static int dns_send(const char *name)
{
int ret;
struct header *header;
enum dns_query_type qtype = DNS_A_RECORD;
unsigned char *packet = net_udp_get_payload(dns_con);
unsigned char *p, *s, *fullname, *dotptr;
const unsigned char *domain;
/* Prepare DNS packet header */
header = (struct header *)packet;
header->tid = 1;
header->flags = htons(0x100); /* standard query */
header->nqueries = htons(1); /* Just one query */
header->nanswers = 0;
header->nauth = 0;
header->nother = 0;
domain = getenv("net.domainname");
if (!strchr(name, '.') && domain && *domain)
fullname = basprintf(".%s.%s.", name, domain);
else
fullname = basprintf(".%s.", name);
/* replace dots in fullname with chunk len */
dotptr = fullname;
do {
int len;
s = strchr(dotptr + 1, '.');
len = s - dotptr - 1;
*dotptr = len;
dotptr = s;
} while (*(dotptr + 1));
*dotptr = 0;
strcpy(header->data, fullname);
p = header->data + strlen(fullname);
*p++ = 0; /* Mark end of host name */
*p++ = 0; /* Some servers require double null */
*p++ = (unsigned char)qtype; /* Query Type */
*p++ = 0;
*p++ = 1; /* Class: inet, 0x0001 */
ret = net_udp_send(dns_con, p - packet);
free(fullname);
return ret;
}
static int state_convert_node_variable(struct state *state,
struct device_node *node,
struct device_node *parent,
const char *parent_name,
enum state_convert conv)
{
const struct variable_type *vtype;
struct device_node *child;
struct device_node *new_node = NULL;
struct state_variable *sv;
const char *type_name;
char *short_name, *name, *indexs;
unsigned int start_size[2];
int ret;
/* strip trailing @<ADDRESS> */
short_name = xstrdup(node->name);
indexs = strchr(short_name, '@');
if (indexs)
*indexs = 0;
/* construct full name */
name = basprintf("%s%s%s", parent_name, parent_name[0] ? "." : "",
short_name);
free(short_name);
if ((conv == STATE_CONVERT_TO_NODE) || (conv == STATE_CONVERT_FIXUP))
new_node = of_new_node(parent, node->name);
for_each_child_of_node(node, child) {
ret = state_convert_node_variable(state, child, new_node, name,
conv);
if (ret)
goto out_free;
}
static int e9_devices_init(void)
{
int ret;
char *environment_path;
if (!of_machine_is_compatible("embedsky,e9"))
return 0;
armlinux_set_architecture(3980);
environment_path = basprintf("/chosen/environment-mmc%d",
bootsource_get_instance());
ret = of_device_enable_path(environment_path);
if (ret < 0)
pr_warn("Failed to enable environment partition '%s' (%d)\n",
environment_path, ret);
free(environment_path);
defaultenv_append_directory(defaultenv_e9);
imx6_bbu_internal_mmc_register_handler("sd", "/dev/mmc1",
BBU_HANDLER_FLAG_DEFAULT);
imx6_bbu_internal_mmc_register_handler("emmc", "/dev/mmc3",
BBU_HANDLER_FLAG_DEFAULT);
return 0;
}
static int rdu_networkconfig(void)
{
static char *rdu_netconfig;
struct device_d *sp_dev;
if (!of_machine_is_compatible("zii,imx6q-zii-rdu2") &&
!of_machine_is_compatible("zii,imx6qp-zii-rdu2") &&
!of_machine_is_compatible("zii,imx51-rdu1"))
return 0;
sp_dev = get_device_by_name("sp");
if (!sp_dev) {
pr_warn("no sp device found, network config not available!\n");
return -ENODEV;
}
rdu_netconfig = basprintf("ip=%s:::%s::eth0:",
dev_get_param(sp_dev, "ipaddr"),
dev_get_param(sp_dev, "netmask"));
globalvar_add_simple_string("linux.bootargs.rdu_network",
&rdu_netconfig);
return 0;
}
int ubi_volume_cdev_add(struct ubi_device *ubi, struct ubi_volume *vol)
{
struct cdev *cdev = &vol->cdev;
struct ubi_volume_cdev_priv *priv;
int ret;
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
priv->vol = vol;
priv->ubi = ubi;
cdev->ops = &ubi_volume_fops;
cdev->name = basprintf("%s.%s", ubi->cdev.name, vol->name);
cdev->priv = priv;
cdev->size = vol->used_bytes;
if (vol->vol_type == UBI_STATIC_VOLUME)
cdev->flags = DEVFS_IS_CHARACTER_DEV;
cdev->dev = &vol->dev;
ubi_msg(ubi, "registering %s as /dev/%s", vol->name, cdev->name);
ret = devfs_create(cdev);
if (ret) {
kfree(priv);
free(cdev->name);
}
list_add_tail(&vol->list, &ubi_volumes_list);
return 0;
}
/*
* Internal helper function for remctld_start and remctld_start_fakeroot.
*
* Takes the Kerberos test configuration (the keytab principal is used as the
* server principal), the configuration file to use (found via
* test_file_path), and then any additional arguments to pass to remctld,
* ending with a NULL. Returns the PID of the running remctld process. If
* anything fails, calls bail.
*
* The path to remctld is obtained from the PATH_REMCTLD #define. If this is
* not set, remctld_start_internal calls skip_all.
*/
static struct process *
remctld_start_internal(struct kerberos_config *krbconf, const char *config,
va_list args, bool fakeroot)
{
va_list args_copy;
char *tmpdir, *pidfile, *confpath;
size_t i, length;
const char *arg, **argv;
struct process *process;
const char *path_remctld = PATH_REMCTLD;
/* Check prerequisites. */
if (path_remctld[0] == '\0')
skip_all("remctld not found");
/* Determine the location of the PID file and remove any old ones. */
tmpdir = test_tmpdir();
basprintf(&pidfile, "%s/remctld.pid", tmpdir);
if (access(pidfile, F_OK) == 0)
bail("remctld may already be running: %s exists", pidfile);
/* Build the argv used to run remctld. */
confpath = test_file_path(config);
if (confpath == NULL)
bail("cannot find remctld config %s", config);
length = 11;
va_copy(args_copy, args);
while ((arg = va_arg(args_copy, const char *)) != NULL)
length++;
va_end(args_copy);
argv = bmalloc(length * sizeof(const char *));
i = 0;
argv[i++] = path_remctld;
argv[i++] = "-mdSF";
argv[i++] = "-p";
argv[i++] = "14373";
argv[i++] = "-s";
argv[i++] = krbconf->principal;
argv[i++] = "-P";
argv[i++] = pidfile;
argv[i++] = "-f";
argv[i++] = confpath;
while ((arg = va_arg(args, const char *)) != NULL)
argv[i++] = arg;
argv[i] = NULL;
/* Start remctld using process_start or process_start_fakeroot. */
if (fakeroot)
process = process_start_fakeroot(argv, pidfile);
else
process = process_start(argv, pidfile);
/* Clean up and return. */
test_file_path_free(confpath);
free(pidfile);
test_tmpdir_free(tmpdir);
free(argv);
return process;
}
message_log_buffer(int len UNUSED, const char *fmt, va_list args,
int error UNUSED)
{
char *message;
bvasprintf(&message, fmt, args);
if (errors == NULL)
basprintf(&errors, "%s\n", message);
else {
char *new_errors;
basprintf(&new_errors, "%s%s\n", errors, message);
free(errors);
errors = new_errors;
}
free(message);
}
static void load_logo(int width, void *start, void *end)
{
char *filename;
size_t size = end - start;
filename = basprintf("/logo/barebox-logo-%d.png", width);
write_file(filename, start, size);
free(filename);
}
/*
* Clean up at the end of a test. This removes the ticket cache and resets
* and frees the memory allocated for the environment variables so that
* valgrind output on test suites is cleaner. Most of the work is done by
* kerberos_free, but this function also deletes the ticket cache.
*/
void
kerberos_cleanup(void)
{
char *path;
if (tmpdir_ticket != NULL) {
basprintf(&path, "%s/krb5cc_test", tmpdir_ticket);
unlink(path);
free(path);
}
kerberos_free();
}
int copy_recursive(const char *src, const char *dst)
{
struct stat s;
DIR *dir;
struct dirent *d;
int ret;
ret = stat(src, &s);
if (ret)
return ret;
if (!S_ISDIR(s.st_mode))
return copy_file(src, dst, 0);
ret = make_directory(dst);
if (ret)
return ret;
dir = opendir(src);
if (!dir)
return -EIO;
while ((d = readdir(dir))) {
char *from, *to;
if (!strcmp(d->d_name, ".") || !strcmp(d->d_name, ".."))
continue;
from = basprintf("%s/%s", src, d->d_name);
to = basprintf("%s/%s", dst, d->d_name);
ret = copy_recursive(from, to);
if (ret)
break;
free(from);
free(to);
}
closedir(dir);
return ret;
}
static int do_compare_file(const char *filename, const char *base)
{
int ret;
char *cmp;
const char *relname = filename + strlen(base) + 1;
cmp = basprintf("%s/%s", TMPDIR, relname);
ret = compare_file(cmp, filename);
free(cmp);
return ret;
}
int
main(void)
{
struct kerberos_config *config;
struct remctl *r;
struct remctl_output *output;
char *tmpdir, *confpath;
FILE *conf;
const char *test[] = { "test", "test", NULL };
/* Unless we have Kerberos available, we can't really do anything. */
config = kerberos_setup(TAP_KRB_NEEDS_KEYTAB);
/* Write out our empty configuration file. */
tmpdir = test_tmpdir();
basprintf(&confpath, "%s/conf-empty", tmpdir);
conf = fopen(confpath, "w");
if (conf == NULL)
sysbail("cannot create %s", confpath);
fclose(conf);
/* Now we can start remctl with our temporary configuration file. */
remctld_start(config, "tmp/conf-empty", NULL);
plan(7);
/* Test that we get a valid UNKNOWN_COMMAND error. */
r = remctl_new();
ok(remctl_open(r, "localhost", 14373, config->principal), "remctl_open");
ok(remctl_command(r, test), "remctl_command");
output = remctl_output(r);
ok(output != NULL, "first output token is not null");
if (output == NULL)
ok_block(4, 0, "...and has correct content");
else {
is_int(REMCTL_OUT_ERROR, output->type, "...and is an error");
is_int(15, output->length, "...and is right length");
if (output->data == NULL)
ok(0, "...and has the right error message");
else
ok(memcmp("Unknown command", output->data, 15) == 0,
"...and has the right error message");
is_int(ERROR_UNKNOWN_COMMAND, output->error, "...and error number");
}
remctl_close(r);
unlink(confpath);
free(confpath);
test_tmpdir_free(tmpdir);
return 0;
}
static int ds2431_probe(struct w1_device *dev)
{
struct cdev *cdev;
cdev = xzalloc(sizeof(*cdev));
cdev->dev = &dev->dev;
cdev->priv = dev;
cdev->ops = &ds2431_ops;
cdev->size = W1_F2D_EEPROM_SIZE;
cdev->name = basprintf(DRIVERNAME"%d", ds2431_count++);
if (cdev->name == NULL)
return -ENOMEM;
return devfs_create(cdev);
}
/*
* Calls server_config_acl_permit with the anonymous identity and anonymous
* set to true.
*
* Heimdal's KRB5_WELLKNOWN_NAME and related constants expand to a literal in
* parentheses, which means they cannot be concatenated by the preprocessor
* and the string cannot be constructed at compile time.
*/
static bool
acl_permit_anonymous(const struct rule *rule)
{
static char *pname = NULL;
struct client client = {
-1, -1, NULL, NULL, 0, NULL, NULL, true, 0, 0, false, false, NULL,
NULL, NULL
};
if (pname == NULL)
basprintf(&pname, "%s/%s@%s", KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
KRB5_ANON_REALM);
client.user = pname;
return server_config_acl_permit(rule, &client);
}
/*
* Clean up the krb5.conf file generated by kerberos_generate_conf and free
* the memory used to set the environment variable. This doesn't fail if the
* file and variable are already gone, allowing it to be harmlessly run
* multiple times.
*
* Normally called via an atexit handler.
*/
void
kerberos_cleanup_conf(void)
{
char *path;
if (tmpdir_conf != NULL) {
basprintf(&path, "%s/krb5.conf", tmpdir_conf);
unlink(path);
free(path);
test_tmpdir_free(tmpdir_conf);
tmpdir_conf = NULL;
}
putenv((char *) "KRB5_CONFIG=");
free(krb5_config);
krb5_config = NULL;
}
static void
kerberos_kinit(void)
{
static const char * const format[] = {
"kinit --no-afslog -k -t %s %s >/dev/null 2>&1 </dev/null",
"kinit -k -t %s %s >/dev/null 2>&1 </dev/null",
"kinit -t %s %s >/dev/null 2>&1 </dev/null",
"kinit -k -K %s %s >/dev/null 2>&1 </dev/null"
};
FILE *file;
char *path;
char principal[BUFSIZ], *command;
size_t i;
int status;
/* Read the principal corresponding to the keytab. */
path = test_file_path("config/principal");
if (path == NULL) {
test_file_path_free(config->keytab);
config->keytab = NULL;
return;
}
file = fopen(path, "r");
if (file == NULL) {
test_file_path_free(path);
return;
}
test_file_path_free(path);
if (fgets(principal, sizeof(principal), file) == NULL)
bail("cannot read %s", path);
fclose(file);
if (principal[strlen(principal) - 1] != '\n')
bail("no newline in %s", path);
principal[strlen(principal) - 1] = '\0';
config->principal = bstrdup(principal);
/* Now do the Kerberos initialization. */
for (i = 0; i < ARRAY_SIZE(format); i++) {
basprintf(&command, format[i], config->keytab, principal);
status = system(command);
free(command);
if (status != -1 && WEXITSTATUS(status) == 0)
break;
}
if (status == -1 || WEXITSTATUS(status) != 0)
bail("cannot get Kerberos tickets");
}
int ubi_cdev_add(struct ubi_device *ubi)
{
struct cdev *cdev = &ubi->cdev;
int ret;
cdev->ops = &ubi_fops;
cdev->name = basprintf("%s.ubi", ubi->mtd->cdev.name);
cdev->priv = ubi;
cdev->size = 0;
ubi_msg(ubi, "registering /dev/%s", cdev->name);
ret = devfs_create(cdev);
if (ret)
kfree(cdev->name);
return ret;
}
void ubifs_set_rootarg(struct ubifs_priv *priv, struct fs_device_d *fsdev)
{
struct ubi_volume_info vi = {};
struct ubi_device_info di = {};
struct mtd_info *mtd;
char *str;
ubi_get_volume_info(priv->ubi, &vi);
ubi_get_device_info(vi.ubi_num, &di);
mtd = di.mtd;
str = basprintf("root=ubi0:%s ubi.mtd=%s rootfstype=ubifs",
vi.name, mtd->cdev.partname);
fsdev_set_linux_rootarg(fsdev, str);
free(str);
}
/*
* Generate a krb5.conf file for testing and set KRB5_CONFIG to point to it.
* The [appdefaults] section will be stripped out and the default realm will
* be set to the realm specified, if not NULL. This will use config/krb5.conf
* in preference, so users can configure the tests by creating that file if
* the system file isn't suitable.
*
* Depends on data/generate-krb5-conf being present in the test suite.
*/
void
kerberos_generate_conf(const char *realm)
{
char *path;
const char *argv[3];
if (tmpdir_conf != NULL)
kerberos_cleanup_conf();
path = test_file_path("data/generate-krb5-conf");
if (path == NULL)
bail("cannot find generate-krb5-conf");
argv[0] = path;
argv[1] = realm;
argv[2] = NULL;
run_setup(argv);
test_file_path_free(path);
tmpdir_conf = test_tmpdir();
basprintf(&krb5_config, "KRB5_CONFIG=%s/krb5.conf", tmpdir_conf);
putenv(krb5_config);
if (atexit(kerberos_cleanup_conf) != 0)
sysdiag("cannot register cleanup function");
}
static int file_remove_action(const char *filename, struct stat *statbuf,
void *userdata, int depth)
{
struct action_data *data = userdata;
char *envname;
struct stat s;
int ret;
struct envfs_entry *env;
filename += sizeof(TMPDIR) - 1;
envname = basprintf("%s/%s", data->base, filename);
ret = stat(envname, &s);
if (ret) {
char *base;
base = basename(envname);
env = xzalloc(sizeof(*env));
env->name = strdup(filename);
env->size = strlen(base) + 1;
env->buf = strdup(base);
if (!env->buf)
goto out;
env->mode = S_IRWXU | S_IRWXG | S_IRWXO | S_IFLNK;
env->next = data->env;
data->env = env;
}
out:
free(envname);
return 1;
}
static void *omap_xload_boot_mmc(void)
{
int ret;
void *buf;
int len;
const char *diskdev;
char *partname;
diskdev = omap_get_bootmmc_devname();
if (!diskdev)
diskdev = "disk0";
device_detect_by_name(diskdev);
partname = basprintf("%s.0", diskdev);
ret = mount(partname, NULL, "/", NULL);
if (ret) {
printf("Unable to mount %s (%d)\n", partname, ret);
free(partname);
return NULL;
}
free(partname);
buf = read_file("/barebox.bin", &len);
if (!buf)
buf = read_file("/boot/barebox.bin", &len);
if (!buf) {
printf("could not read barebox.bin from sd card\n");
return NULL;
}
return buf;
}
static void
kerberos_kinit(void)
{
char *name, *krbtgt;
krb5_error_code code;
krb5_context ctx;
krb5_ccache ccache;
krb5_principal kprinc;
krb5_keytab keytab;
krb5_get_init_creds_opt *opts;
krb5_creds creds;
const char *realm;
/*
* Determine the principal corresponding to that keytab. We copy the
* memory to ensure that it's allocated in the right memory domain on
* systems where that may matter (like Windows).
*/
code = krb5_init_context(&ctx);
if (code != 0)
bail_krb5(ctx, code, "error initializing Kerberos");
kprinc = kerberos_keytab_principal(ctx, config->keytab);
code = krb5_unparse_name(ctx, kprinc, &name);
if (code != 0)
bail_krb5(ctx, code, "error unparsing name");
krb5_free_principal(ctx, kprinc);
config->principal = bstrdup(name);
krb5_free_unparsed_name(ctx, name);
/* Now do the Kerberos initialization. */
code = krb5_cc_default(ctx, &ccache);
if (code != 0)
bail_krb5(ctx, code, "error setting ticket cache");
code = krb5_parse_name(ctx, config->principal, &kprinc);
if (code != 0)
bail_krb5(ctx, code, "error parsing principal %s", config->principal);
realm = krb5_principal_get_realm(ctx, kprinc);
basprintf(&krbtgt, "krbtgt/%s@%s", realm, realm);
code = krb5_kt_resolve(ctx, config->keytab, &keytab);
if (code != 0)
bail_krb5(ctx, code, "cannot open keytab %s", config->keytab);
code = krb5_get_init_creds_opt_alloc(ctx, &opts);
if (code != 0)
bail_krb5(ctx, code, "cannot allocate credential options");
krb5_get_init_creds_opt_set_default_flags(ctx, NULL, realm, opts);
krb5_get_init_creds_opt_set_forwardable(opts, 0);
krb5_get_init_creds_opt_set_proxiable(opts, 0);
code = krb5_get_init_creds_keytab(ctx, &creds, kprinc, keytab, 0, krbtgt,
opts);
if (code != 0)
bail_krb5(ctx, code, "cannot get Kerberos tickets");
code = krb5_cc_initialize(ctx, ccache, kprinc);
if (code != 0)
bail_krb5(ctx, code, "error initializing ticket cache");
code = krb5_cc_store_cred(ctx, ccache, &creds);
if (code != 0)
bail_krb5(ctx, code, "error storing credentials");
krb5_cc_close(ctx, ccache);
krb5_free_cred_contents(ctx, &creds);
krb5_kt_close(ctx, keytab);
krb5_free_principal(ctx, kprinc);
krb5_get_init_creds_opt_free(ctx, opts);
krb5_free_context(ctx);
free(krbtgt);
}
int
main(void)
{
struct script_config config;
struct kerberos_password *password;
DIR *tmpdir;
struct dirent *file;
char *tmppath, *path;
/* Load the Kerberos principal and password from a file. */
password = kerberos_config_password();
if (password == NULL)
skip_all("Kerberos tests not configured");
memset(&config, 0, sizeof(config));
config.user = password->username;
config.password = password->password;
config.extra[0] = password->principal;
/* Generate a testing krb5.conf file. */
kerberos_generate_conf(password->realm);
/* Get the temporary directory and store that as the %1 substitution. */
tmppath = test_tmpdir();
config.extra[1] = tmppath;
plan_lazy();
/*
* We need to ensure that the only thing in the test temporary directory
* is the krb5.conf file that we generated, since we're going to check for
* cleanup by looking for any out-of-place files.
*/
tmpdir = opendir(tmppath);
if (tmpdir == NULL)
sysbail("cannot open directory %s", tmppath);
while ((file = readdir(tmpdir)) != NULL) {
if (strcmp(file->d_name, ".") == 0 || strcmp(file->d_name, "..") == 0)
continue;
if (strcmp(file->d_name, "krb5.conf") == 0)
continue;
basprintf(&path, "%s/%s", tmppath, file->d_name);
if (unlink(path) < 0)
sysbail("cannot delete temporary file %s", path);
free(path);
}
closedir(tmpdir);
/*
* Authenticate only, call pam_end, and be sure the ticket cache is
* gone. The auth-only script sets ccache_dir to the temporary directory,
* so the module will create a temporary ticket cache there and then
* should clean it up.
*/
run_script("data/scripts/cache-cleanup/auth-only", &config);
path = NULL;
tmpdir = opendir(tmppath);
if (tmpdir == NULL)
sysbail("cannot open directory %s", tmppath);
while ((file = readdir(tmpdir)) != NULL) {
if (strcmp(file->d_name, ".") == 0 || strcmp(file->d_name, "..") == 0)
continue;
if (strcmp(file->d_name, "krb5.conf") == 0)
continue;
if (path == NULL)
basprintf(&path, "%s/%s", tmppath, file->d_name);
}
closedir(tmpdir);
if (path != NULL)
diag("found stray temporary file %s", path);
ok(path == NULL, "ticket cache cleaned up");
if (path != NULL)
free(path);
test_tmpdir_free(tmppath);
kerberos_config_password_free(password);
return 0;
}
int
main(void)
{
krb5_context ctx;
const char *message;
char *expected;
char long_principal[VERY_LONG_PRINCIPAL];
const char *acls[5];
const struct rule rule = {
(char *) "TEST", 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, 0,
NULL, NULL, (char **) acls
};
plan(16);
/* Use a krb5.conf with a default realm of EXAMPLE.ORG. */
kerberos_generate_conf("EXAMPLE.ORG");
/* Check behavior with empty groups. */
fake_queue_group(&empty, 0);
set_passwd("someone", 0);
acls[0] = "localgroup:empty";
acls[1] = NULL;
ok(!acl_permit(&rule, "*****@*****.**"), "Empty");
/* Check behavior when user is expected to be in supplied group. */
fake_queue_group(&goodguys, 0);
set_passwd("remi", 0);
acls[0] = "localgroup:goodguys";
acls[1] = NULL;
ok(acl_permit(&rule, "*****@*****.**"), "User in group");
/* And when the user is not in the supplied group. */
fake_queue_group(&goodguys, 0);
set_passwd("someoneelse", 0);
ok(!acl_permit(&rule, "*****@*****.**"), "User not in group");
/* Check that the user's primary group also counts. */
fake_queue_group(&goodguys, 0);
set_passwd("otheruser", 42);
ok(acl_permit(&rule, "*****@*****.**"),
"User has group as primary group");
/* And when the user does not convert to a local user or is complex. */
fake_queue_group(&goodguys, 0);
set_passwd("remi", 0);
errors_capture();
ok(!acl_permit(&rule, "remi/[email protected]"),
"User with instance with base user in group");
is_string(NULL, errors, "...with no error");
/* Principal name is too long. */
fake_queue_group(&goodguys, 0);
memset(long_principal, 'A', sizeof(long_principal));
long_principal[sizeof(long_principal) - 1] = '\0';
errors_capture();
ok(!acl_permit(&rule, long_principal), "Long principal");
/* Determine the expected error message and check it. */
if (krb5_init_context(&ctx) != 0)
bail("cannot create Kerberos context");
message = krb5_get_error_message(ctx, KRB5_CONFIG_NOTENUFSPACE);
basprintf(&expected, "conversion of %s to local name failed: %s\n",
long_principal, message);
krb5_free_context(ctx);
is_string(expected, errors, "...with correct error message");
krb5_free_error_message(ctx, message);
free(expected);
/* Unsupported realm. */
fake_queue_group(&goodguys, 0);
set_passwd("eagle", 0);
ok(!acl_permit(&rule, "*****@*****.**"), "Non-local realm");
/* Check behavior when syscall fails */
fake_queue_group(&goodguys, EPERM);
set_passwd("remi", 0);
errors_capture();
ok(!acl_permit(&rule, "*****@*****.**"), "Failing getgrnam_r");
is_string("TEST:0: retrieving membership of localgroup goodguys failed\n",
errors, "...with correct error message");
/* Check that deny group works as expected */
fake_queue_group(&badguys, 0);
set_passwd("boba-fett", 0);
acls[0] = "deny:localgroup:badguys";
acls[1] = NULL;
ok(!acl_permit(&rule, "*****@*****.**"), "Denied user");
fake_queue_group(&badguys, 0);
set_passwd("remi", 0);
ok(!acl_permit(&rule, "*****@*****.**"),
"User not in denied group but also not allowed");
/* Check that both deny and "allow" pragma work together */
fake_queue_group(&goodguys, 0);
fake_queue_group(&badguys, 0);
set_passwd("eagle", 0);
acls[0] = "localgroup:goodguys";
acls[1] = "deny:localgroup:badguys";
acls[2] = NULL;
ok(acl_permit(&rule, "*****@*****.**"),
"User in allowed group plus a denied group");
fake_queue_group(&goodguys, 0);
fake_queue_group(&badguys, 0);
set_passwd("darth-maul", 0);
ok(!acl_permit(&rule, "*****@*****.**"),
"User in a denied group plus an allowed group");
fake_queue_group(&goodguys, 0);
fake_queue_group(&badguys, 0);
set_passwd("anyoneelse", 0);
ok(!acl_permit(&rule, "*****@*****.**"),
"User in neither denied nor allowed group");
/* Clean up. */
free(errors);
return 0;
}
int ifup(const char *name, unsigned flags)
{
int ret;
char *cmd, *cmd_discover;
const char *ip;
struct stat s;
int i;
struct device_d *dev;
struct eth_device *edev = eth_get_byname(name);
if (edev && edev->ipaddr && !(flags & IFUP_FLAG_FORCE))
return 0;
eth_set_current(edev);
env_push_context();
setenv("ip", "");
for (i = 0; i < ARRAY_SIZE(vars); i++)
setenv(vars[i], "");
cmd = basprintf("source /env/network/%s", name);
cmd_discover = basprintf("/env/network/%s-discover", name);
ret = run_command(cmd);
if (ret) {
pr_err("Running '%s' failed with %d\n", cmd, ret);
goto out;
}
ret = stat(cmd_discover, &s);
if (!ret) {
ret = run_command(cmd_discover);
if (ret) {
pr_err("Running '%s' failed with %d\n", cmd, ret);
goto out;
}
}
dev = get_device_by_name(name);
if (!dev) {
pr_err("Cannot find device %s\n", name);
goto out;
}
ret = eth_set_param(dev, "ethaddr");
if (ret)
goto out;
ip = getenv("ip");
if (!ip)
ip = "";
if (!strcmp(ip, "dhcp")) {
ret = run_command("dhcp");
if (ret)
goto out;
ret = eth_set_param(dev, "serverip");
if (ret)
goto out;
} else if (!strcmp(ip, "static")) {
for (i = 0; i < ARRAY_SIZE(vars); i++) {
ret = eth_set_param(dev, vars[i]);
if (ret)
goto out;
}
} else {
pr_err("unknown ip type: %s\n", ip);
ret = -EINVAL;
goto out;
}
ret = 0;
out:
env_pop_context();
free(cmd);
free(cmd_discover);
return ret;
}
int
main(void)
{
struct script_config config;
struct kerberos_config *krbconf;
char *newpass, *date;
struct passwd pwd;
time_t now;
/* Load the Kerberos principal and password from a file. */
krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
memset(&config, 0, sizeof(config));
config.user = krbconf->username;
config.password = krbconf->password;
config.extra[0] = krbconf->userprinc;
/*
* Ensure we can expire the password. Heimdal has a prompt for the
* expiration time, so save that to use as a substitution in the script.
*/
now = time(NULL) - 1;
if (!kerberos_expire_password(krbconf->userprinc, now))
skip_all("kadmin not configured or kadmin mismatch");
date = bstrdup(ctime(&now));
date[strlen(date) - 1] = '\0';
config.extra[1] = date;
/* Generate a testing krb5.conf file. */
kerberos_generate_conf(krbconf->realm);
/* Create a fake passwd struct for our user. */
memset(&pwd, 0, sizeof(pwd));
pwd.pw_name = krbconf->username;
pwd.pw_uid = getuid();
pwd.pw_gid = getgid();
basprintf(&pwd.pw_dir, "%s/tmp", getenv("BUILD"));
pam_set_pwd(&pwd);
/*
* We'll be changing the password to something new. This needs to be
* sufficiently random that it's unlikely to fall afoul of password
* strength checking.
*/
basprintf(&newpass, "ngh1,a%lu nn9af6", (unsigned long) getpid());
config.newpass = newpass;
plan_lazy();
/* Default behavior. */
#ifdef HAVE_KRB5_HEIMDAL
run_script("data/scripts/expired/basic-heimdal", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-heimdal-debug", &config);
#else
run_script("data/scripts/expired/basic-mit", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-mit-debug", &config);
#endif
/* Test again with PAM_SILENT, specified two ways. */
#ifdef HAVE_KRB5_HEIMDAL
config.newpass = newpass;
config.password = krbconf->password;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-heimdal-silent", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-heimdal-flag-silent", &config);
#else
config.newpass = newpass;
config.password = krbconf->password;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-mit-silent", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-mit-flag-silent", &config);
#endif
/*
* We can only run the remaining checks if we can suppress the Kerberos
* library behavior of prompting for a new password when the password has
* expired.
*/
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT
/* Check the forced failure behavior. */
run_script("data/scripts/expired/fail", &config);
run_script("data/scripts/expired/fail-debug", &config);
/* Defer the error to the account management check. */
config.newpass = newpass;
config.password = krbconf->password;
config.authtok = krbconf->password;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/defer", &config);
config.newpass = krbconf->password;
config.password = newpass;
config.authtok = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/defer-debug", &config);
#else /* !HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT */
/* Mention that we skipped something for the record. */
skip_block(4, "cannot disable library password prompting");
#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT */
/* In case we ran into some error, try to unexpire the password. */
kerberos_expire_password(krbconf->userprinc, 0);
free(date);
free(newpass);
free(pwd.pw_dir);
return 0;
}
int
main(void)
{
struct script_config config;
struct kerberos_config *krbconf;
char *user;
/*
* Load the Kerberos principal and password from a file, but set the
* principal as extra[0] and use something else bogus as the user. We
* want to test that alt_auth_map works when there's no relationship
* between the mapped principal and the user.
*/
krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
memset(&config, 0, sizeof(config));
config.user = "******";
config.authtok = krbconf->password;
config.extra[0] = krbconf->username;
config.extra[1] = krbconf->userprinc;
/*
* Generate a testing krb5.conf file with a nonexistent default realm so
* that we can be sure that our principals will stay fully-qualified in
* the logs.
*/
kerberos_generate_conf("bogus.example.com");
config.extra[2] = "bogus.example.com";
/* Test without password prompting. */
plan_lazy();
run_script("data/scripts/alt-auth/basic", &config);
run_script("data/scripts/alt-auth/basic-debug", &config);
run_script("data/scripts/alt-auth/fail", &config);
run_script("data/scripts/alt-auth/fail-debug", &config);
run_script("data/scripts/alt-auth/force", &config);
run_script("data/scripts/alt-auth/only", &config);
/*
* If the alternate account exists but the password is incorrect, we
* should not fall back to the regular account. Test with debug so that
* we don't need two principals configured.
*/
config.authtok = "bogus incorrect password";
run_script("data/scripts/alt-auth/force-fail-debug", &config);
/*
* Switch to our correct user (but wrong realm) realm to test username
* mapping to a different realm.
*/
config.authtok = krbconf->password;
config.user = krbconf->username;
config.extra[2] = krbconf->realm;
run_script("data/scripts/alt-auth/username-map", &config);
/*
* Split the username into two parts, one in the PAM configuration and one
* in the real username, so that we can test interpolation of the username
* when %s isn't the first token.
*/
config.user = &krbconf->username[1];
user = bstrndup(krbconf->username, 1);
config.extra[3] = user;
run_script("data/scripts/alt-auth/username-map-prefix", &config);
free(user);
config.extra[3] = NULL;
/*
* Ensure that we don't add the realm of the authentication username when
* the alt_auth_map already includes a realm.
*/
basprintf(&user, "*****@*****.**", krbconf->username);
config.user = user;
diag("re-running username-map with fully-qualified PAM user");
run_script("data/scripts/alt-auth/username-map", &config);
free(user);
config.user = krbconf->username;
/*
* Add the password and make the user match our authentication principal,
* and then test fallback to normal authentication when alternative
* authentication fails.
*/
config.user = krbconf->userprinc;
config.password = krbconf->password;
config.extra[2] = krbconf->realm;
run_script("data/scripts/alt-auth/fallback", &config);
run_script("data/scripts/alt-auth/fallback-debug", &config);
run_script("data/scripts/alt-auth/fallback-realm", &config);
run_script("data/scripts/alt-auth/force-fallback", &config);
run_script("data/scripts/alt-auth/only-fail", &config);
return 0;
}
int register_framebuffer(struct fb_info *info)
{
int id = get_free_deviceid("fb");
struct device_d *dev;
int ret, num_modes, i;
const char **names;
dev = &info->dev;
/*
* If info->mode is set at this point it's the only mode
* the fb supports. move it over to the modes list.
*/
if (info->mode) {
info->modes.modes = info->mode;
info->modes.num_modes = 1;
}
if (!info->line_length)
info->line_length = info->xres * (info->bits_per_pixel >> 3);
info->cdev.ops = &fb_ops;
info->cdev.name = basprintf("fb%d", id);
info->cdev.size = info->line_length * info->yres;
info->cdev.dev = dev;
info->cdev.priv = info;
dev->resource = xzalloc(sizeof(struct resource));
dev->resource[0].start = (resource_size_t)info->screen_base;
dev->resource[0].end = dev->resource[0].start + info->cdev.size - 1;
dev->resource[0].flags = IORESOURCE_MEM;
dev->num_resources = 1;
dev->priv = info;
dev->id = id;
dev->info = fb_info;
dev_set_name(dev, "fb");
ret = register_device(&info->dev);
if (ret)
goto err_free;
dev_add_param_bool(dev, "enable", fb_enable_set, NULL,
&info->p_enable, info);
if (IS_ENABLED(CONFIG_DRIVER_VIDEO_EDID))
fb_edid_add_modes(info);
num_modes = info->modes.num_modes + info->edid_modes.num_modes;
names = xzalloc(sizeof(char *) * num_modes);
for (i = 0; i < info->modes.num_modes; i++)
names[i] = info->modes.modes[i].name;
for (i = 0; i < info->edid_modes.num_modes; i++)
names[i + info->modes.num_modes] = info->edid_modes.modes[i].name;
dev_add_param_enum(dev, "mode_name", fb_set_modename, NULL, &info->current_mode, names, num_modes, info);
info->shadowfb = 1;
dev_add_param_bool(dev, "shadowfb", fb_set_shadowfb, NULL, &info->shadowfb, info);
info->mode = fb_num_to_mode(info, 0);
fb_setup_mode(info);
ret = devfs_create(&info->cdev);
if (ret)
goto err_unregister;
if (IS_ENABLED(CONFIG_DRIVER_VIDEO_SIMPLEFB)) {
ret = fb_register_simplefb(info);
if (ret)
dev_err(&info->dev, "failed to register simplefb: %s\n",
strerror(-ret));
}
if (IS_ENABLED(CONFIG_FRAMEBUFFER_CONSOLE))
register_fbconsole(info);
return 0;
err_unregister:
unregister_device(&info->dev);
err_free:
free(dev->resource);
return ret;
}
static void *am33xx_net_boot(void)
{
void *buf = NULL;
int err;
int len;
struct dhcp_req_param dhcp_param;
const char *bootfile;
IPaddr_t ip;
char *file;
char ip4_str[sizeof("255.255.255.255")];
struct eth_device *edev;
struct dhcp_result *dhcp_res;
am33xx_register_ethaddr(0, 0);
memset(&dhcp_param, 0, sizeof(struct dhcp_req_param));
dhcp_param.vendor_id = "am335x barebox-mlo";
edev = eth_get_byname("eth0");
if (!edev) {
printf("eth0 not found\n");
return NULL;
}
err = dhcp_request(edev, &dhcp_param, &dhcp_res);
if (err) {
printf("dhcp failed\n");
return NULL;
}
dhcp_set_result(edev, dhcp_res);
edev->ifup = true;
/*
* Older tftp server don't send the file size.
* Then tftpfs needs temporary place to store the file.
*/
err = mount("none", "ramfs", "/", NULL);
if (err < 0) {
printf("failed to mount ramfs\n");
return NULL;
}
err = make_directory(TFTP_MOUNT);
if (err)
return NULL;
ip = net_get_serverip();
sprintf(ip4_str, "%pI4", &ip);
err = mount(ip4_str, "tftp", TFTP_MOUNT, NULL);
if (err < 0) {
printf("Unable to mount.\n");
return NULL;
}
bootfile = dhcp_res->bootfile;
if (!bootfile) {
printf("bootfile not found.\n");
return NULL;
}
file = basprintf("%s/%s", TFTP_MOUNT, bootfile);
buf = read_file(file, &len);
if (!buf)
printf("could not read %s.\n", bootfile);
free(file);
umount(TFTP_MOUNT);
return buf;
}
/*
* Obtain Kerberos tickets for the principal specified in config/principal
* using the keytab specified in config/keytab, both of which are presumed to
* be in tests in either the build or the source tree. Also sets KRB5_KTNAME
* and KRB5CCNAME.
*
* Returns the contents of config/principal in newly allocated memory or NULL
* if Kerberos tests are apparently not configured. If Kerberos tests are
* configured but something else fails, calls bail.
*/
struct kerberos_config *
kerberos_setup(enum kerberos_needs needs)
{
char *path;
char buffer[BUFSIZ];
FILE *file = NULL;
/* If we were called before, clean up after the previous run. */
if (config != NULL)
kerberos_cleanup();
config = bcalloc(1, sizeof(struct kerberos_config));
/*
* If we have a config/keytab file, set the KRB5CCNAME and KRB5_KTNAME
* environment variables and obtain initial tickets.
*/
config->keytab = test_file_path("config/keytab");
if (config->keytab == NULL) {
if (needs == TAP_KRB_NEEDS_KEYTAB || needs == TAP_KRB_NEEDS_BOTH)
skip_all("Kerberos tests not configured");
} else {
tmpdir_ticket = test_tmpdir();
basprintf(&config->cache, "%s/krb5cc_test", tmpdir_ticket);
basprintf(&krb5ccname, "KRB5CCNAME=%s/krb5cc_test", tmpdir_ticket);
basprintf(&krb5_ktname, "KRB5_KTNAME=%s", config->keytab);
putenv(krb5ccname);
putenv(krb5_ktname);
kerberos_kinit();
}
/*
* If we have a config/password file, read it and fill out the relevant
* members of our config struct.
*/
path = test_file_path("config/password");
if (path != NULL)
file = fopen(path, "r");
if (file == NULL) {
if (needs == TAP_KRB_NEEDS_PASSWORD || needs == TAP_KRB_NEEDS_BOTH)
skip_all("Kerberos tests not configured");
} else {
if (fgets(buffer, sizeof(buffer), file) == NULL)
bail("cannot read %s", path);
if (buffer[strlen(buffer) - 1] != '\n')
bail("no newline in %s", path);
buffer[strlen(buffer) - 1] = '\0';
config->userprinc = bstrdup(buffer);
if (fgets(buffer, sizeof(buffer), file) == NULL)
bail("cannot read password from %s", path);
fclose(file);
if (buffer[strlen(buffer) - 1] != '\n')
bail("password too long in %s", path);
buffer[strlen(buffer) - 1] = '\0';
config->password = bstrdup(buffer);
/*
* Strip the realm from the principal and set realm and username.
* This is not strictly correct; it doesn't cope with escaped @-signs
* or enterprise names.
*/
config->username = bstrdup(config->userprinc);
config->realm = strchr(config->username, '@');
if (config->realm == NULL)
bail("test principal has no realm");
*config->realm = '\0';
config->realm++;
}
test_file_path_free(path);
/*
* If we have PKINIT configuration, read it and fill out the relevant
* members of our config struct.
*/
path = test_file_path("config/pkinit-principal");
if (path != NULL)
file = fopen(path, "r");
if (file != NULL) {
if (fgets(buffer, sizeof(buffer), file) == NULL)
bail("cannot read %s", path);
if (buffer[strlen(buffer) - 1] != '\n')
bail("no newline in %s", path);
buffer[strlen(buffer) - 1] = '\0';
fclose(file);
test_file_path_free(path);
path = test_file_path("config/pkinit-cert");
if (path != NULL) {
config->pkinit_principal = bstrdup(buffer);
config->pkinit_cert = bstrdup(path);
}
}
test_file_path_free(path);
if (config->pkinit_cert == NULL && (needs & TAP_KRB_NEEDS_PKINIT) != 0)
skip_all("PKINIT tests not configured");
/*
* Register the cleanup function so that the caller doesn't have to do
* explicit cleanup.
*/
test_cleanup_register(kerberos_cleanup_handler);
/* Return the configuration. */
return config;
}
