From: Greg Hudson Date: Wed, 4 Mar 2015 19:43:20 +0000 (-0500) Subject: Add tests for key rotation and 32-bit keytab kvnos X-Git-Tag: krb5-1.14-alpha1~134 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c873481596653f5a35be1fffc268847867e89e7;p=thirdparty%2Fkrb5.git Add tests for key rotation and 32-bit keytab kvnos In t_keytab.py, test that kvnos no longer wrap after 255 or 32767, that they do wrap from 65535 to 1, and that kadmin ktrem preserves the more recent key after a wraparound. Also test edge cases of the 32-bit keytab kvno extension using hand-crafted keytab entries. ticket: 7532 --- diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py index 7e3546010f..6b7e9bcb2f 100755 --- a/src/tests/t_keytab.py +++ b/src/tests/t_keytab.py @@ -5,7 +5,7 @@ for realm in multipass_realms(create_user=False): # Test kinit with a keytab. realm.kinit(realm.host_princ, flags=['-k']) -realm = K5Realm(get_creds=False) +realm = K5Realm(get_creds=False, start_kadmind=True) # Test kinit with a partial keytab. pkeytab = realm.keytab + '.partial' @@ -41,19 +41,78 @@ if 'keytab specified, forcing -k' not in output: fail('Expected output not seen from kinit -i') realm.klist(realm.user_princ) -# Test handling of kvno values beyond 255. +# Test handling of kvno values beyond 255. Use kadmin over the +# network since we used to have an 8-bit limit on kvno marshalling. + +# Test one key rotation, verifying that the expected new kvno appears +# in the keytab and in the principal entry. +def test_key_rotate(realm, princ, expected_kvno): + realm.run_kadmin(['ktadd', '-k', realm.keytab, princ]) + realm.run([kadminl, 'ktrem', princ, 'old']) + realm.kinit(princ, flags=['-k']) + out = realm.run([klist, '-k']) + if ('%d %s' % (expected_kvno, princ)) not in out: + fail('kvno %d not listed in keytab' % expected_kvno) + out = realm.run_kadmin(['getprinc', princ]) + if ('Key: vno %d,' % expected_kvno) not in out: + fail('vno %d not seen in getprinc output' % expected_kvno) + +realm.prep_kadmin() princ = 'foo/bar@%s' % realm.realm realm.addprinc(princ) os.remove(realm.keytab) -realm.run([kadminl, 'modprinc', '-kvno', '252', princ]) -for kvno in range(253, 259): - realm.run([kadminl, 'ktadd', '-k', realm.keytab, princ]) - realm.kinit(princ, flags=['-k']) - realm.klist_keytab(princ) - os.remove(realm.keytab) -output = realm.run([kadminl, 'getprinc', princ]) -if 'Key: vno 258,' not in output: - fail('Expected vno not seen in kadmin.local output') +realm.run([kadminl, 'modprinc', '-kvno', '253', princ]) +test_key_rotate(realm, princ, 254) +test_key_rotate(realm, princ, 255) +test_key_rotate(realm, princ, 256) +test_key_rotate(realm, princ, 257) +realm.run([kadminl, 'modprinc', '-kvno', '32766', princ]) +test_key_rotate(realm, princ, 32767) +test_key_rotate(realm, princ, 32768) +test_key_rotate(realm, princ, 32769) +realm.run([kadminl, 'modprinc', '-kvno', '65534', princ]) +test_key_rotate(realm, princ, 65535) +test_key_rotate(realm, princ, 1) +test_key_rotate(realm, princ, 2) + +# Test that klist -k can read a keytab entry without a 32-bit kvno and +# reports the 8-bit key version. +record = '\x00\x01' # principal component count +record += '\x00\x0bKRBTEST.COM' # realm +record += '\x00\x04user' # principal component +record += '\x00\x00\x00\x01' # name type (NT-PRINCIPAL) +record += '\x54\xf7\x4d\x35' # timestamp +record += '\x02' # key version +record += '\x00\x12' # enctype +record += '\x00\x20' # key length +record += '\x00' * 32 # key bytes +f = open(realm.keytab, 'w') +f.write('\x05\x02\x00\x00\x00' + chr(len(record))) +f.write(record) +f.close() +out = realm.run([klist, '-k']) +if (' 2 %s' % realm.user_princ) not in out: + fail('Expected entry not seen in klist -k output') + +# Make sure zero-fill isn't treated as a 32-bit kvno. +f = open(realm.keytab, 'w') +f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4)) +f.write(record) +f.write('\x00\x00\x00\x00') +f.close() +out = realm.run([klist, '-k']) +if (' 2 %s' % realm.user_princ) not in out: + fail('Expected entry not seen in klist -k output') + +# Make sure a hand-crafted 32-bit kvno is recognized. +f = open(realm.keytab, 'w') +f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4)) +f.write(record) +f.write('\x00\x00\x00\x03') +f.close() +out = realm.run([klist, '-k']) +if (' 3 %s' % realm.user_princ) not in out: + fail('Expected entry not seen in klist -k output') # Test parameter expansion in profile variables realm.stop()