The branch, master has been updated
       via  221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
       via  9844a331864 tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
       via  d5cb6a1449d tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
       via  f03f304deb3 tests/krb5: Adjust unknown critical FAST option test
       via  7d14aedd3dc tests/krb5: Add test for FAST with invalid ticket checksum
       via  aa38476d89d tests/krb5: Remove magic flag constants
       via  45d81d56abe tests/krb5: Allow additional unexpected padata types
       via  6bf3610c5dc tests/krb5: Make edata checking less strict
       via  dfe6ef6f3ec tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
       via  9c050a4a03a tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
       via  1eb1049d2bd tests/krb5: Don't request renewable tickets
       via  f8e55b3670c tests/krb5: Adjust expected error codes for FAST tests
      from  8bd7b316bd6 kdc: Canonicalize realm for enterprise principals
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 221569a14c8ecd529eae5c8c021cffe65324afec
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 6 14:54:31 2021 +1300

    tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors

    A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
    PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce them
    in that case.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Dec 7 08:32:42 UTC 2021 on sn-devel-184

commit 9844a331864ff44645d15e946707fe5278f97ae6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 6 13:06:52 2021 +1300

    tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d5cb6a1449db10f2ab287798704c035f793f584c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:17:27 2021 +1300

    tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f03f304deb30522ed5bdc0875cf3b5233ef6ddc5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:16:32 2021 +1300

    tests/krb5: Adjust unknown critical FAST option test

    Heimdal does not check FAST options when no preauth data is supplied, so
    the original test could not pass against Heimdal.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7d14aedd3dc904d4341d06c8b38d6e94e780ea71
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:15:12 2021 +1300

    tests/krb5: Add test for FAST with invalid ticket checksum
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit aa38476d89d4a41bef63f3814dd921c4dd4e103f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:14:50 2021 +1300

    tests/krb5: Remove magic flag constants

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 45d81d56abeb5dbc63471ef45bf6473d3ebf5189
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 7 10:59:27 2021 +1300

    tests/krb5: Allow additional unexpected padata types

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6bf3610c5dc729cf1dd0b6b63d85e512c25e99c3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 7 15:45:06 2021 +1300

    tests/krb5: Make edata checking less strict

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 18 13:44:32 2021 +1300

    tests/krb5: Add tests for FAST with use-session-key flag and armor ticket

    This flag should be ignored and the FAST armor key used instead.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c050a4a03a8bb1dd8b25a1e800942ce1da68710
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 16 19:56:24 2021 +1300

    tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1eb1049d2bdd44af95da820b3dcb5ccd94e4c231
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 16 19:55:44 2021 +1300

    tests/krb5: Don't request renewable tickets

    This is not necessary for testing FAST, and was causing some of the tests
    to fail.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f8e55b3670c221e5d880c79d0def7be82819e435
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 16 19:55:17 2021 +1300

    tests/krb5: Adjust expected error codes for FAST tests

    This allows more of the tests to pass.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/fast_tests.py        | 256 +++++++++++++++++++++------
 python/samba/tests/krb5/raw_testcase.py      |  67 +++++--
 python/samba/tests/krb5/rfc4120.asn1         |   3 +-
 python/samba/tests/krb5/rfc4120_constants.py |   4 +
 python/samba/tests/krb5/rfc4120_pyasn1.py    |   3 +-
 selftest/knownfail_heimdal_kdc               |  15 +-
 selftest/knownfail_mit_kdc                   |   6 +-
 7 files changed, 262 insertions(+), 92 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 66cbf23978a..54b74c067e8 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -24,8 +24,8 @@ import collections import ldb -from samba.dcerpc import security -from samba.tests.krb5.raw_testcase import Krb5EncryptionKey +from samba.dcerpc import krb5pac, security +from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, ZeroedChecksumKey from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.rfc4120_constants import ( AD_FX_FAST_ARMOR, 
@@ -33,15 +33,21 @@ from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, FX_FAST_ARMOR_AP_REQUEST, + KDC_ERR_BAD_INTEGRITY, KDC_ERR_ETYPE_NOSUPP, KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN, + KDC_ERR_MODIFIED, KDC_ERR_NOT_US, + KDC_ERR_POLICY, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED, + KDC_ERR_SKEW, KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, KRB_AS_REP, KRB_TGS_REP, + KU_TGS_REQ_AUTH_DAT_SESSION, + KU_TGS_REQ_AUTH_DAT_SUBKEY, NT_PRINCIPAL, NT_SRV_HST, NT_SRV_INST, @@ -134,12 +140,14 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, 'sname': None, - 'expected_sname': expected_sname + 'expected_sname': expected_sname, + 'strict_edata_checking': False } ]) @@ -154,7 +162,8 @@ class FAST_Tests(KDCBaseTest): 'gen_tgt_fn': self.get_user_tgt, 'fast_armor': None, 'sname': None, - 'expected_sname': expected_sname + 'expected_sname': expected_sname, + 'strict_edata_checking': False } ]) @@ -164,14 +173,16 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, 'inner_req': { 'sname': None # should be ignored }, - 'expected_sname': expected_sname + 'expected_sname': expected_sname, + 'strict_edata_checking': False } ]) 
@@ -181,14 +192,16 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'gen_tgt_fn': self.get_user_tgt, 'fast_armor': None, 'inner_req': { 'sname': None # should be ignored }, - 'expected_sname': expected_sname + 'expected_sname': expected_sname, + 'strict_edata_checking': False } ]) @@ -206,7 +219,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_NOT_US, + 'expected_error_mode': (KDC_ERR_NOT_US, + KDC_ERR_POLICY), 'use_fast': False, 'gen_tgt_fn': self.get_user_service_ticket, 'expect_edata': False @@ -217,7 +231,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_NOT_US, + 'expected_error_mode': (KDC_ERR_NOT_US, + KDC_ERR_POLICY), 'use_fast': False, 'gen_tgt_fn': self.get_mach_service_ticket, 'expect_edata': False @@ -346,7 +361,8 @@ class FAST_Tests(KDCBaseTest): 'use_fast': True, 'gen_tgt_fn': self.get_mach_tgt, 'fast_armor': None, - 'etypes': () + 'etypes': (), + 'strict_edata_checking': False } ]) @@ -368,7 +384,8 @@ class FAST_Tests(KDCBaseTest): 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, - 'etypes': () + 'etypes': (), + 'strict_edata_checking': False } ]) @@ -378,7 +395,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_PREAUTH_FAILED), 'use_fast': True, 'gen_fast_fn': self.generate_empty_fast, 'fast_armor': None, 
@@ -389,10 +407,18 @@ class FAST_Tests(KDCBaseTest): def test_fast_unknown_critical_option(self): self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt + }, { 'rep_type': KRB_AS_REP, 'expected_error_mode': KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, 'fast_options': '001', # unsupported critical option 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt @@ -403,7 +429,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_PREAUTH_FAILED), 'use_fast': True, 'fast_armor': None, # no armor, 'gen_armor_tgt_fn': self.get_mach_tgt, @@ -500,7 +527,8 @@ class FAST_Tests(KDCBaseTest): }, { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, + 'expected_error_mode': (KDC_ERR_PREAUTH_FAILED, + KDC_ERR_PREAUTH_REQUIRED), 'use_fast': False, 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key } @@ -509,8 +537,8 @@ class FAST_Tests(KDCBaseTest): def test_fast_encrypted_challenge_clock_skew(self): # The KDC is supposed to confirm that the timestamp is within its # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 - # 5.4.6). However, Windows accepts a skewed timestamp in the encrypted - # challenge. + # 5.4.6). However, this test fails against Windows, which accepts a + # skewed timestamp in the encrypted challenge. self._run_test_sequence([ { 'rep_type': KRB_AS_REP, @@ -521,7 +549,7 @@ class FAST_Tests(KDCBaseTest): }, { 'rep_type': KRB_AS_REP, - 'expected_error_mode': 0, + 'expected_error_mode': KDC_ERR_SKEW, 'use_fast': True, 'gen_padata_fn': functools.partial( self.generate_enc_challenge_padata, 
@@ -533,21 +561,14 @@ class FAST_Tests(KDCBaseTest): def test_fast_invalid_tgt(self): # The armor ticket 'sname' field is required to identify the target - # realm TGS (RFC6113 5.4.1.1). However, Windows will still accept a - # service ticket identifying a different server principal. + # realm TGS (RFC6113 5.4.1.1). However, this test fails against + # Windows, which will still accept a service ticket identifying a + # different server principal. self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, - 'use_fast': True, - 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, - 'gen_armor_tgt_fn': self.get_user_service_ticket - }, - { - 'rep_type': KRB_AS_REP, - 'expected_error_mode': 0, + 'expected_error_mode': KDC_ERR_POLICY, 'use_fast': True, - 'gen_padata_fn': self.generate_enc_challenge_padata, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_user_service_ticket # ticket not identifying TGS of current 
@@ -555,24 +576,33 @@ class FAST_Tests(KDCBaseTest): } ]) + # Similarly, this test fails against Windows, which accepts a service + # ticket identifying a different server principal. def test_fast_invalid_tgt_mach(self): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'expected_error_mode': KDC_ERR_POLICY, 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_service_ticket - }, + # ticket not identifying TGS of current + # realm + } + ]) + + def test_fast_invalid_checksum_tgt(self): + # The armor ticket 'sname' field is required to identify the target + # realm TGS (RFC6113 5.4.1.1). However, this test fails against + # Windows, which will still accept a service ticket identifying a + # different server principal even if the ticket checksum is invalid. + self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': 0, + 'expected_error_mode': KDC_ERR_POLICY, 'use_fast': True, - 'gen_padata_fn': self.generate_enc_challenge_padata, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, - 'gen_armor_tgt_fn': self.get_mach_service_ticket - # ticket not identifying TGS of current - # realm + 'gen_armor_tgt_fn': self.get_service_ticket_invalid_checksum } ]) 
@@ -639,6 +669,42 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_session_key(self): + # Ensure that specified APOptions are ignored. + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key')) + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key')) + } + ]) + + def test_fast_tgs_armor_session_key(self): + # Ensure that specified APOptions are ignored. + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'fast_ap_options': str(krb5_asn1.APOptions('use-session-key')) + } + ]) + def test_fast_outer_wrong_realm(self): self._run_test_sequence([ { @@ -862,8 +928,8 @@ class FAST_Tests(KDCBaseTest): # Add the 'FAST used' auth data and it now fails. { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, - # should be KRB_APP_ERR_MODIFIED + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_GENERIC), 'use_fast': False, 'gen_authdata_fn': self.generate_fast_used_auth_data, 'gen_tgt_fn': self.get_user_tgt, @@ -889,7 +955,8 @@ class FAST_Tests(KDCBaseTest): # Add the 'FAST armor' auth data and it now fails. { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_BAD_INTEGRITY), 'use_fast': True, 'gen_authdata_fn': self.generate_fast_armor_auth_data, 'gen_tgt_fn': self.get_user_tgt, 
@@ -941,7 +1008,8 @@ class FAST_Tests(KDCBaseTest): # fails. { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_BAD_INTEGRITY), 'use_fast': True, 'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data, 'fast_armor': None, @@ -950,6 +1018,32 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_ad_fx_fast_armor_enc_auth_data(self): + # If the authenticator or TGT authentication data contains the + # AD-fx-fast-armor authdata type, the KDC must reject the request + # (RFC6113 5.4.2). However, the KDC should not reject a request that + # contains this authdata type in enc-authorization-data. + self._run_test_sequence([ + # This request works. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + }, + # Add AD-fx-fast-armor authdata element to + # enc-authorization-data. This request also works. + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_enc_authdata_fn': self.generate_fast_armor_auth_data, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None + } + ]) + def test_fast_ad_fx_fast_armor_ticket2(self): self._run_test_sequence([ # Show that we can still use the modified ticket as armor. @@ -976,7 +1070,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_NOT_US, + 'expected_error_mode': (KDC_ERR_NOT_US, + KDC_ERR_POLICY), 'use_fast': True, 'gen_tgt_fn': self.get_user_service_ticket, # fails 'fast_armor': None @@ -987,7 +1082,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_NOT_US, # fails + 'expected_error_mode': (KDC_ERR_NOT_US, # fails + KDC_ERR_POLICY), 'use_fast': True, 'gen_tgt_fn': self.get_mach_service_ticket, 'fast_armor': None 
@@ -1013,7 +1109,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, - 'expected_error_mode': KDC_ERR_GENERIC, + 'expected_error_mode': (KDC_ERR_GENERIC, + KDC_ERR_PREAUTH_FAILED), 'use_fast': True, 'gen_tgt_fn': self.get_user_tgt, 'fast_armor': None, @@ -1031,7 +1128,8 @@ class FAST_Tests(KDCBaseTest): 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, - 'fast_options': '01', # hide client names + 'fast_options': str(krb5_asn1.FastOptions( + 'hide-client-names')), 'expected_anon': True }, { @@ -1041,7 +1139,8 @@ class FAST_Tests(KDCBaseTest): 'gen_padata_fn': self.generate_enc_challenge_padata, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, - 'fast_options': '01', # hide client names + 'fast_options': str(krb5_asn1.FastOptions( + 'hide-client-names')), 'expected_anon': True } ]) @@ -1054,7 +1153,8 @@ class FAST_Tests(KDCBaseTest): 'use_fast': True, 'gen_tgt_fn': self.get_user_tgt, 'fast_armor': None, - 'fast_options': '01', # hide client names + 'fast_options': str(krb5_asn1.FastOptions( + 'hide-client-names')), 'expected_anon': True } ]) @@ -1161,9 +1261,7 @@ class FAST_Tests(KDCBaseTest): self.check_kdc_fast_support() kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' - 'renewable,' - 'canonicalize,' - 'renewable-ok')) + 'canonicalize')) client_creds = self.get_client_creds() target_creds = self.get_service_creds() 
@@ -1362,6 +1460,21 @@ class FAST_Tests(KDCBaseTest): else: auth_data = None + gen_enc_authdata_fn = kdc_dict.pop('gen_enc_authdata_fn', None) + if gen_enc_authdata_fn is not None: + enc_auth_data = [gen_enc_authdata_fn()] + + enc_auth_data_key = authenticator_subkey + enc_auth_data_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY + if enc_auth_data_key is None: + enc_auth_data_key = tgt.session_key + enc_auth_data_usage = KU_TGS_REQ_AUTH_DAT_SESSION + else: + enc_auth_data = None + + enc_auth_data_key = None + enc_auth_data_usage = None + if not use_fast: self.assertNotIn('inner_req', kdc_dict) self.assertNotIn('outer_req', kdc_dict) @@ -1375,6 +1488,10 @@ class FAST_Tests(KDCBaseTest): if unexpected_flags is not None: unexpected_flags = krb5_asn1.TicketFlags(unexpected_flags) + fast_ap_options = kdc_dict.pop('fast_ap_options', None) + + strict_edata_checking = kdc_dict.pop('strict_edata_checking', True) + if rep_type == KRB_AS_REP: kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, @@ -1409,6 +1526,8 @@ class FAST_Tests(KDCBaseTest): outer_req=outer_req, pac_request=True, pac_options=pac_options, + fast_ap_options=fast_ap_options, + strict_edata_checking=strict_edata_checking, expect_edata=expect_edata) else: # KRB_TGS_REP kdc_exchange_dict = self.tgs_exchange_dict( @@ -1443,15 +1562,21 @@ class FAST_Tests(KDCBaseTest): outer_req=outer_req, -- Samba Shared Repository
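Review bot: The tuple form of 'expected_error_mode' introduced in the hunks from @@ -134,12 +140,14 @@ onward, for example (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN) and (KDC_ERR_NOT_US, KDC_ERR_POLICY), is consumed by raw_testcase.py, which falls beyond the 500-line truncation, so it is not visible here whether the check is "any of these codes" or an equality comparison against the tuple; please confirm it is the former. Each tuple site should also carry a short comment naming which KDC (Heimdal, MIT, Windows) returns which code, because accepting either value means a KDC that silently degrades from the specific code to KDC_ERR_GENERIC would no longer be caught by these tests.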
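Review bot: In the hunk at @@ -389,10 +407,18 @@ (test_fast_unknown_critical_option) 'fast_options': '001' remains a raw bit-string literal, while the hide-client-names sites later in the same changeset (@@ -1031,7 +1128,8 @@ and the two hunks after it) are converted to str(krb5_asn1.FastOptions('hide-client-names')). There is no named option for an unassigned bit, so the literal is probably unavoidable, but the comment '# unsupported critical option' should state which bit it sets and that RFC 6113 treats the low-numbered FastOptions bits as critical, so that the 'Remove magic flag constants' commit does not leave one unexplained magic value behind.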
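Review bot: In @@ -521,7 +549,7 @@ the expected result for the skewed encrypted-challenge timestamp changes from 0 to KDC_ERR_SKEW, and the comment rewritten in @@ -509,8 +537,8 @@ now says the test fails against Windows; the diffstat only touches selftest/knownfail_heimdal_kdc and selftest/knownfail_mit_kdc, so if this file is ever run against a Windows KDC there is no knownfail entry to match. Either note at the test that a Windows run is expected to fail, or make the Windows behaviour a second accepted code in the same tuple form used elsewhere in this series.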
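Review bot: test_fast_invalid_checksum_tgt in @@ -555,24 +576,33 @@ cannot tell which defect the KDC rejected: it uses get_service_ticket_invalid_checksum, a service ticket whose sname is not the TGS, which test_fast_invalid_tgt_mach already shows fails with KDC_ERR_POLICY on its own, and then expects the very same KDC_ERR_POLICY once the checksum is also corrupted. A KDC that never verified the ticket checksum would pass this test. Add a companion case that takes a ticket with the correct sname (get_mach_tgt) and only an invalid checksum, so the integrity check is exercised independently and gets its own expected error code.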
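Review bot: In @@ -862,8 +928,8 @@ the comment '# should be KRB_APP_ERR_MODIFIED' is dropped when the expectation becomes (KDC_ERR_MODIFIED, KDC_ERR_GENERIC), so the reader loses the information that KDC_ERR_MODIFIED is the intended code and KDC_ERR_GENERIC the tolerated deviation. The ordering is also inconsistent with the two following hunks, @@ -889,7 +955,8 @@ and @@ -941,7 +1008,8 @@, which write (KDC_ERR_GENERIC, KDC_ERR_BAD_INTEGRITY) with the generic code first. Pick one convention (RFC-expected code first) and keep the comment.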
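Review bot: test_fast_ad_fx_fast_armor_enc_auth_data in @@ -950,6 +1018,32 @@ only asserts 'expected_error_mode': 0 for the request that carries AD-fx-fast-armor in enc-authorization-data; it does not check what the KDC did with the element. If the KDC copies enc-authorization-data into the issued ticket, that ticket would then carry AD-fx-fast-armor in its authorization data, which the preceding hunks (@@ -889,7 +955,8 @@ and @@ -941,7 +1008,8 @@) require the KDC to reject when it appears in a TGT. Consider decrypting the returned ticket and asserting the element was not copied, or feeding the ticket back as armor in a follow-up step the way test_fast_ad_fx_fast_armor_ticket2 does.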
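Review bot: @@ -1161,9 +1261,7 @@ removes 'renewable' and 'renewable-ok' from kdc_options_default, which changes every exchange driven by this file rather than only the tests that were failing, and commit 9844a331864 separately tolerates a 'renew-till' element only when STRICT_CHECKING=0, so renewability is no longer exercised by fast_tests.py at all. That is acceptable for FAST coverage, but the commit message ('was causing some of the tests to fail') does not say which check failed; a one-line comment at the assignment saying why the flags were dropped would stop the next person from adding them back.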
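Review bot: In @@ -1362,6 +1460,21 @@ the fallback "enc_auth_data_key = tgt.session_key" with KU_TGS_REQ_AUTH_DAT_SESSION assumes a TGS exchange: both key usages are TGS-REQ usages, and for an AS exchange there is no TGT or authenticator subkey, so a test that set 'gen_enc_authdata_fn' together with 'rep_type': KRB_AS_REP would die with an AttributeError on tgt rather than a clear assertion. Guard the branch with self.assertEqual(rep_type, KRB_TGS_REP) (rep_type is already in scope, it is tested a few lines further down), mirroring the existing self.assertNotIn('inner_req', kdc_dict) style of guard in the 'if not use_fast:' block.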