, expected_trace=msgs)
-
-mark('ALERT from initiator to acceptor')
-msgs = ('sending [3]AP_REQUEST', 'sending [7]CHALLENGE', 'sending [8]VERIFY',
- 'sending [9]AP_REQUEST', 'sending [10]ALERT', 'received [10]ALERT',
- 'sending [11]CHALLENGE', 'sending [12]VERIFY', 'sending [13]VERIFY')
-test({'HOPS': '4', 'KEY': 'accept-always'}, expected_trace=())
-
-mark('channel bindings')
-e = realm.env.copy()
-e.update({'HOPS': '1', 'GSS_INIT_BINDING': 'a', 'GSS_ACCEPT_BINDING': 'b'})
-# The test mech will verify that the bindings are communicated to the
-# mech, but does not set the channel-bound flag.
-realm.run(['./t_bindings', '-s', 'h:host', 'a', 'b'], env=e, expected_msg='no')
-
-success('NegoEx tests')
diff --git a/crypto/krb5/src/tests/gssapi/t_oid.c b/crypto/krb5/src/tests/gssapi/t_oid.c
deleted file mode 100644
index 64253133d238..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_oid.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_oid.c - Test OID manipulation functions */
-/*
- * Copyright (C) 2012 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "common.h"
-
-static struct {
- char *canonical;
- char *variant;
- gss_OID_desc oid;
-} tests[] = {
- /* GSS_C_NT_USER_NAME */
- { "{ 1 2 840 113554 1 2 1 1 }", "1.2.840.113554.1.2.1.1",
- { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x01\x01" } },
- /* GSS_C_NT_MACHINE_UID_NAME */
- { "{ 1 2 840 113554 1 2 1 2 }", "1 2 840 113554 1 2 1 2",
- { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x01\x02" } },
- /* GSS_C_NT_STRING_UID_NAME */
- { "{ 1 2 840 113554 1 2 1 3 }", "{1 2 840 113554 1 2 1 3}",
- { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x01\x03" } },
- /* GSS_C_NT_HOSTBASED_SERVICE_X */
- { "{ 1 3 6 1 5 6 2 }", "{ 1 3 6 1 5 6 2 }",
- { 6, "\x2B\x06\x01\x05\x06\x02" } },
- /* GSS_C_NT_ANONYMOUS */
- { "{ 1 3 6 1 5 6 3 }", "{ 01 03 06 01 05 06 03 }",
- { 6, "\x2B\x06\x01\x05\x06\x03" } },
- /* GSS_KRB5_NT_PRINCIPAL_NAME */
- { "{ 1 2 840 113554 1 2 2 1 }", " {01 2 840 113554 1 2 2 1 } ",
- { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01" } },
- /* GSS_KRB5_NT_ENTERPRISE_NAME */
- { "{ 1 2 840 113554 1 2 2 6 }", " {1.2.840.113554.1.2.2.6} ",
- { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x06" } },
- /* gss_krb5_nt_principal */
- { "{ 1 2 840 113554 1 2 2 2 }", "{1.2.840.113554.1.2.2.2}",
- { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02" } },
- /* gss_mech_krb5 */
- { "{ 1 2 840 113554 1 2 2 }", "{ 1.2.840.113554.1.2.2 }",
- { 9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02" } },
- /* gss_mech_krb5_old */
- { "{ 1 3 5 1 5 2 }", "001 . 003 . 005 . 001 . 005 . 
002",
- { 5, "\x2B\x05\x01\x05\x02" } },
- /* gss_mech_krb5_wrong */
- { "{ 1 2 840 48018 1 2 2 }", "1.2.840.48018.1.2.2 trailing garbage",
- { 9, "\x2A\x86\x48\x82\xF7\x12\x01\x02\x02" } },
- /* gss_mech_iakerb */
- { "{ 1 3 6 1 5 2 5 }", "{ 1 3 6 1 5 2 5 } trailing garbage",
- { 6, "\x2B\x06\x01\x05\x02\x05" } },
- /* SPNEGO */
- { "{ 1 3 6 1 5 5 2 }", "{1 3 6 1 5 5 2} trailing garbage",
- { 6, "\x2B\x06\x01\x05\x05\x02" } },
- /* Edge cases for the first two arcs */
- { "{ 0 0 }", NULL, { 1, "\x00" } },
- { "{ 0 39 }", NULL, { 1, "\x27" } },
- { "{ 1 0 }", NULL, { 1, "\x28" } },
- { "{ 1 39 }", NULL, { 1, "\x4F" } },
- { "{ 2 0 }", NULL, { 1, "\x50" } },
- { "{ 2 40 }", NULL, { 1, "\x78" } },
- { "{ 2 47 }", NULL, { 1, "\x7F" } },
- { "{ 2 48 }", NULL, { 2, "\x81\x00" } },
- { "{ 2 16304 }", NULL, { 3, "\x81\x80\x00" } },
- /* Zero-valued arcs */
- { "{ 0 0 0 }", NULL, { 2, "\x00\x00" } },
- { "{ 0 0 1 0 }", NULL, { 3, "\x00\x01\x00" } },
- { "{ 0 0 128 0 }", NULL, { 4, "\x00\x81\x00\x00 " } },
- { "{ 0 0 0 1 }", NULL, { 3, "\x00\x00\x01" } },
- { "{ 0 0 128 0 1 0 128 }", NULL,
- { 8, "\x00\x81\x00\x00\x01\x00\x81\x00 " } }
-};
-
-static char *invalid_strings[] = {
- "",
- "{}",
- "{",
- "}",
- " ",
- " { } ",
- "x",
- "+1 1",
- "-1.1",
- "1.+0",
- "+0.1",
- "{ 1 garbage }",
- "{ 1 }",
- "{ 0 40 }",
- "{ 1 40 }",
- "{ 1 128 }",
- "{ 1 1",
- "{ 1 2 3 4 +5 }",
- "{ 1.2.-3.4.5 }"
-};
-
-static int
-oid_equal(gss_OID o1, gss_OID o2)
-{
- return o1->length == o2->length &&
- memcmp(o1->elements, o2->elements, o1->length) == 0;
-}
-
-int
-main(void)
-{
- size_t i;
- OM_uint32 major, minor;
- gss_buffer_desc buf;
- gss_OID oid;
- gss_OID_set set;
- int status = 0, present;
-
- for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
- /* Check that this test's OID converts to its canonical string form.
*/
- major = gss_oid_to_str(&minor, &tests[i].oid, &buf);
- check_gsserr("gss_oid_to_str", major, minor);
- if (buf.length != strlen(tests[i].canonical) + 1 ||
- memcmp(buf.value, tests[i].canonical, buf.length) != 0) {
- status = 1;
- printf("test %d: OID converts to %.*s, wanted %s\n", (int)i,
- (int)buf.length, (char *)buf.value, tests[i].canonical);
- }
- (void)gss_release_buffer(&minor, &buf);
-
- /* Check that this test's canonical string form converts to its OID. */
- buf.value = tests[i].canonical;
- buf.length = strlen(tests[i].canonical);
- major = gss_str_to_oid(&minor, &buf, &oid);
- check_gsserr("gss_str_to_oid", major, minor);
- if (!oid_equal(oid, &tests[i].oid)) {
- status = 1;
- printf("test %d: %s converts to wrong OID\n", (int)i,
- tests[i].canonical);
- display_oid("wanted", &tests[i].oid);
- display_oid("actual", oid);
- }
- (void)gss_release_oid(&minor, &oid);
-
- /* Check that this test's variant string form converts to its OID. */
- if (tests[i].variant == NULL)
- continue;
- buf.value = tests[i].variant;
- buf.length = strlen(tests[i].variant);
- major = gss_str_to_oid(&minor, &buf, &oid);
- check_gsserr("gss_str_to_oid", major, minor);
- if (!oid_equal(oid, &tests[i].oid)) {
- status = 1;
- printf("test %d: %s converts to wrong OID\n", (int)i,
- tests[i].variant);
- display_oid("wanted", &tests[i].oid);
- display_oid("actual", oid);
- }
- (void)gss_release_oid(&minor, &oid);
- }
-
- for (i = 0; i < sizeof(invalid_strings) / sizeof(*invalid_strings); i++) {
- buf.value = invalid_strings[i];
- buf.length = strlen(invalid_strings[i]);
- major = gss_str_to_oid(&minor, &buf, &oid);
- if (major == GSS_S_COMPLETE) {
- status = 1;
- printf("invalid %d: %s converted when it should not have\n",
- (int)i, invalid_strings[i]);
- (void)gss_release_oid(&minor, &oid);
- }
- }
-
- major = gss_create_empty_oid_set(&minor, &set);
- check_gsserr("gss_create_empty_oid_set", major, minor);
- for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
- major =
gss_add_oid_set_member(&minor, &tests[i].oid, &set);
- check_gsserr("gss_add_oid_set_member", major, minor);
- }
- if (set->count != i) {
- status = 1;
- printf("oid set has wrong size: wanted %d, actual %d\n", (int)i,
- (int)set->count);
- }
- for (i = 0; i < set->count; i++) {
- if (!oid_equal(&set->elements[i], &tests[i].oid)) {
- status = 1;
- printf("oid set has wrong element %d\n", (int)i);
- display_oid("wanted", &tests[i].oid);
- display_oid("actual", &set->elements[i]);
- }
- major = gss_test_oid_set_member(&minor, &tests[i].oid, set, &present);
- check_gsserr("gss_test_oid_set_member", major, minor);
- if (!present) {
- status = 1;
- printf("oid set does not contain OID %d\n", (int)i);
- display_oid("wanted", &tests[i].oid);
- }
- }
- (void)gss_release_oid_set(&minor, &set);
- return status;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_pcontok.c b/crypto/krb5/src/tests/gssapi/t_pcontok.c
deleted file mode 100644
index 7368f752f030..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_pcontok.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_pcontok.c - gss_process_context_token tests */
-/*
- * Copyright (C) 2014 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This test program exercises krb5 gss_process_context_token. It first
- * establishes a context to a named target. Then, if the resulting context
- * uses RFC 1964, it creates a context deletion token from the acceptor to the
- * initiator and passes it to the initiator using gss_process_context_token.
- * If the established context uses RFC 4121, this program feeds a made-up
- * context token to gss_process_context_token and checks for the expected
- * error.
- */
-
-#include "k5-int.h"
-#include "common.h"
-
-#define SGN_ALG_HMAC_SHA1_DES3_KD 0x04
-#define SGN_ALG_HMAC_MD5 0x11
-
-/*
- * Create a valid RFC 1964 context deletion token using the information in *
- * lctx. We must do this by hand since we no longer create context deletion
- * tokens from gss_delete_sec_context.
- */
-static void
-make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_keyblock seqkb;
- krb5_key seq;
- krb5_checksum cksum;
- krb5_cksumtype cktype;
- krb5_keyusage ckusage;
- krb5_crypto_iov iov;
- krb5_data d;
- size_t cksize, tlen;
- unsigned char *token, *ptr, iv[8];
- gss_krb5_lucid_key_t *lkey = &lctx->rfc1964_kd.ctx_key;
- int signalg = lctx->rfc1964_kd.sign_alg;
-
- ret = krb5_init_context(&context);
- check_k5err(context, "krb5_init_context", ret);
-
- seqkb.enctype = lkey->type;
- seqkb.length = lkey->length;
- seqkb.contents = lkey->data;
- ret = krb5_k_create_key(context, &seqkb, &seq);
- check_k5err(context, "krb5_k_create_key", ret);
-
- if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
- cktype = CKSUMTYPE_HMAC_SHA1_DES3;
- cksize = 20;
- ckusage = 23;
- } else if (signalg == SGN_ALG_HMAC_MD5) {
- cktype = CKSUMTYPE_HMAC_MD5_ARCFOUR;
- cksize = 8;
- ckusage = 15;
- } else {
- abort();
- }
-
- tlen = 20 + mech_krb5.length + cksize;
- token = malloc(tlen);
- assert(token != NULL);
-
- /* Create the ASN.1 wrapper (4 + mech_krb5.length bytes). Assume the ASN.1
- * lengths fit in one byte since deletion tokens are short. */
- ptr = token;
- *ptr++ = 0x60;
- *ptr++ = tlen - 2;
- *ptr++ = 0x06;
- *ptr++ = mech_krb5.length;
- memcpy(ptr, mech_krb5.elements, mech_krb5.length);
- ptr += mech_krb5.length;
-
- /* Create the RFC 1964 token header (8 bytes).
*/
- *ptr++ = 0x01;
- *ptr++ = 0x02;
- store_16_le(signalg, ptr);
- ptr += 2;
- *ptr++ = 0xFF;
- *ptr++ = 0xFF;
- *ptr++ = 0xFF;
- *ptr++ = 0xFF;
-
- /* Create the checksum (cksize bytes at offset 8 from the header). */
- d = make_data(ptr - 8, 8);
- ret = krb5_k_make_checksum(context, cktype, seq, ckusage, &d, &cksum);
- check_k5err(context, "krb5_k_make_checksum", ret);
- memcpy(ptr + 8, cksum.contents, cksize);
-
- /* Create the sequence number (8 bytes). */
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = make_data(ptr, 8);
- ptr[4] = ptr[5] = ptr[6] = ptr[7] = lctx->initiate ? 0 : 0xFF;
- memcpy(iv, ptr + 8, 8);
- d = make_data(iv, 8);
- if (signalg == SGN_ALG_HMAC_MD5) {
- store_32_be(lctx->send_seq, ptr);
- ret = krb5int_arcfour_gsscrypt(&seq->keyblock, 0, &d, &iov, 1);
- check_k5err(context, "krb5int_arcfour_gsscrypt(seq)", ret);
- } else {
- store_32_le(lctx->send_seq, ptr);
- ret = krb5_k_encrypt_iov(context, seq, 24, &d, &iov, 1);
- check_k5err(context, "krb5_k_encrypt_iov(seq)", ret);
- }
-
- krb5_free_checksum_contents(context, &cksum);
- krb5_k_free_key(context, seq);
- krb5_free_context(context);
-
- out->length = tlen;
- out->value = token;
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major, flags;
- gss_name_t tname;
- gss_buffer_desc token, in = GSS_C_EMPTY_BUFFER, out;
- gss_ctx_id_t ictx, actx;
- gss_krb5_lucid_context_v1_t *lctx;
- void *lptr;
-
- assert(argc == 2);
- tname = import_name(argv[1]);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- tname, flags, &ictx, &actx, NULL, NULL, NULL);
-
- /* Export the acceptor context to a lucid context so we can look inside. */
- major = gss_krb5_export_lucid_sec_context(&minor, &actx, 1, &lptr);
- check_gsserr("gss_export_lucid_sec_context", major, minor);
- lctx = lptr;
- if (!lctx->protocol) {
- /* Make an RFC 1964 context deletion token and pass it to
- * gss_process_context_token.
*/
- make_delete_token(lctx, &token);
- major = gss_process_context_token(&minor, ictx, &token);
- free(token.value);
- check_gsserr("gss_process_context_token", major, minor);
- /* Check for the appropriate major code from gss_wrap. */
- major = gss_wrap(&minor, ictx, 1, GSS_C_QOP_DEFAULT, &in, NULL, &out);
- assert(major == GSS_S_NO_CONTEXT);
- } else {
- /* RFC 4121 defines no context deletion token, so try passing something
- * arbitrary and check for the appropriate major code. */
- token.value = "abcd";
- token.length = 4;
- major = gss_process_context_token(&minor, ictx, &token);
- assert(major == GSS_S_DEFECTIVE_TOKEN);
- }
-
- (void)gss_release_name(&minor, &tname);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_krb5_free_lucid_sec_context(&minor, lptr);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_prf.c b/crypto/krb5/src/tests/gssapi/t_prf.c
deleted file mode 100644
index f71774cdc91a..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_prf.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 2014 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "k5-int.h"
-#include "k5-hex.h"
-#include "common.h"
-#include "mglueP.h"
-#include "gssapiP_krb5.h"
-
-static const char inputstr[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
- "abcdefghijklmnopqrstuvwxyz123456789";
-
-/* For each test, out1 corresponds to key1 with an empty input, and out2
- * corresponds to key2 with the above 61-byte input string.
*/
-static struct {
- krb5_enctype enctype;
- const char *key1;
- const char *out1;
- const char *key2;
- const char *out2;
-} tests[] = {
- { ENCTYPE_DES3_CBC_SHA1,
- "70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2",
- "9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9"
- "AC4A333D644D21BA3EF24F4A886D143F85AC9F6377FB",
- "3452A167DF1094BA1089E0A20E9E51ABEF1525922558B69E",
- "6BF24FABC858F8DD9752E4FCD331BB831F238B5BE190"
- "4EEA42E38F7A60C588F075C5C96A67E7F8B7BD0AECF4" },
- { ENCTYPE_ARCFOUR_HMAC,
- "3BB3AE288C12B3B9D06B208A4151B3B6",
- "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
- "3C8A983AB88757CE865A22132D6100EAD63E9E291AFA",
- "6DB7B33A01BD2B72F7655CB7B3D5FA0B",
- "CDA9A544869FC84873B692663A82AFDA101C8611498B"
- "A46138B01E927C9B95EEC953B562807434037837DDDF" },
- { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- "6C742096EB896230312B73972FA28B5D",
- "94208D982FC1BB7778128BDD77904420B45C9DA699F3"
- "117BCE66E39602128EF0296611A6D191A5828530F20F",
- "FA61138C109D834A477D24C7311BE6DA",
- "0FAEDF0F842CC834FEE750487E1B622739286B975FE5"
- "B7F45AB053143C75CA0DF5D3D4BBB80F6A616C7C9027" },
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- "08FCDAFD5832611B73BA7B497FEBFF8C954B4B58031CAD9B977C3B8C25192FD6",
- "E627EFC14EF5B6D629F830C7109DEA0D3D7D36E8CD57"
- "A1F301C5452494A1928F05AFFBEE3360232209D3BE0D",
- "F5B68B7823D8944F33F41541B4E4D38C9B2934F8D16334A796645B066152B4BE",
- "112F2B2D878590653CCC7DE278E9F0AA46FA5A380B62"
- "59F774CB7C134FCD37F61A50FD0D9F89BF8FE1A6B593" },
- { ENCTYPE_CAMELLIA128_CTS_CMAC,
- "866E0466A178279A32AC0BDA92B72AEB",
- "97FBB354BF341C3A160DCC86A7A910FDA824601DF677"
- "68797BACEEBF5D250AE929DEC9760772084267F50A54",
- "D4893FD37DA1A211E12DD1E03E0F03B7",
- "1DEE2FF126CA563A2A2326B9DD3F0095013257414C83"
- "FAD4398901013D55F367C82681186B7B2FE62F746BA4" },
- { ENCTYPE_CAMELLIA256_CTS_CMAC,
- "203071B1AE77BD3D6FCE70174AF95C225B1CED46B35CF52B6479EFEB47E6B063",
- "9B30020634C10FDA28420CEE7B96B70A90A771CED43A"
- "D8346554163E5949CBAE2FB8EF36AFB6B32CE75116A0",
-
"A171AD582C1AFBBAD52ABD622EE6B6A14D19BF95C6914B2BA40FFD99A88EC660",
- "A47CBB6E104DCC77E4DB48A7A474B977F2FB6A7A1AB6"
- "52317D50508AE72B7BE2E4E4BA24164E029CBACF786B" },
- { ENCTYPE_AES128_CTS_HMAC_SHA256_128,
- "089BCA48B105EA6EA77CA5D2F39DC5E7",
- "ED1736209B7C59C9F6A3AE8CCC8A7C97ADFDD11688AD"
- "F304F2F74252CBACD311A2D9253211FDA49745CE4F62",
- "3705D96080C17728A0E800EAB6E0D23C",
- "2BB41B183D76D8D5B30CBB049A7EFE9F350EFA058DC2"
- "C4D868308D354A7B199BE6FD1F22B53C038BC6036581" },
- { ENCTYPE_AES256_CTS_HMAC_SHA384_192,
- "45BD806DBF6A833A9CFFC1C94589A222367A79BC21C413718906E9F578A78467",
- "1C613AE8B77A3B4D783F3DCE6C9178FC025E87F48A44"
- "784A69CB5FC697FE266A6141905067EF78566D309085",
- "6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52",
- "D15944B0A44508D1E61213F6455F292A02298F870C01"
- "A3F74AD0345A4A6651EBE101976E933F32D44F0B5947" },
-};
-
-/* Decode hexstr into out. No length checking. */
-static size_t
-fromhex(const char *hexstr, unsigned char *out)
-{
- uint8_t *bytes;
- size_t len;
-
- if (k5_hex_decode(hexstr, &bytes, &len) != 0)
- abort();
- memcpy(out, bytes, len);
- free(bytes);
- return len;
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major;
- gss_ctx_id_t context;
- gss_union_ctx_id_desc uctx;
- krb5_gss_ctx_id_rec kgctx;
- krb5_key k1, k2;
- krb5_keyblock kb1, kb2;
- gss_buffer_desc in, out;
- unsigned char k1buf[32], k2buf[32], outbuf[44];
- size_t i;
-
- /*
- * Fake up just enough of a krb5 GSS context to make gss_pseudo_random
- * work, with chosen subkeys and acceptor subkeys. If we implement
- * gss_import_lucid_sec_context, we can rewrite this to use public
- * interfaces and stop using private headers and internal knowledge of the
- * implementation.
- */
- context = (gss_ctx_id_t)&uctx;
- memset(&uctx, 0, sizeof(uctx));
- uctx.mech_type = &mech_krb5;
- uctx.internal_ctx_id = (gss_ctx_id_t)&kgctx;
- memset(&kgctx, 0, sizeof(kgctx));
- kgctx.k5_context = NULL;
- kgctx.established = 1;
- kgctx.have_acceptor_subkey = 1;
- kb1.contents = k1buf;
- kb2.contents = k2buf;
- for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
- /* Set up the keys for this test. */
- kb1.enctype = tests[i].enctype;
- kb1.length = fromhex(tests[i].key1, k1buf);
- check_k5err(NULL, "create_key", krb5_k_create_key(NULL, &kb1, &k1));
- kgctx.subkey = k1;
- kb2.enctype = tests[i].enctype;
- kb2.length = fromhex(tests[i].key2, k2buf);
- check_k5err(NULL, "create_key", krb5_k_create_key(NULL, &kb2, &k2));
- kgctx.acceptor_subkey = k2;
-
- /* Generate a PRF value with the subkey and an empty input, and compare
- * it to the first expected output. */
- in.length = 0;
- in.value = NULL;
- major = gss_pseudo_random(&minor, context, GSS_C_PRF_KEY_PARTIAL, &in,
- 44, &out);
- check_gsserr("gss_pseudo_random", major, minor);
- (void)fromhex(tests[i].out1, outbuf);
- assert(out.length == 44 && memcmp(out.value, outbuf, 44) == 0);
- (void)gss_release_buffer(&minor, &out);
-
- /* Generate a PRF value with the acceptor subkey and the 61-byte input
- * string, and compare it to the second expected output. */
- in.length = strlen(inputstr);
- in.value = (char *)inputstr;
- major = gss_pseudo_random(&minor, context, GSS_C_PRF_KEY_FULL, &in, 44,
- &out);
- check_gsserr("gss_pseudo_random", major, minor);
- (void)fromhex(tests[i].out2, outbuf);
- assert(out.length == 44 && memcmp(out.value, outbuf, 44) == 0);
- (void)gss_release_buffer(&minor, &out);
-
- /* Also check that generating zero bytes of output works.
*/
- major = gss_pseudo_random(&minor, context, GSS_C_PRF_KEY_FULL, &in, 0,
- &out);
- check_gsserr("gss_pseudo_random", major, minor);
- assert(out.length == 0);
- (void)gss_release_buffer(&minor, &out);
-
- krb5_k_free_key(NULL, k1);
- krb5_k_free_key(NULL, k2);
- }
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_s4u.c b/crypto/krb5/src/tests/gssapi/t_s4u.c
deleted file mode 100644
index 0400f8f61f41..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_s4u.c
+++ /dev/null
@@ -1,334 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * Test program for protocol transition (S4U2Self) and constrained delegation - * (S4U2Proxy) - * - * Note: because of name canonicalization, the following tips may help - * when configuring with Active Directory: - * - * - Create a computer account FOO$ - * - Set the UPN to host/foo.domain (no suffix); this is necessary to - * be able to send an AS-REQ as this principal, otherwise you would - * need to use the canonical name (FOO$), which will cause principal - * comparison errors in gss_accept_sec_context(). 
- * - Add a SPN of host/foo.domain - * - Configure the computer account to support constrained delegation with - * protocol transition (Trust this computer for delegation to specified - * services only / Use any authentication protocol) - * - Add host/foo.domain to the keytab (possibly easiest to do this - * with ktadd) - * - * For S4U2Proxy to work the TGT must be forwardable too. - * - * Usage eg: - * - * kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU' - * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "common.h" - -static int use_spnego = 0; - -static void -test_greet_authz_data(gss_name_t *name) -{ - OM_uint32 major, minor; - gss_buffer_desc attr; - gss_buffer_desc value; - gss_name_t canon; - - major = gss_canonicalize_name(&minor, *name, &mech_krb5, &canon); - check_gsserr("gss_canonicalize_name", major, minor); - - attr.value = "greet:greeting"; - attr.length = strlen((char *)attr.value); - - value.value = "Hello, acceptor world!"; - value.length = strlen((char *)value.value); - - major = gss_set_name_attribute(&minor, canon, 1, &attr, &value); - if (major == GSS_S_UNAVAILABLE) { - (void)gss_release_name(&minor, &canon); - return; - } - check_gsserr("gss_set_name_attribute", major, minor); - gss_release_name(&minor, name); - *name = canon; -} - -static void -init_accept_sec_context(gss_cred_id_t claimant_cred_handle, - gss_cred_id_t verifier_cred_handle, - gss_cred_id_t *deleg_cred_handle) -{ - OM_uint32 major, minor, flags; - gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME; - gss_ctx_id_t initiator_context, acceptor_context; - gss_OID mech = GSS_C_NO_OID; - - *deleg_cred_handle = GSS_C_NO_CREDENTIAL; - - major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL, - NULL, NULL); - check_gsserr("gss_inquire_cred", major, minor); - - display_canon_name("Target name", target_name, 
&mech_krb5); - - mech = use_spnego ? &mech_spnego : &mech_krb5; - display_oid("Target mech", mech); - - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - establish_contexts(mech, claimant_cred_handle, verifier_cred_handle, - target_name, flags, &initiator_context, - &acceptor_context, &source_name, &mech, - deleg_cred_handle); - - display_canon_name("Source name", source_name, &mech_krb5); - display_oid("Source mech", mech); - enumerate_attributes(source_name, 1); - - (void)gss_release_name(&minor, &source_name); - (void)gss_release_name(&minor, &target_name); - (void)gss_delete_sec_context(&minor, &initiator_context, NULL); - (void)gss_delete_sec_context(&minor, &acceptor_context, NULL); -} - -static void -check_ticket_count(gss_cred_id_t cred, int expected) -{ - krb5_error_code ret; - krb5_context context = NULL; - krb5_creds kcred; - krb5_cc_cursor cur; - krb5_ccache ccache; - int count = 0; - gss_key_value_set_desc store; - gss_key_value_element_desc elem; - OM_uint32 major, minor; - const char *ccname = "MEMORY:count"; - - store.count = 1; - store.elements = &elem; - elem.key = "ccache"; - elem.value = ccname; - major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5, 1, 0, - &store, NULL, NULL); - check_gsserr("gss_store_cred_into", major, minor); - - ret = krb5_init_context(&context); - check_k5err(context, "krb5_init_context", ret); - - ret = krb5_cc_resolve(context, ccname, &ccache); - check_k5err(context, "krb5_cc_resolve", ret); - - ret = krb5_cc_start_seq_get(context, ccache, &cur); - check_k5err(context, "krb5_cc_start_seq_get", ret); - - while (!krb5_cc_next_cred(context, ccache, &cur, &kcred)) { - if (!krb5_is_config_principal(context, kcred.server)) - count++; - krb5_free_cred_contents(context, &kcred); - } - - ret = krb5_cc_end_seq_get(context, ccache, &cur); - check_k5err(context, "krb5_cc_end_seq_get", ret); - - if (expected != count) { - printf("Expected %d tickets but got %d\n", expected, count); - exit(1); - } - - 
krb5_cc_destroy(context, ccache); - krb5_free_context(context); -} - -static void -constrained_delegate(gss_OID_set desired_mechs, gss_name_t target, - gss_cred_id_t delegated_cred_handle, - gss_cred_id_t verifier_cred_handle) -{ - OM_uint32 major, minor; - gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT; - gss_name_t cred_name = GSS_C_NO_NAME; - OM_uint32 time_rec, lifetime; - gss_cred_usage_t usage; - gss_buffer_desc token; - gss_OID_set mechs; - - printf("Constrained delegation tests follow\n"); - printf("-----------------------------------\n\n"); - - if (gss_inquire_cred(&minor, verifier_cred_handle, &cred_name, - &lifetime, &usage, NULL) == GSS_S_COMPLETE) { - display_canon_name("Proxy name", cred_name, &mech_krb5); - (void)gss_release_name(&minor, &cred_name); - } - display_canon_name("Target name", target, &mech_krb5); - if (gss_inquire_cred(&minor, delegated_cred_handle, &cred_name, - &lifetime, &usage, &mechs) == GSS_S_COMPLETE) { - display_canon_name("Delegated name", cred_name, &mech_krb5); - display_oid("Delegated mech", &mechs->elements[0]); - (void)gss_release_name(&minor, &cred_name); - } - - printf("\n"); - - major = gss_init_sec_context(&minor, delegated_cred_handle, - &initiator_context, target, - mechs ? &mechs->elements[0] : &mech_krb5, - GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, NULL, &token, NULL, - &time_rec); - check_gsserr("gss_init_sec_context", major, minor); - - (void)gss_release_buffer(&minor, &token); - (void)gss_delete_sec_context(&minor, &initiator_context, NULL); - - /* Ensure a second call does not acquire new ticket. */ - major = gss_init_sec_context(&minor, delegated_cred_handle, - &initiator_context, target, - mechs ? 
&mechs->elements[0] : &mech_krb5, - GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, - GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, - GSS_C_NO_BUFFER, NULL, &token, NULL, - &time_rec); - check_gsserr("gss_init_sec_context", major, minor); - - (void)gss_release_buffer(&minor, &token); - (void)gss_delete_sec_context(&minor, &initiator_context, NULL); - (void)gss_release_oid_set(&minor, &mechs); - - /* We expect three tickets: our TGT, the evidence ticket, and the ticket to - * the target service. */ - check_ticket_count(delegated_cred_handle, 3); -} - -int -main(int argc, char *argv[]) -{ - OM_uint32 minor, major; - gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL; - gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; - gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL; - gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME; - gss_OID_set mechs; - gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET; - - if (argc < 2 || argc > 5) { - fprintf(stderr, "Usage: %s [--spnego] [user] " - "[proxy-target] [keytab]\n", argv[0]); - fprintf(stderr, " proxy-target and keytab are optional\n"); - exit(1); - } - - if (strcmp(argv[1], "--spnego") == 0) { - use_spnego++; - argc--; - argv++; - } - - user = import_name(argv[1]); - - if (argc > 2 && strcmp(argv[2], "-")) - target = import_name(argv[2]); - - if (argc > 3) { - major = krb5_gss_register_acceptor_identity(argv[3]); - check_gsserr("krb5_gss_register_acceptor_identity", major, 0); - } - - /* Get default cred. */ - mechs = use_spnego ? &mechset_spnego : &mechset_krb5; - major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs, - GSS_C_BOTH, &impersonator_cred_handle, NULL, - NULL); - check_gsserr("gss_acquire_cred", major, minor); - - printf("Protocol transition tests follow\n"); - printf("-----------------------------------\n\n"); - - test_greet_authz_data(&user); - - /* Get S4U2Self cred. 
*/ - major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, - user, GSS_C_INDEFINITE, mechs, - GSS_C_INITIATE, - &user_cred_handle, NULL, NULL); - check_gsserr("gss_acquire_cred_impersonate_name", major, minor); - - init_accept_sec_context(user_cred_handle, impersonator_cred_handle, - &delegated_cred_handle); - printf("\n"); - - if (target != GSS_C_NO_NAME && - delegated_cred_handle != GSS_C_NO_CREDENTIAL) { - constrained_delegate(mechs, target, delegated_cred_handle, - impersonator_cred_handle); - } else if (target != GSS_C_NO_NAME) { - fprintf(stderr, "Warning: no delegated cred handle returned\n\n"); - fprintf(stderr, "Verify:\n\n"); - fprintf(stderr, " - The TGT for the impersonating service is " - "forwardable\n"); - fprintf(stderr, " - The T2A4D flag set on the impersonating service's " - "UAC\n"); - fprintf(stderr, " - The user is not marked sensitive and cannot be " - "delegated\n"); - fprintf(stderr, "\n"); - } - - if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) { - /* Inquire impersonator status. */ - major = gss_inquire_cred_by_oid(&minor, user_cred_handle, - GSS_KRB5_GET_CRED_IMPERSONATOR, - &bufset); - check_gsserr("gss_inquire_cred_by_oid", major, minor); - if (bufset->count == 0) - errout("gss_inquire_cred_by_oid(user) returned NO impersonator"); - (void)gss_release_buffer_set(&minor, &bufset); - - major = gss_inquire_cred_by_oid(&minor, impersonator_cred_handle, - GSS_KRB5_GET_CRED_IMPERSONATOR, - &bufset); - check_gsserr("gss_inquire_cred_by_oid", major, minor); - if (bufset->count != 0) - errout("gss_inquire_cred_by_oid(svc) returned an impersonator"); - (void)gss_release_buffer_set(&minor, &bufset); - } - - (void)gss_release_name(&minor, &user); - (void)gss_release_name(&minor, &target); - (void)gss_release_cred(&minor, &delegated_cred_handle); - (void)gss_release_cred(&minor, &impersonator_cred_handle); - (void)gss_release_cred(&minor, &user_cred_handle); - return 0; -} 
diff --git a/crypto/krb5/src/tests/gssapi/t_s4u.py b/crypto/krb5/src/tests/gssapi/t_s4u.py
deleted file mode 100755
index 4a1cdb235511..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_s4u.py
+++ /dev/null
@@ -1,403 +0,0 @@ -from k5test import * -from base64 import b64encode -import shutil - -realm = K5Realm(create_host=False, get_creds=False) -usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache') -storagecache = 'FILE:' + os.path.join(realm.testdir, 'save') - -# Create two service principals with keys in the default keytab. -service1 = 'service/1@%s' % realm.realm -realm.addprinc(service1) -realm.extract_keytab(service1, realm.keytab) -service2 = 'service/2@%s' % realm.realm -realm.addprinc(service2) -realm.extract_keytab(service2, realm.keytab) - -puser = 'p:' + realm.user_princ -pservice1 = 'p:' + service1 -pservice2 = 'p:' + service2 - -# Get forwardable creds for service1 in the default cache. -realm.kinit(service1, None, ['-f', '-k']) - -# Try S4U2Self for user with a restricted password. -realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ]) -realm.run(['./t_s4u', 'e:user', '-']) -realm.run([kadminl, 'modprinc', '-needchange', - '-pwexpire', '1/1/2000', realm.user_princ]) -realm.run(['./t_s4u', 'e:user', '-']) -realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ]) - -# Try krb5 -> S4U2Proxy with forwardable user creds. This should fail -# at the S4U2Proxy step since the DB2 back end currently has no -# support for allowing it. -realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache]) -output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', - pservice1, pservice2], expected_code=1) -if ('auth1: ' + realm.user_princ not in output or - 'KDC can\'t fulfill requested option' not in output): - fail('krb5 -> s4u2proxy') - -# Again with SPNEGO. -output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, - '-', pservice1, pservice2], - expected_code=1) -if ('auth1: ' + realm.user_princ not in output or - 'KDC can\'t fulfill requested option' not in output): - fail('krb5 -> s4u2proxy (SPNEGO)') - -# Try krb5 -> S4U2Proxy without forwardable user creds. 
-realm.kinit(realm.user_princ, password('user'), ['-c', usercache]) -output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1, - pservice1, pservice2], expected_code=1) -if ('auth1: ' + realm.user_princ not in output or - 'KDC can\'t fulfill requested option' not in output): - fail('krb5 -> s4u2proxy not-forwardable') - -# Try S4U2Self. Ask for an S4U2Proxy step; this won't succeed because -# service/1 isn't allowed to get a forwardable S4U2Self ticket. -realm.run(['./t_s4u', puser, pservice2], expected_code=1, - expected_msg='KDC can\'t fulfill requested option') -realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1, - expected_msg='KDC can\'t fulfill requested option') - -# Correct that problem and try again. As above, the S4U2Proxy step -# won't actually succeed since we don't support that in DB2. -realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', service1]) -realm.run(['./t_s4u', puser, pservice2], expected_code=1, - expected_msg='KDC can\'t fulfill requested option') - -# Again with SPNEGO. This uses SPNEGO for the initial authentication, -# but still uses krb5 for S4U2Proxy--the delegated cred is returned as -# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred -# directly rather than saving and reacquiring it. -realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1, - expected_msg='KDC can\'t fulfill requested option') - -realm.stop() - -# Set up a realm using the test KDB module so that we can do -# successful S4U2Proxy delegations. 
-testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts'}, - 'service/1': {'flags': '+ok-to-auth-as-delegate', - 'keys': 'aes128-cts'}, - 'service/2': {'keys': 'aes128-cts'}} -conf = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': testprincs, - 'delegation': {'service/1': 'service/2'}}}} -realm = K5Realm(create_kdb=False, kdc_conf=conf) -userkeytab = 'FILE:' + os.path.join(realm.testdir, 'userkeytab') -realm.extract_keytab(realm.user_princ, userkeytab) -realm.extract_keytab(service1, realm.keytab) -realm.extract_keytab(service2, realm.keytab) -realm.start_kdc() - -# Get forwardable creds for service1 in the default cache. -realm.kinit(service1, None, ['-f', '-k']) - -# Successful krb5 -> S4U2Proxy, with krb5 and SPNEGO mechs. -realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache, - '-t', userkeytab]) -out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', - pservice1, pservice2]) -if 'auth1: user@' not in out or 'auth2: user@' not in out: - fail('krb5 -> s4u2proxy') -out = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache, - '-', pservice1, pservice2]) -if 'auth1: user@' not in out or 'auth2: user@' not in out: - fail('krb5 -> s4u2proxy') - -# Successful S4U2Self -> S4U2Proxy. -out = realm.run(['./t_s4u', puser, pservice2]) - -# Regression test for #8139: get a user ticket directly for service1 and -# try krb5 -> S4U2Proxy. -realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache, - '-t', userkeytab, '-S', service1]) -out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', - pservice1, pservice2]) -if 'auth1: user@' not in out or 'auth2: user@' not in out: - fail('krb5 -> s4u2proxy') - -# Simulate a krbtgt rollover and verify that the user ticket can still -# be validated. 
-realm.stop_kdc() -newtgt_keys = ['2 aes128-cts', '1 aes128-cts'] -newtgt_princs = {'krbtgt/KRBTEST.COM': {'keys': newtgt_keys}} -newtgt_conf = {'dbmodules': {'test': {'princs': newtgt_princs}}} -newtgt_env = realm.special_env('newtgt', True, kdc_conf=newtgt_conf) -realm.start_kdc(env=newtgt_env) -out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', - pservice1, pservice2]) -if 'auth1: user@' not in out or 'auth2: user@' not in out: - fail('krb5 -> s4u2proxy') - -# Get a user ticket after the krbtgt rollover and verify that -# S4U2Proxy delegation works (also a #8139 regression test). -realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache, - '-t', userkeytab]) -out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-', - pservice1, pservice2]) -if 'auth1: user@' not in out or 'auth2: user@' not in out: - fail('krb5 -> s4u2proxy') - -realm.stop() - -mark('S4U2Self with various enctypes') -for realm in multipass_realms(create_host=False, get_creds=False): - service1 = 'service/1@%s' % realm.realm - realm.addprinc(service1) - realm.extract_keytab(service1, realm.keytab) - realm.kinit(service1, None, ['-k']) - realm.run(['./t_s4u', 'e:user', '-']) - -# Test cross realm S4U2Self using server referrals. 
-mark('cross-realm S4U2Self') -testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'}, - 'krbtgt/UREALM': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}, - 'other': {'keys': 'aes128-cts'}} -kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': testprincs, - 'alias': {'enterprise@abc': '@UREALM', - 'user@UREALM': '@UREALM'}}}} -kdcconf2 = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': testprincs, - 'alias': {'user@SREALM': '@SREALM', - 'user@UREALM': 'user', - 'enterprise@abc': 'user'}}}} -r1, r2 = cross_realms(2, xtgts=(), - args=({'realm': 'SREALM', 'kdc_conf': kdcconf1}, - {'realm': 'UREALM', 'kdc_conf': kdcconf2}), - create_kdb=False) - -r1.start_kdc() -r2.start_kdc() -r1.extract_keytab(r1.user_princ, r1.keytab) -r1.kinit(r1.user_princ, None, ['-k', '-t', r1.keytab]) -savefile = r1.ccache + '.save' -shutil.copyfile(r1.ccache, savefile) - -# Include a regression test for #8741 by unsetting the default realm. -remove_default = {'libdefaults': {'default_realm': None}} -no_default = r1.special_env('no_default', False, krb5_conf=remove_default) -msgs = ('Getting credentials user@UREALM -> user@SREALM', - '/Matching credential not found', - 'Getting credentials user@SREALM -> krbtgt/UREALM@SREALM', - 'Received creds for desired service krbtgt/UREALM@SREALM', - 'via TGT krbtgt/UREALM@SREALM after requesting user\\@SREALM@UREALM', - 'krbtgt/SREALM@UREALM differs from requested user\\@SREALM@UREALM', - 'via TGT krbtgt/SREALM@UREALM after requesting user@SREALM', - 'TGS reply is for user@UREALM -> user@SREALM') -r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab], env=no_default, - expected_trace=msgs) - -# Test realm identification of enterprise principal names ([MS-SFU] -# 3.1.5.1.1.1). Attach a bogus realm to the enterprise name to verify -# that we start at the server realm. 
-mark('cross-realm S4U2Self with enterprise name') -msgs = ('Getting initial credentials for enterprise\\@abc@SREALM', - 'Sending unauthenticated request', - '/Realm not local to KDC', - 'Following referral to realm UREALM', - 'Sending unauthenticated request', - '/Additional pre-authentication required', - 'Identified realm of client principal as UREALM', - 'Getting credentials enterprise\\@abc@UREALM -> user@SREALM', - 'TGS reply is for enterprise\\@abc@UREALM -> user@SREALM') -r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab], - expected_trace=msgs) - -mark('S4U2Self using X509 certificate') - -# Encode name as a PEM certificate file (sort of) for use by kvno. -def princ_cert(name): - enc = b64encode(name.encode('ascii')).decode('ascii') - return '-----BEGIN CERTIFICATE-----\n%s\n-----END y\n' % enc - -cert_path = os.path.join(r1.testdir, 'fake_cert') -with open(cert_path, "w") as cert_file: - cert_file.write(princ_cert('other')) - -shutil.copyfile(savefile, r1.ccache) -msgs = ('Getting initial credentials for @SREALM', - 'Identified realm of client principal as SREALM', - 'TGS reply is for other@SREALM', - 'Getting credentials other@SREALM', - 'Storing other@SREALM') -r1.run([kvno, '-F', cert_path, r1.user_princ], expected_trace=msgs) - -shutil.copyfile(savefile, r1.ccache) -msgs = ('Getting credentials other@SREALM', - 'TGS reply is for other@SREALM', - 'Storing other@SREALM') -r1.run([kvno, '-I', 'other', '-F', cert_path, r1.user_princ], - expected_trace=msgs) - -shutil.copyfile(savefile, r1.ccache) -msgs = ('Getting initial credentials for other@SREALM', - 'Identified realm of client principal as SREALM', - 'Getting credentials other@SREALM', - 'TGS reply is for other@SREALM', - 'Storing other@SREALM') -r1.run([kvno, '-U', 'other', '-F', cert_path, r1.user_princ], - expected_trace=msgs) - -mark('cross-realm S4U2Self using X509 certificate') - -with open(cert_path, "w") as cert_file: - cert_file.write(princ_cert('user@UREALM')) - 
-shutil.copyfile(savefile, r1.ccache) -msgs = ('Getting initial credentials for @SREALM', - 'Identified realm of client principal as UREALM', - 'TGS reply is for user@UREALM', - 'Getting credentials user@UREALM', - 'Storing user@UREALM') -r1.run([kvno, '-F', cert_path, r1.user_princ], expected_trace=msgs) - -shutil.copyfile(savefile, r1.ccache) -msgs = ('Getting credentials user@UREALM', - 'TGS reply is for user@UREALM', - 'Storing user@UREALM') -r1.run([kvno, '-I', 'user@UREALM', '-F', cert_path, r1.user_princ], - expected_trace=msgs) - -shutil.copyfile(savefile, r1.ccache) -msgs = ('Getting initial credentials for enterprise\\@abc@SREALM', - 'Identified realm of client principal as UREALM', - 'Getting credentials enterprise\\@abc@UREALM', - 'TGS reply is for enterprise\\@abc@UREALM', - 'Storing enterprise\\@abc@UREALM') -r1.run([kvno, '-U', 'enterprise@abc', '-F', cert_path, r1.user_princ], - expected_trace=msgs) - -shutil.copyfile(savefile, r1.ccache) - -mark('S4U2Self using X509 certificate (GSSAPI)') - -r1.run(['./t_s4u', 'c:other', '-', r1.keytab]) -r1.run(['./t_s4u', 'c:user@UREALM', '-', r1.keytab]) - -r1.run(['./t_s4u', '--spnego', 'c:other', '-', r1.keytab]) -r1.run(['./t_s4u', '--spnego', 'c:user@UREALM', '-', r1.keytab]) - -r1.stop() -r2.stop() - -mark('Resource-based constrained delegation') - -a_princs = {'krbtgt/A': {'keys': 'aes128-cts'}, - 'krbtgt/B': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}, - 'sensitive': {'keys': 'aes128-cts', - 'flags': '+disallow_forwardable'}, - 'impersonator': {'keys': 'aes128-cts'}, - 'service1': {'keys': 'aes128-cts'}, - 'rb2': {'keys': 'aes128-cts'}, - 'rb': {'keys': 'aes128-cts'}} -a_kconf = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': a_princs, - 'rbcd': {'rb@A': 'impersonator@A', - 'rb2@A': 'service1@A'}, - 'delegation': {'service1': 'rb2'}, - 'alias': {'rb@A': 'rb', - 'rb@B': '@B', - 'rb@C': '@B', - 'service/rb.a': 
'rb', - 'service/rb.b': '@B', - 'service/rb.c': '@B' }}}} - -b_princs = {'krbtgt/B': {'keys': 'aes128-cts'}, - 'krbtgt/A': {'keys': 'aes128-cts'}, - 'krbtgt/C': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}, - 'rb': {'keys': 'aes128-cts'}} -b_kconf = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': b_princs, - 'rbcd': {'rb@B': 'impersonator@A'}, - 'alias': {'rb@B': 'rb', - 'service/rb.b': 'rb', - 'rb@C': '@C', - 'impersonator@A': '@A', - 'service/rb.c': '@C'}}}} - -c_princs = {'krbtgt/C': {'keys': 'aes128-cts'}, - 'krbtgt/B': {'keys': 'aes128-cts'}, - 'rb': {'keys': 'aes128-cts'}} -c_kconf = {'realms': {'$realm': {'database_module': 'test'}}, - 'capaths': { 'A' : { 'C' : 'B' }}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': c_princs, - 'rbcd': {'rb@C': ['impersonator@A', - 'service1@A']}, - 'alias': {'rb@C': 'rb', - 'service/rb.c': 'rb' }}}} - -ra, rb, rc = cross_realms(3, xtgts=(), - args=({'realm': 'A', 'kdc_conf': a_kconf}, - {'realm': 'B', 'kdc_conf': b_kconf}, - {'realm': 'C', 'kdc_conf': c_kconf}), - create_kdb=False) - -ra.start_kdc() -rb.start_kdc() -rc.start_kdc() - -domain_realm = {'domain_realm': {'.a':'A', '.b':'B', '.c':'C'}} -domain_conf = ra.special_env('domain_conf', False, krb5_conf=domain_realm) - -ra.extract_keytab('impersonator@A', ra.keytab) -ra.kinit('impersonator@A', None, ['-f', '-k', '-t', ra.keytab]) - -mark('Local-realm RBCD') -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'p:rb']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'p:rb@A']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@A']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@A@']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@A@A']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'h:service@rb.a']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'h:service@rb.a'], env=domain_conf) -ra.run(['./t_s4u', 'p:' + 'sensitive@A', 'h:service@rb.a'], 
expected_code=1) -ra.run(['./t_s4u', 'p:' + rb.user_princ, 'h:service@rb.a']) - -mark('Cross-realm RBCD') -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@B']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@B@']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@B@A']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'h:service@rb.b']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'h:service@rb.b'], env=domain_conf) -ra.run(['./t_s4u', 'p:' + 'sensitive@A', 'h:service@rb.b'], expected_code=1) -ra.run(['./t_s4u', 'p:' + rb.user_princ, 'h:service@rb.b']) - -mark('RBCD transitive trust') -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@C']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@C@']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb@C@A']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'h:service@rb.c']) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'h:service@rb.c'], env=domain_conf) -ra.run(['./t_s4u', 'p:' + 'sensitive@A', 'h:service@rb.c'], expected_code=1) -ra.run(['./t_s4u', 'p:' + rb.user_princ, 'h:service@rb.c']) - -# Although service1 has RBCD delegation privileges to rb2@A, it does -# not have ok-to-auth-as-delegate and does have traditional delegation -# privileges, so it cannot get a forwardable S4U2Self ticket. -mark('RBCD forwardable blocked by forward delegation privileges') -ra.extract_keytab('service1@A', ra.keytab) -ra.kinit('service1@A', None, ['-f', '-k', '-t', ra.keytab]) -ra.run(['./t_s4u', 'p:' + ra.user_princ, 'e:rb2@A'], expected_code=1, - expected_msg='KDC can\'t fulfill requested option') - -ra.stop() -rb.stop() -rc.stop() - -success('S4U test cases') diff --git a/crypto/krb5/src/tests/gssapi/t_s4u2proxy_krb5.c b/crypto/krb5/src/tests/gssapi/t_s4u2proxy_krb5.c deleted file mode 100644 index 0027f1f3ff38..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_s4u2proxy_krb5.c +++ /dev/null 
@@ -1,164 +0,0 @@ -/* -*- mode: c; indent-tabs-mode: nil -*- */ -/* tests/gssapi/t_s4u2proxy_deleg.c - Test S4U2Proxy after krb5 auth */ -/* - * Copyright 2011 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "common.h" - -/* - * Usage: ./t_s4u2proxy_krb5 [--spnego] client_cache storage_cache - * [accname|-] service1 service2 - * - * This program performs a regular Kerberos or SPNEGO authentication from the - * default principal of client_cache to service1. If that authentication - * yields delegated credentials, the program stores those credentials in - * sorage_ccache and uses that cache to perform a second authentication to - * service2 using S4U2Proxy. - * - * The default keytab must contain keys for service1 and service2. 
The default - * ccache must contain a TGT for service1. This program assumes that krb5 or - * SPNEGO authentication requires only one token exchange. - */ - -int -main(int argc, char *argv[]) -{ - const char *client_ccname, *storage_ccname, *accname, *service1, *service2; - krb5_context context = NULL; - krb5_error_code ret; - krb5_boolean use_spnego = FALSE; - krb5_ccache storage_ccache = NULL; - krb5_principal client_princ = NULL; - OM_uint32 minor, major, flags; - gss_buffer_desc buf = GSS_C_EMPTY_BUFFER; - gss_OID mech; - gss_OID_set mechs; - gss_name_t acceptor_name = GSS_C_NO_NAME, client_name = GSS_C_NO_NAME; - gss_name_t service1_name = GSS_C_NO_NAME, service2_name = GSS_C_NO_NAME; - gss_cred_id_t service1_cred = GSS_C_NO_CREDENTIAL; - gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; - gss_ctx_id_t initiator_context, acceptor_context; - - /* Parse arguments. */ - if (argc >= 2 && strcmp(argv[1], "--spnego") == 0) { - use_spnego = TRUE; - argc--; - argv++; - } - if (argc != 6) { - fprintf(stderr, "./t_s4u2proxy_krb5 [--spnego] client_ccache " - "storage_ccache [accname|-] service1 service2\n"); - return 1; - } - client_ccname = argv[1]; - storage_ccname = argv[2]; - accname = argv[3]; - service1 = argv[4]; - service2 = argv[5]; - - mech = use_spnego ? &mech_spnego : &mech_krb5; - mechs = use_spnego ? &mechset_spnego : &mechset_krb5; - ret = krb5_init_context(&context); - check_k5err(context, "krb5_init_context", ret); - - /* Get GSS_C_BOTH acceptor credentials, using the default ccache. */ - acceptor_name = GSS_C_NO_NAME; - if (strcmp(accname, "-") != 0) - acceptor_name = import_name(service1); - major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE, - mechs, GSS_C_BOTH, &service1_cred, NULL, NULL); - check_gsserr("gss_acquire_cred(service1)", major, minor); - - /* Establish contexts using the client ccache. 
*/ - service1_name = import_name(service1); - major = gss_krb5_ccache_name(&minor, client_ccname, NULL); - check_gsserr("gss_krb5_ccache_name(1)", major, minor); - flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; - establish_contexts(mech, GSS_C_NO_CREDENTIAL, service1_cred, service1_name, - flags, &initiator_context, &acceptor_context, - &client_name, NULL, &deleg_cred); - - /* Display and remember the client principal. */ - major = gss_display_name(&minor, client_name, &buf, NULL); - check_gsserr("gss_display_name(1)", major, minor); - printf("auth1: %.*s\n", (int)buf.length, (char *)buf.value); - /* Assumes buffer is null-terminated, which in our implementation it is. */ - ret = krb5_parse_name(context, buf.value, &client_princ); - check_k5err(context, "krb5_parse_name", ret); - (void)gss_release_buffer(&minor, &buf); - - if (deleg_cred == GSS_C_NO_CREDENTIAL) { - printf("no credential delegated.\n"); - goto cleanup; - } - - /* Take the opportunity to test cred export/import on the synthesized - * S4U2Proxy delegated cred. */ - export_import_cred(&deleg_cred); - - /* Store the delegated credentials. */ - ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache); - check_k5err(context, "krb5_cc_resolve", ret); - ret = krb5_cc_initialize(context, storage_ccache, client_princ); - check_k5err(context, "krb5_cc_initialize", ret); - major = gss_krb5_copy_ccache(&minor, deleg_cred, storage_ccache); - check_gsserr("gss_krb5_copy_ccache", major, minor); - ret = krb5_cc_close(context, storage_ccache); - check_k5err(context, "krb5_cc_close", ret); - - (void)gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER); - (void)gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER); - (void)gss_release_name(&minor, &client_name); - (void)gss_release_cred(&minor, &deleg_cred); - - /* Establish contexts using the storage ccache. 
*/ - service2_name = import_name(service2); - major = gss_krb5_ccache_name(&minor, storage_ccname, NULL); - check_gsserr("gss_krb5_ccache_name(2)", major, minor); - establish_contexts(mech, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL, - service2_name, flags, &initiator_context, - &acceptor_context, &client_name, NULL, &deleg_cred); - - major = gss_display_name(&minor, client_name, &buf, NULL); - check_gsserr("gss_display_name(2)", major, minor); - printf("auth2: %.*s\n", (int)buf.length, (char *)buf.value); - (void)gss_release_buffer(&minor, &buf); - -cleanup: - (void)gss_release_name(&minor, &acceptor_name); - (void)gss_release_name(&minor, &client_name); - (void)gss_release_name(&minor, &service1_name); - (void)gss_release_name(&minor, &service2_name); - (void)gss_release_cred(&minor, &service1_cred); - (void)gss_release_cred(&minor, &deleg_cred); - (void)gss_delete_sec_context(&minor, &initiator_context, GSS_C_NO_BUFFER); - (void)gss_delete_sec_context(&minor, &acceptor_context, GSS_C_NO_BUFFER); - krb5_free_principal(context, client_princ); - krb5_free_context(context); - return 0; -} diff --git a/crypto/krb5/src/tests/gssapi/t_saslname.c b/crypto/krb5/src/tests/gssapi/t_saslname.c deleted file mode 100644 index b874caf97f1b..000000000000 --- a/crypto/krb5/src/tests/gssapi/t_saslname.c +++ /dev/null 
@@ -1,165 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 2009 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "common.h"
-
-static void
-dump_known_mech_attrs(gss_OID mech)
-{
- OM_uint32 major, minor;
- gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
- gss_OID_set known_attrs = GSS_C_NO_OID_SET;
- size_t i;
-
- major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attrs,
- &known_attrs);
- check_gsserr("gss_inquire_attrs_for_mech", major, minor);
-
- printf("Known attributes\n");
- printf("----------------\n");
- for (i = 0; i < known_attrs->count; i++) {
- gss_buffer_desc name = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc short_desc = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc long_desc = GSS_C_EMPTY_BUFFER;
-
- major = gss_display_mech_attr(&minor, &known_attrs->elements[i],
- &name, &short_desc, &long_desc);
- check_gsserr("gss_display_mech_attr", major, minor);
- printf("%.*s (%.*s): %.*s\n", (int)short_desc.length,
- (char *)short_desc.value, (int)name.length, (char *)name.value,
- (int)long_desc.length, (char *)long_desc.value);
- (void)gss_release_buffer(&minor, &name);
- (void)gss_release_buffer(&minor, &short_desc);
- (void)gss_release_buffer(&minor, &long_desc);
- }
- printf("\n");
- (void)gss_release_oid_set(&minor, &mech_attrs);
- (void)gss_release_oid_set(&minor, &known_attrs);
-}
-
-static void
-dump_mech_attrs(gss_OID mech)
-{
- OM_uint32 major, minor;
- gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
- gss_OID_set known_attrs = GSS_C_NO_OID_SET;
- size_t i;
-
- major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attrs,
- &known_attrs);
- check_gsserr("gss_inquire_attrs_for_mech", major, minor);
-
- printf("Mech attrs: ");
-
- for (i = 0; i < mech_attrs->count; i++) {
- gss_buffer_desc name = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc short_desc = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc long_desc = GSS_C_EMPTY_BUFFER;
-
- major = gss_display_mech_attr(&minor, &mech_attrs->elements[i],
- &name, &short_desc, &long_desc);
- check_gsserr("gss_display_mech_attr", major, minor);
- printf("%.*s ", (int)name.length, (char *)name.value);
- (void)gss_release_buffer(&minor, &name);
- (void)gss_release_buffer(&minor, &short_desc);
- (void)gss_release_buffer(&minor, &long_desc);
- }
- printf("\n");
-
- (void)gss_release_oid_set(&minor, &mech_attrs);
- (void)gss_release_oid_set(&minor, &known_attrs);
-}
-
-int
-main(int argc, char *argv[])
-{
- gss_OID_set mechs;
- OM_uint32 major, minor;
- size_t i;
-
- major = gss_indicate_mechs(&minor, &mechs);
- check_gsserr("gss_indicate_mechs", major, minor);
- if (mechs->count > 0)
- dump_known_mech_attrs(mechs->elements);
-
- for (i = 0; i < mechs->count; i++) {
- gss_buffer_desc oidstr = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc sasl_mech_name = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc mech_name = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc mech_description = GSS_C_EMPTY_BUFFER;
- gss_OID oid = GSS_C_NO_OID;
-
- major = gss_oid_to_str(&minor, &mechs->elements[i], &oidstr);
- if (GSS_ERROR(major))
- continue;
-
- major = gss_inquire_saslname_for_mech(&minor, &mechs->elements[i],
- &sasl_mech_name, &mech_name,
- &mech_description);
- if (GSS_ERROR(major)) {
- gss_release_buffer(&minor, &oidstr);
- continue;
- }
-
- printf("-------------------------------------------------------------"
- "-----------------\n");
- printf("OID : %.*s\n", (int)oidstr.length,
- (char *)oidstr.value);
- printf("SASL mech : %.*s\n", (int)sasl_mech_name.length,
- (char *)sasl_mech_name.value);
- printf("Mech name : %.*s\n", (int)mech_name.length,
- (char *)mech_name.value);
- printf("Mech desc : %.*s\n", (int)mech_description.length,
- (char *)mech_description.value);
- dump_mech_attrs(&mechs->elements[i]);
- printf("-------------------------------------------------------------"
- "-----------------\n");
-
- major = gss_inquire_mech_for_saslname(&minor, &sasl_mech_name, &oid);
- check_gsserr("gss_inquire_mech_for_saslname", major, minor);
-
- if (oid == GSS_C_NO_OID ||
- (oid->length != mechs->elements[i].length &&
- memcmp(oid->elements, mechs->elements[i].elements,
- oid->length) != 0)) {
- (void)gss_release_buffer(&minor, &oidstr);
- (void)gss_oid_to_str(&minor, oid, &oidstr);
- fprintf(stderr, "Got different OID %.*s for mechanism %.*s\n",
- (int)oidstr.length, (char *)oidstr.value,
- (int)sasl_mech_name.length, (char *)sasl_mech_name.value);
- }
- (void)gss_release_buffer(&minor, &oidstr);
- (void)gss_release_buffer(&minor, &sasl_mech_name);
- (void)gss_release_buffer(&minor, &mech_name);
- (void)gss_release_buffer(&minor, &mech_description);
- }
-
- (void)gss_release_oid_set(&minor, &mechs);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_spnego.c b/crypto/krb5/src/tests/gssapi/t_spnego.c
deleted file mode 100644
index 4091739f835b..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_spnego.c
+++ /dev/null
@@ -1,314 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 2010 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-
-#include "common.h"
-
-static gss_OID_desc mech_krb5_wrong = {
- 9, "\052\206\110\202\367\022\001\002\002"
-};
-gss_OID_set_desc mechset_krb5_wrong = { 1, &mech_krb5_wrong };
-
-/*
- * Test program for SPNEGO and gss_set_neg_mechs
- *
- * Example usage:
- *
- * kinit testuser
- * ./t_spnego host/test.host@REALM testhost.keytab
- */
-
-/* Replace *tok and *len with the concatenation of prefix and *tok. */
-static void
-prepend(const void *prefix, size_t plen, uint8_t **tok, size_t *len)
-{
- uint8_t *newtok;
-
- newtok = malloc(plen + *len);
- assert(newtok != NULL);
- memcpy(newtok, prefix, plen);
- memcpy(newtok + plen, *tok, *len);
- free(*tok);
- *tok = newtok;
- *len = plen + *len;
-}
-
-/* Replace *tok and *len with *tok wrapped in a DER tag with the given tag
- * byte. *len must be less than 2^16. */
-static void
-der_wrap(uint8_t tag, uint8_t **tok, size_t *len)
-{
- char lenbuf[3];
- uint8_t *wrapped;
- size_t llen;
-
- if (*len < 128) {
- lenbuf[0] = *len;
- llen = 1;
- } else if (*len < 256) {
- lenbuf[0] = 0x81;
- lenbuf[1] = *len;
- llen = 2;
- } else {
- assert(*len >> 16 == 0);
- lenbuf[0] = 0x82;
- lenbuf[1] = *len >> 8;
- lenbuf[2] = *len & 0xFF;
- llen = 3;
- }
- wrapped = malloc(1 + llen + *len);
- assert(wrapped != NULL);
- *wrapped = tag;
- memcpy(wrapped + 1, lenbuf, llen);
- memcpy(wrapped + 1 + llen, *tok, *len);
- free(*tok);
- *tok = wrapped;
- *len = 1 + llen + *len;
-}
-
-/*
- * Create a SPNEGO initiator token for the erroneous Microsoft krb5 mech OID,
- * wrapping a krb5 token ktok. The token should look like:
- *
- * 60 <len> (GSS framing sequence)
- * 06 06 2B 06 01 05 05 02 (SPNEGO OID)
- * A0 <len> (NegotiationToken choice 0, negTokenInit)
- * 30 <len> (sequence)
- * A0 0D (context tag 0, mechTypes)
- * 30 0B (sequence of)
- * 06 09 2A 86 48 82 F7 12 01 02 02 (wrong krb5 OID)
- * A2 <len> (context tag 2, mechToken)
- * 04 <len> (octet string)
- * <mech token octets>
- */
-static void
-create_mskrb5_spnego_token(gss_buffer_t ktok, gss_buffer_desc *tok_out)
-{
- uint8_t *tok;
- size_t len;
-
- len = ktok->length;
- tok = malloc(len);
- assert(tok != NULL);
- memcpy(tok, ktok->value, len);
- /* Wrap the krb5 token in OCTET STRING and [2] tags. */
- der_wrap(0x04, &tok, &len);
- der_wrap(0xA2, &tok, &len);
- /* Prepend the wrong krb5 OID inside OBJECT IDENTIFIER and [0] tags. */
- prepend("\xA0\x0D\x30\x0B\x06\x09\x2A\x86\x48\x82\xF7\x12\x01\x02\x02", 15,
- &tok, &len);
- /* Wrap the previous two things in SEQUENCE and [0] tags. */
- der_wrap(0x30, &tok, &len);
- der_wrap(0xA0, &tok, &len);
- /* Prepend the SPNEGO OID in an OBJECT IDENTIFIER tag. */
- prepend("\x06\x06\x2B\x06\x01\x05\x05\x02", 8, &tok, &len);
- /* Wrap the whole thing in an [APPLICATION 0] tag. */
- der_wrap(0x60, &tok, &len);
- tok_out->value = tok;
- tok_out->length = len;
-}
-
-/*
- * Test that the SPNEGO acceptor code accepts and properly reflects back the
- * erroneous Microsoft mech OID in the supportedMech field of the NegTokenResp
- * message. Use acred as the verifier cred handle.
- */
-static void
-test_mskrb_oid(gss_name_t tname, gss_cred_id_t acred)
-{
- OM_uint32 major, minor;
- gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
- gss_buffer_desc atok = GSS_C_EMPTY_BUFFER, ktok = GSS_C_EMPTY_BUFFER, stok;
- const unsigned char *atok_oid;
-
- /*
- * Our SPNEGO mech no longer acquires creds for the wrong mech OID, so we
- * have to construct a SPNEGO token ourselves.
- */
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, tname,
- &mech_krb5, 0, GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, &atok, NULL, &ktok,
- NULL, NULL);
- check_gsserr("gss_init_sec_context(mskrb)", major, minor);
- assert(major == GSS_S_COMPLETE);
- create_mskrb5_spnego_token(&ktok, &stok);
-
- /*
- * Look directly at the DER encoding of the response token. Since we
- * didn't request mutual authentication, the SPNEGO reply will contain no
- * underlying mech token; therefore, the encoding of the correct
- * NegotiationToken response is completely predictable:
- *
- * A1 14 (choice 1, length 20, meaning negTokenResp)
- * 30 12 (sequence, length 18)
- * A0 03 (context tag 0, length 3)
- * 0A 01 00 (enumerated value 0, meaning accept-completed)
- * A1 0B (context tag 1, length 11)
- * 06 09 (object identifier, length 9)
- * 2A 86 48 82 F7 12 01 02 02 (the erroneous krb5 OID)
- *
- * So we can just compare the length to 22 and the nine bytes at offset 13
- * to the expected OID.
- */
- major = gss_accept_sec_context(&minor, &actx, acred, &stok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL,
- NULL, &atok, NULL, NULL, NULL);
- check_gsserr("gss_accept_sec_context(mskrb)", major, minor);
- assert(atok.length == 22);
- atok_oid = (unsigned char *)atok.value + 13;
- assert(memcmp(atok_oid, mech_krb5_wrong.elements, 9) == 0);
-
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
- (void)gss_release_buffer(&minor, &ktok);
- (void)gss_release_buffer(&minor, &atok);
- free(stok.value);
-}
-
-/* Check that we return a compatibility NegTokenInit2 message containing
- * NegHints for an empty initiator token. */
-static void
-test_neghints(void)
-{
- OM_uint32 major, minor;
- gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok;
- gss_ctx_id_t actx = GSS_C_NO_CONTEXT;
- const char *expected =
- /* RFC 2743 token framing: [APPLICATION 0] IMPLICIT SEQUENCE followed
- * by OBJECT IDENTIFIER and the SPNEGO OID */
- "\x60\x47\x06\x06" "\x2B\x06\x01\x05\x05\x02"
- /* [0] SEQUENCE for the NegotiationToken negtokenInit choice */
- "\xA0\x3D\x30\x3B"
- /* [0] MechTypeList containing the krb5 OID */
- "\xA0\x0D\x30\x0B\x06\x09" "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"
- /* [3] NegHints containing [0] GeneralString containing the dummy
- * hintName string defined in [MS-SPNG] */
- "\xA3\x2A\x30\x28\xA0\x26\x1B\x24"
- "not_defined_in_RFC4178@please_ignore";
-
- /* Produce a hint token. */
- major = gss_accept_sec_context(&minor, &actx, GSS_C_NO_CREDENTIAL, &itok,
- GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
- &atok, NULL, NULL, NULL);
- check_gsserr("gss_accept_sec_context(neghints)", major, minor);
-
- /* Verify it against the expected contents, which are fixed as long as we
- * only list the krb5 mech in the token. */
- assert(atok.length == strlen(expected));
- assert(memcmp(atok.value, expected, atok.length) == 0);
-
- (void)gss_release_buffer(&minor, &atok);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
-}
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, major, flags;
- gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL;
- gss_cred_id_t initiator_cred_handle = GSS_C_NO_CREDENTIAL;
- gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
- gss_ctx_id_t initiator_context, acceptor_context;
- gss_name_t target_name, source_name = GSS_C_NO_NAME;
- gss_OID mech = GSS_C_NO_OID;
- gss_OID_desc pref_oids[2];
- gss_OID_set_desc pref_mechs;
-
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s target_name [keytab]\n", argv[0]);
- exit(1);
- }
-
- target_name = import_name(argv[1]);
-
- if (argc >= 3) {
- major = krb5_gss_register_acceptor_identity(argv[2]);
- check_gsserr("krb5_gss_register_acceptor_identity", major, 0);
- }
-
- /* Get default initiator cred. */
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- &mechset_spnego, GSS_C_INITIATE,
- &initiator_cred_handle, NULL, NULL);
- check_gsserr("gss_acquire_cred(initiator)", major, minor);
-
- /*
- * The following test is designed to exercise SPNEGO reselection on the
- * client and server. Unfortunately, it no longer does so after tickets
- * #8217 and #8021, since SPNEGO now only acquires a single krb5 cred and
- * there is no way to expand the underlying creds with gss_set_neg_mechs().
- * To fix this we need gss_acquire_cred_with_cred() or some other way to
- * turn a cred with a specifically requested mech set into a SPNEGO cred.
- */
-
- /* Make the initiator prefer IAKERB and offer krb5 as an alternative. */
- pref_oids[0] = mech_iakerb;
- pref_oids[1] = mech_krb5;
- pref_mechs.count = 2;
- pref_mechs.elements = pref_oids;
- major = gss_set_neg_mechs(&minor, initiator_cred_handle, &pref_mechs);
- check_gsserr("gss_set_neg_mechs(initiator)", major, minor);
-
- /* Get default acceptor cred. */
- major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- &mechset_spnego, GSS_C_ACCEPT,
- &verifier_cred_handle, &actual_mechs, NULL);
- check_gsserr("gss_acquire_cred(acceptor)", major, minor);
-
- /* Restrict the acceptor to krb5 (which will force a reselection). */
- major = gss_set_neg_mechs(&minor, verifier_cred_handle, &mechset_krb5);
- check_gsserr("gss_set_neg_mechs(acceptor)", major, minor);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_spnego, initiator_cred_handle,
- verifier_cred_handle, target_name, flags,
- &initiator_context, &acceptor_context, &source_name,
- &mech, NULL);
-
- display_canon_name("Source name", source_name, &mech_krb5);
- display_oid("Source mech", mech);
-
- /* Test acceptance of the erroneous Microsoft krb5 OID, with and without an
- * acceptor cred. */
- test_mskrb_oid(target_name, verifier_cred_handle);
- test_mskrb_oid(target_name, GSS_C_NO_CREDENTIAL);
-
- test_neghints();
-
- (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
- (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
- (void)gss_release_name(&minor, &source_name);
- (void)gss_release_name(&minor, &target_name);
- (void)gss_release_cred(&minor, &initiator_cred_handle);
- (void)gss_release_cred(&minor, &verifier_cred_handle);
- (void)gss_release_oid_set(&minor, &actual_mechs);
-
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_srcattrs.c b/crypto/krb5/src/tests/gssapi/t_srcattrs.c
deleted file mode 100644
index e83c35690680..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_srcattrs.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* src/tests/gssapi/t_accname_authind.c - test harness for auth indicators */
-/*
- * Copyright (C) 2016 by Red Hat, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include "common.h"
-
-/* Establish a context to the given target name and enumerate the attributes of
- * the source name. */
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 minor, flags;
- gss_name_t tname, sname;
- gss_ctx_id_t ictx, actx;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: %s targetname\n", argv[0]);
- return 1;
- }
- tname = import_name(argv[1]);
-
- flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
- establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, GSS_C_NO_CREDENTIAL,
- tname, flags, &ictx, &actx, &sname, NULL, NULL);
- enumerate_attributes(sname, 1);
-
- (void)gss_release_name(&minor, &tname);
- (void)gss_release_name(&minor, &sname);
- (void)gss_delete_sec_context(&minor, &ictx, NULL);
- (void)gss_delete_sec_context(&minor, &actx, NULL);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_store_cred.c b/crypto/krb5/src/tests/gssapi/t_store_cred.c
deleted file mode 100644
index b053e5243884..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_store_cred.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/gssapi/t_store_cred.c - gss_store_cred() test harness */
-/*
- * Copyright (C) 2021 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Usage: t_store_cred [-d] [-i] [-o] src_ccname [dest_ccname]
- *
- * Acquires creds from src_ccname using gss_acquire_cred_from() and then stores
- * them, using gss_store_cred_into() if -i is specified or gss_store_cred()
- * otherwise. If dest_ccname is specified with -i, it is included in the cred
- * store for the store operation; if it is specified without -i, it is set with
- * gss_krb5_ccache_name() before the store operation. If -d and/or -o are
- * specified they set the default_cred and overwrite_cred flags to true
- * respectively.
- */
-
-#include "k5-platform.h"
-#include <gssapi/gssapi_ext.h>
-#include "common.h"
-
-int
-main(int argc, char *argv[])
-{
- OM_uint32 major, minor;
- gss_key_value_set_desc store;
- gss_key_value_element_desc elem;
- gss_cred_id_t cred;
- krb5_boolean def = FALSE, into = FALSE, overwrite = FALSE;
- const char *src_ccname, *dest_ccname;
- int c;
-
- /* Parse arguments. */
- while ((c = getopt(argc, argv, "dio")) != -1) {
- switch (c) {
- case 'd':
- def = TRUE;
- break;
- case 'i':
- into = TRUE;
- break;
- case 'o':
- overwrite = TRUE;
- break;
- default:
- abort();
- }
- }
- argc -= optind;
- argv += optind;
- assert(argc == 1 || argc == 2);
- src_ccname = argv[0];
- dest_ccname = argv[1];
-
- elem.key = "ccache";
- elem.value = src_ccname;
- store.count = 1;
- store.elements = &elem;
- major = gss_acquire_cred_from(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- &mechset_krb5, GSS_C_INITIATE, &store, &cred,
- NULL, NULL);
- check_gsserr("acquire_cred", major, minor);
-
- if (into) {
- if (dest_ccname != NULL) {
- elem.key = "ccache";
- elem.value = dest_ccname;
- store.count = 1;
- } else {
- store.count = 0;
- }
- major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5,
- overwrite, def, &store, NULL, NULL);
- check_gsserr("store_cred_into", major, minor);
- } else {
- if (dest_ccname != NULL) {
- major = gss_krb5_ccache_name(&minor, dest_ccname, NULL);
- check_gsserr("ccache_name", major, minor);
- }
- major = gss_store_cred(&minor, cred, GSS_C_INITIATE, &mech_krb5,
- overwrite, def, NULL, NULL);
- check_gsserr("store_cred", major, minor);
- }
-
- gss_release_cred(&minor, &cred);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/gssapi/t_store_cred.py b/crypto/krb5/src/tests/gssapi/t_store_cred.py
deleted file mode 100644
index 00e80cf38dbc..000000000000
--- a/crypto/krb5/src/tests/gssapi/t_store_cred.py
+++ /dev/null
@@ -1,80 +0,0 @@
-from k5test import *
-
-realm = K5Realm(create_user=False)
-
-alice = 'alice@' + realm.realm
-bob = 'bob@' + realm.realm
-cc_alice = realm.ccache + '.alice'
-cc_bob = realm.ccache + '.bob'
-realm.addprinc(alice)
-realm.addprinc(bob)
-realm.extract_keytab(alice, realm.keytab)
-realm.extract_keytab(bob, realm.keytab)
-realm.kinit(alice, flags=['-k', '-c', cc_alice])
-realm.kinit(bob, flags=['-k', '-c', cc_bob])
-
-mark('FILE, default output ccache')
-realm.run(['./t_store_cred', cc_alice])
-realm.klist(alice)
-# Overwriting should fail by default, whether or not the principal matches.
-realm.run(['./t_store_cred', cc_alice], expected_code=1,
- expected_msg='The requested credential element already exists')
-realm.run(['./t_store_cred', cc_bob], expected_code=1,
- expected_msg='The requested credential element already exists')
-# Overwriting should succeed with overwrite_cred set.
-realm.run(['./t_store_cred', '-o', cc_bob])
-realm.klist(bob)
-# default_cred has no effect without a collection.
-realm.run(['./t_store_cred', '-d', '-o', cc_alice])
-realm.klist(alice)
-
-mark('FILE, gss_krb5_ccache_name()')
-cc_alternate = realm.ccache + '.alternate'
-realm.run(['./t_store_cred', cc_alice, cc_alternate])
-realm.klist(alice, ccache=cc_alternate)
-realm.run(['./t_store_cred', cc_bob, cc_alternate], expected_code=1,
- expected_msg='The requested credential element already exists')
-
-mark('FILE, gss_store_cred_into()')
-os.remove(cc_alternate)
-realm.run(['./t_store_cred', '-i', cc_alice, cc_alternate])
-realm.klist(alice, ccache=cc_alternate)
-realm.run(['./t_store_cred', '-i', cc_bob, cc_alternate], expected_code=1,
- expected_msg='The requested credential element already exists')
-
-mark('DIR, gss_krb5_ccache_name()')
-cc_dir = 'DIR:' + os.path.join(realm.testdir, 'cc')
-realm.run(['./t_store_cred', cc_alice, cc_dir])
-realm.run([klist, '-c', cc_dir], expected_code=1,
- expected_msg='No credentials cache found')
-realm.run([klist, '-l', '-c', cc_dir], expected_msg=alice)
-realm.run(['./t_store_cred', cc_alice, cc_dir], expected_code=1,
- expected_msg='The requested credential element already exists')
-realm.run(['./t_store_cred', '-o', cc_alice, cc_dir])
-realm.run([klist, '-c', cc_dir], expected_code=1,
- expected_msg='No credentials cache found')
-realm.run([klist, '-l', cc_dir], expected_msg=alice)
-realm.run(['./t_store_cred', '-d', cc_bob, cc_dir])
-# The k5test klist method does not currently work with a collection name.
-realm.run([klist, cc_dir], expected_msg=bob)
-realm.run([klist, '-l', cc_dir], expected_msg=alice)
-realm.run(['./t_store_cred', '-o', '-d', cc_alice, cc_dir])
-realm.run([klist, cc_dir], expected_msg=alice)
-realm.run([kdestroy, '-A', '-c', cc_dir])
-
-mark('DIR, gss_store_cred_into()')
-realm.run(['./t_store_cred', '-i', cc_alice, cc_dir])
-realm.run(['./t_store_cred', '-i', '-d', cc_bob, cc_dir])
-realm.run([klist, cc_dir], expected_msg=bob)
-realm.run([klist, '-l', cc_dir], expected_msg=alice)
-realm.run([kdestroy, '-A', '-c', cc_dir])
-
-mark('DIR, default output ccache')
-realm.ccache = cc_dir
-realm.env['KRB5CCNAME'] = cc_dir
-realm.run(['./t_store_cred', '-i', cc_alice, cc_dir])
-realm.run(['./t_store_cred', '-i', '-d', cc_bob, cc_dir])
-realm.run([klist], expected_msg=bob)
-realm.run([klist, '-l'], expected_msg=alice)
-
-success('gss_store_cred() tests')
diff --git a/crypto/krb5/src/tests/hammer/Makefile.in b/crypto/krb5/src/tests/hammer/Makefile.in
deleted file mode 100644
index 3f0c4354c17e..000000000000
--- a/crypto/krb5/src/tests/hammer/Makefile.in
+++ /dev/null
@@ -1,15 +0,0 @@
-mydir=tests$(S)hammer
-BUILDTOP=$(REL)..$(S)..
-
-SRCS=$(srcdir)/kdc5_hammer.c
-
-all: kdc5_hammer
-
-kdc5_hammer: kdc5_hammer.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o kdc5_hammer kdc5_hammer.o $(KRB5_BASE_LIBS)
-
-install:
-
-clean:
- $(RM) kdc5_hammer.o kdc5_hammer
-
diff --git a/crypto/krb5/src/tests/hammer/deps b/crypto/krb5/src/tests/hammer/deps
deleted file mode 100644
index f9357763ea6a..000000000000
--- a/crypto/krb5/src/tests/hammer/deps
+++ /dev/null
@@ -1,13 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)kdc5_hammer.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h kdc5_hammer.c diff --git a/crypto/krb5/src/tests/hammer/kdc5_hammer.c b/crypto/krb5/src/tests/hammer/kdc5_hammer.c deleted file mode 100644 index 36d271387288..000000000000 --- a/crypto/krb5/src/tests/hammer/kdc5_hammer.c +++ /dev/null 
@@ -1,494 +0,0 @@ -/* tests/hammer/kdc5_hammer.c */ -/* - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include "k5-int.h" -#include "com_err.h" -#include <sys/time.h> - -#define KRB5_DEFAULT_OPTIONS 0 -#define KRB5_DEFAULT_LIFE 60*60*8 /* 8 hours */ -#define KRB5_RENEWABLE_LIFE 60*60*2 /* 2 hours */ - -struct h_timer { - float ht_cumulative; - float ht_min; - float ht_max; - krb5_int32 ht_observations; -}; - -extern int optind; -extern char *optarg; -char *prog; - -static int brief; -static char *cur_realm = 0; -static int do_timer = 0; - -krb5_data tgtname = { - 0, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME -}; - -int verify_cs_pair - (krb5_context, - char *, - krb5_principal, - char *, - char *, - int, int, int, - krb5_ccache); - -int get_tgt - (krb5_context, - char *, - krb5_principal *, - krb5_ccache); - -static void -usage(char *who, int status) -{ - fprintf(stderr, - "usage: %s -p prefix -n num_to_check [-c cachename] [-r realmname]\n", - who); - fprintf(stderr, "\t [-D depth]\n"); - fprintf(stderr, "\t [-P preauth type] [-R repeat_count] [-t] [-b] [-v] \n"); - - exit(status); -} - -static krb5_preauthtype * patype = NULL, patypedata[2] = { 0, -1 }; -static krb5_context test_context; - -struct timeval tstart_time, tend_time; -struct timezone dontcare; - -struct h_timer in_tkt_times = { 0.0, 1000000.0, -1.0, 0 }; -struct h_timer tgs_req_times = { 0.0, 1000000.0, -1.0, 0 }; -/* - * Timer macros. - */ -#define swatch_on() ((void) gettimeofday(&tstart_time, &dontcare)) -#define swatch_eltime() ((gettimeofday(&tend_time, &dontcare)) ? 
-1.0 : \ - (((float) (tend_time.tv_sec - \ - tstart_time.tv_sec)) + \ - (((float) (tend_time.tv_usec - \ - tstart_time.tv_usec))/1000000.0))) - -int -main(int argc, char **argv) -{ - krb5_ccache ccache = NULL; - char *cache_name = NULL; /* -f option */ - int option; - int errflg = 0; - krb5_error_code code; - int num_to_check, n, i, j, repeat_count, counter; - int n_tried, errors; - char prefix[BUFSIZ], client[4096], server[4096]; - int depth; - char ctmp[4096], ctmp2[BUFSIZ], stmp[4096], stmp2[BUFSIZ]; - krb5_principal client_princ; - krb5_error_code retval; - - krb5_init_context(&test_context); - - if (strrchr(argv[0], '/')) - prog = strrchr(argv[0], '/')+1; - else - prog = argv[0]; - - num_to_check = 0; - depth = 1; - repeat_count = 1; - brief = 0; - n_tried = 0; - errors = 0; - - while ((option = getopt(argc, argv, "D:p:n:c:R:P:e:bvr:t")) != -1) { - switch (option) { - case 't': - do_timer = 1; - break; - case 'b': - brief = 1; - break; - case 'v': - brief = 0; - break; - case 'R': - repeat_count = atoi(optarg); /* how many times? 
*/ - break; - case 'r': - cur_realm = optarg; - break; - case 'D': - depth = atoi(optarg); /* how deep to go */ - break; - case 'p': /* prefix name to check */ - strncpy(prefix, optarg, sizeof(prefix) - 1); - prefix[sizeof(prefix) - 1] = '\0'; - break; - case 'n': /* how many to check */ - num_to_check = atoi(optarg); - break; - case 'P': - patypedata[0] = atoi(optarg); - patype = patypedata; - break; - case 'c': - if (ccache == NULL) { - cache_name = optarg; - - code = krb5_cc_resolve (test_context, cache_name, &ccache); - if (code != 0) { - com_err (prog, code, "resolving %s", cache_name); - errflg++; - } - } else { - fprintf(stderr, "Only one -c option allowed\n"); - errflg++; - } - break; - case '?': - default: - errflg++; - break; - } - } - - if (!(num_to_check && prefix[0]) || errflg) - usage(prog, 1); - - if (!cur_realm) { - if ((retval = krb5_get_default_realm(test_context, &cur_realm))) { - com_err(prog, retval, "while retrieving default realm name"); - exit(1); - } - } - - if (ccache == NULL) { - if ((code = krb5_cc_default(test_context, &ccache))) { - com_err(prog, code, "while getting default ccache"); - exit(1); - } - } - - memset(ctmp, 0, sizeof(ctmp)); - memset(stmp, 0, sizeof(stmp)); - - for (counter = 0; counter < repeat_count; counter++) { - fprintf(stderr, "\nRound %d\n", counter); - - for (n = 1; n <= num_to_check; n++) { - /* build the new principal name */ - /* we can't pick random names because we need to generate all the names - again given a prefix and count to test the db lib and kdb */ - ctmp[0] = '\0'; - for (i = 1; i <= depth; i++) { - (void) snprintf(ctmp2, sizeof(ctmp2), "%s%s%d-DEPTH-%d", - (i != 1) ? 
"/" : "", prefix, n, i); - ctmp2[sizeof(ctmp2) - 1] = '\0'; - strncat(ctmp, ctmp2, sizeof(ctmp) - 1 - strlen(ctmp)); - ctmp[sizeof(ctmp) - 1] = '\0'; - snprintf(client, sizeof(client), "%s@%s", ctmp, cur_realm); - - if (get_tgt (test_context, client, &client_princ, ccache)) { - errors++; - n_tried++; - continue; - } - n_tried++; - - stmp[0] = '\0'; - for (j = 1; j <= depth; j++) { - (void) snprintf(stmp2, sizeof(stmp2), "%s%s%d-DEPTH-%d", - (j != 1) ? "/" : "", prefix, n, j); - stmp2[sizeof (stmp2) - 1] = '\0'; - strncat(stmp, stmp2, sizeof(stmp) - 1 - strlen(stmp)); - stmp[sizeof(stmp) - 1] = '\0'; - snprintf(server, sizeof(server), "%s@%s", stmp, cur_realm); - if (verify_cs_pair(test_context, client, client_princ, - stmp, cur_realm, n, i, j, ccache)) - errors++; - n_tried++; - } - krb5_free_principal(test_context, client_princ); - } - } - } - fprintf (stderr, "\nTried %d. Got %d errors.\n", n_tried, errors); - if (do_timer) { - if (in_tkt_times.ht_observations) - fprintf(stderr, - "%8d AS_REQ requests: %9.6f average (min: %9.6f, max:%9.6f)\n", - in_tkt_times.ht_observations, - in_tkt_times.ht_cumulative / - (float) in_tkt_times.ht_observations, - in_tkt_times.ht_min, - in_tkt_times.ht_max); - if (tgs_req_times.ht_observations) - fprintf(stderr, - "%8d TGS_REQ requests: %9.6f average (min: %9.6f, max:%9.6f)\n", - tgs_req_times.ht_observations, - tgs_req_times.ht_cumulative / - (float) tgs_req_times.ht_observations, - tgs_req_times.ht_min, - tgs_req_times.ht_max); - } - - (void) krb5_cc_close(test_context, ccache); - - krb5_free_context(test_context); - - exit(errors); - } - - -static krb5_error_code -get_server_key(krb5_context context, krb5_principal server, - krb5_enctype enctype, krb5_keyblock **key) -{ - krb5_error_code retval; - krb5_encrypt_block eblock; - char * string; - krb5_data salt; - krb5_data pwd; - - *key = NULL; - - if ((retval = krb5_principal2salt(context, server, &salt))) - return retval; - - if ((retval = krb5_unparse_name(context, server, 
&string))) - goto cleanup_salt; - - pwd.data = string; - pwd.length = strlen(string); - - if ((*key = (krb5_keyblock *)malloc(sizeof(krb5_keyblock)))) { - krb5_use_enctype(context, &eblock, enctype); - retval = krb5_string_to_key(context, &eblock, *key, &pwd, &salt); - if (retval) { - free(*key); - *key = NULL; - } - } else - retval = ENOMEM; - - free(string); - -cleanup_salt: - free(salt.data); - return retval; -} - -int -verify_cs_pair(krb5_context context, char *p_client_str, - krb5_principal p_client, char *service, char *hostname, - int p_num, int c_depth, int s_depth, krb5_ccache ccache) -{ - krb5_error_code retval; - krb5_creds creds; - krb5_creds * credsp = NULL; - krb5_ticket * ticket = NULL; - krb5_keyblock * keyblock = NULL; - krb5_auth_context auth_context = NULL; - krb5_data request_data = empty_data(); - char * sname; - float dt; - - if (brief) - fprintf(stderr, "\tprinc (%d) client (%d) for server (%d)\n", - p_num, c_depth, s_depth); - else - fprintf(stderr, "\tclient %s for server %s\n", p_client_str, - service); - - /* Initialize variables */ - memset(&creds, 0, sizeof(creds)); - - /* Do client side */ - if (asprintf(&sname, "%s@%s", service, hostname) >= 0) { - retval = krb5_parse_name(context, sname, &creds.server); - free(sname); - } - else - retval = ENOMEM; - if (retval) - return(retval); - - /* obtain ticket & session key */ - if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) { - com_err(prog, retval, "while getting client princ for %s", hostname); - return retval; - } - - if ((retval = krb5_get_credentials(context, 0, - ccache, &creds, &credsp))) { - com_err(prog, retval, "while getting creds for %s", hostname); - return retval; - } - - if (do_timer) - swatch_on(); - - if ((retval = krb5_mk_req_extended(context, &auth_context, 0, NULL, - credsp, &request_data))) { - com_err(prog, retval, "while preparing AP_REQ for %s", hostname); - goto cleanup; - } - - krb5_auth_con_free(context, auth_context); - auth_context = NULL; - 
- /* Do server side now */ - if ((retval = get_server_key(context, credsp->server, - credsp->keyblock.enctype, &keyblock))) { - com_err(prog, retval, "while getting server key for %s", hostname); - goto cleanup; - } - - if (krb5_auth_con_init(context, &auth_context)) { - com_err(prog, retval, "while creating auth_context for %s", hostname); - goto cleanup; - } - - if (krb5_auth_con_setuseruserkey(context, auth_context, keyblock)) { - com_err(prog, retval, "while setting auth_context key %s", hostname); - goto cleanup; - } - - if ((retval = krb5_rd_req(context, &auth_context, &request_data, - NULL /* server */, 0, NULL, &ticket))) { - com_err(prog, retval, "while decoding AP_REQ for %s", hostname); - goto cleanup; - } - - if (do_timer) { - dt = swatch_eltime(); - tgs_req_times.ht_cumulative += dt; - tgs_req_times.ht_observations++; - if (dt > tgs_req_times.ht_max) - tgs_req_times.ht_max = dt; - if (dt < tgs_req_times.ht_min) - tgs_req_times.ht_min = dt; - } - - if (!(krb5_principal_compare(context,ticket->enc_part2->client,p_client))){ - char *returned_client; - if ((retval = krb5_unparse_name(context, ticket->enc_part2->client, - &returned_client))) - com_err (prog, retval, - "Client not as expected, but cannot unparse client name"); - else - com_err (prog, 0, "Client not as expected (%s).", returned_client); - retval = KRB5_PRINC_NOMATCH; - free(returned_client); - } else { - retval = 0; - } - -cleanup: - krb5_free_cred_contents(context, &creds); - krb5_free_ticket(context, ticket); - krb5_auth_con_free(context, auth_context); - krb5_free_keyblock(context, keyblock); - krb5_free_data_contents(context, &request_data); - krb5_free_creds(context, credsp); - - return retval; -} - -int -get_tgt(krb5_context context, char *p_client_str, krb5_principal *p_client, - krb5_ccache ccache) -{ - long lifetime = KRB5_DEFAULT_LIFE; /* -l option */ - krb5_error_code code; - krb5_creds my_creds; - krb5_timestamp start; - float dt; - krb5_get_init_creds_opt *options; - - if 
(!brief) - fprintf(stderr, "\tgetting TGT for %s\n", p_client_str); - - if ((code = krb5_timeofday(context, &start))) { - com_err(prog, code, "while getting time of day"); - return(-1); - } - - memset(&my_creds, 0, sizeof(my_creds)); - - if ((code = krb5_parse_name (context, p_client_str, p_client))) { - com_err (prog, code, "when parsing name %s", p_client_str); - return(-1); - } - - code = krb5_cc_initialize (context, ccache, *p_client); - if (code != 0) { - com_err (prog, code, "when initializing cache"); - return(-1); - } - - if (do_timer) - swatch_on(); - - code = krb5_get_init_creds_opt_alloc(context, &options); - if (code != 0) { - com_err(prog, code, "when allocating init cred options"); - return(-1); - } - - krb5_get_init_creds_opt_set_tkt_life(options, lifetime); - - code = krb5_get_init_creds_opt_set_out_ccache(context, options, ccache); - if (code != 0) { - com_err(prog, code, "when setting init cred output ccache"); - return(-1); - } - - code = krb5_get_init_creds_password(context, &my_creds, *p_client, - p_client_str, NULL, NULL, 0, NULL, - options); - if (do_timer) { - dt = swatch_eltime(); - in_tkt_times.ht_cumulative += dt; - in_tkt_times.ht_observations++; - if (dt > in_tkt_times.ht_max) - in_tkt_times.ht_max = dt; - if (dt < in_tkt_times.ht_min) - in_tkt_times.ht_min = dt; - } - krb5_get_init_creds_opt_free(context, options); - krb5_free_cred_contents(context, &my_creds); - if (code != 0) { - com_err (prog, code, "while getting initial credentials"); - return(-1); - } - - return(0); -} diff --git a/crypto/krb5/src/tests/hammer/pp.c b/crypto/krb5/src/tests/hammer/pp.c deleted file mode 100644 index 5da1fac0712e..000000000000 --- a/crypto/krb5/src/tests/hammer/pp.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/hammer/pp.c */ -/* - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * For copying and distribution information, please see the file - * <krb5/copyright.h>. - */ - -#include "krb5.h" - -void -print_principal(p) - krb5_principal p; -{ - char *buf; - krb5_error_code retval; - - if (retval = krb5_unparse_name(p, &buf)) { - com_err("DEBUG: Print_principal", retval, - "while unparsing name"); - exit(1); - } - printf("%s\n", buf); - free(buf); -} diff --git a/crypto/krb5/src/tests/hist.c b/crypto/krb5/src/tests/hist.c deleted file mode 100644 index b2f8ba5d781f..000000000000 --- a/crypto/krb5/src/tests/hist.c +++ /dev/null 
@@ -1,113 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/hist.c - Perform unusual operations on history keys */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This program is invoked from t_policy.py to simulate some conditions - * normally only seen in older databases. It expects one argument, which can - * be: - * - * make: The kadmin/history entry is created with two keys. (Since krb5 1.3 - * we ordinarily ensure that there's only one.) - * - * swap: The kadmin/history entry previously created with "make" is modified - * to swap the order of its keys. 
We use this operation to simulate the case - * where krb5 1.7 or earlier chose something other than the first history key - * to create password history entries. - * - * des: The kadmin/history entry is modified to change its first key type to - * des-cbc-crc. The key length and contents are not changed. (DES support - * was removed in krb5 1.18.) - */ - -#include <k5-int.h> -#include <kadm5/admin.h> - -static void -check(krb5_error_code ret) -{ - if (ret) { - fprintf(stderr, "Unexpected failure, aborting\n"); - abort(); - } -} - -int -main(int argc, char **argv) -{ - krb5_context ctx; - krb5_db_entry *ent; - krb5_principal hprinc; - kadm5_principal_ent_rec kent; - krb5_key_salt_tuple ks[2]; - krb5_key_data kd; - kadm5_config_params params = { 0 }; - void *handle; - char *realm; - long mask = KADM5_PRINCIPAL | KADM5_MAX_LIFE | KADM5_ATTRIBUTES; - - check(kadm5_init_krb5_context(&ctx)); - check(krb5_parse_name(ctx, "kadmin/history", &hprinc)); - check(krb5_get_default_realm(ctx, &realm)); - params.mask |= KADM5_CONFIG_REALM; - params.realm = realm; - check(kadm5_init(ctx, "user", "", "", ¶ms, KADM5_STRUCT_VERSION, - KADM5_API_VERSION_4, NULL, &handle)); - if (strcmp(argv[1], "make") == 0) { - memset(&kent, 0, sizeof(kent)); - kent.principal = hprinc; - kent.max_life = KRB5_KDB_DISALLOW_ALL_TIX; - kent.attributes = 0; - ks[0].ks_enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96; - ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; - ks[1].ks_enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96; - ks[1].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; - check(kadm5_create_principal_3(handle, &kent, mask, 2, ks, NULL)); - } else if (strcmp(argv[1], "swap") == 0) { - check(krb5_db_get_principal(ctx, hprinc, 0, &ent)); - kd = ent->key_data[0]; - ent->key_data[0] = ent->key_data[1]; - ent->key_data[1] = kd; - check(krb5_db_put_principal(ctx, ent)); - krb5_db_free_principal(ctx, ent); - } else if (strcmp(argv[1], "des") == 0) { - check(krb5_db_get_principal(ctx, hprinc, 0, &ent)); - assert(ent->n_key_data 
>= 1); - ent->key_data[0].key_data_type[0] = ENCTYPE_DES_CBC_CRC; - check(krb5_db_put_principal(ctx, ent)); - krb5_db_free_principal(ctx, ent); - } - krb5_free_default_realm(ctx, realm); - kadm5_destroy(handle); - krb5_free_principal(ctx, hprinc); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/hooks.c b/crypto/krb5/src/tests/hooks.c deleted file mode 100644 index fabdb89800bf..000000000000 --- a/crypto/krb5/src/tests/hooks.c +++ /dev/null 
@@ -1,253 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/hooks.c - test harness for KDC send and recv hooks */ -/* - * Copyright (C) 2016 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "k5-int.h" - -static krb5_context ctx; - -static void -check_code(krb5_error_code code, const char *file, int line) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg, - (int)code); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -#define check(code) check_code((code), __FILE__, __LINE__) - -/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */ -static krb5_error_code -test_send_as_req(krb5_context context, void *data, const krb5_data *realm, - const krb5_data *message, krb5_data **new_message_out, - krb5_data **reply_out) -{ - krb5_kdc_req *as_req; - int cmp; - - assert(krb5_is_as_req(message)); - check(decode_krb5_as_req(message, &as_req)); - - assert(as_req->msg_type == KRB5_AS_REQ); - assert(as_req->kdc_options & KDC_OPT_CANONICALIZE); - assert(as_req->client->realm.length == realm->length); - cmp = memcmp(as_req->client->realm.data, realm->data, realm->length); - assert(cmp == 0); - - /* Remove the canonicalize flag and create a new message. */ - as_req->kdc_options &= ~KDC_OPT_CANONICALIZE; - check(encode_krb5_as_req(as_req, new_message_out)); - - krb5_free_kdc_req(context, as_req); - return 0; -} - -/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. */ -static krb5_error_code -test_recv_as_rep(krb5_context context, void *data, krb5_error_code code, - const krb5_data *realm, const krb5_data *message, - const krb5_data *reply, krb5_data **new_reply) -{ - krb5_kdc_rep *as_rep; - - assert(code == 0); - assert(krb5_is_as_rep(reply)); - check(decode_krb5_as_rep(reply, &as_rep)); - - assert(as_rep->msg_type == KRB5_AS_REP); - assert(as_rep->ticket->enc_part.kvno == 1); - assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype)); - - krb5_free_kdc_rep(context, as_rep); - return 0; -} - -/* Create a fake error reply. 
*/ -static krb5_error_code -test_send_error(krb5_context context, void *data, const krb5_data *realm, - const krb5_data *message, krb5_data **new_message_out, - krb5_data **reply_out) -{ - krb5_error_code ret; - krb5_error err; - krb5_principal client, server; - char *realm_str, *princ_str; - int r; - - realm_str = k5memdup0(realm->data, realm->length, &ret); - check(ret); - - r = asprintf(&princ_str, "invalid@%s", realm_str); - assert(r > 0); - check(krb5_parse_name(ctx, princ_str, &client)); - free(princ_str); - - r = asprintf(&princ_str, "krbtgt@%s", realm_str); - assert(r > 0); - check(krb5_parse_name(ctx, princ_str, &server)); - free(princ_str); - free(realm_str); - - err.magic = KV5M_ERROR; - err.ctime = 1971196337; - err.cusec = 0; - err.susec = 97008; - err.stime = 1458219390; - err.error = 6; - err.client = client; - err.server = server; - err.text = string2data("CLIENT_NOT_FOUND"); - err.e_data = empty_data(); - check(encode_krb5_error(&err, reply_out)); - - krb5_free_principal(ctx, client); - krb5_free_principal(ctx, server); - return 0; -} - -static krb5_error_code -test_recv_error(krb5_context context, void *data, krb5_error_code code, - const krb5_data *realm, const krb5_data *message, - const krb5_data *reply, krb5_data **new_reply) -{ - /* The send hook created a reply, so this hook should not be executed. */ - abort(); -} - -/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */ -static krb5_error_code -test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code, - const krb5_data *realm, const krb5_data *message, - const krb5_data *reply, krb5_data **new_reply) -{ - krb5_kdc_rep *as_rep; - - assert(code == 0); - assert(krb5_is_as_rep(reply)); - check(decode_krb5_as_rep(reply, &as_rep)); - - as_rep->msg_type = KRB5_TGS_REP; - check(encode_krb5_as_rep(as_rep, new_reply)); - - krb5_free_kdc_rep(context, as_rep); - return 0; -} - -/* Return an error given by the callback data argument. 
*/ -static krb5_error_code -test_send_return_value(krb5_context context, void *data, - const krb5_data *realm, const krb5_data *message, - krb5_data **new_message_out, krb5_data **reply_out) -{ - assert(data != NULL); - return *(krb5_error_code *)data; -} - -/* Return an error given by the callback argument. */ -static krb5_error_code -test_recv_return_value(krb5_context context, void *data, krb5_error_code code, - const krb5_data *realm, const krb5_data *message, - const krb5_data *reply, krb5_data **new_reply) -{ - assert(data != NULL); - return *(krb5_error_code *)data; -} - -int -main(int argc, char *argv[]) -{ - const char *principal, *password; - krb5_principal client; - krb5_get_init_creds_opt *opts; - krb5_creds creds; - krb5_error_code ret, test_return_code; - - if (argc != 3) { - fprintf(stderr, "Usage: %s princname password\n", argv[0]); - exit(1); - } - principal = argv[1]; - password = argv[2]; - - check(krb5_init_context(&ctx)); - check(krb5_parse_name(ctx, principal, &client)); - - /* Use a send hook to modify an outgoing AS-REQ. The library will detect - * the modification in the reply. */ - check(krb5_get_init_creds_opt_alloc(ctx, &opts)); - krb5_get_init_creds_opt_set_canonicalize(opts, 1); - krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL); - krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL); - ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, opts); - assert(ret == KRB5_KDCREP_MODIFIED); - krb5_get_init_creds_opt_free(ctx, opts); - - /* Use a send hook to synthesize a KRB-ERROR reply. */ - krb5_set_kdc_send_hook(ctx, test_send_error, NULL); - krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL); - ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, NULL); - assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN); - - /* Use a recv hook to modify a KDC reply. 
*/ - krb5_set_kdc_send_hook(ctx, NULL, NULL); - krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL); - ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, NULL); - assert(ret == KRB5KRB_AP_ERR_MSG_TYPE); - - /* Verify that the user data pointer works in the send hook. */ - test_return_code = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code); - krb5_set_kdc_recv_hook(ctx, NULL, NULL); - ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, NULL); - assert(ret == KRB5KDC_ERR_PREAUTH_FAILED); - - /* Verify that the user data pointer works in the recv hook. */ - test_return_code = KRB5KDC_ERR_NULL_KEY; - krb5_set_kdc_send_hook(ctx, NULL, NULL); - krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code); - ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, NULL); - assert(ret == KRB5KDC_ERR_NULL_KEY); - - krb5_free_principal(ctx, client); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/hrealm.c b/crypto/krb5/src/tests/hrealm.c deleted file mode 100644 index f464c8fd6680..000000000000 --- a/crypto/krb5/src/tests/hrealm.c +++ /dev/null 
@@ -1,99 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/hrealm.c - Test harness for host-realm interfaces */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This program is intended to be run from a python script as: - * - * hrealm -h|-f|-d [hostname] - * - * Calls krb5_get_host_realm, krb5_get_fallback_host_realm, or - * krb5_default_realm depending on the option given. For the first two - * choices, hostname or NULL is passed as the argument. The results are - * displayed one per line. 
- */ - -#include "k5-int.h" - -static krb5_context ctx; - -static void -check(krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s\n", errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -static void -display(char **realms) -{ - while (realms != NULL && *realms != NULL) - printf("%s\n", *realms++); -} - -int -main(int argc, char **argv) -{ - krb5_data d; - char **realms, *realm; - - check(krb5_init_context(&ctx)); - - /* Parse arguments. */ - if (argc < 2 || argc > 3) - abort(); - - if (strcmp(argv[1], "-d") == 0) { - check(krb5_get_default_realm(ctx, &realm)); - printf("%s\n", realm); - krb5_free_default_realm(ctx, realm); - } else if (strcmp(argv[1], "-h") == 0) { - check(krb5_get_host_realm(ctx, argv[2], &realms)); - display(realms); - krb5_free_host_realm(ctx, realms); - } else if (strcmp(argv[1], "-f") == 0) { - assert(argc == 3); - d = string2data(argv[2]); - check(krb5_get_fallback_host_realm(ctx, &d, &realms)); - display(realms); - krb5_free_host_realm(ctx, realms); - } else { - abort(); - } - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/icinterleave.c b/crypto/krb5/src/tests/icinterleave.c deleted file mode 100644 index bcc87c7c4462..000000000000 --- a/crypto/krb5/src/tests/icinterleave.c +++ /dev/null 
@@ -1,128 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/icinterleave.c - interleaved init_creds_step test harness */ -/* - * Copyright (C) 2017 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This test harness performs multiple initial creds operations using - * krb5_init_creds_step(), interleaving the operations to test the scoping of - * the preauth state. All principals must have the same password (or not - * require a password). 
- */ - -#include "k5-int.h" - -static krb5_context ctx; - -static void -check(krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s\n", errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -int -main(int argc, char **argv) -{ - const char *password; - char **princstrs; - krb5_principal client; - krb5_init_creds_context *iccs; - krb5_data req, *reps, realm; - krb5_boolean any_left; - int i, nclients, primary; - unsigned int flags; - - if (argc < 3) { - fprintf(stderr, "Usage: icinterleave password princ1 princ2 ...\n"); - exit(1); - } - password = argv[1]; - princstrs = argv + 2; - nclients = argc - 2; - - check(krb5_init_context(&ctx)); - - /* Create an initial creds context for each client principal. */ - iccs = calloc(nclients, sizeof(*iccs)); - assert(iccs != NULL); - for (i = 0; i < nclients; i++) { - check(krb5_parse_name(ctx, princstrs[i], &client)); - check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, - &iccs[i])); - check(krb5_init_creds_set_password(ctx, iccs[i], password)); - krb5_free_principal(ctx, client); - } - - reps = calloc(nclients, sizeof(*reps)); - assert(reps != NULL); - - any_left = TRUE; - while (any_left) { - any_left = FALSE; - for (i = 0; i < nclients; i++) { - if (iccs[i] == NULL) - continue; - any_left = TRUE; - - printf("step %d\n", i + 1); - - req = empty_data(); - realm = empty_data(); - check(krb5_init_creds_step(ctx, iccs[i], &reps[i], &req, &realm, - &flags)); - if (!(flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) { - printf("finish %d\n", i + 1); - krb5_init_creds_free(ctx, iccs[i]); - iccs[i] = NULL; - continue; - } - - primary = 0; - krb5_free_data_contents(ctx, &reps[i]); - check(krb5_sendto_kdc(ctx, &req, &realm, &reps[i], &primary, 0)); - krb5_free_data_contents(ctx, &req); - krb5_free_data_contents(ctx, &realm); - } - } - - for (i = 0; i < nclients; i++) - krb5_free_data_contents(ctx, &reps[i]); - free(reps); - free(iccs); - 
krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/icred.c b/crypto/krb5/src/tests/icred.c deleted file mode 100644 index d6ce1d5d35d7..000000000000 --- a/crypto/krb5/src/tests/icred.c +++ /dev/null 
@@ -1,144 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/icred.c - test harness for getting initial creds */ -/* - * Copyright (C) 2013 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* This program exercises the init_creds APIs in ways kinit doesn't. 
*/ - -#include "k5-platform.h" -#include <krb5.h> - -static krb5_context ctx; - -static void -check(krb5_error_code code) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "%s\n", errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -int -main(int argc, char **argv) -{ - const char *ktname = NULL, *sname = NULL, *princstr, *password; - krb5_principal client; - krb5_init_creds_context icc; - krb5_get_init_creds_opt *opt; - krb5_keytab keytab = NULL; - krb5_creds creds; - krb5_boolean stepwise = FALSE; - krb5_preauthtype ptypes[64]; - int c, nptypes = 0; - char *val; - - check(krb5_init_context(&ctx)); - check(krb5_get_init_creds_opt_alloc(ctx, &opt)); - - while ((c = getopt(argc, argv, "k:so:S:X:")) != -1) { - switch (c) { - case 'k': - ktname = optarg; - break; - case 's': - stepwise = TRUE; - break; - case 'o': - assert(nptypes < 64); - ptypes[nptypes++] = atoi(optarg); - break; - case 'S': - sname = optarg; - break; - case 'X': - val = strchr(optarg, '='); - if (val != NULL) - *val++ = '\0'; - else - val = "yes"; - check(krb5_get_init_creds_opt_set_pa(ctx, opt, optarg, val)); - break; - default: - abort(); - } - } - - argc -= optind; - argv += optind; - if (argc != 1 && argc != 2) - abort(); - princstr = argv[0]; - password = argv[1]; - - if (sname != NULL) { - check(krb5_sname_to_principal(ctx, princstr, sname, KRB5_NT_SRV_HST, - &client)); - } else { - check(krb5_parse_name(ctx, princstr, &client)); - } - - if (ktname != NULL) - check(krb5_kt_resolve(ctx, ktname, &keytab)); - - if (nptypes > 0) - krb5_get_init_creds_opt_set_preauth_list(opt, ptypes, nptypes); - - if (stepwise) { - /* Use the stepwise interface. 
*/ - check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc)); - if (keytab != NULL) - check(krb5_init_creds_set_keytab(ctx, icc, keytab)); - if (password != NULL) - check(krb5_init_creds_set_password(ctx, icc, password)); - check(krb5_init_creds_get(ctx, icc)); - krb5_init_creds_free(ctx, icc); - } else if (keytab != NULL) { - check(krb5_get_init_creds_keytab(ctx, &creds, client, keytab, 0, NULL, - opt)); - krb5_free_cred_contents(ctx, &creds); - } else { - /* Use the traditional one-shot interface. */ - check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, opt)); - krb5_free_cred_contents(ctx, &creds); - } - - if (keytab != NULL) - krb5_kt_close(ctx, keytab); - krb5_get_init_creds_opt_free(ctx, opt); - krb5_free_principal(ctx, client); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/jsonwalker.py b/crypto/krb5/src/tests/jsonwalker.py deleted file mode 100644 index 0dbdadd694ab..000000000000 --- a/crypto/krb5/src/tests/jsonwalker.py +++ /dev/null 
@@ -1,105 +0,0 @@ -import sys -import json -from collections import defaultdict -from optparse import OptionParser - -class Parser(object): - DEFAULTS = {int:0, - str:'', - list:[]} - - def __init__(self, defconf=None): - self.defaults = None - if defconf is not None: - self.defaults = self.flatten(defconf) - - def run(self, logs, verbose=None): - result = self.parse(logs) - if len(result) != len(self.defaults): - diff = set(self.defaults.keys()).difference(result.keys()) - print('Test failed.') - print('The following attributes were not set:') - for it in diff: - print(it) - sys.exit(1) - - def flatten(self, defaults): - """ - Flattens paths to attributes. - - Parameters - ---------- - defaults : a dictionaries populated with default values - - Returns : - dict : with flattened attributes - """ - result = dict() - for path,value in self._walk(defaults): - if path in result: - print('Warning: attribute path %s already exists' % path) - result[path] = value - - return result - - def parse(self, logs): - result = defaultdict(list) - for msg in logs: - # each message is treated as a dictionary of dictionaries - for a,v in self._walk(msg): - # see if path is registered in defaults - if a in self.defaults: - dv = self.defaults.get(a) - if dv is None: - # determine default value by type - if v is not None: - dv = self.DEFAULTS[type(v)] - else: - print('Warning: attribute %s is set to None' % a) - continue - # by now we have default value - if v != dv: - # test passed - result[a].append(v) - return result - - def _walk(self, adict): - """ - Generator that works through dictionary. 
- """ - for a,v in adict.items(): - if isinstance(v,dict): - for (attrpath,u) in self._walk(v): - yield (a+'.'+attrpath,u) - else: - yield (a,v) - - -if __name__ == '__main__': - - parser = OptionParser() - parser.add_option("-i", "--logfile", dest="filename", - help="input log file in json fmt", metavar="FILE") - parser.add_option("-d", "--defaults", dest="defaults", - help="dictionary with defaults", metavar="FILE") - - (options, args) = parser.parse_args() - if options.filename is not None: - with open(options.filename, 'r') as f: - content = list() - for l in f: - content.append(json.loads(l.rstrip())) - f.close() - else: - print('Input file in JSON format is required') - exit() - - defaults = None - if options.defaults is not None: - with open(options.defaults, 'r') as f: - defaults = json.load(f) - - # run test - p = Parser(defaults) - p.run(content) - exit() diff --git a/crypto/krb5/src/tests/kcmserver.py b/crypto/krb5/src/tests/kcmserver.py deleted file mode 100644 index f6dfcb711b3a..000000000000 --- a/crypto/krb5/src/tests/kcmserver.py +++ /dev/null 
@@ -1,336 +0,0 @@ -# This is a simple KCM test server, used to exercise the KCM ccache -# client code. It will generally throw an uncaught exception if the -# client sends anything unexpected, so is unsuitable for production. -# (It also imposes no namespace or access constraints, and blocks -# while reading requests and writing responses.) - -# This code knows nothing about how to marshal and unmarshal principal -# names and credentials as is required in the KCM protocol; instead, -# it just remembers the marshalled forms and replays them to the -# client when asked. This works because marshalled creds and -# principal names are always the last part of marshalled request -# arguments, and because we don't need to implement remove_cred (which -# would need to know how to match a cred tag against previously stored -# credentials). - -# The following code is useful for debugging if anything appears to be -# going wrong in the server, since daemon output is generally not -# visible in Python test scripts. 
-# -# import sys, traceback -# def ehook(etype, value, tb): -# with open('/tmp/exception', 'w') as f: -# traceback.print_exception(etype, value, tb, file=f) -# sys.excepthook = ehook - -import optparse -import select -import socket -import struct -import sys - -caches = {} -cache_uuidmap = {} -defname = b'default' -next_unique = 1 -next_uuid = 1 - -class KCMOpcodes(object): - GEN_NEW = 3 - INITIALIZE = 4 - DESTROY = 5 - STORE = 6 - RETRIEVE = 7 - GET_PRINCIPAL = 8 - GET_CRED_UUID_LIST = 9 - GET_CRED_BY_UUID = 10 - REMOVE_CRED = 11 - GET_CACHE_UUID_LIST = 18 - GET_CACHE_BY_UUID = 19 - GET_DEFAULT_CACHE = 20 - SET_DEFAULT_CACHE = 21 - GET_KDC_OFFSET = 22 - SET_KDC_OFFSET = 23 - GET_CRED_LIST = 13001 - REPLACE = 13002 - - -class KRB5Errors(object): - KRB5_CC_NOTFOUND = -1765328243 - KRB5_CC_END = -1765328242 - KRB5_CC_NOSUPP = -1765328137 - KRB5_FCC_NOFILE = -1765328189 - KRB5_FCC_INTERNAL = -1765328188 - - -def make_uuid(): - global next_uuid - uuid = bytes(12) + struct.pack('>L', next_uuid) - next_uuid = next_uuid + 1 - return uuid - - -class Cache(object): - def __init__(self, name): - self.name = name - self.princ = None - self.uuid = make_uuid() - self.cred_uuids = [] - self.creds = {} - self.time_offset = 0 - - -def get_cache(name): - if name in caches: - return caches[name] - cache = Cache(name) - caches[name] = cache - cache_uuidmap[cache.uuid] = cache - return cache - - -def unmarshal_name(argbytes): - offset = argbytes.find(b'\0') - return argbytes[0:offset], argbytes[offset+1:] - - -# Find the bounds of a marshalled principal, returning it and the -# remainder of argbytes. -def extract_princ(argbytes): - ncomps, rlen = struct.unpack('>LL', argbytes[4:12]) - pos = 12 + rlen - for i in range(ncomps): - clen, = struct.unpack('>L', argbytes[pos:pos+4]) - pos += 4 + clen - return argbytes[0:pos], argbytes[pos:] - - -# Return true if the marshalled principals p1 and p2 name the same -# principal. -def princ_eq(p1, p2): - # Ignore the name-types at bytes 0..3. 
The remaining bytes should - # be identical if the principals are the same. - return p1[4:] == p2[4:] - - -def op_gen_new(argbytes): - # Does not actually check for uniqueness. - global next_unique - name = b'unique' + str(next_unique).encode('ascii') - next_unique += 1 - return 0, name + b'\0' - - -def op_initialize(argbytes): - name, princ = unmarshal_name(argbytes) - cache = get_cache(name) - cache.princ = princ - cache.cred_uuids = [] - cache.creds = {} - cache.time_offset = 0 - return 0, b'' - - -def op_destroy(argbytes): - name, rest = unmarshal_name(argbytes) - cache = get_cache(name) - del cache_uuidmap[cache.uuid] - del caches[name] - return 0, b'' - - -def op_store(argbytes): - name, cred = unmarshal_name(argbytes) - cache = get_cache(name) - uuid = make_uuid() - cache.creds[uuid] = cred - cache.cred_uuids.append(uuid) - return 0, b'' - - -def op_retrieve(argbytes): - name, rest = unmarshal_name(argbytes) - # Ignore the flags at rest[0:4] and the header at rest[4:8]. - # Assume there are client and server creds in the tag and match - # only against them. 
- cprinc, rest = extract_princ(rest[8:]) - sprinc, rest = extract_princ(rest) - cache = get_cache(name) - for cred in (cache.creds[u] for u in cache.cred_uuids): - cred_cprinc, rest = extract_princ(cred) - cred_sprinc, rest = extract_princ(rest) - if princ_eq(cred_cprinc, cprinc) and princ_eq(cred_sprinc, sprinc): - return 0, cred - return KRB5Errors.KRB5_CC_NOTFOUND, b'' - - -def op_get_principal(argbytes): - name, rest = unmarshal_name(argbytes) - cache = get_cache(name) - if cache.princ is None: - return KRB5Errors.KRB5_FCC_NOFILE, b'' - return 0, cache.princ + b'\0' - - -def op_get_cred_uuid_list(argbytes): - name, rest = unmarshal_name(argbytes) - cache = get_cache(name) - return 0, b''.join(cache.cred_uuids) - - -def op_get_cred_by_uuid(argbytes): - name, uuid = unmarshal_name(argbytes) - cache = get_cache(name) - if uuid not in cache.creds: - return KRB5Errors.KRB5_CC_END, b'' - return 0, cache.creds[uuid] - - -def op_remove_cred(argbytes): - return KRB5Errors.KRB5_CC_NOSUPP, b'' - - -def op_get_cache_uuid_list(argbytes): - return 0, b''.join(cache_uuidmap.keys()) - - -def op_get_cache_by_uuid(argbytes): - uuid = argbytes - if uuid not in cache_uuidmap: - return KRB5Errors.KRB5_CC_END, b'' - return 0, cache_uuidmap[uuid].name + b'\0' - - -def op_get_default_cache(argbytes): - return 0, defname + b'\0' - - -def op_set_default_cache(argbytes): - global defname - defname, rest = unmarshal_name(argbytes) - return 0, b'' - - -def op_get_kdc_offset(argbytes): - name, rest = unmarshal_name(argbytes) - cache = get_cache(name) - return 0, struct.pack('>l', cache.time_offset) - - -def op_set_kdc_offset(argbytes): - name, obytes = unmarshal_name(argbytes) - cache = get_cache(name) - cache.time_offset, = struct.unpack('>l', obytes) - return 0, b'' - - -def op_get_cred_list(argbytes): - name, rest = unmarshal_name(argbytes) - cache = get_cache(name) - creds = [cache.creds[u] for u in cache.cred_uuids] - return 0, (struct.pack('>L', len(creds)) + - 
b''.join(struct.pack('>L', len(c)) + c for c in creds)) - - -def op_replace(argbytes): - name, rest = unmarshal_name(argbytes) - offset, = struct.unpack('>L', rest[0:4]) - princ, rest = extract_princ(rest[4:]) - ncreds, = struct.unpack('>L', rest[0:4]) - rest = rest[4:] - creds = [] - for i in range(ncreds): - len, = struct.unpack('>L', rest[0:4]) - creds.append(rest[4:4+len]) - rest = rest[4+len:] - - cache = get_cache(name) - cache.princ = princ - cache.cred_uuids = [] - cache.creds = {} - cache.time_offset = offset - for i in range(ncreds): - uuid = make_uuid() - cache.creds[uuid] = creds[i] - cache.cred_uuids.append(uuid) - - return 0, b'' - - -ophandlers = { - KCMOpcodes.GEN_NEW : op_gen_new, - KCMOpcodes.INITIALIZE : op_initialize, - KCMOpcodes.DESTROY : op_destroy, - KCMOpcodes.STORE : op_store, - KCMOpcodes.RETRIEVE : op_retrieve, - KCMOpcodes.GET_PRINCIPAL : op_get_principal, - KCMOpcodes.GET_CRED_UUID_LIST : op_get_cred_uuid_list, - KCMOpcodes.GET_CRED_BY_UUID : op_get_cred_by_uuid, - KCMOpcodes.REMOVE_CRED : op_remove_cred, - KCMOpcodes.GET_CACHE_UUID_LIST : op_get_cache_uuid_list, - KCMOpcodes.GET_CACHE_BY_UUID : op_get_cache_by_uuid, - KCMOpcodes.GET_DEFAULT_CACHE : op_get_default_cache, - KCMOpcodes.SET_DEFAULT_CACHE : op_set_default_cache, - KCMOpcodes.GET_KDC_OFFSET : op_get_kdc_offset, - KCMOpcodes.SET_KDC_OFFSET : op_set_kdc_offset, - KCMOpcodes.GET_CRED_LIST : op_get_cred_list, - KCMOpcodes.REPLACE : op_replace -} - -# Read and respond to a request from the socket s. 
-def service_request(s): - lenbytes = b'' - while len(lenbytes) < 4: - lenbytes += s.recv(4 - len(lenbytes)) - if lenbytes == b'': - return False - - reqlen, = struct.unpack('>L', lenbytes) - req = b'' - while len(req) < reqlen: - req += s.recv(reqlen - len(req)) - - majver, minver, op = struct.unpack('>BBH', req[:4]) - argbytes = req[4:] - - if op in ophandlers: - code, payload = ophandlers[op](argbytes) - else: - code, payload = KRB5Errors.KRB5_FCC_INTERNAL, b'' - - # The KCM response is the code (4 bytes) and the response payload. - # The Heimdal IPC response is the length of the KCM response (4 - # bytes), a status code which is essentially always 0 (4 bytes), - # and the KCM response. - kcm_response = struct.pack('>l', code) + payload - hipc_response = struct.pack('>LL', len(kcm_response), 0) + kcm_response - s.sendall(hipc_response) - return True - -parser = optparse.OptionParser() -parser.add_option('-f', '--fallback', action='store_true', dest='fallback', - default=False, - help='Do not support RETRIEVE/GET_CRED_LIST/REPLACE') -(options, args) = parser.parse_args() -if options.fallback: - del ophandlers[KCMOpcodes.RETRIEVE] - del ophandlers[KCMOpcodes.GET_CRED_LIST] - del ophandlers[KCMOpcodes.REPLACE] - -server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) -server.bind(args[0]) -server.listen(5) -select_input = [server,] -sys.stderr.write('starting...\n') -sys.stderr.flush() - -while True: - iready, oready, xready = select.select(select_input, [], []) - for s in iready: - if s == server: - client, addr = server.accept() - select_input.append(client) - else: - if not service_request(s): - select_input.remove(s) - s.close() diff --git a/crypto/krb5/src/tests/kdbtest.c b/crypto/krb5/src/tests/kdbtest.c deleted file mode 100644 index 6459c3390f3d..000000000000 --- a/crypto/krb5/src/tests/kdbtest.c +++ /dev/null 
@@ -1,403 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/kdbtest.c - test program to exercise KDB modules */ -/* - * Copyright (C) 2012 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This test program uses libkdb5 APIs to exercise as much of the LDAP and DB2 - * back ends. 
- */ - -#include <krb5.h> -#include <kadm5/admin.h> -#include <string.h> - -static krb5_context ctx; - -#define CHECK(code) check(code, __LINE__) -#define CHECK_COND(val) check_cond(val, __LINE__) - -static void -check(krb5_error_code code, int lineno) -{ - const char *errmsg; - - if (code) { - errmsg = krb5_get_error_message(ctx, code); - fprintf(stderr, "Unexpected error at line %d: %s\n", lineno, errmsg); - krb5_free_error_message(ctx, errmsg); - exit(1); - } -} - -static void -check_cond(int value, int lineno) -{ - if (!value) { - fprintf(stderr, "Unexpected result at line %d\n", lineno); - exit(1); - } -} - -static krb5_data princ_data[2] = { - { KV5M_DATA, 6, "xy*(z)" }, - { KV5M_DATA, 12, "+<> *()\\#\",;" } -}; - -static krb5_principal_data sample_princ = { - KV5M_PRINCIPAL, - { KV5M_DATA, 11, "KRBTEST.COM" }, - princ_data, 2, KRB5_NT_UNKNOWN -}; - -static krb5_principal_data xrealm_princ = { - KV5M_PRINCIPAL, - { KV5M_DATA, 12, "KRBTEST2.COM" }, - princ_data, 2, KRB5_NT_UNKNOWN -}; - -#define U(x) (unsigned char *)x - -/* - * tl1 through tl4 are normalized to attributes in the LDAP back end. tl5 is - * stored as untranslated tl-data. tl3 contains an encoded osa_princ_ent with - * a policy reference to "<test*>". - */ -static krb5_tl_data tl5 = { NULL, KRB5_TL_MKVNO, 2, U("\0\1") }; -static krb5_tl_data tl4 = { &tl5, KRB5_TL_LAST_ADMIN_UNLOCK, 4, - U("\6\0\0\0") }; -static krb5_tl_data tl3 = { &tl4, KRB5_TL_KADM_DATA, 32, - U("\x12\x34\x5C\x01\x00\x00\x00\x08" - "\x3C\x74\x65\x73\x74\x2A\x3E\x00" - "\x00\x00\x08\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00") }; -static krb5_tl_data tl2 = { &tl3, KRB5_TL_MOD_PRINC, 8, U("\5\6\7\0x@Y\0") }; -static krb5_tl_data tl1 = { &tl2, KRB5_TL_LAST_PWD_CHANGE, 4, U("\1\2\3\4") }; - -/* An encoded osa_print_enc with no policy reference. 
*/ -static krb5_tl_data tl_no_policy = { NULL, KRB5_TL_KADM_DATA, 24, - U("\x12\x34\x5C\x01\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x02\x00\x00\x00\x00") }; - -static krb5_key_data keys[] = { - { - 2, /* key_data_ver */ - 2, /* key_data_kvno */ - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, KRB5_KDB_SALTTYPE_SPECIAL }, - { 32, 7 }, - { U("\x17\xF2\x75\xF2\x95\x4F\x2E\xD1" - "\xF9\x0C\x37\x7B\xA7\xF4\xD6\xA3" - "\x69\xAA\x01\x36\xE0\xBF\x0C\x92" - "\x7A\xD6\x13\x3C\x69\x37\x59\xA9"), - U("expsalt") } - }, - { - 2, /* key_data_ver */ - 2, /* key_data_kvno */ - { ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, - { 16, 0 }, - { U("\xDC\xEE\xB7\x0B\x3D\xE7\x65\x62" - "\xE6\x89\x22\x6C\x76\x42\x91\x48"), - NULL } - } -}; -#undef U - -static char polname[] = "<test*>"; - -static krb5_db_entry sample_entry = { - 0, - KRB5_KDB_V1_BASE_LENGTH, - /* mask */ - KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION | - KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_POLICY | KADM5_MAX_RLIFE | - KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT | - KADM5_KEY_DATA | KADM5_TL_DATA, - /* attributes */ - KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_REQUIRES_HW_AUTH | - KRB5_KDB_DISALLOW_SVR, - 1234, /* max_life */ - 5678, /* max_renewable_life */ - 9012, /* expiration */ - 3456, /* pw_expiration */ - 1, /* last_success */ - 5, /* last_failed */ - 2, /* fail_auth_count */ - 5, /* n_tl_data */ - 2, /* n_key_data */ - 0, NULL, /* e_length, e_data */ - &sample_princ, - &tl1, - keys -}; - -static osa_policy_ent_rec sample_policy = { - 0, /* version */ - polname, /* name */ - 1357, /* pw_min_life */ - 100, /* pw_max_life */ - 6, /* pw_min_length */ - 2, /* pw_min_classes */ - 3, /* pw_history_num */ - 0, /* policy_refcnt */ - 2, /* pw_max_fail */ - 60, /* pw_failcnt_interval */ - 120, /* pw_lockout_duration */ - 0, /* attributes */ - 2468, /* max_life */ - 3579, /* max_renewable_life */ - "aes", /* allowed_keysalts */ - 0, NULL /* n_tl_data, tl_data */ -}; - -/* Compare 
pol against sample_policy. */ -static void -check_policy(osa_policy_ent_t pol) -{ - CHECK_COND(strcmp(pol->name, sample_policy.name) == 0); - CHECK_COND(pol->pw_min_life == sample_policy.pw_min_life); - CHECK_COND(pol->pw_max_life == sample_policy.pw_max_life); - CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length); - CHECK_COND(pol->pw_min_classes == sample_policy.pw_min_classes); - CHECK_COND(pol->pw_history_num == sample_policy.pw_history_num); - CHECK_COND(pol->pw_max_life == sample_policy.pw_max_life); - CHECK_COND(pol->pw_failcnt_interval == sample_policy.pw_failcnt_interval); - CHECK_COND(pol->pw_lockout_duration == sample_policy.pw_lockout_duration); - CHECK_COND(pol->attributes == sample_policy.attributes); - CHECK_COND(pol->max_life == sample_policy.max_life); - CHECK_COND(pol->max_renewable_life == sample_policy.max_renewable_life); - CHECK_COND(strcmp(pol->allowed_keysalts, - sample_policy.allowed_keysalts) == 0); -} - -/* Compare ent against sample_entry. */ -static void -check_entry(krb5_db_entry *ent) -{ - krb5_int16 i, j; - krb5_key_data *k1, *k2; - krb5_tl_data *tl, etl; - - CHECK_COND(ent->attributes == sample_entry.attributes); - CHECK_COND(ent->max_life == sample_entry.max_life); - CHECK_COND(ent->max_renewable_life == sample_entry.max_renewable_life); - CHECK_COND(ent->expiration == sample_entry.expiration); - CHECK_COND(ent->pw_expiration == sample_entry.pw_expiration); - CHECK_COND(ent->last_success == sample_entry.last_success); - CHECK_COND(ent->last_failed == sample_entry.last_failed); - CHECK_COND(ent->fail_auth_count == sample_entry.fail_auth_count); - CHECK_COND(krb5_principal_compare(ctx, ent->princ, sample_entry.princ)); - CHECK_COND(ent->n_key_data == sample_entry.n_key_data); - for (i = 0; i < ent->n_key_data; i++) { - k1 = &ent->key_data[i]; - k2 = &sample_entry.key_data[i]; - CHECK_COND(k1->key_data_ver == k2->key_data_ver); - CHECK_COND(k1->key_data_kvno == k2->key_data_kvno); - for (j = 0; j < k1->key_data_ver; j++) { - 
CHECK_COND(k1->key_data_type[j] == k2->key_data_type[j]); - CHECK_COND(k1->key_data_length[j] == k2->key_data_length[j]); - CHECK_COND(memcmp(k1->key_data_contents[j], - k2->key_data_contents[j], - k1->key_data_length[j]) == 0); - } - } - for (tl = sample_entry.tl_data; tl != NULL; tl = tl->tl_data_next) { - etl.tl_data_type = tl->tl_data_type; - CHECK(krb5_dbe_lookup_tl_data(ctx, ent, &etl)); - CHECK_COND(tl->tl_data_length == etl.tl_data_length); - CHECK_COND(memcmp(tl->tl_data_contents, etl.tl_data_contents, - tl->tl_data_length) == 0); - } -} - -/* Audit a successful or failed preauth attempt for *entp. Then reload *entp - * (by fetching sample_princ) so we can see the effect. */ -static void -sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp) -{ - /* Both back ends ignore the request, local_addr, and remote_addr - * parameters for now. */ - krb5_db_audit_as_req(ctx, NULL, NULL, NULL, *entp, *entp, authtime, - ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED); - krb5_db_free_principal(ctx, *entp); - CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp)); -} - -static krb5_error_code -iter_princ_handler(void *data, krb5_db_entry *ent) -{ - int *count = data; - - CHECK_COND(krb5_principal_compare(ctx, ent->princ, sample_entry.princ)); - (*count)++; - return 0; -} - -static void -iter_pol_handler(void *data, osa_policy_ent_t pol) -{ - int *count = data; - - CHECK_COND(strcmp(pol->name, sample_policy.name) == 0); - (*count)++; -} - -int -main(void) -{ - krb5_db_entry *ent; - osa_policy_ent_t pol; - krb5_pa_data **e_data; - const char *status; - int count; - - CHECK(krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx)); - - /* If we can, revert to requiring all entries match sample_princ in - * iter_princ_handler */ - CHECK_COND(krb5_db_inited(ctx) != 0); - CHECK(krb5_db_create(ctx, NULL)); - CHECK(krb5_db_inited(ctx)); - CHECK(krb5_db_fini(ctx)); - CHECK_COND(krb5_db_inited(ctx) != 0); - - CHECK_COND(krb5_db_inited(ctx) != 0); - 
CHECK(krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN)); - CHECK(krb5_db_inited(ctx)); - - /* Manipulate a policy, leaving it in place at the end. */ - CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0); - CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0); - CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY); - CHECK(krb5_db_create_policy(ctx, &sample_policy)); - CHECK_COND(krb5_db_create_policy(ctx, &sample_policy) != 0); - CHECK(krb5_db_get_policy(ctx, polname, &pol)); - check_policy(pol); - pol->pw_min_length--; - CHECK(krb5_db_put_policy(ctx, pol)); - krb5_db_free_policy(ctx, pol); - CHECK(krb5_db_get_policy(ctx, polname, &pol)); - CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length - 1); - krb5_db_free_policy(ctx, pol); - CHECK(krb5_db_delete_policy(ctx, polname)); - CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0); - CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0); - CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY); - CHECK(krb5_db_create_policy(ctx, &sample_policy)); - count = 0; - CHECK(krb5_db_iter_policy(ctx, NULL, iter_pol_handler, &count)); - CHECK_COND(count == 1); - - /* Create a principal. */ - CHECK_COND(krb5_db_delete_principal(ctx, &sample_princ) == - KRB5_KDB_NOENTRY); - CHECK_COND(krb5_db_get_principal(ctx, &xrealm_princ, 0, &ent) == - KRB5_KDB_NOENTRY); - CHECK(krb5_db_put_principal(ctx, &sample_entry)); - /* Putting again will fail with LDAP (due to KADM5_PRINCIPAL in mask) - * but succeed with DB2, so don't check the result. */ - (void)krb5_db_put_principal(ctx, &sample_entry); - /* But it should succeed in both back ends with KADM5_LOAD in mask. */ - sample_entry.mask |= KADM5_LOAD; - CHECK(krb5_db_put_principal(ctx, &sample_entry)); - sample_entry.mask &= ~KADM5_LOAD; - /* Fetch and compare the added principal. 
*/ - CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, &ent)); - check_entry(ent); - - /* We can't set up a successful allowed-to-delegate check through existing - * APIs yet, but we can make a failed check. */ - CHECK_COND(krb5_db_check_allowed_to_delegate(ctx, &sample_princ, ent, - &sample_princ) != 0); - - /* Exercise lockout code. */ - /* Policy params: max_fail 2, failcnt_interval 60, lockout_duration 120 */ - /* Initial state: last_success 1, last_failed 5, fail_auth_count 2, - * last admin unlock 6 */ - /* Check succeeds due to last admin unlock. */ - CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 7, &status, &e_data)); - /* Failure count resets to 1 due to last admin unlock. */ - sim_preauth(8, FALSE, &ent); - CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 8); - /* Failure count resets to 1 due to failcnt_interval */ - sim_preauth(70, FALSE, &ent); - CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 70); - /* Failure count resets to 0 due to successful preauth. */ - sim_preauth(75, TRUE, &ent); - CHECK_COND(ent->fail_auth_count == 0 && ent->last_success == 75); - /* Failure count increments to 2 and stops incrementing. */ - sim_preauth(80, FALSE, &ent); - CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 80); - sim_preauth(100, FALSE, &ent); - CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100); - sim_preauth(110, FALSE, &ent); - CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100); - /* Check fails due to reaching maximum failure count. */ - CHECK_COND(krb5_db_check_policy_as(ctx, NULL, ent, ent, 170, &status, - &e_data) == KRB5KDC_ERR_CLIENT_REVOKED); - /* Check succeeds after lockout_duration has passed. */ - CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 230, &status, &e_data)); - /* Failure count resets to 1 on next failure. 
*/ - sim_preauth(240, FALSE, &ent); - CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 240); - - /* Exercise LDAP code to clear a policy reference and to set the key - * data on an existing principal. */ - CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy)); - ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA; - CHECK(krb5_db_put_principal(ctx, ent)); - CHECK(krb5_db_delete_policy(ctx, polname)); - - /* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as - * from a load operation. */ - ent->mask = (sample_entry.mask & ~KADM5_POLICY) | KADM5_LOAD; - CHECK(krb5_db_put_principal(ctx, ent)); - - /* Exercise LDAP code to create a new principal at a DN from - * KDB_TL_USER_INFO tl-data. */ - CHECK(krb5_db_delete_principal(ctx, &sample_princ)); - CHECK(krb5_db_put_principal(ctx, ent)); - krb5_db_free_principal(ctx, ent); - - /* Exercise principal iteration code. */ - count = 0; - CHECK(krb5_db_iterate(ctx, "xy*", iter_princ_handler, &count, 0)); - CHECK_COND(count == 1); - - CHECK(krb5_db_fini(ctx)); - CHECK_COND(krb5_db_inited(ctx) != 0); - - /* It might be nice to exercise krb5_db_destroy here, but the LDAP module - * doesn't support it. */ - - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/localauth.c b/crypto/krb5/src/tests/localauth.c deleted file mode 100644 index a3f7e15c3c21..000000000000 --- a/crypto/krb5/src/tests/localauth.c +++ /dev/null 
@@ -1,72 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/localauth.c - test harness for kuserok and aname_to_lname */
-/*
- * Copyright (C) 2013 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <krb5.h>
-#include <stdio.h>
-
-static krb5_context ctx;
-
-static void
-check(krb5_error_code code)
-{
- const char *errmsg;
-
- if (code) {
- errmsg = krb5_get_error_message(ctx, code);
- fprintf(stderr, "%s\n", errmsg);
- krb5_free_error_message(ctx, errmsg);
- exit(1);
- }
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_principal princ;
- char buf[1024];
-
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: localauth principal [localuser]\n");
- return 1;
- }
- check(krb5_init_context(&ctx));
- check(krb5_parse_name(ctx, argv[1], &princ));
- if (argc == 3) {
- printf("%s\n", krb5_kuserok(ctx, princ, argv[2]) ? "yes" : "no");
- } else {
- check(krb5_aname_to_localname(ctx, princ, sizeof(buf), buf));
- printf("%s\n", buf);
- }
- krb5_free_principal(ctx, princ);
- krb5_free_context(ctx);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/misc/Makefile.in b/crypto/krb5/src/tests/misc/Makefile.in
deleted file mode 100644
index 81feb1d8e91f..000000000000
--- a/crypto/krb5/src/tests/misc/Makefile.in
+++ /dev/null
@@ -1,58 +0,0 @@
-mydir=tests$(S)misc
-BUILDTOP=$(REL)..$(S)..
-
-OBJS=\
- test_getpw.o \
- test_chpw_message.o
-
-SRCS=\
- $(srcdir)/test_getpw.c \
- $(srcdir)/test_chpw_message.c \
- $(srcdir)/test_getsockname.c \
- $(srcdir)/test_cxx_krb5.cpp \
- $(srcdir)/test_cxx_k5int.cpp \
- $(srcdir)/test_cxx_gss.cpp \
- $(srcdir)/test_cxx_rpc.cpp \
- $(srcdir)/test_cxx_kadm5.cpp
-
-all: test_getpw test_chpw_message
-
-check: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5
- $(RUN_TEST) ./test_getpw
- $(RUN_TEST) ./test_chpw_message
- $(RUN_TEST) ./test_cxx_krb5
- $(RUN_TEST) ./test_cxx_k5int
- $(RUN_TEST) ./test_cxx_gss
- $(RUN_TEST) ./test_cxx_rpc
- $(RUN_TEST) ./test_cxx_kadm5
-
-test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB)
- $(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB)
-
-test_chpw_message: $(OUTPRE)test_chpw_message.$(OBJEXT) $(SUPPORT_DEPLIB)
- $(CC_LINK) $(ALL_CFLAGS) -o test_chpw_message $(OUTPRE)test_chpw_message.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
-
-test_getsockname: $(OUTPRE)test_getsockname.$(OBJEXT)
- $(CC_LINK) $(ALL_CFLAGS) -o test_getsockname $(OUTPRE)test_getsockname.$(OBJEXT) $(LIBS)
-
-test_cxx_krb5: $(OUTPRE)test_cxx_krb5.$(OBJEXT) $(KRB5_DEPLIB)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_krb5 $(OUTPRE)test_cxx_krb5.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
-test_cxx_k5int: $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_DEPLIB)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
-test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS)
-test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(KRB5_BASE_LIBS) $(LIBS)
-test_cxx_kadm5: $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_DEPLIBS)
- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_kadm5
$(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(LIBS)
-
-test_cxx_krb5.$(OBJEXT): test_cxx_krb5.cpp
-test_cxx_gss.$(OBJEXT): test_cxx_gss.cpp
-test_cxx_rpc.$(OBJEXT): test_cxx_rpc.cpp
-test_cxx_kadm5.$(OBJEXT): test_cxx_kadm5.cpp
-
-install:
-
-clean:
- $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o
-
diff --git a/crypto/krb5/src/tests/misc/deps b/crypto/krb5/src/tests/misc/deps
deleted file mode 100644
index 2572f0c378ab..000000000000
--- a/crypto/krb5/src/tests/misc/deps
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)test_getpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- test_getpw.c
-$(OUTPRE)test_chpw_message.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
- test_chpw_message.c
-$(OUTPRE)test_getsockname.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- test_getsockname.c
-$(OUTPRE)test_cxx_krb5.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/locate_plugin.h test_cxx_krb5.cpp
-$(OUTPRE)test_cxx_k5int.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-ipc_stream.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/k5-utf8.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h test_cxx_k5int.cpp
-$(OUTPRE)test_cxx_gss.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- test_cxx_gss.cpp
-$(OUTPRE)test_cxx_rpc.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(top_srcdir)/include/gssrpc/auth.h \
- $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
- $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
- $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
-
$(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
- $(top_srcdir)/include/gssrpc/xdr.h test_cxx_rpc.cpp
-$(OUTPRE)test_cxx_kadm5.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
- $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
- $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
- $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
- $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
- $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
- $(top_srcdir)/include/krb5.h test_cxx_kadm5.cpp
diff --git a/crypto/krb5/src/tests/misc/test_chpw_message.c b/crypto/krb5/src/tests/misc/test_chpw_message.c
deleted file mode 100644
index c6fdaa137640..000000000000
--- a/crypto/krb5/src/tests/misc/test_chpw_message.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/misc/test_getpw.c */
-/*
- * Copyright (C) 2012 by the Red Hat Inc.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "autoconf.h"
-#include "krb5.h"
-
-#include <sys/types.h>
-#include <assert.h>
-#include <locale.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-static krb5_data result_utf8 = {
- 0, 23, "This is a valid string.",
-};
-
-static krb5_data result_invalid_utf8 = {
- 0, 19, "\0This is not valid.",
-};
-
-static krb5_data result_ad_complex = {
- 0, 30,
- "\0\0" /* zero bytes */
- "\0\0\0\0" /* min length */
- "\0\0\0\0" /* history */
- "\0\0\0\1" /* properties, complex */
- "\0\0\0\0\0\0\0\0" /* expire */
- "\0\0\0\0\0\0\0\0" /* min age */
-};
-
-static krb5_data result_ad_length = {
- 0, 30,
- "\0\0" /* zero bytes */
- "\0\0\0\x0d" /* min length, 13 characters */
- "\0\0\0\0" /* history */
- "\0\0\0\0" /* properties */
- "\0\0\0\0\0\0\0\0" /* expire */
- "\0\0\0\0\0\0\0\0" /* min age */
-};
-
-static krb5_data result_ad_history = {
- 0, 30,
- "\0\0" /* zero bytes */
- "\0\0\0\0" /* min length */
- "\0\0\0\x09" /* history, 9 passwords */
- "\0\0\0\0" /* properties */
- "\0\0\0\0\0\0\0\0" /* expire */
- "\0\0\0\0\0\0\0\0" /* min age */
-};
-
-static krb5_data result_ad_age = {
- 0, 30,
- "\0\0" /* zero bytes */
- "\0\0\0\0" /* min length */
- "\0\0\0\0" /* history, 9 passwords */
- "\0\0\0\0" /* properties */
- "\0\0\0\0\0\0\0\0" /* expire */
- "\0\0\x01\x92\x54\xd3\x80\0" /* min age, 2 days */
-};
-
-static krb5_data result_ad_all = {
- 0, 30,
- "\0\0" /* zero bytes */
- "\0\0\0\x05" /* min length, 5 characters */
- "\0\0\0\x0D" /* history, 13 passwords */
- "\0\0\0\x01" /* properties, complex */
- "\0\0\0\0\0\0\0\0" /* expire */
- "\0\0\0\xc9\x2a\x69\xc0\0" /* min age, 1 day */
-};
-
-static void
-check(krb5_error_code code)
-{
- if (code != 0) {
- com_err("t_vfy_increds", code, "");
- abort();
- }
-}
-
-static void
-check_msg(const char *real, const char *expected)
-{
- if (strstr(real, expected) == NULL) {
- fprintf(stderr, "Expected to see: %s\n", expected);
- abort();
- }
-}
-
-int
-main(void)
-{
- krb5_context context;
- char
*msg;
-
- setlocale(LC_ALL, "C");
-
- check(krb5_init_context(&context));
-
- /* Valid utf-8 data in the result should be returned as is */
- check(krb5_chpw_message(context, &result_utf8, &msg));
- printf(" UTF8 valid: %s\n", msg);
- check_msg(msg, "This is a valid string.");
- free(msg);
-
- /* Invalid data should have a generic message. */
- check(krb5_chpw_message(context, &result_invalid_utf8, &msg));
- printf(" UTF8 invalid: %s\n", msg);
- check_msg(msg, "contact your administrator");
- free(msg);
-
- /* AD data with complex data requirement */
- check(krb5_chpw_message(context, &result_ad_complex, &msg));
- printf(" AD complex: %s\n", msg);
- check_msg(msg, "The password must include numbers or symbols.");
- check_msg(msg, "Don't include any part of your name in the password.");
- free(msg);
-
- /* AD data with min password length */
- check(krb5_chpw_message(context, &result_ad_length, &msg));
- printf(" AD length: %s\n", msg);
- check_msg(msg, "The password must contain at least 13 characters.");
- free(msg);
-
- /* AD data with history requirements */
- check(krb5_chpw_message(context, &result_ad_history, &msg));
- printf(" AD history: %s\n", msg);
- check_msg(msg, "The password must be different from the previous 9 "
- "passwords.");
- free(msg);
-
- /* AD data with minimum age */
- check(krb5_chpw_message(context, &result_ad_age, &msg));
- printf(" AD min age: %s\n", msg);
- check_msg(msg, "The password can only be changed every 2 days.");
- free(msg);
-
- /* AD data with all */
- check(krb5_chpw_message(context, &result_ad_all, &msg));
- printf(" AD all: %s\n", msg);
- check_msg(msg, "The password can only be changed once a day.");
- check_msg(msg, "The password must be different from the previous 13 "
- "passwords.");
- check_msg(msg, "The password must contain at least 5 characters.");
- check_msg(msg, "The password must include numbers or symbols.");
- check_msg(msg, "Don't include any part of your name in the password.");
- free(msg);
-
-
krb5_free_context(context);
- exit(0);
-}
diff --git a/crypto/krb5/src/tests/misc/test_cxx_gss.cpp b/crypto/krb5/src/tests/misc/test_cxx_gss.cpp
deleted file mode 100644
index 91622cd8649c..000000000000
--- a/crypto/krb5/src/tests/misc/test_cxx_gss.cpp
+++ /dev/null
@@ -1,10 +0,0 @@
-// Test that the gssapi.h header is compatible with C++ application code.
-
-#include <stdio.h>
-#include "gssapi/gssapi.h"
-
-int main ()
-{
- printf("hello, world\n");
- return 0;
-}
diff --git a/crypto/krb5/src/tests/misc/test_cxx_k5int.cpp b/crypto/krb5/src/tests/misc/test_cxx_k5int.cpp
deleted file mode 100644
index bb6005f64095..000000000000
--- a/crypto/krb5/src/tests/misc/test_cxx_k5int.cpp
+++ /dev/null
@@ -1,20 +0,0 @@
-// Test that the krb5 internal headers are compatible with C++ code.
-// (Some Windows-specific code is in C++ in this source tree.)
-
-#include <stdio.h>
-#include "k5-int.h"
-#include "k5-ipc_stream.h"
-#include "k5-utf8.h"
-
-int main (int argc, char *argv[])
-{
- krb5_context ctx;
-
- if (krb5_init_context(&ctx) != 0) {
- printf("krb5_init_context returned an error\n");
- return 1;
- }
- printf("hello, world\n");
- krb5_free_context(ctx);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/misc/test_cxx_kadm5.cpp b/crypto/krb5/src/tests/misc/test_cxx_kadm5.cpp
deleted file mode 100644
index 59422ed1c7af..000000000000
--- a/crypto/krb5/src/tests/misc/test_cxx_kadm5.cpp
+++ /dev/null
@@ -1,15 +0,0 @@
-// Test that the kadm5 header is compatible with C++ application code.
-
-#include "kadm5/admin.h"
-
-krb5_context ctx;
-kadm5_config_params p_in, p_out;
-int main (int argc, char *argv[])
-{
- if (argc == 47 && kadm5_get_config_params(ctx, 1, &p_in, &p_out)) {
- printf("error\n");
- return 1;
- }
- printf("hello, world\n");
- return 0;
-}
diff --git a/crypto/krb5/src/tests/misc/test_cxx_krb5.cpp b/crypto/krb5/src/tests/misc/test_cxx_krb5.cpp
deleted file mode 100644
index 002120bfbcab..000000000000
--- a/crypto/krb5/src/tests/misc/test_cxx_krb5.cpp
+++ /dev/null
@@ -1,19 +0,0 @@
-// Test that the krb5.h header is compatible with C++ application code.
-
-#include <stdio.h>
-#include "krb5.h"
-#include "krb5/locate_plugin.h"
-#include "profile.h"
-
-int main (int argc, char *argv[])
-{
- krb5_context ctx;
-
- if (krb5_init_context(&ctx) != 0) {
- printf("krb5_init_context returned an error\n");
- return 1;
- }
- printf("hello, world\n");
- krb5_free_context(ctx);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/misc/test_cxx_rpc.cpp b/crypto/krb5/src/tests/misc/test_cxx_rpc.cpp
deleted file mode 100644
index a7194878322d..000000000000
--- a/crypto/krb5/src/tests/misc/test_cxx_rpc.cpp
+++ /dev/null
@@ -1,14 +0,0 @@
-// Test that the rpc.h header is compatible with C++ application code.
-
-#include "gssrpc/rpc.h"
-
-struct sockaddr_in s_in;
-int main (int argc, char *argv[])
-{
- if (argc == 47 && get_myaddress (&s_in)) {
- printf("error\n");
- return 1;
- }
- printf("hello, world\n");
- return 0;
-}
diff --git a/crypto/krb5/src/tests/misc/test_getpw.c b/crypto/krb5/src/tests/misc/test_getpw.c
deleted file mode 100644
index 59ff5d3a5d96..000000000000
--- a/crypto/krb5/src/tests/misc/test_getpw.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/misc/test_getpw.c */
-/*
- * Copyright (C) 2005 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "autoconf.h"
-#include "k5-platform.h"
-#include <stdio.h>
-#include <stdlib.h>
-#include <pwd.h>
-#include <unistd.h>
-#include <sys/types.h>
-
-int main(void)
-{
- uid_t my_uid;
- struct passwd *pwd, pwx;
- char pwbuf[BUFSIZ];
- int x;
-
- my_uid = getuid();
- printf("my uid: %ld\n", (long) my_uid);
-
- x = k5_getpwuid_r(my_uid, &pwx, pwbuf, sizeof(pwbuf), &pwd);
- printf("k5_getpwuid_r returns %d\n", x);
- if (x != 0)
- exit(1);
- printf(" username is '%s'\n", pwd->pw_name);
- exit(0);
-}
diff --git a/crypto/krb5/src/tests/misc/test_getsockname.c b/crypto/krb5/src/tests/misc/test_getsockname.c
deleted file mode 100644
index 4fb875fac0b8..000000000000
--- a/crypto/krb5/src/tests/misc/test_getsockname.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/misc/test_getsockname.c */
-/*
- * Copyright (C) 1995 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * test_getsockname.c
- *
- * This routine demonstrates a bug in the socket emulation library of
- * Solaris and other monstrosities that uses STREAMS. On other
- * machines with a real networking layer, it prints the local
- * interface address that is used to send a message to a specific
- * host. On Solaris, it prints out 0.0.0.0.
- */
-
-#include "autoconf.h"
-#include <unistd.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <string.h>
-
-int
-main(argc, argv)
- int argc;
- char *argv[];
-{
- int sock;
- GETSOCKNAME_ARG3_TYPE i;
- struct hostent *host;
- struct sockaddr_in s_sock; /* server address */
- struct sockaddr_in c_sock; /* client address */
-
- char *hostname;
-
- if (argc == 2) {
- hostname = argv[1];
- } else {
- fprintf(stderr, "Usage: %s hostname\n", argv[0]);
- exit(1);
- }
-
- /* Look up server host */
- if ((host = gethostbyname(hostname)) == (struct hostent *) 0) {
- fprintf(stderr, "%s: unknown host\n", hostname);
- exit(1);
- }
-
- /* Set server's address */
- (void) memset(&s_sock, 0, sizeof(s_sock));
-
- memcpy(&s_sock.sin_addr, host->h_addr, sizeof(s_sock.sin_addr));
-#ifdef DEBUG
- printf("s_sock.sin_addr is %s\n", inet_ntoa(s_sock.sin_addr));
-#endif
- s_sock.sin_family = AF_INET;
- s_sock.sin_port = htons(5555);
-
- /* Open a socket */
- if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
- perror("socket");
- exit(1);
- }
-
- memset(&c_sock, 0, sizeof(c_sock));
- c_sock.sin_family = AF_INET;
-
- /* Bind it to set the address; kernel will fill in port # */
- if (bind(sock, (struct sockaddr *)&c_sock, sizeof(c_sock)) < 0) {
- perror("bind");
- exit(1);
- }
-
- /* "connect" the datagram socket; this is necessary to get a local address
- properly bound for getsockname() below. */
- if (connect(sock, (struct sockaddr *)&s_sock, sizeof(s_sock)) == -1) {
- perror("connect");
- exit(1);
- }
-
- /* Get my address */
- memset(&c_sock, 0, sizeof(c_sock));
- i = sizeof(c_sock);
- if (getsockname(sock, (struct sockaddr *)&c_sock, &i) < 0) {
- perror("getsockname");
- exit(1);
- }
-
- printf("My interface address is: %s\n", inet_ntoa(c_sock.sin_addr));
-
- exit(0);
-}
diff --git a/crypto/krb5/src/tests/misc/test_nfold.c b/crypto/krb5/src/tests/misc/test_nfold.c
deleted file mode 100644
index e72502d61720..000000000000
--- a/crypto/krb5/src/tests/misc/test_nfold.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-int main(int argc, char *argv[])
-{
- int inlen, outlen, i;
- unsigned char *instr, *outstr;
-
- if (argc != 3) {
- fprintf(stderr, "%s: instr outlen\n", argv[0]);
- exit(1);
- }
-
- instr = (unsigned char *) argv[1];
- inlen = strlen(instr)*8;
- outlen = atoi(argv[2]);
- if (outlen%8) {
- fprintf(stderr, "outlen must be a multiple of 8\n");
- exit(1);
- }
-
- if ((outstr = (unsigned char *) malloc(outlen/8)) == NULL) {
- fprintf(stderr, "ENOMEM\n");
- exit(1);
- }
-
- krb5int_nfold(inlen,instr,outlen,outstr);
-
- printf("%d-fold(",outlen);
- for (i=0; i<(inlen/8); i++)
- printf("%02x",instr[i]);
- printf(") = ");
- for (i=0; i<(outlen/8); i++)
- printf("%02x",outstr[i]);
- printf("\n");
-
- exit(0);
-}
diff --git a/crypto/krb5/src/tests/pkinit-certs/ca.pem b/crypto/krb5/src/tests/pkinit-certs/ca.pem
deleted file mode 100644
index 6c782bcde5e3..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/ca.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owgacxCzAJ
-BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i
-cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl
-cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk
-byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAJv9Sbc2QSbHWnZjk55JfeOdPGUsmKOcT/N7C0/0mOQq4tUCmha7ntpBoIJd
-UBDhMQayG3QHruQX7aogtOx8hoLoLUaNKgxzEZ0OLbDRMc2M+vTDpBROITGI1KPv
-QtthlS4ocqKvqBCze66N9LufzAju61CyKdB3pCykPrgDVVScfsZ1t2zCbK0SF2cf
-ZAdIyCLoGLeQ95/NL3SIx0CX9gU47AVmBkSQ+LExJRhbUSIg+puKbqJ0XVILR1B2
-ezgik2ObFND0hsRUS4v8pKnIDz0HXR2AneTESY+atjbzzelGA2zH86p4tLg0PanQ
-4x4+gpkQhzSr5Cmi3QX4XahSrmUCAwEAAaOCARgwggEUMB0GA1UdDgQWBBSSP/pz
-leX5zVcZ9hpI5GG2eQ+pqjCB1AYDVR0jBIHMMIHJgBSSP/pzleX5zVcZ9hpI5GG2
-eQ+pqqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
-dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ
-bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0
-IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE
-AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAfx04Uqh0D
-myOR1PSqEEbMWJxZXYoESnjjH4Co4doceVBTuKix/2lplD4wcvA7aMXpmkvGfP38
-dPrN1jvGd4bi/djTuxab9qB7rOeswAt+NyVHReUmuIMwgcW1UD7HXErg4EsOMjGD
-2XGhJYxGnwdURmnFwoO3yLLwo5K+C4rqPm3PbnI3W0sCA+IXepQTxuXK3dSplMMm
-0Pejw3es2s3oI9WaD2JRXvFuylw4UWYX+cyFRb+wN55Gh0rPVdxDhKCkbWNt/gTi
-/DbC+5pyQXkmy07OEGrmh4+5ae9hwejr9AukF2IZJB+oFP4i1mt9xyAOXImnWOzB
-SdHD08WHl5Gq
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/eckey.pem b/crypto/krb5/src/tests/pkinit-certs/eckey.pem
deleted file mode 100644
index 14c2efd2ac35..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/eckey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSB3T7ihe3JUeIKZI
-PCDqATKN/dNugQsaC5AKiBPC6ymhRANCAAQy0E88e1CX16/2wL2T+nE0pmlb7wBM
-0hOh6m3m2uDbVsAIRJfhEjHWsT2ODCoBvGDV6vBeIOUjE/Ro9EwnYBW5
------END PRIVATE KEY-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/ecuser.pem b/crypto/krb5/src/tests/pkinit-certs/ecuser.pem
deleted file mode 100644
index 585e53d8c5c1..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/ecuser.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIECDCCAvCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owSjELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-MtBPPHtQl9ev9sC9k/pxNKZpW+8ATNIToept5trg21bACESX4RIx1rE9jgwqAbxg
-1erwXiDlIxP0aPRMJ2AVuaOCAWQwggFgMB0GA1UdDgQWBBR5MaRx7ub5YBwsS0CF
-Li18nsl49zCB1AYDVR0jBIHMMIHJgBSSP/pzleX5zVcZ9hpI5GG2eQ+pqqGBraSB
-qjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNV
-BAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQ
-S0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3Vp
-dGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNV
-HRMBAf8EAjAAMDkGA1UdEQQyMDCgLgYGKwYBBQICoCQwIqANGwtLUkJURVNULkNP
-TaERMA+gAwIBAaEIMAYbBHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG
-9w0BAQsFAAOCAQEAfwlONLYPo0BNN2NyQZM3wkoldvFqidcoZiYALOcBcmllMP7H
-XQ/+en4TmbKR0RUJN6AjR9yEo92fHAYOB2L7AzR8AkOiRLjp/Pdg5kUHFTdKenTK
-DvpeiJELz9chk/vaMv1T9qvOwH2bVAyS8GrUc5n0ui5F61PrquLAmm+dpKyHDY60
-DdFaebS2gYsmy4bBv0mgcMZ+ZXnzXYmLNtdVQ3SgVGO7M8eyCqPbe/o0Lw4Gz+l0
-xgpFkptdlEogsOaJBzjrgWyBnWw6MkyyLiSY+iOxFpBGkwCxi1gtQwbcp4gMwaxc
-p5+JPM/JBfglBX1lpRhhxL8EGQvpryN9MT530w==
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/generic.p12 b/crypto/krb5/src/tests/pkinit-certs/generic.p12
Binary files differ
deleted file mode 100644
index 55a248137ca7..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/generic.p12
+++ /dev/null
diff --git a/crypto/krb5/src/tests/pkinit-certs/generic.pem b/crypto/krb5/src/tests/pkinit-certs/generic.pem
deleted file mode 100644
index dde7f31a7064..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/generic.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZjCCAk4CAQgwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD
-VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM
-A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex
-MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy
-d2lzZTAeFw0yNDAyMTUwNDU5MDdaFw0zNTAxMjgwNDU5MDdaMEoxCzAJBgNVBAYT
-AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP
-TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJv9Sbc2QSbHWnZjk55JfeOdPGUsmKOcT/N7C0/0mOQq4tUCmha7ntpBoIJdUBDh
-MQayG3QHruQX7aogtOx8hoLoLUaNKgxzEZ0OLbDRMc2M+vTDpBROITGI1KPvQtth
-lS4ocqKvqBCze66N9LufzAju61CyKdB3pCykPrgDVVScfsZ1t2zCbK0SF2cfZAdI
-yCLoGLeQ95/NL3SIx0CX9gU47AVmBkSQ+LExJRhbUSIg+puKbqJ0XVILR1B2ezgi
-k2ObFND0hsRUS4v8pKnIDz0HXR2AneTESY+atjbzzelGA2zH86p4tLg0PanQ4x4+
-gpkQhzSr5Cmi3QX4XahSrmUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAau8fw4h1
-hp4/gp7l+AXvq+9E/a2y2Np+H8BmlRIg8ZLyKjRR6iPjcUwFWUteSSBsFzcc+/5V
-/Qs9gAW4nRIb9zY/sPO3KMAjJGKaP3u8xWkrfVZzaqPkfOWa5RDkh9AtvpN/fVLH
-dC+hC1xlXtjJ/YugJD6OA66sxdyTjR/v++0mqaTQyTI29HqtTc9LUcpbC1OYzxS3
-8vlZZgieRU0UlBvpsR0AqCaTZPgcrIvJ0EVIk6XzgOWJAptAe3tFEVrHtZJAQG04
-TI7NN/zw17O9Sn8NVEB4RSw6CFZeEVBBfCZL99HveEd8WPU0zgYceuVl/UCpQFNi
-Av6/+n+/6KwHXg==
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/kdc.pem b/crypto/krb5/src/tests/pkinit-certs/kdc.pem
deleted file mode 100644
index 4f7785854c11..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/kdc.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owSTELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCb/Um3NkEmx1p2Y5OeSX3jnTxlLJijnE/zewtP9JjkKuLVApoWu57aQaCC
-XVAQ4TEGsht0B67kF+2qILTsfIaC6C1GjSoMcxGdDi2w0THNjPr0w6QUTiExiNSj
-70LbYZUuKHKir6gQs3uujfS7n8wI7utQsinQd6QspD64A1VUnH7GdbdswmytEhdn
-H2QHSMgi6Bi3kPefzS90iMdAl/YFOOwFZgZEkPixMSUYW1EiIPqbim6idF1SC0dQ
-dns4IpNjmxTQ9IbEVEuL/KSpyA89B10dgJ3kxEmPmrY2883pRgNsx/OqeLS4ND2p
-0OMePoKZEIc0q+Qpot0F+F2oUq5lAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUkj/6
-c5Xl+c1XGfYaSORhtnkPqaowgdQGA1UdIwSBzDCByYAUkj/6c5Xl+c1XGfYaSORh
-tnkPqaqhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl
-dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg
-SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p
-dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E
-BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL
-S1JCVEVTVC5DT02hIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG
-A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAHGR7TUjyGt7IbqD
-MW/MfOkLtvpv1f3MhbRSmYDweGKejh2xQIONC/BlaBA2RWmhJIYTdc8wPRlcC76D
-2HLhBmGyOSy+ZTX/txGhtXm+xzNuhLF95VKDd2Z+06CMe1CptH1fvnf5YaZsUgv4
-nXmRN2i4WWrVHoWsAFCcEM6PqT9j/2485DbjtmoS7nVNvO0UKJs2vGgZYuxgYQsl
-S387YJnSbC3/VjTHGBh+R7oRZ0cBvpviWyp5Xak0kNcWAUSu3Oa1FRYDz6Cw/r7/
-wrTWxMA9W3Ygzeh+JFpYZkj5BNrwFem8UxrM/g2ZvXVS81dKGfA5spEZ/cEsAkU1
-8mWgcJY=
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/make-certs.sh b/crypto/krb5/src/tests/pkinit-certs/make-certs.sh
deleted file mode 100755
index 9fb3e414124b..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/make-certs.sh
+++ /dev/null
@@ -1,179 +0,0 @@ -#!/bin/sh -e - -NAMETYPE=1 -KRBTGT_NAMETYPE=2 -KEYSIZE=2048 -DAYS=4000 -REALM=KRBTEST.COM -LOWREALM=krbtest.com -KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2 -KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3 -PKINIT_KDC_EKU=1.3.6.1.5.2.3.5 -PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4 -TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1 -TLS_CLIENT_EKU=1.3.6.1.5.5.7.3.2 -EMAIL_PROTECTION_EKU=1.3.6.1.5.5.7.3.4 -# Add TLS EKUs to these if we're testing with NSS and we still have to -# piggy-back on the TLS trust settings. -KDC_EKU_LIST=$PKINIT_KDC_EKU -CLIENT_EKU_LIST=$PKINIT_CLIENT_EKU - -cat > openssl.cnf << EOF -[req] -prompt = no -distinguished_name = \$ENV::SUBJECT - -[ca] -CN = test CA certificate -C = US -ST = Massachusetts -L = Cambridge -O = MIT -OU = Insecure PKINIT Kerberos test CA -CN = pkinit test suite CA; do not use otherwise - -[kdc] -C = US -ST = Massachusetts -O = KRBTEST.COM -CN = KDC - -[user] -C = US -ST = Massachusetts -O = KRBTEST.COM -CN = user - -[exts_ca] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign -basicConstraints = critical,CA:TRUE - -[components_kdc] -0.component=GeneralString:krbtgt -1.component=GeneralString:$REALM - -[princ_kdc] -nametype=EXPLICIT:0,INTEGER:$KRBTGT_NAMETYPE -components=EXPLICIT:1,SEQUENCE:components_kdc - -[krb5princ_kdc] -realm=EXPLICIT:0,GeneralString:$REALM -princ=EXPLICIT:1,SEQUENCE:princ_kdc - -[exts_kdc] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_kdc -extendedKeyUsage = $KDC_EKU_LIST - -[components_client] -component=GeneralString:user - -[princ_client] -nametype=EXPLICIT:0,INTEGER:$NAMETYPE -components=EXPLICIT:1,SEQUENCE:components_client - -[krb5princ_client] 
-realm=EXPLICIT:0,GeneralString:$REALM -princ=EXPLICIT:1,SEQUENCE:princ_client - -[exts_client] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client -extendedKeyUsage = $CLIENT_EKU_LIST - -[exts_upn_client] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM -extendedKeyUsage = $CLIENT_EKU_LIST - -[exts_upn2_client] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user -extendedKeyUsage = $CLIENT_EKU_LIST - -[exts_upn3_client] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM -extendedKeyUsage = $CLIENT_EKU_LIST - -[exts_none] -EOF - -# Generate an RSA private key and a password-protected PEM file for it.. -openssl genrsa $KEYSIZE > privkey.pem -openssl rsa -in privkey.pem -out privkey-enc.pem -des3 -passout pass:encrypted - -# Generate an EC private key. -openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > eckey.pem - -# Generate a "CA" certificate. 
-SUBJECT=ca openssl req -config openssl.cnf -new -x509 -extensions exts_ca \ - -set_serial 1 -days $DAYS -key privkey.pem -out ca.pem - -serial=2 -gen_cert() { - keyfile=${4-privkey.pem} - SUBJECT=$1 openssl req -config openssl.cnf -new -key $keyfile -out csr - SUBJECT=$1 openssl x509 -extfile openssl.cnf -extensions $2 \ - -set_serial $serial -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ - -in csr -out $3 - serial=$((serial + 1)) - rm -f csr -} - -gen_pkcs12() { - # Use -descert to make OpenSSL 1.1 generate files OpenSSL 3.0 can - # read (the default uses RC2, which is only available in the - # legacy provider in OpenSSL 3). This option causes an algorithm - # downgrade with OpenSSL 3.0 (AES to DES3), but that isn't - # important for test certs. - openssl pkcs12 -export -descert -in "$1" -inkey privkey.pem -out "$2" \ - -passout pass:"$3" -} - -# Generate a KDC certificate. -gen_cert kdc exts_kdc kdc.pem - -# Generate a client certificate and PKCS#12 bundles. -gen_cert user exts_client user.pem -gen_pkcs12 user.pem user.p12 -gen_pkcs12 user.pem user-enc.p12 encrypted - -# Generate an EC client certificate. -gen_cert user exts_client ecuser.pem eckey.pem - -# Generate a client certificate and PKCS#12 bundle with a UPN SAN. -gen_cert user exts_upn_client user-upn.pem -gen_pkcs12 user-upn.pem user-upn.p12 - -# Same, but with no realm in the UPN SAN. -gen_cert user exts_upn2_client user-upn2.pem -gen_pkcs12 user-upn2.pem user-upn2.p12 - -# Same, but with an uppercase realm in the UPN SAN. -gen_cert user exts_upn3_client user-upn3.pem -gen_pkcs12 user-upn3.pem user-upn3.p12 - -# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions. -gen_cert user exts_none generic.pem -gen_pkcs12 generic.pem generic.p12 - -# Clean up. -rm -f openssl.cnf diff --git a/crypto/krb5/src/tests/pkinit-certs/privkey-enc.pem b/crypto/krb5/src/tests/pkinit-certs/privkey-enc.pem deleted file mode 100644 index fd36246ed4f6..000000000000 
--- a/crypto/krb5/src/tests/pkinit-certs/privkey-enc.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIBw7aG13XYxwCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECPWyEPoKz4WhBIIEyKHdx+pkDxax
-dCCUZHsJ54boZxh+7f7xmO9Rjm+6+3cE+WCjPsiGHPUDtOXLxWwcrG0RAmA1GmrE
-yZbclwEMF8LcWQ3EUDMCJXBs7CEtA4XDH+EW1KsZwP+cA53ZFFikGj3sW6Ix5GLi
-Df311Eumhp3GABU57siNn+tMZJAorInth5lXBJFQoE3KJbBrSN9iQKZTOpgr4G3B
-G+qzBwrUKnZrGIp42t8op4VkB8sA6xoHh/huJB5pNygt9OZUQ+xdxvNQq+5/kJ2I
-mP/JRPSuN4GtnNA4fBB6tPv8t0L8hActkWlQ1rSJwWnWge3t4r5/3FBcAbl+zq3k
-t8A0LWgjsiQRmlKRN7GrzorOUKFv+7YAq6rc1Ek79qitUgEiFkwZZySt5+yPstMW
-vpaq2V0yDHf5Ds9uXffprhSAjnfXdT4NTg5eMeH65OEedUpVVzHauoGfFkDGaq8L
-8XgWPZPaz6GQFpU5SGk8FZn0OLLJHnHQDYo+ViL2XSuuqY8Jd7fmpzqVoHOU8k9Q
-/ONKW+E6uvkpNH6NbknceA/ip1bcdfwA/uRBckXjCc5uR0oB18M4UQPuKlcGev39
-mcdlvzQJxl2EWbB8ULazzuzOVfCAEwKc96qOkDAY94CB69f/KhBOd2QqHzdxrQ+3
-+K+YduhbfP49Vxaq4NIklS/kSSv4GEBHzEwtFxX4oqN4Er+UkBSB423nvlkSLd1g
-tR4M30lJyzmHtOEpSOZYLakviz36ZOCV/DsxrfziNG/0RB/mPLm/B5L+StqjJrTY
-Pjo3QHKb+6ShhTi+jZ8tqXa68+TZO3Q7eTgqrcn8mq9jfama0KQF/13kmUsrFXTS
-wk/nbSP10z+MhO68z7o3j+Q0Co/cXkQke4slvc3DqLNvpQdDMPLKQVxtkPBq5czr
-dbk5K2GYFLNWO5Tv2RgBGomznoAGSolz5ozIqxffVHAK4NGfhihgLO/6GujDANVz
-EX/2/IacRg0L0x7//O/GHomiFvWYnDbHhRNicERe/ji1TCxJ5glqntFjOXDumwi6
-f+mQWNWlQWtKq0IOnlHrBB+vqykAj+e+FROqJjuNI6hu4CNnrBK3Hf+NY+rXdn7l
-iCTD3ojdufqo0JDZe8dXea+B7Zu7WNAxnpW8D018DJxR2hoBvT4Po1CBaHLfxAkT
-ZGeXMjp1vZ348xBSppFpIpYjFRQBeBgSezzA66o3YIcDeHu2bTzg73DiUXNgV3RG
-OyJHmsOmN9Gax/Cx4z6/Ff7seisXpIMRU9TDrRCFKAcPHXAl3R4L6guK0I5OGwz3
-GSMxsx3PGitj0x+1ynW/Tf+EJQD33ognc+kuQfNL0XW2tNJoibZIs1WgdbDwD9RD
-X7rbb9GfSJlQUnBFG/EKU7SGmFZUVMz7we8vckZ1PfeIKfH7OWrZ2i1WxIF2WO1K
-BX4TXp0KKt+aCwf1GInQ/6aYgh5g8W2iKuz2HJeZIN+ohciNmpOynsFmHGXdbvnO
-Kw+msZEQb5AvhXf4ToiSwZLSwq3qAILN8fOQQ9ta1DjJuUtITpe6ys9xhlnriUkm
-KrY50GkimLdD6XszC2uNulAuh3o0nZplqxC9IOLh+uasEU/+xqtwTaaYBljTpH2C
-8FPAEFFUVy6lsngJEQvdjw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/privkey.pem b/crypto/krb5/src/tests/pkinit-certs/privkey.pem
deleted file mode 100644
index 2a25dc19cf82..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/privkey.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCb/Um3NkEmx1p2
-Y5OeSX3jnTxlLJijnE/zewtP9JjkKuLVApoWu57aQaCCXVAQ4TEGsht0B67kF+2q
-ILTsfIaC6C1GjSoMcxGdDi2w0THNjPr0w6QUTiExiNSj70LbYZUuKHKir6gQs3uu
-jfS7n8wI7utQsinQd6QspD64A1VUnH7GdbdswmytEhdnH2QHSMgi6Bi3kPefzS90
-iMdAl/YFOOwFZgZEkPixMSUYW1EiIPqbim6idF1SC0dQdns4IpNjmxTQ9IbEVEuL
-/KSpyA89B10dgJ3kxEmPmrY2883pRgNsx/OqeLS4ND2p0OMePoKZEIc0q+Qpot0F
-+F2oUq5lAgMBAAECggEADwzB9vY6FPa46KE01dm7VqGN+SjzVR24rQIbFkzAD4t/
-tRN6MGVLrz0TsmA0YFyJsV6vvWMcYY9Zc8eSDRr6k1i5PYxTGT5k3aVHjT6xsmY+
-tCzIANmE5FWSRnrIFYh1ry1h2gZejbXzYeT6TrvdIKOEepWl6SIR6eiy0Ggp7G7C
-SjlpT96ZtdE2RnlvcxcACtwhe3vPbkLmTCOEqeZ6LHCHIHiK4KdJgJ08OjU7Kgsr
-+vmnwTJsH5s0b5IIznfWajO4JNOpqjzFDjDctGYBwp5xF4zu3u4bKe9aleM0q/jl
-ZkibxLsFAh3Xkh89nxr3E6oBLm0F8r8M7PK5wpMShQKBgQDAipf6T6XUY+ugkKw+
-301LyoAch6WV9oT6uOJsAttmcUpUr6NXhRT3OM4oqyYsAc5JW2wbz+n6lED3j6Ez
-QEKSIFrYpjrYr9D7hqvISI9JT0PhVSPXECfifEyIR9xmLvV9WQq7NRCJMi26X9ab
-Grqpw1HNlPA/rdcc/dY0p25DlwKBgQDPZqxSnwnTa6X+r0UdR8l6kc9VuESotpbE
-0ziF222bpXmZ2GKiEU1buFORHih/e3yDvKvq+p2apyUKnEEVQg/TL8/Jzya7fEOI
-lTXcNQ/f78ef+nwEAxdRVQkWXFWHvvKUHm1rGCIY7zeOLnQ9JjBQkgG8zhUamAP1
-owLBBTstYwKBgQC+yNX9Du0HvpbdfF1g0025OwekvXiDV0m/UnHxiwcxxDJeJceZ
-0mHK8nu9apGha4ynvbIrAOMdC8gwRh76NMOCHhNGt7h5vAU9Jt2S0OtCPgvJ/N5N
-nVGYJ4iCRYqLqh5QvWlXxSYEfDc5hPuWp26tBsBJEDrbLnuH27JkbD9jMwKBgQCM
-f1VFMw+I9WehvEHpr/PA4H2/5/A7ClXgR+YGZ7s8sUBLA9btSyNIevnBWNi+Y3za
-ETm1GMkjNw9UvL0qFXJ68eylHXtzjp6BK/MslZWHcfudWCYi4aUuJ5jcWPhn2Oaj
-iGk/Hz4Z/hN4cee0dOZN7lrW+BQ7y7cC88at00lfWQKBgQC7YeW02aUPw9jMJh1x
-lDfBh+E5sdRwRQIvh3BuyTd+m/LI+3b9RSy+LIL2KFJucwKm9zR9fy33tHF2S5En
-Q+inhyXfOEygal5Rzxe3Pfx+pGZbzr6IXkhquHtjuFBwJJCrSeR66V2xDmzJfCj4
-TY+CzwOJ/EltH4ZjPwEmE0S7+w==
------END PRIVATE KEY-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-enc.p12 b/crypto/krb5/src/tests/pkinit-certs/user-enc.p12
Binary files differ
deleted file mode 100644
index 69780bf82d14..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-enc.p12
+++ /dev/null
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-upn.p12 b/crypto/krb5/src/tests/pkinit-certs/user-upn.p12
Binary files differ
deleted file mode 100644
index e91cc8a0c048..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-upn.p12
+++ /dev/null
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-upn.pem b/crypto/krb5/src/tests/pkinit-certs/user-upn.pem
deleted file mode 100644
index 7dcd716cbbc2..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-upn.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIExTCCA62gAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owSjELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAm/1JtzZBJsdadmOTnkl94508ZSyYo5xP83sLT/SY5Cri1QKaFrue2kGg
-gl1QEOExBrIbdAeu5BftqiC07HyGgugtRo0qDHMRnQ4tsNExzYz69MOkFE4hMYjU
-o+9C22GVLihyoq+oELN7ro30u5/MCO7rULIp0HekLKQ+uANVVJx+xnW3bMJsrRIX
-Zx9kB0jIIugYt5D3n80vdIjHQJf2BTjsBWYGRJD4sTElGFtRIiD6m4puonRdUgtH
-UHZ7OCKTY5sU0PSGxFRLi/ykqcgPPQddHYCd5MRJj5q2NvPN6UYDbMfzqni0uDQ9
-qdDjHj6CmRCHNKvkKaLdBfhdqFKuZQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFJI/
-+nOV5fnNVxn2GkjkYbZ5D6mqMIHUBgNVHSMEgcwwgcmAFJI/+nOV5fnNVxn2Gkjk
-YbZ5D6mqoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
-EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
-AQsFAAOCAQEAbe5/xDlFplE/h6BSqXSftjyiPgRlmPPkuTwiKHfmHYHv+KXHBDFY
-wuGDu4Tdh/qisskXJGoKYfRsOox6AW3ZTcklkjvVw0V73nPo+98USWYTzKq7NriF
-rJ9skYALu/Yv6q8iEoziOyDG55LppWne5KH0Of5ctikZVthxDnjm/saSR1lNa+8A
-gB6x9uid73qw+seg1/DoOdb+uHGnKBeSUrJC9vtdfodYdeatNFDDNoxqjGPajDNT
-TGI2ace2yZAgD/ic1MzI/s2eTHfzzO+puJIPzLScdy80RYMeILQs9g+x5NhOUuMz
-YMVFE0PAQLshVggtJ9l8fmHmrrJXP9BAWw==
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-upn2.p12 b/crypto/krb5/src/tests/pkinit-certs/user-upn2.p12
Binary files differ
deleted file mode 100644
index e29ff5412baa..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-upn2.p12
+++ /dev/null
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-upn2.pem b/crypto/krb5/src/tests/pkinit-certs/user-upn2.pem
deleted file mode 100644
index b2d8c1dd81ba..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-upn2.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEuTCCA6GgAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owSjELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAm/1JtzZBJsdadmOTnkl94508ZSyYo5xP83sLT/SY5Cri1QKaFrue2kGg
-gl1QEOExBrIbdAeu5BftqiC07HyGgugtRo0qDHMRnQ4tsNExzYz69MOkFE4hMYjU
-o+9C22GVLihyoq+oELN7ro30u5/MCO7rULIp0HekLKQ+uANVVJx+xnW3bMJsrRIX
-Zx9kB0jIIugYt5D3n80vdIjHQJf2BTjsBWYGRJD4sTElGFtRIiD6m4puonRdUgtH
-UHZ7OCKTY5sU0PSGxFRLi/ykqcgPPQddHYCd5MRJj5q2NvPN6UYDbMfzqni0uDQ9
-qdDjHj6CmRCHNKvkKaLdBfhdqFKuZQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFJI/
-+nOV5fnNVxn2GkjkYbZ5D6mqMIHUBgNVHSMEgcwwgcmAFJI/+nOV5fnNVxn2Gkjk
-YbZ5D6mqoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM
-BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAFN2R
-gVMM5HNoXuwBPcpNsP5AVSoQRTAv6UUxAjTPLGH5mE6LGW8/JxM0R5x0PdVyU3u7
-zq4qa10XdGJpSt94cD6m7R61Sw6ru9PBtHmB0oUfkWRa2+SJpjmcwyc86W0XRBhr
-OhD0QGOnF1hGyTYzPViGxRZFVMiqXsWuAJ4i6uTyyPeeN+UuehQ3SsVEA1csrKMy
-dNT7FKQBvUTBnSZ9rxphGBrw/NZQyG74KxG5W3Nsnq89VK6+ESJcsUOT55WrHRwE
-CwKoeX+otyj8ptOwKaaje0DZnSXTXqEag4G4PgH4ovd+ehad0JaE4jtQTm+Vy15W
-cwHSMGSA+Kq1Hsqhhw==
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-upn3.p12 b/crypto/krb5/src/tests/pkinit-certs/user-upn3.p12
Binary files differ
deleted file mode 100644
index 93a30422bde5..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-upn3.p12
+++ /dev/null
diff --git a/crypto/krb5/src/tests/pkinit-certs/user-upn3.pem b/crypto/krb5/src/tests/pkinit-certs/user-upn3.pem
deleted file mode 100644
index 618f005267b2..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user-upn3.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIExTCCA62gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owSjELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAm/1JtzZBJsdadmOTnkl94508ZSyYo5xP83sLT/SY5Cri1QKaFrue2kGg
-gl1QEOExBrIbdAeu5BftqiC07HyGgugtRo0qDHMRnQ4tsNExzYz69MOkFE4hMYjU
-o+9C22GVLihyoq+oELN7ro30u5/MCO7rULIp0HekLKQ+uANVVJx+xnW3bMJsrRIX
-Zx9kB0jIIugYt5D3n80vdIjHQJf2BTjsBWYGRJD4sTElGFtRIiD6m4puonRdUgtH
-UHZ7OCKTY5sU0PSGxFRLi/ykqcgPPQddHYCd5MRJj5q2NvPN6UYDbMfzqni0uDQ9
-qdDjHj6CmRCHNKvkKaLdBfhdqFKuZQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFJI/
-+nOV5fnNVxn2GkjkYbZ5D6mqMIHUBgNVHSMEgcwwgcmAFJI/+nOV5fnNVxn2Gkjk
-YbZ5D6mqoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
-EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
-AQsFAAOCAQEASLN4+MiZUQwBzQ3ezt1B8Zx8jHL7a16s1H5v1J2Dwne/pM/risjg
-ZAlv65IlKEp2E6cqcmCPajlZ967vJr1qC+OSV2AZuL8HZlg+ISacoII9T97X9/UJ
-AJfOWBN6y0DQ7s6OLSunf0+mAw+LKmFoIQeO5+DvU4chEYkcs6NbbAos/He1Wgq/
-RTz9J3EhGuoDVgqq/avrTsgW9HyrHsG+Y/6n4cX2lq+VV7h8fG91hC073Rz9QMFY
-q/pBqFqIE/FrgA4YbpOrSx6m+eOyFSAWTLtmlJmROiNYo4ZuGmBtrDntet+YK75A
-8Rsfbapjn4SKJzgJseVgUbEEMOFcugQBfQ==
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/pkinit-certs/user.p12 b/crypto/krb5/src/tests/pkinit-certs/user.p12
Binary files differ
deleted file mode 100644
index 0f854cae6f03..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user.p12
+++ /dev/null
diff --git a/crypto/krb5/src/tests/pkinit-certs/user.pem b/crypto/krb5/src/tests/pkinit-certs/user.pem
deleted file mode 100644
index 7493de52c193..000000000000
--- a/crypto/krb5/src/tests/pkinit-certs/user.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE0zCCA7ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTI0MDIxNTA0NTkwN1oXDTM1MDEyODA0NTkwN1owSjELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAm/1JtzZBJsdadmOTnkl94508ZSyYo5xP83sLT/SY5Cri1QKaFrue2kGg
-gl1QEOExBrIbdAeu5BftqiC07HyGgugtRo0qDHMRnQ4tsNExzYz69MOkFE4hMYjU
-o+9C22GVLihyoq+oELN7ro30u5/MCO7rULIp0HekLKQ+uANVVJx+xnW3bMJsrRIX
-Zx9kB0jIIugYt5D3n80vdIjHQJf2BTjsBWYGRJD4sTElGFtRIiD6m4puonRdUgtH
-UHZ7OCKTY5sU0PSGxFRLi/ykqcgPPQddHYCd5MRJj5q2NvPN6UYDbMfzqni0uDQ9
-qdDjHj6CmRCHNKvkKaLdBfhdqFKuZQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFJI/
-+nOV5fnNVxn2GkjkYbZ5D6mqMIHUBgNVHSMEgcwwgcmAFJI/+nOV5fnNVxn2Gkjk
-YbZ5D6mqoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-BAQDAgPoMAwGA1UdEwEB/wQCMAAwOQYDVR0RBDIwMKAuBgYrBgEFAgKgJDAioA0b
-C0tSQlRFU1QuQ09NoREwD6ADAgEBoQgwBhsEdXNlcjASBgNVHSUECzAJBgcrBgEF
-AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQBRWsxPb9miF9xf8rEIfVko0qBy8doEJsPE
-IVD9Jz/Ml/TBZRLbi1b94l15Fto/Z6XKf8jrnBs4krf6tU2D5PUZXZYZ6tr/2kkY
-IpmoOkEoQX8gtcZfaq2OJzsKHnAJT159EVydyYahHU66i4aNvho74oAafrVTyk8B
-PHCHFs0MUct8DoNwrbnfH0cjqEdVOmjjvBN0yA+RxOa543XnQqkSmCuIJKoD6pUa
-07rE372iERgIjDnzCogiEo9cCBBqDfgsbr0ah1QbWJTJvnsFuxT43tBNurRjNPoX
-Jj6xAzhQLCuvqtKtWlAUOHut18YbVGXVT+3tm7+C6iA44JvMl9m1
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/plugorder.c b/crypto/krb5/src/tests/plugorder.c
deleted file mode 100644
index a2b7e34eead5..000000000000
--- a/crypto/krb5/src/tests/plugorder.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/plugorder.c - Test harness to display the order of loaded plugins */
-/*
- * Copyright (C) 2013 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This file registers a few dummy built-in pwqual modules, then prints out the
- * order of pwqual modules returned by k5_plugin_load_all. The choice of the
- * pwqual interface is mostly arbitrary; it is an interface which libkrb5
- * itself doesn't use, for which we have a test module.
- */
-
-#include "k5-int.h"
-#include <krb5/pwqual_plugin.h>
-
-static krb5_context ctx;
-
-static void
-check(krb5_error_code code)
-{
- const char *errmsg;
-
- if (code) {
- errmsg = krb5_get_error_message(ctx, code);
- fprintf(stderr, "%s\n", errmsg);
- krb5_free_error_message(ctx, errmsg);
- exit(1);
- }
-}
-
-static krb5_error_code
-blt1(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
-{
- ((krb5_pwqual_vtable)vtable)->name = "blt1";
- return 0;
-}
-
-static krb5_error_code
-blt2(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
-{
- ((krb5_pwqual_vtable)vtable)->name = "blt2";
- return 0;
-}
-
-static krb5_error_code
-blt3(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable)
-{
- ((krb5_pwqual_vtable)vtable)->name = "blt3";
- return 0;
-}
-
-int
-main(void)
-{
- krb5_plugin_initvt_fn *modules = NULL, *mod;
- struct krb5_pwqual_vtable_st vt;
-
- check(krb5_init_context(&ctx));
- check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt1", blt1));
- check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt2", blt2));
- check(k5_plugin_register(ctx, PLUGIN_INTERFACE_PWQUAL, "blt3", blt3));
- check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &modules));
- for (mod = modules; *mod != NULL; mod++) {
- check((*mod)(ctx, 1, 1, (krb5_plugin_vtable)&vt));
- printf("%s\n", vt.name);
- }
- k5_plugin_free_modules(ctx, modules);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/proxy-certs/ca.pem b/crypto/krb5/src/tests/proxy-certs/ca.pem
deleted file mode 100644
index ee24cba81c2a..000000000000
--- a/crypto/krb5/src/tests/proxy-certs/ca.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEuzCCA6OgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww
-KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x
-OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMIGZMQswCQYDVQQGEwJVUzEWMBQG
-A1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQK
-DANNSVQxIjAgBgNVBAsMGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNV
-BAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWK
-KayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9
-uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTH
-EO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9
-B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd
-3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABo4IB
-CjCCAQYwHQYDVR0OBBYEFPf/vJvFMCwrABeCC0sq7RGfYeIiMIHGBgNVHSMEgb4w
-gbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGfpIGcMIGZMQswCQYDVQQGEwJVUzEW
-MBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYD
-VQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJlIEtlcmJlcm9zIHRlc3QgQ0ExLDAq
-BgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsG
-A1UdDwQEAwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBz
-q/t9amz4ahTFNc0v69NZrfCBgo7DWBHxXuE0Gov2/RBPwP/+Efrd4+1Tl5fSv6We
-N/cttEUTTM3Z7wtof3mkSQwkozwWpaHXm31St+0FbTuHNpN4i0Uae5lsO8/pTz/L
-VqsVLjGGpkZKP831BO9oJJbwUASNc2dpLs94pojlSlSZzf/u/T+k0wltgZexnQpU
-5IrdPIqteB32ym2XjZWSCS29jL3zoZ/y8UAPIOR/Zi77wNCehOuBx2bzc/P6RNLa
-CuuPMhDu8PPYVB3rfJInmF5wT5jQ9YX4UUb0qYXDRff5/l26fEjLHQSrA/iMqdIW
-dsDwkqTcy1lOjcP3xOMq
------END CERTIFICATE-----
diff --git a/crypto/krb5/src/tests/proxy-certs/make-certs.sh b/crypto/krb5/src/tests/proxy-certs/make-certs.sh
deleted file mode 100755
index 7a40e2b98987..000000000000
--- a/crypto/krb5/src/tests/proxy-certs/make-certs.sh
+++ /dev/null
@@ -1,124 +0,0 @@ -#!/bin/sh -e - -PWD=`pwd` -NAMETYPE=1 -KEYSIZE=2048 -DAYS=4000 -REALM=KRBTEST.COM -TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1 -PROXY_EKU_LIST=$TLS_SERVER_EKU - -cat > openssl.cnf << EOF -[req] -prompt = no -distinguished_name = \$ENV::SUBJECT - -[ca] -default_ca = test_ca - -[test_ca] -new_certs_dir = $PWD -serial = $PWD/ca.srl -database = $PWD/ca.db -certificate = $PWD/ca.pem -private_key = $PWD/privkey.pem -default_days = $DAYS -x509_extensions = exts_proxy -policy = proxyname -default_md = sha256 -unique_subject = no -email_in_dn = no - -[signer] -CN = test CA certificate -C = US -ST = Massachusetts -L = Cambridge -O = MIT -OU = Insecure Kerberos test CA -CN = test suite CA; do not use otherwise - -[proxy] -C = US -ST = Massachusetts -O = KRBTEST.COM -CN = PROXYinSubject - -[localhost] -C = US -ST = Massachusetts -O = KRBTEST.COM -CN = localhost - -[proxyname] -C = supplied -ST = supplied -O = supplied -CN = supplied - -[exts_ca] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign -basicConstraints = critical,CA:TRUE - -[exts_proxy] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -subjectAltName = DNS:proxyÅ ubjectÄltÑame,DNS:proxySubjectAltName,IP:127.0.0.1,IP:::1,DNS:localhost -extendedKeyUsage = $PROXY_EKU_LIST - -[exts_proxy_no_san] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -basicConstraints = critical,CA:FALSE -extendedKeyUsage = $PROXY_EKU_LIST -EOF - -# Generate a private key. -openssl genrsa $KEYSIZE > privkey.pem - -# Generate a "CA" certificate. 
-SUBJECT=signer openssl req -config openssl.cnf -new -x509 -extensions exts_ca \ - -set_serial 1 -days $DAYS -key privkey.pem -out ca.pem - -# Generate proxy certificate signing requests. -SUBJECT=proxy openssl req -config openssl.cnf -new -key privkey.pem \ - -out proxy.csr -SUBJECT=localhost openssl req -config openssl.cnf -new -key privkey.pem \ - -out localhost.csr - -# Issue the certificate with the right name in a subjectAltName. -echo 02 > ca.srl -cat /dev/null > ca.db -SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy \ - -batch -days $DAYS -notext -out tmp.pem -in proxy.csr -cat privkey.pem tmp.pem > proxy-san.pem - -# Issue a certificate that only has the name in the subject field -SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy_no_san \ - -batch -days $DAYS -notext -out tmp.pem -in localhost.csr -cat privkey.pem tmp.pem > proxy-subject.pem - -# Issue a certificate that doesn't include any matching name values. -SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy_no_san \ - -batch -days $DAYS -notext -out tmp.pem -in proxy.csr -cat privkey.pem tmp.pem > proxy-no-match.pem - -# Issue a certificate that contains all matching name values. -SUBJECT=proxy openssl ca -config openssl.cnf -extensions exts_proxy \ - -batch -days $DAYS -notext -out tmp.pem -in localhost.csr -cat privkey.pem tmp.pem > proxy-ideal.pem - -# Corrupt the signature on the certificate. -SUBJECT=proxy openssl x509 -outform der -in proxy-ideal.pem -out bad.der -length=`od -Ad bad.der | tail -n 1 | awk '{print $1}'` -dd if=/dev/zero bs=1 of=bad.der count=16 seek=`expr $length - 16` -SUBJECT=proxy openssl x509 -inform der -in bad.der -out tmp.pem -cat privkey.pem tmp.pem > proxy-badsig.pem - -# Clean up. -rm -f openssl.cnf proxy.csr localhost.csr privkey.pem ca.db ca.db.old ca.srl ca.srl.old ca.db.attr ca.db.attr.old 02.pem 03.pem 04.pem 05.pem tmp.pem bad.der 
diff --git a/crypto/krb5/src/tests/proxy-certs/proxy-badsig.pem b/crypto/krb5/src/tests/proxy-certs/proxy-badsig.pem
deleted file mode 100644
index 40001d974730..000000000000
--- a/crypto/krb5/src/tests/proxy-certs/proxy-badsig.pem
+++ /dev/null
@@ -1,56 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww 
-KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD -VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE -AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC -eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y -b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg -Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2 -3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3 -ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG -GDy+ZCKmxf8Zu/8SwwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFPf/vJvFMCwrABeC -C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf -pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG -A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl -IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v -dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMFkG -A1UdEQRSMFCCFnByb3h5xaB1YmplY3TDhGx0w5FhbWWCE3Byb3h5U3ViamVjdEFs -dE5hbWWHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdDATBgNVHSUE -DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAsMRJnxdbnpm5VlCFwNyU -8ra1wCjj+ZH0POVCM4iXQ77bV6UBpcqlaQUvR7R/H1Bt5t3Cp0ycN/dy+RcXtj+5 -FA84bRM767rsakxTEwjOjWw6GiK6bGjBfQ4F6Q97ELmiM0OZgmW8D56UHZxrI+o7 -QrKWBpFf1UA8n/BmupHBtyW3gudtJS9a71u6lBRydPFqJ4l8YxHckbgPFceSRbRj -x7E2pQVQ0p2nvG/NVyuC+2L29p81KAsG3vPzwOOfr1Tnpl1/B4R0+XEIy33KHpbz -Ceyitz6k16fOVNxMI59W2OACPTQ/s99kygh+cARRPfEUAAAAAAAAAAAAAAAAAAAA -AA== ------END CERTIFICATE----- diff --git a/crypto/krb5/src/tests/proxy-certs/proxy-ideal.pem b/crypto/krb5/src/tests/proxy-certs/proxy-ideal.pem deleted file mode 100644 index 3bb09dc94129..000000000000 --- a/crypto/krb5/src/tests/proxy-certs/proxy-ideal.pem +++ /dev/null 
@@ -1,56 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIE3TCCA8WgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww 
-KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD -VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE -AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC -eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y -b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg -Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2 -3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3 -ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG -GDy+ZCKmxf8Zu/8SwwIDAQABo4IBdzCCAXMwHQYDVR0OBBYEFPf/vJvFMCwrABeC -C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf -pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG -A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl -IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v -dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMFkG -A1UdEQRSMFCCFnByb3h5xaB1YmplY3TDhGx0w5FhbWWCE3Byb3h5U3ViamVjdEFs -dE5hbWWHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdDATBgNVHSUE -DDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAsMRJnxdbnpm5VlCFwNyU -8ra1wCjj+ZH0POVCM4iXQ77bV6UBpcqlaQUvR7R/H1Bt5t3Cp0ycN/dy+RcXtj+5 -FA84bRM767rsakxTEwjOjWw6GiK6bGjBfQ4F6Q97ELmiM0OZgmW8D56UHZxrI+o7 -QrKWBpFf1UA8n/BmupHBtyW3gudtJS9a71u6lBRydPFqJ4l8YxHckbgPFceSRbRj -x7E2pQVQ0p2nvG/NVyuC+2L29p81KAsG3vPzwOOfr1Tnpl1/B4R0+XEIy33KHpbz -Ceyitz6k16fOVNxMI59W2OACPTQ/s99kygh+cARRPfEUPjDcJpS1gRZ6kDKRh6Np -ig== ------END CERTIFICATE----- diff --git a/crypto/krb5/src/tests/proxy-certs/proxy-no-match.pem b/crypto/krb5/src/tests/proxy-certs/proxy-no-match.pem deleted file mode 100644 index 7464e40db29c..000000000000 --- a/crypto/krb5/src/tests/proxy-certs/proxy-no-match.pem +++ /dev/null 
@@ -1,54 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIEhzCCA2+gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww 
-KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMFQxCzAJBgNVBAYTAlVTMRYwFAYD -VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTEXMBUGA1UE -AwwOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDngcJ5NNR7XbumqMryvbw0YzDavbH6FYoprIfk2ao6qfCfNEeRkTlSORrND+H3 -tLotnphvzDeYkTJfU91w0BEPDaZs48WTk325ecFvoBmiDuGH3Ax7/+D1rs+kpqd/ -Dr19JWACvj1MUWIugq7JOAeIk4HtiA/RtMcQ7iUuq6w9AzXqVENJ2heDja50CHe4 -Fj5AOzbeyctKIH72+3yC3qBeJphvcEE5az0Hc8qzfvg32Q4+yByP7yTJH8z6r5F8 -rluKpLdx7+zG89XQqx6H//W4nGVtALA6IF3dMtYcuFb0XuvMRy/OfUx9yTfmzRcM -NGUbFEYYPL5kIqbF/xm7/xLDAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU9/+8m8Uw -LCsAF4ILSyrtEZ9h4iIwgcYGA1UdIwSBvjCBu4AU9/+8m8UwLCsAF4ILSyrtEZ9h -4iKhgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRz -MRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEiMCAGA1UECwwZSW5z -ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAwwjdGVzdCBzdWl0ZSBDQTsg -ZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0PBAQDAgPoMAwGA1UdEwEB/wQC -MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAI0Ons8g -6aXdZsKSmp1hbwNUvsY5GNl/QHVJIMQbe9zNVkW9Hp286fzkMar6peTB9MEnhzJ5 -5mbJM9DkugzgJeG0+HwsSdjAQCOcG4jSQ3SaASETOo58LsaG/yssIaZiZdJBrzNb -1D5fJVVpopZMZ/mKUNB/2ofUVGVBZCdfyOoIbVSkkm1UHJ9liLFK1ZNPDTX60613 -YNl4BydTiXtEg+IOYgmFXuZj310dDZUMHuYdzAM5j+6i2JaIcK4PgDE+yG9Oj9N+ -uKjj0iHWyoZW49y9Hq/oiMegi2X4XZBtbZlEUu4OkpBJ1QG0MTaz/vN94sHiLOzS -81b7+2BMgHd51+E= ------END CERTIFICATE----- diff --git a/crypto/krb5/src/tests/proxy-certs/proxy-san.pem b/crypto/krb5/src/tests/proxy-certs/proxy-san.pem deleted file mode 100644 index 8eaeceece186..000000000000 --- a/crypto/krb5/src/tests/proxy-certs/proxy-san.pem +++ /dev/null 
@@ -1,56 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIE4jCCA8qgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww 
-KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaMFQxCzAJBgNVBAYTAlVTMRYwFAYD -VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTEXMBUGA1UE -AwwOUFJPWFlpblN1YmplY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDngcJ5NNR7XbumqMryvbw0YzDavbH6FYoprIfk2ao6qfCfNEeRkTlSORrND+H3 -tLotnphvzDeYkTJfU91w0BEPDaZs48WTk325ecFvoBmiDuGH3Ax7/+D1rs+kpqd/ -Dr19JWACvj1MUWIugq7JOAeIk4HtiA/RtMcQ7iUuq6w9AzXqVENJ2heDja50CHe4 -Fj5AOzbeyctKIH72+3yC3qBeJphvcEE5az0Hc8qzfvg32Q4+yByP7yTJH8z6r5F8 -rluKpLdx7+zG89XQqx6H//W4nGVtALA6IF3dMtYcuFb0XuvMRy/OfUx9yTfmzRcM -NGUbFEYYPL5kIqbF/xm7/xLDAgMBAAGjggF3MIIBczAdBgNVHQ4EFgQU9/+8m8Uw -LCsAF4ILSyrtEZ9h4iIwgcYGA1UdIwSBvjCBu4AU9/+8m8UwLCsAF4ILSyrtEZ9h -4iKhgZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRz -MRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEiMCAGA1UECwwZSW5z -ZWN1cmUgS2VyYmVyb3MgdGVzdCBDQTEsMCoGA1UEAwwjdGVzdCBzdWl0ZSBDQTsg -ZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0PBAQDAgPoMAwGA1UdEwEB/wQC -MAAwWQYDVR0RBFIwUIIWcHJveHnFoHViamVjdMOEbHTDkWFtZYITcHJveHlTdWJq -ZWN0QWx0TmFtZYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAAYIJbG9jYWxob3N0MBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQDQI1/zeNAWvXAG -CTJk+hFLNx7xzd28/vWGkumK60rSmLVLZNDlvfmNJZ/kd7d0YZFvZDvbzhugXigI -5N54664XreRwXA7QkgD2laFd/Rzq+6NdhyMCno7V6j1VZUm6/FWgfYjfGEBvbGNv -Ue50fyRSQBmFv3p87Av/Zc0OMjted0zOYUxUPH0OL+2e4BL/suo05Q5DZq+J8Dni -7SJbDC0fp5mKVLQ500zIRwUF2y5TE4olBsYBoaMDxQl+HoG6XpzaVslTKXAvzFMk -8beI2BmqUId1OSLa3TOKnbsK8K/MPnSnB5StINt1+ZtTjjV+dY3xB6ZC+G1Pl6Ta -00C7EWul ------END CERTIFICATE----- diff --git a/crypto/krb5/src/tests/proxy-certs/proxy-subject.pem b/crypto/krb5/src/tests/proxy-certs/proxy-subject.pem deleted file mode 100644 index 3846aece6a08..000000000000 --- a/crypto/krb5/src/tests/proxy-certs/proxy-subject.pem +++ /dev/null 
@@ -1,54 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA54HCeTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRH -kZE5UjkazQ/h97S6LZ6Yb8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wM -e//g9a7PpKanfw69fSVgAr49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRD -SdoXg42udAh3uBY+QDs23snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgc -j+8kyR/M+q+RfK5biqS3ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcv -zn1Mfck35s0XDDRlGxRGGDy+ZCKmxf8Zu/8SwwIDAQABAoIBAGxzOBQpsIReQ6Lu -HaybP4hXEzLVfIOIBaJCJaMKaJl0tLkP95r0qiKfh7OahiPRMQpf6k8tHrpFApDv -q6PGhMdFgLov9YWNqW7y37AYEwn86KAJcHvCQbM2AiXCwGJgGFqA4LpIPlT7JwBc -zd6LddQALfSFMcvuYPbIaPi1CUnGy/AAyxGjUrc60KO57NbI+dHSTOwTHO1QjOz9 -ESk4fb34beUuZQzR6s/s1N0k09GJyklLpAAblRs5M6w9IlAn781eRLUAHTafLm4b -21J9k2Q2UaOofn0Cvh8ggyJMiYqAJ0CsRy5pJroEyboA51WU+8THNFkNtRX5SxY5 -YY3xE7ECgYEA/qkq7BPMkr/SnBPm32G1Eux5eLVd65qbox0oTLodZbusuxutqXTp -1MseDPQtHlrq6CQBizwElx//pdKnIiU9iBS/QkMR9CviitMTt+WrWRrM54/A4CJP -AU2Jg7b2DmhW1ombHHiBZ1tWzyiv9zxrtwR8kmKqv9aTOuPn4l7jY5kCgYEA6Llr -47pQjp/YhkBBvlriRwM9RXek++ythgsWvEswORaUalnaZ9gxZOKKas35GLDDuVyT -RnEhIqVlTg9iz6x5fXRtm6VzQvy9yFLzPMnlwsiSnRNOfMVIETUTOhNgm45tYY8f -lN5bcdY6k6VZ/g/N3zqddnxkjocrd6lAayjjIrsCgYEAyZLYAcPuQx6JM7fhIGIz -tQXvZKeS7yITHbq/onQTPuqd4AEZpi9/w0r/v1srt4JZvGR7wF1CeOkAL56dYr69 -hNB/T5DNTkvKZv6K9h5aUg6PsJ8uGXuus6ZPOi4BeAgI7IpBd/i+3TQEc7eOCZIO -5PAtNqXY6D6NjajGbH2VWckCgYA2KRDmyrF8v86QT9v9BQGsLSDRTerjhk1L6MC9 -yXHLl2mq5oZhrHqyU9aKzKywBlNGjDjqJ+HiQkO1SvdgBW+wtqvbkUGl0VQJjuR0 -vTfvgOY+EAQwHWmMN6Hl3iSZjyf9kGV1K9p0P7saKV0sN1leHjIPJRvx35tKGeWY -CsfxiQKBgQCVUvsX/HeWyc4bxxMuzw8JniUG2JftZqIC1haHEFNElASjt4hARM7Y -X/dkpYPXOZaN+qfvP949rS1WPXRtwMjt7bYzm7MGbXW7OiGGY3LV2CuVmbXJupvr -Usvi+YnpqKDY/miOYd+541NJm76AQTSgQ8K7XitX7Beddh1U9e17mg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIIEgjCCA2qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx -FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG -A1UECgwDTUlUMSIwIAYDVQQLDBlJbnNlY3VyZSBLZXJiZXJvcyB0ZXN0IENBMSww 
-KgYDVQQDDCN0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZTAeFw0x -OTExMTIxODMwMzRaFw0zMDEwMjUxODMwMzRaME8xCzAJBgNVBAYTAlVTMRYwFAYD -VQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNPTTESMBAGA1UE -AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA54HC -eTTUe127pqjK8r28NGMw2r2x+hWKKayH5NmqOqnwnzRHkZE5UjkazQ/h97S6LZ6Y -b8w3mJEyX1PdcNARDw2mbOPFk5N9uXnBb6AZog7hh9wMe//g9a7PpKanfw69fSVg -Ar49TFFiLoKuyTgHiJOB7YgP0bTHEO4lLqusPQM16lRDSdoXg42udAh3uBY+QDs2 -3snLSiB+9vt8gt6gXiaYb3BBOWs9B3PKs374N9kOPsgcj+8kyR/M+q+RfK5biqS3 -ce/sxvPV0Kseh//1uJxlbQCwOiBd3TLWHLhW9F7rzEcvzn1Mfck35s0XDDRlGxRG -GDy+ZCKmxf8Zu/8SwwIDAQABo4IBHDCCARgwHQYDVR0OBBYEFPf/vJvFMCwrABeC -C0sq7RGfYeIiMIHGBgNVHSMEgb4wgbuAFPf/vJvFMCwrABeCC0sq7RGfYeIioYGf -pIGcMIGZMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAG -A1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxIjAgBgNVBAsMGUluc2VjdXJl -IEtlcmJlcm9zIHRlc3QgQ0ExLDAqBgNVBAMMI3Rlc3Qgc3VpdGUgQ0E7IGRvIG5v -dCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBdg7Gk/RqQpTfD -vyFB1GPWRcLYpYW4GQh3e/dcesmwjwT8Nsd4Mzq9mA9TzJIXwffUQ8de85L5+9Oh -k4yiwRS3vDCP0fr+GZMpBqkBVunJIHQnm+RWxT42+0kBxxmO/fqp5ztND8gGBLiW -QPHb+mSCFgmgwnRuW+UI3TZ965oZfd2oRjjHjr51cgxcXndqnNws/kakMpxSM+KT -+ICHNz5og79nC7zpVqu0Cd56stPXbrFeU+bnN5UT9sOZNOYstWZmS8u+ddDuJwhS -ijJZgtQNOIuBfD2TLfDmg/QfLeh5hhgBVyXC5o8g6KEtjPgm+44OF3vNZeuwVPaf -L58YyPcO ------END CERTIFICATE----- diff --git a/crypto/krb5/src/tests/rdreq.c b/crypto/krb5/src/tests/rdreq.c deleted file mode 100644 index 52bec18c9147..000000000000 --- a/crypto/krb5/src/tests/rdreq.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/rdreq.c - Test harness for krb5_rd_req */ -/* - * Copyright (C) 2014 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include <krb5.h> - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_principal client_princ, tkt_princ, server_princ; - krb5_ccache ccache; - krb5_creds *cred, mcred; - krb5_auth_context auth_con; - krb5_data apreq; - krb5_error_code ret, code; - const char *tkt_name, *server_name, *emsg; - - /* Parse arguments. 
*/ - if (argc < 2 || argc > 3) { - fprintf(stderr, "Usage: rdreq tktname [servername]\n"); - exit(1); - } - tkt_name = argv[1]; - server_name = argv[2]; - - if (krb5_init_context(&context) != 0) - abort(); - - /* Parse the requested principal names. */ - if (krb5_parse_name(context, tkt_name, &tkt_princ) != 0) - abort(); - if (server_name != NULL) { - if (krb5_parse_name(context, server_name, &server_princ) != 0) - abort(); - server_princ->type = KRB5_NT_SRV_HST; - } else { - server_princ = NULL; - } - - /* Produce an AP-REQ message. */ - if (krb5_cc_default(context, &ccache) != 0) - abort(); - if (krb5_cc_get_principal(context, ccache, &client_princ) != 0) - abort(); - memset(&mcred, 0, sizeof(mcred)); - mcred.client = client_princ; - mcred.server = tkt_princ; - if (krb5_get_credentials(context, 0, ccache, &mcred, &cred) != 0) - abort(); - auth_con = NULL; - if (krb5_mk_req_extended(context, &auth_con, 0, NULL, cred, &apreq) != 0) - abort(); - - /* Consume the AP-REQ message without using a replay cache. */ - krb5_auth_con_free(context, auth_con); - if (krb5_auth_con_init(context, &auth_con) != 0) - abort(); - if (krb5_auth_con_setflags(context, auth_con, 0) != 0) - abort(); - ret = krb5_rd_req(context, &auth_con, &apreq, server_princ, NULL, NULL, - NULL); - - /* Display the result. */ - if (ret) { - code = ret - ERROR_TABLE_BASE_krb5; - if (code < 0 || code > 127) - code = 60; /* KRB_ERR_GENERIC */ - emsg = krb5_get_error_message(context, ret); - printf("%d %s\n", code, emsg); - krb5_free_error_message(context, emsg); - } else { - printf("0 success\n"); - } - - krb5_free_data_contents(context, &apreq); - assert(apreq.length == 0); - krb5_auth_con_free(context, auth_con); - krb5_free_creds(context, cred); - krb5_cc_close(context, ccache); - krb5_free_principal(context, client_princ); - krb5_free_principal(context, tkt_princ); - krb5_free_principal(context, server_princ); - krb5_free_context(context); - return 0; -} 
diff --git a/crypto/krb5/src/tests/replay.c b/crypto/krb5/src/tests/replay.c deleted file mode 100644 index 1703123d2957..000000000000 --- a/crypto/krb5/src/tests/replay.c +++ /dev/null 
@@ -1,172 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/replay.c - test replay cache using libkrb5 functions */ -/* - * Copyright (C) 2019 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "k5-int.h" - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context ctx; - krb5_auth_context c_authcon, s_authcon, s_authcon2; - krb5_rcache rc; - krb5_ccache cc; - krb5_principal client, server; - krb5_creds mcred, *cred, **tmpcreds; - krb5_data der_apreq, der_krbsafe, der_krbpriv, *der_krbcred, tmpdata; - krb5_address addr; - struct in_addr inaddr; - const char *server_name; - - assert(argc == 2); - server_name = argv[1]; - - /* Create client and server auth contexts. (They will use a replay cache - * by default.) */ - ret = krb5_init_context(&ctx); - assert(ret == 0); - ret = krb5_auth_con_init(ctx, &c_authcon); - assert(ret == 0); - ret = krb5_auth_con_init(ctx, &s_authcon); - assert(ret == 0); - - /* Set dummy addresses for the auth contexts. */ - memset(&inaddr, 0, sizeof(inaddr)); - addr.addrtype = ADDRTYPE_INET; - addr.length = sizeof(inaddr); - addr.contents = (uint8_t *)&inaddr; - ret = krb5_auth_con_setaddrs(ctx, c_authcon, &addr, &addr); - assert(ret == 0); - ret = krb5_auth_con_setaddrs(ctx, s_authcon, &addr, &addr); - assert(ret == 0); - - /* Set up replay caches for the auth contexts. */ - tmpdata = string2data("testclient"); - ret = krb5_get_server_rcache(ctx, &tmpdata, &rc); - assert(ret == 0); - ret = krb5_auth_con_setrcache(ctx, c_authcon, rc); - assert(ret == 0); - tmpdata = string2data("testserver"); - ret = krb5_get_server_rcache(ctx, &tmpdata, &rc); - assert(ret == 0); - ret = krb5_auth_con_setrcache(ctx, s_authcon, rc); - assert(ret == 0); - - /* Construct the client and server principal names. */ - ret = krb5_cc_default(ctx, &cc); - assert(ret == 0); - ret = krb5_cc_get_principal(ctx, cc, &client); - assert(ret == 0); - ret = krb5_parse_name(ctx, server_name, &server); - assert(ret == 0); - - /* Get credentials for the client. 
*/ - memset(&mcred, 0, sizeof(mcred)); - mcred.client = client; - mcred.server = server; - ret = krb5_get_credentials(ctx, 0, cc, &mcred, &cred); - assert(ret == 0); - - /* Send an AP-REP to establish the sessions. */ - ret = krb5_mk_req_extended(ctx, &c_authcon, 0, NULL, cred, &der_apreq); - assert(ret == 0); - ret = krb5_rd_req(ctx, &s_authcon, &der_apreq, NULL, NULL, NULL, NULL); - assert(ret == 0); - - /* Set up another server auth context with the same rcache name and replay - * the AP-REQ. */ - ret = krb5_auth_con_init(ctx, &s_authcon2); - assert(ret == 0); - tmpdata = string2data("testserver"); - ret = krb5_get_server_rcache(ctx, &tmpdata, &rc); - assert(ret == 0); - ret = krb5_auth_con_setrcache(ctx, s_authcon2, rc); - assert(ret == 0); - ret = krb5_rd_req(ctx, &s_authcon2, &der_apreq, NULL, NULL, NULL, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - krb5_auth_con_free(ctx, s_authcon2); - - /* Make a KRB-SAFE message with the client auth context. */ - tmpdata = string2data("safemsg"); - ret = krb5_mk_safe(ctx, c_authcon, &tmpdata, &der_krbsafe, NULL); - assert(ret == 0); - /* Play it back to the client to detect a reflection. */ - ret = krb5_rd_safe(ctx, c_authcon, &der_krbsafe, &tmpdata, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - /* Send it to the server auth context twice, to detect a replay. */ - ret = krb5_rd_safe(ctx, s_authcon, &der_krbsafe, &tmpdata, NULL); - assert(ret == 0); - krb5_free_data_contents(ctx, &tmpdata); - ret = krb5_rd_safe(ctx, s_authcon, &der_krbsafe, &tmpdata, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - - /* Make a KRB-PRIV message with the client auth context. */ - tmpdata = string2data("safemsg"); - ret = krb5_mk_priv(ctx, c_authcon, &tmpdata, &der_krbpriv, NULL); - assert(ret == 0); - /* Play it back to the client to detect a reflection. */ - ret = krb5_rd_priv(ctx, c_authcon, &der_krbpriv, &tmpdata, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - /* Send it to the server auth context twice, to detect a replay. 
*/ - ret = krb5_rd_priv(ctx, s_authcon, &der_krbpriv, &tmpdata, NULL); - assert(ret == 0); - krb5_free_data_contents(ctx, &tmpdata); - ret = krb5_rd_priv(ctx, s_authcon, &der_krbpriv, &tmpdata, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - - /* Make a KRB-CRED message with the client auth context. */ - tmpdata = string2data("safemsg"); - ret = krb5_mk_1cred(ctx, c_authcon, cred, &der_krbcred, NULL); - assert(ret == 0); - /* Play it back to the client to detect a reflection. */ - ret = krb5_rd_cred(ctx, c_authcon, der_krbcred, &tmpcreds, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - /* Send it to the server auth context twice, to detect a replay. */ - ret = krb5_rd_cred(ctx, s_authcon, der_krbcred, &tmpcreds, NULL); - assert(ret == 0); - krb5_free_tgt_creds(ctx, tmpcreds); - ret = krb5_rd_cred(ctx, s_authcon, der_krbcred, &tmpcreds, NULL); - assert(ret == KRB5KRB_AP_ERR_REPEAT); - - krb5_free_data_contents(ctx, &der_apreq); - krb5_free_data_contents(ctx, &der_krbsafe); - krb5_free_data_contents(ctx, &der_krbpriv); - krb5_free_data(ctx, der_krbcred); - krb5_free_creds(ctx, cred); - krb5_cc_close(ctx, cc); - krb5_free_principal(ctx, client); - krb5_free_principal(ctx, server); - krb5_auth_con_free(ctx, c_authcon); - krb5_auth_con_free(ctx, s_authcon); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/responder.c b/crypto/krb5/src/tests/responder.c deleted file mode 100644 index 82f870ea5d4b..000000000000 --- a/crypto/krb5/src/tests/responder.c +++ /dev/null 
@@ -1,431 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/responder.c - Test harness for responder callbacks and the like. */
-/*
- * Copyright 2013 Red Hat, Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * A helper for testing PKINIT and responder callbacks.
- *
- * This test helper takes multiple options and one argument.
- *
- * responder [options] principal
- * -X preauth_option -> preauth options, as for kinit
- * -x challenge -> expected responder challenge, of the form
- * "question=challenge"
- * -r response -> provide a reponder answer, in the form
- * "question=answer"
- * -c -> print the pkinit challenge
- * -p identity=pin -> provide a pkinit answer, in the form "identity=pin"
- * -o index=value:pin -> provide an OTP answer, in the form "index=value:pin"
- * principal -> client principal name
- *
- * If the responder callback isn't called, that's treated as an error.
- *
- * If an expected responder challenge is specified, when the responder
- * callback is called, the challenge associated with the specified question is
- * compared against the specified value. If the value provided to the
- * callback doesn't parse as JSON, a literal string compare is performed,
- * otherwise both values are parsed as JSON and then re-encoded before
- * comparison. In either case, the comparison must succeed.
- *
- * Any missing data or mismatches are treated as errors.
- */
-
-#include <k5-platform.h>
-#include <k5-json.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <krb5.h>
-
-struct responder_data {
- krb5_boolean called;
- krb5_boolean print_pkinit_challenge;
- const char *challenge;
- const char *response;
- const char *pkinit_answer;
- const char *otp_answer;
-};
-
-static krb5_error_code
-responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx)
-{
- krb5_error_code err;
- char *key, *value, *pin, *encoded1, *encoded2;
- const char *challenge;
- k5_json_value decoded1, decoded2;
- k5_json_object ids;
- k5_json_number val;
- krb5_int32 token_flags;
- struct responder_data *data = rawdata;
- krb5_responder_pkinit_challenge *chl;
- krb5_responder_otp_challenge *ochl;
- unsigned int i, n;
-
- data->called = TRUE;
-
- /* Check that a particular challenge has the specified expected value.
*/
- if (data->challenge != NULL) {
- /* Separate the challenge name and its expected value. */
- key = strdup(data->challenge);
- if (key == NULL)
- exit(ENOMEM);
- value = key + strcspn(key, "=");
- if (*value != '\0')
- *value++ = '\0';
- /* Read the challenge. */
- challenge = krb5_responder_get_challenge(ctx, rctx, key);
- err = k5_json_decode(value, &decoded1);
- /* Check for "no challenge". */
- if (challenge == NULL && *value == '\0') {
- fprintf(stderr, "OK: (no challenge) == (no challenge)\n");
- } else if (err != 0) {
- /* It's not JSON, so assume we're just after a string compare. */
- if (strcmp(challenge, value) == 0) {
- fprintf(stderr, "OK: \"%s\" == \"%s\"\n", challenge, value);
- } else {
- fprintf(stderr, "ERROR: \"%s\" != \"%s\"\n", challenge, value);
- exit(1);
- }
- } else {
- /* Assume we're after a JSON compare - decode the actual value. */
- err = k5_json_decode(challenge, &decoded2);
- if (err != 0) {
- fprintf(stderr, "error decoding \"%s\"\n", challenge);
- exit(1);
- }
- /* Re-encode the expected challenge and the actual challenge... */
- err = k5_json_encode(decoded1, &encoded1);
- if (err != 0) {
- fprintf(stderr, "error encoding json data\n");
- exit(1);
- }
- err = k5_json_encode(decoded2, &encoded2);
- if (err != 0) {
- fprintf(stderr, "error encoding json data\n");
- exit(1);
- }
- k5_json_release(decoded1);
- k5_json_release(decoded2);
- /* ... and see if they look the same. */
- if (strcmp(encoded1, encoded2) == 0) {
- fprintf(stderr, "OK: \"%s\" == \"%s\"\n", encoded1, encoded2);
- } else {
- fprintf(stderr, "ERROR: \"%s\" != \"%s\"\n", encoded1,
- encoded2);
- exit(1);
- }
- free(encoded1);
- free(encoded2);
- }
- free(key);
- }
-
- /* Provide a particular response for a challenge. */
- if (data->response != NULL) {
- /* Separate the challenge and its data content... */
- key = strdup(data->response);
- if (key == NULL)
- exit(ENOMEM);
- value = key + strcspn(key, "=");
- if (*value != '\0')
- *value++ = '\0';
- /* ...
and pass it in. */
- err = krb5_responder_set_answer(ctx, rctx, key, value);
- if (err != 0) {
- fprintf(stderr, "error setting response\n");
- exit(1);
- }
- free(key);
- }
-
- if (data->print_pkinit_challenge) {
- /* Read the PKINIT challenge, formatted as a structure. */
- err = krb5_responder_pkinit_get_challenge(ctx, rctx, &chl);
- if (err != 0) {
- fprintf(stderr, "error getting pkinit challenge\n");
- exit(1);
- }
- if (chl != NULL) {
- for (n = 0; chl->identities[n] != NULL; n++)
- continue;
- for (i = 0; chl->identities[i] != NULL; i++) {
- if (chl->identities[i]->token_flags != -1) {
- printf("identity %u/%u: %s (flags=0x%lx)\n", i + 1, n,
- chl->identities[i]->identity,
- (long)chl->identities[i]->token_flags);
- } else {
- printf("identity %u/%u: %s\n", i + 1, n,
- chl->identities[i]->identity);
- }
- }
- }
- krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
- }
-
- /* Provide a particular response for the PKINIT challenge. */
- if (data->pkinit_answer != NULL) {
- /* Read the PKINIT challenge, formatted as a structure. */
- err = krb5_responder_pkinit_get_challenge(ctx, rctx, &chl);
- if (err != 0) {
- fprintf(stderr, "error getting pkinit challenge\n");
- exit(1);
- }
- /*
- * In case order matters, if the identity starts with "FILE:", exercise
- * the set_answer function, with the real answer second.
- */
- if (chl != NULL &&
- chl->identities != NULL &&
- chl->identities[0] != NULL) {
- if (strncmp(chl->identities[0]->identity, "FILE:", 5) == 0)
- krb5_responder_pkinit_set_answer(ctx, rctx, "foo", "bar");
- }
- /* Provide the real answer.
*/
- key = strdup(data->pkinit_answer);
- if (key == NULL)
- exit(ENOMEM);
- value = strrchr(key, '=');
- if (value != NULL)
- *value++ = '\0';
- else
- value = "";
- err = krb5_responder_pkinit_set_answer(ctx, rctx, key, value);
- if (err != 0) {
- fprintf(stderr, "error setting response\n");
- exit(1);
- }
- free(key);
- /*
- * In case order matters, if the identity starts with "PKCS12:",
- * exercise the set_answer function, with the real answer first.
- */
- if (chl != NULL &&
- chl->identities != NULL &&
- chl->identities[0] != NULL) {
- if (strncmp(chl->identities[0]->identity, "PKCS12:", 7) == 0)
- krb5_responder_pkinit_set_answer(ctx, rctx, "foo", "bar");
- }
- krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
- }
-
- /*
- * Something we always check: read the PKINIT challenge, both as a
- * structure and in JSON form, reconstruct the JSON form from the
- * structure's contents, and check that they're the same.
- */
- challenge = krb5_responder_get_challenge(ctx, rctx,
- KRB5_RESPONDER_QUESTION_PKINIT);
- if (challenge != NULL) {
- krb5_responder_pkinit_get_challenge(ctx, rctx, &chl);
- if (chl == NULL) {
- fprintf(stderr, "pkinit raw challenge set, "
- "but structure is NULL\n");
- exit(1);
- }
- if (k5_json_object_create(&ids) != 0) {
- fprintf(stderr, "error creating json objects\n");
- exit(1);
- }
- for (i = 0; chl->identities[i] != NULL; i++) {
- token_flags = chl->identities[i]->token_flags;
- if (k5_json_number_create(token_flags, &val) != 0) {
- fprintf(stderr, "error creating json number\n");
- exit(1);
- }
- if (k5_json_object_set(ids, chl->identities[i]->identity,
- val) != 0) {
- fprintf(stderr, "error adding json number to object\n");
- exit(1);
- }
- k5_json_release(val);
- }
- /* Encode the structure... */
- err = k5_json_encode(ids, &encoded1);
- if (err != 0) {
- fprintf(stderr, "error encoding json data\n");
- exit(1);
- }
- k5_json_release(ids);
- /* ... and see if they look the same.
*/
- if (strcmp(encoded1, challenge) != 0) {
- fprintf(stderr, "\"%s\" != \"%s\"\n", encoded1, challenge);
- exit(1);
- }
- krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
- free(encoded1);
- }
-
- /* Provide a particular response for an OTP challenge. */
- if (data->otp_answer != NULL) {
- if (krb5_responder_otp_get_challenge(ctx, rctx, &ochl) == 0) {
- key = strchr(data->otp_answer, '=');
- if (key != NULL) {
- /* Make a copy of the answer that we can chop up. */
- key = strdup(data->otp_answer);
- if (key == NULL)
- return ENOMEM;
- /* Isolate the ti value. */
- value = strchr(key, '=');
- *value++ = '\0';
- n = atoi(key);
- /* Break the value and PIN apart. */
- pin = strchr(value, ':');
- if (pin != NULL)
- *pin++ = '\0';
- err = krb5_responder_otp_set_answer(ctx, rctx, n, value, pin);
- if (err != 0) {
- fprintf(stderr, "error setting response\n");
- exit(1);
- }
- free(key);
- }
- krb5_responder_otp_challenge_free(ctx, rctx, ochl);
- }
- }
-
- return 0;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_ccache ccache;
- krb5_get_init_creds_opt *opts;
- krb5_principal principal;
- krb5_creds creds;
- krb5_error_code err;
- const char *errmsg;
- char *opt, *val;
- struct responder_data response;
- int c;
-
- err = krb5_init_context(&context);
- if (err != 0) {
- fprintf(stderr, "error starting Kerberos: %s\n", error_message(err));
- return err;
- }
- err = krb5_get_init_creds_opt_alloc(context, &opts);
- if (err != 0) {
- fprintf(stderr, "error initializing options: %s\n",
- error_message(err));
- return err;
- }
- err = krb5_cc_default(context, &ccache);
- if (err != 0) {
- fprintf(stderr, "error resolving default ccache: %s\n",
- error_message(err));
- return err;
- }
- err = krb5_get_init_creds_opt_set_out_ccache(context, opts, ccache);
- if (err != 0) {
- fprintf(stderr, "error setting output ccache: %s\n",
- error_message(err));
- return err;
- }
-
- memset(&response, 0, sizeof(response));
- while ((c = getopt(argc, argv,
"X:x:cr:p:")) != -1) {
- switch (c) {
- case 'X':
- /* Like kinit, set a generic preauth option. */
- opt = strdup(optarg);
- val = opt + strcspn(opt, "=");
- if (*val != '\0') {
- *val++ = '\0';
- }
- err = krb5_get_init_creds_opt_set_pa(context, opts, opt, val);
- if (err != 0) {
- fprintf(stderr, "error setting option \"%s\": %s\n", opt,
- error_message(err));
- return err;
- }
- free(opt);
- break;
- case 'x':
- /* Check that a particular question has a specific challenge. */
- response.challenge = optarg;
- break;
- case 'c':
- /* Note that we want a dump of the PKINIT challenge structure. */
- response.print_pkinit_challenge = TRUE;
- break;
- case 'r':
- /* Set a verbatim response for a verbatim challenge. */
- response.response = optarg;
- break;
- case 'p':
- /* Set a PKINIT answer for a specific PKINIT identity. */
- response.pkinit_answer = optarg;
- break;
- case 'o':
- /* Set an OTP answer for a specific OTP tokeninfo. */
- response.otp_answer = optarg;
- break;
- }
- }
-
- if (argc > optind) {
- err = krb5_parse_name(context, argv[optind], &principal);
- if (err != 0) {
- fprintf(stderr, "error parsing name \"%s\": %s", argv[optind],
- error_message(err));
- return err;
- }
- } else {
- fprintf(stderr, "error: no principal name provided\n");
- return -1;
- }
-
- err = krb5_get_init_creds_opt_set_responder(context, opts,
- responder, &response);
- if (err != 0) {
- fprintf(stderr, "error setting responder: %s\n", error_message(err));
- return err;
- }
- memset(&creds, 0, sizeof(creds));
- err = krb5_get_init_creds_password(context, &creds, principal, NULL,
- NULL, NULL, 0, NULL, opts);
- if (err == 0)
- krb5_free_cred_contents(context, &creds);
- krb5_free_principal(context, principal);
- krb5_get_init_creds_opt_free(context, opts);
- krb5_cc_close(context, ccache);
-
- if (!response.called) {
- fprintf(stderr, "error: responder callback wasn't called\n");
- err = 1;
- } else if (err) {
- errmsg = krb5_get_error_message(context, err);
- fprintf(stderr,
"error: krb5_get_init_creds_password failed: %s\n",
- errmsg);
- krb5_free_error_message(context, errmsg);
- err = 2;
- }
- krb5_free_context(context);
- return err;
-}
diff --git a/crypto/krb5/src/tests/s2p.c b/crypto/krb5/src/tests/s2p.c
deleted file mode 100644
index 8fb2a94d6a47..000000000000
--- a/crypto/krb5/src/tests/s2p.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/s2p.c - krb5_name_to_principal test harness */
-/*
- * Copyright (C) 2013 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-#include <krb5.h>
-
-static krb5_context ctx;
-
-static void
-check(krb5_error_code code)
-{
- const char *errmsg;
-
- if (code) {
- errmsg = krb5_get_error_message(ctx, code);
- fprintf(stderr, "%s\n", errmsg);
- krb5_free_error_message(ctx, errmsg);
- exit(1);
- }
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_principal princ;
- krb5_int32 type;
- const char *service, *hostname;
- char *name;
-
- /* Parse arguments. */
- assert(argc == 4);
- hostname = argv[1];
- service = argv[2];
- if (strcmp(argv[3], "unknown") == 0)
- type = KRB5_NT_UNKNOWN;
- else if (strcmp(argv[3], "srv-hst") == 0)
- type = KRB5_NT_SRV_HST;
- else
- abort();
-
- check(krb5_init_context(&ctx));
- check(krb5_sname_to_principal(ctx, hostname, service, type, &princ));
- check(krb5_unparse_name(ctx, princ, &name));
- printf("%s\n", name);
-
- krb5_free_unparsed_name(ctx, name);
- krb5_free_principal(ctx, princ);
- krb5_free_context(ctx);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/s4u2proxy.c b/crypto/krb5/src/tests/s4u2proxy.c
deleted file mode 100644
index 3786bad2ca7d..000000000000
--- a/crypto/krb5/src/tests/s4u2proxy.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/s4u2proxy.c - S4U2Proxy test harness */
-/*
- * Copyright (C) 2015 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Usage: s4u2proxy evccname targetname [ad-type ad-contents]
- *
- * evccname contains an evidence ticket. The default ccache contains a TGT for
- * the intermediate service. The default keytab contains a key for the
- * intermediate service. An S4U2Proxy request is made to get a ticket from
- * evccname's default principal to the target service. The resulting cred is
- * stored in the default ccache.
- */
-
-#include <k5-int.h>
-
-static krb5_context ctx;
-
-static void
-check(krb5_error_code code)
-{
- const char *errmsg;
-
- if (code) {
- errmsg = krb5_get_error_message(ctx, code);
- fprintf(stderr, "%s\n", errmsg);
- krb5_free_error_message(ctx, errmsg);
- exit(1);
- }
-}
-
-static krb5_authdata **
-make_request_authdata(int type, const char *contents)
-{
- krb5_authdata *ad;
- krb5_authdata **req_authdata;
-
- ad = malloc(sizeof(*ad));
- assert(ad != NULL);
- ad->magic = KV5M_AUTHDATA;
- ad->ad_type = type;
- ad->length = strlen(contents);
- ad->contents = (unsigned char *)strdup(contents);
- assert(ad->contents != NULL);
-
- req_authdata = malloc(2 * sizeof(*req_authdata));
- assert(req_authdata != NULL);
- req_authdata[0] = ad;
- req_authdata[1] = NULL;
-
- return req_authdata;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_ccache defcc, evcc;
- krb5_principal client_name, int_name, target_name;
- krb5_keytab defkt;
- krb5_creds mcred, ev_cred, *new_cred;
- krb5_ticket *ev_ticket;
- krb5_authdata **req_authdata = NULL;
-
- if (argc == 5) {
- req_authdata = make_request_authdata(atoi(argv[3]), argv[4]);
- argc -= 2;
- }
-
- assert(argc == 3);
- check(krb5_init_context(&context));
-
- /* Open the default ccache, evidence ticket ccache, and default keytab. */
- check(krb5_cc_default(context, &defcc));
- check(krb5_cc_resolve(context, argv[1], &evcc));
- check(krb5_kt_default(context, &defkt));
-
- /* Determine the client name, intermediate name, and target name. */
- check(krb5_cc_get_principal(context, evcc, &client_name));
- check(krb5_cc_get_principal(context, defcc, &int_name));
- check(krb5_parse_name(context, argv[2], &target_name));
-
- /* Retrieve and decrypt the evidence ticket.
*/
- memset(&mcred, 0, sizeof(mcred));
- mcred.client = client_name;
- mcred.server = int_name;
- check(krb5_cc_retrieve_cred(context, evcc, 0, &mcred, &ev_cred));
- check(krb5_decode_ticket(&ev_cred.ticket, &ev_ticket));
- check(krb5_server_decrypt_ticket_keytab(context, defkt, ev_ticket));
-
- /* Make an S4U2Proxy request for the target service. */
- mcred.client = client_name;
- mcred.server = target_name;
- mcred.authdata = req_authdata;
- check(krb5_get_credentials_for_proxy(context, KRB5_GC_NO_STORE |
- KRB5_GC_CANONICALIZE, defcc,
- &mcred, ev_ticket, &new_cred));
-
- assert(data_eq(new_cred->second_ticket, ev_cred.ticket));
- assert(new_cred->second_ticket.length != 0);
-
- /* Store the new cred in the default ccache. */
- check(krb5_cc_store_cred(context, defcc, new_cred));
-
- assert(req_authdata == NULL || new_cred->authdata != NULL);
-
- krb5_cc_close(context, defcc);
- krb5_cc_close(context, evcc);
- krb5_kt_close(context, defkt);
- krb5_free_principal(context, client_name);
- krb5_free_principal(context, int_name);
- krb5_free_principal(context, target_name);
- krb5_free_cred_contents(context, &ev_cred);
- krb5_free_ticket(context, ev_ticket);
- krb5_free_creds(context, new_cred);
- krb5_free_authdata(context, req_authdata);
- krb5_free_context(context);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/s4u2self.c b/crypto/krb5/src/tests/s4u2self.c
deleted file mode 100644
index c8e48229c234..000000000000
--- a/crypto/krb5/src/tests/s4u2self.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 2019 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Usage: s4u2self user self out_cache [ad-type ad-contents]
- *
- * The default ccache contains a TGT for the intermediate service self. An
- * S4U2Self request is made to self. The resulting cred is stored in
- * out_cache.
- */
-
-#include <k5-int.h>
-
-static krb5_context ctx;
-
-static void
-check(krb5_error_code code)
-{
- const char *errmsg;
-
- if (code) {
- errmsg = krb5_get_error_message(ctx, code);
- fprintf(stderr, "%s\n", errmsg);
- krb5_free_error_message(ctx, errmsg);
- exit(1);
- }
-}
-
-static krb5_authdata **
-make_request_authdata(int type, const char *contents)
-{
- krb5_authdata *ad;
- krb5_authdata **req_authdata;
-
- ad = malloc(sizeof(*ad));
- assert(ad != NULL);
- ad->magic = KV5M_AUTHDATA;
- ad->ad_type = type;
- ad->length = strlen(contents);
- ad->contents = (unsigned char *)strdup(contents);
- assert(ad->contents != NULL);
-
- req_authdata = malloc(2 * sizeof(*req_authdata));
- assert(req_authdata != NULL);
- req_authdata[0] = ad;
- req_authdata[1] = NULL;
-
- return req_authdata;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_context context;
- krb5_ccache defcc, ocache;
- krb5_principal client, self;
- krb5_creds mcred, *new_cred;
- krb5_authdata **req_authdata = NULL;
-
- if (argc == 6) {
- req_authdata = make_request_authdata(atoi(argv[4]), argv[5]);
- argc -= 2;
- }
-
- assert(argc == 4);
- check(krb5_init_context(&context));
-
- /* Open the default ccache.
*/
- check(krb5_cc_default(context, &defcc));
-
- check(krb5_parse_name(context, argv[1], &client));
- check(krb5_parse_name(context, argv[2], &self));
-
- memset(&mcred, 0, sizeof(mcred));
- mcred.client = client;
- mcred.server = self;
- mcred.authdata = req_authdata;
- check(krb5_get_credentials_for_user(context, KRB5_GC_NO_STORE |
- KRB5_GC_CANONICALIZE, defcc,
- &mcred, NULL, &new_cred));
-
- if (strcmp(argv[3], "-") == 0) {
- check(krb5_cc_store_cred(context, defcc, new_cred));
- } else {
- check(krb5_cc_resolve(context, argv[3], &ocache));
- check(krb5_cc_initialize(context, ocache, new_cred->client));
- check(krb5_cc_store_cred(context, ocache, new_cred));
- krb5_cc_close(context, ocache);
- }
-
- assert(req_authdata == NULL || new_cred->authdata != NULL);
-
- krb5_cc_close(context, defcc);
- krb5_free_principal(context, client);
- krb5_free_principal(context, self);
- krb5_free_creds(context, new_cred);
- krb5_free_authdata(context, req_authdata);
- krb5_free_context(context);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/shlib/Makefile.in b/crypto/krb5/src/tests/shlib/Makefile.in
deleted file mode 100644
index ce67be45b561..000000000000
--- a/crypto/krb5/src/tests/shlib/Makefile.in
+++ /dev/null
@@ -1,23 +0,0 @@
-mydir=tests$(S)shlib
-BUILDTOP=$(REL)..$(S)..
-
-#VALGRIND=valgrind
-#VALGRINDFLAGS=--tool=memcheck --leak-check=yes --show-reachable=yes
-
-SRCS=$(srcdir)/t_loader.c
-
-all:
-
-run-t_loader: t_loader
- $(RUN_TEST) ./t_loader
-
-t_loader: t_loader.o
- $(CC_LINK) -o t_loader t_loader.o $(DL_LIB)
-
-check-unix:
-
-install:
-
-clean:
- $(RM) t_loader.o t_loader
-
diff --git a/crypto/krb5/src/tests/shlib/deps b/crypto/krb5/src/tests/shlib/deps
deleted file mode 100644
index be6b824f01df..000000000000
--- a/crypto/krb5/src/tests/shlib/deps
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)t_loader.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- t_loader.c
diff --git a/crypto/krb5/src/tests/shlib/t_loader.c b/crypto/krb5/src/tests/shlib/t_loader.c
deleted file mode 100644
index 203f023f69e3..000000000000
--- a/crypto/krb5/src/tests/shlib/t_loader.c
+++ /dev/null
@@ -1,374 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/shlib/t_loader.c */ -/* - * Copyright (C) 2005 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "k5-platform.h" -#include "krb5.h" -#include "gssapi/gssapi.h" -#define HAVE_DLOPEN 1 - -static int verbose = 1; - -#ifdef HAVE_DLFCN_H -# include <dlfcn.h> -#endif -/* Solaris man page recommends link.h too */ - -/* lazy = 1 means resolve symbols later, 0 means now; any - other flags we should be testing? On Windows, maybe? - - Return value is the library handle. On error, print a message and - exit. */ -#define do_open(LIB,REV,FLAGS) do_open_1(LIB,REV,FLAGS,__LINE__) -static void *do_open_1(const char *libname, const char *rev, int lazy, int line); - -/* Look up a function symbol in the library and return a pointer. 
- - The return value may need casting to the correct type. On error, - print a message and exit. */ -static void *get_sym_1(void *libhandle, const char *sym, int line); -#define get_sym(LIB, NAME) get_sym_1(LIB, NAME, __LINE__) -#define GET_FSYM(TYPE, LIB, NAME) ((TYPE) get_sym(LIB, NAME)) -#define get_gfun(LIB, NAME) ((OM_uint32 KRB5_CALLCONV(*)()) get_sym(LIB, NAME)) - -/* Close dynamically-opened library. - - If the OS reports an error in doing so, print a message and - exit. */ -#define do_close(X) do_close_1(X, __LINE__) -static void do_close_1(void *libhandle, int line); - -#ifdef HAVE_DLOPEN - -#ifdef _AIX -# define SHLIB_SUFFIX ".a" -#else -# define SHLIB_SUFFIX ".so" -#endif - -#define HORIZ 25 - -static void *do_open_1(const char *libname, const char *rev, - int lazy, int line) -{ - void *p; - char *namebuf; - int r; - - if (verbose) - printf("from line %d: do_open(%s)...%*s", line, libname, - HORIZ-strlen(libname), ""); -#ifdef _AIX - r = asprintf(&namebuf, "lib%s%s", libname, SHLIB_SUFFIX); -#else - r = asprintf(&namebuf, "lib%s%s(shr.o.%s)", libname, SHLIB_SUFFIX, rev); -#endif - if (r < 0) { - perror("asprintf"); - exit(1); - } - -#ifndef RTLD_MEMBER -#define RTLD_MEMBER 0 -#endif - p = dlopen(namebuf, (lazy ? RTLD_LAZY : RTLD_NOW) | RTLD_MEMBER); - if (p == 0) { - fprintf(stderr, "dlopen of %s failed: %s\n", namebuf, dlerror()); - exit(1); - } - free(namebuf); - if (verbose) - printf("done: %p\n", p); - return p; -} - -#define SYM_PREFIX "" -static void *get_sym_1(void *libhandle, const char *symname, int line) -{ - void *s; - - /* Bah. Fix this later, if we care. 
*/ - assert(strlen(SYM_PREFIX) == 0); - - if (verbose) - printf("from line %d: get_sym(%s)...%*s", line, symname, - HORIZ-strlen(symname), ""); - - s = dlsym(libhandle, symname); - if (s == 0) { - fprintf(stderr, "symbol %s not found\n", symname); - exit(1); - } - if (verbose) - printf("done: %p\n", s); - return s; -} - -static void do_close_1(void *libhandle, int line) -{ - if (verbose) { - char pbuf[3*sizeof(libhandle)+4]; - snprintf(pbuf, sizeof(pbuf), "%p", libhandle); - printf("from line %d: do_close(%s)...%*s", line, pbuf, - HORIZ-1-strlen(pbuf), ""); - } - if (dlclose(libhandle) != 0) { - fprintf(stderr, "dlclose failed: %s\n", dlerror()); - exit(1); - } - if (verbose) - printf("done\n"); -} - -#elif defined _WIN32 - -static void *do_open(const char *libname, int lazy) -{ - /* To be written? */ - abort(); -} - -static void *get_sym(void *libhandle, const char *symname) -{ - abort(); -} - -static void do_close(void *libhandle) -{ - abort(); -} - -#else - -static void *do_open(const char *libname, int lazy) -{ - printf("don't know how to do dynamic loading here, punting\n"); - exit(0); -} - -static void *get_sym(void *libhandle, const char *symname) -{ - abort(); -} - -static void do_close(void *libhandle) -{ - abort(); -} - -#endif - -int main(void) -{ - void *celib, *k5lib, *gsslib, *celib2; - - (void) setvbuf(stdout, 0, _IONBF, 0); - - celib = do_open("com_err", "3.0", 0); - k5lib = do_open("krb5", "3.2", 0); - gsslib = do_open("gssapi_krb5", "2.2", 0); - celib2 = do_open("com_err", "3.0", 0); - do_close(celib2); - { - typedef krb5_error_code KRB5_CALLCONV (*ict)(krb5_context *); - typedef void KRB5_CALLCONV (*fct)(krb5_context); - - ict init_context = (ict) get_sym(k5lib, "krb5_init_context"); - fct free_context = (fct) get_sym(k5lib, "krb5_free_context"); - krb5_context ctx; - krb5_error_code err; - -#define CALLING(S) (verbose ? printf("at line %d: calling %s...%*s", __LINE__, #S, (int)(HORIZ+1-strlen(#S)), "") : 0) -#define DONE() (verbose ? 
printf("done\n") : 0) - - CALLING(krb5_init_context); - err = init_context(&ctx); - DONE(); - if (err) { - fprintf(stderr, "error 0x%lx initializing context\n", - (unsigned long) err); - exit(1); - } - CALLING(krb5_free_context); - free_context(ctx); - DONE(); - } - celib2 = do_open("com_err", "3.0", 0); - do_close(celib); - do_close(k5lib); - do_close(celib2); - do_close(gsslib); - - /* Test gssapi_krb5 without having loaded anything else. */ - gsslib = do_open("gssapi_krb5", "2.2", 1); - { - OM_uint32 KRB5_CALLCONV (*init_sec_context)(OM_uint32 *, gss_cred_id_t, - gss_ctx_id_t *, gss_name_t, - gss_OID, - OM_uint32, OM_uint32, - gss_channel_bindings_t, - gss_buffer_t, gss_OID *, - gss_buffer_t, - OM_uint32 *, OM_uint32 *) - = get_gfun(gsslib, "gss_init_sec_context"); - OM_uint32 KRB5_CALLCONV (*import_name)(OM_uint32 *, gss_buffer_t, - gss_OID, gss_name_t *) - = get_gfun(gsslib, "gss_import_name"); - OM_uint32 KRB5_CALLCONV (*release_buffer)(OM_uint32 *, gss_buffer_t) - = get_gfun(gsslib, "gss_release_buffer"); - OM_uint32 KRB5_CALLCONV (*release_name)(OM_uint32 *, gss_name_t *) - = get_gfun(gsslib, "gss_release_name"); - OM_uint32 KRB5_CALLCONV (*delete_sec_context)(OM_uint32 *, - gss_ctx_id_t *, - gss_buffer_t) - = get_gfun(gsslib, "gss_delete_sec_context"); - - OM_uint32 gmaj, gmin; - OM_uint32 retflags; - gss_ctx_id_t gctx = GSS_C_NO_CONTEXT; - gss_buffer_desc token; - gss_name_t target; - static gss_buffer_desc target_name_buf = { - 9, "x@mit.edu" - }; - static gss_OID_desc service_name = { - 10, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04" - }; - - CALLING(gss_import_name); - gmaj = import_name(&gmin, &target_name_buf, &service_name, &target); - DONE(); - if (gmaj != GSS_S_COMPLETE) { - fprintf(stderr, - "import_name reports error major 0x%lx minor 0x%lx(%ld)\n", - (unsigned long) gmaj, (unsigned long) gmin, - (signed long) gmin); - exit(1); - } - /* This will probably get different errors, depending on - whether we have tickets at the time. 
Doesn't matter much, - we're ignoring the error and testing whether we're doing - cleanup properly. (Though the internal cleanup needed in - the two cases might be different.) */ - CALLING(gss_init_sec_context); - gmaj = init_sec_context(&gmin, GSS_C_NO_CREDENTIAL, &gctx, target, - GSS_C_NULL_OID, 0, 0, NULL, GSS_C_NO_BUFFER, - NULL, &token, &retflags, NULL); - DONE(); - /* Ignore success/failure indication. */ - if (token.length) { - CALLING(gss_release_buffer); - release_buffer(&gmin, &token); - DONE(); - } - CALLING(gss_release_name); - release_name(&gmin, &target); - DONE(); - if (gctx != GSS_C_NO_CONTEXT) { - CALLING(gss_delete_sec_context); - delete_sec_context(&gmin, gctx, GSS_C_NO_BUFFER); - DONE(); - } - } - do_close(gsslib); - - /* Test gssapi_krb5 with com_err already loaded, then unload - com_err first. */ - celib = do_open("com_err", "3.0", 1); - gsslib = do_open("gssapi_krb5", "2.2", 1); - { - OM_uint32 KRB5_CALLCONV (*init_sec_context)(OM_uint32 *, gss_cred_id_t, - gss_ctx_id_t *, gss_name_t, - gss_OID, - OM_uint32, OM_uint32, - gss_channel_bindings_t, - gss_buffer_t, gss_OID *, - gss_buffer_t, - OM_uint32 *, OM_uint32 *) - = get_gfun(gsslib, "gss_init_sec_context"); - OM_uint32 KRB5_CALLCONV (*import_name)(OM_uint32 *, gss_buffer_t, - gss_OID, gss_name_t *) - = get_gfun(gsslib, "gss_import_name"); - OM_uint32 KRB5_CALLCONV (*release_buffer)(OM_uint32 *, gss_buffer_t) - = get_gfun(gsslib, "gss_release_buffer"); - OM_uint32 KRB5_CALLCONV (*release_name)(OM_uint32 *, gss_name_t *) - = get_gfun(gsslib, "gss_release_name"); - OM_uint32 KRB5_CALLCONV (*delete_sec_context)(OM_uint32 *, - gss_ctx_id_t *, - gss_buffer_t) - = get_gfun(gsslib, "gss_delete_sec_context"); - - OM_uint32 gmaj, gmin; - OM_uint32 retflags; - gss_ctx_id_t gctx = GSS_C_NO_CONTEXT; - gss_buffer_desc token; - gss_name_t target; - static gss_buffer_desc target_name_buf = { - 9, "x@mit.edu" - }; - static gss_OID_desc service_name = { - 10, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04" - }; - 
- CALLING(gss_import_name); - gmaj = import_name(&gmin, &target_name_buf, &service_name, &target); - DONE(); - if (gmaj != GSS_S_COMPLETE) { - fprintf(stderr, - "import_name reports error major 0x%lx minor 0x%lx(%ld)\n", - (unsigned long) gmaj, (unsigned long) gmin, - (signed long) gmin); - exit(1); - } - /* This will probably get different errors, depending on - whether we have tickets at the time. Doesn't matter much, - we're ignoring the error and testing whether we're doing - cleanup properly. (Though the internal cleanup needed in - the two cases might be different.) */ - CALLING(gss_init_sec_context); - gmaj = init_sec_context(&gmin, GSS_C_NO_CREDENTIAL, &gctx, target, - GSS_C_NULL_OID, 0, 0, NULL, GSS_C_NO_BUFFER, - NULL, &token, &retflags, NULL); - DONE(); - /* Ignore success/failure indication. */ - if (token.length) { - CALLING(gss_release_buffer); - release_buffer(&gmin, &token); - DONE(); - } - CALLING(gss_release_name); - release_name(&gmin, &target); - DONE(); - if (gctx != GSS_C_NO_CONTEXT) { - CALLING(gss_delete_sec_context); - delete_sec_context(&gmin, gctx, GSS_C_NO_BUFFER); - DONE(); - } - } - do_close(celib); - do_close(gsslib); - - return 0; -} diff --git a/crypto/krb5/src/tests/t_alias.py b/crypto/krb5/src/tests/t_alias.py deleted file mode 100755 index f52163241143..000000000000 --- a/crypto/krb5/src/tests/t_alias.py +++ /dev/null 
@@ -1,124 +0,0 @@ -from k5test import * - -realm = K5Realm(create_host=False) - -mark('getprinc') -realm.addprinc('canon') -realm.run([kadminl, 'alias', 'alias', 'canon@KRBTEST.COM']) -realm.run([kadminl, 'getprinc', 'alias'], - expected_msg='Principal: canon@KRBTEST.COM') - -mark('delprinc') -realm.run([kadminl, 'delprinc', 'alias']) -realm.run([kadminl, 'getprinc', 'alias'], expected_code=1, - expected_msg='does not exist') -realm.run([kadminl, 'getprinc', 'canon'], expected_msg=': canon@KRBTEST.COM') - -mark('no specified realm') -realm.run([kadminl, 'alias', 'alias', 'canon']) -realm.run([kadminl, 'getprinc', 'alias'], expected_msg=': canon@KRBTEST.COM') - -mark('cross-realm') -realm.run([kadminl, 'alias', 'x', 'y@OTHER.REALM'], expected_code=1, - expected_msg='Alias target must be within the same realm') - -mark('alias as service principal') -realm.extract_keytab('alias', realm.keytab) -realm.run([kvno, 'alias']) -realm.klist('user@KRBTEST.COM', 'alias@KRBTEST.COM') - -mark('alias as client principal') -realm.kinit('alias', flags=['-k']) -realm.klist('alias@KRBTEST.COM') -realm.kinit('alias', flags=['-k', '-C']) -realm.klist('canon@KRBTEST.COM') - -mark('chain') -realm.run([kadminl, 'alias', 'a1', 'canon']) -realm.run([kadminl, 'alias', 'a2', 'a1']) -realm.run([kadminl, 'alias', 'a3', 'a2']) -realm.run([kadminl, 'alias', 'a4', 'a3']) -realm.run([kadminl, 'alias', 'a5', 'a4']) -realm.run([kadminl, 'alias', 'a6', 'a5']) -realm.run([kadminl, 'alias', 'a7', 'a6']) -realm.run([kadminl, 'alias', 'a8', 'a7']) -realm.run([kadminl, 'alias', 'a9', 'a8']) -realm.run([kadminl, 'alias', 'a10', 'a9']) -realm.run([kadminl, 'alias', 'a11', 'a10']) -realm.run([kvno, 'a1']) -realm.run([kvno, 'a2']) -realm.run([kvno, 'a3']) -realm.run([kvno, 'a4']) -realm.run([kvno, 'a5']) -realm.run([kvno, 'a6']) -realm.run([kvno, 'a7']) -realm.run([kvno, 'a8']) -realm.run([kvno, 'a9']) -realm.run([kvno, 'a10']) -realm.run([kvno, 'a11'], expected_code=1, - expected_msg='Server a11@KRBTEST.COM 
not found in Kerberos database') - -mark('circular chain') -realm.run([kadminl, 'alias', 'selfalias', 'selfalias']) -realm.run([kvno, 'selfalias'], expected_code=1, - expected_msg='Server selfalias@KRBTEST.COM not found') - -mark('blocking creations') -realm.run([kadminl, 'addprinc', '-nokey', 'alias'], expected_code=1, - expected_msg='already exists') -realm.run([kadminl, 'alias', 'alias', 'canon'], expected_code=1, - expected_msg='already exists') -realm.run([kadminl, 'renprinc', 'user', 'alias'], expected_code=1, - expected_msg='already exists') - -# Non-resolving aliases being overwritable is emergent behavior; -# change the tests if the behavior changes. -mark('not blocking creations') -realm.run([kadminl, 'alias', 'xa1', 'x']) -realm.run([kadminl, 'alias', 'xa2', 'x']) -realm.run([kadminl, 'alias', 'xa3', 'x']) -realm.addprinc('xa1') -realm.run([kadminl, 'getprinc', 'xa1'], expected_msg=': xa1@KRBTEST.COM') -realm.run([kadminl, 'alias', 'xa2', 'canon']) -realm.run([kadminl, 'getprinc', 'xa2'], expected_msg=': canon@KRBTEST.COM') -realm.run([kadminl, 'renprinc', 'xa1', 'xa3']) -realm.run([kadminl, 'getprinc', 'xa3'], expected_msg=': xa3@KRBTEST.COM') - -mark('renprinc') -realm.run([kadminl, 'renprinc', 'alias', 'nalias'], expected_code=1, - expected_msg='Operation unsupported on alias principal name') - -mark('modprinc') -realm.run([kadminl, 'modprinc', '+preauth', 'alias']) -realm.run([kadminl, 'getprinc', 'canon'], expected_msg='REQUIRES_PRE_AUTH') - -mark('cpw') -realm.run([kadminl, 'cpw', '-pw', 'pw', 'alias']) -realm.run([kadminl, 'getprinc', 'canon'], expected_msg='vno 2,') -realm.run([kadminl, 'cpw', '-e', 'aes256-cts', '-pw', 'pw', 'alias']) -realm.run([kadminl, 'getprinc', 'canon'], expected_msg='vno 3,') -realm.run([kadminl, 'cpw', '-randkey', 'alias']) -realm.run([kadminl, 'getprinc', 'canon'], expected_msg='vno 4,') -realm.run([kadminl, 'cpw', '-e', 'aes256-cts', '-randkey', 'alias']) -realm.run([kadminl, 'getprinc', 'canon'], expected_msg='vno 
5,') - -mark('listprincs') -realm.run([kadminl, 'listprincs'], expected_msg='alias@KRBTEST.COM') - -mark('purgekeys') -realm.run([kadminl, 'purgekeys', '-all', 'alias']) -realm.run([kadminl, 'getprinc', 'canon'], expected_msg='Number of keys: 0') - -mark('setstr') -realm.run([kadminl, 'setstr', 'alias', 'key', 'value']) -realm.run([kadminl, 'getstrs', 'canon'], expected_msg='key: value') - -mark('getstrs') -realm.run([kadminl, 'getstrs', 'alias'], expected_msg='key: value') - -mark('delstr') -realm.run([kadminl, 'delstr', 'alias', 'key']) -realm.run([kadminl, 'getstrs', 'canon'], - expected_msg='(No string attributes.)') - -success('alias tests') diff --git a/crypto/krb5/src/tests/t_audit.py b/crypto/krb5/src/tests/t_audit.py deleted file mode 100755 index e48f4ebc96b9..000000000000 --- a/crypto/krb5/src/tests/t_audit.py +++ /dev/null @@ -1,27 +0,0 @@ -from k5test import * - -conf = {'plugins': {'audit': { - 'module': 'test:$plugins/audit/test/k5audit_test.so'}}} - -realm = K5Realm(krb5_conf=conf, get_creds=False) -realm.addprinc('target') -realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', realm.host_princ]) - -# Make normal AS and TGS requests so they will be audited. -realm.kinit(realm.host_princ, flags=['-k', '-f']) -realm.run([kvno, 'target']) - -# Make S4U2Self and S4U2Proxy requests so they will be audited. The -# S4U2Proxy request is expected to fail. -realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'], - expected_code=1, expected_msg='KDC can\'t fulfill requested option') - -# Make a U2U request so it will be audited. -uuserver = os.path.join(buildtop, 'appl', 'user_user', 'uuserver') -uuclient = os.path.join(buildtop, 'appl', 'user_user', 'uuclient') -port_arg = str(realm.server_port()) -realm.start_server([uuserver, port_arg], 'Server started') -realm.run([uuclient, hostname, 'testing message', port_arg], - expected_msg='Hello') - -success('Audit tests') 
diff --git a/crypto/krb5/src/tests/t_authdata.py b/crypto/krb5/src/tests/t_authdata.py deleted file mode 100644 index bde1c3684422..000000000000 --- a/crypto/krb5/src/tests/t_authdata.py +++ /dev/null 
@@ -1,362 +0,0 @@ -from k5test import * - -# Load the sample KDC authdata module. Allow renewable tickets. -greet_path = os.path.join(buildtop, 'plugins', 'authdata', 'greet_server', - 'greet_server.so') -conf = {'realms': {'$realm': {'max_life': '20h', 'max_renewable_life': '20h'}}, - 'plugins': {'kdcauthdata': {'module': 'greet:' + greet_path}}} -realm = K5Realm(krb5_conf=conf) - -# With no requested authdata, we expect to see PAC (128) in an -# if-relevant container and the greet authdata in a kdc-issued -# container. -mark('baseline authdata') -out = realm.run(['./adata', realm.host_princ]) -if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out: - fail('expected authdata not seen for basic request') - -# Requested authdata is copied into the ticket, with KDC-only types -# filtered out. (128 is win2k-pac, which should be filtered.) -mark('request authdata') -out = realm.run(['./adata', realm.host_princ, '-5', 'test1', '?-6', 'test2', - '128', 'fakepac', '?128', 'ifrelfakepac', - '^-8', 'fakekdcissued', '?^-8', 'ifrelfakekdcissued']) -if ' -5: test1' not in out or '?-6: test2' not in out: - fail('expected authdata not seen for request with authdata') -if 'fake' in out: - fail('KDC-only authdata not filtered for request with authdata') - -mark('AD-MANDATORY-FOR-KDC') -realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'], - expected_code=1, expected_msg='KDC policy rejects request') - -# The no_auth_data_required server flag should suppress the PAC, but -# not module or request authdata. 
-mark('no_auth_data_required server flag') -realm.run([kadminl, 'ank', '-randkey', '+no_auth_data_required', 'noauth']) -realm.extract_keytab('noauth', realm.keytab) -out = realm.run(['./adata', 'noauth', '-2', 'test']) -if '^-42: Hello' not in out or ' -2: test' not in out: - fail('expected authdata not seen for no_auth_data_required request') -if '128: ' in out: - fail('PAC authdata seen for no_auth_data_required request') - -# Cross-realm TGT requests should not suppress PAC or request -# authdata. -mark('cross-realm') -realm.addprinc('krbtgt/XREALM') -realm.extract_keytab('krbtgt/XREALM', realm.keytab) -out = realm.run(['./adata', 'krbtgt/XREALM', '-3', 'test']) -if '128:' not in out or '^-42: Hello' not in out or ' -3: test' not in out: - fail('expected authdata not seen for cross-realm TGT request') - -mark('pac_privsvr_enctype') -# Change the privsvr enctype and make sure we can still verify the PAC -# on a service ticket in a TGS request. -realm.run([kadminl, 'setstr', realm.host_princ, - 'pac_privsvr_enctype', 'aes128-sha1']) -realm.kinit(realm.user_princ, password('user'), - ['-S', realm.host_princ, '-r', '1h']) -realm.kinit(realm.user_princ, None, ['-S', realm.host_princ, '-R']) -# Remove the attribute and make sure the previously-issued service -# ticket PAC no longer verifies. -realm.run([kadminl, 'delstr', realm.host_princ, 'pac_privsvr_enctype']) -realm.kinit(realm.user_princ, None, ['-S', realm.host_princ, '-R'], - expected_code=1, expected_msg='Message stream modified') - -realm.stop() - -if not pkinit_enabled: - skipped('anonymous ticket authdata tests', 'PKINIT not built') -else: - # Set up a realm with PKINIT support and get anonymous tickets. - realm = K5Realm(krb5_conf=conf, get_creds=False, pkinit=True) - realm.addprinc('WELLKNOWN/ANONYMOUS') - realm.kinit('@%s' % realm.realm, flags=['-n']) - - # PAC and module authdata should be suppressed for anonymous - # tickets, but not request authdata. 
- mark('anonymous') - out = realm.run(['./adata', realm.host_princ, '-4', 'test']) - if ' -4: test' not in out: - fail('expected authdata not seen for anonymous request') - if '128: ' in out or '-42: ' in out: - fail('PAC or greet authdata seen for anonymous request') - -realm.stop() - -# Test authentication indicators. Load the test preauth module so we -# can control the indicators asserted. -testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so') -krb5conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth}, - 'clpreauth': {'module': 'test:' + testpreauth}}} -realm, realm2 = cross_realms(2, args=({'realm': 'LOCAL'}, - {'realm': 'FOREIGN'}), - krb5_conf=krb5conf, get_creds=False) -realm.run([kadminl, 'modprinc', '+requires_preauth', '-maxrenewlife', '2 days', - realm.user_princ]) -realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', realm.host_princ]) -realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', realm.krbtgt_princ]) -realm.extract_keytab(realm.krbtgt_princ, realm.keytab) -realm.extract_keytab(realm.host_princ, realm.keytab) -realm.extract_keytab('krbtgt/FOREIGN', realm.keytab) -realm2.extract_keytab(realm2.krbtgt_princ, realm.keytab) -realm2.extract_keytab(realm2.host_princ, realm.keytab) -realm2.extract_keytab('krbtgt/LOCAL', realm.keytab) - -# AS request to local-realm service -mark('AS-REQ to local service auth indicator') -realm.kinit(realm.user_princ, password('user'), - ['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ]) -realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') - -# Ticket modification request -mark('ticket modification auth indicator') -realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ]) -realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') - -# AS request to cross TGT -mark('AS-REQ to cross TGT auth indicator') -realm.kinit(realm.user_princ, password('user'), - ['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN']) 
-realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]') - -# Multiple indicators -mark('AS multiple indicators') -realm.kinit(realm.user_princ, password('user'), - ['-X', 'indicators=indcl indcl2 indcl3']) -realm.run(['./adata', realm.krbtgt_princ], - expected_msg='+97: [indcl, indcl2, indcl3]') - -# AS request to local TGT (resulting creds are used for TGS tests) -mark('AS-REQ to local TGT auth indicator') -realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl']) -realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [indcl]') - -# Local TGS request for local realm service -mark('TGS-REQ to local service auth indicator') -realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') - -# Local TGS request for cross TGT service -mark('TGS-REQ to cross TGT auth indicator') -realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]') - -# We don't yet have support for passing auth indicators across realms, -# so just verify that indicators don't survive cross-realm requests. -mark('TGS-REQ to foreign service auth indicator') -out = realm.run(['./adata', realm2.krbtgt_princ]) -if '97:' in out: - fail('auth-indicator seen in cross TGT request to local TGT') -out = realm.run(['./adata', 'krbtgt/LOCAL@FOREIGN']) -if '97:' in out: - fail('auth-indicator seen in cross TGT request to cross TGT') -out = realm.run(['./adata', realm2.host_princ]) -if '97:' in out: - fail('auth-indicator seen in cross TGT request to service') - -# Test that the CAMMAC signature still works during a krbtgt rollover. -mark('CAMMAC signature across krbtgt rollover') -realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ]) -realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') - -# Test indicator enforcement. 
-mark('auth indicator enforcement') -realm.addprinc('restricted') -realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong']) -realm.kinit(realm.user_princ, password('user'), ['-S', 'restricted'], - expected_code=1, expected_msg='KDC policy rejects request') -realm.run([kvno, 'restricted'], expected_code=1, - expected_msg='KDC policy rejects request') -realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl']) -realm.run([kvno, 'restricted']) -realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=ind1 ind2']) -realm.run([kvno, 'restricted'], expected_code=1) -realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'a b c ind2']) -realm.run([kvno, 'restricted']) - -# Regression test for one manifestation of #8139: ensure that -# forwarded TGTs obtained across a TGT re-key still work when the -# preferred krbtgt enctype changes. -mark('#8139 regression test') -realm.kinit(realm.user_princ, password('user'), ['-f']) -realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'des3-cbc-sha1', - realm.krbtgt_princ]) -realm.run(['./forward']) -realm.run([kvno, realm.host_princ]) - -# Repeat the above test using a renewed TGT. -mark('#8139 regression test (renewed TGT)') -realm.kinit(realm.user_princ, password('user'), ['-r', '2d']) -realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes128-cts', - realm.krbtgt_princ]) -realm.kinit(realm.user_princ, None, ['-R']) -realm.run([kvno, realm.host_princ]) - -realm.stop() -realm2.stop() - -# Load the test KDB module to allow successful S4U2Proxy -# auth-indicator requests and to detect whether replaced_reply_key is -# set. 
-testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'}, - 'krbtgt/FOREIGN': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}, - 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}, - 'rservice': {'keys': 'aes128-cts', - 'strings': 'require_auth:strong'}, - 'service/1': {'keys': 'aes128-cts', - 'flags': '+ok_to_auth_as_delegate'}, - 'service/2': {'keys': 'aes128-cts'}, - 'noauthdata': {'keys': 'aes128-cts', - 'flags': '+no_auth_data_required'}} -kdcconf = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': testprincs, - 'delegation': {'service/1': 'service/2'}}}} -realm = K5Realm(krb5_conf=krb5conf, kdc_conf=kdcconf, create_kdb=False, - pkinit=True) -usercache = 'FILE:' + os.path.join(realm.testdir, 'usercache') -realm.extract_keytab(realm.krbtgt_princ, realm.keytab) -realm.extract_keytab('krbtgt/FOREIGN', realm.keytab) -realm.extract_keytab(realm.user_princ, realm.keytab) -realm.extract_keytab('ruser', realm.keytab) -realm.extract_keytab('service/1', realm.keytab) -realm.extract_keytab('service/2', realm.keytab) -realm.extract_keytab('noauthdata', realm.keytab) -realm.start_kdc() - -if not pkinit_enabled: - skipped('replaced_reply_key test', 'PKINIT not built') -else: - # Check that replaced_reply_key is set in issue_pac() when PKINIT - # is used. The test KDB module will indicate this by including a - # fake PAC_CREDENTIAL_INFO(2) buffer in the PAC. 
- mark('PKINIT (replaced_reply_key set)') - realm.pkinit(realm.user_princ) - realm.run(['./adata', realm.krbtgt_princ], - expected_msg='?128: [1, 2, 6, 7, 10]') - -# S4U2Self (should have no indicators since client did not authenticate) -mark('S4U2Self (no auth indicators expected)') -realm.kinit('service/1', None, ['-k', '-f', '-X', 'indicators=inds1']) -realm.run([kvno, '-U', 'user', 'service/1']) -out = realm.run(['./adata', '-p', realm.user_princ, 'service/1']) -if '97:' in out: - fail('auth-indicator present in S4U2Self response') - -# Get another S4U2Self ticket with requested authdata. -realm.run(['./s4u2self', 'user', 'service/1', '-', '-2', 'self_ad']) -realm.run(['./adata', '-p', realm.user_princ, 'service/1', '-2', 'self_ad'], - expected_msg=' -2: self_ad') - -# S4U2Proxy (indicators should come from evidence ticket, not TGT) -mark('S4U2Proxy (auth indicators from evidence ticket expected)') -realm.kinit(realm.user_princ, None, ['-k', '-f', '-X', 'indicators=indcl', - '-S', 'service/1', '-c', usercache]) -realm.run(['./s4u2proxy', usercache, 'service/2']) -out = realm.run(['./adata', '-p', realm.user_princ, 'service/2']) -if '+97: [indcl]' not in out or '[inds1]' in out: - fail('correct auth-indicator not seen for S4U2Proxy req') -# Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included. -if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out: - fail('PAC with delegation info not seen for S4U2Proxy req') - -# Get another S4U2Proxy ticket including request-authdata. -realm.run(['./s4u2proxy', usercache, 'service/2', '-2', 'proxy_ad']) -realm.run(['./adata', '-p', realm.user_princ, 'service/2', '-2', 'proxy_ad'], - expected_msg=' -2: proxy_ad') - -# Get an S4U2Proxy ticket using an evidence ticket obtained by S4U2Self, -# with request authdata in both steps. 
-realm.run(['./s4u2self', 'user2', 'service/1', usercache, '-2', 'self_ad']) -realm.run(['./s4u2proxy', usercache, 'service/2', '-2', 'proxy_ad']) -out = realm.run(['./adata', '-p', 'user2', 'service/2', '-2', 'proxy_ad']) -if ' -2: self_ad' not in out or ' -2: proxy_ad' not in out: - fail('expected authdata not seen in S4U2Proxy ticket') - -# Test alteration of auth indicators by KDB module (AS and TGS). -realm.kinit(realm.user_princ, None, ['-k', '-X', 'indicators=dummy dbincr1']) -realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [dbincr2]') -realm.run(['./adata', 'service/1'], expected_msg='+97: [dbincr3]') -realm.kinit(realm.user_princ, None, - ['-k', '-X', 'indicators=strong', '-S', 'rservice']) -# Test enforcement of altered indicators during AS request. -realm.kinit(realm.user_princ, None, - ['-k', '-X', 'indicators=strong dbincr1', '-S', 'rservice'], - expected_code=1) - -# Test that the PAC is suppressed in an AS request by a negative PAC -# request. -mark('AS-REQ PAC client supression') -realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac']) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '128:' in out: - fail('PAC not suppressed by --no-request-pac') - -mark('S4U2Proxy with a foreign client') - -a_princs = {'krbtgt/A': {'keys': 'aes128-cts'}, - 'krbtgt/B': {'keys': 'aes128-cts'}, - 'impersonator': {'keys': 'aes128-cts'}, - 'impersonator2': {'keys': 'aes128-cts'}, - 'resource': {'keys': 'aes128-cts'}} -a_kconf = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'delegation': {'impersonator' : 'resource'}, - 'princs': a_princs, - 'alias': {'service/rb.b': '@B'}}}} - -b_princs = {'krbtgt/B': {'keys': 'aes128-cts'}, - 'krbtgt/A': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}, - 'rb': {'keys': 'aes128-cts'}} -b_kconf = {'realms': {'$realm': {'database_module': 'test'}}, - 'dbmodules': {'test': {'db_library': 'test', - 'princs': b_princs, - 'rbcd': 
{'rb@B': 'impersonator2@A'}, - 'alias': {'service/rb.b': 'rb', - 'impersonator2@A': '@A'}}}} - -ra, rb = cross_realms(2, xtgts=(), - args=({'realm': 'A', 'kdc_conf': a_kconf}, - {'realm': 'B', 'kdc_conf': b_kconf}), - create_kdb=False) - -ra.start_kdc() -rb.start_kdc() - -ra.extract_keytab('impersonator@A', ra.keytab) -ra.extract_keytab('impersonator2@A', ra.keytab) -rb.extract_keytab('user@B', rb.keytab) - -usercache = 'FILE:' + os.path.join(rb.testdir, 'usercache') -rb.kinit(rb.user_princ, None, ['-k', '-f', '-c', usercache]) -rb.run([kvno, '-C', 'impersonator@A', '-c', usercache]) - -ra.kinit('impersonator@A', None, ['-f', '-k', '-t', ra.keytab]) -ra.run(['./s4u2proxy', usercache, 'resource@A']) - -mark('Cross realm S4U authdata tests') - -ra.kinit('impersonator2@A', None, ['-f', '-k', '-t', ra.keytab]) -ra.run(['./s4u2self', rb.user_princ, 'impersonator2@A', usercache, '-2', - 'cross_s4u_self_ad']) -out = ra.run(['./adata', '-c', usercache, '-p', rb.user_princ, - 'impersonator2@A', '-2', 'cross_s4u_self_ad']) -if out.count(' -2: cross_s4u_self_ad') != 1: - fail('expected one cross_s4u_self_ad, got: %s' % count) - -ra.run(['./s4u2proxy', usercache, 'service/rb.b', '-2', - 'cross_s4u_proxy_ad']) -rb.extract_keytab('service/rb.b', ra.keytab) -out = ra.run(['./adata', '-p', rb.user_princ, 'service/rb.b', '-2', - 'cross_s4u_proxy_ad']) -if out.count(' -2: cross_s4u_self_ad') != 1: - fail('expected one cross_s4u_self_ad, got: %s' % count) -if out.count(' -2: cross_s4u_proxy_ad') != 1: - fail('expected one cross_s4u_proxy_ad, got: %s' % count) - -ra.stop() -rb.stop() - -success('Authorization data tests') diff --git a/crypto/krb5/src/tests/t_bogus_kdc_req.py b/crypto/krb5/src/tests/t_bogus_kdc_req.py deleted file mode 100755 index a101c0e1010b..000000000000 --- a/crypto/krb5/src/tests/t_bogus_kdc_req.py +++ /dev/null 
@@ -1,42 +0,0 @@
-import base64
-import socket
-from k5test import *
-
-realm = K5Realm()
-
-# Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
-# and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
-# from failures in decode_krb5_as_req() and decode_krb5_tgs_req().
-
-s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-a = (hostname, realm.portbase)
-
-
-# Bogus AS-REQ
-
-x1 = base64.b16decode('6AFF')
-s.sendto(x1, a)
-
-# Make sure kinit still works.
-
-realm.kinit(realm.user_princ, password('user'))
-
-# Bogus TGS-REQ
-
-x2 = base64.b16decode('6CFF')
-s.sendto(x2, a)
-
-# Make sure kinit still works.
-
-realm.kinit(realm.user_princ, password('user'))
-
-# Not a KDC-REQ, even a little bit
-
-x3 = base64.b16decode('FFFF')
-s.sendto(x3, a)
-
-# Make sure kinit still works.
-
-realm.kinit(realm.user_princ, password('user'))
-
-success('Bogus KDC-REQ test')
diff --git a/crypto/krb5/src/tests/t_ccache.py b/crypto/krb5/src/tests/t_ccache.py
deleted file mode 100755
index 11c94976ba5b..000000000000
--- a/crypto/krb5/src/tests/t_ccache.py
+++ /dev/null
@@ -1,202 +0,0 @@
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-import tempfile
-
-socketdir = tempfile.TemporaryDirectory()
-kcm_socket_path = os.path.join(socketdir.name, 'kcm')
-conf = {'libdefaults': {'kcm_socket': kcm_socket_path,
- 'kcm_mach_service': '-'}}
-realm = K5Realm(krb5_conf=conf)
-
-realm.addprinc('contest')
-realm.extract_keytab('contest', realm.keytab)
-realm.run(['./conccache', realm.ccache + '.contest', 'contest',
- realm.host_princ])
-
-keyctl = which('keyctl')
-out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
-test_keyring = (keyctl is not None and
- 'Unknown credential cache type' not in out)
-if not test_keyring:
- skipped('keyring ccache tests', 'keyring support not built')
-
-# Test kdestroy and klist of a non-existent ccache.
-mark('no ccache')
-realm.run([kdestroy])
-realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
-
-# Test kinit with an inaccessible ccache.
-mark('inaccessible ccache')
-realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
- expected_code=1, expected_msg='Failed to store credentials')
-
-# Test klist -s with a single ccache.
-mark('klist -s single ccache')
-realm.run([klist, '-s'], expected_code=1)
-realm.kinit(realm.user_princ, password('user'))
-realm.run([klist, '-s'])
-realm.kinit(realm.user_princ, password('user'), ['-l', '-10s'])
-realm.run([klist, '-s'], expected_code=1)
-realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
-realm.run([klist, '-s'])
-realm.run([kdestroy])
-realm.run([klist, '-s'], expected_code=1)
-
-realm.addprinc('alice', password('alice'))
-realm.addprinc('bob', password('bob'))
-realm.addprinc('carol', password('carol'))
-realm.addprinc('doug', password('doug'))
-
-def collection_test(realm, ccname):
- cctype = ccname.partition(':')[0]
- oldccname = realm.env['KRB5CCNAME']
- realm.env['KRB5CCNAME'] = ccname
-
- mark('%s collection, single cache' % cctype)
- realm.run([klist, '-A', '-s'], expected_code=1)
- realm.kinit('alice', password('alice'))
- realm.run([klist], expected_msg='Default principal: alice@')
- realm.run([klist, '-A', '-s'])
- realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')
- realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')
- out = realm.run([klist])
- if out.count(realm.host_princ) != 1:
- fail('Wrong number of service tickets in cache')
- realm.run([kdestroy])
- output = realm.run([klist], expected_code=1)
- if 'No credentials cache' not in output and 'not found' not in output:
- fail('Initial kdestroy failed to destroy primary cache.')
- output = realm.run([klist, '-l'], expected_code=1)
- if not output.endswith('---\n') or output.count('\n') != 2:
- fail('Initial kdestroy failed to empty cache collection.')
- realm.run([klist, '-A', '-s'], expected_code=1)
-
- mark('%s collection, multiple caches' % cctype)
- realm.kinit('alice', password('alice'))
- realm.kinit('carol', password('carol'))
- output = realm.run([klist, '-l'])
- if '---\ncarol@' not in output or '\nalice@' not in output:
- fail('klist -l did not show expected output after two kinits.')
- realm.kinit('alice', password('alice'))
- output = realm.run([klist, '-l'])
- if '---\nalice@' not in output or output.count('\n') != 4:
- fail('klist -l did not show expected output after re-kinit for alice.')
- realm.kinit('doug', password('doug'))
- realm.kinit('bob', password('bob'))
- output = realm.run([klist, '-A', ccname])
- if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
- 'carol@' not in output or 'doug@' not in output or \
- output.count('Default principal:') != 4:
- fail('klist -A did not show expected output after kinit doug+bob.')
- realm.run([kswitch, '-p', 'carol'])
- output = realm.run([klist, '-l'])
- if '---\ncarol@' not in output or output.count('\n') != 6:
- fail('klist -l did not show expected output after kswitch to carol.')
-
- # Switch to specifying the collection name on the command line
- # (only works with klist/kdestroy for now, not kinit/kswitch).
- realm.env['KRB5CCNAME'] = oldccname
-
- mark('%s collection, command-line specifier' % cctype)
- realm.run([kdestroy, '-c', ccname])
- output = realm.run([klist, '-l', ccname])
- if 'carol@' in output or 'bob@' not in output or output.count('\n') != 5:
- fail('kdestroy failed to remove only primary ccache.')
- realm.run([klist, '-s', ccname], expected_code=1)
- realm.run([klist, '-A', '-s', ccname])
- realm.run([kdestroy, '-p', 'alice', '-c', ccname])
- output = realm.run([klist, '-l', ccname])
- if 'alice@' in output or 'bob@' not in output or output.count('\n') != 4:
- fail('kdestroy -p failed to remove alice')
- realm.run([kdestroy, '-A', '-c', ccname])
- output = realm.run([klist, '-l', ccname], expected_code=1)
- if not output.endswith('---\n') or output.count('\n') != 2:
- fail('kdestroy -a failed to empty cache collection.')
- realm.run([klist, '-A', '-s', ccname], expected_code=1)
-
-
-collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
-
-# Test KCM with and without RETRIEVE and GET_CRED_LIST support.
-kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py')
-kcmd = realm.start_server([sys.executable, kcmserver_path, kcm_socket_path],
- 'starting...')
-collection_test(realm, 'KCM:')
-stop_daemon(kcmd)
-os.remove(kcm_socket_path)
-realm.start_server([sys.executable, kcmserver_path, '-f', kcm_socket_path],
- 'starting...')
-collection_test(realm, 'KCM:')
-
-if test_keyring:
- def cleanup_keyring(anchor, name):
- out = realm.run(['keyctl', 'list', anchor])
- if ('keyring: ' + name + '\n') in out:
- keyid = realm.run(['keyctl', 'search', anchor, 'keyring', name])
- realm.run(['keyctl', 'unlink', keyid.strip(), anchor])
-
- # Use realm.testdir as the collection name to avoid conflicts with
- # other build trees.
- cname = realm.testdir
- col_ringname = '_krb_' + cname
-
- cleanup_keyring('@s', col_ringname)
- collection_test(realm, 'KEYRING:session:' + cname)
- cleanup_keyring('@s', col_ringname)
-
- # Test legacy keyring cache linkage.
- mark('legacy keyring cache linkage')
- realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
- realm.run([kdestroy, '-A'])
- realm.kinit(realm.user_princ, password('user'))
- msg = 'KEYRING:legacy:' + cname + ':' + cname
- realm.run([klist, '-l'], expected_msg=msg)
- # Make sure this cache is linked to the session keyring.
- id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
- realm.run([keyctl, 'list', id.strip()],
- expected_msg='user: __krb5_princ__')
- # Remove the collection keyring. When the collection is
- # reinitialized, the legacy cache should reappear inside it
- # automatically as the primary cache.
- cleanup_keyring('@s', col_ringname)
- realm.run([klist], expected_msg=realm.user_princ)
- coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
- msg = id.strip() + ':'
- realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg)
- # Destroy the cache and check that it is unlinked from the session keyring.
- realm.run([kdestroy])
- realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
- cleanup_keyring('@s', col_ringname)
-
-# Test parameter expansion in default_ccache_name
-mark('default_ccache_name parameter expansion')
-realm.stop()
-conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
-realm = K5Realm(krb5_conf=conf, create_kdb=False)
-del realm.env['KRB5CCNAME']
-uidstr = str(os.getuid())
-msg = 'testdir/abc%s' % uidstr
-realm.run([klist], expected_code=1, expected_msg=msg)
-
-success('Credential cache tests')
diff --git a/crypto/krb5/src/tests/t_certauth.py b/crypto/krb5/src/tests/t_certauth.py
deleted file mode 100644
index 82a98a81c4fc..000000000000
--- a/crypto/krb5/src/tests/t_certauth.py
+++ /dev/null
@@ -1,65 +0,0 @@
-from k5test import *
-
-# Skip this test if pkinit wasn't built.
-if not pkinit_enabled:
- skip_rest('certauth tests', 'PKINIT module not built')
-
-modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
- 'certauth_test.so')
-krb5_conf = {'plugins': {'certauth': {
- 'module': ['test1:' + modpath, 'test2:' + modpath, 'test3:' + modpath],
- 'enable_only': ['test1', 'test2', 'test3']}}}
-kdc_conf = {'realms': {'$realm': {
- 'default_principal_flags': '+preauth',
- 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
-
-realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, get_creds=False,
- pkinit=True)
-realm.addprinc('nocert')
-
-def check_indicators(inds):
- msg = '+97: [%s]' % inds
- realm.run(['./adata', realm.host_princ], expected_msg=msg)
-
-# Test that authentication fails if no module accepts.
-realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch')
-
-# Let the test2 module match user to CN=user, with indicators.
-realm.pkinit(realm.user_princ)
-realm.klist(realm.user_princ)
-check_indicators('test1, test2, user, indpkinit1, indpkinit2')
-
-# Let the test2 module mismatch with user2 to CN=user.
-realm.addprinc('user2@KRBTEST.COM')
-realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')
-
-# Test the KRB5_CERTAUTH_HWAUTH return code.
-mark('hw-authent flag tests')
-# First test +requires_hwauth without causing the hw-authent ticket
-# flag to be set. This currently results in a preauth loop.
-realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])
-realm.pkinit(realm.user_princ, expected_code=1,
- expected_msg='Looping detected')
-# Cause the test3 module to return KRB5_CERTAUTH_HWAUTH and try again.
-# Authentication should succeed whether or not another module accepts,
-# but not if another module rejects.
-realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'ok'])
-realm.run([kadminl, 'setstr', 'user2', 'hwauth', 'ok'])
-realm.run([kadminl, 'setstr', 'nocert', 'hwauth', 'ok'])
-realm.pkinit(realm.user_princ)
-check_indicators('test1, test2, user, hwauth:ok, indpkinit1, indpkinit2')
-realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')
-realm.pkinit('nocert')
-check_indicators('test1, hwauth:ok, indpkinit1, indpkinit2')
-
-# Cause the test3 module to return KRB5_CERTAUTH_HWAUTH_PASS and try
-# again. Authentication should succeed only if another module accepts.
-realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'pass'])
-realm.run([kadminl, 'setstr', 'user2', 'hwauth', 'pass'])
-realm.run([kadminl, 'setstr', 'nocert', 'hwauth', 'pass'])
-realm.pkinit(realm.user_princ)
-check_indicators('test1, test2, user, hwauth:pass, indpkinit1, indpkinit2')
-realm.pkinit('user2', expected_code=1, expected_msg='Certificate mismatch')
-realm.pkinit('nocert', expected_code=1, expected_msg='Client name mismatch')
-
-success("certauth tests")
diff --git a/crypto/krb5/src/tests/t_changepw.py b/crypto/krb5/src/tests/t_changepw.py
deleted file mode 100755
index 7e8a66397713..000000000000
--- a/crypto/krb5/src/tests/t_changepw.py
+++ /dev/null
@@ -1,70 +0,0 @@
-from k5test import *
-
-# Also listen on a UNIX domain sockets for kpasswd.
-unix_conf = {'realms': {'$realm': {
- 'kdc_listen': '$port0, $testdir/krb5.sock',
- 'kadmind_listen': '$port1, $testdir/kadmin.sock',
- 'kpasswd_listen': '$port2, $testdir/kpasswd.sock'}}}
-realm = K5Realm(create_host=False,get_creds=False, kdc_conf=unix_conf)
-realm.start_kadmind()
-realm.prep_kadmin()
-
-# Mark a principal as expired and change its password through kinit.
-mark('password change via kinit')
-realm.run([kadminl, 'modprinc', '-pwexpire', '1 day ago', 'user'])
-pwinput = password('user') + '\nabcd\nabcd\n'
-realm.run([kinit, realm.user_princ], input=pwinput)
-
-# Regression test for #7868 (preauth options ignored when
-# krb5_get_init_creds_password() initiates a password change). This
-# time use the REQUIRES_PWCHANGE bit instead of the password
-# expiration time.
-mark('password change via kinit with FAST')
-realm.run([kadminl, 'modprinc', '+needchange', 'user'])
-pwinput = 'abcd\nefgh\nefgh\n'
-out, trace = realm.run([kinit, '-T', realm.ccache, realm.user_princ],
- input=pwinput, return_trace=True)
-# Check that FAST was used when getting the kadmin/changepw ticket.
-getting_changepw = fast_used_for_changepw = False
-for line in trace.splitlines():
- if 'Getting initial credentials for user@' in line:
- getting_changepw_ticket = False
- if 'Setting initial creds service to kadmin/changepw' in line:
- getting_changepw_ticket = True
- if getting_changepw_ticket and 'Using FAST' in line:
- fast_used_for_changepw = True
-if not fast_used_for_changepw:
- fail('FAST was not used to get kadmin/changepw ticket')
-
-# Test that passwords specified via kadmin and kpasswd are usable with
-# kinit.
-mark('password change usability by kinit')
-realm.run([kadminl, 'addprinc', '-pw', 'pw1', 'testprinc'])
-# Run kpasswd with an active cache to exercise automatic FAST use.
-realm.kinit('testprinc', 'pw1')
-realm.run([kpasswd, 'testprinc'], input='pw1\npw2\npw2\n')
-realm.kinit('testprinc', 'pw2')
-realm.run([kdestroy])
-realm.run([kpasswd, 'testprinc'], input='pw2\npw3\npw3\n')
-realm.kinit('testprinc', 'pw3')
-realm.run([kdestroy])
-realm.run_kadmin(['cpw', '-pw', 'pw4', 'testprinc'])
-realm.kinit('testprinc', 'pw4')
-realm.run([kdestroy])
-realm.run([kadminl, 'delprinc', 'testprinc'])
-
-mark('password change over UNIX domain socket')
-
-unix_cli_conf = {'realms': {'$realm': {
- 'kdc': '$testdir/krb5.sock',
- 'admin_server': '$testdir/kadmin.sock',
- 'kpasswd_server': '$testdir/kpasswd.sock'}}}
-unix_cli = realm.special_env('unix_cli', False, krb5_conf=unix_cli_conf)
-
-realm.run([kadminl, 'addprinc', '-pw', 'pw1', 'testprinc'])
-msgs = ('Sending TCP request to UNIX domain socket',)
-realm.run([kpasswd, 'testprinc'], input='pw1\npw2\npw2\n', env=unix_cli,
- expected_trace=msgs)
-realm.run([kadminl, 'delprinc', 'testprinc'])
-
-success('Password change tests')
diff --git a/crypto/krb5/src/tests/t_crossrealm.py b/crypto/krb5/src/tests/t_crossrealm.py
deleted file mode 100755
index 28b397cfb7aa..000000000000
--- a/crypto/krb5/src/tests/t_crossrealm.py
+++ /dev/null
@@ -1,192 +0,0 @@
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-
-def test_kvno(r, princ, test, env=None):
- r.run([kvno, princ], env=env, expected_msg=princ)
-
-
-def stop(*realms):
- for r in realms:
- r.stop()
-
-
-# Verify that the princs appear as the service principals in the klist
-# output for the realm r, in order.
-def check_klist(r, princs):
- out = r.run([klist])
- count = 0
- seen_header = False
- for l in out.split('\n'):
- if l.startswith('Valid starting'):
- seen_header = True
- continue
- if not seen_header or l == '':
- continue
- if count >= len(princs):
- fail('too many entries in klist output')
- svcprinc = l.split()[4]
- if svcprinc != princs[count]:
- fail('saw service princ %s in klist output, expected %s' %
- (svcprinc, princs[count]))
- count += 1
- if count != len(princs):
- fail('not enough entries in klist output')
-
-
-def tgt(r1, r2):
- return 'krbtgt/%s@%s' % (r1.realm, r2.realm)
-
-
-# Basic two-realm test with cross TGTs in both directions.
-mark('two realms')
-r1, r2 = cross_realms(2)
-test_kvno(r1, r2.host_princ, 'basic r1->r2')
-check_klist(r1, (tgt(r1, r1), tgt(r2, r1), r2.host_princ))
-test_kvno(r2, r1.host_princ, 'basic r2->r1')
-check_klist(r2, (tgt(r2, r2), tgt(r1, r2), r1.host_princ))
-stop(r1, r2)
-
-# Test the KDC domain walk for hierarchically arranged realms. The
-# client in A.X will ask for a cross TGT to B.X, but A.X's KDC only
-# has a TGT for the intermediate realm X, so it will return that
-# instead. The client will use that to get a TGT for B.X.
-mark('hierarchical realms')
-r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A.X'}, {'realm': 'X'},
- {'realm': 'B.X'}))
-test_kvno(r1, r3.host_princ, 'KDC domain walk')
-check_klist(r1, (tgt(r1, r1), r3.host_princ))
-
-# Test start_realm in this setup.
-r1.run([kvno, '--out-cache', r1.ccache, r2.krbtgt_princ])
-r1.run([klist, '-C'], expected_msg='config: start_realm = X')
-msgs = ('Requesting TGT krbtgt/B.X@X using TGT krbtgt/X@X',
- 'Received TGT for service realm: krbtgt/B.X@X')
-r1.run([kvno, r3.host_princ], expected_trace=msgs)
-
-stop(r1, r2, r3)
-
-# Test client capaths. The client in A will ask for a cross TGT to D,
-# but A's KDC won't have it and won't know an intermediate to return.
-# The client will walk its A->D capaths to get TGTs for B, then C,
-# then D. The KDCs for C and D need capaths settings to avoid failing
-# transited checks, including a capaths for A->C.
-mark('client capaths')
-capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}}}
-r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- args=({'realm': 'A'},
- {'realm': 'B'},
- {'realm': 'C', 'krb5_conf': capaths},
- {'realm': 'D', 'krb5_conf': capaths}))
-r1client = r1.special_env('client', False, krb5_conf=capaths)
-test_kvno(r1, r4.host_princ, 'client capaths', r1client)
-check_klist(r1, (tgt(r1, r1), tgt(r2, r1), tgt(r3, r2), tgt(r4, r3),
- r4.host_princ))
-stop(r1, r2, r3, r4)
-
-# Test KDC capaths. The KDCs for A and B have appropriate capaths
-# settings to determine intermediate TGTs to return, but the client
-# has no idea.
-mark('kdc capaths')
-capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}}
-r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- args=({'realm': 'A', 'krb5_conf': capaths},
- {'realm': 'B', 'krb5_conf': capaths},
- {'realm': 'C', 'krb5_conf': capaths},
- {'realm': 'D', 'krb5_conf': capaths}))
-r1client = r1.special_env('client', False, krb5_conf={'capaths': None})
-test_kvno(r1, r4.host_princ, 'KDC capaths', r1client)
-check_klist(r1, (tgt(r1, r1), r4.host_princ))
-stop(r1, r2, r3, r4)
-
-# A capaths value of '.' should enforce direct cross-realm, with no
-# intermediate.
-mark('direct cross-realm enforcement')
-capaths = {'capaths': {'A.X': {'B.X': '.'}}}
-r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A.X', 'krb5_conf': capaths},
- {'realm': 'X'}, {'realm': 'B.X'}))
-r1.run([kvno, r3.host_princ], expected_code=1,
- expected_msg='Server krbtgt/B.X@A.X not found in Kerberos database')
-stop(r1, r2, r3)
-
-# Test transited error. The KDC for C does not recognize B as an
-# intermediate realm for A->C, so it refuses to issue a service
-# ticket.
-mark('transited error (three realms)')
-capaths = {'capaths': {'A': {'C': 'B'}}}
-r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A', 'krb5_conf': capaths},
- {'realm': 'B'}, {'realm': 'C'}))
-r1.run([kvno, r3.host_princ], expected_code=1,
- expected_msg='KDC policy rejects request')
-check_klist(r1, (tgt(r1, r1), tgt(r3, r2)))
-stop(r1, r2, r3)
-
-# Test server transited checking. The KDC for C recognizes B as an
-# intermediate realm for A->C, but the server environment does not.
-# The server should honor the ticket if the transited-policy-checked
-# flag is set, but not if it isn't. (It is only possible for our KDC
-# to issue a ticket without the transited-policy-checked flag with
-# reject_bad_transit=false.)
-mark('server transited checking')
-capaths = {'capaths': {'A': {'C': 'B'}}}
-noreject = {'realms': {'$realm': {'reject_bad_transit': 'false'}}}
-r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A', 'krb5_conf': capaths},
- {'realm': 'B'},
- {'realm': 'C', 'krb5_conf': capaths,
- 'kdc_conf': noreject}))
-r3server = r3.special_env('server', False, krb5_conf={'capaths': None})
-# Process a ticket with the transited-policy-checked flag set.
-shutil.copy(r1.ccache, r1.ccache + '.copy')
-r1.run(['./gcred', 'principal', r3.host_princ])
-os.rename(r1.ccache, r3.ccache)
-r3.run(['./rdreq', r3.host_princ], env=r3server, expected_msg='0 success')
-# Try again with the transited-policy-checked flag unset.
-os.rename(r1.ccache + '.copy', r1.ccache)
-r1.run(['./gcred', '-t', 'principal', r3.host_princ])
-os.rename(r1.ccache, r3.ccache)
-r3.run(['./rdreq', r3.host_princ], env=r3server,
- expected_msg='43 Illegal cross-realm ticket')
-stop(r1, r2, r3)
-
-# Test a four-realm scenario. This test used to result in an "Illegal
-# cross-realm ticket" error as the KDC for D would refuse to process
-# the cross-realm ticket from C. Now that we honor the
-# transited-policy-checked flag in krb5_rd_req(), it instead issues a
-# policy error as in the three-realm scenario.
-mark('transited error (four realms)')
-capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}}
-r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- args=({'realm': 'A', 'krb5_conf': capaths},
- {'realm': 'B', 'krb5_conf': capaths},
- {'realm': 'C', 'krb5_conf': capaths},
- {'realm': 'D'}))
-r1.run([kvno, r4.host_princ], expected_code=1,
- expected_msg='KDC policy rejects request')
-check_klist(r1, (tgt(r1, r1), tgt(r4, r3)))
-stop(r1, r2, r3, r4)
-
-success('Cross-realm tests')
diff --git a/crypto/krb5/src/tests/t_cve-2012-1014.py b/crypto/krb5/src/tests/t_cve-2012-1014.py
deleted file mode 100755
index 8447e0ee7d91..000000000000
--- a/crypto/krb5/src/tests/t_cve-2012-1014.py
+++ /dev/null
@@ -1,29 +0,0 @@
-import base64
-import socket
-from k5test import *
-
-realm = K5Realm()
-
-# CVE-2012-1014 KDC dereferences uninitialized pointer
-
-# Affects only krb5-1.10.x.
-
-s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-a = (hostname, realm.portbase)
-
-x1 = base64.b16decode('6A5E305BA103020105A2030201')
-x2 = base64.b16decode('A44F304DA007030500FEDCBA90A10E30' +
- '0CA003020101A10530031B0141A2031B' +
- '0141A30E300CA003020101A10530031B' +
- '0141A511180F31393934303631303036' +
- '303331375AA70302012AA80530030201' +
- '01')
-
-for x in range(11, 128):
- s.sendto(x1 + bytes([x]) + x2, a)
-
-# Make sure kinit still works.
-
-realm.kinit(realm.user_princ, password('user'))
-
-success('CVE-2012-1014 regression test')
diff --git a/crypto/krb5/src/tests/t_cve-2012-1015.py b/crypto/krb5/src/tests/t_cve-2012-1015.py
deleted file mode 100755
index ae5678cac0b5..000000000000
--- a/crypto/krb5/src/tests/t_cve-2012-1015.py
+++ /dev/null
@@ -1,36 +0,0 @@
-import base64
-import socket
-from k5test import *
-
-realm = K5Realm()
-
-# CVE-2012-1015 KDC frees uninitialized pointer
-
-# Force a failure in krb5_c_make_checksum(), which causes the cleanup
-# code in kdc_handle_protected_negotiation() to free an uninitialized
-# pointer in an unpatched KDC.
-
-s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-a = (hostname, realm.portbase)
-
-x1 = base64.b16decode('6A81A030819DA103020105A20302010A' +
- 'A30E300C300AA10402020095A2020400' +
- 'A48180307EA00703050000000000A120' +
- '301EA003020101A11730151B066B7262' +
- '7467741B0B4B5242544553542E434F4D' +
- 'A20D1B0B4B5242544553542E434F4DA3' +
- '20301EA003020101A11730151B066B72' +
- '627467741B0B4B5242544553542E434F' +
- '4DA511180F3139393430363130303630' +
- '3331375AA7030201')
-
-x2 = base64.b16decode('A8083006020106020112')
-
-for x in range(0, 128):
- s.sendto(x1 + bytes([x]) + x2, a)
-
-# Make sure kinit still works.
-
-realm.kinit(realm.user_princ, password('user'))
-
-success('CVE-2012-1015 regression test')
diff --git a/crypto/krb5/src/tests/t_cve-2013-1416.py b/crypto/krb5/src/tests/t_cve-2013-1416.py
deleted file mode 100755
index 8c4391a86cd2..000000000000
--- a/crypto/krb5/src/tests/t_cve-2013-1416.py
+++ /dev/null
@@ -1,13 +0,0 @@
-from k5test import *
-
-realm = K5Realm()
-
-# CVE-2013-1416 KDC dereferences null pointer
-
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, '/test'], expected_code=1)
-realm.run([kvno, 'test/'], expected_code=1)
-realm.run([kvno, '/'], expected_code=1)
-# Make sure KDC is still running.
-realm.kinit(realm.user_princ, password('user'))
-success('CVE-2013-1416 regression test')
diff --git a/crypto/krb5/src/tests/t_cve-2013-1417.py b/crypto/krb5/src/tests/t_cve-2013-1417.py
deleted file mode 100755
index ce47d21ca7b2..000000000000
--- a/crypto/krb5/src/tests/t_cve-2013-1417.py
+++ /dev/null
@@ -1,11 +0,0 @@
-from k5test import *
-
-realm = K5Realm(realm='TEST')
-
-# CVE-2013-1417 KDC dereferences null pointer
-
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, '-S', 'host', 'example.com'], expected_code=1)
-# Make sure KDC is still running.
-realm.kinit(realm.user_princ, password('user'))
-success('CVE-2013-1417 regression test')
diff --git a/crypto/krb5/src/tests/t_cve-2021-36222.py b/crypto/krb5/src/tests/t_cve-2021-36222.py
deleted file mode 100644
index 57e04993bc07..000000000000
--- a/crypto/krb5/src/tests/t_cve-2021-36222.py
+++ /dev/null
@@ -1,46 +0,0 @@
-import socket
-from k5test import *
-
-realm = K5Realm()
-
-# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
-# without FAST
-
-s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-a = (hostname, realm.portbase)
-
-m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
- 'A103' '0201' '05' # [1] pvno = 5
- 'A203' '0201' '0A' # [2] msg-type = 10
- 'A30E' '300C' # [3] padata = SEQUENCE OF
- '300A' # SEQUENCE
- 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
- 'A202' '0400' # [2] padata-value = ""
- 'A48180' '307E' # [4] req-body = SEQUENCE
- 'A007' '0305' '0000000000' # [0] kdc-options = 0
- 'A120' '301E' # [1] cname = SEQUENCE
- 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
- 'A117' '3015' # [1] name-string = SEQUENCE-OF
- '1B06' '6B7262746774' # krbtgt
- '1B0B' '4B5242544553542E434F4D'
- # KRBTEST.COM
- 'A20D' '1B0B' '4B5242544553542E434F4D'
- # [2] realm = KRBTEST.COM
- 'A320' '301E' # [3] sname = SEQUENCE
- 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
- 'A117' '3015' # [1] name-string = SEQUENCE-OF
- '1B06' '6B7262746774' # krbtgt
- '1B0B' '4B5242544553542E434F4D'
- # KRBTEST.COM
- 'A511' '180F' '31393934303631303036303331375A'
- # [5] till = 19940610060317Z
- 'A703' '0201' '00' # [7] nonce = 0
- 'A808' '3006' # [8] etype = SEQUENCE OF
- '020112' '020111') # aes256-cts aes128-cts
-
-s.sendto(bytes.fromhex(m), a)
-
-# Make sure kinit still works.
-realm.kinit(realm.user_princ, password('user'))
-
-success('CVE-2021-36222 regression test')
diff --git a/crypto/krb5/src/tests/t_dump.py b/crypto/krb5/src/tests/t_dump.py
deleted file mode 100755
index 5d692df9974e..000000000000
--- a/crypto/krb5/src/tests/t_dump.py
+++ /dev/null
@@ -1,94 +0,0 @@
-from k5test import *
-from filecmp import cmp
-
-def dump_compare(realm, opt, srcfile):
- mark('dump comparison against %s' % os.path.basename(srcfile))
- realm.run([kdb5_util, 'dump'] + opt + [dumpfile])
- if not cmp(srcfile, dumpfile, False):
- fail('Dump output does not match %s' % srcfile)
-
-
-def load_dump_check_compare(realm, opt, srcfile):
- mark('load check from %s' % os.path.basename(srcfile))
- realm.run([kdb5_util, 'destroy', '-f'])
- realm.run([kdb5_util, 'load'] + opt + [srcfile])
- realm.run([kadminl, 'getprincs'], expected_msg='user@')
- realm.run([kadminl, 'getprinc', 'nokeys'],
- expected_msg='Number of keys: 0')
- realm.run([kadminl, 'getpols'], expected_msg='testpol')
- dump_compare(realm, opt, srcfile)
-
-
-for realm in multidb_realms(start_kdc=False):
-
- # Make sure we can dump and load an ordinary database, and that
- # principals and policies survive a dump/load cycle.
-
- realm.run([kadminl, 'addpol', 'fred'])
-
- # Create a dump file.
- dumpfile = os.path.join(realm.testdir, 'dump')
- realm.run([kdb5_util, 'dump', dumpfile])
-
- # Write additional policy records to the dump. Use the 1.8 format for
- # one of them, to test retroactive compatibility (for issue #8213).
- f = open('testdir/dump', 'a')
- f.write('policy\tcompat\t0\t0\t3\t4\t5\t0\t0\t0\t0\n')
- f.write('policy\tbarney\t0\t0\t1\t1\t1\t0\t0\t0\t0\t0\t0\t0\t-\t1\t2\t28\t'
- 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00\n')
- f.close()
-
- # Destroy and load the database; check that the policies exist.
- # Spot-check principal and policy fields.
- mark('reload after dump')
- realm.run([kdb5_util, 'destroy', '-f'])
- realm.run([kdb5_util, 'load', dumpfile])
- out = realm.run([kadminl, 'getprincs'])
- if realm.user_princ not in out or realm.host_princ not in out:
- fail('Missing principal after load')
- out = realm.run([kadminl, 'getprinc', realm.user_princ])
- if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out:
- fail('Principal has wrong value after load')
- out = realm.run([kadminl, 'getpols'])
- if 'fred\n' not in out or 'barney\n' not in out:
- fail('Missing policy after load')
- realm.run([kadminl, 'getpol', 'compat'],
- expected_msg='Number of old keys kept: 5')
- realm.run([kadminl, 'getpol', 'barney'],
- expected_msg='Number of old keys kept: 1')
-
- # Dump/load again, and make sure everything is still there.
- mark('second reload')
- realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kdb5_util, 'load', dumpfile])
- out = realm.run([kadminl, 'getprincs'])
- if realm.user_princ not in out or realm.host_princ not in out:
- fail('Missing principal after load')
- out = realm.run([kadminl, 'getpols'])
- if 'compat\n' not in out or 'fred\n' not in out or 'barney\n' not in out:
- fail('Missing policy after second load')
-
- srcdumpdir = os.path.join(srctop, 'tests', 'dumpfiles')
- srcdump = os.path.join(srcdumpdir, 'dump')
- srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18')
- srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13')
- srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7')
-
- # Load a dump file from the source directory.
- realm.run([kdb5_util, 'destroy', '-f'])
- realm.run([kdb5_util, 'load', srcdump])
- realm.run([kdb5_util, 'stash', '-P', 'master'])
-
- # Dump the resulting DB in each non-iprop format and compare with
- # expected outputs.
- dump_compare(realm, [], srcdump)
- dump_compare(realm, ['-r18'], srcdump_r18)
- dump_compare(realm, ['-r13'], srcdump_r13)
- dump_compare(realm, ['-b7'], srcdump_b7)
-
- # Load each format of dump, check it, re-dump it, and compare.
- load_dump_check_compare(realm, ['-r18'], srcdump_r18)
- load_dump_check_compare(realm, ['-r13'], srcdump_r13)
- load_dump_check_compare(realm, ['-b7'], srcdump_b7)
-
-success('Dump/load tests')
diff --git a/crypto/krb5/src/tests/t_errmsg.py b/crypto/krb5/src/tests/t_errmsg.py
deleted file mode 100755
index 4aacf4e0a4b7..000000000000
--- a/crypto/krb5/src/tests/t_errmsg.py
+++ /dev/null
@@ -1,27 +0,0 @@
-from k5test import *
-
-realm = K5Realm(create_kdb=False)
-
-# Test err_fmt, using klist -c to induce errors.
-fmt1 = 'FOO Error: %M (see http://localhost:1234/%C for more information)'
-conf1 = {'libdefaults': {'err_fmt': fmt1}}
-e1 = realm.special_env('fmt1', False, krb5_conf=conf1)
-out = realm.run([klist, '-c', 'testdir/xx/yy'], env=e1, expected_code=1)
-if out != ('klist: FOO Error: No credentials cache found (filename: '
- 'testdir/xx/yy) (see http://localhost:1234/-1765328189 for more '
- 'information)\n'):
- fail('err_fmt expansion failed')
-conf2 = {'libdefaults': {'err_fmt': '%M - %C'}}
-e2 = realm.special_env('fmt2', False, krb5_conf=conf2)
-out = realm.run([klist, '-c', 'testdir/xx/yy'], env=e2, expected_code=1)
-if out != ('klist: No credentials cache found (filename: testdir/xx/yy) - '
- '-1765328189\n'):
- fail('err_fmt expansion failed')
-conf3 = {'libdefaults': {'err_fmt': '%%%M %-% %C%'}}
-e3 = realm.special_env('fmt3', False, krb5_conf=conf3)
-out = realm.run([klist, '-c', 'testdir/xx/yy'], env=e3, expected_code=1)
-if out != ('klist: %No credentials cache found (filename: testdir/xx/yy) %-% '
- '-1765328189%\n'):
- fail('err_fmt expansion failed')
-
-success('error message tests')
diff --git a/crypto/krb5/src/tests/t_etype_info.py b/crypto/krb5/src/tests/t_etype_info.py
deleted file mode 100644
index 38cf96ca8f92..000000000000
--- a/crypto/krb5/src/tests/t_etype_info.py
+++ /dev/null
@@ -1,69 +0,0 @@
-from k5test import *
-
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
-realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
-
-realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth',
- 'preauthuser'])
-realm.run([kadminl, 'addprinc', '-pw', 'pw', '-e', 'rc4-hmac',
- '+requires_preauth', 'rc4user'])
-realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser'])
-
-
-# Run the test harness for the given principal and request enctype
-# list. Compare the output to the expected lines, ignoring order.
-def test_etinfo(princ, enctypes, expected_lines):
- mark('etinfo test: %s %s' % (princ.partition('@')[0], enctypes))
- conf = {'libdefaults': {'default_tkt_enctypes': enctypes}}
- etypes_env = realm.special_env('etypes', False, krb5_conf=conf)
- lines = realm.run(['./etinfo', princ], env=etypes_env).splitlines()
- if sorted(lines) != sorted(expected_lines):
- fail('Unexpected output for princ %s, etypes %s' % (princ, enctypes))
-
-
-# With no newer enctypes in the request, PA-ETYPE-INFO2,
-# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
-# key for the most preferred matching enctype.
-test_etinfo('user', 'rc4-hmac-exp des3 rc4',
- ['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser',
- 'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser',
- 'asrep pw_salt KRBTEST.COMuser'])
-
-# With a newer enctype in the request (even if it is not the most
-# preferred enctype and doesn't match any keys), only PA-ETYPE-INFO2
-# appears.
-test_etinfo('user', 'rc4 aes256-cts',
- ['asrep etype_info2 rc4-hmac KRBTEST.COMuser'])
-
-# In preauth-required errors, PA-PW-SALT does not appear, but the same
-# etype-info2 values are expected.
-test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4',
- ['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser',
- 'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser'])
-test_etinfo('preauthuser', 'rc4 aes256-cts',
- ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
-
-# If no keys are found matching the request enctypes, a
-# preauth-required error can be generated with no etype-info at all
-# (to allow for preauth mechs which don't depend on long-term keys).
-# An AS-REP cannot be generated without preauth as there is no reply
-# key.
-test_etinfo('rc4user', 'des3', [])
-test_etinfo('nokeyuser', 'des3', [])
-
-# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
-# error if the client does optimistic preauth.
-mark('MORE_PREAUTH_DATA_REQUIRED test')
-realm.stop()
-testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
-conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
- 'clpreauth': {'module': 'test:' + testpreauth}}}
-realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
-realm.run([kadminl, 'setstr', realm.user_princ, '2rt', '2rtval'])
-out = realm.run(['./etinfo', realm.user_princ, '-123'])
-if out != 'more etype_info2 aes256-cts KRBTEST.COMuser\n':
- fail('Unexpected output for MORE_PREAUTH_DATA_REQUIRED test')
-
-success('KDC etype-info tests')
diff --git a/crypto/krb5/src/tests/t_general.py b/crypto/krb5/src/tests/t_general.py
deleted file mode 100755
index 8e81db1a2739..000000000000
--- a/crypto/krb5/src/tests/t_general.py
+++ /dev/null
@@ -1,74 +0,0 @@
-from k5test import *
-
-for realm in multipass_realms(create_host=False):
- # Check that kinit fails appropriately with the wrong password.
- mark('kinit wrong password failure')
- msg = 'Password incorrect while getting initial credentials'
- realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
- expected_msg=msg)
-
- # Check that we can kinit as a different principal.
- mark('kinit with specified principal')
- realm.kinit(realm.admin_princ, password('admin'))
- realm.klist(realm.admin_princ)
-
- # Test FAST kinit.
- mark('FAST kinit')
- fastpw = password('fast')
- realm.run([kadminl, 'ank', '-pw', fastpw, '+requires_preauth',
- 'user/fast'])
- realm.kinit('user/fast', fastpw)
- realm.kinit('user/fast', fastpw, flags=['-T', realm.ccache])
- realm.klist('user/fast@%s' % realm.realm)
-
- # Test kinit against kdb keytab
- realm.run([kinit, "-k", "-t", "KDB:", realm.user_princ])
-
-# Test that we can get initial creds with an empty password via the
-# API. We have to disable the "empty" pwqual module to create a
-# principal with an empty password. (Regression test for #7642.)
-mark('initial creds with empty password')
-conf={'plugins': {'pwqual': {'disable': 'empty'}}}
-realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
-realm.run([kadminl, 'addprinc', '-pw', '', 'user'])
-realm.run(['./icred', 'user', ''])
-realm.run(['./icred', '-s', 'user', ''])
-realm.stop()
-
-realm = K5Realm(create_host=False)
-
-# Regression test for #6428 (KDC should prefer account expiration
-# error to password expiration error).
-mark('#6428 regression test')
-realm.run([kadminl, 'addprinc', '-randkey', '-pwexpire', 'yesterday', 'xpr'])
-realm.run(['./icred', 'xpr'], expected_code=1,
- expected_msg='Password has expired')
-realm.run([kadminl, 'modprinc', '-expire', 'yesterday', 'xpr'])
-realm.run(['./icred', 'xpr'], expected_code=1,
- expected_msg="Client's entry in database has expired")
-
-# Regression test for #8454 (responder callback isn't used when
-# preauth is not required).
-mark('#8454 regression test')
-realm.run(['./responder', '-r', 'password=%s' % password('user'),
- realm.user_princ])
-
-# Test that WRONG_REALM responses aren't treated as referrals unless
-# they contain a crealm field pointing to a different realm.
-# (Regression test for #8060.)
-mark('#8060 regression test')
-realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1,
- expected_msg='not found in Kerberos database')
-
-# Spot-check KRB5_TRACE output
-mark('KRB5_TRACE spot check')
-expected_trace = ('Sending initial UDP request',
- 'Received answer',
- 'Selected etype info',
- 'AS key obtained',
- 'Decrypted AS reply',
- 'FAST negotiation: available',
- 'Storing user@KRBTEST.COM')
-realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
-
-success('FAST kinit, trace logging')
diff --git a/crypto/krb5/src/tests/t_hooks.py b/crypto/krb5/src/tests/t_hooks.py
deleted file mode 100755
index 4fd3822e8f2b..000000000000
--- a/crypto/krb5/src/tests/t_hooks.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from k5test import *
-
-# Test that KDC send and recv hooks work correctly.
-realm = K5Realm(create_host=False, get_creds=False)
-realm.run(['./hooks', realm.user_princ, password('user')])
-realm.stop()
-
-success('send and recv hook tests')
diff --git a/crypto/krb5/src/tests/t_hostrealm.py b/crypto/krb5/src/tests/t_hostrealm.py
deleted file mode 100755
index 40b0e1e0590a..000000000000
--- a/crypto/krb5/src/tests/t_hostrealm.py
+++ /dev/null
@@ -1,140 +0,0 @@
-from k5test import *
-
-plugin = os.path.join(buildtop, "plugins", "hostrealm", "test",
- "hostrealm_test.so")
-
-# Disable the "dns" module (we can't easily test TXT lookups) and
-# arrange the remaining modules in an order which makes sense for most
-# tests.
-conf = {'plugins': {'hostrealm': {'module': ['test1:' + plugin,
- 'test2:' + plugin],
- 'enable_only': ['test2', 'profile',
- 'domain', 'test1']}},
- 'domain_realm': {'.x': 'DOTMATCH', 'x': 'MATCH', '.1': 'NUMMATCH'}}
-realm = K5Realm(krb5_conf=conf, create_kdb=False)
-
-def test(realm, args, expected_realms, msg, env=None):
- out = realm.run(['./hrealm'] + args, env=env)
- if out.split('\n') != expected_realms + ['']:
- fail(msg)
-
-def test_error(realm, args, expected_error, msg, env=None):
- realm.run(['./hrealm'] + args, env=env, expected_code=1,
- expected_msg=expected_error)
-
-def testh(realm, host, expected_realms, msg, env=None):
- test(realm, ['-h', host], expected_realms, msg, env=env)
-def testf(realm, host, expected_realms, msg, env=None):
- test(realm, ['-f', host], expected_realms, msg, env=env)
-def testd(realm, expected_realm, msg, env=None):
- test(realm, ['-d'], [expected_realm], msg, env=env)
-def testh_error(realm, host, expected_error, msg, env=None):
- test_error(realm, ['-h', host], expected_error, msg, env=env)
-def testf_error(realm, host, expected_error, msg, env=None):
- test_error(realm, ['-f', host], expected_error, msg, env=env)
-def testd_error(realm, expected_error, msg, env=None):
- test_error(realm, ['-d'], expected_error, msg, env=env)
-
-###
-### krb5_get_host_realm tests
-###
-
-# The test2 module returns a fatal error on hosts beginning with 'z',
-# and an answer on hosts beginning with 'a'.
-mark('test2 module')
-testh_error(realm, 'zoo', 'service not available', 'host_realm test2 z')
-testh(realm, 'abacus', ['a'], 'host_realm test2 a')
-
-# The profile module gives answers for hostnames equal to or ending in
-# 'X', due to [domain_realms]. There is also an entry for hostnames
-# ending in '1', but hostnames which appear to be IP or IPv6 addresses
-# should instead fall through to test1.
-mark('profile module')
-testh(realm, 'x', ['MATCH'], 'host_realm profile x')
-testh(realm, '.x', ['DOTMATCH'], 'host_realm profile .x')
-testh(realm, 'b.x', ['DOTMATCH'], 'host_realm profile b.x')
-testh(realm, '.b.c.x', ['DOTMATCH'], 'host_realm profile .b.c.x')
-testh(realm, 'b.1', ['NUMMATCH'], 'host_realm profile b.1')
-testh(realm, '4.3.2.1', ['4', '3', '2', '1'], 'host_realm profile 4.3.2.1')
-testh(realm, 'b:c.x', ['b:c', 'x'], 'host_realm profile b:c.x')
-# hostname cleaning should convert "X." to "x" before matching.
-testh(realm, 'X.', ['MATCH'], 'host_realm profile X.')
-
-# The test1 module returns a list of the hostname components.
-mark('test1 module')
-testh(realm, 'b.c.d', ['b', 'c', 'd'], 'host_realm test1')
-
-# If no module returns a result, we should get the referral realm.
-mark('no result')
-testh(realm, '', [''], 'host_realm referral realm')
-
-###
-### krb5_get_fallback_host_realm tests
-###
-
-# Return a special environment with realm_try_domains set to n.
-def try_env(realm, testname, n):
- conf = {'libdefaults': {'realm_try_domains': str(n)}}
- return realm.special_env(testname, False, krb5_conf=conf)
-
-# The domain module will answer with the uppercased parent domain,
-# with no special configuration.
-mark('fallback: domain module')
-testf(realm, 'a.b.c', ['B.C'], 'fallback_realm domain a.b.c')
-
-# With realm_try_domains = 0, the hostname itself will be looked up as
-# a realm and returned if found.
-mark('fallback: realm_try_domains = 0')
-try0 = try_env(realm, 'try0', 0)
-testf(realm, 'krbtest.com', ['KRBTEST.COM'], 'fallback_realm try0', env=try0)
-testf(realm, 'a.b.krbtest.com', ['B.KRBTEST.COM'],
- 'fallback_realm try0 grandparent', env=try0)
-testf(realm, 'a.b.c', ['B.C'], 'fallback_realm try0 nomatch', env=try0)
-
-# With realm_try_domains = 2, the parent and grandparent will be
-# checked as well, but it stops there.
-mark('fallback: realm_try_domains = 2')
-try2 = try_env(realm, 'try2', 2)
-testf(realm, 'krbtest.com', ['KRBTEST.COM'], 'fallback_realm try2', env=try2)
-testf(realm, 'a.b.krbtest.com', ['KRBTEST.COM'],
- 'fallback_realm try2 grandparent', env=try2)
-testf(realm, 'a.b.c.krbtest.com', ['B.C.KRBTEST.COM'],
- 'fallback_realm try2 great-grandparent', env=try2)
-
-# The test1 module answers with a list of components. Use an IPv4
-# address to bypass the domain module.
-mark('fallback: test1 module')
-testf(realm, '1.2.3.4', ['1', '2', '3', '4'], 'fallback_realm test1')
-
-# If no module answers, the default realm is returned. The test2
-# module returns an error when we try to look that up.
-mark('fallback: default realm')
-testf_error(realm, '', 'service not available', 'fallback_realm default')
-
-###
-### krb5_get_default_realm tests
-###
-
-# The test2 module returns an error.
-mark('default_realm: test2 module')
-testd_error(realm, 'service not available', 'default_realm test2')
-
-# The profile module returns the default realm from the profile.
-# Disable test2 to expose this behavior.
-mark('default_realm: profile module')
-disable_conf = {'plugins': {'hostrealm': {'disable': 'test2'}}}
-notest2 = realm.special_env('notest2', False, krb5_conf=disable_conf)
-testd(realm, 'KRBTEST.COM', 'default_realm profile', env=notest2)
-
-# The test1 module returns a list of two realms, of which we can only
-# see the first. Remove the profile default_realm setting to expose
-# this behavior.
-mark('default_realm: test1 module')
-remove_default = {'libdefaults': {'default_realm': None}}
-# Python 3.5+: nodefault_conf = {**disable_conf, **remove_default}
-nodefault_conf = dict(list(disable_conf.items()) +
- list(remove_default.items()))
-nodefault = realm.special_env('nodefault', False, krb5_conf=nodefault_conf)
-testd(realm, 'one', 'default_realm test1', env=nodefault)
-
-success('hostrealm interface tests')
diff --git a/crypto/krb5/src/tests/t_inetd.c b/crypto/krb5/src/tests/t_inetd.c
deleted file mode 100644
index 3790467c7bad..000000000000
--- a/crypto/krb5/src/tests/t_inetd.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/t_inetd.c */
-/*
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * A simple program to simulate starting a process from inetd.
- *
- * Unlike a proper inetd situation, environment variables are passed
- * to the client.
- *
- * usage: t_inetd port program argv0 ...
- */
-
-#include "autoconf.h"
-
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <signal.h>
-
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-#include "com_err.h"
-
-
-char *progname;
-
-static void
-usage(void)
-{
- fprintf(stderr, "%s: port program argv0 argv1 ...\n", progname);
- exit(1);
-}
-
-int
-main(int argc, char **argv)
-{
- unsigned short port;
- char *path;
- int sock, acc;
- int one = 1;
- struct sockaddr_in l_inaddr, f_inaddr; /* local, foreign address */
- socklen_t namelen = sizeof(f_inaddr);
-
- progname = argv[0];
-
- if(argc <= 3) usage();
-
- if(atoi(argv[1]) == 0) usage();
-
- port = htons(atoi(argv[1]));
- path = argv[2];
-
- if ((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
- com_err(progname, errno, "creating socket");
- exit(3);
- }
-
- (void) setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *)&one,
- sizeof (one));
-
- memset(&l_inaddr, 0, sizeof(l_inaddr));
- l_inaddr.sin_family = AF_INET;
- l_inaddr.sin_addr.s_addr = 0;
- l_inaddr.sin_port = port;
-
- if (bind(sock, (struct sockaddr *)&l_inaddr, sizeof(l_inaddr))) {
- com_err(progname, errno, "binding socket");
- exit(3);
- }
-
- if (listen(sock, 1) == -1) {
- com_err(progname, errno, "listening");
- exit(3);
- }
-
- printf("Ready!\n");
- fflush(stdout);
- if ((acc = accept(sock, (struct sockaddr *)&f_inaddr,
- &namelen)) == -1) {
- com_err(progname, errno, "accepting");
- exit(3);
- }
-
- dup2(acc, 0);
- dup2(acc, 1);
- dup2(acc, 2);
- close(sock);
- sock = 0;
-
- if(execv(path, &argv[3]))
- fprintf(stderr, "t_inetd: Could not exec %s\n", path);
- exit(1);
-}
diff --git a/crypto/krb5/src/tests/t_iprop.py b/crypto/krb5/src/tests/t_iprop.py
deleted file mode 100755
index 1f1634f31fa3..000000000000
--- a/crypto/krb5/src/tests/t_iprop.py
+++ /dev/null
@@ -1,520 +0,0 @@
-import os
-import re
-
-from k5test import *
-
-# On macOS with System Integrity Protection enabled, this script hangs
-# in the wait_for_prop() call after starting the first kpropd process,
-# most likely due to signal restrictions preventing the listening
-# child from informing the parent that a full resync was processed.
-if which('csrutil'):
- out = subprocess.check_output(['csrutil', 'status'],
- universal_newlines=True)
- if 'status: enabled' in out:
- skip_rest('iprop tests', 'System Integrity Protection is enabled')
-
-# Read lines from kpropd output until we are synchronized. Error if
-# full_expected is true and we didn't see a full propagation or vice
-# versa.
-def wait_for_prop(kpropd, full_expected, expected_old, expected_new):
- output('*** Waiting for sync from kpropd\n')
- full_seen = sleep_seen = False
- old_sno = new_sno = -1
- while True:
- line = kpropd.stdout.readline()
- if line == '':
- fail('kpropd process exited unexpectedly')
- output('kpropd: ' + line)
-
- m = re.match(r'Calling iprop_get_updates_1 \(sno=(\d+) ', line)
- if m:
- if not full_seen:
- old_sno = int(m.group(1))
- # Also record this as the new sno, in case we get back
- # UPDATE_NIL.
- new_sno = int(m.group(1))
-
- m = re.match(r'Got incremental updates \(sno=(\d+) ', line)
- if m:
- new_sno = int(m.group(1))
-
- if 'KDC is synchronized' in line or 'Incremental updates:' in line:
- break
-
- # After a full resync request, these lines could appear in
- # either order.
- if 'Waiting for' in line:
- sleep_seen = True
- if 'load process for full propagation completed' in line:
- full_seen = True
-
- # Detect some failure conditions.
- if 'Still waiting for full resync' in line:
- fail('kadmind gave consecutive full resyncs')
- if 'Rejected connection' in line:
- fail('kpropd rejected kprop connection')
- if 'get updates failed' in line:
- fail('iprop_get_updates failed')
- if 'permission denied' in line:
- fail('kadmind denied update')
- if ('error from primary' in line or
- 'error returned from primary' in line):
- fail('kadmind reported error')
- if 'invalid return' in line:
- fail('kadmind returned invalid result')
-
- if full_expected and not full_seen:
- fail('Expected full dump but saw only incremental')
- if full_seen and not full_expected:
- fail('Expected incremental prop but saw full dump')
- if old_sno != expected_old:
- fail('Expected old serial %d from kpropd sync' % expected_old)
- if new_sno != expected_new:
- fail('Expected new serial %d from kpropd sync' % expected_new)
-
- # Wait until kpropd is sleeping before continuing, to avoid races.
- # (This is imperfect since there's there is a short window between
- # the fprintf and the sleep; kpropd will need design changes to
- # fix that.)
- while True:
- line = kpropd.stdout.readline()
- output('kpropd: ' + line)
- if 'Waiting for' in line:
- break
- output('*** Sync complete\n')
-
-# Verify the output of kproplog against the expected number of
-# entries, first and last serial number, and a list of principal names
-# for the update entrires.
-def check_ulog(num, first, last, entries, env=None, bsize=2048):
- out = realm.run([kproplog], env=env)
- if 'Entry block size : ' + str(bsize) + '\n' not in out:
- fail('Expected block size %d' % bsize)
- if 'Number of entries : ' + str(num) + '\n' not in out:
- fail('Expected %d entries' % num)
- if last:
- firststr = first and str(first) or 'None'
- if 'First serial # : ' + firststr + '\n' not in out:
- fail('Expected first serial number %d' % first)
- laststr = last and str(last) or 'None'
- if 'Last serial # : ' + laststr + '\n' not in out:
- fail('Expected last serial number %d' % last)
- assert(len(entries) == num)
- ser = first - 1
- entindex = 0
- for line in out.splitlines():
- m = re.match(r'\tUpdate serial # : (\d+)$', line)
- if m:
- ser = ser + 1
- if m.group(1) != str(ser):
- fail('Expected serial number %d in update entry' % ser)
- m = re.match(r'\tUpdate principal : (.*)$', line)
- if m:
- eprinc = entries[ser - first]
- if eprinc == None:
- fail('Expected dummy update entry %d' % ser)
- elif m.group(1) != eprinc:
- fail('Expected princ %s in update entry %d' % (eprinc, ser))
- if line == '\tDummy entry':
- eprinc = entries[ser - first]
- if eprinc != None:
- fail('Expected princ %s in update entry %d' % (eprinc, ser))
-
-# replica1 will receive updates from primary, and replica2 will
-# receive updates from replica1. Because of the awkward way iprop and
-# kprop port configuration currently works, we need separate config
-# files for the replica and primary sides of replica1, but they use
-# the same DB and ulog file.
-conf = {'realms': {'$realm': {'iprop_enable': 'true',
- 'iprop_logfile': '$testdir/db.ulog'}}}
-conf_rep1 = {'realms': {'$realm': {'iprop_replica_poll': '600',
- 'iprop_logfile': '$testdir/ulog.replica1'}},
- 'dbmodules': {'db': {'database_name': '$testdir/db.replica1'}}}
-conf_rep1m = {'realms': {'$realm': {'iprop_logfile': '$testdir/ulog.replica1',
- 'iprop_port': '$port8'}},
- 'dbmodules': {'db': {'database_name': '$testdir/db.replica1'}}}
-conf_rep2 = {'realms': {'$realm': {'iprop_replica_poll': '600',
- 'iprop_logfile': '$testdir/ulog.replica2',
- 'iprop_port': '$port8'}},
- 'dbmodules': {'db': {'database_name': '$testdir/db.replica2'}}}
-
-conf_foo = {'libdefaults': {'default_realm': 'FOO'},
- 'domain_realm': {hostname: 'FOO'}}
-conf_rep3 = {'realms': {'$realm': {'iprop_replica_poll': '600',
- 'iprop_logfile': '$testdir/ulog.replica3',
- 'iprop_port': '$port8'},
- 'FOO': {'iprop_logfile': '$testdir/ulog.replica3'}},
- 'dbmodules': {'db': {'database_name': '$testdir/db.replica3'}}}
-
-krb5_conf_rep4 = {'domain_realm': {hostname: 'FOO'}}
-conf_rep4 = {'realms': {'$realm': {'iprop_replica_poll': '600',
- 'iprop_logfile': '$testdir/ulog.replica4',
- 'iprop_port': '$port8'}},
- 'dbmodules': {'db': {'database_name': '$testdir/db.replica4'}}}
-
-for realm in multidb_realms(kdc_conf=conf, create_user=False,
- start_kadmind=True):
- replica1 = realm.special_env('replica1', True, kdc_conf=conf_rep1)
- replica1m = realm.special_env('replica1m', True, krb5_conf=conf_foo,
- kdc_conf=conf_rep1m)
- replica2 = realm.special_env('replica2', True, kdc_conf=conf_rep2)
-
- # A default_realm and domain_realm that do not match the KDC's
- # realm. The FOO realm iprop_logfile setting is needed to run
- # kproplog during a replica3 test, since kproplog has no realm
- # option.
- replica3 = realm.special_env('replica3', True, krb5_conf=conf_foo,
- kdc_conf=conf_rep3)
-
- # A default realm and a domain realm map that differ.
- replica4 = realm.special_env('replica4', True, krb5_conf=krb5_conf_rep4,
- kdc_conf=conf_rep4)
-
- # Define some principal names. pr3 is long enough to cause internal
- # reallocs, but not long enough to grow the basic ulog entry size.
- pr1 = 'wakawaka@' + realm.realm
- pr2 = 'w@' + realm.realm
- c = 'chocolate-flavored-school-bus'
- cs = c + '/'
- pr3 = (cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c +
- '@' + realm.realm)
-
- # Create the kpropd ACL file.
- acl_file = os.path.join(realm.testdir, 'kpropd-acl')
- acl = open(acl_file, 'w')
- acl.write(realm.host_princ + '\n')
- acl.close()
-
- ulog = os.path.join(realm.testdir, 'db.ulog')
- if not os.path.exists(ulog):
- fail('update log not created: ' + ulog)
-
- # Create the principal used to authenticate kpropd to kadmind.
- kiprop_princ = 'kiprop/' + hostname
- realm.addprinc(kiprop_princ)
- realm.extract_keytab(kiprop_princ, realm.keytab)
-
- # Create the initial replica databases.
- dumpfile = os.path.join(realm.testdir, 'dump')
- realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kdb5_util, 'load', dumpfile], replica1)
- realm.run([kdb5_util, 'load', dumpfile], replica2)
- realm.run([kdb5_util, '-r', realm.realm, 'load', dumpfile], replica3)
- realm.run([kdb5_util, 'load', dumpfile], replica4)
-
- # Reinitialize the primary ulog so we know exactly what to expect
- # in it.
- realm.run([kproplog, '-R'])
- check_ulog(1, 1, 1, [None])
-
- # Make some changes to the primary DB.
- realm.addprinc(pr1)
- realm.addprinc(pr3)
- realm.addprinc(pr2)
- realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
- realm.run([kadminl, 'modprinc', '+allow_tix', pr2])
- check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2])
-
- # Start kpropd for replica1 and get a full dump from primary.
- mark('propagate M->1 full')
- kpropd1 = realm.start_kpropd(replica1, ['-d'])
- wait_for_prop(kpropd1, True, 1, 6)
- out = realm.run([kadminl, 'listprincs'], env=replica1)
- if pr1 not in out or pr2 not in out or pr3 not in out:
- fail('replica1 does not have all principals from primary')
- check_ulog(1, 6, 6, [None], replica1)
-
- # Make a change and check that it propagates incrementally.
- mark('propagate M->1 incremental')
- realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
- check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 6, 7)
- check_ulog(2, 6, 7, [None, pr2], replica1)
- realm.run([kadminl, 'getprinc', pr2], env=replica1,
- expected_msg='Attributes: DISALLOW_ALL_TIX')
-
- # Start kadmind -proponly for replica1. (Use the replica1m
- # environment which defines iprop_port to $port8.)
- replica1_out_dump_path = os.path.join(realm.testdir, 'dump.replica1.out')
- replica2_in_dump_path = os.path.join(realm.testdir, 'dump.replica2.in')
- replica2_kprop_port = str(realm.portbase + 9)
- kadmind_proponly = realm.start_server([kadmind, '-r', realm.realm,
- '-nofork', '-proponly',
- '-p', kdb5_util,
- '-K', kprop, '-k',
- replica2_kprop_port,
- '-F', replica1_out_dump_path],
- 'starting...', replica1m)
-
- # Test similar default_realm and domain_realm map settings with -r realm.
- mark('propagate 1->3 full')
- replica3_in_dump_path = os.path.join(realm.testdir, 'dump.replica3.in')
- kpropd3 = realm.start_server([kpropd, '-d', '-D', '-r', realm.realm, '-P',
- replica2_kprop_port, '-f',
- replica3_in_dump_path, '-p', kdb5_util, '-a',
- acl_file, '-A', hostname], 'ready', replica3)
- wait_for_prop(kpropd3, True, 1, 7)
- out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], env=replica3)
- if pr1 not in out or pr2 not in out or pr3 not in out:
- fail('replica3 does not have all principals from replica1')
- check_ulog(1, 7, 7, [None], env=replica3)
-
- # Test an incremental propagation for the kpropd -r case.
- mark('propagate M->1->3 incremental')
- realm.run([kadminl, 'modprinc', '-maxlife', '20 minutes', pr1])
- check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 7, 8)
- check_ulog(3, 6, 8, [None, pr2, pr1], replica1)
- realm.run([kadminl, 'getprinc', pr1], env=replica1,
- expected_msg='Maximum ticket life: 0 days 00:20:00')
- kpropd3.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd3, False, 7, 8)
- check_ulog(2, 7, 8, [None, pr1], replica3)
- realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=replica3,
- expected_msg='Maximum ticket life: 0 days 00:20:00')
- stop_daemon(kpropd3)
-
- # Test dissimilar default_realm and domain_realm map settings (no
- # -r realm).
- mark('propagate 1->4 full')
- replica4_in_dump_path = os.path.join(realm.testdir, 'dump.replica4.in')
- kpropd4 = realm.start_server([kpropd, '-d', '-D', '-P',
- replica2_kprop_port, '-f',
- replica4_in_dump_path, '-p', kdb5_util,
- '-a', acl_file, '-A', hostname], 'ready',
- replica4)
- wait_for_prop(kpropd4, True, 1, 8)
- out = realm.run([kadminl, 'listprincs'], env=replica4)
- if pr1 not in out or pr2 not in out or pr3 not in out:
- fail('replica4 does not have all principals from replica1')
- stop_daemon(kpropd4)
-
- # Start kpropd for replica2. The -A option isn't needed since
- # we're talking to the same host as primary (we specify it anyway
- # to exercise the code), but replica2 defines iprop_port to $port8
- # so it will talk to replica1. Get a full dump from replica1.
- mark('propagate 1->2 full')
- kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P',
- replica2_kprop_port, '-f',
- replica2_in_dump_path, '-p', kdb5_util,
- '-a', acl_file, '-A', hostname], 'ready',
- replica2)
- wait_for_prop(kpropd2, True, 1, 8)
- check_ulog(2, 7, 8, [None, pr1], replica2)
- out = realm.run([kadminl, 'listprincs'], env=replica1)
- if pr1 not in out or pr2 not in out or pr3 not in out:
- fail('replica2 does not have all principals from replica1')
-
- # Make another change and check that it propagates incrementally
- # to both replicas.
- mark('propagate M->1->2 incremental')
- realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1])
- check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 8, 9)
- check_ulog(4, 6, 9, [None, pr2, pr1, pr1], replica1)
- realm.run([kadminl, 'getprinc', pr1], env=replica1,
- expected_msg='Maximum renewable life: 0 days 22:00:00\n')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 8, 9)
- check_ulog(3, 7, 9, [None, pr1, pr1], replica2)
- realm.run([kadminl, 'getprinc', pr1], env=replica2,
- expected_msg='Maximum renewable life: 0 days 22:00:00\n')
-
- # Reset the ulog on replica1 to force a full resync from primary.
- # The resync will use the old dump file and then propagate
- # changes. replica2 should still be in sync with replica1 after
- # the resync, so make sure it doesn't take a full resync.
- mark('propagate M->1->2 full') - realm.run([kproplog, '-R'], replica1) - check_ulog(1, 1, 1, [None], replica1) - kpropd1.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd1, True, 1, 9) - check_ulog(4, 6, 9, [None, pr2, pr1, pr1], replica1) - kpropd2.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd2, False, 9, 9) - check_ulog(3, 7, 9, [None, pr1, pr1], replica2) - - # Make another change and check that it propagates incrementally to - # both replicas. - mark('propagate M->1->2 incremental (after reset)') - realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) - check_ulog(10, 1, 10, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1, pr2]) - kpropd1.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd1, False, 9, 10) - check_ulog(5, 6, 10, [None, pr2, pr1, pr1, pr2], replica1) - realm.run([kadminl, 'getprinc', pr2], env=replica1, - expected_msg='Attributes:\n') - kpropd2.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd2, False, 9, 10) - check_ulog(4, 7, 10, [None, pr1, pr1, pr2], replica2) - realm.run([kadminl, 'getprinc', pr2], env=replica2, - expected_msg='Attributes:\n') - - # Create a policy and check that it propagates via full resync. - mark('propagate M->1->2 full (new policy)') - realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol']) - check_ulog(1, 1, 1, [None]) - kpropd1.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd1, True, 10, 1) - check_ulog(1, 1, 1, [None], replica1) - realm.run([kadminl, 'getpol', 'testpol'], env=replica1, - expected_msg='Minimum number of password character classes: 2') - kpropd2.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd2, True, 10, 1) - check_ulog(1, 1, 1, [None], replica2) - realm.run([kadminl, 'getpol', 'testpol'], env=replica2, - expected_msg='Minimum number of password character classes: 2') - - # Modify the policy and test that it also propagates via full resync. 
- mark('propagate M->1->2 full (policy change)') - realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol']) - check_ulog(1, 1, 1, [None]) - kpropd1.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd1, True, 1, 1) - check_ulog(1, 1, 1, [None], replica1) - realm.run([kadminl, 'getpol', 'testpol'], env=replica1, - expected_msg='Minimum password length: 17') - kpropd2.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd2, True, 1, 1) - check_ulog(1, 1, 1, [None], replica2) - realm.run([kadminl, 'getpol', 'testpol'], env=replica2, - expected_msg='Minimum password length: 17') - - # Delete the policy and test that it propagates via full resync. - mark('propgate M->1->2 full (policy delete)') - realm.run([kadminl, 'delpol', 'testpol']) - check_ulog(1, 1, 1, [None]) - kpropd1.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd1, True, 1, 1) - check_ulog(1, 1, 1, [None], replica1) - realm.run([kadminl, 'getpol', 'testpol'], env=replica1, expected_code=1, - expected_msg='Policy does not exist') - kpropd2.send_signal(signal.SIGUSR1) - wait_for_prop(kpropd2, True, 1, 1) - check_ulog(1, 1, 1, [None], replica2) - realm.run([kadminl, 'getpol', 'testpol'], env=replica2, expected_code=1, - expected_msg='Policy does not exist') - - # Modify a principal on the primary and test that it propagates - # incrementally. 
- mark('propagate M->1->2 incremental (after policy changes)')
- realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1])
- check_ulog(2, 1, 2, [None, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 1, 2)
- check_ulog(2, 1, 2, [None, pr1], replica1)
- realm.run([kadminl, 'getprinc', pr1], env=replica1,
- expected_msg='Maximum ticket life: 0 days 00:10:00')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 1, 2)
- check_ulog(2, 1, 2, [None, pr1], replica2)
- realm.run([kadminl, 'getprinc', pr1], env=replica2,
- expected_msg='Maximum ticket life: 0 days 00:10:00')
-
- # Delete a principal and test that it propagates incrementally.
- mark('propagate M->1->2 incremental (princ delete)')
- realm.run([kadminl, 'delprinc', pr3])
- check_ulog(3, 1, 3, [None, pr1, pr3])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 2, 3)
- check_ulog(3, 1, 3, [None, pr1, pr3], replica1)
- realm.run([kadminl, 'getprinc', pr3], env=replica1, expected_code=1,
- expected_msg='Principal does not exist')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 2, 3)
- check_ulog(3, 1, 3, [None, pr1, pr3], replica2)
- realm.run([kadminl, 'getprinc', pr3], env=replica2, expected_code=1,
- expected_msg='Principal does not exist')
-
- # Rename a principal and test that it propagates incrementally.
- mark('propagate M->1->2 incremental (princ rename)')
- renpr = "quacked@" + realm.realm
- realm.run([kadminl, 'renprinc', pr1, renpr])
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 3, 6)
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], replica1)
- realm.run([kadminl, 'getprinc', pr1], env=replica1, expected_code=1,
- expected_msg='Principal does not exist')
- realm.run([kadminl, 'getprinc', renpr], env=replica1)
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 3, 6)
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], replica2)
- realm.run([kadminl, 'getprinc', pr1], env=replica2, expected_code=1,
- expected_msg='Principal does not exist')
- realm.run([kadminl, 'getprinc', renpr], env=replica2)
-
- pr1 = renpr
-
- # Reset the ulog on the primary to force a full resync.
- mark('propagate M->1->2 full (ulog reset)')
- realm.run([kproplog, '-R'])
- check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 6, 1)
- check_ulog(1, 1, 1, [None], replica1)
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 6, 1)
- check_ulog(1, 1, 1, [None], replica2)
-
- # Create an update large enough to cause a block resize, and make
- # sure that it propagates incrementally.
- mark('block resize')
- cmd = [kadminl, 'cpw',
- '-e', 'aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2',
- '-randkey', '-keepold', pr2]
- n = 6
- for i in range(n):
- realm.run(cmd)
- check_ulog(n + 1, 1, n + 1, [None] + n * [pr2], bsize=4096)
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 1, n + 1)
- check_ulog(n + 1, 1, n + 1, [None] + n * [pr2], replica1, bsize=4096)
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 1, n + 1)
- check_ulog(n + 1, 1, n + 1, [None] + n * [pr2], replica2, bsize=4096)
-
- # Reset the ulog again.
- realm.run([kproplog, '-R'])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 7, 1)
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 7, 1)
- realm.stop_kpropd(kpropd1)
-
- # Stop the kprop daemons so we can test kpropd -t.
- stop_daemon(kpropd2)
- stop_daemon(kadmind_proponly)
- mark('kpropd -t')
-
- # Test the case where no updates are needed.
- out = realm.run_kpropd_once(replica1, ['-d'])
- if 'KDC is synchronized' not in out:
- fail('Expected synchronized from kpropd -t')
- check_ulog(1, 1, 1, [None], replica1)
-
- # Make a change on the primary and fetch it incrementally.
- realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1])
- check_ulog(2, 1, 2, [None, pr1])
- out = realm.run_kpropd_once(replica1, ['-d'])
- if 'Got incremental updates (sno=2 ' not in out:
- fail('Expected full dump and synchronized from kpropd -t')
- check_ulog(2, 1, 2, [None, pr1], replica1)
- realm.run([kadminl, 'getprinc', pr1], env=replica1,
- expected_msg='Maximum ticket life: 0 days 00:05:00')
-
- # Propagate a policy change via full resync.
- realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol'])
- check_ulog(1, 1, 1, [None])
- out = realm.run_kpropd_once(replica1, ['-d'])
- if ('Full propagation transfer finished' not in out or
- 'KDC is synchronized' not in out):
- fail('Expected full dump and synchronized from kpropd -t')
- check_ulog(1, 1, 1, [None], replica1)
- realm.run([kadminl, 'getpol', 'testpol'], env=replica1,
- expected_msg='Minimum number of password character classes: 3')
-
-success('iprop tests')
diff --git a/crypto/krb5/src/tests/t_kadm5_auth.py b/crypto/krb5/src/tests/t_kadm5_auth.py
deleted file mode 100644
index 6e0f42b08740..000000000000
--- a/crypto/krb5/src/tests/t_kadm5_auth.py
+++ /dev/null
@@ -1,80 +0,0 @@
-from k5test import *
-
-# Create a realm with the welcomer and bouncer kadm5_auth test modules
-# in place of the builtin modules.
-modpath = os.path.join(buildtop, 'plugins', 'kadm5_auth', 'test',
- 'kadm5_auth_test.so')
-conf = {'plugins': {'kadm5_auth': {'module': ['welcomer:' + modpath,
- 'bouncer:' + modpath],
- 'enable_only': ['welcomer', 'bouncer']}}}
-realm = K5Realm(krb5_conf=conf, create_host=False)
-realm.start_kadmind()
-realm.prep_kadmin()
-
-# addprinc: welcomer accepts with policy VIP, bouncer denies maxlife.
-realm.run_kadmin(['addprinc', '-randkey', 'princ'], expected_code=1)
-realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', 'princ'])
-realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', '-maxlife', '3',
- 'princ'], expected_code=1)
-
-# modprinc: welcomer accepts with only maxrenewlife, bouncer denies
-# with even-component target principal.
-realm.run_kadmin(['modprinc', '-maxlife', '3', 'princ'], expected_code=1)
-realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'princ'])
-realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'user/admin'],
- expected_code=1)
-
-# setstr: welcomer accepts with key 'note', bouncer denies with value
-# length > 10.
-realm.run_kadmin(['setstr', 'princ', 'somekey', 'someval'], expected_code=1)
-realm.run_kadmin(['setstr', 'princ', 'note', 'abc'])
-realm.run_kadmin(['setstr', 'princ', 'note', 'abcdefghijkl'], expected_code=1)
-
-# delprinc: welcomer accepts with target principal beginning with 'd',
-# bouncer denies with "nodelete" string attribute.
-realm.run_kadmin(['delprinc', 'user'], expected_code=1)
-realm.run([kadminl, 'addprinc', '-randkey', 'deltest'])
-realm.run_kadmin(['delprinc', 'deltest'])
-realm.run([kadminl, 'addprinc', '-randkey', 'deltest'])
-realm.run([kadminl, 'setstr', 'deltest', 'nodelete', 'yes'])
-realm.run_kadmin(['delprinc', 'deltest'], expected_code=1)
-
-# renprinc: welcomer accepts with same-length first components, bouncer
-# refuses with source principal beginning with 'a'.
-realm.run_kadmin(['renprinc', 'princ', 'xyz'], expected_code=1)
-realm.run_kadmin(['renprinc', 'princ', 'abcde'])
-realm.run_kadmin(['renprinc', 'abcde', 'fghij'], expected_code=1)
-
-# addpol: welcomer accepts with minlength 3, bouncer denies with name
-# length <= 3.
-realm.run_kadmin(['addpol', 'testpol'], expected_code=1)
-realm.run_kadmin(['addpol', '-minlength', '3', 'testpol'])
-realm.run_kadmin(['addpol', '-minlength', '3', 'abc'], expected_code=1)
-
-# modpol: welcomer accepts changes to minlife, bouncer denies with
-# minlife > 10.
-realm.run_kadmin(['modpol', '-minlength', '4', 'testpol'], expected_code=1)
-realm.run_kadmin(['modpol', '-minlife', '8', 'testpol'])
-realm.run_kadmin(['modpol', '-minlife', '11', 'testpol'], expected_code=1)
-
-# getpol: welcomer accepts if policy and client policy have same length,
-# bouncer denies if policy name begins with 'x'.
-realm.run([kadminl, 'addpol', 'aaaa'])
-realm.run([kadminl, 'addpol', 'bbbb'])
-realm.run([kadminl, 'addpol', 'xxxx'])
-realm.run([kadminl, 'modprinc', '-policy', 'aaaa', 'user/admin'])
-realm.run_kadmin(['getpol', 'testpol'], expected_code=1)
-realm.run_kadmin(['getpol', 'bbbb'])
-realm.run_kadmin(['getpol', 'xxxx'], expected_code=1)
-
-# end: welcomer counts operations using "ends" string attribute on
-# "opcount" principal. kadmind is dumb and invokes the end method for
-# every RPC operation including init, so we expect four calls to the
-# end operation.
-realm.run([kadminl, 'addprinc', '-nokey', 'opcount'])
-realm.run([kadminl, 'setstr', 'opcount', 'ends', '0'])
-realm.run_kadmin(['getprinc', 'user'])
-realm.run_kadmin(['getpol', 'bbbb'])
-realm.run([kadminl, 'getstrs', 'opcount'], expected_msg='ends: 4')
-
-success('kadm5_auth pluggable interface tests')
diff --git a/crypto/krb5/src/tests/t_kadm5_hook.py b/crypto/krb5/src/tests/t_kadm5_hook.py
deleted file mode 100755
index 32fab781db7d..000000000000
--- a/crypto/krb5/src/tests/t_kadm5_hook.py
+++ /dev/null
@@ -1,15 +0,0 @@
-from k5test import *
-
-plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test",
- "kadm5_hook_test.so")
-
-hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}}
-
-realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False)
-realm.run([kadminl, 'addprinc', '-randkey', 'test'],
- expected_msg='create: stage precommit')
-
-realm.run([kadminl, 'renprinc', 'test', 'test2'],
- expected_msg='rename: stage precommit')
-
-success('kadm5_hook')
diff --git a/crypto/krb5/src/tests/t_kadmin.py b/crypto/krb5/src/tests/t_kadmin.py
deleted file mode 100644
index 98453d92e060..000000000000
--- a/crypto/krb5/src/tests/t_kadmin.py
+++ /dev/null
@@ -1,66 +0,0 @@
-from k5test import *
-
-realm = K5Realm(start_kadmind=True)
-
-# Create a principal. Test -q option and keyboard entry of the admin
-# password and principal password. Verify creation with kadmin.local.
-realm.run([kadmin, '-q', 'addprinc princ/pw'],
- input=password('admin') + '\npw1\npw1\n')
-realm.run([kadminl, 'getprinc', 'princ/pw'],
- expected_msg='Principal: princ/pw@KRBTEST.COM')
-
-# Run the remaining tests with a cache for efficiency.
-realm.prep_kadmin()
-
-realm.run_kadmin(['addpol', 'standardpol'])
-realm.run_kadmin(['listpols'], expected_msg='standardpol')
-realm.run_kadmin(['modpol', '-minlength', '5', 'standardpol'])
-realm.run_kadmin(['getpol', 'standardpol'],
- expected_msg='Minimum password length: 5')
-
-realm.run_kadmin(['addprinc', '-randkey', 'princ/random'])
-realm.run([kadminl, 'getprinc', 'princ/random'],
- expected_msg='Principal: princ/random@KRBTEST.COM')
-
-realm.run_kadmin(['cpw', 'princ/pw'], input='newpw\nnewpw\n')
-realm.run_kadmin(['cpw', '-randkey', 'princ/random'])
-
-realm.run_kadmin(['modprinc', '-allow_tix', 'princ/random'])
-realm.run_kadmin(['modprinc', '+allow_tix', 'princ/random'])
-realm.run_kadmin(['modprinc', '-policy', 'standardpol', 'princ/random'])
-
-realm.run_kadmin(['listprincs'], expected_msg='princ/random@KRBTEST.COM')
-
-realm.run_kadmin(['ktadd', 'princ/pw'])
-
-realm.run_kadmin(['delprinc', 'princ/random'])
-realm.run([kadminl, 'getprinc', 'princ/random'], expected_code=1,
- expected_msg='Principal does not exist')
-realm.run_kadmin(['delprinc', 'princ/pw'])
-realm.run([kadminl, 'getprinc', 'princ/pw'], expected_code=1,
- expected_msg='Principal does not exist')
-
-realm.run_kadmin(['delpol', 'standardpol'])
-realm.run([kadminl, 'getpol', 'standardpol'], expected_code=1,
- expected_msg='Policy does not exist')
-
-# Regression test for #2877 (fixed-sized GSSRPC buffers can't
-# accomodate large listprinc results).
-mark('large listprincs result')
-for i in range(200):
- realm.run_kadmin(['addprinc', '-randkey', 'foo%d' % i])
-realm.run_kadmin(['listprincs'], expected_msg='foo199')
-
-# Test kadmin -k with the default principal, with and without
-# fallback. This operation requires canonicalization against the
-# keytab in krb5_get_init_creds_keytab() as the
-# krb5_sname_to_principal() result won't have a realm. Try with and
-# without without fallback processing since the code paths are
-# different.
-mark('kadmin -k')
-realm.run([kadmin, '-k', 'getprinc', realm.host_princ])
-no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
-no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
-realm.run([kadmin, '-k', 'getprinc', realm.host_princ], env=no_canon)
-
-success('kadmin and kpasswd tests')
diff --git a/crypto/krb5/src/tests/t_kadmin_acl.py b/crypto/krb5/src/tests/t_kadmin_acl.py
deleted file mode 100755
index fe762d57c34b..000000000000
--- a/crypto/krb5/src/tests/t_kadmin_acl.py
+++ /dev/null
@@ -1,450 +0,0 @@
-from k5test import *
-import os
-
-realm = K5Realm(create_host=False, create_user=False)
-
-def make_client(name):
- global realm
- realm.addprinc(name, password(name))
- ccache = os.path.join(realm.testdir,
- 'kadmin_ccache_' + name.replace('/', '_'))
- realm.kinit(name, password(name),
- flags=['-S', 'kadmin/admin', '-c', ccache])
- return ccache
-
-def kadmin_as(client, query, **kwargs):
- global realm
- return realm.run([kadmin, '-c', client] + query, **kwargs)
-
-all_add = make_client('all_add')
-all_changepw = make_client('all_changepw')
-all_delete = make_client('all_delete')
-all_inquire = make_client('all_inquire')
-all_list = make_client('all_list')
-all_modify = make_client('all_modify')
-all_rename = make_client('all_rename')
-all_wildcard = make_client('all_wildcard')
-all_extract = make_client('all_extract')
-all_alias = make_client('all_alias')
-some_add = make_client('some_add')
-some_changepw = make_client('some_changepw')
-some_delete = make_client('some_delete')
-some_inquire = make_client('some_inquire')
-some_modify = make_client('some_modify')
-some_rename = make_client('some_rename')
-some_extract = make_client('some_extract')
-some_alias = make_client('some_alias')
-restricted_add = make_client('restricted_add')
-restricted_modify = make_client('restricted_modify')
-restricted_rename = make_client('restricted_rename')
-restricted_alias = make_client('restricted_alias')
-wctarget = make_client('wctarget')
-admin = make_client('user/admin')
-none = make_client('none')
-restrictions = make_client('restrictions')
-onetwothreefour = make_client('one/two/three/four')
-
-realm.run([kadminl, 'alias', 'aliastonone', 'none'])
-aliastonone = os.path.join(realm.testdir, 'kadmin_ccache_aliastonone')
-realm.kinit('aliastonone', password('none'),
- flags=['-S', 'kadmin/admin', '-c', aliastonone])
-
-realm.run([kadminl, 'alias', 'aliastounselected', 'unselected'])
-realm.run([kadminl, 'alias', 'aliastoselected', 'selected'])
-
-realm.run([kadminl, 'addpol', '-minlife', '1 day', 'minlife']) - -f = open(os.path.join(realm.testdir, 'acl'), 'w') -f.write(''' -all_add a -all_changepw c -all_delete d -all_inquire i -all_list l -all_modify im -all_rename ad -all_wildcard x -all_extract ie -all_alias am -some_add a selected -some_add a aliastounselected -some_changepw c selected -some_changepw c aliastounselected -some_delete d selected -some_delete d aliastounselected -some_inquire i selected -some_inquire i aliastounselected -some_modify im selected -some_modify im aliastounselected -some_extract ie selected -some_extract ie aliastounselected -some_rename d from -some_rename a to -some_alias a aliasname -some_alias m canon -restricted_add a * +preauth -restricted_modify im * +preauth -restricted_rename ad * +preauth -restricted_alias ai * +preauth - -*/* d *2/*1 -# The next line is a regression test for #8154; it is not used directly. -one/*/*/five l -*/two/*/* d *3/*1/*2 -*/admin a -wctarget a wild/* -restrictions a type1 -policy minlife -restrictions a type2 -clearpolicy -restrictions a type3 -maxlife 1h -maxrenewlife 2h -''') -f.close() - -realm.start_kadmind() - -# cpw can generate four different RPC calls depending on options. -realm.addprinc('selected', 'oldpw') -realm.addprinc('unselected', 'oldpw') -for pw in (['-pw', 'newpw'], ['-randkey']): - for ks in ([], ['-e', 'aes256-cts']): - mark('cpw: %s %s' % (repr(pw), repr(ks))) - args = pw + ks - kadmin_as(all_changepw, ['cpw'] + args + ['unselected']) - kadmin_as(some_changepw, ['cpw'] + args + ['selected']) - msg = "Operation requires ``change-password'' privilege" - kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1, - expected_msg=msg) - kadmin_as(some_changepw, ['cpw'] + args + ['unselected'], - expected_code=1, expected_msg=msg) - # Verify that the ACL check is canonicalized. 
- kadmin_as(some_changepw, ['cpw'] + args + ['aliastounselected'],
- expected_code=1, expected_msg=msg)
- kadmin_as(some_changepw, ['cpw'] + args + ['aliastoselected'])
- kadmin_as(none, ['cpw'] + args + ['none'])
- kadmin_as(aliastonone, ['cpw'] + args + ['none'],
- expected_code=1, expected_msg=msg)
- realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
- msg = "Current password's minimum life has not expired"
- kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1,
- expected_msg=msg)
- realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('addpol')
-kadmin_as(all_add, ['addpol', 'policy'])
-realm.run([kadminl, 'delpol', 'policy'])
-kadmin_as(none, ['addpol', 'policy'], expected_code=1,
- expected_msg="Operation requires ``add'' privilege")
-
-# addprinc can generate two different RPC calls depending on options.
-for ks in ([], ['-e', 'aes256-cts']):
- mark('addprinc: %s' % repr(ks))
- args = ['-pw', 'pw'] + ks
- kadmin_as(all_add, ['addprinc'] + args + ['unselected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
- kadmin_as(some_add, ['addprinc'] + args + ['selected'])
- realm.run([kadminl, 'delprinc', 'selected'])
- kadmin_as(restricted_add, ['addprinc'] + args + ['unselected'])
- realm.run([kadminl, 'getprinc', 'unselected'],
- expected_msg='REQUIRES_PRE_AUTH')
- realm.run([kadminl, 'delprinc', 'unselected'])
- kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1,
- expected_msg="Operation requires ``add'' privilege")
- kadmin_as(some_add, ['addprinc'] + args + ['unselected'], expected_code=1,
- expected_msg="Operation requires ``add'' privilege")
- # Verify that the ACL check isn't canonicalized. (We need the alias
- # to resolve or we will overwrite it, currently.)
- realm.addprinc('unselected')
- kadmin_as(some_add, ['addprinc'] + args + ['aliastounselected'],
- expected_code=1, expected_msg='already exists')
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('delprinc')
-realm.addprinc('unselected', 'pw')
-kadmin_as(all_delete, ['delprinc', 'unselected'])
-realm.addprinc('selected', 'pw')
-kadmin_as(some_delete, ['delprinc', 'selected'])
-realm.addprinc('unselected', 'pw')
-kadmin_as(none, ['delprinc', 'unselected'], expected_code=1,
- expected_msg="Operation requires ``delete'' privilege")
-kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1,
- expected_msg="Operation requires ``delete'' privilege")
-# Verify that the ACL check isn't canonicalized.
-kadmin_as(some_delete, ['delprinc', 'aliastounselected'])
-realm.run([kadminl, 'alias', 'aliastounselected', 'unselected'])
-kadmin_as(some_delete, ['delprinc', 'aliastoselected'], expected_code=1,
- expected_msg="Operation requires ``delete'' privilege")
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('getpol')
-kadmin_as(all_inquire, ['getpol', 'minlife'], expected_msg='Policy: minlife')
-kadmin_as(none, ['getpol', 'minlife'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
-kadmin_as(none, ['getpol', 'minlife'], expected_msg='Policy: minlife')
-realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
-
-mark('getprinc')
-realm.addprinc('selected', 'pw')
-realm.addprinc('unselected', 'pw')
-kadmin_as(all_inquire, ['getprinc', 'unselected'],
- expected_msg='Principal: unselected@KRBTEST.COM')
-kadmin_as(some_inquire, ['getprinc', 'selected'],
- expected_msg='Principal: selected@KRBTEST.COM')
-kadmin_as(none, ['getprinc', 'selected'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-# Verify that the ACL check is 
canonicalized.
-kadmin_as(some_inquire, ['getprinc', 'aliastounselected'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-kadmin_as(some_inquire, ['getprinc', 'aliastoselected'],
- expected_msg='Principal: selected@KRBTEST.COM')
-kadmin_as(none, ['getprinc', 'none'],
- expected_msg='Principal: none@KRBTEST.COM')
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('listprincs')
-kadmin_as(all_list, ['listprincs'], expected_msg='K/M@KRBTEST.COM')
-kadmin_as(none, ['listprincs'], expected_code=1,
- expected_msg="Operation requires ``list'' privilege")
-
-mark('getstrs')
-realm.addprinc('selected', 'pw')
-realm.addprinc('unselected', 'pw')
-realm.run([kadminl, 'setstr', 'selected', 'key', 'value'])
-realm.run([kadminl, 'setstr', 'unselected', 'key', 'value'])
-kadmin_as(all_inquire, ['getstrs', 'unselected'], expected_msg='key: value')
-kadmin_as(some_inquire, ['getstrs', 'selected'], expected_msg='key: value')
-kadmin_as(none, ['getstrs', 'selected'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-# Verify that the ACL check is canonicalized.
-kadmin_as(some_inquire, ['getstrs', 'aliastounselected'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-kadmin_as(some_inquire, ['getstrs', 'aliastoselected'],
- expected_msg='key: value')
-kadmin_as(none, ['getstrs', 'none'], expected_msg='(No string attributes.)')
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('modpol')
-out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'],
- expected_code=1)
-if 'Operation requires' in out:
- fail('modpol success (acl)')
-kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-
-mark('modprinc')
-realm.addprinc('selected', 'pw')
-realm.addprinc('unselected', 'pw')
-kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
-kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected'])
-kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
-realm.run([kadminl, 'getprinc', 'unselected'],
- expected_msg='REQUIRES_PRE_AUTH')
-kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
- expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
- expected_code=1, expected_msg='Operation requires')
-# Verify that the ACL check is canonicalized.
-kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'aliastounselected'],
- expected_code=1, expected_msg='Operation requires')
-kadmin_as(some_modify, ['modprinc', '-maxlife', '2 hours', 'aliastoselected'])
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('purgekeys')
-realm.addprinc('selected', 'pw')
-realm.addprinc('unselected', 'pw')
-kadmin_as(all_modify, ['purgekeys', 'unselected'])
-kadmin_as(some_modify, ['purgekeys', 'selected'])
-kadmin_as(none, ['purgekeys', 'selected'], expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-# Verify that the ACL check is canonicalized.
-kadmin_as(some_modify, ['purgekeys', 'aliastounselected'], expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-kadmin_as(some_modify, ['purgekeys', 'aliastoselected'])
-kadmin_as(none, ['purgekeys', 'none'])
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('renprinc')
-realm.addprinc('from', 'pw')
-kadmin_as(all_rename, ['renprinc', 'from', 'to'])
-realm.run([kadminl, 'renprinc', 'to', 'from'])
-kadmin_as(some_rename, ['renprinc', 'from', 'to'])
-realm.run([kadminl, 'renprinc', 'to', 'from'])
-kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-realm.run([kadminl, 'renprinc', 'from', 'notfrom'])
-kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-# Verify that the ACL check isn't canonicalized.
-realm.run([kadminl, 'alias', 'aliastofrom', 'from'])
-realm.run([kadminl, 'alias', 'aliastoto', 'to'])
-kadmin_as(some_rename, ['renprinc', 'aliastofrom', 'to'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(some_rename, ['renprinc', 'from', 'aliastoto'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-realm.run([kadminl, 'delprinc', 'aliastofrom'])
-realm.run([kadminl, 'delprinc', 'aliastoto'])
-kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-realm.run([kadminl, 'delprinc', 'notfrom'])
-
-mark('setstr')
-realm.addprinc('selected', 'pw')
-realm.addprinc('unselected', 'pw')
-kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value'])
-kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value'])
-kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
- expected_code=1, expected_msg='Operation requires')
-# Verify that the ACL check is canonicalized.
-kadmin_as(some_modify, ['setstr', 'aliastounselected', 'key', 'value'],
- expected_code=1, expected_msg='Operation requires')
-kadmin_as(some_modify, ['setstr', 'aliastoselected', 'key', 'value'])
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('addprinc/delprinc (wildcard)')
-kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget'])
-realm.run([kadminl, 'delprinc', 'anytarget'])
-kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card'])
-realm.run([kadminl, 'delprinc', 'wild/card'])
-kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
- expected_code=1, expected_msg='Operation requires')
-realm.addprinc('admin/user', 'pw')
-kadmin_as(admin, ['delprinc', 'admin/user'])
-kadmin_as(admin, ['delprinc', 'none'], expected_code=1,
- expected_msg='Operation requires')
-realm.addprinc('four/one/three', 'pw')
-kadmin_as(onetwothreefour, ['delprinc', 'four/one/three'])
-
-mark('addprinc (restrictions)')
-kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1'])
-realm.run([kadminl, 'getprinc', 'type1'], expected_msg='Policy: minlife')
-realm.run([kadminl, 'delprinc', 'type1'])
-kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife',
- 'type2'])
-realm.run([kadminl, 'getprinc', 'type2'], expected_msg='Policy: [none]')
-realm.run([kadminl, 'delprinc', 'type2'])
-kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute',
- 'type3'])
-out = realm.run([kadminl, 'getprinc', 'type3'])
-if ('Maximum ticket life: 0 days 00:01:00' not in out or
- 'Maximum renewable life: 0 days 02:00:00' not in out):
- fail('restriction (maxlife low, maxrenewlife unspec)')
-realm.run([kadminl, 'delprinc', 'type3'])
-kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day',
- 'type3'])
-realm.run([kadminl, 'getprinc', 'type3'],
- expected_msg='Maximum renewable life: 0 days 02:00:00')
-
-mark('extract')
-realm.addprinc('selected')
-realm.addprinc('unselected')
-realm.run([kadminl, 
'addprinc', '-pw', 'pw', 'extractkeys'])
-msg = "Operation requires ``extract-keys'' privilege"
-kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
- expected_code=1, expected_msg=msg)
-kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
-realm.kinit('extractkeys', flags=['-k'])
-kadmin_as(some_extract, ['ktadd', '-norandkey', 'selected'])
-kadmin_as(some_extract, ['ktadd', '-norandkey', 'unselected'], expected_code=1,
- expected_msg=msg)
-# Verify that the ACL check is canonicalized.
-kadmin_as(some_extract, ['ktadd', '-norandkey', 'aliastounselected'],
- expected_code=1, expected_msg=msg)
-kadmin_as(some_extract, ['ktadd', '-norandkey', 'aliastoselected'])
-os.remove(realm.keytab)
-realm.run([kadminl, 'delprinc', 'selected'])
-realm.run([kadminl, 'delprinc', 'unselected'])
-
-mark('lockdown_keys')
-kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
-kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
- expected_code=1,
- expected_msg="Operation requires ``change-password'' privilege")
-kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
-kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], expected_code=1,
- expected_msg="Operation requires ``extract-keys'' privilege")
-kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1,
- expected_msg="Operation requires ``delete'' privilege")
-kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
- expected_code=1,
- expected_msg="Operation requires ``delete'' privilege")
-kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
- expected_code=1,
- expected_msg="Operation requires ``modify'' privilege")
-realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
-kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
-realm.kinit('extractkeys', flags=['-k'])
-os.remove(realm.keytab)
-
-mark('alias')
-kadmin_as(all_alias, ['alias', 'aliasname', 'canon'])
-realm.run([kadminl, 'delprinc', 'aliasname'])
-kadmin_as(some_alias, ['alias', 'aliasname', 'canon'])
-realm.run([kadminl, 'delprinc', 'aliasname'])
-kadmin_as(all_add, ['alias', 'aliasname', 'canon'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(all_inquire, ['alias', 'aliasname', 'canon'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(some_alias, ['alias', 'aliasname', 'notcanon'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(some_alias, ['alias', 'notaliasname', 'canon'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-kadmin_as(restricted_alias, ['alias', 'aliasname', 'canon'], expected_code=1,
- expected_msg="Insufficient authorization for operation")
-
-# Verify that self-service key changes require an initial ticket.
-mark('self-service initial ticket')
-realm.run([kadminl, 'cpw', '-pw', password('none'), 'none'])
-realm.run([kadminl, 'modprinc', '+allow_tgs_req', 'kadmin/admin'])
-realm.kinit('none', password('none'))
-realm.run([kvno, 'kadmin/admin'])
-msg = 'Operation requires initial ticket'
-realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw', 'none'],
- expected_code=1, expected_msg=msg)
-realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw',
- '-e', 'aes256-cts', 'none'], expected_code=1, expected_msg=msg)
-realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
- expected_code=1, expected_msg=msg)
-realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
- 'none'], expected_code=1, expected_msg=msg)
-
-# Test authentication to kadmin/hostname.
-mark('authentication to kadmin/hostname')
-kadmin_hostname = 'kadmin/' + hostname
-realm.addprinc(kadmin_hostname)
-realm.run([kadminl, 'delprinc', 'kadmin/admin'])
-msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
- 'Setting initial creds service to kadmin/admin',
- '/Server not found in Kerberos database',
- 'Getting initial credentials for user/admin@KRBTEST.COM',
- 'Setting initial creds service to ' + kadmin_hostname,
- 'Decrypted AS reply')
-realm.run([kadmin, '-p', 'user/admin', 'listprincs'], expected_code=1,
- expected_msg="Operation requires ``list'' privilege",
- input=password('user/admin'), expected_trace=msgs)
-
-# Test operations disallowed at the libkadm5 layer.
-realm.run([kadminl, 'delprinc', 'K/M'],
- expected_code=1, expected_msg='Cannot change protected principal')
-realm.run([kadminl, 'cpw', '-pw', 'pw', 'kadmin/history'],
- expected_code=1, expected_msg='Cannot change protected principal')
-
-success('kadmin ACL enforcement')
diff --git a/crypto/krb5/src/tests/t_kadmin_parsing.py b/crypto/krb5/src/tests/t_kadmin_parsing.py
deleted file mode 100644
index bebb01488870..000000000000
--- a/crypto/krb5/src/tests/t_kadmin_parsing.py
+++ /dev/null
@@ -1,82 +0,0 @@
-from k5test import *
-
-# This file contains tests for kadmin command parsing. Principal
-# flags (which can also be used in kadm5.acl or krb5.conf) are tested
-# in t_princflags.py.
-
-# kadmin recognizes time intervals using either the
-# krb5_string_to_deltat() formats or the relative getdate.y formats.
-# (Absolute getdate.y formats also work with the current time
-# subtracted; this isn't very useful and we won't test it here.)
-intervals = (
- # krb5_string_to_deltat() formats. Whitespace ( \t\n) is allowed
- # before or between most elements or at the end, but not after
- # 's'. Negative or oversized numbers are allowed in most places,
- # but not after the first number in an HH:MM:SS form.
- ('28s', '0 days 00:00:28'),
- ('7m ', '0 days 00:07:00'),
- ('6m 9s', '0 days 00:06:09'),
- ('2h', '0 days 02:00:00'),
- ('2h-5s', '0 days 01:59:55'),
- ('2h3m', '0 days 02:03:00'),
- ('2h3m5s', '0 days 02:03:05'),
- ('5d ', '5 days 00:00:00'),
- ('5d-48s', '4 days 23:59:12'),
- ('5d18m', '5 days 00:18:00'),
- ('5d -6m56s', '4 days 23:54:56'),
- ('5d4h', '5 days 04:00:00'),
- ('5d4h 1s', '5 days 04:00:01'),
- ('5d4h3m', '5 days 04:03:00'),
- (' \t 15d \n 4h 3m 2s', '15 days 04:03:02'),
- ('10-8:45:0', '10 days 08:45:00'),
- ('1000:67:99', '41 days 17:08:39'),
- ('999:11', '41 days 15:11:00'),
- ('382512', '4 days 10:15:12'),
-
- # getdate.y relative formats (and "never", which is handled
- # specially as a zero interval). Any number of relative forms can
- # be specified in any order. Whitespace is ignored before or
- # after any token. "month" and "year" are allowed as units but
- # depend on the current time, so we won't test them. Plural unit
- # names are treated identically to singular unit names. Numbers
- # before unit names are optional and may be signed; there are also
- # aliases for some numbers. "ago" inverts the interval up to the
- # point where it appears.
- ('never', '0 days 00:00:00'),
- ('fortnight', '14 days 00:00:00'),
- ('3 day ago 4 weeks 8 hours', '25 days 08:00:00'),
- ('8 second -3 secs 5 minute ago 63 min', '0 days 00:57:55'),
- ('min mins min mins min', '0 days 00:05:00'),
- ('tomorrow tomorrow today yesterday now last minute', '0 days 23:59:00'),
- ('this second next minute first hour third fortnight fourth day '
- 'fifth weeks sixth sec seventh secs eighth second ninth mins tenth '
- 'day eleventh min twelfth sec', '91 days 01:22:34'))
-
-realm = K5Realm(create_host=False, get_creds=False)
-realm.run([kadminl, 'addpol', 'pol'])
-for instr, outstr in intervals:
- realm.run([kadminl, 'modprinc', '-maxlife', instr, realm.user_princ])
- msg = 'Maximum ticket life: ' + outstr + '\n'
- realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
-
- realm.run([kadminl, 'modprinc', '-maxrenewlife', instr, realm.user_princ])
- msg = 'Maximum renewable life: ' + outstr + '\n'
- realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-maxlife', instr, 'pol'])
- msg = 'Maximum password life: ' + outstr + '\n'
- realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-minlife', instr, 'pol'])
- msg = 'Minimum password life: ' + outstr + '\n'
- realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-failurecountinterval', instr, 'pol'])
- msg = 'Password failure count reset interval: ' + outstr + '\n'
- realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-lockoutduration', instr, 'pol'])
- msg = 'Password lockout duration: ' + outstr + '\n'
- realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
-success('kadmin command parsing tests')
diff --git a/crypto/krb5/src/tests/t_kdb.py b/crypto/krb5/src/tests/t_kdb.py
deleted file mode 100755
index 14d57923fd71..000000000000
--- a/crypto/krb5/src/tests/t_kdb.py
+++ /dev/null
@@ -1,637 +0,0 @@
-from k5test import *
-import time
-
-# Run kdbtest against the non-LDAP KDB modules.
-for realm in multidb_realms(create_kdb=False):
- realm.run(['./kdbtest'])
-
-# Set up an OpenLDAP test server if we can.
-
-if (not os.path.exists(os.path.join(plugins, 'kdb', 'kldap.so')) and
- not os.path.exists(os.path.join(buildtop, 'lib', 'libkdb_ldap.a'))):
- skip_rest('LDAP KDB tests', 'LDAP KDB module not built')
-
-if 'SLAPD' not in os.environ and not which('slapd'):
- skip_rest('LDAP KDB tests', 'slapd not found')
-
-slapadd = which('slapadd')
-if not slapadd:
- skip_rest('LDAP KDB tests', 'slapadd not found')
-
-ldapdir = os.path.abspath('ldap')
-dbdir = os.path.join(ldapdir, 'ldap')
-slapd_conf = os.path.join(ldapdir, 'slapd.d')
-slapd_out = os.path.join(ldapdir, 'slapd.out')
-slapd_pidfile = os.path.join(ldapdir, 'pid')
-ldap_pwfile = os.path.join(ldapdir, 'pw')
-ldap_sock = os.path.join(ldapdir, 'sock')
-ldap_uri = 'ldapi://%s/' % ldap_sock.replace(os.path.sep, '%2F')
-schema = os.path.join(srctop, 'plugins', 'kdb', 'ldap', 'libkdb_ldap',
- 'kerberos.openldap.ldif')
-top_dn = 'cn=krb5'
-admin_dn = 'cn=admin,cn=krb5'
-admin_pw = 'admin'
-
-shutil.rmtree(ldapdir, True)
-os.mkdir(ldapdir)
-os.mkdir(slapd_conf)
-os.mkdir(dbdir)
-
-if 'SLAPD' in os.environ:
- slapd = os.environ['SLAPD']
-else:
- # Some Linux installations have AppArmor or similar restrictions
- # on the slapd binary, which would prevent it from accessing the
- # build directory. Try to defeat this by copying the binary.
- system_slapd = which('slapd')
- slapd = os.path.join(ldapdir, 'slapd')
- shutil.copy(system_slapd, slapd)
-
-def slap_add(ldif):
- proc = subprocess.Popen([slapadd, '-b', 'cn=config', '-F', slapd_conf],
- stdin=subprocess.PIPE, stdout=subprocess.PIPE,
- stderr=subprocess.STDOUT, universal_newlines=True)
- (out, dummy) = proc.communicate(ldif)
- output(out)
- return proc.wait()
-
-
-# Configure the pid file and some authorization rules we will need for
-# SASL testing.
-if slap_add('dn: cn=config\n'
- 'objectClass: olcGlobal\n'
- 'olcPidFile: %s\n'
- 'olcAuthzRegexp: '
- '".*uidNumber=%d,cn=peercred,cn=external,cn=auth" "%s"\n'
- 'olcAuthzRegexp: "uid=digestuser,cn=digest-md5,cn=auth" "%s"\n' %
- (slapd_pidfile, os.geteuid(), admin_dn, admin_dn)) != 0:
- skip_rest('LDAP KDB tests', 'slapd basic configuration failed')
-
-# Find a working writable database type, trying mdb (added in OpenLDAP
-# 2.4.27) and bdb (deprecated and sometimes not built due to licensing
-# incompatibilities).
-for dbtype in ('mdb', 'bdb'):
- # Try to load the module. This could fail if OpenLDAP is built
- # without module support, so ignore errors.
- slap_add('dn: cn=module,cn=config\n'
- 'objectClass: olcModuleList\n'
- 'olcModuleLoad: back_%s\n' % dbtype)
-
- dbclass = 'olc%sConfig' % dbtype.capitalize()
- if slap_add('dn: olcDatabase=%s,cn=config\n'
- 'objectClass: olcDatabaseConfig\n'
- 'objectClass: %s\n'
- 'olcSuffix: %s\n'
- 'olcRootDN: %s\n'
- 'olcRootPW: %s\n'
- 'olcDbDirectory: %s\n' %
- (dbtype, dbclass, top_dn, admin_dn, admin_pw, dbdir)) == 0:
- break
-else:
- skip_rest('LDAP KDB tests', 'could not find working slapd db type')
-
-if slap_add('include: file://%s\n' % schema) != 0:
- skip_rest('LDAP KDB tests', 'failed to load Kerberos schema')
-
-# Load the core schema if we can.
-ldap_homes = ['/etc/ldap', '/etc/openldap', '/usr/local/etc/openldap',
- '/usr/local/etc/ldap']
-local_schema_path = '/schema/core.ldif'
-core_schema = next((i for i in map(lambda x:x+local_schema_path, ldap_homes)
- if os.path.isfile(i)), None)
-if core_schema:
- if slap_add('include: file://%s\n' % core_schema) != 0:
- core_schema = None
-
-slapd_pid = -1
-def kill_slapd():
- global slapd_pid
- if slapd_pid != -1:
- os.kill(slapd_pid, signal.SIGTERM)
- slapd_pid = -1
-atexit.register(kill_slapd)
-
-out = open(slapd_out, 'w')
-subprocess.call([slapd, '-h', ldap_uri, '-F', slapd_conf], stdout=out,
- stderr=out, universal_newlines=True)
-out.close()
-pidf = open(slapd_pidfile, 'r')
-slapd_pid = int(pidf.read())
-pidf.close()
-output('*** Started slapd (pid %d, output in %s)\n' % (slapd_pid, slapd_out))
-
-# slapd detaches before it finishes setting up its listener sockets
-# (they are bound but listen() has not been called). Give it a second
-# to finish.
-time.sleep(1)
-
-# Run kdbtest against the LDAP module.
-conf = {'realms': {'$realm': {'database_module': 'ldap'}},
- 'dbmodules': {'ldap': {'db_library': 'kldap',
- 'ldap_kerberos_container_dn': top_dn,
- 'ldap_kdc_dn': admin_dn,
- 'ldap_kadmind_dn': admin_dn,
- 'ldap_service_password_file': ldap_pwfile,
- 'ldap_servers': ldap_uri}}}
-realm = K5Realm(create_kdb=False, kdc_conf=conf)
-input = admin_pw + '\n' + admin_pw + '\n'
-realm.run([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input)
-realm.run(['./kdbtest'])
-
-# Run a kdb5_ldap_util command using the test server's admin DN and password.
-def kldaputil(args, **kw):
- return realm.run([kdb5_ldap_util, '-D', admin_dn, '-w', admin_pw] + args,
- **kw)
-
-# kdbtest can't currently clean up after itself since the LDAP module
-# doesn't support krb5_db_destroy. So clean up after it with
-# kdb5_ldap_util before proceeding.
-kldaputil(['destroy', '-f'])
-
-ldapmodify = which('ldapmodify')
-ldapsearch = which('ldapsearch')
-if not ldapmodify or not ldapsearch:
- skip_rest('some LDAP KDB tests', 'ldapmodify or ldapsearch not found')
-
-def ldap_search(args):
- proc = subprocess.Popen([ldapsearch, '-H', ldap_uri, '-b', top_dn,
- '-D', admin_dn, '-w', admin_pw, args],
- stdin=subprocess.PIPE, stdout=subprocess.PIPE,
- stderr=subprocess.STDOUT, universal_newlines=True)
- (out, dummy) = proc.communicate()
- return out
-
-def ldap_modify(ldif, args=[]):
- proc = subprocess.Popen([ldapmodify, '-H', ldap_uri, '-D', admin_dn,
- '-x', '-w', admin_pw] + args,
- stdin=subprocess.PIPE, stdout=subprocess.PIPE,
- stderr=subprocess.STDOUT, universal_newlines=True)
- (out, dummy) = proc.communicate(ldif)
- output(out)
-
-def ldap_add(dn, objectclass, attrs=[]):
- in_data = 'dn: %s\nobjectclass: %s\n' % (dn, objectclass)
- in_data += '\n'.join(attrs) + '\n'
- ldap_modify(in_data, ['-a'])
-
-# Create krbContainer objects for use as subtrees.
-ldap_add('cn=t1,cn=krb5', 'krbContainer')
-ldap_add('cn=t2,cn=krb5', 'krbContainer')
-ldap_add('cn=x,cn=t1,cn=krb5', 'krbContainer')
-ldap_add('cn=y,cn=t2,cn=krb5', 'krbContainer')
-
-# Create a realm, exercising all of the realm options.
-kldaputil(['create', '-s', '-P', 'master', '-subtrees', 'cn=t2,cn=krb5',
- '-containerref', 'cn=t2,cn=krb5', '-sscope', 'one',
- '-maxtktlife', '5min', '-maxrenewlife', '10min', '-allow_svr'])
-
-# Modify the realm, exercising overlapping subtree pruning.
-kldaputil(['modify', '-subtrees',
- 'cn=x,cn=t1,cn=krb5:cn=t1,cn=krb5:cn=t2,cn=krb5:cn=y,cn=t2,cn=krb5',
- '-containerref', 'cn=t1,cn=krb5', '-sscope', 'sub',
- '-maxtktlife', '5hour', '-maxrenewlife', '10hour', '+allow_svr'])
-
-out = kldaputil(['list'])
-if out != 'KRBTEST.COM\n':
- fail('Unexpected kdb5_ldap_util list output')
-
-# Create a principal at a specified DN. This is a little dodgy
-# because we're sticking a krbPrincipalAux objectclass onto a subtree
-# krbContainer, but it works and it avoids having to load core.schema
-# in the test LDAP server.
-mark('LDAP specified dn')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
- expected_code=1, expected_msg='DN is out of the realm subtree')
-# Check that the DN container check is a hierarchy test, not a simple
-# suffix match (CVE-2018-5730). We expect this operation to fail
-# either way (because "xcn" isn't a valid DN tag) but the container
-# check should happen before the DN is parsed.
-realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
- expected_code=1, expected_msg='DN is out of the realm subtree')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
-realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
- expected_code=1, expected_msg='ldap object is already kerberized')
-# Check that we can't set linkdn on a non-standalone object.
-realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
- expected_code=1, expected_msg='link information can not be set')
-
-# Create a principal with a specified linkdn.
-mark('LDAP specified linkdn')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
- expected_code=1, expected_msg='DN is out of the realm subtree')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=t1,cn=krb5', 'princ2'])
-# Check that we can't reset linkdn.
-realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
- expected_code=1, expected_msg='kerberos principal is already linked')
-
-# Create a principal with a specified containerdn.
-mark('LDAP specified containerdn')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', 'princ3'],
- expected_code=1, expected_msg='DN is out of the realm subtree')
-realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
- 'princ3'])
-realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
- expected_code=1, expected_msg='containerdn option not supported')
-# Verify that containerdn is checked when linkdn is also supplied
-# (CVE-2018-5730).
-realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
- '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
- expected_msg='DN is out of the realm subtree')
-
-mark('LDAP ticket policy')
-
-# Create and modify a ticket policy.
-kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
- '-allow_forwardable', 'tktpol'])
-kldaputil(['modify_policy', '-maxtktlife', '4hour', '-maxrenewlife', '8hour',
- '+requires_preauth', 'tktpol'])
-out = kldaputil(['view_policy', 'tktpol'])
-if ('Ticket policy: tktpol\n' not in out or
- 'Maximum ticket life: 0 days 04:00:00\n' not in out or
- 'Maximum renewable life: 0 days 08:00:00\n' not in out or
- 'Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH' not in out):
- fail('Unexpected kdb5_ldap_util view_policy output')
-
-out = kldaputil(['list_policy'])
-if out != 'tktpol\n':
- fail('Unexpected kdb5_ldap_util list_policy output')
-
-# Associate the ticket policy to a principal.
-realm.run([kadminl, 'ank', '-randkey', '-x', 'tktpolicy=tktpol', 'princ4'])
-out = realm.run([kadminl, 'getprinc', 'princ4'])
-if ('Maximum ticket life: 0 days 04:00:00\n' not in out or
- 'Maximum renewable life: 0 days 08:00:00\n' not in out or
- 'Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH\n' not in out):
- fail('Unexpected getprinc output with ticket policy')
-
-# Destroying the policy should fail while a principal references it.
-kldaputil(['destroy_policy', '-force', 'tktpol'], expected_code=1)
-
-# Dissociate the ticket policy from the principal.
-realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=', 'princ4'])
-out = realm.run([kadminl, 'getprinc', 'princ4'])
-if ('Maximum ticket life: 0 days 05:00:00\n' not in out or
- 'Maximum renewable life: 0 days 10:00:00\n' not in out or
- 'Attributes:\n' not in out):
- fail('Unexpected getprinc output without ticket policy')
-
-# Destroy the ticket policy.
-kldaputil(['destroy_policy', '-force', 'tktpol'])
-kldaputil(['view_policy', 'tktpol'], expected_code=1)
-out = kldaputil(['list_policy'])
-if out:
- fail('Unexpected kdb5_ldap_util list_policy output after destroy')
-
-# Create another ticket policy to be destroyed with the realm.
-kldaputil(['create_policy', 'tktpol2'])
-
-# Try to create a password policy conflicting with a ticket policy.
-realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1,
- expected_msg='Already exists while creating policy "tktpol2"')
-
-# Try to create a ticket policy conflicting with a password policy.
-realm.run([kadminl, 'addpol', 'pwpol'])
-out = kldaputil(['create_policy', 'pwpol'], expected_code=1)
-if 'Already exists while creating policy object' not in out:
- fail('Expected error not seen in kdb5_ldap_util output')
-
-# Try to use a password policy as a ticket policy.
-realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
- expected_code=1, expected_msg='Object class violation')
-
-# Use a ticket policy as a password policy (CVE-2014-5353). This
-# works with a warning; use kadmin.local -q so the warning is shown.
-realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'],
- expected_msg='WARNING: policy "tktpol2" does not exist')
-
-# Do some basic tests with a KDC against the LDAP module, exercising the
-# db_args processing code.
-mark('LDAP KDC operation')
-realm.start_kdc(['-x', 'nconns=3', '-x', 'host=' + ldap_uri,
- '-x', 'binddn=' + admin_dn, '-x', 'bindpwd=' + admin_pw])
-realm.addprinc(realm.user_princ, password('user'))
-realm.addprinc(realm.host_princ)
-realm.extract_keytab(realm.host_princ, realm.keytab)
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, realm.host_princ])
-realm.klist(realm.user_princ, realm.host_princ)
-
-mark('LDAP auth indicator')
-
-# Test require_auth normalization.
-realm.addprinc('authind', password('authind'))
-realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius'])
-
-# Check that krbPrincipalAuthInd attributes are set when the string
-# attribute it set.
-out = ldap_search('(krbPrincipalName=authind*)')
-if 'krbPrincipalAuthInd: otp' not in out:
- fail('Expected krbPrincipalAuthInd value not in output')
-if 'krbPrincipalAuthInd: radius' not in out:
- fail('Expected krbPrincipalAuthInd value not in output')
-
-# Check that the string attribute still appears when the principal is
-# loaded.
-realm.run([kadminl, 'getstrs', 'authind'],
- expected_msg='require_auth: otp radius')
-
-# Modify the LDAP attributes and check that the change is reflected in
-# the string attribute.
-ldap_modify('dn: krbPrincipalName=authind@KRBTEST.COM,cn=t1,cn=krb5\n'
- 'changetype: modify\n'
- 'replace: krbPrincipalAuthInd\n'
- 'krbPrincipalAuthInd: radius\n'
- 'krbPrincipalAuthInd: pkinit\n')
-realm.run([kadminl, 'getstrs', 'authind'],
- expected_msg='require_auth: radius pkinit')
-
-# Regression test for #8877: remove the string attribute and check
-# that it is reflected in the LDAP attributes and by getstrs.
-realm.run([kadminl, 'delstr', 'authind', 'require_auth'])
-out = ldap_search('(krbPrincipalName=authind*)')
-if 'krbPrincipalAuthInd' in out:
- fail('krbPrincipalAuthInd attribute still present after delstr')
-out = realm.run([kadminl, 'getstrs', 'authind'])
-if 'require_auth' in out:
- fail('require_auth string attribute still visible after delstr')
-
-mark('LDAP service principal aliases')
-
-# Test service principal aliases.
-realm.addprinc('canon', password('canon'))
-realm.run([kadminl, 'alias', 'alias', 'canon'])
-realm.run([kadminl, 'alias', 'ent\\@abc', 'canon'])
-out = ldap_search('(krbPrincipalName=canon*)')
-if ('krbPrincipalName: canon@KRBTEST.COM' not in out or
- 'krbPrincipalName: alias@KRBTEST.COM' not in out or
- 'krbPrincipalName: ent@abc@KRBTEST.COM' not in out or
- 'krbCanonicalName: canon@KRBTEST.COM' not in out):
- fail('expected names not found in canon object')
-realm.run([kadminl, 'getprinc', 'alias'],
- expected_msg='Principal: canon@KRBTEST.COM\n')
-realm.run([kadminl, 'getprinc', 'ent\\@abc'],
- expected_msg='Principal: canon@KRBTEST.COM\n')
-realm.run([kadminl, 'getprinc', 'canon'],
- expected_msg='Principal: canon@KRBTEST.COM\n')
-realm.run([kvno, 'alias', 'canon'])
-out = realm.run([klist])
-if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out:
- fail('After fetching alias and canon, klist is missing one or both')
-realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])
-realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
-
-# Make sure an alias to the local TGS is still treated like an alias.
-realm.run([kadminl, 'alias', 'tgtalias', 'krbtgt/KRBTEST.COM'])
-realm.run([kadminl, 'getprinc', 'tgtalias'],
- expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM')
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, 'tgtalias'])
-realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
-
-# Make sure aliases work in header tickets.
-realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', 'user'])
-realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours',
- 'krbtgt/KRBTEST.COM'])
-realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
-realm.run([kvno, 'alias'])
-realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
-realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
-
-# Test client principal aliases, with and without preauth.
-realm.kinit('canon', password('canon'))
-realm.kinit('alias', password('canon'))
-realm.run([kvno, 'alias'])
-realm.klist('alias@KRBTEST.COM', 'alias@KRBTEST.COM')
-realm.kinit('alias', password('canon'), ['-C'])
-realm.run([kvno, 'alias'])
-realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
-realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
-realm.kinit('canon', password('canon'))
-realm.kinit('alias', password('canon'), ['-C'])
-
-# Test enterprise alias with and without canonicalization.
-realm.kinit('ent@abc', password('canon'), ['-E', '-C'])
-realm.run([kvno, 'alias'])
-realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
-
-realm.kinit('ent@abc', password('canon'), ['-E'])
-realm.run([kvno, 'alias'])
-realm.klist('ent\\@abc@KRBTEST.COM', 'alias@KRBTEST.COM')
-
-# Test client name canonicalization in non-krbtgt AS reply
-realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
-
-# Test deleting an alias.
-mark('LDAP alias deletion')
-realm.run([kadminl, 'delprinc', 'alias'])
-realm.run([kadminl, 'getprinc', 'alias'], expected_code=1,
- expected_msg='Principal does not exist')
-realm.run([kadminl, 'getprinc', 'ent\\@abc'],
- expected_msg='Principal: canon@KRBTEST.COM\n')
-realm.run([kadminl, 'getprinc', 'canon'],
- expected_msg='Principal: canon@KRBTEST.COM\n')
-
-# Test deleting a canonical name when an alias is present.
-realm.run([kadminl, 'delprinc', 'canon'])
-realm.run([kadminl, 'getprinc', 'canon'], expected_code=1,
- expected_msg='Principal does not exist')
-realm.run([kadminl, 'getprinc', 'ent\\@abc'], expected_code=1,
- expected_msg='Principal does not exist')
-
-mark('LDAP password history')
-
-# Test password history.
-def test_pwhist(nhist):
- def cpw(n, **kwargs):
- realm.run([kadminl, 'cpw', '-pw', str(n), princ], **kwargs)
- def cpw_fail(n):
- cpw(n, expected_code=1)
- output('*** Testing password history of size %d\n' % nhist)
- princ = 'pwhistprinc' + str(nhist)
- pol = 'pwhistpol' + str(nhist)
- realm.run([kadminl, 'addpol', '-history', str(nhist), pol])
- realm.run([kadminl, 'addprinc', '-policy', pol, '-nokey', princ])
- for i in range(nhist):
- # Set a password, then check that all previous passwords fail.
- cpw(i)
- for j in range(i + 1):
- cpw_fail(j)
- # Set one more new password, and make sure the oldest key is
- # rotated out.
- cpw(nhist)
- cpw_fail(1)
- cpw(0)
-
-for n in (1, 2, 3, 4, 5):
- test_pwhist(n)
-
-# Regression test for #8193: test password character class requirements.
-princ = 'charclassprinc'
-pol = 'charclasspol'
-realm.run([kadminl, 'addpol', '-minclasses', '3', pol])
-realm.run([kadminl, 'addprinc', '-policy', pol, '-nokey', princ])
-realm.run([kadminl, 'cpw', '-pw', 'abcdef', princ], expected_code=1)
-realm.run([kadminl, 'cpw', '-pw', 'Abcdef', princ], expected_code=1)
-realm.run([kadminl, 'cpw', '-pw', 'Abcdef1', princ])
-
-# Test principal renaming and make sure last modified is changed
-def get_princ(princ):
- out = realm.run([kadminl, 'getprinc', princ])
- return dict(map(str.strip, x.split(":", 1)) for x in out.splitlines())
-
-mark('LDAP principal renaming')
-realm.addprinc("rename", password('rename'))
-renameprinc = get_princ("rename")
-realm.run([kadminl, '-p', 'fake@KRBTEST.COM', 'renprinc', 'rename', 'renamed'])
-renamedprinc = get_princ("renamed")
-if renameprinc['Last modified'] == renamedprinc['Last modified']:
- fail('Last modified data not updated when principal was renamed')
-
-# Regression test for #7980 (fencepost when dividing keys up by kvno).
-mark('#7980 regression test')
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
- 'kvnoprinc'])
-realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'kvnoprinc'])
-realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 4')
-realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'kvnoprinc'])
-realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 6')
-
-# Regression test for #8041 (NULL dereference on keyless principals).
-mark('#8041 regression test')
-realm.run([kadminl, 'addprinc', '-nokey', 'keylessprinc'])
-realm.run([kadminl, 'getprinc', 'keylessprinc'],
- expected_msg='Number of keys: 0')
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,aes128-cts',
- 'keylessprinc'])
-realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'keylessprinc'])
-realm.run([kadminl, 'getprinc', 'keylessprinc'],
- expected_msg='Number of keys: 4')
-realm.run([kadminl, 'purgekeys', '-all', 'keylessprinc'])
-realm.run([kadminl, 'getprinc', 'keylessprinc'],
- expected_msg='Number of keys: 0')
-
-# Test for 8354 (old password history entries when -keepold is used)
-mark('#8354 regression test')
-realm.run([kadminl, 'addpol', '-history', '2', 'keepoldpasspol'])
-realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa',
- 'keepoldpassprinc'])
-for p in ('bbbb', 'cccc', 'aaaa'):
- realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc'])
-
-if runenv.sizeof_time_t <= 4:
- skipped('y2038 LDAP test', 'platform has 32-bit time_t')
-else:
- # Test storage of timestamps after y2038.
- realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
- realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
-
-# Regression test for #8861 (pw_expiration policy enforcement).
-mark('pw_expiration propogation')
-# Create a policy with a max life and verify its application.
-realm.run([kadminl, 'addpol', '-maxlife', '1s', 'pw_e'])
-realm.run([kadminl, 'addprinc', '-policy', 'pw_e', '-pw', 'password',
- 'pwuser'])
-out = realm.run([kadminl, 'getprinc', 'pwuser'],
- expected_msg='Password expiration date: ')
-if 'Password expiration date: [never]' in out:
- fail('pw_expiration not applied at principal creation')
-# Unset the policy max life and verify its application during password
-# change.
-realm.run([kadminl, 'modpol', '-maxlife', '0', 'pw_e'])
-realm.run([kadminl, 'cpw', '-pw', 'password_', 'pwuser'])
-realm.run([kadminl, 'getprinc', 'pwuser'],
- expected_msg='Password expiration date: [never]')
-
-realm.stop()
-
-# Test dump and load. Include a regression test for #8882
-# (pw_expiration not set during load operation).
-mark('LDAP dump and load')
-realm.run([kadminl, 'modprinc', '-pwexpire', 'now', 'pwuser'])
-dumpfile = os.path.join(realm.testdir, 'dump')
-realm.run([kdb5_util, 'dump', dumpfile])
-realm.run([kdb5_util, 'load', dumpfile], expected_code=1,
- expected_msg='KDB module requires -update argument')
-realm.run([kadminl, 'delprinc', 'pwuser'])
-realm.run([kdb5_util, 'load', '-update', dumpfile])
-out = realm.run([kadminl, 'getprinc', 'pwuser'])
-if 'Password expiration date: [never]' in out:
- fail('pw_expiration not preserved across dump and load')
-realm.run([kadminl, 'getprinc', 'tgtalias'],
- expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM')
-
-# Destroy the realm.
-kldaputil(['destroy', '-f'])
-out = kldaputil(['list'])
-if out:
- fail('Unexpected kdb5_ldap_util list output after destroy')
-
-if not core_schema:
- skip_rest('LDAP SASL tests', 'core schema not found')
-
-if runenv.have_sasl != 'yes':
- skip_rest('LDAP SASL tests', 'SASL support not built')
-
-# Test SASL EXTERNAL auth. Remove the DNs and service password file
-# from the DB module config.
-mark('LDAP SASL EXTERNAL auth')
-os.remove(ldap_pwfile)
-dbmod = conf['dbmodules']['ldap']
-dbmod['ldap_kdc_sasl_mech'] = dbmod['ldap_kadmind_sasl_mech'] = 'EXTERNAL'
-del dbmod['ldap_service_password_file']
-del dbmod['ldap_kdc_dn'], dbmod['ldap_kadmind_dn']
-realm = K5Realm(create_kdb=False, kdc_conf=conf)
-realm.run([kdb5_ldap_util, 'create', '-s', '-P', 'master'])
-realm.start_kdc()
-realm.addprinc(realm.user_princ, password('user'))
-realm.kinit(realm.user_princ, password('user'))
-realm.stop()
-realm.run([kdb5_ldap_util, 'destroy', '-f'])
-
-# Test SASL DIGEST-MD5 auth. We need to set a clear-text password for
-# the admin DN, so create a person entry (requires the core schema).
-# Restore the service password file in the config and set authcids.
-mark('LDAP SASL DIGEST-MD5 auth')
-ldap_add('cn=admin,cn=krb5', 'person',
- ['sn: dummy', 'userPassword: admin'])
-dbmod['ldap_kdc_sasl_mech'] = dbmod['ldap_kadmind_sasl_mech'] = 'DIGEST-MD5'
-dbmod['ldap_kdc_sasl_authcid'] = 'digestuser'
-dbmod['ldap_kadmind_sasl_authcid'] = 'digestuser'
-dbmod['ldap_service_password_file'] = ldap_pwfile
-realm = K5Realm(create_kdb=False, kdc_conf=conf)
-# Work around https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091694
-if runenv.asan == 'yes':
- realm.env['ASAN_OPTIONS'] = 'detect_leaks=false'
-input = admin_pw + '\n' + admin_pw + '\n'
-realm.run([kdb5_ldap_util, 'stashsrvpw', 'digestuser'], input=input)
-realm.run([kdb5_ldap_util, 'create', '-s', '-P', 'master'])
-realm.start_kdc()
-realm.addprinc(realm.user_princ, password('user'))
-realm.kinit(realm.user_princ, password('user'))
-realm.stop()
-# Exercise DB options, which should cause binding to fail.
-realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
- expected_code=1, expected_msg='Cannot bind to LDAP server')
-realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
- expected_code=1, expected_msg='Cannot bind to LDAP server')
-realm.run([kdb5_ldap_util, 'destroy', '-f'])
-
-# We could still use tests to exercise:
-# * DB arg handling in krb5_ldap_create
-# * krbAllowedToDelegateTo attribute processing
-# * A load operation overwriting a standalone principal entry which
-# already exists but doesn't have a krbPrincipalName attribute
-# matching the principal name.
-# * A bunch of invalid-input error conditions
-#
-# There is no coverage for the following because it would be difficult:
-# * Out-of-memory error conditions
-# * Handling of failures from slapd (including krb5_retry_get_ldap_handle)
-# * Handling of servers which don't support mod-increment
-# * krb5_ldap_delete_krbcontainer (only happens if krb5_ldap_create fails)
-
-success('LDAP and DB2 KDB tests')
diff --git a/crypto/krb5/src/tests/t_kdb_locking.py b/crypto/krb5/src/tests/t_kdb_locking.py
deleted file mode 100755
index 9ae42a827cdb..000000000000
--- a/crypto/krb5/src/tests/t_kdb_locking.py
+++ /dev/null
@@ -1,32 +0,0 @@
-# This is a regression test for
-# https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
-#
-# We start a KDC, remove the kadm5 lock file, use the KDC, re-create the
-# kadm5 lock file, and use kadmin.local. The kinit should fail, and the
-# kadmin.local should succeed.
-
-
-import os
-
-from k5test import *
-
-p = 'foo'
-realm = K5Realm(create_user=False, bdb_only=True)
-realm.addprinc(p, p)
-
-kadm5_lock = os.path.join(realm.testdir, 'db.kadm5.lock')
-if not os.path.exists(kadm5_lock):
- fail('kadm5 lock file not created: ' + kadm5_lock)
-os.unlink(kadm5_lock)
-
-realm.kinit(p, p, [], expected_code=1,
- expected_msg='A service is not available')
-
-f = open(kadm5_lock, 'w')
-f.close()
-
-output = realm.run([kadminl, 'modprinc', '-allow_tix', p])
-if 'Cannot lock database' in output:
- fail('krb5kdc still holds a lock on the principal db')
-
-success('KDB locking tests')
diff --git a/crypto/krb5/src/tests/t_kdc_log.py b/crypto/krb5/src/tests/t_kdc_log.py
deleted file mode 100755
index 1b14828de65f..000000000000
--- a/crypto/krb5/src/tests/t_kdc_log.py
+++ /dev/null
@@ -1,21 +0,0 @@
-from k5test import *
-
-# Make a TGS request with an expired ticket.
-realm = K5Realm()
-realm.stop()
-realm.start_kdc(['-T', '3600'])
-realm.run([kvno, realm.host_princ], expected_code=1)
-
-kdc_logfile = os.path.join(realm.testdir, 'kdc.log')
-f = open(kdc_logfile, 'r')
-found_skew = False
-for line in f:
- if 'Clock skew too great' in line:
- found_skew = True
- if realm.user_princ not in line:
- fail('Client principal not logged in expired-ticket TGS request')
-f.close()
-if not found_skew:
- fail('Did not find KDC log line for expired-ticket TGS request')
-
-success('KDC logging tests')
diff --git a/crypto/krb5/src/tests/t_kdcoptions.py b/crypto/krb5/src/tests/t_kdcoptions.py
deleted file mode 100644
index 7ec57508c4e4..000000000000
--- a/crypto/krb5/src/tests/t_kdcoptions.py
+++ /dev/null
@@ -1,100 +0,0 @@
-from k5test import *
-import re
-
-# KDC option test coverage notes:
-#
-# FORWARDABLE here
-# FORWARDED no test
-# PROXIABLE here
-# PROXY no test
-# ALLOW_POSTDATE no test
-# POSTDATED no test
-# RENEWABLE t_renew.py
-# CNAME_IN_ADDL_TKT gssapi/t_s4u.py
-# CANONICALIZE t_kdb.py and various other tests
-# REQUEST_ANONYMOUS t_pkinit.py
-# DISABLE_TRANSITED_CHECK no test
-# RENEWABLE_OK t_renew.py
-# ENC_TKT_IN_SKEY t_u2u.py
-# RENEW t_renew.py
-# VALIDATE no test
-
-# Run klist -f and return the flags on the ticket for svcprinc.
-def get_flags(realm, svcprinc):
- grab_flags = False
- for line in realm.run([klist, '-f']).splitlines():
- if grab_flags:
- return re.findall(r'Flags: ([a-zA-Z]*)', line)[0]
- grab_flags = line.endswith(svcprinc)
-
-
-# Get the flags on the ticket for svcprinc, and check for an expected
-# element and an expected-absent element, either of which can be None.
-def check_flags(realm, svcprinc, expected_flag, expected_noflag):
- flags = get_flags(realm, svcprinc)
- if expected_flag is not None and not expected_flag in flags:
- fail('expected flag ' + expected_flag)
- if expected_noflag is not None and expected_noflag in flags:
- fail('did not expect flag ' + expected_noflag)
-
-
-# Run kinit with the given flags, and check the flags on the resulting
-# TGT.
-def kinit_check_flags(realm, flags, expected_flag, expected_noflag):
- realm.kinit(realm.user_princ, password('user'), flags)
- check_flags(realm, realm.krbtgt_princ, expected_flag, expected_noflag)
-
-
-# Run kinit with kflags. Then get credentials for the host principal
-# with gflags, and check the flags on the resulting ticket.
-def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag):
- realm.kinit(realm.user_princ, password('user'), kflags)
- realm.run(['./gcred'] + gflags + ['unknown', realm.host_princ])
- check_flags(realm, realm.host_princ, expected_flag, expected_noflag)
-
-
-realm = K5Realm()
-
-mark('proxiable (AS)')
-kinit_check_flags(realm, [], None, 'P')
-kinit_check_flags(realm, ['-p'], 'P', None)
-realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.user_princ])
-kinit_check_flags(realm, ['-p'], None, 'P')
-realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.user_princ])
-realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.krbtgt_princ])
-kinit_check_flags(realm, ['-p'], None, 'P')
-realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.krbtgt_princ])
-
-mark('proxiable (TGS)')
-gcred_check_flags(realm, [], [], None, 'P')
-gcred_check_flags(realm, ['-p'], [], 'P', None)
-
-# Not tested: PROXIABLE option set with a non-proxiable TGT (because
-# there is no krb5_get_credentials() flag to request this; would
-# expect a non-proxiable ticket).
-
-# Not tested: proxiable TGT but PROXIABLE flag not set (because we
-# internally set the PROXIABLE option when using a proxiable TGT;
-# would expect a non-proxiable ticket).
-
-mark('forwardable (AS)')
-kinit_check_flags(realm, [], None, 'F')
-kinit_check_flags(realm, ['-f'], 'F', None)
-realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.user_princ])
-kinit_check_flags(realm, ['-f'], None, 'F')
-realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.user_princ])
-realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.krbtgt_princ])
-kinit_check_flags(realm, ['-f'], None, 'F')
-realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.krbtgt_princ])
-
-mark('forwardable (TGS)')
-realm.kinit(realm.user_princ, password('user'))
-gcred_check_flags(realm, [], [], None, 'F')
-gcred_check_flags(realm, [], ['-f'], None, 'F')
-gcred_check_flags(realm, ['-f'], [], 'F', None)
-
-# Not tested: forwardable TGT but FORWARDABLE flag not set (because we
-# internally set the FORWARDABLE option when using a forwardable TGT;
-# would expect a non-proxiable ticket).
-
-success('KDC option tests')
diff --git a/crypto/krb5/src/tests/t_kdcpolicy.py b/crypto/krb5/src/tests/t_kdcpolicy.py
deleted file mode 100644
index 924133388adf..000000000000
--- a/crypto/krb5/src/tests/t_kdcpolicy.py
+++ /dev/null
@@ -1,65 +0,0 @@
-from k5test import *
-from datetime import datetime
-import re
-
-testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
-testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test',
- 'kdcpolicy_test.so')
-krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
- 'clpreauth': {'module': 'test:' + testpreauth},
- 'kdcpolicy': {'module': 'test:' + testpolicy}}}
-kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth',
- 'max_renewable_life': '1d'}}}
-realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)
-
-# We will be scraping timestamps from klist to compute lifetimes, so
-# use a time zone with no daylight savings time.
-realm.env['TZ'] = 'UTC'
-
-realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
-
-def verify_time(out, target_time):
- times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
- times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
- divisor = 1
- while len(times) > 0:
- starttime = times.pop(0)
- endtime = times.pop(0)
- renewtime = times.pop(0)
-
- if str((endtime - starttime) * divisor) != target_time:
- fail('unexpected lifetime value')
- if str((renewtime - endtime) * divisor) != target_time:
- fail('unexpected renewable value')
-
- # Service tickets should have half the lifetime of initial
- # tickets.
- divisor = 2
-
-rflags = ['-r', '1d', '-l', '12h']
-
-# Test AS+TGS success path.
-realm.kinit(realm.user_princ, password('user'),
- rflags + ['-X', 'indicators=SEVEN_HOURS'])
-realm.run([kvno, realm.host_princ])
-realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
-out = realm.run([klist, '-e', realm.ccache])
-verify_time(out, '7:00:00')
-
-# Test AS+TGS success path with different values.
-realm.kinit(realm.user_princ, password('user'),
- rflags + ['-X', 'indicators=ONE_HOUR'])
-realm.run([kvno, realm.host_princ])
-realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
-out = realm.run([klist, '-e', realm.ccache])
-verify_time(out, '1:00:00')
-
-# Test TGS failure path (using previous creds).
-realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
- expected_msg='KDC policy rejects request')
-
-# Test AS failure path.
-realm.kinit('fail@%s' % realm.realm, password('fail'),
- expected_code=1, expected_msg='KDC policy rejects request')
-
-success('kdcpolicy tests')
diff --git a/crypto/krb5/src/tests/t_keydata.py b/crypto/krb5/src/tests/t_keydata.py
deleted file mode 100755
index baa40b62ca1b..000000000000
--- a/crypto/krb5/src/tests/t_keydata.py
+++ /dev/null
@@ -1,49 +0,0 @@
-from k5test import *
-
-realm = K5Realm(create_user=False, create_host=False)
-
-# Create a principal with no keys.
-realm.run([kadminl, 'addprinc', '-nokey', 'user'])
-realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
-
-# Change its password and check the resulting kvno.
-realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
-realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
-
-# Delete all of its keys.
-realm.run([kadminl, 'purgekeys', '-all', 'user'])
-realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
-
-# Randomize its keys and check the resulting kvno.
-realm.run([kadminl, 'cpw', '-randkey', 'user'])
-realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
-
-# Return true if patype appears to have been received in a hint list
-# from a KDC error message, based on the trace file fname.
-def preauth_type_received(trace, patype):
- found = False
- for line in trace.splitlines():
- if 'Processing preauth types:' in line:
- ind = line.find('types:')
- patypes = line[ind + 6:].split(', ')
- if str(patype) in patypes:
- found = True
- return found
-
-# Make sure the KDC doesn't offer encrypted timestamp for a principal
-# with no keys.
-realm.run([kadminl, 'purgekeys', '-all', 'user'])
-realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
-out, trace = realm.run([kinit, 'user'], expected_code=1, return_trace=True)
-if preauth_type_received(trace, 2):
- fail('encrypted timestamp')
-
-# Make sure it doesn't offer encrypted challenge either.
-realm.run([kadminl, 'addprinc', '-pw', 'fast', 'armor'])
-realm.kinit('armor', 'fast')
-out, trace = realm.run([kinit, '-T', realm.ccache, 'user'], expected_code=1,
- return_trace=True)
-if preauth_type_received(trace, 138):
- fail('encrypted challenge')
-
-success('Key data tests')
diff --git a/crypto/krb5/src/tests/t_keyrollover.py b/crypto/krb5/src/tests/t_keyrollover.py
deleted file mode 100755
index 036c0c3c6f42..000000000000
--- a/crypto/krb5/src/tests/t_keyrollover.py
+++ /dev/null
@@ -1,100 +0,0 @@
-from k5test import *
-import re
-
-rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
-
-realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal',
- krb5_conf=rollover_krb5_conf)
-
-princ1 = 'host/test1@%s' % (realm.realm,)
-princ2 = 'host/test2@%s' % (realm.realm,)
-realm.addprinc(princ1)
-realm.addprinc(princ2)
-
-realm.run([kvno, realm.host_princ])
-
-# Change key for TGS, keeping old key.
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', '-keepold',
- realm.krbtgt_princ])
-
-# Ensure that kvno still works with an old TGT.
-realm.run([kvno, princ1])
-
-realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
-# Make sure an old TGT fails after purging old TGS key.
-realm.run([kvno, princ2], expected_code=1)
-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
- 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \
- (realm.realm, realm.realm)
-realm.run([klist, '-e'], expected_msg=msg)
-
-# Check that new key actually works.
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, realm.host_princ])
-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
- 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
- (realm.realm, realm.realm)
-realm.run([klist, '-e'], expected_msg=msg)
-
-# Test that the KDC only accepts the first enctype for a kvno, for a
-# local-realm TGS request. To set this up, we abuse an edge-case
-# behavior of modprinc -kvno. First, set up a DES3 krbtgt entry at
-# kvno 1 and cache a krbtgt ticket.
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'des3-cbc-sha1',
- realm.krbtgt_princ])
-realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ])
-realm.kinit(realm.user_princ, password('user'))
-# Add an AES krbtgt entry at kvno 2, and then reset it to kvno 1
-# (modprinc -kvno sets the kvno on all entries without deleting any).
-realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts',
- realm.krbtgt_princ])
-realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ])
-out = realm.run([kadminl, 'getprinc', realm.krbtgt_princ])
-if 'vno 1, aes256-cts' not in out or \
- 'vno 1, DEPRECATED:des3-cbc-sha1' not in out:
- fail('keyrollover: setup for TGS enctype test failed')
-# Now present the DES3 ticket to the KDC and make sure it's rejected.
-realm.run([kvno, realm.host_princ], expected_code=1)
-
-# Test -keepold limit for self-service requests through kadmind.
-def count_kvnos(princ, expected_count):
- out = realm.run_kadmin(['getprinc', princ])
- vnos = re.findall(r' vno \d+,', out)
- if len(set(vnos)) != expected_count:
- fail('expected %d key versions' % expected_count)
-realm.start_kadmind()
-realm.prep_kadmin(realm.user_princ, password('user'))
-realm.run_kadmin(['cpw', '-randkey', '-keepold', realm.user_princ])
-realm.run_kadmin(['cpw', '-randkey', '-keepold', realm.user_princ])
-realm.run_kadmin(['cpw', '-randkey', '-keepold', realm.user_princ])
-realm.run_kadmin(['cpw', '-randkey', '-keepold', realm.user_princ])
-count_kvnos(realm.user_princ, 5)
-realm.run_kadmin(['cpw', '-randkey', '-keepold', realm.user_princ])
-count_kvnos(realm.user_princ, 5)
-realm.run_kadmin(['cpw', '-pw', 'pw', '-keepold', realm.user_princ])
-count_kvnos(realm.user_princ, 5)
-# Test that the limit doesn't apply when modifying another principal.
-realm.prep_kadmin()
-realm.run_kadmin(['cpw', '-randkey', '-keepold', realm.user_princ])
-count_kvnos(realm.user_princ, 6)
-realm.run_kadmin(['cpw', '-pw', 'pw', '-keepold', realm.user_princ])
-count_kvnos(realm.user_princ, 7)
-
-realm.stop()
-
-# Test a cross-realm TGT key rollover scenario where realm 1 mimics
-# the Active Directory behavior of always using kvno 0 when issuing
-# cross-realm TGTs.
The first kvno invocation caches a cross-realm
-# TGT with the old key, and the second kvno invocation sends it to
-# r2's KDC with no kvno to identify it, forcing the KDC to try
-# multiple keys.
-r1, r2 = cross_realms(2)
-crosstgt_princ = 'krbtgt/%s@%s' % (r2.realm, r1.realm)
-r1.run([kadminl, 'modprinc', '-kvno', '0', crosstgt_princ])
-r1.run([kvno, r2.host_princ])
-r2.run([kadminl, 'cpw', '-pw', 'newcross', '-keepold', crosstgt_princ])
-r1.run([kadminl, 'cpw', '-pw', 'newcross', crosstgt_princ])
-r1.run([kadminl, 'modprinc', '-kvno', '0', crosstgt_princ])
-r1.run([kvno, r2.user_princ])
-
-success('keyrollover')
diff --git a/crypto/krb5/src/tests/t_keytab.py b/crypto/krb5/src/tests/t_keytab.py
deleted file mode 100755
index a9adebb26e0e..000000000000
--- a/crypto/krb5/src/tests/t_keytab.py
+++ /dev/null
@@ -1,209 +0,0 @@
-from k5test import *
-
-for realm in multipass_realms(create_user=False):
- # Test kinit with a keytab.
- realm.kinit(realm.host_princ, flags=['-k'])
-
-realm = K5Realm(get_creds=False, start_kadmind=True)
-
-# Test kinit with a partial keytab.
-mark('partial keytab')
-pkeytab = realm.keytab + '.partial'
-realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
- (realm.keytab, pkeytab)))
-realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab])
-
-# Test kinit with no keys for client in keytab.
-mark('no keys for client')
-realm.kinit(realm.user_princ, flags=['-k'], expected_code=1,
- expected_msg='no suitable keys')
-
-# Test kinit and klist with client keytab defaults.
-mark('client keytab')
-realm.extract_keytab(realm.user_princ, realm.client_keytab);
-realm.run([kinit, '-k', '-i'])
-realm.klist(realm.user_princ)
-realm.run([kdestroy])
-realm.kinit(realm.user_princ, flags=['-k', '-i'])
-realm.klist(realm.user_princ)
-out = realm.run([klist, '-k', '-i'])
-if realm.client_keytab not in out or realm.user_princ not in out:
- fail('Expected output not seen from klist -k -i')
-
-# Test implicit request for keytab (-i or -t without -k)
-mark('implicit -k')
-realm.run([kdestroy])
-realm.kinit(realm.host_princ, flags=['-t', realm.keytab],
- expected_msg='keytab specified, forcing -k')
-realm.klist(realm.host_princ)
-realm.run([kdestroy])
-realm.kinit(realm.user_princ, flags=['-i'],
- expected_msg='keytab specified, forcing -k')
-realm.klist(realm.user_princ)
-
-# Test default principal for -k. This operation requires
-# canonicalization against the keytab in krb5_get_init_creds_keytab()
-# as the krb5_sname_to_principal() result won't have a realm. Try
-# with and without without fallback processing since the code paths
-# are different.
-mark('default principal for -k')
-realm.run([kinit, '-k'])
-realm.klist(realm.host_princ)
-no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
-no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
-realm.run([kinit, '-k'], env=no_canon)
-realm.klist(realm.host_princ)
-
-# Test extracting keys with multiple key versions present.
-mark('multi-kvno extract')
-os.remove(realm.keytab)
-realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.host_princ])
-out = realm.run([kadminl, 'ktadd', '-norandkey', realm.host_princ])
-if 'with kvno 1,' not in out or 'with kvno 2,' not in out:
- fail('Expected output not seen from kadmin.local ktadd -norandkey')
-out = realm.run([klist, '-k', '-e'])
-if ' 1 host/' not in out or ' 2 host/' not in out:
- fail('Expected output not seen from klist -k -e')
-
-# Test again using kadmin over the network.
-mark('multi-kvno extract (via kadmin)')
-realm.prep_kadmin()
-os.remove(realm.keytab)
-out = realm.run_kadmin(['ktadd', '-norandkey', realm.host_princ])
-if 'with kvno 1,' not in out or 'with kvno 2,' not in out:
- fail('Expected output not seen from kadmin.local ktadd -norandkey')
-out = realm.run([klist, '-k', '-e'])
-if ' 1 host/' not in out or ' 2 host/' not in out:
- fail('Expected output not seen from klist -k -e')
-
-# Test handling of kvno values beyond 255. Use kadmin over the
-# network since we used to have an 8-bit limit on kvno marshalling.
-
-# Test one key rotation, verifying that the expected new kvno appears
-# in the keytab and in the principal entry.
-def test_key_rotate(realm, princ, expected_kvno):
- realm.run_kadmin(['ktadd', '-k', realm.keytab, princ])
- realm.run([kadminl, 'ktrem', princ, 'old'])
- realm.kinit(princ, flags=['-k'])
- msg = '%d %s' % (expected_kvno, princ)
- out = realm.run([klist, '-k'], expected_msg=msg)
- msg = 'Key: vno %d,' % expected_kvno
- out = realm.run_kadmin(['getprinc', princ], expected_msg=msg)
-
-mark('key rotation across boundaries')
-princ = 'foo/bar@%s' % realm.realm
-realm.addprinc(princ)
-os.remove(realm.keytab)
-realm.run([kadminl, 'modprinc', '-kvno', '253', princ])
-test_key_rotate(realm, princ, 254)
-test_key_rotate(realm, princ, 255)
-test_key_rotate(realm, princ, 256)
-test_key_rotate(realm, princ, 257)
-realm.run([kadminl, 'modprinc', '-kvno', '32766', princ])
-test_key_rotate(realm, princ, 32767)
-test_key_rotate(realm, princ, 32768)
-test_key_rotate(realm, princ, 32769)
-realm.run([kadminl, 'modprinc', '-kvno', '65534', princ])
-test_key_rotate(realm, princ, 65535)
-test_key_rotate(realm, princ, 1)
-test_key_rotate(realm, princ, 2)
-
-mark('32-bit kvno')
-
-# Test that klist -k can read a keytab entry without a 32-bit kvno and
-# reports the 8-bit key version.
-record = b'\x00\x01' # principal component count
-record += b'\x00\x0bKRBTEST.COM' # realm
-record += b'\x00\x04user' # principal component
-record += b'\x00\x00\x00\x01' # name type (NT-PRINCIPAL)
-record += b'\x54\xf7\x4d\x35' # timestamp
-record += b'\x02' # key version
-record += b'\x00\x12' # enctype
-record += b'\x00\x20' # key length
-record += b'\x00' * 32 # key bytes
-f = open(realm.keytab, 'wb')
-f.write(b'\x05\x02\x00\x00\x00' + bytes([len(record)]))
-f.write(record)
-f.close()
-msg = ' 2 %s' % realm.user_princ
-out = realm.run([klist, '-k'], expected_msg=msg)
-
-# Make sure zero-fill isn't treated as a 32-bit kvno.
-f = open(realm.keytab, 'wb')
-f.write(b'\x05\x02\x00\x00\x00' + bytes([len(record) + 4]))
-f.write(record)
-f.write(b'\x00\x00\x00\x00')
-f.close()
-msg = ' 2 %s' % realm.user_princ
-out = realm.run([klist, '-k'], expected_msg=msg)
-
-# Make sure a hand-crafted 32-bit kvno is recognized.
-f = open(realm.keytab, 'wb')
-f.write(b'\x05\x02\x00\x00\x00' + bytes([len(record) + 4]))
-f.write(record)
-f.write(b'\x00\x00\x00\x03')
-f.close()
-msg = ' 3 %s' % realm.user_princ
-out = realm.run([klist, '-k'], expected_msg=msg)
-
-# Test parameter expansion in profile variables
-mark('parameter expansion')
-realm.stop()
-conf = {'libdefaults': {
- 'default_keytab_name': 'testdir/%{null}abc%{uid}',
- 'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}}
-realm = K5Realm(krb5_conf=conf, create_kdb=False)
-del realm.env['KRB5_KTNAME']
-del realm.env['KRB5_CLIENT_KTNAME']
-uidstr = str(os.getuid())
-msg = 'FILE:testdir/abc%s' % uidstr
-out = realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
-msg = 'FILE:testdir/xyz%s' % uidstr
-out = realm.run([klist, '-ki'], expected_code=1, expected_msg=msg)
-
-conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
-realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
-
-realm.run([kadminl, 'ank', '-pw', 'pw', 'default'])
-realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
-realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
- 'pexp'])
-
-# Extract one of the explicit salt values from the database.
-out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
-salt_dict = {f[0]: f[5] for f in [l.split('\t') for l in out.splitlines()]}
-exp_salt = bytes.fromhex(salt_dict['exp@KRBTEST.COM']).decode('ascii')
-
-# Create a keytab using ktutil addent with the specified options and
-# password "pw". Test that we can use it to get initial tickets.
-# Remove the keytab afterwards.
-def test_addent(realm, princ, opts):
- realm.run([ktutil], input=('addent -password -p %s -k 1 %s\npw\nwkt %s\n' %
- (princ, opts, realm.keytab)))
- realm.kinit(princ, flags=['-k'])
- os.remove(realm.keytab)
-
-mark('ktutil addent')
-
-# Test with default salt.
-test_addent(realm, 'default', '-e aes128-cts')
-test_addent(realm, 'default', '-e aes256-cts')
-
-# Test with a salt specified to ktutil addent.
-test_addent(realm, 'exp', '-e aes256-cts -s %s' % exp_salt)
-
-# Test etype-info fetching.
-test_addent(realm, 'default', '-f')
-test_addent(realm, 'default', '-f -e aes128-cts')
-test_addent(realm, 'exp', '-f')
-test_addent(realm, 'pexp', '-f')
-
-# Regression test for #8914: INT32_MIN length can cause backwards seek
-mark('invalid record length')
-f = open(realm.keytab, 'wb')
-f.write(b'\x05\x02\x80\x00\x00\x00')
-f.close()
-msg = 'Bad format in keytab while scanning keytab'
-realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
-
-success('Keytab-related tests')
diff --git a/crypto/krb5/src/tests/t_kprop.py b/crypto/krb5/src/tests/t_kprop.py
deleted file mode 100755
index 4421a7c353c8..000000000000
--- a/crypto/krb5/src/tests/t_kprop.py
+++ /dev/null
@@ -1,125 +0,0 @@
-from k5test import *
-
-conf_replica = {'dbmodules': {'db': {'database_name': '$testdir/db.replica'}}}
-
-def setup_acl(realm):
- acl_file = os.path.join(realm.testdir, 'kpropd-acl')
- acl = open(acl_file, 'w')
- acl.write(realm.host_princ + '\n')
- acl.close()
-
-def check_output(kpropd):
- output('*** kpropd output follows\n')
- while True:
- line = kpropd.stdout.readline()
- if 'Database load process for full propagation completed' in line:
- break
- output('kpropd: ' + line)
- if 'Rejected connection' in line:
- fail('kpropd rejected connection from kprop')
-
-# kprop/kpropd are the only users of krb5_auth_con_initivector, so run
-# this test over all enctypes to exercise mkpriv cipher state.
-for realm in multipass_realms(create_user=False):
- replica = realm.special_env('replica', True, kdc_conf=conf_replica)
-
- # Set up the kpropd acl file.
- setup_acl(realm)
-
- # Create the replica db.
- dumpfile = os.path.join(realm.testdir, 'dump')
- realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kdb5_util, 'load', dumpfile], replica)
- realm.run([kdb5_util, 'stash', '-P', 'master'], replica)
-
- # Make some changes to the primary db.
- realm.addprinc('wakawaka')
-
- # Start kpropd.
- kpropd = realm.start_kpropd(replica, ['-d'])
-
- realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
- check_output(kpropd)
-
- realm.run([kadminl, 'listprincs'], replica, expected_msg='wakawaka')
-
-# default_realm tests follow.
-# default_realm and domain_realm different than realm.realm (test -r argument).
-conf_rep2 = {'dbmodules': {'db': {'database_name': '$testdir/db.replica2'}}}
-krb5_conf_rep2 = {'libdefaults': {'default_realm': 'FOO'},
- 'domain_realm': {hostname: 'FOO'}}
-# default_realm and domain_realm map differ.
-conf_rep3 = {'dbmodules': {'db': {'database_name': '$testdir/db.replica3'}}}
-krb5_conf_rep3 = {'domain_realm': {hostname: 'BAR'}}
-
-realm = K5Realm(create_user=False)
-replica2 = realm.special_env('replica2', True, kdc_conf=conf_rep2,
- krb5_conf=krb5_conf_rep2)
-replica3 = realm.special_env('replica3', True, kdc_conf=conf_rep3,
- krb5_conf=krb5_conf_rep3)
-
-setup_acl(realm)
-
-# Create the replica db.
-dumpfile = os.path.join(realm.testdir, 'dump')
-realm.run([kdb5_util, 'dump', dumpfile])
-realm.run([kdb5_util, '-r', realm.realm, 'load', dumpfile], replica2)
-realm.run([kdb5_util, 'load', dumpfile], replica3)
-
-# Make some changes to the primary db.
-realm.addprinc('wakawaka')
-
-# Test override of default_realm with -r realm argument.
-kpropd = realm.start_kpropd(replica2, ['-r', realm.realm, '-d'])
-realm.run([kdb5_util, 'dump', dumpfile])
-realm.run([kprop, '-r', realm.realm, '-f', dumpfile, '-P',
- str(realm.kprop_port()), hostname])
-check_output(kpropd)
-realm.run([kadminl, '-r', realm.realm, 'listprincs'], replica2,
- expected_msg='wakawaka')
-
-stop_daemon(kpropd)
-
-# Test default_realm and domain_realm mismatch.
-kpropd = realm.start_kpropd(replica3, ['-d'])
-realm.run([kdb5_util, 'dump', dumpfile])
-realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
-check_output(kpropd)
-realm.run([kadminl, 'listprincs'], replica3, expected_msg='wakawaka')
-stop_daemon(kpropd)
-
-# This test is too resource-intensive to be included in "make check"
-# by default, but it can be enabled in the environment to test the
-# propagation of databases large enough to require a 12-byte encoding
-# of the database size.
-if 'KPROP_LARGE_DB_TEST' in os.environ:
- output('Generating >4GB dumpfile\n')
- with open(dumpfile, 'w') as f:
- f.write('kdb5_util load_dump version 6\n')
- f.write('princ\t38\t15\t3\t1\t0\tK/M@KRBTEST.COM\t64\t86400\t0\t0\t0'
- '\t0\t0\t0\t8\t2\t0100\t9\t8\t0100010000000000\t2\t28'
- '\tb93e105164625f6372656174696f6e404b5242544553542e434f4d00'
- '\t1\t1\t18\t62\t2000408c027c250e8cc3b81476414f2214d57c1ce'
- '38891e29792e87258247c73547df4d5756266931dd6686b62270e6568'
- '95a31ec66bfe913b4f15226227\t-1;\n')
- for i in range(1, 20000000):
- f.write('princ\t38\t21\t1\t1\t0\tp%08d@KRBTEST.COM' % i)
- f.write('\t0\t86400\t0\t0\t0\t0\t0\t0\t2\t27'
- '\td73e1051757365722f61646d696e404b5242544553542e434f4d00'
- '\t1\t1\t17\t46'
- '\t10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c49'
- '5605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf\t-1;\n')
- assert os.path.getsize(dumpfile) > 4 * 1024 * 1024 * 1024
- with open(dumpfile + '.dump_ok', 'w') as f:
- f.write('\0')
- conf_large = {'dbmodules': {'db': {'database_name': '$testdir/db.large'}},
- 'realms': {'$realm': {'iprop_resync_timeout': '3600'}}}
- large = realm.special_env('large', True, kdc_conf=conf_large)
- kpropd = realm.start_kpropd(large, ['-d'])
- realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
- check_output(kpropd)
- realm.run([kadminl, 'getprinc', 'p19999999'], env=large,
- expected_msg='Principal: p19999999')
-
-success('kprop tests')
diff --git a/crypto/krb5/src/tests/t_localauth.py b/crypto/krb5/src/tests/t_localauth.py
deleted file mode 100755
index 75b53a569332..000000000000
--- a/crypto/krb5/src/tests/t_localauth.py
+++ /dev/null
@@ -1,154 +0,0 @@
-from k5test import *
-
-# Unfortunately, we can't reliably test the k5login module. We can control
-# the directory where k5login files are read, but we can't suppress the UID
-# validity check, which might fail in some filesystems for a .k5login file
-# we create.
-conf = {'plugins': {'localauth': { 'disable': 'k5login'}}}
-realm = K5Realm(create_kdb=False, krb5_conf=conf)
-
-def test_an2ln(env, aname, result, msg):
- out = realm.run(['./localauth', aname], env=env)
- if out != result + '\n':
- fail(msg)
-
-def test_an2ln_err(env, aname, err, msg):
- realm.run(['./localauth', aname], env=env, expected_code=1,
- expected_msg=err)
-
-def test_userok(env, aname, lname, ok, msg):
- out = realm.run(['./localauth', aname, lname], env=env)
- if ((ok and out != 'yes\n') or
- (not ok and out != 'no\n')):
- fail(msg)
-
-# The default an2ln method works only in the default realm, and works
-# for a single-component principal or a two-component principal where
-# the second component is the default realm.
-mark('default')
-test_an2ln(None, 'user@KRBTEST.COM', 'user', 'default rule 1')
-test_an2ln(None, 'user/KRBTEST.COM@KRBTEST.COM', 'user', 'default rule 2')
-test_an2ln_err(None, 'user/KRBTEST.COM/x@KRBTEST.COM', 'No translation',
- 'default rule (3)')
-test_an2ln_err(None, 'user/X@KRBTEST.COM', 'No translation',
- 'default rule comp mismatch')
-test_an2ln_err(None, 'user@X', 'No translation', 'default rule realm mismatch')
-
-# auth_to_local_names matches ignore the realm but are case-sensitive.
-mark('auth_to_local_names')
-conf_names1 = {'realms': {'$realm': {'auth_to_local_names': {'user': 'abcd'}}}}
-names1 = realm.special_env('names1', False, conf_names1)
-test_an2ln(names1, 'user@KRBTEST.COM', 'abcd', 'auth_to_local_names match')
-test_an2ln(names1, 'user@X', 'abcd', 'auth_to_local_names out-of-realm match')
-test_an2ln(names1, 'x@KRBTEST.COM', 'x', 'auth_to_local_names mismatch')
-test_an2ln(names1, 'User@KRBTEST.COM', 'User', 'auth_to_local_names case')
-
-# auth_to_local_names values must be in the default realm's section.
-conf_names2 = {'realms': {'X': {'auth_to_local_names': {'user': 'abcd'}}}}
-names2 = realm.special_env('names2', False, conf_names2)
-test_an2ln_err(names2, 'user@X', 'No translation',
- 'auth_to_local_names section mismatch')
-
-# Return a realm environment containing an auth_to_local value (or list).
-def a2l_realm(name, values):
- conf = {'realms': {'$realm': {'auth_to_local': values}}}
- return realm.special_env(name, False, conf)
-
-# Test explicit use of default method.
-mark('explicit default')
-auth1 = a2l_realm('auth1', 'DEFAULT')
-test_an2ln(auth1, 'user@KRBTEST.COM', 'user', 'default rule')
-
-# Test some invalid auth_to_local values.
-mark('auth_to_local invalid')
-auth2 = a2l_realm('auth2', 'RULE')
-test_an2ln_err(auth2, 'user@X', 'Improper format', 'null rule')
-auth3 = a2l_realm('auth3', 'UNRECOGNIZED:stuff')
-test_an2ln_err(auth3, 'user@X', 'Improper format', 'null rule')
-
-# An empty rule has the default selection string (unparsed principal
-# without realm) and no match or substitutions.
-mark('rule (empty)')
-rule1 = a2l_realm('rule1', 'RULE:')
-test_an2ln(rule1, 'user@KRBTEST.COM', 'user', 'empty rule')
-test_an2ln(rule1, 'user@X', 'user', 'empty rule (foreign realm)')
-test_an2ln(rule1, 'a/b/c@X', 'a/b/c', 'empty rule (multi-component)')
-
-# Test explicit selection string. Also test that the default method
-# is suppressed when auth_to_local values are present.
-mark('rule (selection string)')
-rule2 = a2l_realm('rule2', 'RULE:[2:$$0.$$2.$$1]')
-test_an2ln(rule2, 'aaron/burr@REALM', 'REALM.burr.aaron', 'selection string')
-test_an2ln_err(rule2, 'user@KRBTEST.COM', 'No translation', 'suppress default')
-
-# Test match string.
-mark('rule (match string)')
-rule3 = a2l_realm('rule3', 'RULE:(.*tail)')
-test_an2ln(rule3, 'withtail@X', 'withtail', 'rule match 1')
-test_an2ln(rule3, 'x/withtail@X', 'x/withtail', 'rule match 2')
-test_an2ln_err(rule3, 'tails@X', 'No translation', 'rule anchor mismatch')
-
-# Test substitutions.
-mark('rule (substitutions)')
-rule4 = a2l_realm('rule4', 'RULE:s/birds/bees/')
-test_an2ln(rule4, 'thebirdsbirdsbirds@X', 'thebeesbirdsbirds', 'subst 1')
-rule5 = a2l_realm('rule4', 'RULE:s/birds/bees/g s/bees/birds/')
-test_an2ln(rule4, 'the/birdsbirdsbirds@x', 'the/birdsbeesbees', 'subst 2')
-
-# Test a bunch of auth_to_local values and rule features in combination.
-mark('rule (combo)')
-combo = a2l_realm('combo', ['RULE:[1:$$1-$$0](fred.*)s/-/ /g',
- 'DEFAULT',
- 'RULE:[3:$$1](z.*z)'])
-test_an2ln(combo, 'fred@X', 'fred X', 'combo 1')
-test_an2ln(combo, 'fred-too@X', 'fred too X', 'combo 2')
-test_an2ln(combo, 'fred@KRBTEST.COM', 'fred KRBTEST.COM', 'combo 3')
-test_an2ln(combo, 'user@KRBTEST.COM', 'user', 'combo 4')
-test_an2ln(combo, 'zazz/b/c@X', 'zazz', 'combo 5')
-test_an2ln_err(combo, 'a/b@KRBTEST.COM', 'No translation', 'combo 6')
-
-# Test the an2ln userok method with the combo environment.
-mark('userok (an2ln)')
-test_userok(combo, 'fred@X', 'fred X', True, 'combo userok 1')
-test_userok(combo, 'user@KRBTEST.COM', 'user', True, 'combo userok 2')
-test_userok(combo, 'user@KRBTEST.COM', 'X', False, 'combo userok 3')
-test_userok(combo, 'a/b@KRBTEST.COM', 'a/b', False, 'combo userok 4')
-
-mark('test modules')
-
-# Register the two test modules and set up some auth_to_local and
-# auth_to_local_names entries.
-modpath = os.path.join(buildtop, 'plugins', 'localauth', 'test',
- 'localauth_test.so')
-conf = {'plugins': {'localauth': { 'module': [
- 'test1:' + modpath,
- 'test2:' + modpath]}},
- 'realms': {'$realm': {'auth_to_local': [
- 'RULE:(test/rulefirst)s/.*/rule/',
- 'TYPEA',
- 'DEFAULT',
- 'TYPEB:resid']},
- 'auth_to_local_names': {'test/a/b': 'name'}}}
-mod = realm.special_env('mod', False, conf)
-
-# test1's untyped an2ln method should come before the names method, mapping
-# test/a/b@X to its realm name (superseding auth_to_local_names).
-test_an2ln(mod, 'test/a/b@X', 'X', 'mod untyped an2ln')
-
-# Match the auth_to_local values in order. test2's TYPEA should map
-# test/notrule to its second component, and its TYPEB should map
-# anything which gets there to the residual string.
-test_an2ln(mod, 'test/rulefirst@X', 'rule', 'mod auth_to_local 1')
-test_an2ln(mod, 'test/notrule', 'notrule', 'mod auth_to_local 2')
-test_an2ln(mod, 'user@KRBTEST.COM', 'user', 'mod auth_to_local 3')
-test_an2ln(mod, 'xyz@X', 'resid', 'mod auth_to_local 4')
-
-# test2's userok module should succeed when the number of components
-# is equal to the length of the local name, should pass if the first
-# component is 'pass', and should reject otherwise.
-test_userok(mod, 'a/b/c/d@X', 'four', True, 'mod userok 1')
-test_userok(mod, 'x/y/z@X', 'four', False, 'mod userok 2')
-test_userok(mod, 'pass@KRBTEST.COM', 'pass', True, 'mod userok 3')
-test_userok(mod, 'user@KRBTEST.COM', 'user', False, 'mod userok 4')
-
-success('krb5_kuserok and krb5_aname_to_localname tests')
diff --git a/crypto/krb5/src/tests/t_mkey.py b/crypto/krb5/src/tests/t_mkey.py
deleted file mode 100755
index 32f4070bcbc9..000000000000
--- a/crypto/krb5/src/tests/t_mkey.py
+++ /dev/null
@@ -1,344 +0,0 @@
-from k5test import *
-import random
-import re
-import struct
-
-# Convenience constants for use as expected enctypes. defetype is the
-# default enctype for master keys.
-aes256 = 'aes256-cts-hmac-sha1-96'
-aes128 = 'aes128-cts-hmac-sha1-96'
-des3 = 'des3-cbc-sha1'
-defetype = aes256
-
-realm = K5Realm(create_host=False, start_kadmind=True)
-realm.prep_kadmin()
-stash_file = os.path.join(realm.testdir, 'stash')
-
-# Count the number of principals in the realm.
-nprincs = len(realm.run([kadminl, 'listprincs']).splitlines())
-
-# List the currently active mkeys and compare against expected
-# results. Each argument must be a sequence of four elements: an
-# expected kvno, an expected enctype, whether the key is expected to
-# have an activation time, and whether the key is expected to be
-# currently active.
-list_mkeys_re = re.compile(r'^KVNO: (\d+), Enctype: (\S+), '
- r'(Active on: [^\*]+|No activate time set)( \*)?$')
-def check_mkey_list(*expected):
- # Split the output of kdb5_util list_mkeys into lines and ignore the first.
- outlines = realm.run([kdb5_util, 'list_mkeys']).splitlines()[1:]
- if len(outlines) != len(expected):
- fail('Unexpected number of list_mkeys output lines')
- for line, ex in zip(outlines, expected):
- m = list_mkeys_re.match(line)
- if not m:
- fail('Unrecognized list_mkeys output line')
- kvno, enctype, act_time, active = m.groups()
- exp_kvno, exp_enctype, exp_act_time_present, exp_active = ex
- if kvno != str(exp_kvno):
- fail('Unexpected master key version')
- if enctype != exp_enctype:
- fail('Unexpected master key enctype')
- if act_time.startswith('Active on: ') != exp_act_time_present:
- fail('Unexpected presence or absence of mkey activation time')
- if (active == ' *') != exp_active:
- fail('Master key unexpectedly active or inactive')
-
-
-# Get the K/M principal. Verify that it has the expected mkvno. Each
-# remaining argument must be a sequence of two elements: an expected
-# key version and an expected enctype.
-keyline_re = re.compile(r'^Key: vno (\d+), (\S+)$')
-def check_master_dbent(expected_mkvno, *expected_keys):
- outlines = realm.run([kadminl, 'getprinc', 'K/M']).splitlines()
- mkeyline = [l for l in outlines if l.startswith('MKey: vno ')]
- if len(mkeyline) != 1 or mkeyline[0] != ('MKey: vno %d' % expected_mkvno):
- fail('Unexpected mkvno in K/M DB entry')
- keylines = [l for l in outlines if l.startswith('Key: vno ')]
- if len(keylines) != len(expected_keys):
- fail('Unexpected number of key lines in K/M DB entry')
- for line, ex in zip(keylines, expected_keys):
- m = keyline_re.match(line)
- if not m:
- fail('Unrecognized key line in K/M DB entry')
- kvno, enctype = m.groups()
- exp_kvno, exp_enctype = ex
- if kvno != str(exp_kvno):
- fail('Unexpected key version in K/M DB entry')
- if enctype != exp_enctype:
- fail('Unexpected enctype in K/M DB entry')
-
-
-# Check the stash file. Each argument must be a sequence of two
-# elements: an expected key version and an expected enctype.
-klist_re = re.compile(r'^\s*(\d+) K/M@KRBTEST.COM \((\S+)\)')
-def check_stash(*expected):
- # Split the output of klist -e -k into lines and ignore the first three.
- outlines = realm.run([klist, '-e', '-k', stash_file]).splitlines()[3:]
- if len(outlines) != len(expected):
- fail('Unexpected number of lines in stash file klist')
- for line, ex in zip(outlines, expected):
- m = klist_re.match(line)
- if not m:
- fail('Unrecognized stash file klist line')
- kvno, enctype = m.groups()
- exp_kvno, exp_enctype = ex
- if kvno != str(exp_kvno):
- fail('Unexpected stash file klist kvno')
- if enctype != exp_enctype:
- fail('Unexpected stash file klist enctype')
-
-
-# Verify that the user principal has the expected mkvno.
-def check_mkvno(princ, expected_mkvno):
- msg = 'MKey: vno %d\n' % expected_mkvno
- realm.run([kadminl, 'getprinc', princ], expected_msg=msg)
-
-
-# Change the password using either kadmin.local or kadmin, then check
-# the mkvno of the principal against expected_mkvno and verify that
-# the running KDC can access the new key.
-def change_password_check_mkvno(local, princ, password, expected_mkvno):
- cmd = ['cpw', '-pw', password, princ]
- if local:
- realm.run([kadminl] + cmd)
- else:
- realm.run_kadmin(cmd)
- check_mkvno(princ, expected_mkvno)
- realm.kinit(princ, password)
-
-
-# Add a master key with the specified options and a random password.
-def add_mkey(options):
- pw = ''.join(random.choice(string.ascii_uppercase) for x in range(5))
- realm.run([kdb5_util, 'add_mkey'] + options, input=(pw + '\n' + pw + '\n'))
-
-
-# Run kdb5_util update_princ_encryption (with the dry-run option if
-# specified) and verify the output against the expected mkvno, number
-# of updated principals, and number of already-current principals.
-mkvno_re = {False: re.compile(r'^Principals whose keys are being re-encrypted '
- r'to master key vno (\d+) if necessary:$'),
- True: re.compile(r'^Principals whose keys WOULD BE re-encrypted '
- r'to master key vno (\d+):$')}
-count_re = {False: re.compile(r'^(\d+) principals processed: (\d+) updated, '
- r'(\d+) already current$'),
- True: re.compile(r'^(\d+) principals processed: (\d+) would be '
- r'updated, (\d+) already current$')}
-def update_princ_encryption(dry_run, expected_mkvno, expected_updated,
- expected_current):
- opts = ['-f', '-v']
- if dry_run:
- opts += ['-n']
- out = realm.run([kdb5_util, 'update_princ_encryption'] + opts)
- lines = out.splitlines()
- # Parse the first line to get the target mkvno.
- m = mkvno_re[dry_run].match(lines[0])
- if not m:
- fail('Unexpected first line of update_princ_encryption output')
- if m.group(1) != str(expected_mkvno):
- fail('Unexpected master key version in update_princ_encryption output')
- # Parse the last line to get the principal counts.
- m = count_re[dry_run].match(lines[-1])
- if not m:
- fail('Unexpected last line of update_princ_encryption output')
- total, updated, current = m.groups()
- if (total != str(expected_updated + expected_current) or
- updated != str(expected_updated) or current != str(expected_current)):
- fail('Unexpected counts from update_princ_encryption')
-
-
-# Check the initial state of the realm.
-mark('initial state')
-check_mkey_list((1, defetype, True, True))
-check_master_dbent(1, (1, defetype))
-check_stash((1, defetype))
-check_mkvno(realm.user_princ, 1)
-
-# Check that stash will fail if a temp stash file is already present.
-mark('temp stash collision')
-collisionfile = os.path.join(realm.testdir, 'stash_tmp')
-f = open(collisionfile, 'w')
-f.close()
-realm.run([kdb5_util, 'stash'], expected_code=1,
- expected_msg='Temporary stash file already exists')
-os.unlink(collisionfile)
-
-# Add a new master key with no options. Verify that:
-# 1. The new key appears in list_mkeys but has no activation time and
-# is not active.
-# 2. The new key appears in the K/M DB entry and is the current key to
-# encrypt that entry.
-# 3. The stash file is not modified (since we did not pass -s).
-# 4. The old key is used for password changes.
-mark('add_mkey (second master key)')
-add_mkey([])
-check_mkey_list((2, defetype, False, False), (1, defetype, True, True))
-check_master_dbent(2, (2, defetype), (1, defetype))
-change_password_check_mkvno(True, realm.user_princ, 'abcd', 1)
-change_password_check_mkvno(False, realm.user_princ, 'user', 1)
-
-# Verify that use_mkey won't make all master keys inactive.
-mark('use_mkey (no active keys)')
-realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1,
- expected_msg='there must be one master key currently active')
-check_mkey_list((2, defetype, False, False), (1, defetype, True, True))
-
-# Make the new master key active. Verify that:
-# 1. The new key has an activation time in list_mkeys and is active.
-# 2. The new key is used for password changes.
-# 3. The running KDC can access the new key.
-mark('use_mkey')
-realm.run([kdb5_util, 'use_mkey', '2', 'now-1day'])
-check_mkey_list((2, defetype, True, True), (1, defetype, True, False))
-change_password_check_mkvno(True, realm.user_princ, 'abcd', 2)
-change_password_check_mkvno(False, realm.user_princ, 'user', 2)
-
-# Check purge_mkeys behavior with both master keys still in use.
-mark('purge_mkeys (nothing to purge)')
-realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
- expected_msg='All keys in use, nothing purged.')
-
-# Do an update_princ_encryption dry run and for real. Verify that:
-# 1. The target master key is 2 (the active mkvno).
-# 2. nprincs - 2 principals were updated and one principal was
-# skipped (K/M is not included in the output and user was updated
-# above).
-# 3. The dry run doesn't change user/admin's mkvno but the real update
-# does.
-# 4. The old stashed master key is sufficient to access the DB (via
-# MKEY_AUX tl-data which keeps the current master key encrypted in
-# each of the old master keys).
-mark('update_princ_encryption')
-update_princ_encryption(True, 2, nprincs - 2, 1)
-check_mkvno(realm.admin_princ, 1)
-update_princ_encryption(False, 2, nprincs - 2, 1)
-check_mkvno(realm.admin_princ, 2)
-realm.stop_kdc()
-realm.start_kdc()
-realm.kinit(realm.user_princ, 'user')
-
-# Update all principals back to mkvno 1 and to mkvno 2 again, to
-# verify that update_princ_encryption targets the active master key.
-mark('update_princ_encryption (back and forth)')
-realm.run([kdb5_util, 'use_mkey', '2', 'now+1day'])
-update_princ_encryption(False, 1, nprincs - 1, 0)
-check_mkvno(realm.user_princ, 1)
-realm.run([kdb5_util, 'use_mkey', '2', 'now-1day'])
-update_princ_encryption(False, 2, nprincs - 1, 0)
-check_mkvno(realm.user_princ, 2)
-
-# Test the safety check for purging with an outdated stash file.
-mark('purge_mkeys (outdated stash file)')
-realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1,
- expected_msg='stash file needs updating')
-
-# Update the master stash file and check it. Save a copy of the old
-# one for a later test.
-mark('update stash file')
-shutil.copy(stash_file, stash_file + '.old')
-realm.run([kdb5_util, 'stash'])
-check_stash((2, defetype), (1, defetype))
-
-# Do a purge_mkeys dry run and for real. Verify that:
-# 1. Master key 1 is purged.
-# 2. The dry run doesn't remove mkvno 1 but the real one does.
-# 3. The old stash file is no longer sufficient to access the DB.
-# 4. If the stash file is updated, it no longer contains mkvno 1.
-# 5. use_mkey now gives an error if we refer to mkvno 1.
-# 6. A second purge_mkeys gives the right message.
-mark('purge_mkeys')
-out = realm.run([kdb5_util, 'purge_mkeys', '-v', '-n', '-f'])
-if 'KVNO: 1' not in out or '1 key(s) would be purged' not in out:
- fail('Unexpected output from purge_mkeys dry-run')
-check_mkey_list((2, defetype, True, True), (1, defetype, True, False))
-check_master_dbent(2, (2, defetype), (1, defetype))
-out = realm.run([kdb5_util, 'purge_mkeys', '-v', '-f'])
-check_mkey_list((2, defetype, True, True))
-check_master_dbent(2, (2, defetype))
-os.rename(stash_file, stash_file + '.save')
-os.rename(stash_file + '.old', stash_file)
-realm.run([kadminl, 'getprinc', 'user'], expected_code=1,
- expected_msg='Unable to decrypt latest master key')
-os.rename(stash_file + '.save', stash_file)
-realm.run([kdb5_util, 'stash'])
-check_stash((2, defetype))
-realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1,
- expected_msg='1 is an invalid KVNO value')
-realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
- expected_msg='There is only one master key which can not be purged.')
-
-# Add a third master key with a specified enctype. Verify that:
-# 1. The new master key receives the correct number.
-# 2. The enctype argument is respected.
-# 3. The new master key is stashed (by itself, at the moment).
-# 4. We can roll over to the new master key and use it.
-mark('add_mkey and update_princ_encryption (third master key)')
-add_mkey(['-s', '-e', aes128])
-check_mkey_list((3, aes128, False, False), (2, defetype, True, True))
-check_master_dbent(3, (3, aes128), (2, defetype))
-check_stash((3, aes128))
-realm.run([kdb5_util, 'use_mkey', '3', 'now-1day'])
-update_princ_encryption(False, 3, nprincs - 1, 0)
-check_mkey_list((3, aes128, True, True), (2, defetype, True, False))
-check_mkvno(realm.user_princ, 3)
-
-# Regression test for #7994 (randkey does not update principal mkvno)
-# and #7995 (-keepold does not re-encrypt old keys).
-mark('#7994 and #7995 regression test')
-add_mkey(['-s'])
-realm.run([kdb5_util, 'use_mkey', '4', 'now-1day'])
-realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.user_princ])
-# With #7994 unfixed, mkvno of user will still be 3.
-check_mkvno(realm.user_princ, 4)
-# With #7995 unfixed, old keys are still encrypted with mkvno 3.
-update_princ_encryption(False, 4, nprincs - 2, 1)
-realm.run([kdb5_util, 'purge_mkeys', '-f'])
-out = realm.run([kadminl, 'xst', '-norandkey', realm.user_princ])
-if 'Decrypt integrity check failed' in out or 'added to keytab' not in out:
- fail('Preserved old key data not updated to new master key')
-
-realm.stop()
-
-# Load a dump file created with krb5 1.6, before the master key
-# rollover changes were introduced. Write out an old-format stash
-# file consistent with the dump's master password ("footes"). The K/M
-# entry in this database will not have actkvno tl-data because it was
-# created prior to master key rollover support. Verify that:
-# 1. We can access the database using the old-format stash file.
-# 2. list_mkeys displays the same list as for a post-1.7 KDB.
-mark('pre-1.7 stash file')
-dumpfile = os.path.join(srctop, 'tests', 'dumpfiles', 'dump.16')
-os.remove(stash_file)
-f = open(stash_file, 'wb')
-f.write(struct.pack('=HL24s', 16, 24,
- b'\xF8\x3E\xFB\xBA\x6D\x80\xD9\x54\xE5\x5D\xF2\xE0'
- b'\x94\xAD\x6D\x86\xB5\x16\x37\xEC\x7C\x8A\xBC\x86'))
-f.close()
-realm.run([kdb5_util, 'load', dumpfile])
-nprincs = len(realm.run([kadminl, 'listprincs']).splitlines())
-check_mkvno('K/M', 1)
-check_mkey_list((1, des3, True, True))
-
-# Create a new master key and verify that, without actkvkno tl-data:
-# 1. list_mkeys displays the same as for a post-1.7 KDB.
-# 2. update_princ_encryption still targets mkvno 1.
-# 3. libkadm5 still uses mkvno 1 for key changes.
-# 4. use_mkey creates the same list as for a post-1.7 KDB.
-mark('rollover from pre-1.7 KDB')
-add_mkey([])
-check_mkey_list((2, defetype, False, False), (1, des3, True, True))
-update_princ_encryption(False, 1, 0, nprincs - 1)
-realm.run([kadminl, 'addprinc', '-randkey', realm.user_princ])
-check_mkvno(realm.user_princ, 1)
-realm.run([kdb5_util, 'use_mkey', '2', 'now-1day'])
-check_mkey_list((2, defetype, True, True), (1, des3, True, False))
-
-# Regression test for #8395. Purge the master key and verify that a
-# master key fetch does not segfault.
-mark('#8395 regression test')
-realm.run([kadminl, 'purgekeys', '-all', 'K/M'])
-realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1,
- expected_msg='Cannot find master key record in database')
-
-success('Master key rollover tests')
diff --git a/crypto/krb5/src/tests/t_otp.py b/crypto/krb5/src/tests/t_otp.py
deleted file mode 100755
index dd5cdc5c26d9..000000000000
--- a/crypto/krb5/src/tests/t_otp.py
+++ /dev/null
@@ -1,275 +0,0 @@
-# Author: Nathaniel McCallum <npmccallum@redhat.com>
-#
-# Copyright (c) 2013 Red Hat, Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-
-#
-# This script tests OTP, both UDP and Unix Sockets, with a variety of
-# configuration. It requires pyrad to run, but exits gracefully if not found.
-# It also deliberately shuts down the test daemons between tests in order to
-# test how OTP handles the case of short daemon restarts.
-#
-
-from k5test import *
-from queue import Empty
-import io
-import struct
-
-try:
- from pyrad import packet, dictionary
-except ImportError:
- skip_rest('OTP tests', 'Python pyrad module not found')
-try:
- from multiprocessing import Process, Queue
-except ImportError:
- skip_rest('OTP tests', 'Python version 2.6 required')
-
-# We could use a dictionary file, but since we need so few attributes,
-# we'll just include them here.
-radius_attributes = '''
-ATTRIBUTE User-Name 1 string
-ATTRIBUTE User-Password 2 octets
-ATTRIBUTE Service-Type 6 integer
-ATTRIBUTE NAS-Identifier 32 string
-ATTRIBUTE Message-Authenticator 80 octets
-'''
-
-class RadiusDaemon(Process):
- MAX_PACKET_SIZE = 4096
- DICTIONARY = dictionary.Dictionary(io.StringIO(radius_attributes))
-
- def listen(self, addr):
- raise NotImplementedError()
-
- def recvRequest(self, data):
- raise NotImplementedError()
-
- def run(self):
- addr = self._args[0]
- secrfile = self._args[1]
- pswd = self._args[2]
- outq = self._args[3]
-
- if secrfile:
- with open(secrfile, 'rb') as file:
- secr = file.read().strip()
- else:
- secr = b''
-
- data = self.listen(addr)
- outq.put("started")
- (buf, sock, addr) = self.recvRequest(data)
- pkt = packet.AuthPacket(secret=secr,
- dict=RadiusDaemon.DICTIONARY,
- packet=buf)
-
- usernm = []
- passwd = []
- for key in pkt.keys():
- if key == 'User-Password':
- passwd = list(map(pkt.PwDecrypt, pkt[key]))
- elif key == 'User-Name':
- usernm = pkt[key]
-
- reply = pkt.CreateReply()
- replyq = {'user': usernm, 'pass': passwd}
- if passwd == [pswd]:
- reply.code = packet.AccessAccept
- replyq['reply'] = True
- else:
- reply.code = packet.AccessReject
- replyq['reply'] = False
-
- reply.add_message_authenticator()
-
- outq.put(replyq)
- if addr is None:
- sock.send(reply.ReplyPacket())
- else:
- sock.sendto(reply.ReplyPacket(), addr)
- sock.close()
-
-class UDPRadiusDaemon(RadiusDaemon):
- def listen(self, addr):
- sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- sock.bind((addr.split(':')[0], int(addr.split(':')[1])))
- return sock
-
- def recvRequest(self, sock):
- (buf, addr) = sock.recvfrom(RadiusDaemon.MAX_PACKET_SIZE)
- return (buf, sock, addr)
-
-class UnixRadiusDaemon(RadiusDaemon):
- def listen(self, addr):
- sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
- if os.path.exists(addr):
- os.remove(addr)
- sock.bind(addr)
- sock.listen(1)
- return (sock, addr)
-
- def recvRequest(self, sock_and_addr):
- sock, addr = sock_and_addr
- conn = sock.accept()[0]
- sock.close()
- os.remove(addr)
-
- buf = b''
- remain = RadiusDaemon.MAX_PACKET_SIZE
- while True:
- buf += conn.recv(remain)
- remain = RadiusDaemon.MAX_PACKET_SIZE - len(buf)
- if (len(buf) >= 4):
- remain = struct.unpack("!BBH", buf[0:4])[2] - len(buf)
- if (remain <= 0):
- return (buf, conn, None)
-
-def verify(daemon, queue, reply, usernm, passwd):
- try:
- data = queue.get(timeout=1)
- except Empty:
- sys.stderr.write("ERROR: Packet not received by daemon!\n")
- daemon.terminate()
- sys.exit(1)
- assert data['reply'] is reply
- assert data['user'] == [usernm]
- assert data['pass'] == [passwd]
- daemon.join()
-
-# Compose a single token configuration.
-def otpconfig_1(toktype, username=None, indicators=None):
- val = '{"type": "%s"' % toktype
- if username is not None:
- val += ', "username": "%s"' % username
- if indicators is not None:
- qind = ['"%s"' % s for s in indicators]
- jsonlist = '[' + ', '.join(qind) + ']'
- val += ', "indicators":' + jsonlist
- val += '}'
- return val
-
-# Compose a token configuration list suitable for the "otp" string
-# attribute.
-def otpconfig(toktype, username=None, indicators=None):
- return '[' + otpconfig_1(toktype, username, indicators) + ']'
-
-prefix = "/tmp/%d" % os.getpid()
-secret_file = prefix + ".secret"
-socket_file = prefix + ".socket"
-with open(secret_file, "w") as file:
- file.write("otptest")
-atexit.register(lambda: os.remove(secret_file))
-
-conf = {'plugins': {'kdcpreauth': {'enable_only': 'otp'}},
- 'otp': {'udp': {'server': '127.0.0.1:$port9',
- 'secret': secret_file,
- 'strip_realm': 'true',
- 'indicator': ['indotp1', 'indotp2']},
- 'unix': {'server': socket_file,
- 'strip_realm': 'false'}}}
-
-queue = Queue()
-
-realm = K5Realm(kdc_conf=conf)
-realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
-flags = ['-T', realm.ccache]
-server_addr = '127.0.0.1:' + str(realm.portbase + 9)
-
-## Test UDP fail / custom username
-mark('UDP fail / custom username')
-daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue))
-daemon.start()
-queue.get()
-realm.run([kadminl, 'setstr', realm.user_princ, 'otp',
- otpconfig('udp', 'custom')])
-realm.kinit(realm.user_princ, 'reject', flags=flags, expected_code=1)
-verify(daemon, queue, False, 'custom', 'reject')
-
-## Test UDP success / standard username
-mark('UDP success / standard username')
-daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue))
-daemon.start()
-queue.get()
-realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('udp')])
-realm.kinit(realm.user_princ, 'accept', flags=flags)
-verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
-realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
-realm.run(['./adata', realm.krbtgt_princ],
- expected_msg='+97: [indotp1, indotp2]')
-
-# Repeat with an indicators override in the string attribute.
-mark('auth indicator override')
-daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue))
-daemon.start()
-queue.get()
-oconf = otpconfig('udp', indicators=['indtok1', 'indtok2'])
-realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf])
-realm.kinit(realm.user_princ, 'accept', flags=flags)
-verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
-realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
-realm.run(['./adata', realm.krbtgt_princ],
- expected_msg='+97: [indtok1, indtok2]')
-
-# Detect upstream pyrad bug
-# https://github.com/wichert/pyrad/pull/18
-try:
- auth = packet.Packet.CreateAuthenticator()
- packet.Packet(authenticator=auth, secret=b'').ReplyPacket()
-except AssertionError:
- skip_rest('OTP UNIX domain socket tests', 'pyrad assertion bug detected')
-
-## Test Unix fail / custom username
-mark('Unix socket fail / custom username')
-daemon = UnixRadiusDaemon(args=(socket_file, None, 'accept', queue))
-daemon.start()
-queue.get()
-realm.run([kadminl, 'setstr', realm.user_princ, 'otp',
- otpconfig('unix', 'custom')])
-realm.kinit(realm.user_princ, 'reject', flags=flags, expected_code=1)
-verify(daemon, queue, False, 'custom', 'reject')
-
-## Test Unix success / standard username
-mark('Unix socket success / standard username')
-daemon = UnixRadiusDaemon(args=(socket_file, None, 'accept', queue))
-daemon.start()
-queue.get()
-realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('unix')])
-realm.kinit(realm.user_princ, 'accept', flags=flags)
-verify(daemon, queue, True, realm.user_princ, 'accept')
-
-## Regression test for #8708: test with the standard username and two
-## tokens configured, with the first rejecting and the second
-## accepting. With the bug, the KDC incorrectly rejects the request
-## and then performs invalid memory accesses, most likely crashing.
-queue2 = Queue()
-daemon1 = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept1', queue))
-daemon2 = UnixRadiusDaemon(args=(socket_file, None, 'accept2', queue2))
-daemon1.start()
-queue.get()
-daemon2.start()
-queue2.get()
-oconf = '[' + otpconfig_1('udp') + ', ' + otpconfig_1('unix') + ']'
-realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf])
-realm.kinit(realm.user_princ, 'accept2', flags=flags)
-verify(daemon1, queue, False, realm.user_princ.split('@')[0], 'accept2')
-verify(daemon2, queue2, True, realm.user_princ, 'accept2')
-
-success('OTP tests')
diff --git a/crypto/krb5/src/tests/t_pkinit.py b/crypto/krb5/src/tests/t_pkinit.py
deleted file mode 100755
index 91d4630a0a3b..000000000000
--- a/crypto/krb5/src/tests/t_pkinit.py
+++ /dev/null
@@ -1,469 +0,0 @@
-from k5test import *
-import re
-
-# Skip this test if pkinit wasn't built.
-if not pkinit_enabled:
- skip_rest('PKINIT tests', 'PKINIT module not built')
-
-# Construct a krb5.conf fragment configuring pkinit.
-user_pem = os.path.join(pkinit_certs, 'user.pem')
-ecuser_pem = os.path.join(pkinit_certs, 'ecuser.pem')
-privkey_pem = os.path.join(pkinit_certs, 'privkey.pem')
-privkey_enc_pem = os.path.join(pkinit_certs, 'privkey-enc.pem')
-privkey_ec_pem = os.path.join(pkinit_certs, 'eckey.pem')
-user_p12 = os.path.join(pkinit_certs, 'user.p12')
-user_enc_p12 = os.path.join(pkinit_certs, 'user-enc.p12')
-user_upn_p12 = os.path.join(pkinit_certs, 'user-upn.p12')
-user_upn2_p12 = os.path.join(pkinit_certs, 'user-upn2.p12')
-user_upn3_p12 = os.path.join(pkinit_certs, 'user-upn3.p12')
-generic_p12 = os.path.join(pkinit_certs, 'generic.p12')
-path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
-path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
-
-pkinit_kdc_conf = {'realms': {'$realm': {
- 'default_principal_flags': '+preauth',
- 'pkinit_eku_checking': 'none',
- 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
-restrictive_kdc_conf = {'realms': {'$realm': {
- 'restrict_anonymous_to_tgt': 'true' }}}
-freshness_kdc_conf = {'realms': {'$realm': {
- 'pkinit_require_freshness': 'true'}}}
-
-testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
- 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
- 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}}
-alias_kdc_conf = {'realms': {'$realm': {
- 'default_principal_flags': '+preauth',
- 'pkinit_eku_checking': 'none',
- 'pkinit_allow_upn': 'true',
- 'database_module': 'test'}},
- 'dbmodules': {'test': {
- 'db_library': 'test',
- 'alias': {'user@krbtest.com': 'user'},
- 'princs': testprincs}}}
-
-file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
-file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
-ec_identity = 'FILE:%s,%s' % (ecuser_pem, privkey_ec_pem)
-dir_identity = 'DIR:%s' % path
-dir_enc_identity = 'DIR:%s' % path_enc
-dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'),
- os.path.join(path, 'user.key'))
-dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'),
- os.path.join(path_enc, 'user.key'))
-p12_identity = 'PKCS12:%s' % user_p12
-p12_upn_identity = 'PKCS12:%s' % user_upn_p12
-p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
-p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
-p12_generic_identity = 'PKCS12:%s' % generic_p12
-p12_enc_identity = 'PKCS12:%s' % user_enc_p12
-
-# Start a realm with the test kdb module for the following UPN SAN tests.
-realm = K5Realm(kdc_conf=alias_kdc_conf, create_kdb=False, pkinit=True)
-realm.start_kdc()
-
-mark('UPN SANs')
-
-# Compatibility check: cert contains UPN "user", which matches the
-# request principal user@KRBTEST.COM if parsed as a normal principal.
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity])
-
-# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches
-# the request principal user@KRBTEST.COM if parsed as a normal principal.
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity])
-
-# Cert contains UPN "user@krbtest.com" which is aliased to the request
-# principal.
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
-
-# Test an id-pkinit-san match to a post-canonical principal.
-realm.kinit('user@krbtest.com',
- flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity])
-
-# Test a UPN match to a post-canonical principal. (This only works
-# for the cert with the UPN containing just "user", as we don't allow
-# UPN reparsing when comparing to the canonicalized client principal.)
-realm.kinit('user@krbtest.com',
- flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
-
-# Test a mismatch.
-msg = 'kinit: Client name mismatch while getting initial credentials'
-realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity, 'user2'],
- expected_code=1, expected_msg=msg)
-realm.stop()
-
-realm = K5Realm(kdc_conf=pkinit_kdc_conf, get_creds=False, pkinit=True)
-
-# Sanity check - password-based preauth should still work.
-mark('password preauth sanity check')
-realm.run(['./responder', '-r', 'password=%s' % password('user'),
- realm.user_princ])
-realm.kinit(realm.user_princ, password=password('user'))
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# Having tested password preauth, remove the keys for better error
-# reporting.
-realm.run([kadminl, 'purgekeys', '-all', realm.user_princ])
-
-# Test anonymous PKINIT.
-mark('anonymous')
-realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1,
- expected_msg='not found in Kerberos database')
-realm.addprinc('WELLKNOWN/ANONYMOUS')
-realm.kinit('@%s' % realm.realm, flags=['-n'])
-realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS')
-realm.run([kvno, realm.host_princ])
-out = realm.run(['./adata', realm.host_princ])
-if '97:' in out:
- fail('auth indicators seen in anonymous PKINIT ticket')
-# Verify start_realm setting and test referrals TGS request.
-realm.run([klist, '-C'], expected_msg='start_realm = KRBTEST.COM')
-realm.run([kvno, '-S', 'host', hostname])
-
-# Test anonymous kadmin.
-mark('anonymous kadmin')
-f = open(os.path.join(realm.testdir, 'acl'), 'a')
-f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
-f.close()
-realm.start_kadmind()
-realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
-realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1,
- expected_msg="Operation requires ``get'' privilege")
-realm.stop_kadmind()
-
-# Test with anonymous restricted; FAST should work but kvno should fail.
-mark('anonymous restricted')
-r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)
-realm.stop_kdc()
-realm.start_kdc(env=r_env)
-realm.kinit('@%s' % realm.realm, flags=['-n'])
-realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache])
-realm.run([kvno, realm.host_princ], expected_code=1,
- expected_msg='KDC policy rejects request')
-
-# Regression test for #8458: S4U2Self requests crash the KDC if
-# anonymous is restricted.
-mark('#8458 regression test')
-realm.kinit(realm.host_princ, flags=['-k'])
-realm.run([kvno, '-U', 'user', realm.host_princ])
-
-# Go back to the normal KDC environment.
-realm.stop_kdc()
-realm.start_kdc()
-
-# Run the basic test - PKINIT with FILE: identity, with no password on the key.
-mark('FILE identity, no password')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'PKINIT client received freshness token from KDC',
- 'PKINIT loading CA certs and CRLs from FILE',
- 'PKINIT client making DH request',
- ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)',
- 'PKINIT client verified DH reply',
- 'PKINIT client found id-pkinit-san in KDC cert',
- 'PKINIT client matched KDC principal krbtgt/')
-realm.pkinit(realm.user_princ, expected_trace=msgs)
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# Test each Diffie-Hellman group except 1024-bit (which doesn't work
-# in OpenSSL 3.0) and the default 2048-bit group.
-for g in ('4096', 'P-256', 'P-384', 'P-521'):
- mark('Diffie-Hellman group ' + g)
- group_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': g}}}
- group_env = realm.special_env(g, True, krb5_conf=group_conf)
- realm.pkinit(realm.user_princ, expected_trace=('PKINIT using ' + g,),
- env=group_env)
-
-# Test with an EC client cert.
-mark('EC client cert')
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % ec_identity])
-
-# Try using multiple configured pkinit_identities, to make sure we
-# fall back to the second one when the first one cannot be read.
-id_conf = {'realms': {'$realm': {'pkinit_identities': [file_identity + 'X',
- file_identity]}}}
-id_env = realm.special_env('idconf', False, krb5_conf=id_conf)
-realm.kinit(realm.user_princ, expected_trace=msgs, env=id_env)
-
-# Test a DH parameter renegotiation by temporarily setting a 4096-bit
-# minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ;
-# 109 is PKINIT TD_DH_PARAMETERS; 133 is FAST PA-FX-COOKIE.)
-mark('DH parameter renegotiation')
-minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
-minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
-realm.stop_kdc()
-realm.start_kdc(env=minbits_env)
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'PKINIT using 2048-bit DH key exchange group',
- 'Preauth module pkinit (16) (real) returned: 0/Success',
- ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)',
- '/Key parameters not accepted',
- 'Preauth tryagain input types (16): 109, PA-FX-COOKIE (133)',
- 'PKINIT accepting KDC key exchange group preference P-384',
- 'trying again with KDC-provided parameters',
- 'PKINIT using P-384 key exchange group',
- 'Preauth module pkinit (16) tryagain returned: 0/Success',
- ' preauth for next request: PA-PK-AS-REQ (16), PA-FX-COOKIE (133)')
-realm.pkinit(realm.user_princ, expected_trace=msgs)
-
-# Test enforcement of required freshness tokens. (We can leave
-# freshness tokens required after this test.)
-mark('freshness token enforcement')
-realm.pkinit(realm.user_princ, flags=['-X', 'disable_freshness=yes'])
-f_env = realm.special_env('freshness', True, kdc_conf=freshness_kdc_conf)
-realm.stop_kdc()
-realm.start_kdc(env=f_env)
-realm.pkinit(realm.user_princ)
-realm.pkinit(realm.user_princ, flags=['-X', 'disable_freshness=yes'],
- expected_code=1, expected_msg='Preauthentication failed')
-# Anonymous should never require a freshness token.
-realm.kinit('@%s' % realm.realm, flags=['-n', '-X', 'disable_freshness=yes'])
-
-# Run the basic test - PKINIT with FILE: identity, with a password on the key,
-# supplied by the prompter.
-# Expect failure if the responder does nothing, and we have no prompter.
-mark('FILE identity, password on key (prompter)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
- '-X', 'X509_user_identity=%s' % file_enc_identity, realm.user_princ],
- expected_code=2)
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % file_enc_identity],
- password='encrypted')
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-realm.run(['./adata', realm.host_princ],
- expected_msg='+97: [indpkinit1, indpkinit2]')
-
-# Run the basic test - PKINIT with FILE: identity, with a password on the key,
-# supplied by the responder.
-# Supply the response in raw form.
-mark('FILE identity, password on key (responder)')
-out = realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity,
- '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity,
- '-X', 'X509_user_identity=%s' % file_enc_identity,
- realm.user_princ])
-# Regression test for #8885 (password question asked twice).
-if out.count('OK: ') != 1:
- fail('Wrong number of responder calls')
-# Supply the response through the convenience API.
-realm.run(['./responder', '-X', 'X509_user_identity=%s' % file_enc_identity,
- '-p', '%s=%s' % (file_enc_identity, 'encrypted'), realm.user_princ])
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# PKINIT with DIR: identity, with no password on the key.
-mark('DIR identity, no password')
-os.mkdir(path)
-os.mkdir(path_enc)
-shutil.copy(privkey_pem, os.path.join(path, 'user.key'))
-shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key'))
-shutil.copy(user_pem, os.path.join(path, 'user.crt'))
-shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % dir_identity])
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# PKINIT with DIR: identity, with a password on the key, supplied by the
-# prompter.
-# Expect failure if the responder does nothing, and we have no prompter.
-mark('DIR identity, password on key (prompter)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
- '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ],
- expected_code=2)
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % dir_enc_identity],
- password='encrypted')
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# PKINIT with DIR: identity, with a password on the key, supplied by the
-# responder.
-# Supply the response in raw form.
-mark('DIR identity, password on key (responder)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity,
- '-r', 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity,
- '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ])
-# Supply the response through the convenience API.
-realm.run(['./responder', '-X', 'X509_user_identity=%s' % dir_enc_identity,
- '-p', '%s=%s' % (dir_file_enc_identity, 'encrypted'),
- realm.user_princ])
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# PKINIT with PKCS12: identity, with no password on the bundle.
-mark('PKCS12 identity, no password')
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
-# prompter.
-# Expect failure if the responder does nothing, and we have no prompter.
-mark('PKCS12 identity, password on bundle (prompter)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
- '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ],
- expected_code=2)
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_enc_identity],
- password='encrypted')
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-# PKINIT with PKCS12: identity, with a password on the bundle, supplied by the
-# responder.
-# Supply the response in raw form.
-mark('PKCS12 identity, password on bundle (responder)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity,
- '-r', 'pkinit={"%s": "encrypted"}' % p12_enc_identity,
- '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ])
-# Supply the response through the convenience API.
-realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
- '-p', '%s=%s' % (p12_enc_identity, 'encrypted'),
- realm.user_princ])
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-mark('pkinit_cert_match rules')
-
-# Match a single rule.
-rule = '<SAN>^user@KRBTEST.COM$'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist(realm.user_princ)
-
-# Regression test for #8670: match a UPN SAN with a single rule.
-rule = '<SAN>^user@krbtest.com$'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
-realm.klist(realm.user_princ)
-
-# Match a combined rule (default prefix is &&).
-rule = '<SUBJECT>CN=user$<KU>digitalSignature,keyEncipherment'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist(realm.user_princ)
-
-# Fail an && rule.
-rule = '&&<SUBJECT>O=OTHER.COM<SAN>^user@KRBTEST.COM$'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-msg = 'kinit: Certificate mismatch while getting initial credentials'
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_identity],
- expected_code=1, expected_msg=msg)
-
-# Pass an || rule.
-rule = '||<SUBJECT>O=KRBTEST.COM<SAN>^otheruser@KRBTEST.COM$'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_identity])
-realm.klist(realm.user_princ)
-
-# Fail an || rule.
-rule = '||<SUBJECT>O=OTHER.COM<SAN>^otheruser@KRBTEST.COM$'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-msg = 'kinit: Certificate mismatch while getting initial credentials'
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_identity],
- expected_code=1, expected_msg=msg)
-
-# Authorize a client cert with no PKINIT extensions using subject and
-# issuer. (Relies on EKU checking being turned off.)
-rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
-realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-realm.kinit(realm.user_princ,
- flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
-realm.klist(realm.user_princ)
-
-# Regression test for #8726: null deref when parsing a FILE residual
-# beginning with a comma.
-realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'],
- expected_code=1, expected_msg='Preauthentication failed while')
-
-softhsm2 = '/usr/lib/softhsm/libsofthsm2.so'
-if not os.path.exists(softhsm2):
- skip_rest('PKCS11 tests', 'SoftHSMv2 required')
-pkcs11_tool = which('pkcs11-tool')
-if not pkcs11_tool:
- skip_rest('PKCS11 tests', 'pkcs11-tool from OpenSC required')
-tool_cmd = [pkcs11_tool, '--module', softhsm2]
-
-# Prepare a SoftHSM token.
-softhsm2_conf = os.path.join(realm.testdir, 'softhsm2.conf')
-softhsm2_tokens = os.path.join(realm.testdir, 'tokens')
-os.mkdir(softhsm2_tokens)
-realm.env['SOFTHSM2_CONF'] = softhsm2_conf
-with open(softhsm2_conf, 'w') as f:
- f.write('directories.tokendir = %s\n' % softhsm2_tokens)
-realm.run(tool_cmd + ['--init-token', '--label', 'user',
- '--so-pin', 'sopin', '--init-pin', '--pin', 'userpin'])
-realm.run(tool_cmd + ['-w', user_pem, '-y', 'cert'])
-realm.run(tool_cmd + ['-w', privkey_pem, '-y', 'privkey',
- '-l', '--pin', 'userpin'])
-
-# Extract the slot ID generated by SoftHSM.
-out = realm.run(tool_cmd + ['-L'])
-m = re.search(r'slot ID 0x([0-9a-f]+)\n', out)
-if not m:
- fail('could not extract slot ID from SoftHSM token')
-slot_id = int(m.group(1), 16)
-
-p11_attr = 'X509_user_identity=PKCS11:' + softhsm2
-p11_token_identity = ('PKCS11:module_name=%s:slotid=%d:token=user' %
- (softhsm2, slot_id))
-
-mark('PKCS11 identity, with PIN (prompter)')
-realm.kinit(realm.user_princ, flags=['-X', p11_attr], password='userpin')
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-mark('PKCS11 identity, unavailable PIN')
-realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
- '-X', p11_attr, realm.user_princ], expected_code=2)
-
-mark('PKCS11 identity, wrong PIN')
-expected_trace = ('PKINIT client has no configured identity; giving up',)
-realm.kinit(realm.user_princ,
- flags=['-X', p11_attr],
- password='wrong', expected_code=1, expected_trace=expected_trace)
-
-# PKINIT with PKCS11: identity, with a PIN supplied by the responder.
-# Supply the response in raw form. Expect the PIN_COUNT_LOW flag (1)
-# to be set due to the previous test.
-mark('PKCS11 identity, with PIN (responder)')
-realm.run(['./responder', '-x', 'pkinit={"%s": 1}' % p11_token_identity,
- '-r', 'pkinit={"%s": "userpin"}' % p11_token_identity,
- '-X', p11_attr, realm.user_princ])
-# Supply the response through the convenience API.
-realm.run(['./responder', '-X', p11_attr,
- '-p', '%s=%s' % (p11_token_identity, 'userpin'),
- realm.user_princ])
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-mark('PKCS11 identity, EC client cert')
-shutil.rmtree(softhsm2_tokens)
-os.mkdir(softhsm2_tokens)
-realm.run(tool_cmd + ['--init-token', '--label', 'user',
- '--so-pin', 'sopin', '--init-pin', '--pin', 'userpin'])
-realm.run(tool_cmd + ['-w', ecuser_pem, '-y', 'cert'])
-realm.run(tool_cmd + ['-w', privkey_ec_pem, '-y', 'privkey',
- '-l', '--pin', 'userpin'])
-realm.kinit(realm.user_princ, flags=['-X', p11_attr], password='userpin')
-realm.klist(realm.user_princ)
-realm.run([kvno, realm.host_princ])
-
-success('PKINIT tests')
diff --git a/crypto/krb5/src/tests/t_policy.py b/crypto/krb5/src/tests/t_policy.py
deleted file mode 100755
index 0b0e8c51ebcf..000000000000
--- a/crypto/krb5/src/tests/t_policy.py
+++ /dev/null
@@ -1,222 +0,0 @@
-from k5test import *
-import re
-
-realm = K5Realm(create_host=False, start_kadmind=True)
-
-# Test password quality enforcement.
-mark('password quality')
-realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
-realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
-realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1,
- expected_msg='Password is too short')
-realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], expected_code=1,
- expected_msg='Password does not contain enough character classes')
-realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
-
-# Test some password history enforcement. Even with no history value,
-# the current password should be denied.
-mark('password history')
-realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
- expected_msg='Cannot reuse password')
-realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
-realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
-realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
- expected_msg='Cannot reuse password')
-realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
-realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
-
-# Regression test for #929 (kadmind crash with more historical
-# passwords in a principal entry than current policy history setting).
-mark('password history (policy value reduced below current array size)')
-realm.run([kadminl, 'addpol', '-history', '5', 'histpol'])
-realm.addprinc('histprinc', 'first')
-realm.run([kadminl, 'modprinc', '-policy', 'histpol', 'histprinc'])
-realm.run([kadminl, 'cpw', '-pw', 'second', 'histprinc'])
-realm.run([kadminl, 'cpw', '-pw', 'third', 'histprinc'])
-realm.run([kadminl, 'cpw', '-pw', 'fourth', 'histprinc'])
-realm.run([kadminl, 'modpol', '-history', '3', 'histpol'])
-realm.run([kadminl, 'cpw', '-pw', 'fifth', 'histprinc'])
-realm.run([kadminl, 'delprinc', 'histprinc'])
-
-# Regression test for #2841 (heap buffer overflow when policy history
-# value is reduced to match the number of historical passwords for a
-# principal).
-mark('password history (policy value reduced to current array size)')
-def histfail(*pwlist):
- for pw in pwlist:
- realm.run([kadminl, 'cpw', '-pw', pw, 'histprinc'], expected_code=1,
- expected_msg='Cannot reuse password')
-realm.run([kadminl, 'modpol', '-history', '3', 'histpol'])
-realm.addprinc('histprinc', '1111')
-realm.run([kadminl, 'modprinc', '-policy', 'histpol', 'histprinc'])
-realm.run([kadminl, 'cpw', '-pw', '2222', 'histprinc'])
-histfail('2222', '1111')
-realm.run([kadminl, 'modpol', '-history', '2', 'histpol'])
-realm.run([kadminl, 'cpw', '-pw', '3333', 'histprinc'])
-
-# Test that the history array is properly resized if the policy
-# history value is increased after the array is filled.
-mark('password history (policy value increase)')
-realm.run([kadminl, 'delprinc', 'histprinc'])
-realm.addprinc('histprinc', '1111')
-realm.run([kadminl, 'modprinc', '-policy', 'histpol', 'histprinc'])
-realm.run([kadminl, 'cpw', '-pw', '2222', 'histprinc'])
-histfail('2222', '1111')
-realm.run([kadminl, 'cpw', '-pw', '2222', 'histprinc'], expected_code=1,
- expected_msg='Cannot reuse password')
-realm.run([kadminl, 'cpw', '-pw', '1111', 'histprinc'], expected_code=1,
- expected_msg='Cannot reuse password')
-realm.run([kadminl, 'modpol', '-history', '3', 'histpol'])
-realm.run([kadminl, 'cpw', '-pw', '3333', 'histprinc'])
-histfail('3333', '2222', '1111')
-realm.run([kadminl, 'modpol', '-history', '4', 'histpol'])
-histfail('3333', '2222', '1111')
-realm.run([kadminl, 'cpw', '-pw', '4444', 'histprinc'])
-histfail('4444', '3333', '2222', '1111')
-
-# Test that when the policy history value is reduced, all currently
-# known old passwords still fail until the next password change, after
-# which the new number of old passwords fails (but no more).
-mark('password history (policy value reduction)')
-realm.run([kadminl, 'modpol', '-history', '3', 'histpol'])
-histfail('4444', '3333', '2222', '1111')
-realm.run([kadminl, 'cpw', '-pw', '5555', 'histprinc'])
-histfail('5555', '3333', '3333')
-realm.run([kadminl, 'cpw', '-pw', '2222', 'histprinc'])
-realm.run([kadminl, 'modpol', '-history', '2', 'histpol'])
-histfail('2222', '5555', '4444')
-realm.run([kadminl, 'cpw', '-pw', '3333', 'histprinc'])
-
-# Test references to nonexistent policies.
-mark('nonexistent policy references')
-realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
-realm.run([kadminl, 'getprinc', 'newuser'],
- expected_msg='Policy: newpol [does not exist]\n')
-realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
-# pwuser should allow reuse of the current password since newpol doesn't exist.
-realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
-# Regression test for #8427 (min_life check with nonexistent policy).
-realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
- '3rdpassword', 'pwuser'])
-
-# Create newpol and verify that it is enforced.
-mark('create referenced policy')
-realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
-realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n')
-realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1,
- expected_msg='Password is too short')
-realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], expected_code=1,
- expected_msg='Cannot reuse password')
-
-realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n')
-realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1,
- expected_msg='Password is too short')
-
-# Delete the policy and verify that it is no longer enforced.
-mark('delete referenced policy')
-realm.run([kadminl, 'delpol', 'newpol'])
-realm.run([kadminl, 'getpol', 'newpol'], expected_code=1,
- expected_msg='Policy does not exist')
-realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
-
-# Test basic password lockout support.
-mark('password lockout')
-realm.stop()
-for realm in multidb_realms(create_host=False):
- realm.run([kadminl, 'addpol', '-maxfailure', '2', '-failurecountinterval',
- '5m', 'lockout'])
- realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout',
- 'user'])
-
- # kinit twice with the wrong password.
- msg = 'Password incorrect while getting initial credentials'
- realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
- expected_msg=msg)
- realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
- expected_msg=msg)
-
- # Now the account should be locked out.
- msg = 'credentials have been revoked while getting initial credentials'
- realm.run([kinit, realm.user_princ], expected_code=1, expected_msg=msg)
-
- # Check that modprinc -unlock allows a further attempt.
- realm.run([kadminl, 'modprinc', '-unlock', 'user'])
- realm.kinit(realm.user_princ, password('user'))
-
- # Make sure a nonexistent policy reference doesn't prevent authentication.
- realm.run([kadminl, 'delpol', 'lockout'])
- realm.kinit(realm.user_princ, password('user'))
-
-# Regression test for issue #7099: databases created prior to krb5 1.3 have
-# multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
-# first one to create history entries.
-mark('#7099 regression test')
-realm = K5Realm(start_kdc=False)
-# Create a history principal with two keys.
-realm.run(['./hist', 'make'])
-realm.run([kadminl, 'addpol', '-history', '2', 'pol'])
-realm.run([kadminl, 'modprinc', '-policy', 'pol', 'user'])
-realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])
-# Swap the keys, simulating older kadmin having chosen the second entry.
-realm.run(['./hist', 'swap'])
-# Make sure we can read the history entry.
-realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
- expected_msg='Cannot reuse password')
-
-mark('Error message for unsupported kadmin/history key type')
-realm.run(['./hist', 'des'])
-realm.run([kadminl, 'cpw', '-pw', 'pw', 'user'], expected_code=1,
- expected_msg='(kadmin/history) contains unsupported key type')
-
-# Test key/salt constraints.
-mark('allowedkeysalts')
-
-realm.stop()
-krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
-realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
-
-# Add policy.
-realm.run([kadminl, 'addpol', '-allowedkeysalts', 'aes256-cts', 'ak'])
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-
-# Test with one-enctype allowed_keysalts.
-realm.run([kadminl, 'modprinc', '-policy', 'ak', 'server'])
-out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'],
- expected_code=1)
-if not 'Invalid key/salt tuples' in out:
- fail('allowed_keysalts policy not applied properly')
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
-
-# Now test a multi-enctype allowed_keysalts. Test that subsets are allowed,
-# the the complete set is allowed, that order doesn't matter, and that
-# enctypes outside the set are not allowed.
-
-# Test modpol.
-realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
-realm.run([kadminl, 'getpol', 'ak'],
- expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac')
-
-# Test subsets and full set.
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server'])
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server'])
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server'])
-
-# Check that the order we got is the one from the policy.
-realm.run([kadminl, 'getprinc', '-terse', 'server'],
- expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0')
-
-# Test partially intersecting sets.
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', 'server'],
- expected_code=1, expected_msg='Invalid key/salt tuples')
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts,aes128-cts',
- 'server'], expected_code=1, expected_msg='Invalid key/salt tuples')
-
-# Test reset of allowedkeysalts.
-realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
-out = realm.run([kadminl, 'getpol', 'ak'])
-if 'Allowed key/salt types' in out:
- fail('failed to clear allowedkeysalts')
-realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'])
-
-success('Policy tests')
diff --git a/crypto/krb5/src/tests/t_preauth.py b/crypto/krb5/src/tests/t_preauth.py
deleted file mode 100644
index d95eed5d862d..000000000000
--- a/crypto/krb5/src/tests/t_preauth.py
+++ /dev/null
@@ -1,265 +0,0 @@
-from k5test import *
-
-# Test that the kdcpreauth client_keyblock() callback matches the key
-# indicated by the etype info, and returns NULL if no key was selected.
-testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
-conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
- 'clpreauth': {'module': 'test:' + testpreauth}}}
-realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
-realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
-realm.run([kadminl, 'setstr', realm.user_princ, 'teststring', 'testval'])
-realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser'])
-realm.kinit(realm.user_princ, password('user'), expected_msg='testval')
-realm.kinit('nokeyuser', password('user'), expected_code=1,
- expected_msg='no key')
-
-# Preauth type -123 is the test preauth module type; 133 is FAST
-# PA-FX-COOKIE; 2 is encrypted timestamp.
-
-# Test normal preauth flow.
-mark('normal')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- 'Decrypted AS reply')
-realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='testval', expected_trace=msgs)
-
-# Test successful optimistic preauth.
-mark('optimistic')
-expected_trace = ('Attempting optimistic preauth',
- 'Processing preauth types: -123',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: -123',
- 'Decrypted AS reply')
-realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')],
- expected_trace=expected_trace)
-
-# Test optimistic preauth failing on client, falling back to encrypted
-# timestamp.
-mark('optimistic (client failure)')
-msgs = ('Attempting optimistic preauth',
- 'Processing preauth types: -123',
- '/induced optimistic fail',
- 'Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
- 'Decrypted AS reply')
-realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ,
- password('user')], expected_trace=msgs)
-
-# Test optimistic preauth failing on KDC, falling back to encrypted
-# timestamp.
-mark('optimistic (KDC failure)')
-realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes'])
-msgs = ('Attempting optimistic preauth',
- 'Processing preauth types: -123',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: -123',
- '/Preauthentication failed',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
- 'Decrypted AS reply')
-realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')],
- expected_trace=msgs)
-# Leave failopt set for the next test.
-
-# Test optimistic preauth failing on KDC, stopping because the test
-# module disabled fallback.
-mark('optimistic (KDC failure, no fallback)')
-msgs = ('Attempting optimistic preauth',
- 'Processing preauth types: -123',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: -123',
- '/Preauthentication failed')
-realm.run(['./icred', '-X', 'disable_fallback', '-o', '-123', realm.user_princ,
- password('user')], expected_code=1,
- expected_msg='Preauthentication failed', expected_trace=msgs)
-realm.run([kadminl, 'delstr', realm.user_princ, 'failopt'])
-
-# Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies.
-mark('second round-trip')
-realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip'])
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, PA-FX-COOKIE (133)',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- 'Decrypted AS reply')
-realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='2rt: secondtrip', expected_trace=msgs)
-
-# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
-# falling back to encrypted timestamp.
-mark('second round-trip (client failure)')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, PA-FX-COOKIE (133)',
- '/induced 2rt fail',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
- 'Decrypted AS reply')
-realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')],
- expected_msg='2rt: secondtrip', expected_trace=msgs)
-
-# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
-# stopping because the test module disabled fallback.
-mark('second round-trip (client failure, no fallback)')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, PA-FX-COOKIE (133)',
- '/induced 2rt fail')
-realm.run(['./icred', '-X', 'fail_2rt', '-X', 'disable_fallback',
- realm.user_princ, password('user')], expected_code=1,
- expected_msg='Pre-authentication failed: induced 2rt fail',
- expected_trace=msgs)
-
-# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
-# falling back to encrypted timestamp.
-mark('second round-trip (KDC failure)')
-realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes'])
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, PA-FX-COOKIE (133)',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/Preauthentication failed',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
- 'Decrypted AS reply')
-realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='2rt: secondtrip', expected_trace=msgs)
-# Leave fail2rt set for the next test.
-
-# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
-# stopping because the test module disabled fallback.
-mark('second round-trip (KDC failure, no fallback)')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, PA-FX-COOKIE (133)',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/Preauthentication failed')
-realm.run(['./icred', '-X', 'disable_fallback',
- realm.user_princ, password('user')], expected_code=1,
- expected_msg='Preauthentication failed', expected_trace=msgs)
-realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt'])
-
-# Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC.
-mark('tryagain')
-realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain'])
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/KDC has no support for encryption type',
- 'Recovering from KDC error 14 using preauth mech -123',
- 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)',
- 'Preauth module test (-123) tryagain returned: 0/Success',
- 'Followup preauth for next request: -123, PA-FX-COOKIE (133)',
- 'Decrypted AS reply')
-realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='tryagain: testagain', expected_trace=msgs)
-
-# Test a client-side tryagain failure, falling back to encrypted
-# timestamp.
-mark('tryagain (client failure)')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/KDC has no support for encryption type',
- 'Recovering from KDC error 14 using preauth mech -123',
- 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)',
- '/induced tryagain fail',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
- 'Decrypted AS reply')
-realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ,
- password('user')], expected_trace=msgs)
-
-# Test a client-side tryagain failure, stopping because the test
-# module disabled fallback.
-mark('tryagain (client failure, no fallback)')
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
- '/KDC has no support for encryption type',
- 'Recovering from KDC error 14 using preauth mech -123',
- 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)',
- '/induced tryagain fail')
-realm.run(['./icred', '-X', 'fail_tryagain', '-X', 'disable_fallback',
- realm.user_princ, password('user')], expected_code=1,
- expected_msg='KDC has no support for encryption type',
- expected_trace=msgs)
-
-# Test that multiple stepwise initial creds operations can be
-# performed with the same krb5_context, with proper tracking of
-# clpreauth module request handles.
-mark('interleaved')
-realm.run([kadminl, 'addprinc', '-pw', 'pw', 'u1'])
-realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u2'])
-realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u3'])
-realm.run([kadminl, 'setstr', 'u2', '2rt', 'extra'])
-out = realm.run(['./icinterleave', 'pw', 'u1', 'u2', 'u3'])
-if out != ('step 1\nstep 2\nstep 3\nstep 1\nfinish 1\nstep 2\nno attr\n'
- 'step 3\nno attr\nstep 2\n2rt: extra\nstep 3\nfinish 3\nstep 2\n'
- 'finish 2\n'):
- fail('unexpected output from icinterleave')
-
-success('Pre-authentication framework tests')
diff --git a/crypto/krb5/src/tests/t_princflags.py b/crypto/krb5/src/tests/t_princflags.py
deleted file mode 100755
index aa366021738b..000000000000
--- a/crypto/krb5/src/tests/t_princflags.py
+++ /dev/null
@@ -1,138 +0,0 @@
-from k5test import *
-from princflags import *
-import re
-
-realm = K5Realm(create_host=False, get_creds=False)
-
-# Regex pattern to match an empty attribute line from kadmin getprinc
-emptyattr = re.compile('^Attributes:$', re.MULTILINE)
-
-
-# Regex pattern to match a kadmin getprinc output for a flag tuple
-def attr_pat(ftuple):
- return re.compile('^Attributes: ' + ftuple.flagname() + '$',
- re.MULTILINE)
-
-
-# Test one flag tuple for kadmin ank.
-def one_kadmin_flag(ftuple):
- pat = attr_pat(ftuple)
- realm.run([kadminl, 'ank', ftuple.setspec(),
- '-pw', 'password', 'test'])
- out = realm.run([kadminl, 'getprinc', 'test'])
- if not pat.search(out):
- fail('Failed to set flag ' + ftuple.flagname())
-
- realm.run([kadminl, 'modprinc', ftuple.clearspec(), 'test'])
- out = realm.run([kadminl, 'getprinc', 'test'])
- if not emptyattr.search(out):
- fail('Failed to clear flag ' + ftuple.flagname())
- realm.run([kadminl, 'delprinc', 'test'])
-
-
-# Generate a custom kdc.conf with default_principal_flags set
-# according to ftuple.
-def genkdcconf(ftuple):
- d = { 'realms': { '$realm': {
- 'default_principal_flags': ftuple.setspec()
- }}}
- return realm.special_env('tmp', True, kdc_conf=d)
-
-
-# Test one ftuple for kdc.conf default_principal_flags.
-def one_kdcconf(ftuple):
- e = genkdcconf(ftuple)
- pat = attr_pat(ftuple)
- realm.run([kadminl, 'ank', '-pw', 'password', 'test'], env=e)
- out = realm.run([kadminl, 'getprinc', 'test'])
- if not pat.search(out):
- fail('Failed to set flag ' + ftuple.flagname() + ' via kdc.conf')
-
- realm.run([kadminl, 'delprinc', 'test'])
-
-
-# Principal name for kadm5.acl line
-def ftuple2pname(ftuple, doset):
- pname = 'set_' if doset else 'clear_'
- return pname + ftuple.flagname()
-
-
-# Translate a strconv ftuple to a spec string for kadmin.
-def ftuple2kadm_spec(ftuple, doset):
- ktuple = kadmin_itable[ftuple.flag]
- if ktuple.invert != ftuple.invert:
- # Could do:
- # doset = not doset
- # but this shouldn't happen.
- raise ValueError
- return ktuple.spec(doset)
-
-
-# Generate a line for kadm5.acl.
-def acl_line(ftuple, doset):
- pname = ftuple2pname(ftuple, doset)
- spec = ftuple.spec(doset)
- return "%s * %s %s\n" % (realm.admin_princ, pname, spec)
-
-
-# Test one kadm5.acl line for a ftuple.
-def one_aclcheck(ftuple, doset):
- pname = ftuple2pname(ftuple, doset)
- pat = attr_pat(ftuple)
- outname = ftuple.flagname()
- # Create the principal and check that the flag is correctly set or
- # cleared.
- realm.run_kadmin(['ank', '-pw', 'password', pname])
- out = realm.run([kadminl, 'getprinc', pname])
- if doset:
- if not pat.search(out):
- fail('Failed to set flag ' + outname + ' via kadm5.acl')
- else:
- if not emptyattr.search(out):
- fail('Failed to clear flag ' + outname + ' via kadm5.acl')
- # If acl forces flag to be set, try to clear it, and vice versa.
- spec = ftuple2kadm_spec(ftuple, not doset)
- realm.run_kadmin(['modprinc', spec, pname])
- out = realm.run([kadminl, 'getprinc', pname])
- if doset:
- if not pat.search(out):
- fail('Failed to keep flag ' + outname + ' set')
- else:
- if not emptyattr.search(out):
- fail('Failed to keep flag ' + outname + ' clear')
-
-
-# Set all flags simultaneously, even the ones that aren't defined yet.
-def lamptest():
- pat = re.compile('^Attributes: ' +
- ' '.join(flags2namelist(0xffffffff)) +
- '$', re.MULTILINE)
- realm.run([kadminl, 'ank', '-pw', 'password', '+0xffffffff', 'test'])
- out = realm.run([kadminl, 'getprinc', 'test'])
- if not pat.search(out):
- fail('Failed to simultaenously set all flags')
- realm.run([kadminl, 'delprinc', 'test'])
-
-
-for ftuple in kadmin_ftuples:
- one_kadmin_flag(ftuple)
-
-for ftuple in strconv_ftuples:
- one_kdcconf(ftuple)
-
-f = open(os.path.join(realm.testdir, 'acl'), 'w')
-for ftuple in strconv_ftuples:
- f.write(acl_line(ftuple, True))
- f.write(acl_line(ftuple, False))
-f.close()
-
-realm.start_kadmind()
-realm.prep_kadmin()
-
-for ftuple in strconv_ftuples:
- one_aclcheck(ftuple, True)
- one_aclcheck(ftuple, False)
-
-lamptest()
-
-success('KDB principal flags')
diff --git a/crypto/krb5/src/tests/t_proxy.py b/crypto/krb5/src/tests/t_proxy.py
deleted file mode 100755
index cbd592a3fe4d..000000000000
--- a/crypto/krb5/src/tests/t_proxy.py
+++ /dev/null
@@ -1,220 +0,0 @@
-from k5test import *
-
-# Skip this test if we're missing proxy functionality or parts of the proxy.
-if runenv.tls_impl == 'no':
- skip_rest('HTTP proxy tests', 'TLS build support not enabled')
-try:
- import kdcproxy
-except:
- skip_rest('HTTP proxy tests', 'Python kdcproxy module not found')
-
-# Construct a krb5.conf fragment configuring the client to use a local proxy
-# server.
-proxycerts = os.path.join(srctop, 'tests', 'proxy-certs')
-proxysubjectpem = os.path.join(proxycerts, 'proxy-subject.pem')
-proxysanpem = os.path.join(proxycerts, 'proxy-san.pem')
-proxyidealpem = os.path.join(proxycerts, 'proxy-ideal.pem')
-proxywrongpem = os.path.join(proxycerts, 'proxy-no-match.pem')
-proxybadpem = os.path.join(proxycerts, 'proxy-badsig.pem')
-proxyca = os.path.join(proxycerts, 'ca.pem')
-proxyurl = 'https://localhost:$port5/KdcProxy'
-proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
-proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
-proxyurl6 = 'https://[::1]:$port5/KdcProxy'
-
-unanchored_krb5_conf = {'realms': {'$realm': {
- 'kdc': proxyurl,
- 'kpasswd_server': proxyurl}}}
-anchored_name_krb5_conf = {'realms': {'$realm': {
- 'kdc': proxyurl,
- 'kpasswd_server': proxyurl,
- 'http_anchors': 'FILE:%s' % proxyca}}}
-anchored_upcasename_krb5_conf = {'realms': {'$realm': {
- 'kdc': proxyurlupcase,
- 'kpasswd_server': proxyurlupcase,
- 'http_anchors': 'FILE:%s' % proxyca}}}
-anchored_kadmin_krb5_conf = {'realms': {'$realm': {
- 'kdc': proxyurl,
- 'admin_server': proxyurl,
- 'http_anchors': 'FILE:%s' % proxyca}}}
-anchored_ipv4_krb5_conf = {'realms': {'$realm': {
- 'kdc': proxyurl4,
- 'kpasswd_server': proxyurl4,
- 'http_anchors': 'FILE:%s' % proxyca}}}
-kpasswd_input = (password('user') + '\n' + password('user') + '\n' +
- password('user') + '\n')
-
-def start_proxy(realm, keycertpem):
- proxy_conf_path = os.path.join(realm.testdir, 'kdcproxy.conf')
- proxy_exec_path = os.path.join(srctop, 'util', 'wsgiref-kdcproxy.py')
- conf =
open(proxy_conf_path, 'w')
- conf.write('[%s]\n' % realm.realm)
- conf.write('kerberos = kerberos://localhost:%d\n' % realm.portbase)
- conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2))
- conf.close()
- realm.env['KDCPROXY_CONFIG'] = proxy_conf_path
- cmd = [sys.executable, proxy_exec_path, str(realm.server_port()),
- keycertpem]
- return realm.start_server(cmd, sentinel='proxy server ready')
-
-# Fail: untrusted issuer and hostname doesn't match.
-mark('untrusted issuer, hostname mismatch')
-output("running pass 1: issuer not trusted and hostname doesn't match\n")
-realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxywrongpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: untrusted issuer, host name matches subject.
-mark('untrusted issuer, hostname subject match')
-output("running pass 2: subject matches, issuer not trusted\n")
-realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxysubjectpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: untrusted issuer, host name matches subjectAltName.
-mark('untrusted issuer, hostname SAN match')
-output("running pass 3: subjectAltName matches, issuer not trusted\n")
-realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxysanpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: untrusted issuer, certificate signature is bad.
-mark('untrusted issuer, bad signature')
-output("running pass 4: subject matches, issuer not trusted\n")
-realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxybadpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: trusted issuer but hostname doesn't match.
-mark('trusted issuer, hostname mismatch')
-output("running pass 5: issuer trusted but hostname doesn't match\n")
-realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxywrongpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Succeed: trusted issuer and host name matches subject.
-mark('trusted issuer, hostname subject match')
-output("running pass 6: issuer trusted, subject matches\n")
-realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
- get_creds=False)
-proxy = start_proxy(realm, proxysubjectpem)
-realm.kinit(realm.user_princ, password=password('user'))
-realm.run([kvno, realm.host_princ])
-realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
-stop_daemon(proxy)
-realm.stop()
-
-# Succeed: trusted issuer and host name matches subjectAltName.
-mark('trusted issuer, hostname SAN match')
-output("running pass 7: issuer trusted, subjectAltName matches\n")
-realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True,
- get_creds=False)
-proxy = start_proxy(realm, proxysanpem)
-realm.kinit(realm.user_princ, password=password('user'))
-realm.run([kvno, realm.host_princ])
-realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: certificate signature is bad.
-mark('bad signature')
-output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n")
-realm = K5Realm(krb5_conf=anchored_name_krb5_conf,
- get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxybadpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: trusted issuer but IP doesn't match.
-mark('trusted issuer, IP mismatch')
-output("running pass 9: issuer trusted but no name matches IP\n")
-realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxywrongpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: trusted issuer, but subject does not match.
-mark('trusted issuer, IP mismatch (hostname in subject)')
-output("running pass 10: issuer trusted, but subject does not match IP\n")
-realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxysubjectpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Succeed: trusted issuer and host name matches subjectAltName.
-mark('trusted issuer, IP SAN match')
-output("running pass 11: issuer trusted, subjectAltName matches IP\n")
-realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, start_kadmind=True,
- get_creds=False)
-proxy = start_proxy(realm, proxysanpem)
-realm.kinit(realm.user_princ, password=password('user'))
-realm.run([kvno, realm.host_princ])
-realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
-stop_daemon(proxy)
-realm.stop()
-
-# Fail: certificate signature is bad.
-mark('bad signature (IP hostname)')
-output("running pass 12: issuer trusted, names don't match, signature bad\n")
-realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False,
- create_host=False)
-proxy = start_proxy(realm, proxybadpem)
-realm.kinit(realm.user_princ, password=password('user'), expected_code=1)
-stop_daemon(proxy)
-realm.stop()
-
-# Succeed: trusted issuer and host name matches subject, using kadmin
-# configuration to find kpasswdd.
-mark('trusted issuer, hostname subject match (kadmin)')
-output("running pass 13: issuer trusted, subject matches\n")
-realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
- get_creds=False, create_host=False)
-proxy = start_proxy(realm, proxysubjectpem)
-realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
-stop_daemon(proxy)
-realm.stop()
-
-# Succeed: trusted issuer and host name matches subjectAltName, using
-# kadmin configuration to find kpasswdd.
-mark('trusted issuer, hostname SAN match (kadmin)')
-output("running pass 14: issuer trusted, subjectAltName matches\n")
-realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True,
- get_creds=False, create_host=False)
-proxy = start_proxy(realm, proxysanpem)
-realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
-stop_daemon(proxy)
-realm.stop()
-
-# Succeed: trusted issuer and host name matches subjectAltName (give or take
-# case).
-mark('trusted issuer, hostname SAN case-insensitive match')
-output("running pass 15: issuer trusted, subjectAltName case-insensitive\n")
-realm = K5Realm(krb5_conf=anchored_upcasename_krb5_conf, start_kadmind=True,
- get_creds=False, create_host=False)
-proxy = start_proxy(realm, proxysanpem)
-realm.run([kpasswd, realm.user_princ], input=kpasswd_input)
-stop_daemon(proxy)
-realm.stop()
-
-success('MS-KKDCP proxy')
diff --git a/crypto/krb5/src/tests/t_pwqual.py b/crypto/krb5/src/tests/t_pwqual.py
deleted file mode 100755
index 58d610d8b6f5..000000000000
--- a/crypto/krb5/src/tests/t_pwqual.py
+++ /dev/null
@@ -1,78 +0,0 @@
-from k5test import *
-
-plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so")
-
-dictfile = os.path.join(os.getcwd(), 'testdir', 'dict')
-
-pconf = {'plugins': {'pwqual': {'module': 'combo:' + plugin}}}
-dconf = {'realms': {'$realm': {'dict_file': dictfile}}}
-realm = K5Realm(krb5_conf=pconf, kdc_conf=dconf, create_user=False,
- create_host=False)
-
-# Write a short dictionary file.
-f = open(dictfile, 'w')
-f.write('birds\nbees\napples\noranges\n')
-f.close()
-
-realm.run([kadminl, 'addpol', 'pol'])
-
-mark('pwqual modules')
-
-# The built-in "empty" module rejects empty passwords even without a policy.
-realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1,
- expected_msg='Empty passwords are not allowed')
-
-# The built-in "dict" module rejects dictionary words, but only with a policy.
-realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2'])
-realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
- expected_code=1,
- expected_msg='Password is in the password dictionary')
-
-# The built-in "princ" module rejects principal components, only with a policy.
-realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4'])
-realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
- expected_code=1,
- expected_msg='Password may not match principal name')
-
-# The dynamic "combo" module rejects pairs of dictionary words.
-realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1,
- expected_msg='Password may not be a pair of dictionary words')
-
-# These plugin ordering tests aren't specifically related to the
-# password quality interface, but are convenient to put here.
-
-mark('plugin module order')
-
-def test_order(realm, testname, conf, expected):
- conf = {'plugins': {'pwqual': conf}}
- env = realm.special_env(testname, False, krb5_conf=conf)
- out = realm.run(['./plugorder'], env=env)
- if out.split() != expected:
- fail('order test: ' + testname)
-
-realm.stop()
-realm = K5Realm(create_kdb=False)
-
-# Check the test harness with no special configuration.
-test_order(realm, 'noconf', {}, ['blt1', 'blt2', 'blt3'])
-
-# Test the basic order: dynamic modules, then built-in modules, each
-# in registration order.
-conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn2:' + plugin]}
-test_order(realm, 'basic', conf,
- ['dyn3', 'dyn1', 'dyn2', 'blt1', 'blt2', 'blt3'])
-
-# Disabling modules should not affect the order of other modules.
-conf['disable'] = ['dyn1', 'blt3']
-test_order(realm, 'disable', conf, ['dyn3', 'dyn2', 'blt1', 'blt2'])
-
-# enable_only should reorder the modules, but can't resurrect disabled
-# modules or create ones from thin air.
-conf['enable_only'] = ['dyn2', 'blt3', 'blt2', 'dyn1', 'dyn3', 'xxx']
-test_order(realm, 'enable_only', conf, ['dyn2', 'blt2', 'dyn3'])
-
-# Duplicate modules should be pruned by preferring earlier entries.
-conf = {'module': ['dyn3:' + plugin, 'dyn1:' + plugin, 'dyn3:' + plugin]}
-test_order(realm, 'duplicate', conf, ['dyn3', 'dyn1', 'blt1', 'blt2', 'blt3'])
-
-success('Password quality interface tests')
diff --git a/crypto/krb5/src/tests/t_rdreq.py b/crypto/krb5/src/tests/t_rdreq.py
deleted file mode 100755
index 7b120b1d62c5..000000000000
--- a/crypto/krb5/src/tests/t_rdreq.py
+++ /dev/null
@@ -1,138 +0,0 @@ -from k5test import * - -conf = {'realms': {'$realm': {'supported_enctypes': 'aes256-cts aes128-cts'}}} -realm = K5Realm(create_host=False, kdc_conf=conf) - -# Define some server principal names. -princ1 = 'host/1@%s' % realm.realm -princ2 = 'host/2@%s' % realm.realm -princ3 = 'HTTP/3@%s' % realm.realm -princ4 = 'HTTP/4@%s' % realm.realm -matchprinc = 'host/@' -nomatchprinc = 'x/@' -realm.addprinc(princ1) -realm.addprinc(princ2) -realm.addprinc(princ3) - -def test(tserver, server, expected): - args = ['./rdreq', tserver] - if server is not None: - args += [server] - out = realm.run(args) - if out.strip() != expected: - fail('unexpected rdreq output') - - -# No keytab present. -mark('no keytab') -nokeytab_err = "45 Key table file '%s' not found" % realm.keytab -test(princ1, None, nokeytab_err) -test(princ1, princ1, nokeytab_err) -test(princ1, matchprinc, nokeytab_err) - -# Keytab present, successful decryption. -mark('success') -realm.extract_keytab(princ1, realm.keytab) -test(princ1, None, '0 success') -test(princ1, princ1, '0 success') -test(princ1, matchprinc, '0 success') - -# Explicit server principal not found in keytab. -mark('explicit server not found') -test(princ2, princ2, '45 No key table entry found for host/2@KRBTEST.COM') - -# Matching server principal does not match any entries in keytab (with -# and without ticket server present in keytab). -mark('matching server') -nomatch_err = '45 Server principal x/@ does not match any keys in keytab' -test(princ1, nomatchprinc, nomatch_err) -test(princ2, nomatchprinc, nomatch_err) - -# Ticket server does not match explicit server principal (with and -# without ticket server present in keytab). -mark('ticket server mismatch') -test(princ1, princ2, '45 No key table entry found for host/2@KRBTEST.COM') -test(princ2, princ1, - '35 Cannot decrypt ticket for host/2@KRBTEST.COM using keytab key for ' - 'host/1@KRBTEST.COM') - -# Ticket server not found in keytab during iteration. 
-mark('ticket server not found')
-test(princ2, None,
- '35 Request ticket server host/2@KRBTEST.COM not found in keytab '
- '(ticket kvno 1)')
-
-# Ticket server found in keytab but is not matched by server principal
-# (but other principals in keytab do match).
-mark('ticket server mismatch (matching)')
-realm.extract_keytab(princ3, realm.keytab)
-test(princ3, matchprinc,
- '35 Request ticket server HTTP/3@KRBTEST.COM found in keytab but does '
- 'not match server principal host/@')
-
-# Service ticket is out of date.
-mark('outdated service ticket')
-os.remove(realm.keytab)
-realm.run([kadminl, 'ktadd', princ1])
-test(princ1, None,
- '44 Request ticket server host/1@KRBTEST.COM kvno 1 not found in keytab; '
- 'ticket is likely out of date')
-test(princ1, princ1,
- '44 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab')
-
-# kvno mismatch due to ticket principal mismatch with explicit server.
-mark('ticket server mismatch (kvno)')
-test(princ2, princ1,
- '35 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab (request '
- 'ticket server host/2@KRBTEST.COM)')
-
-# Keytab is out of date.
-mark('outdated keytab')
-realm.run([kadminl, 'cpw', '-randkey', princ1])
-realm.kinit(realm.user_princ, password('user'))
-test(princ1, None,
- '44 Request ticket server host/1@KRBTEST.COM kvno 3 not found in keytab; '
- 'keytab is likely out of date')
-test(princ1, princ1,
- '44 Cannot find key for host/1@KRBTEST.COM kvno 3 in keytab')
-
-# Ticket server and kvno found but not with ticket enctype.
-mark('missing enctype')
-os.remove(realm.keytab)
-realm.extract_keytab(princ1, realm.keytab)
-pkeytab = realm.keytab + '.partial'
-realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
- (realm.keytab, pkeytab)))
-os.rename(pkeytab, realm.keytab)
-realm.run([klist, '-ke'])
-test(princ1, None,
- '44 Request ticket server host/1@KRBTEST.COM kvno 3 found in keytab but '
- 'not with enctype aes256-cts')
-# This is a bad code (KRB_AP_ERR_NOKEY) and message, because
-# krb5_kt_get_entry returns the same result for this and not finding
-# the principal at all. But it's an uncommon case; GSSAPI apps
-# usually use a matching principal and missing key enctypes are rare.
-test(princ1, princ1, '45 No key table entry found for host/1@KRBTEST.COM')
-
-# Ticket server, kvno, and enctype matched, but key does not work.
-mark('wrong key')
-realm.run([kadminl, 'cpw', '-randkey', princ1])
-realm.run([kadminl, 'modprinc', '-kvno', '3', princ1])
-os.remove(realm.keytab)
-realm.extract_keytab(princ1, realm.keytab)
-test(princ1, None,
- '31 Request ticket server host/1@KRBTEST.COM kvno 3 enctype aes256-cts '
- 'found in keytab but cannot decrypt ticket')
-test(princ1, princ1,
- '31 Cannot decrypt ticket for host/1@KRBTEST.COM using keytab key for '
- 'host/1@KRBTEST.COM')
-
-# Test that aliases work. The ticket server (princ4) isn't present in
-# keytab, but there is a usable princ1 entry with the same key.
-mark('aliases')
-realm.run([kadminl, 'renprinc', princ1, princ4])
-test(princ4, None, '0 success')
-test(princ4, princ1, '0 success')
-test(princ4, matchprinc, '0 success')
-
-success('krb5_rd_req tests')
diff --git a/crypto/krb5/src/tests/t_referral.py b/crypto/krb5/src/tests/t_referral.py
deleted file mode 100755
index f427d5b6e664..000000000000
--- a/crypto/krb5/src/tests/t_referral.py
+++ /dev/null
@@ -1,142 +0,0 @@
-from k5test import *
-
-# Create a pair of realms, where KRBTEST1.COM can authenticate to
-# REFREALM and has a domain-realm mapping for 'd' pointing to it.
-drealm = {'domain_realm': {'d': 'REFREALM'}}
-realm, refrealm = cross_realms(2, xtgts=((0,1),),
- args=({'kdc_conf': drealm},
- {'realm': 'REFREALM',
- 'create_user': False}),
- create_host=False)
-refrealm.addprinc('a/x.d')
-
-savefile = os.path.join(realm.testdir, 'ccache.copy')
-os.rename(realm.ccache, savefile)
-
-# Get credentials and check that we got a referral to REFREALM.
-def testref(realm, nametype):
- shutil.copyfile(savefile, realm.ccache)
- realm.run(['./gcred', nametype, 'a/x.d@'])
- out = realm.run([klist]).split('\n')
- if len(out) != 8:
- fail('unexpected number of lines in klist output')
- if out[5].split()[4] != 'a/x.d@' or out[6].split()[2] != 'a/x.d@REFREALM':
- fail('unexpected service principals in klist output')
-
-# Get credentials and check that we get an error, not a referral.
-def testfail(realm, nametype):
- shutil.copyfile(savefile, realm.ccache)
- realm.run(['./gcred', nametype, 'a/x.d@'], expected_code=1,
- expected_msg='not found in Kerberos database')
-
-# Create a modified KDC environment and restart the KDC.
-def restart_kdc(realm, kdc_conf):
- env = realm.special_env('extravars', True, kdc_conf=kdc_conf)
- realm.stop_kdc()
- realm.start_kdc(env=env)
-
-# With no KDC configuration besides [domain_realm], we should get a
-# referral for a NT-SRV-HST or NT-SRV-INST server name, but not an
-# NT-UNKNOWN or NT-PRINCIPAL server name.
-mark('[domain-realm] only')
-testref(realm, 'srv-hst')
-testref(realm, 'srv-inst')
-testfail(realm, 'principal')
-testfail(realm, 'unknown')
-
-# With host_based_services matching the first server name component
-# ("a"), we should get a referral for an NT-UNKNOWN server name.
-# host_based_services can appear in either [kdcdefaults] or the realm
-# section, with the realm values supplementing the kdcdefaults values.
-# NT-SRV-HST server names should be unaffected by host_based_services,
-# and NT-PRINCIPAL server names shouldn't get a referral regardless.
-mark('host_based_services')
-restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}})
-testref(realm, 'unknown')
-testfail(realm, 'principal')
-restart_kdc(realm, {'kdcdefaults': {'host_based_services': ['b', 'a,c']}})
-testref(realm, 'unknown')
-restart_kdc(realm, {'realms': {'$realm': {'host_based_services': 'a b c'}}})
-testref(realm, 'unknown')
-restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'a'},
- 'realms': {'$realm': {'host_based_services': 'b c'}}})
-testref(realm, 'unknown')
-restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'},
- 'realms': {'$realm': {'host_based_services': 'a,b'}}})
-testref(realm, 'unknown')
-restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}})
-testfail(realm, 'unknown')
-testref(realm, 'srv-hst')
-
-# With no_host_referrals matching the first server name component, we
-# should not get a referral even for NT-SRV-HOST server names
-mark('no_host_referral')
-restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*'}})
-testfail(realm, 'srv-hst')
-restart_kdc(realm, {'kdcdefaults': {'no_host_referral': ['b', 'a,c']}})
-testfail(realm, 'srv-hst')
-restart_kdc(realm, {'realms': {'$realm': {'no_host_referral': 'a b c'}}})
-testfail(realm, 'srv-hst')
-restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'a'},
- 'realms': {'$realm': {'no_host_referral': 'b c'}}})
-testfail(realm, 'srv-hst')
-restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'},
- 'realms': {'$realm': {'no_host_referral': 'a,b'}}})
-testfail(realm, 'srv-hst')
-restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}})
-testref(realm, 'srv-hst')
-
-# no_host_referrals should override host_based_services for NT-UNKNWON
-# server names.
-restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*',
- 'host_based_services': '*'}})
-testfail(realm, 'unknown')
-
-realm.stop()
-refrealm.stop()
-
-# Regression test for #7483: a KDC should not return a host referral
-# to its own realm.
-mark('#7483 regression test')
-drealm = {'domain_realm': {'d': 'KRBTEST.COM'}}
-realm = K5Realm(kdc_conf=drealm, create_host=False)
-out, trace = realm.run(['./gcred', 'srv-hst', 'a/x.d@'], expected_code=1,
- return_trace=True)
-if 'back to same realm' in trace:
- fail('KDC returned referral to service realm')
-realm.stop()
-
-# Test client referrals. Use the test KDB module for KRBTEST1.COM to
-# simulate referrals since our built-in modules do not support them.
-# No cross-realm TGTs are necessary.
-mark('client referrals')
-kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
- 'dbmodules': {'test': {'db_library': 'test',
- 'alias': {'user': '@KRBTEST2.COM',
- 'abc@XYZ': '@KRBTEST2.COM'}}}}
-r1, r2 = cross_realms(2, xtgts=(),
- args=({'kdc_conf': kdcconf, 'create_kdb': False}, None),
- create_host=False)
-r2.addprinc('abc\\@XYZ', 'pw')
-r1.start_kdc()
-r1.kinit('user', expected_code=1,
- expected_msg='not found in Kerberos database')
-r1.kinit('user', password('user'), ['-C'])
-r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
-r1.kinit('abc@XYZ', 'pw', ['-E'])
-r1.klist('abc\\@XYZ@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
-
-# Test that disable_encrypted_timestamp persists across client
-# referrals. (This test relies on SPAKE not being enabled by default
-# on the KDC.)
-r2.run([kadminl, 'modprinc', '+preauth', 'user'])
-msgs = ('Encrypted timestamp (for ')
-r1.kinit('user', password('user'), ['-C'], expected_trace=msgs)
-dconf = {'realms': {'$realm': {'disable_encrypted_timestamp': 'true'}}}
-denv = r1.special_env('disable_encts', False, krb5_conf=dconf)
-msgs = ('Ignoring encrypted timestamp because it is disabled',
- '/Encrypted timestamp is disabled')
-r1.kinit('user', None, ['-C'], env=denv, expected_code=1, expected_trace=msgs,
- expected_msg='Encrypted timestamp is disabled')
-
-success('KDC host referral tests')
diff --git a/crypto/krb5/src/tests/t_renew.py b/crypto/krb5/src/tests/t_renew.py
deleted file mode 100755
index 9f22bab821fa..000000000000
--- a/crypto/krb5/src/tests/t_renew.py
+++ /dev/null
@@ -1,122 +0,0 @@
-from k5test import *
-from datetime import datetime
-import re
-
-conf = {'realms': {'$realm': {'max_life': '20h', 'max_renewable_life': '20h'}}}
-realm = K5Realm(create_host=False, get_creds=False, kdc_conf=conf)
-
-# We will be scraping timestamps from klist to compute lifetimes, so
-# use a time zone with no daylight savings time.
-realm.env['TZ'] = 'UTC'
-
-def test(testname, life, rlife, exp_life, exp_rlife, env=None):
- global realm
- flags = ['-l', life]
- if rlife is not None:
- flags += ['-r', rlife]
- realm.kinit(realm.user_princ, password('user'), flags=flags, env=env)
- out = realm.run([klist, '-f'])
-
- if ('Default principal: %s\n' % realm.user_princ) not in out:
- fail('%s: did not get tickets' % testname)
-
- # Extract flags and check the renewable flag against expectations.
- flags = re.findall(r'Flags: ([a-zA-Z]*)', out)[0]
- if exp_rlife is None and 'R' in flags:
- fail('%s: ticket unexpectedly renewable' % testname)
- if exp_rlife is not None and 'R' not in flags:
- fail('%s: ticket unexpectedly non-renewable' % testname)
-
- # Extract the start time, end time, and renewable end time if present.
- times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
- times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
- starttime = times[0]
- endtime = times[1]
- rtime = times[2] if len(times) >= 3 else None
-
- # Check the ticket lifetime against expectations. If the lifetime
- # was determined by the request, there may be a small error
- # because KDC requests contain an end time rather than a lifetime.
- life = (endtime - starttime).seconds
- if abs(life - exp_life) > 5:
- fail('%s: expected life %d, got %d' % (testname, exp_life, life))
-
- # Check the ticket renewable lifetime against expectations.
- if exp_rlife is None and rtime is not None:
- fail('%s: ticket has unexpected renew_till' % testname)
- if exp_rlife is not None and rtime is None:
- fail('%s: ticket is renewable but has no renew_till' % testname)
- if rtime is not None:
- rlife = (rtime - starttime).seconds
- if abs(rlife - exp_rlife) > 5:
- fail('%s: expected rlife %d, got %d' %
- (testname, exp_rlife, rlife))
-
-# Get renewable tickets.
-test('simple', '1h', '2h', 3600, 7200)
-
-# Renew twice, to test that renewed tickets are renewable.
-mark('renew twice')
-realm.kinit(realm.user_princ, flags=['-R'])
-realm.kinit(realm.user_princ, flags=['-R'])
-realm.klist(realm.user_princ)
-
-# Make sure we can use a renewed ticket.
-realm.run([kvno, realm.user_princ])
-
-# Make sure we can't renew non-renewable tickets.
-mark('non-renewable')
-test('non-renewable', '1h', None, 3600, None)
-realm.kinit(realm.user_princ, flags=['-R'], expected_code=1,
- expected_msg="KDC can't fulfill requested option")
-
-# Test that -allow_renewable on the client principal works.
-mark('allow_renewable (client)')
-realm.run([kadminl, 'modprinc', '-allow_renewable', 'user'])
-test('disallowed client', '1h', '2h', 3600, None)
-realm.run([kadminl, 'modprinc', '+allow_renewable', 'user'])
-
-# Test that -allow_renewable on the server principal works.
-mark('allow_renewable (server)')
-realm.run([kadminl, 'modprinc', '-allow_renewable', realm.krbtgt_princ])
-test('disallowed server', '1h', '2h', 3600, None)
-realm.run([kadminl, 'modprinc', '+allow_renewable', realm.krbtgt_princ])
-
-# Test that trivially renewable tickets are issued if renew_till <=
-# till. (Our client code bumps up the requested renewable life to the
-# requested life.)
-mark('trivially renewable')
-test('short', '2h', '1h', 7200, 7200)
-
-# Test that renewable tickets are issued if till > max life by
-# default, but not if we configure away the RENEWABLE-OK option.
-mark('renewable-ok')
-no_opts_conf = {'libdefaults': {'kdc_default_options': '0'}}
-no_opts = realm.special_env('no_opts', False, krb5_conf=no_opts_conf)
-realm.run([kadminl, 'modprinc', '-maxlife', '10 hours', 'user'])
-test('long', '15h', None, 10 * 3600, 15 * 3600)
-test('long noopts', '15h', None, 10 * 3600, None, env=no_opts)
-realm.run([kadminl, 'modprinc', '-maxlife', '20 hours', 'user'])
-
-# Test maximum renewable life on the client principal.
-mark('maxrenewlife (client)')
-realm.run([kadminl, 'modprinc', '-maxrenewlife', '5 hours', 'user'])
-test('maxrenewlife client 1', '4h', '5h', 4 * 3600, 5 * 3600)
-test('maxrenewlife client 2', '6h', '10h', 6 * 3600, 5 * 3600)
-
-# Test maximum renewable life on the server principal.
-mark('maxrenewlife (server)')
-realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours',
- realm.krbtgt_princ])
-test('maxrenewlife server 1', '2h', '3h', 2 * 3600, 3 * 3600)
-test('maxrenewlife server 2', '4h', '8h', 4 * 3600, 3 * 3600)
-
-# Test realm maximum life.
-mark('realm maximum life')
-realm.run([kadminl, 'modprinc', '-maxrenewlife', '40 hours', 'user'])
-realm.run([kadminl, 'modprinc', '-maxrenewlife', '40 hours',
- realm.krbtgt_princ])
-test('maxrenewlife realm 1', '10h', '20h', 10 * 3600, 20 * 3600)
-test('maxrenewlife realm 2', '21h', '40h', 20 * 3600, 20 * 3600)
-
-success('Renewing credentials')
diff --git a/crypto/krb5/src/tests/t_renprinc.py b/crypto/krb5/src/tests/t_renprinc.py
deleted file mode 100755
index 3dbb3e77ef11..000000000000
--- a/crypto/krb5/src/tests/t_renprinc.py
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-
-enctype = "aes128-cts"
-
-realm = K5Realm(create_host=False, create_user=False)
-salttypes = ('normal', 'norealm', 'onlyrealm')
-
-# For a variety of salt types, test that we can rename a principal and
-# still get tickets with the same password.
-for st in salttypes:
- realm.run([kadminl, 'addprinc', '-e', enctype + ':' + st,
- '-pw', password(st), st])
- realm.kinit(st, password(st))
- newprinc = 'new' + st
- realm.run([kadminl, 'renprinc', st, newprinc])
- realm.kinit(newprinc, password(st))
-
-# Rename the normal salt again to test renaming a principal with
-# special salt type (which it will have after the first rename).
-realm.run([kadminl, 'renprinc', 'newnormal', 'newnormal2'])
-realm.kinit('newnormal2', password('normal'))
-
-success('Principal renaming tests')
diff --git a/crypto/krb5/src/tests/t_replay.py b/crypto/krb5/src/tests/t_replay.py
deleted file mode 100644
index 6ad58fe13209..000000000000
--- a/crypto/krb5/src/tests/t_replay.py
+++ /dev/null
@@ -1,6 +0,0 @@
-from k5test import *
-
-realm = K5Realm()
-realm.run(['./replay', realm.host_princ])
-
-success('Replay tests')
diff --git a/crypto/krb5/src/tests/t_salt.py b/crypto/krb5/src/tests/t_salt.py
deleted file mode 100755
index 65084bbf3576..000000000000
--- a/crypto/krb5/src/tests/t_salt.py
+++ /dev/null
@@ -1,55 +0,0 @@
-from k5test import *
-import re
-
-realm = K5Realm(create_user=False)
-
-# Check that a non-default salt type applies only to the key it is
-# matched with and not to subsequent keys. e1 and e2 are enctypes,
-# and salt is a non-default salt type.
-def test_salt(realm, e1, salt, e2):
- keysalts = e1 + ':' + salt + ',' + e2
- realm.run([kadminl, 'ank', '-e', keysalts, '-pw', 'password', 'user'])
- out = realm.run([kadminl, 'getprinc', 'user'])
- if len(re.findall(':' + salt, out)) != 1:
- fail(salt + ' present in second enctype or not present')
- realm.run([kadminl, 'delprinc', 'user'])
-
-# Enctype/salt pairs chosen with non-default salt types.
-# The enctypes are mostly arbitrary.
-salts = [('des3-cbc-sha1', 'norealm'),
- ('arcfour-hmac', 'onlyrealm'),
- ('aes128-cts-hmac-sha1-96', 'special')]
-# These enctypes are chosen to cover the different string-to-key routines.
-# Omit ":normal" from aes256 to check that salttype defaulting works.
-second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal',
- 'des3-cbc-sha1:normal']
-
-# Test using different salt types in a principal's key list.
-# Parameters from one key in the list must not leak over to later ones.
-for e1, string in salts:
- for e2 in second_kstypes:
- test_salt(realm, e1, string, e2)
-
-def test_dup(realm, ks):
- realm.run([kadminl, 'ank', '-e', ks, '-pw', 'password', 'ks_princ'])
- out = realm.run([kadminl, 'getprinc', 'ks_princ'])
- lines = out.split('\n')
- keys = [l for l in lines if 'Key: ' in l]
- uniq = set(keys)
- # 'Key:' matches 'MKey:' as well so len(keys) has one extra
- if (len(uniq) != len(keys)) or len(keys) > len(ks.split(',')):
- fail('Duplicate keysalt detection failed for keysalt ' + ks)
- realm.run([kadminl, 'delprinc', 'ks_princ'])
-
-# All in-tree callers request duplicate suppression from
-# krb5_string_to_keysalts(); we should check that it works, respects
-# aliases, and doesn't result in an infinite loop.
-dup_kstypes = ['arcfour-hmac-md5:normal,rc4-hmac:normal',
- 'aes256-cts-hmac-sha1-96:normal,aes128-cts,aes256-cts',
- 'aes256-cts-hmac-sha1-96:normal,aes256-cts:special,' +
- 'aes256-cts-hmac-sha1-96:normal']
-
-for ks in dup_kstypes:
- test_dup(realm, ks)
-
-success("Salt types")
diff --git a/crypto/krb5/src/tests/t_sendto_kdc.py b/crypto/krb5/src/tests/t_sendto_kdc.py
deleted file mode 100644
index d27467b6ba6c..000000000000
--- a/crypto/krb5/src/tests/t_sendto_kdc.py
+++ /dev/null
@@ -1,45 +0,0 @@
-from k5test import *
-
-realm = K5Realm(create_host=False)
-
-mark('Fallback to primary KDC')
-
-# Create a replica database and start a KDC.
-conf_rep = {'dbmodules': {'db': {'database_name': '$testdir/db.replica2'}},
- 'realms': {'$realm': {'kdc_listen': '$port9',
- 'kdc_tcp_listen': '$port9'}}}
-replica = realm.special_env('replica', True, kdc_conf=conf_rep)
-dumpfile = os.path.join(realm.testdir, 'dump')
-realm.run([kdb5_util, 'dump', dumpfile])
-realm.run([kdb5_util, 'load', dumpfile], env=replica)
-replica_kdc = realm.start_server([krb5kdc, '-n'], 'starting...', env=replica)
-
-# Change the password on the primary.
-realm.run([kadminl, 'cpw', '-pw', 'new', realm.user_princ])
-
-conf_fallback = {'realms': {'$realm': {'kdc': '$hostname:$port9',
- 'primary_kdc': '$hostname:$port0'}}}
-fallback = realm.special_env('fallback', False, krb5_conf=conf_fallback)
-msgs = ('Retrying AS request with primary KDC',)
-realm.kinit(realm.user_princ, 'new', env=fallback, expected_trace=msgs)
-
-stop_daemon(replica_kdc)
-
-mark('UNIX domain socket')
-
-conf_unix = {'realms': {'$realm': {'kdc_listen': '$testdir/krb5.sock',
- 'kdc_tcp_listen': ''}}}
-unix = realm.special_env('unix', True, kdc_conf=conf_unix)
-realm.run([kdb5_util, 'load', dumpfile], env=unix)
-realm.stop_kdc()
-realm.start_kdc(env=unix)
-
-conf_unix_cli = {'realms': {'$realm': {'kdc': '$testdir/krb5.sock'}}}
-unix_cli = realm.special_env('unix_cli', False, krb5_conf=conf_unix_cli)
-
-# Do a kinit and check if we send the packet via a UNIX domain socket.
-msgs = ('Sending TCP request to UNIX domain socket',)
-realm.kinit(realm.user_princ, password('user'), env=unix_cli,
- expected_trace=msgs)
-
-success('sendto_kdc')
diff --git a/crypto/krb5/src/tests/t_sesskeynego.py b/crypto/krb5/src/tests/t_sesskeynego.py
deleted file mode 100755
index 5a213617b525..000000000000
--- a/crypto/krb5/src/tests/t_sesskeynego.py
+++ /dev/null
@@ -1,94 +0,0 @@
-from k5test import *
-import re
-
-# Run "kvno server" with a fresh set of client tickets, then check that the
-# enctypes in the service ticket match the expected values.
-etypes_re = re.compile(r'server@[^\n]+\n\tEtype \(skey, tkt\): '
- r'([^,]+), ([^\s]+)')
-def test_kvno(realm, expected_skey, expected_tkt):
- realm.kinit(realm.user_princ, password('user'))
- realm.run([kvno, 'server'])
- output = realm.run([klist, '-e'])
- m = etypes_re.search(output)
- if not m:
- fail('could not parse etypes from klist -e output')
- skey, tkt = m.groups()
- if skey != expected_skey:
- fail('got session key type %s, expected %s' % (skey, expected_skey))
- if tkt != expected_tkt:
- fail('got ticket key type %s, expected %s' % (tkt, expected_tkt))
-
-conf1 = {'libdefaults': {'default_tgs_enctypes': 'aes128-cts,aes256-cts'}}
-conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}
-conf3 = {'libdefaults': {
- 'allow_weak_crypto': 'true',
- 'default_tkt_enctypes': 'aes128-cts',
- 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
-conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
-conf5 = {'libdefaults': {'allow_rc4': 'true'}}
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
-# Test with client request and session_enctypes preferring aes128, but
-# aes256 long-term key.
-realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
- 'aes128-cts,aes256-cts'])
-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# Second go, almost same as first, but resulting session key must be aes256
-# because of the difference in default_tgs_enctypes order. This tests that
-# session_enctypes doesn't change the order in which we negotiate.
-realm = K5Realm(krb5_conf=conf2, create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
- 'aes128-cts,aes256-cts'])
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# Next we use conf3 and try various things.
-realm = K5Realm(krb5_conf=conf3, create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts:normal',
- 'server'])
-
-# 3a: Negotiate aes128 session key when principal only has aes256 long-term.
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
- 'aes128-cts,aes256-cts'])
-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
-
-# 3b: Skip RC4 (as the KDC does not allow it for session keys by
-# default) and negotiate aes128-cts session key, with only an aes256
-# long-term service key.
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
- 'rc4-hmac,aes128-cts,aes256-cts'])
-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# 4: Check that permitted_enctypes is a default for session key enctypes.
-realm = K5Realm(krb5_conf=conf4, create_host=False, get_creds=False)
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, 'user'],
- expected_trace=('etypes requested in TGS request: aes256-cts',))
-realm.stop()
-
-# 5: allow_rc4 permits negotiation of rc4-hmac session key.
-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# 7: default config negotiates aes256-sha1 session key for RC4-only service.
-realm = K5Realm(create_host=False, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
-realm.stop()
-
-success('sesskeynego')
diff --git a/crypto/krb5/src/tests/t_skew.py b/crypto/krb5/src/tests/t_skew.py
deleted file mode 100755
index ed40edecf64a..000000000000
--- a/crypto/krb5/src/tests/t_skew.py
+++ /dev/null
@@ -1,55 +0,0 @@
-from k5test import *
-
-# Create a realm with the KDC one hour in the past.
-realm = K5Realm(start_kdc=False)
-realm.start_kdc(['-T', '-3600'])
-
-# kinit (no preauth) should work, and should set a clock skew allowing
-# kvno to work, with or without FAST.
-mark('kdc_timesync enabled, no preauth')
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, realm.host_princ])
-realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
-realm.run([kvno, realm.host_princ])
-realm.run([kdestroy])
-
-# kinit (with preauth) should work, with or without FAST.
-mark('kdc_timesync enabled, with preauth')
-realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, realm.host_princ])
-realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
-realm.run([kvno, realm.host_princ])
-realm.run([kdestroy])
-
-realm.stop()
-
-# Repeat the above tests with kdc_timesync disabled.
-conf = {'libdefaults': {'kdc_timesync': '0'}}
-realm = K5Realm(start_kdc=False, krb5_conf=conf)
-realm.start_kdc(['-T', '-3600'])
-
-# Get tickets to use for FAST kinit tests. The start time offset is
-# ignored by the KDC since we aren't getting postdatable tickets, but
-# serves to suppress the client clock skew check on the KDC reply.
-fast_cache = realm.ccache + '.fast'
-realm.kinit(realm.user_princ, password('user'),
- flags=['-s', '-3600s', '-c', fast_cache])
-
-# kinit should detect too much skew in the KDC response. kinit with
-# FAST should fail from the KDC since the armor AP-REQ won't be valid.
-mark('KDC timesync disabled, no preauth')
-realm.kinit(realm.user_princ, password('user'), expected_code=1,
- expected_msg='Clock skew too great in KDC reply')
-realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1,
- expected_msg='Clock skew too great while')
-
-# kinit (with preauth) should fail from the KDC, with or without FAST.
-mark('KDC timesync disabled, with preauth')
-realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
-realm.kinit(realm.user_princ, password('user'), expected_code=1,
- expected_msg='Clock skew too great while')
-realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1,
- expected_msg='Clock skew too great while')
-
-success('Clock skew tests')
diff --git a/crypto/krb5/src/tests/t_sn2princ.py b/crypto/krb5/src/tests/t_sn2princ.py
deleted file mode 100755
index 0b63dbecdbc4..000000000000
--- a/crypto/krb5/src/tests/t_sn2princ.py
+++ /dev/null
@@ -1,167 +0,0 @@
-from k5test import *
-
-offline = (len(args) > 0 and args[0] != "no")
-
-conf = {'libdefaults': {'dns_canonicalize_hostname': 'true'},
- 'domain_realm': {'kerberos.org': 'R1',
- 'example.com': 'R2',
- 'mit.edu': 'R3'}}
-no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
-no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
- 'qualify_shortname': 'example.com'}}
-fallback_canon_conf = {'libdefaults':
- {'rdns': 'false',
- 'dns_canonicalize_hostname': 'fallback'}}
-
-realm = K5Realm(realm='R1', create_host=False, krb5_conf=conf)
-no_rdns = realm.special_env('no_rdns', False, krb5_conf=no_rdns_conf)
-no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
-fallback_canon = realm.special_env('fallback_canon', False,
- krb5_conf=fallback_canon_conf)
-
-def testbase(host, nametype, princhost, princrealm, env=None):
- # Run the sn2princ harness with a specified host and name type and
- # the fixed service string 'svc', and compare the result to the
- # expected hostname and realm part.
- out = realm.run(['./s2p', host, 'SVC', nametype], env=env).rstrip()
- expected = 'SVC/%s@%s' % (princhost, princrealm)
- if out != expected:
- fail('Expected %s, got %s' % (expected, out))
-
-def test(host, princhost, princrealm):
- # Test with the host-based name type with canonicalization enabled.
- testbase(host, 'srv-hst', princhost, princrealm)
-
-def testnc(host, princhost, princrealm):
- # Test with the host-based name type with canonicalization disabled.
- testbase(host, 'srv-hst', princhost, princrealm, env=no_canon)
-
-def testnr(host, princhost, princrealm):
- # Test with the host-based name type with reverse lookup disabled.
- testbase(host, 'srv-hst', princhost, princrealm, env=no_rdns)
-
-def testu(host, princhost, princrealm):
- # Test with the unknown name type.
- testbase(host, 'unknown', princhost, princrealm)
-
-def testfc(host, princhost, princrealm):
- # Test with the host-based name type with canonicalization fallback.
- testbase(host, 'srv-hst', princhost, princrealm, env=fallback_canon)
-
-# With the unknown principal type, we do not canonicalize or downcase,
-# but we do remove a trailing period and look up the realm.
-mark('unknown type')
-testu('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1')
-testu('Example.COM', 'Example.COM', 'R2')
-testu('abcde', 'abcde', '')
-
-# A ':port' or ':instance' trailer should be ignored for realm lookup.
-# If there is more than one colon in the name, we assume it's an IPv6
-# address and don't treat it as having a trailer.
-mark('port trailer')
-testu('example.com.:123', 'example.com.:123', 'R2')
-testu('Example.COM:xyZ', 'Example.COM:xyZ', 'R2')
-testu('example.com.::123', 'example.com.::123', '')
-
-# With dns_canonicalize_hostname=false, we downcase and remove
-# trailing dots but do not canonicalize the hostname.
-# Single-component names are qualified with the configured suffix
-# (defaulting to the first OS search domain, but Python cannot easily
-# retrieve that value so we don't test it). Trailers do not get
-# downcased.
-mark('dns_canonicalize_host=false')
-testnc('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1')
-testnc('Example.COM', 'example.com', 'R2')
-testnc('abcde', 'abcde.example.com', 'R2')
-testnc('example.com.:123', 'example.com:123', 'R2')
-testnc('Example.COM:xyZ', 'example.com:xyZ', 'R2')
-testnc('example.com.::123', 'example.com.::123', '')
-
-if offline:
- skip_rest('sn2princ tests', 'offline mode requested')
-
-# For the online tests, we rely on ptr-mismatch.kerberos.org forward
-# and reverse resolving to these names.
-oname = 'ptr-mismatch.kerberos.org'
-fname = 'www.kerberos.org'
-
-# Test fallback canonicalization krb5_sname_to_principal() results.
-mark('dns_canonicalize_host=fallback')
-testfc(oname, oname, '')
-
-# Verify forward resolution before testing for it.
-try:
- ai = socket.getaddrinfo(oname, None, 0, 0, 0, socket.AI_CANONNAME)
-except socket.gaierror:
- skip_rest('sn2princ tests', 'cannot forward resolve %s' % oname)
-(family, socktype, proto, canonname, sockaddr) = ai[0]
-if canonname.lower() != fname:
- skip_rest('sn2princ tests',
- '%s forward resolves to %s, not %s' % (oname, canonname, fname))
-
-# Test fallback canonicalization in krb5_get_credentials().
-oprinc = 'host/' + oname
-fprinc = 'host/' + fname
-shutil.copy(realm.ccache, realm.ccache + '.save')
-# Test that we only try fprinc once if we enter it as input.
-out, trace = realm.run(['./gcred', 'srv-hst', fprinc + '@'],
- env=fallback_canon, expected_code=1, return_trace=True)
-msg = 'Requesting tickets for %s@R1, referrals on' % fprinc
-if trace.count(msg) != 1:
- fail('Expected one try for %s' % fprinc)
-# Create fprinc, and verify that we get it as the canonicalized
-# fallback for oprinc.
-realm.addprinc(fprinc)
-msgs = ('Getting credentials user@R1 -> %s@ using' % oprinc,
- 'Requesting tickets for %s@R1' % oprinc,
- 'Requesting tickets for %s@R1' % fprinc,
- 'Received creds for desired service %s@R1' % fprinc)
-realm.run(['./gcred', 'srv-hst', oprinc + '@'], env=fallback_canon,
- expected_msg=fprinc, expected_trace=msgs)
-realm.addprinc(oprinc)
-# oprinc now exists, but we still get the fprinc ticket from the cache.
-realm.run(['./gcred', 'srv-hst', oprinc + '@'], env=fallback_canon,
- expected_msg=fprinc)
-# Without the cached result, we should get oprinc in preference to fprinc.
-os.rename(realm.ccache + '.save', realm.ccache)
-realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
- expected_msg=oprinc)
-
-# Test fallback canonicalization for krb5_rd_req().
-realm.run([kadminl, 'ktadd', fprinc])
-msgs = ('Decrypted AP-REQ with server principal %s@R1' % fprinc,
- 'AP-REQ ticket: user@R1 -> %s@R1' % fprinc)
-realm.run(['./rdreq', fprinc, oprinc + '@'], env=fallback_canon,
- expected_trace=msgs)
-
-# Test fallback canonicalization for getting initial creds with a keytab.
-msgs = ('Getting initial credentials for %s@' % oprinc,
- 'Found entries for %s@R1 in keytab' % fprinc,
- 'Retrieving %s@R1 from ' % fprinc)
-realm.run(['./icred', '-k', realm.keytab, '-S', 'host', oname],
- env=fallback_canon, expected_trace=msgs)
-
-# Test forward-only canonicalization (rdns=false).
-mark('rdns=false')
-testnr(oname, fname, 'R1')
-testnr(oname + ':123', fname + ':123', 'R1')
-testnr(oname + ':xyZ', fname + ':xyZ', 'R1')
-
-# Verify reverse resolution before testing for it.
-try:
- names = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
-except socket.gaierror:
- skip_rest('reverse sn2princ tests', 'cannot reverse resolve %s' % oname)
-rname = names[0].lower()
-if rname == fname:
- skip_rest('reverse sn2princ tests',
- '%s reverse resolves to %s '
- 'which should be different from %s' % (oname, rname, fname))
-
-# Test default canonicalization (forward and reverse lookup).
-mark('default')
-test(oname, rname, 'R3')
-test(oname + ':123', rname + ':123', 'R3')
-test(oname + ':xyZ', rname + ':xyZ', 'R3')
-
-success('krb5_sname_to_principal tests')
diff --git a/crypto/krb5/src/tests/t_spake.py b/crypto/krb5/src/tests/t_spake.py
deleted file mode 100644
index f0afefb60565..000000000000
--- a/crypto/krb5/src/tests/t_spake.py
+++ /dev/null
@@ -1,149 +0,0 @@
-from k5test import *
-
-# The name and number of each supported SPAKE group.
-builtin_groups = ((1, 'edwards25519'),)
-openssl_groups = ((2, 'P-256'), (3, 'P-384'), (4, 'P-521'))
-if runenv.have_spake_openssl == 'yes':
- groups = builtin_groups + openssl_groups
-else:
- groups = builtin_groups
-
-for gnum, gname in groups:
- mark('group %s' % gname)
- conf = {'libdefaults': {'spake_preauth_groups': gname}}
- for realm in multipass_realms(create_user=False, create_host=False,
- krb5_conf=conf):
- realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user'])
-
- # Test a basic SPAKE preauth scenario with no optimizations.
- msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Selected etype info:',
- 'Sending SPAKE support message',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- '/More preauthentication data is required',
- 'Continuing preauth mech PA-SPAKE (151)',
- 'SPAKE challenge received with group ' + str(gnum),
- 'Sending SPAKE response',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- 'AS key determined by preauth:',
- 'Decrypted AS reply')
- realm.kinit('user', 'pw', expected_trace=msgs)
-
- # Test an unsuccessful authentication.
- msgs = ('/Additional pre-authentication required',
- 'Selected etype info:',
- 'Sending SPAKE support message',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- '/More preauthentication data is required',
- 'Continuing preauth mech PA-SPAKE (151)',
- 'SPAKE challenge received with group ' + str(gnum),
- 'Sending SPAKE response',
- '/Preauthentication failed')
- realm.kinit('user', 'wrongpw', expected_code=1, expected_trace=msgs)
-
-conf = {'libdefaults': {'spake_preauth_groups': 'edwards25519'}}
-kdcconf = {'realms': {'$realm': {'spake_preauth_indicator': 'indspake'}}}
-realm = K5Realm(create_user=False, krb5_conf=conf, kdc_conf=kdcconf)
-realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user'])
-
-# Test with FAST.
-mark('FAST')
-msgs = ('Using FAST due to armor ccache negotiation',
- 'FAST armor key:',
- 'Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Decoding FAST response',
- 'Selected etype info:',
- 'Sending SPAKE support message',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- '/More preauthentication data is required',
- 'Continuing preauth mech PA-SPAKE (151)',
- 'SPAKE challenge received with group 1',
- 'Sending SPAKE response',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- 'AS key determined by preauth:',
- 'FAST reply key:')
-realm.kinit(realm.host_princ, flags=['-k'])
-realm.kinit('user', 'pw', flags=['-T', realm.ccache], expected_trace=msgs)
-
-# Test optimistic client preauth (151 is PA-SPAKE).
-mark('client optimistic')
-msgs = ('Attempting optimistic preauth',
- 'Processing preauth types: PA-SPAKE (151)',
- 'Sending SPAKE support message',
- 'for next request: PA-SPAKE (151)',
- '/More preauthentication data is required',
- 'Selected etype info:',
- 'SPAKE challenge received with group 1',
- 'Sending SPAKE response',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- 'AS key determined by preauth:',
- 'Decrypted AS reply')
-realm.run(['./icred', '-o', '151', 'user', 'pw'], expected_trace=msgs)
-
-# Test KDC optimistic challenge (accepted by client).
-mark('KDC optimistic')
-oconf = {'kdcdefaults': {'spake_preauth_kdc_challenge': 'edwards25519'}}
-oenv = realm.special_env('ochal', True, krb5_conf=oconf)
-realm.stop_kdc()
-realm.start_kdc(env=oenv)
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Selected etype info:',
- 'SPAKE challenge received with group 1',
- 'Sending SPAKE response',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- 'AS key determined by preauth:',
- 'Decrypted AS reply')
-realm.kinit('user', 'pw', expected_trace=msgs)
-
-if runenv.have_spake_openssl != 'yes':
- skip_rest('SPAKE fallback tests', 'SPAKE not built using OpenSSL')
-
-# Test optimistic client preauth falling back to encrypted timestamp
-# because the KDC doesn't support any of the client groups.
-mark('client optimistic (fallback)')
-p256conf={'libdefaults': {'spake_preauth_groups': 'P-256'}}
-p256env = realm.special_env('p256', False, krb5_conf=p256conf)
-msgs = ('Attempting optimistic preauth',
- 'Processing preauth types: PA-SPAKE (151)',
- 'Sending SPAKE support message',
- 'for next request: PA-SPAKE (151)',
- '/Preauthentication failed',
- 'Selected etype info:',
- 'Encrypted timestamp ',
- 'for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
- 'AS key determined by preauth:',
- 'Decrypted AS reply')
-realm.run(['./icred', '-o', '151', 'user', 'pw'], env=p256env,
- expected_trace=msgs)
-
-# Test KDC optimistic challenge (rejected by client).
-mark('KDC optimistic (rejected)')
-rconf = {'libdefaults': {'spake_preauth_groups': 'P-384,edwards25519'},
- 'kdcdefaults': {'spake_preauth_kdc_challenge': 'P-384'}}
-renv = realm.special_env('ochal', True, krb5_conf=rconf)
-realm.stop_kdc()
-realm.start_kdc(env=renv)
-msgs = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Selected etype info:',
- 'SPAKE challenge with group 3 rejected',
- 'Sending SPAKE support message',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- '/More preauthentication data is required',
- 'Continuing preauth mech PA-SPAKE (151)',
- 'SPAKE challenge received with group 1',
- 'Sending SPAKE response',
- 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
- 'AS key determined by preauth:',
- 'Decrypted AS reply')
-realm.kinit('user', 'pw', expected_trace=msgs)
-
-# Check that the auth indicator for SPAKE is properly included by the KDC.
-mark('auth indicator')
-realm.run([kvno, realm.host_princ])
-realm.run(['./adata', realm.host_princ], expected_msg='+97: [indspake]')
-
-success('SPAKE pre-authentication tests')
diff --git a/crypto/krb5/src/tests/t_stringattr.py b/crypto/krb5/src/tests/t_stringattr.py
deleted file mode 100755
index c2dc348e9004..000000000000
--- a/crypto/krb5/src/tests/t_stringattr.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-
-realm = K5Realm(start_kadmind=True, create_host=False, get_creds=False)
-
-realm.prep_kadmin()
-
-realm.run_kadmin(['getstrs', 'user'], expected_msg='(No string attributes.)')
-
-realm.run_kadmin(['setstr', 'user', 'attr1', 'value1'])
-realm.run_kadmin(['setstr', 'user', 'attr2', 'value2'])
-realm.run_kadmin(['delstr', 'user', 'attr1'])
-realm.run_kadmin(['setstr', 'user', 'attr3', 'value3'])
-
-out = realm.run_kadmin(['getstrs', 'user'])
-if ('attr2: value2' not in out or 'attr3: value3' not in out or
- 'attr1:' in out):
- fail('Final attribute query')
-
-success('KDB string attributes')
diff --git a/crypto/krb5/src/tests/t_tabdump.py b/crypto/krb5/src/tests/t_tabdump.py
deleted file mode 100755
index 54117467f5b1..000000000000
--- a/crypto/krb5/src/tests/t_tabdump.py
+++ /dev/null
@@ -1,86 +0,0 @@
-from k5test import *
-
-import csv
-from io import StringIO
-
-def tab_csv(s):
- io = StringIO(s)
- return list(csv.DictReader(io, dialect=csv.excel_tab))
-
-
-def getrows(dumptype):
- out = realm.run([kdb5_util, 'tabdump', dumptype])
- return tab_csv(out)
-
-
-def checkkeys(rows, dumptype, names):
- if sorted(rows[0].keys()) != sorted(names):
- fail('tabdump %s field names' % dumptype)
-
-
-realm = K5Realm(start_kdc=False, get_creds=False)
-realm.run([kadminl, 'alias', 'useralias', 'user'])
-
-rows = getrows('alias')
-checkkeys(rows, 'alias', ["aliasname", "targetname"])
-if (rows[0]['aliasname'] != 'useralias@KRBTEST.COM' or
- rows[0]['targetname'] != 'user@KRBTEST.COM'):
- fail('tabdump alias principal names')
-
-rows = getrows('keyinfo')
-checkkeys(rows, 'keyinfo',
- ["name", "keyindex", "kvno", "enctype", "salttype", "salt"])
-
-userrows = [x for x in rows if x['name'].startswith('user@')]
-userrows.sort(key=lambda x: x['keyindex'])
-
-if (userrows[0]['enctype'] != 'aes256-cts-hmac-sha1-96' or
- userrows[1]['enctype'] != 'aes128-cts-hmac-sha1-96'):
- fail('tabdump keyinfo enctypes')
-
-success('tabdump keyinfo')
-
-
-rows = getrows('keydata')
-checkkeys(rows, 'keydata',
- ["name", "keyindex", "kvno", "enctype", "key", "salttype", "salt"])
-
-
-rows = getrows('princ_flags')
-checkkeys(rows, 'princ_flags', ["name", "flag", "value"])
-
-
-rows = getrows('princ_lockout')
-checkkeys(rows, 'princ_lockout', ["name", "last_success", "last_failed",
- "fail_count"])
-
-
-realm.run([kadminl, 'addpol', '-history', '3', 'testpol'])
-realm.run([kadminl, 'modprinc', '-policy', 'testpol', 'user'])
-
-rows = getrows('princ_meta')
-checkkeys(rows, 'princ_meta', ["name", "modby", "modtime", "lastpwd",
- "policy", "mkvno", "hist_kvno"])
-
-userrows = [x for x in rows if x['name'].startswith('user@')]
-
-if userrows[0]['policy'] != 'testpol':
- fail('tabdump princ_meta policy name')
-
-
-realm.run([kadminl, 'set_string', 'user', 'foo', 'bar'])
-
-rows = 
getrows('princ_stringattrs')
-checkkeys(rows, 'princ_stringattrs', ["name", "key", "value"])
-
-userrows = [x for x in rows if x['name'].startswith('user@')]
-if (len(userrows) != 1 or userrows[0]['key'] != 'foo' or
- userrows[0]['value'] != 'bar'):
- fail('tabdump princ_stringattrs key/value')
-
-
-rows = getrows('princ_tktpolicy')
-checkkeys(rows, 'princ_tktpolicy', ["name", "expiration", "pw_expiration",
- "max_life", "max_renew_life"])
-
-success('tabdump')
diff --git a/crypto/krb5/src/tests/t_u2u.py b/crypto/krb5/src/tests/t_u2u.py
deleted file mode 100644
index 4b8a82a2ffa9..000000000000
--- a/crypto/krb5/src/tests/t_u2u.py
+++ /dev/null
@@ -1,60 +0,0 @@
-from k5test import *
-
-realm = K5Realm(create_host=False)
-
-# Create a second user principal and get tickets for it.
-u2u_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
-realm.addprinc('alice', password('alice'))
-realm.kinit('alice', password('alice'), ['-c', u2u_ccache])
-
-# Verify that -allow_dup_skey denies u2u requests.
-realm.run([kadminl, 'modprinc', '-allow_dup_skey', 'alice'])
-realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_code=1,
- expected_msg='KDC policy rejects request')
-realm.run([kadminl, 'modprinc', '+allow_dup_skey', 'alice'])
-
-# Verify that -allow_svr denies regular TGS requests, but allows
-# user-to-user TGS requests.
-realm.run([kadminl, 'modprinc', '-allow_svr', 'alice'])
-realm.run([kvno, 'alice'], expected_code=1,
- expected_msg='Server principal valid for user2user only')
-realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')
-realm.run([kadminl, 'modprinc', '+allow_svr', 'alice'])
-
-# Verify that normal lookups ignore the user-to-user ticket.
-realm.run([kvno, 'alice'], expected_msg='kvno = 1')
-out = realm.run([klist])
-if out.count('alice@KRBTEST.COM') != 2:
- fail('expected two alice tickets after regular kvno')
-
-# Try u2u against the client user.
-realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
-
-realm.run([klist])
-
-realm.stop()
-
-# Load the test KDB module to test aliases
-testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
- 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
- 'WIN10': {'keys': 'aes128-cts'}}
-kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
- 'dbmodules': {'test': {'db_library': 'test',
- 'princs': testprincs,
- 'alias': {'HOST/win10': 'WIN10'}}}}
-
-realm = K5Realm(kdc_conf=kdcconf, create_kdb=False)
-realm.start_kdc()
-
-# Create a second user principal and get tickets for it.
-u2u_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
-realm.extract_keytab('WIN10', realm.keytab)
-realm.kinit('WIN10', None, ['-k', '-c', u2u_ccache])
-
-realm.extract_keytab(realm.user_princ, realm.keytab)
-realm.kinit(realm.user_princ, None, ['-k'])
-
-realm.run([kvno, '--u2u', u2u_ccache, 'HOST/win10'], expected_msg='kvno = 0')
-realm.run([kvno, '--u2u', u2u_ccache, 'WIN10'], expected_msg='kvno = 0')
-
-success('user-to-user tests')
diff --git a/crypto/krb5/src/tests/t_unlockiter.py b/crypto/krb5/src/tests/t_unlockiter.py
deleted file mode 100755
index fb18abc6c6c0..000000000000
--- a/crypto/krb5/src/tests/t_unlockiter.py
+++ /dev/null
@@ -1,20 +0,0 @@
-from k5test import *
-
-# Default KDB iteration is locked. Expect write lock failure unless
-# unlocked iteration is explicitly requested.
-realm = K5Realm(create_user=False, create_host=False, start_kdc=False,
- bdb_only=True)
-realm.run(['./unlockiter'], expected_code=1)
-realm.run(['./unlockiter', '-u'])
-realm.run(['./unlockiter', '-l'], expected_code=1)
-
-# Set default to unlocked iteration. Only explicitly requested locked
-# iteration should block the write lock.
-realm = K5Realm(create_user=False, create_host=False, start_kdc=False,
- bdb_only=True,
- krb5_conf={'dbmodules': {'db': {'unlockiter': 'true'}}})
-realm.run(['./unlockiter'])
-realm.run(['./unlockiter', '-u'])
-realm.run(['./unlockiter', '-l'], expected_code=1)
-
-success('Unlocked iteration unit tests')
diff --git a/crypto/krb5/src/tests/t_y2038.py b/crypto/krb5/src/tests/t_y2038.py
deleted file mode 100644
index 2eaa191e72e6..000000000000
--- a/crypto/krb5/src/tests/t_y2038.py
+++ /dev/null
@@ -1,79 +0,0 @@
-from k5test import *
-
-# These tests will become much less important after the y2038 boundary
-# has elapsed, and may start exhibiting problems around the year 2075.
-
-if runenv.sizeof_time_t <= 4:
- skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
-
-# Start a KDC running roughly 21 years in the future, after the y2038
-# boundary. Set long maximum lifetimes for later tests.
-conf = {'realms': {'$realm': {'max_life': '9000d',
- 'max_renewable_life': '9000d'}}}
-realm = K5Realm(start_kdc=False, kdc_conf=conf)
-realm.start_kdc(['-T', '662256000'])
-
-# kinit without preauth should succeed with clock skew correction, but
-# will result in an expired ticket, because we sent an absolute end
-# time and didn't get a chance to correct it..
-mark('kinit, no preauth')
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, realm.host_princ], expected_code=1,
- expected_msg='Ticket expired')
-
-# kinit with preauth should succeed and result in a valid ticket, as
-# we get a chance to correct the end time based on the KDC time. Try
-# with encrypted timestamp and encrypted challenge.
-mark('kinit, with preauth')
-realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
-realm.kinit(realm.user_princ, password('user'))
-realm.run([kvno, realm.host_princ])
-realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
-realm.run([kvno, realm.host_princ])
-
-# Test that expiration warning works after y2038, by setting a
-# password expiration time ten minutes after the KDC time.
-mark('expiration warning')
-realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
-out = realm.kinit(realm.user_princ, password('user'))
-if 'will expire in less than one hour' not in out:
- fail('password expiration message')
-year = int(out.split()[-1])
-if year < 2038 or year > 9999:
- fail('password expiration year')
-
-realm.stop_kdc()
-realm.start_kdc()
-realm.start_kadmind()
-realm.prep_kadmin()
-
-# Test getdate parsing of absolute timestamps after 2038 and
-# marshalling over the kadmin protocol. The local time zone will
-# affect the display time by a little bit, so just look for the year.
-mark('kadmin marshalling')
-realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
-realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
-
-# Get a ticket whose lifetime crosses the y2038 boundary and
-# range-check the expiration year as reported by klist.
-mark('ticket lifetime across y2038')
-realm.kinit(realm.user_princ, password('user'),
- flags=['-l', '8000d', '-r', '8500d'])
-realm.run([kvno, realm.host_princ])
-out = realm.run([klist])
-if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
- fail('unexpected tgt expiration year')
-if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
- fail('unexpected tgt rtill year')
-if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
- fail('unexpected service ticket expiration year')
-if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
- fail('unexpected service ticket rtill year')
-realm.kinit(realm.user_princ, None, ['-R'])
-out = realm.run([klist])
-if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
- fail('unexpected renewed tgt expiration year')
-if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
- fail('unexpected renewed tgt rtill year')
-
-success('y2038 tests')
diff --git a/crypto/krb5/src/tests/threads/Makefile.in b/crypto/krb5/src/tests/threads/Makefile.in
deleted file mode 100644
index 4e12b3731f38..000000000000
--- a/crypto/krb5/src/tests/threads/Makefile.in
+++ /dev/null
@@ -1,40 +0,0 @@
-# The test programs here are not built or run by default. You can
-# build a specific test program with "make gss-perf" or similar.
-# "make run-t_rcache" will run the replay cache test program in the
-# proper environment.
-
-mydir=tests$(S)threads
-BUILDTOP=$(REL)..$(S)..
-
-SRCS=$(srcdir)/t_rcache.c \
- $(srcdir)/gss-perf.c \
- $(srcdir)/init_ctx.c \
- $(srcdir)/profread.c \
- $(srcdir)/prof1.c
-
-all:
-
-run-t_rcache: t_rcache
- $(RUN_TEST) ./t_rcache file2:test.rcache2
-
-t_rcache: t_rcache.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_rcache t_rcache.o $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-prof1: prof1.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o prof1 prof1.o $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-prof1.o: prof1.c
-
-gss-perf: gss-perf.o $(KRB5_BASE_DEPLIBS) $(GSS_DEPLIBS)
- $(CC_LINK) $(PTHREAD_CFLAGS) -o gss-perf gss-perf.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-init_ctx: init_ctx.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) $(PTHREAD_CFLAGS) -o init_ctx init_ctx.o $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-profread: profread.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) $(PTHREAD_CFLAGS) -o profread profread.o $(KRB5_BASE_LIBS) $(THREAD_LINKOPTS)
-
-install:
-
-clean:
- $(RM) *.o t_rcache syms prof1 gss-perf test.rcache2
diff --git a/crypto/krb5/src/tests/threads/deps b/crypto/krb5/src/tests/threads/deps
deleted file mode 100644
index f536935de110..000000000000
--- a/crypto/krb5/src/tests/threads/deps
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)t_rcache.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h t_rcache.c
-$(OUTPRE)gss-perf.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
- gss-perf.c
-$(OUTPRE)init_ctx.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- init_ctx.c
-$(OUTPRE)profread.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- profread.c
-$(OUTPRE)prof1.$(OBJEXT): $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) prof1.c
diff --git a/crypto/krb5/src/tests/threads/gss-perf.c b/crypto/krb5/src/tests/threads/gss-perf.c
deleted file mode 100644
index 0ca6d84f534a..000000000000
--- a/crypto/krb5/src/tests/threads/gss-perf.c
+++ /dev/null
@@ -1,455 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* tests/threads/gss-perf.c */ -/* - * Copyright (C) 2009 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * GSSAPI performance testing - * initially contributed by Ken Raeburn - */ -/* - * Possible to-do items: - * - init-mutual testing (process msg back from accept) - * - wrap/unwrap testing (one init/accept per thread, loop on wrap/unwrap) - * - wrap/unwrap MT testing (one init/accept for process) ? - * - init+accept with replay cache - * - default to target "host@localhostname" - * - input ccache option? - * - * Also, perhaps try to simulate certain application patterns, like - * init/accept, exchange N messages with wrap/unwrap, destroy context, - * all in a loop in M parallel threads. 
- */ - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <limits.h> -#include <assert.h> -#include <unistd.h> -#include <pthread.h> -#include <krb5.h> -#include <gssapi/gssapi.h> - -#include <sys/time.h> -#include <sys/resource.h> - -#define N_THREADS 2 -#define ITER_COUNT 10000 -static int init_krb5_first = 0; - -struct resource_info { - struct timeval start_time, end_time; -}; -struct thread_info { - pthread_t tid; - struct resource_info r; -}; - -static gss_name_t target; -static char *prog, *target_name; -static unsigned int n_threads = N_THREADS; -static int iter_count = ITER_COUNT; -static int do_pause, do_mutual; -static int test_init, test_accept; - -static void usage (void) __attribute__((noreturn)); -static void set_target (char *); - -static void -usage (void) -{ - fprintf (stderr, "usage: %s [ options ] service-name\n", prog); - fprintf (stderr, " service-name\tGSSAPI host-based service name (e.g., 'host@FQDN')\n"); - fprintf (stderr, "options:\n"); - fprintf (stderr, "\t-I\ttest gss_init_sec_context\n"); - fprintf (stderr, "\t-A\ttest gss_accept_sec_context\n"); - fprintf (stderr, "\t-k K\tspecify keytab (remember FILE: or other prefix!)\n"); - fprintf (stderr, "\t-t N\tspecify number of threads (default %d)\n", - N_THREADS); - fprintf (stderr, "\t-i N\tset iteration count (default %d)\n", - ITER_COUNT); - fprintf (stderr, "\t-m\tenable mutual authentication flag (but don't do the additional calls)\n"); - fprintf (stderr, "\t-K\tinitialize a krb5_context for the duration\n"); - fprintf (stderr, "\t-P\tpause briefly after starting, to allow attaching dtrace/strace/etc\n"); - exit (1); -} - -static int -numarg (char *arg) -{ - char *end; - long val; - - val = strtol (arg, &end, 10); - if (*arg == 0 || *end != 0) { - fprintf (stderr, "invalid numeric argument '%s'\n", arg); - usage (); - } - if (val >= 1 && val <= INT_MAX) - return val; - fprintf (stderr, "out of range numeric value %ld (1..%d)\n", - val, INT_MAX); - usage (); -} - 
-static char optstring[] = "k:t:i:KPmIA"; - -static void -process_options (int argc, char *argv[]) -{ - int c; - - prog = strrchr (argv[0], '/'); - if (prog) - prog++; - else - prog = argv[0]; - while ((c = getopt (argc, argv, optstring)) != -1) { - switch (c) { - case '?': - case ':': - usage (); - break; - - case 'k': - setenv ("KRB5_KTNAME", optarg, 1); - break; - - case 't': - n_threads = numarg (optarg); - if (n_threads >= SIZE_MAX / sizeof (struct thread_info)) { - n_threads = SIZE_MAX / sizeof (struct thread_info); - fprintf (stderr, "limiting n_threads to %u\n", n_threads); - } - break; - - case 'i': - iter_count = numarg (optarg); - break; - - case 'K': - init_krb5_first = 1; - break; - - case 'P': - do_pause = 1; - break; - - case 'I': - test_init = 1; - break; - case 'A': - test_accept = 1; - break; - } - } - if (argc == optind + 1) - set_target (argv[optind]); - else - usage (); - - if (test_init && test_accept) { - fprintf (stderr, "-I and -A are mutually exclusive\n"); - usage (); - } - if (test_init == 0 && test_accept == 0) - test_init = 1; -} - -static void -display_a_status (const char *s_type, OM_uint32 type, OM_uint32 val) -{ - OM_uint32 mctx = 0; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg = GSS_C_EMPTY_BUFFER; - - do { - maj_stat = gss_display_status (&min_stat, - val, - type, - GSS_C_NO_OID, - &mctx, - &msg); - if (maj_stat != GSS_S_COMPLETE) { - fprintf (stderr, - "error getting display form of %s status code %#lx\n", - s_type, (unsigned long) val); - exit (1); - } - fprintf (stderr, " %s: %.*s\n", s_type, - (int) msg.length, (char *) msg.value); - gss_release_buffer (&min_stat, &msg); - } while (mctx != 0); -} - -static void -gss_error(const char *where, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - fprintf (stderr, "%s: %s:\n", prog, where); - display_a_status ("major", GSS_C_GSS_CODE, maj_stat); - display_a_status ("minor", GSS_C_MECH_CODE, min_stat); - exit (1); -} - -static void -do_accept (gss_buffer_desc *msg, int iter) -{ - 
OM_uint32 maj_stat, min_stat; - gss_name_t client = GSS_C_NO_NAME; - gss_buffer_desc reply = GSS_C_EMPTY_BUFFER; - gss_OID oid = GSS_C_NO_OID; - gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; - OM_uint32 flags = do_mutual ? GSS_C_MUTUAL_FLAG : 0; - - reply.value = NULL; - reply.length = 0; - maj_stat = gss_accept_sec_context (&min_stat, - &ctx, - GSS_C_NO_CREDENTIAL, - msg, - GSS_C_NO_CHANNEL_BINDINGS, - &client, - &oid, - &reply, - &flags, - NULL, /* time_rec */ - NULL); /* del_cred_handle */ - if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) { - fprintf (stderr, "pid %lu thread %#lx failing in iteration %d\n", - (unsigned long) getpid (), (unsigned long) pthread_self (), - iter); - gss_error ("accepting context", maj_stat, min_stat); - } - gss_release_buffer (&min_stat, &reply); - if (ctx != GSS_C_NO_CONTEXT) - gss_delete_sec_context (&min_stat, &ctx, GSS_C_NO_BUFFER); - gss_release_name (&min_stat, &client); -} - -static gss_buffer_desc -do_init (void) -{ - OM_uint32 maj_stat, min_stat; - gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; - OM_uint32 flags = 0, ret_flags = 0; - gss_buffer_desc msg = GSS_C_EMPTY_BUFFER; - - if (do_mutual) - flags |= GSS_C_MUTUAL_FLAG; - - msg.value = NULL; - msg.length = 0; - maj_stat = gss_init_sec_context (&min_stat, - GSS_C_NO_CREDENTIAL, - &ctx, - target, - GSS_C_NO_OID, - flags, - 0, - NULL, /* no channel bindings */ - NULL, /* no previous token */ - NULL, /* ignore mech type */ - &msg, - &ret_flags, - NULL); /* time_rec */ - if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) { - gss_error ("initiating", maj_stat, min_stat); - } - if (ctx != GSS_C_NO_CONTEXT) - gss_delete_sec_context (&min_stat, &ctx, GSS_C_NO_BUFFER); - return msg; -} - -static void -set_target (char *name) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc namebuf; - - target_name = name; - namebuf.value = name; - namebuf.length = strlen (name); - maj_stat = gss_import_name (&min_stat, - &namebuf, - GSS_C_NT_HOSTBASED_SERVICE, - &target); - 
if (maj_stat != GSS_S_COMPLETE) - gss_error ("importing target name", maj_stat, min_stat); -} - -static long double -tvsub (struct timeval t1, struct timeval t2) -{ - /* POSIX says .tv_usec is signed. */ - return (t1.tv_sec - t2.tv_sec - + (long double) 1.0e-6 * (t1.tv_usec - t2.tv_usec)); -} - -static struct timeval -now (void) -{ - struct timeval tv; - if (gettimeofday (&tv, NULL) < 0) { - perror ("gettimeofday"); - exit (1); - } - return tv; -} - -static gss_buffer_desc init_msg; - -static void run_iterations (struct resource_info *r) -{ - int i; - OM_uint32 min_stat; - - r->start_time = now (); - for (i = 0; i < iter_count; i++) { - if (test_init) { - gss_buffer_desc msg = do_init (); - gss_release_buffer (&min_stat, &msg); - } else if (test_accept) { - do_accept (&init_msg, i); - } else - assert (test_init || test_accept); - } - r->end_time = now (); -} - -static void * -thread_proc (void *p) -{ - run_iterations (p); - return 0; -} - -static struct thread_info *tinfo; - -static krb5_context kctx; -static struct rusage start, finish; -static struct timeval start_time, finish_time; - -int -main (int argc, char *argv[]) -{ - long double user, sys, wallclock, total; - unsigned int i; - - /* Probably should have a command-line option controlling this, - but if a replay cache is used, we can't do just one - init_sec_context and easily time just the accept_sec_context - side. */ - setenv ("KRB5RCACHETYPE", "none", 1); - - process_options (argc, argv); - - /* - * Some places in the krb5 library cache data globally. - * This option allows you to test the effect of that. - */ - if (init_krb5_first && krb5_init_context (&kctx) != 0) { - fprintf (stderr, "krb5_init_context error\n"); - exit (1); - } - tinfo = calloc (n_threads, sizeof (*tinfo)); - if (tinfo == NULL) { - perror ("calloc"); - exit (1); - } - printf ("Test: %s threads: %d iterations: %d target: %s\n", - test_init ? "init" : "accept", n_threads, iter_count, - target_name ? 
target_name : "(NONE)"); - if (do_pause) { - printf ("pid %lu napping...\n", (unsigned long) getpid ()); - sleep (10); - } - /* - * Some tests use one message and process it over and over. Even - * if not, this sort of "primes" things by fetching any needed - * tickets just once. - */ - init_msg = do_init (); - printf ("starting...\n"); - /* And *now* we start measuring the performance. */ - if (getrusage (RUSAGE_SELF, &start) < 0) { - perror ("getrusage"); - exit (1); - } - start_time = now (); -#define foreach_thread(IDXVAR) for (IDXVAR = 0; IDXVAR < n_threads; IDXVAR++) - foreach_thread (i) { - int err; - - err = pthread_create (&tinfo[i].tid, NULL, thread_proc, &tinfo[i].r); - if (err) { - fprintf (stderr, "pthread_create: %s\n", strerror (err)); - exit (1); - } - } - foreach_thread (i) { - int err; - void *val; - - err = pthread_join (tinfo[i].tid, &val); - if (err) { - fprintf (stderr, "pthread_join: %s\n", strerror (err)); - exit (1); - } - } - finish_time = now (); - if (getrusage (RUSAGE_SELF, &finish) < 0) { - perror ("getrusage"); - exit (1); - } - if (init_krb5_first) - krb5_free_context (kctx); - foreach_thread (i) { - printf ("Thread %2d: elapsed time %Lfs\n", i, - tvsub (tinfo[i].r.end_time, tinfo[i].r.start_time)); - } - wallclock = tvsub (finish_time, start_time); - /* - * Report on elapsed time and CPU usage. Depending what - * performance issue you're chasing down, different values may be - * of particular interest, so report all the info we've got. 
- */ - printf ("Overall run time with %d threads = %Lfs, %Lfms per iteration.\n", - n_threads, wallclock, 1000 * wallclock / iter_count); - user = tvsub (finish.ru_utime, start.ru_utime); - sys = tvsub (finish.ru_stime, start.ru_stime); - total = user + sys; - printf ("CPU usage: user=%Lfs sys=%Lfs total=%Lfs.\n", user, sys, total); - printf ("Utilization: user=%5.1Lf%% sys=%5.1Lf%% total=%5.1Lf%%\n", - 100 * user / wallclock, - 100 * sys / wallclock, - 100 * total / wallclock); - printf ("Util/thread: user=%5.1Lf%% sys=%5.1Lf%% total=%5.1Lf%%\n", - 100 * user / wallclock / n_threads, - 100 * sys / wallclock / n_threads, - 100 * total / wallclock / n_threads); - printf ("Total CPU use per iteration per thread: %Lfms\n", - 1000 * total / n_threads / iter_count); - return 0; -} diff --git a/crypto/krb5/src/tests/threads/init_ctx.c b/crypto/krb5/src/tests/threads/init_ctx.c deleted file mode 100644 index dc3d41749f6b..000000000000 --- a/crypto/krb5/src/tests/threads/init_ctx.c +++ /dev/null 
@@ -1,273 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/threads/init_ctx.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */ - -/* - * krb5 context creation performance testing - * initially contributed by Ken Raeburn - */ - -#include "k5-platform.h" -#include <unistd.h> -#include <pthread.h> -#include <krb5.h> - -#include <sys/time.h> -#include <sys/resource.h> - -#define N_THREADS 4 -#define ITER_COUNT 40000 -static int init_krb5_first = 0; - -struct resource_info { - struct timeval start_time, end_time; -}; -struct thread_info { - pthread_t tid; - struct resource_info r; -}; - -static char *prog; -static unsigned int n_threads = N_THREADS; -static int iter_count = ITER_COUNT; -static int do_pause; - -static void usage (void) __attribute__((noreturn)); - -static void -usage (void) -{ - fprintf (stderr, "usage: %s [ options ]\n", prog); - fprintf (stderr, "options:\n"); - fprintf (stderr, "\t-t N\tspecify number of threads (default %d)\n", - N_THREADS); - fprintf (stderr, "\t-i N\tset iteration count (default %d)\n", - ITER_COUNT); - fprintf (stderr, "\t-K\tinitialize a krb5_context for the duration\n"); - fprintf (stderr, "\t-P\tpause briefly after starting, to allow attaching dtrace/strace/etc\n"); - exit (1); -} - -static int -numarg (char *arg) -{ - char *end; - long val; - - val = strtol (arg, &end, 10); - if (*arg == 0 || *end != 0) { - fprintf (stderr, "invalid numeric argument '%s'\n", arg); - usage (); - } - if (val >= 1 && val <= INT_MAX) - return val; - fprintf (stderr, "out of range numeric value %ld (1..%d)\n", - val, INT_MAX); - usage (); -} - -static char optstring[] = "t:i:KP"; - -static void -process_options (int argc, char *argv[]) -{ - int c; - - prog = strrchr (argv[0], '/'); - if (prog) - prog++; - else - prog = argv[0]; - while ((c = getopt (argc, argv, optstring)) != -1) { - switch (c) { - case '?': - case ':': - usage (); - break; - - case 't': - n_threads = numarg (optarg); - if (n_threads >= SIZE_MAX / sizeof (struct thread_info)) { - n_threads = SIZE_MAX / sizeof (struct thread_info); - fprintf (stderr, "limiting n_threads to %u\n", n_threads); - } - 
break; - - case 'i': - iter_count = numarg (optarg); - break; - - case 'K': - init_krb5_first = 1; - break; - - case 'P': - do_pause = 1; - break; - } - } - if (argc != optind) - usage (); -} - -static long double -tvsub (struct timeval t1, struct timeval t2) -{ - /* POSIX says .tv_usec is signed. */ - return (t1.tv_sec - t2.tv_sec - + (long double) 1.0e-6 * (t1.tv_usec - t2.tv_usec)); -} - -static struct timeval -now (void) -{ - struct timeval tv; - if (gettimeofday (&tv, NULL) < 0) { - perror ("gettimeofday"); - exit (1); - } - return tv; -} - -static void run_iterations (struct resource_info *r) -{ - int i; - krb5_error_code err; - krb5_context ctx; - - r->start_time = now (); - for (i = 0; i < iter_count; i++) { - err = krb5_init_context(&ctx); - if (err) { - com_err(prog, err, "initializing krb5 context"); - exit(1); - } - krb5_free_context(ctx); - } - r->end_time = now (); -} - -static void * -thread_proc (void *p) -{ - run_iterations (p); - return 0; -} - -static struct thread_info *tinfo; - -static krb5_context kctx; -static struct rusage start, finish; -static struct timeval start_time, finish_time; - -int -main (int argc, char *argv[]) -{ - long double user, sys, wallclock, total; - unsigned int i; - - process_options (argc, argv); - - /* - * Some places in the krb5 library cache data globally. - * This option allows you to test the effect of that. - */ - if (init_krb5_first && krb5_init_context (&kctx) != 0) { - fprintf (stderr, "krb5_init_context error\n"); - exit (1); - } - tinfo = calloc (n_threads, sizeof (*tinfo)); - if (tinfo == NULL) { - perror ("calloc"); - exit (1); - } - printf ("Threads: %d iterations: %d\n", n_threads, iter_count); - if (do_pause) { - printf ("pid %lu napping...\n", (unsigned long) getpid ()); - sleep (10); - } - printf ("starting...\n"); - /* And *now* we start measuring the performance. 
*/ - if (getrusage (RUSAGE_SELF, &start) < 0) { - perror ("getrusage"); - exit (1); - } - start_time = now (); -#define foreach_thread(IDXVAR) for (IDXVAR = 0; IDXVAR < n_threads; IDXVAR++) - foreach_thread (i) { - int err; - - err = pthread_create (&tinfo[i].tid, NULL, thread_proc, &tinfo[i].r); - if (err) { - fprintf (stderr, "pthread_create: %s\n", strerror (err)); - exit (1); - } - } - foreach_thread (i) { - int err; - void *val; - - err = pthread_join (tinfo[i].tid, &val); - if (err) { - fprintf (stderr, "pthread_join: %s\n", strerror (err)); - exit (1); - } - } - finish_time = now (); - if (getrusage (RUSAGE_SELF, &finish) < 0) { - perror ("getrusage"); - exit (1); - } - if (init_krb5_first) - krb5_free_context (kctx); - foreach_thread (i) { - printf ("Thread %2d: elapsed time %Lfs\n", i, - tvsub (tinfo[i].r.end_time, tinfo[i].r.start_time)); - } - wallclock = tvsub (finish_time, start_time); - /* - * Report on elapsed time and CPU usage. Depending what - * performance issue you're chasing down, different values may be - * of particular interest, so report all the info we've got. - */ - printf ("Overall run time with %d threads = %Lfs, %Lfms per iteration.\n", - n_threads, wallclock, 1000 * wallclock / iter_count); - user = tvsub (finish.ru_utime, start.ru_utime); - sys = tvsub (finish.ru_stime, start.ru_stime); - total = user + sys; - printf ("CPU usage: user=%Lfs sys=%Lfs total=%Lfs.\n", user, sys, total); - printf ("Utilization: user=%5.1Lf%% sys=%5.1Lf%% total=%5.1Lf%%\n", - 100 * user / wallclock, - 100 * sys / wallclock, - 100 * total / wallclock); - printf ("Util/thread: user=%5.1Lf%% sys=%5.1Lf%% total=%5.1Lf%%\n", - 100 * user / wallclock / n_threads, - 100 * sys / wallclock / n_threads, - 100 * total / wallclock / n_threads); - printf ("Total CPU use per iteration per thread: %Lfms\n", - 1000 * total / n_threads / iter_count); - free(tinfo); - return 0; -} 
diff --git a/crypto/krb5/src/tests/threads/prof1.c b/crypto/krb5/src/tests/threads/prof1.c
deleted file mode 100644
index 3d9597844b29..000000000000
--- a/crypto/krb5/src/tests/threads/prof1.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/threads/prof1.c */
-/*
- * Copyright (C) 2004 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <pthread.h>
-#include <assert.h>
-#include <sys/types.h>
-#include <time.h>
-#include <sys/time.h>
-#include <utime.h>
-#include <com_err.h>
-#include <profile.h>
-
-int nthreads = 10;
-unsigned int delay = 3600;
-
-volatile int done = 0; /* XXX hack */
-
-const char *path = "/tmp/foo1.conf:/tmp/foo.conf";
-const char *filename = "/tmp/foo.conf";
-
-const char *prog;
-
-static void *worker(void *arg)
-{
- profile_t p;
- long err;
- int i;
- const char *const names[] = {
- "one", "two", "three", 0
- };
- char **values;
- const char *mypath = (random() & 1) ?
path : filename;
-
- while (!done) {
- err = profile_init_path(mypath, &p);
- if (err) {
- com_err(prog, err, "calling profile_init(\"%s\")", mypath);
- exit(1);
- }
- for (i = 0; i < 10; i++) {
- values = 0;
- err = profile_get_values(p, names, &values);
- if (err == 0 && values != 0)
- profile_free_list(values);
- }
- profile_release(p);
- }
- return 0;
-}
-
-static void *modifier(void *arg)
-{
- struct timespec req;
- while (!done) {
- req.tv_sec = 0;
- req.tv_nsec = random() & 499999999;
- nanosleep(&req, 0);
- utime(filename, 0);
-/* printf("."), fflush(stdout); */
- }
- return 0;
-}
-
-int main(int argc, char *argv[])
-{
- int i;
- pthread_t thr;
-
- prog = argv[0];
- for (i = 0; i < nthreads; i++) {
- assert(0 == pthread_create(&thr, 0, worker, 0));
- }
- sleep(1);
- pthread_create(&thr, 0, modifier, 0);
- sleep(delay);
- done = 1;
- sleep(2);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/threads/profread.c b/crypto/krb5/src/tests/threads/profread.c
deleted file mode 100644
index 69bdb05c5d90..000000000000
--- a/crypto/krb5/src/tests/threads/profread.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/threads/profread.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */ - -/* - * krb5 profile data retrieval performance testing - * initially contributed by Ken Raeburn - */ - -#include "k5-platform.h" -#include <unistd.h> -#include <pthread.h> -#include <krb5.h> -#include <profile.h> - -#include <sys/time.h> -#include <sys/resource.h> - -#define N_THREADS 4 -#define ITER_COUNT 40000 -static int init_krb5_first = 0; - -struct resource_info { - struct timeval start_time, end_time; -}; -struct thread_info { - pthread_t tid; - struct resource_info r; - krb5_context ctx; -}; - -static char *prog; -static unsigned int n_threads = N_THREADS; -static int iter_count = ITER_COUNT; -static int do_pause; - -static void usage (void) __attribute__((noreturn)); - -static void -usage (void) -{ - fprintf (stderr, "usage: %s [ options ]\n", prog); - fprintf (stderr, "options:\n"); - fprintf (stderr, "\t-t N\tspecify number of threads (default %d)\n", - N_THREADS); - fprintf (stderr, "\t-i N\tset iteration count (default %d)\n", - ITER_COUNT); - fprintf (stderr, "\t-K\tinitialize a krb5_context for the duration\n"); - fprintf (stderr, "\t-P\tpause briefly after starting, to allow attaching dtrace/strace/etc\n"); - exit (1); -} - -static int -numarg (char *arg) -{ - char *end; - long val; - - val = strtol (arg, &end, 10); - if (*arg == 0 || *end != 0) { - fprintf (stderr, "invalid numeric argument '%s'\n", arg); - usage (); - } - if (val >= 1 && val <= INT_MAX) - return val; - fprintf (stderr, "out of range numeric value %ld (1..%d)\n", - val, INT_MAX); - usage (); -} - -static char optstring[] = "t:i:KP"; - -static void -process_options (int argc, char *argv[]) -{ - int c; - - prog = strrchr (argv[0], '/'); - if (prog) - prog++; - else - prog = argv[0]; - while ((c = getopt (argc, argv, optstring)) != -1) { - switch (c) { - case '?': - case ':': - usage (); - break; - - case 't': - n_threads = numarg (optarg); - if (n_threads >= SIZE_MAX / sizeof (struct thread_info)) { - n_threads = SIZE_MAX / sizeof (struct thread_info); - fprintf (stderr, 
"limiting n_threads to %u\n", n_threads); - } - break; - - case 'i': - iter_count = numarg (optarg); - break; - - case 'K': - init_krb5_first = 1; - break; - - case 'P': - do_pause = 1; - break; - } - } - if (argc != optind) - usage (); -} - -static long double -tvsub (struct timeval t1, struct timeval t2) -{ - /* POSIX says .tv_usec is signed. */ - return (t1.tv_sec - t2.tv_sec - + (long double) 1.0e-6 * (t1.tv_usec - t2.tv_usec)); -} - -static struct timeval -now (void) -{ - struct timeval tv; - if (gettimeofday (&tv, NULL) < 0) { - perror ("gettimeofday"); - exit (1); - } - return tv; -} - -static void run_iterations (struct resource_info *r) -{ - int i; - krb5_error_code err; - krb5_context ctx; - profile_t prof = NULL; - - err = krb5_init_context(&ctx); - if (err) { - com_err(prog, err, "initializing krb5 context"); - exit(1); - } - err = krb5_get_profile(ctx, &prof); - if (err) { - com_err(prog, err, "fetching profile from context"); - exit(1); - } - r->start_time = now (); - for (i = 0; i < iter_count; i++) { - int ival; - err = profile_get_integer(prof, "one", "two", "three", 42, &ival); - if (err) { - com_err(prog, err, "fetching value from profile"); - exit(1); - } - } - r->end_time = now (); - profile_release (prof); - krb5_free_context(ctx); -} - -static void * -thread_proc (void *p) -{ - run_iterations (p); - return 0; -} - -static struct thread_info *tinfo; - -static krb5_context kctx; -static struct rusage start, finish; -static struct timeval start_time, finish_time; - -int -main (int argc, char *argv[]) -{ - long double user, sys, wallclock, total; - unsigned int i; - - process_options (argc, argv); - - /* - * Some places in the krb5 library cache data globally. - * This option allows you to test the effect of that. 
- */ - if (init_krb5_first && krb5_init_context (&kctx) != 0) { - fprintf (stderr, "krb5_init_context error\n"); - exit (1); - } - tinfo = calloc (n_threads, sizeof (*tinfo)); - if (tinfo == NULL) { - perror ("calloc"); - exit (1); - } - printf ("Threads: %d iterations: %d\n", n_threads, iter_count); - if (do_pause) { - printf ("pid %lu napping...\n", (unsigned long) getpid ()); - sleep (10); - } - printf ("starting...\n"); - /* And *now* we start measuring the performance. */ - if (getrusage (RUSAGE_SELF, &start) < 0) { - perror ("getrusage"); - exit (1); - } - start_time = now (); -#define foreach_thread(IDXVAR) for (IDXVAR = 0; IDXVAR < n_threads; IDXVAR++) - foreach_thread (i) { - int err; - - err = pthread_create (&tinfo[i].tid, NULL, thread_proc, &tinfo[i].r); - if (err) { - fprintf (stderr, "pthread_create: %s\n", strerror (err)); - exit (1); - } - } - foreach_thread (i) { - int err; - void *val; - - err = pthread_join (tinfo[i].tid, &val); - if (err) { - fprintf (stderr, "pthread_join: %s\n", strerror (err)); - exit (1); - } - } - finish_time = now (); - if (getrusage (RUSAGE_SELF, &finish) < 0) { - perror ("getrusage"); - exit (1); - } - if (init_krb5_first) - krb5_free_context (kctx); - foreach_thread (i) { - printf ("Thread %2d: elapsed time %Lfs\n", i, - tvsub (tinfo[i].r.end_time, tinfo[i].r.start_time)); - } - wallclock = tvsub (finish_time, start_time); - /* - * Report on elapsed time and CPU usage. Depending what - * performance issue you're chasing down, different values may be - * of particular interest, so report all the info we've got. 
- */
- printf ("Overall run time with %d threads = %Lfs, %.2Lfus per iteration.\n",
- n_threads, wallclock, 1000000 * wallclock / iter_count);
- user = tvsub (finish.ru_utime, start.ru_utime);
- sys = tvsub (finish.ru_stime, start.ru_stime);
- total = user + sys;
- printf ("CPU usage: user=%Lfs sys=%Lfs total=%Lfs.\n", user, sys, total);
- printf ("Utilization: user=%5.1Lf%% sys=%5.1Lf%% total=%5.1Lf%%\n",
- 100 * user / wallclock,
- 100 * sys / wallclock,
- 100 * total / wallclock);
- printf ("Util/thread: user=%5.1Lf%% sys=%5.1Lf%% total=%5.1Lf%%\n",
- 100 * user / wallclock / n_threads,
- 100 * sys / wallclock / n_threads,
- 100 * total / wallclock / n_threads);
- printf ("Total CPU use per iteration per thread: %.2Lfus\n",
- 1000000 * total / n_threads / iter_count);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/threads/t_rcache.c b/crypto/krb5/src/tests/threads/t_rcache.c
deleted file mode 100644
index 8121429275cf..000000000000
--- a/crypto/krb5/src/tests/threads/t_rcache.c
+++ /dev/null
@@ -1,260 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/threads/t_rcache.c */
-/*
- * Copyright (C) 2006 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */ - -#include "k5-int.h" -#include <com_err.h> -#include <krb5.h> -#include <pthread.h> - -krb5_context ctx; -krb5_rcache rcache; -const char *rcname; -time_t end_time; -const char *prog; - -struct tinfo { - time_t now; - unsigned long my_ctime; - unsigned int my_cusec; - unsigned int total; - int idx; -}; - -#define DEFAULT_N_THREADS 2 -#define DEFAULT_INTERVAL 20 /* 5 * 60 */ - -int init_once = 0; -int n_threads = DEFAULT_N_THREADS; -int interval = DEFAULT_INTERVAL; -int *ip; - -static void wait_for_tick (void) -{ - time_t now, next; - now = time(0); - do { - next = time(0); - } while (now == next); -} - -/* Encrypt data into out (preallocated by the caller) with a random key. */ -static krb5_error_code encrypt_data (krb5_data *data, krb5_enc_data *out) -{ - krb5_keyblock kb; - krb5_error_code err; - - err = krb5_c_make_random_key(ctx, ENCTYPE_AES256_CTS_HMAC_SHA1_96, - &kb); - if (err) - return err; - err = krb5_c_encrypt(ctx, &kb, KRB5_KEYUSAGE_TGS_REQ_AUTH, NULL, data, - out); - krb5_free_keyblock_contents(ctx, &kb); - return err; -} - -static void try_one (struct tinfo *t) -{ - krb5_error_code err; - char buf[256], buf2[512]; - krb5_rcache my_rcache; - krb5_data d; - krb5_enc_data enc; - - snprintf(buf, sizeof(buf), "host/all-in-one.mit.edu/%p@ATHENA.MIT.EDU", - buf); - - /* k5_rc_store() requires a ciphertext. Create one by encrypting a dummy - * value in a random key. 
*/ - d = string2data(buf); - enc.ciphertext = make_data(buf2, sizeof(buf2)); - err = encrypt_data(&d, &enc); - if (err != 0) { - const char *msg = krb5_get_error_message(ctx, err); - fprintf(stderr, "%s: encrypting authenticator: %s\n", prog, msg); - krb5_free_error_message(ctx, msg); - exit(1); - } - - if (t->now != t->my_ctime) { - if (t->my_ctime != 0) { - snprintf(buf2, sizeof(buf2), "%3d: %ld %5d\n", t->idx, - t->my_ctime, t->my_cusec); - printf("%s", buf2); - } - t->my_ctime = t->now; - t->my_cusec = 1; - } else - t->my_cusec++; - if (!init_once) { - err = k5_rc_resolve(ctx, rcname, &my_rcache); - if (err) { - const char *msg = krb5_get_error_message(ctx, err); - fprintf(stderr, "%s: %s while initializing replay cache\n", prog, msg); - krb5_free_error_message(ctx, msg); - exit(1); - } - } else - my_rcache = rcache; - err = k5_rc_store(ctx, my_rcache, &enc); - if (err) { - com_err(prog, err, "storing in replay cache"); - exit(1); - } - if (!init_once) - k5_rc_close(ctx, my_rcache); -} - -static void *run_a_loop (void *x) -{ - struct tinfo t = { 0 }; - - t.now = time(0); - t.idx = *(int *)x; - while (t.now != time(0)) - ; - t.now = time(0); - while (t.now < end_time) { - t.now = time(0); - try_one(&t); - t.total++; - } - *(int*)x = t.total; - return 0; -} - -static void usage(void) -{ - fprintf (stderr, "usage: %s [ options ] rcname\n", prog); - fprintf (stderr, "options:\n"); - fprintf (stderr, "\t-1\tcreate one rcache handle for process\n"); - fprintf (stderr, "\t-t N\tnumber of threads to create (default: %d)\n", - DEFAULT_N_THREADS); - fprintf (stderr, - "\t-i N\tinterval to run test over, in seconds (default: %d)\n", - DEFAULT_INTERVAL); - exit(1); -} - -static const char optstring[] = "1t:i:"; - -static void process_options (int argc, char *argv[]) -{ - int c; - - prog = argv[0]; - while ((c = getopt(argc, argv, optstring)) != -1) { - switch (c) { - case '?': - case ':': - default: - usage (); - case '1': - init_once = 1; - break; - case 't': - n_threads 
= atoi (optarg); - if (n_threads < 1 || n_threads > 10000) - usage (); - break; - case 'i': - interval = atoi (optarg); - if (interval < 2 || n_threads > 100000) - usage (); - break; - } - } - - argc -= optind; - argv += optind; - if (argc != 1) - usage (); - rcname = argv[0]; -} - -int main (int argc, char *argv[]) -{ - krb5_error_code err; - int i; - unsigned long sum; - - process_options (argc, argv); - err = krb5_init_context(&ctx); - if (err) { - com_err(prog, err, "initializing context"); - return 1; - } - - if (init_once) { - err = k5_rc_resolve(ctx, rcname, &rcache); - if (err) { - const char *msg = krb5_get_error_message(ctx, err); - fprintf(stderr, "%s: %s while initializing new replay cache\n", - prog, msg); - krb5_free_error_message(ctx, msg); - return 1; - } - } - - ip = malloc(sizeof(int) * n_threads); - if (ip == 0 && n_threads > 0) { - perror("malloc"); - exit(1); - } - for (i = 0; i < n_threads; i++) - ip[i] = i; - - wait_for_tick (); - end_time = time(0) + interval; - - for (i = 0; i < n_threads; i++) { - pthread_t new_thread; - int perr; - perr = pthread_create(&new_thread, 0, run_a_loop, &ip[i]); - if (perr) { - errno = perr; - perror("pthread_create"); - exit(1); - } - } - while (time(0) < end_time + 1) - sleep(1); - sum = 0; - for (i = 0; i < n_threads; i++) { - sum += ip[i]; - printf("thread %d total %5d, about %.1f per second\n", i, ip[i], - ((double) ip[i])/interval); - } - printf("total %lu in %d seconds, avg ~%.1f/sec, ~%.1f/sec/thread\n", - sum, interval, - ((double)sum)/interval, ((double)sum)/interval/n_threads); - free(ip); - - if (init_once) - k5_rc_close(ctx, rcache); - krb5_free_context(ctx); - return 0; -} diff --git a/crypto/krb5/src/tests/unlockiter.c b/crypto/krb5/src/tests/unlockiter.c deleted file mode 100644 index e854bc90b7db..000000000000 --- a/crypto/krb5/src/tests/unlockiter.c +++ /dev/null 
@@ -1,276 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/unlockiter.c - test program for unlocked iteration */
-/*
- * Copyright (C) 2014 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Test unlocked KDB iteration.
- */ - -#include <sys/types.h> -#include <sys/select.h> -#include <sys/time.h> -#include <sys/wait.h> - -#include <errno.h> -#include <krb5.h> -#include <kadm5/admin.h> -#include <signal.h> -#include <stdlib.h> -#include <string.h> /* Some platforms need memset() for FD_ZERO */ -#include <unistd.h> - -struct cb_arg { - int inpipe; - int outpipe; - int timeout; - int done; -}; - -/* Helper function for cb(): read a sync byte (with possible timeout), then - * write a sync byte. */ -static int -syncpair_rw(const char *name, struct cb_arg *arg, char *cp, int timeout) -{ - struct timeval tv; - fd_set rset; - int nfds; - - FD_ZERO(&rset); - FD_SET(arg->inpipe, &rset); - tv.tv_sec = timeout; - tv.tv_usec = 0; - - printf("cb: waiting for %s sync pair\n", name); - nfds = select(arg->inpipe + 1, &rset, - NULL, NULL, (timeout == 0) ? NULL : &tv); - if (nfds < 0) - return -1; - if (nfds == 0) { - errno = ETIMEDOUT; - return -1; - } - if (read(arg->inpipe, cp, 1) < 0) - return -1; - printf("cb: writing %s sync pair\n", name); - if (write(arg->outpipe, cp, 1) < 0) - return -1; - return 0; -} - -/* On the first iteration only, receive and send sync bytes to the locking - * child to drive its locking activities. */ -static krb5_error_code -cb(void *argin, krb5_db_entry *ent) -{ - struct cb_arg *arg = argin; - char c = '\0'; - - if (arg->done) - return 0; - - if (syncpair_rw("first", arg, &c, 0) < 0) { - com_err("cb", errno, "first sync pair"); - return errno; - } - if (syncpair_rw("second", arg, &c, arg->timeout) < 0) { - com_err("cb", errno, "second sync pair"); - return errno; - } - printf("cb: waiting for final sync byte\n"); - if (read(arg->inpipe, &c, 1) < 0) { - com_err("cb", errno, "final sync byte"); - return errno; - } - arg->done = 1; - return 0; -} - -/* Parent process: iterate over the KDB, using a callback that synchronizes - * with the locking child. 
*/ -static int -iterator(struct cb_arg *cb_arg, char **db_args, pid_t child) -{ - krb5_error_code retval; - krb5_context ctx; - - retval = krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx); - if (retval) - goto cleanup; - - retval = krb5_db_open(ctx, db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); - if (retval) - goto cleanup; - - retval = krb5_db_iterate(ctx, NULL, cb, cb_arg, 0); - if (retval) - goto cleanup; - - retval = krb5_db_fini(ctx); - -cleanup: - krb5_free_context(ctx); - if (retval) { - com_err("iterator", retval, ""); - kill(child, SIGTERM); - exit(1); - } - return retval; -} - -/* Helper function for locker(): write, then receive a sync byte. */ -static int -syncpair_wr(const char *name, int inpipe, int outpipe, unsigned char *cp) -{ - printf("locker: writing %s sync pair\n", name); - if (write(outpipe, cp, 1) < 0) - return -1; - printf("locker: waiting for %s sync pair\n", name); - if (read(inpipe, cp, 1) < 0) - return -1; - return 0; -} - -/* Child process: acquire and release a write lock on the KDB, synchronized - * with parent. 
*/ -static int -locker(int inpipe, int outpipe, char **db_args) -{ - krb5_error_code retval; - unsigned char c = '\0'; - krb5_context ctx; - - retval = krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx); - if (retval) - goto cleanup; - - retval = krb5_db_open(ctx, db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); - if (retval) - goto cleanup; - - if (syncpair_wr("first", inpipe, outpipe, &c) < 0) { - retval = errno; - goto cleanup; - } - printf("locker: acquiring lock...\n"); - retval = krb5_db_lock(ctx, KRB5_DB_LOCKMODE_EXCLUSIVE); - if (retval) - goto cleanup; - printf("locker: acquired lock\n"); - if (syncpair_wr("second", inpipe, outpipe, &c) < 0) { - retval = errno; - goto cleanup; - } - krb5_db_unlock(ctx); - printf("locker: released lock\n"); - printf("locker: writing final sync byte\n"); - if (write(outpipe, &c, 1) < 0) { - retval = errno; - goto cleanup; - } - retval = krb5_db_fini(ctx); -cleanup: - if (retval) - com_err("locker", retval, ""); - - krb5_free_context(ctx); - exit(retval != 0); -} - -static void -usage(const char *prog) -{ - fprintf(stderr, "usage: %s [-lu] [-t timeout]\n", prog); - exit(1); -} - -int -main(int argc, char *argv[]) -{ - struct cb_arg cb_arg; - pid_t child; - char *db_args[2] = { NULL, NULL }; - int c; - int cstatus; - int pipe_to_locker[2], pipe_to_iterator[2]; - - cb_arg.timeout = 1; - cb_arg.done = 0; - while ((c = getopt(argc, argv, "lt:u")) != -1) { - switch (c) { - case 'l': - db_args[0] = "lockiter"; - break; - case 't': - cb_arg.timeout = atoi(optarg); - break; - case 'u': - db_args[0] = "unlockiter"; - break; - default: - usage(argv[0]); - } - } - if (pipe(pipe_to_locker) < 0) { - com_err(argv[0], errno, "pipe(p_il)"); - exit(1); - } - if (pipe(pipe_to_iterator) < 0) { - com_err(argv[0], errno, "pipe(p_li)"); - exit(1); - } - cb_arg.inpipe = pipe_to_iterator[0]; - cb_arg.outpipe = pipe_to_locker[1]; - child = fork(); - switch (child) { - case -1: - com_err(argv[0], errno, "fork"); - exit(1); - break; - 
case 0:
- locker(pipe_to_locker[0], pipe_to_iterator[1], db_args);
- break;
- default:
- if (iterator(&cb_arg, db_args, child))
- exit(1);
- if (wait(&cstatus) < 0) {
- com_err(argv[0], errno, "wait");
- exit(1);
- }
- if (WIFSIGNALED(cstatus))
- exit(1);
- if (WIFEXITED(cstatus) && WEXITSTATUS(cstatus) != 0) {
- exit(1);
- }
- }
- exit(0);
-}
diff --git a/crypto/krb5/src/tests/verify/Makefile.in b/crypto/krb5/src/tests/verify/Makefile.in
deleted file mode 100644
index bdff9d6801cf..000000000000
--- a/crypto/krb5/src/tests/verify/Makefile.in
+++ /dev/null
@@ -1,16 +0,0 @@
-mydir=tests$(S)verify
-BUILDTOP=$(REL)..$(S)..
-KDB5_DEP_LIB=$(THREAD_LINKOPTS) $(DL_LIB)
-
-SRCS=$(srcdir)/kdb5_verify.c
-
-all: kdb5_verify
-
-kdb5_verify: kdb5_verify.o $(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o kdb5_verify kdb5_verify.o $(KDB5_LIBS) $(KDB5_DEP_LIB) $(KRB5_BASE_LIBS)
-
-install:
-
-clean:
- $(RM) kdb5_verify.o kdb5_verify
-
diff --git a/crypto/krb5/src/tests/verify/deps b/crypto/krb5/src/tests/verify/deps
deleted file mode 100644
index 066e907c7071..000000000000
--- a/crypto/krb5/src/tests/verify/deps
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)kdb5_verify.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SS_DEPS) \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h kdb5_verify.c
diff --git a/crypto/krb5/src/tests/verify/kdb5_verify.c b/crypto/krb5/src/tests/verify/kdb5_verify.c
deleted file mode 100644
index d53e92ad4542..000000000000
--- a/crypto/krb5/src/tests/verify/kdb5_verify.c
+++ /dev/null
@@ -1,440 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/verify/kdb5_verify.c */
-/*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include "com_err.h"
-#include <ss/ss.h>
-#include <stdio.h>
-
-#define REALM_SEP '@'
-#define REALM_SEP_STR "@"
-
-struct mblock {
- krb5_deltat max_life;
- krb5_deltat max_rlife;
- krb5_timestamp expiration;
- krb5_flags flags;
- krb5_kvno mkvno;
-} mblock = { /* XXX */
- KRB5_KDB_MAX_LIFE,
- KRB5_KDB_MAX_RLIFE,
- KRB5_KDB_EXPIRATION,
- KRB5_KDB_DEF_FLAGS,
- 0
-};
-
-int set_dbname_help (krb5_context, char *, char *);
-
-static void
-usage(char *who, int status)
-{
- fprintf(stderr,
- "usage: %s -p prefix -n num_to_check [-d dbpathname] [-r realmname]\n",
- who);
- fprintf(stderr, "\t [-D depth] [-k enctype] [-M mkeyname]\n");
-
- exit(status);
-}
-
-krb5_keyblock master_keyblock;
-krb5_principal master_princ;
-krb5_encrypt_block master_encblock;
-krb5_pointer master_random;
-char *str_master_princ;
-
-static char *progname;
-static char *cur_realm = 0;
-static char *mkey_name = 0;
-static char *mkey_password = 0;
-static krb5_boolean manual_mkey = FALSE;
-
-
-int check_princ (krb5_context, char *);
-
-int
-main(int argc, char *argv[])
-{
- extern char *optarg;
- int optchar, i, n;
- char tmp[4096], tmp2[BUFSIZ], *str_princ;
-
- krb5_context context;
- krb5_error_code retval;
- char *dbname = 0;
- int enctypedone = 0;
- int num_to_check;
- char principal_string[BUFSIZ];
- char *suffix = 0;
- size_t suffix_size = 0;
- int depth, errors;
-
- krb5_init_context(&context);
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- progname = argv[0];
-
- memset(principal_string, 0, sizeof(principal_string));
- num_to_check = 0;
- depth = 1;
-
- while ((optchar = getopt(argc, argv, "D:P:p:n:d:r:R:k:M:e:m")) != -1) {
- switch(optchar) {
- case 'D':
- depth = atoi(optarg); /* how deep to go */
- break;
- case 'P': /* Only used for testing!!! 
*/ - mkey_password = optarg; - break; - case 'p': /* prefix name to check */ - strncpy(principal_string, optarg, sizeof(principal_string) - 1); - principal_string[sizeof(principal_string) - 1] = '\0'; - suffix = principal_string + strlen(principal_string); - suffix_size = sizeof(principal_string) - - (suffix - principal_string); - break; - case 'n': /* how many to check */ - num_to_check = atoi(optarg); - break; - case 'd': /* set db name */ - dbname = optarg; - break; - case 'r': - cur_realm = optarg; - break; - case 'k': - master_keyblock.enctype = atoi(optarg); - enctypedone++; - break; - case 'M': /* master key name in DB */ - mkey_name = optarg; - break; - case 'm': - manual_mkey = TRUE; - break; - case '?': - default: - usage(progname, 1); - /*NOTREACHED*/ - } - } - - if (!(num_to_check && suffix)) usage(progname, 1); - - if (!enctypedone) - master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; - - if (!krb5_c_valid_enctype(master_keyblock.enctype)) { - com_err(progname, KRB5_PROG_ETYPE_NOSUPP, - "while setting up enctype %d", master_keyblock.enctype); - exit(1); - } - - krb5_use_enctype(context, &master_encblock, master_keyblock.enctype); - - if (!dbname) - dbname = DEFAULT_KDB_FILE; /* XXX? 
 */
-
- if (!cur_realm) {
- if ((retval = krb5_get_default_realm(context, &cur_realm))) {
- com_err(progname, retval, "while retrieving default realm name");
- exit(1);
- }
- }
- if ((retval = set_dbname_help(context, progname, dbname)))
- exit(retval);
-
- errors = 0;
-
- fprintf(stdout, "\nChecking ");
-
- for (n = 1; n <= num_to_check; n++) {
- /* build the new principal name */
- /* we can't pick random names because we need to generate all the names
- again given a prefix and count to test the db lib and kdb */
- (void) snprintf(suffix, suffix_size, "%d", n);
- (void) snprintf(tmp, sizeof(tmp), "%s-DEPTH-1", principal_string);
- str_princ = tmp;
- if (check_princ(context, str_princ)) errors++;
-
- for (i = 2; i <= depth; i++) {
- (void) snprintf(tmp2, sizeof(tmp2), "/%s-DEPTH-%d",
- principal_string, i);
- tmp2[sizeof(tmp2) - 1] = '\0';
- strncat(tmp, tmp2, sizeof(tmp) - 1 - strlen(tmp));
- str_princ = tmp;
- if (check_princ(context, str_princ)) errors++;
- }
- }
-
- if (errors)
- fprintf(stdout, "\n%d errors/principals failed.\n", errors);
- else
- fprintf(stdout, "\nNo errors.\n");
-
- krb5_finish_random_key(context, &master_encblock, &master_random);
- krb5_finish_key(context, &master_encblock);
-
- retval = krb5_db_fini(context);
- memset(master_keyblock.contents, 0, (size_t) master_keyblock.length);
- if (retval && retval != KRB5_KDB_DBNOTINITED) {
- com_err(progname, retval, "while closing database");
- exit(1);
- }
- krb5_free_keyblock_contents(context, &master_keyblock);
-
- if (str_master_princ) {
- krb5_free_unparsed_name(context, str_master_princ);
- }
- krb5_free_principal(context, master_princ);
- krb5_free_context(context);
- exit(0);
-}
-
-int
-check_princ(krb5_context context, char *str_princ)
-{
- krb5_error_code retval;
- krb5_db_entry *kdbe = NULL;
- krb5_keyblock pwd_key, db_key;
- krb5_data pwd, salt;
- krb5_principal princ;
- /* char *str_mod_name; */
- char princ_name[4096];
-
- snprintf(princ_name, sizeof(princ_name), "%s@%s", str_princ, 
 cur_realm);
-
- if ((retval = krb5_parse_name(context, princ_name, &princ))) {
- com_err(progname, retval, "while parsing '%s'", princ_name);
- goto out;
- }
-
- pwd.data = princ_name; /* must be able to regenerate */
- pwd.length = strlen(princ_name);
-
- if ((retval = krb5_principal2salt(context, princ, &salt))) {
- com_err(progname, retval, "while converting principal to salt for '%s'", princ_name);
- krb5_free_principal(context, princ);
- goto out;
- }
-
- if ((retval = krb5_string_to_key(context, &master_encblock,
- &pwd_key, &pwd, &salt))) {
- com_err(progname, retval, "while converting password to key for '%s'",
- princ_name);
- krb5_free_data_contents(context, &salt);
- krb5_free_principal(context, princ);
- goto out;
- }
- krb5_free_data_contents(context, &salt);
-
- if ((retval = krb5_db_get_principal(context, princ, 0, &kdbe))) {
- com_err(progname, retval, "while attempting to verify principal's existence");
- krb5_free_principal(context, princ);
- goto out;
- }
- krb5_free_principal(context, princ);
-
- if ((retval = krb5_dbe_decrypt_key_data(context, NULL,
- kdbe->key_data, &db_key, NULL))) {
- com_err(progname, retval, "while decrypting key for '%s'", princ_name);
- goto errout;
- }
-
- if ((pwd_key.enctype != db_key.enctype) ||
- (pwd_key.length != db_key.length)) {
- fprintf (stderr, "\tKey types do not agree (%d expected, %d from db)\n",
- pwd_key.enctype, db_key.enctype);
- errout:
- krb5_db_free_principal(context, kdbe);
- return(-1);
- }
- else {
- if (memcmp((char *)pwd_key.contents, (char *) db_key.contents,
- (size_t) pwd_key.length)) {
- fprintf(stderr, "\t key did not match stored value for %s\n",
- princ_name);
- goto errout;
- }
- }
-
- free(pwd_key.contents);
- free(db_key.contents);
-
- if (kdbe->key_data[0].key_data_kvno != 1) {
- fprintf(stderr,"\tkvno did not match stored value for %s.\n", princ_name);
- goto errout;
- }
-
- if (kdbe->max_life != mblock.max_life) {
- fprintf(stderr, "\tmax life did not match stored value for %s.\n", 
- princ_name);
- goto errout;
- }
-
- if (kdbe->max_renewable_life != mblock.max_rlife) {
- fprintf(stderr,
- "\tmax renewable life did not match stored value for %s.\n",
- princ_name);
- goto errout;
- }
-
- if (kdbe->expiration != mblock.expiration) {
- fprintf(stderr, "\texpiration time did not match stored value for %s.\n",
- princ_name);
- goto errout;
- }
-
-/*
- if ((retval = krb5_unparse_name(context, kdbe.mod_name, &str_mod_name)))
- com_err(progname, retval, "while unparsing mode name");
- else {
- if (strcmp(str_mod_name, str_master_princ) != 0) {
- fprintf(stderr, "\tmod name isn't the master princ (%s not %s).\n",
- str_mod_name, str_master_princ);
- free(str_mod_name);
- goto errout;
- }
- else free(str_mod_name);
- }
-*/
-
- if (kdbe->attributes != mblock.flags) {
- fprintf(stderr, "\tAttributes did not match stored value for %s.\n",
- princ_name);
- goto errout;
- }
-
-out:
- krb5_db_free_principal(context, kdbe);
-
- return(0);
-}
-
-int
-set_dbname_help(krb5_context context, char *pname, char *dbname)
-{
- krb5_error_code retval;
- krb5_data pwd, scratch;
- char *args[2];
- krb5_db_entry *master_entry;
-
- /* assemble & parse the master key name */
-
- if ((retval = krb5_db_setup_mkey_name(context, mkey_name, cur_realm, 0,
- &master_princ))) {
- com_err(pname, retval, "while setting up master key name");
- return(1);
- }
- if (mkey_password) {
- pwd.data = mkey_password;
- pwd.length = strlen(mkey_password);
- retval = krb5_principal2salt(context, master_princ, &scratch);
- if (retval) {
- com_err(pname, retval, "while calculated master key salt");
- return(1);
- }
- if ((retval = krb5_string_to_key(context, &master_encblock,
- &master_keyblock, &pwd, &scratch))) {
- com_err(pname, retval,
- "while transforming master key from password");
- return(1);
- }
- free(scratch.data);
- } else {
- if ((retval = krb5_db_fetch_mkey(context, master_princ,
- master_keyblock.enctype,
- manual_mkey, FALSE, (char *) NULL,
- NULL, NULL,
- &master_keyblock))) {
- com_err(pname, retval, "while reading master key");
- return(1);
- }
- }
-
- /* Ick! Current DAL interface requires that the default_realm
- field be set in the krb5_context. */
- if ((retval = krb5_set_default_realm(context, cur_realm))) {
- com_err(pname, retval, "setting default realm");
- return 1;
- }
- /* Pathname is passed to db2 via 'args' parameter. */
- args[1] = NULL;
- if (asprintf(&args[0], "dbname=%s", dbname) < 0) {
- com_err(pname, errno, "while setting up db parameters");
- return 1;
- }
-
- if ((retval = krb5_db_open(context, args, KRB5_KDB_OPEN_RO))) {
- com_err(pname, retval, "while initializing database");
- return(1);
- }
- if ((retval = krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock))) {
- com_err(pname, retval, "while verifying master key");
- (void) krb5_db_fini(context);
- return(1);
- }
- if ((retval = krb5_db_get_principal(context, master_princ, 0,
- &master_entry))) {
- com_err(pname, retval, "while retrieving master entry");
- (void) krb5_db_fini(context);
- return(1);
- }
-
- if ((retval = krb5_unparse_name(context, master_princ,
- &str_master_princ))) {
- com_err(pname, retval, "while unparsing master principal");
- krb5_db_fini(context);
- return(1);
- }
-
- if ((retval = krb5_process_key(context,
- &master_encblock, &master_keyblock))) {
- com_err(pname, retval, "while processing master key");
- (void) krb5_db_fini(context);
- return(1);
- }
- if ((retval = krb5_init_random_key(context,
- &master_encblock, &master_keyblock,
- &master_random))) {
- com_err(pname, retval, "while initializing random key generator");
- krb5_finish_key(context, &master_encblock);
- (void) krb5_db_fini(context);
- return(1);
- }
- mblock.max_life = master_entry->max_life;
- mblock.max_rlife = master_entry->max_renewable_life;
- mblock.expiration = master_entry->expiration;
- /* don't set flags, master has some extra restrictions */
- mblock.mkvno = master_entry->key_data[0].key_data_kvno;
-
- krb5_db_free_principal(context, master_entry);
- free(args[0]);
- return 0;
-}
diff --git a/crypto/krb5/src/tests/verify/pkey.c b/crypto/krb5/src/tests/verify/pkey.c
deleted file mode 100644
index 9ed575c4a117..000000000000
--- a/crypto/krb5/src/tests/verify/pkey.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/verify/pkey.c */
-/*
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * For copying and distribution information, please see the file
- * <krb5/copyright.h>.
- *
- */
-
-#include <stdio.h>
-
-void pkey(k)
- unsigned char *k;
-{
- int i;
- unsigned int foo;
-
- for (i = 0 ; i < 8 ; i++) {
- foo = *k++;
- fprintf(stderr, "%x ", foo);
- }
-} |