xref: /freebsd/crypto/krb5/src/tests/t_y2038.py (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1from k5test import *
2
3# These tests will become much less important after the y2038 boundary
4# has elapsed, and may start exhibiting problems around the year 2075.
5
6if runenv.sizeof_time_t <= 4:
7    skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
8
9# Start a KDC running roughly 21 years in the future, after the y2038
10# boundary.  Set long maximum lifetimes for later tests.
11conf = {'realms': {'$realm': {'max_life': '9000d',
12                              'max_renewable_life': '9000d'}}}
13realm = K5Realm(start_kdc=False, kdc_conf=conf)
14realm.start_kdc(['-T', '662256000'])
15
16# kinit without preauth should succeed with clock skew correction, but
17# will result in an expired ticket, because we sent an absolute end
18# time and didn't get a chance to correct it..
19mark('kinit, no preauth')
20realm.kinit(realm.user_princ, password('user'))
21realm.run([kvno, realm.host_princ], expected_code=1,
22          expected_msg='Ticket expired')
23
24# kinit with preauth should succeed and result in a valid ticket, as
25# we get a chance to correct the end time based on the KDC time.  Try
26# with encrypted timestamp and encrypted challenge.
27mark('kinit, with preauth')
28realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
29realm.kinit(realm.user_princ, password('user'))
30realm.run([kvno, realm.host_princ])
31realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
32realm.run([kvno, realm.host_princ])
33
34# Test that expiration warning works after y2038, by setting a
35# password expiration time ten minutes after the KDC time.
36mark('expiration warning')
37realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
38out = realm.kinit(realm.user_princ, password('user'))
39if 'will expire in less than one hour' not in out:
40    fail('password expiration message')
41year = int(out.split()[-1])
42if year < 2038 or year > 9999:
43    fail('password expiration year')
44
45realm.stop_kdc()
46realm.start_kdc()
47realm.start_kadmind()
48realm.prep_kadmin()
49
50# Test getdate parsing of absolute timestamps after 2038 and
51# marshalling over the kadmin protocol.  The local time zone will
52# affect the display time by a little bit, so just look for the year.
53mark('kadmin marshalling')
54realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
55realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
56
57# Get a ticket whose lifetime crosses the y2038 boundary and
58# range-check the expiration year as reported by klist.
59mark('ticket lifetime across y2038')
60realm.kinit(realm.user_princ, password('user'),
61            flags=['-l', '8000d', '-r', '8500d'])
62realm.run([kvno, realm.host_princ])
63out = realm.run([klist])
64if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
65    fail('unexpected tgt expiration year')
66if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
67    fail('unexpected tgt rtill year')
68if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
69    fail('unexpected service ticket expiration year')
70if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
71    fail('unexpected service ticket rtill year')
72realm.kinit(realm.user_princ, None, ['-R'])
73out = realm.run([klist])
74if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
75    fail('unexpected renewed tgt expiration year')
76if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
77    fail('unexpected renewed tgt rtill year')
78
79success('y2038 tests')
80