tests/krb5: Fix including enc-authorization-data
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 26 Jul 2021 05:14:08 +0000 (17:14 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 18 Aug 2021 22:28:33 +0000 (22:28 +0000)
Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/krb5/as_canonicalization_tests.py
python/samba/tests/krb5/compatability_tests.py
python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/kdc_tests.py
python/samba/tests/krb5/raw_testcase.py
python/samba/tests/krb5/s4u_tests.py
python/samba/tests/krb5/simple_tests.py
python/samba/tests/krb5/xrealm_tests.py

index abb3f96a1e64a09e8a6c4b28c6deea1cfdffe9e0..29d8cf418f563eecfa99f60f57a4442de4876847 100755 (executable)
@@ -257,8 +257,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
@@ -314,8 +312,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
index 5a1ef02ef80da24965cdf4a289c88248d4c91df9..cd67549212a8139ed121f16971eae256153d5253 100755 (executable)
@@ -147,8 +147,6 @@ class SimpleKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
 
@@ -209,8 +207,6 @@ class SimpleKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
index 79efc68254ef8a12dccff595da73bc1cb7ceba4f..7874562d32d6a6d0eefa85566c8871ca1c6b963a 100644 (file)
@@ -390,8 +390,6 @@ class KDCBaseTest(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         return rep
index c7c53953a86df2bc4c68b2730a10b79eab4d1148..930edd0a63e0e844e45fccab2d100c625cb9e96e 100755 (executable)
@@ -79,8 +79,6 @@ class KdcTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         return rep
index dfa6a71467afa6b6b59bafce4ae6a6914a19a268..f39656d5e03b97537ebbf67619d5ef5b4f436f03 100644 (file)
@@ -53,6 +53,8 @@ from samba.tests.krb5.rfc4120_constants import (
     KU_TGS_REP_ENC_PART_SUB_KEY,
     KU_TGS_REQ_AUTH,
     KU_TGS_REQ_AUTH_CKSUM,
+    KU_TGS_REQ_AUTH_DAT_SESSION,
+    KU_TGS_REQ_AUTH_DAT_SUBKEY,
     KU_TICKET,
     PADATA_ENC_TIMESTAMP,
     PADATA_ETYPE_INFO,
@@ -1022,9 +1024,10 @@ class RawKerberosTest(TestCaseInTempDir):
                             nonce,
                             etypes,
                             addresses,
+                            additional_tickets,
                             EncAuthorizationData,
                             EncAuthorizationData_key,
-                            additional_tickets,
+                            EncAuthorizationData_usage,
                             asn1_print=None,
                             hexdump=None):
         # KDC-REQ-BODY    ::= SEQUENCE {
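Review bot: Moving `additional_tickets` ahead of `EncAuthorizationData` in this signature changes what every positional argument after `addresses` binds to, and the same reorder is made in the keyword-default signature at the `@@ -1397,9 +1406,10 @@` hunk. The call updated at `@@ -1170,9 +1172,10 @@` appears to pass the leading arguments positionally, so any caller not touched by this commit that does the same would silently put a ticket list in the authorization-data slot and a key in the tickets slot. Placing a bare `*,` after `additional_tickets,` would force the three `EncAuthorizationData*` values to be named, so a stale call fails with a TypeError instead of building a malformed request. The function body continues outside the hunk.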
@@ -1054,8 +1057,9 @@ class RawKerberosTest(TestCaseInTempDir):
                 asn1Spec=krb5_asn1.AuthorizationData(),
                 asn1_print=asn1_print,
                 hexdump=hexdump)
-            enc_ad = self.EncryptedData_create(
-                EncAuthorizationData_key, enc_ad_plain)
+            enc_ad = self.EncryptedData_create(EncAuthorizationData_key,
+                                               EncAuthorizationData_usage,
+                                               enc_ad_plain)
         else:
             enc_ad = None
         KDC_REQ_BODY_obj = {
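Review bot: `EncAuthorizationData_usage` is handed to `EncryptedData_create()` without a check, and the exchange helper changed at `@@ -1397,9 +1406,10 @@` defaults it to `None`, so a test that supplies authorization data and a key through that path but no usage reaches the encryption call with `None`. What `EncryptedData_create()` does with a `None` usage is not visible here; the key usage number is what separates this ciphertext from other uses of the same key, so a missing value is better caught at this point than seen later as an unexplained KDC decrypt error. Adding `self.assertIsNotNone(EncAuthorizationData_key)` and `self.assertIsNotNone(EncAuthorizationData_usage)` as the first lines of this branch would make the requirement explicit. The `if` that opens the branch is outside the hunk.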
@@ -1123,8 +1127,6 @@ class RawKerberosTest(TestCaseInTempDir):
                       nonce,        # required
                       etypes,       # required
                       addresses,    # optional
-                      EncAuthorizationData,
-                      EncAuthorizationData_key,
                       additional_tickets,
                       native_decoded_only=True,
                       asn1_print=None,
@@ -1170,9 +1172,10 @@ class RawKerberosTest(TestCaseInTempDir):
             nonce,
             etypes,
             addresses,
-            EncAuthorizationData,
-            EncAuthorizationData_key,
             additional_tickets,
+            EncAuthorizationData=None,
+            EncAuthorizationData_key=None,
+            EncAuthorizationData_usage=None,
             asn1_print=asn1_print,
             hexdump=hexdump)
         obj, decoded = self.KDC_REQ_create(
@@ -1290,6 +1293,11 @@ class RawKerberosTest(TestCaseInTempDir):
         #                                        -- NOTE: not empty
         # }
 
+        if authenticator_subkey is not None:
+            EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY
+        else:
+            EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SESSION
+
         req_body = self.KDC_REQ_BODY_create(
             kdc_options=kdc_options,
             cname=None,
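Review bot: The usage is derived from `authenticator_subkey`, but the key still arrives separately as `EncAuthorizationData_key`, so nothing in the added lines ties the two together. RFC 4120 section 7.5.1 pairs usage 5 with the authenticator subkey and usage 4 with the TGS session key; a caller that sets a subkey but passes the session key as `EncAuthorizationData_key` would produce a usage/key mismatch. If that freedom is intended for negative tests, a comment above the `if` would record it, e.g. `# Usage follows the authenticator: subkey if present, else the TGS session key; EncAuthorizationData_key must be that same key.` The enclosing function starts and ends outside the hunk.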
@@ -1301,9 +1309,10 @@ class RawKerberosTest(TestCaseInTempDir):
             nonce=nonce,
             etypes=etypes,
             addresses=addresses,
+            additional_tickets=additional_tickets,
             EncAuthorizationData=EncAuthorizationData,
             EncAuthorizationData_key=EncAuthorizationData_key,
-            additional_tickets=additional_tickets)
+            EncAuthorizationData_usage=EncAuthorizationData_usage)
         req_body_blob = self.der_encode(req_body,
                                         asn1Spec=krb5_asn1.KDC_REQ_BODY(),
                                         asn1_print=asn1_print, hexdump=hexdump)
@@ -1397,9 +1406,10 @@ class RawKerberosTest(TestCaseInTempDir):
                               nonce=None,  # required
                               etypes=None,  # required
                               addresses=None,  # optional
+                              additional_tickets=None,  # optional
                               EncAuthorizationData=None,  # optional
                               EncAuthorizationData_key=None,  # optional
-                              additional_tickets=None):  # optional
+                              EncAuthorizationData_usage=None):  # optional
 
         check_error_fn = kdc_exchange_dict['check_error_fn']
         check_rep_fn = kdc_exchange_dict['check_rep_fn']
@@ -1425,9 +1435,10 @@ class RawKerberosTest(TestCaseInTempDir):
             nonce=nonce,
             etypes=etypes,
             addresses=addresses,
+            additional_tickets=additional_tickets,
             EncAuthorizationData=EncAuthorizationData,
             EncAuthorizationData_key=EncAuthorizationData_key,
-            additional_tickets=additional_tickets)
+            EncAuthorizationData_usage=EncAuthorizationData_usage)
         if generate_padata_fn is not None:
             # This can alter req_body...
             padata, req_body = generate_padata_fn(kdc_exchange_dict,
index 30a58d6345a7b7926814cb0ea25af53fc51055aa..57575f0595de2e922d104579df95db02e2153a2e 100755 (executable)
@@ -69,8 +69,6 @@ class S4UKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
@@ -113,8 +111,6 @@ class S4UKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
index 9650702c6c61273717eb2ece1fba477fc5975f63..795d753b4f75358f1ae880f23e4d2536d0598104 100755 (executable)
@@ -69,8 +69,6 @@ class SimpleKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
@@ -113,8 +111,6 @@ class SimpleKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
index efb953bdf7ebab7e462efb77beed9a535387b62b..073cb755b46ce009cc00eb2d29b1a2b736cc7886 100755 (executable)
@@ -68,8 +68,6 @@ class XrealmKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
@@ -112,8 +110,6 @@ class XrealmKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)