Test bogus KDC-REQs

Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req() and krb5_is_tgs_req(), to make sure that the KDC recovers correctly from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also send an encoding that isn't a valid KDC-REQ. (back ported from commit dae7693) ticket: 7811 version_fixed: 1.12.1 status: resolved
krb5 · Jan 9, 2014 · bc4809b · bc4809b
1 parent 1122d59
commit bc4809b
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
@@ -122,6 +122,7 @@ check-pytests:: t_init_creds t_localauth
 	$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
 			-i au.log
+	$(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS)
 
 clean::
 	$(RM) gcred hist hrealm kdbtest plugorder responder

diff --git a/src/tests/t_bogus_kdc_req.py b/src/tests/t_bogus_kdc_req.py
@@ -0,0 +1,44 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
+# and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
+# from failures in decode_krb5_as_req() and decode_krb5_tgs_req().
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+
+# Bogus AS-REQ
+
+x1 = base64.b16decode('6AFF')
+s.sendto(x1, a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+# Bogus TGS-REQ
+
+x2 = base64.b16decode('6CFF')
+s.sendto(x2, a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+# Not a KDC-REQ, even a little bit
+
+x3 = base64.b16decode('FFFF')
+s.sendto(x3, a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('Bogus KDC-REQ test')