1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2021-09-29 16:15:26 +13:00 committed by Andrew Bartlett
parent 8e1efd8bd3
commit aa2e583fde
2 changed files with 55 additions and 0 deletions

View File

@ -113,6 +113,9 @@ interface krb5pac
PAC_TYPE_LOGON_NAME = 10,
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
PAC_TYPE_UPN_DNS_INFO = 12,
PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
PAC_TYPE_DEVICE_INFO = 14,
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
PAC_TYPE_TICKET_CHECKSUM = 16
} PAC_TYPE;

View File

@ -2340,6 +2340,13 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementPresent(ticket_private, 'authorization-data',
expect_empty=not expect_pac)
if expect_pac:
authorization_data = self.getElementValue(ticket_private,
'authorization-data')
pac_data = self.get_pac(authorization_data)
self.check_pac_buffers(pac_data, kdc_exchange_dict)
encpart_session_key = None
if encpart_private is not None:
self.assertElementPresent(encpart_private, 'key')
@ -2446,6 +2453,47 @@ class RawKerberosTest(TestCaseInTempDir):
kdc_exchange_dict['rep_ticket_creds'] = ticket_creds
def check_pac_buffers(self, pac_data, kdc_exchange_dict):
pac = ndr_unpack(krb5pac.PAC_DATA, pac_data)
rep_msg_type = kdc_exchange_dict['rep_msg_type']
armor_tgt = kdc_exchange_dict['armor_tgt']
expected_sname = kdc_exchange_dict['expected_sname']
expect_claims = kdc_exchange_dict['expect_claims']
expected_types = [krb5pac.PAC_TYPE_LOGON_INFO,
krb5pac.PAC_TYPE_SRV_CHECKSUM,
krb5pac.PAC_TYPE_KDC_CHECKSUM,
krb5pac.PAC_TYPE_LOGON_NAME,
krb5pac.PAC_TYPE_UPN_DNS_INFO]
kdc_options = kdc_exchange_dict['kdc_options']
pos = len(tuple(krb5_asn1.KDCOptions('cname-in-addl-tkt'))) - 1
constrained_delegation = (pos < len(kdc_options)
and kdc_options[pos] == '1')
if constrained_delegation:
expected_types.append(krb5pac.PAC_TYPE_CONSTRAINED_DELEGATION)
if self.kdc_fast_support:
if expect_claims:
expected_types.append(krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO)
if (rep_msg_type == KRB_TGS_REP
and armor_tgt is not None):
expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
if not self.is_tgs(expected_sname):
expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
if self.strict_checking:
buffer_types = [pac_buffer.type
for pac_buffer in pac.buffers]
self.assertCountEqual(expected_types, buffer_types,
f'expected: {expected_types} '
f'got: {buffer_types}')
def generic_check_kdc_error(self,
kdc_exchange_dict,
callback_dict,
@ -3397,6 +3445,10 @@ class RawKerberosTest(TestCaseInTempDir):
return new_auth_data, old_pac
def get_pac(self, auth_data, expect_pac=True):
_, pac = self.replace_pac(auth_data, None, expect_pac)
return pac
def get_krbtgt_checksum_key(self):
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)