From: Joseph Sutton Date: Thu, 18 Nov 2021 00:44:32 +0000 (+1300) Subject: tests/krb5: Add tests for FAST with use-session-key flag and armor ticket X-Git-Tag: tdb-1.4.6~431 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce;p=thirdparty%2Fsamba.git tests/krb5: Add tests for FAST with use-session-key flag and armor ticket This flag should be ignored and the FAST armor key used instead. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index a27955e0d35..ee9d932e38a 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -640,6 +640,42 @@ class FAST_Tests(KDCBaseTest):
 }
 ])
+ def test_fast_session_key(self):
+ # Ensure that specified APOptions are ignored.
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_padata_fn': self.generate_enc_challenge_padata,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+ }
+ ])
+
+ def test_fast_tgs_armor_session_key(self):
+ # Ensure that specified APOptions are ignored.
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_TGS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_tgt_fn': self.get_user_tgt,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+ }
+ ])
+
 def test_fast_outer_wrong_realm(self):
 self._run_test_sequence([
 {
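Review bot: The comment `# Ensure that specified APOptions are ignored.` on both new test methods names neither the option being set nor the observable outcome, so a reader has to find `'use-session-key'` inside the dict and consult the commit message to learn that the KDC is expected to keep using the FAST armor key. I would write it in both places as `# The armor AP-REQ sets the use-session-key AP option; the KDC must ignore it and keep using the FAST armor key, so the exchange succeeds exactly as it would without the flag.` For `test_fast_tgs_armor_session_key` a second line saying that `fast_ap_options` only affects the armor AP-REQ, not the TGS-REQ's own AP-REQ, would help, since raw_testcase.py picks between the two values on its `armor` flag. Each of the two tests is also added to a knownfail list in this same commit (Heimdal for the AS case, MIT for the TGS case), so `'expected_error_mode': 0` describes the intended behaviour rather than what those KDCs do today; a one-line note to that effect would spare the next reader the trip to selftest/.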
@@ -1420,6 +1456,8 @@ class FAST_Tests(KDCBaseTest):
 if unexpected_flags is not None:
 unexpected_flags = krb5_asn1.TicketFlags(unexpected_flags)
+ fast_ap_options = kdc_dict.pop('fast_ap_options', None)
+
 if rep_type == KRB_AS_REP:
 kdc_exchange_dict = self.as_exchange_dict(
 expected_crealm=expected_crealm,
@@ -1454,6 +1492,7 @@ class FAST_Tests(KDCBaseTest):
 outer_req=outer_req,
 pac_request=True,
 pac_options=pac_options,
+ fast_ap_options=fast_ap_options,
 expect_edata=expect_edata)
 else: # KRB_TGS_REP
 kdc_exchange_dict = self.tgs_exchange_dict(
@@ -1488,6 +1527,7 @@ class FAST_Tests(KDCBaseTest):
 outer_req=outer_req,
 pac_request=None,
 pac_options=pac_options,
+ fast_ap_options=fast_ap_options,
 expect_edata=expect_edata)
 repeat = kdc_dict.pop('repeat', 1)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 78d79d2f320..4171ead34d4 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2039,6 +2039,8 @@ class RawKerberosTest(TestCaseInTempDir):
 outer_req=None,
 pac_request=None,
 pac_options=None,
+ ap_options=None,
+ fast_ap_options=None,
 expect_edata=None,
 expect_pac=True,
 expect_claims=True,
@@ -2095,6 +2097,8 @@ class RawKerberosTest(TestCaseInTempDir):
 'outer_req': outer_req,
 'pac_request': pac_request,
 'pac_options': pac_options,
+ 'ap_options': ap_options,
+ 'fast_ap_options': fast_ap_options,
 'expect_edata': expect_edata,
 'expect_pac': expect_pac,
 'expect_claims': expect_claims,
@@ -2146,6 +2150,8 @@ class RawKerberosTest(TestCaseInTempDir):
 outer_req=None,
 pac_request=None,
 pac_options=None,
+ ap_options=None,
+ fast_ap_options=None,
 expect_edata=None,
 expect_pac=True,
 expect_claims=True,
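Review bot: `_run_test_sequence` pops only `fast_ap_options` from `kdc_dict`, so the `ap_options` parameter that this same commit adds to `as_exchange_dict`/`tgs_exchange_dict` and to the non-armor branch of the AP-REQ builder in raw_testcase.py cannot be exercised from this test file. If the options on the non-armor AP-REQ are meant to be covered by a later commit that is fine; otherwise `ap_options = kdc_dict.pop('ap_options', None)` beside this line plus `ap_options=ap_options,` in the two exchange-dict calls at `@@ -1454` and `@@ -1488` would make the two sides symmetric. The `None` default here relies on raw_testcase.py substituting `str(krb5_asn1.APOptions('0'))`; a short comment such as `# None -> all-zero APOptions (default applied in raw_testcase)` would make that contract visible where the value is chosen. The enclosing method starts before this hunk.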
@@ -2203,6 +2209,8 @@ class RawKerberosTest(TestCaseInTempDir):
 'outer_req': outer_req,
 'pac_request': pac_request,
 'pac_options': pac_options,
+ 'ap_options': ap_options,
+ 'fast_ap_options': fast_ap_options,
 'expect_edata': expect_edata,
 'expect_pac': expect_pac,
 'expect_claims': expect_claims,
@@ -3151,8 +3159,13 @@ class RawKerberosTest(TestCaseInTempDir):
 usage,
 authenticator_blob)
- ap_options = krb5_asn1.APOptions('0')
- ap_req_obj = self.AP_REQ_create(ap_options=str(ap_options),
+ if armor:
+ ap_options = kdc_exchange_dict['fast_ap_options']
+ else:
+ ap_options = kdc_exchange_dict['ap_options']
+ if ap_options is None:
+ ap_options = str(krb5_asn1.APOptions('0'))
+ ap_req_obj = self.AP_REQ_create(ap_options=ap_options,
 ticket=tgt.ticket,
 authenticator=authenticator)
 ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ())
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 56298f6a6ad..0bad613726f 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -39,6 +39,7 @@
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_session_key.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index be0d1744880..d593048c8a8 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
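Review bot: The new branch indexes `kdc_exchange_dict['fast_ap_options']` and `kdc_exchange_dict['ap_options']` directly, so an exchange dict that was not produced by the updated `as_exchange_dict`/`tgs_exchange_dict` (should any be built elsewhere in the test tree) would raise `KeyError` here instead of reaching the zero-options fallback; `kdc_exchange_dict.get('fast_ap_options')` and `kdc_exchange_dict.get('ap_options')` keep the old behaviour for such callers at no cost. The values are now consumed as an already-rendered string (the tests pass `str(krb5_asn1.APOptions('use-session-key'))`), whereas the removed lines built the `APOptions` object here, and nothing at the new parameters in `@@ -2039` and `@@ -2146` records that. I would document both parameters there with `# AP options for the non-armor AP-REQ / the FAST armor AP-REQ, given as str(krb5_asn1.APOptions(...)); None means no flags set.` The function containing this hunk, and the `armor` flag it branches on, begin outside the hunk.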
@@ -349,6 +349,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc