1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

tests/krb5: Check encrypted-pa-data if present

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Joseph Sutton 2021-11-30 09:45:13 +13:00 committed by Joseph Sutton
parent 48362a706f
commit f94bdb41fc
3 changed files with 67 additions and 19 deletions

View File

@ -60,6 +60,7 @@ from samba.tests.krb5.rfc4120_constants import (
KRB_TGS_REQ,
KU_AP_REQ_AUTH,
KU_AS_REP_ENC_PART,
KU_AS_REQ,
KU_ENC_CHALLENGE_KDC,
KU_FAST_ENC,
KU_FAST_FINISHED,
@ -1973,6 +1974,8 @@ class RawKerberosTest(TestCaseInTempDir):
req_body=req_body,
asn1Spec=req_asn1Spec())
kdc_exchange_dict['req_obj'] = req_obj
to_rodc = kdc_exchange_dict['to_rodc']
rep = self.send_recv_transaction(req_decoded, to_rodc=to_rodc)
@ -2369,6 +2372,8 @@ class RawKerberosTest(TestCaseInTempDir):
rep_decpart,
asn1Spec=krb5_asn1.EncTGSRepPart())
kdc_exchange_dict['reply_key'] = encpart_decryption_key
self.assertIsNotNone(check_kdc_private_fn)
if check_kdc_private_fn is not None:
check_kdc_private_fn(kdc_exchange_dict, callback_dict,
@ -2548,15 +2553,35 @@ class RawKerberosTest(TestCaseInTempDir):
sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)
if self.strict_checking:
if canonicalize or '1' in sent_pac_options:
self.assertElementPresent(encpart_private,
'encrypted-pa-data')
enc_pa_dict = self.get_pa_dict(
encpart_private['encrypted-pa-data'])
if canonicalize:
self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
sent_enc_pa_rep = self.sent_enc_pa_rep(kdc_exchange_dict)
enc_padata = self.getElementValue(encpart_private,
'encrypted-pa-data')
if (canonicalize or '1' in sent_pac_options or (
rep_msg_type == KRB_AS_REP and sent_enc_pa_rep)):
if self.strict_checking:
self.assertIsNotNone(enc_padata)
if enc_padata is not None:
enc_pa_dict = self.get_pa_dict(enc_padata)
if self.strict_checking:
if canonicalize:
self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
else:
self.assertNotIn(PADATA_SUPPORTED_ETYPES,
enc_pa_dict)
if '1' in sent_pac_options:
self.assertIn(PADATA_PAC_OPTIONS, enc_pa_dict)
else:
self.assertNotIn(PADATA_PAC_OPTIONS, enc_pa_dict)
if rep_msg_type == KRB_AS_REP and sent_enc_pa_rep:
self.assertIn(PADATA_REQ_ENC_PA_REP, enc_pa_dict)
else:
self.assertNotIn(PADATA_REQ_ENC_PA_REP, enc_pa_dict)
if PADATA_SUPPORTED_ETYPES in enc_pa_dict:
expected_supported_etypes = kdc_exchange_dict[
'expected_supported_etypes']
expected_supported_etypes |= (
@ -2570,24 +2595,39 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertEqual(supported_etypes,
expected_supported_etypes)
else:
self.assertNotIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
if '1' in sent_pac_options:
self.assertIn(PADATA_PAC_OPTIONS, enc_pa_dict)
if PADATA_PAC_OPTIONS in enc_pa_dict:
pac_options = self.der_decode(
enc_pa_dict[PADATA_PAC_OPTIONS],
asn1Spec=krb5_asn1.PA_PAC_OPTIONS())
self.assertElementEqual(pac_options, 'options',
sent_pac_options)
else:
self.assertNotIn(PADATA_PAC_OPTIONS, enc_pa_dict)
else:
self.assertElementEqual(encpart_private,
'encrypted-pa-data',
[])
if PADATA_REQ_ENC_PA_REP in enc_pa_dict:
enc_pa_rep = enc_pa_dict[PADATA_REQ_ENC_PA_REP]
enc_pa_rep = self.der_decode(
enc_pa_rep,
asn1Spec=krb5_asn1.Checksum())
reply_key = kdc_exchange_dict['reply_key']
req_obj = kdc_exchange_dict['req_obj']
req_asn1Spec = kdc_exchange_dict['req_asn1Spec']
req_obj = self.der_encode(req_obj,
asn1Spec=req_asn1Spec())
checksum = enc_pa_rep['checksum']
ctype = enc_pa_rep['cksumtype']
reply_key.verify_checksum(KU_AS_REQ,
req_obj,
ctype,
checksum)
else:
if enc_padata is not None:
self.assertEqual(enc_padata, [])
if ticket_session_key is not None and encpart_session_key is not None:
self.assertEqual(ticket_session_key.etype,
@ -3753,6 +3793,11 @@ class RawKerberosTest(TestCaseInTempDir):
return PADATA_ENCRYPTED_CHALLENGE in fast_pa_dict
def sent_enc_pa_rep(self, kdc_exchange_dict):
fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict)
return PADATA_REQ_ENC_PA_REP in fast_pa_dict
def get_sent_pac_options(self, kdc_exchange_dict):
fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict)

View File

@ -187,6 +187,7 @@ KU_FAST_REP = 52
KU_FAST_FINISHED = 53
KU_ENC_CHALLENGE_CLIENT = 54
KU_ENC_CHALLENGE_KDC = 55
KU_AS_REQ = 56
# Armor types
FX_FAST_ARMOR_AP_REQUEST = 1

View File

@ -351,8 +351,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc