The branch, master has been updated
       via  984a0db00c3 tests/krb5: Add FAST tests
       via  b7b62957bdc initial FAST tests
       via  aa2c221f4e1 tests/krb5: Check PADATA-FX-ERROR in reply
       via  66e1eb58bed tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
       via  0c857f67a3a tests/krb5: Check PADATA-PAC-OPTIONS in reply
       via  29070e74baa tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
       via  ab4e7028a6a tests/krb5: Make check_rep_padata() also work for checking TGS replies
       via  95b54078c2f tests/krb5: Check PADATA-FX-COOKIE in reply
       via  2f7919db395 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
       via  44a44109db9 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
       via  056fb71832e tests/krb5: Check reply FAST padata if request included FAST
       via  7a27b756219 tests/krb5: Check sname is krbtgt for FAST generic error
       via  dbe98005d58 tests/krb5: Add get_krbtgt_sname() method
       via  5edbabeb26e tests/krb5: Remove unused variables
       via  705e45e37f4 tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
       via  79b9aac65b7 tests/krb5: Add check_rep_padata() method to check padata in reply
       via  1389ba346df tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
       via  ea1ed63e881 tests/krb5: Include authdata in kdc_exchange_dict
       via  2ee87dbf08e tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
       via  0c029e780cf tests/krb5: Check encrypted-pa-data
       via  99e3b909edf tests/krb5: Add methods to determine whether elements were included in the request
       via  dc7dac95ec5 tests/krb5: Add functions to get dicts of request padata
       via  d878bd6404d tests/krb5: Check FAST response
       via  4ca05402b36 tests/krb5: Add method to verify ticket checksum for FAST
       via  b62488113f6 tests/krb5: Add method to check PA-FX-FAST-REPLY
       via  16ce1a1d304 tests/krb5: Allow specifying parameters specific to the outer request body
       via  0df385fc49c tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
       via  5c2cd71ae70 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
       via  d554b6dc0f4 tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
       via  74f332c6f9e tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
       via  08089406746 tests/krb5: Add methods to calculate keys for FAST
       via  aafc8689696 tests/krb5: Add method to generate FAST encrypted challenge padata
       via  69a66c0d2a7 tests/krb5: Add more methods to create ASN1 objects for FAST
       via  ec702900295 tests/krb5: Add more ASN1 definitions for FAST
       via  025737deb53 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
       via  b6f96dd6395 tests/krb5: Ensure generated padata is not None
       via  4824dd4e9f4 tests/krb5: Add generate_ap_req() method
       via  4951a105b04 tests/krb5: Check nonce in EncKDCRepPart
       via  6df0e406f1f tests/krb5: Make checking less strict
       via  98dc19e8c81 tests/krb5: Check version number of obtained ticket
       via  3d1066e9238 tests/krb5: Assert that more variables are not None
       via  ba3c92f77b2 tests/krb5: Ensure in assertElementPresent() that container elements are not empty
       via  78818655505 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
       via  8fe9589da2d tests/krb5: Include kdc_options in kdc_exchange_dict
       via  21c64fda8f9 tests/krb5: Always specify expected error code
       via  28fb50f511f tests/krb5: Add check_reply() method to check for AS or TGS reply
       via  f5689bb8fab tests/krb5: Add method to calculate account salt
       via  50d743bafc7 tests/krb5: Add more methods for obtaining machine and service credentials
       via  4790b6b04ae tests/krb5: Allow specifying additional details when creating an account
       via  ce379edf2e1 tests/krb5: Use encryption with admin credentials
       via  bab7503e304 tests/krb5: Add get_EpochFromKerberosTime()
       via  fe8912e4a85 tests/krb5: Make _test_as_exchange() return value more consistent
       via  cb332d83008 tests/krb5: Add method to return dict containing padata elements
       via  f5a906f74f9 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
       via  2c80f7f851a tests/krb5: Refactor get_pa_data()
       via  a5e5f8fdfe8 tests/krb5: Allow cf2 to automatically use the enctype of the first key
       via  17d5a267298 tests/krb5: Use credentials kvno when creating password key
       via  d6a242e2000 tests/krb5: Check Kerberos protocol version number
       via  8194b2a2611 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
       via  a0c6538a971 tests/krb5: Fix encpart_decryption_key with MIT KDC
       via  bad5f4ee5fd tests/krb5: Fix callback_dict parameter
       via  67ff72395ce tests/krb5: Fix including enc-authorization-data
       via  a2b183c179e tests/krb5: Remove magic constants
       via  41c3e410344 tests/krb5: Simplify Python syntax
       via  38b3a361819 tests/krb5: Use more compact dict lookup
       via  1320ac0f91a tests/krb5: Remove unneeded statements
       via  df6623363a7 tests/krb5: formatting
       via  7013a8edd1f tests/krb5: Fix method name typo
       via  9eb4c4b7b1c tests/krb5: Fix comment typo
       via  4797ced8909 tests/krb5: Fix ms_kile_client_principal_lookup_test errors
       via  6818d204897 pygensec: Don't modify Python bytes objects
       via  814df05f8c1 pygensec: Fix memory leaks
      from  4809f4a6ee9 registry: check for running as root in clustering mode

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 29 10:58:44 2021 +1200

    tests/krb5: Add FAST tests

    Example command:
    SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
    KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
    PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184

commit b7b62957bdce9929fabd3812b9378bdbd6c12966
Author: Gary Lockyer <g...@catalyst.net.nz>
Date: Thu Jun 10 09:56:58 2021 +1200

    initial FAST tests

    Currently incomplete, and tested only against MIT Kerberos.

    [abart...@samba.org
     Originally "WIP inital FAST tests"

     Samba's general policy that we don't push WIP patches, we polish
     into a 'perfect' patch stream.

     However, I think there are good reasons to keep this patch distinct
     in this particular case.

     Gary is being modest in titling this WIP (now removed from the title
     to avoid confusion). They are not WIP in the normal sense of
     partially or untested code or random unfinished thoughts. The primary
     issue is that at that point where Gary had to finish up he had trouble
     getting FAST support enabled on Windows, so couldn't test against
     our standard reference. They are instead good, working initial
     tests written against the RFC and tested against Samba's AD DC in
     the mode backed by MIT Kerberos.

     This preserves clear authorship for the two distinct bodies of work,
     as in the next patch Joseph was able to extend and improve the tests
     significantly.
    ]

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit aa2c221f4e1bfc3403de857e62eaeaee1577560c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:49:58 2021 +1200

    tests/krb5: Check PADATA-FX-ERROR in reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 66e1eb58bedf036ad25a868993d44480c4e0e055
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 29 11:50:16 2021 +1200

    tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:50:20 2021 +1200

    tests/krb5: Check PADATA-PAC-OPTIONS in reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 29070e74baa18d94642efcd36930b9bab216e10c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:29:39 2021 +1200

    tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ab4e7028a6ac01eab9531c8a26507a912df54278
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Jul 28 20:49:25 2021 +1200

    tests/krb5: Make check_rep_padata() also work for checking TGS replies

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:49:12 2021 +1200

    tests/krb5: Check PADATA-FX-COOKIE in reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:36:56 2021 +1200

    tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 44a44109db96eab08a3da3683c34446bc13b295b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:42:26 2021 +1200

    tests/krb5: Adjust reply padata checking depending on whether FAST was sent

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 056fb71832e7aa16132c58ff393ab8b752ef6a93
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:31:39 2021 +1200

    tests/krb5: Check reply FAST padata if request included FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 7a27b75621908a4a6449efaecb54eb20fa45aca0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:25:39 2021 +1200

    tests/krb5: Check sname is krbtgt for FAST generic error

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit dbe98005d5873440063b91e56679937149535be7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 11:15:00 2021 +1200

    tests/krb5: Add get_krbtgt_sname() method

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5edbabeb26e110648d4588c90843e4715ec1ac5c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:26:06 2021 +1200

    tests/krb5: Remove unused variables

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 705e45e37f4752e283a80626be10c38b29232359
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:35:32 2021 +1200

    tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 16:21:14 2021 +1200

    tests/krb5: Add check_rep_padata() method to check padata in reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1389ba346df81c9ea1e1143c4e819212939f6aeb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 15:20:09 2021 +1200

    tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ea1ed63e8819926db1cf15974009601c7d37e944
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:18:29 2021 +1200

    tests/krb5: Include authdata in kdc_exchange_dict

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:05:59 2021 +1200

    tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict

    This is useful for testing the 'hide client names' FAST option.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0c029e780cf16a49c674593e8329eaf3b87aec69
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:34:49 2021 +1200

    tests/krb5: Check encrypted-pa-data

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 15:21:01 2021 +1200

    tests/krb5: Add methods to determine whether elements were included in the request

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 15:20:44 2021 +1200

    tests/krb5: Add functions to get dicts of request padata

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:42:57 2021 +1200

    tests/krb5: Check FAST response

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4ca05402b36ba13a987b07b2402906764d3cd49b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:10:13 2021 +1200

    tests/krb5: Add method to verify ticket checksum for FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b62488113f6053755f9be9faa9b757e7193074fa
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:04:37 2021 +1200

    tests/krb5: Add method to check PA-FX-FAST-REPLY

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:01:36 2021 +1200

    tests/krb5: Allow specifying parameters specific to the outer request body

    This is useful for testing FAST.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0df385fc49cc2693c195209936a29e31216df16d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 29 10:33:24 2021 +1200

    tests/krb5: Add FAST armor generation to _generic_kdc_exchange()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 29 10:33:10 2021 +1200

    tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d554b6dc0f4e14d154e487dc2a842321aa746155
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 29 10:19:46 2021 +1200

    tests/krb5: Include authenticator_subkey in AS-REQ exchange dict

    This is needed for FAST.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 74f332c6f9e31b933837cefee69b219054970713
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Jul 28 20:49:12 2021 +1200

    tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()

    This method will also be useful in checking TGS-REP error replies.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 080894067469d60e2c71961c2d1c1990ba15b917
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 12:49:05 2021 +1200

    tests/krb5: Add methods to calculate keys for FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit aafc86896969d02ff1daecdf2668bfa642860082
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 12:47:18 2021 +1200

    tests/krb5: Add method to generate FAST encrypted challenge padata

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 10:23:26 2021 +1200

    tests/krb5: Add more methods to create ASN1 objects for FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ec702900295100ae4e48ba57242eee6670bf30d6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 10:21:07 2021 +1200

    tests/krb5: Add more ASN1 definitions for FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 025737deb5325d25b2ae4c57583c24ae1d0eca33
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 13:59:36 2021 +1200

    tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b6f96dd6395a30e15fa906959cbe665757aaba8d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 11:06:35 2021 +1200

    tests/krb5: Ensure generated padata is not None

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Jul 28 19:27:02 2021 +1200

    tests/krb5: Add generate_ap_req() method

    This method will be useful to generate an AP-REQ for use as FAST armor.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4951a105b0448854115a7ecc3d867be6f34b0dcf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 12:52:42 2021 +1200

    tests/krb5: Check nonce in EncKDCRepPart

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 11:39:37 2021 +1200

    tests/krb5: Make checking less strict

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 11:34:19 2021 +1200

    tests/krb5: Check version number of obtained ticket

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 3d1066e923815782036bd11524fda110a2528951
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:39:42 2021 +1200

    tests/krb5: Assert that more variables are not None

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ba3c92f77b20e1e0d298cd92399dc69535739c27
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 10:37:48 2021 +1200

    tests/krb5: Ensure in assertElementPresent() that container elements are not empty

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 78818655505b3183251940e86270cd40bae73206
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 11:06:15 2021 +1200

    tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn

    This means that there can no longer be surprises where a test receives a
    reply when it was expecting an error, or vice versa.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 10:35:40 2021 +1200

    tests/krb5: Include kdc_options in kdc_exchange_dict

    Make kdc_options an element of kdc_exchange_dict instead of a parameter
    to _generic_kdc_exchange(). This allows testing code to adjust the reply
    checking based on the options that were specified in the request.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 21c64fda8f98d451e028ea483dbe351b1280390c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 10:32:52 2021 +1200

    tests/krb5: Always specify expected error code

    Now the expected error code is always determined by the test code
    itself rather than by generic_check_as_error().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Jul 26 17:19:04 2021 +1200

    tests/krb5: Add check_reply() method to check for AS or TGS reply

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 22 16:22:09 2021 +1200

    tests/krb5: Add method to calculate account salt

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 10:19:57 2021 +1200

    tests/krb5: Add more methods for obtaining machine and service credentials

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 11:25:55 2021 +1200

    tests/krb5: Allow specifying additional details when creating an account

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ce379edf2e135b105b18d35e24d732389de94291
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Aug 3 15:58:19 2021 +1200

    tests/krb5: Use encryption with admin credentials

    This ensures that account creation using admin credentials succeeds.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit bab7503e3043002b1422b00f40cd03a0a29538aa
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 22 16:27:17 2021 +1200

    tests/krb5: Add get_EpochFromKerberosTime()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit fe8912e4a85c5fd614ad3079b041c0e1975958e3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:27:47 2021 +1200

    tests/krb5: Make _test_as_exchange() return value more consistent

    Always return the reply and the kdc_exchange_dict so that the caller has
    more potentially useful information.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit cb332d83008aa97a60eaca9e008054f641d514d6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 12:51:54 2021 +1200

    tests/krb5: Add method to return dict containing padata elements

    This makes checking multiple padata elements easier.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f5a906f74f9665a894db3c13722022f732180620
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Jul 26 17:18:38 2021 +1200

    tests/krb5: Add get_enc_timestamp_pa_data_from_key()

    This makes it easier to create encrypted timestamp padata when the key
    has already been obtained.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 10:16:01 2021 +1200

    tests/krb5: Refactor get_pa_data()

    The function now returns a single padata object rather than a list,
    making it easier to combine multiple padata elements into a request.
    The new name 'get_enc_timestamp_pa_data' also makes it clearer as to
    what the method generates.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a5e5f8fdfe8b6952592d7d682af893c79080826f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 10:24:52 2021 +1200

    tests/krb5: Allow cf2 to automatically use the enctype of the first key

    RFC6113 states: "Unless otherwise specified, the resulting enctype of
    KRB-FX-CF2 is the enctype of k1." This change means the enctype no
    longer has to be specified manually.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 17d5a267298ccd7272e86fd24c2c608511cf46b7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 11:28:37 2021 +1200

    tests/krb5: Use credentials kvno when creating password key

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d6a242e20004217a0ce02dc4ef620a121e5944da
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 15:07:59 2021 +1200

    tests/krb5: Check Kerberos protocol version number

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Jul 28 17:00:09 2021 +1200

    tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 14:06:29 2021 +1200

    tests/krb5: Fix encpart_decryption_key with MIT KDC

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 11:12:34 2021 +1200

    tests/krb5: Fix callback_dict parameter

    Items contained in a default-created callback_dict should not be carried
    over between unrelated calls to {as,tgs}_as_exchange_dict().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 67ff72395cec2e5170c0ebae8db416a1f226df72
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Jul 26 17:14:08 2021 +1200

    tests/krb5: Fix including enc-authorization-data

    Remove the EncAuthorizationData parameters from AS_REQ_create(), since
    it should only be present in the TGS-REQ form. Also, fix a call to
    EncryptedData_create() to supply the key usage when creating
    enc-authorization-data.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a2b183c179e74634438c85a4b35518836ba59e47
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 27 13:49:27 2021 +1200

    tests/krb5: Remove magic constants

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 41c3e410344280d691e5a21fa5240ef52e71bd2d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Aug 3 15:03:00 2021 +1200

    tests/krb5: Simplify Python syntax

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 38b3a361819c716adb773fb3b4507c28d7d26c0d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Aug 2 17:10:32 2021 +1200

    tests/krb5: Use more compact dict lookup

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Aug 2 17:01:39 2021 +1200

    tests/krb5: Remove unneeded statements

    A return statement is redundant as the last statement in a method, as
    methods will otherwise return None. Also, code blocks consisting of a
    single 'pass' statement can be safely omitted.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit df6623363a7ec1a13af48a09e1d29fa8784e825c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Mon Aug 2 17:00:09 2021 +1200

    tests/krb5: formatting

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Jul 6 10:17:52 2021 +1200

    tests/krb5: Fix method name typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Thu Jul 22 16:26:17 2021 +1200

    tests/krb5: Fix comment typo

Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 4797ced89095155c01e44727cf8b66ee4fb39710 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 26 17:15:23 2021 +1200 tests/krb5: Fix ms_kile_client_principal_lookup_test errors Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 20 10:48:41 2021 +1200 pygensec: Don't modify Python bytes objects gensec_update() and gensec_unwrap() can both modify their input buffers (for example, during the inplace RRC operation on GSSAPI tokens). However, buffers obtained from Python bytes objects must not be modified in any way. Create a copy of the input buffer so the original isn't modified. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 814df05f8c10e9d82e6082d42ece1df569db4385 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 19 17:29:39 2021 +1200 pygensec: Fix memory leaks 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: .../samba/tests/krb5/as_canonicalization_tests.py | 4 - python/samba/tests/krb5/as_req_tests.py | 101 +- python/samba/tests/krb5/compatability_tests.py | 4 - python/samba/tests/krb5/fast_tests.py | 1562 ++++++++++++++++++++ python/samba/tests/krb5/kcrypto.py | 12 +- python/samba/tests/krb5/kdc_base_test.py | 187 ++- python/samba/tests/krb5/kdc_tests.py | 27 +- python/samba/tests/krb5/kdc_tgs_tests.py | 18 +- .../krb5/ms_kile_client_principal_lookup_tests.py | 71 +- python/samba/tests/krb5/raw_testcase.py | 1504 ++++++++++++++----- python/samba/tests/krb5/rfc4120.asn1 | 106 +- python/samba/tests/krb5/rfc4120_constants.py | 41 + python/samba/tests/krb5/rfc4120_pyasn1.py | 100 +- python/samba/tests/krb5/s4u_tests.py | 4 - python/samba/tests/krb5/simple_tests.py | 4 - python/samba/tests/krb5/xrealm_tests.py | 4 - python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 50 + selftest/knownfail_mit_kdc | 53 + source4/auth/gensec/gensec_gssapi.c | 4 + source4/auth/gensec/pygensec.c | 59 +- source4/selftest/tests.py | 8 + 22 files changed, 3379 insertions(+), 545 deletions(-) create mode 100755 python/samba/tests/krb5/fast_tests.py Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index abb3f96a1e6..29d8cf418f5 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -257,8 +257,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) 
@@ -314,8 +312,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 10e7b603609..fd258e8164a 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -24,8 +24,10 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests import DynamicTestCase from samba.tests.krb5.kdc_base_test import KDCBaseTest +import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, KU_PA_ENC_TIMESTAMP, NT_PRINCIPAL, @@ -46,7 +48,6 @@ class AsReqKerberosTests(KDCBaseTest): tname = "%s_pac_%s" % (name, pac) targs = (idx, pac) cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) - return def setUp(self): super(AsReqKerberosTests, self).setUp() 
@@ -69,32 +70,43 @@ class AsReqKerberosTests(KDCBaseTest): sname = self.PrincipalName_create(name_type=NT_SRV_INST, names=[krbtgt_account, realm]) - expected_error_mode = KDC_ERR_PREAUTH_REQUIRED expected_crealm = realm expected_cname = cname expected_srealm = realm expected_sname = sname expected_salt = client_creds.get_forced_salt() + if any(etype in client_as_etypes and etype in initial_etypes + for etype in (kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4)): + expected_error_mode = KDC_ERR_PREAUTH_REQUIRED + else: + expected_error_mode = KDC_ERR_ETYPE_NOSUPP + def _generate_padata_copy(_kdc_exchange_dict, _callback_dict, req_body): return initial_padata, req_body + generate_padata_fn = (_generate_padata_copy + if initial_padata is not None + else None) + kdc_exchange_dict = self.as_exchange_dict( - expected_crealm=expected_crealm, - expected_cname=expected_cname, - expected_srealm=expected_srealm, - expected_sname=expected_sname, - generate_padata_fn=_generate_padata_copy, - check_error_fn=self.generic_check_as_error, - check_rep_fn=self.generic_check_kdc_rep, - expected_error_mode=expected_error_mode, - client_as_etypes=client_as_etypes, - expected_salt=expected_salt) + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + generate_padata_fn=generate_padata_fn, + check_error_fn=self.generic_check_kdc_error, + check_rep_fn=None, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt, + kdc_options=str(initial_kdc_options)) rep = self._generic_kdc_exchange(kdc_exchange_dict, - kdc_options=str(initial_kdc_options), cname=cname, realm=realm, sname=sname, 
@@ -142,20 +154,21 @@ class AsReqKerberosTests(KDCBaseTest): initial_kdc_options = krb5_asn1.KDCOptions('forwardable') initial_error_mode = KDC_ERR_PREAUTH_REQUIRED - etype_info2 = self._test_as_exchange(cname, - realm, - sname, - till, - client_as_etypes, - initial_error_mode, - expected_crealm, - expected_cname, - expected_srealm, - expected_sname, - expected_salt, - initial_etypes, - initial_padata, - initial_kdc_options) + rep, kdc_exchange_dict = self._test_as_exchange(cname, + realm, + sname, + till, + client_as_etypes, + initial_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + initial_etypes, + initial_padata, + initial_kdc_options) + etype_info2 = kdc_exchange_dict['preauth_etype_info2'] self.assertIsNotNone(etype_info2) preauth_key = self.PasswordKey_from_etype_info2(client_creds, @@ -180,24 +193,24 @@ class AsReqKerberosTests(KDCBaseTest): krbtgt_decryption_key = ( self.TicketDecryptionKey_from_creds(krbtgt_creds)) - as_rep = self._test_as_exchange(cname, - realm, - sname, - till, - client_as_etypes, - preauth_error_mode, - expected_crealm, - expected_cname, - expected_srealm, - expected_sname, - expected_salt, - preauth_etypes, - preauth_padata, - preauth_kdc_options, - preauth_key=preauth_key, - ticket_decryption_key=krbtgt_decryption_key) + as_rep, kdc_exchange_dict = self._test_as_exchange( + cname, + realm, + sname, + till, + client_as_etypes, + preauth_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + preauth_etypes, + preauth_padata, + preauth_kdc_options, + preauth_key=preauth_key, + ticket_decryption_key=krbtgt_decryption_key) self.assertIsNotNone(as_rep) - return if __name__ == "__main__": global_asn1_print = True diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 5a1ef02ef80..cd67549212a 100755 --- a/python/samba/tests/krb5/compatability_tests.py 
+++ b/python/samba/tests/krb5/compatability_tests.py @@ -147,8 +147,6 @@ class SimpleKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) @@ -209,8 +207,6 @@ class SimpleKerberosTests(RawKerberosTest): nonce=0x7fffffff, etypes=etypes, addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py new file mode 100755 index 00000000000..e38b2e0a6e1 --- /dev/null +++ b/python/samba/tests/krb5/fast_tests.py 
@@ -0,0 +1,1562 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import functools +import os +import sys + +import ldb + +from samba.dcerpc import security +from samba.tests.krb5.raw_testcase import ( + KerberosTicketCreds, + Krb5EncryptionKey +) +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.rfc4120_constants import ( + AD_FX_FAST_ARMOR, + AD_FX_FAST_USED, + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + FX_FAST_ARMOR_AP_REQUEST, + KDC_ERR_ETYPE_NOSUPP, + KDC_ERR_GENERIC, + KDC_ERR_NOT_US, + KDC_ERR_PREAUTH_FAILED, + KDC_ERR_PREAUTH_REQUIRED, + KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, + KRB_AS_REP, + KRB_TGS_REP, + KU_AS_REP_ENC_PART, + KU_TICKET, + NT_PRINCIPAL, + NT_SRV_INST, + NT_WELLKNOWN, + PADATA_FX_COOKIE, + PADATA_FX_FAST, + PADATA_PAC_OPTIONS +) +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba.tests.krb5.kcrypto as kcrypto + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class FAST_Tests(KDCBaseTest): + @classmethod + def setUpClass(cls): + super().setUpClass() + + cls.user_tgt = None + cls.user_enc_part = None + cls.user_service_ticket = None + + cls.mach_tgt = None + cls.mach_enc_part = None + 
cls.mach_service_ticket = None + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_simple(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata + } + ]) + + def test_simple_tgs(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt + } + ]) + + def test_simple_tgs_wrong_principal(self): + mach_creds = self.get_mach_creds() + mach_name = mach_creds.get_username() + expected_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[mach_name]) + + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_mach_tgt, + 'expected_cname': expected_cname + } + ]) + + def test_simple_tgs_service_ticket(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_NOT_US, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_service_ticket, + } + ]) + + def test_simple_tgs_service_ticket_mach(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_NOT_US, + 'use_fast': False, + 'gen_tgt_fn': self.get_mach_service_ticket, + } + ]) + + def test_fast_no_claims(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0' + } + 
]) + + def test_fast_tgs_no_claims(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'pac_options': '0' + } + ]) + + def test_fast_no_claims_or_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0', + 'kdc_options': '0' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'pac_options': '0', + 'kdc_options': '0' + } + ]) + + def test_fast_tgs_no_claims_or_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'pac_options': '0', + 'kdc_options': '0' + } + ]) + + def test_fast_no_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'kdc_options': '0' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'kdc_options': '0' + } + ]) + + def test_fast_tgs_no_canon(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'kdc_options': '0' + } + ]) + + def test_simple_tgs_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': False, + 
'gen_tgt_fn': self.get_mach_tgt, + 'etypes': () + } + ]) + + def test_fast_tgs_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': True, + 'gen_tgt_fn': self.get_mach_tgt, + 'fast_armor': None, + 'etypes': () + } + ]) + + def test_simple_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': False, + 'etypes': () + } + ]) + + def test_simple_fast_no_etypes(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'etypes': () + } + ]) + + def test_empty_fast(self): + # Add an empty PA-FX-FAST in the initial AS-REQ. This should get + # rejected with a Generic error. -- Samba Shared Repository
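
Review bot: In the as_req_tests.py hunk at @@ -69,32 +70,43 @@, the any() expression that chooses between KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_ETYPE_NOSUPP hard-codes the tuple (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128, kcrypto.Enctype.RC4) with no comment saying why these three enctypes decide the expected error. A one-line comment, or a named tuple shared by the tests, would make the expectation reviewable and keep it in one place. In the same hunk, _generate_padata_copy is still defined when initial_padata is None and generate_padata_fn becomes None, so the closure is dead code on that path.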
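
Review bot: In the as_req_tests.py hunk at @@ -142,20 +154,21 @@, etype_info2 is read with kdc_exchange_dict['preauth_etype_info2'], so if the exchange never stores that key the test stops with a KeyError instead of reaching the self.assertIsNotNone(etype_info2) on the next line. Assert that the key is present first, or use kdc_exchange_dict.get('preauth_etype_info2'), so the failure is reported by the assertion. The rep value unpacked from _test_as_exchange() is also unused in this call; naming it _ would make that explicit.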
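
Review bot: In the new fast_tests.py, sys.path.insert(0, "bin/python") and the os.environ["PYTHONUNBUFFERED"] = "1" assignment sit after the ldb and samba.* imports, so the path entry cannot influence which samba modules get loaded; the as_req_tests.py context in this same patch shows the PYTHONUNBUFFERED line ahead of its samba imports. Move both statements above the import block to match. Separately, test_simple_tgs_wrong_principal expects error mode 0 with get_mach_tgt and a machine expected_cname; a short comment stating what "wrong principal" means here and why success is expected would help the next reader.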