3 # The name and number of each supported SPAKE group.
4 builtin_groups = ((1, 'edwards25519'),)
5 openssl_groups = ((2, 'P-256'), (3, 'P-384'), (4, 'P-521'))
6 if runenv.have_spake_openssl == 'yes':
7 groups = builtin_groups + openssl_groups
9 groups = builtin_groups
11 for gnum, gname in groups:
12 mark('group %s' % gname)
13 conf = {'libdefaults': {'spake_preauth_groups': gname}}
14 for realm in multipass_realms(create_user=False, create_host=False,
16 realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user'])
18 # Test a basic SPAKE preauth scenario with no optimizations.
19 msgs = ('Sending unauthenticated request',
20 '/Additional pre-authentication required',
21 'Selected etype info:',
22 'Sending SPAKE support message',
23 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
24 '/More preauthentication data is required',
25 'Continuing preauth mech PA-SPAKE (151)',
26 'SPAKE challenge received with group ' + str(gnum),
27 'Sending SPAKE response',
28 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
29 'AS key determined by preauth:',
31 realm.kinit('user', 'pw', expected_trace=msgs)
33 # Test an unsuccessful authentication.
34 msgs = ('/Additional pre-authentication required',
35 'Selected etype info:',
36 'Sending SPAKE support message',
37 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
38 '/More preauthentication data is required',
39 'Continuing preauth mech PA-SPAKE (151)',
40 'SPAKE challenge received with group ' + str(gnum),
41 'Sending SPAKE response',
42 '/Preauthentication failed')
43 realm.kinit('user', 'wrongpw', expected_code=1, expected_trace=msgs)
45 conf = {'libdefaults': {'spake_preauth_groups': 'edwards25519'}}
46 kdcconf = {'realms': {'$realm': {'spake_preauth_indicator': 'indspake'}}}
47 realm = K5Realm(create_user=False, krb5_conf=conf, kdc_conf=kdcconf)
48 realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user'])
52 msgs = ('Using FAST due to armor ccache negotiation',
54 'Sending unauthenticated request',
55 '/Additional pre-authentication required',
56 'Decoding FAST response',
57 'Selected etype info:',
58 'Sending SPAKE support message',
59 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
60 '/More preauthentication data is required',
61 'Continuing preauth mech PA-SPAKE (151)',
62 'SPAKE challenge received with group 1',
63 'Sending SPAKE response',
64 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
65 'AS key determined by preauth:',
67 realm.kinit(realm.host_princ, flags=['-k'])
68 realm.kinit('user', 'pw', flags=['-T', realm.ccache], expected_trace=msgs)
70 # Test optimistic client preauth (151 is PA-SPAKE).
71 mark('client optimistic')
72 msgs = ('Attempting optimistic preauth',
73 'Processing preauth types: PA-SPAKE (151)',
74 'Sending SPAKE support message',
75 'for next request: PA-SPAKE (151)',
76 '/More preauthentication data is required',
77 'Selected etype info:',
78 'SPAKE challenge received with group 1',
79 'Sending SPAKE response',
80 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
81 'AS key determined by preauth:',
83 realm.run(['./icred', '-o', '151', 'user', 'pw'], expected_trace=msgs)
85 # Test KDC optimistic challenge (accepted by client).
86 mark('KDC optimistic')
87 oconf = {'kdcdefaults': {'spake_preauth_kdc_challenge': 'edwards25519'}}
88 oenv = realm.special_env('ochal', True, krb5_conf=oconf)
90 realm.start_kdc(env=oenv)
91 msgs = ('Sending unauthenticated request',
92 '/Additional pre-authentication required',
93 'Selected etype info:',
94 'SPAKE challenge received with group 1',
95 'Sending SPAKE response',
96 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
97 'AS key determined by preauth:',
99 realm.kinit('user', 'pw', expected_trace=msgs)
101 if runenv.have_spake_openssl != 'yes':
102 skip_rest('SPAKE fallback tests', 'SPAKE not built using OpenSSL')
104 # Test optimistic client preauth falling back to encrypted timestamp
105 # because the KDC doesn't support any of the client groups.
106 mark('client optimistic (fallback)')
107 p256conf={'libdefaults': {'spake_preauth_groups': 'P-256'}}
108 p256env = realm.special_env('p256', False, krb5_conf=p256conf)
109 msgs = ('Attempting optimistic preauth',
110 'Processing preauth types: PA-SPAKE (151)',
111 'Sending SPAKE support message',
112 'for next request: PA-SPAKE (151)',
113 '/Preauthentication failed',
114 'Selected etype info:',
115 'Encrypted timestamp ',
116 'for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
117 'AS key determined by preauth:',
118 'Decrypted AS reply')
119 realm.run(['./icred', '-o', '151', 'user', 'pw'], env=p256env,
122 # Test KDC optimistic challenge (rejected by client).
123 mark('KDC optimistic (rejected)')
124 rconf = {'libdefaults': {'spake_preauth_groups': 'P-384,edwards25519'},
125 'kdcdefaults': {'spake_preauth_kdc_challenge': 'P-384'}}
126 renv = realm.special_env('ochal', True, krb5_conf=rconf)
128 realm.start_kdc(env=renv)
129 msgs = ('Sending unauthenticated request',
130 '/Additional pre-authentication required',
131 'Selected etype info:',
132 'SPAKE challenge with group 3 rejected',
133 'Sending SPAKE support message',
134 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
135 '/More preauthentication data is required',
136 'Continuing preauth mech PA-SPAKE (151)',
137 'SPAKE challenge received with group 1',
138 'Sending SPAKE response',
139 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)',
140 'AS key determined by preauth:',
141 'Decrypted AS reply')
142 realm.kinit('user', 'pw', expected_trace=msgs)
144 # Check that the auth indicator for SPAKE is properly included by the KDC.
145 mark('auth indicator')
146 realm.run([kvno, realm.host_princ])
147 realm.run(['./adata', realm.host_princ], expected_msg='+97: [indspake]')
149 success('SPAKE pre-authentication tests')