The Samba-Bugzilla – Attachment 16777 Details for Bug 14817
Bug 14817: Update Kerberos testing and dependencies to bring in fix for KDC crash
[patch] patch from master backported to 4.15 (only) (v2)
samba-4-15-kdc-crash.patch (text/plain), 561.64 KB, created by Andrew Bartlett on 2021-09-06 20:49:11 UTC
Description: patch from master backported to 4.15 (only) (v2)
Filename: samba-4-15-kdc-crash.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2021-09-06 20:49:11 UTC
Size: 561.64 KB
Flags: patch, obsolete
>From d669ae93fa9509c59fccf12d5eeb2c2e4ceb7302 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 20 Jul 2021 15:55:53 +0200 >Subject: [PATCH 001/108] bootstrap: Install krb5-workstation on Fedora based > distros > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit e0fa3e359f16b26122d49ad79372e3923f5ded77) >--- > .gitlab-ci-main.yml | 2 +- > bootstrap/config.py | 2 +- > bootstrap/generated-dists/centos7/bootstrap.sh | 1 + > bootstrap/generated-dists/centos7/packages.yml | 1 + > bootstrap/generated-dists/centos8/bootstrap.sh | 1 + > bootstrap/generated-dists/centos8/packages.yml | 1 + > bootstrap/generated-dists/fedora33/bootstrap.sh | 1 + > bootstrap/generated-dists/fedora33/packages.yml | 1 + > bootstrap/generated-dists/fedora34/bootstrap.sh | 1 + > bootstrap/generated-dists/fedora34/packages.yml | 1 + > bootstrap/generated-dists/opensuse151/bootstrap.sh | 1 + > bootstrap/generated-dists/opensuse151/packages.yml | 1 + > bootstrap/generated-dists/opensuse152/bootstrap.sh | 1 + > bootstrap/generated-dists/opensuse152/packages.yml | 1 + > bootstrap/sha1sum.txt | 2 +- > 15 files changed, 15 insertions(+), 3 deletions(-) > >diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml >index 0979c007dc6..8bcedfc5d6a 100644 >--- a/.gitlab-ci-main.yml >+++ b/.gitlab-ci-main.yml >@@ -42,7 +42,7 @@ variables: > # Set this to the contents of bootstrap/sha1sum.txt > # which is generated by bootstrap/template.py --render > # >- SAMBA_CI_CONTAINER_TAG: fa3eeb92fb5447524a057a4c377e6960dff626ce >+ SAMBA_CI_CONTAINER_TAG: 11d550c08430787a5b0eb8dc847977ffffe12bbe > # > # We use the ubuntu1804 image as default as > # it matches what we have on sn-devel-184. >diff --git a/bootstrap/config.py b/bootstrap/config.py >index b5d04d4e371..b02ce4cf566 100644 >--- a/bootstrap/config.py >+++ b/bootstrap/config.py 
>@@ -116,7 +116,7 @@ PKGS = [ > ('bind9utils', 'bind-utils'), > ('dnsutils', ''), > ('xsltproc', 'libxslt'), >- ('krb5-user', ''), >+ ('krb5-user', 'krb5-workstation'), > ('krb5-config', ''), > ('krb5-kdc', 'krb5-server'), > ('apt-utils', 'yum-utils'), >diff --git a/bootstrap/generated-dists/centos7/bootstrap.sh b/bootstrap/generated-dists/centos7/bootstrap.sh >index 00dd22b891f..36913f40b44 100755 >--- a/bootstrap/generated-dists/centos7/bootstrap.sh >+++ b/bootstrap/generated-dists/centos7/bootstrap.sh >@@ -45,6 +45,7 @@ yum install -y \ > keyutils-libs-devel \ > krb5-devel \ > krb5-server \ >+ krb5-workstation \ > lcov \ > libacl-devel \ > libarchive-devel \ >diff --git a/bootstrap/generated-dists/centos7/packages.yml b/bootstrap/generated-dists/centos7/packages.yml >index 3f5e8331b40..4da3d61441f 100644 >--- a/bootstrap/generated-dists/centos7/packages.yml >+++ b/bootstrap/generated-dists/centos7/packages.yml >@@ -31,6 +31,7 @@ packages: > - keyutils-libs-devel > - krb5-devel > - krb5-server >+ - krb5-workstation > - lcov > - libacl-devel > - libarchive-devel >diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh >index a3079982dda..60cf3937cf7 100755 >--- a/bootstrap/generated-dists/centos8/bootstrap.sh >+++ b/bootstrap/generated-dists/centos8/bootstrap.sh >@@ -54,6 +54,7 @@ yum install -y \ > keyutils-libs-devel \ > krb5-devel \ > krb5-server \ >+ krb5-workstation \ > libacl-devel \ > libarchive-devel \ > libattr-devel \ >diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8/packages.yml >index 2994e81640a..f5d0ac5ffe6 100644 >--- a/bootstrap/generated-dists/centos8/packages.yml >+++ b/bootstrap/generated-dists/centos8/packages.yml >@@ -34,6 +34,7 @@ packages: > - keyutils-libs-devel > - krb5-devel > - krb5-server >+ - krb5-workstation > - libacl-devel > - libarchive-devel > - libattr-devel 
>diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh >index 106bd09ede8..22b968e9ae2 100755 >--- a/bootstrap/generated-dists/fedora33/bootstrap.sh >+++ b/bootstrap/generated-dists/fedora33/bootstrap.sh >@@ -45,6 +45,7 @@ dnf install -y \ > keyutils-libs-devel \ > krb5-devel \ > krb5-server \ >+ krb5-workstation \ > lcov \ > libacl-devel \ > libarchive-devel \ >diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml >index 9fa48ad4502..7c61da3c53a 100644 >--- a/bootstrap/generated-dists/fedora33/packages.yml >+++ b/bootstrap/generated-dists/fedora33/packages.yml >@@ -34,6 +34,7 @@ packages: > - keyutils-libs-devel > - krb5-devel > - krb5-server >+ - krb5-workstation > - lcov > - libacl-devel > - libarchive-devel >diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh >index 6686ab19250..d5fea5c008a 100755 >--- a/bootstrap/generated-dists/fedora34/bootstrap.sh >+++ b/bootstrap/generated-dists/fedora34/bootstrap.sh >@@ -45,6 +45,7 @@ dnf install -y \ > keyutils-libs-devel \ > krb5-devel \ > krb5-server \ >+ krb5-workstation \ > lcov \ > libacl-devel \ > libarchive-devel \ >diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml >index 1e488823dda..db12fdb5486 100644 >--- a/bootstrap/generated-dists/fedora34/packages.yml >+++ b/bootstrap/generated-dists/fedora34/packages.yml >@@ -34,6 +34,7 @@ packages: > - keyutils-libs-devel > - krb5-devel > - krb5-server >+ - krb5-workstation > - lcov > - libacl-devel > - libarchive-devel >diff --git a/bootstrap/generated-dists/opensuse151/bootstrap.sh b/bootstrap/generated-dists/opensuse151/bootstrap.sh >index 2271e2ea8b2..e4771284f4d 100755 >--- a/bootstrap/generated-dists/opensuse151/bootstrap.sh >+++ b/bootstrap/generated-dists/opensuse151/bootstrap.sh 
>@@ -40,6 +40,7 @@ zypper --non-interactive install \ > hostname \ > htop \ > keyutils-devel \ >+ krb5-client \ > krb5-devel \ > krb5-server \ > lcov \ >diff --git a/bootstrap/generated-dists/opensuse151/packages.yml b/bootstrap/generated-dists/opensuse151/packages.yml >index 5710c60bd8b..d465252e26b 100644 >--- a/bootstrap/generated-dists/opensuse151/packages.yml >+++ b/bootstrap/generated-dists/opensuse151/packages.yml >@@ -28,6 +28,7 @@ packages: > - hostname > - htop > - keyutils-devel >+ - krb5-client > - krb5-devel > - krb5-server > - lcov >diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh >index ae766095a4d..bdfb121b345 100755 >--- a/bootstrap/generated-dists/opensuse152/bootstrap.sh >+++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh >@@ -40,6 +40,7 @@ zypper --non-interactive install \ > hostname \ > htop \ > keyutils-devel \ >+ krb5-client \ > krb5-devel \ > krb5-server \ > lcov \ >diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml >index 6bc1a137ca7..75a37074791 100644 >--- a/bootstrap/generated-dists/opensuse152/packages.yml >+++ b/bootstrap/generated-dists/opensuse152/packages.yml >@@ -28,6 +28,7 @@ packages: > - hostname > - htop > - keyutils-devel >+ - krb5-client > - krb5-devel > - krb5-server > - lcov >diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt >index e198e6b80ae..0e70f1937b9 100644 >--- a/bootstrap/sha1sum.txt >+++ b/bootstrap/sha1sum.txt >@@ -1 +1 @@ >-fa3eeb92fb5447524a057a4c377e6960dff626ce >+11d550c08430787a5b0eb8dc847977ffffe12bbe >-- >2.25.1 > > >From 83bf113c5ac65312022ed082ce5384483969201c Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 21 Jul 2021 09:17:31 +0200 >Subject: [PATCH 002/108] python:waf: Correctly check for python-dateutil 
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit e51e9d014598241e1cb8b525cce9e9c6b9e4e98f) >--- > python/wscript | 23 ++++++++++++++++++++--- > 1 file changed, 20 insertions(+), 3 deletions(-) > >diff --git a/python/wscript b/python/wscript >index b33200e41d9..9815e816d35 100644 >--- a/python/wscript >+++ b/python/wscript >@@ -5,7 +5,6 @@ from waflib import Options, Errors > > # work out what python external libraries we need to be successful > selftest_pkgs = { >- 'iso8601': 'python3-iso8601', > 'cryptography': 'python3-cryptography', > 'pyasn1': 'python3-pyasn1' > } >@@ -16,12 +15,14 @@ ad_dc_pkgs = { > } > > >-def find_third_party_module(conf, module, package): >+def find_third_party_module(conf, module, package, required=True): > conf.COMPOUND_START("Checking for system installation of Python module %s" % module) > try: > __import__(module) > except ImportError: > conf.COMPOUND_END(False) >+ if not required: >+ return False > raise Errors.WafError("""\ > Unable to find Python module '%s'. Please install the system package: %s'. > """ % (module, package)) >@@ -29,6 +30,8 @@ def find_third_party_module(conf, module, package): > # Installed on the system > conf.COMPOUND_END("system") > >+ return True >+ > > def configure(conf): > if conf.env.disable_python: 
>@@ -73,6 +76,20 @@ def configure(conf): > for module, package in selftest_pkgs.items(): > find_third_party_module(conf, module, package) > >+ # Prefer dateutil.parser which is much more widely used. >+ if not find_third_party_module(conf, >+ 'dateutil.parser', >+ 'python3-dateutilis', >+ required=False): >+ if not find_third_party_module(conf, >+ 'iso8601', >+ 'python3-iso8601', >+ required=False): >+ raise Errors.WafError("Could not find Python package " >+ "'python3-dateutils' nor " >+ "'python3-iso8601'. Please install " >+ "one of the packages.") >+ > if not Options.options.without_ad_dc: > for module, package in ad_dc_pkgs.items(): > find_third_party_module(conf, module, package) >@@ -117,5 +134,5 @@ def build(bld): > bld.SAMBA_SCRIPT('samba_python_files', > pattern='samba/**/*.py', > installdir='python') >- >+ > bld.INSTALL_WILDCARD('${PYTHONARCHDIR}', 'samba/**/*.py', flat=False) >-- >2.25.1 > > >From 21467eec5ca34f48486f870c2d36996765a98e83 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 21 Jul 2021 09:32:42 +0200 >Subject: [PATCH 003/108] bootstrap: Install python3-dateutil instead of > python3-iso8601 on RPM distros 
> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184 > >(cherry picked from commit ee9dfff617ad21d81369d7ef2ea35d7caab82fec) >--- > .gitlab-ci-main.yml | 2 +- > bootstrap/config.py | 3 +++ > bootstrap/generated-dists/fedora33/bootstrap.sh | 2 +- > bootstrap/generated-dists/fedora33/packages.yml | 2 +- > bootstrap/generated-dists/fedora34/bootstrap.sh | 2 +- > bootstrap/generated-dists/fedora34/packages.yml | 2 +- > bootstrap/generated-dists/opensuse152/bootstrap.sh | 2 +- > bootstrap/generated-dists/opensuse152/packages.yml | 2 +- > bootstrap/sha1sum.txt | 2 +- > 9 files changed, 11 insertions(+), 8 deletions(-) > >diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml >index 8bcedfc5d6a..657b28e274f 100644 >--- a/.gitlab-ci-main.yml >+++ b/.gitlab-ci-main.yml >@@ -42,7 +42,7 @@ variables: > # Set this to the contents of bootstrap/sha1sum.txt > # which is generated by bootstrap/template.py --render > # >- SAMBA_CI_CONTAINER_TAG: 11d550c08430787a5b0eb8dc847977ffffe12bbe >+ SAMBA_CI_CONTAINER_TAG: b5333a93306e20ba549f5fac3c6c74e0b103c1d6 > # > # We use the ubuntu1804 image as default as > # it matches what we have on sn-devel-184. >diff --git a/bootstrap/config.py b/bootstrap/config.py >index b02ce4cf566..821ce3d5cc2 100644 >--- a/bootstrap/config.py >+++ b/bootstrap/config.py >@@ -485,6 +485,7 @@ RPM_DISTS = { > 'lsb-release': 'redhat-lsb', > 'libsemanage-python': 'python3-libsemanage', > 'policycoreutils-python': 'python3-policycoreutils', >+ 'python3-iso8601': 'python3-dateutil', > } > }, > 'fedora34': { 
>@@ -496,6 +497,7 @@ RPM_DISTS = { > 'libsemanage-python': 'python3-libsemanage', > 'policycoreutils-python': 'python3-policycoreutils', > 'perl-FindBin': '', >+ 'python3-iso8601': 'python3-dateutil', > 'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available > } > }, >@@ -552,6 +554,7 @@ RPM_DISTS = { > 'perl-interpreter': '', > 'perl-FindBin': '', > 'procps-ng': 'procps', >+ 'python3-iso8601': 'python3-python-dateutil', > 'python3-dns': 'python3-dnspython', > 'python3-markdown': 'python3-Markdown', > 'quota-devel': '', >diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh >index 22b968e9ae2..52e199f6b88 100755 >--- a/bootstrap/generated-dists/fedora33/bootstrap.sh >+++ b/bootstrap/generated-dists/fedora33/bootstrap.sh >@@ -87,10 +87,10 @@ dnf install -y \ > psmisc \ > python3 \ > python3-cryptography \ >+ python3-dateutil \ > python3-devel \ > python3-dns \ > python3-gpg \ >- python3-iso8601 \ > python3-libsemanage \ > python3-markdown \ > python3-policycoreutils \ >diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml >index 7c61da3c53a..d9cbfbd80db 100644 >--- a/bootstrap/generated-dists/fedora33/packages.yml >+++ b/bootstrap/generated-dists/fedora33/packages.yml >@@ -76,10 +76,10 @@ packages: > - psmisc > - python3 > - python3-cryptography >+ - python3-dateutil > - python3-devel > - python3-dns > - python3-gpg >- - python3-iso8601 > - python3-libsemanage > - python3-markdown > - python3-policycoreutils >diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh >index d5fea5c008a..de5a9670601 100755 >--- a/bootstrap/generated-dists/fedora34/bootstrap.sh >+++ b/bootstrap/generated-dists/fedora34/bootstrap.sh 
>@@ -86,10 +86,10 @@ dnf install -y \ > psmisc \ > python3 \ > python3-cryptography \ >+ python3-dateutil \ > python3-devel \ > python3-dns \ > python3-gpg \ >- python3-iso8601 \ > python3-libsemanage \ > python3-markdown \ > python3-policycoreutils \ >diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml >index db12fdb5486..749f30dfc0e 100644 >--- a/bootstrap/generated-dists/fedora34/packages.yml >+++ b/bootstrap/generated-dists/fedora34/packages.yml >@@ -75,10 +75,10 @@ packages: > - psmisc > - python3 > - python3-cryptography >+ - python3-dateutil > - python3-devel > - python3-dns > - python3-gpg >- - python3-iso8601 > - python3-libsemanage > - python3-markdown > - python3-policycoreutils >diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh >index bdfb121b345..534ff66896f 100755 >--- a/bootstrap/generated-dists/opensuse152/bootstrap.sh >+++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh >@@ -88,8 +88,8 @@ zypper --non-interactive install \ > python3-devel \ > python3-dnspython \ > python3-gpg \ >- python3-iso8601 \ > python3-pyasn1 \ >+ python3-python-dateutil \ > python3-setproctitle \ > readline-devel \ > rng-tools \ >diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml >index 75a37074791..05b3779a2fd 100644 >--- a/bootstrap/generated-dists/opensuse152/packages.yml >+++ b/bootstrap/generated-dists/opensuse152/packages.yml >@@ -76,8 +76,8 @@ packages: > - python3-devel > - python3-dnspython > - python3-gpg >- - python3-iso8601 > - python3-pyasn1 >+ - python3-python-dateutil > - python3-setproctitle > - readline-devel > - rng-tools >diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt >index 0e70f1937b9..e7de92cc504 100644 >--- a/bootstrap/sha1sum.txt >+++ b/bootstrap/sha1sum.txt 
>@@ -1 +1 @@ >-11d550c08430787a5b0eb8dc847977ffffe12bbe >+b5333a93306e20ba549f5fac3c6c74e0b103c1d6 >-- >2.25.1 > > >From 1ade7aabee72518dd0efc882d6e208858ebb86fd Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 27 Jul 2021 08:50:54 +0200 >Subject: [PATCH 004/108] selftest: Re-format long lines in selftesthelpers.py > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a) >--- > selftest/selftesthelpers.py | 18 +++++++++++++----- > 1 file changed, 13 insertions(+), 5 deletions(-) > >diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py >index 3358374cbca..d24d4487f71 100644 >--- a/selftest/selftesthelpers.py >+++ b/selftest/selftesthelpers.py >@@ -1,4 +1,5 @@ >-#!/usr/bin/python >+#!/usr/bin/env python3 >+# > # This script generates a list of testsuites that should be run as part of > # the Samba 4 test suite. > >@@ -24,7 +25,8 @@ import sys > > > def srcdir(): >- return os.path.normpath(os.getenv("SRCDIR", os.path.join(os.path.dirname(os.path.abspath(__file__)), ".."))) >+ alternate_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..") >+ return os.path.normpath(os.getenv("SRCDIR", alternate_path)) > > > def source4dir(): >@@ -90,7 +92,8 @@ def add_prefix(prefix, env, support_list=False): > listopt = "$LISTOPT " > else: > listopt = "" >- return "%s %s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\" --suffix=\"(%s)\"" % (python, srcdir(), listopt, prefix, env) >+ return ("%s %s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\" --suffix=\"(%s)\"" % >+ (python, srcdir(), listopt, prefix, env)) > > > def plantestsuite_loadlist(name, env, cmdline): 
>@@ -108,7 +111,9 @@ def plantestsuite_loadlist(name, env, cmdline): > raise AssertionError("loadlist test %s does not support not --list" % name) > if "$LOADLIST" not in cmdline: > raise AssertionError("loadlist test %s does not support --load-list" % name) >- print(("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list ")) >+ print(("%s | %s" % >+ (cmdline.replace("$LOADLIST", ""), >+ add_prefix(name, env, support_list))).replace("$LISTOPT", "--list ")) > print(cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False)) > > >@@ -163,7 +168,10 @@ bbdir = os.path.join(srcdir(), "testprogs/blackbox") > configuration = "--configfile=$SMB_CONF_PATH" > > smbtorture4 = binpath("smbtorture") >-smbtorture4_testsuite_list = subprocess.Popen([smbtorture4, "--list-suites"], stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate("")[0].decode('utf8').splitlines() >+smbtorture4_testsuite_list = subprocess.Popen( >+ [smbtorture4, "--list-suites"], >+ stdout=subprocess.PIPE, >+ stderr=subprocess.PIPE).communicate("")[0].decode('utf8').splitlines() > > smbtorture4_options = [ > configuration, >-- >2.25.1 > > >From fba4a916c8b659a4fa6d7340a49285d6fe71926c Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 27 Jul 2021 13:25:59 +0200 >Subject: [PATCH 005/108] selftest: Add support for setting ENV variables in > plansmbtorture4testsuite() > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a) >--- > selftest/selftesthelpers.py | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > >diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py >index d24d4487f71..524026248d9 100644 >--- a/selftest/selftesthelpers.py >+++ b/selftest/selftesthelpers.py 
>@@ -182,13 +182,14 @@ smbtorture4_options = [ > ] + get_env_torture_options() > > >-def plansmbtorture4testsuite(name, env, options, target, modname=None): >+def plansmbtorture4testsuite(name, env, options, target, environ={}, modname=None): > if modname is None: > modname = "samba4.%s" % name > if isinstance(options, list): > options = " ".join(options) > options = " ".join(smbtorture4_options + ["--target=%s" % target]) + " " + options >- cmdline = "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) >+ cmdline = ["%s=%s" % item for item in environ.items()] >+ cmdline += "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) > plantestsuite_loadlist(modname, env, cmdline) > > >-- >2.25.1 > > >From 7a27328046b3b3b5e4b520c83f02c1d3789b5a85 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 27 Jul 2021 13:45:03 +0200 >Subject: [PATCH 006/108] selftest: Add support for setting ENV variables in > plantestsuite() > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef) >--- > selftest/selftesthelpers.py | 25 +++++++++++++++++++------ > 1 file changed, 19 insertions(+), 6 deletions(-) > >diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py >index 524026248d9..542737dbd10 100644 >--- a/selftest/selftesthelpers.py >+++ b/selftest/selftesthelpers.py >@@ -66,7 +66,7 @@ def valgrindify(cmdline): > return valgrind + " " + cmdline > > >-def plantestsuite(name, env, cmdline): >+def plantestsuite(name, env, cmd, environ={}): > """Plan a test suite. > > :param name: Testsuite name 
>@@ -80,8 +80,18 @@ def plantestsuite(name, env, cmdline): > fullname = "%s(%s)" % (name, env) > print(fullname) > print(env) >- if isinstance(cmdline, list): >- cmdline = " ".join(cmdline) >+ >+ cmdline = "" >+ if environ: >+ environ = dict(environ) >+ cmdline_env = ["%s=%s" % item for item in environ.items()] >+ cmdline = " ".join(cmdline_env) + " " >+ >+ if isinstance(cmd, list): >+ cmdline += " ".join(cmd) >+ else: >+ cmdline += cmd >+ > if "$LISTOPT" in cmdline: > raise AssertionError("test %s supports --list, but not --load-list" % name) > print(cmdline + " 2>&1 " + " | " + add_prefix(name, env)) >@@ -182,14 +192,17 @@ smbtorture4_options = [ > ] + get_env_torture_options() > > >-def plansmbtorture4testsuite(name, env, options, target, environ={}, modname=None): >+def plansmbtorture4testsuite(name, env, options, target, modname=None, environ={}): > if modname is None: > modname = "samba4.%s" % name > if isinstance(options, list): > options = " ".join(options) > options = " ".join(smbtorture4_options + ["--target=%s" % target]) + " " + options >- cmdline = ["%s=%s" % item for item in environ.items()] >- cmdline += "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) >+ cmdline = "" >+ if environ: >+ environ = dict(environ) >+ cmdline = ["%s=%s" % item for item in environ.items()] >+ cmdline += " %s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) > plantestsuite_loadlist(modname, env, cmdline) > > >-- >2.25.1 > > >From 66af75b8af600e04b4457b9dbea3f4c1590b49d9 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 19 Jul 2021 17:29:39 +1200 >Subject: [PATCH 007/108] pygensec: Fix memory leaks 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385) >--- > source4/auth/gensec/pygensec.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > >diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c >index 490fcbecd58..f1f845a4663 100644 >--- a/source4/auth/gensec/pygensec.c >+++ b/source4/auth/gensec/pygensec.c >@@ -310,9 +310,13 @@ static PyObject *py_gensec_session_info(PyObject *self, > return NULL; > } > mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ return PyErr_NoMemory(); >+ } > > status = gensec_session_info(security, mem_ctx, &info); > if (NT_STATUS_IS_ERR(status)) { >+ talloc_free(mem_ctx); > PyErr_SetNTSTATUS(status); > return NULL; > } >@@ -337,6 +341,9 @@ static PyObject *py_gensec_session_key(PyObject *self, > return NULL; > } > mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ return PyErr_NoMemory(); >+ } > > status = gensec_session_key(security, mem_ctx, &session_key); > if (!NT_STATUS_IS_OK(status)) { >@@ -466,7 +473,12 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) > return NULL; > > mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ return PyErr_NoMemory(); >+ } >+ > if (!PyBytes_Check(py_in)) { >+ talloc_free(mem_ctx); > PyErr_Format(PyExc_TypeError, "bytes expected"); > return NULL; > } >@@ -510,8 +522,12 @@ static PyObject *py_gensec_wrap(PyObject *self, PyObject *args) > return NULL; > > mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ return PyErr_NoMemory(); >+ } > > if (!PyBytes_Check(py_in)) { >+ talloc_free(mem_ctx); > PyErr_Format(PyExc_TypeError, "bytes expected"); > return NULL; > } 
>@@ -545,8 +561,12 @@ static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args) > return NULL; > > mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ return PyErr_NoMemory(); >+ } > > if (!PyBytes_Check(py_in)) { >+ talloc_free(mem_ctx); > PyErr_Format(PyExc_TypeError, "bytes expected"); > return NULL; > } >@@ -599,6 +619,9 @@ static PyObject *py_gensec_sign_packet(PyObject *self, PyObject *args) > pdu.length = pdu_length; > > mem_ctx = talloc_new(NULL); >+ if (mem_ctx == NULL) { >+ return PyErr_NoMemory(); >+ } > > status = gensec_sign_packet(security, mem_ctx, > data.data, data.length, >-- >2.25.1 > > >From 621230095bee779620c6c83e94803b5907448273 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 20 Jul 2021 10:48:41 +1200 >Subject: [PATCH 008/108] pygensec: Don't modify Python bytes objects > >gensec_update() and gensec_unwrap() can both modify their input buffers >(for example, during the inplace RRC operation on GSSAPI tokens). >However, buffers obtained from Python bytes objects must not be modified >in any way. Create a copy of the input buffer so the original isn't >modified. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159) >--- > source4/auth/gensec/gensec_gssapi.c | 4 ++++ > source4/auth/gensec/pygensec.c | 36 ++++++++++++++++++++++------- > 2 files changed, 32 insertions(+), 8 deletions(-) > >diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c >index 9adc477a15c..e33c78462e2 100644 >--- a/source4/auth/gensec/gensec_gssapi.c >+++ b/source4/auth/gensec/gensec_gssapi.c 
>@@ -1168,6 +1168,10 @@ static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, > } > } > >+ /* >+ * FIXME: input_message_buffer is marked const, but gss_unwrap() may >+ * modify it (see calls to rrc_rotate() in _gssapi_unwrap_cfx()). >+ */ > maj_stat = gss_unwrap(&min_stat, > gensec_gssapi_state->gssapi_context, > &input_token, >diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c >index f1f845a4663..dd63fa58348 100644 >--- a/source4/auth/gensec/pygensec.c >+++ b/source4/auth/gensec/pygensec.c >@@ -468,6 +468,9 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) > PyObject *py_bytes, *result, *py_in; > struct gensec_security *security = pytalloc_get_type(self, struct gensec_security); > PyObject *finished_processing; >+ char *data = NULL; >+ Py_ssize_t len; >+ int err; > > if (!PyArg_ParseTuple(args, "O", &py_in)) > return NULL; >@@ -477,14 +480,21 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) > return PyErr_NoMemory(); > } > >- if (!PyBytes_Check(py_in)) { >+ err = PyBytes_AsStringAndSize(py_in, &data, &len); >+ if (err) { > talloc_free(mem_ctx); >- PyErr_Format(PyExc_TypeError, "bytes expected"); > return NULL; > } > >- in.data = (uint8_t *)PyBytes_AsString(py_in); >- in.length = PyBytes_Size(py_in); >+ /* >+ * Make a copy of the input buffer, as gensec_update may modify its >+ * input argument. >+ */ >+ in = data_blob_talloc(mem_ctx, data, len); >+ if (!in.data) { >+ talloc_free(mem_ctx); >+ return PyErr_NoMemory(); >+ } > > status = gensec_update(security, mem_ctx, in, &out); > >@@ -556,6 +566,9 @@ static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args) > DATA_BLOB in, out; > PyObject *ret, *py_in; > struct gensec_security *security = pytalloc_get_type(self, struct gensec_security); >+ char *data = NULL; >+ Py_ssize_t len; >+ int err; > > if (!PyArg_ParseTuple(args, "O", &py_in)) > return NULL; 
>@@ -565,14 +578,21 @@ static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args) > return PyErr_NoMemory(); > } > >- if (!PyBytes_Check(py_in)) { >+ err = PyBytes_AsStringAndSize(py_in, &data, &len); >+ if (err) { > talloc_free(mem_ctx); >- PyErr_Format(PyExc_TypeError, "bytes expected"); > return NULL; > } > >- in.data = (uint8_t *)PyBytes_AsString(py_in); >- in.length = PyBytes_Size(py_in); >+ /* >+ * Make a copy of the input buffer, as gensec_unwrap may modify its >+ * input argument. >+ */ >+ in = data_blob_talloc(mem_ctx, data, len); >+ if (!in.data) { >+ talloc_free(mem_ctx); >+ return PyErr_NoMemory(); >+ } > > status = gensec_unwrap(security, mem_ctx, &in, &out); > >-- >2.25.1 > > >From 4b484c35a5aa8e93667eb2d2ed579aadc9316653 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 26 Jul 2021 17:15:23 +1200 >Subject: [PATCH 009/108] tests/krb5: Fix ms_kile_client_principal_lookup_test > errors > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710) >--- > .../krb5/ms_kile_client_principal_lookup_tests.py | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > >diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >index e9d251e72f6..1598959a18c 100755 >--- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py 
>@@ -395,7 +395,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > # Check the contents of the pac, and the ticket > ticket = rep['ticket'] > enc_part = self.decode_service_ticket(mc, ticket) >- self.check_pac(enc_part['authorization-data'], dn, uc, user_name) >+ self.check_pac(samdb, >+ enc_part['authorization-data'], dn, uc, user_name) > # check the crealm and cname > cname = enc_part['cname'] > self.assertEqual(NT_PRINCIPAL, cname['name-type']) >@@ -497,7 +498,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > ticket = rep['ticket'] > enc_part = self.decode_service_ticket(mc, ticket) > self.check_pac( >- enc_part['authorization-data'], dn, uc, upn, upn=upn) >+ samdb, enc_part['authorization-data'], dn, uc, upn, upn=upn) > # check the crealm and cname > cname = enc_part['cname'] > crealm = enc_part['crealm'] >@@ -560,7 +561,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > ticket = rep['ticket'] > enc_part = self.decode_service_ticket(mc, ticket) > self.check_pac( >- enc_part['authorization-data'], dn, uc, ename, upn=ename) >+ samdb, enc_part['authorization-data'], dn, uc, ename, upn=ename) > # check the crealm and cname > cname = enc_part['cname'] > crealm = enc_part['crealm'] >@@ -624,7 +625,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > ticket = rep['ticket'] > enc_part = self.decode_service_ticket(mc, ticket) > self.check_pac( >- enc_part['authorization-data'], dn, mc, ename, upn=uname) >+ samdb, enc_part['authorization-data'], dn, mc, ename, upn=uname) > # check the crealm and cname > cname = enc_part['cname'] > crealm = enc_part['crealm'] 
>@@ -771,7 +772,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > ticket = rep['ticket'] > enc_part = self.decode_service_ticket(mc, ticket) > self.check_pac( >- enc_part['authorization-data'], dn, uc, uname, upn=uname) >+ samdb, enc_part['authorization-data'], dn, uc, uname, upn=uname) > # check the crealm and cname > cname = enc_part['cname'] > self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >-- >2.25.1 > > >From ddd177ae1bca06b8816cea64ba71d1de4dcf1f28 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 22 Jul 2021 16:26:17 +1200 >Subject: [PATCH 010/108] tests/krb5: Fix comment typo > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4) >--- > python/samba/tests/krb5/raw_testcase.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index b9bc08d1fa9..9c090e4d005 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -864,7 +864,7 @@ class RawKerberosTest(TestCaseInTempDir): > # The value on the wire should never be 0 > self.assertNotEqual(v, 0) > # unspecified_kvno means we don't know the kvno, >- # but want to enforce its presense >+ # but want to enforce its presence > if value is not self.unspecified_kvno: > value = int(value) > self.assertNotEqual(value, 0) >-- >2.25.1 > > >From f687c66e9edcbd5e62fcdf40a9a947378dd78131 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 10:17:52 +1200 >Subject: [PATCH 011/108] tests/krb5: Fix method name typo 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2) >--- > python/samba/tests/krb5/kdc_base_test.py | 4 ++-- > python/samba/tests/krb5/kdc_tgs_tests.py | 6 +++--- > .../ms_kile_client_principal_lookup_tests.py | 20 +++++++++---------- > 3 files changed, 15 insertions(+), 15 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 0f5238a3de9..4bd856b217e 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -444,7 +444,7 @@ class KDCBaseTest(RawKerberosTest): > > return enc_part > >- def check_pre_authenication(self, rep): >+ def check_pre_authentication(self, rep): > """ Check that the kdc response was pre-authentication required > """ > self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) >@@ -794,7 +794,7 @@ class KDCBaseTest(RawKerberosTest): > names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(user_credentials, rep) >diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py >index 0c757bd5e5f..25a1f5f3ed8 100755 >--- a/python/samba/tests/krb5/kdc_tgs_tests.py >+++ b/python/samba/tests/krb5/kdc_tgs_tests.py >@@ -63,7 +63,7 @@ class KdcTgsTests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) 
>@@ -113,7 +113,7 @@ class KdcTgsTests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >@@ -154,7 +154,7 @@ class KdcTgsTests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >index 1598959a18c..e42b643b357 100755 >--- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >@@ -106,7 +106,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >@@ -165,7 +165,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(mc, rep) >@@ -227,7 +227,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) 
>@@ -365,7 +365,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >@@ -433,7 +433,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >@@ -472,7 +472,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >@@ -535,7 +535,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >@@ -599,7 +599,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(mc, rep) >@@ -741,7 +741,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) 
>@@ -810,7 +810,7 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > name_type=NT_SRV_INST, names=["krbtgt", realm]) > > rep = self.as_req(cname, sname, realm, etype) >- self.check_pre_authenication(rep) >+ self.check_pre_authentication(rep) > > # Do the next AS-REQ > padata = self.get_pa_data(uc, rep) >-- >2.25.1 > > >From 8e755ea3f9b70b943b30ce8ee0ffa65e371a1dfe Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 2 Aug 2021 17:00:09 +1200 >Subject: [PATCH 012/108] tests/krb5: formatting > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c) >--- > python/samba/tests/krb5/as_req_tests.py | 20 +- > python/samba/tests/krb5/kdc_base_test.py | 22 +- > python/samba/tests/krb5/raw_testcase.py | 323 +++++++++++++---------- > 3 files changed, 209 insertions(+), 156 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index 10e7b603609..09cfc9e1fc8 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py 
>@@ -82,16 +82,16 @@ class AsReqKerberosTests(KDCBaseTest): > return initial_padata, req_body > > kdc_exchange_dict = self.as_exchange_dict( >- expected_crealm=expected_crealm, >- expected_cname=expected_cname, >- expected_srealm=expected_srealm, >- expected_sname=expected_sname, >- generate_padata_fn=_generate_padata_copy, >- check_error_fn=self.generic_check_as_error, >- check_rep_fn=self.generic_check_kdc_rep, >- expected_error_mode=expected_error_mode, >- client_as_etypes=client_as_etypes, >- expected_salt=expected_salt) >+ expected_crealm=expected_crealm, >+ expected_cname=expected_cname, >+ expected_srealm=expected_srealm, >+ expected_sname=expected_sname, >+ generate_padata_fn=_generate_padata_copy, >+ check_error_fn=self.generic_check_as_error, >+ check_rep_fn=self.generic_check_kdc_rep, >+ expected_error_mode=expected_error_mode, >+ client_as_etypes=client_as_etypes, >+ expected_salt=expected_salt) > > rep = self._generic_kdc_exchange(kdc_exchange_dict, > kdc_options=str(initial_kdc_options), >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 4bd856b217e..c23c71e1d74 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -21,10 +21,7 @@ import os > from datetime import datetime, timezone > import tempfile > import binascii >-import struct > >-sys.path.insert(0, "bin/python") >-os.environ["PYTHONUNBUFFERED"] = "1" > from collections import namedtuple > import ldb > from ldb import SCOPE_BASE >@@ -66,6 +63,9 @@ from samba.tests.krb5.rfc4120_constants import ( > PADATA_ETYPE_INFO2, > ) > >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ > global_asn1_print = False > global_hexdump = False 
> >@@ -114,9 +114,9 @@ class KDCBaseTest(RawKerberosTest): > > session = system_session() > type(self)._ldb = SamDB(url="ldap://%s" % self.host, >- session_info=session, >- credentials=creds, >- lp=lp) >+ session_info=session, >+ credentials=creds, >+ lp=lp) > > return self._ldb > >@@ -337,6 +337,7 @@ class KDCBaseTest(RawKerberosTest): > require_strongest_key=False): > if require_strongest_key: > self.assertTrue(require_keys) >+ > def download_krbtgt_creds(): > samdb = self.get_samdb() > >@@ -742,15 +743,16 @@ class KDCBaseTest(RawKerberosTest): > .replace(tzinfo=timezone.utc).timestamp()) > > # Account for clock skew of up to five minutes. >- self.assertLess(cred.authtime - 5*60, >+ self.assertLess(cred.authtime - 5 * 60, > datetime.now(timezone.utc).timestamp(), > "Ticket not yet valid - clocks may be out of sync.") >- self.assertLess(cred.starttime - 5*60, >+ self.assertLess(cred.starttime - 5 * 60, > datetime.now(timezone.utc).timestamp(), > "Ticket not yet valid - clocks may be out of sync.") >- self.assertGreater(cred.endtime - 60*60, >+ self.assertGreater(cred.endtime - 60 * 60, > datetime.now(timezone.utc).timestamp(), >- "Ticket already expired/about to expire - clocks may be out of sync.") >+ "Ticket already expired/about to expire - " >+ "clocks may be out of sync.") > > cred.renew_till = cred.endtime > cred.is_skey = 0 >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 9c090e4d005..de9c25751d2 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -24,11 +24,19 @@ import datetime > import random > import binascii > import itertools >+from pyasn1.codec.der.decoder import decode as pyasn1_der_decode >+from pyasn1.codec.der.encoder import encode as pyasn1_der_encode >+from pyasn1.codec.native.decoder import decode as pyasn1_native_decode >+from pyasn1.codec.native.encoder import encode as pyasn1_native_encode >+ >+from pyasn1.codec.ber.encoder import BitStringEncoder > >-import samba.tests > from samba.credentials import Credentials >-from samba.tests import TestCaseInTempDir > from samba.dcerpc import security >+ >+import samba.tests >+from samba.tests import TestCaseInTempDir >+ > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( > KDC_ERR_ETYPE_NOSUPP, >@@ -53,13 +61,6 @@ from samba.tests.krb5.rfc4120_constants import ( > ) > import samba.tests.krb5.kcrypto as kcrypto > >-from pyasn1.codec.der.decoder import decode as pyasn1_der_decode >-from pyasn1.codec.der.encoder import encode as pyasn1_der_encode >-from pyasn1.codec.native.decoder import decode as pyasn1_native_decode >-from pyasn1.codec.native.encoder import encode as pyasn1_native_encode >- >-from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder >- > > def BitStringEncoder_encodeValue32( > self, value, asn1Spec, encodeFun, **options): >@@ -217,6 +218,7 @@ class Krb5EncryptionKey(object): > } > return EncryptionKey_obj > >+ > class KerberosCredentials(Credentials): > def __init__(self): > super(KerberosCredentials, self).__init__() >@@ -293,6 +295,7 @@ class KerberosCredentials(Credentials): > def get_forced_salt(self): > return self.forced_salt > >+ > class KerberosTicketCreds(object): > def __init__(self, ticket, session_key, > crealm=None, cname=None, 
>@@ -311,14 +314,15 @@ class KerberosTicketCreds(object): > self.encpart_private = encpart_private > return > >+ > class RawKerberosTest(TestCaseInTempDir): > """A raw Kerberos Test case.""" > > etypes_to_test = ( >- { "value": -1111, "name": "dummy", }, >- { "value": kcrypto.Enctype.AES256, "name": "aes128", }, >- { "value": kcrypto.Enctype.AES128, "name": "aes256", }, >- { "value": kcrypto.Enctype.RC4, "name": "rc4", }, >+ {"value": -1111, "name": "dummy", }, >+ {"value": kcrypto.Enctype.AES256, "name": "aes128", }, >+ {"value": kcrypto.Enctype.AES128, "name": "aes256", }, >+ {"value": kcrypto.Enctype.RC4, "name": "rc4", }, > ) > > setup_etype_test_permutations_done = False >@@ -332,7 +336,7 @@ class RawKerberosTest(TestCaseInTempDir): > > num_idxs = len(cls.etypes_to_test) > permutations = [] >- for num in range(1, num_idxs+1): >+ for num in range(1, num_idxs + 1): > chunk = list(itertools.permutations(range(num_idxs), num)) > for e in chunk: > el = list(e) >@@ -349,7 +353,7 @@ class RawKerberosTest(TestCaseInTempDir): > name += "_%s" % n > etypes += (cls.etypes_to_test[idx]["value"],) > >- r = { "name": name, "etypes": etypes, } >+ r = {"name": name, "etypes": etypes, } > res.append(r) > > cls.etype_test_permutations = res >@@ -386,7 +390,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.do_asn1_print = False > self.do_hexdump = False > >- strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True) >+ strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', >+ allow_missing=True) > if strict_checking is None: > strict_checking = '1' > self.strict_checking = bool(int(strict_checking)) 
>@@ -440,8 +445,9 @@ class RawKerberosTest(TestCaseInTempDir): > val = None > if prefix is not None: > allow_missing_prefix = allow_missing or fallback_default >- val = samba.tests.env_get_var_value('%s_%s' % (prefix, varname), >- allow_missing=allow_missing_prefix) >+ val = samba.tests.env_get_var_value( >+ '%s_%s' % (prefix, varname), >+ allow_missing=allow_missing_prefix) > else: > fallback_default = True > if val is None and fallback_default: >@@ -506,7 +512,8 @@ class RawKerberosTest(TestCaseInTempDir): > if aes256_key is not None: > c.set_forced_key(kcrypto.Enctype.AES256, aes256_key) > aes128_key = self.env_get_var('AES128_KEY_HEX', prefix, >- fallback_default=False, allow_missing=True) >+ fallback_default=False, >+ allow_missing=True) > if aes128_key is not None: > c.set_forced_key(kcrypto.Enctype.AES128, aes128_key) > rc4_key = self.env_get_var('RC4_KEY_HEX', prefix, >@@ -536,11 +543,12 @@ class RawKerberosTest(TestCaseInTempDir): > env_err = None > try: > # Try to obtain them from the environment >- creds = self._get_krb5_creds_from_env(prefix, >- default_username=default_username, >- allow_missing_password=allow_missing_password, >- allow_missing_keys=allow_missing_keys, >- require_strongest_key=require_strongest_key) >+ creds = self._get_krb5_creds_from_env( >+ prefix, >+ default_username=default_username, >+ allow_missing_password=allow_missing_password, >+ allow_missing_keys=allow_missing_keys, >+ require_strongest_key=require_strongest_key) > except Exception as err: > # An error occurred, so save it for later > env_err = err >@@ -886,8 +894,8 @@ class RawKerberosTest(TestCaseInTempDir): > return s > > def get_Nonce(self): >- nonce_min=0x7f000000 >- nonce_max=0x7fffffff >+ nonce_min = 0x7f000000 >+ nonce_max = 0x7fffffff > v = random.randint(nonce_min, nonce_max) > return v 
> >@@ -936,15 +944,20 @@ class RawKerberosTest(TestCaseInTempDir): > if etype == kcrypto.Enctype.RC4: > nthash = creds.get_nt_hash() > self.assertIsNotNone(nthash, msg=fail_msg) >- return self.SessionKey_create(etype=etype, contents=nthash, kvno=kvno) >+ return self.SessionKey_create(etype=etype, >+ contents=nthash, >+ kvno=kvno) > > password = creds.get_password() > self.assertIsNotNone(password, msg=fail_msg) > salt = creds.get_forced_salt() > if salt is None: > salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()), >- encoding='utf-8') >- return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, kvno=kvno) >+ encoding='utf-8') >+ return self.PasswordKey_create(etype=etype, >+ pwd=password, >+ salt=salt, >+ kvno=kvno) > > def RandomKey(self, etype): > e = kcrypto._get_enctype_profile(etype) >@@ -1020,10 +1033,12 @@ class RawKerberosTest(TestCaseInTempDir): > return PA_ENC_TS_ENC_obj > > def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True): >- #KERB-PA-PAC-REQUEST ::= SEQUENCE { >- # include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. >- # --If FALSE, and PAC present, remove PAC >- #} >+ # KERB-PA-PAC-REQUEST ::= SEQUENCE { >+ # include-pac[0] BOOLEAN --If TRUE, and no pac present, >+ # -- include PAC. >+ # --If FALSE, and PAC present, >+ # -- remove PAC. >+ # } > KERB_PA_PAC_REQUEST_obj = { > 'include-pac': include_pac, > } >@@ -1031,7 +1046,7 @@ class RawKerberosTest(TestCaseInTempDir): > return KERB_PA_PAC_REQUEST_obj > pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj, > asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST()) >- pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST >+ pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST > return pa_data > > def KDC_REQ_BODY_create(self, 
>@@ -1327,11 +1342,14 @@ class RawKerberosTest(TestCaseInTempDir): > EncAuthorizationData=EncAuthorizationData, > EncAuthorizationData_key=EncAuthorizationData_key, > additional_tickets=additional_tickets) >- req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), >+ req_body_blob = self.der_encode(req_body, >+ asn1Spec=krb5_asn1.KDC_REQ_BODY(), > asn1_print=asn1_print, hexdump=hexdump) > >- req_body_checksum = self.Checksum_create( >- ticket_session_key, 6, req_body_blob, ctype=body_checksum_type) >+ req_body_checksum = self.Checksum_create(ticket_session_key, >+ 6, >+ req_body_blob, >+ ctype=body_checksum_type) > > subkey_obj = None > if authenticator_subkey is not None: >@@ -1390,7 +1408,10 @@ class RawKerberosTest(TestCaseInTempDir): > cksum_data += n.encode() > cksum_data += realm.encode() > cksum_data += "Kerberos".encode() >- cksum = self.Checksum_create(tgt_session_key, 17, cksum_data, ctype) >+ cksum = self.Checksum_create(tgt_session_key, >+ 17, >+ cksum_data, >+ ctype) > > PA_S4U2Self_obj = { > 'name': name, 
>@@ -1403,20 +1424,20 @@ class RawKerberosTest(TestCaseInTempDir): > return self.PA_DATA_create(129, pa_s4u2self) > > def _generic_kdc_exchange(self, >- kdc_exchange_dict, # required >- kdc_options=None, # required >- cname=None, # optional >- realm=None, # required >- sname=None, # optional >- from_time=None, # optional >- till_time=None, # required >- renew_time=None, # optional >- nonce=None, # required >- etypes=None, # required >- addresses=None, # optional >- EncAuthorizationData=None, # optional >- EncAuthorizationData_key=None, # optional >- additional_tickets=None): # optional >+ kdc_exchange_dict, # required >+ kdc_options=None, # required >+ cname=None, # optional >+ realm=None, # required >+ sname=None, # optional >+ from_time=None, # optional >+ till_time=None, # required >+ renew_time=None, # optional >+ nonce=None, # required >+ etypes=None, # required >+ addresses=None, # optional >+ EncAuthorizationData=None, # optional >+ EncAuthorizationData_key=None, # optional >+ additional_tickets=None): # optional > > check_error_fn = kdc_exchange_dict['check_error_fn'] > check_rep_fn = kdc_exchange_dict['check_rep_fn'] 
>@@ -1431,19 +1452,20 @@ class RawKerberosTest(TestCaseInTempDir): > if nonce is None: > nonce = self.get_Nonce() > >- req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, >- cname=cname, >- realm=realm, >- sname=sname, >- from_time=from_time, >- till_time=till_time, >- renew_time=renew_time, >- nonce=nonce, >- etypes=etypes, >- addresses=addresses, >- EncAuthorizationData=EncAuthorizationData, >- EncAuthorizationData_key=EncAuthorizationData_key, >- additional_tickets=additional_tickets) >+ req_body = self.KDC_REQ_BODY_create( >+ kdc_options=kdc_options, >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets) > if generate_padata_fn is not None: > # This can alter req_body... > padata, req_body = generate_padata_fn(kdc_exchange_dict, >@@ -1455,10 +1477,10 @@ class RawKerberosTest(TestCaseInTempDir): > kdc_exchange_dict['req_padata'] = padata > kdc_exchange_dict['req_body'] = req_body > >- req_obj,req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, >- padata=padata, >- req_body=req_body, >- asn1Spec=req_asn1Spec()) >+ req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, >+ padata=padata, >+ req_body=req_body, >+ asn1Spec=req_asn1Spec()) > > rep = self.send_recv_transaction(req_decoded) > self.assertIsNotNone(rep) 
>@@ -1571,7 +1593,7 @@ class RawKerberosTest(TestCaseInTempDir): > rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec'] > msg_type = kdc_exchange_dict['rep_msg_type'] > >- self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP >+ self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP > padata = self.getElementValue(rep, 'padata') > self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) > self.assertElementEqualPrincipal(rep, 'cname', expected_cname) >@@ -1579,22 +1601,23 @@ class RawKerberosTest(TestCaseInTempDir): > ticket = self.getElementValue(rep, 'ticket') > ticket_encpart = None > ticket_cipher = None >- if ticket is not None: # Never None, but gives indentation >+ if ticket is not None: # Never None, but gives indentation > self.assertElementPresent(ticket, 'tkt-vno') > self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) > self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) > self.assertElementPresent(ticket, 'enc-part') > ticket_encpart = self.getElementValue(ticket, 'enc-part') >- if ticket_encpart is not None: # Never None, but gives indentation >+ if ticket_encpart is not None: # Never None, but gives indentation > self.assertElementPresent(ticket_encpart, 'etype') > # 'unspecified' means present, with any value != 0 >- self.assertElementKVNO(ticket_encpart, 'kvno', self.unspecified_kvno) >+ self.assertElementKVNO(ticket_encpart, 'kvno', >+ self.unspecified_kvno) > self.assertElementPresent(ticket_encpart, 'cipher') > ticket_cipher = self.getElementValue(ticket_encpart, 'cipher') > self.assertElementPresent(rep, 'enc-part') > encpart = self.getElementValue(rep, 'enc-part') > encpart_cipher = None >- if encpart is not None: # Never None, but gives indentation >+ if encpart is not None: # Never None, but gives indentation > self.assertElementPresent(encpart, 'etype') > self.assertElementKVNO(ticket_encpart, 'kvno', 'autodetect') > self.assertElementPresent(encpart, 'cipher') 
>@@ -1602,24 +1625,35 @@ class RawKerberosTest(TestCaseInTempDir): > > encpart_decryption_key = None > if check_padata_fn is not None: >- # See if get the decryption key from the preauth phase >- encpart_decryption_key,encpart_decryption_usage = \ >- check_padata_fn(kdc_exchange_dict, callback_dict, >- rep, padata) >+ # See if we can get the decryption key from the preauth phase >+ encpart_decryption_key, encpart_decryption_usage = ( >+ check_padata_fn(kdc_exchange_dict, callback_dict, >+ rep, padata)) > > ticket_private = None > if ticket_decryption_key is not None: >- self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) >- self.assertElementKVNO(ticket_encpart, 'kvno', ticket_decryption_key.kvno) >- ticket_decpart = ticket_decryption_key.decrypt(KU_TICKET, ticket_cipher) >- ticket_private = self.der_decode(ticket_decpart, asn1Spec=krb5_asn1.EncTicketPart()) >+ self.assertElementEqual(ticket_encpart, 'etype', >+ ticket_decryption_key.etype) >+ self.assertElementKVNO(ticket_encpart, 'kvno', >+ ticket_decryption_key.kvno) >+ ticket_decpart = ticket_decryption_key.decrypt(KU_TICKET, >+ ticket_cipher) >+ ticket_private = self.der_decode( >+ ticket_decpart, >+ asn1Spec=krb5_asn1.EncTicketPart()) > > encpart_private = None > if encpart_decryption_key is not None: >- self.assertElementEqual(encpart, 'etype', encpart_decryption_key.etype) >- self.assertElementKVNO(encpart, 'kvno', encpart_decryption_key.kvno) >- rep_decpart = encpart_decryption_key.decrypt(encpart_decryption_usage, encpart_cipher) >- encpart_private = self.der_decode(rep_decpart, asn1Spec=rep_encpart_asn1Spec()) >+ self.assertElementEqual(encpart, 'etype', >+ encpart_decryption_key.etype) >+ self.assertElementKVNO(encpart, 'kvno', >+ encpart_decryption_key.kvno) >+ rep_decpart = encpart_decryption_key.decrypt( >+ encpart_decryption_usage, >+ encpart_cipher) >+ encpart_private = self.der_decode( >+ rep_decpart, >+ asn1Spec=rep_encpart_asn1Spec()) > > if check_kdc_private_fn is not 
None: > check_kdc_private_fn(kdc_exchange_dict, callback_dict, >@@ -1647,12 +1681,14 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementPresent(ticket_private, 'flags') > self.assertElementPresent(ticket_private, 'key') > ticket_key = self.getElementValue(ticket_private, 'key') >- if ticket_key is not None: # Never None, but gives indentation >+ if ticket_key is not None: # Never None, but gives indentation > self.assertElementPresent(ticket_key, 'keytype') > self.assertElementPresent(ticket_key, 'keyvalue') > ticket_session_key = self.EncryptionKey_import(ticket_key) >- self.assertElementEqualUTF8(ticket_private, 'crealm', expected_crealm) >- self.assertElementEqualPrincipal(ticket_private, 'cname', expected_cname) >+ self.assertElementEqualUTF8(ticket_private, 'crealm', >+ expected_crealm) >+ self.assertElementEqualPrincipal(ticket_private, 'cname', >+ expected_cname) > self.assertElementPresent(ticket_private, 'transited') > self.assertElementPresent(ticket_private, 'authtime') > if self.strict_checking: 
>@@ -1666,39 +1702,45 @@ class RawKerberosTest(TestCaseInTempDir): > if encpart_private is not None: > self.assertElementPresent(encpart_private, 'key') > encpart_key = self.getElementValue(encpart_private, 'key') >- if encpart_key is not None: # Never None, but gives indentation >+ if encpart_key is not None: # Never None, but gives indentation > self.assertElementPresent(encpart_key, 'keytype') > self.assertElementPresent(encpart_key, 'keyvalue') > encpart_session_key = self.EncryptionKey_import(encpart_key) > self.assertElementPresent(encpart_private, 'last-req') > self.assertElementPresent(encpart_private, 'nonce') >- # TODO self.assertElementPresent(encpart_private, 'key-expiration') >+ # TODO self.assertElementPresent(encpart_private, >+ # 'key-expiration') > self.assertElementPresent(encpart_private, 'flags') > self.assertElementPresent(encpart_private, 'authtime') > if self.strict_checking: > self.assertElementPresent(encpart_private, 'starttime') > self.assertElementPresent(encpart_private, 'endtime') > # TODO self.assertElementPresent(encpart_private, 'renew-till') >- self.assertElementEqualUTF8(encpart_private, 'srealm', expected_srealm) >- self.assertElementEqualPrincipal(encpart_private, 'sname', expected_sname) >+ self.assertElementEqualUTF8(encpart_private, 'srealm', >+ expected_srealm) >+ self.assertElementEqualPrincipal(encpart_private, 'sname', >+ expected_sname) > # TODO self.assertElementMissing(encpart_private, 'caddr') > > if ticket_session_key is not None and encpart_session_key is not None: >- self.assertEqual(ticket_session_key.etype, encpart_session_key.etype) >- self.assertEqual(ticket_session_key.key.contents, encpart_session_key.key.contents) >+ self.assertEqual(ticket_session_key.etype, >+ encpart_session_key.etype) >+ self.assertEqual(ticket_session_key.key.contents, >+ encpart_session_key.key.contents) > if encpart_session_key is not None: > session_key = encpart_session_key > else: > session_key = ticket_session_key >- ticket_creds 
= KerberosTicketCreds(ticket, >- session_key, >- crealm=expected_crealm, >- cname=expected_cname, >- srealm=expected_srealm, >- sname=expected_sname, >- decryption_key=ticket_decryption_key, >- ticket_private=ticket_private, >- encpart_private=encpart_private) >+ ticket_creds = KerberosTicketCreds( >+ ticket, >+ session_key, >+ crealm=expected_crealm, >+ cname=expected_cname, >+ srealm=expected_srealm, >+ sname=expected_sname, >+ decryption_key=ticket_decryption_key, >+ ticket_private=ticket_private, >+ encpart_private=encpart_private) > > kdc_exchange_dict['rep_ticket_creds'] = ticket_creds > return >@@ -1728,11 +1770,11 @@ class RawKerberosTest(TestCaseInTempDir): > if kcrypto.Enctype.RC4 in proposed_etypes: > expect_etype_info = True > for etype in proposed_etypes: >- if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): >+ if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): > expect_etype_info = False > if etype not in client_as_etypes: > continue >- if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): >+ if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): > if etype > expected_aes_type: > expected_aes_type = etype > if etype in (kcrypto.Enctype.RC4,): >@@ -1779,14 +1821,17 @@ class RawKerberosTest(TestCaseInTempDir): > if self.strict_checking: > self.assertIsNotNone(edata) > if edata is not None: >- rep_padata = self.der_decode(edata, asn1Spec=krb5_asn1.METHOD_DATA()) >+ rep_padata = self.der_decode(edata, >+ asn1Spec=krb5_asn1.METHOD_DATA()) > self.assertGreater(len(rep_padata), 0) > else: > rep_padata = [] > > if self.strict_checking: > for i in range(0, len(expected_patypes)): >- self.assertElementEqual(rep_padata[i], 'padata-type', expected_patypes[i]) >+ self.assertElementEqual(rep_padata[i], >+ 'padata-type', >+ expected_patypes[i]) > self.assertEqual(len(rep_padata), len(expected_patypes)) > > etype_info2 = None 
>@@ -1799,11 +1844,13 @@ class RawKerberosTest(TestCaseInTempDir): > pavalue = self.getElementValue(pa, 'padata-value') > if patype == PADATA_ETYPE_INFO2: > self.assertIsNone(etype_info2) >- etype_info2 = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ etype_info2 = self.der_decode(pavalue, >+ asn1Spec=krb5_asn1.ETYPE_INFO2()) > continue > if patype == PADATA_ETYPE_INFO: > self.assertIsNone(etype_info) >- etype_info = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO()) >+ etype_info = self.der_decode(pavalue, >+ asn1Spec=krb5_asn1.ETYPE_INFO()) > continue > if patype == PADATA_ENC_TIMESTAMP: > self.assertIsNone(enc_timestamp) >@@ -1881,7 +1928,8 @@ class RawKerberosTest(TestCaseInTempDir): > authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] > body_checksum_type = kdc_exchange_dict['body_checksum_type'] > >- req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY()) >+ req_body_blob = self.der_encode(req_body, >+ asn1Spec=krb5_asn1.KDC_REQ_BODY()) > > req_body_checksum = self.Checksum_create(tgt.session_key, > KU_TGS_REQ_AUTH_CKSUM, 
>@@ -1893,15 +1941,18 @@ class RawKerberosTest(TestCaseInTempDir): > subkey_obj = authenticator_subkey.export_obj() > seq_number = random.randint(0, 0xfffffffe) > (ctime, cusec) = self.get_KerberosTimeWithUsec() >- authenticator_obj = self.Authenticator_create(crealm=tgt.crealm, >- cname=tgt.cname, >- cksum=req_body_checksum, >- cusec=cusec, >- ctime=ctime, >- subkey=subkey_obj, >- seq_number=seq_number, >- authorization_data=None) >- authenticator_blob = self.der_encode(authenticator_obj, asn1Spec=krb5_asn1.Authenticator()) >+ authenticator_obj = self.Authenticator_create( >+ crealm=tgt.crealm, >+ cname=tgt.cname, >+ cksum=req_body_checksum, >+ cusec=cusec, >+ ctime=ctime, >+ subkey=subkey_obj, >+ seq_number=seq_number, >+ authorization_data=None) >+ authenticator_blob = self.der_encode( >+ authenticator_obj, >+ asn1Spec=krb5_asn1.Authenticator()) > > authenticator = self.EncryptedData_create(tgt.session_key, > KU_TGS_REQ_AUTH, >@@ -1909,8 +1960,8 @@ class RawKerberosTest(TestCaseInTempDir): > > ap_options = krb5_asn1.APOptions('0') > ap_req_obj = self.AP_REQ_create(ap_options=str(ap_options), >- ticket=tgt.ticket, >- authenticator=authenticator) >+ ticket=tgt.ticket, >+ authenticator=authenticator) > ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ()) > pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) > padata = [pa_tgs_req] 
>@@ -1964,19 +2015,19 @@ class RawKerberosTest(TestCaseInTempDir): > return preauth_key, as_rep_usage > > kdc_exchange_dict = self.as_exchange_dict( >- expected_crealm=expected_crealm, >- expected_cname=expected_cname, >- expected_srealm=expected_srealm, >- expected_sname=expected_sname, >- ticket_decryption_key=ticket_decryption_key, >- generate_padata_fn=_generate_padata_copy, >- check_error_fn=self.generic_check_as_error, >- check_rep_fn=self.generic_check_kdc_rep, >- check_padata_fn=_check_padata_preauth_key, >- check_kdc_private_fn=self.generic_check_kdc_private, >- expected_error_mode=expected_error_mode, >- client_as_etypes=client_as_etypes, >- expected_salt=expected_salt) >+ expected_crealm=expected_crealm, >+ expected_cname=expected_cname, >+ expected_srealm=expected_srealm, >+ expected_sname=expected_sname, >+ ticket_decryption_key=ticket_decryption_key, >+ generate_padata_fn=_generate_padata_copy, >+ check_error_fn=self.generic_check_as_error, >+ check_rep_fn=self.generic_check_kdc_rep, >+ check_padata_fn=_check_padata_preauth_key, >+ check_kdc_private_fn=self.generic_check_kdc_private, >+ expected_error_mode=expected_error_mode, >+ client_as_etypes=client_as_etypes, >+ expected_salt=expected_salt) > > rep = self._generic_kdc_exchange(kdc_exchange_dict, > kdc_options=str(kdc_options), >@@ -1986,7 +2037,7 @@ class RawKerberosTest(TestCaseInTempDir): > till_time=till, > etypes=etypes) > >- if expected_error_mode == 0: # AS-REP >+ if expected_error_mode == 0: # AS-REP > return rep > > return kdc_exchange_dict['preauth_etype_info2'] >-- >2.25.1 > > >From d840d0bc1c084abc7947480bf17853b2db6207b4 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 2 Aug 2021 17:01:39 +1200 >Subject: [PATCH 013/108] tests/krb5: Remove unneeded statements > >A return statement is redundant as the last statement in a method, as >methods will otherwise return None. Also, code blocks consisting of a >single 'pass' statement can be safely omitted. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d) >--- > python/samba/tests/krb5/as_req_tests.py | 2 - > python/samba/tests/krb5/raw_testcase.py | 99 +++++++++---------------- > 2 files changed, 33 insertions(+), 68 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index 09cfc9e1fc8..106c7489e9c 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py >@@ -46,7 +46,6 @@ class AsReqKerberosTests(KDCBaseTest): > tname = "%s_pac_%s" % (name, pac) > targs = (idx, pac) > cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) >- return > > def setUp(self): > super(AsReqKerberosTests, self).setUp() >@@ -197,7 +196,6 @@ class AsReqKerberosTests(KDCBaseTest): > preauth_key=preauth_key, > ticket_decryption_key=krbtgt_decryption_key) > self.assertIsNotNone(as_rep) >- return > > if __name__ == "__main__": > global_asn1_print = True >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index de9c25751d2..34eae177882 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -195,7 +195,6 @@ class Krb5EncryptionKey(object): > self.etype = key.enctype > self.ctype = EncTypeChecksum[self.etype] > self.kvno = kvno >- return > > def encrypt(self, usage, plaintext): > ciphertext = kcrypto.encrypt(self.key, usage, plaintext) >@@ -235,19 +234,15 @@ class KerberosCredentials(Credentials): > self.forced_keys = {} > > self.forced_salt = None >- return > > def set_as_supported_enctypes(self, value): > self.as_supported_enctypes = int(value) >- return > > def set_tgs_supported_enctypes(self, value): > self.tgs_supported_enctypes = int(value) >- return > > def set_ap_supported_enctypes(self, value): > self.ap_supported_enctypes = int(value) >- return > > def _get_krb5_etypes(self, supported_enctypes): > etypes = () >@@ -290,7 +285,6 @@ class KerberosCredentials(Credentials): > > def set_forced_salt(self, salt): > self.forced_salt = bytes(salt) >- return > > def get_forced_salt(self): > return self.forced_salt >@@ -312,7 +306,6 @@ class KerberosTicketCreds(object): > self.decryption_key = decryption_key > self.ticket_private = ticket_private > self.encpart_private = encpart_private >- return > > > class RawKerberosTest(TestCaseInTempDir): >@@ -358,7 +351,6 @@ class RawKerberosTest(TestCaseInTempDir): > > cls.etype_test_permutations = res > cls.setup_etype_test_permutations_done = True >- return > > @classmethod > def etype_test_permutation_name_idx(cls): >@@ -427,17 +419,12 @@ class RawKerberosTest(TestCaseInTempDir): > except IOError: > self.s.close() > raise >- except Exception: >- raise >- finally: >- pass > > def connect(self): > self.assertNotConnected() > self._connect_tcp() > if self.do_hexdump: > sys.stderr.write("connected[%s]\n" % self.host) >- return > > def env_get_var(self, varname, prefix, > fallback_default=True, 
>@@ -704,8 +691,6 @@ class RawKerberosTest(TestCaseInTempDir): > except IOError as e: > self._disconnect("send_pdu: %s" % e) > raise >- finally: >- pass > > def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): > rep_pdu = None 
>@@ -721,57 +706,51 @@ class RawKerberosTest(TestCaseInTempDir): > except socket.timeout: > self.s.settimeout(10) > sys.stderr.write("recv_raw: TIMEOUT\n") >- pass > except socket.error as e: > self._disconnect("recv_raw: %s" % e) > raise > except IOError as e: > self._disconnect("recv_raw: %s" % e) > raise >- finally: >- pass > return rep_pdu > > def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): > rep_pdu = None > rep = None >- try: >+ raw_pdu = self.recv_raw( >+ num_recv=4, hexdump=hexdump, timeout=timeout) >+ if raw_pdu is None: >+ return (None, None) >+ header = struct.unpack(">I", raw_pdu[0:4]) >+ k5_len = header[0] >+ if k5_len == 0: >+ return (None, "") >+ missing = k5_len >+ rep_pdu = b'' >+ while missing > 0: > raw_pdu = self.recv_raw( >- num_recv=4, hexdump=hexdump, timeout=timeout) >- if raw_pdu is None: >- return (None, None) >- header = struct.unpack(">I", raw_pdu[0:4]) >- k5_len = header[0] >- if k5_len == 0: >- return (None, "") >- missing = k5_len >- rep_pdu = b'' >- while missing > 0: >- raw_pdu = self.recv_raw( >- num_recv=missing, hexdump=hexdump, timeout=timeout) >- self.assertGreaterEqual(len(raw_pdu), 1) >- rep_pdu += raw_pdu >- missing = k5_len - len(rep_pdu) >- k5_raw = self.der_decode( >- rep_pdu, >- asn1Spec=None, >- native_encode=False, >- asn1_print=False, >- hexdump=False) >- pvno = k5_raw['field-0'] >- self.assertEqual(pvno, 5) >- msg_type = k5_raw['field-1'] >- self.assertIn(msg_type, [11, 13, 30]) >- if msg_type == 11: >- asn1Spec = krb5_asn1.AS_REP() >- elif msg_type == 13: >- asn1Spec = krb5_asn1.TGS_REP() >- elif msg_type == 30: >- asn1Spec = krb5_asn1.KRB_ERROR() >- rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, >- asn1_print=asn1_print, hexdump=False) >- finally: >- pass >+ num_recv=missing, hexdump=hexdump, timeout=timeout) >+ self.assertGreaterEqual(len(raw_pdu), 1) >+ rep_pdu += raw_pdu >+ missing = k5_len - len(rep_pdu) >+ k5_raw = self.der_decode( >+ rep_pdu, >+ asn1Spec=None, >+ native_encode=False, 
>+ asn1_print=False, >+ hexdump=False) >+ pvno = k5_raw['field-0'] >+ self.assertEqual(pvno, 5) >+ msg_type = k5_raw['field-1'] >+ self.assertIn(msg_type, [11, 13, 30]) >+ if msg_type == 11: >+ asn1Spec = krb5_asn1.AS_REP() >+ elif msg_type == 13: >+ asn1Spec = krb5_asn1.TGS_REP() >+ elif msg_type == 30: >+ asn1Spec = krb5_asn1.KRB_ERROR() >+ rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, >+ asn1_print=asn1_print, hexdump=False) > return (rep, rep_pdu) > > def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None): >@@ -782,11 +761,9 @@ class RawKerberosTest(TestCaseInTempDir): > > def assertIsConnected(self): > self.assertIsNotNone(self.s, msg="Not connected") >- return > > def assertNotConnected(self): > self.assertIsNone(self.s, msg="Is connected") >- return > > def send_recv_transaction( > self, >@@ -807,11 +784,9 @@ class RawKerberosTest(TestCaseInTempDir): > > def assertNoValue(self, value): > self.assertTrue(value.isNoValue) >- return > > def assertHasValue(self, value): > self.assertIsNotNone(value) >- return > > def getElementValue(self, obj, elem): > v = None >@@ -824,24 +799,20 @@ class RawKerberosTest(TestCaseInTempDir): > def assertElementMissing(self, obj, elem): > v = self.getElementValue(obj, elem) > self.assertIsNone(v) >- return > > def assertElementPresent(self, obj, elem): > v = self.getElementValue(obj, elem) > self.assertIsNotNone(v) >- return > > def assertElementEqual(self, obj, elem, value): > v = self.getElementValue(obj, elem) > self.assertIsNotNone(v) > self.assertEqual(v, value) >- return > > def assertElementEqualUTF8(self, obj, elem, value): > v = self.getElementValue(obj, elem) > self.assertIsNotNone(v) > self.assertEqual(v, bytes(value, 'utf8')) >- return > > def assertPrincipalEqual(self, princ1, princ2): > self.assertEqual(princ1['name-type'], princ2['name-type']) 
>@@ -854,14 +825,12 @@ class RawKerberosTest(TestCaseInTempDir): > princ1['name-string'][idx], > princ2['name-string'][idx], > msg="princ1=%s != princ2=%s" % (princ1, princ2)) >- return > > def assertElementEqualPrincipal(self, obj, elem, value): > v = self.getElementValue(obj, elem) > self.assertIsNotNone(v) > v = pyasn1_native_decode(v, asn1Spec=krb5_asn1.PrincipalName()) > self.assertPrincipalEqual(v, value) >- return > > def assertElementKVNO(self, obj, elem, value): > v = self.getElementValue(obj, elem) >@@ -879,7 +848,6 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertEqual(v, value) > else: > self.assertIsNone(v) >- return > > def get_KerberosTimeWithUsec(self, epoch=None, offset=None): > if epoch is None: >@@ -1743,7 +1711,6 @@ class RawKerberosTest(TestCaseInTempDir): > encpart_private=encpart_private) > > kdc_exchange_dict['rep_ticket_creds'] = ticket_creds >- return > > def generic_check_as_error(self, > kdc_exchange_dict, >-- >2.25.1 > > >From 3a4199107fb48712c7696898c44d93800984096e Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 2 Aug 2021 17:10:32 +1200 >Subject: [PATCH 014/108] tests/krb5: Use more compact dict lookup > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d) >--- > python/samba/tests/krb5/kdc_base_test.py | 5 +---- > python/samba/tests/krb5/raw_testcase.py | 18 ++++-------------- > 2 files changed, 5 insertions(+), 18 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index c23c71e1d74..79efc68254e 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py 
>@@ -722,10 +722,7 @@ class KDCBaseTest(RawKerberosTest): > ticket_data = self.der_encode(ticket, asn1Spec=krb5_asn1.Ticket()) > > authtime = enc_part['authtime'] >- try: >- starttime = enc_part['starttime'] >- except KeyError: >- starttime = authtime >+ starttime = enc_part.get('starttime', authtime) > endtime = enc_part['endtime'] > > cred = krb5ccache.CREDENTIAL() >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 34eae177882..15bbd9ec999 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -279,9 +279,7 @@ class KerberosCredentials(Credentials): > > def get_forced_key(self, etype): > etype = int(etype) >- if etype in self.forced_keys: >- return self.forced_keys[etype] >- return None >+ return self.forced_keys.get(etype, None) > > def set_forced_salt(self, salt): > self.forced_salt = bytes(salt) >@@ -789,12 +787,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(value) > > def getElementValue(self, obj, elem): >- v = None >- try: >- v = obj[elem] >- except KeyError: >- pass >- return v >+ return obj.get(elem, None) > > def assertElementMissing(self, obj, elem): > v = self.getElementValue(obj, elem) >@@ -879,11 +872,8 @@ class RawKerberosTest(TestCaseInTempDir): > > def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None): > e = etype_info2['etype'] >- salt = None >- try: >- salt = etype_info2['salt'] >- except Exception: >- pass >+ >+ salt = etype_info2.get('salt', None) > > if e == kcrypto.Enctype.RC4: > nthash = creds.get_nt_hash() >-- >2.25.1 > > >From aacb4fb516dcb862208d666cea45c67f898a2941 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 3 Aug 2021 15:03:00 +1200 >Subject: [PATCH 015/108] tests/krb5: Simplify Python syntax 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d) >--- > python/samba/tests/krb5/raw_testcase.py | 12 +++++------- > 1 file changed, 5 insertions(+), 7 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 15bbd9ec999..31731a6547c 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -184,7 +184,7 @@ krb5_asn1.KerbErrorDataType.prettyPrint =\ > Integer_NamedValues_prettyPrint > > >-class Krb5EncryptionKey(object): >+class Krb5EncryptionKey: > def __init__(self, key, kvno): > EncTypeChecksum = { > kcrypto.Enctype.AES256: kcrypto.Cksumtype.SHA1_AES256, >@@ -288,7 +288,7 @@ class KerberosCredentials(Credentials): > return self.forced_salt > > >-class KerberosTicketCreds(object): >+class KerberosTicketCreds: > def __init__(self, ticket, session_key, > crealm=None, cname=None, > srealm=None, sname=None, >@@ -956,7 +956,7 @@ class RawKerberosTest(TestCaseInTempDir): > return Checksum_obj > > @classmethod >- def PrincipalName_create(self, name_type, names): >+ def PrincipalName_create(cls, name_type, names): > # PrincipalName ::= SEQUENCE { > # name-type [0] Int32, > # name-string [1] SEQUENCE OF KerberosString >@@ -1785,10 +1785,8 @@ class RawKerberosTest(TestCaseInTempDir): > rep_padata = [] > > if self.strict_checking: >- for i in range(0, len(expected_patypes)): >- self.assertElementEqual(rep_padata[i], >- 'padata-type', >- expected_patypes[i]) >+ for i, patype in enumerate(expected_patypes): >+ self.assertElementEqual(rep_padata[i], 'padata-type', patype) > self.assertEqual(len(rep_padata), len(expected_patypes)) > > etype_info2 = None >-- >2.25.1 > > >From a9fb0d8c4ba6c8759aa4725c7bd770ba8922bc4e Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 13:49:27 +1200 >Subject: [PATCH 016/108] tests/krb5: Remove magic constants > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47) >--- > python/samba/tests/krb5/raw_testcase.py | 30 +++++++++++--------- > python/samba/tests/krb5/rfc4120_constants.py | 7 +++++ > 2 files changed, 24 insertions(+), 13 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 31731a6547c..dfa6a71467a 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -41,12 +41,14 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( > KDC_ERR_ETYPE_NOSUPP, > KDC_ERR_PREAUTH_REQUIRED, >+ KRB_AP_REQ, > KRB_AS_REP, > KRB_AS_REQ, > KRB_ERROR, > KRB_TGS_REP, > KRB_TGS_REQ, > KU_AS_REP_ENC_PART, >+ KU_NON_KERB_CKSUM_SALT, > KU_TGS_REP_ENC_PART_SESSION, > KU_TGS_REP_ENC_PART_SUB_KEY, > KU_TGS_REQ_AUTH, >@@ -55,7 +57,9 @@ from samba.tests.krb5.rfc4120_constants import ( > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO, > PADATA_ETYPE_INFO2, >+ PADATA_FOR_USER, > PADATA_KDC_REQ, >+ PADATA_PAC_REQUEST, > PADATA_PK_AS_REQ, > PADATA_PK_AS_REP_19 > ) 
>@@ -740,12 +744,12 @@ class RawKerberosTest(TestCaseInTempDir): > pvno = k5_raw['field-0'] > self.assertEqual(pvno, 5) > msg_type = k5_raw['field-1'] >- self.assertIn(msg_type, [11, 13, 30]) >- if msg_type == 11: >+ self.assertIn(msg_type, [KRB_AS_REP, KRB_TGS_REP, KRB_ERROR]) >+ if msg_type == KRB_AS_REP: > asn1Spec = krb5_asn1.AS_REP() >- elif msg_type == 13: >+ elif msg_type == KRB_TGS_REP: > asn1Spec = krb5_asn1.TGS_REP() >- elif msg_type == 30: >+ elif msg_type == KRB_ERROR: > asn1Spec = krb5_asn1.KRB_ERROR() > rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, > asn1_print=asn1_print, hexdump=False) >@@ -1004,7 +1008,7 @@ class RawKerberosTest(TestCaseInTempDir): > return KERB_PA_PAC_REQUEST_obj > pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj, > asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST()) >- pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST >+ pa_data = self.PA_DATA_create(PADATA_PAC_REQUEST, pa_pac) > return pa_data > > def KDC_REQ_BODY_create(self, >@@ -1172,7 +1176,7 @@ class RawKerberosTest(TestCaseInTempDir): > asn1_print=asn1_print, > hexdump=hexdump) > obj, decoded = self.KDC_REQ_create( >- msg_type=10, >+ msg_type=KRB_AS_REQ, > padata=padata, > req_body=KDC_REQ_BODY_obj, > asn1Spec=krb5_asn1.AS_REQ(), >@@ -1192,7 +1196,7 @@ class RawKerberosTest(TestCaseInTempDir): > # } > AP_REQ_obj = { > 'pvno': 5, >- 'msg-type': 14, >+ 'msg-type': KRB_AP_REQ, > 'ap-options': ap_options, > 'ticket': ticket, > 'authenticator': authenticator, >@@ -1305,7 +1309,7 @@ class RawKerberosTest(TestCaseInTempDir): > asn1_print=asn1_print, hexdump=hexdump) > > req_body_checksum = self.Checksum_create(ticket_session_key, >- 6, >+ KU_TGS_REQ_AUTH_CKSUM, > req_body_blob, > ctype=body_checksum_type) 
> >@@ -1329,7 +1333,7 @@ class RawKerberosTest(TestCaseInTempDir): > hexdump=hexdump) > > authenticator = self.EncryptedData_create( >- ticket_session_key, 7, authenticator) >+ ticket_session_key, KU_TGS_REQ_AUTH, authenticator) > > ap_options = krb5_asn1.APOptions('0') > ap_req = self.AP_REQ_create(ap_options=str(ap_options), >@@ -1337,14 +1341,14 @@ class RawKerberosTest(TestCaseInTempDir): > authenticator=authenticator) > ap_req = self.der_encode(ap_req, asn1Spec=krb5_asn1.AP_REQ(), > asn1_print=asn1_print, hexdump=hexdump) >- pa_tgs_req = self.PA_DATA_create(1, ap_req) >+ pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) > if padata is not None: > padata.append(pa_tgs_req) > else: > padata = [pa_tgs_req] > > obj, decoded = self.KDC_REQ_create( >- msg_type=12, >+ msg_type=KRB_TGS_REQ, > padata=padata, > req_body=req_body, > asn1Spec=krb5_asn1.TGS_REQ(), >@@ -1367,7 +1371,7 @@ class RawKerberosTest(TestCaseInTempDir): > cksum_data += realm.encode() > cksum_data += "Kerberos".encode() > cksum = self.Checksum_create(tgt_session_key, >- 17, >+ KU_NON_KERB_CKSUM_SALT, > cksum_data, > ctype) > >@@ -1379,7 +1383,7 @@ class RawKerberosTest(TestCaseInTempDir): > } > pa_s4u2self = self.der_encode( > PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) >- return self.PA_DATA_create(129, pa_s4u2self) >+ return self.PA_DATA_create(PADATA_FOR_USER, pa_s4u2self) > > def _generic_kdc_exchange(self, > kdc_exchange_dict, # required >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index a4c5e079b66..adcc93e1d6b 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py 
>@@ -27,6 +27,7 @@ ARCFOUR_HMAC_MD5 = int( > > # Message types > KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) >+KRB_AP_REQ = int(krb5_asn1.MessageTypeValues('krb-ap-req')) > KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) > KRB_AS_REQ = int(krb5_asn1.MessageTypeValues('krb-as-req')) > KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep')) >@@ -39,8 +40,12 @@ PADATA_ETYPE_INFO = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO')) > PADATA_ETYPE_INFO2 = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) >+PADATA_FOR_USER = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-FOR-USER')) > PADATA_KDC_REQ = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ')) >+PADATA_PAC_REQUEST = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST')) > PADATA_PK_AS_REQ = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) > PADATA_PK_AS_REP_19 = int( >@@ -125,3 +130,5 @@ KU_KRB_CRED = 14 > KU_KRB_SAFE_CKSUM = 15 > ''' KRB-SAFE cksum, keyed with a key chosen by the application > (section 5.6.1) ''' >+KU_NON_KERB_SALT = 16 >+KU_NON_KERB_CKSUM_SALT = 17 >-- >2.25.1 > > >From cfee6ce530b7c94dd158f483ea613f8e5cc4e382 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 26 Jul 2021 17:14:08 +1200 >Subject: [PATCH 017/108] tests/krb5: Fix including enc-authorization-data > >Remove the EncAuthorizationData parameters from AS_REQ_create(), since >it should only be present in the TGS-REQ form. Also, fix a call to >EncryptedData_create() to supply the key usage when creating >enc-authorization-data. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72) >--- > .../tests/krb5/as_canonicalization_tests.py | 4 --- > .../samba/tests/krb5/compatability_tests.py | 4 --- > python/samba/tests/krb5/kdc_base_test.py | 2 -- > python/samba/tests/krb5/kdc_tests.py | 2 -- > python/samba/tests/krb5/raw_testcase.py | 31 +++++++++++++------ > python/samba/tests/krb5/s4u_tests.py | 4 --- > python/samba/tests/krb5/simple_tests.py | 4 --- > python/samba/tests/krb5/xrealm_tests.py | 4 --- > 8 files changed, 21 insertions(+), 34 deletions(-) > >diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py >index abb3f96a1e6..29d8cf418f5 100755 >--- a/python/samba/tests/krb5/as_canonicalization_tests.py >+++ b/python/samba/tests/krb5/as_canonicalization_tests.py >@@ -257,8 +257,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >@@ -314,8 +312,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py >index 5a1ef02ef80..cd67549212a 100755 >--- a/python/samba/tests/krb5/compatability_tests.py >+++ b/python/samba/tests/krb5/compatability_tests.py 
>@@ -147,8 +147,6 @@ class SimpleKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > >@@ -209,8 +207,6 @@ class SimpleKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 79efc68254e..7874562d32d 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -390,8 +390,6 @@ class KDCBaseTest(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > return rep >diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py >index c7c53953a86..930edd0a63e 100755 >--- a/python/samba/tests/krb5/kdc_tests.py >+++ b/python/samba/tests/krb5/kdc_tests.py >@@ -79,8 +79,6 @@ class KdcTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > return rep >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index dfa6a71467a..f39656d5e03 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -53,6 +53,8 @@ from samba.tests.krb5.rfc4120_constants import ( > KU_TGS_REP_ENC_PART_SUB_KEY, > KU_TGS_REQ_AUTH, > KU_TGS_REQ_AUTH_CKSUM, >+ KU_TGS_REQ_AUTH_DAT_SESSION, >+ KU_TGS_REQ_AUTH_DAT_SUBKEY, > KU_TICKET, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO, 
>@@ -1022,9 +1024,10 @@ class RawKerberosTest(TestCaseInTempDir): > nonce, > etypes, > addresses, >+ additional_tickets, > EncAuthorizationData, > EncAuthorizationData_key, >- additional_tickets, >+ EncAuthorizationData_usage, > asn1_print=None, > hexdump=None): > # KDC-REQ-BODY ::= SEQUENCE { >@@ -1054,8 +1057,9 @@ class RawKerberosTest(TestCaseInTempDir): > asn1Spec=krb5_asn1.AuthorizationData(), > asn1_print=asn1_print, > hexdump=hexdump) >- enc_ad = self.EncryptedData_create( >- EncAuthorizationData_key, enc_ad_plain) >+ enc_ad = self.EncryptedData_create(EncAuthorizationData_key, >+ EncAuthorizationData_usage, >+ enc_ad_plain) > else: > enc_ad = None > KDC_REQ_BODY_obj = { >@@ -1123,8 +1127,6 @@ class RawKerberosTest(TestCaseInTempDir): > nonce, # required > etypes, # required > addresses, # optional >- EncAuthorizationData, >- EncAuthorizationData_key, > additional_tickets, > native_decoded_only=True, > asn1_print=None, >@@ -1170,9 +1172,10 @@ class RawKerberosTest(TestCaseInTempDir): > nonce, > etypes, > addresses, >- EncAuthorizationData, >- EncAuthorizationData_key, > additional_tickets, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ EncAuthorizationData_usage=None, > asn1_print=asn1_print, > hexdump=hexdump) > obj, decoded = self.KDC_REQ_create( >@@ -1290,6 +1293,11 @@ class RawKerberosTest(TestCaseInTempDir): > # -- NOTE: not empty > # } > >+ if authenticator_subkey is not None: >+ EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SUBKEY >+ else: >+ EncAuthorizationData_usage = KU_TGS_REQ_AUTH_DAT_SESSION >+ > req_body = self.KDC_REQ_BODY_create( > kdc_options=kdc_options, > cname=None, 
>@@ -1301,9 +1309,10 @@ class RawKerberosTest(TestCaseInTempDir): > nonce=nonce, > etypes=etypes, > addresses=addresses, >+ additional_tickets=additional_tickets, > EncAuthorizationData=EncAuthorizationData, > EncAuthorizationData_key=EncAuthorizationData_key, >- additional_tickets=additional_tickets) >+ EncAuthorizationData_usage=EncAuthorizationData_usage) > req_body_blob = self.der_encode(req_body, > asn1Spec=krb5_asn1.KDC_REQ_BODY(), > asn1_print=asn1_print, hexdump=hexdump) >@@ -1397,9 +1406,10 @@ class RawKerberosTest(TestCaseInTempDir): > nonce=None, # required > etypes=None, # required > addresses=None, # optional >+ additional_tickets=None, # optional > EncAuthorizationData=None, # optional > EncAuthorizationData_key=None, # optional >- additional_tickets=None): # optional >+ EncAuthorizationData_usage=None): # optional > > check_error_fn = kdc_exchange_dict['check_error_fn'] > check_rep_fn = kdc_exchange_dict['check_rep_fn'] >@@ -1425,9 +1435,10 @@ class RawKerberosTest(TestCaseInTempDir): > nonce=nonce, > etypes=etypes, > addresses=addresses, >+ additional_tickets=additional_tickets, > EncAuthorizationData=EncAuthorizationData, > EncAuthorizationData_key=EncAuthorizationData_key, >- additional_tickets=additional_tickets) >+ EncAuthorizationData_usage=EncAuthorizationData_usage) > if generate_padata_fn is not None: > # This can alter req_body... > padata, req_body = generate_padata_fn(kdc_exchange_dict, >diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py >index 30a58d6345a..57575f0595d 100755 >--- a/python/samba/tests/krb5/s4u_tests.py >+++ b/python/samba/tests/krb5/s4u_tests.py >@@ -69,8 +69,6 @@ class S4UKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) 
>@@ -113,8 +111,6 @@ class S4UKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py >index 9650702c6c6..795d753b4f7 100755 >--- a/python/samba/tests/krb5/simple_tests.py >+++ b/python/samba/tests/krb5/simple_tests.py >@@ -69,8 +69,6 @@ class SimpleKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >@@ -113,8 +111,6 @@ class SimpleKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py >index efb953bdf7e..073cb755b46 100755 >--- a/python/samba/tests/krb5/xrealm_tests.py >+++ b/python/samba/tests/krb5/xrealm_tests.py >@@ -68,8 +68,6 @@ class XrealmKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >@@ -112,8 +110,6 @@ class XrealmKerberosTests(RawKerberosTest): > nonce=0x7fffffff, > etypes=etypes, > addresses=None, >- EncAuthorizationData=None, >- EncAuthorizationData_key=None, > additional_tickets=None) > rep = self.send_recv_transaction(req) > self.assertIsNotNone(rep) >-- >2.25.1 > > >From d31bed4dad48505b14dfcf74c6782ddda754cf9e Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:12:34 +1200 >Subject: [PATCH 018/108] tests/krb5: Fix callback_dict parameter > >Items contained in a default-created callback_dict should not be carried >over between unrelated calls to {as,tgs}_as_exchange_dict(). > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf) >--- > python/samba/tests/krb5/raw_testcase.py | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index f39656d5e03..fc8e6990834 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1486,7 +1486,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_rep_fn=None, > check_padata_fn=None, > check_kdc_private_fn=None, >- callback_dict=dict(), >+ callback_dict=None, > expected_error_mode=None, > client_as_etypes=None, > expected_salt=None): >@@ -1511,6 +1511,9 @@ class RawKerberosTest(TestCaseInTempDir): > 'client_as_etypes': client_as_etypes, > 'expected_salt': expected_salt, > } >+ if callback_dict is None: >+ callback_dict = {} >+ > return kdc_exchange_dict > > def tgs_exchange_dict(self, >@@ -1524,7 +1527,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_rep_fn=None, > check_padata_fn=None, > check_kdc_private_fn=None, >- callback_dict=dict(), >+ callback_dict=None, > tgt=None, > authenticator_subkey=None, > body_checksum_type=None): >@@ -1549,6 +1552,9 @@ class RawKerberosTest(TestCaseInTempDir): > 'body_checksum_type': body_checksum_type, > 'authenticator_subkey': authenticator_subkey, > } >+ if callback_dict is None: >+ callback_dict = {} >+ > return kdc_exchange_dict > > def generic_check_kdc_rep(self, >-- >2.25.1 
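Review bot: in both raw_testcase.py hunks of this patch (at -1511 and -1549) the new `if callback_dict is None: callback_dict = {}` guard sits after the `kdc_exchange_dict = { ... }` literal has already been built, so if that literal stores `'callback_dict': callback_dict` (its leading keys are outside the hunk) the stored value is still None and only the local variable is replaced; if the literal does not store it, the new local is never read at all. Either way the fix does not reach callers: move the check above the `kdc_exchange_dict = {` line in both `as_exchange_dict()` and `tgs_exchange_dict()` so the fresh per-call dict is what ends up in the returned structure.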
> > >From 7c92ecb6ca94ca641cfed45cbbf5ed7a698c2902 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:06:29 +1200 >Subject: [PATCH 019/108] tests/krb5: Fix encpart_decryption_key with MIT KDC > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1) >--- > python/samba/tests/krb5/raw_testcase.py | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index fc8e6990834..1c08b76061f 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1630,9 +1630,16 @@ class RawKerberosTest(TestCaseInTempDir): > rep_decpart = encpart_decryption_key.decrypt( > encpart_decryption_usage, > encpart_cipher) >- encpart_private = self.der_decode( >- rep_decpart, >- asn1Spec=rep_encpart_asn1Spec()) >+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with >+ # application tag 26 >+ try: >+ encpart_private = self.der_decode( >+ rep_decpart, >+ asn1Spec=rep_encpart_asn1Spec()) >+ except Exception: >+ encpart_private = self.der_decode( >+ rep_decpart, >+ asn1Spec=krb5_asn1.EncTGSRepPart()) > > if check_kdc_private_fn is not None: > check_kdc_private_fn(kdc_exchange_dict, callback_dict, >-- >2.25.1 > > >From a2377015602630f90aed22f923432abca8c0eab8 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Jul 2021 17:00:09 +1200 >Subject: [PATCH 020/108] tests/krb5: Expect e-data except when the error code > is KDC_ERR_GENERIC 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b) >--- > python/samba/tests/krb5/raw_testcase.py | 3 ++- > python/samba/tests/krb5/rfc4120_constants.py | 1 + > 2 files changed, 3 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 1c08b76061f..c0e997a86a1 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -40,6 +40,7 @@ from samba.tests import TestCaseInTempDir > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( > KDC_ERR_ETYPE_NOSUPP, >+ KDC_ERR_GENERIC, > KDC_ERR_PREAUTH_REQUIRED, > KRB_AP_REQ, > KRB_AS_REP, >@@ -1799,7 +1800,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > if self.strict_checking: > self.assertElementMissing(rep, 'e-text') >- if expected_error_mode != KDC_ERR_PREAUTH_REQUIRED: >+ if expected_error_mode == KDC_ERR_GENERIC: > self.assertElementMissing(rep, 'e-data') > return > edata = self.getElementValue(rep, 'e-data') >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index adcc93e1d6b..b00b8b48ae5 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py >@@ -58,6 +58,7 @@ KDC_ERR_PREAUTH_FAILED = 24 > KDC_ERR_PREAUTH_REQUIRED = 25 > KDC_ERR_BADMATCH = 36 > KDC_ERR_SKEW = 37 >+KDC_ERR_GENERIC = 60 > > # Name types > NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) >-- >2.25.1 > > >From 9a9b4b6b8651884a65806dc7453b518c35d630df Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 15:07:59 +1200 >Subject: [PATCH 021/108] tests/krb5: Check Kerberos protocol version number > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da) >--- > python/samba/tests/krb5/raw_testcase.py | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index c0e997a86a1..693f196940c 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1786,6 +1786,7 @@ class RawKerberosTest(TestCaseInTempDir): > expected_patypes += (PADATA_PK_AS_REQ,) > expected_patypes += (PADATA_PK_AS_REP_19,) > >+ self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) > self.assertElementEqual(rep, 'error-code', expected_error) > self.assertElementMissing(rep, 'ctime') >-- >2.25.1 > > >From 5da984477c3445cc0628d71e11a1d21784a59bbd Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 11:28:37 +1200 >Subject: [PATCH 022/108] tests/krb5: Use credentials kvno when creating > password key > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7) >--- > python/samba/tests/krb5/kdc_base_test.py | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 7874562d32d..aa172640399 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py 
>+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -409,7 +409,8 @@ class KDCBaseTest(RawKerberosTest): > etype_info2 = self.der_decode( > padata_value, asn1Spec=krb5_asn1.ETYPE_INFO2()) > >- key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) >+ key = self.PasswordKey_from_etype_info2(creds, etype_info2[0], >+ creds.get_kvno()) > return key > > def get_pa_data(self, creds, rep, skew=0): >-- >2.25.1 > > >From d6bb36abd1043d766c2e69d3c2bf2711a0818d01 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 10:24:52 +1200 >Subject: [PATCH 023/108] tests/krb5: Allow cf2 to automatically use the > enctype of the first key > >RFC6113 states: "Unless otherwise specified, the resulting enctype of >KRB-FX-CF2 is the enctype of k1." This change means the enctype no >longer has to be specified manually. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f) >--- > python/samba/tests/krb5/kcrypto.py | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > >diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py >index c8fef4c876d..ce7b00bda4c 100755 >--- a/python/samba/tests/krb5/kcrypto.py >+++ b/python/samba/tests/krb5/kcrypto.py >@@ -653,9 +653,11 @@ def prfplus(key, pepper, ln): > return out[:ln] > > >-def cf2(enctype, key1, key2, pepper1, pepper2): >+def cf2(key1, key2, pepper1, pepper2, enctype=None): > # Combine two keys and two pepper strings to produce a result key > # of type enctype, using the RFC 6113 KRB-FX-CF2 function. >+ if enctype is None: >+ enctype = key1.enctype > e = _get_enctype_profile(enctype) > return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), > prfplus(key2, pepper2, e.seedsize))) 
>@@ -748,7 +750,7 @@ class KcrytoTest(TestCase): > kb = h('97DF97E4B798B29EB31ED7280287A92A') > k1 = string_to_key(Enctype.AES128, b'key1', b'key1') > k2 = string_to_key(Enctype.AES128, b'key2', b'key2') >- k = cf2(Enctype.AES128, k1, k2, b'a', b'b') >+ k = cf2(k1, k2, b'a', b'b') > self.assertEqual(k.contents, kb) > > def test_aes256_cf2(self): >@@ -757,7 +759,7 @@ class KcrytoTest(TestCase): > 'E72B1C7B') > k1 = string_to_key(Enctype.AES256, b'key1', b'key1') > k2 = string_to_key(Enctype.AES256, b'key2', b'key2') >- k = cf2(Enctype.AES256, k1, k2, b'a', b'b') >+ k = cf2(k1, k2, b'a', b'b') > self.assertEqual(k.contents, kb) > > def test_des3_crypt(self): >@@ -794,7 +796,7 @@ class KcrytoTest(TestCase): > kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') > k1 = string_to_key(Enctype.DES3, b'key1', b'key1') > k2 = string_to_key(Enctype.DES3, b'key2', b'key2') >- k = cf2(Enctype.DES3, k1, k2, b'a', b'b') >+ k = cf2(k1, k2, b'a', b'b') > self.assertEqual(k.contents, kb) > > def test_rc4_crypt(self): >@@ -830,7 +832,7 @@ class KcrytoTest(TestCase): > kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') > k1 = string_to_key(Enctype.RC4, b'key1', b'key1') > k2 = string_to_key(Enctype.RC4, b'key2', b'key2') >- k = cf2(Enctype.RC4, k1, k2, b'a', b'b') >+ k = cf2(k1, k2, b'a', b'b') > self.assertEqual(k.contents, kb) > > def _test_md5_unkeyed_checksum(self, etype, usage): >-- >2.25.1 > > >From 1d762dd9b8b6961d7fa7297d4ee1f806a5ff1a33 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 10:16:01 +1200 >Subject: [PATCH 024/108] tests/krb5: Refactor get_pa_data() > >The function now returns a single padata object rather than a list, >making it easier to combine multiple padata elements into a request. The >new name 'get_enc_timestamp_pa_data' also makes it clearer as to what >the method generates. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731) >--- > python/samba/tests/krb5/kdc_base_test.py | 8 ++-- > python/samba/tests/krb5/kdc_tests.py | 25 ++++++------ > python/samba/tests/krb5/kdc_tgs_tests.py | 12 +++--- > .../ms_kile_client_principal_lookup_tests.py | 40 +++++++++---------- > 4 files changed, 42 insertions(+), 43 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index aa172640399..7748eae6225 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -413,7 +413,7 @@ class KDCBaseTest(RawKerberosTest): > creds.get_kvno()) > return key > >- def get_pa_data(self, creds, rep, skew=0): >+ def get_enc_timestamp_pa_data(self, creds, rep, skew=0): > '''generate the pa_data data element for an AS-REQ > ''' > key = self.get_as_rep_key(creds, rep) >@@ -427,7 +427,7 @@ class KDCBaseTest(RawKerberosTest): > > padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) > >- return [padata] >+ return padata > > def get_as_rep_enc_data(self, key, rep): > ''' Decrypt and Decode the encrypted data in an AS-REP >@@ -795,9 +795,9 @@ class KDCBaseTest(RawKerberosTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(user_credentials, rep) >+ padata = self.get_enc_timestamp_pa_data(user_credentials, rep) > key = self.get_as_rep_key(user_credentials, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account 
>diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py >index 930edd0a63e..928f3c25c0f 100755 >--- a/python/samba/tests/krb5/kdc_tests.py >+++ b/python/samba/tests/krb5/kdc_tests.py >@@ -83,7 +83,7 @@ class KdcTests(RawKerberosTest): > rep = self.send_recv_transaction(req) > return rep > >- def get_pa_data(self, creds, rep, skew=0): >+ def get_enc_timestamp_pa_data(self, creds, rep, skew=0): > rep_padata = self.der_decode( > rep['e-data'], > asn1Spec=krb5_asn1.METHOD_DATA()) >@@ -107,8 +107,7 @@ class KdcTests(RawKerberosTest): > > pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) > >- padata = [pa_ts] >- return padata >+ return pa_ts > > def check_pre_authenication(self, rep): > """ Check that the kdc response was pre-authentication required >@@ -160,8 +159,8 @@ class KdcTests(RawKerberosTest): > rep = self.as_req(creds, etype) > self.check_pre_authenication(rep) > >- padata = self.get_pa_data(creds, rep) >- rep = self.as_req(creds, etype, padata=padata) >+ padata = self.get_enc_timestamp_pa_data(creds, rep) >+ rep = self.as_req(creds, etype, padata=[padata]) > self.check_as_reply(rep) > > etype = rep['enc-part']['etype'] >@@ -174,8 +173,8 @@ class KdcTests(RawKerberosTest): > rep = self.as_req(creds, etype) > self.check_pre_authenication(rep) > >- padata = self.get_pa_data(creds, rep) >- rep = self.as_req(creds, etype, padata=padata) >+ padata = self.get_enc_timestamp_pa_data(creds, rep) >+ rep = self.as_req(creds, etype, padata=[padata]) > self.check_as_reply(rep) > > etype = rep['enc-part']['etype'] >@@ -188,8 +187,8 @@ class KdcTests(RawKerberosTest): > rep = self.as_req(creds, etype) > self.check_pre_authenication(rep) > >- padata = self.get_pa_data(creds, rep) >- rep = self.as_req(creds, etype, padata=padata) >+ padata = self.get_enc_timestamp_pa_data(creds, rep) >+ rep = self.as_req(creds, etype, padata=[padata]) > self.check_as_reply(rep) > > etype = rep['enc-part']['etype'] 
>@@ -202,8 +201,8 @@ class KdcTests(RawKerberosTest): > rep = self.as_req(creds, etype) > self.check_pre_authenication(rep) > >- padata = self.get_pa_data(creds, rep, skew=3600) >- rep = self.as_req(creds, etype, padata=padata) >+ padata = self.get_enc_timestamp_pa_data(creds, rep, skew=3600) >+ rep = self.as_req(creds, etype, padata=[padata]) > > self.check_error_rep(rep, KDC_ERR_SKEW) > >@@ -216,8 +215,8 @@ class KdcTests(RawKerberosTest): > rep = self.as_req(creds, etype) > self.check_pre_authenication(rep) > >- padata = self.get_pa_data(creds, rep) >- rep = self.as_req(creds, etype, padata=padata) >+ padata = self.get_enc_timestamp_pa_data(creds, rep) >+ rep = self.as_req(creds, etype, padata=[padata]) > > self.check_error_rep(rep, KDC_ERR_PREAUTH_FAILED) > >diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py >index 25a1f5f3ed8..97f9dd41339 100755 >--- a/python/samba/tests/krb5/kdc_tgs_tests.py >+++ b/python/samba/tests/krb5/kdc_tgs_tests.py >@@ -66,9 +66,9 @@ class KdcTgsTests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a service ticket, but use a cname that does not match >@@ -116,9 +116,9 @@ class KdcTgsTests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > enc_part2 = self.get_as_rep_enc_data(key, rep) 
>@@ -157,9 +157,9 @@ class KdcTgsTests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >index e42b643b357..99c842701ea 100755 >--- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py >@@ -109,9 +109,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >@@ -168,9 +168,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(mc, rep) >+ padata = self.get_enc_timestamp_pa_data(mc, rep) > key = self.get_as_rep_key(mc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account 
>@@ -230,9 +230,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >@@ -368,13 +368,13 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) > # Note: although we used the alt security id for the pre-auth > # we need to use the username for the auth > cname = self.PrincipalName_create( > name_type=NT_PRINCIPAL, names=[user_name]) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >@@ -436,12 +436,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > # Use the alternate security identifier > # this should fail > cname = self.PrincipalName_create( > name_type=NT_PRINCIPAL, names=[alt_sec]) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) > > def test_enterprise_principal_step_1_3(self): 
>@@ -475,9 +475,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >@@ -538,9 +538,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >@@ -602,9 +602,9 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(mc, rep) >+ padata = self.get_enc_timestamp_pa_data(mc, rep) > key = self.get_as_rep_key(mc, rep) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account 
>@@ -744,13 +744,13 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > key = self.get_as_rep_key(uc, rep) > # Note: although we used the alt security id for the pre-auth > # we need to use the username for the auth > cname = self.PrincipalName_create( > name_type=NT_ENTERPRISE_PRINCIPAL, names=[uname]) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_as_reply(rep) > > # Request a ticket to the host service on the machine account >@@ -813,12 +813,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): > self.check_pre_authentication(rep) > > # Do the next AS-REQ >- padata = self.get_pa_data(uc, rep) >+ padata = self.get_enc_timestamp_pa_data(uc, rep) > # Use the alternate security identifier > # this should fail > cname = self.PrincipalName_create( > name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ rep = self.as_req(cname, sname, realm, etype, padata=[padata]) > self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) > > >-- >2.25.1 > > >From e22c42b5a03445cf40c4fdb47638b4b6c6b64bd8 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 26 Jul 2021 17:18:38 +1200 >Subject: [PATCH 025/108] tests/krb5: Add get_enc_timestamp_pa_data_from_key() > >This makes it easier to create encrypted timestamp padata when the key >has already been obtained. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit f5a906f74f9665a894db3c13722022f732180620) >--- > python/samba/tests/krb5/kdc_base_test.py | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 7748eae6225..64d9e627672 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -416,8 +416,12 @@ class KDCBaseTest(RawKerberosTest): > def get_enc_timestamp_pa_data(self, creds, rep, skew=0): > '''generate the pa_data data element for an AS-REQ > ''' >+ > key = self.get_as_rep_key(creds, rep) > >+ return self.get_enc_timestamp_pa_data_from_key(key, skew=skew) >+ >+ def get_enc_timestamp_pa_data_from_key(self, key, skew=0): > (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) > padata = self.PA_ENC_TS_ENC_create(patime, pausec) > padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >-- >2.25.1 > > >From bc97c555853a42894510d9ff496d731a966e6104 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 12:51:54 +1200 >Subject: [PATCH 026/108] tests/krb5: Add method to return dict containing > padata elements > >This makes checking multiple padata elements easier. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6) >--- > python/samba/tests/krb5/raw_testcase.py | 12 ++++++++++++ > 1 file changed, 12 insertions(+) 
> >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 693f196940c..9b0b953e565 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -867,6 +867,18 @@ class RawKerberosTest(TestCaseInTempDir): > v = random.randint(nonce_min, nonce_max) > return v > >+ def get_pa_dict(self, pa_data): >+ pa_dict = {} >+ >+ if pa_data is not None: >+ for pa in pa_data: >+ pa_type = pa['padata-type'] >+ if pa_type in pa_dict: >+ raise RuntimeError(f'Duplicate type {pa_type}') >+ pa_dict[pa_type] = pa['padata-value'] >+ >+ return pa_dict >+ > def SessionKey_create(self, etype, contents, kvno=None): > key = kcrypto.Key(etype, contents) > return Krb5EncryptionKey(key, kvno) >-- >2.25.1 > > >From 5ae1af3c79bfc14ee9b697ce530ca9ebd3ff0351 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:27:47 +1200 >Subject: [PATCH 027/108] tests/krb5: Make _test_as_exchange() return value > more consistent > >Always return the reply and the kdc_exchange_dict so that the caller has >more potentially useful information. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3) >--- > python/samba/tests/krb5/as_req_tests.py | 62 +++++++++++++------------ > python/samba/tests/krb5/raw_testcase.py | 5 +- > 2 files changed, 33 insertions(+), 34 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index 106c7489e9c..3b7841243c5 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py 
>@@ -141,20 +141,21 @@ class AsReqKerberosTests(KDCBaseTest): > initial_kdc_options = krb5_asn1.KDCOptions('forwardable') > initial_error_mode = KDC_ERR_PREAUTH_REQUIRED > >- etype_info2 = self._test_as_exchange(cname, >- realm, >- sname, >- till, >- client_as_etypes, >- initial_error_mode, >- expected_crealm, >- expected_cname, >- expected_srealm, >- expected_sname, >- expected_salt, >- initial_etypes, >- initial_padata, >- initial_kdc_options) >+ rep, kdc_exchange_dict = self._test_as_exchange(cname, >+ realm, >+ sname, >+ till, >+ client_as_etypes, >+ initial_error_mode, >+ expected_crealm, >+ expected_cname, >+ expected_srealm, >+ expected_sname, >+ expected_salt, >+ initial_etypes, >+ initial_padata, >+ initial_kdc_options) >+ etype_info2 = kdc_exchange_dict['preauth_etype_info2'] > self.assertIsNotNone(etype_info2) > > preauth_key = self.PasswordKey_from_etype_info2(client_creds, >@@ -179,22 +180,23 @@ class AsReqKerberosTests(KDCBaseTest): > krbtgt_decryption_key = ( > self.TicketDecryptionKey_from_creds(krbtgt_creds)) > >- as_rep = self._test_as_exchange(cname, >- realm, >- sname, >- till, >- client_as_etypes, >- preauth_error_mode, >- expected_crealm, >- expected_cname, >- expected_srealm, >- expected_sname, >- expected_salt, >- preauth_etypes, >- preauth_padata, >- preauth_kdc_options, >- preauth_key=preauth_key, >- ticket_decryption_key=krbtgt_decryption_key) >+ as_rep, kdc_exchange_dict = self._test_as_exchange( >+ cname, >+ realm, >+ sname, >+ till, >+ client_as_etypes, >+ preauth_error_mode, >+ expected_crealm, >+ expected_cname, >+ expected_srealm, >+ expected_sname, >+ expected_salt, >+ preauth_etypes, >+ preauth_padata, >+ preauth_kdc_options, >+ preauth_key=preauth_key, >+ ticket_decryption_key=krbtgt_decryption_key) > self.assertIsNotNone(as_rep) > > if __name__ == "__main__": >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 9b0b953e565..e9b4c6c9efa 100644 
>--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2034,7 +2034,4 @@ class RawKerberosTest(TestCaseInTempDir): > till_time=till, > etypes=etypes) > >- if expected_error_mode == 0: # AS-REP >- return rep >- >- return kdc_exchange_dict['preauth_etype_info2'] >+ return rep, kdc_exchange_dict >-- >2.25.1 > > >From 8510d26f4c6053cd1fcede31c4abf163d2df210c Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 22 Jul 2021 16:27:17 +1200 >Subject: [PATCH 028/108] tests/krb5: Add get_EpochFromKerberosTime() > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa) >--- > python/samba/tests/krb5/kdc_base_test.py | 12 +++--------- > python/samba/tests/krb5/raw_testcase.py | 11 +++++++++++ > 2 files changed, 14 insertions(+), 9 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 64d9e627672..f0a9e7311a5 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py 
>@@ -732,15 +732,9 @@ class KDCBaseTest(RawKerberosTest): > cred.client = cprincipal > cred.server = sprincipal > cred.keyblock = keyblock >- cred.authtime = int(datetime.strptime(authtime.decode(), >- "%Y%m%d%H%M%SZ") >- .replace(tzinfo=timezone.utc).timestamp()) >- cred.starttime = int(datetime.strptime(starttime.decode(), >- "%Y%m%d%H%M%SZ") >- .replace(tzinfo=timezone.utc).timestamp()) >- cred.endtime = int(datetime.strptime(endtime.decode(), >- "%Y%m%d%H%M%SZ") >- .replace(tzinfo=timezone.utc).timestamp()) >+ cred.authtime = self.get_EpochFromKerberosTime(authtime) >+ cred.starttime = self.get_EpochFromKerberosTime(starttime) >+ cred.endtime = self.get_EpochFromKerberosTime(endtime) > > # Account for clock skew of up to five minutes. > self.assertLess(cred.authtime - 5 * 60, >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index e9b4c6c9efa..3ab63cd01d0 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -861,6 +861,17 @@ class RawKerberosTest(TestCaseInTempDir): > (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) > return s > >+ def get_EpochFromKerberosTime(self, kerberos_time): >+ if isinstance(kerberos_time, bytes): >+ kerberos_time = kerberos_time.decode() >+ >+ epoch = datetime.datetime.strptime(kerberos_time, >+ '%Y%m%d%H%M%SZ') >+ epoch = epoch.replace(tzinfo=datetime.timezone.utc) >+ epoch = int(epoch.timestamp()) >+ >+ return epoch >+ > def get_Nonce(self): > nonce_min = 0x7f000000 > nonce_max = 0x7fffffff >-- >2.25.1 > > >From 69fe2cad913ee6a40f50a03f57ed6772d1b83a58 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 3 Aug 2021 15:58:19 +1200 >Subject: [PATCH 029/108] tests/krb5: Use encryption with admin credentials > >This ensures that account creation using admin credentials succeeds. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291) >--- > python/samba/tests/krb5/raw_testcase.py | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 3ab63cd01d0..e48d501ad19 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -33,6 +33,7 @@ from pyasn1.codec.ber.encoder import BitStringEncoder > > from samba.credentials import Credentials > from samba.dcerpc import security >+from samba.gensec import FEATURE_SEAL > > import samba.tests > from samba.tests import TestCaseInTempDir >@@ -606,6 +607,7 @@ class RawKerberosTest(TestCaseInTempDir): > c = self._get_krb5_creds(prefix='ADMIN', > allow_missing_password=allow_missing_password, > allow_missing_keys=allow_missing_keys) >+ c.set_gensec_features(c.get_gensec_features() | FEATURE_SEAL) > return c > > def get_krbtgt_creds(self, >-- >2.25.1 > > >From c6aba8a25c8c194c4f585221e423f99cc3a2f4e0 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 11:25:55 +1200 >Subject: [PATCH 030/108] tests/krb5: Allow specifying additional details when > creating an account > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c) >--- > python/samba/tests/krb5/kdc_base_test.py | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index f0a9e7311a5..279e15c13ce 100644 
>--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -148,7 +148,7 @@ class KDCBaseTest(RawKerberosTest): > return default_enctypes > > def create_account(self, ldb, name, machine_account=False, >- spn=None, upn=None): >+ spn=None, upn=None, additional_details=None): > '''Create an account for testing. > The dn of the created account is added to self.accounts, > which is used by tearDownClass to clean up the created accounts. >@@ -180,6 +180,8 @@ class KDCBaseTest(RawKerberosTest): > details["servicePrincipalName"] = spn > if upn is not None: > details["userPrincipalName"] = upn >+ if additional_details is not None: >+ details.update(additional_details) > ldb.add(details) > > creds = KerberosCredentials() >-- >2.25.1 > > >From 4a7b01317bd6810de3178b2ff06fcdc43cd50375 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 10:19:57 +1200 >Subject: [PATCH 031/108] tests/krb5: Add more methods for obtaining machine > and service credentials > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb) >--- > python/samba/tests/krb5/kdc_base_test.py | 74 ++++++++++++++++++++++++ > 1 file changed, 74 insertions(+) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 279e15c13ce..21e2c04cea1 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py 
>@@ -334,6 +334,80 @@ class KDCBaseTest(RawKerberosTest): > fallback_creds_fn=create_client_account) > return c > >+ def get_mach_creds(self, >+ allow_missing_password=False, >+ allow_missing_keys=True): >+ def create_mach_account(): >+ samdb = self.get_samdb() >+ >+ mach_name = 'kdctestmac' >+ details = { >+ 'msDS-SupportedEncryptionTypes': str( >+ security.KERB_ENCTYPE_FAST_SUPPORTED | >+ security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED | >+ security.KERB_ENCTYPE_CLAIMS_SUPPORTED >+ ) >+ } >+ >+ creds, dn = self.create_account(samdb, mach_name, >+ machine_account=True, >+ spn='host/' + mach_name, >+ additional_details=details) >+ >+ res = samdb.search(base=dn, >+ scope=ldb.SCOPE_BASE, >+ attrs=['msDS-KeyVersionNumber']) >+ kvno = int(res[0]['msDS-KeyVersionNumber'][0]) >+ creds.set_kvno(kvno) >+ >+ keys = self.get_keys(samdb, dn) >+ self.creds_set_keys(creds, keys) >+ >+ return creds >+ >+ c = self._get_krb5_creds(prefix='MAC', >+ allow_missing_password=allow_missing_password, >+ allow_missing_keys=allow_missing_keys, >+ fallback_creds_fn=create_mach_account) >+ return c >+ >+ def get_service_creds(self, >+ allow_missing_password=False, >+ allow_missing_keys=True): >+ def create_service_account(): >+ samdb = self.get_samdb() >+ >+ mach_name = 'kdctestservice' >+ details = { >+ 'msDS-SupportedEncryptionTypes': str( >+ security.KERB_ENCTYPE_FAST_SUPPORTED | >+ security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED | >+ security.KERB_ENCTYPE_CLAIMS_SUPPORTED >+ ) >+ } >+ >+ creds, dn = self.create_account(samdb, mach_name, >+ machine_account=True, >+ spn='host/' + mach_name, >+ additional_details=details) >+ >+ res = samdb.search(base=dn, >+ scope=ldb.SCOPE_BASE, >+ attrs=['msDS-KeyVersionNumber']) >+ kvno = int(res[0]['msDS-KeyVersionNumber'][0]) >+ creds.set_kvno(kvno) >+ >+ keys = self.get_keys(samdb, dn) >+ self.creds_set_keys(creds, keys) >+ >+ return creds >+ >+ c = self._get_krb5_creds(prefix='SERVICE', >+ allow_missing_password=allow_missing_password, >+ 
allow_missing_keys=allow_missing_keys, >+ fallback_creds_fn=create_service_account) >+ return c >+ > def get_krbtgt_creds(self, > require_keys=True, > require_strongest_key=False): >-- >2.25.1 > > >From 2d70d9f4d2ad4b4ee5c76f4bc9c9daa951c01218 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 22 Jul 2021 16:22:09 +1200 >Subject: [PATCH 032/108] tests/krb5: Add method to calculate account salt > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5) >--- > python/samba/tests/krb5/kdc_base_test.py | 2 ++ > python/samba/tests/krb5/raw_testcase.py | 19 +++++++++++++++---- > 2 files changed, 17 insertions(+), 4 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 21e2c04cea1..0dbaeab4a0e 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -192,6 +192,8 @@ class KDCBaseTest(RawKerberosTest): > creds.set_username(account_name) > if machine_account: > creds.set_workstation(name) >+ else: >+ creds.set_workstation('') > # > # Save the account name so it can be deleted in tearDownClass > self.accounts.add(dn) >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index e48d501ad19..2dbcc39114a 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -295,6 +295,20 @@ class KerberosCredentials(Credentials): > def get_forced_salt(self): > return self.forced_salt > >+ def get_salt(self): >+ if self.forced_salt is not None: >+ return self.forced_salt >+ >+ if self.get_workstation(): >+ salt_string = '%shost%s.%s' % ( >+ self.get_realm().upper(), >+ self.get_username().lower().rsplit('$', 1)[0], >+ self.get_realm().lower()) >+ else: >+ salt_string = self.get_realm().upper() + self.get_username() >+ >+ return salt_string.encode('utf-8') >+ > > class KerberosTicketCreds: > def __init__(self, ticket, session_key, >@@ -940,10 +954,7 @@ class RawKerberosTest(TestCaseInTempDir): > > password = creds.get_password() > self.assertIsNotNone(password, msg=fail_msg) >- salt = creds.get_forced_salt() >- if salt is None: >- salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()), >- encoding='utf-8') >+ salt = creds.get_salt() > return self.PasswordKey_create(etype=etype, > pwd=password, > salt=salt, >-- >2.25.1 > > >From a181435739f4b35aecd069d130657793dd80c419 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 26 Jul 2021 17:19:04 +1200 >Subject: [PATCH 033/108] tests/krb5: Add check_reply() method to check for AS > or TGS reply > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329) >--- > python/samba/tests/krb5/kdc_base_test.py | 26 +++++------------------- > 1 file changed, 5 insertions(+), 21 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 0dbaeab4a0e..1b550179e0e 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py 
>@@ -540,26 +540,7 @@ class KDCBaseTest(RawKerberosTest): > kvno > match the expected values > """ >- >- # Should have a reply, and it should an AS-REP message. >- self.assertIsNotNone(rep) >- self.assertEqual(rep['msg-type'], KRB_AS_REP, "rep = {%s}" % rep) >- >- # Protocol version number should be 5 >- pvno = int(rep['pvno']) >- self.assertEqual(5, pvno, "rep = {%s}" % rep) >- >- # The ticket version number should be 5 >- tkt_vno = int(rep['ticket']['tkt-vno']) >- self.assertEqual(5, tkt_vno, "rep = {%s}" % rep) >- >- # Check that the kvno is not an RODC kvno >- # MIT kerberos does not provide the kvno, so we treat it as optional. >- # This is tested in compatability_test.py >- if 'kvno' in rep['enc-part']: >- kvno = int(rep['enc-part']['kvno']) >- # If the high order bits are set this is an RODC kvno. >- self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep) >+ self.check_reply(rep, msg_type=KRB_AS_REP) > > def check_tgs_reply(self, rep): > """ Check that the kdc response is an TGS-REP and that the >@@ -570,10 +551,13 @@ class KDCBaseTest(RawKerberosTest): > kvno > match the expected values > """ >+ self.check_reply(rep, msg_type=KRB_TGS_REP) >+ >+ def check_reply(self, rep, msg_type): > > # Should have a reply, and it should an TGS-REP message. > self.assertIsNotNone(rep) >- self.assertEqual(rep['msg-type'], KRB_TGS_REP, "rep = {%s}" % rep) >+ self.assertEqual(rep['msg-type'], msg_type, "rep = {%s}" % rep) > > # Protocol version number should be 5 > pvno = int(rep['pvno']) >-- >2.25.1 > > >From 61c474e212aaf315df42f73b1dc611e369f53a8a Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 10:32:52 +1200 >Subject: [PATCH 034/108] tests/krb5: Always specify expected error code > >Now the expected error code is always determined by the test code itself >rather than by generic_check_as_error(). 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c) >--- > python/samba/tests/krb5/as_req_tests.py | 11 ++++++++++- > python/samba/tests/krb5/raw_testcase.py | 13 ++++++------- > 2 files changed, 16 insertions(+), 8 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index 3b7841243c5..861d2371b75 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py >@@ -24,8 +24,10 @@ os.environ["PYTHONUNBUFFERED"] = "1" > > from samba.tests import DynamicTestCase > from samba.tests.krb5.kdc_base_test import KDCBaseTest >+import samba.tests.krb5.kcrypto as kcrypto > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( >+ KDC_ERR_ETYPE_NOSUPP, > KDC_ERR_PREAUTH_REQUIRED, > KU_PA_ENC_TIMESTAMP, > NT_PRINCIPAL, >@@ -68,13 +70,20 @@ class AsReqKerberosTests(KDCBaseTest): > sname = self.PrincipalName_create(name_type=NT_SRV_INST, > names=[krbtgt_account, realm]) > >- expected_error_mode = KDC_ERR_PREAUTH_REQUIRED > expected_crealm = realm > expected_cname = cname > expected_srealm = realm > expected_sname = sname > expected_salt = client_creds.get_forced_salt() > >+ if any(etype in client_as_etypes and etype in initial_etypes >+ for etype in (kcrypto.Enctype.AES256, >+ kcrypto.Enctype.AES128, >+ kcrypto.Enctype.RC4)): >+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED >+ else: >+ expected_error_mode = KDC_ERR_ETYPE_NOSUPP >+ > def _generate_padata_copy(_kdc_exchange_dict, > _callback_dict, > req_body): >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 2dbcc39114a..5579e989d1c 100644 >--- a/python/samba/tests/krb5/raw_testcase.py 
>+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -40,9 +40,7 @@ from samba.tests import TestCaseInTempDir > > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( >- KDC_ERR_ETYPE_NOSUPP, > KDC_ERR_GENERIC, >- KDC_ERR_PREAUTH_REQUIRED, > KRB_AP_REQ, > KRB_AS_REP, > KRB_AS_REQ, >@@ -1524,7 +1522,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_padata_fn=None, > check_kdc_private_fn=None, > callback_dict=None, >- expected_error_mode=None, >+ expected_error_mode=0, > client_as_etypes=None, > expected_salt=None): > kdc_exchange_dict = { >@@ -1809,13 +1807,11 @@ class RawKerberosTest(TestCaseInTempDir): > if expected_rc4_type != 0: > expect_etype_info2 += (expected_rc4_type,) > >- expected_error = KDC_ERR_ETYPE_NOSUPP > expected_patypes = () > if expect_etype_info: > self.assertGreater(len(expect_etype_info2), 0) > expected_patypes += (PADATA_ETYPE_INFO,) > if len(expect_etype_info2) != 0: >- expected_error = KDC_ERR_PREAUTH_REQUIRED > expected_patypes += (PADATA_ETYPE_INFO2,) > > expected_patypes += (PADATA_ENC_TIMESTAMP,) >@@ -1824,7 +1820,7 @@ class RawKerberosTest(TestCaseInTempDir): > > self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) >- self.assertElementEqual(rep, 'error-code', expected_error) >+ self.assertElementEqual(rep, 'error-code', expected_error_mode) > self.assertElementMissing(rep, 'ctime') > self.assertElementMissing(rep, 'cusec') > self.assertElementPresent(rep, 'stime') >@@ -1889,7 +1885,10 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertEqual(len(pk_as_rep19), 0) > continue > >- if expected_error == KDC_ERR_ETYPE_NOSUPP: >+ if all(etype not in client_as_etypes or etype not in proposed_etypes >+ for etype in (kcrypto.Enctype.AES256, >+ kcrypto.Enctype.AES128, >+ kcrypto.Enctype.RC4)): > self.assertIsNone(etype_info2) > self.assertIsNone(etype_info) > if self.strict_checking: >-- >2.25.1 
> > >From 6181eb78d60c9575238572baa779d09377e08238 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 10:35:40 +1200 >Subject: [PATCH 035/108] tests/krb5: Include kdc_options in kdc_exchange_dict > >Make kdc_options an element of kdc_exchange_dict instead of a parameter >to _generic_kdc_exchange(). This allows testing code to adjust the reply >checking based on the options that were specified in the request. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95) >--- > python/samba/tests/krb5/as_req_tests.py | 4 ++-- > python/samba/tests/krb5/raw_testcase.py | 15 ++++++++++----- > 2 files changed, 12 insertions(+), 7 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index 861d2371b75..ed97a10b616 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py >@@ -99,10 +99,10 @@ class AsReqKerberosTests(KDCBaseTest): > check_rep_fn=self.generic_check_kdc_rep, > expected_error_mode=expected_error_mode, > client_as_etypes=client_as_etypes, >- expected_salt=expected_salt) >+ expected_salt=expected_salt, >+ kdc_options=str(initial_kdc_options)) > > rep = self._generic_kdc_exchange(kdc_exchange_dict, >- kdc_options=str(initial_kdc_options), > cname=cname, > realm=realm, > sname=sname, >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 5579e989d1c..00f90c5dea9 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -1431,7 +1431,6 @@ class RawKerberosTest(TestCaseInTempDir): > > def _generic_kdc_exchange(self, > kdc_exchange_dict, # required >- kdc_options=None, # required > cname=None, # optional > realm=None, # required > sname=None, # optional >@@ -1454,6 +1453,8 @@ class RawKerberosTest(TestCaseInTempDir): > req_asn1Spec = kdc_exchange_dict['req_asn1Spec'] > rep_msg_type = kdc_exchange_dict['rep_msg_type'] > >+ kdc_options = kdc_exchange_dict['kdc_options'] >+ > if till_time is None: > till_time = self.get_KerberosTime(offset=36000) > if nonce is None: >@@ -1524,7 +1525,8 @@ class RawKerberosTest(TestCaseInTempDir): > callback_dict=None, > expected_error_mode=0, > client_as_etypes=None, >- expected_salt=None): >+ expected_salt=None, >+ kdc_options=''): > kdc_exchange_dict = { > 'req_msg_type': KRB_AS_REQ, > 'req_asn1Spec': krb5_asn1.AS_REQ, >@@ -1545,6 +1547,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'expected_error_mode': expected_error_mode, > 'client_as_etypes': client_as_etypes, > 'expected_salt': expected_salt, >+ 'kdc_options': kdc_options, > } > if callback_dict is None: > callback_dict = {} >@@ -1565,7 +1568,8 @@ class RawKerberosTest(TestCaseInTempDir): > callback_dict=None, > tgt=None, > authenticator_subkey=None, >- body_checksum_type=None): >+ body_checksum_type=None, >+ kdc_options=''): > kdc_exchange_dict = { > 'req_msg_type': KRB_TGS_REQ, > 'req_asn1Spec': krb5_asn1.TGS_REQ, >@@ -1586,6 +1590,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'tgt': tgt, > 'body_checksum_type': body_checksum_type, > 'authenticator_subkey': authenticator_subkey, >+ 'kdc_options': kdc_options > } > if callback_dict is None: > callback_dict = {} 
>@@ -2047,10 +2052,10 @@ class RawKerberosTest(TestCaseInTempDir): > check_kdc_private_fn=self.generic_check_kdc_private, > expected_error_mode=expected_error_mode, > client_as_etypes=client_as_etypes, >- expected_salt=expected_salt) >+ expected_salt=expected_salt, >+ kdc_options=str(kdc_options)) > > rep = self._generic_kdc_exchange(kdc_exchange_dict, >- kdc_options=str(kdc_options), > cname=cname, > realm=realm, > sname=sname, >-- >2.25.1 > > >From fda7dc53840dbe67388c259c220422e6a0e18769 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:06:15 +1200 >Subject: [PATCH 036/108] tests/krb5: Only allow specifying one of check_rep_fn > and check_error_fn > >This means that there can no longer be surprises where a test receives a >reply when it was expecting an error, or vice versa. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 78818655505b3183251940e86270cd40bae73206) >--- > python/samba/tests/krb5/as_req_tests.py | 2 +- > python/samba/tests/krb5/raw_testcase.py | 25 +++++++++++++++++++------ > 2 files changed, 20 insertions(+), 7 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index ed97a10b616..d9a66f99ecf 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py >@@ -96,7 +96,7 @@ class AsReqKerberosTests(KDCBaseTest): > expected_sname=expected_sname, > generate_padata_fn=_generate_padata_copy, > check_error_fn=self.generic_check_as_error, >- check_rep_fn=self.generic_check_kdc_rep, >+ check_rep_fn=None, > expected_error_mode=expected_error_mode, > client_as_etypes=client_as_etypes, > expected_salt=expected_salt, 
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 00f90c5dea9..d7813387941 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1453,6 +1453,7 @@ class RawKerberosTest(TestCaseInTempDir): > req_asn1Spec = kdc_exchange_dict['req_asn1Spec'] > rep_msg_type = kdc_exchange_dict['rep_msg_type'] > >+ expected_error_mode = kdc_exchange_dict['expected_error_mode'] > kdc_options = kdc_exchange_dict['kdc_options'] > > if till_time is None: >@@ -1497,12 +1498,17 @@ class RawKerberosTest(TestCaseInTempDir): > msg_type = self.getElementValue(rep, 'msg-type') > self.assertIsNotNone(msg_type) > >- allowed_msg_types = () >+ expected_msg_type = None > if check_error_fn is not None: >- allowed_msg_types = (KRB_ERROR,) >+ expected_msg_type = KRB_ERROR >+ self.assertIsNone(check_rep_fn) >+ self.assertNotEqual(0, expected_error_mode) > if check_rep_fn is not None: >- allowed_msg_types += (rep_msg_type,) >- self.assertIn(msg_type, allowed_msg_types) >+ expected_msg_type = rep_msg_type >+ self.assertIsNone(check_error_fn) >+ self.assertEqual(0, expected_error_mode) >+ self.assertIsNotNone(expected_msg_type) >+ self.assertEqual(msg_type, expected_msg_type) > > if msg_type == KRB_ERROR: > return check_error_fn(kdc_exchange_dict, >@@ -2039,6 +2045,13 @@ class RawKerberosTest(TestCaseInTempDir): > as_rep_usage = KU_AS_REP_ENC_PART > return preauth_key, as_rep_usage > >+ if expected_error_mode == 0: >+ check_error_fn = None >+ check_rep_fn = self.generic_check_kdc_rep >+ else: >+ check_error_fn = self.generic_check_as_error >+ check_rep_fn = None >+ > kdc_exchange_dict = self.as_exchange_dict( > expected_crealm=expected_crealm, > expected_cname=expected_cname, 
>@@ -2046,8 +2059,8 @@ class RawKerberosTest(TestCaseInTempDir): > expected_sname=expected_sname, > ticket_decryption_key=ticket_decryption_key, > generate_padata_fn=_generate_padata_copy, >- check_error_fn=self.generic_check_as_error, >- check_rep_fn=self.generic_check_kdc_rep, >+ check_error_fn=check_error_fn, >+ check_rep_fn=check_rep_fn, > check_padata_fn=_check_padata_preauth_key, > check_kdc_private_fn=self.generic_check_kdc_private, > expected_error_mode=expected_error_mode, >-- >2.25.1 > > >From 9f2fcacca24176d4a3161e9ddcf4b9a9191d496e Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 10:37:48 +1200 >Subject: [PATCH 037/108] tests/krb5: Ensure in assertElementPresent() that > container elements are not empty > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27) >--- > python/samba/tests/krb5/raw_testcase.py | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index d7813387941..e1baf0ce943 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -24,6 +24,8 @@ import datetime > import random > import binascii > import itertools >+import collections >+ > from pyasn1.codec.der.decoder import decode as pyasn1_der_decode > from pyasn1.codec.der.encoder import encode as pyasn1_der_encode > from pyasn1.codec.native.decoder import decode as pyasn1_native_decode 
>@@ -817,6 +819,9 @@ class RawKerberosTest(TestCaseInTempDir): > def assertElementPresent(self, obj, elem): > v = self.getElementValue(obj, elem) > self.assertIsNotNone(v) >+ if self.strict_checking: >+ if isinstance(v, collections.abc.Container): >+ self.assertNotEqual(0, len(v)) > > def assertElementEqual(self, obj, elem, value): > v = self.getElementValue(obj, elem) >-- >2.25.1 > > >From c92063c0ce1ce236c79e851fda8effb6ba5c967d Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:39:42 +1200 >Subject: [PATCH 038/108] tests/krb5: Assert that more variables are not None > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 3d1066e923815782036bd11524fda110a2528951) >--- > python/samba/tests/krb5/raw_testcase.py | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index e1baf0ce943..3a178f4bce3 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1631,12 +1631,14 @@ class RawKerberosTest(TestCaseInTempDir): > ticket = self.getElementValue(rep, 'ticket') > ticket_encpart = None > ticket_cipher = None >+ self.assertIsNotNone(ticket) > if ticket is not None: # Never None, but gives indentation > self.assertElementPresent(ticket, 'tkt-vno') > self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) > self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) > self.assertElementPresent(ticket, 'enc-part') > ticket_encpart = self.getElementValue(ticket, 'enc-part') >+ self.assertIsNotNone(ticket_encpart) > if ticket_encpart is not None: # Never None, but gives indentation > self.assertElementPresent(ticket_encpart, 'etype') > # 'unspecified' means present, with any value != 0 
>@@ -1647,6 +1649,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementPresent(rep, 'enc-part') > encpart = self.getElementValue(rep, 'enc-part') > encpart_cipher = None >+ self.assertIsNotNone(encpart) > if encpart is not None: # Never None, but gives indentation > self.assertElementPresent(encpart, 'etype') > self.assertElementKVNO(ticket_encpart, 'kvno', 'autodetect') >@@ -1654,6 +1657,7 @@ class RawKerberosTest(TestCaseInTempDir): > encpart_cipher = self.getElementValue(encpart, 'cipher') > > encpart_decryption_key = None >+ self.assertIsNotNone(check_padata_fn) > if check_padata_fn is not None: > # See if we can get the decryption key from the preauth phase > encpart_decryption_key, encpart_decryption_usage = ( >@@ -1661,6 +1665,7 @@ class RawKerberosTest(TestCaseInTempDir): > rep, padata)) > > ticket_private = None >+ self.assertIsNotNone(ticket_decryption_key) > if ticket_decryption_key is not None: > self.assertElementEqual(ticket_encpart, 'etype', > ticket_decryption_key.etype) >@@ -1673,6 +1678,7 @@ class RawKerberosTest(TestCaseInTempDir): > asn1Spec=krb5_asn1.EncTicketPart()) > > encpart_private = None >+ self.assertIsNotNone(encpart_decryption_key) > if encpart_decryption_key is not None: > self.assertElementEqual(encpart, 'etype', > encpart_decryption_key.etype) >@@ -1692,6 +1698,7 @@ class RawKerberosTest(TestCaseInTempDir): > rep_decpart, > asn1Spec=krb5_asn1.EncTGSRepPart()) > >+ self.assertIsNotNone(check_kdc_private_fn) > if check_kdc_private_fn is not None: > check_kdc_private_fn(kdc_exchange_dict, callback_dict, > rep, ticket_private, encpart_private) 
>@@ -1718,6 +1725,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementPresent(ticket_private, 'flags') > self.assertElementPresent(ticket_private, 'key') > ticket_key = self.getElementValue(ticket_private, 'key') >+ self.assertIsNotNone(ticket_key) > if ticket_key is not None: # Never None, but gives indentation > self.assertElementPresent(ticket_key, 'keytype') > self.assertElementPresent(ticket_key, 'keyvalue') >@@ -1739,6 +1747,7 @@ class RawKerberosTest(TestCaseInTempDir): > if encpart_private is not None: > self.assertElementPresent(encpart_private, 'key') > encpart_key = self.getElementValue(encpart_private, 'key') >+ self.assertIsNotNone(encpart_key) > if encpart_key is not None: # Never None, but gives indentation > self.assertElementPresent(encpart_key, 'keytype') > self.assertElementPresent(encpart_key, 'keyvalue') >-- >2.25.1 > > >From 33c85d1f046f046109cc2a2debd914483cfdbf82 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:34:19 +1200 >Subject: [PATCH 039/108] tests/krb5: Check version number of obtained ticket > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b) >--- > python/samba/tests/krb5/raw_testcase.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 3a178f4bce3..70062ca338a 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -1633,7 +1633,7 @@ class RawKerberosTest(TestCaseInTempDir): > ticket_cipher = None > self.assertIsNotNone(ticket) > if ticket is not None: # Never None, but gives indentation >- self.assertElementPresent(ticket, 'tkt-vno') >+ self.assertElementEqual(ticket, 'tkt-vno', 5) > self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) > self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) > self.assertElementPresent(ticket, 'enc-part') >-- >2.25.1 > > >From 09ff7313d50659c7334cff0cf7d920ec0ba72e9a Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:39:37 +1200 >Subject: [PATCH 040/108] tests/krb5: Make checking less strict > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc) >--- > python/samba/tests/krb5/raw_testcase.py | 52 +++++++++++++------------ > 1 file changed, 27 insertions(+), 25 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 70062ca338a..69b7c7adc9b 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1625,8 +1625,9 @@ class RawKerberosTest(TestCaseInTempDir): > > self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP > padata = self.getElementValue(rep, 'padata') >- self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) >- self.assertElementEqualPrincipal(rep, 'cname', expected_cname) >+ if self.strict_checking: >+ self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) >+ self.assertElementEqualPrincipal(rep, 'cname', expected_cname) > self.assertElementPresent(rep, 'ticket') > ticket = self.getElementValue(rep, 'ticket') > ticket_encpart = None 
>@@ -1682,8 +1683,9 @@ class RawKerberosTest(TestCaseInTempDir): > if encpart_decryption_key is not None: > self.assertElementEqual(encpart, 'etype', > encpart_decryption_key.etype) >- self.assertElementKVNO(encpart, 'kvno', >- encpart_decryption_key.kvno) >+ if self.strict_checking: >+ self.assertElementKVNO(encpart, 'kvno', >+ encpart_decryption_key.kvno) > rep_decpart = encpart_decryption_key.decrypt( > encpart_decryption_usage, > encpart_cipher) >@@ -1846,17 +1848,17 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) > self.assertElementEqual(rep, 'error-code', expected_error_mode) >- self.assertElementMissing(rep, 'ctime') >- self.assertElementMissing(rep, 'cusec') >+ if self.strict_checking: >+ self.assertElementMissing(rep, 'ctime') >+ self.assertElementMissing(rep, 'cusec') > self.assertElementPresent(rep, 'stime') > self.assertElementPresent(rep, 'susec') > # error-code checked above > if self.strict_checking: > self.assertElementMissing(rep, 'crealm') > self.assertElementMissing(rep, 'cname') >- self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >- self.assertElementEqualPrincipal(rep, 'sname', expected_sname) >- if self.strict_checking: >+ self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >+ self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > self.assertElementMissing(rep, 'e-text') > if expected_error_mode == KDC_ERR_GENERIC: > self.assertElementMissing(rep, 'e-data') >@@ -1922,7 +1924,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(pk_as_rep19) > return > >- self.assertIsNotNone(etype_info2) >+ if self.strict_checking: >+ self.assertIsNotNone(etype_info2) > if expect_etype_info: > self.assertIsNotNone(etype_info) > else: 
>@@ -1931,23 +1934,22 @@ class RawKerberosTest(TestCaseInTempDir): > if unexpect_etype_info: > self.assertIsNone(etype_info) > >- self.assertGreaterEqual(len(etype_info2), 1) >- self.assertLessEqual(len(etype_info2), len(expect_etype_info2)) > if self.strict_checking: >+ self.assertGreaterEqual(len(etype_info2), 1) > self.assertEqual(len(etype_info2), len(expect_etype_info2)) >- for i in range(0, len(etype_info2)): >- e = self.getElementValue(etype_info2[i], 'etype') >- self.assertEqual(e, expect_etype_info2[i]) >- salt = self.getElementValue(etype_info2[i], 'salt') >- if e == kcrypto.Enctype.RC4: >- self.assertIsNone(salt) >- else: >- self.assertIsNotNone(salt) >- if expected_salt is not None: >- self.assertEqual(salt, expected_salt) >- s2kparams = self.getElementValue(etype_info2[i], 's2kparams') >- if self.strict_checking: >- self.assertIsNone(s2kparams) >+ for i in range(0, len(etype_info2)): >+ e = self.getElementValue(etype_info2[i], 'etype') >+ self.assertEqual(e, expect_etype_info2[i]) >+ salt = self.getElementValue(etype_info2[i], 'salt') >+ if e == kcrypto.Enctype.RC4: >+ self.assertIsNone(salt) >+ else: >+ self.assertIsNotNone(salt) >+ if expected_salt is not None: >+ self.assertEqual(salt, expected_salt) >+ s2kparams = self.getElementValue(etype_info2[i], 's2kparams') >+ if self.strict_checking: >+ self.assertIsNone(s2kparams) > if etype_info is not None: > self.assertEqual(len(etype_info), 1) > e = self.getElementValue(etype_info[0], 'etype') >-- >2.25.1 > > >From 666dbc83f8b3df872f52d5b9d1751152bbad1341 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 12:52:42 +1200 >Subject: [PATCH 041/108] tests/krb5: Check nonce in EncKDCRepPart 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf) >--- > python/samba/tests/krb5/raw_testcase.py | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 69b7c7adc9b..60e589464f3 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1442,7 +1442,6 @@ class RawKerberosTest(TestCaseInTempDir): > from_time=None, # optional > till_time=None, # required > renew_time=None, # optional >- nonce=None, # required > etypes=None, # required > addresses=None, # optional > additional_tickets=None, # optional >@@ -1463,8 +1462,12 @@ class RawKerberosTest(TestCaseInTempDir): > > if till_time is None: > till_time = self.get_KerberosTime(offset=36000) >- if nonce is None: >+ >+ if 'nonce' in kdc_exchange_dict: >+ nonce = kdc_exchange_dict['nonce'] >+ else: > nonce = self.get_Nonce() >+ kdc_exchange_dict['nonce'] = nonce > > req_body = self.KDC_REQ_BODY_create( > kdc_options=kdc_options, >@@ -1755,7 +1758,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementPresent(encpart_key, 'keyvalue') > encpart_session_key = self.EncryptionKey_import(encpart_key) > self.assertElementPresent(encpart_private, 'last-req') >- self.assertElementPresent(encpart_private, 'nonce') >+ self.assertElementEqual(encpart_private, 'nonce', >+ kdc_exchange_dict['nonce']) > # TODO self.assertElementPresent(encpart_private, > # 'key-expiration') > self.assertElementPresent(encpart_private, 'flags') >-- >2.25.1 > > >From 9e682e058a7b52297cd69894744fe1f9256df698 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Jul 2021 19:27:02 +1200 >Subject: [PATCH 042/108] tests/krb5: Add generate_ap_req() method > >This method will be useful to generate an AP-REQ for use as FAST armor. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7) >--- > python/samba/tests/krb5/raw_testcase.py | 18 ++++++++++++++---- > 1 file changed, 14 insertions(+), 4 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 60e589464f3..67b359f07d8 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1971,10 +1971,10 @@ class RawKerberosTest(TestCaseInTempDir): > kdc_exchange_dict['preauth_etype_info2'] = etype_info2 > return > >- def generate_simple_tgs_padata(self, >- kdc_exchange_dict, >- callback_dict, >- req_body): >+ def generate_ap_req(self, >+ kdc_exchange_dict, >+ _callback_dict, >+ req_body): > tgt = kdc_exchange_dict['tgt'] > authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] > body_checksum_type = kdc_exchange_dict['body_checksum_type'] >@@ -2014,6 +2014,16 @@ class RawKerberosTest(TestCaseInTempDir): > ticket=tgt.ticket, > authenticator=authenticator) > ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ()) >+ >+ return ap_req >+ >+ def generate_simple_tgs_padata(self, >+ kdc_exchange_dict, >+ callback_dict, >+ req_body): >+ ap_req = self.generate_ap_req(kdc_exchange_dict, >+ callback_dict, >+ req_body) > pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) > padata = [pa_tgs_req] > >-- >2.25.1 > > >From dd412d30a29ae4a3e76f0a3ace4a6a8d0c04e23c Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:06:35 +1200 >Subject: [PATCH 043/108] tests/krb5: Ensure generated padata is not None > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d) >--- > python/samba/tests/krb5/as_req_tests.py | 6 +++++- > python/samba/tests/krb5/raw_testcase.py | 8 +++++++- > 2 files changed, 12 insertions(+), 2 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index d9a66f99ecf..b5a6cfd31c7 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py >@@ -89,12 +89,16 @@ class AsReqKerberosTests(KDCBaseTest): > req_body): > return initial_padata, req_body > >+ generate_padata_fn = (_generate_padata_copy >+ if initial_padata is not None >+ else None) >+ > kdc_exchange_dict = self.as_exchange_dict( > expected_crealm=expected_crealm, > expected_cname=expected_cname, > expected_srealm=expected_srealm, > expected_sname=expected_sname, >- generate_padata_fn=_generate_padata_copy, >+ generate_padata_fn=generate_padata_fn, > check_error_fn=self.generic_check_as_error, > check_rep_fn=None, > expected_error_mode=expected_error_mode, >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 67b359f07d8..e15fc44a962 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1489,6 +1489,7 @@ class RawKerberosTest(TestCaseInTempDir): > padata, req_body = generate_padata_fn(kdc_exchange_dict, > callback_dict, > req_body) >+ self.assertIsNotNone(padata) > else: > padata = None 
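Review bot: the bare `self.assertIsNotNone(padata)` added in the @@ -1489,6 +1489,7 hunk will only report "unexpectedly None" without saying which callback produced it; pass a message such as `self.assertIsNotNone(padata, 'generate_padata_fn returned None')`. The companion hunk in `as_req_tests.py` shows the intended rule, namely that a caller with no padata passes `generate_padata_fn=None` rather than a callback that returns None; a one-line comment above the assertion stating that rule would save the next test author from tripping over it.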
> >@@ -2082,13 +2083,18 @@ class RawKerberosTest(TestCaseInTempDir): > check_error_fn = self.generic_check_as_error > check_rep_fn = None > >+ if padata is not None: >+ generate_padata_fn = _generate_padata_copy >+ else: >+ generate_padata_fn = None >+ > kdc_exchange_dict = self.as_exchange_dict( > expected_crealm=expected_crealm, > expected_cname=expected_cname, > expected_srealm=expected_srealm, > expected_sname=expected_sname, > ticket_decryption_key=ticket_decryption_key, >- generate_padata_fn=_generate_padata_copy, >+ generate_padata_fn=generate_padata_fn, > check_error_fn=check_error_fn, > check_rep_fn=check_rep_fn, > check_padata_fn=_check_padata_preauth_key, >-- >2.25.1 > > >From ab6be7f22dad27dbf5f4072673c4e460ae1db654 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 13:59:36 +1200 >Subject: [PATCH 044/108] tests/krb5: Generate AP-REQ for TGS request in > _generic_kdc_exchange() > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33) >--- > python/samba/tests/krb5/raw_testcase.py | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index e15fc44a962..4f399467cfe 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -1484,13 +1484,34 @@ class RawKerberosTest(TestCaseInTempDir): > EncAuthorizationData=EncAuthorizationData, > EncAuthorizationData_key=EncAuthorizationData_key, > EncAuthorizationData_usage=EncAuthorizationData_usage) >+ >+ if req_msg_type == KRB_AS_REQ: >+ tgs_req = None >+ tgs_req_padata = None >+ else: >+ self.assertEqual(KRB_TGS_REQ, req_msg_type) >+ >+ tgs_req = self.generate_ap_req(kdc_exchange_dict, >+ callback_dict, >+ req_body) >+ tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) >+ > if generate_padata_fn is not None: > # This can alter req_body... > padata, req_body = generate_padata_fn(kdc_exchange_dict, > callback_dict, > req_body) > self.assertIsNotNone(padata) >+ self.assertNotIn(PADATA_KDC_REQ, >+ [pa['padata-type'] for pa in padata], >+ 'Don\'t create TGS-REQ manually') > else: >+ padata = [] >+ >+ if tgs_req_padata is not None: >+ padata.insert(0, tgs_req_padata) >+ >+ if not padata: > padata = None > > kdc_exchange_dict['req_padata'] = padata >-- >2.25.1 > > >From e8aed5c88fe2f03e6a7c751f6feabe30ce891da3 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 10:21:07 +1200 >Subject: [PATCH 045/108] tests/krb5: Add more ASN1 definitions for FAST > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6) >--- > python/samba/tests/krb5/rfc4120.asn1 | 106 ++++++++++++++++++- > python/samba/tests/krb5/rfc4120_constants.py | 33 ++++++ > python/samba/tests/krb5/rfc4120_pyasn1.py | 100 ++++++++++++++++- > 3 files changed, 236 insertions(+), 3 deletions(-) > >diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 >index d81d06ad6f7..f47c1d00202 100644 >--- a/python/samba/tests/krb5/rfc4120.asn1 >+++ b/python/samba/tests/krb5/rfc4120.asn1 
>@@ -1,3 +1,43 @@ >+-- Portions of these ASN.1 modules are structures are from RFC6113 >+-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft) >+-- >+-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the >+-- code. All rights reserved. >+-- >+-- Redistribution and use in source and binary forms, with or without >+-- modification, is permitted pursuant to, and subject to the license terms >+-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF >+-- Trustâs Legal Provisions Relating to IETF Documents >+-- (http://trustee.ietf.org/license-info). >+-- >+-- BSD License: >+-- >+-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved. >+-- Redistribution and use in source and binary forms, with or without modification, are permitted provided >+-- that the following conditions are met: >+-- ⢠Redistributions of source code must retain the above copyright notice, this list of conditions and >+-- the following disclaimer. >+-- >+-- ⢠Redistributions in binary form must reproduce the above copyright notice, this list of conditions >+-- and the following disclaimer in the documentation and/or other materials provided with the >+-- distribution. >+-- >+-- ⢠Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors, >+-- may be used to endorse or promote products derived from this software without specific prior written >+-- permission. >+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS âAS ISâ >+-- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE >+-- ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE >+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF >+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS >+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN >+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) >+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE >+-- POSSIBILITY OF SUCH DAMAGE. >+-- >+ > KerberosV5Spec2 { > iso(1) identified-organization(3) dod(6) internet(1) > security(5) kerberosV5(2) modules(4) krb5spec2(2) 
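Review bot: the licence header added in the @@ -1,3 +1,43 hunk contains non-ASCII characters that already display mis-encoded here (`Trustâs`, the `â¢` bullet markers and the quotes around `AS IS`); replace them with ASCII (`Trust's`, `*` or `-` bullets, plain double quotes) so the ASN.1 source, which asn1ate also has to parse, stays plain ASCII and the wording matches the IETF Trust text. The first line also drops a word: "Portions of these ASN.1 modules are structures are from RFC6113" should read "Portions of these ASN.1 modules are from RFC 6113".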
>@@ -464,6 +504,69 @@ PA-PAC-OPTIONS ::= SEQUENCE { > KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type -- > KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey > >+FastOptions ::= BIT STRING { >+ reserved(0), >+ hide-client-names(1), >+ kdc-follow-referrals(16) >+} >+ >+KrbFastReq ::= SEQUENCE { >+ fast-options [0] FastOptions, >+ padata [1] SEQUENCE OF PA-DATA, >+ req-body [2] KDC-REQ-BODY, >+ ... >+} >+ >+KrbFastArmor ::= SEQUENCE { >+ armor-type [0] Int32, >+ armor-value [1] OCTET STRING, >+ ... >+} >+ >+KrbFastArmoredReq ::= SEQUENCE { >+ armor [0] KrbFastArmor OPTIONAL, >+ req-checksum [1] Checksum, >+ enc-fast-req [2] EncryptedData -- KrbFastReq -- >+} >+ >+PA-FX-FAST-REQUEST ::= CHOICE { >+ armored-data [0] KrbFastArmoredReq, >+ ... >+} >+ >+KrbFastFinished ::= SEQUENCE { >+ timestamp [0] KerberosTime, >+ usec [1] Int32, >+ crealm [2] Realm, >+ cname [3] PrincipalName, >+ ticket-checksum [4] Checksum, >+ ... >+} >+ >+KrbFastResponse ::= SEQUENCE { >+ padata [0] SEQUENCE OF PA-DATA, >+ -- padata typed holes. >+ strengthen-key [1] EncryptionKey OPTIONAL, >+ -- This, if present, strengthens the reply key for AS and >+ -- TGS. MUST be present for TGS. >+ -- MUST be absent in KRB-ERROR. >+ finished [2] KrbFastFinished OPTIONAL, >+ -- Present in AS or TGS reply; absent otherwise. >+ nonce [3] UInt32, >+ -- Nonce from the client request. >+ ... >+} >+ >+KrbFastArmoredRep ::= SEQUENCE { >+ enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- >+ ... >+} >+ >+PA-FX-FAST-REPLY ::= CHOICE { >+ armored-data [0] KrbFastArmoredRep, >+ ... >+} >+ > -- MS-KILE End > -- > -- 
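Review bot: the RFC 6113 FAST structures in the @@ -464,6 +504,69 hunk sit between the MS-KILE definitions (`KERB-KEY-LIST-REP`) and the `-- MS-KILE End` marker, so the file now labels them as MS-KILE material; move the block below that marker or give it its own `-- RFC 6113 FAST` / `-- RFC 6113 End` markers so a reader can tell which specification each type comes from. The commenting is also uneven: `KrbFastResponse` keeps the RFC's explanatory comments (`-- MUST be present for TGS.`, `-- Nonce from the client request.`) while `KrbFastArmor`, `KrbFastArmoredReq` and `KrbFastFinished` have none; at minimum `req-checksum` and `enc-fast-req` deserve a note on what they cover and which key they use, since those are the fields the tests will get wrong.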
>@@ -631,7 +734,8 @@ PADataTypeValues ::= INTEGER { > kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon > kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u > kRB5-PADATA-REQ-ENC-PA-REP(149), -- >- kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE >+ kRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE >+ kRB5-PADATA-PAC-OPTIONS(167) -- MS-KILE > } > PADataTypeSequence ::= SEQUENCE { > dummy [0] PADataTypeValues >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index b00b8b48ae5..e1a688991a7 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py 
>@@ -36,29 +36,44 @@ KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req')) > # PAData types > PADATA_ENC_TIMESTAMP = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) >+PADATA_ENCRYPTED_CHALLENGE = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ENCRYPTED-CHALLENGE')) > PADATA_ETYPE_INFO = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO')) > PADATA_ETYPE_INFO2 = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) > PADATA_FOR_USER = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-FOR-USER')) >+PADATA_FX_COOKIE = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-COOKIE')) >+PADATA_FX_ERROR = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-ERROR')) >+PADATA_FX_FAST = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-FAST')) > PADATA_KDC_REQ = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ')) >+PADATA_PAC_OPTIONS = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-PAC-OPTIONS')) > PADATA_PAC_REQUEST = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST')) > PADATA_PK_AS_REQ = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) > PADATA_PK_AS_REP_19 = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19')) >+PADATA_SUPPORTED_ETYPES = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES')) > > # Error codes > KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 >+KDC_ERR_POLICY = 12 > KDC_ERR_ETYPE_NOSUPP = 14 > KDC_ERR_PREAUTH_FAILED = 24 > KDC_ERR_PREAUTH_REQUIRED = 25 >+KDC_ERR_NOT_US = 35 > KDC_ERR_BADMATCH = 36 > KDC_ERR_SKEW = 37 > KDC_ERR_GENERIC = 60 >+KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93 > > # Name types > NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) 
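Review bot: the @@ -36,29 +36,44 hunk resolves `kRB5-PADATA-ENCRYPTED-CHALLENGE`, `kRB5-PADATA-FX-COOKIE`, `kRB5-PADATA-FX-ERROR` and `kRB5-PADATA-FX-FAST` through `krb5_asn1.PADataTypeValues(...)` at module load, but the `rfc4120.asn1` and `rfc4120_pyasn1.py` hunks in this patch only add `kRB5-PADATA-PAC-OPTIONS(167)` to that enumeration; if the four names are not already present the whole constants module fails at import time. Either include them in the diff context or state in the commit message that they were already defined. The new error codes (`KDC_ERR_POLICY = 12`, `KDC_ERR_NOT_US = 35`, `KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93`) would also benefit from a `# RFC 4120` / `# RFC 6113` comment so the numbers can be checked without a lookup.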
>@@ -67,6 +82,7 @@ NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST')) > NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) > NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( > 'kRB5-NT-ENTERPRISE-PRINCIPAL')) >+NT_WELLKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-WELLKNOWN')) > > # Authorization data ad-type values > >@@ -79,6 +95,8 @@ AD_MANDATORY_TICKET_EXTENSIONS = 6 > AD_IN_TICKET_EXTENSIONS = 7 > AD_MANDATORY_FOR_KDC = 8 > AD_INITIAL_VERIFIED_CAS = 9 >+AD_FX_FAST_ARMOR = 71 >+AD_FX_FAST_USED = 72 > AD_WIN2K_PAC = 128 > AD_SIGNTICKET = 512 > >@@ -133,3 +151,18 @@ KU_KRB_SAFE_CKSUM = 15 > (section 5.6.1) ''' > KU_NON_KERB_SALT = 16 > KU_NON_KERB_CKSUM_SALT = 17 >+ >+KU_ACCEPTOR_SEAL = 22 >+KU_ACCEPTOR_SIGN = 23 >+KU_INITIATOR_SEAL = 24 >+KU_INITIATOR_SIGN = 25 >+ >+KU_FAST_REQ_CHKSUM = 50 >+KU_FAST_ENC = 51 >+KU_FAST_REP = 52 >+KU_FAST_FINISHED = 53 >+KU_ENC_CHALLENGE_CLIENT = 54 >+KU_ENC_CHALLENGE_KDC = 55 >+ >+# Armor types >+FX_FAST_ARMOR_AP_REQUEST = 1 >diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py >index 56fe02a68f0..39ec8ed7982 100644 >--- a/python/samba/tests/krb5/rfc4120_pyasn1.py >+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py >@@ -1,5 +1,5 @@ > # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >-# (last modified on 2021-06-16 08:54:13.969508) >+# (last modified on 2021-06-25 12:10:34.484667) > > # KerberosV5Spec2 > from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful >@@ -619,6 +619,17 @@ EncryptionTypeSequence.componentType = namedtype.NamedTypes( > ) > > >+class FastOptions(univ.BitString): >+ pass >+ >+ >+FastOptions.namedValues = namedval.NamedValues( >+ ('reserved', 0), >+ ('hide-client-names', 1), >+ ('kdc-follow-referrals', 16) >+) >+ >+ > class KDCOptionsValues(univ.BitString): > pass 
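Review bot: the key usage numbers added in the @@ -133,3 +151,18 hunk (`KU_ACCEPTOR_SEAL` through `KU_ENC_CHALLENGE_KDC`) and `FX_FAST_ARMOR_AP_REQUEST` carry no source comment, whereas the surrounding entries cite their defining section (`(section 5.6.1)` just above `KU_NON_KERB_SALT`); add a short comment per group naming where the values come from (RFC 4121 for the GSS acceptor/initiator usages 22 to 25, RFC 6113 for the FAST and encrypted-challenge usages 50 to 55 and the armor type) so the numbers can be verified in review rather than trusted.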
> >@@ -800,6 +811,72 @@ KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes( > ) > > >+class KrbFastArmor(univ.Sequence): >+ pass >+ >+ >+KrbFastArmor.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('armor-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('armor-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class KrbFastArmoredRep(univ.Sequence): >+ pass >+ >+ >+KrbFastArmoredRep.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('enc-fast-rep', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))) >+) >+ >+ >+class KrbFastArmoredReq(univ.Sequence): >+ pass >+ >+ >+KrbFastArmoredReq.componentType = namedtype.NamedTypes( >+ namedtype.OptionalNamedType('armor', KrbFastArmor().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), >+ namedtype.NamedType('req-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), >+ namedtype.NamedType('enc-fast-req', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) >+) >+ >+ >+class KrbFastFinished(univ.Sequence): >+ pass >+ >+ >+KrbFastFinished.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('usec', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), >+ namedtype.NamedType('ticket-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) >+) >+ >+ >+class 
KrbFastReq(univ.Sequence): >+ pass >+ >+ >+KrbFastReq.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('fast-options', FastOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) >+) >+ >+ >+class KrbFastResponse(univ.Sequence): >+ pass >+ >+ >+KrbFastResponse.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('strengthen-key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), >+ namedtype.OptionalNamedType('finished', KrbFastFinished().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) >+) >+ >+ > class MessageTypeValues(univ.Integer): > pass > >@@ -871,6 +948,24 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( > ) > > >+class PA_FX_FAST_REPLY(univ.Choice): >+ pass >+ >+ >+PA_FX_FAST_REPLY.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('armored-data', KrbFastArmoredRep().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))) >+) >+ >+ >+class PA_FX_FAST_REQUEST(univ.Choice): >+ pass >+ >+ >+PA_FX_FAST_REQUEST.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('armored-data', KrbFastArmoredReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))) >+) >+ >+ > class PACOptionFlags(KerberosFlags): > pass 
> >@@ -980,7 +1075,8 @@ PADataTypeValues.namedValues = namedval.NamedValues( > ('kRB5-PADATA-PKINIT-KX', 147), > ('kRB5-PADATA-PKU2U-NAME', 148), > ('kRB5-PADATA-REQ-ENC-PA-REP', 149), >- ('kRB5-PADATA-SUPPORTED-ETYPES', 165) >+ ('kRB5-PADATA-SUPPORTED-ETYPES', 165), >+ ('kRB5-PADATA-PAC-OPTIONS', 167) > ) > > >-- >2.25.1 > > >From d5a84b8eb701d2de515218d2b6e1b813417dbc76 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 10:23:26 +1200 >Subject: [PATCH 046/108] tests/krb5: Add more methods to create ASN1 objects > for FAST > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d) >--- > python/samba/tests/krb5/raw_testcase.py | 70 +++++++++++++++++++++++++ > 1 file changed, 70 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 4f399467cfe..46ce7605edf 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1013,6 +1013,17 @@ class RawKerberosTest(TestCaseInTempDir): > } > return PrincipalName_obj > >+ def AuthorizationData_create(self, ad_type, ad_data): >+ # AuthorizationData ::= SEQUENCE { >+ # ad-type [0] Int32, >+ # ad-data [1] OCTET STRING >+ # } >+ AUTH_DATA_obj = { >+ 'ad-type': ad_type, >+ 'ad-data': ad_data >+ } >+ return AUTH_DATA_obj >+ > def PA_DATA_create(self, padata_type, padata_value): > # PA-DATA ::= SEQUENCE { > # -- NOTE: first tag is [1], not [0] 
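Review bot: in the @@ -1013,6 +1013,17 hunk the local is named `AUTH_DATA_obj` while every neighbouring builder names its result after the ASN.1 type (`PrincipalName_obj`, `PA_DATA_obj`); call it `AuthorizationData_obj` to keep the convention. Since `ad_data` is passed straight through into a field the comment itself marks as `OCTET STRING`, say in that comment that the caller must DER-encode the inner structure first, otherwise the first user of this helper will hand it a dict and get an encoder error far from the cause.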
>@@ -1036,6 +1047,65 @@ class RawKerberosTest(TestCaseInTempDir): > } > return PA_ENC_TS_ENC_obj > >+ def PA_PAC_OPTIONS_create(self, options): >+ # PA-PAC-OPTIONS ::= SEQUENCE { >+ # options [0] PACOptionFlags >+ # } >+ PA_PAC_OPTIONS_obj = { >+ 'options': options >+ } >+ return PA_PAC_OPTIONS_obj >+ >+ def KRB_FAST_ARMOR_create(self, armor_type, armor_value): >+ # KrbFastArmor ::= SEQUENCE { >+ # armor-type [0] Int32, >+ # armor-value [1] OCTET STRING, >+ # ... >+ # } >+ KRB_FAST_ARMOR_obj = { >+ 'armor-type': armor_type, >+ 'armor-value': armor_value >+ } >+ return KRB_FAST_ARMOR_obj >+ >+ def KRB_FAST_REQ_create(self, fast_options, padata, req_body): >+ # KrbFastReq ::= SEQUENCE { >+ # fast-options [0] FastOptions, >+ # padata [1] SEQUENCE OF PA-DATA, >+ # req-body [2] KDC-REQ-BODY, >+ # ... >+ # } >+ KRB_FAST_REQ_obj = { >+ 'fast-options': fast_options, >+ 'padata': padata, >+ 'req-body': req_body >+ } >+ return KRB_FAST_REQ_obj >+ >+ def KRB_FAST_ARMORED_REQ_create(self, armor, req_checksum, enc_fast_req): >+ # KrbFastArmoredReq ::= SEQUENCE { >+ # armor [0] KrbFastArmor OPTIONAL, >+ # req-checksum [1] Checksum, >+ # enc-fast-req [2] EncryptedData -- KrbFastReq -- >+ # } >+ KRB_FAST_ARMORED_REQ_obj = { >+ 'req-checksum': req_checksum, >+ 'enc-fast-req': enc_fast_req >+ } >+ if armor is not None: >+ KRB_FAST_ARMORED_REQ_obj['armor'] = armor >+ return KRB_FAST_ARMORED_REQ_obj >+ >+ def PA_FX_FAST_REQUEST_create(self, armored_data): >+ # PA-FX-FAST-REQUEST ::= CHOICE { >+ # armored-data [0] KrbFastArmoredReq, >+ # ... >+ # } >+ PA_FX_FAST_REQUEST_obj = { >+ 'armored-data': armored_data >+ } >+ return PA_FX_FAST_REQUEST_obj >+ > def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True): > # KERB-PA-PAC-REQUEST ::= SEQUENCE { > # include-pac[0] BOOLEAN --If TRUE, and no pac present, >-- >2.25.1 > > >From 853957ee383c35a490f1f578ad2fc73ecfd3d4fc Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 12:47:18 +1200 >Subject: [PATCH 047/108] tests/krb5: Add method to generate FAST encrypted > challenge padata > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082) >--- > python/samba/tests/krb5/kdc_base_test.py | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 1b550179e0e..24a1e7cfbc8 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -54,11 +54,13 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_TGS_REP, > KRB_ERROR, > KU_AS_REP_ENC_PART, >+ KU_ENC_CHALLENGE_CLIENT, > KU_PA_ENC_TIMESTAMP, > KU_TGS_REP_ENC_PART_SUB_KEY, > KU_TICKET, > NT_PRINCIPAL, > NT_SRV_HST, >+ PADATA_ENCRYPTED_CHALLENGE, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO2, > ) >@@ -511,6 +513,23 @@ class KDCBaseTest(RawKerberosTest): > > return padata > >+ def get_challenge_pa_data(self, client_challenge_key, skew=0): >+ patime, pausec = self.get_KerberosTimeWithUsec(offset=skew) >+ padata = self.PA_ENC_TS_ENC_create(patime, pausec) >+ padata = self.der_encode(padata, >+ asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >+ >+ padata = self.EncryptedData_create(client_challenge_key, >+ KU_ENC_CHALLENGE_CLIENT, >+ padata) >+ padata = self.der_encode(padata, >+ asn1Spec=krb5_asn1.EncryptedData()) >+ >+ padata = self.PA_DATA_create(PADATA_ENCRYPTED_CHALLENGE, >+ padata) >+ >+ return padata >+ > def get_as_rep_enc_data(self, key, rep): > ''' Decrypt and Decode the encrypted data in an AS-REP > ''' >-- >2.25.1 > > >From 1298ba12a35df1101b6d414ff5c9428bcca071ae Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 6 Jul 2021 12:49:05 +1200 >Subject: [PATCH 048/108] tests/krb5: Add methods to calculate keys for FAST > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917) >--- > python/samba/tests/krb5/raw_testcase.py | 37 +++++++++++++++++++++++++ > 1 file changed, 37 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 46ce7605edf..113f08628b6 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -2137,6 +2137,43 @@ class RawKerberosTest(TestCaseInTempDir): > > return subkey, subkey_usage > >+ def generate_armor_key(self, subkey, session_key): >+ armor_key = kcrypto.cf2(subkey.key, >+ session_key.key, >+ b'subkeyarmor', >+ b'ticketarmor') >+ armor_key = Krb5EncryptionKey(armor_key, None) >+ >+ return armor_key >+ >+ def generate_strengthen_reply_key(self, strengthen_key, reply_key): >+ strengthen_reply_key = kcrypto.cf2(strengthen_key.key, >+ reply_key.key, >+ b'strengthenkey', >+ b'replykey') >+ strengthen_reply_key = Krb5EncryptionKey(strengthen_reply_key, >+ reply_key.kvno) >+ >+ return strengthen_reply_key >+ >+ def generate_client_challenge_key(self, armor_key, longterm_key): >+ client_challenge_key = kcrypto.cf2(armor_key.key, >+ longterm_key.key, >+ b'clientchallengearmor', >+ b'challengelongterm') >+ client_challenge_key = Krb5EncryptionKey(client_challenge_key, None) >+ >+ return client_challenge_key >+ >+ def generate_kdc_challenge_key(self, armor_key, longterm_key): >+ kdc_challenge_key = kcrypto.cf2(armor_key.key, >+ longterm_key.key, >+ b'kdcchallengearmor', >+ b'challengelongterm') >+ kdc_challenge_key = Krb5EncryptionKey(kdc_challenge_key, None) >+ >+ return kdc_challenge_key >+ > def _test_as_exchange(self, > cname, > realm, >-- >2.25.1 > > >From fda46d7fd5e44293f60f927f1fe39fc740d59f49 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Jul 2021 20:49:12 +1200 >Subject: [PATCH 049/108] tests/krb5: Rename generic_check_as_error() to > generic_check_kdc_error() > >This method will also be useful in checking TGS-REP error replies. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713) >--- > python/samba/tests/krb5/as_req_tests.py | 2 +- > python/samba/tests/krb5/raw_testcase.py | 10 +++++----- > 2 files changed, 6 insertions(+), 6 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index b5a6cfd31c7..fd258e8164a 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py >@@ -99,7 +99,7 @@ class AsReqKerberosTests(KDCBaseTest): > expected_srealm=expected_srealm, > expected_sname=expected_sname, > generate_padata_fn=generate_padata_fn, >- check_error_fn=self.generic_check_as_error, >+ check_error_fn=self.generic_check_kdc_error, > check_rep_fn=None, > expected_error_mode=expected_error_mode, > client_as_etypes=client_as_etypes, >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 113f08628b6..047bf413b34 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1888,10 +1888,10 @@ class RawKerberosTest(TestCaseInTempDir): > > kdc_exchange_dict['rep_ticket_creds'] = ticket_creds > >- def generic_check_as_error(self, >- kdc_exchange_dict, >- callback_dict, >- rep): >+ def generic_check_kdc_error(self, >+ kdc_exchange_dict, >+ callback_dict, >+ rep): > > expected_crealm = kdc_exchange_dict['expected_crealm'] > expected_cname = kdc_exchange_dict['expected_cname'] >@@ -2208,7 +2208,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_error_fn = None > check_rep_fn = self.generic_check_kdc_rep > else: >- check_error_fn = self.generic_check_as_error >+ check_error_fn = self.generic_check_kdc_error > check_rep_fn = None > > if padata is not None: >-- >2.25.1 
> > >From 04915a9a5cb40934f1bccfda2a5882ba84b0670d Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 10:19:46 +1200 >Subject: [PATCH 050/108] tests/krb5: Include authenticator_subkey in AS-REQ > exchange dict > >This is needed for FAST. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155) >--- > python/samba/tests/krb5/raw_testcase.py | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 047bf413b34..9375f39937e 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1632,6 +1632,7 @@ class RawKerberosTest(TestCaseInTempDir): > expected_error_mode=0, > client_as_etypes=None, > expected_salt=None, >+ authenticator_subkey=None, > kdc_options=''): > kdc_exchange_dict = { > 'req_msg_type': KRB_AS_REQ, >@@ -1653,6 +1654,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'expected_error_mode': expected_error_mode, > 'client_as_etypes': client_as_etypes, > 'expected_salt': expected_salt, >+ 'authenticator_subkey': authenticator_subkey, > 'kdc_options': kdc_options, > } > if callback_dict is None: >-- >2.25.1 > > >From fba1e728b8dd96496d3d20c8168b7cd2205a20dd Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 10:33:10 +1200 >Subject: [PATCH 051/108] tests/krb5: Modify generate_ap_req() to also generate > FAST armor AP-REQ 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e) >--- > python/samba/tests/krb5/raw_testcase.py | 45 ++++++++++++++++++------- > 1 file changed, 32 insertions(+), 13 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 9375f39937e..29ea41ec92b 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -49,6 +49,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_ERROR, > KRB_TGS_REP, > KRB_TGS_REQ, >+ KU_AP_REQ_AUTH, > KU_AS_REP_ENC_PART, > KU_NON_KERB_CKSUM_SALT, > KU_TGS_REP_ENC_PART_SESSION, >@@ -1563,7 +1564,8 @@ class RawKerberosTest(TestCaseInTempDir): > > tgs_req = self.generate_ap_req(kdc_exchange_dict, > callback_dict, >- req_body) >+ req_body, >+ armor=False) > tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) > > if generate_padata_fn is not None: >@@ -1633,6 +1635,8 @@ class RawKerberosTest(TestCaseInTempDir): > client_as_etypes=None, > expected_salt=None, > authenticator_subkey=None, >+ armor_tgt=None, >+ armor_subkey=None, > kdc_options=''): > kdc_exchange_dict = { > 'req_msg_type': KRB_AS_REQ, >@@ -1655,6 +1659,8 @@ class RawKerberosTest(TestCaseInTempDir): > 'client_as_etypes': client_as_etypes, > 'expected_salt': expected_salt, > 'authenticator_subkey': authenticator_subkey, >+ 'armor_tgt': armor_tgt, >+ 'armor_subkey': armor_subkey, > 'kdc_options': kdc_options, > } > if callback_dict is None: >@@ -1675,6 +1681,8 @@ class RawKerberosTest(TestCaseInTempDir): > check_kdc_private_fn=None, > callback_dict=None, > tgt=None, >+ armor_tgt=None, >+ armor_subkey=None, > authenticator_subkey=None, > body_checksum_type=None, > kdc_options=''): 
>@@ -1697,6 +1705,8 @@ class RawKerberosTest(TestCaseInTempDir): > 'callback_dict': callback_dict, > 'tgt': tgt, > 'body_checksum_type': body_checksum_type, >+ 'armor_tgt': armor_tgt, >+ 'armor_subkey': armor_subkey, > 'authenticator_subkey': authenticator_subkey, > 'kdc_options': kdc_options > } >@@ -2068,18 +2078,25 @@ class RawKerberosTest(TestCaseInTempDir): > def generate_ap_req(self, > kdc_exchange_dict, > _callback_dict, >- req_body): >- tgt = kdc_exchange_dict['tgt'] >- authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] >- body_checksum_type = kdc_exchange_dict['body_checksum_type'] >+ req_body, >+ armor): >+ if armor: >+ tgt = kdc_exchange_dict['armor_tgt'] >+ authenticator_subkey = kdc_exchange_dict['armor_subkey'] > >- req_body_blob = self.der_encode(req_body, >- asn1Spec=krb5_asn1.KDC_REQ_BODY()) >+ req_body_checksum = None >+ else: >+ tgt = kdc_exchange_dict['tgt'] >+ authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] >+ body_checksum_type = kdc_exchange_dict['body_checksum_type'] > >- req_body_checksum = self.Checksum_create(tgt.session_key, >- KU_TGS_REQ_AUTH_CKSUM, >- req_body_blob, >- ctype=body_checksum_type) >+ req_body_blob = self.der_encode(req_body, >+ asn1Spec=krb5_asn1.KDC_REQ_BODY()) >+ >+ req_body_checksum = self.Checksum_create(tgt.session_key, >+ KU_TGS_REQ_AUTH_CKSUM, >+ req_body_blob, >+ ctype=body_checksum_type) > > subkey_obj = None > if authenticator_subkey is not None: >@@ -2099,8 +2116,9 @@ class RawKerberosTest(TestCaseInTempDir): > authenticator_obj, > asn1Spec=krb5_asn1.Authenticator()) > >+ usage = KU_AP_REQ_AUTH if armor else KU_TGS_REQ_AUTH > authenticator = self.EncryptedData_create(tgt.session_key, >- KU_TGS_REQ_AUTH, >+ usage, > authenticator_blob) > > ap_options = krb5_asn1.APOptions('0') 
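Review bot: In the generate_ap_req hunk, the `if armor:` branch takes `tgt = kdc_exchange_dict['armor_tgt']` and later dereferences `tgt.session_key` without checking it, so a test that enables armor but does not supply armor_tgt fails with an AttributeError rather than a clear assertion; a `self.assertIsNotNone(tgt)` after the branch (covering both paths) would give a better failure message. The new `armor` parameter has no default, which is the right call here: the key usage (`KU_AP_REQ_AUTH` for the armor AP-REQ, `KU_TGS_REQ_AUTH` otherwise) and the presence of the request-body checksum both hinge on it, so a silent default could mask a mis-wired caller, and both existing call sites in this patch are updated to pass `armor=False`.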
>@@ -2117,7 +2135,8 @@ class RawKerberosTest(TestCaseInTempDir): > req_body): > ap_req = self.generate_ap_req(kdc_exchange_dict, > callback_dict, >- req_body) >+ req_body, >+ armor=False) > pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) > padata = [pa_tgs_req] > >-- >2.25.1 > > >From fc85ab1aa820520ea3a8d35a8ca5afb1b0d2e430 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 10:33:24 +1200 >Subject: [PATCH 052/108] tests/krb5: Add FAST armor generation to > _generic_kdc_exchange() > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d) >--- > python/samba/tests/krb5/raw_testcase.py | 95 +++++++++++++++++++++++-- > 1 file changed, 88 insertions(+), 7 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 29ea41ec92b..151dc0355a3 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -42,6 +42,7 @@ from samba.tests import TestCaseInTempDir > > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( >+ FX_FAST_ARMOR_AP_REQUEST, > KDC_ERR_GENERIC, > KRB_AP_REQ, > KRB_AS_REP, >@@ -51,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_TGS_REQ, > KU_AP_REQ_AUTH, > KU_AS_REP_ENC_PART, >+ KU_FAST_REQ_CHKSUM, > KU_NON_KERB_CKSUM_SALT, > KU_TGS_REP_ENC_PART_SESSION, > KU_TGS_REP_ENC_PART_SUB_KEY, 
>@@ -1522,6 +1524,9 @@ class RawKerberosTest(TestCaseInTempDir): > > check_error_fn = kdc_exchange_dict['check_error_fn'] > check_rep_fn = kdc_exchange_dict['check_rep_fn'] >+ generate_fast_fn = kdc_exchange_dict['generate_fast_fn'] >+ generate_fast_armor_fn = kdc_exchange_dict['generate_fast_armor_fn'] >+ generate_fast_padata_fn = kdc_exchange_dict['generate_fast_padata_fn'] > generate_padata_fn = kdc_exchange_dict['generate_padata_fn'] > callback_dict = kdc_exchange_dict['callback_dict'] > req_msg_type = kdc_exchange_dict['req_msg_type'] 
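Review bot: The three `generate_fast_*_fn` lookups added here index kdc_exchange_dict directly, so an exchange dict not built through as_exchange_dict()/tgs_exchange_dict() (which this same patch extends with those keys) raises KeyError at the top of _generic_kdc_exchange. That is fine if those two builders are the only constructors of the dict; otherwise `.get()` with a None default would keep the new FAST hooks opt-in for any hand-built dict.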
>@@ -1568,25 +1573,81 @@ class RawKerberosTest(TestCaseInTempDir): > armor=False) > tgs_req_padata = self.PA_DATA_create(PADATA_KDC_REQ, tgs_req) > >+ if generate_fast_padata_fn is not None: >+ self.assertIsNotNone(generate_fast_fn) >+ # This can alter req_body... >+ fast_padata, req_body = generate_fast_padata_fn(kdc_exchange_dict, >+ callback_dict, >+ req_body) >+ else: >+ fast_padata = [] >+ >+ if generate_fast_armor_fn is not None: >+ self.assertIsNotNone(generate_fast_fn) >+ fast_ap_req = generate_fast_armor_fn(kdc_exchange_dict, >+ callback_dict, >+ req_body, >+ armor=True) >+ >+ fast_armor_type = kdc_exchange_dict['fast_armor_type'] >+ fast_armor = self.KRB_FAST_ARMOR_create(fast_armor_type, >+ fast_ap_req) >+ else: >+ fast_armor = None >+ > if generate_padata_fn is not None: > # This can alter req_body... >- padata, req_body = generate_padata_fn(kdc_exchange_dict, >- callback_dict, >- req_body) >- self.assertIsNotNone(padata) >+ outer_padata, req_body = generate_padata_fn(kdc_exchange_dict, >+ callback_dict, >+ req_body) >+ self.assertIsNotNone(outer_padata) > self.assertNotIn(PADATA_KDC_REQ, >- [pa['padata-type'] for pa in padata], >+ [pa['padata-type'] for pa in outer_padata], > 'Don\'t create TGS-REQ manually') > else: >- padata = [] >+ outer_padata = None >+ >+ if generate_fast_fn is not None: >+ armor_key = kdc_exchange_dict['armor_key'] >+ self.assertIsNotNone(armor_key) >+ >+ if req_msg_type == KRB_AS_REQ: >+ checksum_blob = self.der_encode( >+ req_body, >+ asn1Spec=krb5_asn1.KDC_REQ_BODY()) >+ else: >+ self.assertEqual(KRB_TGS_REQ, req_msg_type) >+ checksum_blob = tgs_req >+ >+ checksum = self.Checksum_create(armor_key, >+ KU_FAST_REQ_CHKSUM, >+ checksum_blob) >+ >+ fast = generate_fast_fn(kdc_exchange_dict, >+ callback_dict, >+ req_body, >+ fast_padata, >+ fast_armor, >+ checksum) >+ else: >+ fast = None >+ >+ padata = [] > > if tgs_req_padata is not None: >- padata.insert(0, tgs_req_padata) >+ padata.append(tgs_req_padata) >+ >+ if fast is not 
None: >+ padata.append(fast) >+ >+ if outer_padata is not None: >+ padata += outer_padata > > if not padata: > padata = None > > kdc_exchange_dict['req_padata'] = padata >+ kdc_exchange_dict['fast_padata'] = fast_padata > kdc_exchange_dict['req_body'] = req_body > > req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, >@@ -1625,6 +1686,10 @@ class RawKerberosTest(TestCaseInTempDir): > expected_srealm=None, > expected_sname=None, > ticket_decryption_key=None, >+ generate_fast_fn=None, >+ generate_fast_armor_fn=None, >+ generate_fast_padata_fn=None, >+ fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, > generate_padata_fn=None, > check_error_fn=None, > check_rep_fn=None, >@@ -1635,6 +1700,7 @@ class RawKerberosTest(TestCaseInTempDir): > client_as_etypes=None, > expected_salt=None, > authenticator_subkey=None, >+ armor_key=None, > armor_tgt=None, > armor_subkey=None, > kdc_options=''): >@@ -1649,6 +1715,10 @@ class RawKerberosTest(TestCaseInTempDir): > 'expected_srealm': expected_srealm, > 'expected_sname': expected_sname, > 'ticket_decryption_key': ticket_decryption_key, >+ 'generate_fast_fn': generate_fast_fn, >+ 'generate_fast_armor_fn': generate_fast_armor_fn, >+ 'generate_fast_padata_fn': generate_fast_padata_fn, >+ 'fast_armor_type': fast_armor_type, > 'generate_padata_fn': generate_padata_fn, > 'check_error_fn': check_error_fn, > 'check_rep_fn': check_rep_fn, >@@ -1659,6 +1729,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'client_as_etypes': client_as_etypes, > 'expected_salt': expected_salt, > 'authenticator_subkey': authenticator_subkey, >+ 'armor_key': armor_key, > 'armor_tgt': armor_tgt, > 'armor_subkey': armor_subkey, > 'kdc_options': kdc_options, 
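Review bot: In the FAST assembly hunk, the `assertNotIn(PADATA_KDC_REQ, ...)` guard ("Don't create TGS-REQ manually") is applied to outer_padata but not to the fast_padata returned by generate_fast_padata_fn, so a test could place a PA-TGS-REQ inside the FAST inner padata unnoticed; applying the same check to fast_padata keeps both paths consistent, and `fast` returned by generate_fast_fn is likewise appended without an `assertIsNotNone`. The checksum input is correct per RFC 6113 section 5.4.2: the DER-encoded KDC-REQ-BODY for an AS-REQ and the PA-TGS-REQ AP-REQ (`tgs_req`) for a TGS-REQ. Replacing `padata.insert(0, tgs_req_padata)` with `append` on the freshly created list still puts PA-TGS-REQ first, then PA-FX-FAST, then the caller's outer padata, so the previous ordering is preserved.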
>@@ -1674,6 +1745,10 @@ class RawKerberosTest(TestCaseInTempDir): > expected_srealm=None, > expected_sname=None, > ticket_decryption_key=None, >+ generate_fast_fn=None, >+ generate_fast_armor_fn=None, >+ generate_fast_padata_fn=None, >+ fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, > generate_padata_fn=None, > check_error_fn=None, > check_rep_fn=None, >@@ -1681,6 +1756,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_kdc_private_fn=None, > callback_dict=None, > tgt=None, >+ armor_key=None, > armor_tgt=None, > armor_subkey=None, > authenticator_subkey=None, >@@ -1697,6 +1773,10 @@ class RawKerberosTest(TestCaseInTempDir): > 'expected_srealm': expected_srealm, > 'expected_sname': expected_sname, > 'ticket_decryption_key': ticket_decryption_key, >+ 'generate_fast_fn': generate_fast_fn, >+ 'generate_fast_armor_fn': generate_fast_armor_fn, >+ 'generate_fast_padata_fn': generate_fast_padata_fn, >+ 'fast_armor_type': fast_armor_type, > 'generate_padata_fn': generate_padata_fn, > 'check_error_fn': check_error_fn, > 'check_rep_fn': check_rep_fn, >@@ -1705,6 +1785,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'callback_dict': callback_dict, > 'tgt': tgt, > 'body_checksum_type': body_checksum_type, >+ 'armor_key': armor_key, > 'armor_tgt': armor_tgt, > 'armor_subkey': armor_subkey, > 'authenticator_subkey': authenticator_subkey, >-- >2.25.1 > > >From b399908ed11e712dfb171062ca33c691eaa56664 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:01:36 +1200 >Subject: [PATCH 053/108] tests/krb5: Allow specifying parameters specific to > the outer request body > >This is useful for testing FAST. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb) >--- > python/samba/tests/krb5/raw_testcase.py | 25 ++++++++++++++++++++----- > 1 file changed, 20 insertions(+), 5 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 151dc0355a3..a173caf98d1 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1536,6 +1536,9 @@ class RawKerberosTest(TestCaseInTempDir): > expected_error_mode = kdc_exchange_dict['expected_error_mode'] > kdc_options = kdc_exchange_dict['kdc_options'] > >+ # Parameters specific to the outer request body >+ outer_req = kdc_exchange_dict['outer_req'] >+ > if till_time is None: > till_time = self.get_KerberosTime(offset=36000) > >@@ -1561,6 +1564,14 @@ class RawKerberosTest(TestCaseInTempDir): > EncAuthorizationData_key=EncAuthorizationData_key, > EncAuthorizationData_usage=EncAuthorizationData_usage) > >+ inner_req_body = dict(req_body) >+ if outer_req is not None: >+ for key, value in outer_req.items(): >+ if value is not None: >+ req_body[key] = value >+ else: >+ del req_body[key] >+ > if req_msg_type == KRB_AS_REQ: > tgs_req = None > tgs_req_padata = None >@@ -1625,7 +1636,7 @@ class RawKerberosTest(TestCaseInTempDir): > > fast = generate_fast_fn(kdc_exchange_dict, > callback_dict, >- req_body, >+ inner_req_body, > fast_padata, > fast_armor, > checksum) >@@ -1648,7 +1659,7 @@ class RawKerberosTest(TestCaseInTempDir): > > kdc_exchange_dict['req_padata'] = padata > kdc_exchange_dict['fast_padata'] = fast_padata >- kdc_exchange_dict['req_body'] = req_body >+ kdc_exchange_dict['req_body'] = inner_req_body > > req_obj, req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, > padata=padata, 
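Review bot: In the outer_req hunk, `inner_req_body = dict(req_body)` is a shallow copy, so nested values (the etype list, the sname dict) are shared between the inner and outer bodies; since generate_padata_fn is documented as something that "can alter req_body", an in-place change to a nested element would affect both bodies at once, and a `copy.deepcopy()` would make the inner body independent. Note also that `del req_body[key]` raises KeyError when a None override names an element the body does not contain, which is probably intended for a test helper but deserves a comment. The split itself is right: the req-checksum computed earlier from `req_body` now covers the outer body while generate_fast_fn receives `inner_req_body`, which is what RFC 6113 section 5.4.2 requires.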
>@@ -1703,7 +1714,8 @@ class RawKerberosTest(TestCaseInTempDir): > armor_key=None, > armor_tgt=None, > armor_subkey=None, >- kdc_options=''): >+ kdc_options='', >+ outer_req=None): > kdc_exchange_dict = { > 'req_msg_type': KRB_AS_REQ, > 'req_asn1Spec': krb5_asn1.AS_REQ, >@@ -1733,6 +1745,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'armor_tgt': armor_tgt, > 'armor_subkey': armor_subkey, > 'kdc_options': kdc_options, >+ 'outer_req': outer_req > } > if callback_dict is None: > callback_dict = {} >@@ -1761,7 +1774,8 @@ class RawKerberosTest(TestCaseInTempDir): > armor_subkey=None, > authenticator_subkey=None, > body_checksum_type=None, >- kdc_options=''): >+ kdc_options='', >+ outer_req=None): > kdc_exchange_dict = { > 'req_msg_type': KRB_TGS_REQ, > 'req_asn1Spec': krb5_asn1.TGS_REQ, >@@ -1789,7 +1803,8 @@ class RawKerberosTest(TestCaseInTempDir): > 'armor_tgt': armor_tgt, > 'armor_subkey': armor_subkey, > 'authenticator_subkey': authenticator_subkey, >- 'kdc_options': kdc_options >+ 'kdc_options': kdc_options, >+ 'outer_req': outer_req > } > if callback_dict is None: > callback_dict = {} >-- >2.25.1 > > >From 960f8bed7536a7cf66508df04e2021b6af3ff8da Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:04:37 +1200 >Subject: [PATCH 054/108] tests/krb5: Add method to check PA-FX-FAST-REPLY > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa) >--- > python/samba/tests/krb5/raw_testcase.py | 31 +++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index a173caf98d1..dd733aea09b 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -52,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_TGS_REQ, > KU_AP_REQ_AUTH, > KU_AS_REP_ENC_PART, >+ KU_FAST_REP, > KU_FAST_REQ_CHKSUM, > KU_NON_KERB_CKSUM_SALT, > KU_TGS_REP_ENC_PART_SESSION, >@@ -1910,6 +1911,36 @@ class RawKerberosTest(TestCaseInTempDir): > > return rep > >+ def check_fx_fast_data(self, >+ kdc_exchange_dict, >+ fx_fast_data, >+ armor_key, >+ finished=False, >+ expect_strengthen_key=True): >+ fx_fast_data = self.der_decode(fx_fast_data, >+ asn1Spec=krb5_asn1.PA_FX_FAST_REPLY()) >+ >+ enc_fast_rep = fx_fast_data['armored-data']['enc-fast-rep'] >+ self.assertEqual(enc_fast_rep['etype'], armor_key.etype) >+ >+ fast_rep = armor_key.decrypt(KU_FAST_REP, enc_fast_rep['cipher']) >+ >+ fast_response = self.der_decode(fast_rep, >+ asn1Spec=krb5_asn1.KrbFastResponse()) >+ >+ if expect_strengthen_key and self.strict_checking: >+ self.assertIn('strengthen-key', fast_response) >+ >+ if finished: >+ self.assertIn('finished', fast_response) >+ >+ # Ensure that the nonce matches the nonce in the body of the request >+ # (RFC6113 5.4.3). >+ nonce = kdc_exchange_dict['nonce'] >+ self.assertEqual(nonce, fast_response['nonce']) >+ >+ return fast_response >+ > def generic_check_kdc_private(self, > kdc_exchange_dict, > callback_dict, >-- >2.25.1 > > >From 06043587443c688e8298870da6c81a343e3af3bd Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:10:13 +1200 >Subject: [PATCH 055/108] tests/krb5: Add method to verify ticket checksum for > FAST > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b) >--- > python/samba/tests/krb5/raw_testcase.py | 12 ++++++++++++ > 1 file changed, 12 insertions(+) 
> >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index dd733aea09b..da38a9dfa62 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -52,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_TGS_REQ, > KU_AP_REQ_AUTH, > KU_AS_REP_ENC_PART, >+ KU_FAST_FINISHED, > KU_FAST_REP, > KU_FAST_REQ_CHKSUM, > KU_NON_KERB_CKSUM_SALT, >@@ -2322,6 +2323,17 @@ class RawKerberosTest(TestCaseInTempDir): > > return kdc_challenge_key > >+ def verify_ticket_checksum(self, ticket, expected_checksum, armor_key): >+ expected_type = expected_checksum['cksumtype'] >+ self.assertEqual(armor_key.ctype, expected_type) >+ >+ ticket_blob = self.der_encode(ticket, >+ asn1Spec=krb5_asn1.Ticket()) >+ checksum = self.Checksum_create(armor_key, >+ KU_FAST_FINISHED, >+ ticket_blob) >+ self.assertEqual(expected_checksum, checksum) >+ > def _test_as_exchange(self, > cname, > realm, >-- >2.25.1 > > >From 03cfcbd6221b48919110cc5a5b35b02e658263c5 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:42:57 +1200 >Subject: [PATCH 056/108] tests/krb5: Check FAST response > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e) >--- > python/samba/tests/krb5/raw_testcase.py | 41 +++++++++++++++++++++++-- > 1 file changed, 39 insertions(+), 2 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index da38a9dfa62..ab1f711cde1 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import ( > PADATA_ETYPE_INFO, > PADATA_ETYPE_INFO2, > PADATA_FOR_USER, >+ PADATA_FX_FAST, > PADATA_KDC_REQ, > PADATA_PAC_REQUEST, > PADATA_PK_AS_REQ, >@@ -1827,6 +1828,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_kdc_private_fn = kdc_exchange_dict['check_kdc_private_fn'] > rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec'] > msg_type = kdc_exchange_dict['rep_msg_type'] >+ armor_key = kdc_exchange_dict['armor_key'] > > self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP > padata = self.getElementValue(rep, 'padata') >@@ -1862,6 +1864,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementPresent(encpart, 'cipher') > encpart_cipher = self.getElementValue(encpart, 'cipher') > >+ ticket_checksum = None >+ > encpart_decryption_key = None > self.assertIsNotNone(check_padata_fn) > if check_padata_fn is not None: >@@ -1870,6 +1874,33 @@ class RawKerberosTest(TestCaseInTempDir): > check_padata_fn(kdc_exchange_dict, callback_dict, > rep, padata)) > >+ if armor_key is not None: >+ pa_dict = self.get_pa_dict(padata) >+ >+ if PADATA_FX_FAST in pa_dict: >+ fx_fast_data = pa_dict[PADATA_FX_FAST] >+ fast_response = self.check_fx_fast_data(kdc_exchange_dict, >+ fx_fast_data, >+ armor_key, >+ finished=True) >+ >+ if 'strengthen-key' in fast_response: >+ strengthen_key = self.EncryptionKey_import( >+ fast_response['strengthen-key']) >+ encpart_decryption_key = ( >+ self.generate_strengthen_reply_key( >+ strengthen_key, >+ encpart_decryption_key)) >+ >+ fast_finished = fast_response.get('finished', None) >+ if fast_finished is not None: >+ ticket_checksum = fast_finished['ticket-checksum'] >+ >+ self.check_rep_padata(kdc_exchange_dict, >+ callback_dict, >+ rep, >+ fast_response['padata']) >+ > ticket_private = None > self.assertIsNotNone(ticket_decryption_key) > if ticket_decryption_key is not None: 
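Review bot: In the generic_check_kdc_rep hunk, when armor_key is set but the reply carries no PADATA_FX_FAST the FAST checks are silently skipped, so a KDC that ignores the armor and answers in the clear would still pass a FAST test; consider asserting that PADATA_FX_FAST is present whenever the request was armored, since a FAST-capable KDC answers a FAST request with a PA-FX-FAST reply. Also, `generate_strengthen_reply_key(strengthen_key, encpart_decryption_key)` dereferences `.key` and `.kvno` on encpart_decryption_key, so an `assertIsNotNone(encpart_decryption_key)` before the combination would turn a check_padata_fn that returns None into a clear failure rather than an AttributeError.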
>@@ -1908,7 +1939,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(check_kdc_private_fn) > if check_kdc_private_fn is not None: > check_kdc_private_fn(kdc_exchange_dict, callback_dict, >- rep, ticket_private, encpart_private) >+ rep, ticket_private, encpart_private, >+ ticket_checksum) > > return rep > >@@ -1947,7 +1979,8 @@ class RawKerberosTest(TestCaseInTempDir): > callback_dict, > rep, > ticket_private, >- encpart_private): >+ encpart_private, >+ ticket_checksum): > > expected_crealm = kdc_exchange_dict['expected_crealm'] > expected_cname = kdc_exchange_dict['expected_cname'] >@@ -1957,6 +1990,10 @@ class RawKerberosTest(TestCaseInTempDir): > > ticket = self.getElementValue(rep, 'ticket') > >+ if ticket_checksum is not None: >+ armor_key = kdc_exchange_dict['armor_key'] >+ self.verify_ticket_checksum(ticket, ticket_checksum, armor_key) >+ > ticket_session_key = None > if ticket_private is not None: > self.assertElementPresent(ticket_private, 'flags') >-- >2.25.1 > > >From 9537a1b63990260fe5b8f3c56a54deddb0861969 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 15:20:44 +1200 >Subject: [PATCH 057/108] tests/krb5: Add functions to get dicts of request > padata > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6) >--- > python/samba/tests/krb5/raw_testcase.py | 11 +++++++++++ > 1 file changed, 11 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index ab1f711cde1..2963df70003 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -2371,6 +2371,17 @@ class RawKerberosTest(TestCaseInTempDir): > ticket_blob) > self.assertEqual(expected_checksum, checksum) > >+ def get_outer_pa_dict(self, kdc_exchange_dict): >+ return self.get_pa_dict(kdc_exchange_dict['req_padata']) >+ >+ def get_fast_pa_dict(self, kdc_exchange_dict): >+ req_pa_dict = self.get_pa_dict(kdc_exchange_dict['fast_padata']) >+ >+ if req_pa_dict: >+ return req_pa_dict >+ >+ return self.get_outer_pa_dict(kdc_exchange_dict) >+ > def _test_as_exchange(self, > cname, > realm, >-- >2.25.1 > > >From 597e4940efa8d86e13e460de5c338051c5dea18d Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 15:21:01 +1200 >Subject: [PATCH 058/108] tests/krb5: Add methods to determine whether elements > were included in the request > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2) >--- > python/samba/tests/krb5/raw_testcase.py | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 2963df70003..d96cd1cfc15 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -69,6 +69,7 @@ from samba.tests.krb5.rfc4120_constants import ( > PADATA_FOR_USER, > PADATA_FX_FAST, > PADATA_KDC_REQ, >+ PADATA_PAC_OPTIONS, > PADATA_PAC_REQUEST, > PADATA_PK_AS_REQ, > PADATA_PK_AS_REP_19 
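Review bot: In the get_fast_pa_dict hunk, the fallback to the outer padata triggers whenever the inner FAST padata is empty, not whenever FAST was not used; a test that deliberately sends FAST with an empty inner padata would have sent_enc_challenge()/sent_claims() report elements that were only present in the outer request. Falling back only when PADATA_FX_FAST is absent from the outer padata (the condition sent_fast() already tests) would make the distinction explicit.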
>@@ -2382,6 +2383,30 @@ class RawKerberosTest(TestCaseInTempDir): > > return self.get_outer_pa_dict(kdc_exchange_dict) > >+ def sent_fast(self, kdc_exchange_dict): >+ outer_pa_dict = self.get_outer_pa_dict(kdc_exchange_dict) >+ >+ return PADATA_FX_FAST in outer_pa_dict >+ >+ def sent_enc_challenge(self, kdc_exchange_dict): >+ fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict) >+ >+ return PADATA_ENCRYPTED_CHALLENGE in fast_pa_dict >+ >+ def sent_claims(self, kdc_exchange_dict): >+ fast_pa_dict = self.get_fast_pa_dict(kdc_exchange_dict) >+ >+ if PADATA_PAC_OPTIONS not in fast_pa_dict: >+ return False >+ >+ pac_options = self.der_decode(fast_pa_dict[PADATA_PAC_OPTIONS], >+ asn1Spec=krb5_asn1.PA_PAC_OPTIONS()) >+ pac_options = pac_options['options'] >+ claims_pos = len(tuple(krb5_asn1.PACOptionFlags('claims'))) - 1 >+ >+ return (claims_pos < len(pac_options) >+ and pac_options[claims_pos] == '1') >+ > def _test_as_exchange(self, > cname, > realm, >-- >2.25.1 > > >From 7cc8d2526210a51bf4fd2a3a7d7f5396b219e452 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:34:49 +1200 >Subject: [PATCH 059/108] tests/krb5: Check encrypted-pa-data > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69) >--- > python/samba/tests/krb5/raw_testcase.py | 52 ++++++++++++++++++++++++- > 1 file changed, 51 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index d96cd1cfc15..2512ee1b99f 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -72,7 +72,8 @@ from samba.tests.krb5.rfc4120_constants import ( > PADATA_PAC_OPTIONS, > PADATA_PAC_REQUEST, > PADATA_PK_AS_REQ, >- PADATA_PK_AS_REP_19 >+ PADATA_PK_AS_REP_19, >+ PADATA_SUPPORTED_ETYPES > ) > import samba.tests.krb5.kcrypto as kcrypto > >@@ -1982,6 +1983,10 @@ class RawKerberosTest(TestCaseInTempDir): > ticket_private, > encpart_private, > ticket_checksum): >+ kdc_options = kdc_exchange_dict['kdc_options'] >+ canon_pos = len(tuple(krb5_asn1.KDCOptions('canonicalize'))) - 1 >+ canonicalize = (canon_pos < len(kdc_options) >+ and kdc_options[canon_pos] == '1') > > expected_crealm = kdc_exchange_dict['expected_crealm'] > expected_cname = kdc_exchange_dict['expected_cname'] 
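Review bot: The canonicalize test in the hunk extending generic_check_kdc_private derives the bit position with `len(tuple(krb5_asn1.KDCOptions('canonicalize'))) - 1`, the same idiom sent_claims() uses for PACOptionFlags, whereas check_pac_options_claims_support() in the following hunk hardcodes index 0 for the claims bit; reusing the computed position there keeps one source of truth for the bit layout. The encrypted-pa-data hunk also calls `struct.unpack` and `security.KERB_ENCTYPE_*`, while the import hunk here only adds PADATA_SUPPORTED_ETYPES, so please confirm `struct` and `samba.dcerpc.security` are already imported in raw_testcase.py.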
>@@ -2044,6 +2049,46 @@ class RawKerberosTest(TestCaseInTempDir): > expected_sname) > # TODO self.assertElementMissing(encpart_private, 'caddr') > >+ sent_claims = self.sent_claims(kdc_exchange_dict) >+ >+ if self.strict_checking: >+ if sent_claims or canonicalize: >+ self.assertElementPresent(encpart_private, >+ 'encrypted-pa-data') >+ enc_pa_dict = self.get_pa_dict( >+ encpart_private['encrypted-pa-data']) >+ if canonicalize: >+ self.assertIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict) >+ >+ (supported_etypes,) = struct.unpack( >+ '<L', >+ enc_pa_dict[PADATA_SUPPORTED_ETYPES]) >+ >+ self.assertTrue( >+ security.KERB_ENCTYPE_FAST_SUPPORTED >+ & supported_etypes) >+ self.assertTrue( >+ security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED >+ & supported_etypes) >+ self.assertTrue( >+ security.KERB_ENCTYPE_CLAIMS_SUPPORTED >+ & supported_etypes) >+ else: >+ self.assertNotIn(PADATA_SUPPORTED_ETYPES, enc_pa_dict) >+ >+ # ClaimsCompIdFASTSupported registry key >+ if sent_claims: >+ self.assertIn(PADATA_PAC_OPTIONS, enc_pa_dict) >+ >+ self.check_pac_options_claims_support( >+ enc_pa_dict[PADATA_PAC_OPTIONS]) >+ else: >+ self.assertNotIn(PADATA_PAC_OPTIONS, enc_pa_dict) >+ else: >+ self.assertElementEqual(encpart_private, >+ 'encrypted-pa-data', >+ []) >+ > if ticket_session_key is not None and encpart_session_key is not None: > self.assertEqual(ticket_session_key.etype, > encpart_session_key.etype) >@@ -2066,6 +2111,11 @@ class RawKerberosTest(TestCaseInTempDir): > > kdc_exchange_dict['rep_ticket_creds'] = ticket_creds > >+ def check_pac_options_claims_support(self, pac_options): >+ pac_options = self.der_decode(pac_options, >+ asn1Spec=krb5_asn1.PA_PAC_OPTIONS()) >+ self.assertEqual('1', pac_options['options'][0]) # claims bit >+ > def generic_check_kdc_error(self, > kdc_exchange_dict, > callback_dict, >-- >2.25.1 > > >From d2cb91d1b1ec5961d29b7f6c8f10df99c090d3f3 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:05:59 +1200 >Subject: [PATCH 060/108] tests/krb5: Add expected_cname_private parameter to > kdc_exchange_dict > >This is useful for testing the 'hide client names' FAST option. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d) >--- > python/samba/tests/krb5/raw_testcase.py | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 2512ee1b99f..b79b84686a6 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1699,6 +1699,7 @@ class RawKerberosTest(TestCaseInTempDir): > def as_exchange_dict(self, > expected_crealm=None, > expected_cname=None, >+ expected_cname_private=None, > expected_srealm=None, > expected_sname=None, > ticket_decryption_key=None, >@@ -1752,6 +1753,10 @@ class RawKerberosTest(TestCaseInTempDir): > 'kdc_options': kdc_options, > 'outer_req': outer_req > } >+ if expected_cname_private is not None: >+ kdc_exchange_dict['expected_cname_private'] = ( >+ expected_cname_private) >+ > if callback_dict is None: > callback_dict = {} > >@@ -1760,6 +1765,7 @@ class RawKerberosTest(TestCaseInTempDir): > def tgs_exchange_dict(self, > expected_crealm=None, > expected_cname=None, >+ expected_cname_private=None, > expected_srealm=None, > expected_sname=None, > ticket_decryption_key=None, >@@ -1811,6 +1817,10 @@ class RawKerberosTest(TestCaseInTempDir): > 'kdc_options': kdc_options, > 'outer_req': outer_req > } >+ if expected_cname_private is not None: >+ kdc_exchange_dict['expected_cname_private'] = ( >+ expected_cname_private) >+ > if callback_dict is None: > callback_dict = {} 
> >@@ -1989,11 +1999,15 @@ class RawKerberosTest(TestCaseInTempDir): > and kdc_options[canon_pos] == '1') > > expected_crealm = kdc_exchange_dict['expected_crealm'] >- expected_cname = kdc_exchange_dict['expected_cname'] > expected_srealm = kdc_exchange_dict['expected_srealm'] > expected_sname = kdc_exchange_dict['expected_sname'] > ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key'] > >+ try: >+ expected_cname = kdc_exchange_dict['expected_cname_private'] >+ except KeyError: >+ expected_cname = kdc_exchange_dict['expected_cname'] >+ > ticket = self.getElementValue(rep, 'ticket') > > if ticket_checksum is not None: >-- >2.25.1 > > >From 7397156eec5cf4e37f57fc9fb691964a4e8f1002 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:18:29 +1200 >Subject: [PATCH 061/108] tests/krb5: Include authdata in kdc_exchange_dict > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944) >--- > python/samba/tests/krb5/raw_testcase.py | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index b79b84686a6..c1dfe44dfd1 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1720,6 +1720,7 @@ class RawKerberosTest(TestCaseInTempDir): > armor_key=None, > armor_tgt=None, > armor_subkey=None, >+ auth_data=None, > kdc_options='', > outer_req=None): > kdc_exchange_dict = { >@@ -1750,6 +1751,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'armor_key': armor_key, > 'armor_tgt': armor_tgt, > 'armor_subkey': armor_subkey, >+ 'auth_data': auth_data, > 'kdc_options': kdc_options, > 'outer_req': outer_req > } 
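Review bot: the `try: expected_cname = kdc_exchange_dict['expected_cname_private'] except KeyError:` fallback in the hunk at line 1999 says the same thing as `kdc_exchange_dict.get('expected_cname_private', kdc_exchange_dict['expected_cname'])`, which is the idiom the later hunks in this series use (`kdc_exchange_dict.get('client_as_etypes', [])`); prefer the one-liner for consistency. More importantly, the hunk only swaps the private name in for the ticket and enc-part checks; make sure the reply's outer `cname` is still compared against `kdc_exchange_dict['expected_cname']` somewhere in this function, otherwise the hide-client-names FAST option the commit message mentions is only half tested.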
>@@ -1784,6 +1786,7 @@ class RawKerberosTest(TestCaseInTempDir): > armor_tgt=None, > armor_subkey=None, > authenticator_subkey=None, >+ auth_data=None, > body_checksum_type=None, > kdc_options='', > outer_req=None): >@@ -1813,6 +1816,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'armor_key': armor_key, > 'armor_tgt': armor_tgt, > 'armor_subkey': armor_subkey, >+ 'auth_data': auth_data, > 'authenticator_subkey': authenticator_subkey, > 'kdc_options': kdc_options, > 'outer_req': outer_req >@@ -2328,6 +2332,8 @@ class RawKerberosTest(TestCaseInTempDir): > req_body_blob, > ctype=body_checksum_type) > >+ auth_data = kdc_exchange_dict['auth_data'] >+ > subkey_obj = None > if authenticator_subkey is not None: > subkey_obj = authenticator_subkey.export_obj() >@@ -2341,7 +2347,7 @@ class RawKerberosTest(TestCaseInTempDir): > ctime=ctime, > subkey=subkey_obj, > seq_number=seq_number, >- authorization_data=None) >+ authorization_data=auth_data) > authenticator_blob = self.der_encode( > authenticator_obj, > asn1Spec=krb5_asn1.Authenticator()) >-- >2.25.1 > > >From 1e4d12b93aba89523bea15eef0ffc32568754e7f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 15:20:09 +1200 >Subject: [PATCH 062/108] tests/krb5: Add generate_simple_fast() method to > generate FX-FAST padata > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb) >--- > python/samba/tests/krb5/raw_testcase.py | 34 +++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index c1dfe44dfd1..a557c424527 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -52,6 +52,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_TGS_REQ, > KU_AP_REQ_AUTH, > KU_AS_REP_ENC_PART, >+ KU_FAST_ENC, > KU_FAST_FINISHED, > KU_FAST_REP, > KU_FAST_REQ_CHKSUM, >@@ -2309,6 +2310,39 @@ class RawKerberosTest(TestCaseInTempDir): > kdc_exchange_dict['preauth_etype_info2'] = etype_info2 > return > >+ def generate_simple_fast(self, >+ kdc_exchange_dict, >+ _callback_dict, >+ req_body, >+ fast_padata, >+ fast_armor, >+ checksum, >+ fast_options=''): >+ armor_key = kdc_exchange_dict['armor_key'] >+ >+ fast_req = self.KRB_FAST_REQ_create(fast_options, >+ fast_padata, >+ req_body) >+ fast_req = self.der_encode(fast_req, >+ asn1Spec=krb5_asn1.KrbFastReq()) >+ fast_req = self.EncryptedData_create(armor_key, >+ KU_FAST_ENC, >+ fast_req) >+ >+ fast_armored_req = self.KRB_FAST_ARMORED_REQ_create(fast_armor, >+ checksum, >+ fast_req) >+ >+ fx_fast_request = self.PA_FX_FAST_REQUEST_create(fast_armored_req) >+ fx_fast_request = self.der_encode( >+ fx_fast_request, >+ asn1Spec=krb5_asn1.PA_FX_FAST_REQUEST()) >+ >+ fast_padata = self.PA_DATA_create(PADATA_FX_FAST, >+ fx_fast_request) >+ >+ return fast_padata >+ > def generate_ap_req(self, > kdc_exchange_dict, > _callback_dict, >-- >2.25.1 > > >From 1df48b35577796da0eafa156b853c487219b8f8e Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:21:14 +1200 >Subject: [PATCH 063/108] tests/krb5: Add check_rep_padata() method to check > padata in reply > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab) >--- > python/samba/tests/krb5/raw_testcase.py | 83 ++++++++++++++----------- > 1 file changed, 48 insertions(+), 35 deletions(-) 
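Review bot: `generate_simple_fast()` reads `armor_key = kdc_exchange_dict['armor_key']` and hands it straight to `EncryptedData_create()`, so a test that forgot to set up armor fails deep inside the encryption helper; add `self.assertIsNotNone(armor_key)` right after the lookup, as later hunks in this series do for the armor key. A short docstring would also help: `checksum` is expected to be the caller-computed checksum over the outer KDC-REQ-BODY keyed with the armor key (key usage `KU_FAST_REQ_CHKSUM`, already in the import list; RFC 6113 section 5.4.2), and `fast_options` is the FastOptions bit string passed to `KRB_FAST_REQ_create()`.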
> >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index a557c424527..80c60682bd1 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -2144,13 +2144,54 @@ class RawKerberosTest(TestCaseInTempDir): > expected_cname = kdc_exchange_dict['expected_cname'] > expected_srealm = kdc_exchange_dict['expected_srealm'] > expected_sname = kdc_exchange_dict['expected_sname'] >- expected_salt = kdc_exchange_dict['expected_salt'] >- client_as_etypes = kdc_exchange_dict['client_as_etypes'] >+ expected_error_mode = kdc_exchange_dict['expected_error_mode'] >+ >+ self.assertElementEqual(rep, 'pvno', 5) >+ self.assertElementEqual(rep, 'msg-type', KRB_ERROR) >+ self.assertElementEqual(rep, 'error-code', expected_error_mode) >+ if self.strict_checking: >+ self.assertElementMissing(rep, 'ctime') >+ self.assertElementMissing(rep, 'cusec') >+ self.assertElementPresent(rep, 'stime') >+ self.assertElementPresent(rep, 'susec') >+ # error-code checked above >+ if self.strict_checking: >+ self.assertElementMissing(rep, 'crealm') >+ self.assertElementMissing(rep, 'cname') >+ self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >+ self.assertElementEqualPrincipal(rep, 'sname', expected_sname) >+ self.assertElementMissing(rep, 'e-text') >+ if expected_error_mode == KDC_ERR_GENERIC: >+ self.assertElementMissing(rep, 'e-data') >+ return rep >+ edata = self.getElementValue(rep, 'e-data') >+ if self.strict_checking: >+ self.assertIsNotNone(edata) >+ if edata is not None: >+ rep_padata = self.der_decode(edata, >+ asn1Spec=krb5_asn1.METHOD_DATA()) >+ self.assertGreater(len(rep_padata), 0) >+ else: >+ rep_padata = [] >+ >+ etype_info2 = self.check_rep_padata(kdc_exchange_dict, >+ callback_dict, >+ rep, >+ rep_padata) >+ >+ kdc_exchange_dict['preauth_etype_info2'] = etype_info2 >+ >+ return rep >+ >+ def check_rep_padata(self, >+ kdc_exchange_dict, >+ callback_dict, >+ rep, >+ rep_padata): > expected_error_mode = kdc_exchange_dict['expected_error_mode'] > req_body = kdc_exchange_dict['req_body'] > proposed_etypes = req_body['etype'] >- >- kdc_exchange_dict['preauth_etype_info2'] = None >+ client_as_etypes = 
kdc_exchange_dict.get('client_as_etypes', []) > > expect_etype_info2 = () > expect_etype_info = False >@@ -2188,34 +2229,6 @@ class RawKerberosTest(TestCaseInTempDir): > expected_patypes += (PADATA_PK_AS_REQ,) > expected_patypes += (PADATA_PK_AS_REP_19,) > >- self.assertElementEqual(rep, 'pvno', 5) >- self.assertElementEqual(rep, 'msg-type', KRB_ERROR) >- self.assertElementEqual(rep, 'error-code', expected_error_mode) >- if self.strict_checking: >- self.assertElementMissing(rep, 'ctime') >- self.assertElementMissing(rep, 'cusec') >- self.assertElementPresent(rep, 'stime') >- self.assertElementPresent(rep, 'susec') >- # error-code checked above >- if self.strict_checking: >- self.assertElementMissing(rep, 'crealm') >- self.assertElementMissing(rep, 'cname') >- self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >- self.assertElementEqualPrincipal(rep, 'sname', expected_sname) >- self.assertElementMissing(rep, 'e-text') >- if expected_error_mode == KDC_ERR_GENERIC: >- self.assertElementMissing(rep, 'e-data') >- return >- edata = self.getElementValue(rep, 'e-data') >- if self.strict_checking: >- self.assertIsNotNone(edata) >- if edata is not None: >- rep_padata = self.der_decode(edata, >- asn1Spec=krb5_asn1.METHOD_DATA()) >- self.assertGreater(len(rep_padata), 0) >- else: >- rep_padata = [] >- > if self.strict_checking: > for i, patype in enumerate(expected_patypes): > self.assertElementEqual(rep_padata[i], 'padata-type', patype) >@@ -2265,7 +2278,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(enc_timestamp) > self.assertIsNotNone(pk_as_req) > self.assertIsNotNone(pk_as_rep19) >- return >+ return None > > if self.strict_checking: > self.assertIsNotNone(etype_info2) 
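Review bot: moving the KRB-ERROR header checks ahead of `check_rep_padata()` changes one observable: the old code set `kdc_exchange_dict['preauth_etype_info2'] = None` before any early return, but the new `KDC_ERR_GENERIC` path (`return rep` straight after `assertElementMissing(rep, 'e-data')`) returns without touching the key, so a caller that reads `preauth_etype_info2` after a generic error now gets a `KeyError`, or a stale value left over from an earlier exchange. Set it to `None` before that early return, or initialise it at the top as before. Separately, the strict-checking loop `for i, patype in enumerate(expected_patypes): self.assertElementEqual(rep_padata[i], 'padata-type', patype)` raises `IndexError` instead of an assertion failure when the KDC returns fewer padata than expected; an `assertGreaterEqual(len(rep_padata), len(expected_patypes))` before the loop gives a readable failure.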
>@@ -2288,6 +2301,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNone(salt) > else: > self.assertIsNotNone(salt) >+ expected_salt = kdc_exchange_dict['expected_salt'] > if expected_salt is not None: > self.assertEqual(salt, expected_salt) > s2kparams = self.getElementValue(etype_info2[i], 's2kparams') >@@ -2307,8 +2321,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(pk_as_req) > self.assertIsNotNone(pk_as_rep19) > >- kdc_exchange_dict['preauth_etype_info2'] = etype_info2 >- return >+ return etype_info2 > > def generate_simple_fast(self, > kdc_exchange_dict, >-- >2.25.1 > > >From de5c20323251c7e4bef90dcb61e23d2eaa0610fc Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:35:32 +1200 >Subject: [PATCH 064/108] tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a > non-error reply > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359) >--- > python/samba/tests/krb5/raw_testcase.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 80c60682bd1..7a66b74adfe 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2208,7 +2208,7 @@ class RawKerberosTest(TestCaseInTempDir): > if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): > if etype > expected_aes_type: > expected_aes_type = etype >- if etype in (kcrypto.Enctype.RC4,): >+ if etype in (kcrypto.Enctype.RC4,) and expected_error_mode != 0: > unexpect_etype_info = False > if etype > expected_rc4_type: > expected_rc4_type = etype >-- >2.25.1 > > >From 94004ab4148bb16826874a7f3a6ea5e3badb895a Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:26:06 +1200 >Subject: [PATCH 065/108] tests/krb5: Remove unused variables > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c) >--- > python/samba/tests/krb5/kdc_base_test.py | 2 -- > python/samba/tests/krb5/raw_testcase.py | 1 - > 2 files changed, 3 deletions(-) > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 24a1e7cfbc8..b148fa01f65 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -256,8 +256,6 @@ class KDCBaseTest(RawKerberosTest): > > rid = identifier.sid.split()[1] > >- forced_keys = dict() >- > net_ctx = net.Net(admin_creds) > > keys = {} >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 7a66b74adfe..60d35923b35 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2140,7 +2140,6 @@ class RawKerberosTest(TestCaseInTempDir): > callback_dict, > rep): > >- expected_crealm = kdc_exchange_dict['expected_crealm'] > expected_cname = kdc_exchange_dict['expected_cname'] > expected_srealm = kdc_exchange_dict['expected_srealm'] > expected_sname = kdc_exchange_dict['expected_sname'] >-- >2.25.1 > > >From 2d27db1a813d1367fc83d898a5ff2c6fbb79646e Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 11:15:00 +1200 >Subject: [PATCH 066/108] tests/krb5: Add get_krbtgt_sname() method 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit dbe98005d5873440063b91e56679937149535be7) >--- > python/samba/tests/krb5/raw_testcase.py | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 60d35923b35..8351de1e6e3 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -64,6 +64,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KU_TGS_REQ_AUTH_DAT_SESSION, > KU_TGS_REQ_AUTH_DAT_SUBKEY, > KU_TICKET, >+ NT_SRV_INST, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO, > PADATA_ETYPE_INFO2, >@@ -2523,6 +2524,15 @@ class RawKerberosTest(TestCaseInTempDir): > return (claims_pos < len(pac_options) > and pac_options[claims_pos] == '1') > >+ def get_krbtgt_sname(self): >+ krbtgt_creds = self.get_krbtgt_creds() >+ krbtgt_username = krbtgt_creds.get_username() >+ krbtgt_realm = krbtgt_creds.get_realm() >+ krbtgt_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) >+ >+ return krbtgt_sname >+ > def _test_as_exchange(self, > cname, > realm, >-- >2.25.1 > > >From 3b7713f3bef851057dfc8fe1c4fbde47759ae344 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:25:39 +1200 >Subject: [PATCH 067/108] tests/krb5: Check sname is krbtgt for FAST generic > error > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0) >--- > python/samba/tests/krb5/raw_testcase.py | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) 
> >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 8351de1e6e3..77b682e57ea 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2146,6 +2146,8 @@ class RawKerberosTest(TestCaseInTempDir): > expected_sname = kdc_exchange_dict['expected_sname'] > expected_error_mode = kdc_exchange_dict['expected_error_mode'] > >+ sent_fast = self.sent_fast(kdc_exchange_dict) >+ > self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) > self.assertElementEqual(rep, 'error-code', expected_error_mode) >@@ -2159,7 +2161,11 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertElementMissing(rep, 'crealm') > self.assertElementMissing(rep, 'cname') > self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >- self.assertElementEqualPrincipal(rep, 'sname', expected_sname) >+ if sent_fast and expected_error_mode == KDC_ERR_GENERIC: >+ self.assertElementEqualPrincipal(rep, 'sname', >+ self.get_krbtgt_sname()) >+ else: >+ self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > self.assertElementMissing(rep, 'e-text') > if expected_error_mode == KDC_ERR_GENERIC: > self.assertElementMissing(rep, 'e-data') >-- >2.25.1 > > >From ec89bd61d94cf5251aa6e2ed83a5657144f15dcc Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:31:39 +1200 >Subject: [PATCH 068/108] tests/krb5: Check reply FAST padata if request > included FAST > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93) >--- > python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) 
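Review bot: the `if sent_fast and expected_error_mode == KDC_ERR_GENERIC:` branch hard-codes that a FAST request answered with a generic error names the krbtgt in `sname` rather than the requested service, but gives no reason; add a comment saying which KDC this was observed against and why it is the expected behaviour, so a later change in KDC behaviour is not mistaken for a test bug. Note also that `realm` is still compared with `expected_srealm` on the line above even in this branch, which is only correct while the krbtgt's realm equals the requested service's realm; if a cross-realm test ever takes this path, the realm check should come from `self.get_krbtgt_creds().get_realm()` in the same way the sname does.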
> >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 77b682e57ea..965a8f9fb00 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2177,6 +2177,21 @@ class RawKerberosTest(TestCaseInTempDir): > rep_padata = self.der_decode(edata, > asn1Spec=krb5_asn1.METHOD_DATA()) > self.assertGreater(len(rep_padata), 0) >+ >+ if sent_fast: >+ self.assertEqual(1, len(rep_padata)) >+ rep_pa_dict = self.get_pa_dict(rep_padata) >+ self.assertIn(PADATA_FX_FAST, rep_pa_dict) >+ >+ armor_key = kdc_exchange_dict['armor_key'] >+ self.assertIsNotNone(armor_key) >+ fast_response = self.check_fx_fast_data( >+ kdc_exchange_dict, >+ rep_pa_dict[PADATA_FX_FAST], >+ armor_key, >+ expect_strengthen_key=False) >+ >+ rep_padata = fast_response['padata'] > else: > rep_padata = [] > >-- >2.25.1 > > >From af94fc066b783e07e892bc30d6f4e0eac70527e8 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:42:26 +1200 >Subject: [PATCH 069/108] tests/krb5: Adjust reply padata checking depending on > whether FAST was sent > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b) >--- > python/samba/tests/krb5/raw_testcase.py | 62 ++++++++++++++++++++++--- > 1 file changed, 55 insertions(+), 7 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 965a8f9fb00..529d4d925e6 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
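Review bot: in the `if sent_fast:` block, `self.assertEqual(1, len(rep_padata))` runs before `self.assertIn(PADATA_FX_FAST, rep_pa_dict)`, so a reply that does carry PA-FX-FAST plus one stray extra padata is reported as a bare count mismatch without saying what the extra element was; asserting on the list of padata types (`[PADATA_FX_FAST]`) instead of the length gives a failure message that names the surplus type. `expect_strengthen_key=False` is right for this path: RFC 6113 section 5.4.3 requires strengthen-key to be absent from a KRB-ERROR.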
>@@ -44,6 +44,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( > FX_FAST_ARMOR_AP_REQUEST, > KDC_ERR_GENERIC, >+ KDC_ERR_PREAUTH_FAILED, > KRB_AP_REQ, > KRB_AS_REP, > KRB_AS_REQ, >@@ -65,10 +66,13 @@ from samba.tests.krb5.rfc4120_constants import ( > KU_TGS_REQ_AUTH_DAT_SUBKEY, > KU_TICKET, > NT_SRV_INST, >+ PADATA_ENCRYPTED_CHALLENGE, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO, > PADATA_ETYPE_INFO2, > PADATA_FOR_USER, >+ PADATA_FX_COOKIE, >+ PADATA_FX_ERROR, > PADATA_FX_FAST, > PADATA_KDC_REQ, > PADATA_PAC_OPTIONS, >@@ -407,6 +411,8 @@ class RawKerberosTest(TestCaseInTempDir): > # obtained. > cls.creds_dict = {} > >+ cls.kdc_fast_support = False >+ > def setUp(self): > super().setUp() > self.do_asn1_print = False >@@ -2214,6 +2220,9 @@ class RawKerberosTest(TestCaseInTempDir): > proposed_etypes = req_body['etype'] > client_as_etypes = kdc_exchange_dict.get('client_as_etypes', []) > >+ sent_fast = self.sent_fast(kdc_exchange_dict) >+ sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict) >+ > expect_etype_info2 = () > expect_etype_info = False > unexpect_etype_info = True 
>@@ -2240,15 +2249,31 @@ class RawKerberosTest(TestCaseInTempDir): > expect_etype_info2 += (expected_rc4_type,) > > expected_patypes = () >+ if sent_fast and expected_error_mode != 0: >+ expected_patypes += (PADATA_FX_ERROR,) >+ expected_patypes += (PADATA_FX_COOKIE,) >+ > if expect_etype_info: > self.assertGreater(len(expect_etype_info2), 0) > expected_patypes += (PADATA_ETYPE_INFO,) > if len(expect_etype_info2) != 0: > expected_patypes += (PADATA_ETYPE_INFO2,) > >- expected_patypes += (PADATA_ENC_TIMESTAMP,) >- expected_patypes += (PADATA_PK_AS_REQ,) >- expected_patypes += (PADATA_PK_AS_REP_19,) >+ if expected_error_mode != KDC_ERR_PREAUTH_FAILED: >+ if sent_fast: >+ expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) >+ else: >+ expected_patypes += (PADATA_ENC_TIMESTAMP,) >+ >+ if not sent_enc_challenge: >+ expected_patypes += (PADATA_PK_AS_REQ,) >+ expected_patypes += (PADATA_PK_AS_REP_19,) >+ >+ if (self.kdc_fast_support >+ and not sent_fast >+ and not sent_enc_challenge): >+ expected_patypes += (PADATA_FX_FAST,) >+ expected_patypes += (PADATA_FX_COOKIE,) > > if self.strict_checking: > for i, patype in enumerate(expected_patypes): >@@ -2296,7 +2321,12 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNone(etype_info2) > self.assertIsNone(etype_info) > if self.strict_checking: >- self.assertIsNotNone(enc_timestamp) >+ if sent_fast: >+ self.assertIsNotNone(enc_challenge) >+ self.assertIsNone(enc_timestamp) >+ else: >+ self.assertIsNotNone(enc_timestamp) >+ self.assertIsNone(enc_challenge) > self.assertIsNotNone(pk_as_req) > self.assertIsNotNone(pk_as_rep19) > return None 
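Review bot: the two halves of the preauth expectations in this patch disagree. The `expected_patypes` list now omits `PADATA_ENC_TIMESTAMP`/`PADATA_ENCRYPTED_CHALLENGE` when `expected_error_mode == KDC_ERR_PREAUTH_FAILED` and omits the PK-INIT types when `sent_enc_challenge` is set, but the strict-checking block in the no-AES/no-RC4 early return (`if sent_fast: self.assertIsNotNone(enc_challenge) ... self.assertIsNotNone(pk_as_req); self.assertIsNotNone(pk_as_rep19)`) still demands all of them unconditionally. Apply the same `expected_error_mode != KDC_ERR_PREAUTH_FAILED` and `not sent_enc_challenge` guards there, as the next hunk of this patch does for the normal path, otherwise a PREAUTH_FAILED reply to a request with no AES or RC4 etypes fails under strict checking for the wrong reason. Minor: `0` is used to mean "no error expected" in `expected_error_mode != 0` here and in patch 064; a named constant would read better.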
>@@ -2338,9 +2368,27 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(salt) > self.assertEqual(len(salt), 0) > >- self.assertIsNotNone(enc_timestamp) >- self.assertIsNotNone(pk_as_req) >- self.assertIsNotNone(pk_as_rep19) >+ if expected_error_mode != KDC_ERR_PREAUTH_FAILED: >+ if sent_fast: >+ self.assertIsNotNone(enc_challenge) >+ if self.strict_checking: >+ self.assertIsNone(enc_timestamp) >+ else: >+ self.assertIsNotNone(enc_timestamp) >+ if self.strict_checking: >+ self.assertIsNone(enc_challenge) >+ if not sent_enc_challenge: >+ self.assertIsNotNone(pk_as_req) >+ self.assertIsNotNone(pk_as_rep19) >+ else: >+ self.assertIsNone(pk_as_req) >+ self.assertIsNone(pk_as_rep19) >+ else: >+ if self.strict_checking: >+ self.assertIsNone(enc_timestamp) >+ self.assertIsNone(enc_challenge) >+ self.assertIsNone(pk_as_req) >+ self.assertIsNone(pk_as_rep19) > > return etype_info2 > >-- >2.25.1 > > >From 39c72b012923005e9464af5f4a02f1435b57f64b Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:36:56 +1200 >Subject: [PATCH 070/108] tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd) >--- > python/samba/tests/krb5/raw_testcase.py | 54 +++++++++++++++++++++++++ > 1 file changed, 54 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 529d4d925e6..ca967c1ac13 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -53,6 +53,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_TGS_REQ, > KU_AP_REQ_AUTH, > KU_AS_REP_ENC_PART, >+ KU_ENC_CHALLENGE_KDC, > KU_FAST_ENC, > KU_FAST_FINISHED, > KU_FAST_REP, 
>@@ -2283,6 +2284,7 @@ class RawKerberosTest(TestCaseInTempDir): > etype_info2 = None > etype_info = None > enc_timestamp = None >+ enc_challenge = None > pk_as_req = None > pk_as_rep19 = None > for pa in rep_padata: >@@ -2303,6 +2305,10 @@ class RawKerberosTest(TestCaseInTempDir): > enc_timestamp = pavalue > self.assertEqual(len(enc_timestamp), 0) > continue >+ if patype == PADATA_ENCRYPTED_CHALLENGE: >+ self.assertIsNone(enc_challenge) >+ enc_challenge = pavalue >+ continue > if patype == PADATA_PK_AS_REQ: > self.assertIsNone(pk_as_req) > pk_as_req = pavalue 
>@@ -2314,6 +2320,54 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertEqual(len(pk_as_rep19), 0) > continue > >+ if enc_challenge is not None: >+ if not sent_enc_challenge: >+ self.assertEqual(len(enc_challenge), 0) >+ else: >+ armor_key = kdc_exchange_dict['armor_key'] >+ self.assertIsNotNone(armor_key) >+ >+ check_padata_fn = kdc_exchange_dict['check_padata_fn'] >+ padata = self.getElementValue(rep, 'padata') >+ self.assertIsNotNone(check_padata_fn) >+ preauth_key, _ = check_padata_fn(kdc_exchange_dict, >+ callback_dict, >+ rep, >+ padata) >+ >+ kdc_challenge_key = self.generate_kdc_challenge_key( >+ armor_key, preauth_key) >+ >+ # Ensure that the encrypted challenge FAST factor is supported >+ # (RFC6113 5.4.6). >+ if self.strict_checking: >+ self.assertNotEqual(len(enc_challenge), 0) >+ if len(enc_challenge) != 0: >+ encrypted_challenge = self.der_decode( >+ enc_challenge, >+ asn1Spec=krb5_asn1.EncryptedData()) >+ self.assertEqual(encrypted_challenge['etype'], >+ kdc_challenge_key.etype) >+ >+ challenge = kdc_challenge_key.decrypt( >+ KU_ENC_CHALLENGE_KDC, >+ encrypted_challenge['cipher']) >+ challenge = self.der_decode( >+ challenge, >+ asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >+ >+ # Retrieve the returned timestamp. >+ rep_patime = challenge['patimestamp'] >+ self.assertIn('pausec', challenge) >+ >+ # Ensure the returned time is within five minutes of the >+ # current time. >+ rep_time = self.get_EpochFromKerberosTime(rep_patime) >+ current_time = time.time() >+ >+ self.assertLess(current_time - 300, rep_time) >+ self.assertLess(rep_time, current_time) >+ > if all(etype not in client_as_etypes or etype not in proposed_etypes > for etype in (kcrypto.Enctype.AES256, > kcrypto.Enctype.AES128, >-- >2.25.1 > > >From abbfdec31576887acdca8f7e5401679401d2b045 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:49:12 +1200 >Subject: [PATCH 071/108] tests/krb5: Check PADATA-FX-COOKIE in reply 
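Review bot: the timestamp window at the end of the encrypted-challenge check is one-sided: `self.assertLess(current_time - 300, rep_time)` together with `self.assertLess(rep_time, current_time)` accepts a KDC clock up to five minutes behind the test host but fails if it is even one second ahead (KerberosTime has whole-second resolution, so a KDC whose clock is slightly ahead yields `rep_time > current_time`). Kerberos clock-skew tolerance is symmetric, so check `abs(rep_time - current_time) < 300`, or document why the KDC under test must never be ahead. Also, `time.time()` is used but the hunk does not add `import time` to raw_testcase.py; confirm it is already imported.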
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7) >--- > python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index ca967c1ac13..23a4e70c22f 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2287,6 +2287,8 @@ class RawKerberosTest(TestCaseInTempDir): > enc_challenge = None > pk_as_req = None > pk_as_rep19 = None >+ fast_cookie = None >+ fx_fast = None > for pa in rep_padata: > patype = self.getElementValue(pa, 'padata-type') > pavalue = self.getElementValue(pa, 'padata-value') >@@ -2319,6 +2321,19 @@ class RawKerberosTest(TestCaseInTempDir): > pk_as_rep19 = pavalue > self.assertEqual(len(pk_as_rep19), 0) > continue >+ if patype == PADATA_FX_COOKIE: >+ self.assertIsNone(fast_cookie) >+ fast_cookie = pavalue >+ self.assertIsNotNone(fast_cookie) >+ continue >+ if patype == PADATA_FX_FAST: >+ self.assertIsNone(fx_fast) >+ fx_fast = pavalue >+ self.assertEqual(len(fx_fast), 0) >+ continue >+ >+ if fast_cookie is not None: >+ kdc_exchange_dict['fast_cookie'] = fast_cookie > > if enc_challenge is not None: > if not sent_enc_challenge: >-- >2.25.1 > > >From b5a88b44f3b2e22218026fc9472512ae4f9fb28e Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Jul 2021 20:49:25 +1200 >Subject: [PATCH 072/108] tests/krb5: Make check_rep_padata() also work for > checking TGS replies 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278) >--- > python/samba/tests/krb5/raw_testcase.py | 72 +++++++++++++++---------- > 1 file changed, 45 insertions(+), 27 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 23a4e70c22f..14f86fb87a8 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1789,6 +1789,7 @@ class RawKerberosTest(TestCaseInTempDir): > check_rep_fn=None, > check_padata_fn=None, > check_kdc_private_fn=None, >+ expected_error_mode=0, > callback_dict=None, > tgt=None, > armor_key=None, >@@ -1820,6 +1821,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'check_padata_fn': check_padata_fn, > 'check_kdc_private_fn': check_kdc_private_fn, > 'callback_dict': callback_dict, >+ 'expected_error_mode': expected_error_mode, > 'tgt': tgt, > 'body_checksum_type': body_checksum_type, > 'armor_key': armor_key, >@@ -2216,6 +2218,8 @@ class RawKerberosTest(TestCaseInTempDir): > callback_dict, > rep, > rep_padata): >+ rep_msg_type = kdc_exchange_dict['rep_msg_type'] >+ > expected_error_mode = kdc_exchange_dict['expected_error_mode'] > req_body = kdc_exchange_dict['req_body'] > proposed_etypes = req_body['etype'] >@@ -2224,6 +2228,9 @@ class RawKerberosTest(TestCaseInTempDir): > sent_fast = self.sent_fast(kdc_exchange_dict) > sent_enc_challenge = self.sent_enc_challenge(kdc_exchange_dict) > >+ if rep_msg_type == KRB_TGS_REP: >+ self.assertTrue(sent_fast) >+ > expect_etype_info2 = () > expect_etype_info = False > unexpect_etype_info = True 
>@@ -2254,27 +2261,32 @@ class RawKerberosTest(TestCaseInTempDir): > expected_patypes += (PADATA_FX_ERROR,) > expected_patypes += (PADATA_FX_COOKIE,) > >- if expect_etype_info: >- self.assertGreater(len(expect_etype_info2), 0) >- expected_patypes += (PADATA_ETYPE_INFO,) >- if len(expect_etype_info2) != 0: >- expected_patypes += (PADATA_ETYPE_INFO2,) >+ if rep_msg_type == KRB_TGS_REP: >+ sent_claims = self.sent_claims(kdc_exchange_dict) >+ if sent_claims and expected_error_mode != 0: >+ expected_patypes += (PADATA_PAC_OPTIONS,) >+ else: >+ if expect_etype_info: >+ self.assertGreater(len(expect_etype_info2), 0) >+ expected_patypes += (PADATA_ETYPE_INFO,) >+ if len(expect_etype_info2) != 0: >+ expected_patypes += (PADATA_ETYPE_INFO2,) > >- if expected_error_mode != KDC_ERR_PREAUTH_FAILED: >- if sent_fast: >- expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) >- else: >- expected_patypes += (PADATA_ENC_TIMESTAMP,) >+ if expected_error_mode != KDC_ERR_PREAUTH_FAILED: >+ if sent_fast: >+ expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) >+ else: >+ expected_patypes += (PADATA_ENC_TIMESTAMP,) > >- if not sent_enc_challenge: >- expected_patypes += (PADATA_PK_AS_REQ,) >- expected_patypes += (PADATA_PK_AS_REP_19,) >+ if not sent_enc_challenge: >+ expected_patypes += (PADATA_PK_AS_REQ,) >+ expected_patypes += (PADATA_PK_AS_REP_19,) > >- if (self.kdc_fast_support >- and not sent_fast >- and not sent_enc_challenge): >- expected_patypes += (PADATA_FX_FAST,) >- expected_patypes += (PADATA_FX_COOKIE,) >+ if (self.kdc_fast_support >+ and not sent_fast >+ and not sent_enc_challenge): >+ expected_patypes += (PADATA_FX_FAST,) >+ expected_patypes += (PADATA_FX_COOKIE,) > > if self.strict_checking: > for i, patype in enumerate(expected_patypes): 
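Review bot: `if rep_msg_type == KRB_TGS_REP: self.assertTrue(sent_fast)` in the preceding hunk makes `check_rep_padata()` abort for any non-FAST TGS error that carries e-data, while the commit subject says the helper now works for TGS replies in general; either state the limitation in a comment next to the assertion (TGS replies are only checked inside a FAST envelope) or handle the non-FAST TGS case by expecting no padata at all. In this hunk the TGS branch only ever expects `PADATA_PAC_OPTIONS`, and only when `sent_claims and expected_error_mode != 0`; if that is deliberate because a successful TGS-REP carries its PAC options in the enc-part's `encrypted-pa-data` (checked by patch 059), a one-line comment saying so would save the next reader from wondering why the AS branch handles both error and success replies and the TGS branch does not.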
>@@ -2389,15 +2401,21 @@ class RawKerberosTest(TestCaseInTempDir): > kcrypto.Enctype.RC4)): > self.assertIsNone(etype_info2) > self.assertIsNone(etype_info) >- if self.strict_checking: >- if sent_fast: >- self.assertIsNotNone(enc_challenge) >- self.assertIsNone(enc_timestamp) >- else: >- self.assertIsNotNone(enc_timestamp) >- self.assertIsNone(enc_challenge) >- self.assertIsNotNone(pk_as_req) >- self.assertIsNotNone(pk_as_rep19) >+ if rep_msg_type == KRB_AS_REP: >+ if self.strict_checking: >+ if sent_fast: >+ self.assertIsNotNone(enc_challenge) >+ self.assertIsNone(enc_timestamp) >+ else: >+ self.assertIsNotNone(enc_timestamp) >+ self.assertIsNone(enc_challenge) >+ self.assertIsNotNone(pk_as_req) >+ self.assertIsNotNone(pk_as_rep19) >+ else: >+ self.assertIsNone(enc_timestamp) >+ self.assertIsNone(enc_challenge) >+ self.assertIsNone(pk_as_req) >+ self.assertIsNone(pk_as_rep19) > return None > > if self.strict_checking: >-- >2.25.1 > > >From 0dac59fd708f6da47d53a98903d595cfc11fb8d1 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 16:29:39 +1200 >Subject: [PATCH 073/108] tests/krb5: Make generic_check_kdc_error() also work > for checking TGS replies > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c) >--- > python/samba/tests/krb5/raw_testcase.py | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 14f86fb87a8..8cbf3edbbab 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -45,6 +45,7 @@ from samba.tests.krb5.rfc4120_constants import ( > FX_FAST_ARMOR_AP_REQUEST, > KDC_ERR_GENERIC, > KDC_ERR_PREAUTH_FAILED, >+ KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, > KRB_AP_REQ, > KRB_AS_REP, > KRB_AS_REQ, >@@ -2150,6 +2151,8 @@ class RawKerberosTest(TestCaseInTempDir): > callback_dict, > rep): > >+ rep_msg_type = kdc_exchange_dict['rep_msg_type'] >+ > expected_cname = kdc_exchange_dict['expected_cname'] > expected_srealm = kdc_exchange_dict['expected_srealm'] > expected_sname = kdc_exchange_dict['expected_sname'] >@@ -2157,6 +2160,8 @@ class RawKerberosTest(TestCaseInTempDir): > > sent_fast = self.sent_fast(kdc_exchange_dict) > >+ fast_armor_type = kdc_exchange_dict['fast_armor_type'] >+ > self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) > self.assertElementEqual(rep, 'error-code', expected_error_mode) >@@ -2176,7 +2181,12 @@ class RawKerberosTest(TestCaseInTempDir): > else: > self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > self.assertElementMissing(rep, 'e-text') >- if expected_error_mode == KDC_ERR_GENERIC: >+ if (expected_error_mode in (KDC_ERR_GENERIC, >+ KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS) >+ or (rep_msg_type == KRB_TGS_REP >+ and not sent_fast) >+ or (sent_fast and fast_armor_type is not None >+ and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)): > self.assertElementMissing(rep, 'e-data') > return rep > edata = self.getElementValue(rep, 'e-data') >-- >2.25.1 > > >From f868c5e0b584fe0ce9b0596193a089255b7833ef Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:50:20 +1200 >Subject: [PATCH 074/108] tests/krb5: Check PADATA-PAC-OPTIONS in reply 
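Review bot: `kdc_exchange_dict['fast_armor_type']` is read with a plain subscript, so any caller that builds the exchange dict without that key will raise KeyError before any assertion runs; either use `.get('fast_armor_type')` or confirm every caller populates it. The four-clause condition in front of `self.assertElementMissing(rep, 'e-data')` would also read better with a short comment per clause (generic or unknown-critical-option errors, unarmored TGS errors, non-AP-REQ armor), since the reason e-data is absent differs in each case.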
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07) >--- > python/samba/tests/krb5/raw_testcase.py | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 8cbf3edbbab..5016e14783c 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2311,6 +2311,7 @@ class RawKerberosTest(TestCaseInTempDir): > pk_as_rep19 = None > fast_cookie = None > fx_fast = None >+ pac_options = None > for pa in rep_padata: > patype = self.getElementValue(pa, 'padata-type') > pavalue = self.getElementValue(pa, 'padata-value') >@@ -2353,10 +2354,18 @@ class RawKerberosTest(TestCaseInTempDir): > fx_fast = pavalue > self.assertEqual(len(fx_fast), 0) > continue >+ if patype == PADATA_PAC_OPTIONS: >+ self.assertIsNone(pac_options) >+ pac_options = pavalue >+ self.assertIsNotNone(pac_options) >+ continue > > if fast_cookie is not None: > kdc_exchange_dict['fast_cookie'] = fast_cookie > >+ if pac_options is not None: >+ self.check_pac_options_claims_support(pac_options) >+ > if enc_challenge is not None: > if not sent_enc_challenge: > self.assertEqual(len(enc_challenge), 0) >-- >2.25.1 > > >From 49b1dc160db90266806afbe9bbb7fd8cd20f92ec Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 11:50:16 +1200 >Subject: [PATCH 075/108] tests/krb5: Allow generic_check_kdc_error() to check > inner FAST errors 
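Review bot: `self.check_pac_options_claims_support(pac_options)` is called with the raw padata-value bytes but is not defined in this hunk; confirm it is introduced earlier in the series and that it performs the DER decode itself. Note also that nothing in this hunk fails when PA-PAC-OPTIONS is expected but absent; that relies on the expected_patypes comparison under strict_checking, which is worth stating in a comment next to the `if pac_options is not None:` check.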
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055) >--- > python/samba/tests/krb5/raw_testcase.py | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 5016e14783c..4ebab367141 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -68,6 +68,7 @@ from samba.tests.krb5.rfc4120_constants import ( > KU_TGS_REQ_AUTH_DAT_SUBKEY, > KU_TICKET, > NT_SRV_INST, >+ NT_WELLKNOWN, > PADATA_ENCRYPTED_CHALLENGE, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO, >@@ -2149,7 +2150,8 @@ class RawKerberosTest(TestCaseInTempDir): > def generic_check_kdc_error(self, > kdc_exchange_dict, > callback_dict, >- rep): >+ rep, >+ inner=False): > > rep_msg_type = kdc_exchange_dict['rep_msg_type'] > >@@ -2173,7 +2175,10 @@ class RawKerberosTest(TestCaseInTempDir): > # error-code checked above > if self.strict_checking: > self.assertElementMissing(rep, 'crealm') >- self.assertElementMissing(rep, 'cname') >+ if expected_cname['name-type'] == NT_WELLKNOWN and not inner: >+ self.assertElementEqualPrincipal(rep, 'cname', expected_cname) >+ else: >+ self.assertElementMissing(rep, 'cname') > self.assertElementEqualUTF8(rep, 'realm', expected_srealm) > if sent_fast and expected_error_mode == KDC_ERR_GENERIC: > self.assertElementEqualPrincipal(rep, 'sname', 
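Review bot: `expected_cname['name-type'] == NT_WELLKNOWN` subscripts expected_cname unconditionally, so a caller that passes `expected_cname=None` now gets a TypeError instead of reaching the `assertElementMissing(rep, 'cname')` path; consider `expected_cname is not None and expected_cname['name-type'] == NT_WELLKNOWN`. A comment explaining why a well-known cname is expected to be echoed in the outer error but not in the inner FAST error (`not inner`) would also help the next reader.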
>@@ -2186,7 +2191,8 @@ class RawKerberosTest(TestCaseInTempDir): > or (rep_msg_type == KRB_TGS_REP > and not sent_fast) > or (sent_fast and fast_armor_type is not None >- and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)): >+ and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST) >+ or inner): > self.assertElementMissing(rep, 'e-data') > return rep > edata = self.getElementValue(rep, 'e-data') >-- >2.25.1 > > >From e4fccc10123557d47523969a56d642b1887d9e47 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 27 Jul 2021 14:49:58 +1200 >Subject: [PATCH 076/108] tests/krb5: Check PADATA-FX-ERROR in reply > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c) >--- > python/samba/tests/krb5/raw_testcase.py | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 4ebab367141..17ef8df5daa 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2316,6 +2316,7 @@ class RawKerberosTest(TestCaseInTempDir): > pk_as_req = None > pk_as_rep19 = None > fast_cookie = None >+ fast_error = None > fx_fast = None > pac_options = None > for pa in rep_padata: >@@ -2355,6 +2356,11 @@ class RawKerberosTest(TestCaseInTempDir): > fast_cookie = pavalue > self.assertIsNotNone(fast_cookie) > continue >+ if patype == PADATA_FX_ERROR: >+ self.assertIsNone(fast_error) >+ fast_error = pavalue >+ self.assertIsNotNone(fast_error) >+ continue > if patype == PADATA_FX_FAST: > self.assertIsNone(fx_fast) > fx_fast = pavalue 
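Review bot: with `or inner` added, an inner FAST error is never checked for e-data and the function returns before the padata loop, so the inner error's own padata goes unexamined. If that is intended, say so in a comment (the inner KRB-ERROR is expected to carry no e-data) so the early return is not mistaken for an unfinished check.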
>@@ -2369,6 +2375,14 @@ class RawKerberosTest(TestCaseInTempDir): > if fast_cookie is not None: > kdc_exchange_dict['fast_cookie'] = fast_cookie > >+ if fast_error is not None: >+ fast_error = self.der_decode(fast_error, >+ asn1Spec=krb5_asn1.KRB_ERROR()) >+ self.generic_check_kdc_error(kdc_exchange_dict, >+ callback_dict, >+ fast_error, >+ inner=True) >+ > if pac_options is not None: > self.check_pac_options_claims_support(pac_options) > >-- >2.25.1 > > >From 8b6ea46bc5eac6f651459da5196c3d6ed3dce992 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Thu, 10 Jun 2021 09:56:58 +1200 >Subject: [PATCH 077/108] initial FAST tests > >Currently incomplete, and tested only against MIT Kerberos. > >[abartlet@samba.org > Originally "WIP inital FAST tests" > > Samba's general policy is that we don't push WIP patches; we polish > them into a 'perfect' patch stream. > > However, I think there are good reasons to keep this patch distinct > in this particular case. > > Gary is being modest in titling this WIP (now removed from the title > to avoid confusion). They are not WIP in the normal sense of > partially or untested code or random unfinished thoughts. The primary > issue is that at that point where Gary had to finish up he had > trouble getting FAST support enabled on Windows, so couldn't test > against our standard reference. They are instead good, working > initial tests written against the RFC and tested against Samba's AD DC > in the mode backed by MIT Kerberos. > > This preserves clear authorship for the two distinct bodies of work, > as in the next patch Joseph was able to extend and improve the tests > significantly. ] 
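Review bot: the recursive `self.generic_check_kdc_error(kdc_exchange_dict, callback_dict, fast_error, inner=True)` reuses the same exchange dict, so the inner KRB-ERROR's error-code is asserted equal to the same expected_error_mode as the outer reply. If any test needs the inner and outer codes to differ, an `expected_inner_error_mode` entry in the dict would be required; if they are always meant to match, a comment saying so would make the contract explicit. The inner call's return value is discarded, which is fine since the function only asserts.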
> >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966) >--- > python/samba/tests/krb5/fast_tests.py | 245 ++++++++++++++++++++++++++ > python/samba/tests/usage.py | 1 + > selftest/knownfail_heimdal_kdc | 8 + > source4/selftest/tests.py | 8 + > 4 files changed, 262 insertions(+) > create mode 100755 python/samba/tests/krb5/fast_tests.py > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >new file mode 100755 >index 00000000000..c4d1c2c5d82 >--- /dev/null >+++ b/python/samba/tests/krb5/fast_tests.py 
>@@ -0,0 +1,245 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2020 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+ PADATA_FX_COOKIE, >+ PADATA_FX_FAST, >+) >+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class FAST_Tests(KDCBaseTest): >+ ''' >+ ''' >+ >+ def setUp(self): >+ super().setUp() >+ self.do_asn1_print = global_asn1_print >+ self.do_hexdump = global_hexdump >+ >+ def get_padata_element(self, rep, padata_type): >+ rep_padata = self.der_decode( >+ rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ for pa in rep_padata: >+ if pa['padata-type'] == padata_type: >+ return pa['padata-value'] >+ return None >+ >+ def test_fast_supported(self): >+ '''Confirm that the kdc supports FAST >+ The KDC SHOULD return an empty PA-FX-FAST in a >+ PREAUTH_REQUIRED error if FAST is supported >+ >+ >+ ''' >+ >+ # Create a user account for the test. 
>+ # >+ samdb = self.get_samdb() >+ user_name = "krb5fastusr" >+ (uc, dn) = self.create_account(samdb, user_name) >+ realm = uc.get_realm().lower() >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.assertIsNotNone(rep) >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 25) >+ >+ fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >+ self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >+ >+ def test_explicit_PA_FX_FAST_in_as_req(self): >+ ''' >+ Add an empty PA-FX-FAST in the initial AS-REQ >+ This should get rejected with a Generic error. >+ >+ ''' >+ >+ # Create a user account for the test. >+ # >+ samdb = self.get_samdb() >+ user_name = "krb5fastusr" >+ (uc, dn) = self.create_account(samdb, user_name) >+ realm = uc.get_realm().lower() >+ >+ # Do the initial AS-REQ, should get a generic error response >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ x = self.PA_DATA_create(PADATA_FX_FAST, b'') >+ padata = [x] >+ rep = self.as_req(cname, sname, realm, etype, padata) >+ >+ self.assertIsNotNone(rep) >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 60) >+ >+ def test_fast_cookie_retured_in_pre_auth(self): >+ '''Confirm that the kdc returns PA-FX-COOKIE >+ ''' >+ >+ # Create a user account for the test. 
>+ # >+ samdb = self.get_samdb() >+ user_name = "krb5fastusr" >+ (uc, dn) = self.create_account(samdb, user_name) >+ realm = uc.get_realm().lower() >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.assertIsNotNone(rep) >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 25) >+ >+ fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >+ self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >+ >+ fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) >+ self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") >+ >+ def test_ignore_fast(self): >+ ''' >+ TODO reword this >+ Attempt to authenticate with out FAST, i.e. ignoring the >+ FAST advertised in the pre-auth >+ ''' >+ >+ # Create a user account for the test. 
>+ # >+ samdb = self.get_samdb() >+ user_name = "krb5fastusr" >+ (uc, dn) = self.create_account(samdb, user_name) >+ realm = uc.get_realm().lower() >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.assertIsNotNone(rep) >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 25) >+ >+ fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >+ self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >+ >+ fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) >+ self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") >+ >+ # Do the next AS-REQ >+ padata = [self.get_enc_timestamp_pa_data(uc, rep)] >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ def test_fast(self): >+ ''' >+ Attempt to authenticate with >+ ''' >+ >+ # Create a user account for the test. 
>+ # >+ samdb = self.get_samdb() >+ user_name = "krb5fastusr" >+ (uc, dn) = self.create_account(samdb, user_name) >+ realm = uc.get_realm().lower() >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.assertIsNotNone(rep) >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 25) >+ >+ fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >+ self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >+ >+ fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) >+ self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") >+ >+ cookie = self.PA_DATA_create(PADATA_FX_COOKIE, fx_cookie) >+ >+ # Do the next AS-REQ >+ padata = [self.get_enc_timestamp_pa_data(uc, rep)] >+ padata.append(cookie) >+ # req = self.AS_REQ_create(padata=padata, >+ # kdc_options=str(kdc_options), >+ # cname=cname, >+ # realm=realm, >+ # sname=sname, >+ # from_time=None, >+ # till_time=till, >+ # renew_time=None, >+ # nonce=0x7fffffff, >+ # etypes=etypes, >+ # addresses=None, >+ # EncAuthorizationData=None, >+ # EncAuthorizationData_key=None, >+ # additional_tickets=None) >+ # rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ # self.check_as_reply(rep) >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = False >+ global_hexdump = False >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index 27497e069d1..7cdf25b48ae 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py 
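Review bot: the new tests compare `rep['msg-type']` against the literal 30 and `rep['error-code']` against 25 and 60, while the surrounding krb5 suite uses the named constants (KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_GENERIC from rfc4120_constants, which this file already imports from); use the names so the intent of each assertion is readable. `test_fast` builds `padata` and then ends in a commented-out request with no further assertion, so it passes without exercising an armored exchange; the commit message says the work is incomplete, but a `self.skipTest(...)` or an explicit TODO comment at that point would be clearer than a silent pass. Minor: `test_fast_cookie_retured_in_pre_auth` is misspelled (and is referenced by name in the knownfail list, so rename both together), the class docstring is empty, and the `test_fast` and `test_ignore_fast` docstrings are unfinished.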
>@@ -102,6 +102,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/test_smb.py', > 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', > 'python/samba/tests/krb5/as_req_tests.py', >+ 'python/samba/tests/krb5/fast_tests.py', > } > > EXCLUDE_HELP = { >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index 4e6ee93ce96..66f07cebc14 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -14,3 +14,11 @@ > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c >+# >+# MIT specific FAST tests, >+# >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_explicit_PA_FX_FAST_in_as_req\(ad_dc\) >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast\(ad_dc\) >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_cookie_retured_in_pre_auth\(ad_dc\) >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_supported\(ad_dc\) >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_ignore_fast\(ad_dc\) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 8938754d0fc..56444fc5aa5 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py 
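Review bot: all five FAST_Tests entries are added to knownfail_heimdal_kdc, i.e. the entire new suite is expected to fail against the Heimdal KDC, yet the comment only says "MIT specific FAST tests"; state whether they fail because the Heimdal KDC does not yet advertise FAST or because the tests encode MIT behaviour, so it is clear which change should retire these entries. One entry carries the `retured` spelling from the test name and must be updated in step if the test is renamed.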
>@@ -1476,6 +1476,14 @@ planpythontestsuite( > 'ADMIN_USERNAME': '$USERNAME', > 'ADMIN_PASSWORD': '$PASSWORD' > }) >+planpythontestsuite( >+ "ad_dc", >+ "samba.tests.krb5.fast_tests", >+ environ={ >+ 'ADMIN_USERNAME': '$USERNAME', >+ 'ADMIN_PASSWORD': '$PASSWORD', >+ 'SERVICE_USERNAME': '$SERVER' >+ }) > planpythontestsuite( > "ad_dc", > "samba.tests.krb5.ms_kile_client_principal_lookup_tests", >-- >2.25.1 > > >From c4c0a26bff8740b7ee6c127ee1512ed32d315aff Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 10:58:44 +1200 >Subject: [PATCH 078/108] tests/krb5: Add FAST tests > >Example command: > >SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \ >KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \ >ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \ >PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184 > >(cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854) >--- > python/samba/tests/krb5/fast_tests.py | 1649 ++++++++++++++++++++++--- > selftest/knownfail_heimdal_kdc | 54 +- > selftest/knownfail_mit_kdc | 53 + > source4/selftest/tests.py | 2 +- > 4 files changed, 1585 insertions(+), 173 deletions(-) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index c4d1c2c5d82..e38b2e0a6e1 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py 
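Review bot: the new planpythontestsuite() call passes `'SERVICE_USERNAME': '$SERVER'` in environ, but nothing visible in the fast_tests.py added by this patch reads SERVICE_USERNAME; if KDCBaseTest or the follow-up patch consumes it, a note in the commit message would explain its presence, otherwise drop it to keep the test environment minimal.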
>@@ -17,225 +17,1542 @@ > # along with this program. If not, see <http://www.gnu.org/licenses/>. > # > >-import sys >+import functools > import os >+import sys > >-sys.path.insert(0, "bin/python") >-os.environ["PYTHONUNBUFFERED"] = "1" >+import ldb > >+from samba.dcerpc import security >+from samba.tests.krb5.raw_testcase import ( >+ KerberosTicketCreds, >+ Krb5EncryptionKey >+) > from samba.tests.krb5.kdc_base_test import KDCBaseTest > from samba.tests.krb5.rfc4120_constants import ( >+ AD_FX_FAST_ARMOR, >+ AD_FX_FAST_USED, > AES256_CTS_HMAC_SHA1_96, > ARCFOUR_HMAC_MD5, >+ FX_FAST_ARMOR_AP_REQUEST, >+ KDC_ERR_ETYPE_NOSUPP, >+ KDC_ERR_GENERIC, >+ KDC_ERR_NOT_US, >+ KDC_ERR_PREAUTH_FAILED, >+ KDC_ERR_PREAUTH_REQUIRED, >+ KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, >+ KRB_AS_REP, >+ KRB_TGS_REP, >+ KU_AS_REP_ENC_PART, >+ KU_TICKET, > NT_PRINCIPAL, > NT_SRV_INST, >+ NT_WELLKNOWN, > PADATA_FX_COOKIE, > PADATA_FX_FAST, >+ PADATA_PAC_OPTIONS > ) > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+import samba.tests.krb5.kcrypto as kcrypto >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" > > global_asn1_print = False > global_hexdump = False > > > class FAST_Tests(KDCBaseTest): >- ''' >- ''' >+ @classmethod >+ def setUpClass(cls): >+ super().setUpClass() >+ >+ cls.user_tgt = None >+ cls.user_enc_part = None >+ cls.user_service_ticket = None >+ >+ cls.mach_tgt = None >+ cls.mach_enc_part = None >+ cls.mach_service_ticket = None > > def setUp(self): > super().setUp() > self.do_asn1_print = global_asn1_print > self.do_hexdump = global_hexdump > >- def get_padata_element(self, rep, padata_type): >- rep_padata = self.der_decode( >- rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >- for pa in rep_padata: >- if pa['padata-type'] == padata_type: >- return pa['padata-value'] >- return None >+ def test_simple(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': False >+ }, 
>+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': False, >+ 'gen_padata_fn': self.generate_enc_timestamp_padata >+ } >+ ]) > >- def test_fast_supported(self): >- '''Confirm that the kdc supports FAST >- The KDC SHOULD return an empty PA-FX-FAST in a >- PREAUTH_REQUIRED error if FAST is supported >+ def test_simple_tgs(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_user_tgt >+ } >+ ]) > >+ def test_simple_tgs_wrong_principal(self): >+ mach_creds = self.get_mach_creds() >+ mach_name = mach_creds.get_username() >+ expected_cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[mach_name]) > >- ''' >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_mach_tgt, >+ 'expected_cname': expected_cname >+ } >+ ]) > >- # Create a user account for the test. >- # >- samdb = self.get_samdb() >- user_name = "krb5fastusr" >- (uc, dn) = self.create_account(samdb, user_name) >- realm = uc.get_realm().lower() >+ def test_simple_tgs_service_ticket(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_NOT_US, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_user_service_ticket, >+ } >+ ]) > >- # Do the initial AS-REQ, should get a pre-authentication required >- # response >- etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >- cname = self.PrincipalName_create( >- name_type=NT_PRINCIPAL, names=[user_name]) >- sname = self.PrincipalName_create( >- name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ def test_simple_tgs_service_ticket_mach(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_NOT_US, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_mach_service_ticket, >+ } >+ ]) > >- rep = self.as_req(cname, sname, realm, etype) >- self.assertIsNotNone(rep) >- 
self.assertEqual(rep['msg-type'], 30) >- self.assertEqual(rep['error-code'], 25) >+ def test_fast_no_claims(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'pac_options': '0' >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'pac_options': '0' >+ } >+ ]) > >- fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >- self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >+ def test_fast_tgs_no_claims(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'pac_options': '0' >+ } >+ ]) > >- def test_explicit_PA_FX_FAST_in_as_req(self): >- ''' >- Add an empty PA-FX-FAST in the initial AS-REQ >- This should get rejected with a Generic error. 
>+ def test_fast_no_claims_or_canon(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'pac_options': '0', >+ 'kdc_options': '0' >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'pac_options': '0', >+ 'kdc_options': '0' >+ } >+ ]) > >- ''' >+ def test_fast_tgs_no_claims_or_canon(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'pac_options': '0', >+ 'kdc_options': '0' >+ } >+ ]) > >- # Create a user account for the test. >- # >- samdb = self.get_samdb() >- user_name = "krb5fastusr" >- (uc, dn) = self.create_account(samdb, user_name) >- realm = uc.get_realm().lower() >+ def test_fast_no_canon(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'kdc_options': '0' >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'kdc_options': '0' >+ } >+ ]) > >- # Do the initial AS-REQ, should get a generic error response >- # response >- etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >- cname = self.PrincipalName_create( >- name_type=NT_PRINCIPAL, names=[user_name]) >- sname = self.PrincipalName_create( >- name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ def test_fast_tgs_no_canon(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': 
KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'kdc_options': '0' >+ } >+ ]) >+ >+ def test_simple_tgs_no_etypes(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_mach_tgt, >+ 'etypes': () >+ } >+ ]) >+ >+ def test_fast_tgs_no_etypes(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_mach_tgt, >+ 'fast_armor': None, >+ 'etypes': () >+ } >+ ]) >+ >+ def test_simple_no_etypes(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, >+ 'use_fast': False, >+ 'etypes': () >+ } >+ ]) >+ >+ def test_simple_fast_no_etypes(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'etypes': () >+ } >+ ]) >+ >+ def test_empty_fast(self): >+ # Add an empty PA-FX-FAST in the initial AS-REQ. This should get >+ # rejected with a Generic error. 
>+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'gen_fast_fn': self.generate_empty_fast, >+ 'fast_armor': None, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_unknown_critical_option(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, >+ 'use_fast': True, >+ 'fast_options': '001', # unsupported critical option >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_unarmored_as_req(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'fast_armor': None, # no armor, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_invalid_armor_type(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, >+ 'use_fast': True, >+ 'fast_armor': 0, # invalid armor type >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_invalid_armor_type2(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, >+ 'use_fast': True, >+ 'fast_armor': 2, # invalid armor type >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_encrypted_challenge(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_encrypted_challenge_wrong_key(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': 
KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_encrypted_challenge_wrong_key_kdc(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, >+ 'use_fast': True, >+ 'gen_padata_fn': >+ self.generate_enc_challenge_padata_wrong_key_kdc, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_encrypted_challenge_clock_skew(self): >+ # The KDC is supposed to confirm that the timestamp is within its >+ # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 >+ # 5.4.6). However, Windows accepts a skewed timestamp in the encrypted >+ # challenge. >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': functools.partial( >+ self.generate_enc_challenge_padata, >+ skew=10000), >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_invalid_tgt(self): >+ # The armor ticket 'sname' field is required to identify the target >+ # realm TGS (RFC6113 5.4.1.1). 
However, Windows will still accept a >+ # service ticket identifying a different server principal. >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_user_service_ticket >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_user_service_ticket >+ # ticket not identifying TGS of current >+ # realm >+ } >+ ]) >+ >+ def test_fast_invalid_tgt_mach(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_service_ticket >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_service_ticket >+ # ticket not identifying TGS of current >+ # realm >+ } >+ ]) >+ >+ def test_fast_enc_timestamp(self): >+ # Provide ENC-TIMESTAMP as FAST padata when we should be providing >+ # ENCRYPTED-CHALLENGE - ensure that we get PREAUTH_REQUIRED. 
>+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_timestamp_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_tgs(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None >+ } >+ ]) >+ >+ def test_fast_tgs_armor(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST >+ } >+ ]) >+ >+ def test_fast_outer_wrong_realm(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'realm': 'TEST' # should be ignored >+ } >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': 
self.get_mach_tgt, >+ 'outer_req': { >+ 'realm': 'TEST' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_tgs_outer_wrong_realm(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'outer_req': { >+ 'realm': 'TEST' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_outer_wrong_nonce(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'nonce': '123' # should be ignored >+ } >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'nonce': '123' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_tgs_outer_wrong_nonce(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'outer_req': { >+ 'nonce': '123' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_outer_wrong_flags(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'kdc-options': '11111111111111111' # should be ignored >+ } >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'kdc-options': '11111111111111111' # should be ignored >+ } >+ } >+ ]) >+ >+ def 
test_fast_tgs_outer_wrong_flags(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'outer_req': { >+ 'kdc-options': '11111111111111111' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_outer_wrong_till(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'till': '15000101000000Z' # should be ignored >+ } >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'till': '15000101000000Z' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_tgs_outer_wrong_till(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'outer_req': { >+ 'till': '15000101000000Z' # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_authdata_fast_used(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_authdata_fn': self.generate_fast_used_auth_data, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None >+ } >+ ]) >+ >+ def test_fast_authdata_fast_not_used(self): >+ # The AD-fx-fast-used authdata type can be included in the >+ # authenticator or the TGT authentication data to indicate that FAST >+ # must be used. The KDC must return KRB_APP_ERR_MODIFIED if it receives >+ # this authdata type in a request not using FAST (RFC6113 5.4.2). >+ self._run_test_sequence([ >+ # This request works without FAST. 
>+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_user_tgt >+ }, >+ # Add the 'FAST used' auth data and it now fails. >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ # should be KRB_APP_ERR_MODIFIED >+ 'use_fast': False, >+ 'gen_authdata_fn': self.generate_fast_used_auth_data, >+ 'gen_tgt_fn': self.get_user_tgt >+ } >+ ]) >+ >+ def test_fast_ad_fx_fast_armor(self): >+ # If the authenticator or TGT authentication data contains the >+ # AD-fx-fast-armor authdata type, the KDC must reject the request >+ # (RFC6113 5.4.1.1). >+ self._run_test_sequence([ >+ # This request works. >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None >+ }, >+ # Add the 'FAST armor' auth data and it now fails. >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'gen_authdata_fn': self.generate_fast_armor_auth_data, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None >+ } >+ ]) >+ >+ def test_fast_ad_fx_fast_armor2(self): >+ # Show that we can still use the AD-fx-fast-armor authorization data in >+ # FAST armor tickets. >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'gen_authdata_fn': self.generate_fast_armor_auth_data, >+ # include the auth data in the FAST armor. 
>+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ } >+ ]) >+ >+ def test_fast_ad_fx_fast_armor_ticket(self): >+ # If the authenticator or TGT authentication data contains the >+ # AD-fx-fast-armor authdata type, the KDC must reject the request >+ # (RFC6113 5.4.2). >+ self._run_test_sequence([ >+ # This request works. >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None >+ }, >+ # Add AD-fx-fast-armor authdata element to user TGT. This request >+ # fails. >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data, >+ 'fast_armor': None >+ } >+ ]) >+ >+ def test_fast_ad_fx_fast_armor_ticket2(self): >+ self._run_test_sequence([ >+ # Show that we can still use the modified ticket as armor. >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.gen_tgt_fast_armor_auth_data >+ } >+ ]) >+ >+ def test_fast_tgs_service_ticket(self): >+ # Try to use a non-TGT ticket to establish an armor key, which fails >+ # (RFC6113 5.4.2). 
>+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_NOT_US, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_service_ticket, # fails >+ 'fast_armor': None >+ } >+ ]) >+ >+ def test_fast_tgs_service_ticket_mach(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_NOT_US, # fails >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_mach_service_ticket, >+ 'fast_armor': None >+ } >+ ]) >+ >+ def test_simple_tgs_no_subkey(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'include_subkey': False >+ } >+ ]) >+ >+ def test_fast_tgs_no_subkey(self): >+ # Show that omitting the subkey in the TGS-REQ authenticator fails >+ # (RFC6113 5.4.2). >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'include_subkey': False >+ } >+ ]) >+ >+ def test_fast_hide_client_names(self): >+ user_creds = self.get_client_creds() >+ user_name = user_creds.get_username() >+ user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ >+ expected_cname = self.PrincipalName_create( >+ name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS']) >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'fast_options': '01', # hide client names >+ 'expected_cname': expected_cname >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'fast_options': '01', # hide client names >+ 'expected_cname': 
expected_cname, >+ 'expected_cname_private': user_cname >+ } >+ ]) >+ >+ def test_fast_tgs_hide_client_names(self): >+ user_creds = self.get_client_creds() >+ user_name = user_creds.get_username() >+ user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ >+ expected_cname = self.PrincipalName_create( >+ name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS']) >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'fast_options': '01', # hide client names >+ 'expected_cname': expected_cname, >+ 'expected_cname_private': user_cname >+ } >+ ]) >+ >+ def test_fast_encrypted_challenge_replay(self): >+ # The KDC is supposed to check that encrypted challenges are not >+ # replays (RFC6113 5.4.6), but timestamps may be reused; an encrypted >+ # challenge is only considered a replay if the ciphertext is identical >+ # to a previous challenge. Windows does not perform this check. 
>+ >+ class GenerateEncChallengePadataReplay: >+ def __init__(replay): >+ replay._padata = None >+ >+ def __call__(replay, key, armor_key): >+ if replay._padata is None: >+ client_challenge_key = ( >+ self.generate_client_challenge_key(armor_key, key)) >+ replay._padata = self.get_challenge_pa_data( >+ client_challenge_key) >+ >+ return replay._padata >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': GenerateEncChallengePadataReplay(), >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'repeat': 2 >+ } >+ ]) >+ >+ def generate_enc_timestamp_padata(self, key, _armor_key): >+ return self.get_enc_timestamp_pa_data_from_key(key) >+ >+ def generate_enc_challenge_padata(self, key, armor_key, skew=0): >+ client_challenge_key = ( >+ self.generate_client_challenge_key(armor_key, key)) >+ return self.get_challenge_pa_data(client_challenge_key, skew=skew) >+ >+ def generate_enc_challenge_padata_wrong_key_kdc(self, key, armor_key): >+ kdc_challenge_key = ( >+ self.generate_kdc_challenge_key(armor_key, key)) >+ return self.get_challenge_pa_data(kdc_challenge_key) >+ >+ def generate_enc_challenge_padata_wrong_key(self, key, _armor_key): >+ return self.get_challenge_pa_data(key) >+ >+ def generate_empty_fast(self, >+ _kdc_exchange_dict, >+ _callback_dict, >+ _req_body, >+ _fast_padata, >+ _fast_armor, >+ _checksum, >+ _fast_options=''): >+ fast_padata = self.PA_DATA_create(PADATA_FX_FAST, b'') >+ >+ return fast_padata >+ >+ def _run_test_sequence(self, test_sequence): >+ if self.strict_checking: >+ self.check_kdc_fast_support() >+ >+ kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' >+ 'renewable,' >+ 'canonicalize,' >+ 'renewable-ok')) >+ >+ pac_request = 
self.get_pa_pac_request() >+ >+ client_creds = self.get_client_creds() >+ target_creds = self.get_service_creds() >+ krbtgt_creds = self.get_krbtgt_creds() >+ >+ client_username = client_creds.get_username() >+ client_realm = client_creds.get_realm() >+ client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[client_username]) >+ >+ krbtgt_username = krbtgt_creds.get_username() >+ krbtgt_realm = krbtgt_creds.get_realm() >+ krbtgt_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) >+ krbtgt_decryption_key = self.TicketDecryptionKey_from_creds( >+ krbtgt_creds) >+ >+ target_username = target_creds.get_username()[:-1] >+ target_realm = target_creds.get_realm() >+ target_service = 'host' >+ target_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[target_service, target_username]) >+ target_decryption_key = self.TicketDecryptionKey_from_creds( >+ target_creds, etype=kcrypto.Enctype.RC4) >+ >+ fast_cookie = None >+ preauth_etype_info2 = None >+ >+ preauth_key = None >+ >+ for kdc_dict in test_sequence: >+ rep_type = kdc_dict.pop('rep_type') >+ self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP)) >+ >+ expected_error_mode = kdc_dict.pop('expected_error_mode') >+ self.assertIn(expected_error_mode, range(240)) >+ >+ use_fast = kdc_dict.pop('use_fast') >+ self.assertIs(type(use_fast), bool) >+ >+ if use_fast: >+ self.assertIn('fast_armor', kdc_dict) >+ fast_armor_type = kdc_dict.pop('fast_armor') >+ >+ if fast_armor_type is not None: >+ self.assertIn('gen_armor_tgt_fn', kdc_dict) >+ elif expected_error_mode != KDC_ERR_GENERIC: >+ self.assertNotIn('gen_armor_tgt_fn', kdc_dict) >+ >+ gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None) >+ if gen_armor_tgt_fn is not None: >+ armor_tgt = gen_armor_tgt_fn() >+ else: >+ armor_tgt = None > >- x = self.PA_DATA_create(PADATA_FX_FAST, b'') >- padata = [x] >- rep = self.as_req(cname, sname, realm, etype, padata) >+ fast_options = 
kdc_dict.pop('fast_options', '') >+ else: >+ fast_armor_type = None >+ armor_tgt = None > >- self.assertIsNotNone(rep) >- self.assertEqual(rep['msg-type'], 30) >- self.assertEqual(rep['error-code'], 60) >+ self.assertNotIn('fast_options', kdc_dict) >+ fast_options = None > >- def test_fast_cookie_retured_in_pre_auth(self): >- '''Confirm that the kdc returns PA-FX-COOKIE >- ''' >+ if rep_type == KRB_TGS_REP: >+ gen_tgt_fn = kdc_dict.pop('gen_tgt_fn') >+ tgt = gen_tgt_fn() >+ else: >+ self.assertNotIn('gen_tgt_fn', kdc_dict) >+ tgt = None >+ >+ if expected_error_mode != 0: >+ check_error_fn = self.generic_check_kdc_error >+ check_rep_fn = None >+ else: >+ check_error_fn = None >+ check_rep_fn = self.generic_check_kdc_rep >+ >+ etypes = kdc_dict.pop('etypes', (AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5)) >+ >+ cname = client_cname if rep_type == KRB_AS_REP else None >+ crealm = client_realm >+ >+ if rep_type == KRB_AS_REP: >+ sname = krbtgt_sname >+ srealm = krbtgt_realm >+ else: # KRB_TGS_REP >+ sname = target_sname >+ srealm = target_realm >+ >+ expected_cname = kdc_dict.pop('expected_cname', client_cname) >+ expected_cname_private = kdc_dict.pop('expected_cname_private', >+ None) >+ expected_crealm = kdc_dict.pop('expected_crealm', client_realm) >+ expected_sname = kdc_dict.pop('expected_sname', sname) >+ expected_srealm = kdc_dict.pop('expected_srealm', srealm) >+ >+ expected_salt = client_creds.get_salt() >+ >+ authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) >+ if rep_type == KRB_AS_REP: >+ if use_fast: >+ armor_key = self.generate_armor_key(authenticator_subkey, >+ armor_tgt.session_key) >+ armor_subkey = authenticator_subkey >+ else: >+ armor_key = None >+ armor_subkey = authenticator_subkey >+ else: # KRB_TGS_REP >+ if fast_armor_type is not None: >+ armor_subkey = self.RandomKey(kcrypto.Enctype.AES256) >+ explicit_armor_key = self.generate_armor_key( >+ armor_subkey, >+ armor_tgt.session_key) >+ armor_key = kcrypto.cf2(explicit_armor_key.key, 
>+ authenticator_subkey.key, >+ b'explicitarmor', >+ b'tgsarmor') >+ armor_key = Krb5EncryptionKey(armor_key, None) >+ else: >+ armor_key = self.generate_armor_key(authenticator_subkey, >+ tgt.session_key) >+ armor_subkey = authenticator_subkey >+ >+ if not kdc_dict.pop('include_subkey', True): >+ authenticator_subkey = None >+ >+ if use_fast: >+ generate_fast_fn = kdc_dict.pop('gen_fast_fn', None) >+ if generate_fast_fn is None: >+ generate_fast_fn = functools.partial( >+ self.generate_simple_fast, >+ fast_options=fast_options) >+ else: >+ generate_fast_fn = None >+ >+ generate_fast_armor_fn = ( >+ self.generate_ap_req >+ if fast_armor_type is not None >+ else None) >+ >+ def _generate_padata_copy(_kdc_exchange_dict, >+ _callback_dict, >+ req_body, >+ padata): >+ return padata, req_body >+ >+ def _check_padata_preauth_key(_kdc_exchange_dict, >+ _callback_dict, >+ _rep, >+ _padata): >+ as_rep_usage = KU_AS_REP_ENC_PART >+ return preauth_key, as_rep_usage >+ >+ pac_options = kdc_dict.pop('pac_options', '1') # claims support >+ pac_options = self.get_pa_pac_options(pac_options) >+ >+ kdc_options = kdc_dict.pop('kdc_options', kdc_options_default) >+ >+ if rep_type == KRB_AS_REP: >+ padata = [pac_request, pac_options] >+ else: >+ padata = [pac_options] >+ >+ gen_padata_fn = kdc_dict.pop('gen_padata_fn', None) >+ if gen_padata_fn is not None: >+ self.assertEqual(KRB_AS_REP, rep_type) >+ self.assertIsNotNone(preauth_etype_info2) >+ >+ preauth_key = self.PasswordKey_from_etype_info2( >+ client_creds, >+ preauth_etype_info2[0], >+ client_creds.get_kvno()) >+ gen_padata = gen_padata_fn(preauth_key, armor_key) >+ padata.insert(0, gen_padata) >+ else: >+ preauth_key = None >+ >+ if rep_type == KRB_AS_REP: >+ check_padata_fn = _check_padata_preauth_key >+ else: >+ check_padata_fn = self.check_simple_tgs_padata >+ >+ if use_fast: >+ inner_padata = padata >+ outer_padata = [] >+ else: >+ inner_padata = [] >+ outer_padata = padata >+ >+ if use_fast and fast_cookie is not None: >+ 
outer_padata.append(fast_cookie) >+ >+ generate_fast_padata_fn = (functools.partial(_generate_padata_copy, >+ padata=inner_padata) >+ if inner_padata else None) >+ generate_padata_fn = (functools.partial(_generate_padata_copy, >+ padata=outer_padata) >+ if outer_padata else None) >+ >+ gen_authdata_fn = kdc_dict.pop('gen_authdata_fn', None) >+ if gen_authdata_fn is not None: >+ auth_data = [gen_authdata_fn()] >+ else: >+ auth_data = None >+ >+ if not use_fast: >+ self.assertNotIn('outer_req', kdc_dict) >+ outer_req = kdc_dict.pop('outer_req', None) >+ >+ if rep_type == KRB_AS_REP: >+ kdc_exchange_dict = self.as_exchange_dict( >+ expected_crealm=expected_crealm, >+ expected_cname=expected_cname, >+ expected_cname_private=expected_cname_private, >+ expected_srealm=expected_srealm, >+ expected_sname=expected_sname, >+ ticket_decryption_key=krbtgt_decryption_key, >+ generate_fast_fn=generate_fast_fn, >+ generate_fast_armor_fn=generate_fast_armor_fn, >+ generate_fast_padata_fn=generate_fast_padata_fn, >+ fast_armor_type=fast_armor_type, >+ generate_padata_fn=generate_padata_fn, >+ check_error_fn=check_error_fn, >+ check_rep_fn=check_rep_fn, >+ check_padata_fn=check_padata_fn, >+ check_kdc_private_fn=self.generic_check_kdc_private, >+ callback_dict={}, >+ expected_error_mode=expected_error_mode, >+ client_as_etypes=etypes, >+ expected_salt=expected_salt, >+ authenticator_subkey=authenticator_subkey, >+ auth_data=auth_data, >+ armor_key=armor_key, >+ armor_tgt=armor_tgt, >+ armor_subkey=armor_subkey, >+ kdc_options=kdc_options, >+ outer_req=outer_req) >+ else: # KRB_TGS_REP >+ kdc_exchange_dict = self.tgs_exchange_dict( >+ expected_crealm=expected_crealm, >+ expected_cname=expected_cname, >+ expected_cname_private=expected_cname_private, >+ expected_srealm=expected_srealm, >+ expected_sname=expected_sname, >+ ticket_decryption_key=target_decryption_key, >+ generate_fast_fn=generate_fast_fn, >+ generate_fast_armor_fn=generate_fast_armor_fn, >+ 
generate_fast_padata_fn=generate_fast_padata_fn, >+ fast_armor_type=fast_armor_type, >+ generate_padata_fn=generate_padata_fn, >+ check_error_fn=check_error_fn, >+ check_rep_fn=check_rep_fn, >+ check_padata_fn=check_padata_fn, >+ check_kdc_private_fn=self.generic_check_kdc_private, >+ expected_error_mode=expected_error_mode, >+ callback_dict={}, >+ tgt=tgt, >+ armor_key=armor_key, >+ armor_tgt=armor_tgt, >+ armor_subkey=armor_subkey, >+ authenticator_subkey=authenticator_subkey, >+ auth_data=auth_data, >+ body_checksum_type=None, >+ kdc_options=kdc_options, >+ outer_req=outer_req) >+ >+ repeat = kdc_dict.pop('repeat', 1) >+ for _ in range(repeat): >+ rep = self._generic_kdc_exchange(kdc_exchange_dict, >+ cname=cname, >+ realm=crealm, >+ sname=sname, >+ etypes=etypes) >+ if expected_error_mode == 0: >+ self.check_reply(rep, rep_type) >+ >+ fast_cookie = None >+ preauth_etype_info2 = None >+ else: >+ self.check_error_rep(rep, expected_error_mode) >+ >+ if 'fast_cookie' in kdc_exchange_dict: >+ fast_cookie = self.create_fast_cookie( >+ kdc_exchange_dict['fast_cookie']) >+ else: >+ fast_cookie = None >+ >+ if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED: >+ preauth_etype_info2 = ( >+ kdc_exchange_dict['preauth_etype_info2']) >+ else: >+ preauth_etype_info2 = None >+ >+ # Ensure we used all the parameters given to us. 
>+ self.assertEqual({}, kdc_dict) >+ >+ def generate_fast_armor_auth_data(self): >+ auth_data = self.AuthorizationData_create(AD_FX_FAST_ARMOR, b'') >+ >+ return auth_data >+ >+ def generate_fast_used_auth_data(self): >+ auth_data = self.AuthorizationData_create(AD_FX_FAST_USED, b'') >+ >+ return auth_data >+ >+ def gen_tgt_fast_armor_auth_data(self): >+ user_tgt = self.get_user_tgt() >+ >+ ticket_decryption_key = user_tgt.decryption_key >+ >+ tgt_encpart = self.getElementValue(user_tgt.ticket, 'enc-part') >+ self.assertElementEqual(tgt_encpart, 'etype', >+ ticket_decryption_key.etype) >+ self.assertElementKVNO(tgt_encpart, 'kvno', >+ ticket_decryption_key.kvno) >+ tgt_cipher = self.getElementValue(tgt_encpart, 'cipher') >+ tgt_decpart = ticket_decryption_key.decrypt(KU_TICKET, tgt_cipher) >+ tgt_private = self.der_decode(tgt_decpart, >+ asn1Spec=krb5_asn1.EncTicketPart()) >+ >+ auth_data = self.generate_fast_armor_auth_data() >+ tgt_private['authorization-data'].append(auth_data) >+ >+ # Re-encrypt the user TGT. >+ tgt_private_new = self.der_encode( >+ tgt_private, >+ asn1Spec=krb5_asn1.EncTicketPart()) >+ tgt_encpart = self.EncryptedData_create(ticket_decryption_key, >+ KU_TICKET, >+ tgt_private_new) >+ user_ticket = user_tgt.ticket.copy() >+ user_ticket['enc-part'] = tgt_encpart >+ >+ user_tgt = KerberosTicketCreds( >+ user_ticket, >+ session_key=user_tgt.session_key, >+ crealm=user_tgt.crealm, >+ cname=user_tgt.cname, >+ srealm=user_tgt.srealm, >+ sname=user_tgt.sname, >+ decryption_key=user_tgt.decryption_key, >+ ticket_private=tgt_private, >+ encpart_private=user_tgt.encpart_private) >+ >+ # Use our modifed TGT to replace the one in the request. 
>+ return user_tgt >+ >+ def create_fast_cookie(self, cookie): >+ self.assertIsNotNone(cookie) >+ if self.strict_checking: >+ self.assertNotEqual(0, len(cookie)) >+ >+ return self.PA_DATA_create(PADATA_FX_COOKIE, cookie) >+ >+ def get_pa_pac_request(self, request_pac=True): >+ pac_request = self.KERB_PA_PAC_REQUEST_create(request_pac) >+ >+ return pac_request >+ >+ def get_pa_pac_options(self, options): >+ pac_options = self.PA_PAC_OPTIONS_create(options) >+ pac_options = self.der_encode(pac_options, >+ asn1Spec=krb5_asn1.PA_PAC_OPTIONS()) >+ pac_options = self.PA_DATA_create(PADATA_PAC_OPTIONS, pac_options) >+ >+ return pac_options >+ >+ def check_kdc_fast_support(self): >+ # Check that the KDC supports FAST > >- # Create a user account for the test. >- # > samdb = self.get_samdb() >- user_name = "krb5fastusr" >- (uc, dn) = self.create_account(samdb, user_name) >- realm = uc.get_realm().lower() > >- # Do the initial AS-REQ, should get a pre-authentication required >- # response >+ krbtgt_rid = 502 >+ krbtgt_sid = '%s-%d' % (samdb.get_domain_sid(), krbtgt_rid) >+ >+ res = samdb.search(base='<SID=%s>' % krbtgt_sid, >+ scope=ldb.SCOPE_BASE, >+ attrs=['msDS-SupportedEncryptionTypes']) >+ >+ krbtgt_etypes = int(res[0]['msDS-SupportedEncryptionTypes'][0]) >+ >+ self.assertTrue( >+ security.KERB_ENCTYPE_FAST_SUPPORTED & krbtgt_etypes) >+ self.assertTrue( >+ security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED & krbtgt_etypes) >+ self.assertTrue( >+ security.KERB_ENCTYPE_CLAIMS_SUPPORTED & krbtgt_etypes) >+ >+ def get_service_ticket(self, tgt, target_creds, service='host'): > etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >- cname = self.PrincipalName_create( >- name_type=NT_PRINCIPAL, names=[user_name]) >- sname = self.PrincipalName_create( >- name_type=NT_SRV_INST, names=["krbtgt", realm]) >- >- rep = self.as_req(cname, sname, realm, etype) >- self.assertIsNotNone(rep) >- self.assertEqual(rep['msg-type'], 30) >- self.assertEqual(rep['error-code'], 25) >- >- fx_fast = 
self.get_padata_element(rep, PADATA_FX_FAST) >- self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >- >- fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) >- self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") >- >- def test_ignore_fast(self): >- ''' >- TODO reword this >- Attempt to authenticate with out FAST, i.e. ignoring the >- FAST advertised in the pre-auth >- ''' >- >- # Create a user account for the test. >- # >- samdb = self.get_samdb() >- user_name = "krb5fastusr" >- (uc, dn) = self.create_account(samdb, user_name) >- realm = uc.get_realm().lower() > >- # Do the initial AS-REQ, should get a pre-authentication required >- # response >+ key = tgt.session_key >+ ticket = tgt.ticket >+ >+ cname = tgt.cname >+ realm = tgt.crealm >+ >+ target_name = target_creds.get_username()[:-1] >+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[service, target_name]) >+ >+ rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype) >+ >+ service_ticket = rep['ticket'] >+ >+ ticket_etype = service_ticket['enc-part']['etype'] >+ target_key = self.TicketDecryptionKey_from_creds(target_creds, >+ etype=ticket_etype) >+ >+ session_key = self.EncryptionKey_import(enc_part['key']) >+ >+ service_ticket_creds = KerberosTicketCreds(service_ticket, >+ session_key, >+ crealm=realm, >+ cname=cname, >+ srealm=realm, >+ sname=sname, >+ decryption_key=target_key) >+ >+ return service_ticket_creds >+ >+ def get_tgt(self, creds): >+ user_name = creds.get_username() >+ realm = creds.get_realm() >+ >+ salt = creds.get_salt() >+ > etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >- cname = self.PrincipalName_create( >- name_type=NT_PRINCIPAL, names=[user_name]) >- sname = self.PrincipalName_create( >- name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ sname = self.PrincipalName_create(name_type=NT_SRV_INST, >+ names=['krbtgt', realm]) > >- rep = 
self.as_req(cname, sname, realm, etype) >- self.assertIsNotNone(rep) >- self.assertEqual(rep['msg-type'], 30) >- self.assertEqual(rep['error-code'], 25) >+ till = self.get_KerberosTime(offset=36000) > >- fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >- self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >+ krbtgt_creds = self.get_krbtgt_creds() >+ ticket_decryption_key = ( >+ self.TicketDecryptionKey_from_creds(krbtgt_creds)) > >- fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) >- self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") >+ kdc_options = str(krb5_asn1.KDCOptions('forwardable,' >+ 'renewable,' >+ 'canonicalize,' >+ 'renewable-ok')) > >- # Do the next AS-REQ >- padata = [self.get_enc_timestamp_pa_data(uc, rep)] >- rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ pac_request = self.get_pa_pac_request() >+ pac_options = self.get_pa_pac_options('1') # supports claims >+ >+ padata = [pac_request, pac_options] >+ >+ rep, kdc_exchange_dict = self._test_as_exchange( >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ till=till, >+ client_as_etypes=etype, >+ expected_error_mode=KDC_ERR_PREAUTH_REQUIRED, >+ expected_crealm=realm, >+ expected_cname=cname, >+ expected_srealm=realm, >+ expected_sname=sname, >+ expected_salt=salt, >+ etypes=etype, >+ padata=padata, >+ kdc_options=kdc_options, >+ preauth_key=None, >+ ticket_decryption_key=ticket_decryption_key) >+ self.check_pre_authentication(rep) >+ >+ etype_info2 = kdc_exchange_dict['preauth_etype_info2'] >+ >+ preauth_key = self.PasswordKey_from_etype_info2(creds, >+ etype_info2[0], >+ creds.get_kvno()) >+ >+ ts_enc_padata = self.get_enc_timestamp_pa_data(creds, rep) >+ >+ padata = [ts_enc_padata, pac_request, pac_options] >+ >+ expected_realm = realm.upper() >+ >+ expected_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=['krbtgt', realm.upper()]) >+ >+ rep, kdc_exchange_dict = self._test_as_exchange( >+ cname=cname, >+ realm=realm, >+ 
sname=sname, >+ till=till, >+ client_as_etypes=etype, >+ expected_error_mode=0, >+ expected_crealm=expected_realm, >+ expected_cname=cname, >+ expected_srealm=expected_realm, >+ expected_sname=expected_sname, >+ expected_salt=salt, >+ etypes=etype, >+ padata=padata, >+ kdc_options=kdc_options, >+ preauth_key=preauth_key, >+ ticket_decryption_key=ticket_decryption_key) > self.check_as_reply(rep) > >- def test_fast(self): >- ''' >- Attempt to authenticate with >- ''' >+ tgt = rep['ticket'] > >- # Create a user account for the test. >- # >- samdb = self.get_samdb() >- user_name = "krb5fastusr" >- (uc, dn) = self.create_account(samdb, user_name) >- realm = uc.get_realm().lower() >+ enc_part = self.get_as_rep_enc_data(preauth_key, rep) >+ session_key = self.EncryptionKey_import(enc_part['key']) > >- # Do the initial AS-REQ, should get a pre-authentication required >- # response >- etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >- cname = self.PrincipalName_create( >- name_type=NT_PRINCIPAL, names=[user_name]) >- sname = self.PrincipalName_create( >- name_type=NT_SRV_INST, names=["krbtgt", realm]) >- >- rep = self.as_req(cname, sname, realm, etype) >- self.assertIsNotNone(rep) >- self.assertEqual(rep['msg-type'], 30) >- self.assertEqual(rep['error-code'], 25) >- >- fx_fast = self.get_padata_element(rep, PADATA_FX_FAST) >- self.assertIsNotNone(fx_fast, "No PADATA_FX_FAST element") >- >- fx_cookie = self.get_padata_element(rep, PADATA_FX_COOKIE) >- self.assertIsNotNone(fx_cookie, "No PADATA_FX_COOKIE element") >- >- cookie = self.PA_DATA_create(PADATA_FX_COOKIE, fx_cookie) >- >- # Do the next AS-REQ >- padata = [self.get_enc_timestamp_pa_data(uc, rep)] >- padata.append(cookie) >- # req = self.AS_REQ_create(padata=padata, >- # kdc_options=str(kdc_options), >- # cname=cname, >- # realm=realm, >- # sname=sname, >- # from_time=None, >- # till_time=till, >- # renew_time=None, >- # nonce=0x7fffffff, >- # etypes=etypes, >- # addresses=None, >- # EncAuthorizationData=None, >- 
# EncAuthorizationData_key=None, >- # additional_tickets=None) >- # rep = self.as_req(cname, sname, realm, etype, padata=padata) >- # self.check_as_reply(rep) >+ ticket_creds = KerberosTicketCreds( >+ tgt, >+ session_key, >+ crealm=realm, >+ cname=cname, >+ srealm=realm, >+ sname=sname, >+ decryption_key=ticket_decryption_key) >+ >+ return ticket_creds, enc_part >+ >+ def get_mach_tgt(self): >+ if self.mach_tgt is None: >+ mach_creds = self.get_mach_creds() >+ type(self).mach_tgt, type(self).mach_enc_part = ( >+ self.get_tgt(mach_creds)) >+ >+ return self.mach_tgt >+ >+ def get_user_tgt(self): >+ if self.user_tgt is None: >+ user_creds = self.get_client_creds() >+ type(self).user_tgt, type(self).user_enc_part = ( >+ self.get_tgt(user_creds)) >+ >+ return self.user_tgt >+ >+ def get_user_service_ticket(self): >+ if self.user_service_ticket is None: >+ user_tgt = self.get_user_tgt() >+ service_creds = self.get_service_creds() >+ type(self).user_service_ticket = ( >+ self.get_service_ticket(user_tgt, service_creds)) >+ >+ return self.user_service_ticket >+ >+ def get_mach_service_ticket(self): >+ if self.mach_service_ticket is None: >+ mach_tgt = self.get_mach_tgt() >+ service_creds = self.get_service_creds() >+ type(self).mach_service_ticket = ( >+ self.get_service_ticket(mach_tgt, service_creds)) >+ >+ return self.mach_service_ticket > > > if __name__ == "__main__": >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index 66f07cebc14..02a3db1a3cd 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc 
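Review bot: in get_service_ticket, `target_name = target_creds.get_username()[:-1]` unconditionally drops the last character of the username, which is only correct when the service account name ends in '$'; if get_service_creds() ever returns a user-style account the sname is silently wrong and the TGS-REQ fails for an unrelated reason. Suggest checking the suffix explicitly before slicing, e.g. `self.assertTrue(target_name.endswith('$'))`, or stripping only a trailing '$'. A second point in the same hunk: get_mach_tgt, get_user_tgt and the two *_service_ticket helpers cache on `type(self)`, so one KerberosTicketCreds object is shared by every test in the class; any test that mutates the returned object (rather than copying it) will change what later tests see, which deserves a comment at the cache sites.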
>@@ -15,10 +15,52 @@ > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c > # >-# MIT specific FAST tests, >+# FAST tests > # >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_explicit_PA_FX_FAST_in_as_req\(ad_dc\) >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast\(ad_dc\) >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_cookie_retured_in_pre_auth\(ad_dc\) >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_supported\(ad_dc\) >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_ignore_fast\(ad_dc\) >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_empty_fast.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor2.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_used.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc 
>+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims_or_canon.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_flags.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc 
>+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index fffa5c3cd7e..0e302343111 100644 
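Review bot: the new knownfail entries use an unescaped `.ad_dc` suffix while the removed entries and the surrounding lines use `\(ad_dc\)`; it works because `.` also matches `(`, but it is looser and inconsistent with the rest of the file, so `\(ad_dc\)` would be preferable. Also, this Heimdal list omits test_fast_tgs_no_canon, test_fast_tgs_no_claims_or_canon and test_simple, all of which the knownfail_mit_kdc hunk in the same commit does list; if Heimdal passes those three the commit message should say so, otherwise they will fail the Heimdal KDC run rather than being marked known-failing.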
>--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
>@@ -647,3 +647,56 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > # > # fl2000dc doesn't support AES > ^samba4.krb5.kdc.*as-req-aes.*fl2000dc >+# >+# FAST tests >+# >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_empty_fast.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor2.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_used.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc 
>+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims_or_canon.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_flags.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_canon.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims_or_canon.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc 
>+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 56444fc5aa5..aed0fb36dc5 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -1482,7 +1482,7 @@ planpythontestsuite( > environ={ > 'ADMIN_USERNAME': '$USERNAME', > 'ADMIN_PASSWORD': '$PASSWORD', >- 'SERVICE_USERNAME': '$SERVER' >+ 'STRICT_CHECKING': '0', > }) > planpythontestsuite( > "ad_dc", >-- >2.25.1 
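Review bot: the source4/selftest/tests.py hunk turns off strict checking for the whole suite (`'STRICT_CHECKING': '0'`) without saying which checks fail against the KDC and why; a one-line comment next to the setting would stop the relaxation outliving its reason. The same hunk replaces `'SERVICE_USERNAME': '$SERVER'` rather than adding to it, so the FAST tests no longer receive SERVICE_USERNAME; that is fine only if get_service_creds() in the new test code obtains the service account another way, which is worth confirming in the commit message.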
> > >From 86c7d6d7bc96dd1cd82376881e54c1d43f59c4c6 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 14 Jul 2021 12:49:11 +0200 >Subject: [PATCH 079/108] mit-samba: Define debug class for kdb module > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 41d906301b8d13f831b155dcec37d88889b9f36c) >--- > source4/kdc/mit-kdb/kdb_samba_change_pwd.c | 3 +++ > source4/kdc/mit-kdb/kdb_samba_common.c | 3 +++ > source4/kdc/mit-kdb/kdb_samba_masterkey.c | 3 +++ > source4/kdc/mit-kdb/kdb_samba_pac.c | 3 +++ > source4/kdc/mit-kdb/kdb_samba_policies.c | 3 +++ > source4/kdc/mit-kdb/kdb_samba_principals.c | 3 +++ > source4/kdc/mit_samba.c | 3 +++ > 7 files changed, 21 insertions(+) > >diff --git a/source4/kdc/mit-kdb/kdb_samba_change_pwd.c b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c >index e0264cb4f09..ad7bb5d54ea 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_change_pwd.c >+++ b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c >@@ -30,6 +30,9 @@ > #include "kdc/mit_samba.h" > #include "kdb_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > krb5_error_code kdb_samba_change_pwd(krb5_context context, > krb5_keyblock *master_key, > krb5_key_salt_tuple *ks_tuple, >diff --git a/source4/kdc/mit-kdb/kdb_samba_common.c b/source4/kdc/mit-kdb/kdb_samba_common.c >index e89aed6aeba..35cac193a44 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_common.c >+++ b/source4/kdc/mit-kdb/kdb_samba_common.c >@@ -30,6 +30,9 @@ > #include "kdc/mit_samba.h" > #include "kdb_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > struct mit_samba_context *ks_get_context(krb5_context kcontext) > { > void *db_ctx; >diff --git a/source4/kdc/mit-kdb/kdb_samba_masterkey.c b/source4/kdc/mit-kdb/kdb_samba_masterkey.c >index 2c4fe72d8c2..b068d964735 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_masterkey.c 
>+++ b/source4/kdc/mit-kdb/kdb_samba_masterkey.c >@@ -31,6 +31,9 @@ > #include "kdc/mit_samba.h" > #include "kdb_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > krb5_error_code kdb_samba_fetch_master_key(krb5_context context, > krb5_principal name, > krb5_keyblock *key, >diff --git a/source4/kdc/mit-kdb/kdb_samba_pac.c b/source4/kdc/mit-kdb/kdb_samba_pac.c >index 15497603b10..75b05a62a07 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_pac.c >+++ b/source4/kdc/mit-kdb/kdb_samba_pac.c >@@ -30,6 +30,9 @@ > #include "kdc/mit_samba.h" > #include "kdb_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > krb5_error_code kdb_samba_dbekd_decrypt_key_data(krb5_context context, > const krb5_keyblock *mkey, > const krb5_key_data *key_data, >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index 9197551ed61..a8cf280bdb3 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -30,6 +30,9 @@ > #include "kdc/mit_samba.h" > #include "kdb_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > /* FIXME: This is a krb5 function which is exported, but in no header */ > extern krb5_error_code decode_krb5_padata_sequence(const krb5_data *output, > krb5_pa_data ***rep); >diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c >index 8b67436dc47..c17fe8b0a14 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_principals.c >+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c >@@ -30,6 +30,9 @@ > #include "kdc/mit_samba.h" > #include "kdb_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ > #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ > >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index feacc1b5f19..b3bb6b1b032 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c 
>@@ -40,6 +40,9 @@ > > #include "mit_samba.h" > >+#undef DBGC_CLASS >+#define DBGC_CLASS DBGC_KERBEROS >+ > void mit_samba_context_free(struct mit_samba_context *ctx) > { > /* free heimdal's krb5_context */ >-- >2.25.1 > > >From b639e963c1b7a1843323c9ab04a91cc859ef2121 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 11 Jun 2018 16:15:10 +0200 >Subject: [PATCH 080/108] mit-samba: Send the logging to the kdc log facility > >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit dd8138236bec3635c25e5b482b7a14faa0a9c36b) >--- > source4/kdc/mit_samba.c | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index b3bb6b1b032..0a142513608 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -25,6 +25,7 @@ > #include "param/param.h" > #include "dsdb/samdb/samdb.h" > #include "system/kerberos.h" >+#include <com_err.h> > #include <kdb.h> > #include <kadm5/kadm_err.h> > #include "kdc/sdb.h" >@@ -54,6 +55,22 @@ void mit_samba_context_free(struct mit_samba_context *ctx) > talloc_free(ctx); > } > >+/* >+ * Implemant a callback to log to the MIT KDC log facility >+ * >+ * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules >+ */ >+static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg) >+{ >+ int is_error = 1; >+ >+ if (msg_level > 0) { >+ is_error = 0; >+ } >+ >+ com_err("", is_error, "%s", msg); >+} >+ > int mit_samba_context_init(struct mit_samba_context **_ctx) > { > NTSTATUS status; >@@ -80,7 +97,7 @@ int mit_samba_context_init(struct mit_samba_context **_ctx) > goto done; > } > >- setup_logging("mitkdc", DEBUG_DEFAULT_STDOUT); >+ debug_set_callback(NULL, mit_samba_debug); > > /* init s4 configuration */ > s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx); >-- >2.25.1 
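Review bot: mit_samba_debug passes `is_error` (1 for Samba debug level 0, 0 otherwise) as the com_err error code; com_err treats a nonzero second argument as an error code and renders error_message(code), so a level-0 Samba message will be logged with the text for errno 1 ("Operation not permitted") in front of it rather than merely flagged as an error. The MIT plugin logging page linked in the comment uses a code of 0 for plain messages; if an error marker is wanted, pass a real krb5/com_err code, not a boolean. Minor: "Implemant" in the new comment should read "Implement".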
> > >From 21c0bfb38d48b3d6d4f898d5a8aa7a9f887fd720 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 12 Jul 2021 13:05:59 +0200 >Subject: [PATCH 081/108] mit-samba: Use talloc_get_type_abort() instead of > casting > >This is safer to use and fixes compiler warnings. > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 60159e03850f88cdee332ba65939cfe4582cb5e1) >--- > source4/kdc/mit_samba.c | 15 ++++++--------- > 1 file changed, 6 insertions(+), 9 deletions(-) > >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index 0a142513608..0a0d3a98315 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -1076,7 +1076,8 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, > struct samr_DomInfo1 *dominfo; > const char *error_string = NULL; > struct auth_user_info_dc *user_info_dc; >- struct samba_kdc_entry *p; >+ struct samba_kdc_entry *p = >+ talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); > krb5_error_code code = 0; > > #ifdef DEBUG_PASSWORD >@@ -1088,8 +1089,6 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, > return ENOMEM; > } > >- p = (struct samba_kdc_entry *)db_entry->e_data; >- > status = authsam_make_user_info_dc(tmp_ctx, > ctx->db_ctx->samdb, > lpcfg_netbios_name(ctx->db_ctx->lp_ctx), >@@ -1165,11 +1164,10 @@ out: > void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry) > { > struct netr_SendToSamBase *send_to_sam = NULL; >- struct samba_kdc_entry *p; >+ struct samba_kdc_entry *p = >+ talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); > struct ldb_dn *domain_dn; > >- p = (struct samba_kdc_entry *)db_entry->e_data; >- > domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb); > > authsam_logon_success_accounting(p->kdc_db_ctx->samdb, 
>@@ -1183,9 +1181,8 @@ void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry) > > void mit_samba_update_bad_password_count(krb5_db_entry *db_entry) > { >- struct samba_kdc_entry *p; >- >- p = (struct samba_kdc_entry *)db_entry->e_data; >+ struct samba_kdc_entry *p = >+ talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); > > authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb, > p->msg, >-- >2.25.1 > > >From c7711082d4620ad684c8b3e46cb1f04588fc9ce6 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 15 Jul 2021 08:48:37 +0200 >Subject: [PATCH 082/108] mit-samba: Only set the function opening bracket once > >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Thu Aug 5 10:33:18 UTC 2021 on sn-devel-184 > >(cherry picked from commit 104fc3539090ae9e161945ef9d18d897e3b71fed) >--- > source4/kdc/mit-kdb/kdb_samba_policies.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index a8cf280bdb3..c431567a7f4 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -304,7 +304,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > krb5_timestamp authtime, > krb5_authdata **tgt_auth_data, > krb5_authdata ***signed_auth_data) >-{ > #else > krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > unsigned int flags, >@@ -324,8 +323,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > void *authdata_info, > krb5_data ***auth_indicators, > krb5_authdata ***signed_auth_data) >-{ > #endif >+{ > krb5_authdata **authdata = NULL; > krb5_boolean is_as_req; > krb5_error_code code; >-- >2.25.1 > > >From 9095add290f71a697ce8c6f00e8db25a9fd07dc1 Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 23 Aug 2021 19:41:15 +1200 >Subject: [PATCH 083/108] samba-tool domain backup offline: Use passed in samdb > when backing up sam.ldb > >This avoids opening the database again by having the caller pass in >the DB open > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 423f808ff48e297745f576a52b2118c4b920a3e4) >--- > python/samba/netcmd/domain_backup.py | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) > >diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py >index 5cccccd40ec..4f669a940b7 100644 >--- a/python/samba/netcmd/domain_backup.py >+++ b/python/samba/netcmd/domain_backup.py >@@ -1020,8 +1020,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > else: > logger.info('Starting transaction on ' + sam_ldb_path) > copy_function = self.offline_tdb_copy >- sam_obj = Ldb(sam_ldb_path, lp=lp, flags=ldb.FLG_DONT_CREATE_DB) >- sam_obj.transaction_start() >+ samdb.transaction_start() > > logger.info(' backing up ' + sam_ldb_path) > self.offline_tdb_copy(sam_ldb_path) >@@ -1036,7 +1035,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > shutil.copyfile(sam_file, sam_file + self.backup_ext) > > if not mdb_backend: >- sam_obj.transaction_cancel() >+ samdb.transaction_cancel() > > # Find where a path should go in the fixed backup archive structure. > def get_arc_path(self, path, conf_paths): 
>@@ -1072,9 +1071,6 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > > check_targetdir(logger, targetdir) > >- samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp, >- flags=ldb.FLG_RDONLY) >- > # Iterating over the directories in this specific order ensures that > # when the private directory contains hardlinks that are also contained > # in other directories to be backed up (such as in paths.binddns_dir), >@@ -1117,7 +1113,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > > all_files.append(full_path) > >- # Backup secrets, sam.ldb and their downstream files >+ # We would prefer to open with FLG_RDONLY but then we can't >+ # start a transaction which is the strong isolation we want >+ # for the backup. >+ samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp, >+ flags=ldb.FLG_DONT_CREATE_DB) >+ > self.backup_secrets(paths.private_dir, lp, logger) > self.backup_smb_dbs(paths.private_dir, samdb, lp, logger) > >-- >2.25.1 > > >From 4247ac2c56a44e36a0470cc88cd93f1f4c82a5f6 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 23 Aug 2021 18:14:16 +1200 >Subject: [PATCH 084/108] samba-tool: Rework transactions/locks to hold a lock > during mdb backup > >We now also get sidForRestore under that lock, rather than >after the backup. > >This avoids using the database again after the backup process > >While not entirely clear how/why this matters with LMDB >as seen in Fedora 34, likely due to the same issues >seen with 0.9.26 or later fixed by commit >bb3dcd403ced922574a89011dd3814c4fe87dd76. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 
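Review bot: in the tdb branch of backup_smb_dbs, `samdb.transaction_start()` now runs on the caller's handle but `samdb.transaction_cancel()` is only reached on the success path; an exception from offline_tdb_copy or shutil.copyfile leaves a write transaction open on the samdb the caller keeps using. Wrapping the copy loop in try/finally would make the cancel unconditional. The -1117 hunk also drops the `# Backup secrets, sam.ldb and their downstream files` comment that described the two calls below the new SamDB open, leaving them unexplained.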
> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 958931ad379af26dcbc55cfbc49e7886ef8e0550) >--- > python/samba/netcmd/domain_backup.py | 38 +++++++++++++++++++++++----- > 1 file changed, 32 insertions(+), 6 deletions(-) > >diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py >index 4f669a940b7..3a2622c5c80 100644 >--- a/python/samba/netcmd/domain_backup.py >+++ b/python/samba/netcmd/domain_backup.py >@@ -1004,7 +1004,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > > # sam.ldb must have a transaction started on it before backing up > # everything in sam.ldb.d with the appropriate backup function. >+ # >+ # Obtains the sidForRestore (SID for the new DC) and returns it >+ # from under the transaction > def backup_smb_dbs(self, private_dir, samdb, lp, logger): >+ sam_ldb_path = os.path.join(private_dir, 'sam.ldb') >+ > # First, determine if DB backend is MDB. Assume not unless there is a > # 'backendStore' attribute on @PARTITION containing the text 'mdb' > store_label = "backendStore" 
>@@ -1012,11 +1017,24 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > attrs=[store_label]) > mdb_backend = store_label in res[0] and str(res[0][store_label][0]) == 'mdb' > >- sam_ldb_path = os.path.join(private_dir, 'sam.ldb') >+ # This is needed to keep this variable in scope until the end >+ # of the transaction. >+ res_iterator = None >+ > copy_function = None > if mdb_backend: > logger.info('MDB backend detected. Using mdb backup function.') > copy_function = self.offline_mdb_copy >+ >+ # We can't backup with a write transaction open, so get a >+ # read lock with a search_iterator(). >+ # >+ # We have tests in lib/ldb/tests/python/api.py that the >+ # search iterator takes a read lock effective against a >+ # transaction. This in turn will ensure there are no >+ # transactions on either the main or sub-database, even if >+ # the read locks were not enforced globally (they are). >+ res_iterator = samdb.search_iterator() > else: > logger.info('Starting transaction on ' + sam_ldb_path) > copy_function = self.offline_tdb_copy >@@ -1034,9 +1052,16 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > logger.info(' copying locked/related file ' + sam_file) > shutil.copyfile(sam_file, sam_file + self.backup_ext) > >- if not mdb_backend: >+ sid = get_sid_for_restore(samdb, logger) >+ >+ if mdb_backend: >+ # Delete the iterator, release the read lock >+ del(res_iterator) >+ else: > samdb.transaction_cancel() > >+ return sid >+ > # Find where a path should go in the fixed backup archive structure. > def get_arc_path(self, path, conf_paths): > backup_dirs = {"private": conf_paths.private_dir, 
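Review bot: releasing the mdb read lock with `del(res_iterator)` relies on CPython refcounting finalising the iterator immediately, which works but is implicit; `del` is a statement, so `del res_iterator` is the idiomatic form. As with the tdb transaction in the same function, the release only happens on the success path: an exception between `samdb.search_iterator()` and the del leaves the read lock held until the object is eventually collected. A try/finally around the copy loop that either deletes the iterator or cancels the transaction would close both gaps, and a comment that the iterator is deliberately never advanced would help the next reader.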
>@@ -1119,16 +1144,17 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > samdb = SamDB(url=paths.samdb, session_info=system_session(), lp=lp, > flags=ldb.FLG_DONT_CREATE_DB) > >+ # Backup secrets, sam.ldb and their downstream files > self.backup_secrets(paths.private_dir, lp, logger) >- self.backup_smb_dbs(paths.private_dir, samdb, lp, logger) >+ sid = self.backup_smb_dbs(paths.private_dir, samdb, lp, logger) > > # Get the domain SID so we can later place it in the backup > dom_sid_str = samdb.get_domain_sid() > dom_sid = security.dom_sid(dom_sid_str) > >- sid = get_sid_for_restore(samdb, logger) >- >- # Close the original samdb >+ # Close the original samdb, to avoid any confusion, we will >+ # not use this any more as the data has all been copied under >+ # the transaction > samdb = None > > # Open the new backed up samdb, flag it as backed up, and write >-- >2.25.1 > > >From d6404bfc5634cfc1368624b698723611b39b1e8c Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 23 Aug 2021 20:45:50 +1200 >Subject: [PATCH 085/108] samba-tool domain backup: Use tdbbackup on > metadata.tdb > >metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184 > >(cherry picked from commit 78942ad7d17a92cd39d9c46ae1b8348e9673ac30) >--- > python/samba/netcmd/domain_backup.py | 3 +++ > 1 file changed, 3 insertions(+) > >diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py >index 3a2622c5c80..81738196385 100644 >--- a/python/samba/netcmd/domain_backup.py >+++ b/python/samba/netcmd/domain_backup.py 
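Review bot: the new comment states the original samdb will "not [be] used any more as the data has all been copied under the transaction", but the two lines just above it still call `samdb.get_domain_sid()` after `backup_smb_dbs()` has returned and released the lock or transaction, which is exactly the post-backup database use the commit message says this change avoids. Suggest fetching the domain SID inside backup_smb_dbs next to get_sid_for_restore and returning both, or moving the get_domain_sid() call ahead of the backup.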
>@@ -1048,6 +1048,9 @@ class cmd_domain_backup_offline(samba.netcmd.Command): > if sam_file.endswith('.ldb'): > logger.info(' backing up locked/related file ' + sam_file) > copy_function(sam_file) >+ elif sam_file.endswith('.tdb'): >+ logger.info(' tdbbackup of locked/related file ' + sam_file) >+ self.offline_tdb_copy(sam_file) > else: > logger.info(' copying locked/related file ' + sam_file) > shutil.copyfile(sam_file, sam_file + self.backup_ext) >-- >2.25.1 > > >From 8f064ee29a1c8c092a4e98c7c23b965abcc14c65 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 16 Aug 2021 13:40:39 +1200 >Subject: [PATCH 086/108] autobuild.py: Explain why each job is removed from > the default set > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 167ad96136b42b5cb601decc0fc68c9603c8b172) >--- > script/autobuild.py | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/script/autobuild.py b/script/autobuild.py >index b1dcece0093..d4a335c0320 100755 >--- a/script/autobuild.py >+++ b/script/autobuild.py 
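Review bot: the new `elif sam_file.endswith('.tdb'):` branch calls `self.offline_tdb_copy()` regardless of `mdb_backend`, which is correct (metadata.tdb is a TDB file even when sam.ldb uses the MDB backend) but not obvious next to the `copy_function` indirection above it. Add a one-line comment saying the branch is intentional, and note that it matches every `.tdb` under sam.ldb.d/, not only metadata.tdb, in case other TDB files appear there later.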
>@@ -1002,14 +1002,26 @@ defaulttasks = list(tasks.keys()) > > defaulttasks.remove("pass") > defaulttasks.remove("fail") >+ >+# The build tasks will be brought in by the test tasks as needed > defaulttasks.remove("samba-def-build") > defaulttasks.remove("samba-nt4-build") > defaulttasks.remove("samba-mit-build") > defaulttasks.remove("samba-h5l-build") > defaulttasks.remove("samba-no-opath-build") >+ >+# This is not a normal test, but a task to support manually running >+# one test under autobuild > defaulttasks.remove("samba-test-only") >+ >+# Only built on GitLab CI and not in the default autobuild because it >+# uses too much space (4GB of semi-static binaries) > defaulttasks.remove("samba-fuzz") >+ >+# The FIPS build runs only in GitLab CI on a current Fedora Docker >+# container where a simulated FIPS mode is possible. > defaulttasks.remove("samba-fips") >+ > if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1": > defaulttasks.remove("samba-o3") > >-- >2.25.1 > > >From 3164823cf789241e083bb893c2624e98ac34c512 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 18 Aug 2021 14:59:47 +1200 >Subject: [PATCH 087/108] gitlab-ci/autobuild: Add new build confirming > behaviour on older MIT Kerberos > >Because the MIT KDC builds are moving to current MIT and out of the default autobuild >this ensures that on our default host, which is closer to what most of our >users operate, Samba still works with Kerberos. > >This uses the ktest environment that does not require the KDC to exist >and instead uses a static ccache and keytab. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 6145c388d201d817444322dee67ca1ec1989ecd1) >--- > .gitlab-ci-main.yml | 7 +++++++ > script/autobuild.py | 24 ++++++++++++++++++++++-- > 2 files changed, 29 insertions(+), 2 deletions(-) 
> >diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml >index 657b28e274f..0ac6f67fcdf 100644 >--- a/.gitlab-ci-main.yml >+++ b/.gitlab-ci-main.yml >@@ -383,6 +383,13 @@ samba-fips: > samba-fileserver: > extends: .needs_samba-h5l-build-private > >+# This is a full build without the AD DC so we test the build with MIT >+# Kerberos from the default system (Ubuntu 18.04 at this stage). >+# Runtime behaviour checked via the ktest (static ccache and keytab) >+# environment >+samba-ktest-mit: >+ extends: .shared_template >+ > samba-ad-dc-1: > extends: .needs_samba-def-build-private > >diff --git a/script/autobuild.py b/script/autobuild.py >index d4a335c0320..9db8c88f2c7 100755 >--- a/script/autobuild.py >+++ b/script/autobuild.py >@@ -426,8 +426,28 @@ tasks = { > "fileserver_smb1", > "fileserver_smb1_done", > "maptoguest", >- "ktest", # ktest is also tested in samba and samba-mitkrb5 >- # but is tested here against a system Heimdal >+ "ktest", # ktest is also tested in samba-ktest-mit samba >+ # and samba-mitkrb5 but is tested here against >+ # a system Heimdal >+ ])), >+ ("lcov", LCOV_CMD), >+ ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), >+ ], >+ }, >+ >+ # This is a full build without the AD DC so we test the build with >+ # MIT Kerberos from the current system. Runtime behaviour is >+ # confirmed via the ktest (static ccache and keytab) environment >+ >+ "samba-ktest-mit": { >+ "sequence": [ >+ ("random-sleep", random_sleep(300, 900)), >+ ("configure", "./configure.developer --without-ad-dc --with-system-mitkrb5 " + samba_configure_params), >+ ("make", "make -j"), >+ ("test", make_test(include_envs=[ >+ "ktest", # ktest is also tested in fileserver, samba and >+ # samba-mitkrb5 but is tested here against a >+ # system MIT krb5 > ])), > ("lcov", LCOV_CMD), > ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), >-- >2.25.1 > > >From 47bd1ae6dfc7d17d867cab4be8e21c0d5f3fd28a Mon Sep 17 00:00:00 2001 
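Review bot: the updated comment in the `@@ -426,8 +426,28 @@` hunk, "ktest is also tested in samba-ktest-mit samba and samba-mitkrb5", is missing a comma between the first two job names and reads as one name. Also the comment block introducing the new `samba-ktest-mit` task is followed by a blank line before the dict key, unlike the other task comments in this file; keep it attached to the key so it is clearly documentation for that task. The task itself (`--without-ad-dc --with-system-mitkrb5`, then `ktest` only) matches what the commit message describes.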
>From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 16 Aug 2021 13:52:04 +1200 >Subject: [PATCH 088/108] gitlab-ci: Move MIT builds to current Fedora so we > can test against a current MIT KDC > >Fedora packages current MIT builds pretty fast so we base our >MIT KDC tests there, as this avoids backporting and tests against >the most current code. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 649b0741e17909afce762a5b84c1231600eec5f0) >--- > .gitlab-ci-main.yml | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml >index 0ac6f67fcdf..ce80561ba0f 100644 >--- a/.gitlab-ci-main.yml >+++ b/.gitlab-ci-main.yml >@@ -234,10 +234,14 @@ samba-def-build: > > samba-mit-build: > extends: .shared_template_build_only >+ variables: >+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} > stage: build_first > > .needs_samba-mit-build: > extends: .shared_template_test_only >+ variables: >+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} > needs: > - job: samba-mit-build > artifacts: true >@@ -274,6 +278,8 @@ samba: > > samba-mitkrb5: > extends: .shared_template >+ variables: >+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} > > samba-minimal-smbd: > extends: .shared_template >-- >2.25.1 > > >From e46146ba58c5281b20c1941cb881bbcf0c6b300c Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 16 Aug 2021 13:53:58 +1200 >Subject: [PATCH 089/108] autobuild.py: Do not build MIT builds by default (eg > sn-devel) > >This avoids the need for MIT KDC tests and the MIT KDC glue code to >operate against the older MIT 1.16 found on Ubuntu 18.04, which >is our current build environment. 
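Review bot: the `@@ -234,10 +234,14 @@` and `@@ -274,6 +278,8 @@` hunks repeat the same two-line `variables:` block three times for `samba-mit-build`, `.needs_samba-mit-build` and `samba-mitkrb5`. A small `.fedora34_image` template (or a YAML anchor) extended by all three would keep the image choice in one place when the Fedora version is next bumped. Please also confirm `SAMBA_CI_CONTAINER_IMAGE_fedora34` is defined in the top-level `variables:` section, as that definition is not part of this patch.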
> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit ff267c3c790c0ae9f276225f67fb543d6371cb53) >--- > script/autobuild.py | 11 +++++++++++ > 1 file changed, 11 insertions(+) > >diff --git a/script/autobuild.py b/script/autobuild.py >index 9db8c88f2c7..97731215282 100755 >--- a/script/autobuild.py >+++ b/script/autobuild.py >@@ -1042,6 +1042,17 @@ defaulttasks.remove("samba-fuzz") > # container where a simulated FIPS mode is possible. > defaulttasks.remove("samba-fips") > >+# The MIT build runs on a current Fedora where an up to date MIT KDC >+# is already packaged. This avoids needing to backport a current MIT >+# to the default Ubuntu 18.04, particularly during development, and >+# the need to install on the shared sn-devel-184. >+ >+defaulttasks.remove("samba-mitkrb5") >+defaulttasks.remove("samba-admem-mit") >+defaulttasks.remove("samba-addc-mit-1") >+defaulttasks.remove("samba-addc-mit-4a") >+defaulttasks.remove("samba-addc-mit-4b") >+ > if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1": > defaulttasks.remove("samba-o3") > >-- >2.25.1 > > >From d4cae8e82f975a5f3e00685f1e6e361602e03940 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 16 Aug 2021 14:25:54 +1200 >Subject: [PATCH 090/108] build: Move minimum MIT krb5 version to 1.19 to align > with what is tested > >This avoids shipping untested code and aligns with the version >used in GitLab CI for all the MIT builds. > >The "bronze bit" (CVE-2020-17049) security fixes will need >a new MIT KDB version in any case, this prepares the ground >by removing the older version support. > >(knownfail_mit_kdc updates taken from a patch by >Andreas Schneider <asn@samba.org> that did this optionally) 
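Review bot: the five `defaulttasks.remove("samba-...-mit...")` calls in the `@@ -1042,6 +1042,17 @@` hunk each raise ValueError if the name is ever renamed or dropped from `tasks`, which would break every autobuild run rather than just the MIT jobs. Consider iterating over a list of names and skipping those not present, or at least keeping this list adjacent to the task definitions so renames are caught together. Minor: "up to date MIT KDC" in the comment should be hyphenated as "up-to-date".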
> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 554bdfa8a04fd95c710b486890277dd92f685f2f) >--- > selftest/knownfail_mit_kdc | 20 -------------------- > selftest/knownfail_mit_krb5_pre_1_18 | 1 - > selftest/wscript | 3 --- > wscript_configure_system_mitkrb5 | 4 +--- > 4 files changed, 1 insertion(+), 27 deletions(-) > delete mode 100644 selftest/knownfail_mit_krb5_pre_1_18 > >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 0e302343111..8b3015f254a 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
>@@ -146,14 +146,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( 
>-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( 
>@@ -170,10 +162,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\( 
>@@ -239,14 +227,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( 
>-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( >-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\( > ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\( >diff --git a/selftest/knownfail_mit_krb5_pre_1_18 b/selftest/knownfail_mit_krb5_pre_1_18 >deleted file mode 100644 >index ef1a3d5aa91..00000000000 >--- a/selftest/knownfail_mit_krb5_pre_1_18 >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.blackbox.kinit.kinit.with.canonicalize >diff --git a/selftest/wscript b/selftest/wscript >index afb1fa936cd..a6be06c2ae9 100644 >--- a/selftest/wscript >+++ b/selftest/wscript >@@ -142,9 +142,6 @@ def cmd_testonly(opt): > '--flapping=${srcdir}/selftest/flapping ' > '--flapping=${srcdir}/selftest/flapping.d') > >- if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'): >- env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18' >- > if Options.options.FAIL_IMMEDIATELY: > env.FILTER_XFAIL += ' --fail-immediately' > >diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 >index f971194c2cd..6f7bbd4ed13 100644 >--- a/wscript_configure_system_mitkrb5 >+++ b/wscript_configure_system_mitkrb5 
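Review bot: deleting `selftest/knownfail_mit_krb5_pre_1_18` and the `CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18')` branch in `selftest/wscript` is consistent with the define being removed in the configure script, but nothing in these hunks shows that no other consumer of `HAVE_MIT_KRB5_PRE_1_18` remains (C sources included). A quick grep before merge would confirm that the only remaining reference was the one removed here, since a stale `#ifdef` would silently compile out code rather than fail.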
>@@ -9,7 +9,7 @@ krb5_min_required_version = "1.9" > # Requried versions > krb5_required_version = krb5_min_required_version > if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): >- krb5_required_version = "1.15.1" >+ krb5_required_version = "1.19" > > def parse_version(v): > return tuple(map(int, (v.split(".")))) >@@ -77,8 +77,6 @@ if conf.env.KRB5_CONFIG: > else: > Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version)) > >- if parse_version(krb5_version) < parse_version('1.18'): >- conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1) > conf.define('USING_SYSTEM_MITKRB5', '"%s"' % krb5_version) > > conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err") >-- >2.25.1 > > >From 8cc7f57e5c5688e3a47af92bf4cd97668e32941d Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 16 Aug 2021 14:46:31 +1200 >Subject: [PATCH 091/108] mit-kdc: Remove build time support for KDB_API < 10 > >The previous commits restricted the MIT KDC build to MIT 1.19 and this removes the > #ifdef in the code of what will become untested code. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184 > >(cherry picked from commit 9b9fd2a0d9ca81aa16ddfe2f7e219b94e2ac158b) >--- > source4/kdc/mit-kdb/kdb_samba.h | 32 ------------------ > source4/kdc/mit-kdb/kdb_samba_policies.c | 38 ---------------------- > source4/kdc/mit-kdb/kdb_samba_principals.c | 7 ---- > 3 files changed, 77 deletions(-) > >diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h >index ad4f6e27573..8a29334bcea 100644 >--- a/source4/kdc/mit-kdb/kdb_samba.h >+++ b/source4/kdc/mit-kdb/kdb_samba.h 
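Review bot: the `@@ -9,7 +9,7 @@` hunk only raises `krb5_required_version` inside the `AD_DC_BUILD_IS_ENABLED` branch; `krb5_min_required_version = "1.9"` is untouched, so non-AD-DC builds (such as the new `samba-ktest-mit` job on Ubuntu 18.04) still accept older MIT. That is presumably intended, but the commit subject "Move minimum MIT krb5 version to 1.19" reads as a global change; please qualify it as the AD DC / KDC build requirement in the message. Drive-by: the context line `# Requried versions` has a typo ("Required") that could be fixed while touching this block.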
>@@ -71,18 +71,11 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context, > krb5_error_code kdb_samba_db_delete_principal(krb5_context context, > krb5_const_principal princ); > >-#if KRB5_KDB_API_VERSION >= 8 > krb5_error_code kdb_samba_db_iterate(krb5_context context, > char *match_entry, > int (*func)(krb5_pointer, krb5_db_entry *), > krb5_pointer func_arg, > krb5_flags iterflags); >-#else >-krb5_error_code kdb_samba_db_iterate(krb5_context context, >- char *match_entry, >- int (*func)(krb5_pointer, krb5_db_entry *), >- krb5_pointer func_arg); >-#endif > > /* from kdb_samba_masterkey.c */ > >@@ -114,21 +107,6 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context, > > /* from kdb_samba_policies.c */ > >-#if KRB5_KDB_API_VERSION < 10 >-krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, >- unsigned int flags, >- krb5_const_principal client_princ, >- krb5_db_entry *client, >- krb5_db_entry *server, >- krb5_db_entry *krbtgt, >- krb5_keyblock *client_key, >- krb5_keyblock *server_key, >- krb5_keyblock *krbtgt_key, >- krb5_keyblock *session_key, >- krb5_timestamp authtime, >- krb5_authdata **tgt_auth_data, >- krb5_authdata ***signed_auth_data); >-#else > krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > unsigned int flags, > krb5_const_principal client_princ, >@@ -147,7 +125,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > void *authdata_info, > krb5_data ***auth_indicators, > krb5_authdata ***signed_auth_data); >-#endif > > krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > krb5_kdc_req *kdcreq, >@@ -162,7 +139,6 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, > const krb5_db_entry *server, > krb5_const_principal proxy); > >-#if KRB5_KDB_API_VERSION >= 9 > void kdb_samba_db_audit_as_req(krb5_context kcontext, > krb5_kdc_req *request, > const krb5_address *local_addr, 
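Review bot: with the `KRB5_KDB_API_VERSION >= 8`, `< 10` and `>= 9` conditionals gone from kdb_samba.h, the header no longer checks the KDB API version at all. Building against an older libkdb5 would now fail with prototype mismatches in the DAL vtable rather than a clear message; add a single guard near the top, e.g. `#if KRB5_KDB_API_VERSION < 10` / `#error "Samba MIT KDB module requires KDB API >= 10 (MIT krb5 1.19)"` / `#endif`, so the configure-time 1.19 requirement is also enforced at compile time.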
>@@ -171,14 +147,6 @@ void kdb_samba_db_audit_as_req(krb5_context kcontext, > krb5_db_entry *server, > krb5_timestamp authtime, > krb5_error_code error_code); >-#else >-void kdb_samba_db_audit_as_req(krb5_context kcontext, >- krb5_kdc_req *request, >- krb5_db_entry *client, >- krb5_db_entry *server, >- krb5_timestamp authtime, >- krb5_error_code error_code); >-#endif > > /* from kdb_samba_change_pwd.c */ > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index c431567a7f4..ac9865aac60 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -290,21 +290,6 @@ done: > return code; > } > >-#if KRB5_KDB_API_VERSION < 10 >-krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, >- unsigned int flags, >- krb5_const_principal client_princ, >- krb5_db_entry *client, >- krb5_db_entry *server, >- krb5_db_entry *krbtgt, >- krb5_keyblock *client_key, >- krb5_keyblock *server_key, >- krb5_keyblock *krbtgt_key, >- krb5_keyblock *session_key, >- krb5_timestamp authtime, >- krb5_authdata **tgt_auth_data, >- krb5_authdata ***signed_auth_data) >-#else > krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > unsigned int flags, > krb5_const_principal client_princ, >@@ -323,7 +308,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > void *authdata_info, > krb5_data ***auth_indicators, > krb5_authdata ***signed_auth_data) >-#endif > { > krb5_authdata **authdata = NULL; > krb5_boolean is_as_req; >@@ -331,10 +315,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, > krb5_pac pac = NULL; > krb5_data pac_data; > >-#if KRB5_KDB_API_VERSION >= 10 > krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; > krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; >-#endif > > /* FIXME: We don't support S4U yet */ > if (flags & KRB5_KDB_FLAGS_S4U) { 
>@@ -477,7 +459,6 @@ static void samba_bad_password_count(krb5_db_entry *client, > } > } > >-#if KRB5_KDB_API_VERSION >= 9 > void kdb_samba_db_audit_as_req(krb5_context context, > krb5_kdc_req *request, > const krb5_address *local_addr, >@@ -499,22 +480,3 @@ void kdb_samba_db_audit_as_req(krb5_context context, > > /* TODO: perform proper audit logging for addresses */ > } >-#else >-void kdb_samba_db_audit_as_req(krb5_context context, >- krb5_kdc_req *request, >- krb5_db_entry *client, >- krb5_db_entry *server, >- krb5_timestamp authtime, >- krb5_error_code error_code) >-{ >- /* >- * FIXME: This segfaulted with a FAST test >- * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0 >- */ >- if (client == NULL) { >- return; >- } >- >- samba_bad_password_count(client, error_code); >-} >-#endif >diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c >index c17fe8b0a14..a8c99b025c9 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_principals.c >+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c >@@ -311,18 +311,11 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context, > return KRB5_KDB_DB_INUSE; > } > >-#if KRB5_KDB_API_VERSION >= 8 > krb5_error_code kdb_samba_db_iterate(krb5_context context, > char *match_entry, > int (*func)(krb5_pointer, krb5_db_entry *), > krb5_pointer func_arg, > krb5_flags iterflags) >-#else >-krb5_error_code kdb_samba_db_iterate(krb5_context context, >- char *match_entry, >- int (*func)(krb5_pointer, krb5_db_entry *), >- krb5_pointer func_arg) >-#endif > { > struct mit_samba_context *mit_ctx; > krb5_db_entry *kentry = NULL; >-- >2.25.1 > > >From 38c0da4f88648be30e27a624e585e91b1f36be09 Mon Sep 17 00:00:00 2001 
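Review bot: the deleted pre-API-9 `kdb_samba_db_audit_as_req` in the `@@ -499,22 +480,3 @@` hunk carried an explicit `if (client == NULL) { return; }` guard with a FIXME about a FAST-armor segfault before calling `samba_bad_password_count(client, error_code)`. The retained variant's body is outside the hunk context, so please confirm it has an equivalent NULL check; otherwise this cleanup silently drops the only defence against that crash in the audit path.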
>From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Sep 2021 20:45:03 +1200 >Subject: [PATCH 092/108] bootstrap: Update to get newer krb5 on Fedora 34 > >We need the update FEDORA-2021-20b495cb94 (krb5) to >get a fix for CVE-2021-37750 (explicit NULL deref on KDC) >so our CI will pass as we have a test for this. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit e9c8ac4adbca2f8cb45470ccb45a45039188a285) >--- > .gitlab-ci-main.yml | 2 +- > bootstrap/config.py | 3 +++ > bootstrap/sha1sum.txt | 2 +- > 3 files changed, 5 insertions(+), 2 deletions(-) > >diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml >index ce80561ba0f..4b2f17938c8 100644 >--- a/.gitlab-ci-main.yml >+++ b/.gitlab-ci-main.yml >@@ -42,7 +42,7 @@ variables: > # Set this to the contents of bootstrap/sha1sum.txt > # which is generated by bootstrap/template.py --render > # >- SAMBA_CI_CONTAINER_TAG: b5333a93306e20ba549f5fac3c6c74e0b103c1d6 >+ SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 > # > # We use the ubuntu1804 image as default as > # it matches what we have on sn-devel-184. >diff --git a/bootstrap/config.py b/bootstrap/config.py >index 821ce3d5cc2..ba4304bb9f8 100644 >--- a/bootstrap/config.py >+++ b/bootstrap/config.py >@@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba. > > Config file for packages and templates. > >+Update the lists in this file to require new packages in the >+container images used in GitLab CI >+ > Author: Joe Guo <joeg@catalyst.net.nz> > """ > import os >diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt >index e7de92cc504..e433f698b68 100644 >--- a/bootstrap/sha1sum.txt >+++ b/bootstrap/sha1sum.txt >@@ -1 +1 @@ >-b5333a93306e20ba549f5fac3c6c74e0b103c1d6 >+733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 >-- >2.25.1 > > >From 58f3d8444d7581703ba8c18ef54f000ee855c079 Mon Sep 17 00:00:00 2001 
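Review bot: nothing in this patch pins the krb5 package version; the CVE-2021-37750 fix arrives only because the `SAMBA_CI_CONTAINER_TAG` / `bootstrap/sha1sum.txt` bump forces an image rebuild that picks up whatever Fedora 34 currently ships. A rebuild against a stale mirror would produce a "fixed" tag with the old krb5 and the KDC crash test would fail again without an obvious cause. Consider recording the advisory (FEDORA-2021-20b495cb94) or the minimum krb5 version in a comment beside the fedora34 package list in `bootstrap/config.py`, where the only change here is the docstring (which is also missing its terminating period).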
>From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Sep 2021 20:55:40 +1200 >Subject: [PATCH 093/108] bootstrap: SAMBA_CI_CONTAINER_TAG is now in > .gitlab-ci-main.yml > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 5805a7c49aa13b578a717cbbc46460741d325c65) >--- > bootstrap/README.md | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/bootstrap/README.md b/bootstrap/README.md >index 47ef1c67836..d825e30dc05 100644 >--- a/bootstrap/README.md >+++ b/bootstrap/README.md >@@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks: > bootstrap/template.py --sha1sum > > The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in >-the toplevel .gitlab-ci.yml file. >+the toplevel .gitlab-ci-main.yml file. > > ## User Stories > >-- >2.25.1 > > >From c37e6e3161a8087a0b7126b17d50a61588f7cf84 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Sep 2021 20:53:45 +1200 >Subject: [PATCH 094/108] Update common on currently supported Fedora versions > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7) >--- > bootstrap/README.md | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/bootstrap/README.md b/bootstrap/README.md >index d825e30dc05..44a354de545 100644 >--- a/bootstrap/README.md >+++ b/bootstrap/README.md >@@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution > ## Supported Distributions > > deb: Debian 10, Ubuntu 1604|1804|2004 >-rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2 >+rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2 > > Easy to add more. > >-- >2.25.1 
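Review bot: the README hunk `@@ -13,7 +13,7 @@` correctly tracks the generated-dists directories (fedora33, fedora34) added earlier in this series, but the commit subject "Update common on currently supported Fedora versions" appears to mean "Update comment"; worth fixing before it lands in the 4.15 history.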
> > >From 31717700d22f26ea1c0729b9ee2ccd70cb6331e5 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Aug 2021 13:35:59 +1200 >Subject: [PATCH 095/108] tests/krb5: Make e-data checking less strict > >Without this additional 'self.strict_checking' check, the tests in the >following patches do not get far enough to trigger a crash with the MIT >KDC, instead failing when obtaining a TGT for the user or machine. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 79dda329f2a8382f1e46b50f4b9692e78d687826) >--- > python/samba/tests/krb5/raw_testcase.py | 5 +- > selftest/knownfail_mit_kdc | 341 ------------------------ > 2 files changed, 3 insertions(+), 343 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 17ef8df5daa..22f64f25f14 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2504,8 +2504,9 @@ class RawKerberosTest(TestCaseInTempDir): > if self.strict_checking: > self.assertIsNone(enc_challenge) > if not sent_enc_challenge: >- self.assertIsNotNone(pk_as_req) >- self.assertIsNotNone(pk_as_rep19) >+ if self.strict_checking: >+ self.assertIsNotNone(pk_as_req) >+ self.assertIsNotNone(pk_as_rep19) > else: > self.assertIsNone(pk_as_req) > self.assertIsNone(pk_as_rep19) >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 8b3015f254a..ae1d8702e18 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
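Review bot: the `@@ -2504,8 +2504,9 @@` hunk makes the `assertIsNotNone(pk_as_req)` / `assertIsNotNone(pk_as_rep19)` checks conditional on `self.strict_checking` while the `else:` branch still asserts `assertIsNone` unconditionally. The asymmetry is deliberate (a KDC that omits the PKINIT e-data should not block the crash tests that follow), but in non-strict mode the missing e-data now passes silently; add a comment at the `if self.strict_checking:` line explaining that MIT does not send these padata so the gap stays visible to the next person tightening the checks.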
>@@ -271,356 +271,15 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c > # >-# MIT currently fails the test_as_req_enc_timestamp test. >-# >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp.fl2008r2dc >-# > # MIT currently fails some as_req_no_preauth tests. > # > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_True.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_True.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2003dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2008r2dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2003dc > ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_False.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_None.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_None.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_True.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_False.fl2003dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_False.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_None.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_pac_True.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_False.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_False.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_None.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_None.fl2008r2dc 
>-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_True.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_pac_True.fl2008r2dc > # Differences in our KDC compared to windows > # > ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally >-- >2.25.1 > > >From 424da36a9590791fcecc5a9a11503a4c5fb3c975 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 1 Sep 2021 14:43:53 +1200 >Subject: [PATCH 096/108] tests/krb5: Make cname checking less strict > >Without this additional 'self.strict_checking' check, the tests in the >following patches do not get far enough to trigger a crash with the MIT >KDC. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 36798f5b651a02b74b6844c024101f7a026f1f68) >--- > python/samba/tests/krb5/raw_testcase.py | 5 ++-- > selftest/knownfail_mit_kdc | 39 ------------------------- > 2 files changed, 3 insertions(+), 41 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 22f64f25f14..32de51c2da4 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
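Review bot: the knownfail_mit_kdc hunk ending above removes a large block of `test_as_req_no_preauth_*` entries but keeps the four `test_as_req_no_preauth_rc4*` lines (`> ^...test_as_req_no_preauth_rc4.fl2003dc` and the three that follow) as unchanged context; the commit message should record why RC4-first requests still fail against the MIT KDC while every other etype permutation now passes, otherwise a later reader cannot tell a genuine KDC behaviour difference from a stale entry.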
>@@ -2043,8 +2043,9 @@ class RawKerberosTest(TestCaseInTempDir): > ticket_session_key = self.EncryptionKey_import(ticket_key) > self.assertElementEqualUTF8(ticket_private, 'crealm', > expected_crealm) >- self.assertElementEqualPrincipal(ticket_private, 'cname', >- expected_cname) >+ if self.strict_checking: >+ self.assertElementEqualPrincipal(ticket_private, 'cname', >+ expected_cname) > self.assertElementPresent(ticket_private, 'transited') > self.assertElementPresent(ticket_private, 'authtime') > if self.strict_checking: >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index ae1d8702e18..be590f997a0 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
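Review bot: the new `if self.strict_checking:` guard around `assertElementEqualPrincipal(ticket_private, 'cname', ...)` sits two lines above an existing `if self.strict_checking:` block (the one after `assertElementPresent(ticket_private, 'authtime')`), so the cname assertion could move into that block rather than adding a second conditional; more importantly, a comment should say which KDC returns a cname that differs from `expected_cname` (the message only says the MIT tests otherwise stop early), because in non-strict mode a ticket issued for a different client principal now passes this check silently.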
>@@ -289,53 +289,14 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > # > # FAST tests > # >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_empty_fast.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor2.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket2.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_used.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_armor_type2.ad_dc > 
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_canon.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_claims_or_canon.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_flags.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_nonce.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_realm.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_wrong_till.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_canon.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims_or_canon.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc 
>-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc >-- >2.25.1 > > >From c5a33493a01dbf2ac6b94c3e1f0f61677bdcb11a Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 16:52:29 +1200 >Subject: [PATCH 097/108] tests/krb5: Add test for sending > PA-ENCRYPTED-CHALLENGE without FAST > >Note: This test crashed the MIT KDC prior to MIT commit >fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given >CVE-2021-36222. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 
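Review bot: the knownfail_mit_kdc hunk of PATCH 096 above removes 39 FAST entries, which means those tests now pass against the MIT KDC, yet the commit message only says the tests "do not get far enough to trigger a crash"; please state that the passes are a consequence of relaxing the cname check in non-strict mode, and confirm that the entries left in place (e.g. `test_fast_ad_fx_fast_armor`, `test_fast_invalid_tgt`, `test_fast_tgs_armor`, `test_fast_unknown_critical_option`) fail for reasons other than cname, so nobody tries to clear them the same way.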
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 15f9f040fe537ebd30419a4751aa0f13b20f242b) >--- > python/samba/tests/krb5/fast_tests.py | 15 +++++++++++++++ > selftest/knownfail_heimdal_kdc | 1 + > 2 files changed, 16 insertions(+) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index e38b2e0a6e1..6d08ad942e1 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py >@@ -405,6 +405,21 @@ class FAST_Tests(KDCBaseTest): > } > ]) > >+ def test_fast_encrypted_challenge_no_fast(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': False >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_FAILED, >+ 'use_fast': False, >+ 'gen_padata_fn': self.generate_enc_challenge_padata_wrong_key >+ } >+ ]) >+ > def test_fast_encrypted_challenge_clock_skew(self): > # The KDC is supposed to confirm that the timestamp is within its > # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index 02a3db1a3cd..c177706822e 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc 
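Review bot: `test_fast_encrypted_challenge_no_fast` carries no docstring or comment explaining what it guards, although the commit message ties it to CVE-2021-36222; a one-line comment such as `# PA-ENCRYPTED-CHALLENGE sent outside FAST must be rejected with KDC_ERR_PREAUTH_FAILED, not crash the KDC` would keep that context next to the code. Since the second step deliberately uses `generate_enc_challenge_padata_wrong_key`, it is also worth stating whether a correct-key variant was considered, as that would show whether the KDC refuses the encrypted challenge outside FAST at all or merely fails the key check.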
>@@ -28,6 +28,7 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_replay.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc >-- >2.25.1 > > >From ef94c612f9615d578cb8014ff7f2ac649527486e Mon Sep 17 00:00:00 2001 >From: Luke Howard <lukeh@padl.com> >Date: Fri, 27 Aug 2021 11:42:48 +1000 >Subject: [PATCH 098/108] CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ > >In tgs_build_reply(), validate the server name in the TGS-REQ is present before >dereferencing. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >[abartlet@samba.org backported from Heimdal >commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference >to an earlier patch by Joseph Sutton] > >RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ > >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5) >--- > source4/heimdal/kdc/krb5tgs.c | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index b76726cdd64..d143eb739eb 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c
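Review bot: the knownfail_heimdal_kdc hunk above marks `test_fast_encrypted_challenge_no_fast` as an expected failure, but the commit message says nothing about Heimdal; since every neighbouring `test_fast_encrypted_challenge*` entry is already listed there, a short sentence recording what the Heimdal KDC actually returns for this two-step sequence would make clear that the entry masks a reply mismatch, not a crash.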
>@@ -1603,6 +1603,10 @@ tgs_build_reply(krb5_context context, > > s = &adtkt.cname; > r = adtkt.crealm; >+ } else if (s == NULL) { >+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; >+ krb5_set_error_message(context, ret, "No server in request"); >+ goto out; > } > > _krb5_principalname2krb5_principal(context, &sp, *s, r); >-- >2.25.1 > > >From 099f5c4276d0e09742d96d07fed5aef477623a94 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Jul 2021 12:25:06 +1200 >Subject: [PATCH 099/108] CVE-2021-3671 tests/krb5: Add tests for omitting > sname in outer request > >Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would >crash the Heimdal KDC. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5) >--- > python/samba/tests/krb5/fast_tests.py | 39 +++++++++++++++++++++++++++ > selftest/knownfail_heimdal_kdc | 2 ++ > selftest/knownfail_mit_kdc | 2 ++ > 3 files changed, 43 insertions(+) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index 6d08ad942e1..559f5dc14c6 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py 
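Review bot: the `else if (s == NULL)` branch lands in the right place, before the only visible dereference `_krb5_principalname2krb5_principal(context, &sp, *s, r)`, and correctly does not apply on the additional-ticket path where `s = &adtkt.cname` is always assigned; two things to confirm or add: first, that everything released at the `out:` label is safe to release with the state set up at this point, since the function now leaves via `goto out` before the server principal is built; second, that the rejection is also logged through the KDC's normal log path (kdc_log in Heimdal) and not only recorded with `krb5_set_error_message`, so that a TGS-REQ with no sname is visible to operators in the KDC log rather than only as a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN reply to the sender.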
>@@ -670,6 +670,45 @@ class FAST_Tests(KDCBaseTest): > } > ]) > >+ def test_fast_outer_no_sname(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'sname': None # should be ignored >+ } >+ }, >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_padata_fn': self.generate_enc_challenge_padata, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'outer_req': { >+ 'sname': None # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_tgs_outer_no_sname(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 0, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'outer_req': { >+ 'sname': None # should be ignored >+ } >+ } >+ ]) >+ > def test_fast_outer_wrong_till(self): > self._run_test_sequence([ > { >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index c177706822e..f430bda9cd8 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -65,3 +65,5 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_wrong_principal.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index be590f997a0..1be74250570 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
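Review bot: the `'sname': None # should be ignored` comments in `test_fast_outer_no_sname` and `test_fast_tgs_outer_no_sname` state the expectation without the reason; spell out that under FAST the armored inner request body is the one the KDC must act on, so an absent sname in the outer KDC-REQ-BODY must neither be used nor dereferenced (the dereference is what crashed the Heimdal KDC per the commit message), and add a note in the TGS test on why `'fast_armor': None` is intentional there while the AS tests use `FX_FAST_ARMOR_AP_REQUEST`, so it is not read as an omission.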
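Review bot: the two new knownfail_heimdal_kdc entries are appended after `test_unarmored_as_req` instead of in alphabetical position beside the other `test_fast_outer_*` and `test_fast_tgs_outer_*` lines, which makes the file harder to diff over time; the commit message should also say that these tests now fail rather than crash on the Heimdal KDC, like the other FAST tests already listed in this file, so the entries are not read as leaving CVE-2021-3671 open.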
>@@ -300,3 +300,5 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc >-- >2.25.1 > > >From 69ffa2d3e2a6be1b166a4b846235758df0514a2c Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 1 Sep 2021 10:43:06 +1200 >Subject: [PATCH 100/108] tests/krb5: Remove harmful and atypical return in > as_req testcase > >A test in a TestCase class should not return a value; the >test is determined by the assertions raised. > >Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2] >to not always be filled, so we need to remove this >redundant code. > >This also fixes a *lot* of tests against the MIT KDC > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5) >--- > python/samba/tests/krb5/as_req_tests.py | 14 ++++++-------- > selftest/knownfail_mit_kdc | 10 ---------- > 2 files changed, 6 insertions(+), 18 deletions(-) > >diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py >index fd258e8164a..82ff3f4845c 100755 >--- a/python/samba/tests/krb5/as_req_tests.py >+++ b/python/samba/tests/krb5/as_req_tests.py
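Review bot: same ordering point for the knownfail_mit_kdc hunk: `test_fast_outer_no_sname` and `test_fast_tgs_outer_no_sname` are appended after `test_unarmored_as_req` rather than sorted with the existing FAST entries; beyond that, with both the Heimdal and the MIT backend marked known-fail for these tests, the commit message should explain how the sname fix is still validated by the run (a test that fails for a controlled reason still shows the KDC survived the request, but that reasoning belongs in the message).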
>@@ -106,13 +106,11 @@ class AsReqKerberosTests(KDCBaseTest): > expected_salt=expected_salt, > kdc_options=str(initial_kdc_options)) > >- rep = self._generic_kdc_exchange(kdc_exchange_dict, >- cname=cname, >- realm=realm, >- sname=sname, >- etypes=initial_etypes) >- >- return kdc_exchange_dict['preauth_etype_info2'] >+ self._generic_kdc_exchange(kdc_exchange_dict, >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ etypes=initial_etypes) > > def _test_as_req_no_preauth_with_args(self, etype_idx, pac): > name, etypes = self.etype_test_permutation_by_idx(etype_idx) >@@ -121,7 +119,7 @@ class AsReqKerberosTests(KDCBaseTest): > else: > pa_pac = self.KERB_PA_PAC_REQUEST_create(pac) > padata = [pa_pac] >- return self._test_as_req_nopreauth( >+ self._test_as_req_nopreauth( > initial_padata=padata, > initial_etypes=etypes, > initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 1be74250570..02dbe1aa2fb 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
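Review bot: dropping `return kdc_exchange_dict['preauth_etype_info2']` removes the only place `_test_as_req_nopreauth` exposed the ETYPE-INFO2 padata, and the method now ends with a bare `self._generic_kdc_exchange(...)` call and no assertion of its own; if the exchange helper's internal checks are what validate the reply, say so in a comment, and where `preauth_etype_info2` is present it could still be asserted on rather than discarded, so the relaxation the message announces does not quietly lower coverage. Removing the unused `rep =` assignment and the `return` in `_test_as_req_no_preauth_with_args` is fine.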
>@@ -270,16 +270,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c > ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c >-# >-# MIT currently fails some as_req_no_preauth tests. >-# >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2008r2dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2003dc >-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2008r2dc > # Differences in our KDC compared to windows > # > ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally >-- >2.25.1 > > >From 5551e1f84a28923b801e4fba3022e3e8d9ca5e17 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Aug 2021 13:00:21 +1200 >Subject: [PATCH 101/108] tests/krb5: Check e-data element for TGS-REP errors > without FAST > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a) >--- > python/samba/tests/krb5/raw_testcase.py | 52 ++++++++++++-------- > python/samba/tests/krb5/rfc4120_constants.py | 2 + > 2 files changed, 34 insertions(+), 20 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 32de51c2da4..ba6d07ce465 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -82,6 +82,7 @@ from samba.tests.krb5.rfc4120_constants import ( > PADATA_PAC_REQUEST, > PADATA_PK_AS_REQ, > PADATA_PK_AS_REP_19, >+ PADATA_PW_SALT, > PADATA_SUPPORTED_ETYPES > ) > import samba.tests.krb5.kcrypto as kcrypto >@@ -2187,8 +2188,7 @@ class RawKerberosTest(TestCaseInTempDir): > else: > self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > self.assertElementMissing(rep, 'e-text') >- if (expected_error_mode in (KDC_ERR_GENERIC, >- KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS) >+ if (expected_error_mode == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS > or (rep_msg_type == KRB_TGS_REP > and not sent_fast) > or (sent_fast and fast_armor_type is not None 
>@@ -2198,10 +2198,17 @@ class RawKerberosTest(TestCaseInTempDir): > return rep > edata = self.getElementValue(rep, 'e-data') > if self.strict_checking: >- self.assertIsNotNone(edata) >+ if expected_error_mode != KDC_ERR_GENERIC: >+ # Predicting whether an ERR_GENERIC error contains e-data is >+ # more complicated. >+ self.assertIsNotNone(edata) > if edata is not None: >- rep_padata = self.der_decode(edata, >- asn1Spec=krb5_asn1.METHOD_DATA()) >+ if rep_msg_type == KRB_TGS_REP and not sent_fast: >+ rep_padata = [self.der_decode(edata, >+ asn1Spec=krb5_asn1.PA_DATA())] >+ else: >+ rep_padata = self.der_decode(edata, >+ asn1Spec=krb5_asn1.METHOD_DATA()) > self.assertGreater(len(rep_padata), 0) > > if sent_fast: >@@ -2218,15 +2225,13 @@ class RawKerberosTest(TestCaseInTempDir): > expect_strengthen_key=False) > > rep_padata = fast_response['padata'] >- else: >- rep_padata = [] > >- etype_info2 = self.check_rep_padata(kdc_exchange_dict, >- callback_dict, >- rep, >- rep_padata) >+ etype_info2 = self.check_rep_padata(kdc_exchange_dict, >+ callback_dict, >+ rep, >+ rep_padata) > >- kdc_exchange_dict['preauth_etype_info2'] = etype_info2 >+ kdc_exchange_dict['preauth_etype_info2'] = etype_info2 > > return rep > >@@ -2279,10 +2284,13 @@ class RawKerberosTest(TestCaseInTempDir): > expected_patypes += (PADATA_FX_COOKIE,) > > if rep_msg_type == KRB_TGS_REP: >- sent_claims = self.sent_claims(kdc_exchange_dict) >- if sent_claims and expected_error_mode != 0: >- expected_patypes += (PADATA_PAC_OPTIONS,) >- else: >+ if not sent_fast and expected_error_mode != 0: >+ expected_patypes += (PADATA_PW_SALT,) >+ else: >+ sent_claims = self.sent_claims(kdc_exchange_dict) >+ if sent_claims and expected_error_mode not in (0, KDC_ERR_GENERIC): >+ expected_patypes += (PADATA_PAC_OPTIONS,) >+ elif expected_error_mode != KDC_ERR_GENERIC: > if expect_etype_info: > self.assertGreater(len(expect_etype_info2), 0) > expected_patypes += (PADATA_ETYPE_INFO,) 
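Review bot: moving `kdc_exchange_dict['preauth_etype_info2'] = etype_info2` under `if edata is not None:` in the hunk at -2218, while deleting the `else: rep_padata = []` fallback, means the key is no longer set when an error reply carries no e-data; callers that index `kdc_exchange_dict['preauth_etype_info2']` will then raise KeyError instead of seeing None, unless the exchange-dict constructors initialise it (the visible hunks do not show that). Initialise the key to None in `as_exchange_dict`/`tgs_exchange_dict`, or have callers use `.get()`. Separately, the new branch at -2198 that decodes e-data as a single `krb5_asn1.PA_DATA()` for non-FAST TGS errors, instead of `METHOD_DATA`, needs a comment naming which KDC behaviour it models; without one a reader will take it for a bug.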
>@@ -2458,8 +2466,11 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNone(pk_as_rep19) > return None > >- if self.strict_checking: >- self.assertIsNotNone(etype_info2) >+ if expected_error_mode != KDC_ERR_GENERIC: >+ if self.strict_checking: >+ self.assertIsNotNone(etype_info2) >+ else: >+ self.assertIsNone(etype_info2) > if expect_etype_info: > self.assertIsNotNone(etype_info) > else: >@@ -2468,7 +2479,7 @@ class RawKerberosTest(TestCaseInTempDir): > if unexpect_etype_info: > self.assertIsNone(etype_info) > >- if self.strict_checking: >+ if expected_error_mode != KDC_ERR_GENERIC and self.strict_checking: > self.assertGreaterEqual(len(etype_info2), 1) > self.assertEqual(len(etype_info2), len(expect_etype_info2)) > for i in range(0, len(etype_info2)): >@@ -2495,7 +2506,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(salt) > self.assertEqual(len(salt), 0) > >- if expected_error_mode != KDC_ERR_PREAUTH_FAILED: >+ if expected_error_mode not in (KDC_ERR_PREAUTH_FAILED, >+ KDC_ERR_GENERIC): > if sent_fast: > self.assertIsNotNone(enc_challenge) > if self.strict_checking: >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index e1a688991a7..c70ce309b95 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py >@@ -60,6 +60,8 @@ PADATA_PK_AS_REQ = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) > PADATA_PK_AS_REP_19 = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19')) >+PADATA_PW_SALT = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-PW-SALT')) > PADATA_SUPPORTED_ETYPES = int( > krb5_asn1.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES')) > >-- >2.25.1 > > >From 456f98e107c64297eda3c9e1ab6a67edd232b5f9 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Aug 2021 13:00:37 +1200 >Subject: [PATCH 102/108] tests/krb5: Check PADATA-PW-SALT element in e-data > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1) >--- > python/samba/tests/krb5/raw_testcase.py | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index ba6d07ce465..4e7891ae89a 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -2328,6 +2328,7 @@ class RawKerberosTest(TestCaseInTempDir): > fast_error = None > fx_fast = None > pac_options = None >+ pw_salt = None > for pa in rep_padata: > patype = self.getElementValue(pa, 'padata-type') > pavalue = self.getElementValue(pa, 'padata-value') >@@ -2380,6 +2381,11 @@ class RawKerberosTest(TestCaseInTempDir): > pac_options = pavalue > self.assertIsNotNone(pac_options) > continue >+ if patype == PADATA_PW_SALT: >+ self.assertIsNone(pw_salt) >+ pw_salt = pavalue >+ self.assertIsNotNone(pw_salt) >+ continue > > if fast_cookie is not None: > kdc_exchange_dict['fast_cookie'] = fast_cookie >@@ -2395,6 +2401,14 @@ class RawKerberosTest(TestCaseInTempDir): > if pac_options is not None: > self.check_pac_options_claims_support(pac_options) > >+ if pw_salt is not None: >+ self.assertEqual(12, len(pw_salt)) >+ >+ status = int.from_bytes(pw_salt[:4], 'little') >+ flags = int.from_bytes(pw_salt[8:], 'little') >+ >+ self.assertEqual(3, flags) >+ > if enc_challenge is not None: > if not sent_enc_challenge: > self.assertEqual(len(enc_challenge), 0) >-- >2.25.1 > > >From e4b686ee234ec6a318850381eac0854558a442bd Mon Sep 17 00:00:00 2001 
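Review bot: in the hunk at -2395, `status` is read from `pw_salt[:4]` but never asserted on or used, so it is dead code; either check it or drop it. The slice offsets 0 and 8 and the length 12 are bare magic numbers as well: add a comment describing the 12-byte layout (status at 0..4, the skipped bytes at 4..8, flags at 8..12) and why `flags` is expected to be exactly 3. Note also that this check is not guarded by `self.strict_checking`, unlike the other e-data checks in `check_rep_padata`, so it will be enforced against every KDC under test; confirm that is intended.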
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Aug 2021 13:02:04 +1200 >Subject: [PATCH 103/108] tests/krb5: Add tests for omitting sname in request > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b) >--- > python/samba/tests/krb5/fast_tests.py | 83 ++++++++++++++++++++++++++- > selftest/knownfail_heimdal_kdc | 3 + > selftest/knownfail_mit_kdc | 4 ++ > 3 files changed, 88 insertions(+), 2 deletions(-) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index 559f5dc14c6..2a423402c7a 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py 
>@@ -105,6 +105,79 @@ class FAST_Tests(KDCBaseTest): > } > ]) > >+ def test_simple_no_sname(self): >+ krbtgt_creds = self.get_krbtgt_creds() >+ krbtgt_username = krbtgt_creds.get_username() >+ krbtgt_realm = krbtgt_creds.get_realm() >+ expected_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': False, >+ 'sname': None, >+ 'expected_sname': expected_sname >+ } >+ ]) >+ >+ def test_simple_tgs_no_sname(self): >+ krbtgt_creds = self.get_krbtgt_creds() >+ krbtgt_username = krbtgt_creds.get_username() >+ krbtgt_realm = krbtgt_creds.get_realm() >+ expected_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': False, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'sname': None, >+ 'expected_sname': expected_sname >+ } >+ ]) >+ >+ def test_fast_no_sname(self): >+ krbtgt_creds = self.get_krbtgt_creds() >+ krbtgt_username = krbtgt_creds.get_username() >+ krbtgt_realm = krbtgt_creds.get_realm() >+ expected_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'sname': None, >+ 'expected_sname': expected_sname >+ } >+ ]) >+ >+ def test_fast_tgs_no_sname(self): >+ krbtgt_creds = self.get_krbtgt_creds() >+ krbtgt_username = krbtgt_creds.get_username() >+ krbtgt_realm = krbtgt_creds.get_realm() >+ expected_sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm]) >+ >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': 
KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'sname': None, >+ 'expected_sname': expected_sname >+ } >+ ]) >+ > def test_simple_tgs_wrong_principal(self): > mach_creds = self.get_mach_creds() > mach_name = mach_creds.get_username() >@@ -1137,11 +1210,17 @@ class FAST_Tests(KDCBaseTest): > cname = client_cname if rep_type == KRB_AS_REP else None > crealm = client_realm > >+ if 'sname' in kdc_dict: >+ sname = kdc_dict.pop('sname') >+ else: >+ if rep_type == KRB_AS_REP: >+ sname = krbtgt_sname >+ else: # KRB_TGS_REP >+ sname = target_sname >+ > if rep_type == KRB_AS_REP: >- sname = krbtgt_sname > srealm = krbtgt_realm > else: # KRB_TGS_REP >- sname = target_sname > srealm = target_realm > > expected_cname = kdc_dict.pop('expected_cname', client_cname) >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index f430bda9cd8..b336d6fb3e2 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -67,3 +67,6 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 02dbe1aa2fb..41ad93b89c5 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
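Review bot: in the `_run_test_sequence` hunk at -1137 the `if 'sname' in kdc_dict:` / `pop` form is used because `None` is a meaningful value here (omit sname from the request), which rules out the `pop(key, default)` idiom used for the other parameters in this function; that deserves a one-line comment so nobody "simplifies" it later. The four new tests above also repeat the same `expected_sname` construction (`NT_SRV_INST`, `[krbtgt_username, krbtgt_realm]`) verbatim; a small helper in the test class, or `self.get_krbtgt_sname()` which `RawKerberosTest.generic_check_kdc_error` already uses, would remove the duplication.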
>@@ -292,3 +292,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc >-- >2.25.1 > > >From fb1255a88f016598cb9f2e0d8acbceb7cf43ec12 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Aug 2021 13:26:45 +1200 >Subject: [PATCH 104/108] tests/krb5: Allow specifying parameters specific to > the inner FAST request body > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340) >--- > python/samba/tests/krb5/fast_tests.py | 4 ++++ > python/samba/tests/krb5/raw_testcase.py | 13 +++++++++++++ > 2 files changed, 17 insertions(+) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index 2a423402c7a..fb5c0fc28f8 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py 
>@@ -1340,7 +1340,9 @@ class FAST_Tests(KDCBaseTest): > auth_data = None > > if not use_fast: >+ self.assertNotIn('inner_req', kdc_dict) > self.assertNotIn('outer_req', kdc_dict) >+ inner_req = kdc_dict.pop('inner_req', None) > outer_req = kdc_dict.pop('outer_req', None) > > if rep_type == KRB_AS_REP: >@@ -1370,6 +1372,7 @@ class FAST_Tests(KDCBaseTest): > armor_tgt=armor_tgt, > armor_subkey=armor_subkey, > kdc_options=kdc_options, >+ inner_req=inner_req, > outer_req=outer_req) > else: # KRB_TGS_REP > kdc_exchange_dict = self.tgs_exchange_dict( >@@ -1398,6 +1401,7 @@ class FAST_Tests(KDCBaseTest): > auth_data=auth_data, > body_checksum_type=None, > kdc_options=kdc_options, >+ inner_req=inner_req, > outer_req=outer_req) > > repeat = kdc_dict.pop('repeat', 1) >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 4e7891ae89a..15873d69fa6 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -1553,6 +1553,9 @@ class RawKerberosTest(TestCaseInTempDir): > expected_error_mode = kdc_exchange_dict['expected_error_mode'] > kdc_options = kdc_exchange_dict['kdc_options'] > >+ # Parameters specific to the inner request body >+ inner_req = kdc_exchange_dict['inner_req'] >+ > # Parameters specific to the outer request body > outer_req = kdc_exchange_dict['outer_req'] > >@@ -1582,6 +1585,12 @@ class RawKerberosTest(TestCaseInTempDir): > EncAuthorizationData_usage=EncAuthorizationData_usage) > > inner_req_body = dict(req_body) >+ if inner_req is not None: >+ for key, value in inner_req.items(): >+ if value is not None: >+ inner_req_body[key] = value >+ else: >+ del inner_req_body[key] > if outer_req is not None: > for key, value in outer_req.items(): > if value is not None: >@@ -1734,6 +1743,7 @@ class RawKerberosTest(TestCaseInTempDir): > armor_subkey=None, > auth_data=None, > kdc_options='', >+ inner_req=None, > outer_req=None): > kdc_exchange_dict = { > 'req_msg_type': KRB_AS_REQ, 
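Review bot: the override loop added for `inner_req` in the hunk at -1582 is a verbatim copy of the `outer_req` loop directly below it; factor `for key, value in ...: if value is not None: body[key] = value else: del body[key]` into a helper that takes the target body, so the two cannot drift apart. Also, `del inner_req_body[key]` raises KeyError when a test asks to remove a field the body does not contain; if that is meant as a guard against typos in test dictionaries, say so in a comment, otherwise `inner_req_body.pop(key, None)` is the forgiving form.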
>@@ -1765,6 +1775,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'armor_subkey': armor_subkey, > 'auth_data': auth_data, > 'kdc_options': kdc_options, >+ 'inner_req': inner_req, > 'outer_req': outer_req > } > if expected_cname_private is not None: >@@ -1802,6 +1813,7 @@ class RawKerberosTest(TestCaseInTempDir): > auth_data=None, > body_checksum_type=None, > kdc_options='', >+ inner_req=None, > outer_req=None): > kdc_exchange_dict = { > 'req_msg_type': KRB_TGS_REQ, >@@ -1833,6 +1845,7 @@ class RawKerberosTest(TestCaseInTempDir): > 'auth_data': auth_data, > 'authenticator_subkey': authenticator_subkey, > 'kdc_options': kdc_options, >+ 'inner_req': inner_req, > 'outer_req': outer_req > } > if expected_cname_private is not None: >-- >2.25.1 > > >From 2170b4f1e92db7fb9e7d976927490fd1ae1446f9 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 27 Aug 2021 13:37:16 +1200 >Subject: [PATCH 105/108] tests/krb5: Add tests for omitting sname in inner > request > >Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC. > >This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49 >and was given CVE-2021-37750 > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 24914ae17d49f634fafc1bdeb88859293da05f79) >--- > python/samba/tests/krb5/fast_tests.py | 28 +++++++++++++++++++++++++++ > selftest/knownfail_heimdal_kdc | 2 ++ > selftest/knownfail_mit_kdc | 2 ++ > 3 files changed, 32 insertions(+) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index fb5c0fc28f8..cee91fa2a93 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py 
>@@ -178,6 +178,34 @@ class FAST_Tests(KDCBaseTest): > } > ]) > >+ def test_fast_inner_no_sname(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_AS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, >+ 'gen_armor_tgt_fn': self.get_mach_tgt, >+ 'inner_req': { >+ 'sname': None # should be ignored >+ } >+ } >+ ]) >+ >+ def test_fast_tgs_inner_no_sname(self): >+ self._run_test_sequence([ >+ { >+ 'rep_type': KRB_TGS_REP, >+ 'expected_error_mode': KDC_ERR_GENERIC, >+ 'use_fast': True, >+ 'gen_tgt_fn': self.get_user_tgt, >+ 'fast_armor': None, >+ 'inner_req': { >+ 'sname': None # should be ignored >+ } >+ } >+ ]) >+ > def test_simple_tgs_wrong_principal(self): > mach_creds = self.get_mach_creds() > mach_name = mach_creds.get_username() >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index b336d6fb3e2..a55357b7537 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -70,3 +70,5 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 41ad93b89c5..8366bce67eb 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
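Review bot: the `# should be ignored` comment on `'sname': None` in both new tests conflicts with `'expected_error_mode': KDC_ERR_GENERIC` on the same request: if the KDC is expected to ignore a missing inner sname the test should expect a successful reply, and if an error is the correct outcome the comment should say what is ignored and by whom. The commit message also states that `test_fast_tgs_inner_no_sname` crashes an unfixed MIT KDC, yet the patch only adds it to `selftest/knownfail_mit_kdc`; a knownfail entry masks an assertion failure, it does not keep a crashed KDC from failing every later test in that environment, so this test should be skipped unless the MIT build under test includes the referenced fix.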
>@@ -296,3 +296,5 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc >-- >2.25.1 > > >From 84b73d8181432d3c99e166472e5773e6db33bd9f Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 31 Aug 2021 19:42:33 +1200 >Subject: [PATCH 106/108] tests/krb5: Allow expected_error_mode to be a > container type > >This allows a range of possible error codes to be checked against, for >cases when the particular error code returned is not so important. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0) >--- > python/samba/tests/krb5/raw_testcase.py | 56 +++++++++++++++---------- > 1 file changed, 35 insertions(+), 21 deletions(-) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 15873d69fa6..6db17f2a118 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -1702,11 +1702,12 @@ class RawKerberosTest(TestCaseInTempDir): > if check_error_fn is not None: > expected_msg_type = KRB_ERROR > self.assertIsNone(check_rep_fn) >- self.assertNotEqual(0, expected_error_mode) >+ self.assertNotEqual(0, len(expected_error_mode)) >+ self.assertNotIn(0, expected_error_mode) > if check_rep_fn is not None: > expected_msg_type = rep_msg_type > self.assertIsNone(check_error_fn) >- self.assertEqual(0, expected_error_mode) >+ self.assertEqual(0, len(expected_error_mode)) > self.assertIsNotNone(expected_msg_type) > self.assertEqual(msg_type, expected_msg_type) > >@@ -1745,6 +1746,11 @@ class RawKerberosTest(TestCaseInTempDir): > kdc_options='', > inner_req=None, > outer_req=None): >+ if expected_error_mode == 0: >+ expected_error_mode = () >+ elif not isinstance(expected_error_mode, collections.abc.Container): >+ expected_error_mode = (expected_error_mode,) >+ > kdc_exchange_dict = { > 'req_msg_type': KRB_AS_REQ, > 'req_asn1Spec': krb5_asn1.AS_REQ, >@@ -1815,6 +1821,11 @@ class RawKerberosTest(TestCaseInTempDir): > kdc_options='', > inner_req=None, > outer_req=None): >+ if expected_error_mode == 0: >+ expected_error_mode = () >+ elif not isinstance(expected_error_mode, collections.abc.Container): >+ expected_error_mode = (expected_error_mode,) >+ > kdc_exchange_dict = { > 'req_msg_type': KRB_TGS_REQ, > 'req_asn1Spec': krb5_asn1.TGS_REQ, >@@ -1942,7 +1953,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.check_rep_padata(kdc_exchange_dict, > callback_dict, > rep, >- fast_response['padata']) >+ fast_response['padata'], >+ error_code=0) > > ticket_private = None > self.assertIsNotNone(ticket_decryption_key) 
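Review bot: the hunks at -1745 and -1815 use `collections.abc.Container`, but this patch adds no import to raw_testcase.py; check that the file already has `import collections.abc`, because a bare `import collections` does not reliably make the `abc` submodule available. The normalisation block itself (`== 0` becomes `()`, a scalar becomes a one-tuple) is pasted into both `as_exchange_dict` and `tgs_exchange_dict`; a single helper would keep them in step. Worth a comment too: `str` and `bytes` satisfy `Container`, so a string passed by mistake would be accepted here and only fail later at `assertIn`.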
>@@ -2181,7 +2193,8 @@ class RawKerberosTest(TestCaseInTempDir): > > self.assertElementEqual(rep, 'pvno', 5) > self.assertElementEqual(rep, 'msg-type', KRB_ERROR) >- self.assertElementEqual(rep, 'error-code', expected_error_mode) >+ error_code = self.getElementValue(rep, 'error-code') >+ self.assertIn(error_code, expected_error_mode) > if self.strict_checking: > self.assertElementMissing(rep, 'ctime') > self.assertElementMissing(rep, 'cusec') >@@ -2195,13 +2208,13 @@ class RawKerberosTest(TestCaseInTempDir): > else: > self.assertElementMissing(rep, 'cname') > self.assertElementEqualUTF8(rep, 'realm', expected_srealm) >- if sent_fast and expected_error_mode == KDC_ERR_GENERIC: >+ if sent_fast and error_code == KDC_ERR_GENERIC: > self.assertElementEqualPrincipal(rep, 'sname', > self.get_krbtgt_sname()) > else: > self.assertElementEqualPrincipal(rep, 'sname', expected_sname) > self.assertElementMissing(rep, 'e-text') >- if (expected_error_mode == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS >+ if (error_code == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS > or (rep_msg_type == KRB_TGS_REP > and not sent_fast) > or (sent_fast and fast_armor_type is not None >@@ -2211,7 +2224,7 @@ class RawKerberosTest(TestCaseInTempDir): > return rep > edata = self.getElementValue(rep, 'e-data') > if self.strict_checking: >- if expected_error_mode != KDC_ERR_GENERIC: >+ if error_code != KDC_ERR_GENERIC: > # Predicting whether an ERR_GENERIC error contains e-data is > # more complicated. > self.assertIsNotNone(edata) >@@ -2242,7 +2255,8 @@ class RawKerberosTest(TestCaseInTempDir): > etype_info2 = self.check_rep_padata(kdc_exchange_dict, > callback_dict, > rep, >- rep_padata) >+ rep_padata, >+ error_code) > > kdc_exchange_dict['preauth_etype_info2'] = etype_info2 
> >@@ -2252,10 +2266,10 @@ class RawKerberosTest(TestCaseInTempDir): > kdc_exchange_dict, > callback_dict, > rep, >- rep_padata): >+ rep_padata, >+ error_code): > rep_msg_type = kdc_exchange_dict['rep_msg_type'] > >- expected_error_mode = kdc_exchange_dict['expected_error_mode'] > req_body = kdc_exchange_dict['req_body'] > proposed_etypes = req_body['etype'] > client_as_etypes = kdc_exchange_dict.get('client_as_etypes', []) >@@ -2281,7 +2295,7 @@ class RawKerberosTest(TestCaseInTempDir): > if etype in (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128): > if etype > expected_aes_type: > expected_aes_type = etype >- if etype in (kcrypto.Enctype.RC4,) and expected_error_mode != 0: >+ if etype in (kcrypto.Enctype.RC4,) and error_code != 0: > unexpect_etype_info = False > if etype > expected_rc4_type: > expected_rc4_type = etype >@@ -2292,25 +2306,25 @@ class RawKerberosTest(TestCaseInTempDir): > expect_etype_info2 += (expected_rc4_type,) > > expected_patypes = () >- if sent_fast and expected_error_mode != 0: >+ if sent_fast and error_code != 0: > expected_patypes += (PADATA_FX_ERROR,) > expected_patypes += (PADATA_FX_COOKIE,) > > if rep_msg_type == KRB_TGS_REP: >- if not sent_fast and expected_error_mode != 0: >+ if not sent_fast and error_code != 0: > expected_patypes += (PADATA_PW_SALT,) > else: > sent_claims = self.sent_claims(kdc_exchange_dict) >- if sent_claims and expected_error_mode not in (0, KDC_ERR_GENERIC): >+ if sent_claims and error_code not in (0, KDC_ERR_GENERIC): > expected_patypes += (PADATA_PAC_OPTIONS,) >- elif expected_error_mode != KDC_ERR_GENERIC: >+ elif error_code != KDC_ERR_GENERIC: > if expect_etype_info: > self.assertGreater(len(expect_etype_info2), 0) > expected_patypes += (PADATA_ETYPE_INFO,) > if len(expect_etype_info2) != 0: > expected_patypes += (PADATA_ETYPE_INFO2,) > >- if expected_error_mode != KDC_ERR_PREAUTH_FAILED: >+ if error_code != KDC_ERR_PREAUTH_FAILED: > if sent_fast: > expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) > else: 
>@@ -2493,7 +2507,7 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNone(pk_as_rep19) > return None > >- if expected_error_mode != KDC_ERR_GENERIC: >+ if error_code != KDC_ERR_GENERIC: > if self.strict_checking: > self.assertIsNotNone(etype_info2) > else: >@@ -2506,7 +2520,7 @@ class RawKerberosTest(TestCaseInTempDir): > if unexpect_etype_info: > self.assertIsNone(etype_info) > >- if expected_error_mode != KDC_ERR_GENERIC and self.strict_checking: >+ if error_code != KDC_ERR_GENERIC and self.strict_checking: > self.assertGreaterEqual(len(etype_info2), 1) > self.assertEqual(len(etype_info2), len(expect_etype_info2)) > for i in range(0, len(etype_info2)): >@@ -2533,8 +2547,8 @@ class RawKerberosTest(TestCaseInTempDir): > self.assertIsNotNone(salt) > self.assertEqual(len(salt), 0) > >- if expected_error_mode not in (KDC_ERR_PREAUTH_FAILED, >- KDC_ERR_GENERIC): >+ if error_code not in (KDC_ERR_PREAUTH_FAILED, >+ KDC_ERR_GENERIC): > if sent_fast: > self.assertIsNotNone(enc_challenge) > if self.strict_checking: >@@ -2799,7 +2813,7 @@ class RawKerberosTest(TestCaseInTempDir): > as_rep_usage = KU_AS_REP_ENC_PART > return preauth_key, as_rep_usage > >- if expected_error_mode == 0: >+ if not expected_error_mode: > check_error_fn = None > check_rep_fn = self.generic_check_kdc_rep > else: >-- >2.25.1 > > >From e6aedf3655ab593896065e25e5d8e948ab922e2a Mon Sep 17 00:00:00 2001 >From: Luke Howard <lukeh@padl.com> >Date: Tue, 31 Aug 2021 17:38:16 +1200 >Subject: [PATCH 107/108] kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing > field > >If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and >KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour. > >[abartlet@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd >and knownfail added] > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 
> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit b0f4455e524cbbfb13202220e7095f466b083a2f) >--- > selftest/knownfail_heimdal_kdc | 1 + > source4/heimdal/kdc/kerberos5.c | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index a55357b7537..2c63707fff3 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -72,3 +72,4 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc >+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc >\ No newline at end of file >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index 27d38ad84b7..0fa336e871c 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c >@@ -996,7 +996,7 @@ _kdc_as_rep(krb5_context context, > flags |= HDB_F_CANON; > > if(b->sname == NULL){ >- ret = KRB5KRB_ERR_GENERIC; >+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; > e_text = "No server in request"; > } else{ > ret = _krb5_principalname2krb5_principal (context, >@@ -1012,7 +1012,7 @@ _kdc_as_rep(krb5_context context, > goto out; > } > if(b->cname == NULL){ >- ret = KRB5KRB_ERR_GENERIC; >+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; > e_text = "No client in request"; > } else { > ret = _krb5_principalname2krb5_principal (context, >-- >2.25.1 > > >From 90039edf89f548fe2bdff9e8e2bf355eafc15c65 Mon Sep 17 00:00:00 2001 
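Review bot: both changed sites are in `_kdc_as_rep`, so only the AS-REQ path now returns KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN / KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN for a missing field; the TGS path keeps its previous behaviour, which is consistent with `test_simple_tgs_no_sname` and `test_fast_tgs_no_sname` staying in `selftest/knownfail_heimdal_kdc` while only `test_simple_no_sname` is added. The commit message should say that the TGS side is deliberately left alone in this backport. Minor: the knownfail hunk ends with `\ No newline at end of file`; restore the trailing newline.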
>From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 31 Aug 2021 22:38:01 +1200 >Subject: [PATCH 108/108] tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for > a missing sname > >This allows our code to still pass with the error code that >MIT and Heimdal have chosen > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184 > >(cherry picked from commit 10baaf08523200e47451aa1862430977b0365b59) >--- > python/samba/tests/krb5/fast_tests.py | 23 +++++++++++++------- > python/samba/tests/krb5/kdc_base_test.py | 6 ++++- > python/samba/tests/krb5/rfc4120_constants.py | 1 + > selftest/knownfail_heimdal_kdc | 3 --- > 4 files changed, 21 insertions(+), 12 deletions(-) > >diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py >index cee91fa2a93..392d19f59b3 100755 >--- a/python/samba/tests/krb5/fast_tests.py >+++ b/python/samba/tests/krb5/fast_tests.py >@@ -20,6 +20,7 @@ > import functools > import os > import sys >+import collections > > import ldb > >@@ -37,6 +38,7 @@ from samba.tests.krb5.rfc4120_constants import ( > FX_FAST_ARMOR_AP_REQUEST, > KDC_ERR_ETYPE_NOSUPP, > KDC_ERR_GENERIC, >+ KDC_ERR_S_PRINCIPAL_UNKNOWN, > KDC_ERR_NOT_US, > KDC_ERR_PREAUTH_FAILED, > KDC_ERR_PREAUTH_REQUIRED, >@@ -115,7 +117,7 @@ class FAST_Tests(KDCBaseTest): > self._run_test_sequence([ > { > 'rep_type': KRB_AS_REP, >- 'expected_error_mode': KDC_ERR_GENERIC, >+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), > 'use_fast': False, > 'sname': None, > 'expected_sname': expected_sname 
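Review bot: the hunk at -20 adds `import collections` to fast_tests.py, but the code in this patch uses `collections.abc.Container`; import `collections.abc` explicitly, since a plain `import collections` does not guarantee the `abc` submodule is loaded (the same applies to the `import collections` this patch adds to kdc_base_test.py). Also, `test_simple_no_sname`, `test_simple_tgs_no_sname` and `test_fast_tgs_no_sname` are widened to `(KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN)`, but `test_fast_no_sname` (the FAST-armored AS-REQ case) keeps the bare `KDC_ERR_GENERIC`; if that is intentional, a comment explaining why the FAST AS path must return GENERIC would help, otherwise it should be widened as well.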
>@@ -132,7 +134,7 @@ class FAST_Tests(KDCBaseTest): > self._run_test_sequence([ > { > 'rep_type': KRB_TGS_REP, >- 'expected_error_mode': KDC_ERR_GENERIC, >+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), > 'use_fast': False, > 'gen_tgt_fn': self.get_user_tgt, > 'sname': None, >@@ -169,7 +171,7 @@ class FAST_Tests(KDCBaseTest): > self._run_test_sequence([ > { > 'rep_type': KRB_TGS_REP, >- 'expected_error_mode': KDC_ERR_GENERIC, >+ 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN), > 'use_fast': True, > 'gen_tgt_fn': self.get_user_tgt, > 'fast_armor': None, >@@ -1190,7 +1192,12 @@ class FAST_Tests(KDCBaseTest): > self.assertIn(rep_type, (KRB_AS_REP, KRB_TGS_REP)) > > expected_error_mode = kdc_dict.pop('expected_error_mode') >- self.assertIn(expected_error_mode, range(240)) >+ if expected_error_mode == 0: >+ expected_error_mode = () >+ elif not isinstance(expected_error_mode, collections.abc.Container): >+ expected_error_mode = (expected_error_mode,) >+ for error in expected_error_mode: >+ self.assertIn(error, range(240)) > > use_fast = kdc_dict.pop('use_fast') > self.assertIs(type(use_fast), bool) >@@ -1201,7 +1208,7 @@ class FAST_Tests(KDCBaseTest): > > if fast_armor_type is not None: > self.assertIn('gen_armor_tgt_fn', kdc_dict) >- elif expected_error_mode != KDC_ERR_GENERIC: >+ elif KDC_ERR_GENERIC not in expected_error_mode: > self.assertNotIn('gen_armor_tgt_fn', kdc_dict) > > gen_armor_tgt_fn = kdc_dict.pop('gen_armor_tgt_fn', None) >@@ -1225,7 +1232,7 @@ class FAST_Tests(KDCBaseTest): > self.assertNotIn('gen_tgt_fn', kdc_dict) > tgt = None > >- if expected_error_mode != 0: >+ if len(expected_error_mode) != 0: > check_error_fn = self.generic_check_kdc_error > check_rep_fn = None > else: >@@ -1439,7 +1446,7 @@ class FAST_Tests(KDCBaseTest): > realm=crealm, > sname=sname, > etypes=etypes) >- if expected_error_mode == 0: >+ if len(expected_error_mode) == 0: > self.check_reply(rep, rep_type) > > fast_cookie = None 
>@@ -1453,7 +1460,7 @@ class FAST_Tests(KDCBaseTest): > else: > fast_cookie = None > >- if expected_error_mode == KDC_ERR_PREAUTH_REQUIRED: >+ if KDC_ERR_PREAUTH_REQUIRED in expected_error_mode: > preauth_etype_info2 = ( > kdc_exchange_dict['preauth_etype_info2']) > else: >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index b148fa01f65..f5c1eba9151 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -21,6 +21,7 @@ import os > from datetime import datetime, timezone > import tempfile > import binascii >+import collections > > from collections import namedtuple > import ldb >@@ -598,7 +599,10 @@ class KDCBaseTest(RawKerberosTest): > """ > self.assertIsNotNone(rep) > self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep) >- self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) >+ if isinstance(expected, collections.abc.Container): >+ self.assertIn(rep['error-code'], expected, "rep = {%s}" % rep) >+ else: >+ self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) > > def tgs_req(self, cname, sname, realm, ticket, key, etypes): > '''Send a TGS-REQ, returns the response and the decrypted and >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index c70ce309b95..ac2bac4d91e 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py >@@ -67,6 +67,7 @@ PADATA_SUPPORTED_ETYPES = int( > > # Error codes > KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 >+KDC_ERR_S_PRINCIPAL_UNKNOWN = 7 > KDC_ERR_POLICY = 12 > KDC_ERR_ETYPE_NOSUPP = 14 > KDC_ERR_PREAUTH_FAILED = 24 >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index 2c63707fff3..767bfe90943 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc 
>@@ -68,8 +68,5 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc >\ No newline at end of file >-- >2.25.1 >
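Review bot: The first `_kdc_as_rep` hunk in `source4/heimdal/kdc/kerberos5.c` only changes the code returned for a missing sname on the AS path; confirm the equivalent check on the TGS path returns KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN too, because the follow-up test change accepts either code for both `KRB_AS_REP` and `KRB_TGS_REP` and drops `test_simple_tgs_no_sname` from the knownfail list. Replacing KRB5KRB_ERR_GENERIC is the right call: a client cannot tell a malformed request from a KDC-side failure when it gets GENERIC, whereas code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN, as the constants hunk defines it) is the RFC 4120 code for exactly this condition, and the cname hunk mirrors it with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.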
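Review bot: Missing trailing newline in the `selftest/knownfail_heimdal_kdc` hunk of the first commit (`\ No newline at end of file` after the added `test_simple_no_sname` line); add the newline so the next edit to the file does not produce a spurious diff on that line. Marking the test as known-failing here and lifting the entry in the next commit is the correct sequencing, since it keeps every commit in the series passing selftest.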
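Review bot: `import collections` in the `fast_tests.py` import hunk (and the matching hunk in `kdc_base_test.py`) is used as `collections.abc.Container`; `collections.abc` is a submodule, so write `import collections.abc` explicitly rather than relying on some other module having imported it first.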
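Review bot: In the `expected_error_mode` normalization hunk (`@@ -1190,7 +1192,12 @@`), `0` becomes `()` and a bare code becomes a one-tuple, but the `not isinstance(expected_error_mode, collections.abc.Container)` test also lets a `str` through untouched; `isinstance(expected_error_mode, int)` would state the intent directly. Separately, expecting `(KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN)` in the three `no_sname` tests means the test no longer records which code the Samba KDC actually returns; a short comment naming which implementation returns which would preserve that information for the next reader.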
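Review bot: The docstring that closes just above the changed assertion in the `kdc_base_test.py` `@@ -598,7 +599,10 @@` hunk should say that `expected` may now be either a single error code or a container of acceptable codes, since the hunk changes the function's contract. Keeping the `"rep = {%s}" % rep` message on the new `assertIn` branch is good, as the full reply is what a developer needs when an unexpected code shows up.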
Flags: abartlet: ci-passed+