1from k5test import *
2
# Restrict the realm to the two AES enctypes so that the keytab
# manipulation steps further down operate on a small, known set of keys.
conf = {'realms': {'$realm': {'supported_enctypes': 'aes256-cts aes128-cts'}}}
realm = K5Realm(create_host=False, kdc_conf=conf)

# Server principal names used throughout the tests.  princ4 is not added
# here: it only comes into existence later, when princ1 is renamed to it
# in the alias test.
princ1, princ2, princ3, princ4 = [
    '%s@%s' % (name, realm.realm)
    for name in ('host/1', 'host/2', 'HTTP/3', 'HTTP/4')]
# A matching principal ('host/@') selects any keytab entry whose first
# component is 'host'; 'x/@' is a pattern that matches none of the
# principals created here.
matchprinc = 'host/@'
nomatchprinc = 'x/@'
for p in (princ1, princ2, princ3):
    realm.addprinc(p)
16
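def test(tserver, server, expected):
    """Run ./rdreq and compare its output with the expected line.

    tserver is the ticket server, the principal the service ticket is
    obtained for.  server is the server principal argument passed to
    rdreq: a full principal name, a matching pattern such as 'host/@',
    or None to omit the argument entirely.  expected is the single line
    rdreq is expected to print (an error code and message, or
    '0 success'); the comparison is exact apart from surrounding
    whitespace.  On a mismatch the test run is terminated via fail(),
    reporting both the expected and the actual output so the failing
    case can be diagnosed from the log alone.
    """
    args = ['./rdreq', tserver]
    if server is not None:
        args.append(server)
    out = realm.run(args).strip()
    if out != expected:
        fail('unexpected rdreq output: expected %r, got %r' % (expected, out))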
24
25
# No keytab present.  Whatever server argument is given, rd_req must
# report the missing keytab file rather than a key lookup failure.
#
# The leading number in each expected line is the Kerberos protocol
# error code rdreq prints (RFC 4120): 45 is KRB_AP_ERR_NOKEY, 44 is
# KRB_AP_ERR_BADKEYVER, 35 is KRB_AP_ERR_NOT_US and 31 is
# KRB_AP_ERR_BAD_INTEGRITY.  The exact message text is pinned as well,
# so regressions in rd_req's diagnostics are caught, not just changes in
# the returned code.
mark('no keytab')
nokeytab_err = "45 Key table file '%s' not found" % realm.keytab
test(princ1, None, nokeytab_err)
test(princ1, princ1, nokeytab_err)
test(princ1, matchprinc, nokeytab_err)

# Keytab present, successful decryption.  The keytab holds only princ1,
# which is both the ticket server and (via the matching pattern) the
# server principal in every variant.
mark('success')
realm.extract_keytab(princ1, realm.keytab)
test(princ1, None, '0 success')
test(princ1, princ1, '0 success')
test(princ1, matchprinc, '0 success')

# Explicit server principal not found in keytab.
mark('explicit server not found')
test(princ2, princ2, '45 No key table entry found for host/2@KRBTEST.COM')

# Matching server principal does not match any entries in keytab (with
# and without ticket server present in keytab).  The message names the
# pattern, not a concrete principal.
mark('matching server')
nomatch_err = '45 Server principal x/@ does not match any keys in keytab'
test(princ1, nomatchprinc, nomatch_err)
test(princ2, nomatchprinc, nomatch_err)

# Ticket server does not match explicit server principal (with and
# without ticket server present in keytab).  Only the second case has a
# usable key for the explicit server, so only it gets as far as a
# decryption failure; the first fails at the key lookup.
mark('ticket server mismatch')
test(princ1, princ2, '45 No key table entry found for host/2@KRBTEST.COM')
test(princ2, princ1,
     '35 Cannot decrypt ticket for host/2@KRBTEST.COM using keytab key for '
     'host/1@KRBTEST.COM')

# Ticket server not found in keytab during iteration.  With no server
# argument rd_req iterates over the keytab, and the message reports the
# ticket's kvno to help distinguish this from an outdated keytab.
mark('ticket server not found')
test(princ2, None,
     '35 Request ticket server host/2@KRBTEST.COM not found in keytab '
     '(ticket kvno 1)')

# Ticket server found in keytab but is not matched by server principal
# (but other principals in keytab do match).  After this the keytab
# holds entries for both princ1 and princ3.
mark('ticket server mismatch (matching)')
realm.extract_keytab(princ3, realm.keytab)
test(princ3, matchprinc,
     '35 Request ticket server HTTP/3@KRBTEST.COM found in keytab but does '
     'not match server principal host/@')

# Service ticket is out of date.  Rebuilding the keytab with kadmin
# ktadd randomizes princ1's key and bumps its kvno, so the keytab no
# longer has the kvno 1 key the already-issued ticket was encrypted in.
# The iteration and explicit-server paths report this differently.
mark('outdated service ticket')
os.remove(realm.keytab)
realm.run([kadminl, 'ktadd', princ1])
test(princ1, None,
     '44 Request ticket server host/1@KRBTEST.COM kvno 1 not found in keytab; '
     'ticket is likely out of date')
test(princ1, princ1,
     '44 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab')

# kvno mismatch due to ticket principal mismatch with explicit server.
# The code is NOT_US (35), not BADKEYVER, because the ticket server and
# the explicit server differ; the message still reports both.
mark('ticket server mismatch (kvno)')
test(princ2, princ1,
     '35 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab (request '
     'ticket server host/2@KRBTEST.COM)')

# Keytab is out of date.  Changing the key again moves princ1 to kvno 3
# while the keytab still holds the ktadd key.  Re-running kinit
# presumably discards any cached service ticket so the next request is
# encrypted in the new kvno 3 key — confirm against rdreq if this is
# changed.
mark('outdated keytab')
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.kinit(realm.user_princ, password('user'))
test(princ1, None,
     '44 Request ticket server host/1@KRBTEST.COM kvno 3 not found in keytab; '
     'keytab is likely out of date')
test(princ1, princ1,
     '44 Cannot find key for host/1@KRBTEST.COM kvno 3 in keytab')

# Ticket server and kvno found but not with ticket enctype.  A fresh
# keytab for princ1 has one entry per supported enctype; ktutil is used
# to delete entry 1 (the aes256-cts key, going by the expected message)
# and write the rest to a partial keytab that then replaces the original.
# The klist output is only there for the test log.
mark('missing enctype')
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
pkeytab = realm.keytab + '.partial'
realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
                           (realm.keytab, pkeytab)))
os.rename(pkeytab, realm.keytab)
realm.run([klist, '-ke'])
test(princ1, None,
     '44 Request ticket server host/1@KRBTEST.COM kvno 3 found in keytab but '
     'not with enctype aes256-cts')
# This is a bad code (KRB_AP_ERR_NOKEY) and message, because
# krb5_kt_get_entry returns the same result for this and not finding
# the principal at all.  But it's an uncommon case; GSSAPI apps
# usually use a matching principal and missing key enctypes are rare.
test(princ1, princ1, '45 No key table entry found for host/1@KRBTEST.COM')

# Ticket server, kvno, and enctype matched, but key does not work.
# Randomizing the key and then forcing the kvno back to 3 with modprinc
# leaves the keytab entry with the ticket's kvno and enctype but a
# different key, so the failure is a genuine decryption error (31).
mark('wrong key')
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.run([kadminl, 'modprinc', '-kvno', '3', princ1])
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
test(princ1, None,
     '31 Request ticket server host/1@KRBTEST.COM kvno 3 enctype aes256-cts '
     'found in keytab but cannot decrypt ticket')
test(princ1, princ1,
     '31 Cannot decrypt ticket for host/1@KRBTEST.COM using keytab key for '
     'host/1@KRBTEST.COM')

# Test that aliases work.  The ticket server (princ4) isn't present in
# keytab, but there is a usable princ1 entry with the same key.
# Renaming princ1 to princ4 keeps the key, so all three server-argument
# variants must succeed against the existing princ1 keytab entry.
mark('aliases')
realm.run([kadminl, 'renprinc', princ1, princ4])
test(princ4, None, '0 success')
test(princ4, princ1, '0 success')
test(princ4, matchprinc, '0 success')

success('krb5_rd_req tests')
139