from k5test import *
import re
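# Run "kvno server" with a fresh set of client tickets, then check that the
# enctypes in the service ticket match the expected values.
#
# etypes_re picks the "server@..." entry out of "klist -e" output, which
# lists each credential as a principal line followed by an indented
#     Etype (skey, tkt): <session key enctype>, <ticket key enctype>
# line.  Group 1 is the session key enctype (what the KDC negotiated for
# this ticket), group 2 the enctype of the key the ticket itself is encrypted
# in (the server's long-term key).  The distinction is the whole point of
# this test: the KDC may hand out a session key of a different (possibly
# weaker) enctype than the server's long-term key.
#
# Both halves of the pattern are raw strings.  The second half was a plain
# string containing "\s", which Python does not recognise as a string escape
# (DeprecationWarning on 3.6-3.11, SyntaxWarning from 3.12); "\S" in a raw
# string matches exactly what "[^\s]" did.
etypes_re = re.compile(r'server@[^\n]+\n\tEtype \(skey, tkt\): '
                       r'([^,]+), (\S+)')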
def test_kvno(realm, expected_skey, expected_tkt):
    """Get a fresh service ticket for "server" and check its enctypes.

    Obtains a TGT for realm.user_princ, runs "kvno server" to fetch a
    service ticket, then reads the enctypes back out of "klist -e" via
    etypes_re.  expected_skey is the enctype name klist must report for the
    negotiated session key and expected_tkt the one for the ticket (i.e. the
    server's long-term key).  A listing the regex cannot parse, or either
    enctype differing from what the caller expects, is reported with
    fail(); this is how the negotiation/downgrade scenarios below are
    asserted.
    """
    realm.kinit(realm.user_princ, password('user'))
    realm.run([kvno, 'server'])
    listing = realm.run([klist, '-e'])

    match = etypes_re.search(listing)
    if match is None:
        fail('could not parse etypes from klist -e output')
    actual_skey, actual_tkt = match.groups()

    # Check the session key first, then the ticket key, each against the
    # caller's expectation.
    checks = (('session key', actual_skey, expected_skey),
              ('ticket key', actual_tkt, expected_tkt))
    for label, got, want in checks:
        if got != want:
            fail('got %s type %s, expected %s' % (label, got, want))
def _libdefaults(**settings):
    """Build a krb5.conf dict consisting of just a [libdefaults] section."""
    return {'libdefaults': settings}


# conf1 and conf2 differ only in the client's default_tgs_enctypes
# preference order; the tests below use that to show the server-side
# session_enctypes attribute does not override the client's ordering.
conf1 = _libdefaults(default_tgs_enctypes='aes128-cts,aes256-cts')
conf2 = _libdefaults(default_tgs_enctypes='aes256-cts,aes128-cts')

# conf3 deliberately turns on allow_weak_crypto so the client will request
# and accept an rc4-hmac session key (scenario 3b).  This is a throwaway
# test realm; rc4-hmac is deprecated and allow_weak_crypto must not be
# copied into a production krb5.conf.
conf3 = _libdefaults(allow_weak_crypto='true',
                     default_tkt_enctypes='aes128-cts',
                     default_tgs_enctypes='rc4-hmac,aes128-cts')

# conf4 restricts permitted_enctypes only, with no explicit
# default_tgs_enctypes, to check that the restriction also bounds the
# session key enctypes offered in the TGS request (scenario 4).
conf4 = _libdefaults(permitted_enctypes='aes256-cts')
# Test with client request and session_enctypes preferring aes128, but
# aes256 long-term key.  Both the client (conf1) and the server's
# session_enctypes list aes128 first, so the negotiated session key should
# be aes128 while the ticket itself stays under the server's aes256
# long-term key.
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
# "server" gets only an aes256 long-term key ...
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
# ... but advertises aes128 ahead of aes256 for session keys.
session_pref = 'aes128-cts,aes256-cts'
realm.run([kadminl, 'setstr', 'server', 'session_enctypes', session_pref])
test_kvno(realm, expected_skey='aes128-cts-hmac-sha1-96',
          expected_tkt='aes256-cts-hmac-sha1-96')
realm.stop()
# Second go, almost same as first, but resulting session key must be aes256
# because of the difference in default_tgs_enctypes order. This tests that
# session_enctypes doesn't change the order in which we negotiate: a
# server-side attribute listing a weaker enctype first must not be able to
# pull the session key below what the client itself prefers.
realm = K5Realm(krb5_conf=conf2, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
# Same server-side preference as before (aes128 first) ...
session_pref = 'aes128-cts,aes256-cts'
realm.run([kadminl, 'setstr', 'server', 'session_enctypes', session_pref])
# ... but the client now lists aes256 first, and that ordering must win.
test_kvno(realm, expected_skey='aes256-cts-hmac-sha1-96',
          expected_tkt='aes256-cts-hmac-sha1-96')
realm.stop()
# Next we use conf3 and try various things.  conf3 enables allow_weak_crypto
# and puts rc4-hmac first in default_tgs_enctypes, so the same aes256-only
# principal is used for two session_enctypes settings in turn.
realm = K5Realm(krb5_conf=conf3, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts:normal',
           'server'])

# Each entry: (session_enctypes value for "server", expected session key
# enctype as printed by "klist -e").  The ticket key is always the aes256
# long-term key.
session_cases = [
    # 3a: Negotiate aes128 session key when principal only has aes256
    # long-term.
    ('aes128-cts,aes256-cts', 'aes128-cts-hmac-sha1-96'),
    # 3b: Negotiate rc4-hmac session key when principal only has aes256
    # long-term.  This only works because conf3 sets allow_weak_crypto;
    # klist flags the result as DEPRECATED.
    ('rc4-hmac,aes128-cts,aes256-cts', 'DEPRECATED:arcfour-hmac'),
]
for session_pref, expected_skey in session_cases:
    realm.run([kadminl, 'setstr', 'server', 'session_enctypes', session_pref])
    test_kvno(realm, expected_skey, 'aes256-cts-hmac-sha1-96')
realm.stop()
# 4: Check that permitted_enctypes is a default for session key enctypes.
# conf4 sets only permitted_enctypes=aes256-cts and no default_tgs_enctypes;
# the trace line asserted below shows the TGS request offering aes256-cts as
# the requested etype, so a client that permits only aes256 is not offering
# weaker session key enctypes on its own.
realm = K5Realm(krb5_conf=conf4, create_host=False, get_creds=False)
realm.kinit(realm.user_princ, password('user'))
wanted_trace = 'etypes requested in TGS request: aes256-cts'
realm.run([kvno, 'user'], expected_trace=(wanted_trace,))
realm.stop()
# All scenarios passed without fail(); success() comes from k5test.
success('sesskeynego')