From: Joseph Sutton Date: Wed, 20 Dec 2023 03:38:33 +0000 (+1300) Subject: tests/krb5: Test that root key data is the correct length in bytes X-Git-Tag: talloc-2.4.2~189 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4946ab4c17f1d4615a98e4c8d1f5e82456aa5cf7;p=thirdparty%2Fsamba.git tests/krb5: Test that root key data is the correct length in bytes Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/gkdi.py b/python/samba/tests/gkdi.py
index 53cd6146aa6..53b49a31556 100644
--- a/python/samba/tests/gkdi.py
+++ b/python/samba/tests/gkdi.py
@@ -514,12 +514,6 @@ class GkdiBaseTest(TestCase):
 if data is None:
 data = secrets.token_bytes(KEY_LEN_BYTES)
- else:
- self.assertEqual(
- KEY_LEN_BYTES,
- len(data),
- f"root key data must be {KEY_LEN_BYTES} bytes",
- )
 create_time = current_nt_time = self.current_nt_time()
diff --git a/python/samba/tests/krb5/gkdi_tests.py b/python/samba/tests/krb5/gkdi_tests.py
index edb15023737..a2a074f81ec 100755
--- a/python/samba/tests/krb5/gkdi_tests.py
+++ b/python/samba/tests/krb5/gkdi_tests.py
@@ -32,6 +32,7 @@ from samba.gkdi import (
 Algorithm,
 Gkid,
 KEY_CYCLE_DURATION,
+ KEY_LEN_BYTES,
 MAX_CLOCK_SKEW,
 NtTime,
 NtTimeDelta,
@@ -287,6 +288,30 @@ class GkdiExplicitRootKeyTests(GkdiKdcBaseTest):
 "using a non‐existent root key should fail with NO_KEY",
 )
+ def test_root_key_wrong_length(self):
+ """Attempt to use a root key that is the wrong length."""
+ root_key_id = self.new_root_key(data=bytes(KEY_LEN_BYTES // 2))
+
+ gkid = self.current_gkid()
+
+ with self.assertRaises(GetKeyError) as err:
+ self.get_key(self.get_samdb(), self.gmsa_sd, root_key_id, gkid)
+
+ self.assertEqual(
+ HRES_NTE_BAD_KEY,
+ err.exception.args[0],
+ "using a root key that is the wrong length should fail with BAD_KEY",
+ )
+
+ with self.assertRaises(GetKeyError) as rpc_err:
+ self.rpc_get_key(self.gkdi_conn(), self.gmsa_sd, root_key_id, gkid)
+
+ self.assertEqual(
+ HRES_NTE_BAD_KEY,
+ rpc_err.exception.args[0],
+ "using a root key that is the wrong length should fail with BAD_KEY",
+ )
+
 class GkdiImplicitRootKeyTests(GkdiKdcBaseTest):
 _root_key: ClassVar[misc.GUID]
diff --git a/selftest/knownfail.d/gkdi b/selftest/knownfail.d/gkdi
index 68f3dffd42e..fbea302922f 100644
--- a/selftest/knownfail.d/gkdi
+++ b/selftest/knownfail.d/gkdi
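Review bot: test_root_key_wrong_length covers only a root key that is too short (`bytes(KEY_LEN_BYTES // 2)`), so an implementation that enforces a minimum length but accepts over-long key data would still pass it. Running the same body for a longer key as well would pin the check to an exact length, presumably with the same HRES_NTE_BAD_KEY result: `for length in (KEY_LEN_BYTES // 2, KEY_LEN_BYTES * 2):` with `with self.subTest(length=length):` and `data=bytes(length)`. This matters more because the same commit removes the length assertion from new_root_key() in python/samba/tests/gkdi.py, so malformed key data is no longer stopped on the test side. The matching entry added to selftest/knownfail.d/gkdi suggests the length check is not enforced yet, so that entry will need removing once it is. The method is complete within the hunk; the enclosing class continues outside it.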
@@ -10,6 +10,7 @@
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiExplicitRootKeyTests\.test_previous_l0_idx\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiExplicitRootKeyTests\.test_root_key_use_start_time_too_low\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiExplicitRootKeyTests\.test_root_key_use_start_time_zero\(ad_dc\)$
+^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiExplicitRootKeyTests\.test_root_key_wrong_length\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_both_seed_keys\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_l1_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_l2_seed_key\(ad_dc\)$