From: Joseph Sutton Date: Tue, 14 Dec 2021 06:16:15 +0000 (+1300) Subject: tests/krb5: Add tests for AS-REQ to self with FAST X-Git-Tag: tdb-1.4.6~284 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f4eca775aa52cfe40a25ead90c560d76b286ad9;p=thirdparty%2Fsamba.git tests/krb5: Add tests for AS-REQ to self with FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184 --- diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 54b74c067e8..6a6fdfa786e 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -95,6 +95,23 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_simple_as_req_self(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True + } + ], client_account=self.AccountType.COMPUTER) + def test_simple_tgs(self): self._run_test_sequence([ { @@ -479,6 +496,27 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_encrypted_challenge_as_req_self(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'as_req_self': True + } + ], client_account=self.AccountType.COMPUTER) + def test_fast_encrypted_challenge_wrong_key(self): self._run_test_sequence([ { 
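Review bot: Neither step of `test_simple_as_req_self` sets `expected_flags` or `unexpected_flags`, so the flags on the ticket the KDC issues to the computer account for its own name are only checked against whatever default `_run_test_sequence` computes, which is outside this hunk. A ticket to self is a service ticket sealed in the client's own long-term key rather than the krbtgt key, so it is worth pinning the flag set the test expects on it explicitly in the second step dict, in the same way other steps in this file pass flag keys, rather than relying on the harness default. The test also only exercises `AccountType.COMPUTER`; a sibling run with a USER account would show whether the KDC treats the two differently for a self-targeted AS-REQ, if that case is meant to be supported.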
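Review bot: In `test_fast_encrypted_challenge_as_req_self` the FAST armor comes from `self.get_mach_tgt` while the client itself is a COMPUTER account (`client_account=self.AccountType.COMPUTER`); if `get_mach_tgt` returns the TGT of that same machine account, which cannot be told from this hunk, the armor key and the client's reply key derive from one account, and the encrypted-challenge exchange would not reveal a KDC that derived the challenge key from the wrong side. Consider armoring with a TGT for a different account (for example a second computer account, if the base test class can create one) or adding a variant that does, so the armor and client keys are independent as they would be in a real deployment.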
@@ -1256,14 +1294,15 @@ class FAST_Tests(KDCBaseTest): return fast_padata - def _run_test_sequence(self, test_sequence): + def _run_test_sequence(self, test_sequence, + client_account=KDCBaseTest.AccountType.USER): if self.strict_checking: self.check_kdc_fast_support() kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' 'canonicalize')) - client_creds = self.get_client_creds() + client_creds = self.get_cached_creds(account_type=client_account) target_creds = self.get_service_creds() krbtgt_creds = self.get_krbtgt_creds() @@ -1289,6 +1328,10 @@ class FAST_Tests(KDCBaseTest): target_creds) target_etypes = target_creds.tgs_supported_enctypes + client_decryption_key = self.TicketDecryptionKey_from_creds( + client_creds) + client_etypes = client_creds.tgs_supported_enctypes + fast_cookie = None preauth_etype_info2 = None @@ -1350,10 +1393,16 @@ class FAST_Tests(KDCBaseTest): cname = client_cname if rep_type == KRB_AS_REP else None crealm = client_realm + as_req_self = kdc_dict.pop('as_req_self', False) + if as_req_self: + self.assertEqual(KRB_AS_REP, rep_type) + if 'sname' in kdc_dict: sname = kdc_dict.pop('sname') else: - if rep_type == KRB_AS_REP: + if as_req_self: + sname = client_cname + elif rep_type == KRB_AS_REP: sname = krbtgt_sname else: # KRB_TGS_REP sname = target_sname 
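Review bot: The change from `self.get_client_creds()` to `self.get_cached_creds(account_type=client_account)` applies to every existing caller of `_run_test_sequence`, not only the two new self tests; unless `get_client_creds()` was already a thin wrapper over the cached USER credentials (not visible here), this silently changes which account all FAST tests authenticate as and deserves a sentence in the commit message. The new `client_account` parameter and the `as_req_self` step key are also undocumented; a docstring such as `"""Run each step dict of test_sequence against the KDC as client_account; a step with 'as_req_self': True sends an AS-REQ whose sname is the client's own name."""` would save the next reader a trip through the body. `_run_test_sequence` continues well past the end of this hunk.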
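Review bot: A step that sets both `'as_req_self': True` and an explicit `'sname'` is accepted here, and the `'sname' in kdc_dict` branch wins, so the request targets the supplied name while the later hunk still selects `client_decryption_key` and `client_etypes` purely on `as_req_self`; the reply would then be decrypted with the wrong key and the test would fail for a misleading reason. Reject the combination next to the existing check, `self.assertNotIn('sname', kdc_dict, 'as_req_self and sname are mutually exclusive')` inside the `if as_req_self:` block, or state in a comment that an explicit `sname` overrides `as_req_self` and pick the decryption key accordingly. The surrounding function starts and ends outside this hunk.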
@@ -1493,16 +1542,23 @@ class FAST_Tests(KDCBaseTest): strict_edata_checking = kdc_dict.pop('strict_edata_checking', True) if rep_type == KRB_AS_REP: + if as_req_self: + expected_supported_etypes = client_etypes + decryption_key = client_decryption_key + else: + expected_supported_etypes = krbtgt_etypes + decryption_key = krbtgt_decryption_key + kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, expected_anon=expected_anon, expected_srealm=expected_srealm, expected_sname=expected_sname, - expected_supported_etypes=krbtgt_etypes, + expected_supported_etypes=expected_supported_etypes, expected_flags=expected_flags, unexpected_flags=unexpected_flags, - ticket_decryption_key=krbtgt_decryption_key, + ticket_decryption_key=decryption_key, generate_fast_fn=generate_fast_fn, generate_fast_armor_fn=generate_fast_armor_fn, generate_fast_padata_fn=generate_fast_padata_fn, diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index a8810abcf8f..3c4470c49b5 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -23,6 +23,7 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_as_req_self.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc