rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity
76d9979dc3
krb5/Update-test-suite-to-avoid-single-DES-enctypes.patch

2328 lines
84 KiB
Diff
Raw Normal View History

Remove support for single-DES and CRC
2019-05-28 19:22:45 +00:00
From 8fe2563e133e904e56c3ed3b9b970bb632c843b6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 24 May 2019 13:11:55 -0400
Subject: [PATCH] Update test suite to avoid single-DES enctypes
Remove the CRC exercise code, since CRC is DES-only.
ticket: 8808
(cherry picked from commit 50588db5d26e81f3d564d1f69435af34ae80d9b2)
---
src/kadmin/testing/proto/kdc.conf.proto | 2 +-
src/kadmin/testing/util/tcl_kadm5.c | 2 -
src/lib/crypto/crypto_tests/CRC.pm | 156 ----------
src/lib/crypto/crypto_tests/Makefile.in | 31 +-
src/lib/crypto/crypto_tests/crc.pl | 111 -------
src/lib/crypto/crypto_tests/deps | 24 --
src/lib/crypto/crypto_tests/t_cf2.expected | 1 -
src/lib/crypto/crypto_tests/t_cf2.in | 5 -
src/lib/crypto/crypto_tests/t_cksum.c | 160 ----------
src/lib/crypto/crypto_tests/t_cksums.c | 8 +-
src/lib/crypto/crypto_tests/t_combine.c | 18 --
src/lib/crypto/crypto_tests/t_crc.c | 148 ----------
src/lib/crypto/crypto_tests/t_decrypt.c | 148 ----------
src/lib/crypto/crypto_tests/t_encrypt.c | 3 -
src/lib/crypto/crypto_tests/t_short.c | 3 -
src/lib/crypto/crypto_tests/t_str2key.c | 274 ------------------
src/lib/crypto/crypto_tests/vectors.c | 3 +-
.../api.current/chpass-principal-v2.exp | 8 +-
.../api.current/get-principal-v2.exp | 4 +-
.../api.current/randkey-principal-v2.exp | 11 +-
src/lib/kadm5/unit-test/setkey-test.c | 6 +-
src/lib/krb5/keytab/t_keytab.c | 40 +--
src/lib/krb5/krb/t_etypes.c | 67 +----
src/lib/krb5/krb/t_ser.c | 2 +-
src/lib/krb5/os/t_trace.c | 2 +-
src/lib/krb5/os/t_trace.ref | 2 +-
src/tests/asn.1/ktest.c | 2 +-
src/tests/asn.1/pkinit_encode.out | 2 +-
src/tests/asn.1/pkinit_trval.out | 2 +-
src/tests/dejagnu/config/default.exp | 226 ++-------------
src/tests/gssapi/t_invalid.c | 20 +-
src/tests/gssapi/t_pcontok.c | 17 +-
src/tests/gssapi/t_prf.c | 7 -
src/tests/t_etype_info.py | 4 +-
src/tests/t_keyrollover.py | 6 +-
src/tests/t_salt.py | 2 +-
src/tests/t_sesskeynego.py | 18 +-
src/util/k5test.py | 2 +-
38 files changed, 88 insertions(+), 1459 deletions(-)
delete mode 100644 src/lib/crypto/crypto_tests/CRC.pm
delete mode 100644 src/lib/crypto/crypto_tests/crc.pl
delete mode 100644 src/lib/crypto/crypto_tests/t_cksum.c
delete mode 100644 src/lib/crypto/crypto_tests/t_crc.c
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 45df78b91..8a4b87de1 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -12,5 +12,5 @@
kadmind_port = 1751
kpasswd_port = 1752
master_key_type = des3-hmac-sha1
- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
+ supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
}
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index 9dde579ef..4d3114b11 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -1514,8 +1514,6 @@ static Tcl_DString *unparse_keytype(krb5_enctype enctype)
switch (enctype) {
/* XXX is this right? */
case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break;
- case ENCTYPE_DES_CBC_CRC:
- Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break;
default:
sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype);
Tcl_DStringAppend(str, buf, -1);
diff --git a/src/lib/crypto/crypto_tests/CRC.pm b/src/lib/crypto/crypto_tests/CRC.pm
deleted file mode 100644
index ee2ab2ae8..000000000
--- a/src/lib/crypto/crypto_tests/CRC.pm
+++ /dev/null
@@ -1,156 +0,0 @@
-# Copyright 2002 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-package CRC;
-
-# CRC: implement a CRC using the Poly package (yes this is slow)
-#
-# message M(x) = m_0 * x^0 + m_1 * x^1 + ... + m_(k-1) * x^(k-1)
-# generator P(x) = p_0 * x^0 + p_1 * x^1 + ... + p_n * x^n
-# remainder R(x) = r_0 * x^0 + r_1 * x^1 + ... + r_(n-1) * x^(n-1)
-#
-# R(x) = (x^n * M(x)) % P(x)
-#
-# Note that if F(x) = x^n * M(x) + R(x), then F(x) = 0 mod P(x) .
-#
-# In MIT Kerberos 5, R(x) is taken as the CRC, as opposed to what
-# ISO 3309 does.
-#
-# ISO 3309 adds a precomplement and a postcomplement.
-#
-# The ISO 3309 postcomplement is of the form
-#
-# A(x) = x^0 + x^1 + ... + x^(n-1) .
-#
-# The ISO 3309 precomplement is of the form
-#
-# B(x) = x^k * A(x) .
-#
-# The ISO 3309 FCS is then
-#
-# (x^n * M(x)) % P(x) + B(x) % P(x) + A(x) ,
-#
-# which is equivalent to
-#
-# (x^n * M(x) + B(x)) % P(x) + A(x) .
-#
-# In ISO 3309, the transmitted frame is
-#
-# F'(x) = x^n * M(x) + R(x) + R'(x) + A(x) ,
-#
-# where
-#
-# R'(x) = B(x) % P(x) .
-#
-# Note that this means that if a new remainder is computed over the
-# frame F'(x) (treating F'(x) as the new M(x)), it will be equal to a
-# constant.
-#
-# F'(x) = 0 + R'(x) + A(x) mod P(x) ,
-#
-# then
-#
-# (F'(x) + x^k * A(x)) * x^n
-#
-# = ((R'(x) + A(x)) + x^k * A(x)) * x^n mod P(x)
-#
-# = (x^k * A(x) + A(x) + x^k * A(x)) * x^n mod P(x)
-#
-# = (0 + A(x)) * x^n mod P(x)
-#
-# Note that (A(x) * x^n) % P(x) is a constant, and that this result
-# depends on B(x) being x^k * A(x).
-
-use Carp;
-use Poly;
-
-sub new {
- my $self = shift;
- my $class = ref($self) || $self;
- my %args = @_;
- $self = {bitsendian => "little"};
- bless $self, $class;
- $self->setpoly($args{"Poly"}) if exists $args{"Poly"};
- $self->bitsendian($args{"bitsendian"})
- if exists $args{"bitsendian"};
- $self->{precomp} = $args{precomp} if exists $args{precomp};
- $self->{postcomp} = $args{postcomp} if exists $args{postcomp};
- return $self;
-}
-
-sub setpoly {
- my $self = shift;
- my($arg) = @_;
- croak "need a polynomial" if !$arg->isa("Poly");
- $self->{Poly} = $arg;
- return $self;
-}
-
-sub crc {
- my $self = shift;
- my $msg = Poly->new(@_);
- my($order, $r, $precomp);
- $order = $self->{Poly}->order;
- # B(x) = x^k * precomp
- $precomp = $self->{precomp} ?
- $self->{precomp} * Poly->powers2poly(scalar(@_)) : Poly->new;
- # R(x) = (x^n * M(x)) % P(x)
- $r = ($msg * Poly->powers2poly($order)) % $self->{Poly};
- # B(x) % P(x)
- $r += $precomp % $self->{Poly};
- $r += $self->{postcomp} if exists $self->{postcomp};
- return $r;
-}
-
-# endianness of bits of each octet
-#
-# Note that the message is always treated as being sent in big-endian
-# octet order.
-#
-# Usually, the message will be treated as bits being little-endian,
-# since that is the common case for serial implementations that
-# present data in octets; e.g., most UARTs shift octets onto the line
-# in little-endian order, and protocols such as ISO 3309, V.42,
-# etc. treat individual octets as being sent LSB-first.
-
-sub bitsendian {
- my $self = shift;
- my($arg) = @_;
- croak "bad bit endianness" if $arg !~ /big|little/;
- $self->{bitsendian} = $arg;
- return $self;
-}
-
-sub crcstring {
- my $self = shift;
- my($arg) = @_;
- my($packstr, @m);
- {
- $packstr = "B*", last if $self->{bitsendian} =~ /big/;
- $packstr = "b*", last if $self->{bitsendian} =~ /little/;
- croak "bad bit endianness";
- };
- @m = split //, unpack $packstr, $arg;
- return $self->crc(@m);
-}
-
-1;
diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in
index c5eba1b10..09feeb50e 100644
--- a/src/lib/crypto/crypto_tests/Makefile.in
+++ b/src/lib/crypto/crypto_tests/Makefile.in
@@ -16,9 +16,7 @@ EXTRADEPSRCS=\
$(srcdir)/aes-test.c \
$(srcdir)/camellia-test.c \
$(srcdir)/t_cf2.c \
- $(srcdir)/t_cksum.c \
$(srcdir)/t_cksums.c \
- $(srcdir)/t_crc.c \
$(srcdir)/t_mddriver.c \
$(srcdir)/t_kperf.c \
$(srcdir)/t_sha2.c \
@@ -30,15 +28,12 @@ EXTRADEPSRCS=\
##DOS##BUILDTOP = ..\..\..
-# NOTE: The t_cksum known checksum values are primarily for regression
-# testing. They are not derived a priori, but are known to produce
-# checksums that interoperate.
check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
- t_cksum4 t_cksum5 t_cksums \
+ t_cksums \
aes-test \
camellia-test \
t_mddriver4 t_mddriver \
- t_crc t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
+ t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
t_combine
$(RUN_TEST) ./t_nfold
$(RUN_TEST) ./t_encrypt
@@ -47,10 +42,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
$(RUN_TEST) ./t_cmac
$(RUN_TEST) ./t_hmac
$(RUN_TEST) ./t_prf
- $(RUN_TEST) ./t_cksum4 "this is a test" e3f76a07f3401e3536b43a3f54226c39422c35682c354835
- $(RUN_TEST) ./t_cksum5 "this is a test" e3f76a07f3401e351143ee6f4c09be1edb4264d55015db53
$(RUN_TEST) ./t_cksums
- $(RUN_TEST) ./t_crc
$(RUN_TEST) ./t_cts
$(RUN_TEST) ./aes-test -k > vk.txt
cmp vk.txt $(srcdir)/expect-vk.txt
@@ -109,24 +101,9 @@ t_short$(EXEEXT): t_short.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_short.$(OBJEXT) \
$(KRB5_BASE_LIBS)
-t_cksum4.o: $(srcdir)/t_cksum.c
- $(CC) -DMD=4 $(ALL_CFLAGS) -o t_cksum4.o -c $(srcdir)/t_cksum.c
-
-t_cksum5.o: $(srcdir)/t_cksum.c
- $(CC) -DMD=5 $(ALL_CFLAGS) -o t_cksum5.o -c $(srcdir)/t_cksum.c
-
-t_cksum4: t_cksum4.o $(CRYTPO_DEPLIB)
- $(CC_LINK) -o t_cksum4 t_cksum4.o $(KRB5_BASE_LIBS)
-
-t_cksum5: t_cksum5.o $(CRYPTO_DEPLIB)
- $(CC_LINK) -o t_cksum5 t_cksum5.o $(KRB5_BASE_LIBS)
-
t_cksums: t_cksums.o $(CRYTPO_DEPLIB)
$(CC_LINK) -o t_cksums t_cksums.o -lkrb5 $(KRB5_BASE_LIBS)
-t_crc: t_crc.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ t_crc.o $(KRB5_BASE_LIBS)
-
aes-test: aes-test.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(KRB5_BASE_LIBS)
@@ -165,9 +142,9 @@ clean:
t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \
t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
aes-test.o aes-test vt.txt vk.txt kresults.out \
- t_crc.o t_crc t_cts.o t_cts \
+ t_cts.o t_cts \
t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \
- t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o t_cksums t_cksums.o \
+ t_cksums t_cksums.o \
t_kperf.o t_kperf t_sha2.o t_sha2 t_short t_short.o t_str2key \
t_str2key.o t_derive t_derive.o t_fork t_fork.o \
t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \
diff --git a/src/lib/crypto/crypto_tests/crc.pl b/src/lib/crypto/crypto_tests/crc.pl
deleted file mode 100644
index b21b6b15d..000000000
--- a/src/lib/crypto/crypto_tests/crc.pl
+++ /dev/null
@@ -1,111 +0,0 @@
-# Copyright 2002 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-use CRC;
-
-print "*** crudely testing polynomial functions ***\n";
-
-$x = Poly->new(1,1,1,1);
-$y = Poly->new(1,1);
-print "x = @{[$x->pretty]}\ny = @{[$y->pretty]}\n";
-$q = $x / $y;
-$r = $x % $y;
-print $x->pretty, " = (", $y->pretty , ") * (", $q->pretty,
- ") + ", $r->pretty, "\n";
-$q = $y / $x;
-$r = $y % $x;
-print "y / x = @{[$q->pretty]}\ny % x = @{[$r->pretty]}\n";
-
-# ISO 3309 32-bit FCS polynomial
-$fcs32 = Poly->powers2poly(32,26,23,22,16,12,11,10,8,7,5,4,2,1,0);
-print "fcs32 = ", $fcs32->pretty, "\n";
-
-$crc = CRC->new(Poly => $fcs32, bitsendian => "little");
-
-print "\n";
-
-print "*** little endian, no complementation ***\n";
-for ($i = 0; $i < 256; $i++) {
- $r = $crc->crcstring(pack "C", $i);
- printf ("%02x: ", $i) if !($i % 8);
- print ($r->revhex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-print "\n";
-
-print "*** little endian, 4 bits, no complementation ***\n";
-for ($i = 0; $i < 16; $i++) {
- @m = (split //, unpack "b*", pack "C", $i)[0..3];
- $r = $crc->crc(@m);
- printf ("%02x: ", $i) if !($i % 8);
- print ($r->revhex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-print "\n";
-
-print "*** test vectors for t_crc.c, little endian ***\n";
-for ($i = 1; $i <= 4; $i *=2) {
- for ($j = 0; $j < $i * 8; $j++) {
- @m = split //, unpack "b*", pack "V", 1 << $j;
- splice @m, $i * 8;
- $r = $crc->crc(@m);
- $m = unpack "H*", pack "b*", join("", @m);
- print "{HEX, \"$m\", 0x", $r->revhex, "},\n";
- }
-}
-@m = ("foo", "test0123456789",
- "MASSACHVSETTS INSTITVTE OF TECHNOLOGY");
-foreach $m (@m) {
- $r = $crc->crcstring($m);
- print "{STR, \"$m\", 0x", $r->revhex, "},\n";
-}
-__END__
-
-print "*** big endian, no complementation ***\n";
-for ($i = 0; $i < 256; $i++) {
- $r = $crc->crcstring(pack "C", $i);
- printf ("%02x: ", $i) if !($i % 8);
- print ($r->hex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-# all ones polynomial of order 31
-$ones = Poly->new((1) x 32);
-
-print "*** big endian, ISO-3309 style\n";
-$crc = CRC->new(Poly => $fcs32,
- bitsendian => "little",
- precomp => $ones,
- postcomp => $ones);
-for ($i = 0; $i < 256; $i++) {
- $r = $crc->crcstring(pack "C", $i);
- print ($r->hex, ($i % 8 == 7) ? "\n" : " ");
-}
-
-for ($i = 0; $i < 0; $i++) {
- $x = Poly->new((1) x 32, (0) x $i);
- $y = Poly->new((1) x 32);
- $f = ($x % $fcs32) + $y;
- $r = (($f + $x) * Poly->powers2poly(32)) % $fcs32;
- @out = @$r;
- unshift @out, 0 while @out < 32;
- print @out, "\n";
-}
diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps
index 5d94a593d..19fef2582 100644
--- a/src/lib/crypto/crypto_tests/deps
+++ b/src/lib/crypto/crypto_tests/deps
@@ -140,17 +140,6 @@ $(OUTPRE)camellia-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/socket-utils.h camellia-test.c
$(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
$(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_cf2.c
-$(OUTPRE)t_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- t_cksum.c
$(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -161,19 +150,6 @@ $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h t_cksums.c
-$(OUTPRE)t_crc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \
- $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \
- $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- t_crc.c
$(OUTPRE)t_mddriver.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \
diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected
index 11a24b800..f8251a16c 100644
--- a/src/lib/crypto/crypto_tests/t_cf2.expected
+++ b/src/lib/crypto/crypto_tests/t_cf2.expected
@@ -1,6 +1,5 @@
97df97e4b798b29eb31ed7280287a92a
4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b
-43bae3738c9467e6
e58f9eb643862c13ad38e529313462a7f73e62834fe54a01
24d7f6b6bae4e5c00d2082c5ebab3672
edd02a39d2dbde31611c16e610be062c
diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in
index e62ead7d8..73e2f8fbc 100644
--- a/src/lib/crypto/crypto_tests/t_cf2.in
+++ b/src/lib/crypto/crypto_tests/t_cf2.in
@@ -8,11 +8,6 @@ key1
key2
a
b
-1
-key1
-key2
-a
-b
16
key1
key2
diff --git a/src/lib/crypto/crypto_tests/t_cksum.c b/src/lib/crypto/crypto_tests/t_cksum.c
deleted file mode 100644
index 0edaeb850..000000000
--- a/src/lib/crypto/crypto_tests/t_cksum.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/crypto_tests/t_cksum.c */
-/*
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* Test checksum and checksum compatability for rsa-md[4,5]-des. */
-
-#include "k5-int.h"
-#include "k5-hex.h"
-
-#define MD5_K5BETA_COMPAT
-#define MD4_K5BETA_COMPAT
-
-#if MD == 4
-#define CKTYPE CKSUMTYPE_RSA_MD4_DES
-#endif
-
-#if MD == 5
-#define CKTYPE CKSUMTYPE_RSA_MD5_DES
-#endif
-
-static void
-print_checksum(char *text, int number, char *message, krb5_checksum *checksum)
-{
- unsigned int i;
-
- printf("%s MD%d checksum(\"%s\") = ", text, number, message);
- for (i=0; i<checksum->length; i++)
- printf("%02x", (unsigned char) checksum->contents[i]);
- printf("\n");
-}
-
-/*
- * Test the checksum verification of Old Style (tm) and correct RSA-MD[4,5]-DES
- * checksums.
- */
-
-krb5_octet testkey[8] = { 0x45, 0x01, 0x49, 0x61, 0x58, 0x19, 0x1a, 0x3d };
-
-int
-main(argc, argv)
- int argc;
- char **argv;
-{
- int msgindex;
- size_t len;
- krb5_boolean valid;
- krb5_keyblock keyblock;
- krb5_key key;
- krb5_error_code kret=0;
- krb5_data plaintext;
- krb5_checksum checksum, knowncksum;
-
- /* this is a terrible seed, but that's ok for the test. */
-
- plaintext.length = 8;
- plaintext.data = (char *) testkey;
-
- krb5_c_random_seed(/* XXX */ 0, &plaintext);
-
- keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- keyblock.length = sizeof(testkey);
- keyblock.contents = testkey;
-
- krb5_k_create_key(NULL, &keyblock, &key);
-
- for (msgindex = 1; msgindex + 1 < argc; msgindex += 2) {
- plaintext.length = strlen(argv[msgindex]);
- plaintext.data = argv[msgindex];
-
- /* Create a checksum. */
- kret = krb5_k_make_checksum(NULL, CKTYPE, key, 0, &plaintext,
- &checksum);
- if (kret != 0) {
- printf("krb5_calculate_checksum choked with %d\n", kret);
- break;
- }
- print_checksum("correct", MD, argv[msgindex], &checksum);
-
- /* Verify it. */
- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum,
- &valid);
- if (kret != 0) {
- printf("verify on new checksum choked with %d\n", kret);
- break;
- }
- if (!valid) {
- printf("verify on new checksum failed\n");
- kret = 1;
- break;
- }
- printf("Verify succeeded for \"%s\"\n", argv[msgindex]);
-
- /* Corrupt the checksum and see if it still verifies. */
- checksum.contents[0]++;
- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum,
- &valid);
- if (kret != 0) {
- printf("verify on new checksum choked with %d\n", kret);
- break;
- }
- if (valid) {
- printf("verify on new checksum succeeded, but shouldn't have\n");
- kret = 1;
- break;
- }
- printf("Verify of bad checksum OK for \"%s\"\n", argv[msgindex]);
- free(checksum.contents);
-
- /* Verify a known-good checksum for this plaintext. */
- kret = k5_hex_decode(argv[msgindex + 1], &knowncksum.contents, &len);
- if (kret) {
- printf("k5_hex_decode failed\n");
- break;
- }
- knowncksum.length = len;
- knowncksum.checksum_type = CKTYPE;
- knowncksum.magic = KV5M_CHECKSUM;
- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &knowncksum,
- &valid);
- if (kret != 0) {
- printf("verify on known checksum choked with %d\n", kret);
- break;
- }
- if (!valid) {
- printf("verify on known checksum failed\n");
- kret = 1;
- break;
- }
- printf("Verify on known checksum succeeded\n");
- free(knowncksum.contents);
- }
- if (!kret)
- printf("%d tests passed successfully for MD%d checksum\n", (argc-1)/2, MD);
-
- krb5_k_free_key(NULL, key);
-
- return(kret);
-}
diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c
index 5afc90ed8..4da14ea43 100644
--- a/src/lib/crypto/crypto_tests/t_cksums.c
+++ b/src/lib/crypto/crypto_tests/t_cksums.c
@@ -27,7 +27,7 @@
/*
* This harness tests checksum results against known values. With the -v flag,
* results for all tests are displayed. This harness only works for
- * deterministic checksums; for rsa-md4-des and rsa-md5-des, see t_cksum.c.
+ * deterministic checksums.
*/
#include "k5-int.h"
@@ -40,12 +40,6 @@ struct test {
krb5_data keybits;
krb5_data cksum;
} test_cases[] = {
- {
- { KV5M_DATA, 3, "abc" },
- CKSUMTYPE_CRC32, 0, 0, { KV5M_DATA, 0, "" },
- { KV5M_DATA, 4,
- "\xD0\x98\x65\xCA" }
- },
{
{ KV5M_DATA, 3, "one" },
CKSUMTYPE_RSA_MD4, 0, 0, { KV5M_DATA, 0, "" },
diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c
index 89219c762..ba0622bcf 100644
--- a/src/lib/crypto/crypto_tests/t_combine.c
+++ b/src/lib/crypto/crypto_tests/t_combine.c
@@ -32,10 +32,6 @@
#include "k5-int.h"
-unsigned char des_key1[] = "\x04\x86\xCD\x97\x61\xDF\xD6\x29";
-unsigned char des_key2[] = "\x1A\x54\x9B\x7F\xDC\x20\x83\x0E";
-unsigned char des_result[] = "\xC2\x13\x01\x52\x89\x26\xC4\xF7";
-
unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73"
"\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13";
unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A"
@@ -48,20 +44,6 @@ main(int argc, char **argv)
{
krb5_keyblock kb1, kb2, result;
- kb1.enctype = ENCTYPE_DES_CBC_CRC;
- kb1.contents = des_key1;
- kb1.length = 8;
- kb2.enctype = ENCTYPE_DES_CBC_CRC;
- kb2.contents = des_key2;
- kb2.length = 8;
- memset(&result, 0, sizeof(result));
- if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0)
- abort();
- if (result.enctype != ENCTYPE_DES_CBC_CRC || result.length != 8 ||
- memcmp(result.contents, des_result, 8) != 0)
- abort();
- krb5_free_keyblock_contents(NULL, &result);
-
kb1.enctype = ENCTYPE_DES3_CBC_SHA1;
kb1.contents = des3_key1;
kb1.length = 24;
diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c
deleted file mode 100644
index 8cd1d36cb..000000000
--- a/src/lib/crypto/crypto_tests/t_crc.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/crypto_tests/t_crc.c */
-/*
- * Copyright 2002,2005 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Sanity checks for CRC32.
- */
-#include <sys/times.h>
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <k5-hex.h>
-#include "crypto_int.h"
-
-#define HEX 1
-#define STR 2
-struct crc_trial {
- int type;
- char *data;
- unsigned long sum;
-};
-
-struct crc_trial trials[] = {
- {HEX, "01", 0x77073096},
- {HEX, "02", 0xee0e612c},
- {HEX, "04", 0x076dc419},
- {HEX, "08", 0x0edb8832},
- {HEX, "10", 0x1db71064},
- {HEX, "20", 0x3b6e20c8},
- {HEX, "40", 0x76dc4190},
- {HEX, "80", 0xedb88320},
- {HEX, "0100", 0x191b3141},
- {HEX, "0200", 0x32366282},
- {HEX, "0400", 0x646cc504},
- {HEX, "0800", 0xc8d98a08},
- {HEX, "1000", 0x4ac21251},
- {HEX, "2000", 0x958424a2},
- {HEX, "4000", 0xf0794f05},
- {HEX, "8000", 0x3b83984b},
- {HEX, "0001", 0x77073096},
- {HEX, "0002", 0xee0e612c},
- {HEX, "0004", 0x076dc419},
- {HEX, "0008", 0x0edb8832},
- {HEX, "0010", 0x1db71064},
- {HEX, "0020", 0x3b6e20c8},
- {HEX, "0040", 0x76dc4190},
- {HEX, "0080", 0xedb88320},
- {HEX, "01000000", 0xb8bc6765},
- {HEX, "02000000", 0xaa09c88b},
- {HEX, "04000000", 0x8f629757},
- {HEX, "08000000", 0xc5b428ef},
- {HEX, "10000000", 0x5019579f},
- {HEX, "20000000", 0xa032af3e},
- {HEX, "40000000", 0x9b14583d},
- {HEX, "80000000", 0xed59b63b},
- {HEX, "00010000", 0x01c26a37},
- {HEX, "00020000", 0x0384d46e},
- {HEX, "00040000", 0x0709a8dc},
- {HEX, "00080000", 0x0e1351b8},
- {HEX, "00100000", 0x1c26a370},
- {HEX, "00200000", 0x384d46e0},
- {HEX, "00400000", 0x709a8dc0},
- {HEX, "00800000", 0xe1351b80},
- {HEX, "00000100", 0x191b3141},
- {HEX, "00000200", 0x32366282},
- {HEX, "00000400", 0x646cc504},
- {HEX, "00000800", 0xc8d98a08},
- {HEX, "00001000", 0x4ac21251},
- {HEX, "00002000", 0x958424a2},
- {HEX, "00004000", 0xf0794f05},
- {HEX, "00008000", 0x3b83984b},
- {HEX, "00000001", 0x77073096},
- {HEX, "00000002", 0xee0e612c},
- {HEX, "00000004", 0x076dc419},
- {HEX, "00000008", 0x0edb8832},
- {HEX, "00000010", 0x1db71064},
- {HEX, "00000020", 0x3b6e20c8},
- {HEX, "00000040", 0x76dc4190},
- {HEX, "00000080", 0xedb88320},
- {STR, "foo", 0x7332bc33},
- {STR, "test0123456789", 0xb83e88d6},
- {STR, "MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 0xe34180f7}
-};
-
-#define NTRIALS (sizeof(trials) / sizeof(trials[0]))
-
-
-int
-main(void)
-{
- unsigned int i;
- struct crc_trial trial;
- uint8_t *bytes;
- size_t len;
- unsigned long cksum;
- char *typestr;
-
- for (i = 0; i < NTRIALS; i++) {
- trial = trials[i];
- switch (trial.type) {
- case STR:
- len = strlen(trial.data);
- typestr = "STR";
- cksum = 0;
- mit_crc32(trial.data, len, &cksum);
- break;
- case HEX:
- typestr = "HEX";
- if (k5_hex_decode(trial.data, &bytes, &len) != 0)
- abort();
- cksum = 0;
- mit_crc32(bytes, len, &cksum);
- free(bytes);
- break;
- default:
- typestr = "BOGUS";
- fprintf(stderr, "bad trial type %d\n", trial.type);
- exit(1);
- }
- printf("%s: %s \"%s\" = 0x%08lx\n",
- (trial.sum == cksum) ? "OK" : "***BAD***",
- typestr, trial.data, cksum);
- }
- exit(0);
-}
diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c
index 4ae0256cc..a40a85500 100644
--- a/src/lib/crypto/crypto_tests/t_decrypt.c
+++ b/src/lib/crypto/crypto_tests/t_decrypt.c
@@ -39,151 +39,6 @@ struct test {
krb5_data keybits;
krb5_data ciphertext;
} test_cases[] = {
- {
- ENCTYPE_DES_CBC_CRC,
- { KV5M_DATA, 0, "" }, 0,
- { KV5M_DATA, 8,
- "\x45\xE6\x08\x7C\xDF\x13\x8F\xB5" },
- { KV5M_DATA, 16,
- "\x28\xF6\xB0\x9A\x01\x2B\xCC\xF7\x2F\xB0\x51\x22\xB2\x83\x9E\x6E" }
- },
- {
- ENCTYPE_DES_CBC_CRC,
- { KV5M_DATA, 1, "1" }, 1,
- { KV5M_DATA, 8,
- "\x92\xA7\x15\x58\x10\x58\x6B\x2F" },
- { KV5M_DATA, 16,
- "\xB4\xC8\x71\xC2\xF3\xE7\xBF\x76\x05\xEF\xD6\x2F\x2E\xEE\xC2\x05" }
- },
- {
- ENCTYPE_DES_CBC_CRC,
- { KV5M_DATA, 9, "9 bytesss" }, 2,
- { KV5M_DATA, 8,
- "\xA4\xB9\x51\x4A\x61\x64\x64\x23" },
- { KV5M_DATA, 24,
- "\x5F\x14\xC3\x51\x78\xD3\x3D\x7C\xDE\x0E\xC1\x69\xC6\x23\xCC\x83"
- "\x21\xB7\xB8\xBD\x34\xEA\x7E\xFE" }
- },
- {
- ENCTYPE_DES_CBC_CRC,
- { KV5M_DATA, 13, "13 bytes byte", }, 3,
- { KV5M_DATA, 8,
- "\x2F\x16\xA2\xA7\xFD\xB0\x57\x68" },
- { KV5M_DATA, 32,
- "\x0B\x58\x8E\x38\xD9\x71\x43\x3C\x9D\x86\xD8\xBA\xEB\xF6\x3E\x4C"
- "\x1A\x01\x66\x6E\x76\xD8\xA5\x4A\x32\x93\xF7\x26\x79\xED\x88\xC9" }
- },
- {
- ENCTYPE_DES_CBC_CRC,
- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
- { KV5M_DATA, 8,
- "\xBC\x8F\x70\xFD\x20\x97\xD6\x7C" },
- { KV5M_DATA, 48,
- "\x38\xD6\x32\xD2\xC2\x0A\x7C\x2E\xA2\x50\xFC\x8E\xCE\x42\x93\x8E"
- "\x92\xA9\xF5\xD3\x02\x50\x26\x65\xC1\xA3\x37\x29\xC1\x05\x0D\xC2"
- "\x05\x62\x98\xFB\xFB\x16\x82\xCE\xEB\x65\xE5\x92\x04\xFD\xA7\xDF" }
- },
-
- {
- ENCTYPE_DES_CBC_MD4,
- { KV5M_DATA, 0, "", }, 0,
- { KV5M_DATA, 8,
- "\x13\xEF\x45\xD0\xD6\xD9\xA1\x5D" },
- { KV5M_DATA, 24,
- "\x1F\xB2\x02\xBF\x07\xAF\x30\x47\xFB\x78\x01\xE5\x88\x56\x86\x86"
- "\xBA\x63\xD7\x8B\xE3\xE8\x7D\xC7" }
- },
- {
- ENCTYPE_DES_CBC_MD4,
- { KV5M_DATA, 1, "1", }, 1,
- { KV5M_DATA, 8,
- "\x64\x68\x86\x54\xDC\x26\x9E\x67" },
- { KV5M_DATA, 32,
- "\x1F\x6C\xB9\xCE\xCB\x73\xF7\x55\xAB\xFD\xB3\xD5\x65\xBD\x31\xD5"
- "\xA2\xE6\x4B\xFE\x44\xC4\x91\xE2\x0E\xEB\xE5\xBD\x20\xE4\xD2\xA9" }
- },
- {
- ENCTYPE_DES_CBC_MD4,
- { KV5M_DATA, 9, "9 bytesss", }, 2,
- { KV5M_DATA, 8,
- "\x68\x04\xFB\x26\xDF\x8A\x4C\x32" },
- { KV5M_DATA, 40,
- "\x08\xA5\x3D\x62\xFE\xC3\x33\x8A\xD1\xD2\x18\xE6\x0D\xBD\xD3\xB2"
- "\x12\x94\x06\x79\xD1\x25\xE0\x62\x1B\x3B\xAB\x46\x80\xCE\x03\x67"
- "\x6A\x2C\x42\x0E\x9B\xE7\x84\xEB" }
- },
- {
- ENCTYPE_DES_CBC_MD4,
- { KV5M_DATA, 13, "13 bytes byte", }, 3,
- { KV5M_DATA, 8,
- "\x23\x4A\x43\x6E\xC7\x2F\xA8\x0B" },
- { KV5M_DATA, 40,
- "\x17\xCD\x45\xE1\x4F\xF0\x6B\x28\x40\xA6\x03\x6E\x9A\xA7\xA4\x14"
- "\x4E\x29\x76\x81\x44\xA0\xC1\x82\x7D\x8C\x4B\xC7\xC9\x90\x6E\x72"
- "\xCD\x4D\xC3\x28\xF6\x64\x8C\x99" }
- },
- {
- ENCTYPE_DES_CBC_MD4,
- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
- { KV5M_DATA, 8,
- "\x1F\xD5\xF7\x43\x34\xC4\xFB\x8C" },
- { KV5M_DATA, 56,
- "\x51\x13\x4C\xD8\x95\x1E\x9D\x57\xC0\xA3\x60\x53\xE0\x4C\xE0\x3E"
- "\xCB\x84\x22\x48\x8F\xDD\xC5\xC0\x74\xC4\xD8\x5E\x60\xA2\xAE\x42"
- "\x3C\x3C\x70\x12\x01\x31\x4F\x36\x2C\xB0\x74\x48\x09\x16\x79\xC6"
- "\xA4\x96\xC1\x1D\x7B\x93\xC7\x1B" }
- },
-
- {
- ENCTYPE_DES_CBC_MD5,
- { KV5M_DATA, 0, "", }, 0,
- { KV5M_DATA, 8,
- "\x4A\x54\x5E\x0B\xF7\xA2\x26\x31" },
- { KV5M_DATA, 24,
- "\x78\x4C\xD8\x15\x91\xA0\x34\xBE\x82\x55\x6F\x56\xDC\xA3\x22\x4B"
- "\x62\xD9\x95\x6F\xA9\x0B\x1B\x93" }
- },
- {
- ENCTYPE_DES_CBC_MD5,
- { KV5M_DATA, 1, "1", }, 1,
- { KV5M_DATA, 8,
- "\xD5\x80\x4A\x26\x9D\xC4\xE6\x45" },
- { KV5M_DATA, 32,
- "\xFF\xA2\x5C\x7B\xE2\x87\x59\x6B\xFE\x58\x12\x6E\x90\xAA\xA0\xF1"
- "\x2D\x9A\x82\xA0\xD8\x6D\xF6\xD5\xF9\x07\x4B\x6B\x39\x9E\x7F\xF1" }
- },
- {
- ENCTYPE_DES_CBC_MD5,
- { KV5M_DATA, 9, "9 bytesss", }, 2,
- { KV5M_DATA, 8,
- "\xC8\x31\x2F\x7F\x83\xEA\x46\x40" },
- { KV5M_DATA, 40,
- "\xE7\x85\x03\x37\xF2\xCC\x5E\x3F\x35\xCE\x3D\x69\xE2\xC3\x29\x86"
- "\x38\xA7\xAA\x44\xB8\x78\x03\x1E\x39\x85\x1E\x47\xC1\x5B\x5D\x0E"
- "\xE7\xE7\xAC\x54\xDE\x11\x1D\x80" }
- },
- {
- ENCTYPE_DES_CBC_MD5,
- { KV5M_DATA, 13, "13 bytes byte", }, 3,
- { KV5M_DATA, 8,
- "\x7F\xDA\x3E\x62\xAD\x8A\xF1\x8C" },
- { KV5M_DATA, 40,
- "\xD7\xA8\x03\x2E\x19\x99\x4C\x92\x87\x77\x50\x65\x95\xFB\xDA\x98"
- "\x83\x15\x8A\x85\x14\x54\x8E\x29\x6E\x91\x1C\x29\xF4\x65\xC6\x72"
- "\x36\x60\x00\x55\x8B\xFC\x2E\x88" }
- },
- {
- ENCTYPE_DES_CBC_MD5,
- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
- { KV5M_DATA, 8,
- "\xD3\xD6\x83\x29\x70\xA7\x37\x52" },
- { KV5M_DATA, 56,
- "\x8A\x48\x16\x6A\x4C\x6F\xEA\xE6\x07\xA8\xCF\x68\xB3\x81\xC0\x75"
- "\x5E\x40\x2B\x19\xDB\xC0\xF8\x1A\x7D\x7C\xA1\x9A\x25\xE0\x52\x23"
- "\xF6\x06\x44\x09\xBF\x5A\x4F\x50\xAC\xD8\x26\x63\x9F\xFA\x76\x73"
- "\xFD\x32\x4E\xC1\x9E\x42\x95\x02" }
- },
-
{
ENCTYPE_DES3_CBC_SHA1,
{ KV5M_DATA, 0, "", }, 0,
@@ -669,9 +524,6 @@ printhex(const char *head, void *data, size_t len)
static krb5_enctype
enctypes[] = {
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_ARCFOUR_HMAC_EXP,
diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c
index 4afbddedb..bd9b94691 100644
--- a/src/lib/crypto/crypto_tests/t_encrypt.c
+++ b/src/lib/crypto/crypto_tests/t_encrypt.c
@@ -37,9 +37,6 @@
/* What enctypes should we test?*/
krb5_enctype interesting_enctypes[] = {
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_ARCFOUR_HMAC_EXP,
diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c
index 40fa2821f..d4c2b97df 100644
--- a/src/lib/crypto/crypto_tests/t_short.c
+++ b/src/lib/crypto/crypto_tests/t_short.c
@@ -34,9 +34,6 @@
#include "k5-int.h"
krb5_enctype interesting_enctypes[] = {
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_ARCFOUR_HMAC_EXP,
diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c
index 27896e61e..cdb1acc6d 100644
--- a/src/lib/crypto/crypto_tests/t_str2key.c
+++ b/src/lib/crypto/crypto_tests/t_str2key.c
@@ -35,280 +35,6 @@ struct test {
krb5_error_code expected_err;
krb5_boolean allow_weak;
} test_cases[] = {
- /* AFS string-to-key tests from old t_afss2k.c. */
- {
- ENCTYPE_DES_CBC_CRC,
- "",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xA4\xD0\xD0\x9B\x86\x92\xB0\xC2" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "M",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xF1\xF2\x9E\xAB\xD0\xEF\xDF\x73" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xD6\x85\x61\xC4\xF2\x94\xF4\xA1" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My ",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xD0\xE3\xA7\x83\x94\x61\xE0\xD0" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My P",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xD5\x62\xCD\x94\x61\xCB\x97\xDF" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Pa",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x9E\xA2\xA2\xEC\xA8\x8C\x6B\x8F" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Pas",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xE3\x91\x6D\xD3\x85\xF1\x67\xC4" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Pass",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xF4\xC4\x73\xC8\x8A\xE9\x94\x6D" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Passw",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xA1\x9E\xB3\xAD\x6B\xE3\xAB\xD9" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Passwo",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xAD\xA1\xCE\x10\x37\x83\xA7\x8C" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Passwor",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xD3\x01\xD0\xF7\x3E\x7A\x49\x0B" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Password",
- { KV5M_DATA, 15, "Sodium Chloride" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xB6\x2A\x4A\xEC\x9D\x4C\x68\xDF" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x61\xEF\xE6\x83\xE5\x8A\x6B\x98" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "M",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x68\xCD\x68\xAD\xC4\x86\xCD\xE5" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x83\xA1\xC8\x86\x8F\x67\xD0\x62" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My ",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x9E\xC7\x8F\xA4\xA4\xB3\xE0\xD5" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My P",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xD9\x92\x86\x8F\x9D\x8C\x85\xE6" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Pa",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xDA\xF2\x92\x83\xF4\x9B\xA7\xAD" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Pas",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x91\xCD\xAD\xEF\x86\xDF\xD3\xA2" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Pass",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x73\xD3\x67\x68\x8F\x6E\xE3\x73" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Passw",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xC4\x61\x85\x9D\xAD\xF4\xDC\xB0" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Passwo",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\xE9\x02\x83\x16\x2C\xEC\xE0\x08" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Passwor",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x61\xC8\x26\x29\xD9\x73\x6E\xB6" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "My Password",
- { KV5M_DATA, 4, "NaCl" },
- { KV5M_DATA, 1, "\1" },
- { KV5M_DATA, 8, "\x8C\xA8\x9E\xC4\xA8\xDC\x31\x73" },
- 0,
- FALSE
- },
-
- /* Test vectors from RFC 3961 appendix A.2. */
- {
- ENCTYPE_DES_CBC_CRC,
- "password",
- { KV5M_DATA, 21, "ATHENA.MIT.EDUraeburn" },
- { KV5M_DATA, 1, "\0" },
- { KV5M_DATA, 8, "\xCB\xC2\x2F\xAE\x23\x52\x98\xE3" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "potatoe",
- { KV5M_DATA, 19, "WHITEHOUSE.GOVdanny" },
- { KV5M_DATA, 1, "\0" },
- { KV5M_DATA, 8, "\xDF\x3D\x32\xA7\x4F\xD9\x2A\x01" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "\xF0\x9D\x84\x9E",
- { KV5M_DATA, 18, "EXAMPLE.COMpianist" },
- { KV5M_DATA, 1, "\0" },
- { KV5M_DATA, 8, "\x4F\xFB\x26\xBA\xB0\xCD\x94\x13" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "\xC3\x9F",
- { KV5M_DATA, 23, "ATHENA.MIT.EDUJuri\xC5\xA1\x69\xC4\x87" },
- { KV5M_DATA, 1, "\0" },
- { KV5M_DATA, 8, "\x62\xC8\x1A\x52\x32\xB5\xE6\x9D" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "11119999",
- { KV5M_DATA, 8, "AAAAAAAA" },
- { KV5M_DATA, 1, "\0" },
- { KV5M_DATA, 8, "\x98\x40\x54\xd0\xf1\xa7\x3e\x31" },
- 0,
- FALSE
- },
- {
- ENCTYPE_DES_CBC_CRC,
- "NNNN6666",
- { KV5M_DATA, 8, "FFFFAAAA" },
- { KV5M_DATA, 1, "\0" },
- { KV5M_DATA, 8, "\xC4\xBF\x6B\x25\xAD\xF7\xA4\xF8" },
- 0,
- FALSE
- },
-
/* Test vectors from RFC 3961 appendix A.4. */
{
ENCTYPE_DES3_CBC_SHA1,
diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c
index c1a765732..bcf5c9106 100644
--- a/src/lib/crypto/crypto_tests/vectors.c
+++ b/src/lib/crypto/crypto_tests/vectors.c
@@ -30,7 +30,8 @@
*
* N.B.: Doesn't compile -- this file uses some routines internal to our
* crypto library which are declared "static" and thus aren't accessible
- * without modifying the other sources.
+ * without modifying the other sources. Additionally, some ciphers have been
+ * removed.
*/
#include <assert.h>
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
index db899a1dc..740425c69 100644
--- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
@@ -18,8 +18,8 @@ proc test200 {} {
# I'd like to specify a long list of keysalt tuples and make sure
# that chpass does the right thing, but we can only use those
- # enctypes that krbtgt has a key for: des-cbc-crc:normal
- # according to the prototype kdc.conf.
+ # enctypes that krbtgt has a key for: the AES enctypes, according to
+ # the prototype kdc.conf.
if {! [cmd [format {
kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -53,10 +53,10 @@ proc test200 {} {
}
# XXX Perhaps I should actually check the key type returned.
- if {$num_keys == 2} {
+ if {$num_keys == 5} {
pass "$test"
} else {
- fail "$test: $num_keys keys, should be 2"
+ fail "$test: $num_keys keys, should be 5"
}
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
index 8526897ed..3ea1ba29b 100644
--- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
}
set failed 0
- if {$num_keys != 2} {
- fail "$test: num_keys $num_keys should be 2"
+ if {$num_keys != 5} {
+ fail "$test: num_keys $num_keys should be 5"
set failed 1
}
for {set i 0} {$i < $num_keys} {incr i} {
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
index ee652cbd3..2925c1c43 100644
--- a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
@@ -16,10 +16,9 @@ proc test100 {} {
return
}
- # I'd like to specify a long list of keysalt tuples and make sure
- # that randkey does the right thing, but we can only use those
- # enctypes that krbtgt has a key for: des-cbc-crc:normal and
- # des-cbc-crc:v4, according to the prototype kdc.conf.
+ # I'd like to specify a long list of keysalt tuples and make sure that
+ # randkey does the right thing, but we can only use those enctypes that
+ # krbtgt has a key for: 3DES and AES, according to the prototype kdc.conf.
if {! [cmd [format {
kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -47,10 +46,10 @@ proc test100 {} {
}
# XXX Perhaps I should actually check the key type returned.
- if {$num_keys == 2} {
+ if {$num_keys == 5} {
pass "$test"
} else {
- fail "$test: $num_keys keys, should be 2"
+ fail "$test: $num_keys keys, should be 5"
}
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
index fa2392f81..8e7df96e9 100644
--- a/src/lib/kadm5/unit-test/setkey-test.c
+++ b/src/lib/kadm5/unit-test/setkey-test.c
@@ -19,15 +19,15 @@ need a random number generator
#endif /* no random */
krb5_keyblock test1[] = {
- {0, ENCTYPE_DES_CBC_CRC, 0, 0},
+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
{-1},
};
krb5_keyblock test2[] = {
- {0, ENCTYPE_DES_CBC_CRC, 0, 0},
+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
{-1},
};
krb5_keyblock test3[] = {
- {0, ENCTYPE_DES_CBC_CRC, 0, 0},
+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
{-1},
};
diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c
index c845596d6..ea4ce6819 100644
--- a/src/lib/krb5/keytab/t_keytab.c
+++ b/src/lib/krb5/keytab/t_keytab.c
@@ -96,6 +96,8 @@ kt_test(krb5_context context, const char *name)
krb5_principal princ;
krb5_kt_cursor cursor, cursor2;
int cnt;
+ krb5_enctype e1 = ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+ e2 = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
kret = krb5_kt_resolve(context, name, &kt);
CHECK(kret, "resolve");
@@ -139,9 +141,9 @@ kt_test(krb5_context context, const char *name)
/* =================== Add entries to keytab ================= */
/*
* Add the following for this principal
- * enctype 1, kvno 1, key = "1"
- * enctype 2, kvno 1, key = "1"
- * enctype 1, kvno 2, key = "2"
+ * enctype e1, kvno 1, key = "1"
+ * enctype e2, kvno 1, key = "1"
+ * enctype e1, kvno 2, key = "2"
*/
memset(&kent, 0, sizeof(kent));
kent.magic = KV5M_KEYTAB_ENTRY;
@@ -149,7 +151,7 @@ kt_test(krb5_context context, const char *name)
kent.timestamp = 327689;
kent.vno = 1;
kent.key.magic = KV5M_KEYBLOCK;
- kent.key.enctype = 1;
+ kent.key.enctype = e1;
kent.key.length = 1;
kent.key.contents = (krb5_octet *) "1";
@@ -157,11 +159,11 @@ kt_test(krb5_context context, const char *name)
kret = krb5_kt_add_entry(context, kt, &kent);
CHECK(kret, "Adding initial entry");
- kent.key.enctype = 2;
+ kent.key.enctype = e2;
kret = krb5_kt_add_entry(context, kt, &kent);
CHECK(kret, "Adding second entry");
- kent.key.enctype = 1;
+ kent.key.enctype = e1;
kent.vno = 2;
kent.key.contents = (krb5_octet *) "2";
kret = krb5_kt_add_entry(context, kt, &kent);
@@ -183,7 +185,7 @@ kt_test(krb5_context context, const char *name)
cnt = 0;
while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) {
if(((kent.vno != 1) && (kent.vno != 2)) ||
- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
+ ((kent.key.enctype != e1) && (kent.key.enctype != e2)) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Error in read contents\n");
@@ -231,7 +233,7 @@ kt_test(krb5_context context, const char *name)
/* Ensure a valid answer - we did not specify an enctype or kvno */
if (!krb5_principal_compare(context, princ, kent.principal) ||
((kent.vno != 1) && (kent.vno != 2)) ||
- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
+ ((kent.key.enctype != e1) && (kent.key.enctype != e2)) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Retrieved principal does not check\n");
@@ -243,12 +245,12 @@ kt_test(krb5_context context, const char *name)
/* Try to lookup a specific enctype - but unspecified kvno - should give
* max kvno
*/
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
CHECK(kret, "looking up principal");
/* Ensure a valid answer - we did specified an enctype */
if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 2) || (kent.key.enctype != 1) ||
+ (kent.vno != 2) || (kent.key.enctype != e1) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Retrieved principal does not check\n");
@@ -266,7 +268,7 @@ kt_test(krb5_context context, const char *name)
/* Ensure a valid answer - we did not specify a kvno */
if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 2) || (kent.key.enctype != 1) ||
+ (kent.vno != 2) || (kent.key.enctype != e1) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Retrieved principal does not check\n");
@@ -281,11 +283,11 @@ kt_test(krb5_context context, const char *name)
/* Try to lookup specified enctype and kvno */
- kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent);
+ kret = krb5_kt_get_entry(context, kt, princ, 1, e1, &kent);
CHECK(kret, "looking up principal");
if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 1) || (kent.key.enctype != 1) ||
+ (kent.vno != 1) || (kent.key.enctype != e1) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Retrieved principal does not check\n");
@@ -334,7 +336,7 @@ kt_test(krb5_context context, const char *name)
/* Try to lookup specified enctype and kvno - that does not exist*/
- kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent);
+ kret = krb5_kt_get_entry(context, kt, princ, 3, e1, &kent);
CHECK_ERR(kret, KRB5_KT_KVNONOTFOUND,
"looking up specific principal, kvno, enctype");
@@ -347,12 +349,12 @@ kt_test(krb5_context context, const char *name)
kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
CHECK(kret, "parsing principal");
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
CHECK(kret, "looking up principal");
- /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */
+ /* Ensure a valid answer - we are looking for max(kvno) and enc=e1 */
if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 2) || (kent.key.enctype != 1) ||
+ (kent.vno != 2) || (kent.key.enctype != e1) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Retrieved principal does not check\n");
@@ -368,12 +370,12 @@ kt_test(krb5_context context, const char *name)
krb5_free_keytab_entry_contents(context, &kent);
/* And ensure gone */
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
CHECK(kret, "looking up principal");
/* Ensure a valid answer - kvno should now be 1 - we deleted 2 */
if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 1) || (kent.key.enctype != 1) ||
+ (kent.vno != 1) || (kent.key.enctype != e1) ||
(kent.key.length != 1) ||
(kent.key.contents[0] != kent.vno +'0')) {
fprintf(stderr, "Delete principal check failed\n");
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
index 317637684..f609e938a 100644
--- a/src/lib/krb5/krb/t_etypes.c
+++ b/src/lib/krb5/krb/t_etypes.c
@@ -36,20 +36,6 @@ static struct {
krb5_error_code expected_err_noweak;
krb5_error_code expected_err_weak;
} tests[] = {
- /* Empty string, unused default list */
- { "",
- { ENCTYPE_DES_CBC_CRC, 0 },
- { 0 },
- { 0 },
- 0, 0
- },
- /* Single weak enctype */
- { "des-cbc-md4",
- { 0 },
- { 0 },
- { ENCTYPE_DES_CBC_MD4, 0 },
- 0, 0
- },
/* Single non-weak enctype */
{ "aes128-cts-hmac-sha1-96",
{ 0 },
@@ -57,35 +43,11 @@ static struct {
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
0, 0
},
- /* Two enctypes, one an alias, one weak */
- { "rc4-hmac des-cbc-md5",
- { 0 },
- { ENCTYPE_ARCFOUR_HMAC, 0 },
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, 0 },
- 0, 0
- },
- /* Three enctypes, all weak, case variation, funky separators */
- { " deS-HMac-shA1 , arCFour-hmaC-mD5-exp\tdeS3-Cbc-RAw\n",
- { 0 },
- { 0 },
- { ENCTYPE_DES_HMAC_SHA1, ENCTYPE_ARCFOUR_HMAC_EXP,
- ENCTYPE_DES3_CBC_RAW, 0 },
- 0, 0
- },
- /* Default set with enctypes added (one weak in each pair) */
- { "DEFAULT des-cbc-raw +des3-hmac-sha1",
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP,
- ENCTYPE_DES_CBC_RAW, ENCTYPE_DES3_CBC_SHA1, 0 },
- 0, 0
- },
/* Default set with enctypes removed */
{ "default -aes128-cts -des-hmac-sha1",
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_HMAC_SHA1, 0 },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_MD5, 0 },
0, 0
},
/* Family followed by enctype */
@@ -105,31 +67,22 @@ static struct {
{ ENCTYPE_CAMELLIA128_CTS_CMAC, 0 },
{ ENCTYPE_CAMELLIA128_CTS_CMAC, 0 }
},
- /* Enctype followed by two families */
- { "+rc4-hmAC des3 +des",
- { 0 },
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4 },
- 0, 0
- },
/* Default set with family added and enctype removed */
{ "DEFAULT +aes -arcfour-hmac-md5",
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 },
+ { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
{ ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192,
ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 },
- { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
+ { ENCTYPE_DES3_CBC_SHA1,
ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
0 },
0, 0
},
/* Default set with families removed and enctypes added (one redundant) */
- { "DEFAULT -des -des3 rc4-hmac rc4-hmac-exp",
+ { "DEFAULT -des3 rc4-hmac rc4-hmac-exp",
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, 0 },
+ ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_ARCFOUR_HMAC, 0 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
@@ -158,17 +111,17 @@ static struct {
},
/* Test krb5_set_default_in_tkt_ktypes */
{ NULL,
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
0, 0
},
/* Should get KRB5_CONFIG_ETYPE_NOSUPP if app-provided list has no strong
* enctypes and allow_weak_crypto=false. */
{ NULL,
- { ENCTYPE_DES_CBC_CRC, 0 },
+ { ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
{ 0 },
- { ENCTYPE_DES_CBC_CRC, 0 },
+ { ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
KRB5_CONFIG_ETYPE_NOSUPP, 0
},
/* Should get EINVAL if app provides an empty list. */
diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c
index 1d6cceaa2..f1a8c2553 100644
--- a/src/lib/krb5/krb/t_ser.c
+++ b/src/lib/krb5/krb/t_ser.c
@@ -272,7 +272,7 @@ ser_acontext_test(krb5_context kcontext, int verbose)
KV5M_AUTH_CONTEXT))) {
memset(&ukeyblock, 0, sizeof(ukeyblock));
memset(keydata, 0, sizeof(keydata));
- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
+ ukeyblock.enctype = ENCTYPE_AES128_CTS_HMAC_SHA256_128;
ukeyblock.length = sizeof(keydata);
ukeyblock.contents = keydata;
keydata[0] = 0xde;
diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c
index 5aea68e8d..10ba8d0ac 100644
--- a/src/lib/krb5/os/t_trace.c
+++ b/src/lib/krb5/os/t_trace.c
@@ -204,7 +204,7 @@ main (int argc, char *argv[])
padatap = NULL;
TRACE(ctx, "krb5_enctype, display shortest name of enctype: {etype}",
- ENCTYPE_DES_CBC_CRC);
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96);
TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", enctypes);
TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", NULL);
diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref
index bd5d9b6b6..044a66999 100644
--- a/src/lib/krb5/os/t_trace.ref
+++ b/src/lib/krb5/os/t_trace.ref
@@ -40,7 +40,7 @@ int, krb5_principal type: NT 4 style name and SID
int, krb5_principal type: ?
krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0
krb5_pa_data **, display list of padata type numbers: (empty)
-krb5_enctype, display shortest name of enctype: des-cbc-crc
+krb5_enctype, display shortest name of enctype: aes128-cts
krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511
krb5_enctype *, display list of enctypes: (empty)
krb5_ccache, display type:name: FILE:/path/to/ccache
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 6bf6e54ac..258377299 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -893,7 +893,7 @@ ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p)
void
ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p)
{
- p->enctype = ENCTYPE_DES_CBC_CRC;
+ p->enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
ktest_make_sample_data(&p->as_req);
ktest_make_sample_data(&p->pk_as_rep);
}
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 3b0f7190a..55a60bbef 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -10,4 +10,4 @@ encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03
encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A
encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
-encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 01 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
+encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index f9edbe154..9557188a8 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -145,6 +145,6 @@ encode_krb5_sp80056a_other_info:
encode_krb5_pkinit_supp_pub_info:
[Sequence/Sequence Of]
-. [0] [Integer] 1
+. [0] [Integer] 20
. [1] [Octet String] "krb5data"
. [2] [Octet String] "krb5data"
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index c061d764e..e8adee234 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -16,21 +16,6 @@ set stty_init {erase \^h kill \^u}
set env(TERM) dumb
set des3_krbtgt 0
-set tgt_support_desmd5 0
-
-# The names of the individual passes must be unique; lots of things
-# depend on it. The PASSES variable may not contain comments; only
-# small pieces get evaluated, so comments will do strange things.
-
-# Most of the purpose of using multiple passes is to exercise the
-# dependency of various bugs on configuration file settings,
-# particularly with regards to encryption types.
-
-# The des.no-kdc-md5 pass will fail if the KDC does not constrain
-# session key enctypes to those in its permitted_enctypes list. It
-# works by assuming enctype similarity, thus allowing the client to
-# request a des-cbc-md4 session key. Since only des-cbc-crc is in the
-# KDC's permitted_enctypes list, the TGT will be unusable.
if { [string length $VALGRIND] } {
rename spawn valgrind_aux_spawn
@@ -111,47 +96,21 @@ if { $PRIOCNTL_HACK } {
}
}
-# The des.des3-tgt.no-kdc-des3 pass will fail if the KDC doesn't
-# constrain ticket key enctypes to those in permitted_enctypes. It
-# does this by not putting des3 in the permitted_enctypes, while
-# creating a TGT princpal that has a des3 key as well as a des key.
+# The names of the individual passes must be unique; lots of things
+# depend on it. The PASSES variable may not contain comments; only
+# small pieces get evaluated, so comments will do strange things.
-# XXX -- master_key_type is fragile w.r.t. permitted_enctypes; it is
-# possible to configure things such that you have a master_key_type
-# that is not permitted, and the error message used to be cryptic.
+# Most of the purpose of using multiple passes is to exercise the
+# dependency of various bugs on configuration file settings,
+# particularly with regards to encryption types.
set passes {
- {
- des
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=des-cbc-crc:normal}
- {dummy=[verbose -log "DES TGT, DES enctype"]}
- }
- {
- des.des3tgt
- mode=udp
- des3_krbtgt=1
- {supported_enctypes=des-cbc-crc:normal}
- {dummy=[verbose -log "DES3 TGT, DES enctype"]}
- }
{
des3
mode=udp
des3_krbtgt=1
- {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
- {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
- }
- {
- aes-des
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc}
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc}
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc}
- {master_key_type=aes256-cts-hmac-sha1-96}
- {dummy=[verbose -log "AES + DES enctypes"]}
+ {supported_enctypes=des3-cbc-sha1:normal}
+ {dummy=[verbose -log "DES3 TGT, DES3 enctype"]}
}
{
aes-only
@@ -220,10 +179,10 @@ set passes {
aes-des3
mode=udp
des3_krbtgt=0
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
{master_key_type=aes256-cts-hmac-sha1-96}
{dummy=[verbose -log "AES + DES3 + DES enctypes"]}
}
@@ -231,12 +190,12 @@ set passes {
aes-des3tgt
mode=udp
des3_krbtgt=1
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal}
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
{master_key_type=aes256-cts-hmac-sha1-96}
- {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
+ {dummy=[verbose -log "AES enctypes, DES3 TGT"]}
}
{
all-enctypes
Fix KCM client time offset propagation
2019-08-15 20:32:06 +00:00
@@ -248,114 +207,7 @@ set passes {
Remove support for single-DES and CRC
2019-05-28 19:22:45 +00:00
{allow_weak_crypto(server)=false}
{dummy=[verbose -log "all default enctypes"]}
}
- {
- des.no-kdc-md5
- mode=udp
- des3_krbtgt=0
- tgt_support_desmd5=0
- {permitted_enctypes(kdc)=des-cbc-crc}
- {default_tgs_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
- {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
- {supported_enctypes=des-cbc-crc:normal}
- {master_key_type=des-cbc-crc}
- {dummy=[verbose -log \
- "DES TGT, KDC permitting only des-cbc-crc"]}
- }
- {
- des.des3-tgt.no-kdc-des3
- mode=udp
- tgt_support_desmd5=0
- {permitted_enctypes(kdc)=des-cbc-crc}
- {default_tgs_enctypes(client)=des-cbc-crc}
- {default_tkt_enctypes(client)=des-cbc-crc}
- {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
- {master_key_type=des-cbc-crc}
- {dummy=[verbose -log \
- "DES3 TGT, KDC permitting only des-cbc-crc"]}
- }
Fix KCM client time offset propagation
2019-08-15 20:32:06 +00:00
-}
-
Remove support for single-DES and CRC
2019-05-28 19:22:45 +00:00
-# des.md5-tgt is set as unused, since it won't trigger the error case
-# if SUPPORT_DESMD5 isn't honored.
-
-# The des.md5-tgt pass will fail if enctype similarity is inconsisent;
-# between 1.0.x and 1.1, the decrypt functions became more strict
-# about matching enctypes, while the KDB retrieval functions didn't
-# coerce the enctype to match what was requested. It works by setting
-# SUPPORT_DESMD5 on the TGT principal, forcing an enctype of
-# des-cbc-md5 on the TGT key. Since the database only contains a
-# des-cbc-crc key, the decrypt will fail if enctypes are not coerced.
-
-# des.no-kdc-md5.client-md4-skey is retained in unsed_passes, even
-# though des.no-kdc-md5 is roughly equivalent, since the associated
-# comment needs additional investigation at some point re the kadmin
-# client.
-
-# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to
-# the KDC issuing session keys that it won't accept. It will also
-# fail for a kadmin client, but for different reasons, since the kadm5
-# library does some curious filtering of enctypes, and also uses
-# get_in_tkt() rather than get_init_creds(); the former does an
-# intersection of the enctypes provided by the caller and those listed
-# in the config file!
-
-set unused_passes {
- {
- des.md5-tgt
- des3_krbtgt=0
- tgt_support_desmd5=1
- supported_enctypes=des-cbc-crc:normal
- {permitted_enctypes(kdc)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
- {permitted_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
- {dummy=[verbose -log "DES TGT, SUPPORTS_DESMD5"]}
- }
- {
- des.md5-tgt.no-kdc-md5
- des3_krbtgt=0
- tgt_support_desmd5=1
- {permitted_enctypes(kdc)=des-cbc-crc}
- {default_tgs_enctypes(client)=des-cbc-crc}
- {default_tkt_enctypes(client)=des-cbc-crc}
- {supported_enctypes=des-cbc-crc:normal}
- {master_key_type=des-cbc-crc}
- {dummy=[verbose -log \
- "DES TGT, SUPPORTS_DESMD5, KDC permitting only des-cbc-crc"]}
- }
- {
- des.no-kdc-md5.client-md4-skey
- des3_krbtgt=0
- {permitted_enctypes(kdc)=des-cbc-crc}
- {permitted_enctypes(client)=des-cbc-crc des-cbc-md4}
- {default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4}
- {default_tkt_enctypes(client)=des-cbc-md4}
- {supported_enctypes=des-cbc-crc:normal}
- {dummy=[verbose -log \
- "DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]}
- }
- {
- all-enctypes
- des3_krbtgt=1
- {supported_enctypes=\
- aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \
- aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
- des3-cbc-sha1:normal des3-cbc-sha1:none \
- des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
- }
- {dummy=[verbose -log "DES3 TGT, default enctypes"]}
- }
- {
- aes-tcp
- mode=tcp
- des3_krbtgt=0
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
- {master_key_type=aes256-cts-hmac-sha1-96}
- {dummy=[verbose -log "AES via TCP"]}
- }
Fix KCM client time offset propagation
2019-08-15 20:32:06 +00:00
}
Remove support for single-DES and CRC
2019-05-28 19:22:45 +00:00
-# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal }
Fix KCM client time offset propagation
2019-08-15 20:32:06 +00:00
Remove support for single-DES and CRC
2019-05-28 19:22:45 +00:00
# This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems
# to need it because its runtest.exp doesn't deal with PASS at all.
@@ -1095,7 +947,7 @@ proc setup_kerberos_db { standalone } {
global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
global tmppwd hostname
global spawn_id
- global des3_krbtgt tgt_support_desmd5
+ global des3_krbtgt
global multipass_name last_passname_db
set failall 0
@@ -1334,48 +1186,6 @@ proc setup_kerberos_db { standalone } {
}
}
}
- if $tgt_support_desmd5 {
- # Make TGT support des-cbc-md5
- set test "kadmin.local TGT to SUPPORT_DESMD5"
- set body {
- if $failall {
- break
- }
- spawn $KADMIN_LOCAL -r $REALMNAME
- verbose "starting $test"
- expect_after $def_exp_after
-
- expect "kadmin.local: "
- send "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
- # It echos...
- expect "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
- expect {
- "Principal \"krbtgt/$REALMNAME@$REALMNAME\" modified.\r\n" { }
- }
- expect "kadmin.local: "
- send "quit\r"
- expect eof
- catch expect_after
- if ![check_exit_status kadmin_local] {
- break
- }
- }
- set ret [catch $body]
- catch "expect eof"
- catch expect_after
- if $ret {
- set failall 1
- if $standalone {
- fail $test
- } else {
- delete_db
- }
- } else {
- if $standalone {
- pass $test
- }
- }
- }
envstack_pop
# create the admin database lock file
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index 2a332a8ae..9876a11e6 100644
--- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c
@@ -84,17 +84,6 @@ struct test {
size_t toklen;
const char *token;
} tests[] = {
- {
- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_RAW,
- SEAL_ALG_DES, SGN_ALG_DES_MAC_MD5, 8,
- 8,
- "\x26\xEC\xBA\xB6\xFE\xBA\x91\xCE",
- 53,
- "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x00"
- "\x00\x00\x00\xFF\xFF\xF0\x0B\x90\x7B\xC4\xFC\xEB\xF4\x84\x9C\x5A"
- "\xA8\x56\x41\x3E\xE1\x62\xEE\x38\xD1\x34\x9A\xE3\xFB\xC9\xFD\x0A"
- "\xDC\x83\xE1\x4A\xE4"
- },
{
ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW,
SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20,
@@ -160,8 +149,6 @@ make_fake_context(const struct test *test)
gss_union_ctx_id_t uctx;
krb5_gss_ctx_id_t kgctx;
krb5_keyblock kb;
- unsigned char encbuf[8];
- size_t i;
kgctx = calloc(1, sizeof(*kgctx));
if (kgctx == NULL)
@@ -184,11 +171,6 @@ make_fake_context(const struct test *test)
if (krb5_k_create_key(NULL, &kb, &kgctx->seq) != 0)
abort();
- if (kb.enctype == ENCTYPE_DES_CBC_RAW) {
- for (i = 0; i < 8; i++)
- encbuf[i] = kb.contents[i] ^ 0xF0;
- kb.contents = encbuf;
- }
if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
abort();
@@ -248,7 +230,7 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
gss_iov_buffer_desc iov;
store_16_be(KG_TOK_SIGN_MSG, tokbuf);
- store_16_le(SGN_ALG_DES_MAC_MD5, tokbuf + 2);
+ store_16_le(SGN_ALG_HMAC_MD5, tokbuf + 2);
store_16_le(SEAL_ALG_NONE, tokbuf + 4);
store_16_le(0xFFFF, tokbuf + 6);
memset(tokbuf + 8, 0, 16);
diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c
index c40ea434c..7368f752f 100644
--- a/src/tests/gssapi/t_pcontok.c
+++ b/src/tests/gssapi/t_pcontok.c
@@ -43,7 +43,6 @@
#include "k5-int.h"
#include "common.h"
-#define SGN_ALG_DES_MAC_MD5 0x00
#define SGN_ALG_HMAC_SHA1_DES3_KD 0x04
#define SGN_ALG_HMAC_MD5 0x11
@@ -78,11 +77,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
ret = krb5_k_create_key(context, &seqkb, &seq);
check_k5err(context, "krb5_k_create_key", ret);
- if (signalg == SGN_ALG_DES_MAC_MD5) {
- cktype = CKSUMTYPE_RSA_MD5;
- cksize = 8;
- ckusage = 0;
- } else if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
+ if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
cktype = CKSUMTYPE_HMAC_SHA1_DES3;
cksize = 20;
ckusage = 23;
@@ -122,15 +117,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
d = make_data(ptr - 8, 8);
ret = krb5_k_make_checksum(context, cktype, seq, ckusage, &d, &cksum);
check_k5err(context, "krb5_k_make_checksum", ret);
- if (signalg == SGN_ALG_DES_MAC_MD5) {
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = make_data(cksum.contents, 16);
- ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1);
- check_k5err(context, "krb5_k_encrypt_iov", ret);
- memcpy(ptr + 8, cksum.contents + 8, 8);
- } else {
- memcpy(ptr + 8, cksum.contents, cksize);
- }
+ memcpy(ptr + 8, cksum.contents, cksize);
/* Create the sequence number (8 bytes). */
iov.flags = KRB5_CRYPTO_TYPE_DATA;
diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c
index 6a698ce0f..f71774cdc 100644
--- a/src/tests/gssapi/t_prf.c
+++ b/src/tests/gssapi/t_prf.c
@@ -41,13 +41,6 @@ static struct {
const char *key2;
const char *out2;
} tests[] = {
- { ENCTYPE_DES_CBC_CRC,
- "E607FE9DABB57AE0",
- "803C4121379FC4B87CE413B67707C4632EBED2C6D6B7"
- "2A55E878836E35E21600D915D590DED5B6D77BB30A1F",
- "54758316B6257A75",
- "279E4105F7ADC9BD6EF28ABE31D89B442FE0058388BA"
- "33264ACB5729562DC637950F6BD144B654BE7700B2D6" },
{ ENCTYPE_DES3_CBC_SHA1,
"70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2",
"9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9"
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
index c21d054f1..2a052fc17 100644
--- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py
@@ -24,7 +24,7 @@ def test_etinfo(princ, enctypes, expected_lines):
# With no newer enctypes in the request, PA-ETYPE-INFO2,
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
# key for the most preferred matching enctype.
-test_etinfo('user', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
+test_etinfo('user', 'rc4-hmac-exp des3 rc4',
['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser',
'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser',
'asrep pw_salt KRBTEST.COMuser'])
@@ -37,7 +37,7 @@ test_etinfo('user', 'rc4 aes256-cts',
# In preauth-required errors, PA-PW-SALT does not appear, but the same
# etype-info2 values are expected.
-test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
+test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4',
['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser',
'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser'])
test_etinfo('preauthuser', 'rc4 aes256-cts',
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 4af6804f2..2c825a692 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -2,7 +2,7 @@ from k5test import *
rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
-realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal',
krb5_conf=rollover_krb5_conf)
princ1 = 'host/test1@%s' % (realm.realm,)
@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
# Make sure an old TGT fails after purging old TGS key.
realm.run([kvno, princ2], expected_code=1)
-ddes = "DEPRECATED:des-cbc-crc"
+et = "aes128-cts-hmac-sha256-128"
msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
- (realm.realm, realm.realm, ddes, ddes)
+ (realm.realm, realm.realm, et, et)
realm.run([klist, '-e'], expected_msg=msg)
# Check that new key actually works.
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
index 008efcb03..65084bbf3 100755
--- a/src/tests/t_salt.py
+++ b/src/tests/t_salt.py
@@ -22,7 +22,7 @@ salts = [('des3-cbc-sha1', 'norealm'),
# These enctypes are chosen to cover the different string-to-key routines.
# Omit ":normal" from aes256 to check that salttype defaulting works.
second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal',
- 'des3-cbc-sha1:normal', 'des-cbc-crc:normal']
+ 'des3-cbc-sha1:normal']
# Test using different salt types in a principal's key list.
# Parameters from one key in the list must not leak over to later ones.
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
index da02f224a..621b27156 100755
--- a/src/tests/t_sesskeynego.py
+++ b/src/tests/t_sesskeynego.py
@@ -23,13 +23,7 @@ conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}
conf3 = {'libdefaults': {
'allow_weak_crypto': 'true',
'default_tkt_enctypes': 'aes128-cts',
- 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}
-conf4 = {'libdefaults': {
- 'allow_weak_crypto': 'true',
- 'default_tkt_enctypes': 'aes256-cts',
- 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'},
- 'realms': {'$realm': {'des_crc_session_supported': 'false'}}}
-
+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
# Test with client request and session_enctypes preferring aes128, but
# aes256 long-term key.
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
@@ -63,16 +57,6 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
'rc4-hmac,aes128-cts,aes256-cts'])
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
-
-# 3c: Test des-cbc-crc default assumption.
-realm.run([kadminl, 'delstr', 'server', 'session_enctypes'])
-test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96')
-realm.stop()
-
-# Last go: test that we can disable the des-cbc-crc assumption
-realm = K5Realm(krb5_conf=conf4, get_creds=False)
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
realm.stop()
success('sesskeynego')
diff --git a/src/util/k5test.py b/src/util/k5test.py
index b6d93f1d8..da2782e15 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1307,7 +1307,7 @@ _passes = [
'master_key_type': 'aes256-sha2'}}}),
# Test a setup with modern principal keys but an old TGT key.
- ('aes256.destgt', 'des-cbc-crc:normal',
+ ('aes256.destgt', 'arcfour-hmac:normal',
{'libdefaults': {'allow_weak_crypto': 'true'}},
None)
]
Reference in New Issue Copy Permalink