tests/krb5: Check encrypted-pa-data if present
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
48362a706f
commit
f94bdb41fc
@ -60,6 +60,7 @@ from samba.tests.krb5.rfc4120_constants import (
|
||||
KRB_TGS_REQ,
|
||||
KU_AP_REQ_AUTH,
|
||||
KU_AS_REP_ENC_PART,
|
||||
KU_AS_REQ,
|
||||
KU_ENC_CHALLENGE_KDC,
|
||||
KU_FAST_ENC,
|
||||
KU_FAST_FINISHED,
|
||||
@ -1973,6 +1974,8 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
req_body=req_body,
|
||||
asn1Spec=req_asn1Spec())
|
||||
|
||||
kdc_exchange_dict['req_obj'] = req_obj
|
||||
|
||||
to_rodc = kdc_exchange_dict['to_rodc']
|
||||
|
||||
rep = self.send_recv_transaction(req_decoded, to_rodc=to_rodc)
|
||||
@ -2369,6 +2372,8 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
rep_decpart,
|
||||
asn1Spec=krb5_asn1.EncTGSRepPart())
|
||||
|
||||
kdc_exchange_dict['reply_key'] = encpart_decryption_key
|
||||
|
||||
self.assertIsNotNone(check_kdc_private_fn)
|
||||
if check_kdc_private_fn is not None:
|
||||
check_kdc_private_fn(kdc_exchange_dict, callback_dict,
|
||||
@ -2548,15 +2553,35 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
|
||||
sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)
|
||||
|
||||
if self.strict_checking:
|
||||
if canonicalize or '1' in sent_pac_options:
|
||||
self.assertElementPresent(encpart_private,
|
||||
'encrypted-pa-data')
|
||||
enc_pa_dict = self.get_pa_dict(
|
||||
encpart_private['encrypted-pa-data'])
|
||||
if canonicalize:
|
||||
self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
|
||||
sent_enc_pa_rep = self.sent_enc_pa_rep(kdc_exchange_dict)
|
||||
|
||||
enc_padata = self.getElementValue(encpart_private,
|
||||
'encrypted-pa-data')
|
||||
if (canonicalize or '1' in sent_pac_options or (
|
||||
rep_msg_type == KRB_AS_REP and sent_enc_pa_rep)):
|
||||
if self.strict_checking:
|
||||
self.assertIsNotNone(enc_padata)
|
||||
|
||||
if enc_padata is not None:
|
||||
enc_pa_dict = self.get_pa_dict(enc_padata)
|
||||
if self.strict_checking:
|
||||
if canonicalize:
|
||||
self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
|
||||
else:
|
||||
self.assertNotIn(PADATA_SUPPORTED_ETYPES,
|
||||
enc_pa_dict)
|
||||
|
||||
if '1' in sent_pac_options:
|
||||
self.assertIn(PADATA_PAC_OPTIONS, enc_pa_dict)
|
||||
else:
|
||||
self.assertNotIn(PADATA_PAC_OPTIONS, enc_pa_dict)
|
||||
|
||||
if rep_msg_type == KRB_AS_REP and sent_enc_pa_rep:
|
||||
self.assertIn(PADATA_REQ_ENC_PA_REP, enc_pa_dict)
|
||||
else:
|
||||
self.assertNotIn(PADATA_REQ_ENC_PA_REP, enc_pa_dict)
|
||||
|
||||
if PADATA_SUPPORTED_ETYPES in enc_pa_dict:
|
||||
expected_supported_etypes = kdc_exchange_dict[
|
||||
'expected_supported_etypes']
|
||||
expected_supported_etypes |= (
|
||||
@ -2570,24 +2595,39 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
|
||||
self.assertEqual(supported_etypes,
|
||||
expected_supported_etypes)
|
||||
else:
|
||||
self.assertNotIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict)
|
||||
|
||||
if '1' in sent_pac_options:
|
||||
self.assertIn(PADATA_PAC_OPTIONS, enc_pa_dict)
|
||||
|
||||
if PADATA_PAC_OPTIONS in enc_pa_dict:
|
||||
pac_options = self.der_decode(
|
||||
enc_pa_dict[PADATA_PAC_OPTIONS],
|
||||
asn1Spec=krb5_asn1.PA_PAC_OPTIONS())
|
||||
|
||||
self.assertElementEqual(pac_options, 'options',
|
||||
sent_pac_options)
|
||||
else:
|
||||
self.assertNotIn(PADATA_PAC_OPTIONS, enc_pa_dict)
|
||||
else:
|
||||
self.assertElementEqual(encpart_private,
|
||||
'encrypted-pa-data',
|
||||
[])
|
||||
|
||||
if PADATA_REQ_ENC_PA_REP in enc_pa_dict:
|
||||
enc_pa_rep = enc_pa_dict[PADATA_REQ_ENC_PA_REP]
|
||||
|
||||
enc_pa_rep = self.der_decode(
|
||||
enc_pa_rep,
|
||||
asn1Spec=krb5_asn1.Checksum())
|
||||
|
||||
reply_key = kdc_exchange_dict['reply_key']
|
||||
req_obj = kdc_exchange_dict['req_obj']
|
||||
req_asn1Spec = kdc_exchange_dict['req_asn1Spec']
|
||||
|
||||
req_obj = self.der_encode(req_obj,
|
||||
asn1Spec=req_asn1Spec())
|
||||
|
||||
checksum = enc_pa_rep['checksum']
|
||||
ctype = enc_pa_rep['cksumtype']
|
||||
|
||||
reply_key.verify_checksum(KU_AS_REQ,
|
||||
req_obj,
|
||||
ctype,
|
||||
checksum)
|
||||
else:
|
||||
if enc_padata is not None:
|
||||
self.assertEqual(enc_padata, [])
|
||||
|
||||
if ticket_session_key is not None and encpart_session_key is not None:
|
||||
self.assertEqual(ticket_session_key.etype,
|
||||
@ -3753,6 +3793,11 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
|
||||
return PADATA_ENCRYPTED_CHALLENGE in fast_pa_dict
|
||||
|
||||
def sent_enc_pa_rep(self, kdc_exchange_dict):
|
||||
fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict)
|
||||
|
||||
return PADATA_REQ_ENC_PA_REP in fast_pa_dict
|
||||
|
||||
def get_sent_pac_options(self, kdc_exchange_dict):
|
||||
fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict)
|
||||
|
||||
|
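Review bot: The PA-REQ-ENC-PA-REP verification at the end of the `@ -2570,24 +2595,39 @@` hunk (`reply_key.verify_checksum(KU_AS_REQ, req_obj, ctype, checksum)`) checks the checksum over a fresh `der_encode` of `kdc_exchange_dict['req_obj']` rather than over the bytes that were actually sent; DER should make the two identical, but any test that deliberately sends a non-canonical or altered request would then be checked against something other than what the KDC checksummed, so storing the encoded request bytes next to `req_obj` in the send path (the `@ -1973,6 +1974,8 @@` hunk, where `kdc_exchange_dict['req_obj'] = req_obj` is set) and verifying over those would make the check exact. The verification block also deserves a comment saying what it establishes, e.g. `# RFC 6113 5.4.2: the KDC binds its reply to the request it actually received by checksumming the encoded AS-REQ under the reply key with key usage KU_AS_REQ (56); a bad checksum means the reply does not belong to this request.` Note that this verification runs for any reply whose encrypted-pa-data carries PADATA_REQ_ENC_PA_REP, while the strict branch above only expects it in an AS-REP; presumably a TGS-REP carrying it in non-strict mode is meant to be checked with KU_AS_REQ as well — worth confirming. The enclosing method starts and ends outside the hunk.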
@ -187,6 +187,7 @@ KU_FAST_REP = 52
|
||||
KU_FAST_FINISHED = 53
|
||||
KU_ENC_CHALLENGE_CLIENT = 54
|
||||
KU_ENC_CHALLENGE_KDC = 55
|
||||
KU_AS_REQ = 56
|
||||
|
||||
# Armor types
|
||||
FX_FAST_ARMOR_AP_REQUEST = 1
|
||||
|
@ -351,8 +351,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
|
||||
|