From: Joseph Sutton Date: Mon, 29 Nov 2021 20:47:32 +0000 (+1300) Subject: tests/krb5: Add option to check reply padata X-Git-Tag: tdb-1.4.6~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64e539bb7fd8f6634a0ba767f6890356b6d51299;p=thirdparty%2Fsamba.git tests/krb5: Add option to check reply padata So far we have only been checking padata in error replies and with FAST. We should also check it in the general success case. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher
---
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 5d63bd99e8c..584a3fe5567 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -634,6 +634,12 @@ class RawKerberosTest(TestCaseInTempDir):
 cname_checking = '1'
 cls.cname_checking = bool(int(cname_checking))
 
+ padata_checking = samba.tests.env_get_var_value('CHECK_PADATA',
+ allow_missing=True)
+ if padata_checking is None:
+ padata_checking = '1'
+ cls.padata_checking = bool(int(padata_checking))
+
 def setUp(self):
 super().setUp()
 self.do_asn1_print = False
@@ -2318,6 +2324,12 @@ class RawKerberosTest(TestCaseInTempDir):
 self.assertElementPresent(encpart, 'cipher')
 encpart_cipher = self.getElementValue(encpart, 'cipher')
 
+ if self.padata_checking:
+ self.check_reply_padata(kdc_exchange_dict,
+ callback_dict,
+ encpart,
+ padata)
+
 ticket_checksum = None
 
 # Get the decryption key for the encrypted part
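Review bot: `cls.padata_checking = bool(int(padata_checking))` accepts only numeric strings, so a CHECK_PADATA value such as `true` or `yes` in the caller's environment fails with a ValueError inside the enclosing classmethod instead of a clear message; the sibling cname_checking parsing a few lines above has the same shape, so the behaviour is consistent, but the accepted values are recorded nowhere. A one-line comment next to the env lookup would fix that, e.g. `# CHECK_PADATA: '0' disables reply-padata checks, '1' (the default) enables them.` The enclosing classmethod starts outside the hunk.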
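Review bot: The new `self.check_reply_padata(...)` call runs before the reply key is obtained and the encrypted part decrypted, so everything it asserts is taken from the cleartext padata of the KDC-REP and from the EncryptedData header (`etype`); nothing in the hunk shows those fields being covered by a key, and outside FAST a KDC-REP's padata sits outside the enc-part. A short comment would keep a later reader from treating a passing check as something verified under the reply key, e.g. `# Checked before decryption: this is a KDC-conformance check on the unprotected padata.` The enclosing method starts and ends outside the hunk.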
@@ -2963,6 +2975,52 @@ class RawKerberosTest(TestCaseInTempDir):
 return rep
 
+ def check_reply_padata(self,
+ kdc_exchange_dict,
+ callback_dict,
+ encpart,
+ rep_padata):
+ expected_patypes = ()
+
+ sent_fast = self.sent_fast(kdc_exchange_dict)
+ rep_msg_type = kdc_exchange_dict['rep_msg_type']
+
+ if sent_fast:
+ expected_patypes += (PADATA_FX_FAST,)
+ elif rep_msg_type == KRB_AS_REP:
+ chosen_etype = self.getElementValue(encpart, 'etype')
+ self.assertIsNotNone(chosen_etype)
+
+ if chosen_etype in {kcrypto.Enctype.AES256,
+ kcrypto.Enctype.AES128}:
+ expected_patypes += (PADATA_ETYPE_INFO2,)
+
+ got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
+ self.assertSequenceElementsEqual(expected_patypes, got_patypes)
+
+ if not expected_patypes:
+ return None
+
+ pa_dict = self.get_pa_dict(rep_padata)
+
+ etype_info2 = pa_dict.get(PADATA_ETYPE_INFO2)
+ if etype_info2 is not None:
+ etype_info2 = self.der_decode(etype_info2,
+ asn1Spec=krb5_asn1.ETYPE_INFO2())
+ self.assertEqual(len(etype_info2), 1)
+ elem = etype_info2[0]
+
+ e = self.getElementValue(elem, 'etype')
+ self.assertEqual(e, chosen_etype)
+ salt = self.getElementValue(elem, 'salt')
+ self.assertIsNotNone(salt)
+ expected_salt = kdc_exchange_dict['expected_salt']
+ if expected_salt is not None:
+ self.assertEqual(salt, expected_salt)
+ s2kparams = self.getElementValue(elem, 's2kparams')
+ if self.strict_checking:
+ self.assertIsNone(s2kparams)
+
 def check_rep_padata(self,
 kdc_exchange_dict,
 callback_dict,
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index a13a7ced0e5..227fecbc9fe 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
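Review bot: In `check_reply_padata`, `chosen_etype` is bound only on the `elif rep_msg_type == KRB_AS_REP:` branch, yet `self.assertEqual(e, chosen_etype)` further down reads it whenever an ETYPE-INFO2 element is present; that is safe only because `assertSequenceElementsEqual(expected_patypes, got_patypes)` has already rejected any reply carrying ETYPE-INFO2 outside the AS-REP case, and the dependency is invisible at the point of use. Initialising `chosen_etype = None` before `if sent_fast:` and adding `# ETYPE-INFO2 can only be present in the AS-REP case, so chosen_etype is bound when it is read.` removes the apparent NameError. The method also has no docstring; a two-line one should state that it pins the reply's padata types to exactly the expected set (FX-FAST under FAST, ETYPE-INFO2 for an AES AS-REP, nothing otherwise) and then validates the ETYPE-INFO2 etype, salt and s2kparams, and a why-comment on the AES-only expectation is worth adding (presumably because those are the salted enctypes — confirm).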
@@ -962,6 +962,7 @@ tkt_sig_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
 expect_pac = int('SAMBA4_USES_HEIMDAL' in config_hash)
 extra_pac_buffers = int('SAMBA4_USES_HEIMDAL' in config_hash)
 check_cname = int('SAMBA4_USES_HEIMDAL' in config_hash)
+check_padata = int('SAMBA4_USES_HEIMDAL' in config_hash)
 planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
 planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
 environ={'SERVICE_USERNAME':'$SERVER',
@@ -969,7 +970,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname})
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata})
 planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
 environ={'ADMIN_USERNAME':'$USERNAME',
 'ADMIN_PASSWORD':'$PASSWORD',
@@ -979,7 +981,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname})
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata})
 planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
 environ={'ADMIN_USERNAME':'$USERNAME',
 'ADMIN_PASSWORD':'$PASSWORD',
@@ -988,7 +991,8 @@ planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname})
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata})
 planoldpythontestsuite("ad_dc_default", "samba.tests.dsdb_dns")
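Review bot: `check_padata = int('SAMBA4_USES_HEIMDAL' in config_hash)` switches the new reply-padata checks off entirely on non-Heimdal builds, so an MIT-backed KDC's reply padata is never compared against the expectations in check_reply_padata; this mirrors the check_cname flag directly above it, but the reason for gating on the KDC implementation is recorded nowhere in the file. A comment on the new line, e.g. `# Reply padata is only checked against the Heimdal KDC for now (presumably the MIT KDC does not yet match these expectations).`, would tell a reader whether the MIT gap is intended or a TODO. The same flag is then threaded through every later hunk of this file, which needs no further comment.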
@@ -997,7 +1001,8 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname})
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata})
 
 planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache",
 environ={
@@ -1008,7 +1013,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap",
 environ={
@@ -1019,7 +1025,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 for env in ['ad_dc_default', 'ad_member']:
 planoldpythontestsuite(env, "samba.tests.krb5.test_rpc",
@@ -1031,7 +1038,8 @@ for env in ['ad_dc_default', 'ad_member']:
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
 environ={
@@ -1042,7 +1050,8 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planoldpythontestsuite("ad_member_idmap_nss:local",
 "samba.tests.krb5.test_min_domain_uid",
@@ -1067,7 +1076,8 @@ planoldpythontestsuite("ad_member_idmap_nss:local",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 
 for env in ["ad_dc", smbv1_disabled_testenv]:
@@ -1664,7 +1674,8 @@ for env in ["fl2008r2dc", "fl2003dc"]:
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 
 planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests',
@@ -1676,7 +1687,8 @@ planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests',
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 
 for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
@@ -1701,7 +1713,8 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
 environ={
@@ -1712,14 +1725,16 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests",
 environ={'FAST_SUPPORT': have_fast_support,
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname})
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata})
 planpythontestsuite(
 "ad_dc",
 "samba.tests.krb5.kdc_tgs_tests",
@@ -1731,7 +1746,8 @@ planpythontestsuite(
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planpythontestsuite(
 "ad_dc",
@@ -1744,7 +1760,8 @@ planpythontestsuite(
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planpythontestsuite(
 "ad_dc",
@@ -1757,7 +1774,8 @@ planpythontestsuite(
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planpythontestsuite(
 "ad_dc",
@@ -1770,7 +1788,8 @@ planpythontestsuite(
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planpythontestsuite(
 "ad_dc",
@@ -1783,7 +1802,8 @@ planpythontestsuite(
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
- 'CHECK_CNAME': check_cname
+ 'CHECK_CNAME': check_cname,
+ 'CHECK_PADATA': check_padata
 })
 planoldpythontestsuite(
 'ad_dc',