File: t_etype_info.py

from k5test import *

# Test realm configuration.  allow_weak_crypto permits the DES, DES3 and
# RC4 enctypes the cases below exercise; it is set for this throwaway
# test realm only.  '$realm' is k5test's placeholder for the realm name.
supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3'
conf = {'libdefaults': {'allow_weak_crypto': 'true'},
        'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)

# Extra principals, all requiring preauth: one with the default key set
# (no -e given), one with only an rc4-hmac key, and one with no keys.
for addprinc_args in (['-pw', 'pw', '+requires_preauth', 'preauthuser'],
                      ['-pw', 'pw', '-e', 'rc4-hmac', '+requires_preauth',
                       'rc4user'],
                      ['-nokey', '+requires_preauth', 'nokeyuser']):
    realm.run([kadminl, 'addprinc'] + addprinc_args)


# Run the test harness for the given principal and request enctype
# list.  Compare the output to the expected lines, ignoring order.
def test_etinfo(princ, enctypes, expected_lines):
    """Run ./etinfo for princ and check its output lines, ignoring order.

    princ: principal name; any '@REALM' suffix is dropped from the
        progress mark but passed to ./etinfo unchanged.
    enctypes: request enctype list, passed to ./etinfo as one argument.
    expected_lines: list of output lines that must appear, in any order.

    Calls fail() when the sorted output differs from the sorted
    expected lines.
    """
    shortname = princ.partition('@')[0]
    mark('etinfo test: %s %s' % (shortname, enctypes))
    output = realm.run(['./etinfo', princ, enctypes])
    actual = sorted(output.splitlines())
    wanted = sorted(expected_lines)
    if actual != wanted:
        fail('Unexpected output for princ %s, etypes %s' % (princ, enctypes))


# Table of (principal, request enctype list, expected etinfo lines);
# each case is run through test_etinfo in order.
etinfo_cases = [
    # With no newer enctypes in the request, PA-ETYPE-INFO2,
    # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing
    # one key for the most preferred matching enctype.
    ('user', 'rc4-hmac-exp des3 rc4',
     ['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser',
      'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser',
      'asrep pw_salt KRBTEST.COMuser']),

    # With a newer enctype in the request (even if it is not the most
    # preferred enctype and doesn't match any keys), only PA-ETYPE-INFO2
    # appears.
    ('user', 'rc4 aes256-cts',
     ['asrep etype_info2 rc4-hmac KRBTEST.COMuser']),

    # In preauth-required errors, PA-PW-SALT does not appear, but the
    # same etype-info2 values are expected.
    ('preauthuser', 'rc4-hmac-exp des3 rc4',
     ['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser',
      'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser']),
    ('preauthuser', 'rc4 aes256-cts',
     ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']),

    # AFS3 salt for DES enctypes is conveyed using s2kparams in
    # PA-ETYPE-INFO2, not at all in PA-ETYPE-INFO, and with a special
    # padata type instead of PA-PW-SALT.
    ('user', 'des-cbc-crc rc4',
     ['asrep etype_info2 des-cbc-crc KRBTEST.COM 01',
      'asrep etype_info des-cbc-crc KRBTEST.COM',
      'asrep afs3_salt KRBTEST.COM']),
    ('preauthuser', 'des-cbc-crc rc4',
     ['error etype_info2 des-cbc-crc KRBTEST.COM 01',
      'error etype_info des-cbc-crc KRBTEST.COM']),

    # DES keys can be used with other DES enctypes.  The requested
    # enctype shows up in the etype-info, not the database key enctype.
    ('user', 'des-cbc-md4 rc4',
     ['asrep etype_info2 des-cbc-md4 KRBTEST.COM 01',
      'asrep etype_info des-cbc-md4 KRBTEST.COM',
      'asrep afs3_salt KRBTEST.COM']),
    ('user', 'des-cbc-md5 rc4',
     ['asrep etype_info2 des KRBTEST.COM 01',
      'asrep etype_info des KRBTEST.COM',
      'asrep afs3_salt KRBTEST.COM']),

    # If no keys are found matching the request enctypes, a
    # preauth-required error can be generated with no etype-info at all
    # (to allow for preauth mechs which don't depend on long-term keys).
    # An AS-REP cannot be generated without preauth as there is no reply
    # key.
    ('rc4user', 'des3', []),
    ('nokeyuser', 'des3', []),
]

for case_princ, case_enctypes, case_expected in etinfo_cases:
    test_etinfo(case_princ, case_enctypes, case_expected)

# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED
# error if the client does optimistic preauth.
mark('MORE_PREAUTH_DATA_REQUIRED test')
realm.stop()

# Start a fresh realm that loads the test preauth module on both the
# KDC (kdcpreauth) and client (clpreauth) sides.
testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
test_module = 'test:' + testpreauth
conf = {'plugins': {'kdcpreauth': {'module': test_module},
                    'clpreauth': {'module': test_module}}}
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)

# The '2rt' string attribute presumably makes the test module ask for a
# second round trip, and '-123' is presumably the padata type it uses
# for the optimistic preauth request -- confirm against the test plugin.
realm.run([kadminl, 'setstr', realm.user_princ, '2rt', '2rtval'])
expected_out = 'more etype_info2 aes128-cts KRBTEST.COMuser\n'
out = realm.run(['./etinfo', realm.user_princ, 'aes128-cts', '-123'])
if out != expected_out:
    fail('Unexpected output for MORE_PREAUTH_DATA_REQUIRED test')

success('KDC etype-info tests')