From: Joseph Sutton Date: Wed, 15 Sep 2021 23:13:09 +0000 (+1200) Subject: tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange X-Git-Tag: ldb-2.5.0~594 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a4d53dc12aa785f696e53ae3376f67375ce455f;p=thirdparty%2Fsamba.git tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 0e138352b06..6a370d3036e 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -52,7 +52,11 @@ from samba.samdb import SamDB, dsdb_Dn from samba.tests import delete_force import samba.tests.krb5.kcrypto as kcrypto -from samba.tests.krb5.raw_testcase import KerberosCredentials, RawKerberosTest +from samba.tests.krb5.raw_testcase import ( + KerberosCredentials, + KerberosTicketCreds, + RawKerberosTest +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( AD_IF_RELEVANT, @@ -66,7 +70,6 @@ from samba.tests.krb5.rfc4120_constants import ( KU_AS_REP_ENC_PART, KU_ENC_CHALLENGE_CLIENT, KU_PA_ENC_TIMESTAMP, - KU_TGS_REP_ENC_PART_SUB_KEY, KU_TICKET, NT_PRINCIPAL, NT_SRV_HST, @@ -1063,49 +1066,56 @@ class KDCBaseTest(RawKerberosTest): else: self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) - def tgs_req(self, cname, sname, realm, ticket, key, etypes): + def tgs_req(self, cname, sname, realm, ticket, key, etypes, + expected_error_mode=0): '''Send a TGS-REQ, returns the response and the decrypted and decoded enc-part ''' kdc_options = "0" - till = self.get_KerberosTime(offset=36000) - padata = [] subkey = self.RandomKey(key.etype) (ctime, cusec) = self.get_KerberosTimeWithUsec() - req = self.TGS_REQ_create(padata=padata, - cusec=cusec, - ctime=ctime, - ticket=ticket, - kdc_options=str(kdc_options), - cname=cname, - realm=realm, - sname=sname, - from_time=None, - till_time=till, - renew_time=None, - nonce=0x7ffffffe, - etypes=etypes, - addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, - additional_tickets=None, - ticket_session_key=key, - authenticator_subkey=subkey) - rep = self.send_recv_transaction(req) - self.assertIsNotNone(rep) + tgt = KerberosTicketCreds(ticket, + key, + crealm=realm, + cname=cname) - msg_type = rep['msg-type'] - enc_part = None - if msg_type == KRB_TGS_REP: - enc_part = subkey.decrypt( - KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part = self.der_decode( - enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) - return (rep, enc_part) + if not expected_error_mode: + check_error_fn = None + check_rep_fn = self.generic_check_kdc_rep + else: + check_error_fn = self.generic_check_kdc_error + check_rep_fn = None + + kdc_exchange_dict = self.tgs_exchange_dict( + expected_crealm=realm, + expected_cname=cname, + expected_srealm=realm, + expected_sname=sname, + expected_error_mode=expected_error_mode, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, + check_kdc_private_fn=self.generic_check_kdc_private, + tgt=tgt, + authenticator_subkey=subkey, + kdc_options=str(kdc_options)) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + cname=None, + realm=realm, + sname=sname, + etypes=etypes) + + if expected_error_mode: + enc_part = None + else: + ticket_creds = kdc_exchange_dict['rep_ticket_creds'] + enc_part = ticket_creds.encpart_private + + return rep, enc_part # Named tuple to contain values of interest when the PAC is decoded. PacData = namedtuple( diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 97f9dd41339..dad9e6b88df 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -84,7 +84,8 @@ class KdcTgsTests(KDCBaseTest): name_type=NT_PRINCIPAL, names=["host", samdb.host_dns_name()]) - (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype) + (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype, + expected_error_mode=KDC_ERR_BADMATCH) self.assertIsNone( enc_part, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 632f69794e6..7eba62b4022 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2039,7 +2039,6 @@ class RawKerberosTest(TestCaseInTempDir): error_code=0) ticket_private = None - self.assertIsNotNone(ticket_decryption_key) if ticket_decryption_key is not None: self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index c62e0d01bc1..2ed72fda265 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -927,22 +927,26 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache", environ={ 'ADMIN_USERNAME': '$USERNAME', - 'ADMIN_PASSWORD': '$PASSWORD' + 'ADMIN_PASSWORD': '$PASSWORD', + 'STRICT_CHECKING': '0' }) planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap", environ={ 'ADMIN_USERNAME': '$USERNAME', - 'ADMIN_PASSWORD': '$PASSWORD' + 'ADMIN_PASSWORD': '$PASSWORD', + 'STRICT_CHECKING': '0' }) planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc", environ={ 'ADMIN_USERNAME': '$USERNAME', - 'ADMIN_PASSWORD': '$PASSWORD' + 'ADMIN_PASSWORD': '$PASSWORD', + 'STRICT_CHECKING': '0' }) planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb", environ={ 'ADMIN_USERNAME': '$USERNAME', - 'ADMIN_PASSWORD': '$PASSWORD' + 'ADMIN_PASSWORD': '$PASSWORD', + 'STRICT_CHECKING': '0' }) for env in ["ad_dc", smbv1_disabled_testenv]: @@ -1545,7 +1549,8 @@ planpythontestsuite( "samba.tests.krb5.kdc_tgs_tests", environ={ 'ADMIN_USERNAME': '$USERNAME', - 'ADMIN_PASSWORD': '$PASSWORD' + 'ADMIN_PASSWORD': '$PASSWORD', + 'STRICT_CHECKING': '0' }) planpythontestsuite( "ad_dc", @@ -1560,7 +1565,8 @@ planpythontestsuite( "samba.tests.krb5.ms_kile_client_principal_lookup_tests", environ={ 'ADMIN_USERNAME': '$USERNAME', - 'ADMIN_PASSWORD': '$PASSWORD' + 'ADMIN_PASSWORD': '$PASSWORD', + 'STRICT_CHECKING': '0' }) for env in [