samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-28 17:47:29 +03:00

Author	SHA1	Message	Date
Joseph Sutton	ebd673e976	tests/krb5: Allow expected_error_mode to be a container type This allows a range of possible error codes to be checked against, for cases when the particular error code returned is not so important. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	24914ae17d	tests/krb5: Add tests for omitting sname in inner request Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC. This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49 and was given CVE-2021-37750 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	c6d7e19ecf	tests/krb5: Allow specifying parameters specific to the inner FAST request body BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	bbbb13caf7	tests/krb5: Add tests for omitting sname in request BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	1e4d757394	tests/krb5: Check PADATA-PW-SALT element in e-data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	e373c6461a	tests/krb5: Check e-data element for TGS-REP errors without FAST BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Andrew Bartlett	3330eaf39c	tests/krb5: Remove harmful and a-typical return in as_req testcase A test in a TestCase class should not return a value, the test is determined by the assertions raised. Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2] to not always be filled, so we need to remove this rudundent code. This also fixes a lot of tests against the MIT KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	b8e2515552	CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would crash the Heimdal KDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	15f9f040fe	tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST Note: This test crashed the MIT KDC prior to MIT commit fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given CVE-2021-36222. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	36798f5b65	tests/krb5: Make cname checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	79dda329f2	tests/krb5: Make e-data checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC, instead failing when obtaining a TGT for the user or machine. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-09-02 13:41:28 +00:00
Joseph Sutton	984a0db00c	tests/krb5: Add FAST tests Example command: SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \ KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \ PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184	2021-08-18 23:20:13 +00:00
Gary Lockyer	b7b62957bd	initial FAST tests Currently incomplete, and tested only against MIT Kerberos. [abartlet@samba.org Originally "WIP inital FAST tests" Samba's general policy that we don't push WIP patches, we polish into a 'perfect' patch stream. However, I think there are good reasons to keep this patch distinct in this particular case. Gary is being modest in titling this WIP (now removed from the title to avoid confusion). They are not WIP in the normal sense of partially or untested code or random unfinished thoughts. The primary issue is that at that point where Gary had to finish up he had trouble getting FAST support enabled on Windows, so couldn't test against our standard reference. They are instead good, working initial tests written against the RFC and tested against Samba's AD DC in the mode backed by MIT Kerberos. This preserves clear authorship for the two distinct bodies of work, as in the next patch Joseph was able to extend and improve the tests significantly. ] Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	aa2c221f4e	tests/krb5: Check PADATA-FX-ERROR in reply Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	66e1eb58be	tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	0c857f67a3	tests/krb5: Check PADATA-PAC-OPTIONS in reply Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	29070e74ba	tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	ab4e7028a6	tests/krb5: Make check_rep_padata() also work for checking TGS replies Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	95b54078c2	tests/krb5: Check PADATA-FX-COOKIE in reply Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	2f7919db39	tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	44a44109db	tests/krb5: Adjust reply padata checking depending on whether FAST was sent Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	056fb71832	tests/krb5: Check reply FAST padata if request included FAST Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	7a27b75621	tests/krb5: Check sname is krbtgt for FAST generic error Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	dbe98005d5	tests/krb5: Add get_krbtgt_sname() method Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	5edbabeb26	tests/krb5: Remove unused variables Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	705e45e37f	tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	79b9aac65b	tests/krb5: Add check_rep_padata() method to check padata in reply Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	1389ba346d	tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	ea1ed63e88	tests/krb5: Include authdata in kdc_exchange_dict Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	2ee87dbf08	tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict This is useful for testing the 'hide client names' FAST option. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	0c029e780c	tests/krb5: Check encrypted-pa-data Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	99e3b909ed	tests/krb5: Add methods to determine whether elements were included in the request Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	dc7dac95ec	tests/krb5: Add functions to get dicts of request padata Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	d878bd6404	tests/krb5: Check FAST response Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	4ca05402b3	tests/krb5: Add method to verify ticket checksum for FAST Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	b62488113f	tests/krb5: Add method to check PA-FX-FAST-REPLY Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	16ce1a1d30	tests/krb5: Allow specifying parameters specific to the outer request body This is useful for testing FAST. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	0df385fc49	tests/krb5: Add FAST armor generation to _generic_kdc_exchange() Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	5c2cd71ae7	tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	d554b6dc0f	tests/krb5: Include authenticator_subkey in AS-REQ exchange dict This is needed for FAST. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	74f332c6f9	tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() This method will also be useful in checking TGS-REP error replies. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	0808940674	tests/krb5: Add methods to calculate keys for FAST Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	aafc868969	tests/krb5: Add method to generate FAST encrypted challenge padata Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	69a66c0d2a	tests/krb5: Add more methods to create ASN1 objects for FAST Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	ec70290029	tests/krb5: Add more ASN1 definitions for FAST Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	025737deb5	tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	b6f96dd639	tests/krb5: Ensure generated padata is not None Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	4824dd4e9f	tests/krb5: Add generate_ap_req() method This method will be useful to generate an AP-REQ for use as FAST armor. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	4951a105b0	tests/krb5: Check nonce in EncKDCRepPart Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00
Joseph Sutton	6df0e406f1	tests/krb5: Make checking less strict Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2021-08-18 22:28:34 +00:00

... 3 4 5 6 7 ...

358 Commits