From: Joseph Sutton
Date: Mon, 29 Nov 2021 20:42:10 +0000 (+1300)
Subject: tests/krb5: Add FAST enc-pa-rep tests
X-Git-Tag: tdb-1.4.6~81
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48362a706f8a6c35a17ecbf625bbf29802143185;p=thirdparty%2Fsamba.git
tests/krb5: Add FAST enc-pa-rep tests
Signed-off-by: Joseph Sutton
Reviewed-by: Stefan Metzmacher
---
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index dbd4e4e4ce2..e8cdf152655 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -53,6 +53,7 @@ from samba.tests.krb5.rfc4120_constants import (
NT_SRV_INST,
PADATA_FX_COOKIE,
PADATA_FX_FAST,
+ PADATA_REQ_ENC_PA_REP,
)
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
import samba.tests.krb5.kcrypto as kcrypto
@@ -122,6 +123,35 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_simple_enc_pa_rep(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': False
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': False,
+ 'gen_padata_fn': self.generate_enc_pa_rep_timestamp_padata,
+ 'expected_flags': 'enc-pa-rep'
+ }
+ ])
+
+ # Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests.
+ def test_simple_tgs_enc_pa_rep(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': False,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'gen_padata_fn': self.generate_enc_pa_rep_padata,
+ 'expected_flags': 'enc-pa-rep'
+ }
+ ])
+
def test_simple_no_sname(self):
expected_sname = self.get_krbtgt_sname()
@@ -422,6 +452,7 @@ class FAST_Tests(KDCBaseTest):
}
])
+ # Expected to fail against Windows - Windows does not produce an error.
def test_fast_unknown_critical_option(self):
self._run_test_sequence([
{
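Review bot: The comment `# Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests.` above test_simple_tgs_enc_pa_rep is hard to square with the test itself, which sends that padata in a TGS-REQ via generate_enc_pa_rep_padata and still expects the `enc-pa-rep` flag; presumably "we" means the KDC under test and this gap is why the TGS variant lands in the knownfail lists, but that is inferred. Something like `# The KDC currently only honours PA-REQ-ENC-PA-REP in an AS-REQ; this TGS variant documents the gap and is expected to fail until that changes.` would say what the test is actually asserting. Separately, RFC 6806 section 11 has the KDC return PA-REQ-ENC-PA-REP carrying a checksum over the request inside the reply's encrypted part, and this hunk only asserts the ticket flag; unless _run_test_sequence (outside this hunk) verifies that checksum, the request-to-reply binding the mechanism exists for is not exercised.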
@@ -572,6 +603,7 @@ class FAST_Tests(KDCBaseTest):
}
])
+ # Expected to fail against Windows - Windows does not produce an error.
def test_fast_encrypted_challenge_clock_skew(self):
# The KDC is supposed to confirm that the timestamp is within its
# current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113
@@ -747,6 +779,56 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_fast_enc_pa_rep(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'expected_flags': 'enc-pa-rep'
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_padata_fn': self.generate_enc_pa_rep_challenge_padata,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'expected_flags': 'enc-pa-rep'
+ }
+ ])
+
+ # Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests.
+ def test_fast_tgs_enc_pa_rep(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'fast_armor': None,
+ 'gen_padata_fn': self.generate_enc_pa_rep_padata,
+ 'expected_flags': 'enc-pa-rep'
+ }
+ ])
+
+ # Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests.
+ def test_fast_tgs_armor_enc_pa_rep(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_padata_fn': self.generate_enc_pa_rep_padata,
+ 'expected_flags': 'enc-pa-rep'
+ }
+ ])
+
def test_fast_outer_wrong_realm(self):
self._run_test_sequence([
{
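Review bot: In test_fast_enc_pa_rep the first step expects KDC_ERR_PREAUTH_REQUIRED yet also carries `'expected_flags': 'enc-pa-rep'`; a KRB-ERROR carries no ticket, and that step sends no PA-REQ-ENC-PA-REP (it has no gen_padata_fn), so there is nothing for the flag expectation to be checked against. The non-FAST counterpart test_simple_enc_pa_rep in the earlier hunk omits expected_flags on its error step, so this reads like a copy-paste leftover; unless _run_test_sequence (outside this hunk) deliberately ignores expected_flags on error replies, drop that line so the test fails loudly if the harness ever starts checking it. The `# Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests.` comment is repeated verbatim on both TGS tests; saying who "we" is (the KDC, presumably, since the tests themselves do send it in TGS-REQs) would make the expected-to-fail intent explicit.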
@@ -1660,6 +1742,38 @@ class FAST_Tests(KDCBaseTest):
# Ensure we used all the parameters given to us.
self.assertEqual({}, kdc_dict)
+ def generate_enc_pa_rep_padata(self,
+ kdc_exchange_dict,
+ callback_dict,
+ req_body):
+ padata = self.PA_DATA_create(PADATA_REQ_ENC_PA_REP, b'')
+
+ return [padata], req_body
+
+ def generate_enc_pa_rep_challenge_padata(self,
+ kdc_exchange_dict,
+ callback_dict,
+ req_body):
+ padata, req_body = self.generate_enc_challenge_padata(kdc_exchange_dict,
+ callback_dict,
+ req_body)
+
+ padata.append(self.PA_DATA_create(PADATA_REQ_ENC_PA_REP, b''))
+
+ return padata, req_body
+
+ def generate_enc_pa_rep_timestamp_padata(self,
+ kdc_exchange_dict,
+ callback_dict,
+ req_body):
+ padata, req_body = self.generate_enc_timestamp_padata(kdc_exchange_dict,
+ callback_dict,
+ req_body)
+
+ padata.append(self.PA_DATA_create(PADATA_REQ_ENC_PA_REP, b''))
+
+ return padata, req_body
+
def generate_fast_armor_auth_data(self):
auth_data = self.AuthorizationData_create(AD_FX_FAST_ARMOR, b'')
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 7054dc543aa..38f49e13ab2 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -90,7 +90,8 @@ from samba.tests.krb5.rfc4120_constants import (
PADATA_PKINIT_KX,
PADATA_PK_AS_REQ,
PADATA_PK_AS_REP_19,
- PADATA_SUPPORTED_ETYPES
+ PADATA_SUPPORTED_ETYPES,
+ PADATA_REQ_ENC_PA_REP
)
import samba.tests.krb5.kcrypto as kcrypto
diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1
index e5c0e77150c..7b146015548 100644
--- a/python/samba/tests/krb5/rfc4120.asn1
+++ b/python/samba/tests/krb5/rfc4120.asn1
@@ -184,6 +184,7 @@ TicketFlags ::= KerberosFlags
-- the following are new since 1510
-- transited-policy-checked(12),
-- ok-as-delegate(13)
+ -- enc-pa-rep(15)
AS-REQ ::= [APPLICATION 10] KDC-REQ
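Review bot: The three new generate_enc_pa_rep_* helpers carry no docstring, and nothing explains why the PA-DATA value is `b''`. A one-line docstring on generate_enc_pa_rep_padata such as `"""Append an empty PA-REQ-ENC-PA-REP (RFC 6806 section 11) so the KDC returns a checksum over this request in the reply's encrypted padata."""`, with the two wrappers noting that they add it after the encrypted-challenge or timestamp padata, would make the intent readable without the RFC open. The two wrappers differ only in which base helper they call; a private helper that takes the `(padata, req_body)` pair and appends the PA-DATA would remove the duplicated append-and-return lines, though that is a style point.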
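Review bot: PADATA_REQ_ENC_PA_REP is added to the raw_testcase.py import list, but no other change to that file appears in this diff, so within this commit the name is unused there. If the reply-side verification (locating PA-REQ-ENC-PA-REP in the EncKDCRepPart's encrypted-pa-data and checking its checksum against the request that was sent) is meant to live in raw_testcase.py, it is not in this commit; if it was added in a separate change, a short comment next to the import pointing at that code would save the next reader a search. The enclosing import statement starts before the hunk.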
@@ -611,7 +612,8 @@ TicketFlagsValues ::= BIT STRING { -- KerberosFlags
hw-authent(11),
-- the following are new since 1510
transited-policy-checked(12),
- ok-as-delegate(13)
+ ok-as-delegate(13),
+ enc-pa-rep(15)
}
TicketFlagsSequence ::= SEQUENCE {
dummy [0] TicketFlagsValues
diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
index f582960494a..db400844be4 100644
--- a/python/samba/tests/krb5/rfc4120_constants.py
+++ b/python/samba/tests/krb5/rfc4120_constants.py
@@ -68,6 +68,8 @@ PADATA_PKINIT_KX = int(
krb5_asn1.PADataTypeValues('kRB5-PADATA-PKINIT-KX'))
PADATA_GSS = int(
krb5_asn1.PADataTypeValues('kRB5-PADATA-GSS'))
+ PADATA_REQ_ENC_PA_REP = int(
+ krb5_asn1.PADataTypeValues('kRB5-PADATA-REQ-ENC-PA-REP'))
# Error codes
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py
index b406267301c..d789ab96b43 100644
--- a/python/samba/tests/krb5/rfc4120_pyasn1.py
+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py
@@ -107,13 +107,6 @@ class EncryptionType(Int32):
pass
-class UInt32(univ.Integer):
- pass
-
- UInt32.subtypeSpec = constraint.ValueRangeConstraint(0, 4294967295)
-
-
class EncryptedData(univ.Sequence):
pass
@@ -256,6 +249,13 @@ class KerberosTime(useful.GeneralizedTime):
pass
+class UInt32(univ.Integer):
+ pass
+
+ UInt32.subtypeSpec = constraint.ValueRangeConstraint(0, 4294967295)
+
+
class KDC_REQ_BODY(univ.Sequence):
pass
@@ -1135,7 +1135,8 @@ TicketFlagsValues.namedValues = namedval.NamedValues(
('pre-authent', 10),
('hw-authent', 11),
('transited-policy-checked', 12),
- ('ok-as-delegate', 13)
+ ('ok-as-delegate', 13),
+ ('enc-pa-rep', 15)
)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 3c4470c49b5..961b1cb19c3 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -21,6 +21,7 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_as_req_self.ad_dc
@@ -42,6 +43,8 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_session_key.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc
@@ -49,6 +52,8 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 79c1219e2d5..5610fb6249a 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -349,6 +349,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc