The branch, master has been updated
       via  221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
       via  9844a331864 tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
       via  d5cb6a1449d tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
       via  f03f304deb3 tests/krb5: Adjust unknown critical FAST option test
       via  7d14aedd3dc tests/krb5: Add test for FAST with invalid ticket checksum
       via  aa38476d89d tests/krb5: Remove magic flag constants
       via  45d81d56abe tests/krb5: Allow additional unexpected padata types
       via  6bf3610c5dc tests/krb5: Make edata checking less strict
       via  dfe6ef6f3ec tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
       via  9c050a4a03a tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
       via  1eb1049d2bd tests/krb5: Don't request renewable tickets
       via  f8e55b3670c tests/krb5: Adjust expected error codes for FAST tests
      from  8bd7b316bd6 kdc: Canonicalize realm for enterprise principals

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 221569a14c8ecd529eae5c8c021cffe65324afec
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 6 14:54:31 2021 +1300

    tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
    
    A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
    PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
    them in that case.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Dec  7 08:32:42 UTC 2021 on sn-devel-184

commit 9844a331864ff44645d15e946707fe5278f97ae6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 6 13:06:52 2021 +1300

    tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d5cb6a1449db10f2ab287798704c035f793f584c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:17:27 2021 +1300

    tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f03f304deb30522ed5bdc0875cf3b5233ef6ddc5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:16:32 2021 +1300

    tests/krb5: Adjust unknown critical FAST option test
    
    Heimdal does not check FAST options when no preauth data is supplied, so
    the original test could not pass against Heimdal.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7d14aedd3dc904d4341d06c8b38d6e94e780ea71
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:15:12 2021 +1300

    tests/krb5: Add test for FAST with invalid ticket checksum
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit aa38476d89d4a41bef63f3814dd921c4dd4e103f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 17 20:14:50 2021 +1300

    tests/krb5: Remove magic flag constants
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 45d81d56abeb5dbc63471ef45bf6473d3ebf5189
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 7 10:59:27 2021 +1300

    tests/krb5: Allow additional unexpected padata types
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6bf3610c5dc729cf1dd0b6b63d85e512c25e99c3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 7 15:45:06 2021 +1300

    tests/krb5: Make edata checking less strict
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 18 13:44:32 2021 +1300

    tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
    
    This flag should be ignored and the FAST armor key used instead.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c050a4a03a8bb1dd8b25a1e800942ce1da68710
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 16 19:56:24 2021 +1300

    tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1eb1049d2bdd44af95da820b3dcb5ccd94e4c231
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 16 19:55:44 2021 +1300

    tests/krb5: Don't request renewable tickets
    
    This is not necessary for testing FAST, and was causing some of the
    tests to fail.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f8e55b3670c221e5d880c79d0def7be82819e435
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 16 19:55:17 2021 +1300

    tests/krb5: Adjust expected error codes for FAST tests
    
    This allows more of the tests to pass.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/fast_tests.py        | 256 +++++++++++++++++++++------
 python/samba/tests/krb5/raw_testcase.py      |  67 +++++--
 python/samba/tests/krb5/rfc4120.asn1         |   3 +-
 python/samba/tests/krb5/rfc4120_constants.py |   4 +
 python/samba/tests/krb5/rfc4120_pyasn1.py    |   3 +-
 selftest/knownfail_heimdal_kdc               |  15 +-
 selftest/knownfail_mit_kdc                   |   6 +-
 7 files changed, 262 insertions(+), 92 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/fast_tests.py 
b/python/samba/tests/krb5/fast_tests.py
index 66cbf23978a..54b74c067e8 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -24,8 +24,8 @@ import collections
 
 import ldb
 
-from samba.dcerpc import security
-from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
+from samba.dcerpc import krb5pac, security
+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, ZeroedChecksumKey
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 from samba.tests.krb5.rfc4120_constants import (
     AD_FX_FAST_ARMOR,
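Review bot: `krb5pac` and `ZeroedChecksumKey` are imported here but no visible hunk uses either name; since the changeset is truncated at 500 lines, please confirm they are referenced in the omitted part (presumably by `get_service_ticket_invalid_checksum`, which `test_fast_invalid_checksum_tgt` calls), otherwise these are dead imports.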
@@ -33,15 +33,21 @@ from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
     ARCFOUR_HMAC_MD5,
     FX_FAST_ARMOR_AP_REQUEST,
+    KDC_ERR_BAD_INTEGRITY,
     KDC_ERR_ETYPE_NOSUPP,
     KDC_ERR_GENERIC,
     KDC_ERR_S_PRINCIPAL_UNKNOWN,
+    KDC_ERR_MODIFIED,
     KDC_ERR_NOT_US,
+    KDC_ERR_POLICY,
     KDC_ERR_PREAUTH_FAILED,
     KDC_ERR_PREAUTH_REQUIRED,
+    KDC_ERR_SKEW,
     KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
     KRB_AS_REP,
     KRB_TGS_REP,
+    KU_TGS_REQ_AUTH_DAT_SESSION,
+    KU_TGS_REQ_AUTH_DAT_SUBKEY,
     NT_PRINCIPAL,
     NT_SRV_HST,
     NT_SRV_INST,
@@ -134,12 +140,14 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_S_PRINCIPAL_UNKNOWN),
                 'use_fast': True,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'sname': None,
-                'expected_sname': expected_sname
+                'expected_sname': expected_sname,
+                'strict_edata_checking': False
             }
         ])
 
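Review bot: widening `expected_error_mode` to a tuple such as `(KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN)` makes the assertion accept either code from any KDC, so an implementation that later switches from one code to the other would pass silently. A short comment on each tuple saying which KDC (Heimdal, MIT, Windows) produces which code would preserve that information; the same applies to the other tuples this patch introduces. Likewise `'strict_edata_checking': False` should say which e-data deviation is being tolerated in this step.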
@@ -154,7 +162,8 @@ class FAST_Tests(KDCBaseTest):
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
                 'sname': None,
-                'expected_sname': expected_sname
+                'expected_sname': expected_sname,
+                'strict_edata_checking': False
             }
         ])
 
@@ -164,14 +173,16 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_S_PRINCIPAL_UNKNOWN),
                 'use_fast': True,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'inner_req': {
                     'sname': None  # should be ignored
                 },
-                'expected_sname': expected_sname
+                'expected_sname': expected_sname,
+                'strict_edata_checking': False
             }
         ])
 
@@ -181,14 +192,16 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_S_PRINCIPAL_UNKNOWN),
                 'use_fast': True,
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
                 'inner_req': {
                     'sname': None  # should be ignored
                 },
-                'expected_sname': expected_sname
+                'expected_sname': expected_sname,
+                'strict_edata_checking': False
             }
         ])
 
@@ -206,7 +219,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_NOT_US,
+                'expected_error_mode': (KDC_ERR_NOT_US,
+                                        KDC_ERR_POLICY),
                 'use_fast': False,
                 'gen_tgt_fn': self.get_user_service_ticket,
                 'expect_edata': False
@@ -217,7 +231,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_NOT_US,
+                'expected_error_mode': (KDC_ERR_NOT_US,
+                                        KDC_ERR_POLICY),
                 'use_fast': False,
                 'gen_tgt_fn': self.get_mach_service_ticket,
                 'expect_edata': False
@@ -346,7 +361,8 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'gen_tgt_fn': self.get_mach_tgt,
                 'fast_armor': None,
-                'etypes': ()
+                'etypes': (),
+                'strict_edata_checking': False
             }
         ])
 
@@ -368,7 +384,8 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
-                'etypes': ()
+                'etypes': (),
+                'strict_edata_checking': False
             }
         ])
 
@@ -378,7 +395,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_PREAUTH_FAILED),
                 'use_fast': True,
                 'gen_fast_fn': self.generate_empty_fast,
                 'fast_armor': None,
@@ -389,10 +407,18 @@ class FAST_Tests(KDCBaseTest):
 
     def test_fast_unknown_critical_option(self):
         self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt
+            },
             {
                 'rep_type': KRB_AS_REP,
                 'expected_error_mode': KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
                 'use_fast': True,
+                'gen_padata_fn': self.generate_enc_challenge_padata,
                 'fast_options': '001',  # unsupported critical option
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt
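Review bot: the reason for the new first step and for supplying `'gen_padata_fn': self.generate_enc_challenge_padata` lives only in the commit message (Heimdal does not check FAST options when no preauth data is supplied); put that as a comment in the test so the padata is not removed later as redundant. Also `'fast_options': '001'` is still a literal bit string after the "Remove magic flag constants" commit; since the option is deliberately one that `FastOptions` has no name for, a comment saying so would justify the exception.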
@@ -403,7 +429,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_PREAUTH_FAILED),
                 'use_fast': True,
                 'fast_armor': None,  # no armor,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
@@ -500,7 +527,8 @@ class FAST_Tests(KDCBaseTest):
             },
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_PREAUTH_FAILED,
+                'expected_error_mode': (KDC_ERR_PREAUTH_FAILED,
+                                        KDC_ERR_PREAUTH_REQUIRED),
                 'use_fast': False,
                 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key
             }
@@ -509,8 +537,8 @@ class FAST_Tests(KDCBaseTest):
     def test_fast_encrypted_challenge_clock_skew(self):
         # The KDC is supposed to confirm that the timestamp is within its
         # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113
-        # 5.4.6).  However, Windows accepts a skewed timestamp in the encrypted
-        # challenge.
+        # 5.4.6). However, this test fails against Windows, which accepts a
+        # skewed timestamp in the encrypted challenge.
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
@@ -521,7 +549,7 @@ class FAST_Tests(KDCBaseTest):
             },
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': 0,
+                'expected_error_mode': KDC_ERR_SKEW,
                 'use_fast': True,
                 'gen_padata_fn': functools.partial(
                     self.generate_enc_challenge_padata,
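Review bot: the comment at the top of this test says the KDC should return KRB_APP_ERR_SKEW per RFC 6113 5.4.6, while the expectation is now `KDC_ERR_SKEW`; a one-line comment stating that this constant is the skew error the RFC refers to would keep the comment and the assertion in step.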
@@ -533,21 +561,14 @@ class FAST_Tests(KDCBaseTest):
 
     def test_fast_invalid_tgt(self):
         # The armor ticket 'sname' field is required to identify the target
-        # realm TGS (RFC6113 5.4.1.1). However, Windows will still accept a
-        # service ticket identifying a different server principal.
+        # realm TGS (RFC6113 5.4.1.1). However, this test fails against
+        # Windows, which will still accept a service ticket identifying a
+        # different server principal.
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
-                'use_fast': True,
-                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
-                'gen_armor_tgt_fn': self.get_user_service_ticket
-            },
-            {
-                'rep_type': KRB_AS_REP,
-                'expected_error_mode': 0,
+                'expected_error_mode': KDC_ERR_POLICY,
                 'use_fast': True,
-                'gen_padata_fn': self.generate_enc_challenge_padata,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_user_service_ticket
                                     # ticket not identifying TGS of current
@@ -555,24 +576,33 @@ class FAST_Tests(KDCBaseTest):
             }
         ])
 
+    # Similarly, this test fails against Windows, which accepts a service
+    # ticket identifying a different server principal.
     def test_fast_invalid_tgt_mach(self):
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'expected_error_mode': KDC_ERR_POLICY,
                 'use_fast': True,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_service_ticket
-            },
+                                    # ticket not identifying TGS of current
+                                    # realm
+            }
+        ])
+
+    def test_fast_invalid_checksum_tgt(self):
+        # The armor ticket 'sname' field is required to identify the target
+        # realm TGS (RFC6113 5.4.1.1). However, this test fails against
+        # Windows, which will still accept a service ticket identifying a
+        # different server principal even if the ticket checksum is invalid.
+        self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
-                'expected_error_mode': 0,
+                'expected_error_mode': KDC_ERR_POLICY,
                 'use_fast': True,
-                'gen_padata_fn': self.generate_enc_challenge_padata,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
-                'gen_armor_tgt_fn': self.get_mach_service_ticket
-                                    # ticket not identifying TGS of current
-                                    # realm
+                'gen_armor_tgt_fn': self.get_service_ticket_invalid_checksum
             }
         ])
 
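Review bot: `test_fast_invalid_checksum_tgt` expects the same `KDC_ERR_POLICY` as `test_fast_invalid_tgt`, and its comment says the armor ticket is a service ticket for a different server principal; a KDC that rejects on the armor ticket's `sname` alone therefore passes without ever verifying the checksum. To exercise the checksum check in isolation, an armor ticket with the correct TGS `sname` but an invalid checksum would be needed, with the corresponding integrity error expected. Separately, the comment for `test_fast_invalid_tgt_mach` now sits above the `def`, whereas the sibling tests keep it as the first lines of the body; move it inside for consistency.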
@@ -639,6 +669,42 @@ class FAST_Tests(KDCBaseTest):
             }
         ])
 
+    def test_fast_session_key(self):
+        # Ensure that specified APOptions are ignored.
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_padata_fn': self.generate_enc_challenge_padata,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+            }
+        ])
+
+    def test_fast_tgs_armor_session_key(self):
+        # Ensure that specified APOptions are ignored.
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_user_tgt,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'fast_ap_options': str(krb5_asn1.APOptions('use-session-key'))
+            }
+        ])
+
     def test_fast_outer_wrong_realm(self):
         self._run_test_sequence([
             {
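Review bot: `# Ensure that specified APOptions are ignored.` does not say what the KDC is expected to do instead; per the commit message the `use-session-key` flag should be ignored and the FAST armor key used, so state that in the comment of both `test_fast_session_key` and `test_fast_tgs_armor_session_key`, since a reader otherwise cannot tell which key the successful reply must be decryptable with.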
@@ -862,8 +928,8 @@ class FAST_Tests(KDCBaseTest):
             # Add the 'FAST used' auth data and it now fails.
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
-                # should be KRB_APP_ERR_MODIFIED
+                'expected_error_mode': (KDC_ERR_MODIFIED,
+                                        KDC_ERR_GENERIC),
                 'use_fast': False,
                 'gen_authdata_fn': self.generate_fast_used_auth_data,
                 'gen_tgt_fn': self.get_user_tgt,
@@ -889,7 +955,8 @@ class FAST_Tests(KDCBaseTest):
             # Add the 'FAST armor' auth data and it now fails.
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_BAD_INTEGRITY),
                 'use_fast': True,
                 'gen_authdata_fn': self.generate_fast_armor_auth_data,
                 'gen_tgt_fn': self.get_user_tgt,
@@ -941,7 +1008,8 @@ class FAST_Tests(KDCBaseTest):
             # fails.
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_BAD_INTEGRITY),
                 'use_fast': True,
                 'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data,
                 'fast_armor': None,
@@ -950,6 +1018,32 @@ class FAST_Tests(KDCBaseTest):
             }
         ])
 
+    def test_fast_ad_fx_fast_armor_enc_auth_data(self):
+        # If the authenticator or TGT authentication data contains the
+        # AD-fx-fast-armor authdata type, the KDC must reject the request
+        # (RFC6113 5.4.2). However, the KDC should not reject a request that
+        # contains this authdata type in enc-authorization-data.
+        self._run_test_sequence([
+            # This request works.
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_user_tgt,
+                'fast_armor': None
+            },
+            # Add AD-fx-fast-armor authdata element to
+            # enc-authorization-data. This request also works.
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_enc_authdata_fn': self.generate_fast_armor_auth_data,
+                'gen_tgt_fn': self.get_user_tgt,
+                'fast_armor': None
+            }
+        ])
+
     def test_fast_ad_fx_fast_armor_ticket2(self):
         self._run_test_sequence([
             # Show that we can still use the modified ticket as armor.
@@ -976,7 +1070,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_NOT_US,
+                'expected_error_mode': (KDC_ERR_NOT_US,
+                                        KDC_ERR_POLICY),
                 'use_fast': True,
                 'gen_tgt_fn': self.get_user_service_ticket,  # fails
                 'fast_armor': None
@@ -987,7 +1082,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_NOT_US,  # fails
+                'expected_error_mode': (KDC_ERR_NOT_US,  # fails
+                                        KDC_ERR_POLICY),
                 'use_fast': True,
                 'gen_tgt_fn': self.get_mach_service_ticket,
                 'fast_armor': None
@@ -1013,7 +1109,8 @@ class FAST_Tests(KDCBaseTest):
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
-                'expected_error_mode': KDC_ERR_GENERIC,
+                'expected_error_mode': (KDC_ERR_GENERIC,
+                                        KDC_ERR_PREAUTH_FAILED),
                 'use_fast': True,
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
@@ -1031,7 +1128,8 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
-                'fast_options': '01',  # hide client names
+                'fast_options': str(krb5_asn1.FastOptions(
+                    'hide-client-names')),
                 'expected_anon': True
             },
             {
@@ -1041,7 +1139,8 @@ class FAST_Tests(KDCBaseTest):
                 'gen_padata_fn': self.generate_enc_challenge_padata,
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
-                'fast_options': '01',  # hide client names
+                'fast_options': str(krb5_asn1.FastOptions(
+                    'hide-client-names')),
                 'expected_anon': True
             }
         ])
@@ -1054,7 +1153,8 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
-                'fast_options': '01',  # hide client names
+                'fast_options': str(krb5_asn1.FastOptions(
+                    'hide-client-names')),
                 'expected_anon': True
             }
         ])
@@ -1161,9 +1261,7 @@ class FAST_Tests(KDCBaseTest):
             self.check_kdc_fast_support()
 
         kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,'
-                                                       'renewable,'
-                                                       'canonicalize,'
-                                                       'renewable-ok'))
+                                                       'canonicalize'))
 
         client_creds = self.get_client_creds()
         target_creds = self.get_service_creds()
@@ -1362,6 +1460,21 @@ class FAST_Tests(KDCBaseTest):
             else:
                 auth_data = None
 
+            gen_enc_authdata_fn = kdc_dict.pop('gen_enc_authdata_fn', None)
+            if gen_enc_authdata_fn is not None:
+                enc_auth_data = [gen_enc_authdata_fn()]
+
+                enc_auth_data_key = authenticator_subkey
+                enc_auth_data_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY
+                if enc_auth_data_key is None:
+                    enc_auth_data_key = tgt.session_key
+                    enc_auth_data_usage = KU_TGS_REQ_AUTH_DAT_SESSION
+            else:
+                enc_auth_data = None
+
+                enc_auth_data_key = None
+                enc_auth_data_usage = None
+
             if not use_fast:
                 self.assertNotIn('inner_req', kdc_dict)
                 self.assertNotIn('outer_req', kdc_dict)
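Review bot: the key and usage selection is consistent with RFC 4120 section 7.5.1 (usage 5 for enc-authorization-data under the authenticator subkey, usage 4 under the TGT session key), but nothing here says so; a comment citing it would help, since the `KU_TGS_REQ_AUTH_DAT_*` names are newly imported in this patch. The branch also relies on `authenticator_subkey` and `tgt` already being set at this point, which the hunk context does not show.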
@@ -1375,6 +1488,10 @@ class FAST_Tests(KDCBaseTest):
             if unexpected_flags is not None:
                 unexpected_flags = krb5_asn1.TicketFlags(unexpected_flags)
 
+            fast_ap_options = kdc_dict.pop('fast_ap_options', None)
+
+            strict_edata_checking = kdc_dict.pop('strict_edata_checking', True)
+
             if rep_type == KRB_AS_REP:
                 kdc_exchange_dict = self.as_exchange_dict(
                     expected_crealm=expected_crealm,
@@ -1409,6 +1526,8 @@ class FAST_Tests(KDCBaseTest):
                     outer_req=outer_req,
                     pac_request=True,
                     pac_options=pac_options,
+                    fast_ap_options=fast_ap_options,
+                    strict_edata_checking=strict_edata_checking,
                     expect_edata=expect_edata)
             else:  # KRB_TGS_REP
                 kdc_exchange_dict = self.tgs_exchange_dict(
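Review bot: `fast_ap_options` and `strict_edata_checking` are forwarded only in the `KRB_AS_REP` branch here, and the `tgs_exchange_dict` call that follows is cut off by the 500-line truncation. `test_fast_tgs_armor_session_key` sets `fast_ap_options` on a `KRB_TGS_REP` step and several `KRB_TGS_REP` steps set `strict_edata_checking`, so please confirm both are also passed to `tgs_exchange_dict` in the omitted part; otherwise the TGS tests would run without them.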
@@ -1443,15 +1562,21 @@ class FAST_Tests(KDCBaseTest):
                     outer_req=outer_req,


-- 
Samba Shared Repository
