|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
import re
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm = K5Realm(create_user=False)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Check that a non-default salt type applies only to the key it is
|
|
Packit |
fd8b60 |
# matched with and not to subsequent keys. e1 and e2 are enctypes,
|
|
Packit |
fd8b60 |
# and salt is a non-default salt type.
|
|
Packit |
fd8b60 |
def test_salt(realm, e1, salt, e2):
|
|
Packit |
fd8b60 |
keysalts = e1 + ':' + salt + ',' + e2
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-e', keysalts, '-pw', 'password', 'user'])
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getprinc', 'user'])
|
|
Packit |
fd8b60 |
if len(re.findall(':' + salt, out)) != 1:
|
|
Packit |
fd8b60 |
fail(salt + ' present in second enctype or not present')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'delprinc', 'user'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Enctype/salt pairs chosen with non-default salt types.
|
|
Packit |
fd8b60 |
# The enctypes are mostly arbitrary.
|
|
rpm-build |
1cb403 |
salts = [('aes128-cts-hmac-sha1-96', 'norealm'),
|
|
Packit |
fd8b60 |
('arcfour-hmac', 'onlyrealm'),
|
|
Packit |
fd8b60 |
('aes128-cts-hmac-sha1-96', 'special')]
|
|
Packit |
fd8b60 |
# These enctypes are chosen to cover the different string-to-key routines.
|
|
Packit |
fd8b60 |
# Omit ":normal" from aes256 to check that salttype defaulting works.
|
|
rpm-build |
1cb403 |
second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal']
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test using different salt types in a principal's key list.
|
|
Packit |
fd8b60 |
# Parameters from one key in the list must not leak over to later ones.
|
|
Packit |
fd8b60 |
for e1, string in salts:
|
|
Packit |
fd8b60 |
for e2 in second_kstypes:
|
|
Packit |
fd8b60 |
test_salt(realm, e1, string, e2)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def test_dup(realm, ks):
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-e', ks, '-pw', 'password', 'ks_princ'])
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getprinc', 'ks_princ'])
|
|
Packit |
fd8b60 |
lines = out.split('\n')
|
|
Packit |
fd8b60 |
keys = [l for l in lines if 'Key: ' in l]
|
|
Packit |
fd8b60 |
uniq = set(keys)
|
|
Packit |
fd8b60 |
# 'Key:' matches 'MKey:' as well so len(keys) has one extra
|
|
Packit |
fd8b60 |
if (len(uniq) != len(keys)) or len(keys) > len(ks.split(',')):
|
|
Packit |
fd8b60 |
fail('Duplicate keysalt detection failed for keysalt ' + ks)
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'delprinc', 'ks_princ'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# All in-tree callers request duplicate suppression from
|
|
Packit |
fd8b60 |
# krb5_string_to_keysalts(); we should check that it works, respects
|
|
Packit |
fd8b60 |
# aliases, and doesn't result in an infinite loop.
|
|
Packit |
fd8b60 |
dup_kstypes = ['arcfour-hmac-md5:normal,rc4-hmac:normal',
|
|
Packit |
fd8b60 |
'aes256-cts-hmac-sha1-96:normal,aes128-cts,aes256-cts',
|
|
Packit |
fd8b60 |
'aes256-cts-hmac-sha1-96:normal,aes256-cts:special,' +
|
|
Packit |
fd8b60 |
'aes256-cts-hmac-sha1-96:normal']
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
for ks in dup_kstypes:
|
|
Packit |
fd8b60 |
test_dup(realm, ks)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success("Salt types")
|