tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 28 Jul 2021 23:50:16 +0000 (11:50 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 18 Aug 2021 22:28:34 +0000 (22:28 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/krb5/raw_testcase.py

index 5016e14783c60e4ba33a4659b2f903a94aacad4e..4ebab36714122f378a96084481ff5fe30ddf5a1b 100644 (file)
@@ -68,6 +68,7 @@ from samba.tests.krb5.rfc4120_constants import (
     KU_TGS_REQ_AUTH_DAT_SUBKEY,
     KU_TICKET,
     NT_SRV_INST,
+    NT_WELLKNOWN,
     PADATA_ENCRYPTED_CHALLENGE,
     PADATA_ENC_TIMESTAMP,
     PADATA_ETYPE_INFO,
@@ -2149,7 +2150,8 @@ class RawKerberosTest(TestCaseInTempDir):
     def generic_check_kdc_error(self,
                                 kdc_exchange_dict,
                                 callback_dict,
-                                rep):
+                                rep,
+                                inner=False):
 
         rep_msg_type = kdc_exchange_dict['rep_msg_type']
 
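Review bot: The new `inner` parameter of `generic_check_kdc_error()` is undocumented, and the visible lines show no docstring that says what it means. Judging by the later hunks, it switches off the well-known `cname` expectation and forces `e-data` to be asserted missing. A short comment under the signature would record that, for example `# inner: rep is the KRB-ERROR unwrapped from a FAST response, not the outer error`. The function body continues outside this hunk.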
@@ -2173,7 +2175,10 @@ class RawKerberosTest(TestCaseInTempDir):
         # error-code checked above
         if self.strict_checking:
             self.assertElementMissing(rep, 'crealm')
-            self.assertElementMissing(rep, 'cname')
+            if expected_cname['name-type'] == NT_WELLKNOWN and not inner:
+                self.assertElementEqualPrincipal(rep, 'cname', expected_cname)
+            else:
+                self.assertElementMissing(rep, 'cname')
             self.assertElementEqualUTF8(rep, 'realm', expected_srealm)
             if sent_fast and expected_error_mode == KDC_ERR_GENERIC:
                 self.assertElementEqualPrincipal(rep, 'sname',
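Review bot: `expected_cname['name-type']` is subscripted in the new `if` without a None check, and the assignment of `expected_cname` lies outside the hunk. If any exchange reaches this point under strict checking without an expected client name, the test would stop with a TypeError instead of a readable assertion failure. If that case can occur, guard it with `if expected_cname is not None and expected_cname['name-type'] == NT_WELLKNOWN and not inner:`. A one-line comment saying why only the outer error is expected to echo a well-known cname would also help. The enclosing function starts and ends outside the hunk.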
@@ -2186,7 +2191,8 @@ class RawKerberosTest(TestCaseInTempDir):
                 or (rep_msg_type == KRB_TGS_REP
                     and not sent_fast)
                 or (sent_fast and fast_armor_type is not None
-                    and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)):
+                    and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)
+                or inner):
             self.assertElementMissing(rep, 'e-data')
             return rep
         edata = self.getElementValue(rep, 'e-data')
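Review bot: The `or inner` term is appended to an already long compound condition with no comment, so the reason an inner error must carry no `e-data` is not recorded. If this reflects the RFC 6113 rule that the KRB-ERROR inside PA-FX-ERROR omits e-data, state it above the condition, e.g. `# An inner FAST error never carries e-data (RFC 6113); padata travels in the FAST response.` The condition opens before the first line of this hunk, so the comment belongs above its start.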