From 849ee959845832b206ae315ab5911c623ea61148 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 29 Sep 2023 13:13:01 +1300
Subject: [PATCH] =?UTF-8?q?tests/krb5:=20Add=20method=20to=20perform=20an?= =?UTF-8?q?=20armored=20AS=E2=80=90REQ?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/kdc_tgs_tests.py | 117 +++++++++++++++++++++++
 python/samba/tests/krb5/raw_testcase.py | 2 +
 2 files changed, 119 insertions(+)

diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index b4a21f8500a..6619081a844 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
 from samba.tests.krb5.rfc4120_constants import (
 AES256_CTS_HMAC_SHA1_96,
 ARCFOUR_HMAC_MD5,
+ FX_FAST_ARMOR_AP_REQUEST,
 KRB_ERROR,
 KDC_ERR_BADKEYVER,
 KDC_ERR_BADMATCH,
@@ -169,6 +170,122 @@ class KdcTgsBaseTests(KDCBaseTest): self.check_as_reply(rep) return kdc_exchange_dict['rep_ticket_creds'] + def _armored_as_req(self, + client_creds, + target_creds, + armor_tgt, + *, + expected_error=0, + expected_sname=None, + expect_edata=None, + expect_status=None, + expected_status=None, + expected_groups=None, + expect_device_info=None, + expected_device_groups=None, + expect_device_claims=None, + expected_device_claims=None): + client_username = client_creds.get_username() + client_realm = client_creds.get_realm() + client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_username]) + + target_name = target_creds.get_username() + target_sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[target_name]) + target_realm = target_creds.get_realm() + target_decryption_key = self.TicketDecryptionKey_from_creds( + target_creds) + target_etypes = target_creds.tgs_supported_enctypes + + authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) + armor_key = self.generate_armor_key(authenticator_subkey, + armor_tgt.session_key) + + preauth_key = self.PasswordKey_from_creds(client_creds, + kcrypto.Enctype.AES256) + + client_challenge_key = ( + self.generate_client_challenge_key(armor_key, preauth_key)) + fast_padata = [self.get_challenge_pa_data(client_challenge_key)] + + def _generate_fast_padata(kdc_exchange_dict, + _callback_dict, + req_body): + return list(fast_padata), req_body + + etypes = kcrypto.Enctype.AES256, kcrypto.Enctype.RC4 + + if expected_error: + check_error_fn = self.generic_check_kdc_error + check_rep_fn = None + else: + check_error_fn = None + check_rep_fn = self.generic_check_kdc_rep + + pac_options = '1' # claims support + + samdb = self.get_samdb() + domain_sid_str = samdb.get_domain_sid() + + if expected_groups is not None: + expected_groups = self.map_sids(expected_groups, None, domain_sid_str) + + if expected_device_groups is not None: + expected_device_groups = 
self.map_sids(expected_device_groups, None, domain_sid_str) + + if expected_sname is None: + expected_sname = target_sname + + kdc_exchange_dict = self.as_exchange_dict( + creds=client_creds, + expected_crealm=client_realm, + expected_cname=client_cname, + expected_srealm=target_realm, + expected_sname=expected_sname, + expected_supported_etypes=target_etypes, + ticket_decryption_key=target_decryption_key, + generate_fast_fn=self.generate_simple_fast, + generate_fast_armor_fn=self.generate_ap_req, + generate_fast_padata_fn=_generate_fast_padata, + fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, + check_kdc_private_fn=self.generic_check_kdc_private, + expected_error_mode=expected_error, + expected_salt=client_creds.get_salt(), + expect_edata=expect_edata, + expect_status=expect_status, + expected_status=expected_status, + expected_groups=expected_groups, + expect_device_info=expect_device_info, + expected_device_domain_sid=domain_sid_str, + expected_device_groups=expected_device_groups, + expect_device_claims=expect_device_claims, + expected_device_claims=expected_device_claims, + authenticator_subkey=authenticator_subkey, + preauth_key=preauth_key, + armor_key=armor_key, + armor_tgt=armor_tgt, + armor_subkey=authenticator_subkey, + kdc_options='0', + pac_options=pac_options, + # PA-DATA types are not important for these tests. + check_patypes=False) + + rep = self._generic_kdc_exchange( + kdc_exchange_dict, + cname=client_cname, + realm=client_realm, + sname=target_sname, + etypes=etypes) + if expected_error: + self.check_error_rep(rep, expected_error) + return None + else: + self.check_as_reply(rep) + return kdc_exchange_dict['rep_ticket_creds'] + def _tgs_req(self, tgt, expected_error, creds, target_creds, *, armor_tgt=None, kdc_options='0', diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 8e49dbb5043..af30921aa99 100644 
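Review bot: `_armored_as_req` has no docstring even though it takes ten keyword-only options and has a dual return contract, handing back `kdc_exchange_dict['rep_ticket_creds']` on success and `None` once `expected_error` is set and `check_error_rep` has run. A docstring should state that the AS-REQ is FAST-armored with an AP-REQ built from `armor_tgt` (`generate_fast_armor_fn=self.generate_ap_req`, `fast_armor_type=FX_FAST_ARMOR_AP_REQUEST`), that pre-authentication is the encrypted-challenge padata keyed from the client password at AES256, that `expected_groups` and `expected_device_groups` are rewritten through `map_sids` against the domain SID before the exchange, and that `expected_sname` defaults to the target's principal name. The `etypes` tuple offers `kcrypto.Enctype.RC4` next to AES256; if that is deliberate, to exercise the KDC's enctype selection under FAST, a comment such as `# offer RC4 as well so the KDC's enctype selection under FAST is exercised` would keep a later cleanup from dropping it, and if it is not deliberate, AES256 alone is the safer request. The method ending just above, whose tail `self.check_as_reply(rep)` / `return kdc_exchange_dict['rep_ticket_creds']` is visible as context, appears to share most of this body, so factoring the `as_exchange_dict` construction into a common helper may be worth considering; that method starts outside the hunk.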
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -3007,6 +3007,7 @@ class RawKerberosTest(TestCase):
 expected_sid=None,
 expected_requester_sid=None,
 expected_domain_sid=None,
+ expected_device_domain_sid=None,
 expected_supported_etypes=None,
 expected_flags=None,
 unexpected_flags=None,
@@ -3085,6 +3086,7 @@ class RawKerberosTest(TestCase):
 'expected_sid': expected_sid,
 'expected_requester_sid': expected_requester_sid,
 'expected_domain_sid': expected_domain_sid,
+ 'expected_device_domain_sid': expected_device_domain_sid,
 'expected_supported_etypes': expected_supported_etypes,
 'expected_flags': expected_flags,
 'unexpected_flags': unexpected_flags,
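Review bot: `expected_device_domain_sid` is added to the parameter list in the first hunk and stored in the exchange dict in the second, but nothing in either hunk reads it, so the checker that consumes it (presumably the device-info PAC check, outside this diff) is the only place its meaning lives. Since the caller in kdc_tgs_tests.py passes the same `domain_sid_str` for both `expected_domain_sid` and the new key, the difference between the two is not obvious from the call site; a short comment beside the new parameter, `# domain SID expected in the device PAC (armor TGT), distinct from expected_domain_sid for the client`, would make that explicit, with the "armor TGT" part confirmed against the consuming check. The enclosing function starts and ends outside both hunks.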