
tests/krb5: Adjust expected error codes for FAST tests

This allows more of the tests to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2021-11-16 19:55:17 +13:00 committed by Andrew Bartlett
parent 8bd7b316bd
commit f8e55b3670
3 changed files with 42 additions and 46 deletions


@ -33,12 +33,16 @@ from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5,
FX_FAST_ARMOR_AP_REQUEST,
KDC_ERR_BAD_INTEGRITY,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_GENERIC,
KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_MODIFIED,
KDC_ERR_NOT_US,
KDC_ERR_POLICY,
KDC_ERR_PREAUTH_FAILED,
KDC_ERR_PREAUTH_REQUIRED,
KDC_ERR_SKEW,
KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
KRB_AS_REP,
KRB_TGS_REP,
@ -134,7 +138,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_S_PRINCIPAL_UNKNOWN),
'use_fast': True,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_mach_tgt,
@ -164,7 +169,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_S_PRINCIPAL_UNKNOWN),
'use_fast': True,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_mach_tgt,
@ -181,7 +187,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_S_PRINCIPAL_UNKNOWN),
'use_fast': True,
'gen_tgt_fn': self.get_user_tgt,
'fast_armor': None,
@ -206,7 +213,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_NOT_US,
'expected_error_mode': (KDC_ERR_NOT_US,
KDC_ERR_POLICY),
'use_fast': False,
'gen_tgt_fn': self.get_user_service_ticket,
'expect_edata': False
@ -217,7 +225,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_NOT_US,
'expected_error_mode': (KDC_ERR_NOT_US,
KDC_ERR_POLICY),
'use_fast': False,
'gen_tgt_fn': self.get_mach_service_ticket,
'expect_edata': False
@ -378,7 +387,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_PREAUTH_FAILED),
'use_fast': True,
'gen_fast_fn': self.generate_empty_fast,
'fast_armor': None,
@ -403,7 +413,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_PREAUTH_FAILED),
'use_fast': True,
'fast_armor': None, # no armor,
'gen_armor_tgt_fn': self.get_mach_tgt,
@ -500,7 +511,8 @@ class FAST_Tests(KDCBaseTest):
},
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_PREAUTH_FAILED,
'expected_error_mode': (KDC_ERR_PREAUTH_FAILED,
KDC_ERR_PREAUTH_REQUIRED),
'use_fast': False,
'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key
}
@ -509,8 +521,8 @@ class FAST_Tests(KDCBaseTest):
def test_fast_encrypted_challenge_clock_skew(self):
# The KDC is supposed to confirm that the timestamp is within its
# current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113
# 5.4.6). However, Windows accepts a skewed timestamp in the encrypted
# challenge.
# 5.4.6). However, this test fails against Windows, which accepts a
# skewed timestamp in the encrypted challenge.
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
@ -521,7 +533,7 @@ class FAST_Tests(KDCBaseTest):
},
{
'rep_type': KRB_AS_REP,
'expected_error_mode': 0,
'expected_error_mode': KDC_ERR_SKEW,
'use_fast': True,
'gen_padata_fn': functools.partial(
self.generate_enc_challenge_padata,
@ -533,43 +545,30 @@ class FAST_Tests(KDCBaseTest):
def test_fast_invalid_tgt(self):
# The armor ticket 'sname' field is required to identify the target
# realm TGS (RFC6113 5.4.1.1). However, Windows will still accept a
# service ticket identifying a different server principal.
# realm TGS (RFC6113 5.4.1.1). However, this test fails against
# Windows, which will still accept a service ticket identifying a
# different server principal.
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
'expected_error_mode': KDC_ERR_POLICY,
'use_fast': True,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_user_service_ticket
},
{
'rep_type': KRB_AS_REP,
'expected_error_mode': 0,
'use_fast': True,
'gen_padata_fn': self.generate_enc_challenge_padata,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_user_service_ticket
# ticket not identifying TGS of current
# realm
}
])
# Similarly, this test fails against Windows, which accepts a service
# ticket identifying a different server principal.
def test_fast_invalid_tgt_mach(self):
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
'expected_error_mode': KDC_ERR_POLICY,
'use_fast': True,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_mach_service_ticket
},
{
'rep_type': KRB_AS_REP,
'expected_error_mode': 0,
'use_fast': True,
'gen_padata_fn': self.generate_enc_challenge_padata,
'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
'gen_armor_tgt_fn': self.get_mach_service_ticket
# ticket not identifying TGS of current
# realm
@ -862,8 +861,8 @@ class FAST_Tests(KDCBaseTest):
# Add the 'FAST used' auth data and it now fails.
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
# should be KRB_APP_ERR_MODIFIED
'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_GENERIC),
'use_fast': False,
'gen_authdata_fn': self.generate_fast_used_auth_data,
'gen_tgt_fn': self.get_user_tgt,
@ -889,7 +888,8 @@ class FAST_Tests(KDCBaseTest):
# Add the 'FAST armor' auth data and it now fails.
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_BAD_INTEGRITY),
'use_fast': True,
'gen_authdata_fn': self.generate_fast_armor_auth_data,
'gen_tgt_fn': self.get_user_tgt,
@ -941,7 +941,8 @@ class FAST_Tests(KDCBaseTest):
# fails.
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_BAD_INTEGRITY),
'use_fast': True,
'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data,
'fast_armor': None,
@ -976,7 +977,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_NOT_US,
'expected_error_mode': (KDC_ERR_NOT_US,
KDC_ERR_POLICY),
'use_fast': True,
'gen_tgt_fn': self.get_user_service_ticket, # fails
'fast_armor': None
@ -987,7 +989,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_NOT_US, # fails
'expected_error_mode': (KDC_ERR_NOT_US, # fails
KDC_ERR_POLICY),
'use_fast': True,
'gen_tgt_fn': self.get_mach_service_ticket,
'fast_armor': None
@ -1013,7 +1016,8 @@ class FAST_Tests(KDCBaseTest):
self._run_test_sequence([
{
'rep_type': KRB_TGS_REP,
'expected_error_mode': KDC_ERR_GENERIC,
'expected_error_mode': (KDC_ERR_GENERIC,
KDC_ERR_PREAUTH_FAILED),
'use_fast': True,
'gen_tgt_fn': self.get_user_tgt,
'fast_armor': None,
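Review bot: The new `expected_error_mode` tuples (first in the `-134,7 +138,8` hunk, then in most later hunks) do not record which KDC is expected to return which code, and their ordering is inconsistent: the 'FAST used' step lists `(KDC_ERR_MODIFIED, KDC_ERR_GENERIC)` while the others put `KDC_ERR_GENERIC` first. Assuming the harness (not visible here) accepts any listed code, these negative tests would not notice a KDC answering with `KDC_ERR_GENERIC` where a specific rejection such as `KDC_ERR_BAD_INTEGRITY` is intended. The intent is worth recording next to each tuple, e.g. `# <KDC A> returns KDC_ERR_GENERIC; <KDC B> returns KDC_ERR_BAD_INTEGRITY` with the placeholder names filled in. In the `-987,7 +989,8` hunk the trailing `# fails` now sits inside the tuple after `KDC_ERR_NOT_US`; it would read better on the `gen_tgt_fn` line, as in the preceding test. Most of the enclosing test methods start and end outside these hunks.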


@ -25,7 +25,6 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc
@ -50,18 +49,13 @@
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
#


@ -345,9 +345,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc