from k5test import *

# Every supported SPAKE group as a (group number, group name) pair.  The
# edwards25519 group is always compiled in; the NIST curves are only
# available when the SPAKE module was built against OpenSSL.
builtin_groups = ((1, 'edwards25519'),)
openssl_groups = ((2, 'P-256'), (3, 'P-384'), (4, 'P-521'))
have_openssl = runenv.have_spake_openssl == 'yes'
groups = builtin_groups + openssl_groups if have_openssl else builtin_groups

# Exercise each group once, against every enctype configuration that
# multipass_realms provides, with a single preauth-required user.
for gnum, gname in groups:
    mark('group {0}'.format(gname))
    conf = {'libdefaults': {'spake_preauth_groups': gname}}
    for realm in multipass_realms(create_user=False, create_host=False,
                                  krb5_conf=conf):
        realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user'])

        # Plain SPAKE exchange with no optimizations: the client is told
        # preauth is required, advertises its groups, answers the KDC
        # challenge for this group and obtains the AS reply key from the
        # exchange.
        msgs = ('Sending unauthenticated request',
                '/Additional pre-authentication required',
                'Selected etype info:',
                'Sending SPAKE support message',
                'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
                '/More preauthentication data is required',
                'Continuing preauth mech PA-SPAKE (151)',
                'SPAKE challenge received with group {0}'.format(gnum),
                'Sending SPAKE response',
                'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
                'AS key determined by preauth:',
                'Decrypted AS reply')
        realm.kinit('user', 'pw', expected_trace=msgs)

        # The same exchange with the wrong password must end in a preauth
        # failure after the SPAKE response instead of a decrypted reply.
        msgs = ('/Additional pre-authentication required',
                'Selected etype info:',
                'Sending SPAKE support message',
                'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
                '/More preauthentication data is required',
                'Continuing preauth mech PA-SPAKE (151)',
                'SPAKE challenge received with group {0}'.format(gnum),
                'Sending SPAKE response',
                '/Preauthentication failed')
        realm.kinit('user', 'wrongpw', expected_code=1, expected_trace=msgs)

# The remaining tests use one realm restricted to edwards25519, with the
# KDC configured to attach the 'indspake' auth indicator on SPAKE success.
conf = {'libdefaults': {'spake_preauth_groups': 'edwards25519'}}
kdcconf = {'realms': {'$realm': {'spake_preauth_indicator': 'indspake'}}}
realm = K5Realm(create_user=False, krb5_conf=conf, kdc_conf=kdcconf)
realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user'])

# SPAKE inside a FAST tunnel: armor with the host keytab credentials, then
# expect the SPAKE exchange to run over the FAST-wrapped messages and the
# reply key to be reported as the FAST reply key.
mark('FAST')
msgs = ('Using FAST due to armor ccache negotiation',
        'FAST armor key:',
        'Sending unauthenticated request',
        '/Additional pre-authentication required',
        'Decoding FAST response',
        'Selected etype info:',
        'Sending SPAKE support message',
        'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
        '/More preauthentication data is required',
        'Continuing preauth mech PA-SPAKE (151)',
        'SPAKE challenge received with group 1',
        'Sending SPAKE response',
        'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
        'AS key determined by preauth:',
        'FAST reply key:')
realm.kinit(realm.host_princ, flags=['-k'])
realm.kinit('user', 'pw', flags=['-T', realm.ccache], expected_trace=msgs)

# Client-side optimistic preauth: icred's -o 151 sends the SPAKE support
# message (151 is PA-SPAKE) in the very first request, so the KDC answers
# with a challenge without an intervening "preauth required" error.
mark('client optimistic')
msgs = ('Attempting optimistic preauth',
        'Processing preauth types: PA-SPAKE (151)',
        'Sending SPAKE support message',
        'for next request: PA-SPAKE (151)',
        '/More preauthentication data is required',
        'Selected etype info:',
        'SPAKE challenge received with group 1',
        'Sending SPAKE response',
        'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
        'AS key determined by preauth:',
        'Decrypted AS reply')
realm.run(['./icred', '-o', '151', 'user', 'pw'], expected_trace=msgs)

# KDC-side optimistic challenge: with spake_preauth_kdc_challenge set, the
# KDC includes an edwards25519 challenge in its preauth-required error and
# the client accepts it, skipping the support-message round trip.
mark('KDC optimistic')
oconf = {'kdcdefaults': {'spake_preauth_kdc_challenge': 'edwards25519'}}
oenv = realm.special_env('ochal', True, krb5_conf=oconf)
realm.stop_kdc()
realm.start_kdc(env=oenv)
msgs = ('Sending unauthenticated request',
        '/Additional pre-authentication required',
        'Selected etype info:',
        'SPAKE challenge received with group 1',
        'Sending SPAKE response',
        'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
        'AS key determined by preauth:',
        'Decrypted AS reply')
realm.kinit('user', 'pw', expected_trace=msgs)

# Everything below needs a second group, which is only available with the
# OpenSSL build.
if not have_openssl:
    skip_rest('SPAKE fallback tests', 'SPAKE not built using OpenSSL')

# Client optimistic preauth where the client offers only P-256, which the
# KDC (edwards25519 only) does not support: the optimistic attempt fails
# and the client falls back to encrypted timestamp preauth.
mark('client optimistic (fallback)')
p256conf = {'libdefaults': {'spake_preauth_groups': 'P-256'}}
p256env = realm.special_env('p256', False, krb5_conf=p256conf)
msgs = ('Attempting optimistic preauth',
        'Processing preauth types: PA-SPAKE (151)',
        'Sending SPAKE support message',
        'for next request: PA-SPAKE (151)',
        '/Preauthentication failed',
        'Selected etype info:',
        'Encrypted timestamp ',
        'for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
        'AS key determined by preauth:',
        'Decrypted AS reply')
realm.run(['./icred', '-o', '151', 'user', 'pw'], env=p256env,
          expected_trace=msgs)

# KDC optimistic challenge that the client rejects: the KDC challenges with
# P-384 (group 3), the client reports it as rejected and the exchange
# restarts with a support message, completing with group 1 instead.
mark('KDC optimistic (rejected)')
rconf = {'libdefaults': {'spake_preauth_groups': 'P-384,edwards25519'},
         'kdcdefaults': {'spake_preauth_kdc_challenge': 'P-384'}}
renv = realm.special_env('ochal', True, krb5_conf=rconf)
realm.stop_kdc()
realm.start_kdc(env=renv)
msgs = ('Sending unauthenticated request',
        '/Additional pre-authentication required',
        'Selected etype info:',
        'SPAKE challenge with group 3 rejected',
        'Sending SPAKE support message',
        'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
        '/More preauthentication data is required',
        'Continuing preauth mech PA-SPAKE (151)',
        'SPAKE challenge received with group 1',
        'Sending SPAKE response',
        'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
        'AS key determined by preauth:',
        'Decrypted AS reply')
realm.kinit('user', 'pw', expected_trace=msgs)

# The KDC must carry the configured auth indicator into the service
# ticket's authorization data (ad-type 97) after a SPAKE preauth.
mark('auth indicator')
realm.run([kvno, realm.host_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [indspake]')

success('SPAKE pre-authentication tests')