mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00

tests/krb5: Add option to check reply padata

So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton 2021-11-30 09:47:32 +13:00 committed by Joseph Sutton
parent 0be58f55fa
commit 64e539bb7f
2 changed files with 97 additions and 19 deletions


@ -634,6 +634,12 @@ class RawKerberosTest(TestCaseInTempDir):
cname_checking = '1'
cls.cname_checking = bool(int(cname_checking))
padata_checking = samba.tests.env_get_var_value('CHECK_PADATA',
allow_missing=True)
if padata_checking is None:
padata_checking = '1'
cls.padata_checking = bool(int(padata_checking))
def setUp(self):
super().setUp()
self.do_asn1_print = False
@ -2318,6 +2324,12 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementPresent(encpart, 'cipher')
encpart_cipher = self.getElementValue(encpart, 'cipher')
if self.padata_checking:
self.check_reply_padata(kdc_exchange_dict,
callback_dict,
encpart,
padata)
ticket_checksum = None
# Get the decryption key for the encrypted part
@ -2963,6 +2975,52 @@ class RawKerberosTest(TestCaseInTempDir):
return rep
def check_reply_padata(self,
kdc_exchange_dict,
callback_dict,
encpart,
rep_padata):
expected_patypes = ()
sent_fast = self.sent_fast(kdc_exchange_dict)
rep_msg_type = kdc_exchange_dict['rep_msg_type']
if sent_fast:
expected_patypes += (PADATA_FX_FAST,)
elif rep_msg_type == KRB_AS_REP:
chosen_etype = self.getElementValue(encpart, 'etype')
self.assertIsNotNone(chosen_etype)
if chosen_etype in {kcrypto.Enctype.AES256,
kcrypto.Enctype.AES128}:
expected_patypes += (PADATA_ETYPE_INFO2,)
got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
self.assertSequenceElementsEqual(expected_patypes, got_patypes)
if not expected_patypes:
return None
pa_dict = self.get_pa_dict(rep_padata)
etype_info2 = pa_dict.get(PADATA_ETYPE_INFO2)
if etype_info2 is not None:
etype_info2 = self.der_decode(etype_info2,
asn1Spec=krb5_asn1.ETYPE_INFO2())
self.assertEqual(len(etype_info2), 1)
elem = etype_info2[0]
e = self.getElementValue(elem, 'etype')
self.assertEqual(e, chosen_etype)
salt = self.getElementValue(elem, 'salt')
self.assertIsNotNone(salt)
expected_salt = kdc_exchange_dict['expected_salt']
if expected_salt is not None:
self.assertEqual(salt, expected_salt)
s2kparams = self.getElementValue(elem, 's2kparams')
if self.strict_checking:
self.assertIsNone(s2kparams)
def check_rep_padata(self,
kdc_exchange_dict,
callback_dict,
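Review bot: `check_reply_padata` iterates `rep_padata` without allowing for a reply that carries no padata at all, so `tuple(pa['padata-type'] for pa in rep_padata)` would raise a TypeError rather than a test failure if the caller passes None; where `padata` comes from in the calling hunk is outside the visible lines, so this needs confirming. Normalising first with `if rep_padata is None: rep_padata = ()` lets `assertSequenceElementsEqual` report the mismatch against `expected_patypes` instead. `chosen_etype` is also bound only in the `KRB_AS_REP` branch but read later in the ETYPE-INFO2 check; as far as the flattened listing shows, starting the method with `chosen_etype = None` would avoid an unbound name if a FAST reply ever reached that comparison. A short docstring stating which padata types are expected for FAST replies, AS-REPs with AES keys and everything else would make the intent of the check easier to audit.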


@ -962,6 +962,7 @@ tkt_sig_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
expect_pac = int('SAMBA4_USES_HEIMDAL' in config_hash)
extra_pac_buffers = int('SAMBA4_USES_HEIMDAL' in config_hash)
check_cname = int('SAMBA4_USES_HEIMDAL' in config_hash)
check_padata = int('SAMBA4_USES_HEIMDAL' in config_hash)
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
environ={'SERVICE_USERNAME':'$SERVER',
@ -969,7 +970,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname})
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata})
planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
environ={'ADMIN_USERNAME':'$USERNAME',
'ADMIN_PASSWORD':'$PASSWORD',
@ -979,7 +981,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname})
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata})
planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
environ={'ADMIN_USERNAME':'$USERNAME',
'ADMIN_PASSWORD':'$PASSWORD',
@ -988,7 +991,8 @@ planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname})
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata})
planoldpythontestsuite("ad_dc_default", "samba.tests.dsdb_dns")
@ -997,7 +1001,8 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname})
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata})
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache",
environ={
@ -1008,7 +1013,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap",
environ={
@ -1019,7 +1025,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
for env in ['ad_dc_default', 'ad_member']:
planoldpythontestsuite(env, "samba.tests.krb5.test_rpc",
@ -1031,7 +1038,8 @@ for env in ['ad_dc_default', 'ad_member']:
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
environ={
@ -1042,7 +1050,8 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planoldpythontestsuite("ad_member_idmap_nss:local",
"samba.tests.krb5.test_min_domain_uid",
@ -1067,7 +1076,8 @@ planoldpythontestsuite("ad_member_idmap_nss:local",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
for env in ["ad_dc", smbv1_disabled_testenv]:
@ -1664,7 +1674,8 @@ for env in ["fl2008r2dc", "fl2003dc"]:
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests',
@ -1676,7 +1687,8 @@ planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests',
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
@ -1701,7 +1713,8 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
environ={
@ -1712,14 +1725,16 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests",
environ={'FAST_SUPPORT': have_fast_support,
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname})
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata})
planpythontestsuite(
"ad_dc",
"samba.tests.krb5.kdc_tgs_tests",
@ -1731,7 +1746,8 @@ planpythontestsuite(
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planpythontestsuite(
"ad_dc",
@ -1744,7 +1760,8 @@ planpythontestsuite(
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planpythontestsuite(
"ad_dc",
@ -1757,7 +1774,8 @@ planpythontestsuite(
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planpythontestsuite(
"ad_dc",
@ -1770,7 +1788,8 @@ planpythontestsuite(
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planpythontestsuite(
"ad_dc",
@ -1783,7 +1802,8 @@ planpythontestsuite(
'TKT_SIG_SUPPORT': tkt_sig_support,
'EXPECT_PAC': expect_pac,
'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
'CHECK_CNAME': check_cname
'CHECK_CNAME': check_cname,
'CHECK_PADATA': check_padata
})
planoldpythontestsuite(
'ad_dc',
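Review bot: The `'CHECK_PADATA': check_padata` entry is appended by hand to every krb5 `environ` dict in this file, while the test class falls back to `'1'` when the variable is missing, so a suite that is overlooked would run with padata checking enabled even on builds where `check_padata` is 0. Collecting the shared keys once, for example `krb5_environ = {'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, 'CHECK_PADATA': check_padata}` and passing `environ={**krb5_environ, ...}` at each call, would keep the flags consistent across suites. A one-line comment above `check_padata = int('SAMBA4_USES_HEIMDAL' in config_hash)` saying why the check is limited to Heimdal builds would also help the next reader.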