1 files changed, 108 insertions, 0 deletions
diff --git a/tests/module/fast-anon-t.c b/tests/module/fast-anon-t.c
new file mode 100644
index 000000000000..6355a5154f69
--- /dev/null
+++ b/tests/module/fast-anon-t.c
@@ -0,0 +1,108 @@
+/*
+ * Tests for anonymous FAST support in pam-krb5.
+ *
+ * Tests for anonymous Flexible Authentication Secure Tunneling, a mechanism
+ * for improving the preauthentication part of the Kerberos protocol and
+ * protecting it against various attacks.
+ *
+ * This is broken out from the other FAST tests because it uses PKINIT, and
+ * PKINIT code cannot be tested under valgrind with MIT Kerberos due to some
+ * bug in valgrind.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+
+
+/*
+ * Test whether anonymous authentication works.  If this doesn't, we need to
+ * skip the tests of anonymous FAST.
+ */
+static bool
+anon_fast_works(void)
+{
+    krb5_context ctx;
+    krb5_error_code retval;
+    krb5_principal princ = NULL;
+    char *realm;
+    krb5_creds creds;
+    krb5_get_init_creds_opt *opts = NULL;
+
+    /* Construct the anonymous principal name. */
+    retval = krb5_init_context(&ctx);
+    if (retval != 0)
+        bail("cannot initialize Kerberos");
+    retval = krb5_get_default_realm(ctx, &realm);
+    if (retval != 0)
+        bail("cannot get default realm");
+    retval = krb5_build_principal_ext(
+        ctx, &princ, (unsigned int) strlen(realm), realm,
+        strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
+        strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
+    if (retval != 0)
+        bail("cannot construct anonymous principal");
+    krb5_free_default_realm(ctx, realm);
+
+    /* Obtain the credentials. */
+    memset(&creds, 0, sizeof(creds));
+    retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
+    if (retval != 0)
+        bail("cannot create credential options");
+    krb5_get_init_creds_opt_set_anonymous(opts, 1);
+    krb5_get_init_creds_opt_set_tkt_life(opts, 60);
+    retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL, NULL,
+                                          0, NULL, opts);
+
+    /* Clean up. */
+    if (princ != NULL)
+        krb5_free_principal(ctx, princ);
+    if (opts != NULL)
+        krb5_get_init_creds_opt_free(ctx, opts);
+    krb5_free_cred_contents(ctx, &creds);
+
+    /* Return whether authentication succeeded. */
+    return (retval == 0);
+}
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Skip the test if FAST is not available. */
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME
+    skip_all("FAST support not available");
+#endif
+
+    /* Initialize Kerberos configuration. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    config.authtok = krbconf->password;
+    config.extra[0] = krbconf->userprinc;
+    kerberos_generate_conf(krbconf->realm);
+
+    /* Skip the test if anonymous PKINIT doesn't work. */
+    if (!anon_fast_works())
+        skip_all("anonymous PKINIT failed");
+
+    /* Test anonymous FAST. */
+    plan_lazy();
+    run_script("data/scripts/fast/anonymous", &config);
+    run_script("data/scripts/fast/anonymous-debug", &config);
+
+    return 0;
+}