From 8fe2563e133e904e56c3ed3b9b970bb632c843b6 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood Date: Fri, 24 May 2019 13:11:55 -0400 Subject: [PATCH] Update test suite to avoid single-DES enctypes Remove the CRC exercise code, since CRC is DES-only. ticket: 8808 (cherry picked from commit 50588db5d26e81f3d564d1f69435af34ae80d9b2) --- src/kadmin/testing/proto/kdc.conf.proto | 2 +- src/kadmin/testing/util/tcl_kadm5.c | 2 - src/lib/crypto/crypto_tests/CRC.pm | 156 ---------- src/lib/crypto/crypto_tests/Makefile.in | 31 +- src/lib/crypto/crypto_tests/crc.pl | 111 ------- src/lib/crypto/crypto_tests/deps | 24 -- src/lib/crypto/crypto_tests/t_cf2.expected | 1 - src/lib/crypto/crypto_tests/t_cf2.in | 5 - src/lib/crypto/crypto_tests/t_cksum.c | 160 ---------- src/lib/crypto/crypto_tests/t_cksums.c | 8 +- src/lib/crypto/crypto_tests/t_combine.c | 18 -- src/lib/crypto/crypto_tests/t_crc.c | 148 ---------- src/lib/crypto/crypto_tests/t_decrypt.c | 148 ---------- src/lib/crypto/crypto_tests/t_encrypt.c | 3 - src/lib/crypto/crypto_tests/t_short.c | 3 - src/lib/crypto/crypto_tests/t_str2key.c | 274 ------------------ src/lib/crypto/crypto_tests/vectors.c | 3 +- .../api.current/chpass-principal-v2.exp | 8 +- .../api.current/get-principal-v2.exp | 4 +- .../api.current/randkey-principal-v2.exp | 11 +- src/lib/kadm5/unit-test/setkey-test.c | 6 +- src/lib/krb5/keytab/t_keytab.c | 40 +-- src/lib/krb5/krb/t_etypes.c | 67 +---- src/lib/krb5/krb/t_ser.c | 2 +- src/lib/krb5/os/t_trace.c | 2 +- src/lib/krb5/os/t_trace.ref | 2 +- src/tests/asn.1/ktest.c | 2 +- src/tests/asn.1/pkinit_encode.out | 2 +- src/tests/asn.1/pkinit_trval.out | 2 +- src/tests/dejagnu/config/default.exp | 226 ++------------- src/tests/gssapi/t_invalid.c | 20 +- src/tests/gssapi/t_pcontok.c | 17 +- src/tests/gssapi/t_prf.c | 7 - src/tests/t_etype_info.py | 4 +- src/tests/t_keyrollover.py | 6 +- src/tests/t_salt.py | 2 +- src/tests/t_sesskeynego.py | 18 +- src/util/k5test.py | 2 +- 38 files changed, 88 insertions(+), 1459 deletions(-) delete mode 100644 src/lib/crypto/crypto_tests/CRC.pm 
delete mode 100644 src/lib/crypto/crypto_tests/crc.pl delete mode 100644 src/lib/crypto/crypto_tests/t_cksum.c delete mode 100644 src/lib/crypto/crypto_tests/t_crc.c diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto index 45df78b91..8a4b87de1 100644 --- a/src/kadmin/testing/proto/kdc.conf.proto +++ b/src/kadmin/testing/proto/kdc.conf.proto @@ -12,5 +12,5 @@ kadmind_port = 1751 kpasswd_port = 1752 master_key_type = des3-hmac-sha1 - supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal + supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal } diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c index 9dde579ef..4d3114b11 100644 --- a/src/kadmin/testing/util/tcl_kadm5.c +++ b/src/kadmin/testing/util/tcl_kadm5.c @@ -1514,8 +1514,6 @@ static Tcl_DString *unparse_keytype(krb5_enctype enctype) switch (enctype) { /* XXX is this right? */ case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break; - case ENCTYPE_DES_CBC_CRC: - Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break; default: sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype); Tcl_DStringAppend(str, buf, -1); diff --git a/src/lib/crypto/crypto_tests/CRC.pm b/src/lib/crypto/crypto_tests/CRC.pm deleted file mode 100644 index ee2ab2ae8..000000000 --- a/src/lib/crypto/crypto_tests/CRC.pm +++ /dev/null 
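Review bot: In the kdc.conf.proto hunk, `master_key_type = des3-hmac-sha1` stays as an unchanged context line and `des3-hmac-sha1:normal` is still the first entry of the new `supported_enctypes` value, so this test KDC continues to depend on triple-DES after the single-DES entries are dropped. Triple-DES is itself deprecated for Kerberos by RFC 8429, so the retention reads as an oversight unless it is explained. If it is deliberate, presumably because other tests in the suite still expect a des3 master key, a comment line above the setting would record that, for example `# des3 kept for the existing kadm5 tests; revisit when des3 is retired`. The realm block that encloses these settings starts outside the hunk.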
@@ -1,156 +0,0 @@ -# Copyright 2002 by the Massachusetts Institute of Technology. -# All Rights Reserved. -# -# Export of this software from the United States of America may -# require a specific license from the United States Government. -# It is the responsibility of any person or organization contemplating -# export to obtain such a license before exporting. -# -# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -# distribute this software and its documentation for any purpose and -# without fee is hereby granted, provided that the above copyright -# notice appear in all copies and that both that copyright notice and -# this permission notice appear in supporting documentation, and that -# the name of M.I.T. not be used in advertising or publicity pertaining -# to distribution of the software without specific, written prior -# permission. Furthermore if you modify this software you must label -# your software as modified software and not distribute it in such a -# fashion that it might be confused with the original M.I.T. software. -# M.I.T. makes no representations about the suitability of -# this software for any purpose. It is provided "as is" without express -# or implied warranty. - -package CRC; - -# CRC: implement a CRC using the Poly package (yes this is slow) -# -# message M(x) = m_0 * x^0 + m_1 * x^1 + ... + m_(k-1) * x^(k-1) -# generator P(x) = p_0 * x^0 + p_1 * x^1 + ... + p_n * x^n -# remainder R(x) = r_0 * x^0 + r_1 * x^1 + ... + r_(n-1) * x^(n-1) -# -# R(x) = (x^n * M(x)) % P(x) -# -# Note that if F(x) = x^n * M(x) + R(x), then F(x) = 0 mod P(x) . -# -# In MIT Kerberos 5, R(x) is taken as the CRC, as opposed to what -# ISO 3309 does. -# -# ISO 3309 adds a precomplement and a postcomplement. -# -# The ISO 3309 postcomplement is of the form -# -# A(x) = x^0 + x^1 + ... + x^(n-1) . -# -# The ISO 3309 precomplement is of the form -# -# B(x) = x^k * A(x) . 
-# -# The ISO 3309 FCS is then -# -# (x^n * M(x)) % P(x) + B(x) % P(x) + A(x) , -# -# which is equivalent to -# -# (x^n * M(x) + B(x)) % P(x) + A(x) . -# -# In ISO 3309, the transmitted frame is -# -# F'(x) = x^n * M(x) + R(x) + R'(x) + A(x) , -# -# where -# -# R'(x) = B(x) % P(x) . -# -# Note that this means that if a new remainder is computed over the -# frame F'(x) (treating F'(x) as the new M(x)), it will be equal to a -# constant. -# -# F'(x) = 0 + R'(x) + A(x) mod P(x) , -# -# then -# -# (F'(x) + x^k * A(x)) * x^n -# -# = ((R'(x) + A(x)) + x^k * A(x)) * x^n mod P(x) -# -# = (x^k * A(x) + A(x) + x^k * A(x)) * x^n mod P(x) -# -# = (0 + A(x)) * x^n mod P(x) -# -# Note that (A(x) * x^n) % P(x) is a constant, and that this result -# depends on B(x) being x^k * A(x). - -use Carp; -use Poly; - -sub new { - my $self = shift; - my $class = ref($self) || $self; - my %args = @_; - $self = {bitsendian => "little"}; - bless $self, $class; - $self->setpoly($args{"Poly"}) if exists $args{"Poly"}; - $self->bitsendian($args{"bitsendian"}) - if exists $args{"bitsendian"}; - $self->{precomp} = $args{precomp} if exists $args{precomp}; - $self->{postcomp} = $args{postcomp} if exists $args{postcomp}; - return $self; -} - -sub setpoly { - my $self = shift; - my($arg) = @_; - croak "need a polynomial" if !$arg->isa("Poly"); - $self->{Poly} = $arg; - return $self; -} - -sub crc { - my $self = shift; - my $msg = Poly->new(@_); - my($order, $r, $precomp); - $order = $self->{Poly}->order; - # B(x) = x^k * precomp - $precomp = $self->{precomp} ? - $self->{precomp} * Poly->powers2poly(scalar(@_)) : Poly->new; - # R(x) = (x^n * M(x)) % P(x) - $r = ($msg * Poly->powers2poly($order)) % $self->{Poly}; - # B(x) % P(x) - $r += $precomp % $self->{Poly}; - $r += $self->{postcomp} if exists $self->{postcomp}; - return $r; -} - -# endianness of bits of each octet -# -# Note that the message is always treated as being sent in big-endian -# octet order. 
-# -# Usually, the message will be treated as bits being little-endian, -# since that is the common case for serial implementations that -# present data in octets; e.g., most UARTs shift octets onto the line -# in little-endian order, and protocols such as ISO 3309, V.42, -# etc. treat individual octets as being sent LSB-first. - -sub bitsendian { - my $self = shift; - my($arg) = @_; - croak "bad bit endianness" if $arg !~ /big|little/; - $self->{bitsendian} = $arg; - return $self; -} - -sub crcstring { - my $self = shift; - my($arg) = @_; - my($packstr, @m); - { - $packstr = "B*", last if $self->{bitsendian} =~ /big/; - $packstr = "b*", last if $self->{bitsendian} =~ /little/; - croak "bad bit endianness"; - }; - @m = split //, unpack $packstr, $arg; - return $self->crc(@m); -} - -1; diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in index c5eba1b10..09feeb50e 100644 --- a/src/lib/crypto/crypto_tests/Makefile.in +++ b/src/lib/crypto/crypto_tests/Makefile.in @@ -16,9 +16,7 @@ EXTRADEPSRCS=\ $(srcdir)/aes-test.c \ $(srcdir)/camellia-test.c \ $(srcdir)/t_cf2.c \ - $(srcdir)/t_cksum.c \ $(srcdir)/t_cksums.c \ - $(srcdir)/t_crc.c \ $(srcdir)/t_mddriver.c \ $(srcdir)/t_kperf.c \ $(srcdir)/t_sha2.c \ @@ -30,15 +28,12 @@ EXTRADEPSRCS=\ ##DOS##BUILDTOP = ..\..\.. -# NOTE: The t_cksum known checksum values are primarily for regression -# testing. They are not derived a priori, but are known to produce -# checksums that interoperate. check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \ - t_cksum4 t_cksum5 t_cksums \ + t_cksums \ aes-test \ camellia-test \ t_mddriver4 t_mddriver \ - t_crc t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \ + t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \ t_combine $(RUN_TEST) ./t_nfold $(RUN_TEST) ./t_encrypt 
@@ -47,10 +42,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \ $(RUN_TEST) ./t_cmac $(RUN_TEST) ./t_hmac $(RUN_TEST) ./t_prf - $(RUN_TEST) ./t_cksum4 "this is a test" e3f76a07f3401e3536b43a3f54226c39422c35682c354835 - $(RUN_TEST) ./t_cksum5 "this is a test" e3f76a07f3401e351143ee6f4c09be1edb4264d55015db53 $(RUN_TEST) ./t_cksums - $(RUN_TEST) ./t_crc $(RUN_TEST) ./t_cts $(RUN_TEST) ./aes-test -k > vk.txt cmp vk.txt $(srcdir)/expect-vk.txt @@ -109,24 +101,9 @@ t_short$(EXEEXT): t_short.$(OBJEXT) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ t_short.$(OBJEXT) \ $(KRB5_BASE_LIBS) -t_cksum4.o: $(srcdir)/t_cksum.c - $(CC) -DMD=4 $(ALL_CFLAGS) -o t_cksum4.o -c $(srcdir)/t_cksum.c - -t_cksum5.o: $(srcdir)/t_cksum.c - $(CC) -DMD=5 $(ALL_CFLAGS) -o t_cksum5.o -c $(srcdir)/t_cksum.c - -t_cksum4: t_cksum4.o $(CRYTPO_DEPLIB) - $(CC_LINK) -o t_cksum4 t_cksum4.o $(KRB5_BASE_LIBS) - -t_cksum5: t_cksum5.o $(CRYPTO_DEPLIB) - $(CC_LINK) -o t_cksum5 t_cksum5.o $(KRB5_BASE_LIBS) - t_cksums: t_cksums.o $(CRYTPO_DEPLIB) $(CC_LINK) -o t_cksums t_cksums.o -lkrb5 $(KRB5_BASE_LIBS) -t_crc: t_crc.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_crc.o $(KRB5_BASE_LIBS) - aes-test: aes-test.$(OBJEXT) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(KRB5_BASE_LIBS) @@ -165,9 +142,9 @@ clean: t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ aes-test.o aes-test vt.txt vk.txt kresults.out \ - t_crc.o t_crc t_cts.o t_cts \ + t_cts.o t_cts \ t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \ - t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o t_cksums t_cksums.o \ + t_cksums t_cksums.o \ t_kperf.o t_kperf t_sha2.o t_sha2 t_short t_short.o t_str2key \ t_str2key.o t_derive t_derive.o t_fork t_fork.o \ t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \ diff --git a/src/lib/crypto/crypto_tests/crc.pl b/src/lib/crypto/crypto_tests/crc.pl deleted file mode 100644 index b21b6b15d..000000000 
--- a/src/lib/crypto/crypto_tests/crc.pl +++ /dev/null 
@@ -1,111 +0,0 @@ -# Copyright 2002 by the Massachusetts Institute of Technology. -# All Rights Reserved. -# -# Export of this software from the United States of America may -# require a specific license from the United States Government. -# It is the responsibility of any person or organization contemplating -# export to obtain such a license before exporting. -# -# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -# distribute this software and its documentation for any purpose and -# without fee is hereby granted, provided that the above copyright -# notice appear in all copies and that both that copyright notice and -# this permission notice appear in supporting documentation, and that -# the name of M.I.T. not be used in advertising or publicity pertaining -# to distribution of the software without specific, written prior -# permission. Furthermore if you modify this software you must label -# your software as modified software and not distribute it in such a -# fashion that it might be confused with the original M.I.T. software. -# M.I.T. makes no representations about the suitability of -# this software for any purpose. It is provided "as is" without express -# or implied warranty. 
- -use CRC; - -print "*** crudely testing polynomial functions ***\n"; - -$x = Poly->new(1,1,1,1); -$y = Poly->new(1,1); -print "x = @{[$x->pretty]}\ny = @{[$y->pretty]}\n"; -$q = $x / $y; -$r = $x % $y; -print $x->pretty, " = (", $y->pretty , ") * (", $q->pretty, - ") + ", $r->pretty, "\n"; -$q = $y / $x; -$r = $y % $x; -print "y / x = @{[$q->pretty]}\ny % x = @{[$r->pretty]}\n"; - -# ISO 3309 32-bit FCS polynomial -$fcs32 = Poly->powers2poly(32,26,23,22,16,12,11,10,8,7,5,4,2,1,0); -print "fcs32 = ", $fcs32->pretty, "\n"; - -$crc = CRC->new(Poly => $fcs32, bitsendian => "little"); - -print "\n"; - -print "*** little endian, no complementation ***\n"; -for ($i = 0; $i < 256; $i++) { - $r = $crc->crcstring(pack "C", $i); - printf ("%02x: ", $i) if !($i % 8); - print ($r->revhex, ($i % 8 == 7) ? "\n" : " "); -} - -print "\n"; - -print "*** little endian, 4 bits, no complementation ***\n"; -for ($i = 0; $i < 16; $i++) { - @m = (split //, unpack "b*", pack "C", $i)[0..3]; - $r = $crc->crc(@m); - printf ("%02x: ", $i) if !($i % 8); - print ($r->revhex, ($i % 8 == 7) ? "\n" : " "); -} - -print "\n"; - -print "*** test vectors for t_crc.c, little endian ***\n"; -for ($i = 1; $i <= 4; $i *=2) { - for ($j = 0; $j < $i * 8; $j++) { - @m = split //, unpack "b*", pack "V", 1 << $j; - splice @m, $i * 8; - $r = $crc->crc(@m); - $m = unpack "H*", pack "b*", join("", @m); - print "{HEX, \"$m\", 0x", $r->revhex, "},\n"; - } -} -@m = ("foo", "test0123456789", - "MASSACHVSETTS INSTITVTE OF TECHNOLOGY"); -foreach $m (@m) { - $r = $crc->crcstring($m); - print "{STR, \"$m\", 0x", $r->revhex, "},\n"; -} -__END__ - -print "*** big endian, no complementation ***\n"; -for ($i = 0; $i < 256; $i++) { - $r = $crc->crcstring(pack "C", $i); - printf ("%02x: ", $i) if !($i % 8); - print ($r->hex, ($i % 8 == 7) ? 
"\n" : " "); -} - -# all ones polynomial of order 31 -$ones = Poly->new((1) x 32); - -print "*** big endian, ISO-3309 style\n"; -$crc = CRC->new(Poly => $fcs32, - bitsendian => "little", - precomp => $ones, - postcomp => $ones); -for ($i = 0; $i < 256; $i++) { - $r = $crc->crcstring(pack "C", $i); - print ($r->hex, ($i % 8 == 7) ? "\n" : " "); -} - -for ($i = 0; $i < 0; $i++) { - $x = Poly->new((1) x 32, (0) x $i); - $y = Poly->new((1) x 32); - $f = ($x % $fcs32) + $y; - $r = (($f + $x) * Poly->powers2poly(32)) % $fcs32; - @out = @$r; - unshift @out, 0 while @out < 32; - print @out, "\n"; -} diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps index 5d94a593d..19fef2582 100644 --- a/src/lib/crypto/crypto_tests/deps +++ b/src/lib/crypto/crypto_tests/deps @@ -140,17 +140,6 @@ $(OUTPRE)camellia-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/socket-utils.h camellia-test.c $(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_cf2.c -$(OUTPRE)t_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - t_cksum.c $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ 
@@ -161,19 +150,6 @@ $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h t_cksums.c -$(OUTPRE)t_crc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ - $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ - $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - t_crc.c $(OUTPRE)t_mddriver.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected index 11a24b800..f8251a16c 100644 --- a/src/lib/crypto/crypto_tests/t_cf2.expected +++ b/src/lib/crypto/crypto_tests/t_cf2.expected @@ -1,6 +1,5 @@ 97df97e4b798b29eb31ed7280287a92a 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b -43bae3738c9467e6 e58f9eb643862c13ad38e529313462a7f73e62834fe54a01 24d7f6b6bae4e5c00d2082c5ebab3672 edd02a39d2dbde31611c16e610be062c diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in index e62ead7d8..73e2f8fbc 100644 
--- a/src/lib/crypto/crypto_tests/t_cf2.in +++ b/src/lib/crypto/crypto_tests/t_cf2.in @@ -8,11 +8,6 @@ key1 key2 a b -1 -key1 -key2 -a -b 16 key1 key2 diff --git a/src/lib/crypto/crypto_tests/t_cksum.c b/src/lib/crypto/crypto_tests/t_cksum.c deleted file mode 100644 index 0edaeb850..000000000 --- a/src/lib/crypto/crypto_tests/t_cksum.c +++ /dev/null 
@@ -1,160 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/crypto_tests/t_cksum.c */ -/* - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* Test checksum and checksum compatability for rsa-md[4,5]-des. 
*/ - -#include "k5-int.h" -#include "k5-hex.h" - -#define MD5_K5BETA_COMPAT -#define MD4_K5BETA_COMPAT - -#if MD == 4 -#define CKTYPE CKSUMTYPE_RSA_MD4_DES -#endif - -#if MD == 5 -#define CKTYPE CKSUMTYPE_RSA_MD5_DES -#endif - -static void -print_checksum(char *text, int number, char *message, krb5_checksum *checksum) -{ - unsigned int i; - - printf("%s MD%d checksum(\"%s\") = ", text, number, message); - for (i=0; ilength; i++) - printf("%02x", (unsigned char) checksum->contents[i]); - printf("\n"); -} - -/* - * Test the checksum verification of Old Style (tm) and correct RSA-MD[4,5]-DES - * checksums. - */ - -krb5_octet testkey[8] = { 0x45, 0x01, 0x49, 0x61, 0x58, 0x19, 0x1a, 0x3d }; - -int -main(argc, argv) - int argc; - char **argv; -{ - int msgindex; - size_t len; - krb5_boolean valid; - krb5_keyblock keyblock; - krb5_key key; - krb5_error_code kret=0; - krb5_data plaintext; - krb5_checksum checksum, knowncksum; - - /* this is a terrible seed, but that's ok for the test. */ - - plaintext.length = 8; - plaintext.data = (char *) testkey; - - krb5_c_random_seed(/* XXX */ 0, &plaintext); - - keyblock.enctype = ENCTYPE_DES_CBC_CRC; - keyblock.length = sizeof(testkey); - keyblock.contents = testkey; - - krb5_k_create_key(NULL, &keyblock, &key); - - for (msgindex = 1; msgindex + 1 < argc; msgindex += 2) { - plaintext.length = strlen(argv[msgindex]); - plaintext.data = argv[msgindex]; - - /* Create a checksum. */ - kret = krb5_k_make_checksum(NULL, CKTYPE, key, 0, &plaintext, - &checksum); - if (kret != 0) { - printf("krb5_calculate_checksum choked with %d\n", kret); - break; - } - print_checksum("correct", MD, argv[msgindex], &checksum); - - /* Verify it. 
*/ - kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum, - &valid); - if (kret != 0) { - printf("verify on new checksum choked with %d\n", kret); - break; - } - if (!valid) { - printf("verify on new checksum failed\n"); - kret = 1; - break; - } - printf("Verify succeeded for \"%s\"\n", argv[msgindex]); - - /* Corrupt the checksum and see if it still verifies. */ - checksum.contents[0]++; - kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum, - &valid); - if (kret != 0) { - printf("verify on new checksum choked with %d\n", kret); - break; - } - if (valid) { - printf("verify on new checksum succeeded, but shouldn't have\n"); - kret = 1; - break; - } - printf("Verify of bad checksum OK for \"%s\"\n", argv[msgindex]); - free(checksum.contents); - - /* Verify a known-good checksum for this plaintext. */ - kret = k5_hex_decode(argv[msgindex + 1], &knowncksum.contents, &len); - if (kret) { - printf("k5_hex_decode failed\n"); - break; - } - knowncksum.length = len; - knowncksum.checksum_type = CKTYPE; - knowncksum.magic = KV5M_CHECKSUM; - kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &knowncksum, - &valid); - if (kret != 0) { - printf("verify on known checksum choked with %d\n", kret); - break; - } - if (!valid) { - printf("verify on known checksum failed\n"); - kret = 1; - break; - } - printf("Verify on known checksum succeeded\n"); - free(knowncksum.contents); - } - if (!kret) - printf("%d tests passed successfully for MD%d checksum\n", (argc-1)/2, MD); - - krb5_k_free_key(NULL, key); - - return(kret); -} diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c index 5afc90ed8..4da14ea43 100644 --- a/src/lib/crypto/crypto_tests/t_cksums.c +++ b/src/lib/crypto/crypto_tests/t_cksums.c 
@@ -27,7 +27,7 @@ /* * This harness tests checksum results against known values. With the -v flag, * results for all tests are displayed. This harness only works for - * deterministic checksums; for rsa-md4-des and rsa-md5-des, see t_cksum.c. + * deterministic checksums. */ #include "k5-int.h" @@ -40,12 +40,6 @@ struct test { krb5_data keybits; krb5_data cksum; } test_cases[] = { - { - { KV5M_DATA, 3, "abc" }, - CKSUMTYPE_CRC32, 0, 0, { KV5M_DATA, 0, "" }, - { KV5M_DATA, 4, - "\xD0\x98\x65\xCA" } - }, { { KV5M_DATA, 3, "one" }, CKSUMTYPE_RSA_MD4, 0, 0, { KV5M_DATA, 0, "" }, diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c index 89219c762..ba0622bcf 100644 --- a/src/lib/crypto/crypto_tests/t_combine.c +++ b/src/lib/crypto/crypto_tests/t_combine.c @@ -32,10 +32,6 @@ #include "k5-int.h" -unsigned char des_key1[] = "\x04\x86\xCD\x97\x61\xDF\xD6\x29"; -unsigned char des_key2[] = "\x1A\x54\x9B\x7F\xDC\x20\x83\x0E"; -unsigned char des_result[] = "\xC2\x13\x01\x52\x89\x26\xC4\xF7"; - unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73" "\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13"; unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A" @@ -48,20 +44,6 @@ main(int argc, char **argv) { krb5_keyblock kb1, kb2, result; - kb1.enctype = ENCTYPE_DES_CBC_CRC; - kb1.contents = des_key1; - kb1.length = 8; - kb2.enctype = ENCTYPE_DES_CBC_CRC; - kb2.contents = des_key2; - kb2.length = 8; - memset(&result, 0, sizeof(result)); - if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0) - abort(); - if (result.enctype != ENCTYPE_DES_CBC_CRC || result.length != 8 || - memcmp(result.contents, des_result, 8) != 0) - abort(); - krb5_free_keyblock_contents(NULL, &result); - kb1.enctype = ENCTYPE_DES3_CBC_SHA1; kb1.contents = des3_key1; kb1.length = 24; diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c deleted file mode 100644 index 8cd1d36cb..000000000 
--- a/src/lib/crypto/crypto_tests/t_crc.c +++ /dev/null 
@@ -1,148 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/crypto_tests/t_crc.c */ -/* - * Copyright 2002,2005 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * Sanity checks for CRC32. 
- */ -#include -#include -#include -#include -#include -#include -#include "crypto_int.h" - -#define HEX 1 -#define STR 2 -struct crc_trial { - int type; - char *data; - unsigned long sum; -}; - -struct crc_trial trials[] = { - {HEX, "01", 0x77073096}, - {HEX, "02", 0xee0e612c}, - {HEX, "04", 0x076dc419}, - {HEX, "08", 0x0edb8832}, - {HEX, "10", 0x1db71064}, - {HEX, "20", 0x3b6e20c8}, - {HEX, "40", 0x76dc4190}, - {HEX, "80", 0xedb88320}, - {HEX, "0100", 0x191b3141}, - {HEX, "0200", 0x32366282}, - {HEX, "0400", 0x646cc504}, - {HEX, "0800", 0xc8d98a08}, - {HEX, "1000", 0x4ac21251}, - {HEX, "2000", 0x958424a2}, - {HEX, "4000", 0xf0794f05}, - {HEX, "8000", 0x3b83984b}, - {HEX, "0001", 0x77073096}, - {HEX, "0002", 0xee0e612c}, - {HEX, "0004", 0x076dc419}, - {HEX, "0008", 0x0edb8832}, - {HEX, "0010", 0x1db71064}, - {HEX, "0020", 0x3b6e20c8}, - {HEX, "0040", 0x76dc4190}, - {HEX, "0080", 0xedb88320}, - {HEX, "01000000", 0xb8bc6765}, - {HEX, "02000000", 0xaa09c88b}, - {HEX, "04000000", 0x8f629757}, - {HEX, "08000000", 0xc5b428ef}, - {HEX, "10000000", 0x5019579f}, - {HEX, "20000000", 0xa032af3e}, - {HEX, "40000000", 0x9b14583d}, - {HEX, "80000000", 0xed59b63b}, - {HEX, "00010000", 0x01c26a37}, - {HEX, "00020000", 0x0384d46e}, - {HEX, "00040000", 0x0709a8dc}, - {HEX, "00080000", 0x0e1351b8}, - {HEX, "00100000", 0x1c26a370}, - {HEX, "00200000", 0x384d46e0}, - {HEX, "00400000", 0x709a8dc0}, - {HEX, "00800000", 0xe1351b80}, - {HEX, "00000100", 0x191b3141}, - {HEX, "00000200", 0x32366282}, - {HEX, "00000400", 0x646cc504}, - {HEX, "00000800", 0xc8d98a08}, - {HEX, "00001000", 0x4ac21251}, - {HEX, "00002000", 0x958424a2}, - {HEX, "00004000", 0xf0794f05}, - {HEX, "00008000", 0x3b83984b}, - {HEX, "00000001", 0x77073096}, - {HEX, "00000002", 0xee0e612c}, - {HEX, "00000004", 0x076dc419}, - {HEX, "00000008", 0x0edb8832}, - {HEX, "00000010", 0x1db71064}, - {HEX, "00000020", 0x3b6e20c8}, - {HEX, "00000040", 0x76dc4190}, - {HEX, "00000080", 0xedb88320}, - {STR, "foo", 0x7332bc33}, - {STR, 
"test0123456789", 0xb83e88d6}, - {STR, "MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 0xe34180f7} -}; - -#define NTRIALS (sizeof(trials) / sizeof(trials[0])) - - -int -main(void) -{ - unsigned int i; - struct crc_trial trial; - uint8_t *bytes; - size_t len; - unsigned long cksum; - char *typestr; - - for (i = 0; i < NTRIALS; i++) { - trial = trials[i]; - switch (trial.type) { - case STR: - len = strlen(trial.data); - typestr = "STR"; - cksum = 0; - mit_crc32(trial.data, len, &cksum); - break; - case HEX: - typestr = "HEX"; - if (k5_hex_decode(trial.data, &bytes, &len) != 0) - abort(); - cksum = 0; - mit_crc32(bytes, len, &cksum); - free(bytes); - break; - default: - typestr = "BOGUS"; - fprintf(stderr, "bad trial type %d\n", trial.type); - exit(1); - } - printf("%s: %s \"%s\" = 0x%08lx\n", - (trial.sum == cksum) ? "OK" : "***BAD***", - typestr, trial.data, cksum); - } - exit(0); -} diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c index 4ae0256cc..a40a85500 100644 --- a/src/lib/crypto/crypto_tests/t_decrypt.c +++ b/src/lib/crypto/crypto_tests/t_decrypt.c 
@@ -39,151 +39,6 @@ struct test { krb5_data keybits; krb5_data ciphertext; } test_cases[] = { - { - ENCTYPE_DES_CBC_CRC, - { KV5M_DATA, 0, "" }, 0, - { KV5M_DATA, 8, - "\x45\xE6\x08\x7C\xDF\x13\x8F\xB5" }, - { KV5M_DATA, 16, - "\x28\xF6\xB0\x9A\x01\x2B\xCC\xF7\x2F\xB0\x51\x22\xB2\x83\x9E\x6E" } - }, - { - ENCTYPE_DES_CBC_CRC, - { KV5M_DATA, 1, "1" }, 1, - { KV5M_DATA, 8, - "\x92\xA7\x15\x58\x10\x58\x6B\x2F" }, - { KV5M_DATA, 16, - "\xB4\xC8\x71\xC2\xF3\xE7\xBF\x76\x05\xEF\xD6\x2F\x2E\xEE\xC2\x05" } - }, - { - ENCTYPE_DES_CBC_CRC, - { KV5M_DATA, 9, "9 bytesss" }, 2, - { KV5M_DATA, 8, - "\xA4\xB9\x51\x4A\x61\x64\x64\x23" }, - { KV5M_DATA, 24, - "\x5F\x14\xC3\x51\x78\xD3\x3D\x7C\xDE\x0E\xC1\x69\xC6\x23\xCC\x83" - "\x21\xB7\xB8\xBD\x34\xEA\x7E\xFE" } - }, - { - ENCTYPE_DES_CBC_CRC, - { KV5M_DATA, 13, "13 bytes byte", }, 3, - { KV5M_DATA, 8, - "\x2F\x16\xA2\xA7\xFD\xB0\x57\x68" }, - { KV5M_DATA, 32, - "\x0B\x58\x8E\x38\xD9\x71\x43\x3C\x9D\x86\xD8\xBA\xEB\xF6\x3E\x4C" - "\x1A\x01\x66\x6E\x76\xD8\xA5\x4A\x32\x93\xF7\x26\x79\xED\x88\xC9" } - }, - { - ENCTYPE_DES_CBC_CRC, - { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, - { KV5M_DATA, 8, - "\xBC\x8F\x70\xFD\x20\x97\xD6\x7C" }, - { KV5M_DATA, 48, - "\x38\xD6\x32\xD2\xC2\x0A\x7C\x2E\xA2\x50\xFC\x8E\xCE\x42\x93\x8E" - "\x92\xA9\xF5\xD3\x02\x50\x26\x65\xC1\xA3\x37\x29\xC1\x05\x0D\xC2" - "\x05\x62\x98\xFB\xFB\x16\x82\xCE\xEB\x65\xE5\x92\x04\xFD\xA7\xDF" } - }, - - { - ENCTYPE_DES_CBC_MD4, - { KV5M_DATA, 0, "", }, 0, - { KV5M_DATA, 8, - "\x13\xEF\x45\xD0\xD6\xD9\xA1\x5D" }, - { KV5M_DATA, 24, - "\x1F\xB2\x02\xBF\x07\xAF\x30\x47\xFB\x78\x01\xE5\x88\x56\x86\x86" - "\xBA\x63\xD7\x8B\xE3\xE8\x7D\xC7" } - }, - { - ENCTYPE_DES_CBC_MD4, - { KV5M_DATA, 1, "1", }, 1, - { KV5M_DATA, 8, - "\x64\x68\x86\x54\xDC\x26\x9E\x67" }, - { KV5M_DATA, 32, - "\x1F\x6C\xB9\xCE\xCB\x73\xF7\x55\xAB\xFD\xB3\xD5\x65\xBD\x31\xD5" - "\xA2\xE6\x4B\xFE\x44\xC4\x91\xE2\x0E\xEB\xE5\xBD\x20\xE4\xD2\xA9" } - }, - { - ENCTYPE_DES_CBC_MD4, - { KV5M_DATA, 9, 
"9 bytesss", }, 2, - { KV5M_DATA, 8, - "\x68\x04\xFB\x26\xDF\x8A\x4C\x32" }, - { KV5M_DATA, 40, - "\x08\xA5\x3D\x62\xFE\xC3\x33\x8A\xD1\xD2\x18\xE6\x0D\xBD\xD3\xB2" - "\x12\x94\x06\x79\xD1\x25\xE0\x62\x1B\x3B\xAB\x46\x80\xCE\x03\x67" - "\x6A\x2C\x42\x0E\x9B\xE7\x84\xEB" } - }, - { - ENCTYPE_DES_CBC_MD4, - { KV5M_DATA, 13, "13 bytes byte", }, 3, - { KV5M_DATA, 8, - "\x23\x4A\x43\x6E\xC7\x2F\xA8\x0B" }, - { KV5M_DATA, 40, - "\x17\xCD\x45\xE1\x4F\xF0\x6B\x28\x40\xA6\x03\x6E\x9A\xA7\xA4\x14" - "\x4E\x29\x76\x81\x44\xA0\xC1\x82\x7D\x8C\x4B\xC7\xC9\x90\x6E\x72" - "\xCD\x4D\xC3\x28\xF6\x64\x8C\x99" } - }, - { - ENCTYPE_DES_CBC_MD4, - { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, - { KV5M_DATA, 8, - "\x1F\xD5\xF7\x43\x34\xC4\xFB\x8C" }, - { KV5M_DATA, 56, - "\x51\x13\x4C\xD8\x95\x1E\x9D\x57\xC0\xA3\x60\x53\xE0\x4C\xE0\x3E" - "\xCB\x84\x22\x48\x8F\xDD\xC5\xC0\x74\xC4\xD8\x5E\x60\xA2\xAE\x42" - "\x3C\x3C\x70\x12\x01\x31\x4F\x36\x2C\xB0\x74\x48\x09\x16\x79\xC6" - "\xA4\x96\xC1\x1D\x7B\x93\xC7\x1B" } - }, - - { - ENCTYPE_DES_CBC_MD5, - { KV5M_DATA, 0, "", }, 0, - { KV5M_DATA, 8, - "\x4A\x54\x5E\x0B\xF7\xA2\x26\x31" }, - { KV5M_DATA, 24, - "\x78\x4C\xD8\x15\x91\xA0\x34\xBE\x82\x55\x6F\x56\xDC\xA3\x22\x4B" - "\x62\xD9\x95\x6F\xA9\x0B\x1B\x93" } - }, - { - ENCTYPE_DES_CBC_MD5, - { KV5M_DATA, 1, "1", }, 1, - { KV5M_DATA, 8, - "\xD5\x80\x4A\x26\x9D\xC4\xE6\x45" }, - { KV5M_DATA, 32, - "\xFF\xA2\x5C\x7B\xE2\x87\x59\x6B\xFE\x58\x12\x6E\x90\xAA\xA0\xF1" - "\x2D\x9A\x82\xA0\xD8\x6D\xF6\xD5\xF9\x07\x4B\x6B\x39\x9E\x7F\xF1" } - }, - { - ENCTYPE_DES_CBC_MD5, - { KV5M_DATA, 9, "9 bytesss", }, 2, - { KV5M_DATA, 8, - "\xC8\x31\x2F\x7F\x83\xEA\x46\x40" }, - { KV5M_DATA, 40, - "\xE7\x85\x03\x37\xF2\xCC\x5E\x3F\x35\xCE\x3D\x69\xE2\xC3\x29\x86" - "\x38\xA7\xAA\x44\xB8\x78\x03\x1E\x39\x85\x1E\x47\xC1\x5B\x5D\x0E" - "\xE7\xE7\xAC\x54\xDE\x11\x1D\x80" } - }, - { - ENCTYPE_DES_CBC_MD5, - { KV5M_DATA, 13, "13 bytes byte", }, 3, - { KV5M_DATA, 8, - "\x7F\xDA\x3E\x62\xAD\x8A\xF1\x8C" }, - { 
KV5M_DATA, 40, - "\xD7\xA8\x03\x2E\x19\x99\x4C\x92\x87\x77\x50\x65\x95\xFB\xDA\x98" - "\x83\x15\x8A\x85\x14\x54\x8E\x29\x6E\x91\x1C\x29\xF4\x65\xC6\x72" - "\x36\x60\x00\x55\x8B\xFC\x2E\x88" } - }, - { - ENCTYPE_DES_CBC_MD5, - { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, - { KV5M_DATA, 8, - "\xD3\xD6\x83\x29\x70\xA7\x37\x52" }, - { KV5M_DATA, 56, - "\x8A\x48\x16\x6A\x4C\x6F\xEA\xE6\x07\xA8\xCF\x68\xB3\x81\xC0\x75" - "\x5E\x40\x2B\x19\xDB\xC0\xF8\x1A\x7D\x7C\xA1\x9A\x25\xE0\x52\x23" - "\xF6\x06\x44\x09\xBF\x5A\x4F\x50\xAC\xD8\x26\x63\x9F\xFA\x76\x73" - "\xFD\x32\x4E\xC1\x9E\x42\x95\x02" } - }, - { ENCTYPE_DES3_CBC_SHA1, { KV5M_DATA, 0, "", }, 0, @@ -669,9 +524,6 @@ printhex(const char *head, void *data, size_t len) static krb5_enctype enctypes[] = { - ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD4, - ENCTYPE_DES_CBC_MD5, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c index 4afbddedb..bd9b94691 100644 --- a/src/lib/crypto/crypto_tests/t_encrypt.c +++ b/src/lib/crypto/crypto_tests/t_encrypt.c @@ -37,9 +37,6 @@ /* What enctypes should we test?*/ krb5_enctype interesting_enctypes[] = { - ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD4, - ENCTYPE_DES_CBC_MD5, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c index 40fa2821f..d4c2b97df 100644 --- a/src/lib/crypto/crypto_tests/t_short.c +++ b/src/lib/crypto/crypto_tests/t_short.c @@ -34,9 +34,6 @@ #include "k5-int.h" krb5_enctype interesting_enctypes[] = { - ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD4, - ENCTYPE_DES_CBC_MD5, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c index 27896e61e..cdb1acc6d 100644 --- a/src/lib/crypto/crypto_tests/t_str2key.c 
+++ b/src/lib/crypto/crypto_tests/t_str2key.c 
@@ -35,280 +35,6 @@ struct test { krb5_error_code expected_err; krb5_boolean allow_weak; } test_cases[] = { - /* AFS string-to-key tests from old t_afss2k.c. */ - { - ENCTYPE_DES_CBC_CRC, - "", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xA4\xD0\xD0\x9B\x86\x92\xB0\xC2" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "M", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xF1\xF2\x9E\xAB\xD0\xEF\xDF\x73" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xD6\x85\x61\xC4\xF2\x94\xF4\xA1" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My ", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xD0\xE3\xA7\x83\x94\x61\xE0\xD0" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My P", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xD5\x62\xCD\x94\x61\xCB\x97\xDF" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Pa", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x9E\xA2\xA2\xEC\xA8\x8C\x6B\x8F" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Pas", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xE3\x91\x6D\xD3\x85\xF1\x67\xC4" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Pass", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xF4\xC4\x73\xC8\x8A\xE9\x94\x6D" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Passw", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xA1\x9E\xB3\xAD\x6B\xE3\xAB\xD9" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Passwo", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xAD\xA1\xCE\x10\x37\x83\xA7\x8C" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Passwor", - { KV5M_DATA, 15, 
"Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xD3\x01\xD0\xF7\x3E\x7A\x49\x0B" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Password", - { KV5M_DATA, 15, "Sodium Chloride" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xB6\x2A\x4A\xEC\x9D\x4C\x68\xDF" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x61\xEF\xE6\x83\xE5\x8A\x6B\x98" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "M", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x68\xCD\x68\xAD\xC4\x86\xCD\xE5" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x83\xA1\xC8\x86\x8F\x67\xD0\x62" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My ", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x9E\xC7\x8F\xA4\xA4\xB3\xE0\xD5" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My P", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xD9\x92\x86\x8F\x9D\x8C\x85\xE6" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Pa", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xDA\xF2\x92\x83\xF4\x9B\xA7\xAD" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Pas", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x91\xCD\xAD\xEF\x86\xDF\xD3\xA2" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Pass", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x73\xD3\x67\x68\x8F\x6E\xE3\x73" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Passw", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xC4\x61\x85\x9D\xAD\xF4\xDC\xB0" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Passwo", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\xE9\x02\x83\x16\x2C\xEC\xE0\x08" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My 
Passwor", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x61\xC8\x26\x29\xD9\x73\x6E\xB6" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "My Password", - { KV5M_DATA, 4, "NaCl" }, - { KV5M_DATA, 1, "\1" }, - { KV5M_DATA, 8, "\x8C\xA8\x9E\xC4\xA8\xDC\x31\x73" }, - 0, - FALSE - }, - - /* Test vectors from RFC 3961 appendix A.2. */ - { - ENCTYPE_DES_CBC_CRC, - "password", - { KV5M_DATA, 21, "ATHENA.MIT.EDUraeburn" }, - { KV5M_DATA, 1, "\0" }, - { KV5M_DATA, 8, "\xCB\xC2\x2F\xAE\x23\x52\x98\xE3" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "potatoe", - { KV5M_DATA, 19, "WHITEHOUSE.GOVdanny" }, - { KV5M_DATA, 1, "\0" }, - { KV5M_DATA, 8, "\xDF\x3D\x32\xA7\x4F\xD9\x2A\x01" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "\xF0\x9D\x84\x9E", - { KV5M_DATA, 18, "EXAMPLE.COMpianist" }, - { KV5M_DATA, 1, "\0" }, - { KV5M_DATA, 8, "\x4F\xFB\x26\xBA\xB0\xCD\x94\x13" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "\xC3\x9F", - { KV5M_DATA, 23, "ATHENA.MIT.EDUJuri\xC5\xA1\x69\xC4\x87" }, - { KV5M_DATA, 1, "\0" }, - { KV5M_DATA, 8, "\x62\xC8\x1A\x52\x32\xB5\xE6\x9D" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "11119999", - { KV5M_DATA, 8, "AAAAAAAA" }, - { KV5M_DATA, 1, "\0" }, - { KV5M_DATA, 8, "\x98\x40\x54\xd0\xf1\xa7\x3e\x31" }, - 0, - FALSE - }, - { - ENCTYPE_DES_CBC_CRC, - "NNNN6666", - { KV5M_DATA, 8, "FFFFAAAA" }, - { KV5M_DATA, 1, "\0" }, - { KV5M_DATA, 8, "\xC4\xBF\x6B\x25\xAD\xF7\xA4\xF8" }, - 0, - FALSE - }, - /* Test vectors from RFC 3961 appendix A.4. */ { ENCTYPE_DES3_CBC_SHA1, diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c index c1a765732..bcf5c9106 100644 --- a/src/lib/crypto/crypto_tests/vectors.c +++ b/src/lib/crypto/crypto_tests/vectors.c 
@@ -30,7 +30,8 @@ * * N.B.: Doesn't compile -- this file uses some routines internal to our * crypto library which are declared "static" and thus aren't accessible - * without modifying the other sources. + * without modifying the other sources. Additionally, some ciphers have been + * removed. */ #include diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp index db899a1dc..740425c69 100644 --- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp +++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp @@ -18,8 +18,8 @@ proc test200 {} { # I'd like to specify a long list of keysalt tuples and make sure # that chpass does the right thing, but we can only use those - # enctypes that krbtgt has a key for: des-cbc-crc:normal - # according to the prototype kdc.conf. + # enctypes that krbtgt has a key for: the AES enctypes, according to + # the prototype kdc.conf. if {! [cmd [format { kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ @@ -53,10 +53,10 @@ proc test200 {} { } # XXX Perhaps I should actually check the key type returned. - if {$num_keys == 2} { + if {$num_keys == 5} { pass "$test" } else { - fail "$test: $num_keys keys, should be 2" + fail "$test: $num_keys keys, should be 5" } if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp index 8526897ed..3ea1ba29b 100644 --- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp +++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp @@ -143,8 +143,8 @@ proc test101_102 {rpc} { } set failed 0 - if {$num_keys != 2} { - fail "$test: num_keys $num_keys should be 2" + if {$num_keys != 5} { + fail "$test: num_keys $num_keys should be 5" set failed 1 } for {set i 0} {$i < $num_keys} {incr i} { 
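Review bot: The rewritten comment in test200 says krbtgt has keys for "the AES enctypes", while the matching comment this commit writes in randkey-principal-v2.exp test100 says "3DES and AES"; both cite the prototype kdc.conf, so one of them is presumably inaccurate and the two should be aligned with that file. The new expected count in `if {$num_keys == 5}` (repeated in get-principal-v2.exp test101_102 and randkey-principal-v2.exp test100) is a bare number tied to that configuration, so I would add a comment such as `# 5 == number of key/salt tuples configured in the prototype kdc.conf`. As the existing XXX line admits, only the count is checked, so these tests would still pass if a weak enctype replaced a strong one in that list. The test procs start and end outside the hunks.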
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp index ee652cbd3..2925c1c43 100644 --- a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp +++ b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp @@ -16,10 +16,9 @@ proc test100 {} { return } - # I'd like to specify a long list of keysalt tuples and make sure - # that randkey does the right thing, but we can only use those - # enctypes that krbtgt has a key for: des-cbc-crc:normal and - # des-cbc-crc:v4, according to the prototype kdc.conf. + # I'd like to specify a long list of keysalt tuples and make sure that + # randkey does the right thing, but we can only use those enctypes that + # krbtgt has a key for: 3DES and AES, according to the prototype kdc.conf. if {! [cmd [format { kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ @@ -47,10 +46,10 @@ proc test100 {} { } # XXX Perhaps I should actually check the key type returned. - if {$num_keys == 2} { + if {$num_keys == 5} { pass "$test" } else { - fail "$test: $num_keys keys, should be 2" + fail "$test: $num_keys keys, should be 5" } if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c index fa2392f81..8e7df96e9 100644 --- a/src/lib/kadm5/unit-test/setkey-test.c +++ b/src/lib/kadm5/unit-test/setkey-test.c @@ -19,15 +19,15 @@ need a random number generator #endif /* no random */ krb5_keyblock test1[] = { - {0, ENCTYPE_DES_CBC_CRC, 0, 0}, + {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0}, {-1}, }; krb5_keyblock test2[] = { - {0, ENCTYPE_DES_CBC_CRC, 0, 0}, + {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0}, {-1}, }; krb5_keyblock test3[] = { - {0, ENCTYPE_DES_CBC_CRC, 0, 0}, + {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0}, {-1}, }; 
diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c index c845596d6..ea4ce6819 100644 --- a/src/lib/krb5/keytab/t_keytab.c +++ b/src/lib/krb5/keytab/t_keytab.c @@ -96,6 +96,8 @@ kt_test(krb5_context context, const char *name) krb5_principal princ; krb5_kt_cursor cursor, cursor2; int cnt; + krb5_enctype e1 = ENCTYPE_AES128_CTS_HMAC_SHA256_128, + e2 = ENCTYPE_AES256_CTS_HMAC_SHA384_192; kret = krb5_kt_resolve(context, name, &kt); CHECK(kret, "resolve"); @@ -139,9 +141,9 @@ kt_test(krb5_context context, const char *name) /* =================== Add entries to keytab ================= */ /* * Add the following for this principal - * enctype 1, kvno 1, key = "1" - * enctype 2, kvno 1, key = "1" - * enctype 1, kvno 2, key = "2" + * enctype e1, kvno 1, key = "1" + * enctype e2, kvno 1, key = "1" + * enctype e1, kvno 2, key = "2" */ memset(&kent, 0, sizeof(kent)); kent.magic = KV5M_KEYTAB_ENTRY; @@ -149,7 +151,7 @@ kt_test(krb5_context context, const char *name) kent.timestamp = 327689; kent.vno = 1; kent.key.magic = KV5M_KEYBLOCK; - kent.key.enctype = 1; + kent.key.enctype = e1; kent.key.length = 1; kent.key.contents = (krb5_octet *) "1"; @@ -157,11 +159,11 @@ kt_test(krb5_context context, const char *name) kret = krb5_kt_add_entry(context, kt, &kent); CHECK(kret, "Adding initial entry"); - kent.key.enctype = 2; + kent.key.enctype = e2; kret = krb5_kt_add_entry(context, kt, &kent); CHECK(kret, "Adding second entry"); - kent.key.enctype = 1; + kent.key.enctype = e1; kent.vno = 2; kent.key.contents = (krb5_octet *) "2"; kret = krb5_kt_add_entry(context, kt, &kent); 
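Review bot: The entries added under `e1` and `e2` keep `kent.key.length = 1` with contents "1" or "2", so the keytab now holds one-byte blobs labelled as AES128-SHA256 and AES256-SHA384 keys. That is only safe if nothing on this path checks key length against enctype, which the hunks do not show. A comment beside the declaration would make the intent explicit, e.g. `/* Arbitrary non-deprecated enctypes; key contents are dummies, never used for crypto. */`. Neither variable is reassigned in the visible hunks, so declaring them `const krb5_enctype` would document that as well. kt_test() starts and ends outside these hunks.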
@@ -183,7 +185,7 @@ kt_test(krb5_context context, const char *name) cnt = 0; while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) { if(((kent.vno != 1) && (kent.vno != 2)) || - ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || + ((kent.key.enctype != e1) && (kent.key.enctype != e2)) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Error in read contents\n"); @@ -231,7 +233,7 @@ kt_test(krb5_context context, const char *name) /* Ensure a valid answer - we did not specify an enctype or kvno */ if (!krb5_principal_compare(context, princ, kent.principal) || ((kent.vno != 1) && (kent.vno != 2)) || - ((kent.key.enctype != 1) && (kent.key.enctype != 2)) || + ((kent.key.enctype != e1) && (kent.key.enctype != e2)) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); @@ -243,12 +245,12 @@ kt_test(krb5_context context, const char *name) /* Try to lookup a specific enctype - but unspecified kvno - should give * max kvno */ - kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); + kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - we did specified an enctype */ if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 2) || (kent.key.enctype != 1) || + (kent.vno != 2) || (kent.key.enctype != e1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); @@ -266,7 +268,7 @@ kt_test(krb5_context context, const char *name) /* Ensure a valid answer - we did not specify a kvno */ if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 2) || (kent.key.enctype != 1) || + (kent.vno != 2) || (kent.key.enctype != e1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); 
@@ -281,11 +283,11 @@ kt_test(krb5_context context, const char *name) /* Try to lookup specified enctype and kvno */ - kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent); + kret = krb5_kt_get_entry(context, kt, princ, 1, e1, &kent); CHECK(kret, "looking up principal"); if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 1) || (kent.key.enctype != 1) || + (kent.vno != 1) || (kent.key.enctype != e1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); @@ -334,7 +336,7 @@ kt_test(krb5_context context, const char *name) /* Try to lookup specified enctype and kvno - that does not exist*/ - kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent); + kret = krb5_kt_get_entry(context, kt, princ, 3, e1, &kent); CHECK_ERR(kret, KRB5_KT_KVNONOTFOUND, "looking up specific principal, kvno, enctype"); @@ -347,12 +349,12 @@ kt_test(krb5_context context, const char *name) kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ); CHECK(kret, "parsing principal"); - kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); + kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent); CHECK(kret, "looking up principal"); - /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */ + /* Ensure a valid answer - we are looking for max(kvno) and enc=e1 */ if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 2) || (kent.key.enctype != 1) || + (kent.vno != 2) || (kent.key.enctype != e1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Retrieved principal does not check\n"); 
@@ -368,12 +370,12 @@ kt_test(krb5_context context, const char *name) krb5_free_keytab_entry_contents(context, &kent); /* And ensure gone */ - kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent); + kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent); CHECK(kret, "looking up principal"); /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */ if (!krb5_principal_compare(context, princ, kent.principal) || - (kent.vno != 1) || (kent.key.enctype != 1) || + (kent.vno != 1) || (kent.key.enctype != e1) || (kent.key.length != 1) || (kent.key.contents[0] != kent.vno +'0')) { fprintf(stderr, "Delete principal check failed\n"); diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c index 317637684..f609e938a 100644 --- a/src/lib/krb5/krb/t_etypes.c +++ b/src/lib/krb5/krb/t_etypes.c @@ -36,20 +36,6 @@ static struct { krb5_error_code expected_err_noweak; krb5_error_code expected_err_weak; } tests[] = { - /* Empty string, unused default list */ - { "", - { ENCTYPE_DES_CBC_CRC, 0 }, - { 0 }, - { 0 }, - 0, 0 - }, - /* Single weak enctype */ - { "des-cbc-md4", - { 0 }, - { 0 }, - { ENCTYPE_DES_CBC_MD4, 0 }, - 0, 0 - }, /* Single non-weak enctype */ { "aes128-cts-hmac-sha1-96", { 0 }, 
@@ -57,35 +43,11 @@ static struct { { ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, 0, 0 }, - /* Two enctypes, one an alias, one weak */ - { "rc4-hmac des-cbc-md5", - { 0 }, - { ENCTYPE_ARCFOUR_HMAC, 0 }, - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, 0 }, - 0, 0 - }, - /* Three enctypes, all weak, case variation, funky separators */ - { " deS-HMac-shA1 , arCFour-hmaC-mD5-exp\tdeS3-Cbc-RAw\n", - { 0 }, - { 0 }, - { ENCTYPE_DES_HMAC_SHA1, ENCTYPE_ARCFOUR_HMAC_EXP, - ENCTYPE_DES3_CBC_RAW, 0 }, - 0, 0 - }, - /* Default set with enctypes added (one weak in each pair) */ - { "DEFAULT des-cbc-raw +des3-hmac-sha1", - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, - ENCTYPE_DES_CBC_RAW, ENCTYPE_DES3_CBC_SHA1, 0 }, - 0, 0 - }, /* Default set with enctypes removed */ { "default -aes128-cts -des-hmac-sha1", - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_HMAC_SHA1, 0 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_MD5, 0 }, 0, 0 }, /* Family followed by enctype */ 
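Review bot: After this change the "default -aes128-cts -des-hmac-sha1" case expects `{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }` in both the no-weak and weak columns, so it no longer shows that allow_weak_crypto changes the result, and the `-des-hmac-sha1` token now subtracts an enctype that is not in the default list. Together with the deleted alias/weak, case-variation and separator cases, the table loses most of its coverage of weak-enctype filtering. Consider keeping one still-supported weak enctype in the defaults so the two expected lists differ, e.g. defaults ending `ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC_EXP, 0 }` and a weak column of `{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC_EXP, 0 }`; the commit already treats that enctype as weak in its KRB5_CONFIG_ETYPE_NOSUPP case. The krb5_set_default_in_tkt_ktypes case in the `@@ -158,17 +111,17 @@` hunk has the same problem, with all three lists now identical. The tests[] array begins and ends outside the hunk.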
@@ -105,31 +67,22 @@ static struct { { ENCTYPE_CAMELLIA128_CTS_CMAC, 0 }, { ENCTYPE_CAMELLIA128_CTS_CMAC, 0 } }, - /* Enctype followed by two families */ - { "+rc4-hmAC des3 +des", - { 0 }, - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4 }, - 0, 0 - }, /* Default set with family added and enctype removed */ { "DEFAULT +aes -arcfour-hmac-md5", - { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 }, + { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 }, - { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, + { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 }, 0, 0 }, /* Default set with families removed and enctypes added (one redundant) */ - { "DEFAULT -des -des3 rc4-hmac rc4-hmac-exp", + { "DEFAULT -des3 rc4-hmac rc4-hmac-exp", { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, - ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, 0 }, + ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, 0 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 
@@ -158,17 +111,17 @@ static struct { }, /* Test krb5_set_default_in_tkt_ktypes */ { NULL, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, 0, 0 }, /* Should get KRB5_CONFIG_ETYPE_NOSUPP if app-provided list has no strong * enctypes and allow_weak_crypto=false. */ { NULL, - { ENCTYPE_DES_CBC_CRC, 0 }, + { ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, { 0 }, - { ENCTYPE_DES_CBC_CRC, 0 }, + { ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, KRB5_CONFIG_ETYPE_NOSUPP, 0 }, /* Should get EINVAL if app provides an empty list. */ diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c index 1d6cceaa2..f1a8c2553 100644 --- a/src/lib/krb5/krb/t_ser.c +++ b/src/lib/krb5/krb/t_ser.c @@ -272,7 +272,7 @@ ser_acontext_test(krb5_context kcontext, int verbose) KV5M_AUTH_CONTEXT))) { memset(&ukeyblock, 0, sizeof(ukeyblock)); memset(keydata, 0, sizeof(keydata)); - ukeyblock.enctype = ENCTYPE_DES_CBC_MD5; + ukeyblock.enctype = ENCTYPE_AES128_CTS_HMAC_SHA256_128; ukeyblock.length = sizeof(keydata); ukeyblock.contents = keydata; keydata[0] = 0xde; diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c index 5aea68e8d..10ba8d0ac 100644 --- a/src/lib/krb5/os/t_trace.c +++ b/src/lib/krb5/os/t_trace.c @@ -204,7 +204,7 @@ main (int argc, char *argv[]) padatap = NULL; TRACE(ctx, "krb5_enctype, display shortest name of enctype: {etype}", - ENCTYPE_DES_CBC_CRC); + ENCTYPE_AES128_CTS_HMAC_SHA1_96); TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", enctypes); TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", NULL); diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref index bd5d9b6b6..044a66999 100644 --- a/src/lib/krb5/os/t_trace.ref +++ b/src/lib/krb5/os/t_trace.ref 
@@ -40,7 +40,7 @@ int, krb5_principal type: NT 4 style name and SID int, krb5_principal type: ? krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0 krb5_pa_data **, display list of padata type numbers: (empty) -krb5_enctype, display shortest name of enctype: des-cbc-crc +krb5_enctype, display shortest name of enctype: aes128-cts krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511 krb5_enctype *, display list of enctypes: (empty) krb5_ccache, display type:name: FILE:/path/to/ccache diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c index 6bf6e54ac..258377299 100644 --- a/src/tests/asn.1/ktest.c +++ b/src/tests/asn.1/ktest.c @@ -893,7 +893,7 @@ ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p) void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p) { - p->enctype = ENCTYPE_DES_CBC_CRC; + p->enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; ktest_make_sample_data(&p->as_req); ktest_make_sample_data(&p->pk_as_rep); } diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out index 3b0f7190a..55a60bbef 100644 --- a/src/tests/asn.1/pkinit_encode.out +++ b/src/tests/asn.1/pkinit_encode.out 
@@ -10,4 +10,4 @@ encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 -encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 01 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 +encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out index f9edbe154..9557188a8 100644 --- a/src/tests/asn.1/pkinit_trval.out +++ b/src/tests/asn.1/pkinit_trval.out @@ -145,6 +145,6 @@ encode_krb5_sp80056a_other_info: encode_krb5_pkinit_supp_pub_info: [Sequence/Sequence Of] -. [0] [Integer] 1 +. [0] [Integer] 20 . [1] [Octet String] "krb5data" . [2] [Octet String] "krb5data" diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index c061d764e..e8adee234 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp 
@@ -16,21 +16,6 @@ set stty_init {erase \^h kill \^u} set env(TERM) dumb set des3_krbtgt 0 -set tgt_support_desmd5 0 - -# The names of the individual passes must be unique; lots of things -# depend on it. The PASSES variable may not contain comments; only -# small pieces get evaluated, so comments will do strange things. - -# Most of the purpose of using multiple passes is to exercise the -# dependency of various bugs on configuration file settings, -# particularly with regards to encryption types. - -# The des.no-kdc-md5 pass will fail if the KDC does not constrain -# session key enctypes to those in its permitted_enctypes list. It -# works by assuming enctype similarity, thus allowing the client to -# request a des-cbc-md4 session key. Since only des-cbc-crc is in the -# KDC's permitted_enctypes list, the TGT will be unusable. if { [string length $VALGRIND] } { rename spawn valgrind_aux_spawn 
@@ -111,47 +96,21 @@ if { $PRIOCNTL_HACK } { } } -# The des.des3-tgt.no-kdc-des3 pass will fail if the KDC doesn't -# constrain ticket key enctypes to those in permitted_enctypes. It -# does this by not putting des3 in the permitted_enctypes, while -# creating a TGT princpal that has a des3 key as well as a des key. +# The names of the individual passes must be unique; lots of things +# depend on it. The PASSES variable may not contain comments; only +# small pieces get evaluated, so comments will do strange things. -# XXX -- master_key_type is fragile w.r.t. permitted_enctypes; it is -# possible to configure things such that you have a master_key_type -# that is not permitted, and the error message used to be cryptic. +# Most of the purpose of using multiple passes is to exercise the +# dependency of various bugs on configuration file settings, +# particularly with regards to encryption types. set passes { - { - des - mode=udp - des3_krbtgt=0 - {supported_enctypes=des-cbc-crc:normal} - {dummy=[verbose -log "DES TGT, DES enctype"]} - } - { - des.des3tgt - mode=udp - des3_krbtgt=1 - {supported_enctypes=des-cbc-crc:normal} - {dummy=[verbose -log "DES3 TGT, DES enctype"]} - } { des3 mode=udp des3_krbtgt=1 - {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} - {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]} - } - { - aes-des - mode=udp - des3_krbtgt=0 - {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal} - {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc} - {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc} - {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc} - {master_key_type=aes256-cts-hmac-sha1-96} - {dummy=[verbose -log "AES + DES enctypes"]} + {supported_enctypes=des3-cbc-sha1:normal} + {dummy=[verbose -log "DES3 TGT, DES3 enctype"]} } { aes-only 
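Review bot: The removed comment block also drops the `# XXX -- master_key_type is fragile w.r.t. permitted_enctypes` caveat, which is not DES-specific. The aes-des3 and aes-des3tgt passes further down still set both `master_key_type` and `permitted_enctypes(kdc)`. I would keep that XXX paragraph next to `set passes`, so whoever edits the remaining passes still sees the warning about configuring a master_key_type that is not permitted. The `set passes` list continues outside this hunk.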
@@ -220,10 +179,10 @@ set passes { aes-des3 mode=udp des3_krbtgt=0 - {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} - {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} - {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} - {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} {master_key_type=aes256-cts-hmac-sha1-96} {dummy=[verbose -log "AES + DES3 + DES enctypes"]} } @@ -231,12 +190,12 @@ set passes { aes-des3tgt mode=udp des3_krbtgt=1 - {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} - {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} - {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} - {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} {master_key_type=aes256-cts-hmac-sha1-96} - {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]} + {dummy=[verbose -log "AES enctypes, DES3 TGT"]} } { all-enctypes 
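Review bot: The `aes-des3` pass still logs `"AES + DES3 + DES enctypes"` (the unchanged context line that closes the first hunk) although `des-cbc-crc` has been dropped from its `supported_enctypes` and from all three `permitted_enctypes` lists; the label should become `{dummy=[verbose -log "AES + DES3 enctypes"]}`. The `aes-des3tgt` hunk that follows has the opposite slip: its new label `"AES enctypes, DES3 TGT"` omits des3-cbc-sha1, which that pass still lists, so `"AES + DES3 enctypes, DES3 TGT"` would match the configuration. These labels are what someone reading the test log uses to tell which enctype set a failure belongs to. Both pass entries open outside their hunks.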
@@ -248,115 +207,8 @@ set passes { {allow_weak_crypto(server)=false} {dummy=[verbose -log "all default enctypes"]} } - { - des.no-kdc-md5 - mode=udp - des3_krbtgt=0 - tgt_support_desmd5=0 - {permitted_enctypes(kdc)=des-cbc-crc} - {default_tgs_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc} - {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc} - {supported_enctypes=des-cbc-crc:normal} - {master_key_type=des-cbc-crc} - {dummy=[verbose -log \ - "DES TGT, KDC permitting only des-cbc-crc"]} - } - { - des.des3-tgt.no-kdc-des3 - mode=udp - tgt_support_desmd5=0 - {permitted_enctypes(kdc)=des-cbc-crc} - {default_tgs_enctypes(client)=des-cbc-crc} - {default_tkt_enctypes(client)=des-cbc-crc} - {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} - {master_key_type=des-cbc-crc} - {dummy=[verbose -log \ - "DES3 TGT, KDC permitting only des-cbc-crc"]} - } } -# des.md5-tgt is set as unused, since it won't trigger the error case -# if SUPPORT_DESMD5 isn't honored. - -# The des.md5-tgt pass will fail if enctype similarity is inconsisent; -# between 1.0.x and 1.1, the decrypt functions became more strict -# about matching enctypes, while the KDB retrieval functions didn't -# coerce the enctype to match what was requested. It works by setting -# SUPPORT_DESMD5 on the TGT principal, forcing an enctype of -# des-cbc-md5 on the TGT key. Since the database only contains a -# des-cbc-crc key, the decrypt will fail if enctypes are not coerced. - -# des.no-kdc-md5.client-md4-skey is retained in unsed_passes, even -# though des.no-kdc-md5 is roughly equivalent, since the associated -# comment needs additional investigation at some point re the kadmin -# client. - -# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to -# the KDC issuing session keys that it won't accept. 
It will also -# fail for a kadmin client, but for different reasons, since the kadm5 -# library does some curious filtering of enctypes, and also uses -# get_in_tkt() rather than get_init_creds(); the former does an -# intersection of the enctypes provided by the caller and those listed -# in the config file! - -set unused_passes { - { - des.md5-tgt - des3_krbtgt=0 - tgt_support_desmd5=1 - supported_enctypes=des-cbc-crc:normal - {permitted_enctypes(kdc)=des-cbc-md5 des-cbc-md4 des-cbc-crc} - {permitted_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc} - {dummy=[verbose -log "DES TGT, SUPPORTS_DESMD5"]} - } - { - des.md5-tgt.no-kdc-md5 - des3_krbtgt=0 - tgt_support_desmd5=1 - {permitted_enctypes(kdc)=des-cbc-crc} - {default_tgs_enctypes(client)=des-cbc-crc} - {default_tkt_enctypes(client)=des-cbc-crc} - {supported_enctypes=des-cbc-crc:normal} - {master_key_type=des-cbc-crc} - {dummy=[verbose -log \ - "DES TGT, SUPPORTS_DESMD5, KDC permitting only des-cbc-crc"]} - } - { - des.no-kdc-md5.client-md4-skey - des3_krbtgt=0 - {permitted_enctypes(kdc)=des-cbc-crc} - {permitted_enctypes(client)=des-cbc-crc des-cbc-md4} - {default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4} - {default_tkt_enctypes(client)=des-cbc-md4} - {supported_enctypes=des-cbc-crc:normal} - {dummy=[verbose -log \ - "DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]} - } - { - all-enctypes - des3_krbtgt=1 - {supported_enctypes=\ - aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \ - aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \ - des3-cbc-sha1:normal des3-cbc-sha1:none \ - des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ - } - {dummy=[verbose -log "DES3 TGT, default enctypes"]} - } - { - aes-tcp - mode=tcp - des3_krbtgt=0 - {supported_enctypes=aes256-cts-hmac-sha1-96:normal} - {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96} - {permitted_enctypes(client)=aes256-cts-hmac-sha1-96} - 
{permitted_enctypes(server)=aes256-cts-hmac-sha1-96} - {master_key_type=aes256-cts-hmac-sha1-96} - {dummy=[verbose -log "AES via TCP"]} - } -} -# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal } - # This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems # to need it because its runtest.exp doesn't deal with PASS at all. if [info exists PASS] { @@ -1095,7 +947,7 @@ proc setup_kerberos_db { standalone } { global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY global tmppwd hostname global spawn_id - global des3_krbtgt tgt_support_desmd5 + global des3_krbtgt global multipass_name last_passname_db set failall 0 @@ -1334,48 +1186,6 @@ proc setup_kerberos_db { standalone } { } } } - if $tgt_support_desmd5 { - # Make TGT support des-cbc-md5 - set test "kadmin.local TGT to SUPPORT_DESMD5" - set body { - if $failall { - break - } - spawn $KADMIN_LOCAL -r $REALMNAME - verbose "starting $test" - expect_after $def_exp_after - - expect "kadmin.local: " - send "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r" - # It echos... - expect "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r" - expect { - "Principal \"krbtgt/$REALMNAME@$REALMNAME\" modified.\r\n" { } - } - expect "kadmin.local: " - send "quit\r" - expect eof - catch expect_after - if ![check_exit_status kadmin_local] { - break - } - } - set ret [catch $body] - catch "expect eof" - catch expect_after - if $ret { - set failall 1 - if $standalone { - fail $test - } else { - delete_db - } - } else { - if $standalone { - pass $test - } - } - } envstack_pop # create the admin database lock file diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c index 2a332a8ae..9876a11e6 100644 --- a/src/tests/gssapi/t_invalid.c +++ b/src/tests/gssapi/t_invalid.c 
@@ -84,17 +84,6 @@ struct test { size_t toklen; const char *token; } tests[] = { - { - ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_RAW, - SEAL_ALG_DES, SGN_ALG_DES_MAC_MD5, 8, - 8, - "\x26\xEC\xBA\xB6\xFE\xBA\x91\xCE", - 53, - "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x00" - "\x00\x00\x00\xFF\xFF\xF0\x0B\x90\x7B\xC4\xFC\xEB\xF4\x84\x9C\x5A" - "\xA8\x56\x41\x3E\xE1\x62\xEE\x38\xD1\x34\x9A\xE3\xFB\xC9\xFD\x0A" - "\xDC\x83\xE1\x4A\xE4" - }, { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW, SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20, @@ -160,8 +149,6 @@ make_fake_context(const struct test *test) gss_union_ctx_id_t uctx; krb5_gss_ctx_id_t kgctx; krb5_keyblock kb; - unsigned char encbuf[8]; - size_t i; kgctx = calloc(1, sizeof(*kgctx)); if (kgctx == NULL) @@ -184,11 +171,6 @@ make_fake_context(const struct test *test) if (krb5_k_create_key(NULL, &kb, &kgctx->seq) != 0) abort(); - if (kb.enctype == ENCTYPE_DES_CBC_RAW) { - for (i = 0; i < 8; i++) - encbuf[i] = kb.contents[i] ^ 0xF0; - kb.contents = encbuf; - } if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0) abort(); @@ -248,7 +230,7 @@ test_bogus_1964_token(gss_ctx_id_t ctx) gss_iov_buffer_desc iov; store_16_be(KG_TOK_SIGN_MSG, tokbuf); - store_16_le(SGN_ALG_DES_MAC_MD5, tokbuf + 2); + store_16_le(SGN_ALG_HMAC_MD5, tokbuf + 2); store_16_le(SEAL_ALG_NONE, tokbuf + 4); store_16_le(0xFFFF, tokbuf + 6); memset(tokbuf + 8, 0, 16); diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c index c40ea434c..7368f752f 100644 --- a/src/tests/gssapi/t_pcontok.c +++ b/src/tests/gssapi/t_pcontok.c @@ -43,7 +43,6 @@ #include "k5-int.h" #include "common.h" -#define SGN_ALG_DES_MAC_MD5 0x00 #define SGN_ALG_HMAC_SHA1_DES3_KD 0x04 #define SGN_ALG_HMAC_MD5 0x11 
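Review bot: In `test_bogus_1964_token` the signing-algorithm field of the malformed token switches to `SGN_ALG_HMAC_MD5` with nothing recording why that value is the right stand-in for the removed DES constant. If the negative test depends on the field holding a recognised algorithm, so that the token is rejected for its contents and not for an unknown id, a comment above the store would say so, e.g. `/* Any still-supported sgn_alg; the token must be rejected for its body, not its algorithm id. */`. This is inferred from the function name and the 0xFFFF filler; the rest of the function lies outside the hunk, so the actual rejection reason should be confirmed before settling the wording.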
@@ -78,11 +77,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out) ret = krb5_k_create_key(context, &seqkb, &seq); check_k5err(context, "krb5_k_create_key", ret); - if (signalg == SGN_ALG_DES_MAC_MD5) { - cktype = CKSUMTYPE_RSA_MD5; - cksize = 8; - ckusage = 0; - } else if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) { + if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) { cktype = CKSUMTYPE_HMAC_SHA1_DES3; cksize = 20; ckusage = 23; @@ -122,15 +117,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out) d = make_data(ptr - 8, 8); ret = krb5_k_make_checksum(context, cktype, seq, ckusage, &d, &cksum); check_k5err(context, "krb5_k_make_checksum", ret); - if (signalg == SGN_ALG_DES_MAC_MD5) { - iov.flags = KRB5_CRYPTO_TYPE_DATA; - iov.data = make_data(cksum.contents, 16); - ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1); - check_k5err(context, "krb5_k_encrypt_iov", ret); - memcpy(ptr + 8, cksum.contents + 8, 8); - } else { - memcpy(ptr + 8, cksum.contents, cksize); - } + memcpy(ptr + 8, cksum.contents, cksize); /* Create the sequence number (8 bytes). */ iov.flags = KRB5_CRYPTO_TYPE_DATA; diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c index 6a698ce0f..f71774cdc 100644 --- a/src/tests/gssapi/t_prf.c +++ b/src/tests/gssapi/t_prf.c @@ -41,13 +41,6 @@ static struct { const char *key2; const char *out2; } tests[] = { - { ENCTYPE_DES_CBC_CRC, - "E607FE9DABB57AE0", - "803C4121379FC4B87CE413B67707C4632EBED2C6D6B7" - "2A55E878836E35E21600D915D590DED5B6D77BB30A1F", - "54758316B6257A75", - "279E4105F7ADC9BD6EF28ABE31D89B442FE0058388BA" - "33264ACB5729562DC637950F6BD144B654BE7700B2D6" }, { ENCTYPE_DES3_CBC_SHA1, "70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2", "9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9" diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py index c21d054f1..2a052fc17 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py 
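Review bot: With the DES branch gone, `memcpy(ptr + 8, cksum.contents, cksize);` in `make_delete_token` runs for every signing algorithm and trusts the hard-coded `cksize` to be no larger than what `krb5_k_make_checksum` returned. A check before the copy, `assert(cksum.length >= cksize);` (or an `abort()` guard if the file does not already pull in assert.h), would make a mismatch fail the test instead of reading past the checksum buffer. The function starts and ends outside both hunks, so the `cksize` assignments for the other algorithms are not visible here.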
@@ -24,7 +24,7 @@ def test_etinfo(princ, enctypes, expected_lines): # With no newer enctypes in the request, PA-ETYPE-INFO2, # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one # key for the most preferred matching enctype. -test_etinfo('user', 'rc4-hmac-exp des3 rc4 des-cbc-crc', +test_etinfo('user', 'rc4-hmac-exp des3 rc4', ['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser', 'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser', 'asrep pw_salt KRBTEST.COMuser']) @@ -37,7 +37,7 @@ test_etinfo('user', 'rc4 aes256-cts', # In preauth-required errors, PA-PW-SALT does not appear, but the same # etype-info2 values are expected. -test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc', +test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4', ['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser', 'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser']) test_etinfo('preauthuser', 'rc4 aes256-cts', diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py index 4af6804f2..2c825a692 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -2,7 +2,7 @@ from k5test import * rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}} -realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal', +realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal', krb5_conf=rollover_krb5_conf) princ1 = 'host/test1@%s' % (realm.realm,) @@ -22,9 +22,9 @@ realm.run([kvno, princ1]) realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) # Make sure an old TGT fails after purging old TGS key. realm.run([kvno, princ2], expected_code=1) -ddes = "DEPRECATED:des-cbc-crc" +et = "aes128-cts-hmac-sha256-128" msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \ - (realm.realm, realm.realm, ddes, ddes) + (realm.realm, realm.realm, et, et) realm.run([klist, '-e'], expected_msg=msg) # Check that new key actually works. diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py index 008efcb03..65084bbf3 100755 --- a/src/tests/t_salt.py 
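Review bot: `rollover_krb5_conf` still sets `allow_weak_crypto` to `'true'` (context line of the first t_keyrollover.py hunk) even though the krbtgt key is now `aes128-cts-hmac-sha256-128`, so the realm runs with weak enctypes enabled for no visible reason. If nothing later in the test needs a weak enctype, drop the override: `realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal')`. The same leftover appears in `conf3` in t_sesskeynego.py and in the `aes256.destgt` entry of `_passes` in k5test.py, where the remaining enctypes are rc4-hmac and arcfour-hmac; whether those still need the flag depends on how the library classifies RC4, which is not visible here. Leaving the flag on means these tests would keep passing if a weak enctype were negotiated by mistake.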
+++ b/src/tests/t_salt.py @@ -22,7 +22,7 @@ salts = [('des3-cbc-sha1', 'norealm'), # These enctypes are chosen to cover the different string-to-key routines. # Omit ":normal" from aes256 to check that salttype defaulting works. second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal', - 'des3-cbc-sha1:normal', 'des-cbc-crc:normal'] + 'des3-cbc-sha1:normal'] # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py index da02f224a..621b27156 100755 --- a/src/tests/t_sesskeynego.py +++ b/src/tests/t_sesskeynego.py @@ -23,13 +23,7 @@ conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}} conf3 = {'libdefaults': { 'allow_weak_crypto': 'true', 'default_tkt_enctypes': 'aes128-cts', - 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}} -conf4 = {'libdefaults': { - 'allow_weak_crypto': 'true', - 'default_tkt_enctypes': 'aes256-cts', - 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'}, - 'realms': {'$realm': {'des_crc_session_supported': 'false'}}} - + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} # Test with client request and session_enctypes preferring aes128, but # aes256 long-term key. realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) 
@@ -63,16 +57,6 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac,aes128-cts,aes256-cts']) test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') - -# 3c: Test des-cbc-crc default assumption. -realm.run([kadminl, 'delstr', 'server', 'session_enctypes']) -test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96') -realm.stop() - -# Last go: test that we can disable the des-cbc-crc assumption -realm = K5Realm(krb5_conf=conf4, get_creds=False) -realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) -test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') realm.stop() success('sesskeynego') diff --git a/src/util/k5test.py b/src/util/k5test.py index b6d93f1d8..da2782e15 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py @@ -1307,7 +1307,7 @@ _passes = [ 'master_key_type': 'aes256-sha2'}}}), # Test a setup with modern principal keys but an old TGT key. - ('aes256.destgt', 'des-cbc-crc:normal', + ('aes256.destgt', 'arcfour-hmac:normal', {'libdefaults': {'allow_weak_crypto': 'true'}}, None) ]
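Review bot: The k5test.py pass is still named `'aes256.destgt'` although its TGT keysalt is now `'arcfour-hmac:normal'`, so the name printed in test output describes an enctype that is no longer used. Renaming it, e.g. `('aes256.rc4tgt', 'arcfour-hmac:normal',`, would keep the output accurate. Check first whether any test selects this pass by name, since the rest of `_passes` and its consumers lie outside the hunk.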