# Realm shared by every check in this script.
# NOTE(review): create_user=False presumably keeps the harness from creating
# its default user principal, so test_salt can add and delete 'user' itself --
# confirm against the k5test harness.
realm = K5Realm(create_user=False)
# Verify that a non-default salt type is attached only to the key it is
# written next to, and is not inherited by the keys that follow it.
# e1 and e2 are enctypes; salt is a non-default salt type.
def test_salt(realm, e1, salt, e2):
    """Create 'user' with the key list "e1:salt,e2" and check the salt's reach.

    The principal is added through kadminl with that key list, its
    getprinc output is searched for ":<salt>", and the principal is
    deleted again. Exactly one occurrence is accepted: zero means the
    salt type was not applied to the first key, and more than one means
    it was also applied to the second key.

    NOTE(review): salt is used as a regular expression without escaping;
    the callers in this script only pass plain alphabetic salt names.
    """
    salt_marker = ':' + salt
    key_list = ''.join([e1, salt_marker, ',', e2])
    realm.run([kadminl, 'ank', '-e', key_list, '-pw', 'password', 'user'])
    princ_listing = realm.run([kadminl, 'getprinc', 'user'])
    occurrences = re.findall(salt_marker, princ_listing)
    if len(occurrences) != 1:
        fail(salt + ' present in second enctype or not present')
    realm.run([kadminl, 'delprinc', 'user'])
# (enctype, salt type) pairs; every salt type here is a non-default one.
# Which enctype carries which salt type is mostly arbitrary.
# NOTE(review): des3-cbc-sha1 and arcfour-hmac are deprecated for Kerberos by
# RFC 8429; they appear here for salt-handling coverage, not as recommended
# enctypes for real principals.
salts = [
    ('des3-cbc-sha1', 'norealm'),
    ('arcfour-hmac', 'onlyrealm'),
    ('aes128-cts-hmac-sha1-96', 'special'),
]
# Keysalts for the second position, picked to cover the different
# string-to-key routines. aes256 deliberately carries no ":normal" suffix so
# that salt type defaulting is exercised too.
second_kstypes = [
    'aes256-cts-hmac-sha1-96',
    'arcfour-hmac:normal',
    'des3-cbc-sha1:normal',
]
# Run every combination of a salted first key and a second keysalt. Mixing
# salt types within one principal's key list must not let the parameters of
# one key carry over to the keys listed after it.
for e1, string in salts:
    for e2 in second_kstypes:
        test_salt(realm, e1, string, e2)
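def test_dup(realm, ks):
    """Check that duplicate keysalts in the key list ks are suppressed.

    Adds 'ks_princ' through kadminl with ks as its key list, reads the
    principal back with getprinc, and fails if either:
      * two identical 'Key: ' lines are reported, or
      * the number of matching lines exceeds the number of
        comma-separated entries in ks.
    The principal is deleted afterwards.
    """
    realm.run([kadminl, 'ank', '-e', ks, '-pw', 'password', 'ks_princ'])
    out = realm.run([kadminl, 'getprinc', 'ks_princ'])
    keys = [line for line in out.split('\n') if 'Key: ' in line]
    # Distinct key lines; a shorter set than list means the same keysalt was
    # stored twice. The comparison below needs this name to be bound.
    uniq = set(keys)
    # 'Key: ' also matches the 'MKey: ' line, so len(keys) is one more than
    # the number of stored keys. With '>' the check therefore fails when
    # the stored key count reaches the number of requested keysalts, i.e.
    # when nothing was dropped as a duplicate.
    if (len(uniq) != len(keys)) or len(keys) > len(ks.split(',')):
        fail('Duplicate keysalt detection failed for keysalt ' + ks)
    realm.run([kadminl, 'delprinc', 'ks_princ'])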
# Every in-tree caller asks krb5_string_to_keysalts() to suppress duplicates,
# so check that suppression works, that it respects enctype aliases, and
# that it terminates rather than looping forever.
# Each entry below is one key list containing at least one repeated keysalt.
dup_kstypes = [
    'arcfour-hmac-md5:normal,rc4-hmac:normal',
    'aes256-cts-hmac-sha1-96:normal,aes128-cts,aes256-cts',
    # Adjacent literals are joined into a single key list string.
    ('aes256-cts-hmac-sha1-96:normal,aes256-cts:special,'
     'aes256-cts-hmac-sha1-96:normal'),
]
52 for ks in dup_kstypes: