diff options
| author | Ben Kaduk <kaduk@mit.edu> | 2013-10-25 13:33:23 -0400 |
|---|---|---|
| committer | Ben Kaduk <kaduk@mit.edu> | 2013-10-25 19:34:37 -0400 |
| commit | e04cd7a75a36b2fc9914a5e767a2fc639ac96939 (patch) | |
| tree | 46e875bcda435ec887e38173284219d51f4e8e1c /src/tests/t_salt.py | |
| parent | 381cf01afb13ad28de0927de37f8e1d12749bf49 (diff) | |
| download | krb5-e04cd7a75a36b2fc9914a5e767a2fc639ac96939.tar.gz krb5-e04cd7a75a36b2fc9914a5e767a2fc639ac96939.tar.xz krb5-e04cd7a75a36b2fc9914a5e767a2fc639ac96939.zip | |
Add tests for different salt combinations
Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.
Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4. As such, it only makes sense for single-DES
enctypes. The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.
Diffstat (limited to 'src/tests/t_salt.py')
| -rwxr-xr-x | src/tests/t_salt.py | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py new file mode 100755 index 0000000000..3214cd2d4a --- /dev/null +++ b/src/tests/t_salt.py @@ -0,0 +1,58 @@ +#!/usr/bin/python +from k5test import * +import re + +realm = K5Realm(create_user=False) + +# Check that a non-default salt type applies only to the key it is matched +# with and not to subsequent keys. e1 is a enctype:salt string with +# non-default salt, and e2 is an enctype:salt string with default salt. +# The string argument corresponds to the salt type of e1, and must appear +# exactly once in the getprinc output, corresponding to just the first key. +def test_salt(realm, e1, string, e2): + query = 'ank -e ' + e1 + ',' + e2 + ' -pw password user' + realm.run_kadminl(query) + out = realm.run_kadminl('getprinc user') + if len(re.findall(string, out)) != 1: + fail(string + ' present in second enctype or not present') + realm.run_kadminl('delprinc -force user') + +# Enctype/salt pairs chosen with non-default salt types. +# The enctypes are mostly arbitrary, though afs3 must only be used with des. +# We do not enforce that v4 salts must only be used with des, but it seems +# like a good idea. +salts = [('des-cbc-crc:afs3', 'AFS version 3'), + ('des3-cbc-sha1:norealm', 'Version 5 - No Realm'), + ('arcfour-hmac:onlyrealm', 'Version 5 - Realm Only'), + ('des-cbc-crc:v4', 'Version 4'), + ('aes128-cts-hmac-sha1-96:special', 'Special')] +# These enctypes are chosen to cover the different string-to-key routines. +second_kstypes = ['aes256-cts-hmac-sha1-96:normal', 'arcfour-hmac:normal', + 'des3-cbc-sha1:normal', 'des-cbc-crc:normal'] + +# Test using different salt types in a principal's key list. +# Parameters from one key in the list must not leak over to later ones. +for e1, string in salts: + for e2 in second_kstypes: + test_salt(realm, e1, string, e2) + +# Attempt to create a principal with a non-des enctype and the afs3 salt, +# verifying that the expected error is received and the principal creation +# fails. +def test_reject_afs3(realm, etype): + query = 'ank -e ' + etype + ':afs3 -pw password princ1' + out = realm.run_kadminl(query) + if 'Invalid key generation parameters from KDC' not in out: + fail('Allowed afs3 salt for ' + etype) + out = realm.run_kadminl('getprinc princ1') + if 'Principal does not exist' not in out: + fail('Created principal with afs3 salt and enctype ' + etype) + +# Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes. +# We do not currently do any verification on the key-generation parameters +# for the triple-DES enctypes, so that test is commented out. +test_reject_afs3(realm, 'arcfour-hmac') +test_reject_afs3(realm, 'aes256-cts-hmac-sha1-96') +#test_reject_afs3(realm, 'des3-cbc-sha1') + +success("Salt types") |