fd463aed6a
Do not always canonicalize enterprise principals
2329 lines
84 KiB
Diff
2329 lines
84 KiB
Diff
From 99077dd3855832912df7563086cd615ba430e440 Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Fri, 24 May 2019 13:11:55 -0400
|
|
Subject: [PATCH] Update test suite to avoid single-DES enctypes
|
|
|
|
Remove the CRC exercise code, since CRC is DES-only.
|
|
|
|
ticket: 8808
|
|
(cherry picked from commit 50588db5d26e81f3d564d1f69435af34ae80d9b2)
|
|
---
|
|
src/kadmin/testing/proto/kdc.conf.proto | 2 +-
|
|
src/kadmin/testing/util/tcl_kadm5.c | 2 -
|
|
src/lib/crypto/crypto_tests/CRC.pm | 156 ----------
|
|
src/lib/crypto/crypto_tests/Makefile.in | 31 +-
|
|
src/lib/crypto/crypto_tests/crc.pl | 111 -------
|
|
src/lib/crypto/crypto_tests/deps | 24 --
|
|
src/lib/crypto/crypto_tests/t_cf2.expected | 1 -
|
|
src/lib/crypto/crypto_tests/t_cf2.in | 5 -
|
|
src/lib/crypto/crypto_tests/t_cksum.c | 160 ----------
|
|
src/lib/crypto/crypto_tests/t_cksums.c | 8 +-
|
|
src/lib/crypto/crypto_tests/t_combine.c | 18 --
|
|
src/lib/crypto/crypto_tests/t_crc.c | 148 ----------
|
|
src/lib/crypto/crypto_tests/t_decrypt.c | 148 ----------
|
|
src/lib/crypto/crypto_tests/t_encrypt.c | 3 -
|
|
src/lib/crypto/crypto_tests/t_short.c | 3 -
|
|
src/lib/crypto/crypto_tests/t_str2key.c | 274 ------------------
|
|
src/lib/crypto/crypto_tests/vectors.c | 3 +-
|
|
.../api.current/chpass-principal-v2.exp | 8 +-
|
|
.../api.current/get-principal-v2.exp | 4 +-
|
|
.../api.current/randkey-principal-v2.exp | 11 +-
|
|
src/lib/kadm5/unit-test/setkey-test.c | 6 +-
|
|
src/lib/krb5/keytab/t_keytab.c | 40 +--
|
|
src/lib/krb5/krb/t_etypes.c | 67 +----
|
|
src/lib/krb5/krb/t_ser.c | 2 +-
|
|
src/lib/krb5/os/t_trace.c | 2 +-
|
|
src/lib/krb5/os/t_trace.ref | 2 +-
|
|
src/tests/asn.1/ktest.c | 2 +-
|
|
src/tests/asn.1/pkinit_encode.out | 2 +-
|
|
src/tests/asn.1/pkinit_trval.out | 2 +-
|
|
src/tests/dejagnu/config/default.exp | 226 ++-------------
|
|
src/tests/gssapi/t_invalid.c | 20 +-
|
|
src/tests/gssapi/t_pcontok.c | 17 +-
|
|
src/tests/gssapi/t_prf.c | 7 -
|
|
src/tests/t_etype_info.py | 4 +-
|
|
src/tests/t_keyrollover.py | 6 +-
|
|
src/tests/t_salt.py | 2 +-
|
|
src/tests/t_sesskeynego.py | 18 +-
|
|
src/util/k5test.py | 2 +-
|
|
38 files changed, 88 insertions(+), 1459 deletions(-)
|
|
delete mode 100644 src/lib/crypto/crypto_tests/CRC.pm
|
|
delete mode 100644 src/lib/crypto/crypto_tests/crc.pl
|
|
delete mode 100644 src/lib/crypto/crypto_tests/t_cksum.c
|
|
delete mode 100644 src/lib/crypto/crypto_tests/t_crc.c
|
|
|
|
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
|
|
index 45df78b91..8a4b87de1 100644
|
|
--- a/src/kadmin/testing/proto/kdc.conf.proto
|
|
+++ b/src/kadmin/testing/proto/kdc.conf.proto
|
|
@@ -12,5 +12,5 @@
|
|
kadmind_port = 1751
|
|
kpasswd_port = 1752
|
|
master_key_type = des3-hmac-sha1
|
|
- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
|
|
+ supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
|
|
}
|
|
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
|
|
index 9dde579ef..4d3114b11 100644
|
|
--- a/src/kadmin/testing/util/tcl_kadm5.c
|
|
+++ b/src/kadmin/testing/util/tcl_kadm5.c
|
|
@@ -1514,8 +1514,6 @@ static Tcl_DString *unparse_keytype(krb5_enctype enctype)
|
|
switch (enctype) {
|
|
/* XXX is this right? */
|
|
case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break;
|
|
- case ENCTYPE_DES_CBC_CRC:
|
|
- Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break;
|
|
default:
|
|
sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype);
|
|
Tcl_DStringAppend(str, buf, -1);
|
|
diff --git a/src/lib/crypto/crypto_tests/CRC.pm b/src/lib/crypto/crypto_tests/CRC.pm
|
|
deleted file mode 100644
|
|
index ee2ab2ae8..000000000
|
|
--- a/src/lib/crypto/crypto_tests/CRC.pm
|
|
+++ /dev/null
|
|
@@ -1,156 +0,0 @@
|
|
-# Copyright 2002 by the Massachusetts Institute of Technology.
|
|
-# All Rights Reserved.
|
|
-#
|
|
-# Export of this software from the United States of America may
|
|
-# require a specific license from the United States Government.
|
|
-# It is the responsibility of any person or organization contemplating
|
|
-# export to obtain such a license before exporting.
|
|
-#
|
|
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
-# distribute this software and its documentation for any purpose and
|
|
-# without fee is hereby granted, provided that the above copyright
|
|
-# notice appear in all copies and that both that copyright notice and
|
|
-# this permission notice appear in supporting documentation, and that
|
|
-# the name of M.I.T. not be used in advertising or publicity pertaining
|
|
-# to distribution of the software without specific, written prior
|
|
-# permission. Furthermore if you modify this software you must label
|
|
-# your software as modified software and not distribute it in such a
|
|
-# fashion that it might be confused with the original M.I.T. software.
|
|
-# M.I.T. makes no representations about the suitability of
|
|
-# this software for any purpose. It is provided "as is" without express
|
|
-# or implied warranty.
|
|
-
|
|
-package CRC;
|
|
-
|
|
-# CRC: implement a CRC using the Poly package (yes this is slow)
|
|
-#
|
|
-# message M(x) = m_0 * x^0 + m_1 * x^1 + ... + m_(k-1) * x^(k-1)
|
|
-# generator P(x) = p_0 * x^0 + p_1 * x^1 + ... + p_n * x^n
|
|
-# remainder R(x) = r_0 * x^0 + r_1 * x^1 + ... + r_(n-1) * x^(n-1)
|
|
-#
|
|
-# R(x) = (x^n * M(x)) % P(x)
|
|
-#
|
|
-# Note that if F(x) = x^n * M(x) + R(x), then F(x) = 0 mod P(x) .
|
|
-#
|
|
-# In MIT Kerberos 5, R(x) is taken as the CRC, as opposed to what
|
|
-# ISO 3309 does.
|
|
-#
|
|
-# ISO 3309 adds a precomplement and a postcomplement.
|
|
-#
|
|
-# The ISO 3309 postcomplement is of the form
|
|
-#
|
|
-# A(x) = x^0 + x^1 + ... + x^(n-1) .
|
|
-#
|
|
-# The ISO 3309 precomplement is of the form
|
|
-#
|
|
-# B(x) = x^k * A(x) .
|
|
-#
|
|
-# The ISO 3309 FCS is then
|
|
-#
|
|
-# (x^n * M(x)) % P(x) + B(x) % P(x) + A(x) ,
|
|
-#
|
|
-# which is equivalent to
|
|
-#
|
|
-# (x^n * M(x) + B(x)) % P(x) + A(x) .
|
|
-#
|
|
-# In ISO 3309, the transmitted frame is
|
|
-#
|
|
-# F'(x) = x^n * M(x) + R(x) + R'(x) + A(x) ,
|
|
-#
|
|
-# where
|
|
-#
|
|
-# R'(x) = B(x) % P(x) .
|
|
-#
|
|
-# Note that this means that if a new remainder is computed over the
|
|
-# frame F'(x) (treating F'(x) as the new M(x)), it will be equal to a
|
|
-# constant.
|
|
-#
|
|
-# F'(x) = 0 + R'(x) + A(x) mod P(x) ,
|
|
-#
|
|
-# then
|
|
-#
|
|
-# (F'(x) + x^k * A(x)) * x^n
|
|
-#
|
|
-# = ((R'(x) + A(x)) + x^k * A(x)) * x^n mod P(x)
|
|
-#
|
|
-# = (x^k * A(x) + A(x) + x^k * A(x)) * x^n mod P(x)
|
|
-#
|
|
-# = (0 + A(x)) * x^n mod P(x)
|
|
-#
|
|
-# Note that (A(x) * x^n) % P(x) is a constant, and that this result
|
|
-# depends on B(x) being x^k * A(x).
|
|
-
|
|
-use Carp;
|
|
-use Poly;
|
|
-
|
|
-sub new {
|
|
- my $self = shift;
|
|
- my $class = ref($self) || $self;
|
|
- my %args = @_;
|
|
- $self = {bitsendian => "little"};
|
|
- bless $self, $class;
|
|
- $self->setpoly($args{"Poly"}) if exists $args{"Poly"};
|
|
- $self->bitsendian($args{"bitsendian"})
|
|
- if exists $args{"bitsendian"};
|
|
- $self->{precomp} = $args{precomp} if exists $args{precomp};
|
|
- $self->{postcomp} = $args{postcomp} if exists $args{postcomp};
|
|
- return $self;
|
|
-}
|
|
-
|
|
-sub setpoly {
|
|
- my $self = shift;
|
|
- my($arg) = @_;
|
|
- croak "need a polynomial" if !$arg->isa("Poly");
|
|
- $self->{Poly} = $arg;
|
|
- return $self;
|
|
-}
|
|
-
|
|
-sub crc {
|
|
- my $self = shift;
|
|
- my $msg = Poly->new(@_);
|
|
- my($order, $r, $precomp);
|
|
- $order = $self->{Poly}->order;
|
|
- # B(x) = x^k * precomp
|
|
- $precomp = $self->{precomp} ?
|
|
- $self->{precomp} * Poly->powers2poly(scalar(@_)) : Poly->new;
|
|
- # R(x) = (x^n * M(x)) % P(x)
|
|
- $r = ($msg * Poly->powers2poly($order)) % $self->{Poly};
|
|
- # B(x) % P(x)
|
|
- $r += $precomp % $self->{Poly};
|
|
- $r += $self->{postcomp} if exists $self->{postcomp};
|
|
- return $r;
|
|
-}
|
|
-
|
|
-# endianness of bits of each octet
|
|
-#
|
|
-# Note that the message is always treated as being sent in big-endian
|
|
-# octet order.
|
|
-#
|
|
-# Usually, the message will be treated as bits being little-endian,
|
|
-# since that is the common case for serial implementations that
|
|
-# present data in octets; e.g., most UARTs shift octets onto the line
|
|
-# in little-endian order, and protocols such as ISO 3309, V.42,
|
|
-# etc. treat individual octets as being sent LSB-first.
|
|
-
|
|
-sub bitsendian {
|
|
- my $self = shift;
|
|
- my($arg) = @_;
|
|
- croak "bad bit endianness" if $arg !~ /big|little/;
|
|
- $self->{bitsendian} = $arg;
|
|
- return $self;
|
|
-}
|
|
-
|
|
-sub crcstring {
|
|
- my $self = shift;
|
|
- my($arg) = @_;
|
|
- my($packstr, @m);
|
|
- {
|
|
- $packstr = "B*", last if $self->{bitsendian} =~ /big/;
|
|
- $packstr = "b*", last if $self->{bitsendian} =~ /little/;
|
|
- croak "bad bit endianness";
|
|
- };
|
|
- @m = split //, unpack $packstr, $arg;
|
|
- return $self->crc(@m);
|
|
-}
|
|
-
|
|
-1;
|
|
diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in
|
|
index c5eba1b10..09feeb50e 100644
|
|
--- a/src/lib/crypto/crypto_tests/Makefile.in
|
|
+++ b/src/lib/crypto/crypto_tests/Makefile.in
|
|
@@ -16,9 +16,7 @@ EXTRADEPSRCS=\
|
|
$(srcdir)/aes-test.c \
|
|
$(srcdir)/camellia-test.c \
|
|
$(srcdir)/t_cf2.c \
|
|
- $(srcdir)/t_cksum.c \
|
|
$(srcdir)/t_cksums.c \
|
|
- $(srcdir)/t_crc.c \
|
|
$(srcdir)/t_mddriver.c \
|
|
$(srcdir)/t_kperf.c \
|
|
$(srcdir)/t_sha2.c \
|
|
@@ -30,15 +28,12 @@ EXTRADEPSRCS=\
|
|
|
|
##DOS##BUILDTOP = ..\..\..
|
|
|
|
-# NOTE: The t_cksum known checksum values are primarily for regression
|
|
-# testing. They are not derived a priori, but are known to produce
|
|
-# checksums that interoperate.
|
|
check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
|
|
- t_cksum4 t_cksum5 t_cksums \
|
|
+ t_cksums \
|
|
aes-test \
|
|
camellia-test \
|
|
t_mddriver4 t_mddriver \
|
|
- t_crc t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
|
|
+ t_cts t_sha2 t_short t_str2key t_derive t_fork t_cf2 \
|
|
t_combine
|
|
$(RUN_TEST) ./t_nfold
|
|
$(RUN_TEST) ./t_encrypt
|
|
@@ -47,10 +42,7 @@ check-unix: t_nfold t_encrypt t_decrypt t_prf t_prng t_cmac t_hmac \
|
|
$(RUN_TEST) ./t_cmac
|
|
$(RUN_TEST) ./t_hmac
|
|
$(RUN_TEST) ./t_prf
|
|
- $(RUN_TEST) ./t_cksum4 "this is a test" e3f76a07f3401e3536b43a3f54226c39422c35682c354835
|
|
- $(RUN_TEST) ./t_cksum5 "this is a test" e3f76a07f3401e351143ee6f4c09be1edb4264d55015db53
|
|
$(RUN_TEST) ./t_cksums
|
|
- $(RUN_TEST) ./t_crc
|
|
$(RUN_TEST) ./t_cts
|
|
$(RUN_TEST) ./aes-test -k > vk.txt
|
|
cmp vk.txt $(srcdir)/expect-vk.txt
|
|
@@ -109,24 +101,9 @@ t_short$(EXEEXT): t_short.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
|
|
$(CC_LINK) -o $@ t_short.$(OBJEXT) \
|
|
$(KRB5_BASE_LIBS)
|
|
|
|
-t_cksum4.o: $(srcdir)/t_cksum.c
|
|
- $(CC) -DMD=4 $(ALL_CFLAGS) -o t_cksum4.o -c $(srcdir)/t_cksum.c
|
|
-
|
|
-t_cksum5.o: $(srcdir)/t_cksum.c
|
|
- $(CC) -DMD=5 $(ALL_CFLAGS) -o t_cksum5.o -c $(srcdir)/t_cksum.c
|
|
-
|
|
-t_cksum4: t_cksum4.o $(CRYTPO_DEPLIB)
|
|
- $(CC_LINK) -o t_cksum4 t_cksum4.o $(KRB5_BASE_LIBS)
|
|
-
|
|
-t_cksum5: t_cksum5.o $(CRYPTO_DEPLIB)
|
|
- $(CC_LINK) -o t_cksum5 t_cksum5.o $(KRB5_BASE_LIBS)
|
|
-
|
|
t_cksums: t_cksums.o $(CRYTPO_DEPLIB)
|
|
$(CC_LINK) -o t_cksums t_cksums.o -lkrb5 $(KRB5_BASE_LIBS)
|
|
|
|
-t_crc: t_crc.o $(KRB5_BASE_DEPLIBS)
|
|
- $(CC_LINK) -o $@ t_crc.o $(KRB5_BASE_LIBS)
|
|
-
|
|
aes-test: aes-test.$(OBJEXT) $(KRB5_BASE_DEPLIBS)
|
|
$(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(KRB5_BASE_LIBS)
|
|
|
|
@@ -165,9 +142,9 @@ clean:
|
|
t_decrypt.o t_decrypt t_prng.o t_prng t_cmac.o t_cmac \
|
|
t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
|
|
aes-test.o aes-test vt.txt vk.txt kresults.out \
|
|
- t_crc.o t_crc t_cts.o t_cts \
|
|
+ t_cts.o t_cts \
|
|
t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver \
|
|
- t_cksum4 t_cksum4.o t_cksum5 t_cksum5.o t_cksums t_cksums.o \
|
|
+ t_cksums t_cksums.o \
|
|
t_kperf.o t_kperf t_sha2.o t_sha2 t_short t_short.o t_str2key \
|
|
t_str2key.o t_derive t_derive.o t_fork t_fork.o \
|
|
t_mddriver$(EXEEXT) $(OUTPRE)t_mddriver.$(OBJEXT) \
|
|
diff --git a/src/lib/crypto/crypto_tests/crc.pl b/src/lib/crypto/crypto_tests/crc.pl
|
|
deleted file mode 100644
|
|
index b21b6b15d..000000000
|
|
--- a/src/lib/crypto/crypto_tests/crc.pl
|
|
+++ /dev/null
|
|
@@ -1,111 +0,0 @@
|
|
-# Copyright 2002 by the Massachusetts Institute of Technology.
|
|
-# All Rights Reserved.
|
|
-#
|
|
-# Export of this software from the United States of America may
|
|
-# require a specific license from the United States Government.
|
|
-# It is the responsibility of any person or organization contemplating
|
|
-# export to obtain such a license before exporting.
|
|
-#
|
|
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
-# distribute this software and its documentation for any purpose and
|
|
-# without fee is hereby granted, provided that the above copyright
|
|
-# notice appear in all copies and that both that copyright notice and
|
|
-# this permission notice appear in supporting documentation, and that
|
|
-# the name of M.I.T. not be used in advertising or publicity pertaining
|
|
-# to distribution of the software without specific, written prior
|
|
-# permission. Furthermore if you modify this software you must label
|
|
-# your software as modified software and not distribute it in such a
|
|
-# fashion that it might be confused with the original M.I.T. software.
|
|
-# M.I.T. makes no representations about the suitability of
|
|
-# this software for any purpose. It is provided "as is" without express
|
|
-# or implied warranty.
|
|
-
|
|
-use CRC;
|
|
-
|
|
-print "*** crudely testing polynomial functions ***\n";
|
|
-
|
|
-$x = Poly->new(1,1,1,1);
|
|
-$y = Poly->new(1,1);
|
|
-print "x = @{[$x->pretty]}\ny = @{[$y->pretty]}\n";
|
|
-$q = $x / $y;
|
|
-$r = $x % $y;
|
|
-print $x->pretty, " = (", $y->pretty , ") * (", $q->pretty,
|
|
- ") + ", $r->pretty, "\n";
|
|
-$q = $y / $x;
|
|
-$r = $y % $x;
|
|
-print "y / x = @{[$q->pretty]}\ny % x = @{[$r->pretty]}\n";
|
|
-
|
|
-# ISO 3309 32-bit FCS polynomial
|
|
-$fcs32 = Poly->powers2poly(32,26,23,22,16,12,11,10,8,7,5,4,2,1,0);
|
|
-print "fcs32 = ", $fcs32->pretty, "\n";
|
|
-
|
|
-$crc = CRC->new(Poly => $fcs32, bitsendian => "little");
|
|
-
|
|
-print "\n";
|
|
-
|
|
-print "*** little endian, no complementation ***\n";
|
|
-for ($i = 0; $i < 256; $i++) {
|
|
- $r = $crc->crcstring(pack "C", $i);
|
|
- printf ("%02x: ", $i) if !($i % 8);
|
|
- print ($r->revhex, ($i % 8 == 7) ? "\n" : " ");
|
|
-}
|
|
-
|
|
-print "\n";
|
|
-
|
|
-print "*** little endian, 4 bits, no complementation ***\n";
|
|
-for ($i = 0; $i < 16; $i++) {
|
|
- @m = (split //, unpack "b*", pack "C", $i)[0..3];
|
|
- $r = $crc->crc(@m);
|
|
- printf ("%02x: ", $i) if !($i % 8);
|
|
- print ($r->revhex, ($i % 8 == 7) ? "\n" : " ");
|
|
-}
|
|
-
|
|
-print "\n";
|
|
-
|
|
-print "*** test vectors for t_crc.c, little endian ***\n";
|
|
-for ($i = 1; $i <= 4; $i *=2) {
|
|
- for ($j = 0; $j < $i * 8; $j++) {
|
|
- @m = split //, unpack "b*", pack "V", 1 << $j;
|
|
- splice @m, $i * 8;
|
|
- $r = $crc->crc(@m);
|
|
- $m = unpack "H*", pack "b*", join("", @m);
|
|
- print "{HEX, \"$m\", 0x", $r->revhex, "},\n";
|
|
- }
|
|
-}
|
|
-@m = ("foo", "test0123456789",
|
|
- "MASSACHVSETTS INSTITVTE OF TECHNOLOGY");
|
|
-foreach $m (@m) {
|
|
- $r = $crc->crcstring($m);
|
|
- print "{STR, \"$m\", 0x", $r->revhex, "},\n";
|
|
-}
|
|
-__END__
|
|
-
|
|
-print "*** big endian, no complementation ***\n";
|
|
-for ($i = 0; $i < 256; $i++) {
|
|
- $r = $crc->crcstring(pack "C", $i);
|
|
- printf ("%02x: ", $i) if !($i % 8);
|
|
- print ($r->hex, ($i % 8 == 7) ? "\n" : " ");
|
|
-}
|
|
-
|
|
-# all ones polynomial of order 31
|
|
-$ones = Poly->new((1) x 32);
|
|
-
|
|
-print "*** big endian, ISO-3309 style\n";
|
|
-$crc = CRC->new(Poly => $fcs32,
|
|
- bitsendian => "little",
|
|
- precomp => $ones,
|
|
- postcomp => $ones);
|
|
-for ($i = 0; $i < 256; $i++) {
|
|
- $r = $crc->crcstring(pack "C", $i);
|
|
- print ($r->hex, ($i % 8 == 7) ? "\n" : " ");
|
|
-}
|
|
-
|
|
-for ($i = 0; $i < 0; $i++) {
|
|
- $x = Poly->new((1) x 32, (0) x $i);
|
|
- $y = Poly->new((1) x 32);
|
|
- $f = ($x % $fcs32) + $y;
|
|
- $r = (($f + $x) * Poly->powers2poly(32)) % $fcs32;
|
|
- @out = @$r;
|
|
- unshift @out, 0 while @out < 32;
|
|
- print @out, "\n";
|
|
-}
|
|
diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps
|
|
index 5d94a593d..19fef2582 100644
|
|
--- a/src/lib/crypto/crypto_tests/deps
|
|
+++ b/src/lib/crypto/crypto_tests/deps
|
|
@@ -140,17 +140,6 @@ $(OUTPRE)camellia-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
$(top_srcdir)/include/socket-utils.h camellia-test.c
|
|
$(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
|
|
$(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h t_cf2.c
|
|
-$(OUTPRE)t_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
- $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
|
|
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
- t_cksum.c
|
|
$(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
@@ -161,19 +150,6 @@ $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
$(top_srcdir)/include/socket-utils.h t_cksums.c
|
|
-$(OUTPRE)t_crc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \
|
|
- $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \
|
|
- $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \
|
|
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
- $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
|
|
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
- t_crc.c
|
|
$(OUTPRE)t_mddriver.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \
|
|
diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected
|
|
index 11a24b800..f8251a16c 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_cf2.expected
|
|
+++ b/src/lib/crypto/crypto_tests/t_cf2.expected
|
|
@@ -1,6 +1,5 @@
|
|
97df97e4b798b29eb31ed7280287a92a
|
|
4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b
|
|
-43bae3738c9467e6
|
|
e58f9eb643862c13ad38e529313462a7f73e62834fe54a01
|
|
24d7f6b6bae4e5c00d2082c5ebab3672
|
|
edd02a39d2dbde31611c16e610be062c
|
|
diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in
|
|
index e62ead7d8..73e2f8fbc 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_cf2.in
|
|
+++ b/src/lib/crypto/crypto_tests/t_cf2.in
|
|
@@ -8,11 +8,6 @@ key1
|
|
key2
|
|
a
|
|
b
|
|
-1
|
|
-key1
|
|
-key2
|
|
-a
|
|
-b
|
|
16
|
|
key1
|
|
key2
|
|
diff --git a/src/lib/crypto/crypto_tests/t_cksum.c b/src/lib/crypto/crypto_tests/t_cksum.c
|
|
deleted file mode 100644
|
|
index 0edaeb850..000000000
|
|
--- a/src/lib/crypto/crypto_tests/t_cksum.c
|
|
+++ /dev/null
|
|
@@ -1,160 +0,0 @@
|
|
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
-/* lib/crypto/crypto_tests/t_cksum.c */
|
|
-/*
|
|
- * Copyright 1995 by the Massachusetts Institute of Technology.
|
|
- * All Rights Reserved.
|
|
- *
|
|
- * Export of this software from the United States of America may
|
|
- * require a specific license from the United States Government.
|
|
- * It is the responsibility of any person or organization contemplating
|
|
- * export to obtain such a license before exporting.
|
|
- *
|
|
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
- * distribute this software and its documentation for any purpose and
|
|
- * without fee is hereby granted, provided that the above copyright
|
|
- * notice appear in all copies and that both that copyright notice and
|
|
- * this permission notice appear in supporting documentation, and that
|
|
- * the name of M.I.T. not be used in advertising or publicity pertaining
|
|
- * to distribution of the software without specific, written prior
|
|
- * permission. Furthermore if you modify this software you must label
|
|
- * your software as modified software and not distribute it in such a
|
|
- * fashion that it might be confused with the original M.I.T. software.
|
|
- * M.I.T. makes no representations about the suitability of
|
|
- * this software for any purpose. It is provided "as is" without express
|
|
- * or implied warranty.
|
|
- */
|
|
-
|
|
-/* Test checksum and checksum compatability for rsa-md[4,5]-des. */
|
|
-
|
|
-#include "k5-int.h"
|
|
-#include "k5-hex.h"
|
|
-
|
|
-#define MD5_K5BETA_COMPAT
|
|
-#define MD4_K5BETA_COMPAT
|
|
-
|
|
-#if MD == 4
|
|
-#define CKTYPE CKSUMTYPE_RSA_MD4_DES
|
|
-#endif
|
|
-
|
|
-#if MD == 5
|
|
-#define CKTYPE CKSUMTYPE_RSA_MD5_DES
|
|
-#endif
|
|
-
|
|
-static void
|
|
-print_checksum(char *text, int number, char *message, krb5_checksum *checksum)
|
|
-{
|
|
- unsigned int i;
|
|
-
|
|
- printf("%s MD%d checksum(\"%s\") = ", text, number, message);
|
|
- for (i=0; i<checksum->length; i++)
|
|
- printf("%02x", (unsigned char) checksum->contents[i]);
|
|
- printf("\n");
|
|
-}
|
|
-
|
|
-/*
|
|
- * Test the checksum verification of Old Style (tm) and correct RSA-MD[4,5]-DES
|
|
- * checksums.
|
|
- */
|
|
-
|
|
-krb5_octet testkey[8] = { 0x45, 0x01, 0x49, 0x61, 0x58, 0x19, 0x1a, 0x3d };
|
|
-
|
|
-int
|
|
-main(argc, argv)
|
|
- int argc;
|
|
- char **argv;
|
|
-{
|
|
- int msgindex;
|
|
- size_t len;
|
|
- krb5_boolean valid;
|
|
- krb5_keyblock keyblock;
|
|
- krb5_key key;
|
|
- krb5_error_code kret=0;
|
|
- krb5_data plaintext;
|
|
- krb5_checksum checksum, knowncksum;
|
|
-
|
|
- /* this is a terrible seed, but that's ok for the test. */
|
|
-
|
|
- plaintext.length = 8;
|
|
- plaintext.data = (char *) testkey;
|
|
-
|
|
- krb5_c_random_seed(/* XXX */ 0, &plaintext);
|
|
-
|
|
- keyblock.enctype = ENCTYPE_DES_CBC_CRC;
|
|
- keyblock.length = sizeof(testkey);
|
|
- keyblock.contents = testkey;
|
|
-
|
|
- krb5_k_create_key(NULL, &keyblock, &key);
|
|
-
|
|
- for (msgindex = 1; msgindex + 1 < argc; msgindex += 2) {
|
|
- plaintext.length = strlen(argv[msgindex]);
|
|
- plaintext.data = argv[msgindex];
|
|
-
|
|
- /* Create a checksum. */
|
|
- kret = krb5_k_make_checksum(NULL, CKTYPE, key, 0, &plaintext,
|
|
- &checksum);
|
|
- if (kret != 0) {
|
|
- printf("krb5_calculate_checksum choked with %d\n", kret);
|
|
- break;
|
|
- }
|
|
- print_checksum("correct", MD, argv[msgindex], &checksum);
|
|
-
|
|
- /* Verify it. */
|
|
- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum,
|
|
- &valid);
|
|
- if (kret != 0) {
|
|
- printf("verify on new checksum choked with %d\n", kret);
|
|
- break;
|
|
- }
|
|
- if (!valid) {
|
|
- printf("verify on new checksum failed\n");
|
|
- kret = 1;
|
|
- break;
|
|
- }
|
|
- printf("Verify succeeded for \"%s\"\n", argv[msgindex]);
|
|
-
|
|
- /* Corrupt the checksum and see if it still verifies. */
|
|
- checksum.contents[0]++;
|
|
- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &checksum,
|
|
- &valid);
|
|
- if (kret != 0) {
|
|
- printf("verify on new checksum choked with %d\n", kret);
|
|
- break;
|
|
- }
|
|
- if (valid) {
|
|
- printf("verify on new checksum succeeded, but shouldn't have\n");
|
|
- kret = 1;
|
|
- break;
|
|
- }
|
|
- printf("Verify of bad checksum OK for \"%s\"\n", argv[msgindex]);
|
|
- free(checksum.contents);
|
|
-
|
|
- /* Verify a known-good checksum for this plaintext. */
|
|
- kret = k5_hex_decode(argv[msgindex + 1], &knowncksum.contents, &len);
|
|
- if (kret) {
|
|
- printf("k5_hex_decode failed\n");
|
|
- break;
|
|
- }
|
|
- knowncksum.length = len;
|
|
- knowncksum.checksum_type = CKTYPE;
|
|
- knowncksum.magic = KV5M_CHECKSUM;
|
|
- kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &knowncksum,
|
|
- &valid);
|
|
- if (kret != 0) {
|
|
- printf("verify on known checksum choked with %d\n", kret);
|
|
- break;
|
|
- }
|
|
- if (!valid) {
|
|
- printf("verify on known checksum failed\n");
|
|
- kret = 1;
|
|
- break;
|
|
- }
|
|
- printf("Verify on known checksum succeeded\n");
|
|
- free(knowncksum.contents);
|
|
- }
|
|
- if (!kret)
|
|
- printf("%d tests passed successfully for MD%d checksum\n", (argc-1)/2, MD);
|
|
-
|
|
- krb5_k_free_key(NULL, key);
|
|
-
|
|
- return(kret);
|
|
-}
|
|
diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c
|
|
index 5afc90ed8..4da14ea43 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_cksums.c
|
|
+++ b/src/lib/crypto/crypto_tests/t_cksums.c
|
|
@@ -27,7 +27,7 @@
|
|
/*
|
|
* This harness tests checksum results against known values. With the -v flag,
|
|
* results for all tests are displayed. This harness only works for
|
|
- * deterministic checksums; for rsa-md4-des and rsa-md5-des, see t_cksum.c.
|
|
+ * deterministic checksums.
|
|
*/
|
|
|
|
#include "k5-int.h"
|
|
@@ -40,12 +40,6 @@ struct test {
|
|
krb5_data keybits;
|
|
krb5_data cksum;
|
|
} test_cases[] = {
|
|
- {
|
|
- { KV5M_DATA, 3, "abc" },
|
|
- CKSUMTYPE_CRC32, 0, 0, { KV5M_DATA, 0, "" },
|
|
- { KV5M_DATA, 4,
|
|
- "\xD0\x98\x65\xCA" }
|
|
- },
|
|
{
|
|
{ KV5M_DATA, 3, "one" },
|
|
CKSUMTYPE_RSA_MD4, 0, 0, { KV5M_DATA, 0, "" },
|
|
diff --git a/src/lib/crypto/crypto_tests/t_combine.c b/src/lib/crypto/crypto_tests/t_combine.c
|
|
index 89219c762..ba0622bcf 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_combine.c
|
|
+++ b/src/lib/crypto/crypto_tests/t_combine.c
|
|
@@ -32,10 +32,6 @@
|
|
|
|
#include "k5-int.h"
|
|
|
|
-unsigned char des_key1[] = "\x04\x86\xCD\x97\x61\xDF\xD6\x29";
|
|
-unsigned char des_key2[] = "\x1A\x54\x9B\x7F\xDC\x20\x83\x0E";
|
|
-unsigned char des_result[] = "\xC2\x13\x01\x52\x89\x26\xC4\xF7";
|
|
-
|
|
unsigned char des3_key1[] = "\x10\xB6\x75\xD5\x5B\xD9\x6E\x73"
|
|
"\xFD\x54\xB3\x3D\x37\x52\xC1\x2A\xF7\x43\x91\xFE\x1C\x02\x37\x13";
|
|
unsigned char des3_key2[] = "\xC8\xDA\x3E\xA7\xB6\x64\xAE\x7A"
|
|
@@ -48,20 +44,6 @@ main(int argc, char **argv)
|
|
{
|
|
krb5_keyblock kb1, kb2, result;
|
|
|
|
- kb1.enctype = ENCTYPE_DES_CBC_CRC;
|
|
- kb1.contents = des_key1;
|
|
- kb1.length = 8;
|
|
- kb2.enctype = ENCTYPE_DES_CBC_CRC;
|
|
- kb2.contents = des_key2;
|
|
- kb2.length = 8;
|
|
- memset(&result, 0, sizeof(result));
|
|
- if (krb5int_c_combine_keys(NULL, &kb1, &kb2, &result) != 0)
|
|
- abort();
|
|
- if (result.enctype != ENCTYPE_DES_CBC_CRC || result.length != 8 ||
|
|
- memcmp(result.contents, des_result, 8) != 0)
|
|
- abort();
|
|
- krb5_free_keyblock_contents(NULL, &result);
|
|
-
|
|
kb1.enctype = ENCTYPE_DES3_CBC_SHA1;
|
|
kb1.contents = des3_key1;
|
|
kb1.length = 24;
|
|
diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c
|
|
deleted file mode 100644
|
|
index 8cd1d36cb..000000000
|
|
--- a/src/lib/crypto/crypto_tests/t_crc.c
|
|
+++ /dev/null
|
|
@@ -1,148 +0,0 @@
|
|
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
-/* lib/crypto/crypto_tests/t_crc.c */
|
|
-/*
|
|
- * Copyright 2002,2005 by the Massachusetts Institute of Technology.
|
|
- * All Rights Reserved.
|
|
- *
|
|
- * Export of this software from the United States of America may
|
|
- * require a specific license from the United States Government.
|
|
- * It is the responsibility of any person or organization contemplating
|
|
- * export to obtain such a license before exporting.
|
|
- *
|
|
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
- * distribute this software and its documentation for any purpose and
|
|
- * without fee is hereby granted, provided that the above copyright
|
|
- * notice appear in all copies and that both that copyright notice and
|
|
- * this permission notice appear in supporting documentation, and that
|
|
- * the name of M.I.T. not be used in advertising or publicity pertaining
|
|
- * to distribution of the software without specific, written prior
|
|
- * permission. Furthermore if you modify this software you must label
|
|
- * your software as modified software and not distribute it in such a
|
|
- * fashion that it might be confused with the original M.I.T. software.
|
|
- * M.I.T. makes no representations about the suitability of
|
|
- * this software for any purpose. It is provided "as is" without express
|
|
- * or implied warranty.
|
|
- */
|
|
-
|
|
-/*
|
|
- * Sanity checks for CRC32.
|
|
- */
|
|
-#include <sys/times.h>
|
|
-#include <limits.h>
|
|
-#include <stdio.h>
|
|
-#include <stdlib.h>
|
|
-#include <string.h>
|
|
-#include <k5-hex.h>
|
|
-#include "crypto_int.h"
|
|
-
|
|
-#define HEX 1
|
|
-#define STR 2
|
|
-struct crc_trial {
|
|
- int type;
|
|
- char *data;
|
|
- unsigned long sum;
|
|
-};
|
|
-
|
|
-struct crc_trial trials[] = {
|
|
- {HEX, "01", 0x77073096},
|
|
- {HEX, "02", 0xee0e612c},
|
|
- {HEX, "04", 0x076dc419},
|
|
- {HEX, "08", 0x0edb8832},
|
|
- {HEX, "10", 0x1db71064},
|
|
- {HEX, "20", 0x3b6e20c8},
|
|
- {HEX, "40", 0x76dc4190},
|
|
- {HEX, "80", 0xedb88320},
|
|
- {HEX, "0100", 0x191b3141},
|
|
- {HEX, "0200", 0x32366282},
|
|
- {HEX, "0400", 0x646cc504},
|
|
- {HEX, "0800", 0xc8d98a08},
|
|
- {HEX, "1000", 0x4ac21251},
|
|
- {HEX, "2000", 0x958424a2},
|
|
- {HEX, "4000", 0xf0794f05},
|
|
- {HEX, "8000", 0x3b83984b},
|
|
- {HEX, "0001", 0x77073096},
|
|
- {HEX, "0002", 0xee0e612c},
|
|
- {HEX, "0004", 0x076dc419},
|
|
- {HEX, "0008", 0x0edb8832},
|
|
- {HEX, "0010", 0x1db71064},
|
|
- {HEX, "0020", 0x3b6e20c8},
|
|
- {HEX, "0040", 0x76dc4190},
|
|
- {HEX, "0080", 0xedb88320},
|
|
- {HEX, "01000000", 0xb8bc6765},
|
|
- {HEX, "02000000", 0xaa09c88b},
|
|
- {HEX, "04000000", 0x8f629757},
|
|
- {HEX, "08000000", 0xc5b428ef},
|
|
- {HEX, "10000000", 0x5019579f},
|
|
- {HEX, "20000000", 0xa032af3e},
|
|
- {HEX, "40000000", 0x9b14583d},
|
|
- {HEX, "80000000", 0xed59b63b},
|
|
- {HEX, "00010000", 0x01c26a37},
|
|
- {HEX, "00020000", 0x0384d46e},
|
|
- {HEX, "00040000", 0x0709a8dc},
|
|
- {HEX, "00080000", 0x0e1351b8},
|
|
- {HEX, "00100000", 0x1c26a370},
|
|
- {HEX, "00200000", 0x384d46e0},
|
|
- {HEX, "00400000", 0x709a8dc0},
|
|
- {HEX, "00800000", 0xe1351b80},
|
|
- {HEX, "00000100", 0x191b3141},
|
|
- {HEX, "00000200", 0x32366282},
|
|
- {HEX, "00000400", 0x646cc504},
|
|
- {HEX, "00000800", 0xc8d98a08},
|
|
- {HEX, "00001000", 0x4ac21251},
|
|
- {HEX, "00002000", 0x958424a2},
|
|
- {HEX, "00004000", 0xf0794f05},
|
|
- {HEX, "00008000", 0x3b83984b},
|
|
- {HEX, "00000001", 0x77073096},
|
|
- {HEX, "00000002", 0xee0e612c},
|
|
- {HEX, "00000004", 0x076dc419},
|
|
- {HEX, "00000008", 0x0edb8832},
|
|
- {HEX, "00000010", 0x1db71064},
|
|
- {HEX, "00000020", 0x3b6e20c8},
|
|
- {HEX, "00000040", 0x76dc4190},
|
|
- {HEX, "00000080", 0xedb88320},
|
|
- {STR, "foo", 0x7332bc33},
|
|
- {STR, "test0123456789", 0xb83e88d6},
|
|
- {STR, "MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 0xe34180f7}
|
|
-};
|
|
-
|
|
-#define NTRIALS (sizeof(trials) / sizeof(trials[0]))
|
|
-
|
|
-
|
|
-int
|
|
-main(void)
|
|
-{
|
|
- unsigned int i;
|
|
- struct crc_trial trial;
|
|
- uint8_t *bytes;
|
|
- size_t len;
|
|
- unsigned long cksum;
|
|
- char *typestr;
|
|
-
|
|
- for (i = 0; i < NTRIALS; i++) {
|
|
- trial = trials[i];
|
|
- switch (trial.type) {
|
|
- case STR:
|
|
- len = strlen(trial.data);
|
|
- typestr = "STR";
|
|
- cksum = 0;
|
|
- mit_crc32(trial.data, len, &cksum);
|
|
- break;
|
|
- case HEX:
|
|
- typestr = "HEX";
|
|
- if (k5_hex_decode(trial.data, &bytes, &len) != 0)
|
|
- abort();
|
|
- cksum = 0;
|
|
- mit_crc32(bytes, len, &cksum);
|
|
- free(bytes);
|
|
- break;
|
|
- default:
|
|
- typestr = "BOGUS";
|
|
- fprintf(stderr, "bad trial type %d\n", trial.type);
|
|
- exit(1);
|
|
- }
|
|
- printf("%s: %s \"%s\" = 0x%08lx\n",
|
|
- (trial.sum == cksum) ? "OK" : "***BAD***",
|
|
- typestr, trial.data, cksum);
|
|
- }
|
|
- exit(0);
|
|
-}
|
|
diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c
|
|
index 4ae0256cc..a40a85500 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_decrypt.c
|
|
+++ b/src/lib/crypto/crypto_tests/t_decrypt.c
|
|
@@ -39,151 +39,6 @@ struct test {
|
|
krb5_data keybits;
|
|
krb5_data ciphertext;
|
|
} test_cases[] = {
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- { KV5M_DATA, 0, "" }, 0,
|
|
- { KV5M_DATA, 8,
|
|
- "\x45\xE6\x08\x7C\xDF\x13\x8F\xB5" },
|
|
- { KV5M_DATA, 16,
|
|
- "\x28\xF6\xB0\x9A\x01\x2B\xCC\xF7\x2F\xB0\x51\x22\xB2\x83\x9E\x6E" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- { KV5M_DATA, 1, "1" }, 1,
|
|
- { KV5M_DATA, 8,
|
|
- "\x92\xA7\x15\x58\x10\x58\x6B\x2F" },
|
|
- { KV5M_DATA, 16,
|
|
- "\xB4\xC8\x71\xC2\xF3\xE7\xBF\x76\x05\xEF\xD6\x2F\x2E\xEE\xC2\x05" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- { KV5M_DATA, 9, "9 bytesss" }, 2,
|
|
- { KV5M_DATA, 8,
|
|
- "\xA4\xB9\x51\x4A\x61\x64\x64\x23" },
|
|
- { KV5M_DATA, 24,
|
|
- "\x5F\x14\xC3\x51\x78\xD3\x3D\x7C\xDE\x0E\xC1\x69\xC6\x23\xCC\x83"
|
|
- "\x21\xB7\xB8\xBD\x34\xEA\x7E\xFE" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- { KV5M_DATA, 13, "13 bytes byte", }, 3,
|
|
- { KV5M_DATA, 8,
|
|
- "\x2F\x16\xA2\xA7\xFD\xB0\x57\x68" },
|
|
- { KV5M_DATA, 32,
|
|
- "\x0B\x58\x8E\x38\xD9\x71\x43\x3C\x9D\x86\xD8\xBA\xEB\xF6\x3E\x4C"
|
|
- "\x1A\x01\x66\x6E\x76\xD8\xA5\x4A\x32\x93\xF7\x26\x79\xED\x88\xC9" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
|
|
- { KV5M_DATA, 8,
|
|
- "\xBC\x8F\x70\xFD\x20\x97\xD6\x7C" },
|
|
- { KV5M_DATA, 48,
|
|
- "\x38\xD6\x32\xD2\xC2\x0A\x7C\x2E\xA2\x50\xFC\x8E\xCE\x42\x93\x8E"
|
|
- "\x92\xA9\xF5\xD3\x02\x50\x26\x65\xC1\xA3\x37\x29\xC1\x05\x0D\xC2"
|
|
- "\x05\x62\x98\xFB\xFB\x16\x82\xCE\xEB\x65\xE5\x92\x04\xFD\xA7\xDF" }
|
|
- },
|
|
-
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- { KV5M_DATA, 0, "", }, 0,
|
|
- { KV5M_DATA, 8,
|
|
- "\x13\xEF\x45\xD0\xD6\xD9\xA1\x5D" },
|
|
- { KV5M_DATA, 24,
|
|
- "\x1F\xB2\x02\xBF\x07\xAF\x30\x47\xFB\x78\x01\xE5\x88\x56\x86\x86"
|
|
- "\xBA\x63\xD7\x8B\xE3\xE8\x7D\xC7" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- { KV5M_DATA, 1, "1", }, 1,
|
|
- { KV5M_DATA, 8,
|
|
- "\x64\x68\x86\x54\xDC\x26\x9E\x67" },
|
|
- { KV5M_DATA, 32,
|
|
- "\x1F\x6C\xB9\xCE\xCB\x73\xF7\x55\xAB\xFD\xB3\xD5\x65\xBD\x31\xD5"
|
|
- "\xA2\xE6\x4B\xFE\x44\xC4\x91\xE2\x0E\xEB\xE5\xBD\x20\xE4\xD2\xA9" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- { KV5M_DATA, 9, "9 bytesss", }, 2,
|
|
- { KV5M_DATA, 8,
|
|
- "\x68\x04\xFB\x26\xDF\x8A\x4C\x32" },
|
|
- { KV5M_DATA, 40,
|
|
- "\x08\xA5\x3D\x62\xFE\xC3\x33\x8A\xD1\xD2\x18\xE6\x0D\xBD\xD3\xB2"
|
|
- "\x12\x94\x06\x79\xD1\x25\xE0\x62\x1B\x3B\xAB\x46\x80\xCE\x03\x67"
|
|
- "\x6A\x2C\x42\x0E\x9B\xE7\x84\xEB" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- { KV5M_DATA, 13, "13 bytes byte", }, 3,
|
|
- { KV5M_DATA, 8,
|
|
- "\x23\x4A\x43\x6E\xC7\x2F\xA8\x0B" },
|
|
- { KV5M_DATA, 40,
|
|
- "\x17\xCD\x45\xE1\x4F\xF0\x6B\x28\x40\xA6\x03\x6E\x9A\xA7\xA4\x14"
|
|
- "\x4E\x29\x76\x81\x44\xA0\xC1\x82\x7D\x8C\x4B\xC7\xC9\x90\x6E\x72"
|
|
- "\xCD\x4D\xC3\x28\xF6\x64\x8C\x99" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
|
|
- { KV5M_DATA, 8,
|
|
- "\x1F\xD5\xF7\x43\x34\xC4\xFB\x8C" },
|
|
- { KV5M_DATA, 56,
|
|
- "\x51\x13\x4C\xD8\x95\x1E\x9D\x57\xC0\xA3\x60\x53\xE0\x4C\xE0\x3E"
|
|
- "\xCB\x84\x22\x48\x8F\xDD\xC5\xC0\x74\xC4\xD8\x5E\x60\xA2\xAE\x42"
|
|
- "\x3C\x3C\x70\x12\x01\x31\x4F\x36\x2C\xB0\x74\x48\x09\x16\x79\xC6"
|
|
- "\xA4\x96\xC1\x1D\x7B\x93\xC7\x1B" }
|
|
- },
|
|
-
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- { KV5M_DATA, 0, "", }, 0,
|
|
- { KV5M_DATA, 8,
|
|
- "\x4A\x54\x5E\x0B\xF7\xA2\x26\x31" },
|
|
- { KV5M_DATA, 24,
|
|
- "\x78\x4C\xD8\x15\x91\xA0\x34\xBE\x82\x55\x6F\x56\xDC\xA3\x22\x4B"
|
|
- "\x62\xD9\x95\x6F\xA9\x0B\x1B\x93" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- { KV5M_DATA, 1, "1", }, 1,
|
|
- { KV5M_DATA, 8,
|
|
- "\xD5\x80\x4A\x26\x9D\xC4\xE6\x45" },
|
|
- { KV5M_DATA, 32,
|
|
- "\xFF\xA2\x5C\x7B\xE2\x87\x59\x6B\xFE\x58\x12\x6E\x90\xAA\xA0\xF1"
|
|
- "\x2D\x9A\x82\xA0\xD8\x6D\xF6\xD5\xF9\x07\x4B\x6B\x39\x9E\x7F\xF1" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- { KV5M_DATA, 9, "9 bytesss", }, 2,
|
|
- { KV5M_DATA, 8,
|
|
- "\xC8\x31\x2F\x7F\x83\xEA\x46\x40" },
|
|
- { KV5M_DATA, 40,
|
|
- "\xE7\x85\x03\x37\xF2\xCC\x5E\x3F\x35\xCE\x3D\x69\xE2\xC3\x29\x86"
|
|
- "\x38\xA7\xAA\x44\xB8\x78\x03\x1E\x39\x85\x1E\x47\xC1\x5B\x5D\x0E"
|
|
- "\xE7\xE7\xAC\x54\xDE\x11\x1D\x80" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- { KV5M_DATA, 13, "13 bytes byte", }, 3,
|
|
- { KV5M_DATA, 8,
|
|
- "\x7F\xDA\x3E\x62\xAD\x8A\xF1\x8C" },
|
|
- { KV5M_DATA, 40,
|
|
- "\xD7\xA8\x03\x2E\x19\x99\x4C\x92\x87\x77\x50\x65\x95\xFB\xDA\x98"
|
|
- "\x83\x15\x8A\x85\x14\x54\x8E\x29\x6E\x91\x1C\x29\xF4\x65\xC6\x72"
|
|
- "\x36\x60\x00\x55\x8B\xFC\x2E\x88" }
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4,
|
|
- { KV5M_DATA, 8,
|
|
- "\xD3\xD6\x83\x29\x70\xA7\x37\x52" },
|
|
- { KV5M_DATA, 56,
|
|
- "\x8A\x48\x16\x6A\x4C\x6F\xEA\xE6\x07\xA8\xCF\x68\xB3\x81\xC0\x75"
|
|
- "\x5E\x40\x2B\x19\xDB\xC0\xF8\x1A\x7D\x7C\xA1\x9A\x25\xE0\x52\x23"
|
|
- "\xF6\x06\x44\x09\xBF\x5A\x4F\x50\xAC\xD8\x26\x63\x9F\xFA\x76\x73"
|
|
- "\xFD\x32\x4E\xC1\x9E\x42\x95\x02" }
|
|
- },
|
|
-
|
|
{
|
|
ENCTYPE_DES3_CBC_SHA1,
|
|
{ KV5M_DATA, 0, "", }, 0,
|
|
@@ -669,9 +524,6 @@ printhex(const char *head, void *data, size_t len)
|
|
|
|
static krb5_enctype
|
|
enctypes[] = {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
ENCTYPE_DES3_CBC_SHA1,
|
|
ENCTYPE_ARCFOUR_HMAC,
|
|
ENCTYPE_ARCFOUR_HMAC_EXP,
|
|
diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c
|
|
index 4afbddedb..bd9b94691 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_encrypt.c
|
|
+++ b/src/lib/crypto/crypto_tests/t_encrypt.c
|
|
@@ -37,9 +37,6 @@
|
|
|
|
/* What enctypes should we test?*/
|
|
krb5_enctype interesting_enctypes[] = {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
ENCTYPE_DES3_CBC_SHA1,
|
|
ENCTYPE_ARCFOUR_HMAC,
|
|
ENCTYPE_ARCFOUR_HMAC_EXP,
|
|
diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c
|
|
index 40fa2821f..d4c2b97df 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_short.c
|
|
+++ b/src/lib/crypto/crypto_tests/t_short.c
|
|
@@ -34,9 +34,6 @@
|
|
#include "k5-int.h"
|
|
|
|
krb5_enctype interesting_enctypes[] = {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- ENCTYPE_DES_CBC_MD4,
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
ENCTYPE_DES3_CBC_SHA1,
|
|
ENCTYPE_ARCFOUR_HMAC,
|
|
ENCTYPE_ARCFOUR_HMAC_EXP,
|
|
diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c
|
|
index 27896e61e..cdb1acc6d 100644
|
|
--- a/src/lib/crypto/crypto_tests/t_str2key.c
|
|
+++ b/src/lib/crypto/crypto_tests/t_str2key.c
|
|
@@ -35,280 +35,6 @@ struct test {
|
|
krb5_error_code expected_err;
|
|
krb5_boolean allow_weak;
|
|
} test_cases[] = {
|
|
- /* AFS string-to-key tests from old t_afss2k.c. */
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xA4\xD0\xD0\x9B\x86\x92\xB0\xC2" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "M",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xF1\xF2\x9E\xAB\xD0\xEF\xDF\x73" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xD6\x85\x61\xC4\xF2\x94\xF4\xA1" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My ",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xD0\xE3\xA7\x83\x94\x61\xE0\xD0" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My P",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xD5\x62\xCD\x94\x61\xCB\x97\xDF" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Pa",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x9E\xA2\xA2\xEC\xA8\x8C\x6B\x8F" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Pas",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xE3\x91\x6D\xD3\x85\xF1\x67\xC4" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Pass",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xF4\xC4\x73\xC8\x8A\xE9\x94\x6D" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Passw",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xA1\x9E\xB3\xAD\x6B\xE3\xAB\xD9" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Passwo",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xAD\xA1\xCE\x10\x37\x83\xA7\x8C" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Passwor",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xD3\x01\xD0\xF7\x3E\x7A\x49\x0B" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Password",
|
|
- { KV5M_DATA, 15, "Sodium Chloride" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xB6\x2A\x4A\xEC\x9D\x4C\x68\xDF" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x61\xEF\xE6\x83\xE5\x8A\x6B\x98" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "M",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x68\xCD\x68\xAD\xC4\x86\xCD\xE5" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x83\xA1\xC8\x86\x8F\x67\xD0\x62" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My ",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x9E\xC7\x8F\xA4\xA4\xB3\xE0\xD5" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My P",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xD9\x92\x86\x8F\x9D\x8C\x85\xE6" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Pa",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xDA\xF2\x92\x83\xF4\x9B\xA7\xAD" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Pas",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x91\xCD\xAD\xEF\x86\xDF\xD3\xA2" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Pass",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x73\xD3\x67\x68\x8F\x6E\xE3\x73" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Passw",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xC4\x61\x85\x9D\xAD\xF4\xDC\xB0" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Passwo",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\xE9\x02\x83\x16\x2C\xEC\xE0\x08" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Passwor",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x61\xC8\x26\x29\xD9\x73\x6E\xB6" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "My Password",
|
|
- { KV5M_DATA, 4, "NaCl" },
|
|
- { KV5M_DATA, 1, "\1" },
|
|
- { KV5M_DATA, 8, "\x8C\xA8\x9E\xC4\xA8\xDC\x31\x73" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
-
|
|
- /* Test vectors from RFC 3961 appendix A.2. */
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "password",
|
|
- { KV5M_DATA, 21, "ATHENA.MIT.EDUraeburn" },
|
|
- { KV5M_DATA, 1, "\0" },
|
|
- { KV5M_DATA, 8, "\xCB\xC2\x2F\xAE\x23\x52\x98\xE3" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "potatoe",
|
|
- { KV5M_DATA, 19, "WHITEHOUSE.GOVdanny" },
|
|
- { KV5M_DATA, 1, "\0" },
|
|
- { KV5M_DATA, 8, "\xDF\x3D\x32\xA7\x4F\xD9\x2A\x01" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "\xF0\x9D\x84\x9E",
|
|
- { KV5M_DATA, 18, "EXAMPLE.COMpianist" },
|
|
- { KV5M_DATA, 1, "\0" },
|
|
- { KV5M_DATA, 8, "\x4F\xFB\x26\xBA\xB0\xCD\x94\x13" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "\xC3\x9F",
|
|
- { KV5M_DATA, 23, "ATHENA.MIT.EDUJuri\xC5\xA1\x69\xC4\x87" },
|
|
- { KV5M_DATA, 1, "\0" },
|
|
- { KV5M_DATA, 8, "\x62\xC8\x1A\x52\x32\xB5\xE6\x9D" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "11119999",
|
|
- { KV5M_DATA, 8, "AAAAAAAA" },
|
|
- { KV5M_DATA, 1, "\0" },
|
|
- { KV5M_DATA, 8, "\x98\x40\x54\xd0\xf1\xa7\x3e\x31" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- "NNNN6666",
|
|
- { KV5M_DATA, 8, "FFFFAAAA" },
|
|
- { KV5M_DATA, 1, "\0" },
|
|
- { KV5M_DATA, 8, "\xC4\xBF\x6B\x25\xAD\xF7\xA4\xF8" },
|
|
- 0,
|
|
- FALSE
|
|
- },
|
|
-
|
|
/* Test vectors from RFC 3961 appendix A.4. */
|
|
{
|
|
ENCTYPE_DES3_CBC_SHA1,
|
|
diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c
|
|
index c1a765732..bcf5c9106 100644
|
|
--- a/src/lib/crypto/crypto_tests/vectors.c
|
|
+++ b/src/lib/crypto/crypto_tests/vectors.c
|
|
@@ -30,7 +30,8 @@
|
|
*
|
|
* N.B.: Doesn't compile -- this file uses some routines internal to our
|
|
* crypto library which are declared "static" and thus aren't accessible
|
|
- * without modifying the other sources.
|
|
+ * without modifying the other sources. Additionally, some ciphers have been
|
|
+ * removed.
|
|
*/
|
|
|
|
#include <assert.h>
|
|
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
|
index db899a1dc..740425c69 100644
|
|
--- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
|
+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
|
|
@@ -18,8 +18,8 @@ proc test200 {} {
|
|
|
|
# I'd like to specify a long list of keysalt tuples and make sure
|
|
# that chpass does the right thing, but we can only use those
|
|
- # enctypes that krbtgt has a key for: des-cbc-crc:normal
|
|
- # according to the prototype kdc.conf.
|
|
+ # enctypes that krbtgt has a key for: the AES enctypes, according to
|
|
+ # the prototype kdc.conf.
|
|
if {! [cmd [format {
|
|
kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
|
|
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
|
|
@@ -53,10 +53,10 @@ proc test200 {} {
|
|
}
|
|
|
|
# XXX Perhaps I should actually check the key type returned.
|
|
- if {$num_keys == 2} {
|
|
+ if {$num_keys == 5} {
|
|
pass "$test"
|
|
} else {
|
|
- fail "$test: $num_keys keys, should be 2"
|
|
+ fail "$test: $num_keys keys, should be 5"
|
|
}
|
|
if { ! [cmd {kadm5_destroy $server_handle}]} {
|
|
perror "$test: unexpected failure in destroy"
|
|
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
|
|
index 8526897ed..3ea1ba29b 100644
|
|
--- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
|
|
+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
|
|
@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
|
|
}
|
|
|
|
set failed 0
|
|
- if {$num_keys != 2} {
|
|
- fail "$test: num_keys $num_keys should be 2"
|
|
+ if {$num_keys != 5} {
|
|
+ fail "$test: num_keys $num_keys should be 5"
|
|
set failed 1
|
|
}
|
|
for {set i 0} {$i < $num_keys} {incr i} {
|
|
diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
|
|
index ee652cbd3..2925c1c43 100644
|
|
--- a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
|
|
+++ b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
|
|
@@ -16,10 +16,9 @@ proc test100 {} {
|
|
return
|
|
}
|
|
|
|
- # I'd like to specify a long list of keysalt tuples and make sure
|
|
- # that randkey does the right thing, but we can only use those
|
|
- # enctypes that krbtgt has a key for: des-cbc-crc:normal and
|
|
- # des-cbc-crc:v4, according to the prototype kdc.conf.
|
|
+ # I'd like to specify a long list of keysalt tuples and make sure that
|
|
+ # randkey does the right thing, but we can only use those enctypes that
|
|
+ # krbtgt has a key for: 3DES and AES, according to the prototype kdc.conf.
|
|
if {! [cmd [format {
|
|
kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
|
|
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
|
|
@@ -47,10 +46,10 @@ proc test100 {} {
|
|
}
|
|
|
|
# XXX Perhaps I should actually check the key type returned.
|
|
- if {$num_keys == 2} {
|
|
+ if {$num_keys == 5} {
|
|
pass "$test"
|
|
} else {
|
|
- fail "$test: $num_keys keys, should be 2"
|
|
+ fail "$test: $num_keys keys, should be 5"
|
|
}
|
|
if { ! [cmd {kadm5_destroy $server_handle}]} {
|
|
perror "$test: unexpected failure in destroy"
|
|
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
|
|
index fa2392f81..8e7df96e9 100644
|
|
--- a/src/lib/kadm5/unit-test/setkey-test.c
|
|
+++ b/src/lib/kadm5/unit-test/setkey-test.c
|
|
@@ -19,15 +19,15 @@ need a random number generator
|
|
#endif /* no random */
|
|
|
|
krb5_keyblock test1[] = {
|
|
- {0, ENCTYPE_DES_CBC_CRC, 0, 0},
|
|
+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
|
|
{-1},
|
|
};
|
|
krb5_keyblock test2[] = {
|
|
- {0, ENCTYPE_DES_CBC_CRC, 0, 0},
|
|
+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
|
|
{-1},
|
|
};
|
|
krb5_keyblock test3[] = {
|
|
- {0, ENCTYPE_DES_CBC_CRC, 0, 0},
|
|
+ {0, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0, 0},
|
|
{-1},
|
|
};
|
|
|
|
diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c
|
|
index c845596d6..ea4ce6819 100644
|
|
--- a/src/lib/krb5/keytab/t_keytab.c
|
|
+++ b/src/lib/krb5/keytab/t_keytab.c
|
|
@@ -96,6 +96,8 @@ kt_test(krb5_context context, const char *name)
|
|
krb5_principal princ;
|
|
krb5_kt_cursor cursor, cursor2;
|
|
int cnt;
|
|
+ krb5_enctype e1 = ENCTYPE_AES128_CTS_HMAC_SHA256_128,
|
|
+ e2 = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
|
|
|
|
kret = krb5_kt_resolve(context, name, &kt);
|
|
CHECK(kret, "resolve");
|
|
@@ -139,9 +141,9 @@ kt_test(krb5_context context, const char *name)
|
|
/* =================== Add entries to keytab ================= */
|
|
/*
|
|
* Add the following for this principal
|
|
- * enctype 1, kvno 1, key = "1"
|
|
- * enctype 2, kvno 1, key = "1"
|
|
- * enctype 1, kvno 2, key = "2"
|
|
+ * enctype e1, kvno 1, key = "1"
|
|
+ * enctype e2, kvno 1, key = "1"
|
|
+ * enctype e1, kvno 2, key = "2"
|
|
*/
|
|
memset(&kent, 0, sizeof(kent));
|
|
kent.magic = KV5M_KEYTAB_ENTRY;
|
|
@@ -149,7 +151,7 @@ kt_test(krb5_context context, const char *name)
|
|
kent.timestamp = 327689;
|
|
kent.vno = 1;
|
|
kent.key.magic = KV5M_KEYBLOCK;
|
|
- kent.key.enctype = 1;
|
|
+ kent.key.enctype = e1;
|
|
kent.key.length = 1;
|
|
kent.key.contents = (krb5_octet *) "1";
|
|
|
|
@@ -157,11 +159,11 @@ kt_test(krb5_context context, const char *name)
|
|
kret = krb5_kt_add_entry(context, kt, &kent);
|
|
CHECK(kret, "Adding initial entry");
|
|
|
|
- kent.key.enctype = 2;
|
|
+ kent.key.enctype = e2;
|
|
kret = krb5_kt_add_entry(context, kt, &kent);
|
|
CHECK(kret, "Adding second entry");
|
|
|
|
- kent.key.enctype = 1;
|
|
+ kent.key.enctype = e1;
|
|
kent.vno = 2;
|
|
kent.key.contents = (krb5_octet *) "2";
|
|
kret = krb5_kt_add_entry(context, kt, &kent);
|
|
@@ -183,7 +185,7 @@ kt_test(krb5_context context, const char *name)
|
|
cnt = 0;
|
|
while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) {
|
|
if(((kent.vno != 1) && (kent.vno != 2)) ||
|
|
- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
|
|
+ ((kent.key.enctype != e1) && (kent.key.enctype != e2)) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Error in read contents\n");
|
|
@@ -231,7 +233,7 @@ kt_test(krb5_context context, const char *name)
|
|
/* Ensure a valid answer - we did not specify an enctype or kvno */
|
|
if (!krb5_principal_compare(context, princ, kent.principal) ||
|
|
((kent.vno != 1) && (kent.vno != 2)) ||
|
|
- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
|
|
+ ((kent.key.enctype != e1) && (kent.key.enctype != e2)) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Retrieved principal does not check\n");
|
|
@@ -243,12 +245,12 @@ kt_test(krb5_context context, const char *name)
|
|
/* Try to lookup a specific enctype - but unspecified kvno - should give
|
|
* max kvno
|
|
*/
|
|
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
|
|
+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
|
|
CHECK(kret, "looking up principal");
|
|
|
|
/* Ensure a valid answer - we did specified an enctype */
|
|
if (!krb5_principal_compare(context, princ, kent.principal) ||
|
|
- (kent.vno != 2) || (kent.key.enctype != 1) ||
|
|
+ (kent.vno != 2) || (kent.key.enctype != e1) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Retrieved principal does not check\n");
|
|
@@ -266,7 +268,7 @@ kt_test(krb5_context context, const char *name)
|
|
|
|
/* Ensure a valid answer - we did not specify a kvno */
|
|
if (!krb5_principal_compare(context, princ, kent.principal) ||
|
|
- (kent.vno != 2) || (kent.key.enctype != 1) ||
|
|
+ (kent.vno != 2) || (kent.key.enctype != e1) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Retrieved principal does not check\n");
|
|
@@ -281,11 +283,11 @@ kt_test(krb5_context context, const char *name)
|
|
|
|
/* Try to lookup specified enctype and kvno */
|
|
|
|
- kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent);
|
|
+ kret = krb5_kt_get_entry(context, kt, princ, 1, e1, &kent);
|
|
CHECK(kret, "looking up principal");
|
|
|
|
if (!krb5_principal_compare(context, princ, kent.principal) ||
|
|
- (kent.vno != 1) || (kent.key.enctype != 1) ||
|
|
+ (kent.vno != 1) || (kent.key.enctype != e1) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Retrieved principal does not check\n");
|
|
@@ -334,7 +336,7 @@ kt_test(krb5_context context, const char *name)
|
|
|
|
/* Try to lookup specified enctype and kvno - that does not exist*/
|
|
|
|
- kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent);
|
|
+ kret = krb5_kt_get_entry(context, kt, princ, 3, e1, &kent);
|
|
CHECK_ERR(kret, KRB5_KT_KVNONOTFOUND,
|
|
"looking up specific principal, kvno, enctype");
|
|
|
|
@@ -347,12 +349,12 @@ kt_test(krb5_context context, const char *name)
|
|
kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
|
|
CHECK(kret, "parsing principal");
|
|
|
|
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
|
|
+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
|
|
CHECK(kret, "looking up principal");
|
|
|
|
- /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */
|
|
+ /* Ensure a valid answer - we are looking for max(kvno) and enc=e1 */
|
|
if (!krb5_principal_compare(context, princ, kent.principal) ||
|
|
- (kent.vno != 2) || (kent.key.enctype != 1) ||
|
|
+ (kent.vno != 2) || (kent.key.enctype != e1) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Retrieved principal does not check\n");
|
|
@@ -368,12 +370,12 @@ kt_test(krb5_context context, const char *name)
|
|
krb5_free_keytab_entry_contents(context, &kent);
|
|
/* And ensure gone */
|
|
|
|
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
|
|
+ kret = krb5_kt_get_entry(context, kt, princ, 0, e1, &kent);
|
|
CHECK(kret, "looking up principal");
|
|
|
|
/* Ensure a valid answer - kvno should now be 1 - we deleted 2 */
|
|
if (!krb5_principal_compare(context, princ, kent.principal) ||
|
|
- (kent.vno != 1) || (kent.key.enctype != 1) ||
|
|
+ (kent.vno != 1) || (kent.key.enctype != e1) ||
|
|
(kent.key.length != 1) ||
|
|
(kent.key.contents[0] != kent.vno +'0')) {
|
|
fprintf(stderr, "Delete principal check failed\n");
|
|
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
|
|
index 317637684..f609e938a 100644
|
|
--- a/src/lib/krb5/krb/t_etypes.c
|
|
+++ b/src/lib/krb5/krb/t_etypes.c
|
|
@@ -36,20 +36,6 @@ static struct {
|
|
krb5_error_code expected_err_noweak;
|
|
krb5_error_code expected_err_weak;
|
|
} tests[] = {
|
|
- /* Empty string, unused default list */
|
|
- { "",
|
|
- { ENCTYPE_DES_CBC_CRC, 0 },
|
|
- { 0 },
|
|
- { 0 },
|
|
- 0, 0
|
|
- },
|
|
- /* Single weak enctype */
|
|
- { "des-cbc-md4",
|
|
- { 0 },
|
|
- { 0 },
|
|
- { ENCTYPE_DES_CBC_MD4, 0 },
|
|
- 0, 0
|
|
- },
|
|
/* Single non-weak enctype */
|
|
{ "aes128-cts-hmac-sha1-96",
|
|
{ 0 },
|
|
@@ -57,35 +43,11 @@ static struct {
|
|
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
|
|
0, 0
|
|
},
|
|
- /* Two enctypes, one an alias, one weak */
|
|
- { "rc4-hmac des-cbc-md5",
|
|
- { 0 },
|
|
- { ENCTYPE_ARCFOUR_HMAC, 0 },
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, 0 },
|
|
- 0, 0
|
|
- },
|
|
- /* Three enctypes, all weak, case variation, funky separators */
|
|
- { " deS-HMac-shA1 , arCFour-hmaC-mD5-exp\tdeS3-Cbc-RAw\n",
|
|
- { 0 },
|
|
- { 0 },
|
|
- { ENCTYPE_DES_HMAC_SHA1, ENCTYPE_ARCFOUR_HMAC_EXP,
|
|
- ENCTYPE_DES3_CBC_RAW, 0 },
|
|
- 0, 0
|
|
- },
|
|
- /* Default set with enctypes added (one weak in each pair) */
|
|
- { "DEFAULT des-cbc-raw +des3-hmac-sha1",
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP,
|
|
- ENCTYPE_DES_CBC_RAW, ENCTYPE_DES3_CBC_SHA1, 0 },
|
|
- 0, 0
|
|
- },
|
|
/* Default set with enctypes removed */
|
|
{ "default -aes128-cts -des-hmac-sha1",
|
|
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_HMAC_SHA1, 0 },
|
|
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },
|
|
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
|
|
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
|
|
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_MD5, 0 },
|
|
0, 0
|
|
},
|
|
/* Family followed by enctype */
|
|
@@ -105,31 +67,22 @@ static struct {
|
|
{ ENCTYPE_CAMELLIA128_CTS_CMAC, 0 },
|
|
{ ENCTYPE_CAMELLIA128_CTS_CMAC, 0 }
|
|
},
|
|
- /* Enctype followed by two families */
|
|
- { "+rc4-hmAC des3 +des",
|
|
- { 0 },
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
|
|
- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4 },
|
|
- 0, 0
|
|
- },
|
|
/* Default set with family added and enctype removed */
|
|
{ "DEFAULT +aes -arcfour-hmac-md5",
|
|
- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC, 0 },
|
|
+ { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 },
|
|
{ ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192,
|
|
ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 },
|
|
- { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
|
|
+ { ENCTYPE_DES3_CBC_SHA1,
|
|
ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128,
|
|
0 },
|
|
0, 0
|
|
},
|
|
/* Default set with families removed and enctypes added (one redundant) */
|
|
- { "DEFAULT -des -des3 rc4-hmac rc4-hmac-exp",
|
|
+ { "DEFAULT -des3 rc4-hmac rc4-hmac-exp",
|
|
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
- ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC,
|
|
- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, 0 },
|
|
+ ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 },
|
|
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
ENCTYPE_ARCFOUR_HMAC, 0 },
|
|
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
@@ -158,17 +111,17 @@ static struct {
|
|
},
|
|
/* Test krb5_set_default_in_tkt_ktypes */
|
|
{ NULL,
|
|
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 },
|
|
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
|
|
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES_CBC_CRC, 0 },
|
|
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
|
|
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 },
|
|
0, 0
|
|
},
|
|
/* Should get KRB5_CONFIG_ETYPE_NOSUPP if app-provided list has no strong
|
|
* enctypes and allow_weak_crypto=false. */
|
|
{ NULL,
|
|
- { ENCTYPE_DES_CBC_CRC, 0 },
|
|
+ { ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
|
|
{ 0 },
|
|
- { ENCTYPE_DES_CBC_CRC, 0 },
|
|
+ { ENCTYPE_ARCFOUR_HMAC_EXP, 0 },
|
|
KRB5_CONFIG_ETYPE_NOSUPP, 0
|
|
},
|
|
/* Should get EINVAL if app provides an empty list. */
|
|
diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c
|
|
index 1d6cceaa2..f1a8c2553 100644
|
|
--- a/src/lib/krb5/krb/t_ser.c
|
|
+++ b/src/lib/krb5/krb/t_ser.c
|
|
@@ -272,7 +272,7 @@ ser_acontext_test(krb5_context kcontext, int verbose)
|
|
KV5M_AUTH_CONTEXT))) {
|
|
memset(&ukeyblock, 0, sizeof(ukeyblock));
|
|
memset(keydata, 0, sizeof(keydata));
|
|
- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
|
|
+ ukeyblock.enctype = ENCTYPE_AES128_CTS_HMAC_SHA256_128;
|
|
ukeyblock.length = sizeof(keydata);
|
|
ukeyblock.contents = keydata;
|
|
keydata[0] = 0xde;
|
|
diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c
|
|
index 5aea68e8d..10ba8d0ac 100644
|
|
--- a/src/lib/krb5/os/t_trace.c
|
|
+++ b/src/lib/krb5/os/t_trace.c
|
|
@@ -204,7 +204,7 @@ main (int argc, char *argv[])
|
|
padatap = NULL;
|
|
|
|
TRACE(ctx, "krb5_enctype, display shortest name of enctype: {etype}",
|
|
- ENCTYPE_DES_CBC_CRC);
|
|
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96);
|
|
TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", enctypes);
|
|
TRACE(ctx, "krb5_enctype *, display list of enctypes: {etypes}", NULL);
|
|
|
|
diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref
|
|
index bd5d9b6b6..044a66999 100644
|
|
--- a/src/lib/krb5/os/t_trace.ref
|
|
+++ b/src/lib/krb5/os/t_trace.ref
|
|
@@ -40,7 +40,7 @@ int, krb5_principal type: NT 4 style name and SID
|
|
int, krb5_principal type: ?
|
|
krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0
|
|
krb5_pa_data **, display list of padata type numbers: (empty)
|
|
-krb5_enctype, display shortest name of enctype: des-cbc-crc
|
|
+krb5_enctype, display shortest name of enctype: aes128-cts
|
|
krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511
|
|
krb5_enctype *, display list of enctypes: (empty)
|
|
krb5_ccache, display type:name: FILE:/path/to/ccache
|
|
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
|
|
index 6bf6e54ac..258377299 100644
|
|
--- a/src/tests/asn.1/ktest.c
|
|
+++ b/src/tests/asn.1/ktest.c
|
|
@@ -893,7 +893,7 @@ ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p)
|
|
void
|
|
ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p)
|
|
{
|
|
- p->enctype = ENCTYPE_DES_CBC_CRC;
|
|
+ p->enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192;
|
|
ktest_make_sample_data(&p->as_req);
|
|
ktest_make_sample_data(&p->pk_as_rep);
|
|
}
|
|
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
|
|
index 3b0f7190a..55a60bbef 100644
|
|
--- a/src/tests/asn.1/pkinit_encode.out
|
|
+++ b/src/tests/asn.1/pkinit_encode.out
|
|
@@ -10,4 +10,4 @@ encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03
|
|
encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
|
|
encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A
|
|
encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
|
|
-encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 01 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
|
|
+encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
|
|
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
|
|
index f9edbe154..9557188a8 100644
|
|
--- a/src/tests/asn.1/pkinit_trval.out
|
|
+++ b/src/tests/asn.1/pkinit_trval.out
|
|
@@ -145,6 +145,6 @@ encode_krb5_sp80056a_other_info:
|
|
encode_krb5_pkinit_supp_pub_info:
|
|
|
|
[Sequence/Sequence Of]
|
|
-. [0] [Integer] 1
|
|
+. [0] [Integer] 20
|
|
. [1] [Octet String] "krb5data"
|
|
. [2] [Octet String] "krb5data"
|
|
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
|
|
index c061d764e..e8adee234 100644
|
|
--- a/src/tests/dejagnu/config/default.exp
|
|
+++ b/src/tests/dejagnu/config/default.exp
|
|
@@ -16,21 +16,6 @@ set stty_init {erase \^h kill \^u}
|
|
set env(TERM) dumb
|
|
|
|
set des3_krbtgt 0
|
|
-set tgt_support_desmd5 0
|
|
-
|
|
-# The names of the individual passes must be unique; lots of things
|
|
-# depend on it. The PASSES variable may not contain comments; only
|
|
-# small pieces get evaluated, so comments will do strange things.
|
|
-
|
|
-# Most of the purpose of using multiple passes is to exercise the
|
|
-# dependency of various bugs on configuration file settings,
|
|
-# particularly with regards to encryption types.
|
|
-
|
|
-# The des.no-kdc-md5 pass will fail if the KDC does not constrain
|
|
-# session key enctypes to those in its permitted_enctypes list. It
|
|
-# works by assuming enctype similarity, thus allowing the client to
|
|
-# request a des-cbc-md4 session key. Since only des-cbc-crc is in the
|
|
-# KDC's permitted_enctypes list, the TGT will be unusable.
|
|
|
|
if { [string length $VALGRIND] } {
|
|
rename spawn valgrind_aux_spawn
|
|
@@ -111,47 +96,21 @@ if { $PRIOCNTL_HACK } {
|
|
}
|
|
}
|
|
|
|
-# The des.des3-tgt.no-kdc-des3 pass will fail if the KDC doesn't
|
|
-# constrain ticket key enctypes to those in permitted_enctypes. It
|
|
-# does this by not putting des3 in the permitted_enctypes, while
|
|
-# creating a TGT princpal that has a des3 key as well as a des key.
|
|
+# The names of the individual passes must be unique; lots of things
|
|
+# depend on it. The PASSES variable may not contain comments; only
|
|
+# small pieces get evaluated, so comments will do strange things.
|
|
|
|
-# XXX -- master_key_type is fragile w.r.t. permitted_enctypes; it is
|
|
-# possible to configure things such that you have a master_key_type
|
|
-# that is not permitted, and the error message used to be cryptic.
|
|
+# Most of the purpose of using multiple passes is to exercise the
|
|
+# dependency of various bugs on configuration file settings,
|
|
+# particularly with regards to encryption types.
|
|
|
|
set passes {
|
|
- {
|
|
- des
|
|
- mode=udp
|
|
- des3_krbtgt=0
|
|
- {supported_enctypes=des-cbc-crc:normal}
|
|
- {dummy=[verbose -log "DES TGT, DES enctype"]}
|
|
- }
|
|
- {
|
|
- des.des3tgt
|
|
- mode=udp
|
|
- des3_krbtgt=1
|
|
- {supported_enctypes=des-cbc-crc:normal}
|
|
- {dummy=[verbose -log "DES3 TGT, DES enctype"]}
|
|
- }
|
|
{
|
|
des3
|
|
mode=udp
|
|
des3_krbtgt=1
|
|
- {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
|
|
- {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
|
|
- }
|
|
- {
|
|
- aes-des
|
|
- mode=udp
|
|
- des3_krbtgt=0
|
|
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
|
|
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc}
|
|
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc}
|
|
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc}
|
|
- {master_key_type=aes256-cts-hmac-sha1-96}
|
|
- {dummy=[verbose -log "AES + DES enctypes"]}
|
|
+ {supported_enctypes=des3-cbc-sha1:normal}
|
|
+ {dummy=[verbose -log "DES3 TGT, DES3 enctype"]}
|
|
}
|
|
{
|
|
aes-only
|
|
@@ -220,10 +179,10 @@ set passes {
|
|
aes-des3
|
|
mode=udp
|
|
des3_krbtgt=0
|
|
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
|
|
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
|
|
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
|
|
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
|
|
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal}
|
|
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
|
|
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
|
|
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
|
|
{master_key_type=aes256-cts-hmac-sha1-96}
|
|
{dummy=[verbose -log "AES + DES3 + DES enctypes"]}
|
|
}
|
|
@@ -231,12 +190,12 @@ set passes {
|
|
aes-des3tgt
|
|
mode=udp
|
|
des3_krbtgt=1
|
|
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal}
|
|
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
|
|
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
|
|
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc}
|
|
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal}
|
|
+ {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
|
|
+ {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
|
|
+ {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1}
|
|
{master_key_type=aes256-cts-hmac-sha1-96}
|
|
- {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
|
|
+ {dummy=[verbose -log "AES enctypes, DES3 TGT"]}
|
|
}
|
|
{
|
|
all-enctypes
|
|
@@ -248,115 +207,8 @@ set passes {
|
|
{allow_weak_crypto(server)=false}
|
|
{dummy=[verbose -log "all default enctypes"]}
|
|
}
|
|
- {
|
|
- des.no-kdc-md5
|
|
- mode=udp
|
|
- des3_krbtgt=0
|
|
- tgt_support_desmd5=0
|
|
- {permitted_enctypes(kdc)=des-cbc-crc}
|
|
- {default_tgs_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
|
|
- {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
|
|
- {supported_enctypes=des-cbc-crc:normal}
|
|
- {master_key_type=des-cbc-crc}
|
|
- {dummy=[verbose -log \
|
|
- "DES TGT, KDC permitting only des-cbc-crc"]}
|
|
- }
|
|
- {
|
|
- des.des3-tgt.no-kdc-des3
|
|
- mode=udp
|
|
- tgt_support_desmd5=0
|
|
- {permitted_enctypes(kdc)=des-cbc-crc}
|
|
- {default_tgs_enctypes(client)=des-cbc-crc}
|
|
- {default_tkt_enctypes(client)=des-cbc-crc}
|
|
- {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
|
|
- {master_key_type=des-cbc-crc}
|
|
- {dummy=[verbose -log \
|
|
- "DES3 TGT, KDC permitting only des-cbc-crc"]}
|
|
- }
|
|
}
|
|
|
|
-# des.md5-tgt is set as unused, since it won't trigger the error case
|
|
-# if SUPPORT_DESMD5 isn't honored.
|
|
-
|
|
-# The des.md5-tgt pass will fail if enctype similarity is inconsisent;
|
|
-# between 1.0.x and 1.1, the decrypt functions became more strict
|
|
-# about matching enctypes, while the KDB retrieval functions didn't
|
|
-# coerce the enctype to match what was requested. It works by setting
|
|
-# SUPPORT_DESMD5 on the TGT principal, forcing an enctype of
|
|
-# des-cbc-md5 on the TGT key. Since the database only contains a
|
|
-# des-cbc-crc key, the decrypt will fail if enctypes are not coerced.
|
|
-
|
|
-# des.no-kdc-md5.client-md4-skey is retained in unsed_passes, even
|
|
-# though des.no-kdc-md5 is roughly equivalent, since the associated
|
|
-# comment needs additional investigation at some point re the kadmin
|
|
-# client.
|
|
-
|
|
-# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to
|
|
-# the KDC issuing session keys that it won't accept. It will also
|
|
-# fail for a kadmin client, but for different reasons, since the kadm5
|
|
-# library does some curious filtering of enctypes, and also uses
|
|
-# get_in_tkt() rather than get_init_creds(); the former does an
|
|
-# intersection of the enctypes provided by the caller and those listed
|
|
-# in the config file!
|
|
-
|
|
-set unused_passes {
|
|
- {
|
|
- des.md5-tgt
|
|
- des3_krbtgt=0
|
|
- tgt_support_desmd5=1
|
|
- supported_enctypes=des-cbc-crc:normal
|
|
- {permitted_enctypes(kdc)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
|
|
- {permitted_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
|
|
- {dummy=[verbose -log "DES TGT, SUPPORTS_DESMD5"]}
|
|
- }
|
|
- {
|
|
- des.md5-tgt.no-kdc-md5
|
|
- des3_krbtgt=0
|
|
- tgt_support_desmd5=1
|
|
- {permitted_enctypes(kdc)=des-cbc-crc}
|
|
- {default_tgs_enctypes(client)=des-cbc-crc}
|
|
- {default_tkt_enctypes(client)=des-cbc-crc}
|
|
- {supported_enctypes=des-cbc-crc:normal}
|
|
- {master_key_type=des-cbc-crc}
|
|
- {dummy=[verbose -log \
|
|
- "DES TGT, SUPPORTS_DESMD5, KDC permitting only des-cbc-crc"]}
|
|
- }
|
|
- {
|
|
- des.no-kdc-md5.client-md4-skey
|
|
- des3_krbtgt=0
|
|
- {permitted_enctypes(kdc)=des-cbc-crc}
|
|
- {permitted_enctypes(client)=des-cbc-crc des-cbc-md4}
|
|
- {default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4}
|
|
- {default_tkt_enctypes(client)=des-cbc-md4}
|
|
- {supported_enctypes=des-cbc-crc:normal}
|
|
- {dummy=[verbose -log \
|
|
- "DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]}
|
|
- }
|
|
- {
|
|
- all-enctypes
|
|
- des3_krbtgt=1
|
|
- {supported_enctypes=\
|
|
- aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \
|
|
- aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
|
|
- des3-cbc-sha1:normal des3-cbc-sha1:none \
|
|
- des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
|
|
- }
|
|
- {dummy=[verbose -log "DES3 TGT, default enctypes"]}
|
|
- }
|
|
- {
|
|
- aes-tcp
|
|
- mode=tcp
|
|
- des3_krbtgt=0
|
|
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
|
|
- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
|
|
- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
|
|
- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
|
|
- {master_key_type=aes256-cts-hmac-sha1-96}
|
|
- {dummy=[verbose -log "AES via TCP"]}
|
|
- }
|
|
-}
|
|
-# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal }
|
|
-
|
|
# This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems
|
|
# to need it because its runtest.exp doesn't deal with PASS at all.
|
|
if [info exists PASS] {
|
|
@@ -1095,7 +947,7 @@ proc setup_kerberos_db { standalone } {
|
|
global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
|
|
global tmppwd hostname
|
|
global spawn_id
|
|
- global des3_krbtgt tgt_support_desmd5
|
|
+ global des3_krbtgt
|
|
global multipass_name last_passname_db
|
|
|
|
set failall 0
|
|
@@ -1334,48 +1186,6 @@ proc setup_kerberos_db { standalone } {
|
|
}
|
|
}
|
|
}
|
|
- if $tgt_support_desmd5 {
|
|
- # Make TGT support des-cbc-md5
|
|
- set test "kadmin.local TGT to SUPPORT_DESMD5"
|
|
- set body {
|
|
- if $failall {
|
|
- break
|
|
- }
|
|
- spawn $KADMIN_LOCAL -r $REALMNAME
|
|
- verbose "starting $test"
|
|
- expect_after $def_exp_after
|
|
-
|
|
- expect "kadmin.local: "
|
|
- send "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
|
|
- # It echos...
|
|
- expect "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
|
|
- expect {
|
|
- "Principal \"krbtgt/$REALMNAME@$REALMNAME\" modified.\r\n" { }
|
|
- }
|
|
- expect "kadmin.local: "
|
|
- send "quit\r"
|
|
- expect eof
|
|
- catch expect_after
|
|
- if ![check_exit_status kadmin_local] {
|
|
- break
|
|
- }
|
|
- }
|
|
- set ret [catch $body]
|
|
- catch "expect eof"
|
|
- catch expect_after
|
|
- if $ret {
|
|
- set failall 1
|
|
- if $standalone {
|
|
- fail $test
|
|
- } else {
|
|
- delete_db
|
|
- }
|
|
- } else {
|
|
- if $standalone {
|
|
- pass $test
|
|
- }
|
|
- }
|
|
- }
|
|
envstack_pop
|
|
|
|
# create the admin database lock file
|
|
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
|
|
index 2a332a8ae..9876a11e6 100644
|
|
--- a/src/tests/gssapi/t_invalid.c
|
|
+++ b/src/tests/gssapi/t_invalid.c
|
|
@@ -84,17 +84,6 @@ struct test {
|
|
size_t toklen;
|
|
const char *token;
|
|
} tests[] = {
|
|
- {
|
|
- ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_RAW,
|
|
- SEAL_ALG_DES, SGN_ALG_DES_MAC_MD5, 8,
|
|
- 8,
|
|
- "\x26\xEC\xBA\xB6\xFE\xBA\x91\xCE",
|
|
- 53,
|
|
- "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x00"
|
|
- "\x00\x00\x00\xFF\xFF\xF0\x0B\x90\x7B\xC4\xFC\xEB\xF4\x84\x9C\x5A"
|
|
- "\xA8\x56\x41\x3E\xE1\x62\xEE\x38\xD1\x34\x9A\xE3\xFB\xC9\xFD\x0A"
|
|
- "\xDC\x83\xE1\x4A\xE4"
|
|
- },
|
|
{
|
|
ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW,
|
|
SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20,
|
|
@@ -160,8 +149,6 @@ make_fake_context(const struct test *test)
|
|
gss_union_ctx_id_t uctx;
|
|
krb5_gss_ctx_id_t kgctx;
|
|
krb5_keyblock kb;
|
|
- unsigned char encbuf[8];
|
|
- size_t i;
|
|
|
|
kgctx = calloc(1, sizeof(*kgctx));
|
|
if (kgctx == NULL)
|
|
@@ -184,11 +171,6 @@ make_fake_context(const struct test *test)
|
|
if (krb5_k_create_key(NULL, &kb, &kgctx->seq) != 0)
|
|
abort();
|
|
|
|
- if (kb.enctype == ENCTYPE_DES_CBC_RAW) {
|
|
- for (i = 0; i < 8; i++)
|
|
- encbuf[i] = kb.contents[i] ^ 0xF0;
|
|
- kb.contents = encbuf;
|
|
- }
|
|
if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
|
|
abort();
|
|
|
|
@@ -248,7 +230,7 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
|
|
gss_iov_buffer_desc iov;
|
|
|
|
store_16_be(KG_TOK_SIGN_MSG, tokbuf);
|
|
- store_16_le(SGN_ALG_DES_MAC_MD5, tokbuf + 2);
|
|
+ store_16_le(SGN_ALG_HMAC_MD5, tokbuf + 2);
|
|
store_16_le(SEAL_ALG_NONE, tokbuf + 4);
|
|
store_16_le(0xFFFF, tokbuf + 6);
|
|
memset(tokbuf + 8, 0, 16);
|
|
diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c
|
|
index c40ea434c..7368f752f 100644
|
|
--- a/src/tests/gssapi/t_pcontok.c
|
|
+++ b/src/tests/gssapi/t_pcontok.c
|
|
@@ -43,7 +43,6 @@
|
|
#include "k5-int.h"
|
|
#include "common.h"
|
|
|
|
-#define SGN_ALG_DES_MAC_MD5 0x00
|
|
#define SGN_ALG_HMAC_SHA1_DES3_KD 0x04
|
|
#define SGN_ALG_HMAC_MD5 0x11
|
|
|
|
@@ -78,11 +77,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
|
|
ret = krb5_k_create_key(context, &seqkb, &seq);
|
|
check_k5err(context, "krb5_k_create_key", ret);
|
|
|
|
- if (signalg == SGN_ALG_DES_MAC_MD5) {
|
|
- cktype = CKSUMTYPE_RSA_MD5;
|
|
- cksize = 8;
|
|
- ckusage = 0;
|
|
- } else if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
|
|
+ if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) {
|
|
cktype = CKSUMTYPE_HMAC_SHA1_DES3;
|
|
cksize = 20;
|
|
ckusage = 23;
|
|
@@ -122,15 +117,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
|
|
d = make_data(ptr - 8, 8);
|
|
ret = krb5_k_make_checksum(context, cktype, seq, ckusage, &d, &cksum);
|
|
check_k5err(context, "krb5_k_make_checksum", ret);
|
|
- if (signalg == SGN_ALG_DES_MAC_MD5) {
|
|
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
|
|
- iov.data = make_data(cksum.contents, 16);
|
|
- ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1);
|
|
- check_k5err(context, "krb5_k_encrypt_iov", ret);
|
|
- memcpy(ptr + 8, cksum.contents + 8, 8);
|
|
- } else {
|
|
- memcpy(ptr + 8, cksum.contents, cksize);
|
|
- }
|
|
+ memcpy(ptr + 8, cksum.contents, cksize);
|
|
|
|
/* Create the sequence number (8 bytes). */
|
|
iov.flags = KRB5_CRYPTO_TYPE_DATA;
|
|
diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c
|
|
index 6a698ce0f..f71774cdc 100644
|
|
--- a/src/tests/gssapi/t_prf.c
|
|
+++ b/src/tests/gssapi/t_prf.c
|
|
@@ -41,13 +41,6 @@ static struct {
|
|
const char *key2;
|
|
const char *out2;
|
|
} tests[] = {
|
|
- { ENCTYPE_DES_CBC_CRC,
|
|
- "E607FE9DABB57AE0",
|
|
- "803C4121379FC4B87CE413B67707C4632EBED2C6D6B7"
|
|
- "2A55E878836E35E21600D915D590DED5B6D77BB30A1F",
|
|
- "54758316B6257A75",
|
|
- "279E4105F7ADC9BD6EF28ABE31D89B442FE0058388BA"
|
|
- "33264ACB5729562DC637950F6BD144B654BE7700B2D6" },
|
|
{ ENCTYPE_DES3_CBC_SHA1,
|
|
"70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2",
|
|
"9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9"
|
|
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
|
index c21d054f1..2a052fc17 100644
|
|
--- a/src/tests/t_etype_info.py
|
|
+++ b/src/tests/t_etype_info.py
|
|
@@ -24,7 +24,7 @@ def test_etinfo(princ, enctypes, expected_lines):
|
|
# With no newer enctypes in the request, PA-ETYPE-INFO2,
|
|
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
|
|
# key for the most preferred matching enctype.
|
|
-test_etinfo('user', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
|
|
+test_etinfo('user', 'rc4-hmac-exp des3 rc4',
|
|
['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser',
|
|
'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser',
|
|
'asrep pw_salt KRBTEST.COMuser'])
|
|
@@ -37,7 +37,7 @@ test_etinfo('user', 'rc4 aes256-cts',
|
|
|
|
# In preauth-required errors, PA-PW-SALT does not appear, but the same
|
|
# etype-info2 values are expected.
|
|
-test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
|
|
+test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4',
|
|
['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser',
|
|
'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser'])
|
|
test_etinfo('preauthuser', 'rc4 aes256-cts',
|
|
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
|
|
index 4af6804f2..2c825a692 100755
|
|
--- a/src/tests/t_keyrollover.py
|
|
+++ b/src/tests/t_keyrollover.py
|
|
@@ -2,7 +2,7 @@ from k5test import *
|
|
|
|
rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
|
|
|
|
-realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
|
|
+realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal',
|
|
krb5_conf=rollover_krb5_conf)
|
|
|
|
princ1 = 'host/test1@%s' % (realm.realm,)
|
|
@@ -22,9 +22,9 @@ realm.run([kvno, princ1])
|
|
realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
|
|
# Make sure an old TGT fails after purging old TGS key.
|
|
realm.run([kvno, princ2], expected_code=1)
|
|
-ddes = "DEPRECATED:des-cbc-crc"
|
|
+et = "aes128-cts-hmac-sha256-128"
|
|
msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \
|
|
- (realm.realm, realm.realm, ddes, ddes)
|
|
+ (realm.realm, realm.realm, et, et)
|
|
realm.run([klist, '-e'], expected_msg=msg)
|
|
|
|
# Check that new key actually works.
|
|
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
|
|
index 008efcb03..65084bbf3 100755
|
|
--- a/src/tests/t_salt.py
|
|
+++ b/src/tests/t_salt.py
|
|
@@ -22,7 +22,7 @@ salts = [('des3-cbc-sha1', 'norealm'),
|
|
# These enctypes are chosen to cover the different string-to-key routines.
|
|
# Omit ":normal" from aes256 to check that salttype defaulting works.
|
|
second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal',
|
|
- 'des3-cbc-sha1:normal', 'des-cbc-crc:normal']
|
|
+ 'des3-cbc-sha1:normal']
|
|
|
|
# Test using different salt types in a principal's key list.
|
|
# Parameters from one key in the list must not leak over to later ones.
|
|
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
|
index da02f224a..621b27156 100755
|
|
--- a/src/tests/t_sesskeynego.py
|
|
+++ b/src/tests/t_sesskeynego.py
|
|
@@ -23,13 +23,7 @@ conf2 = {'libdefaults': {'default_tgs_enctypes': 'aes256-cts,aes128-cts'}}
|
|
conf3 = {'libdefaults': {
|
|
'allow_weak_crypto': 'true',
|
|
'default_tkt_enctypes': 'aes128-cts',
|
|
- 'default_tgs_enctypes': 'rc4-hmac,aes128-cts,des-cbc-crc'}}
|
|
-conf4 = {'libdefaults': {
|
|
- 'allow_weak_crypto': 'true',
|
|
- 'default_tkt_enctypes': 'aes256-cts',
|
|
- 'default_tgs_enctypes': 'des-cbc-crc,rc4-hmac,aes256-cts'},
|
|
- 'realms': {'$realm': {'des_crc_session_supported': 'false'}}}
|
|
-
|
|
+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
|
# Test with client request and session_enctypes preferring aes128, but
|
|
# aes256 long-term key.
|
|
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
|
@@ -63,16 +57,6 @@ test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
|
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
|
'rc4-hmac,aes128-cts,aes256-cts'])
|
|
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
|
-
|
|
-# 3c: Test des-cbc-crc default assumption.
|
|
-realm.run([kadminl, 'delstr', 'server', 'session_enctypes'])
|
|
-test_kvno(realm, 'DEPRECATED:des-cbc-crc', 'aes256-cts-hmac-sha1-96')
|
|
-realm.stop()
|
|
-
|
|
-# Last go: test that we can disable the des-cbc-crc assumption
|
|
-realm = K5Realm(krb5_conf=conf4, get_creds=False)
|
|
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
|
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
|
realm.stop()
|
|
|
|
success('sesskeynego')
|
|
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
|
index b6d93f1d8..da2782e15 100644
|
|
--- a/src/util/k5test.py
|
|
+++ b/src/util/k5test.py
|
|
@@ -1307,7 +1307,7 @@ _passes = [
|
|
'master_key_type': 'aes256-sha2'}}}),
|
|
|
|
# Test a setup with modern principal keys but an old TGT key.
|
|
- ('aes256.destgt', 'des-cbc-crc:normal',
|
|
+ ('aes256.destgt', 'arcfour-hmac:normal',
|
|
{'libdefaults': {'allow_weak_crypto': 'true'}},
|
|
None)
|
|
]
|