.gitlab-ci.yml: corrected kerberos tests

This also corrects the kerberos test script environment
to enable running the test.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml

@@ -236,7 +236,7 @@ Fedora:
   - chmod -R o-w tests/data/raddb
   - git submodule update --init
   - autoreconf -fvi
-  - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --enable-code-coverage --enable-kerberos-tests --enable-oidc-auth
+  - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --enable-code-coverage --with-kerberos-tests --enable-oidc-auth
   - make -j$JOBS
   - make check -j$JOBS COVERAGE=1
   - make files-update

configure.ac

@@ -513,6 +513,12 @@ fi
 
 AM_CONDITIONAL(HAVE_GSSAPI, test "$enable_gssapi" = yes)
 
+if test "x$kerberos_tests" = xyes && test "$enable_gssapi" != yes;then
+	AC_MSG_ERROR([[***
+*** libkrb5 was not found and enable-kerberos-tests was specified.
+***]])
+fi
+
 dnl needed in the included PCL
 AC_C_VOLATILE
 AC_C_CONST

tests/Makefile.am

@@ -37,7 +37,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
 	data/test-udp-listen-host.config data/pam-kerberos/passdb.templ \
 	data/test-max-same-1.config data/test-script-multi-user.config \
 	sleep-connect-script data/test-psk-negotiate.config \
-	connect-ios-script data/apple-ios.config
+	connect-ios-script data/apple-ios.config certs/kerberos-cert.pem \
+	data/kdc.conf data/krb5.conf data/k5.KERBEROS.TEST data/kadm5.acl
 
 SUBDIRS = docker-ocserv
 

tests/certs/kerberos-cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmjCCAlKgAwIBAgIUAw1WUDsvgmQQ1Xgs8wxKwzQAXAMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAxMCQ0EwIBcNMjAwMzEyMjEzNzM3WhgPOTk5OTEyMzEyMzU5
+NTlaMAAwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivsPxSwLBn2
+8W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8u5HvN3nD
+Wtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lndYJx2X8WW
+ldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZIVumQy7c
++tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759KNPYisSq
+AuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk57lAIWER9
+egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZUyNncTSf6
+qMVoedgdAgMBAAGjgZwwgZkwDAYDVR0TAQH/BAIwADAjBgNVHREEHDAagg1rZXJi
+ZXJvcy50ZXN0gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0P
+AQH/BAUDAwegADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0j
+BBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAJ48
+699xMoiFVRwWgvMMSD/aQXZpKGdRgGt9rIY2aewAHO9Fc3F8ejDx+nB5RNX9xa7I
+3lujSt1i8mzLRv7A36GL/9Eqekpr/qRUlsuSXFNXHM8hQDsLWamvI8CP00/xFxay
+Q9iBkFkwlAkz/CjEBQ/toWbgjlees7UpzUSOxeu7bqPN7VUfLlT+TyaqnEpDoQIB
+UEdtnosIUqXnenLJLgMB0oq3eIb24DgnLP6ugBN04uB6gmWs9A61Ky9MFt3dywj1
+NUgK+hDfkmBMUojYCbHFDZaoYhCXWmNWoWP1SB6HjUzChx1calDlF0btBqu5aGfY
+fbrU+MlHPU53frZaJX2LLKY0SQXVj/CsbOXsgrNlo4pHQlcTVy1FHS5awMN3gXFz
+eLT8eSJDB5v3mxxbPQ8=
+-----END CERTIFICATE-----

tests/common.sh

@@ -139,9 +139,9 @@ launch_pam_server() {
 		SR="libsocket_wrapper.so:"
 	fi
 	if test -n "${VERBOSE}" && test "${VERBOSE}" -ge 1;then
-		LD_PRELOAD=libnss_wrapper.so:${SR}libpam_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* &
+		LD_PRELOAD=libnss_wrapper.so:${SR}libpam_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $PRELOAD_CMD $SERV $* &
 	else
-		LD_PRELOAD=libnss_wrapper.so:${SR}libpam_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $SERV $* >/dev/null 2>&1 &
+		LD_PRELOAD=libnss_wrapper.so:${SR}libpam_wrapper.so:libuid_wrapper.so PAM_WRAPPER=1 UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $PRELOAD_CMD $SERV $* >/dev/null 2>&1 &
 	fi
 	LOCALPID="$!";
 	unset NSS_WRAPPER_PASSWD

tests/data/k5.KERBEROS.TEST

@@ -0,0 +1 @@
+secret123

tests/data/kadm5.acl

@@ -0,0 +1 @@
+*/admin@KERBEROS.TEST	*

tests/data/kdc.conf

@@ -0,0 +1,15 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ spake_preauth_kdc_challenge = edwards25519
+
+[realms]
+ KERBEROS.TEST = {
+  master_key_type = aes256-cts
+  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  key_stash_file = /var/kerberos/krb5kdc/k5.KERBEROS.TEST
+  supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
+ }
+

tests/data/kerberos.config

@@ -73,7 +73,7 @@ try-mtu-discovery = false
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
-server-cert = @SRCDIR@/certs/server-cert.pem
+server-cert = @SRCDIR@/certs/kerberos-cert.pem
 server-key = @SRCDIR@/certs/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
@@ -100,7 +100,7 @@ server-key = @SRCDIR@/certs/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-ca-cert = /etc/ocserv/ca.pem
+ca-cert = @SRCDIR/certs/ca.pem
 
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN

tests/data/krb5.conf

@@ -0,0 +1,27 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = KERBEROS.TEST
+ default_keytab_name = /etc/krb5-keytab
+
+ default_ccache_name = FILE:/tmp/krb5_cc%{uid}
+
+[realms]
+KERBEROS.TEST = {
+ kdc = https://kerberos.test/kerberos
+ http_anchors = FILE:/etc/ocserv/ca.pem
+ admin_server = kerberos.test
+ auth_to_local = DEFAULT
+}
+
+[domain_realm]
+.kerberos.test = KERBEROS.TEST
+kerberos.test = KERBEROS.TEST

tests/kerberos

@@ -23,8 +23,9 @@
 OCCTL="${OCCTL:-../src/occtl/occtl}"
 SERV="${SERV:-../src/ocserv}"
 srcdir=${srcdir:-.}
-PORT=5647
+PORT=443
 PIDFILE=ocserv-pid.$$.tmp
+KRB5PIDFILE=krb5-pid.$$.tmp
 CLIPID=oc-pid.$$.tmp
 PATH=${PATH}:/usr/sbin
 IP=$(which ip)
@@ -33,20 +34,21 @@ OUTFILE=traffic.$$.tmp
 USERNAME=krb5user
 USERPASS=krb5user123
 
+export KRB5_TRACE=/dev/stderr
 
 . `dirname $0`/common.sh
 
 if test -z "${IP}";then
 	echo "no IP tool is present"
-	exit 77
+	exit 1
 fi
 
 if test "$(id -u)" != "0";then
-	echo "This test must be run as root"
-	exit 77
+	echo "This test must be run as root, and is a destructive one"
+	exit 1
 fi
 
-if ! test -f /etc/krb5.conf && ! test -f /var/kerberos/krb5kdc/kdc.conf;then
+if ! test -x /usr/sbin/kadmin.local;then
 	echo "This test must be run on a KDC-running system"
 	exit 1
 fi
@@ -57,7 +59,8 @@ function finish {
   set +e
   echo " * Cleaning up..."
   test -n "${PID}" && kill ${PID} >/dev/null 2>&1
-  test -n "${KRB5PID}" && kill ${KRB5PID} >/dev/null 2>&1
+  test -e "${KRB5PIDFILE}" && kill $(cat ${KRB5PIDFILE}) >/dev/null 2>&1
+  test -e "${KRB5PIDFILE}" && rm -f ${KRB5PIDFILE} >/dev/null 2>&1
   test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
   test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
   test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
@@ -82,42 +85,83 @@ ${CMDNS2} ${IP} link set dev lo up
 
 # Run KDC
 # This is destructive at the moment as it changes the system that it is being run.
+mkdir -p /var/kerberos/krb5kdc/
+cp ${srcdir}/data/krb5.conf /etc/
+cp ${srcdir}/data/kdc.conf /var/kerberos/krb5kdc/
+cp ${srcdir}/data/k5.KERBEROS.TEST /var/kerberos/krb5kdc/
+cp ${srcdir}/data/kadm5.acl /var/kerberos/krb5kdc/
+chmod 750 /var/kerberos/krb5kdc/
+chmod 640 /var/kerberos/krb5kdc/*
+
+echo " * creating database"
 echo -e "secret123\nsecret123"|/usr/sbin/kdb5_util create -s
 
-echo " * added ${USERNAME}"
+echo " * addprinc ${USERNAME}"
 echo -e "${USERPASS}\n${USERPASS}" | /usr/sbin/kadmin.local -q "addprinc ${USERNAME}"
+test $? = 0 || exit 1
+
+echo " * addprinc HTTP"
 echo -e "test123\ntest123" | /usr/sbin/kadmin.local -q "addprinc HTTP/kerberos.test"
+test $? = 0 || exit 1
+
+echo " * addprinc keytab"
 /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/krb5-keytab HTTP/kerberos.test@KERBEROS.TEST"
+test $? = 0 || exit 1
 
-${CMDNS2} /usr/sbin/krb5kdc &
-KRB5PID=$!
+grep kerberos.test /etc/hosts || echo "${ADDRESS} kerberos.test" >> /etc/hosts
 
-sleep 2
+mkdir -p /etc/ocserv
+cp ${srcdir}/certs/ca.pem /etc/ocserv
+
+
+echo " * Starting KDC..."
+${CMDNS2} /usr/sbin/krb5kdc -P ${KRB5PIDFILE}
+test $? = 0 || exit 1
+
+sleep 4
 
 export TEST_PAMDIR=data/pam-kerberos
 update_config kerberos.config
-if test "$VERBOSE" = 1;then
-DEBUG="-d 3"
-fi
 
 # Run ocserv
-PREPEND_CMD=${CMDNS2}
-launch_pam_server -d 1 -f -c ${CONFIG} & PID=$!
-PREPEND_CMD=""
+PRELOAD_CMD=${CMDNS2}
+echo " * Starting ocserv..."
+launch_pam_server -d 3 -f -c ${CONFIG} & PID=$!
+PRELOAD_CMD=""
 
 sleep 5
 
+echo ""
 echo " * Getting cookie via PAM from ${ADDRESS}:${PORT}..."
-( echo "${USERPASS}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+( echo "${USERPASS}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
 if test $? != 0;then
 	echo "Could not get cookie from server"
 	exit 1
 fi
 
-${CMDNS1} echo ${USERPASS}|kinit ${USERNAME}@KERBEROS.TEST
+echo ""
+echo " * Running kinit"
+echo ${USERPASS}|${CMDNS1} kinit -V ${USERNAME}@KERBEROS.TEST
+if test $? != 0;then
+	echo "Error in kinit"
+	exit 1
+fi
 
-echo " * Connecting via krb5 to ${ADDRESS}:${PORT}..."
-( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+echo ""
+echo " * Running klist"
+${CMDNS1} klist
+
+echo ""
+echo " * Getting cookie via kerberos from kerberos.test:${PORT}..."
+${CMDNS1} ${OPENCONNECT} kerberos.test:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly
+if test $? != 0;then
+	echo "Could not get cookie from server"
+	exit 1
+fi
+
+echo ""
+echo " * Connecting via krb5 to kerberos.test:${PORT}..."
+( ${CMDNS1} ${OPENCONNECT} kerberos.test:${PORT} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --verbose -b )
 if test $? != 0;then
 	echo "Could not connect to server"
 	exit 1
@@ -131,16 +175,11 @@ if test $? != 0;then
 	exit 1
 fi
 
-${CMDNS2} ping -w 3 ${CLIVPNADDR}
-if test $? != 0;then
-	echo "Could not ping client IP"
-	exit 1
-fi
-
 sleep 60
 
-echo " * Connecting via krb5 and non-fresh ticket to ${ADDRESS}:${PORT}..."
-( ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+echo ""
+echo " * Connecting via krb5 and non-fresh ticket to kerberos.test:${PORT}..."
+${CMDNS1} ${OPENCONNECT} kerberos.test:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly
 if test $? = 0;then
 	echo "Could connect to server although not expected"
 	exit 1