diff options
author | Nicolas Williams <nico@cryptonector.com> | 2012-06-04 17:17:31 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-06-06 13:46:17 -0400 |
commit | 0e9bf73d2b8da55aedd25061faefe6a22d9613d3 (patch) | |
tree | d39c9bf38401f5fec0c88f81dfc6945486f470d3 /src/tests/t_sesskeynego.py | |
parent | dacb62f899329496f84e8b4bbc4c4dc94e585bd1 (diff) | |
download | krb5-0e9bf73d2b8da55aedd25061faefe6a22d9613d3.tar.gz krb5-0e9bf73d2b8da55aedd25061faefe6a22d9613d3.tar.xz krb5-0e9bf73d2b8da55aedd25061faefe6a22d9613d3.zip |
Add control over session key enctype negotiation
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
Diffstat (limited to 'src/tests/t_sesskeynego.py')
-rw-r--r-- | src/tests/t_sesskeynego.py | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py new file mode 100644 index 0000000000..9239e12544 --- /dev/null +++ b/src/tests/t_sesskeynego.py @@ -0,0 +1,83 @@ +#!/usr/bin/python +from k5test import * +import re + +# Run "kvno server" with a fresh set of client tickets, then check that the +# enctypes in the service ticket match the expected values. +etypes_re = re.compile(r'server@[^\n]+\n\tEtype \(skey, tkt\): ' + '([^,]+), ([^\s]+)') +def test_kvno(realm, expected_skey, expected_tkt): + realm.kinit(realm.user_princ, password('user')) + realm.run_as_client([kvno, 'server']) + output = realm.run_as_client([klist, '-e']) + m = etypes_re.search(output) + if not m: + fail('could not parse etypes from klist -e output') + skey, tkt = m.groups() + if skey != expected_skey: + fail('got session key type %s, expected %s' % (skey, expected_skey)) + if tkt != expected_tkt: + fail('got ticket key type %s, expected %s' % (tkt, expected_tkt)) + +krb5_conf1 = {'all': {'libdefaults': { + 'default_tgs_enctypes': 'aes128-cts,aes256-cts'}}} + +krb5_conf2 = {'all': {'libdefaults': { + 'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}} + +krb5_conf3 = {'all': {'libdefaults': { + 'allow_weak_crypto': 'true', + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}} + +krb5_conf4 = {'all' :{ + 'libdefaults': { + 'allow_weak_crypto': 'true', + 'default_tkt_enctypes': 'aes256-cts', + 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts' + }, + 'realms': {'$realm': { + 'des_crc_session_supported' : 'false'}}}} + +# Test with client request and session_enctypes preferring aes128, but +# aes256 long-term key. +realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False) +realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') +realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') +test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') +realm.stop() + +# Second go, almost same as first, but resulting session key must be aes256 +# because of the difference in default_tgs_enctypes order. This tests that +# session_enctypes doesn't change the order in which we negotiate. +realm = K5Realm(krb5_conf=krb5_conf2, create_host=False, get_creds=False) +realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') +realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') +test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') +realm.stop() + +# Next we use krb5_conf3 and try various things. +realm = K5Realm(krb5_conf=krb5_conf3, create_host=False, get_creds=False) +realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') + +# 3a: Negotiate aes128 session key when principal only has aes256 long-term. +realm.run_kadminl('setstr server session_enctypes aes128-cts,aes256-cts') +test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. +realm.run_kadminl('setstr server session_enctypes ' + 'rc4-hmac,aes128-cts,aes256-cts') +test_kvno(realm, 'arcfour-hmac', 'aes256-cts-hmac-sha1-96') + +# 3c: Test des-cbc-crc default assumption. +realm.run_kadminl('delstr server session_enctypes') +test_kvno(realm, 'des-cbc-crc', 'aes256-cts-hmac-sha1-96') +realm.stop() + +# Last go: test that we can disable the des-cbc-crc assumption +realm = K5Realm(krb5_conf=krb5_conf4, get_creds=False) +realm.run_kadminl('addprinc -randkey -e aes256-cts:normal server') +test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') +realm.stop() + +success('sesskeynego') |