1from k5test import *
2import re
3
# test_kvno() below runs "kvno server" with a fresh client ticket cache and
# then checks "klist -e" for the negotiated enctypes.  This pattern locates
# the 'server' service ticket in that listing and captures its
# "Etype (skey, tkt)" pair: group 1 is the session key enctype, group 2 the
# enctype of the key the ticket is encrypted with (which these tests expect
# to match the service principal's long-term key).
etypes_re = re.compile(
    r'server@[^\n]+\n\tEtype \(skey, tkt\): ([^,]+), ([^\s]+)')
def test_kvno(realm, expected_skey, expected_tkt):
    """Fetch a ticket for 'server' and check the enctypes klist reports.

    The client ticket cache is refreshed with a new kinit for the test user
    first, so the service ticket is negotiated from scratch under the
    realm's current krb5.conf and the principal's session_enctypes string.

    Args:
        realm: the running K5Realm to run kinit/kvno/klist against.
        expected_skey: enctype name klist -e must print for the session key
            (deprecated enctypes carry klist's "DEPRECATED:" prefix).
        expected_tkt: enctype name klist -e must print for the ticket key.

    Any mismatch, or an unparseable klist listing, ends the test via fail().
    """
    realm.kinit(realm.user_princ, password('user'))
    realm.run([kvno, 'server'])
    listing = realm.run([klist, '-e'])
    match = etypes_re.search(listing)
    if match is None:
        fail('could not parse etypes from klist -e output')
    actual_skey = match.group(1)
    actual_tkt = match.group(2)
    if actual_skey != expected_skey:
        fail('got session key type %s, expected %s' % (actual_skey,
                                                       expected_skey))
    if actual_tkt != expected_tkt:
        fail('got ticket key type %s, expected %s' % (actual_tkt,
                                                      expected_tkt))

def _libdefaults(**settings):
    """Return a krb5.conf dict (as K5Realm takes it) with only [libdefaults]."""
    return {'libdefaults': settings}


# Client-side enctype preference orders; the two differ only in order so
# the tests can show that session_enctypes does not reorder the request.
conf1 = _libdefaults(default_tgs_enctypes='aes128-cts,aes256-cts')
conf2 = _libdefaults(default_tgs_enctypes='aes256-cts,aes128-cts')
# Weak crypto allowed and rc4-hmac requested first for TGS; the tests below
# still expect an aes128 session key, i.e. allow_weak_crypto alone does not
# get an RC4 session key issued.
conf3 = _libdefaults(allow_weak_crypto='true',
                     default_tkt_enctypes='aes128-cts',
                     default_tgs_enctypes='rc4-hmac,aes128-cts')
# permitted_enctypes alone; used to show it also bounds the session key
# enctypes requested.
conf4 = _libdefaults(permitted_enctypes='aes256-cts')
# Explicit opt-in switches for the deprecated session key enctypes.
conf5 = _libdefaults(allow_rc4='true')
conf6 = _libdefaults(allow_des3='true')
# 1: Client request (conf1) and the principal's session_enctypes both prefer
# aes128, while the service's only long-term key is aes256.  Expect an
# aes128 session key inside a ticket encrypted with the aes256 long-term key:
# the session key enctype is negotiated independently of the key that
# protects the ticket.
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
           'aes128-cts,aes256-cts'])
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()

# 2: Same setup as 1, but conf2 lists aes256 before aes128 in
# default_tgs_enctypes, so the resulting session key must be aes256.  This
# checks that session_enctypes only filters which enctypes are acceptable
# and does not change the order in which the client's request is honoured.
realm = K5Realm(krb5_conf=conf2, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
           'aes128-cts,aes256-cts'])
test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()

# 3: One realm with conf3 (allow_weak_crypto on, rc4-hmac first in
# default_tgs_enctypes) reused for two session_enctypes settings.  The
# service principal again has only an aes256 long-term key.
realm = K5Realm(krb5_conf=conf3, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts:normal',
           'server'])

# 3a: Negotiate aes128 session key when principal only has aes256 long-term.
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
           'aes128-cts,aes256-cts'])
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')

# 3b: rc4-hmac is now first in both the client's request and
# session_enctypes, yet the expected session key is still aes128: the KDC
# does not allow RC4 for session keys by default, and allow_weak_crypto
# alone is not enough (compare test 5, which needs allow_rc4).  The
# long-term service key is still aes256 only.
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
           'rc4-hmac,aes128-cts,aes256-cts'])
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()

# 4: permitted_enctypes (conf4: aes256-cts only) is also the default for the
# session key enctypes the client asks for.  No 'server' principal is needed
# here; the trace of the TGS request for 'user' must show only aes256-cts
# being requested.
realm = K5Realm(krb5_conf=conf4, create_host=False, get_creds=False)
realm.kinit(realm.user_princ, password('user'))
realm.run([kvno, 'user'],
          expected_trace=('etypes requested in TGS request: aes256-cts',))
realm.stop()

# 5: allow_rc4 (conf5) is the explicit opt-in that permits an rc4-hmac
# session key to be negotiated when session_enctypes asks for it.  klist -e
# reports the deprecated enctype with a "DEPRECATED:" prefix; the ticket
# itself is still encrypted with the aes256 long-term key.
realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
realm.stop()

# 6: Same as 5 for triple-DES: allow_des3 (conf6) permits negotiation of a
# des3-cbc-sha1 session key, reported by klist -e as deprecated, while the
# ticket stays under the aes256 long-term key.
realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
realm.stop()

# 7: Default config with a service whose only long-term key is rc4-hmac.
# The ticket is necessarily encrypted with that (deprecated) key, but the
# session key handed to the client is still aes256-sha1: a weak long-term
# service key does not drag the negotiated session key down with it.
realm = K5Realm(create_host=False, get_creds=False)
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
realm.stop()

success('sesskeynego')

95