[28853] in CVS-changelog-for-Kerberos-V5
krb5 commit: Add tests for key rotation and 32-bit keytab kvnos
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 15 00:40:52 2015
Date: Wed, 15 Apr 2015 00:40:42 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201504150440.t3F4eguc015527@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/3c873481596653f5a35be1fffc268847867e89e7
commit 3c873481596653f5a35be1fffc268847867e89e7
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Mar 4 14:43:20 2015 -0500
Add tests for key rotation and 32-bit keytab kvnos
In t_keytab.py, test that kvnos no longer wrap after 255 or 32767, that
they do wrap from 65535 to 1, and that kadmin ktrem preserves the more
recent key after a wraparound.
Also test edge cases of the 32-bit keytab kvno extension using
hand-crafted keytab entries.
ticket: 7532
src/tests/t_keytab.py | 81 ++++++++++++++++++++++++++++++++++++++++++-------
1 files changed, 70 insertions(+), 11 deletions(-)
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index 7e35460..6b7e9bc 100755
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -5,7 +5,7 @@ for realm in multipass_realms(create_user=False):
# Test kinit with a keytab.
realm.kinit(realm.host_princ, flags=['-k'])
-realm = K5Realm(get_creds=False)
+realm = K5Realm(get_creds=False, start_kadmind=True)
# Test kinit with a partial keytab.
pkeytab = realm.keytab + '.partial'
@@ -41,19 +41,78 @@ if 'keytab specified, forcing -k' not in output:
fail('Expected output not seen from kinit -i')
realm.klist(realm.user_princ)
-# Test handling of kvno values beyond 255.
+# Test handling of kvno values beyond 255. Use kadmin over the
+# network since we used to have an 8-bit limit on kvno marshalling.
+
+# Test one key rotation, verifying that the expected new kvno appears
+# in the keytab and in the principal entry.
+def test_key_rotate(realm, princ, expected_kvno):
+ realm.run_kadmin(['ktadd', '-k', realm.keytab, princ])
+ realm.run([kadminl, 'ktrem', princ, 'old'])
+ realm.kinit(princ, flags=['-k'])
+ out = realm.run([klist, '-k'])
+ if ('%d %s' % (expected_kvno, princ)) not in out:
+ fail('kvno %d not listed in keytab' % expected_kvno)
+ out = realm.run_kadmin(['getprinc', princ])
+ if ('Key: vno %d,' % expected_kvno) not in out:
+ fail('vno %d not seen in getprinc output' % expected_kvno)
+
+realm.prep_kadmin()
princ = 'foo/bar@%s' % realm.realm
realm.addprinc(princ)
os.remove(realm.keytab)
-realm.run([kadminl, 'modprinc', '-kvno', '252', princ])
-for kvno in range(253, 259):
- realm.run([kadminl, 'ktadd', '-k', realm.keytab, princ])
- realm.kinit(princ, flags=['-k'])
- realm.klist_keytab(princ)
- os.remove(realm.keytab)
-output = realm.run([kadminl, 'getprinc', princ])
-if 'Key: vno 258,' not in output:
- fail('Expected vno not seen in kadmin.local output')
+realm.run([kadminl, 'modprinc', '-kvno', '253', princ])
+test_key_rotate(realm, princ, 254)
+test_key_rotate(realm, princ, 255)
+test_key_rotate(realm, princ, 256)
+test_key_rotate(realm, princ, 257)
+realm.run([kadminl, 'modprinc', '-kvno', '32766', princ])
+test_key_rotate(realm, princ, 32767)
+test_key_rotate(realm, princ, 32768)
+test_key_rotate(realm, princ, 32769)
+realm.run([kadminl, 'modprinc', '-kvno', '65534', princ])
+test_key_rotate(realm, princ, 65535)
+test_key_rotate(realm, princ, 1)
+test_key_rotate(realm, princ, 2)
+
+# Test that klist -k can read a keytab entry without a 32-bit kvno and
+# reports the 8-bit key version.
+record = '\x00\x01' # principal component count
+record += '\x00\x0bKRBTEST.COM' # realm
+record += '\x00\x04user' # principal component
+record += '\x00\x00\x00\x01' # name type (NT-PRINCIPAL)
+record += '\x54\xf7\x4d\x35' # timestamp
+record += '\x02' # key version
+record += '\x00\x12' # enctype
+record += '\x00\x20' # key length
+record += '\x00' * 32 # key bytes
+f = open(realm.keytab, 'w')
+f.write('\x05\x02\x00\x00\x00' + chr(len(record)))
+f.write(record)
+f.close()
+out = realm.run([klist, '-k'])
+if (' 2 %s' % realm.user_princ) not in out:
+ fail('Expected entry not seen in klist -k output')
+
+# Make sure zero-fill isn't treated as a 32-bit kvno.
+f = open(realm.keytab, 'w')
+f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
+f.write(record)
+f.write('\x00\x00\x00\x00')
+f.close()
+out = realm.run([klist, '-k'])
+if (' 2 %s' % realm.user_princ) not in out:
+ fail('Expected entry not seen in klist -k output')
+
+# Make sure a hand-crafted 32-bit kvno is recognized.
+f = open(realm.keytab, 'w')
+f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
+f.write(record)
+f.write('\x00\x00\x00\x03')
+f.close()
+out = realm.run([klist, '-k'])
+if (' 3 %s' % realm.user_princ) not in out:
+ fail('Expected entry not seen in klist -k output')
# Test parameter expansion in profile variables
realm.stop()
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
