
tests/krb5: Get encpart decryption key from kdc_exchange_dict

Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Joseph Sutton
2021-09-03 09:55:10 +12:00
committed by Andrew Bartlett
parent a5186f9280
commit 0e99382d73
2 changed files with 49 additions and 81 deletions


@@ -45,7 +45,6 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
KRB_AS_REP,
KRB_TGS_REP,
KU_AS_REP_ENC_PART,
KU_TICKET,
NT_PRINCIPAL,
NT_SRV_INST,
@@ -1157,8 +1156,6 @@ class FAST_Tests(KDCBaseTest):
fast_cookie = None
preauth_etype_info2 = None
preauth_key = None
for kdc_dict in test_sequence:
rep_type = kdc_dict.pop('rep_type')
self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP))
@@ -1292,13 +1289,6 @@ class FAST_Tests(KDCBaseTest):
padata):
return list(padata), req_body
def _check_padata_preauth_key(_kdc_exchange_dict,
_callback_dict,
_rep,
_padata):
as_rep_usage = KU_AS_REP_ENC_PART
return preauth_key, as_rep_usage
pac_options = kdc_dict.pop('pac_options', '1') # claims support
kdc_options = kdc_dict.pop('kdc_options', kdc_options_default)
@@ -1317,11 +1307,6 @@ class FAST_Tests(KDCBaseTest):
preauth_key = None
padata = []
if rep_type == KRB_AS_REP:
check_padata_fn = _check_padata_preauth_key
else:
check_padata_fn = self.check_simple_tgs_padata
if use_fast:
inner_padata = padata
outer_padata = []
@@ -1375,13 +1360,13 @@ class FAST_Tests(KDCBaseTest):
generate_padata_fn=generate_padata_fn,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_padata_fn=check_padata_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
callback_dict={},
expected_error_mode=expected_error_mode,
client_as_etypes=etypes,
expected_salt=expected_salt,
authenticator_subkey=authenticator_subkey,
preauth_key=preauth_key,
auth_data=auth_data,
armor_key=armor_key,
armor_tgt=armor_tgt,
@@ -1408,7 +1393,6 @@ class FAST_Tests(KDCBaseTest):
generate_padata_fn=generate_padata_fn,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_padata_fn=check_padata_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error_mode,
callback_dict={},


@@ -1794,7 +1794,6 @@ class RawKerberosTest(TestCaseInTempDir):
generate_padata_fn=None,
check_error_fn=None,
check_rep_fn=None,
check_padata_fn=None,
check_kdc_private_fn=None,
callback_dict=None,
expected_error_mode=0,
@@ -1802,6 +1801,7 @@ class RawKerberosTest(TestCaseInTempDir):
client_as_etypes=None,
expected_salt=None,
authenticator_subkey=None,
preauth_key=None,
armor_key=None,
armor_tgt=None,
armor_subkey=None,
@@ -1838,7 +1838,6 @@ class RawKerberosTest(TestCaseInTempDir):
'generate_padata_fn': generate_padata_fn,
'check_error_fn': check_error_fn,
'check_rep_fn': check_rep_fn,
'check_padata_fn': check_padata_fn,
'check_kdc_private_fn': check_kdc_private_fn,
'callback_dict': callback_dict,
'expected_error_mode': expected_error_mode,
@@ -1846,6 +1845,7 @@ class RawKerberosTest(TestCaseInTempDir):
'client_as_etypes': client_as_etypes,
'expected_salt': expected_salt,
'authenticator_subkey': authenticator_subkey,
'preauth_key': preauth_key,
'armor_key': armor_key,
'armor_tgt': armor_tgt,
'armor_subkey': armor_subkey,
@@ -1878,7 +1878,6 @@ class RawKerberosTest(TestCaseInTempDir):
generate_padata_fn=None,
check_error_fn=None,
check_rep_fn=None,
check_padata_fn=None,
check_kdc_private_fn=None,
expected_error_mode=0,
expected_status=None,
@@ -1922,7 +1921,6 @@ class RawKerberosTest(TestCaseInTempDir):
'generate_padata_fn': generate_padata_fn,
'check_error_fn': check_error_fn,
'check_rep_fn': check_rep_fn,
'check_padata_fn': check_padata_fn,
'check_kdc_private_fn': check_kdc_private_fn,
'callback_dict': callback_dict,
'expected_error_mode': expected_error_mode,
@@ -1956,7 +1954,6 @@ class RawKerberosTest(TestCaseInTempDir):
expected_srealm = kdc_exchange_dict['expected_srealm']
expected_sname = kdc_exchange_dict['expected_sname']
ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key']
check_padata_fn = kdc_exchange_dict['check_padata_fn']
check_kdc_private_fn = kdc_exchange_dict['check_kdc_private_fn']
rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec']
msg_type = kdc_exchange_dict['rep_msg_type']
@@ -2004,13 +2001,9 @@ class RawKerberosTest(TestCaseInTempDir):
ticket_checksum = None
encpart_decryption_key = None
self.assertIsNotNone(check_padata_fn)
if check_padata_fn is not None:
# See if we can get the decryption key from the preauth phase
# Get the decryption key for the encrypted part
encpart_decryption_key, encpart_decryption_usage = (
check_padata_fn(kdc_exchange_dict, callback_dict,
rep, padata))
self.get_preauth_key(kdc_exchange_dict))
if armor_key is not None:
pa_dict = self.get_pa_dict(padata)
@@ -2030,7 +2023,7 @@ class RawKerberosTest(TestCaseInTempDir):
strengthen_key,
encpart_decryption_key))
fast_finished = fast_response.get('finished', None)
fast_finished = fast_response.get('finished')
if fast_finished is not None:
ticket_checksum = fast_finished['ticket-checksum']
@@ -2558,13 +2551,7 @@ class RawKerberosTest(TestCaseInTempDir):
armor_key = kdc_exchange_dict['armor_key']
self.assertIsNotNone(armor_key)
check_padata_fn = kdc_exchange_dict['check_padata_fn']
padata = self.getElementValue(rep, 'padata')
self.assertIsNotNone(check_padata_fn)
preauth_key, _ = check_padata_fn(kdc_exchange_dict,
callback_dict,
rep,
padata)
preauth_key, _ = self.get_preauth_key(kdc_exchange_dict)
kdc_challenge_key = self.generate_kdc_challenge_key(
armor_key, preauth_key)
@@ -2790,21 +2777,25 @@ class RawKerberosTest(TestCaseInTempDir):
return padata, req_body
def check_simple_tgs_padata(self,
kdc_exchange_dict,
callback_dict,
rep,
padata):
tgt = kdc_exchange_dict['tgt']
def get_preauth_key(self, kdc_exchange_dict):
msg_type = kdc_exchange_dict['rep_msg_type']
if msg_type == KRB_AS_REP:
key = kdc_exchange_dict['preauth_key']
usage = KU_AS_REP_ENC_PART
else: # KRB_TGS_REP
authenticator_subkey = kdc_exchange_dict['authenticator_subkey']
if authenticator_subkey is not None:
subkey = authenticator_subkey
subkey_usage = KU_TGS_REP_ENC_PART_SUB_KEY
key = authenticator_subkey
usage = KU_TGS_REP_ENC_PART_SUB_KEY
else:
subkey = tgt.session_key
subkey_usage = KU_TGS_REP_ENC_PART_SESSION
tgt = kdc_exchange_dict['tgt']
key = tgt.session_key
usage = KU_TGS_REP_ENC_PART_SESSION
return subkey, subkey_usage
self.assertIsNotNone(key)
return key, usage
def generate_armor_key(self, subkey, session_key):
armor_key = kcrypto.cf2(subkey.key,
@@ -2926,13 +2917,6 @@ class RawKerberosTest(TestCaseInTempDir):
req_body):
return padata, req_body
def _check_padata_preauth_key(_kdc_exchange_dict,
_callback_dict,
rep,
padata):
as_rep_usage = KU_AS_REP_ENC_PART
return preauth_key, as_rep_usage
if not expected_error_mode:
check_error_fn = None
check_rep_fn = self.generic_check_kdc_rep
@@ -2954,13 +2938,13 @@ class RawKerberosTest(TestCaseInTempDir):
generate_padata_fn=generate_padata_fn,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_padata_fn=_check_padata_preauth_key,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=expected_error_mode,
client_as_etypes=client_as_etypes,
expected_salt=expected_salt,
expected_flags=expected_flags,
unexpected_flags=unexpected_flags,
preauth_key=preauth_key,
kdc_options=str(kdc_options),
pac_request=pac_request,
pac_options=pac_options,
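Review bot: In get_preauth_key (hunk `@@ -2790,21 +2777,25 @@`) the `else:  # KRB_TGS_REP` branch accepts every rep_msg_type that is not KRB_AS_REP, so an unexpected message type would be decrypted with the TGT material instead of failing the test; an explicit `self.assertEqual(msg_type, KRB_TGS_REP)` at the top of the else branch would make the comment enforceable. The method also deserves a docstring, because its name suggests the AS preauth key while for a TGS-REP it returns the authenticator subkey or the TGT session key together with the matching key usage, e.g. `"""Return (key, usage) for decrypting the reply enc-part: the preauth key for an AS-REP, otherwise the authenticator subkey or the TGT session key."""`. The same helper is now also called in the encrypted-challenge check (hunk `@@ -2558,13 +2551,7 @@`), where its result feeds generate_kdc_challenge_key; that path presumably only runs for AS exchanges, but a one-line comment there saying so would stop a future caller from deriving the challenge key from a session key rather than the client's preauth key.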