feat: add tests for gssapi-with-mic

feat: tests set hostname for sshd, make GSSAPIStrictAcceptorCheck yes pass feat: add GSSAPI_TESTING cmake option feat: gssapi libssh server test feat: make kdc setup and teardown functions feat: add kinit, kadmin scripts to kdc setup function feat: add some client gssapi auth tests Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2026-02-09 18:04:25 +09:00 · 2024-03-29 06:47:36 +00:00
parent 6d1ed76c7a
commit 74d42ca38b
14 changed files with 867 additions and 19 deletions
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -562,6 +562,7 @@ void torture_setup_socket_dir(void **state)
    const char *p;
    size_t len;
    char *env = NULL;
+    char gss_dir[1024] = {0};
    int rc;

    s = calloc(1, sizeof(struct torture_state));
@@ -581,6 +582,16 @@ void torture_setup_socket_dir(void **state)
    s->socket_dir = torture_make_temp_dir(TORTURE_SOCKET_DIR);
    assert_non_null(s->socket_dir);

+#ifdef WITH_GSSAPI
+    snprintf(gss_dir,
+             sizeof(gss_dir),
+             "%s/gss",
+             s->socket_dir);
+    rc = mkdir(gss_dir, 0755);
+    assert_return_code(rc, errno);
+    s->gss_dir = strdup(gss_dir);
+#endif
+
    p = s->socket_dir;

    /* pcap file */
@@ -931,6 +942,50 @@ int torture_wait_for_daemon(unsigned int seconds)
    return 1;
 }

+void
+torture_set_kdc_env_str(const char *gss_dir, char *env, size_t size)
+{
+    snprintf(env,
+             size,
+             "KRB5CCNAME=%s/cc "
+             "KRB5_CONFIG=%s/k/krb5.conf "
+             "KRB5_KDC_PROFILE=%s/k "
+             "KRB5_KTNAME=%s/d/ssh.keytab "
+             "KRB5RCACHETYPE=none ",
+             gss_dir,
+             gss_dir,
+             gss_dir,
+             gss_dir);
+}
+
+void
+torture_set_env_from_str(const char *env)
+{
+    struct ssh_tokens_st *vars = NULL, *var = NULL;
+
+    vars = ssh_tokenize(env, ' ');
+    if (vars == NULL) {
+        fail_msg("bad environment string");
+    }
+
+    for (int i = 0; vars->tokens[i]; i++) {
+        var = ssh_tokenize(vars->tokens[i], '=');
+        if (var == NULL) {
+            ssh_tokens_free(vars);
+            fail_msg("bad environment string");
+        }
+        if (var->tokens[0] != NULL && var->tokens[1] != NULL) {
+            setenv(var->tokens[0], var->tokens[1], 1);
+        } else {
+            ssh_tokens_free(var);
+            ssh_tokens_free(vars);
+            fail_msg("bad environment string");
+        }
+        ssh_tokens_free(var);
+    }
+    ssh_tokens_free(vars);
+}
+
 /**
 * @brief Run a libssh based server under timeout.
 *
@@ -956,6 +1011,7 @@ void torture_setup_libssh_server(void **state, const char *server_path)
    char start_cmd[1024];
    char timeout_cmd[512];
    char env[1024];
+    char kdc_env[255];
    char extra_options[1024];
    int rc;
    char *ld_preload = NULL;
@@ -995,15 +1051,23 @@ void torture_setup_libssh_server(void **state, const char *server_path)
        force_fips = "";
    }

+    torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env));
+
    /* Write the environment setting */
    /* OPENSSL variable is needed to enable SHA1 */
-    printed = snprintf(env, sizeof(env),
+    printed = snprintf(env,
+                       sizeof(env),
                       "SOCKET_WRAPPER_DIR=%s "
                       "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
                       "LD_PRELOAD=%s "
                       "%s "
-                       "OPENSSL_ENABLE_SHA1_SIGNATURES=1",
-                       s->socket_dir, ld_preload, force_fips);
+                       "OPENSSL_ENABLE_SHA1_SIGNATURES=1 "
+                       "NSS_WRAPPER_HOSTNAME=server.libssh.site "
+                       "%s ",
+                       s->socket_dir,
+                       ld_preload,
+                       force_fips,
+                       kdc_env);
    if (printed < 0) {
        fail_msg("Failed to print env!");
        /* Unreachable */
@@ -1080,18 +1144,29 @@ static int torture_start_sshd_server(void **state)
    struct torture_state *s = *state;
    char sshd_start_cmd[1024];
    int rc;
+    char kdc_env[255] = {0};

    /* Set the default interface for the server */
    setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
    setenv("PAM_WRAPPER", "1", 1);

-    snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
-             SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
-             s->srv_config, s->socket_dir, s->socket_dir);
+#ifdef WITH_GSSAPI
+    setenv("NSS_WRAPPER_HOSTNAME", "server.libssh.site", 1);
+    torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env));
+#endif
+    snprintf(sshd_start_cmd,
+             sizeof(sshd_start_cmd),
+             "%s " SSHD_EXECUTABLE
+             " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+             kdc_env,
+             s->srv_config,
+             s->socket_dir,
+             s->socket_dir);

    rc = system(sshd_start_cmd);
    assert_return_code(rc, errno);

+    unsetenv("NSS_WRAPPER_HOSTNAME");
    setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
    unsetenv("PAM_WRAPPER");

@@ -1113,10 +1188,91 @@ void torture_setup_sshd_server(void **state, bool pam)
    assert_int_equal(rc, 0);
 }

+#ifdef WITH_GSSAPI
+/**
+ * @brief Setup KDC for GSSAPI testing
+ *
+ * This should be called after sshd or libssh server's setup functions.
+ *
+ * @param[in] state A pointer to a pointer to an initialized torture_state
+ *                  structure
+ * @param[in] kadmin_script kadmin commands to be executed on the KDC
+ * @param[in] kinit_script kinit commands to get the TGT
+ *
+ */
+void
+torture_setup_kdc_server(void **state,
+                         const char *kadmin_script,
+                         const char *kinit_script)
+{
+    struct torture_state *s = *state;
+    int rc;
+    char command[1024] = {0};
+    char kdc_env[255] = {0};
+    char kadmin_file[255] = {0};
+    char kinit_file[255] = {0};
+
+    /* Remove the previous files and folders, but keep the same directory
+     * because we pass only one temporary directory to the server */
+    snprintf(command, sizeof(command), "rm -rf %s/*", s->gss_dir);
+    rc = system(command);
+    assert_return_code(rc, errno);
+
+    setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "11", 1);
+    setenv("NSS_WRAPPER_HOSTNAME", "kdc.libssh.site", 1);
+
+    torture_set_kdc_env_str(s->gss_dir, kdc_env, sizeof(kdc_env));
+    torture_set_env_from_str(kdc_env);
+
+    snprintf(kadmin_file, sizeof(kadmin_file), "%s/kadmin.sh", s->gss_dir);
+    snprintf(kinit_file, sizeof(kinit_file), "%s/kinit.sh", s->gss_dir);
+
+    torture_write_file(kadmin_file, kadmin_script);
+    torture_write_file(kinit_file, kinit_script);
+
+    snprintf(command,
+             sizeof(command),
+             "%s/tests/gss/kdcsetup.sh %s",
+             BINARYDIR,
+             s->socket_dir);
+    rc = system(command);
+    assert_return_code(rc, errno);
+    assert_int_equal(rc, 0);
+
+    unsetenv("NSS_WRAPPER_HOSTNAME");
+    /* Back to client */
+    setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
+}
+
+/**
+ * @brief Teardown KDC
+ *
+ * This should be called before sshd or libssh server's teardown functions.
+ *
+ * @param[in] state A pointer to a pointer to an initialized torture_state
+ *                  structure
+ */
+void
+torture_teardown_kdc_server(void **state)
+{
+    struct torture_state *s = *state;
+    int rc;
+    char temp[1024] = {0};
+
+    snprintf(temp, sizeof(temp), "%s/pid", s->gss_dir);
+    rc = torture_terminate_process(temp);
+    assert_return_code(rc, errno);
+}
+
+#endif /* WITH_GSSAPI */
+
 void torture_free_state(struct torture_state *s)
 {
    free(s->srv_config);
    free(s->socket_dir);
+#ifdef WITH_GSSAPI
+    free(s->gss_dir);
+#endif
    free(s->pcap_file);
    free(s->log_file);
    free(s->srv_pidfile);
@@ -1196,7 +1352,6 @@ void torture_teardown_sshd_server(void **state)

    rc = torture_terminate_process(s->srv_pidfile);
    assert_return_code(rc, errno);
-
    torture_teardown_socket_dir(state);
 }
 #endif /* SSHD_EXECUTABLE */