The branch, master has been updated via 8b5e7644130 selftest: add python S4U2Self tests including unkeyed checksums via 19875a37318 Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum" via b5adc112771 Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc" via ce65e8979dd Revert "selftest: allow any kdc error in mitm-s4u2self test" from ddd8ae51f8c smb2_server: do async shutdown for pending multi-channel requests
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8b5e7644130146bcc4e5a0dd05da6458a6025dd8 Author: Isaac Boukris <ibouk...@gmail.com> Date: Mon May 4 18:09:53 2020 +0200 selftest: add python S4U2Self tests including unkeyed checksums To test the CRC32 I reverted the unkeyed-checksum fix (43958af1) and the weak-crypto fix (389d1b97). Note that the unkeyed-md5 still worked even with weak-crypto disabled, and that the unkeyed-sha1 never worked but I left it anyway. Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184 commit 19875a37318a7cd5585572616cf12a775591193f Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu May 7 17:17:12 2020 +0200 Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum" This reverts commit 5639e973c1f6f1b28b122741763f1d05b47bc2d8. This is no longer needed as the next commit includes a Python test for this, without the complexity of being inside krb5.kdc.canon. Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b5adc112771f22c2d7c4319063c3e89074c4f4ab Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu May 7 17:17:00 2020 +0200 Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc" This reverts commit 151f8c0f31d3d17b9418db3793ec14ba7dbf2143. This allows a clean revert (and so removal) of the test. Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ce65e8979dda9774b170db7a9fa7ba458af4cee9 Author: Isaac Boukris <ibouk...@gmail.com> Date: Thu May 7 17:16:53 2020 +0200 Revert "selftest: allow any kdc error in mitm-s4u2self test" This reverts commit a53fa8ffe3e36f7921baf5d31a1052747f90aa7d. This allows a clean revert (and so removal) of the test. 
Signed-off-by: Isaac Boukris <ibouk...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/tests/krb5/kcrypto.py | 85 +++++++++++++++ python/samba/tests/krb5/raw_testcase.py | 23 ++++ python/samba/tests/krb5/rfc4120.asn1 | 8 ++ python/samba/tests/krb5/rfc4120_pyasn1.py | 14 ++- .../tests/krb5/{simple_tests.py => s4u_tests.py} | 58 ++++++++--- python/samba/tests/usage.py | 1 + selftest/knownfail | 2 + selftest/skip_mit_kdc | 1 + selftest/target/Samba4.pm | 23 ++++ source4/selftest/tests.py | 4 + source4/torture/krb5/kdc-canon-heimdal.c | 116 ++------------------- 11 files changed, 209 insertions(+), 126 deletions(-) copy python/samba/tests/krb5/{simple_tests.py => s4u_tests.py} (73%) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index ed3c84fa186..2572fa5bab3 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -51,6 +51,7 @@ os.environ["PYTHONUNBUFFERED"] = "1" from math import gcd from functools import reduce from struct import pack, unpack +from binascii import crc32 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import hmac from cryptography.hazmat.primitives.ciphers import algorithms as ciphers @@ -533,6 +534,21 @@ class _MD5(_ChecksumProfile): return SIMPLE_HASH(text, hashes.MD5) +class _SHA1(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + return SIMPLE_HASH(text, hashes.SHA1) + + +class _CRC32(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + cksum = (~crc32(text, 0xffffffff)) & 0xffffffff + return pack('<I', cksum) + + _enctype_table = { Enctype.DES3: _DES3CBC, Enctype.AES128: _AES128CTS, 
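Review bot: The `_CRC32.checksum` expression `(~crc32(text, 0xffffffff)) & 0xffffffff` carries no explanation of why it seeds the CRC and then inverts the result, so a later reader could mistake it for a bug and simplify it to `crc32(text)`. As far as I can tell the seed and the final complement cancel binascii's own pre- and post-conditioning, which gives the modified CRC-32 of RFC 3961; I would add `# RFC 3961 modified CRC-32: no initial or final complement, packed little-endian`. The `# This is unkeyed!` comments on `_SHA1` and `_CRC32` could also state that `key` and `keyusage` are ignored and that these profiles exist so tests can build checksums a KDC is expected to reject.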
@@ -547,6 +563,8 @@ _checksum_table = {
 Cksumtype.SHA1_AES256: _SHA1AES256,
 Cksumtype.HMAC_MD5: _HMACMD5,
 Cksumtype.MD5: _MD5,
+ Cksumtype.SHA1: _SHA1,
+ Cksumtype.CRC32: _CRC32,
 }
@@ -835,6 +853,73 @@ class KcrytoTest(TestCase): def test_md5_unkeyed_checksum_aes256_usage_50(self): return self._test_md5_unkeyed_checksum(Enctype.AES256, 50) + def _test_sha1_unkeyed_checksum(self, etype, usage): + # SHA1 unkeyed checksum + pw = b'password' + salt = b'salt' + key = string_to_key(etype, pw, salt) + plain = b'twenty nineteen eighteen seventeen' + cksum = h('381c870d8875d1913555de19af5c885fd27b7da9') + verify_checksum(Cksumtype.SHA1, key, usage, plain, cksum) + + def test_sha1_unkeyed_checksum_des3_usage_40(self): + return self._test_sha1_unkeyed_checksum(Enctype.DES3, 40) + + def test_sha1_unkeyed_checksum_des3_usage_50(self): + return self._test_sha1_unkeyed_checksum(Enctype.DES3, 50) + + def test_sha1_unkeyed_checksum_rc4_usage_40(self): + return self._test_sha1_unkeyed_checksum(Enctype.RC4, 40) + + def test_sha1_unkeyed_checksum_rc4_usage_50(self): + return self._test_sha1_unkeyed_checksum(Enctype.RC4, 50) + + def test_sha1_unkeyed_checksum_aes128_usage_40(self): + return self._test_sha1_unkeyed_checksum(Enctype.AES128, 40) + + def test_sha1_unkeyed_checksum_aes128_usage_50(self): + return self._test_sha1_unkeyed_checksum(Enctype.AES128, 50) + + def test_sha1_unkeyed_checksum_aes256_usage_40(self): + return self._test_sha1_unkeyed_checksum(Enctype.AES256, 40) + + def test_sha1_unkeyed_checksum_aes256_usage_50(self): + return self._test_sha1_unkeyed_checksum(Enctype.AES256, 50) + + def _test_crc32_unkeyed_checksum(self, etype, usage): + # CRC32 unkeyed checksum + pw = b'password' + salt = b'salt' + key = string_to_key(etype, pw, salt) + plain = b'africa america asia australia europe' + cksum = h('ce595a53') + verify_checksum(Cksumtype.CRC32, key, usage, plain, cksum) + + def test_crc32_unkeyed_checksum_des3_usage_40(self): + return self._test_crc32_unkeyed_checksum(Enctype.DES3, 40) + + def test_crc32_unkeyed_checksum_des3_usage_50(self): + return self._test_crc32_unkeyed_checksum(Enctype.DES3, 50) + + def 
test_crc32_unkeyed_checksum_rc4_usage_40(self): + return self._test_crc32_unkeyed_checksum(Enctype.RC4, 40) + + def test_crc32_unkeyed_checksum_rc4_usage_50(self): + return self._test_crc32_unkeyed_checksum(Enctype.RC4, 50) + + def test_crc32_unkeyed_checksum_aes128_usage_40(self): + return self._test_crc32_unkeyed_checksum(Enctype.AES128, 40) + + def test_crc32_unkeyed_checksum_aes128_usage_50(self): + return self._test_crc32_unkeyed_checksum(Enctype.AES128, 50) + + def test_crc32_unkeyed_checksum_aes256_usage_40(self): + return self._test_crc32_unkeyed_checksum(Enctype.AES256, 40) + + def test_crc32_unkeyed_checksum_aes256_usage_50(self): + return self._test_crc32_unkeyed_checksum(Enctype.AES256, 50) + + if __name__ == "__main__": import unittest unittest.main() diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 6c7bcd418a0..f43ce9cbc3c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -867,3 +867,26 @@ class RawKerberosTest(TestCase): if native_decoded_only: return decoded return decoded, obj + + def PA_S4U2Self_create(self, name, realm, tgt_session_key, ctype=None): + # PA-S4U2Self ::= SEQUENCE { + # name [0] PrincipalName, + # realm [1] Realm, + # cksum [2] Checksum, + # auth [3] GeneralString + # } + cksum_data = name['name-type'].to_bytes(4, byteorder='little') + for n in name['name-string']: + cksum_data += n.encode() + cksum_data += realm.encode() + cksum_data += "Kerberos".encode() + cksum = self.Checksum_create(tgt_session_key, 17, cksum_data, ctype) + + PA_S4U2Self_obj = { + 'name': name, + 'realm': realm, + 'cksum': cksum, + 'auth': "Kerberos", + } + pa_s4u2self = self.der_encode(PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) + return self.PA_DATA_create(129, pa_s4u2self) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 05b43106034..98ba887729d 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 
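Review bot: In `PA_S4U2Self_create`, `name['name-type'].to_bytes(4, byteorder='little')` raises OverflowError for a negative name type, and I believe the common Kerberos implementations define negative values for some Microsoft principal forms; `name['name-type'].to_bytes(4, byteorder='little', signed=True)` keeps the helper usable for them. The literals `17` and `129` are unexplained, and a comment such as `# key usage 17 and padata type 129 (PA-FOR-USER), see [MS-SFU] 2.2.1` would let a reader check them against the spec. The string "Kerberos" is written twice, once in the checksum input and once in the `auth` field, so a single local variable would keep the signed data and the encoded value from drifting apart. The enclosing class starts outside the hunk.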
+++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -415,6 +415,14 @@ AD-AND-OR ::= SEQUENCE { AD-MANDATORY-FOR-KDC ::= AuthorizationData +-- S4U + +PA-S4U2Self ::= SEQUENCE { + name [0] PrincipalName, + realm [1] Realm, + cksum [2] Checksum, + auth [3] KerberosString +} diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index b2627aa3dcb..05304a8a099 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-03-26 10:28:24.346775) +# (last modified on 2020-05-06 17:51:00.323318) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -780,6 +780,18 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( ) +class PA_S4U2Self(univ.Sequence): + pass + + +PA_S4U2Self.componentType = namedtype.NamedTypes( + namedtype.NamedType('name', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('auth', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) +) + + class PADataTypeValues(univ.Integer): pass diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/s4u_tests.py similarity index 73% copy from python/samba/tests/krb5/simple_tests.py copy to python/samba/tests/krb5/s4u_tests.py index c9998c4d2db..ae38635c53b 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py 
@@ -22,25 +22,27 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" +from samba.tests import env_get_var_value +from samba.tests.krb5.kcrypto import Cksumtype from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False global_hexdump = False -class SimpleKerberosTests(RawKerberosTest): +class S4UKerberosTests(RawKerberosTest): def setUp(self): - super(SimpleKerberosTests, self).setUp() + super(S4UKerberosTests, self).setUp() self.do_asn1_print = global_asn1_print self.do_hexdump = global_hexdump - def test_simple(self): - user_creds = self.get_user_creds() - user = user_creds.get_username() - realm = user_creds.get_realm() + def _test_s4u2self(self, pa_s4u2self_ctype=None): + service_creds = self.get_service_creds() + service = service_creds.get_username() + realm = service_creds.get_realm() - cname = self.PrincipalName_create(name_type=1, names=[user]) + cname = self.PrincipalName_create(name_type=1, names=[service]) sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) till = self.get_KerberosTime(offset=36000) @@ -78,7 +80,7 @@ class SimpleKerberosTests(RawKerberosTest): etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) - key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) (patime, pausec) = self.get_KerberosTimeWithUsec() pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) 
@@ -117,16 +119,20 @@ class SimpleKerberosTests(RawKerberosTest): enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) - # TGS Request - service_creds = self.get_service_creds(allow_missing_password=True) - service_name = service_creds.get_username() + # S4U2Self Request + sname = cname + + for_user_name = env_get_var_value('FOR_USER') + uname = self.PrincipalName_create(name_type=1, names=[for_user_name]) - sname = self.PrincipalName_create(name_type=2, names=["host", service_name]) kdc_options = krb5_asn1.KDCOptions('forwardable') till = self.get_KerberosTime(offset=36000) ticket = rep['ticket'] ticket_session_key = self.EncryptionKey_import(enc_part2['key']) - padata = [] + pa_s4u = self.PA_S4U2Self_create(name=uname, realm=realm, + tgt_session_key=ticket_session_key, + ctype=pa_s4u2self_ctype) + padata = [pa_s4u] subkey = self.RandomKey(ticket_session_key.etype) subkey_usage = 9 
@@ -156,13 +162,33 @@ class SimpleKerberosTests(RawKerberosTest): self.assertIsNotNone(rep) msg_type = rep['msg-type'] + if msg_type == 13: + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return msg_type + + # Using the checksum type from the tgt_session_key happens to work everywhere + def test_s4u2self(self): + msg_type = self._test_s4u2self() + self.assertEqual(msg_type, 13) + + # Per spec, the checksum of PA-FOR-USER is HMAC_MD5, see [MS-SFU] 2.2.1 + def test_s4u2self_hmac_md5_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.HMAC_MD5) self.assertEqual(msg_type, 13) - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + def test_s4u2self_md5_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.MD5) + self.assertEqual(msg_type, 30) - return + def test_s4u2self_sha1_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.SHA1) + self.assertEqual(msg_type, 30) + def test_s4u2self_crc32_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) + self.assertEqual(msg_type, 30) if __name__ == "__main__": global_asn1_print = True diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 18e9fad232f..58053474e03 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -87,6 +87,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/dcerpc/raw_protocol.py', 'python/samba/tests/krb5/kcrypto.py', 'python/samba/tests/krb5/simple_tests.py', + 'python/samba/tests/krb5/s4u_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail b/selftest/knownfail index 57a4d93a37d..38e8597deda 100644 --- a/selftest/knownfail +++ b/selftest/knownfail 
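Review bot: The three unkeyed-checksum tests assert only `msg_type == 30`, so any KRB-ERROR satisfies them, including failures unrelated to the checksum such as an unknown `FOR_USER`, a missing SPN or clock skew; they would keep passing if the KDC stopped inspecting the checksum type but rejected the request for another reason. `_test_s4u2self` could return `rep` rather than `msg_type`, so that the negative tests also compare `rep['error-code']` with the code or codes the KDC is expected to return for an unkeyed checksum. On the success path `enc_part2` is decoded but nothing is asserted on it or on the client name in the reply, so `test_s4u2self` does not confirm that the ticket was issued for the impersonated user. The body of `_test_s4u2self` starts outside this hunk.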
@@ -393,3 +393,5 @@
 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
+# Fixed upstream heimdal in PR #439
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum
diff --git a/selftest/skip_mit_kdc b/selftest/skip_mit_kdc
index 4a51c98ea0b..ea644638c9f 100644
--- a/selftest/skip_mit_kdc
+++ b/selftest/skip_mit_kdc
@@ -3,3 +3,4 @@
 .*RODC
 ^samba4.ntvfs.cifs.ntlm.base.unlink
 ^samba4.ntvfs.cifs.krb5.base.unlink
+^samba.tests.krb5.s4u_tests
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 2046af3b984..34dd0ee798d 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -934,6 +934,29 @@ sub provision_raw_step2($$$) return undef; } + my $srv_account = "srv_account"; + $samba_tool_cmd = ""; + $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " user create --configfile=$ctx->{smb_conf} $srv_account $ctx->{password}"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to add $srv_account user: \n$samba_tool_cmd\n"); + return undef; + } + + $samba_tool_cmd = ""; + $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " spn add HOST/$srv_account --configfile=$ctx->{smb_conf} $srv_account"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to add spn for $srv_account: \n$samba_tool_cmd\n"); + return undef; + } + my $ldbmodify = ""; $ldbmodify .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 15af32a0415..480ea22987f 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -758,6 +758,10 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", environ={'SERVICE_USERNAME':'$SERVER'}) +planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", + environ={'SERVICE_USERNAME':'srv_account', + 'SERVICE_PASSWORD':'$PASSWORD', + 'FOR_USER':'$USERNAME'}) for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) 
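Review bot: The new `samba-tool user create` command interpolates `$ctx->{password}` unquoted into a string that `system()` passes to the shell, and the `warn()` on failure prints that same string, so the password ends up in the process list and in the test log, and a value containing shell metacharacters would alter the command. The value is a selftest fixture and the `$ldbmodify` context lines suggest the surrounding code builds commands the same way, but the list form of `system()` with `RESOLV_CONF`, `KRB5_CONFIG` and `KRB5CCNAME` set in a localised `%ENV` would avoid shell parsing, and the warning could name the account without echoing the command. The same construction is used for the `spn add` call further down the hunk. `provision_raw_step2` begins and ends outside the hunk.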
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index 700e1c2b37e..9e0808b134c 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -33,7 +33,6 @@
 #include "auth/auth_sam_reply.h"
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
-#include "zlib.h"
 #define TEST_CANONICALIZE 0x0000001
 #define TEST_ENTERPRISE 0x0000002
@@ -45,8 +44,7 @@
 #define TEST_S4U2SELF 0x0000080
 #define TEST_REMOVEDOLLAR 0x0000100
 #define TEST_AS_REQ_SPN 0x0000200
-#define TEST_MITM_S4U2SELF 0x0000400
-#define TEST_ALL 0x00007FF
+#define TEST_ALL 0x00003FF
 struct test_data {
 const char *test_name;
@@ -64,7 +62,6 @@ struct test_data {
 bool upn;
 bool other_upn_suffix;
 bool s4u2self;
- bool mitm_s4u2self;
 bool removedollar;
 bool as_req_spn;
 bool spn_is_upn;
@@ -215,73 +212,6 @@ static bool test_accept_ticket(struct torture_context *tctx, return true; } -static void -zCRC32_checksum(const void *data, - size_t len, - Checksum *C) -{ - uint32_t *crc = C->checksum.data; - *crc = ~(crc32(0xffffffff, data, len)); - C->checksum.length = 4; - C->cksumtype = 1; -} - -krb5_error_code -_krb5_s4u2self_to_checksumdata(krb5_context context, - const PA_S4U2Self *self, - krb5_data *data); - -/* Helper function to modify the principal in PA_FOR_USER padata */ -static bool change_for_user_principal(struct torture_krb5_context *test_context, - krb5_data *modified_send_buf) -{ - PA_DATA *for_user; - int i = 0; - size_t used; - krb5_error_code ret; - PA_S4U2Self self, mod_self; - krb5_data cksum_data; - krb5_principal admin; - heim_octet_string orig_padata_value; - krb5_context k5_ctx = test_context->smb_krb5_context->krb5_context; - - for_user = krb5_find_padata(test_context->tgs_req.padata->val, - test_context->tgs_req.padata->len, KRB5_PADATA_FOR_USER, &i); - torture_assert(test_context->tctx, for_user != NULL, "No PA_FOR_USER in s4u2self request"); - orig_padata_value = for_user->padata_value; - - torture_assert_int_equal(test_context->tctx, - krb5_make_principal(k5_ctx, &admin, test_context->test_data->realm, - "Administrator", NULL), - 0, "krb5_make_principal() failed"); - torture_assert_int_equal(test_context->tctx, - decode_PA_S4U2Self(for_user->padata_value.data, - for_user->padata_value.length, &self, NULL), - 0, "decode_PA_S4U2Self() failed"); - mod_self = self; - mod_self.name = admin->name; - - torture_assert_int_equal(test_context->tctx, - _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), - 0, "_krb5_s4u2self_to_checksumdata() failed"); - zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum); - - ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, - &mod_self, &used, ret); - torture_assert(test_context->tctx, ret == 0, "Failed to encode PA_S4U2Self ASN1 
struct"); - ASN1_MALLOC_ENCODE(TGS_REQ, modified_send_buf->data, modified_send_buf->length, - &test_context->tgs_req, &used, ret); - torture_assert(test_context->tctx, ret == 0, "Failed to encode TGS_REQ ASN1 struct"); - - free(for_user->padata_value.data); - for_user->padata_value = orig_padata_value; - - free_PA_S4U2Self(&self); - krb5_data_free(&cksum_data); - - return true; -} - /* * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND * @@ -701,12 +631,7 @@ static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context } - if (test_context->test_data->mitm_s4u2self) { -- Samba Shared Repository