
fixed des3-cbc-sha1-kd and extended tests

Jonathan Turner преди 8 години
родител
ревизия
6adfc4c8fd
променени са 5 файла, в които са добавени 33 реда и са изтрити 22 реда
  1. 27 16
      client/client_integration_test.go
  2. 2 2
      crypto/rfc3961/encryption.go
  3. 2 2
      iana/etypeID/constants.go
  4. 1 1
      testenv/krb5kdc-vagrant/kdc.conf
  5. 1 1
      testenv/latest-krb5kdc-vagrant/kdc.conf

+ 27 - 16
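--- a/client/client_integration_test.go
+++ b/client/client_integration_test.go
@@ -136,26 +136,37 @@ func TestClient_SuccessfulLogin_AD(t *testing.T) {
 	}
 }
 
-func TestClient_TGSExchange_AD(t *testing.T) {
+func TestClient_TGSExchange_EncTypes(t *testing.T) {
 	b, err := hex.DecodeString(testdata.TESTUSER1_KEYTAB)
 	kt, _ := keytab.Parse(b)
-	c, _ := config.NewConfigFromString(testdata.TEST_KRB5CONF_AD)
-	c.LibDefaults.DefaultTktEnctypes = []string{"rc4-hmac"}
-	c.LibDefaults.DefaultTktEnctypeIDs = []int{etypeID.RC4_HMAC}
-	c.LibDefaults.DefaultTGSEnctypes = []string{"rc4-hmac"}
-	c.LibDefaults.DefaultTGSEnctypeIDs = []int{etypeID.RC4_HMAC}
-	cl := NewClientWithKeytab("testuser1", "TEST.GOKRB5", kt)
-	cl.WithConfig(c)
-
-	err = cl.Login()
-	if err != nil {
-		t.Fatalf("Error on login: %v\n", err)
+	c, _ := config.NewConfigFromString(testdata.TEST_KRB5CONF_LATESTKDC)
+	var tests = []string{
+		"des3-cbc-sha1-kd",
+		"aes128-cts-hmac-sha1-96",
+		"aes256-cts-hmac-sha1-96",
+		"aes128-cts-hmac-sha256-128",
+		"aes256-cts-hmac-sha384-192",
+		"rc4-hmac",
 	}
-	_, _, err = cl.GetServiceTicket("HTTP/host.test.gokrb5")
-	if err != nil {
-		t.Fatalf("Error in TGS exchange: %v", err)
+	for _, test := range tests {
+		c.LibDefaults.DefaultTktEnctypes = []string{test}
+		c.LibDefaults.DefaultTktEnctypeIDs = []int{etypeID.ETypesByName[test]}
+		c.LibDefaults.DefaultTGSEnctypes = []string{test}
+		c.LibDefaults.DefaultTGSEnctypeIDs = []int{etypeID.ETypesByName[test]}
+		cl := NewClientWithKeytab("testuser1", "TEST.GOKRB5", kt)
+		cl.WithConfig(c)
+
+		err = cl.Login()
+		if err != nil {
+			t.Errorf("Error on login using enctype %s: %v\n", test, err)
+		}
+		tkt, key, err := cl.GetServiceTicket("HTTP/host.test.gokrb5")
+		if err != nil {
+			t.Errorf("Error in TGS exchange using enctype %s: %v", test, err)
+		}
+		assert.Equal(t, "TEST.GOKRB5", tkt.Realm, "Realm in ticket not as expected for %s test", test)
+		assert.Equal(t, etypeID.ETypesByName[test], key.KeyType, "Key is not for enctype %s", test)
 	}
-
 }
 
 func TestClient_FailedLogin(t *testing.T) {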
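Review bot: The loop body keeps going after a failed `cl.Login()` or `cl.GetServiceTicket(...)`, so the two `assert.Equal` calls then run against zero-valued `tkt` and `key` and report a second, misleading failure for the same enctype; add `continue` after each `t.Errorf` in the loop. The trailing `\n` in `"Error on login using enctype %s: %v\n"` is redundant under `t.Errorf` and is flagged by `go vet`. Reusing one config `c` across iterations while building a fresh client each time looks intentional, but a one-line comment such as `// c is mutated per enctype; the client takes it by reference, so build a new client each round.` would hedge that — I cannot see `WithConfig` to confirm. The only TGS test based on `TEST_KRB5CONF_AD` in view is replaced rather than extended; if AD coverage was meant to stay, it should come back under its own test name.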

+ 2 - 2
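--- a/crypto/rfc3961/encryption.go
+++ b/crypto/rfc3961/encryption.go
@@ -16,7 +16,6 @@ import (
 func DES3EncryptData(key, data []byte, e etype.EType) ([]byte, []byte, error) {
 	if len(key) != e.GetKeyByteSize() {
 		return nil, nil, fmt.Errorf("Incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
-
 	}
 	data, _ = common.ZeroPad(data, e.GetMessageBlockByteSize())
 
@@ -31,7 +30,7 @@ func DES3EncryptData(key, data []byte, e etype.EType) ([]byte, []byte, error) {
 	ct := make([]byte, len(data))
 	mode := cipher.NewCBCEncrypter(block, ivz)
 	mode.CryptBlocks(ct, data)
-	return ivz, ct, nil
+	return ct[len(ct)-e.GetMessageBlockByteSize():], ct, nil
 }
 
 // DES3EncryptMessage encrypts the message provided using DES3 and methods specific to the etype provided.
@@ -44,6 +43,7 @@ func DES3EncryptMessage(key, message []byte, usage uint32, e etype.EType) ([]byt
 		return []byte{}, []byte{}, fmt.Errorf("Could not generate random confounder: %v", err)
 	}
 	plainBytes := append(c, message...)
+	plainBytes, _ = common.ZeroPad(plainBytes, e.GetMessageBlockByteSize())
 
 	// Derive key for encryption from usage
 	var k []byte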
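Review bot: `return ct[len(ct)-e.GetMessageBlockByteSize():], ct, nil` panics with a slice-bounds error whenever `ct` is shorter than one block, which happens if `data` is empty and `common.ZeroPad` returns an empty input unchanged (its behaviour on empty input is not visible here). `DES3EncryptData` is exported, so a direct caller can reach this even though `DES3EncryptMessage` always prepends a confounder; a guard such as `if len(ct) < e.GetMessageBlockByteSize() { return ivz, ct, nil }` before the return, or an explicit error, whichever matches the package's other etypes, closes the gap. Returning the final ciphertext block is the cipher state the RFC 3961 simplified profile defines, so a comment like `// New cipher state is the last ciphertext block, not the input IV (RFC 3961 simplified profile).` would stop a later reader from "fixing" it back to `ivz`. The added `ZeroPad` in `DES3EncryptMessage` pads before key derivation, which is the order the profile expects, but that function continues past the hunk so I cannot confirm the integrity check is computed over the padded bytes.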

+ 2 - 2
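--- a/iana/etypeID/constants.go
+++ b/iana/etypeID/constants.go
@@ -43,8 +43,8 @@ var ETypesByName = map[string]int{
 	"des3-cbc-md5":                 DES3_CBC_MD5,
 	"des3-cbc-raw":                 DES3_CBC_RAW,
 	"des3-cbc-sha1":                DES3_CBC_SHA1,
-	"des3-hmac-sha1":               DES3_CBC_SHA1,
-	"des3-cbc-sha1-kd":             DES3_CBC_SHA1,
+	"des3-hmac-sha1":               DES_HMAC_SHA1,
+	"des3-cbc-sha1-kd":             DES3_CBC_SHA1_KD,
 	"des-hmac-sha1":                DES_HMAC_SHA1,
 	"dsaWithSHA1-CmsOID":           DSAWITHSHA1_CMSOID,
 	"md5WithRSAEncryption-CmsOID":  MD5WITHRSAENCRYPTION_CMSOID,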
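Review bot: `"des3-hmac-sha1": DES_HMAC_SHA1,` maps a triple-DES name onto the single-DES constant; two lines below, `"des-hmac-sha1"` resolves to that same `DES_HMAC_SHA1`, so the two names now collapse onto one single-DES id. In MIT krb5, des3-hmac-sha1 is an alias of des3-cbc-sha1-kd, so this line should read `"des3-hmac-sha1": DES3_CBC_SHA1_KD,` to agree with the line directly under it. As written, a krb5.conf that lists des3-hmac-sha1 (the kdc.conf files in this same commit do) would make the client ask for single DES, a silent downgrade to a weaker enctype that the new TGS test does not catch because it exercises the des3-cbc-sha1-kd name only; a table-driven unit test asserting that the three des3 aliases share one id would pin this.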

+ 1 - 1
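--- a/testenv/krb5kdc-vagrant/kdc.conf
+++ b/testenv/krb5kdc-vagrant/kdc.conf
@@ -10,5 +10,5 @@
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+  supported_enctypes = des3-cbc-sha1-kd:normal aes128-sha2:normal aes256-sha2:normal aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }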
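Review bot: The `supported_enctypes` line for the non-"latest" KDC now lists `aes128-sha2:normal aes256-sha2:normal`, which the older krb5 this Vagrant box provisions may not recognise; before this change only testenv/latest-krb5kdc-vagrant/kdc.conf carried those two entries, which suggests they were deliberately kept to the newer box. If that KDC rejects unknown enctype names the realm will fail to initialise, so confirm against that box's krb5 version or drop the two entries here. Since the list also keeps des-cbc-md5, des-cbc-crc and des-hmac-sha1, a short comment above the line, `# single DES and RC4 are enabled only so the client tests can exercise those etypes`, would make the intent clear to anyone reusing this config.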

+ 1 - 1
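--- a/testenv/latest-krb5kdc-vagrant/kdc.conf
+++ b/testenv/latest-krb5kdc-vagrant/kdc.conf
@@ -10,5 +10,5 @@
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal aes128-sha2:normal aes256-sha2:normal
+  supported_enctypes = des3-cbc-sha1-kd:normal aes128-sha2:normal aes256-sha2:normal aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }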